RE: [ActiveDir] Optimize Exchange Pagefile
Why don't you ask on the Exchange2000 or Exchange2003 Yahoo group?

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Dan DeStefano
Sent: Thu 04/05/2006 20:16
To: ActiveDir@mail.activedir.org
Cc:
Subject: [ActiveDir] Optimize Exchange Pagefile

I was wondering if anyone can point me to any MS document that discusses optimizing the page file on an Exchange box. I found http://support.microsoft.com/kb/815372, but this article does not discuss the page file.

I am running SBS 2003 on a 3 GHZ Xeon with 4GB physical memory and a 3-disk RAID5 array with 2 logical drives. I plan on installing the Exchange binaries on the first logical drive (which will also contain the system and boot partitions) and the Exchange databases, logs, queues, etc on the second logical drive.

The way I normally set the pagefile on my systems is to set it to be static and 1.5x physical RAM. I also create a pagefile on each disk and let Windows choose the best one (which will be the second logical drive). I do not want to disable the pagefile on C: because, from what I understand, this will disable crash dumps, which I do not want. However, I set the crash dump to kernel only, not the entire pagefile.

That being said, would it be appropriate to set the pagefile on C: to something small like 256MB since the OS will be using the one on the second drive anyway?

Also, other than not using the /3GB switch, are there any other differences between the memory/pagefile settings on a regular Exchange box running WS2k3 and the SBS2k3 version?

I would appreciate any guidance.

Dan DeStefano
Info-lution Corporation
www.info-lution.com
MCSE - 2073750
Office: 727 546-9143
FAX: 727 541-5888
RE: [ActiveDir] which GC answers?
it is:

    repadmin /showobjmeta GC: CN=User-ROOT-01,OU=Users,OU=ORG,DC=ADCORP,DC=LAN

the output will be something like:

    repadmin running command /showobjmeta against server ed0c6501-28c1-47e9-b3db-5dcf281e9e31._msdcs.ADCORP.LAN

    26 entries.
    Loc.USN  Originating DC                     Org.USN  Org.Time/Date        Ver  Attribute
    =======  =================================  =======  ===================  ===  =========
    12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    objectClass
    12417    Default-First-Site-Name\ROOTDC002  12417    2006-02-13 11:48:46  1    cn
    12417    Default-First-Site-Name\ROOTDC001  14299    2006-02-13 11:41:54  1    description
    12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    givenName
    12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    instanceType
    12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    whenCreated
    12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    displayName
    12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    nTSecurityDescriptor
    12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    name
    12417    Default-First-Site-Name\ROOTDC001  14282    2006-02-13 11:40:34  4    userAccountControl
    12417    Default-First-Site-Name\ROOTDC001  14278    2006-02-13 11:40:34  1    codePage
    12417    Default-First-Site-Name\ROOTDC001  14278    2006-02-13 11:40:34  1    countryCode
    12417    Default-First-Site-Name\ROOTDC001  14279    2006-02-13 11:40:34  2    dBCSPwd
    12417    Default-First-Site-Name\ROOTDC001  14278    2006-02-13 11:40:34  1    logonHours
    12417    Default-First-Site-Name\ROOTDC001  14279    2006-02-13 11:40:34  2    unicodePwd
    12417    Default-First-Site-Name\ROOTDC001  14279    2006-02-13 11:40:34  2    ntPwdHistory
    12417    Default-First-Site-Name\ROOTDC001  14279    2006-02-13 11:40:34  2    pwdLastSet
    12417    Default-First-Site-Name\ROOTDC001  14278    2006-02-13 11:40:34  1    primaryGroupID
    12417    Default-First-Site-Name\ROOTDC001  14280    2006-02-13 11:40:34  1    supplementalCredentials
    12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    objectSid
    12417    Default-First-Site-Name\ROOTDC001  14278    2006-02-13 11:40:34  1    accountExpires
    12417    Default-First-Site-Name\ROOTDC001  14279    2006-02-13 11:40:34  2    lmPwdHistory
    12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    sAMAccountName
    12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    sAMAccountType
    12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    userPrincipalName
    12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    objectCategory

    0 entries.
    Type  Attribute  Last Mod Time  Originating DC  Loc.USN  Org.USN  Ver
    ====  =========  =============  ==============  =======  =======  ===
        Distinguished Name
        ==================

    repadmin running command /showobjmeta against server 01570860-7552-4789-a9ec-401dc63fc8d8._msdcs.ADCORP.LAN

    DsBindWithCred to 01570860-7552-4789-a9ec-401dc63fc8d8._msdcs.ADCORP.LAN failed with status 5 (0x5):
        Access is denied.

BY THE WAY: don't look at the last line with the access denied as I did this in a test env where I'm testing some things with lingering objects

cheers,
Jorge

Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 2006-05-03 19:29
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] which GC answers?

I have a problem running that: this is one of the objects I want to delete, found with ldp

    Dn: CN=adriao,CN=Users,DC=esgoto,DC=sabesp,DC=com,DC=br
        1 canonicalName: esgoto.sabesp.com.br/Users/adriao;
        1 cn: adriao;
        1 distinguishedName: CN=adriao,CN=Users,DC=esgoto,DC=sabesp,DC=com,DC=br;
        4 objectClass: top; person; organizationalPerson; user;
        1 name: adriao;

what is the exact DN I have to use? I tried these ways

    C:\REPADMIN /SHOWOBJMETA GC: CN=adriao,CN=Users,DC=esgoto,DC=sabesp,DC=com,DC=br OUTPUTfile.TXT
    C:\REPADMIN /SHOWOBJMETA GC: Dn: CN=adriao,CN=Users,DC=esgoto,DC=sabesp,DC=com,DC=br : OUTPUTfile.TXT
    C:\REPADMIN /SHOWOBJMETA GC: Dn=CN=adriao,CN=Users,DC=esgoto,DC=sabesp,DC=com,DC=br OUTPUTfile.TXT

none of them worked. What
RE: [ActiveDir] Query regarding Windows Time Service
Thanks joe, that seems like a straightforward command to run, a lot simpler than the following kb (I'm looking at the external time source):

http://support.microsoft.com/kb/816042/

Does anyone know why this would be different?

joe [EMAIL PROTECTED] wrote:

I would certainly check into it, it is implying the machines aren't syncing their time which could be bad for you.

Normally I just set this with

    net time /setsntp:server

However it would appear they just do the same thing.

It used to be w32tm had a cool switch for testing the time sync process and outputting a verbose listing of all of the steps and values, that doesn't appear to be in there now. I would wonder how people are supposed to troubleshoot now.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Wednesday, May 03, 2006 3:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query regarding Windows Time Service

I have a query regarding the Windows Time Service. Our environment is Windows 2003 FFL, Single Domain. We have a Network Time Server which I have configured our PDCe to use. Having read other posts I also configured our Core DC's to use this Time Server so that if the PDCe failed, I could just seize the role to another DC and have one less thing to configure.

What I am receiving is Eventlog messages saying "the time provider NtpClient is configured to acquire a time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 960 minutes. Ntpclient has no source of accurate time" Event ID 29

This is received on all of the Core DC's that I have configured to use the Network Time Server rather than the PDCe.

All I did was run the following command on each DC that could potentially be used as a PDCe

    w32tm /config /manualpeerlist:10.1.1.225 /syncfromflags:manual /reliable:yes /update

Anyone know why I would be receiving these event messages, should I be concerned?

James
RE: [ActiveDir] TScmd help
Oh sorry, yes, I completely understand that advice came from PSS from your previous post, I should have put the "Thanks PSS" on there too. :)

Did PSS actually say to check if they were TS Users? I wouldn't be surprised if they hadn't. A lot of the help and direction doesn't come with much insight unless you get the "right" PSS people. Which ones are the "right" ones... the ones that are good of course, I don't believe MSFT breeds for them or even tests for them, they just sort of happen and then once you find them you don't want to let go.

I once received an email from an old coworker still working for the former employer asking if I heard this from PSS what would I have done... Keep in mind that this employee was in the USA and there was no local support where the server was other than say a janitor and a secretary nor hardware level remote control capability

"This server you have in insert name of some small almost third world European nation, you want to disable NET LOGON and then reboot it and then we can check out the results..." and then 30-60 minutes later a call back from PSS "Hold on, don't do that yet, that may not be a good idea...". Then the coworker responding to PSS, "We already did, what now???"

My response was that I would have openly laughed at the PSS guy as soon as he said the first thing and said go get your dad, I need to talk to a grownup. Yes that is insulting but if you are paying for best in class support, you better get it, if not, you insult them until they get you someone who will give you that support. I was once told, but if you insult them, they will remember you and won't want to work with you again. My response to that... If I am at the point that I am going to insult them, I would rather they not work with me again and better they spend their time filtering themselves out from me than spending my time while I filter them out.

Plus I have learned that just asking for someone else isn't going to help you as evidenced by a problem I have been working through my current employer with PSS, the problem is approaching the one year point now, I have to be nice though, those are the rules I have to follow. If I didn't have to be nice, I can pretty much guarantee I wouldn't still be waiting for responses. I would have talked to the top person and they would either correct or have said no. Instead, I am treated like any customer who doesn't know better and sitting here not knowing anything about what PSS is doing.

I have accomplished great things or at least brought great visibility to things within MSFT by being an extreme pain in the tush and making engineers feel stupid and making them want to "prove me wrong". I dislike very much that I have to do things that way but have been taught, that is how I can get results with them. Ditto for the Exchange Dev folks. The DS Dev folks on the other hand, they are great, you talk to them and they listen. They may not agree with you but they will talk to you and explain why they can't do what you are asking or what is wrong with what you want changed. They have some bad apples of course, but in that case, the barrel is mostly good apples and you aren't trying to pick and choose who you deal with, you can take a random deal and almost always be ok.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Thursday, May 04, 2006 10:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help

I meant that was the advice we were given from PSS on how to solve the problem. :) Though...we did end up clearing it after finding out they were not TS users.

From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help
Date: Thu, 4 May 2006 21:17:34 -0400

Yes some Novell stuff can be found in there as well as some other things I have heard of through the years. Just clearing that attribute is a great idea... especially if you use Novell stuff as well as TS stuff. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, May 03, 2006 10:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help

My first travesty with said blos, was when an admin could not reset a user's password via the MMC. After some PSS support, it turns out it was the NWCLIENT attributes stored in the userParameters field. As it turns out these users in the NT4 days had the Netware client piece, and when they were migrated with ADMT to 2000, this nugget came with it. The solution? Just clear the userParameters attribute for all affected users if I remember. I think there is a KB article on it now.

From: [EMAIL PROTECTED]
To:
RE: [ActiveDir] GPResult incorrectly reporting DC's security groups?
As Steve mentioned it is for the Trust Selective Authentication stuff. You may have noticed this and Other Organization security principals in your Forest after you did your Windows Server 2003 ForestPrep. If not, go peek at your defined WellKnown Security Principals container in the config...

    dn:CN=This Organization,CN=WellKnown Security Principals,CN=Configuration,DC=joeware,DC=local
    objectClass: top
    objectClass: foreignSecurityPrincipal
    cn: This Organization
    distinguishedName: CN=This Organization,CN=WellKnown Security Principals,CN=Configuration,DC=joeware,DC=local
    instanceType: 4
    whenCreated: 20050424170716.0Z
    whenChanged: 20050424170716.0Z
    uSNCreated: 12314
    uSNChanged: 12314
    showInAdvancedViewOnly: TRUE
    name: This Organization
    objectGUID: {EA66BC8D-F614-4906-8E20-F17A7967D58F}
    objectSid: S-1-5-15
    objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,DC=joeware,DC=local

    dn:CN=Other Organization,CN=WellKnown Security Principals,CN=Configuration,DC=joeware,DC=local
    objectClass: top
    objectClass: foreignSecurityPrincipal
    cn: Other Organization
    distinguishedName: CN=Other Organization,CN=WellKnown Security Principals,CN=Configuration,DC=joeware,DC=local
    instanceType: 4
    whenCreated: 20050424170716.0Z
    whenChanged: 20050424170716.0Z
    uSNCreated: 12315
    uSNChanged: 12315
    showInAdvancedViewOnly: TRUE
    name: Other Organization
    objectGUID: {8C59DDCA-99DC-4548-A1CE-20A02D906B78}
    objectSid: S-1-5-1000
    objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,DC=joeware,DC=local

For some very light programmatic info regarding your favorite framework on it check out

http://msdn2.microsoft.com/en-US/library/ms180941.aspx

and

http://msdn2.microsoft.com/en-US/library/system.directoryservices.activedirectory.forest.getselectiveauthenticationstatus.aspx

I don't ever recall seeing anything that mentions it in the Win32 API though the NET stuff is thunking down to the real API at some point. NET doesn't actually do anything itself. ;o)

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, May 04, 2006 10:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPResult incorrectly reporting DC's security groups?

Have you any idea what the this organization thing is? I noticed that when I went and did gpresult on one of mine in reference to this thread.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 04, 2006 9:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPResult incorrectly reporting DC's security groups?

That is odd. Here is what one of my DCs shows

    BUILTIN\Administrators
    Everyone
    BUILTIN\Users
    Windows Authorization Access Group
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    This Organization
    ServerName$
    Domain Controllers
    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS

The first thing I would do is look at that DC directly to make sure it has all the proper values on itself. If it does, then I would use gpresult and ethereal and get a trace just to make sure that it is using the info on the local machine. You can even set up the gateway values so that you could see the traffic locally but mostly you just want to see if the queries are going off the box and you don't need to change any IP config to capture that, just watch the traffic for all LDAP packets.

If it is going off the box for the info, go look at the DC it is querying and find out what is dorked up.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ali Cain
Sent: Tuesday, May 02, 2006 5:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPResult incorrectly reporting DC's security groups?

I am currently looking at a forest which had some issues after DCPromo'ing some of the DCs, most of the problems appear to be resolved. However, a few of the DCs (Windows 2003 SP1) have a rather odd entry in GPResult (and GPMC) output :

    The computer is a part of the following security groups
    ---
    BUILTIN\Administrators
    Everyone
    BUILTIN\Users
    NT AUTHORITY\NETWORK
    NT AUTHORITY\Authenticated Users
    This Organization
    computeraccountname$
    Domain Computers

So it is reporting to be a member of Domain Computers, when it should not be. More concerning is that it is not reporting as being a member of the following groups :

    BUILTIN\Pre-Windows 2000 Compatible Access
    Windows Authorization Access Group
    Domain Controllers
    NT
RE: [ActiveDir] TScmd help
Joe,

I don't remember if they told us to check if they are TS users or not to be honest as this was almost 2 years ago. I do remember that the symptoms were quite odd in that the error message dialog box would throw out an obscure error that could not be found in any online resource. They said they had to pull it out of a source code comment reference which led them down the NWCLIENT trail. I remember writing something to identify the users in the directory that could be affected by this issue, and someone did remediate them.

Through the years of getting support (and giving it) I've found it best to ALWAYS question the actions you are being told, because people do make mistakes. I hate the excuse "Well I was told to do this." and they didn't think it through before doing it.

This reminds me of a tech who noticed a certain service was using a lot of CPU time on our Domain Controllers. He figured it might be a problem, so he killed the exe that was eating the CPU time because the OPs guy suggested it. I guess he thought this little exe would just restart and be fine because it had an obscure name he did not recognize... LSASS.EXE :) And then he wondered why authentication problem tickets came in at that site...

J

From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help
Date: Fri, 5 May 2006 08:24:47 -0400

Oh sorry, yes, I completely understand that advice came from PSS from your previous post, I should have put the "Thanks PSS" on there too. :)

Did PSS actually say to check if they were TS Users? I wouldn't be surprised if they hadn't. A lot of the help and direction doesn't come with much insight unless you get the "right" PSS people. Which ones are the "right" ones... the ones that are good of course, I don't believe MSFT breeds for them or even tests for them, they just sort of happen and then once you find them you don't want to let go.

I once received an email from an old coworker still working for the former employer asking if I heard this from PSS what would I have done... Keep in mind that this employee was in the USA and there was no local support where the server was other than say a janitor and a secretary nor hardware level remote control capability

"This server you have in insert name of some small almost third world European nation, you want to disable NET LOGON and then reboot it and then we can check out the results..." and then 30-60 minutes later a call back from PSS "Hold on, don't do that yet, that may not be a good idea...". Then the coworker responding to PSS, "We already did, what now???"

My response was that I would have openly laughed at the PSS guy as soon as he said the first thing and said go get your dad, I need to talk to a grownup. Yes that is insulting but if you are paying for best in class support, you better get it, if not, you insult them until they get you someone who will give you that support. I was once told, but if you insult them, they will remember you and won't want to work with you again. My response to that... If I am at the point that I am going to insult them, I would rather they not work with me again and better they spend their time filtering themselves out from me than spending my time while I filter them out.

Plus I have learned that just asking for someone else isn't going to help you as evidenced by a problem I have been working through my current employer with PSS, the problem is approaching the one year point now, I have to be nice though, those are the rules I have to follow. If I didn't have to be nice, I can pretty much guarantee I wouldn't still be waiting for responses. I would have talked to the top person and they would either correct or have said no. Instead, I am treated like any customer who doesn't know better and sitting here not knowing anything about what PSS is doing.

I have accomplished great things or at least brought great visibility to things within MSFT by being an extreme pain in the tush and making engineers feel stupid and making them want to "prove me wrong". I dislike very much that I have to do things that way but have been taught, that is how I can get results with them. Ditto for the Exchange Dev folks. The DS Dev folks on the other hand, they are great, you talk to them and they listen. They may not agree with you but they will talk to you and explain why they can't do what you are asking or what is wrong with what you want changed. They have some bad apples of course, but in that case, the barrel is mostly good apples and you aren't trying to pick and choose who you deal with, you can take a random deal and almost always be ok.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Thursday, May 04, 2006 10:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help

I meant that was the advice we were given from PSS on how to solve the
Re: [ActiveDir] Robocopy(OT)
How can I take ownership of it? It doesn't have a security tab and xcacls doesn't see the folder..

Thanks

On 5/4/06, joe [EMAIL PROTECTED] wrote:

Wonder if you have a dorked up ACL, what happens if you try to take ownership of it?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Sunday, April 30, 2006 8:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

Well, I've rebooted the server, ran a chkdsk, and still the dir will not disappear. I've run Process Explorer and Filemon and nothing is accessing this dir. Yet I can delete it and it's missing the security tab (it's on an ntfs vol). How the heck can I get rid of this dir? Has anyone had an issue like this?

Thanks again

4/6/06, Bruyere, Michel [EMAIL PROTECTED] wrote:

Hi, I got something similar but with a PDF file. The solution was to reboot the server…

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Thursday, April 06, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

No one has this folder open. I've run Process Explorer and Filemon and nothing is accessing this folder. I can't delete it or share it out and it's missing the security tab. Anything else I should look for?

Thanks

On 4/5/06, Mark Parris [EMAIL PROTECTED] wrote:

I have seen this if another PC has explorer open on that folder and you try and delete from another.

Mark

-----Original Message-----
From: Steve Rochford [EMAIL PROTECTED]
Date: Wed, 5 Apr 2006 16:37:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Robocopy(OT)

This seems to happen when the folder is in the process of being deleted but hasn't quite gone. Sometimes, just waiting a while will clear the problem - I suspect that a process is holding open the folder (or, possibly, a file in the folder). More than once I've hit this and gone to use Sysinternals process explorer to find out which process is guilty. By the time I've run up the program and searched for the folder name there's nothing there. Going back to the folder finds that it's either gone or can now be deleted.

In your case, I'd guess that robocopy had started creating folders and when it got interrupted, something took a while for things to get tidied up - if the helpdesk guy hasn't yet unmapped the drives he was using then I think that this might help.

Steve

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] ] On Behalf Of Tom Kern
Sent: 05 April 2006 15:45
To: activedirectory
Subject: [ActiveDir] Robocopy(OT)

I have a strange issue.

I had a help desk admin robocopy a dir from one server to another. During the copy, for whatever reason, he canceled the robocopy job. When he went to the target server an empty dir was created which now cannot be deleted.

I can't delete it through explorer or the command console at the server and get an error of cannot delete file:cannot read from the source file or disk. If I do a RD /s, I get The system cannot find the file specified.

However the dir shows up in a dir listing or explorer.

The weird thing is also, the dir has no security tab (and it's on an ntfs file system).

Some background on the robocopy job - the admin mapped 2 drives from his local box (win2k). One drive to the root of the volume on the source server and another to the root on the target. He then CD'ed to the source and ran robocopy with the /E and /V switches. After some time, he killed the job and now I'm stuck with this undeletable DIR.

Any insight would be great.

thanks
Re: [ActiveDir] LDAP Matched DN: (Null)
Joe,

Thanks for replying. The Citrix server is a member of domain A and the user accounts we're having problems resolving are members of domain B.

It's hard to explain what we're seeing. Our Citrix admin is trying to grant user account access to a 'published application' since the SID doesn't resolve, he's getting errors. If we try and add those same users to the local admins group, the SID also fails to resolve.

The trust does validate, but we haven't done extensive tests with nltest. I'm going to go and try that now.

Teo

On 5/4/06, joe [EMAIL PROTECTED] wrote:

I am not a citrix (or even TS for that matter) person so you will have to bear with me.

What do you mean you are trying to add user accounts? Is this a citrix thing? Add to what? Is the citrix server a DC or is it a member in a domain?

If you try to add user accounts to local groups on the server does that work? Do the accounts resolve? If not, have you chased the trust channels with nltest to see if there is a break somewhere?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Teo De Las Heras
Sent: Thursday, May 04, 2006 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Matched DN: (Null)

We have a citrix server where we're trying to add user accounts to from a trusted Windows 2000 domain. When we add the user account, only the SID shows up. In addition, we get an error when trying to save the permissions change. A trace of the communication between the citrix server and the Windows 2000 domain controller shows the following:

    -LDAP Message
    - Matched DN: (null)
      Error Message: (null)
      Error: Couldn't parse LDAP Controls: Wrong type for that item
    -NTLMSSP-
    -Lan Manager Response: 00
    - NTLM Response: Empty
      Domain name: NULL
      User name: Null

PSS has not been able to help with this nor has Citrix
RE: [ActiveDir] Robocopy(OT)
You could try

1. subinacl
2. script
3. search the web for various ACL mod tools plus I seem to recall one tool specifically for taking ownership out on the web somewhere, I believe it was called setowner.

If none of those work I see your options as

A. If the file is external disk such as a SAN/NAS type device, see if the vendor has a way to tap the file.
B. Open a support ticket with MSFT
C. Bring someone knowledgeable other than MSFT in to start looking at the problem
D. Reformatting the partition

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, May 05, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

How can I take ownership of it? It doesn't have a security tab and xcacls doesn't "see" the folder..

Thanks

On 5/4/06, joe [EMAIL PROTECTED] wrote:

Wonder if you have a dorked up ACL, what happens if you try to take ownership of it?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Sunday, April 30, 2006 8:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

Well, I've rebooted the server, ran a chkdsk, and still the dir will not disappear. I've run Process Explorer and Filemon and nothing is accessing this dir. Yet I can delete it and it's missing the security tab (it's on an ntfs vol). How the heck can I get rid of this dir? Has anyone had an issue like this?

Thanks again

4/6/06, Bruyere, Michel [EMAIL PROTECTED] wrote:

Hi, I got something similar but with a PDF file. The solution was to reboot the server

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Thursday, April 06, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

No one has this folder open. I've run Process Explorer and Filemon and nothing is accessing this folder. I can't delete it or share it out and it's missing the security tab. Anything else I should look for?

Thanks

On 4/5/06, Mark Parris [EMAIL PROTECTED] wrote:

I have seen this if another PC has explorer open on that folder and you try and delete from another.

Mark

-----Original Message-----
From: "Steve Rochford" [EMAIL PROTECTED]
Date: Wed, 5 Apr 2006 16:37:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Robocopy(OT)

This seems to happen when the folder is in the process of being deleted but hasn't quite gone. Sometimes, just waiting a while will clear the problem - I suspect that a process is holding open the folder (or, possibly, a file in the folder). More than once I've hit this and gone to use Sysinternals process explorer to find out which process is guilty. By the time I've run up the program and searched for the folder name there's nothing there. Going back to the folder finds that it's either gone or can now be deleted.

In your case, I'd guess that robocopy had started creating folders and when it got interrupted, something took a while for things to get tidied up - if the helpdesk guy hasn't yet unmapped the drives he was using then I think that this might help.

Steve

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] ] On Behalf Of Tom Kern
Sent: 05 April 2006 15:45
To: activedirectory
Subject: [ActiveDir] Robocopy(OT)

I have a strange issue.

I had a help desk admin robocopy a dir from one server to another. During the copy, for whatever reason, he canceled the robocopy job. When he went to the target server an empty dir was created which now cannot be deleted.

I can't delete it through explorer or the command console at the server and get an error of "cannot delete file:cannot read from the source file or disk". If I do a RD /s, I get "The system cannot find the file specified."

However the dir shows up in a dir listing or explorer.

The weird thing is also, the dir has no "security" tab (and it's on an ntfs file system).

Some background on the robocopy job - the admin mapped 2 drives from his local box (win2k). One drive to the root of the volume on the source server and another to the root on the target. He then CD'ed to the source and ran robocopy with the "/E" and "/V" switches. After some time, he killed the job and now I'm stuck with this undeletable DIR.

Any insight would be great.

thanks
RE: [ActiveDir] LDAP Matched DN: (Null)
Yep, the first thing I would do is use nltest to verify the secure channel back to the Domain A DC from the member, then from the Domain A DC to Domain B. Don't just look at the results of nltest query, actually reset the channel as I have seen times where it says it is fine but can't reset.

If the secure channel testing all pans out I would start looking at network traces as I expect you will find a network issue or firewall helping out somewhere.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teo De Las Heras
Sent: Friday, May 05, 2006 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Matched DN: (Null)

Joe,

Thanks for replying. The Citrix server is a member of domain A and the user accounts we're having problems resolving are members of domain B. It's hard to explain what we're seeing. Our Citrix admin is trying to grant user account access to a 'published application'; since the SID doesn't resolve, he's getting errors. If we try and add those same users to the local admins group, the SID also fails to resolve. The trust does validate, but we haven't done extensive tests with nltest. I'm going to go and try that now.

Teo

On 5/4/06, joe [EMAIL PROTECTED] wrote:

I am not a citrix (or even TS for that matter) person so you will have to bear with me.

What do you mean you are trying to add user accounts? Is this a citrix thing? Add to what? Is the citrix server a DC or is it a member in a domain? If you try to add user accounts to local groups on the server does that work? Do the accounts resolve? If not, have you chased the trust channels with nltest to see if there is a break somewhere?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Teo De Las Heras
Sent: Thursday, May 04, 2006 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Matched DN: (Null)

We have a citrix server where we're trying to add user accounts from a trusted Windows 2000 domain. When we add the user account, only the SID shows up. In addition, we get an error when trying to save the permissions change. A trace of the communication between the citrix server and the Windows 2000 domain controller shows the following:

-LDAP Message
- Matched DN: (null)
Error Message: (null)
Error: Couldn't parse LDAP Controls: Wrong type for that item
-NTLMSSP-
-Lan Manager Response: 00
- NTLM Response: Empty
Domain name: NULL
User name: Null

PSS has not been able to help with this nor has Citrix
RE: [ActiveDir] Robocopy(OT)
CHKDSK?
Re: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?
ADAM rocks! It's exactly what I look for in a directory of that type - stable, scalable, easy to deploy. What's missing are the tools to easily administer it for the average Joe (note the capitalization and the reference to the average :) which would help it compete against more expensive tools such as, oh I don't know, SunOne. It's that toolset that will differentiate it (and the price of course) for the purchaser that doesn't have the time to roll their own toolsets. RedHat's directory will have other tools available. Will they be better? Hard to say, but the expectation that if you pay for it, you have a better tool set is certainly there.

Not sure about the happiness factor with ADAM tools. I have to say I think they're rough(er) than I expected from a Microsoft product, but then again, they are suitable to the task that ADAM is designed for. I cannot think that there is anything more specific that Microsoft could/would have come up with that would make sense for the intended ADAM audience. That's really the key, the ADAM audience. It's a programmer's directory - by design. Not an Admin's directory, not an end user's directory, but a programmer's directory intended to be repackaged and delivered to the masses. Directories everywhere :)

As for interface, "...and if people wanted to use it bad enough, they would figure it out." I have to disagree to some extent. I think of people writing those extensions as being like water: they tend to take the path of least resistance appropriate for the task. Sure, not everyone does, but we're not talking about everyone. We're talking about the John Q here, and even then we're narrowing that down to a subset of those that are interested enough to read the ADAM documentation in the first place or the MMC extension documentation (yuck.) The stability of the MMC resource pig has not been favorable when taking that route, IMHO. Nice concept, but yikes difficult to work with for the average admin. Not what I have in mind for ADAM management.

I like the idea of a drag and drop concept if you're going to make tools. Should it be specific to ADAM? I don't think so. I think it should read the directory it's working with and present based on that as much as possible. I think it should be web based with drag and drop abilities. .Net, JAVA, AJAX, whatever, but it should be easy to use and customizable by the average geek that picks it up with minimal coding skillz.

They said that admins would all become scripters when they released AD many years back. Hmm... Not sure that's the case, but some tasks are certainly easier if you can script them against the directory.

If you can't make it read and adapt to the directory structure it's going to use, I'm not sure I see much value in a tool aimed at ADAM joe.

My $0.04 worth anyway.

Al

On 5/4/06, joe [EMAIL PROTECTED] wrote:

I was thinking of something a little more robust than ADUC with extensions. More of a combination of ADUC, DSSITES, ADSIEDIT, Schema Manager, and some yet to be publicly seen ADAM specific management stuff. Maybe some form of tie in to MIIS/IIFP/ADAMSynch for easily configuring those products so you don't have to hurt your forehead slamming the wall.

I understand the desire for extension capability but even there, how many people are actually taking advantage of it? Yes it is a pain now for ADUC but it exists and if people wanted to use it bad enough, they would figure it out.

Next question, how do you do EASY extension capability that is flexible and powerful and useable? Add to that not requiring people to use NET to do things. I haven't completely shut the door on NET but it is bottom of the pile for things I want to do or require. I have had way too many people write me (some of whom I even respect) and say that one of the beautiful things about my code is that I am not using/requiring NET. I feel similar when I hear people say that NET and MONAD are going to make most everyone scripters and programmers. I think we will see Australian Ice Hockey becoming the next great global sport before we see everyone or even a majority of admins becoming scripters and programmers with NET unless MSFT dumbs it down considerably more, the object model is enough to scare most people away. Don't get me wrong, I think NET is going to be popular, just like JAVA was/is. But there are a lot of coders who won't go near it.

So the next question is What kind of extension model do you go with? Honestly it would have to be some RAD drag and drop with field tweak kind of extension in my opinion. I would visualize you saying ADD TAB, then laying out the form the way you like to see data, specifying the attribute to be displayed in the various fields and specifying HOW it should be displayed with the schema being used to determine a default and possibly helping control what other ways it could be displayed. Possibly adding in data rules that control what can be typed in the fields
[ActiveDir] NT4Emulator Reg Key
I am upgrading an NT4.0 domain to Windows 2003R2 and on the PDC I have added to the HKLM...Netlogon\parameters the key NT4Emulator with a value of 1 and then done the inplace upgrade.

I now try to promote in another AD DC and it does not work; I get DNS timeout errors (0x05B4 ERROR_TIMEOUT). DNS is configured correctly, and removing the key and rebooting the upgraded DC makes the issue go away and I can add new AD DCs.

Is this normal or is it a new feature of R2?

Mark

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] LDAP Matched DN: (Null)
Joe,

On some domain controllers we're getting the following:

I:\nltest /server:domain naming master dc /sc_query:domainb
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

So I think we are closer

Teo
RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?
So did yours Al... I read it over on OWA...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, May 05, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: Re: [ActiveDir] ADAM Management Tool REQs and Desires.. WAS: Internet Authentication Concepts: Pointers?
RE: [ActiveDir] LDAP Matched DN: (Null)
That is name resolution failure, DomainB DC issues, or network issues...

You can try this

nltest /sc_reset:domainb\dcname

If it works, it means that you probably have name res issues.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
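The secure-channel walk described in this thread (query each hop, then actually reset it, then retry against a named DC), written out as an added PowerShell example. It is not code from any poster; DOMAINA, DOMAINB, DC-A01 and the optional pinned Domain B DC are hypothetical names, and the success line it parses is the standard nltest "Trusted DC Connection Status" output.

```powershell
# Added example, not from the thread. All domain and DC names are hypothetical.
# Run elevated on the member server; nltest.exe must be on the PATH, and the
# account needs rights to reset the secure channel on the Domain A DC.
param(
    [string]$DomainA   = 'DOMAINA',  # domain the member server belongs to
    [string]$DomainB   = 'DOMAINB',  # trusted domain that holds the user accounts
    [string]$DomainADc = 'DC-A01',   # Domain A DC the member is talking to
    [string]$DomainBDc = ''          # optional: specific Domain B DC to pin the reset to
)

function Invoke-NlTest {
    # Runs one nltest command and pulls the status code out of its text output.
    param([string]$Hop, [string]$Verb, [string[]]$NlArgs)

    $text = (& nltest.exe @NlArgs 2>&1 | Out-String).Trim()

    # Failure (as posted in the thread):
    #   I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
    # Success:
    #   Trusted DC Connection Status Status = 0 0x0 NERR_Success
    $status = $null
    $name   = 'UNPARSED'
    if ($text -match 'Status = (\d+) 0x[0-9a-fA-F]+ (\S+)') {
        $status = [int]$Matches[1]
        $name   = $Matches[2]
    }

    [pscustomobject]@{
        Hop        = $Hop
        Verb       = $Verb
        Command    = "nltest $($NlArgs -join ' ')"
        Status     = $status
        StatusName = $name
        Ok         = ($status -eq 0)   # $null (unparsed) counts as not OK
    }
}

# Hop 1: member -> Domain A DC. Hop 2: Domain A DC -> Domain B.
# Each hop is queried first and then reset, because a query can report a
# healthy channel that still cannot be reset.
$hop1 = 'member -> Domain A'
$hop2 = 'Domain A DC -> Domain B'
$steps = @(
    [pscustomobject]@{ Hop = $hop1; Verb = 'query'; NlArgs = @("/sc_query:$DomainA") }
    [pscustomobject]@{ Hop = $hop1; Verb = 'reset'; NlArgs = @("/sc_reset:$DomainA") }
    [pscustomobject]@{ Hop = $hop2; Verb = 'query'; NlArgs = @("/server:$DomainADc", "/sc_query:$DomainB") }
    [pscustomobject]@{ Hop = $hop2; Verb = 'reset'; NlArgs = @("/server:$DomainADc", "/sc_reset:$DomainB") }
)

$results = foreach ($s in $steps) {
    Invoke-NlTest -Hop $s.Hop -Verb $s.Verb -NlArgs $s.NlArgs
}
$results | Format-Table Hop, Verb, Status, StatusName, Ok -AutoSize | Out-String | Write-Host

foreach ($hop in @($hop1, $hop2)) {
    $q = $results | Where-Object { $_.Hop -eq $hop -and $_.Verb -eq 'query' }
    $r = $results | Where-Object { $_.Hop -eq $hop -and $_.Verb -eq 'reset' }
    if ($r.Ok) {
        Write-Host "$hop : reset succeeded"
    } elseif ($q.Ok) {
        Write-Host "$hop : query looked fine but reset failed ($($r.StatusName)); treat the channel as broken"
    } else {
        Write-Host "$hop : query and reset both failed ($($q.StatusName)); check name resolution, the Domain B DCs and the network path"
    }
}

# If the second hop failed and a Domain B DC was named, retry pinned to that DC,
# using the domain\dcname form given in the thread.
$hop2Reset = $results | Where-Object { $_.Hop -eq $hop2 -and $_.Verb -eq 'reset' }
if ($DomainBDc -and -not $hop2Reset.Ok) {
    $pinned = Invoke-NlTest -Hop "$hop2 (pinned DC)" -Verb 'reset' `
        -NlArgs @("/server:$DomainADc", "/sc_reset:${DomainB}\${DomainBDc}")
    if ($pinned.Ok) {
        Write-Host 'Reset against a named DC worked; per the thread, that points to name resolution.'
    } else {
        Write-Host "Pinned reset also failed ($($pinned.StatusName)); move on to network traces."
    }
}
```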
RE: [ActiveDir] Robocopy(OT)
Cacls
Xcacls
Subinacl
Format q c:
rm rf /
a consultant
google set ownership tools perhaps too

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: [ActiveDir] Robocopy(VERY OT)
Other ways...

Dos bootdisk with Fdisk - www.bootdisk.com

And there's also this.
http://www.semshred.com/contentmgr/showdetails.php/id/680/tp/VE1HUj0xLHRpZD02NzIs

Clyde Burns
Louisville Ky.
The one guy in the office who didn't go to the track on Oaks day.
Re: [ActiveDir] LDAP Matched DN: (Null)
Thanks Joe... I think we figured it out. The domain controller having issues has lost its route to domain b. I think we can get this fixed if we can get the citrix server to log on to another DC.

Thanks!

Teo
Re: [ActiveDir] Robocopy(OT)
Subinacl, Xcacls (which I stated I used already, Brian), and Setowner all give the same error - The system cannot find the file specified.

Chkdsk with a reboot didn't help at all.

Thanks
RE: [ActiveDir] which GC answers?
Jorge, thanks a lot, but I don´t know either I am doing something wrong or there´s a problem here. This is the case: I have a user (jjunior - Jose Marcondes Junior) that is a lingering object for sure. I used ldp and found it as I can see here ***Searching... ldap_search_s(ld, DC=SABESP,DC=COM,DC=BR, 2, (sAMAccountName=jjunior), attrList, 0, msg) Result 0: (null) Matched DNs: Getting 1 entries: Dn: CN=Jose Marcondes Junior,OU=Usuarios,OU=Pindamonhangaba,DC=sjc,DC=sabesp,DC=com,DC=br 1 canonicalName: sjc.sabesp.com.br/Pindamonhangaba/Usuarios/Jose Marcondes Junior; 1 cn: Jose Marcondes Junior; 1 distinguishedName: CN=Jose Marcondes Junior,OU=Usuarios,OU=Pindamonhangaba,DC=sjc,DC=sabesp,DC=com,DC=br; 4 objectClass: top; person; organizationalPerson; user; 1 objectGUID: 5efc7740-29c6-432f-b255-133b5018c2e3; 1 name: Jose Marcondes Junior; Using the command you´ve sent to me I get this messager in all my GC´s repadmin running command /SHOWOBJMETA against server 526daaa4-e98a-444c-8474-eca005b4651b._msdcs.sabesp.com.br Caching GUIDs. ..Assertion Assertion 17 entries. 
Loc.USN  Originating DC                        Org.USN  Org.Time/Date        Ver  Attribute
=======  ====================================  =======  ===================  ===  =========
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    objectClass
153144   RGT-AFERNANDES\RGT-ETARGT1            153144   2006-04-17 17:44:36  1    cn
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    sn
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47424    2004-01-08 11:11:42  1    description
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    givenName
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    instanceType
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    whenCreated
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47424    2004-01-08 11:11:42  1    displayName
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47426    2004-01-08 11:11:43  2    nTSecurityDescriptor
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    name
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47431    2004-01-08 11:11:43  3    userAccountControl
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47424    2004-01-08 11:11:42  1    primaryGroupID
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    objectSid
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    sAMAccountName
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    sAMAccountType
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    userPrincipalName
153144   4b6fb9d1-a80f-4100-8647-f92d9cdc0995  47423    2004-01-08 11:11:42  1    objectCategory

Caching GUIDs. ..Assertion Assertion
DsReplicaGetInfo() failed with status 50 (0x32): Não há suporte para o pedido.

(what´s the meaning of this error message?) and so on in all of them.

With adsiedit I looked in many GCs and I cannot find the user in the OU shown by LDP. It must be somewhere, mustn´t it? cause LDP is displaying it and I can not use that name (jjnunior) because it is already in use. I await your help.
___
Adrião Ferreira Ramos [EMAIL PROTECTED]
Windows Support Team
(11) 3388-8193

Almeida Pinto, Jorge de [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
05/05/2006 04:30
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] which GC answers?

it is:

repadmin /showobjmeta GC: CN=User-ROOT-01,OU=Users,OU=ORG,DC=ADCORP,DC=LAN

the output will be something like:

repadmin running command /showobjmeta against server ed0c6501-28c1-47e9-b3db-5dcf281e9e31._msdcs.ADCORP.LAN

26 entries.
Loc.USN  Originating DC                     Org.USN  Org.Time/Date        Ver  Attribute
=======  =================================  =======  ===================  ===  =========
12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    objectClass
12417    Default-First-Site-Name\ROOTDC002  12417    2006-02-13 11:48:46  1    cn
12417    Default-First-Site-Name\ROOTDC001  14299    2006-02-13 11:41:54  1    description
12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    givenName
12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    instanceType
12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    whenCreated
12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    displayName
12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    nTSecurityDescriptor
12417    Default-First-Site-Name\ROOTDC001  14277    2006-02-13 11:40:34  1    name
12417    Default-First-Site-Name\ROOTDC001  14282    2006-02-13 11:40:34  4    userAccountControl
12417    Default-First-Site-Name\ROOTDC001  14278    2006-02-13 11:40:34  1    codePage
12417    Default-First-Site-Name\ROOTDC001  14278
RE: [ActiveDir] LDAP Matched DN: (Null)
You can try to do that by forcing the secure channel to go to another DC. You would use the SC_RESET command and specify the DC you want like I mentioned below. That may not work at all or it may not work long term though so try and see if it gets you running but really try to get your routing straightened up asap.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teo De Las Heras
Sent: Friday, May 05, 2006 11:22 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Matched DN: (Null)

Thanks Joe... I think we figured it out. The domain controller having issues has lost its route to domain b. I think we can get this fixed if we can get the citrix server to log on to another DC. Thanks!

Teo

On 5/5/06, joe [EMAIL PROTECTED] wrote:

That is name resolution failure, DomainB DC issues, or network issues... You can try this

nltest /sc_reset:domainb\dcname

If it works, it means that you probably have name res issues.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Teo De Las Heras
Sent: Friday, May 05, 2006 10:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Matched DN: (Null)

Joe, on some domain controllers we're getting the following:

I:\nltest /server:domain naming master dc /sc_query:domainb
I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

So I think we are closer.

Teo

On 5/5/06, joe [EMAIL PROTECTED] wrote:

Yep, the first thing I would do is use nltest to verify the secure channel back to the Domain A DC from the member, then from the Domain A DC to Domain B. Don't just look at the results of nltest query, actually reset the channel as I have seen times where it says it is fine but can't reset.

If the secure channel testing all pans out I would start looking at network traces as I expect you will find a network issue or firewall helping out somewhere.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Teo De Las Heras
Sent: Friday, May 05, 2006 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Matched DN: (Null)

Joe, thanks for replying. The citrix server is a member of domain A and the user accounts we're having problems resolving are members of domain B. It's hard to explain what we're seeing. Our Citrix admin is trying to grant user account access to a 'published application'. Since the SID doesn't resolve, he's getting errors. If we try and add those same users to the local admins group, the SID also fails to resolve. The trust does validate, but we haven't done extensive tests with nltest. I'm going to go and try that now.

Teo

On 5/4/06, joe [EMAIL PROTECTED] wrote:

I am not a citrix (or even TS for that matter) person so you will have to bear with me. What do you mean you are trying to add user accounts? Is this a citrix thing? Add to what? Is the citrix server a DC or is it a member in a domain? If you try to add user accounts to local groups on the server does that work? Do the accounts resolve? If not, have you chased the trust channels with nltest to see if there is a break somewhere?

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Teo De Las Heras
Sent: Thursday, May 04, 2006 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Matched DN: (Null)

We have a citrix server where we're trying to add user accounts to from a trusted Windows 2000 domain. When we add the user account, only the SID shows up. In addition, we get an error when trying to save the permissions change.

A trace of the communication between the citrix server and the Windows 2000 domain controller shows the following:

-LDAP Message -
Matched DN: (null)
Error Message: (null)
Error: Couldn't parse LDAP Controls: Wrong type for that item
-NTLMSSP-
-Lan Manager Response: 00
- NTLM Response: Empty
Domain name: NULL
User name: Null

PSS has not been able to help with this nor has Citrix
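The hop-by-hop secure channel check described in this thread, as an added example that is not part of the original messages: it issues the same nltest /sc_query and /sc_reset calls quoted above and counts a hop as healthy only when the reset succeeds. DOMAINA, DOMAINB, DCA01 and DCB01 are placeholder names, and the success-case sample output is constructed.

```powershell
# Added example (not from the thread). Placeholder names: DOMAINA, DOMAINB, DCA01, DCB01.

function ConvertFrom-NltestOutput {
    # Pull the trusted DC and the "Status = <dec> <hex> <name>" triple out of nltest output.
    param([string[]]$Lines)
    $r = [ordered]@{ TrustedDC = $null; Code = $null; Name = $null; Failed = $false }
    foreach ($line in $Lines) {
        if ($line -match 'Trusted DC Name\s+(\S+)') {
            $r.TrustedDC = $Matches[1]
        }
        if ($line -match 'Status = (\d+) 0x[0-9a-fA-F]+ (\S+)') {
            $r.Code = [int]$Matches[1]
            $r.Name = $Matches[2]
        }
        if ($line -match '^I_NetLogonControl failed') {
            $r.Failed = $true
        }
    }
    [pscustomobject]$r
}

function Test-SecureChannelHop {
    # Query, then reset, the secure channel from one machine to one domain.
    # A query can report success while a reset still fails, so the verdict
    # is taken from the reset result only.
    param(
        [string]$Server,                          # machine to test from; empty = local machine
        [Parameter(Mandatory)][string]$Domain,    # domain the channel points at
        [string]$ResetToDC                        # optional DC to pin the channel to
    )
    $base = @()
    if ($Server) { $base += "/server:$Server" }

    $queryOut = & nltest.exe @base "/sc_query:$Domain" 2>&1 | ForEach-Object { "$_" }
    $query = ConvertFrom-NltestOutput $queryOut

    $target = if ($ResetToDC) { "${Domain}\${ResetToDC}" } else { $Domain }
    $resetOut = & nltest.exe @base "/sc_reset:$target" 2>&1 | ForEach-Object { "$_" }
    $reset = ConvertFrom-NltestOutput $resetOut

    $from = if ($Server) { $Server } else { $env:COMPUTERNAME }
    [pscustomobject]@{
        Hop         = "$from -> $Domain"
        QueryStatus = $query.Name
        ResetStatus = $reset.Name
        TrustedDC   = $reset.TrustedDC
        Healthy     = (-not $reset.Failed) -and ($reset.Code -eq 0)
    }
}

# Offline check of the parser.
# The failure line is the one quoted in the thread; the success lines are constructed.
$sampleFail = @(
    'I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN'
)
$sampleOk = @(
    'Flags: 30 HAS_IP  HAS_TIMESERV',
    'Trusted DC Name \\dcb01.domainb.example',
    'Trusted DC Connection Status Status = 0 0x0 NERR_Success',
    'The command completed successfully'
)
ConvertFrom-NltestOutput $sampleFail | Format-List
ConvertFrom-NltestOutput $sampleOk   | Format-List

# Live use from an elevated prompt: member server to domain A first,
# then the domain A DC towards domain B, optionally pinned to a chosen DC.
# Test-SecureChannelHop -Domain DOMAINA
# Test-SecureChannelHop -Server DCA01 -Domain DOMAINB -ResetToDC DCB01
```

A hop that reports QueryStatus NERR_Success but Healthy False is the case joe warns about, where the query looks fine and the reset cannot complete.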
RE: [ActiveDir] NT4Emulator Reg Key
As the key says, the NT4Emulator key makes an AD DC behave like an NT4 DC. When trying to promote additional DCs or using w2k/wxp/w2k3 clients to manage AD you are not able to connect. The main reason for the NT4Emulator key is to prevent ALL w2k/wxp/w2k3 clients and servers swamping down the PDC FSMO as that is the first AD DC in the field. Another reason could be you want to in place upgrade and see if everything goes OK without starting using kerberos already. As soon as you are satisfied and you have enough AD DCs you can remove the NT4Emulator keys from the AD DCs and ALL w2k/wxp/w2k3 clients and servers will start using kerberos instead of NTLM as soon as they find the AD DCs.

OK, back to the connecting thing. To be able to connect and to add additional AD DCs you must introduce the NeutralizeNT4Emulator key on the client that tries to connect or on the DC you are promoting. For the DC you are promoting, make sure you introduce the NT4Emulator key (if needed!) otherwise the w2k/wxp/w2k3 clients and servers will find that DC and use it!

Normal? No
Feature of R2? No
You? Who knows... ;-))

Cheers, jorge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, May 05, 2006 16:11
To: ActiveDir.org
Subject: [ActiveDir] NT4Emulator Reg Key

I am upgrading an NT4.0 domain to Windows 2003R2 and on the PDC I have added to the HKLM...Netlogon\parameters the key NT4Emulator with a value of 1 and then done the inplace upgrade. I now try to promote in another AD DC and it does not work. I get DNS timeout errors (0x05B4 ERROR_TIMEOUT). DNS is configured correctly and removing the key and rebooting the upgraded DC makes the issue go away and I can add new AD DC's. Is this normal or is it a new feature of R2?
Mark

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Robocopy(OT)
I've seen this in NT4, but not recently. In our case, the fix was to share out a parent folder, and delete the offending sub-folder from another machine via the share. Tyson. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Friday, May 05, 2006 9:24 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Robocopy(OT) Subinacl,Xacls(which I stated I used already, Brian),and Setowner all give the same error- "The system cannot find the file specified". Chkdsk with a reboot didn't help at all. Thanks On 5/5/06, Brian Desmond [EMAIL PROTECTED] wrote: Cacls Xcacls Subinacl Format q c: rm rf / a consultant google set ownership tools perhaps too Thanks,Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom KernSent: Friday, May 05, 2006 9:14 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Robocopy(OT) How can I take ownership of it? It doesn't have a security tab and xcacls doesn't "see" the folder.. Thanks On 5/4/06, joe [EMAIL PROTECTED] wrote: Wonder if you have a dorked up ACL, what happens if you try to take ownership of it? O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern Sent: Sunday, April 30, 2006 8:58 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Robocopy(OT) Well, I've rebooted the server,ran a chkdsk, and still the dir will not disappear. I've run Process Explorer and Filemon and nothing is acessing this dir. Yet I can delete it and its missing the security tab(its on an ntfs vol). How the heck cn I get rid of this dir? Has anyone had an issue like this? Thanks again 4/6/06, Bruyere, Michel [EMAIL PROTECTED] wrote: Hi, I got something similar but with a PDF file. 
The solution was to reboot the server From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom KernSent: Thursday, April 06, 2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Robocopy(OT) No one has this folder open. I've run Process Explorer and Filemon and nothing is accessing this folder. I can't delete i or share it out and its missing the security tab. anything else I should look for? Thanks On 4/5/06, Mark Parris [EMAIL PROTECTED] wrote: I have seen this if another PC has explorer open on that folder and you try and delete from another.Mark-Original Message-From: "Steve Rochford" [EMAIL PROTECTED]Date: Wed, 5 Apr 2006 16:37:03To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Robocopy(OT)This seems to happen when the folder is in the process of being deleted but hasn't quite gone. Sometimes, just waiting a while will clear the problem - I suspect that a process is holding open the folder (or, possibly, a file in the folder). More than once I've hit this and gone to use Sysinternals process explorer to find out which process is guilty. By the time I've run up the program and searched for the folder name there's nothing there. going back to the folder finds that it's either gone or can now be deleted. In your case, I'd guess that robocopy had started creating folders and when it got interrupted, something took a while for things to get tidied up - if the helpdesk guy hasn't yet unmapped the drives he was using then I think that this might help. SteveFrom: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] ] On Behalf Of Tom KernSent: 05 April 2006 15:45To: activedirectory Subject: [ActiveDir] Robocopy(OT)I have a strange issue.I had a help desk admin robocopy a dir from one server to another. 
During the copy, for whatever reason, he canceled the robocopy job.When he went to the target server a empty dir was created which now cannot be deleted.I can't delete it through explorer or the command console at the server and get an error of "cannot delete file:cannot read from the source file or disk". If i do a RD /s, i get "The system cannot find the file specified."However the dir shows up in a dir listing or explorer.The weird thing is also, the dir has no "security" tab(and its on an ntfs file system). Some backround on the robocopy job-the admin mapped 2 drives from his local box(win2k).One drive to the root of the volume on the source server and another to the root on the target.he then CD'ed to the source and ran robocopy with the "/E" and "/V" switches. after sometime, he killed the job and now I'm stuck with this undeletable DIR.Any insight would be great.thanks
RE: [ActiveDir] Robocopy(OT)
Tough to do if it's at the root. I would try this, have the originating user log on to the originating machine that originally mapped the two drives and disconnect the target's mapped drive, if not already done, then reboot it. Have him log back on, map the target againusing the same drive letter and same security credential andhave him see if the folder in question shows up. If so, have him try whacking it. RH _ -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Tyson LeslieSent: Friday, May 05, 2006 11:58 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Robocopy(OT) I've seen this in NT4, but not recently. In our case, the fix was to share out a parent folder, and delete the offending sub-folder from another machine via the share. Tyson. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom KernSent: Friday, May 05, 2006 9:24 AMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Robocopy(OT) Subinacl,Xacls(which I stated I used already, Brian),and Setowner all give the same error- "The system cannot find the file specified". Chkdsk with a reboot didn't help at all. Thanks On 5/5/06, Brian Desmond [EMAIL PROTECTED] wrote: Cacls Xcacls Subinacl Format q c: rm rf / a consultant google set ownership tools perhaps too Thanks,Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom KernSent: Friday, May 05, 2006 9:14 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Robocopy(OT) How can I take ownership of it? It doesn't have a security tab and xcacls doesn't "see" the folder.. Thanks On 5/4/06, joe [EMAIL PROTECTED] wrote: Wonder if you have a dorked up ACL, what happens if you try to take ownership of it? 
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern Sent: Sunday, April 30, 2006 8:58 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Robocopy(OT) Well, I've rebooted the server,ran a chkdsk, and still the dir will not disappear. I've run Process Explorer and Filemon and nothing is acessing this dir. Yet I can delete it and its missing the security tab(its on an ntfs vol). How the heck cn I get rid of this dir? Has anyone had an issue like this? Thanks again 4/6/06, Bruyere, Michel [EMAIL PROTECTED] wrote: Hi, I got something similar but with a PDF file. The solution was to reboot the server From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom KernSent: Thursday, April 06, 2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Robocopy(OT) No one has this folder open. I've run Process Explorer and Filemon and nothing is accessing this folder. I can't delete i or share it out and its missing the security tab. anything else I should look for? Thanks On 4/5/06, Mark Parris [EMAIL PROTECTED] wrote: I have seen this if another PC has explorer open on that folder and you try and delete from another.Mark-Original Message-From: "Steve Rochford" [EMAIL PROTECTED]Date: Wed, 5 Apr 2006 16:37:03To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Robocopy(OT)This seems to happen when the folder is in the process of being deleted but hasn't quite gone. Sometimes, just waiting a while will clear the problem - I suspect that a process is holding open the folder (or, possibly, a file in the folder). More than once I've hit this and gone to use Sysinternals process explorer to find out which process is guilty. By the time I've run up the program and searched for the folder name there's nothing there. going back to the folder finds that it's either gone or can now be deleted. 
In your case, I'd guess that robocopy had started creating folders and when it got interrupted, something took a while for things to get tidied up - if the helpdesk guy hasn't yet unmapped the drives he was using then I think that this might help. SteveFrom: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] ] On Behalf Of Tom KernSent: 05 April 2006 15:45To: activedirectory Subject: [ActiveDir] Robocopy(OT)I have a strange issue.I had a help desk admin robocopy a
RE: [ActiveDir] Robocopy(OT)
Is there a trailing space at the end of the folder name? I got bit by this one and didn't really understand why at first because the trailing space was almost unnoticeable. To date I have not been able to remove the folder. I found a number of tools that address deleting files with trailing spaces, but not a lot of help for folders. If anyone solves this, I'd sure like to know how. Mostly, it's a tidiness issue for me.

Thomas

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, May 05, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Robocopy(OT)

Tough to do if it's at the root. I would try this, have the originating user log on to the originating machine that originally mapped the two drives and disconnect the target's mapped drive, if not already done, then reboot it. Have him log back on, map the target again using the same drive letter and same security credential and have him see if the folder in question shows up. If so, have him try whacking it.

RH
_
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie
Sent: Friday, May 05, 2006 11:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Robocopy(OT)

I've seen this in NT4, but not recently. In our case, the fix was to share out a parent folder, and delete the offending sub-folder from another machine via the share.

Tyson.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, May 05, 2006 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

Subinacl, Xacls (which I stated I used already, Brian), and Setowner all give the same error- "The system cannot find the file specified". Chkdsk with a reboot didn't help at all.
Thanks On 5/5/06, Brian Desmond [EMAIL PROTECTED] wrote: Cacls Xcacls Subinacl Format q c: rm rf / a consultant google set ownership tools perhaps too Thanks,Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom KernSent: Friday, May 05, 2006 9:14 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Robocopy(OT) How can I take ownership of it? It doesn't have a security tab and xcacls doesn't "see" the folder.. Thanks On 5/4/06, joe [EMAIL PROTECTED] wrote: Wonder if you have a dorked up ACL, what happens if you try to take ownership of it? O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern Sent: Sunday, April 30, 2006 8:58 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Robocopy(OT) Well, I've rebooted the server,ran a chkdsk, and still the dir will not disappear. I've run Process Explorer and Filemon and nothing is acessing this dir. Yet I can delete it and its missing the security tab(its on an ntfs vol). How the heck cn I get rid of this dir? Has anyone had an issue like this? Thanks again 4/6/06, Bruyere, Michel [EMAIL PROTECTED] wrote: Hi, I got something similar but with a PDF file. The solution was to reboot the server From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom KernSent: Thursday, April 06, 2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Robocopy(OT) No one has this folder open. I've run Process Explorer and Filemon and nothing is accessing this folder. I can't delete i or share it out and its missing the security tab. anything else I should look for? 
Thanks On 4/5/06, Mark Parris [EMAIL PROTECTED] wrote: I have seen this if another PC has explorer open on that folder and you try and delete from another.Mark-Original Message-From: "Steve Rochford" [EMAIL PROTECTED]Date: Wed, 5 Apr 2006 16:37:03To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Robocopy(OT)This seems to happen when the folder is in the process of being deleted but hasn't quite gone. Sometimes, just waiting a while will clear the problem - I suspect that a process is holding open the folder (or, possibly, a file in the folder). More than once I've hit this and gone to use Sysinternals process explorer to find out which process is guilty. By the time I've run up the program and searched for the folder name
Re: [ActiveDir] NT4Emulator Reg Key
Thanks Jorge. I have not done an inplace before, only migrations. Mark -Original Message- From: Almeida Pinto, Jorge de [EMAIL PROTECTED] Date: Fri, 5 May 2006 17:52:35 To:ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] NT4Emulator Reg Key As the key says, the NT4Emulator key makes a AD DC behave like an NT4 DC. When trying to promote additional DCs or using w2k/wxp/w2k3 clients to manage AD you are not able to connect. The main reason the NT4Emulator key is to prevent ALL w2k/wxp/w2k3 clients and servers swamping down the PDC FSMO as that is the first AD DC in the field. Another reason could me you want to in place upgrade and see if everything goes OK without starting using kerberos already. As soon as you are satisfied and you have enough AD DCs you can remove the NT4Emulator keys from the AD DCs and ALL w2k/wxp/w2k3 clients and servers will start using kerberos instead of NTLM as soon as they find the AD DCs. OK, back to the connecting thing To be able to connect and to add additional AD DCs you must introduce the NeutralizeNT4Emulator key on the client that tries to connect or on the DC you are promoting. For the DC you are promoting, make sure you introduce the NT4Emulator key (if needed!) otherwise the w2k/wxp/w2k3 clients and servers will find that DC and use it! Normal? No Feature of R2? No You? Who knows... ;-)) Cheers, jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, May 05, 2006 16:11 To: ActiveDir.org Subject: [ActiveDir] NT4Emulator Reg Key I am upgrading an NT4.0 domain to Windows 2003R2 and on the PDC I have added to the HKLM...Netlogon\parameters the key NT4Emulator with a value of 1 and then done the inplace upgrade. I now try to promote in another AD DC and it does not work I get DNS timeout errors (0x05B4 ERROR_TIMEOUT) DNS is configured correctly and removing the key and rebooting the upgraded DC makes the issue go away and I can add new AD DC's. 
Is this normal or is it a new feature of R2? Mark
RE: [ActiveDir] Optimize Exchange Pagefile
If you get another drive a RAID 01 (or is it 10) would be a better choice in my eyes
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, May 04, 2006 5:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Optimize Exchange Pagefile

If you have 4gig of RAM then you should get minimal paging. (I know this is a great generalization)

1) Log file access is sequential, database is random
2) Keeping Log files write queue down is key to performance
3) log files are write only
4) raid-5 tends to have poor write performance (again great generalization).

So I would try and get another drive in the box so I could have a mirrored pair for OS LOGS, and a mirrored pair for Databases. Putting these on separate drives will do far more for performance than changing the page file. RAID-5 is a real bad performer on write. These days I would avoid as far as possible... I am sure other folks may disagree...

-Original Message-
From: [EMAIL PROTECTED] on behalf of Dan DeStefano
Sent: Thu 04/05/2006 21:36
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] Optimize Exchange Pagefile

Yes, far less than 100, on this box it is under 20. You do not think it is necessary to mess with the page file, even if only to make it static?

Dan
_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, May 04, 2006 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Optimize Exchange Pagefile

There is no point in messing about with memory config if you only have a three drive RAID 5 array. Disk config is critical. How many users do you want to put on this box. less than 100?

-Original Message-
From: [EMAIL PROTECTED] on behalf of Dan DeStefano
Sent: Thu 04/05/2006 20:16
To: ActiveDir@mail.activedir.org
Cc:
Subject: [ActiveDir] Optimize Exchange Pagefile

I was wondering if anyone can point me to any MS document that discusses optimizing the page file on an Exchange box.
I found http://support.microsoft.com/kb/815372, but this article does not discuss the page file. I am running SBS 2003 on a 3 GHZ Xeon with 4GB physical memory and a 3-disk RAID5 array with 2 logical drives. I plan on installing the Exchange binaries on the first logical drive (which will also contain the system and boot partitions) and the Exchange databases, logs, queues, etc on the second logical drive. The way I normally set the pagefile on my systems is to set it to be static and 1.5x physical RAM. I also create a pagefile on each disk and let Windows choose the best one (which will be the second logical drive). I do not want to disable the pagefile on C: because, from what I understand, this will disable crash dumps, which I do not want. However, I set the crash dump to kernel only, not the entire pagefile. That being said, would it be appropriate to set the pagefile on C: to something small like 256MB since the OS will be using the one on the second drive anyway? Also, other than not using the /3GB switch, are there any other differences between the memory/pagefile settings on a regular Exchange box running WS2k3 and the SBS2k3 version? I would appreciate any guidance. Dan DeStefano Info-lution Corporation www.info-lution.com MCSE - 2073750
RE: [ActiveDir] NT4Emulator Reg Key
You're welcome!

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, May 05, 2006 18:58 To: ActiveDir.org Subject: Re: [ActiveDir] NT4Emulator Reg Key

Thanks Jorge. I have not done an inplace before, only migrations. Mark

-Original Message- From: Almeida Pinto, Jorge de [EMAIL PROTECTED] Date: Fri, 5 May 2006 17:52:35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] NT4Emulator Reg Key

As the key says, the NT4Emulator key makes an AD DC behave like an NT4 DC. When trying to promote additional DCs or using w2k/wxp/w2k3 clients to manage AD you are not able to connect. The main reason for the NT4Emulator key is to prevent ALL w2k/wxp/w2k3 clients and servers swamping down the PDC FSMO as that is the first AD DC in the field. Another reason could be you want to in place upgrade and see if everything goes OK without starting using kerberos already. As soon as you are satisfied and you have enough AD DCs you can remove the NT4Emulator keys from the AD DCs and ALL w2k/wxp/w2k3 clients and servers will start using kerberos instead of NTLM as soon as they find the AD DCs.

OK, back to the connecting thing. To be able to connect and to add additional AD DCs you must introduce the NeutralizeNT4Emulator key on the client that tries to connect or on the DC you are promoting. For the DC you are promoting, make sure you introduce the NT4Emulator key (if needed!) otherwise the w2k/wxp/w2k3 clients and servers will find that DC and use it!

Normal? No
Feature of R2? No
You? Who knows... ;-))

Cheers, jorge

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, May 05, 2006 16:11 To: ActiveDir.org Subject: [ActiveDir] NT4Emulator Reg Key

I am upgrading an NT4.0 domain to Windows 2003R2 and on the PDC I have added to the HKLM...Netlogon\parameters the key NT4Emulator with a value of 1 and then done the inplace upgrade. I now try to promote in another AD DC and it does not work; I get DNS timeout errors (0x05B4 ERROR_TIMEOUT). DNS is configured correctly, and removing the key and rebooting the upgraded DC makes the issue go away and I can add new AD DC's. Is this normal or is it a new feature of R2? Mark

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GC Promotion
I wasn't claiming that it would pick the DC for regular replication. We were talking GC promotion and I did throw in the weasel words about PAS replication since my confidence level wasn't sky high. It's been so long since we've done anything but IFM that I forget these little details. I know that the PAS replication partner selection algorithm isn't very smart but it does try to pick based on something other than just random selection. It'll be interesting to see what Microsoft does about that. Wook -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, May 04, 2006 7:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion Not sure how well that would scale, say you have 50 GCs in a site and only one DC of a certain domain, all GCs would want to replicate with that one DC which I wouldn't expect. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Friday, April 28, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion I thought that if there is a writable NC in the same site, it would try to use that, but maybe that's just for PAS replication. Wook -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, April 28, 2006 11:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion Yes a GC promotion can/will source readonly NCs from another GC, it does not have to go back to a DC that maintains a writeable replica. If the DC is already replicating with a DC that is also a GC, it is likely that it will start pulling the additional NCs from that GC. 
joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, April 28, 2006 12:28 PM To: ActiveDir.org Subject: [ActiveDir] GC Promotion

When elevating a DC to be a GC and say there are 3 domains, located say on 3 continents. Is the GC that already exists in each domain authoritative in the elevation of the DC to a GC or does each DC contact a DC in the relevant domain for the GC information? Make sense? Mark
[ActiveDir] Default Domain
First off let me do a small introduction. I come from a Netware background. My university's students have been using eDirectory for several years without any problems. However, we have decided (mostly because of the business model of Novell) to move all of our student logins, storage, and lab computers to Active Directory. Needless to say, this will not be a small undertaking for us. We have started testing to make sure we have all of our procedures down and have fared well so far. Our first big hurdle was ghosting the machines and having them automatically join the AD in the correct container. Done. We've also been testing out the GPOs to move what we do now with ZenWorks to them. We will be providing our home storage solution via File System Factory which we've been using for several years under Netware - They have decided now is the time for them to write it for Active Directory.

One small problem we are having now (and we all think we're just missing something simple) is getting the domain to show up in the logon box the first time. We know after a student logs on the first time things will be OK. However, after ghosting 900 machines, the last thing we want to do is touch each one just to get this setting correct. We've ripped the registry to pieces, looked everywhere we know to look, but nothing seems to set it the first time. I realize this may not seem like a big deal to most people out there, but if you've ever had to deal with a student population you know why this is important.

One other thing for now. We have found a few custom templates we would like to use (one modifying the logon screen to tell the students what the Domain should be set as). I have added them to my test AD domain controllers' INF folder. They work just fine. When I told one of our administrators about this, he said, he didn't like that idea much (placing this on the DC). In my testing, I wasn't able to get any of the custom templates to work until I did put them there and in the INF folder. Is there another way?

I thank you in advance for your help. I would expect I'll be around here a bunch during this move.

Paul Glenn University of Kentucky -- *** I've got a fever and the only prescription is more cowbell. --Christopher Walken ***
[ActiveDir] Trust for delegation error
Hi all, I have a new problem: When I try to enable this option: "Trust computer for delegation" for a computer account in DSA.msc I receive this error: "Your security setting do not allow you to Specify whether or not This account is to be trusted for delegation". I have already applied an instruction to change local user rights, but it is still showing that message. The most strange is that we have 18 subdomains, and it works in all, but that. That is happening to user, too, I can not enable TRUST FOR delegation for a user account. Is there a way to solve that problem?

Adrião Ferreira Ramos [EMAIL PROTECTED] Equipe Suporte Windows (11) 3388-8193
[ActiveDir] Visio Stencil for AD Forest
Anyone know where I can find a good stencil for this? I just want a cool triangle 3D and all and not a server or a domain, or an OU. -fitz J. Fitzgerald (Fitz) Stewart Systems Architect IRM/OPS/ENM Worldwide Information Network Systems USAID/DoS IT Infrastructure Collaboration Program [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 703-866-7473 703-626-5741 (cell)
RE: [ActiveDir] Default Domain
Haven't tried it, but check out this TID: http://www.novell.com/support/search.do?cmd=displayKCdocType=kcexternalId=10023078sliceId=dialogID=2929119stateId=0%200%202927987

Note that the registry entry in Workaround #2 has left out one level of the registry structure. It should be:

[HKLM\Software\Novell\Location Profiles\Services\{1E6CEEA1-FB73-11CF-BD76-0001B27DA23}\Default\Tab3]
Tab=NT Credentials
DefaultDomainName=MyDomain

Cheers, Randy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Glenn Sent: Friday, May 05, 2006 1:38 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Default Domain

First off let me do a small introduction. I come from a Netware background. My university's students have been using eDirectory for several years without any problems. However, we have decided (mostly because of the business model of Novell) to move all of our student logins, storage, and lab computers to Active Directory. Needless to say, this will not be a small undertaking for us. We have started testing to make sure we have all of our procedures down and have fared well so far. Our first big hurdle was ghosting the machines and having them automatically join the AD in the correct container. Done. We've also been testing out the GPOs to move what we do now with ZenWorks to them. We will be providing our home storage solution via File System Factory which we've been using for several years under Netware - They have decided now is the time for them to write it for Active Directory.

One small problem we are having now (and we all think we're just missing something simple) is getting the domain to show up in the logon box the first time. We know after a student logs on the first time things will be OK. However, after ghosting 900 machines, the last thing we want to do is touch each one just to get this setting correct. We've ripped the registry to pieces, looked everywhere we know to look, but nothing seems to set it the first time. I realize this may not seem like a big deal to most people out there, but if you've ever had to deal with a student population you know why this is important.

One other thing for now. We have found a few custom templates we would like to use (one modifying the logon screen to tell the students what the Domain should be set as). I have added them to my test AD domain controllers' INF folder. They work just fine. When I told one of our administrators about this, he said, he didn't like that idea much (placing this on the DC). In my testing, I wasn't able to get any of the custom templates to work until I did put them there and in the INF folder. Is there another way?

I thank you in advance for your help. I would expect I'll be around here a bunch during this move.

Paul Glenn University of Kentucky -- *** I've got a fever and the only prescription is more cowbell. --Christopher Walken ***
Re: [ActiveDir] Optimize Exchange Pagefile
Yeah, there would be some general disagreement from me. Why? Only because this is an SBS box vs. an enterprise Exchange server hosting 5K users. My laptop (crud that it is) could host 20 heavy exchange users with usable/good performance with that amount of memory. I don't think the focus of a machine that will only ever have 75 users should be optimized for more than space in most situations. It would be a waste of money that could be spent on other things like better backups, better coffee, etc. I don't believe there's any value in buying a system such as SBS and then having to make adjustments to things like pagefile size. That's counter to the product's reason for being. Saying that, Dave is correct that optimizing the disk layout has the biggest benefit, but it's SBS and as such it's special. Just ask SBS-Lady ;) Al

On 5/4/06, Dave Wade [EMAIL PROTECTED] wrote:

If you have 4gig of RAM then you should get minimal paging. (I know this is a great generalization)

1) Log file access is sequential, database is random
2) Keeping Log files write queue down is key to performance
3) log files are write only
4) raid-5 tends to have poor write performance (again great generalization).

So I would try and get another drive in the box so I could have a mirrored pair for OS LOGS, and a mirrored pair for Databases. Putting these on separate drives will do far more for performance than changing the page file. RAID-5 is a real bad performer on write. These days I would avoid as far as possible... I am sure other folks may disagree...

-Original Message- From: [EMAIL PROTECTED] on behalf of Dan DeStefano Sent: Thu 04/05/2006 21:36 To: ActiveDir@mail.activedir.org Cc: Subject: RE: [ActiveDir] Optimize Exchange Pagefile

Yes, far less than 100, on this box it is under 20. You do not think it is necessary to mess with the page file, even if only to make it static? Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade Sent: Thursday, May 04, 2006 4:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Optimize Exchange Pagefile

There is no point in messing about with memory config if you only have a three drive RAID 5 array. Disk config is critical. How many users do you want to put on this box? Less than 100?

-Original Message- From: [EMAIL PROTECTED] on behalf of Dan DeStefano Sent: Thu 04/05/2006 20:16 To: ActiveDir@mail.activedir.org Cc: Subject: [ActiveDir] Optimize Exchange Pagefile

I was wondering if anyone can point me to any MS document that discusses optimizing the page file on an Exchange box. I found http://support.microsoft.com/kb/815372, but this article does not discuss the page file. I am running SBS 2003 on a 3 GHZ Xeon with 4GB physical memory and a 3-disk RAID5 array with 2 logical drives. I plan on installing the Exchange binaries on the first logical drive (which will also contain the system and boot partitions) and the Exchange databases, logs, queues, etc on the second logical drive. The way I normally set the pagefile on my systems is to set it to be static and 1.5x physical RAM. I also create a pagefile on each disk and let Windows choose the best one (which will be the second logical drive). I do not want to disable the pagefile on C: because, from what I understand, this will disable crash dumps, which I do not want. However, I set the crash dump to kernel only, not the entire pagefile. That being said, would it be appropriate to set the pagefile on C: to something small like 256MB since the OS will be using the one on the second drive anyway? Also, other than not using the /3GB switch, are there any other differences between the memory/pagefile settings on a regular Exchange box running WS2k3 and the SBS2k3 version? I would appreciate any guidance.
Dan DeStefano Info-lution Corporation www.info-lution.com MCSE - 2073750
RE: [ActiveDir] Default Domain
Welcome. I am not sure if you can set a domain by default for the initial logon. If you could, I would expect it to be to some of the reg entries maintained in the HKLM\software\microsoft\windows nt\currentversion\winlogon portion of the registry.

You could step around that by telling people to use UPNs for logon instead of SAM Names. That would mean you would use something like [EMAIL PROTECTED] instead of something\PGlenn. That is the direction the auth is going so if you are starting fresh now, might as well start that way. Then the domain dropdown is a moot point. It also means you can dork with the domains almost to your heart's content and never have to worry about telling the users their new domain, it will just work because the UPN does not have to match the Domain structure.

I am curious about the direction to move as you state it as "the Novell business model", what specifically is pushing this change? With Novell embracing Open Source I would expect schools and the like to be more, not less, interested in it. Also I am curious why not a move to say BSD or Linux. If anywhere that stuff works well en masse it is in school environments because they are so closed and geographically small.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Glenn Sent: Friday, May 05, 2006 1:38 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Default Domain

First off let me do a small introduction. I come from a Netware background. My university's students have been using eDirectory for several years without any problems. However, we have decided (mostly because of the business model of Novell) to move all of our student logins, storage, and lab computers to Active Directory. Needless to say, this will not be a small undertaking for us. We have started testing to make sure we have all of our procedures down and have fared well so far. Our first big hurdle was ghosting the machines and having them automatically join the AD in the correct container. Done. We've also been testing out the GPOs to move what we do now with ZenWorks to them. We will be providing our home storage solution via File System Factory which we've been using for several years under Netware - They have decided now is the time for them to write it for Active Directory.

One small problem we are having now (and we all think we're just missing something simple) is getting the domain to show up in the logon box the first time. We know after a student logs on the first time things will be OK. However, after ghosting 900 machines, the last thing we want to do is touch each one just to get this setting correct. We've ripped the registry to pieces, looked everywhere we know to look, but nothing seems to set it the first time. I realize this may not seem like a big deal to most people out there, but if you've ever had to deal with a student population you know why this is important.

One other thing for now. We have found a few custom templates we would like to use (one modifying the logon screen to tell the students what the Domain should be set as). I have added them to my test AD domain controllers' INF folder. They work just fine. When I told one of our administrators about this, he said, he didn't like that idea much (placing this on the DC). In my testing, I wasn't able to get any of the custom templates to work until I did put them there and in the INF folder. Is there another way?

I thank you in advance for your help. I would expect I'll be around here a bunch during this move.

Paul Glenn University of Kentucky -- *** "I've got a fever and the only prescription is more cowbell." --Christopher Walken ***
Re: [ActiveDir] Robocopy(OT)
Back in the days of DOS, you could delete a file that had invalid characters or spaces in the file name by first renaming the file substituting a "?" for the invalid characters or spaces to a valid file name, you could then delete the file. HTH

- Original Message - From: Thomas O'Brien To: ActiveDir@mail.activedir.org Sent: Friday, May 05, 2006 9:57 AM Subject: RE: [ActiveDir] Robocopy(OT)

Is there a trailing space at the end of the folder name? I got bit by this one and didn't really understand why at first because the trailing space was almost unnoticeable. To date I have not been able to remove the folder. I found a number of tools that address deleting files with trailing spaces, but not a lot of help for folders. If anyone solves this, I'd sure like to know how. Mostly, it's a tidiness issue for me. Thomas

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Friday, May 05, 2006 9:11 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Robocopy(OT)

Tough to do if it's at the root. I would try this, have the originating user log on to the originating machine that originally mapped the two drives and disconnect the target's mapped drive, if not already done, then reboot it. Have him log back on, map the target again using the same drive letter and same security credential and have him see if the folder in question shows up. If so, have him try whacking it. RH

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie Sent: Friday, May 05, 2006 11:58 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Robocopy(OT)

I've seen this in NT4, but not recently. In our case, the fix was to share out a parent folder, and delete the offending sub-folder from another machine via the share. Tyson.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Friday, May 05, 2006 9:24 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Robocopy(OT)

Subinacl, Xcacls (which I stated I used already, Brian), and Setowner all give the same error- "The system cannot find the file specified". Chkdsk with a reboot didn't help at all. Thanks

On 5/5/06, Brian Desmond [EMAIL PROTECTED] wrote:

Cacls Xcacls Subinacl Format q c: rm rf / a consultant google set ownership tools perhaps too

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern Sent: Friday, May 05, 2006 9:14 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Robocopy(OT)

How can I take ownership of it? It doesn't have a security tab and xcacls doesn't "see" the folder.. Thanks

On 5/4/06, joe [EMAIL PROTECTED] wrote:

Wonder if you have a dorked up ACL, what happens if you try to take ownership of it?

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern Sent: Sunday, April 30, 2006 8:58 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Robocopy(OT)

Well, I've rebooted the server, ran a chkdsk, and still the dir will not disappear. I've run Process Explorer and Filemon and nothing is accessing this dir. Yet I can delete it and it's missing the security tab (it's on an ntfs vol). How the heck can I get rid of this dir? Has anyone had an issue like this? Thanks again

4/6/06, Bruyere, Michel [EMAIL PROTECTED] wrote:

Hi, I got something similar but with a PDF file. The solution was to reboot the server

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern Sent: Thursday, April 06, 2006 9:18 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Robocopy(OT)

No one has this folder open. I've run Process Explorer and Filemon and nothing is accessing this folder. I can't delete it or share it out and it's missing the security tab. Anything else I should look for? Thanks

On 4/5/06, Mark Parris
RE: [ActiveDir] GC Promotion
Ah sorry, you mean the initial population, I dropped that piece... That would make sense if it did that because you wouldn't have to worry about promoing a new GC and getting lingering objects passed onto it... I am still not sure it does it that way though as I swear I have talked to folks with new GCs with long dead lingering objects getting replicated in. :) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Friday, May 05, 2006 1:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion I wasn't claiming that it would pick the DC for regular replication. We were talking GC promotion and I did throw in the weasel words about PAS replication since my confidence level wasn't sky high. It's been so long since we've done anything but IFM that I forget these little details. I know that the PAS replication partner selection algorithm isn't very smart but it does try to pick based on something other than just random selection. It'll be interesting to see what Microsoft does about that. Wook -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, May 04, 2006 7:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion Not sure how well that would scale, say you have 50 GCs in a site and only one DC of a certain domain, all GCs would want to replicate with that one DC which I wouldn't expect. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Friday, April 28, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion I thought that if there is a writable NC in the same site, it would try to use that, but maybe that's just for PAS replication. 
Wook

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, April 28, 2006 11:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion

Yes a GC promotion can/will source readonly NCs from another GC, it does not have to go back to a DC that maintains a writeable replica. If the DC is already replicating with a DC that is also a GC, it is likely that it will start pulling the additional NCs from that GC. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, April 28, 2006 12:28 PM To: ActiveDir.org Subject: [ActiveDir] GC Promotion

When elevating a DC to be a GC and say there are 3 domains, located say on 3 continents. Is the GC that already exists in each domain authoritative in the elevation of the DC to a GC or does each DC contact a DC in the relevant domain for the GC information? Make sense? Mark
Re: [ActiveDir] Default Domain
Randy, Not quite sure that will work since I won't have a Novell hive after this semesterPaul On 5/5/06, Walton, Randy [EMAIL PROTECTED] wrote: Haven't tried it, but check out this TID: http://www.novell.com/support/search.do?cmd=displayKCdocType=kcexternalId=10023078sliceId=dialogID=2929119stateId=0%200%202927987 Note that the registry entry in Workaround #2 has left out one level of the registry structure. It should be: HKLM\Software\Novell\Location Profiles\Services\{1E6CEEA1-FB73-11CF-BD76-0001B27DA23}\Default\Tab3] "Tab"="NT Credentials" "DefaultDomainName"="MyDomain" Cheers, Randy From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul GlennSent: Friday, May 05, 2006 1:38 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Default Domain First off let me do a small introduction. I come from a Netware background. My university's students have been using eDirectory for several years without any problems. However, we have decided (mostly because of the business model of Novell) to move all of our student logins, storage, and lab computers to Active Directory. Needless to say, this will not be a small undertaking for us. We have started testing to make sure we have all of our procedures down and have faired well so far. Our first big hurdle was ghosting the machines and having them automatically join the AD in the correct container. Done. We've also been testing out the GPOs to move what we do now with ZenWorks to them. We will be providing our home storage solution via File System Factory which we've been using for several years under Netware - They have decided now is the time for them to write itfor Active Directory. One small problem we are having now (and we all think we're just missing something simple) is getting the domain to showup in the logon box the first time. We know after a student logs on the first time things will be OK. 
However, after ghosting 900 machines, the last thing we want to do is touch each one just to get this setting correct. We've ripped the registry to pieces, looked everywhere we know to look, but nothing seems to set it the first time. I realize this may not seem like a big deal to most people out there, but if you've ever had to deal with a student population you know why this is important. One other thing for now. We have found a few custom templates we would like to use (one modifying the logon screen to tell the students what the Domain should be set as). I have added them to my test AD domain controllers' INF folder. They work just fine. When I told one of our administrators about this, he said, he didn't like that idea much (placing this on the DC). In my testing, I wasn't able to get any of the custom templates to work until I did put them there and in the INF folder. Is there another way? I thank you in advance for your help. I would expect I'll be around here a bunch during this move. Paul Glenn University of Kentucky -- *** I've got a fever and the only prescription is more cowbell. --Christopher Walken ***
-- *** I've got a fever and the only prescription is more cowbell. --Christopher Walken ***
RE: [ActiveDir] [OT] Optimize Exchange Pagefile
Yeah I might as well pop in a similar feeling that the disk is not optimal for Exchange. Certainly I wouldn't worry about which logical drive the page file was on, it is all the same physicals underneath so it doesn't much matter from a perf standpoint. With Exchange you want as many spindles as you can get your hands on. Otherwise your IOPS eat you alive and your RPC starts going down the toilet and clients get popups. Oh I also added the [OT] to the subject to fit the rules. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Friday, May 05, 2006 1:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Optimize Exchange Pagefile If you get another drive a RAID 01 (or is it 10) would be a better choice in my eyes _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade Sent: Thursday, May 04, 2006 5:07 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Optimize Exchange Pagefile If you have 4gig of RAM then you should get minimal paging. (I know this is a great generalization) 1) Log file access is sequential, database is random 2) Keeping Log files write queue down is key to performance 3) log files are write only 4) raid-5 tends to have poor write performance (again great generalization). So I would try and get another drive in the box so I could have a mirrored pair for OS LOGS, and a mirrored pair for Databases. Putting these on separate drives will do far more for performance than changing the page file. RAID-5 is a real bad performer on write. These days I would avoid as far as possible... I am sure other folks may disagree... -Original Message- From: [EMAIL PROTECTED] on behalf of Dan DeStefano Sent: Thu 04/05/2006 21:36 To: ActiveDir@mail.activedir.org Cc: Subject: RE: [ActiveDir] Optimize Exchange Pagefile Yes, far less than 100, on this box it is under 20.
You do not think it is necessary to mess with the page file, even if only to make it static? Dan _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade Sent: Thursday, May 04, 2006 4:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Optimize Exchange Pagefile There is no point in messing about with memory config if you only have a three drive RAID 5 array. Disk config is critical. How many users do you want to put on this box. less than 100? -Original Message- From: [EMAIL PROTECTED] on behalf of Dan DeStefano Sent: Thu 04/05/2006 20:16 To: ActiveDir@mail.activedir.org Cc: Subject: [ActiveDir] Optimize Exchange Pagefile I was wondering if anyone can point me to any MS document that discusses optimizing the page file on an Exchange box. I found http://support.microsoft.com/kb/815372, but this article does not discuss the page file. I am running SBS 2003 on a 3 GHZ Xeon with 4GB physical memory and a 3-disk RAID5 array with 2 logical drives. I plan on installing the Exchange binaries on the first logical drive (which will also contain the system and boot partitions) and the Exchange databases, logs, queues, etc on the second logical drive. The way I normally set the pagefile on my systems is to set it to be static and 1.5x physical RAM. I also create a pagefile on each disk and let Windows choose the best one (which will be the second logical drive). I do not want to disable the pagefile on C: because, from what I understand, this will disable crash dumps, which I do not want. However, I set the crash dump to kernel only, not the entire pagefile. That being said, would it be appropriate to set the pagefile on C: to something small like 256MB since the OS will be using the one on the second drive anyway? Also, other than not using the /3GB switch, are there any other differences between the memory/pagefile settings on a regular Exchange box running WS2k3 and the SBS2k3 version? I would appreciate any guidance. 
Dan DeStefano Info-lution Corporation www.info-lution.com MCSE - 2073750
RE: [ActiveDir] GC Promotion
The lingering object problems we've seen have always involved partitions that didn't have a writeable copy in site. In general, we've had more problems with ghosts than with zombies. Wook -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, May 05, 2006 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion Ah sorry, you mean the initial population, I dropped that piece... That would make sense if it did that because you wouldn't have to worry about promoing a new GC and getting lingering objects passed onto it... I am still not sure it does it that way though as I swear I have talked to folks with new GCs with long dead lingering objects getting replicated in. :) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Friday, May 05, 2006 1:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion I wasn't claiming that it would pick the DC for regular replication. We were talking GC promotion and I did throw in the weasel words about PAS replication since my confidence level wasn't sky high. It's been so long since we've done anything but IFM that I forget these little details. I know that the PAS replication partner selection algorithm isn't very smart but it does try to pick based on something other than just random selection. It'll be interesting to see what Microsoft does about that. Wook -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, May 04, 2006 7:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion Not sure how well that would scale, say you have 50 GCs in a site and only one DC of a certain domain, all GCs would want to replicate with that one DC which I wouldn't expect. 
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Friday, April 28, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion I thought that if there is a writable NC in the same site, it would try to use that, but maybe that's just for PAS replication. Wook -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, April 28, 2006 11:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion Yes a GC promotion can/will source readonly NCs from another GC, it does not have to go back to a DC that maintains a writeable replica. If the DC is already replicating with a DC that is also a GC, it is likely that it will start pulling the additional NCs from that GC. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, April 28, 2006 12:28 PM To: ActiveDir.org Subject: [ActiveDir] GC Promotion When elevating a DC to be a GC and say there are 3 domains, located, say, on 3 continents. Is the GC that already exists in each domain authoritative in the elevation of the DC to a GC or does each DC contact a DC in the relevant domain for the GC information? Make sense?
Mark
Re: [ActiveDir] Optimize Exchange Pagefile
Word of advice -- put SBS in the subject line and you'll get SBSlady from the get go :-) By design SBS is maxed at 75 users/devices. As you have already stated, do not do a /3GB (let me repeat that again) DO NOT do a /3GB on a SBS box. It's not necessary and doesn't impact a thing. Remember with SP2 we now have 75 gigs to play with so plan accordingly (and no snickers from the terabyte people) SBS is pretty tuned as it is.. set your page files to be 1.5 and I have mine spread on two drives. What is more important is the layout of those partitions..and boy... did a recent blog post bring out a lot of comments http://msmvps.com/blogs/bradley/archive/2006/05/02/93249.aspx Set the crash dump to minidump or even full dump... when that sucker blows (and it's not that often and kinda fun when it does as you can use the debugger tool) you want that dumpfile to be there and juicy. Exchange 'by design' will suck down the memory and release when needed. Honestly Exchange ..while being a hog.. isn't the annoyance on my boxes.. it's MSDE that is the troublesome child. After applications of SP1 (if it is not integrated that is) you need to rerun the SBS monitoring wizard to get rid of a bogus STORE memory alert. Now then.. about that MSDE. The SBS health monitor function is set to warn you with an allocated memory alert when the use is above 2 gigs..when you have a 4 gig box..that 2 gig limit is a bit stupid. So step one is to monitor your box.. see where it hovers at. I bumped mine up a bit. Next... the problem children. ISA running on MSDE 'by design' will be like Exchange and suck up all RAM and release when needed... sorry ISA .. you don't need to do that (and before Joe has the inevitable heart attack of a firewall on my DC..
it's in all honesty my 'second' firewall as I have a hardware one in front..but I like the monitoring and with Dana Epp's Scorpion Software Firewall dashboard tool, the GUI pie charts of the firewall hits that 'do' hit my domain controller are way cool. I know, I know... it's the GUI..just shake your head and walk away). SBSMonitoring 'can' and 'has' on my box and others in the community gotten too 'hot' on my box as well. So for both ISA and SBSmonitoring there's a command (yes Joe, I did command line) to stomp on those msde instances and make them behave http://msmvps.com/blogs/bradley/search.aspx?q=allocated+memoryp=1 This is the ISA http://msmvps.com/blogs/bradley/archive/2005/05/22/48500.aspx This is SBS monitoring http://msmvps.com/blogs/bradley/archive/2005/02/04/34984.aspx So for memory optimization... forget about Exchange.. it behaves.. but be prepared to stomp on those MSDE's ...and we're using a lot of RAID 5's down here (and even SATA drives) Al Mulnick wrote: yeah, there would be some general disagreement from me. Why? Only because this is SBS box vs. an enterprise Exchange server hosting 5K users. My laptop (crud that it is) could host 20 heavy exchange users with usable/good performance with that amount of memory. I don't think the focus of a machine that will only ever have 75 users should be optimized for more than space in most situations. It would be a waste of money that could be spent on other things like better backups, better coffee, etc. I don't believe there's any value in buying a system such as SBS and then having to make adjustments to things like pagefile size. That's counter to the product's reason for being. Saying that, Dave is correct that optimizing the disk layout has the biggest benefit, but it's SBS and as such it's special. Just ask SBS-Lady ;) Al On 5/4/06, Dave Wade [EMAIL PROTECTED] wrote: If you have 4gig of RAM then you should get minimal paging.
(I know this is a great generalization) 1) Log file access is sequential, database is random 2) Keeping Log files write queue down is key to performance 3) log files are write only 4) raid-5 tends to have poor write performance (again great generalization). So I would try and get another drive in the box so I could have a mirrored pair for OS LOGS, and a mirrored pair for Databases. Putting these on separate drives will do far more for performance than changing the page file. RAID-5 is a real bad performer on write. These days I would avoid as far as possible... I am sure other folks may disagree... -Original Message- From: [EMAIL PROTECTED] on behalf of Dan DeStefano Sent: Thu 04/05/2006 21:36 To: ActiveDir@mail.activedir.org Cc: Subject: RE: [ActiveDir] Optimize Exchange Pagefile Yes, far less than 100, on this box it is under 20. You do not think it is necessary to mess with the page file, even if only to make it static? Dan _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade Sent: Thursday, May 04, 2006 4:06 PM To: ActiveDir@mail.activedir.org Subject:
RE: [ActiveDir] GC Promotion
To my knowledge a GC searches for a replication partner it can use to source the partitions from and it does not care if it uses the writable versions or read-only version. Both have the data needed. On the other side, if it did use only writable NCs, that would mean replication could take place over all kinds of WAN links while a partner GC with all the data was standing next to it. Or have I missed something? jorge Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) Tel : +31-(0)40-29.57.777 Mobile : +31-(0)6-26.26.62.80 E-mail : see sender address From: [EMAIL PROTECTED] on behalf of joe Sent: Fri 2006-05-05 20:17 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion Ah sorry, you mean the initial population, I dropped that piece... That would make sense if it did that because you wouldn't have to worry about promoing a new GC and getting lingering objects passed onto it... I am still not sure it does it that way though as I swear I have talked to folks with new GCs with long dead lingering objects getting replicated in. :) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Friday, May 05, 2006 1:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion I wasn't claiming that it would pick the DC for regular replication. We were talking GC promotion and I did throw in the weasel words about PAS replication since my confidence level wasn't sky high. It's been so long since we've done anything but IFM that I forget these little details. I know that the PAS replication partner selection algorithm isn't very smart but it does try to pick based on something other than just random selection. It'll be interesting to see what Microsoft does about that.
Wook -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, May 04, 2006 7:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion Not sure how well that would scale, say you have 50 GCs in a site and only one DC of a certain domain, all GCs would want to replicate with that one DC which I wouldn't expect. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Friday, April 28, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion I thought that if there is a writable NC in the same site, it would try to use that, but maybe that's just for PAS replication. Wook -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, April 28, 2006 11:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion Yes a GC promotion can/will source readonly NCs from another GC, it does not have to go back to a DC that maintains a writeable replica. If the DC is already replicating with a DC that is also a GC, it is likely that it will start pulling the additional NCs from that GC. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, April 28, 2006 12:28 PM To: ActiveDir.org Subject: [ActiveDir] GC Promotion When elevating a DC to be a GC and say there are 3 domains, located, say, on 3 continents. Is the GC that already exists in each domain authoritative in the elevation of the DC to a GC or does each DC contact a DC in the relevant domain for the GC information? Make sense?
Mark
Re: [ActiveDir] Default Domain
On 5/5/06, joe [EMAIL PROTECTED] wrote: Welcome. I am not sure if you can set a domain by default for the initial logon. If you could, I would expect it to be to some of the reg entries maintained in the HKLM\software\microsoft\windows nt\currentversion\winlogon portion of the registry. That is exactly the key we have found what little information we have. No matter what you set for defaultdomainname or altdefaultdomainname it's the same thing. You could step around that by telling people to use UPNs for logon instead of SAM Names. That would mean you would use something like [EMAIL PROTECTED] instead of something\PGlenn. That is the direction the auth is going so if you are starting fresh now, might as well start that way. Then the domain dropdown is a moot point. It also means you can dork with the domain's almost to your heart's content and never have to worry about telling the users their new domain, it will just work because the UPN does not have to match the Domain structure. We would like, if possible, to stay away from this because of the way we have the students logging on now. Currently they don't have to use any context for their Netware logins. A far cry from the days they had to put in .pglenn.uxx.student.usr.uky The direction our university is leaning is to do everything via LDAP lookups. We are doing this because we have 2 major AD domains and one major eDirectory. Account information is handled by Novell's Identity Manager. I am curious about the direction to move as you state it as the Novell business model, what specifically is pushing this change? With Novell embracing Open Source I would expect schools and the like to be more, not less, interested in it. Also I am curious why not a move to say BSD or Linux. If anywhere that stuff works well en masse it is in school environments because they are so closed and geographically small. Going open source is great for many things.
However, after many years of struggling with different vendors and their lack of support for anything that is not Windows, open source wasn't that appealing. Our vendors include made discipline specific software who don't want to support anything else and hardware vendors that support other things when they get around to it - an example of the latter being the horrible tech support from Tivoli after losing about 2 terabytes of data (took them 6 months to get it resolved). Using Netware OES or eDirectory on SUsE were other options I had. After weighing several things - most importantly my learning curve for such a move to either one given the time table - I chose AD. This will allow us to put out images without a non-native client. This also pleases my VP, who really wants me to move toward AD. Paul
Re: [ActiveDir] Default Domain
Of course, it makes supporting non-windows clients a different challenge :) Paul, what method are you using to join the workstation to the domain? It sounds like the domains are being enumerated at initial logon as if it has no list when it joins. Could be something in the process or something else, but figured I'd ask. al On 5/5/06, Paul Glenn [EMAIL PROTECTED] wrote: On 5/5/06, joe [EMAIL PROTECTED] wrote: Welcome. I am not sure if you can set a domain by default for the initial logon. If you could, I would expect it to be to some of the reg entries maintained in the HKLM\software\microsoft\windows nt\currentversion\winlogon portion of the registry. That is exactly the key we have found what little information we have. No matter what you set for defaultdomainname or altdefaultdomainname it's the same thing. You could step around that by telling people to use UPNs for logon instead of SAM Names. That would mean you would use something like [EMAIL PROTECTED] instead of something\PGlenn. That is the direction the auth is going so if you are starting fresh now, might as well start that way. Then the domain dropdown is a moot point. It also means you can dork with the domain's almost to your heart's content and never have to worry about telling the users their new domain, it will just work because the UPN does not have to match the Domain structure. We would like, if possible, to stay away from this because of the way we have the students logging on now. Currently they don't have to use any context for their Netware logins. A far cry from the days they had to put in .pglenn.uxx.student.usr.uky The direction our university is leaning is to do everything via LDAP lookups. We are doing this because we have 2 major AD domains and one major eDirectory. Account information is handled by Novell's Identity Manager. I am curious about the direction to move as you state it as the Novell business model, what specifically is pushing this change?
With Novell embracing Open Source I would expect schools and the like to be more, not less, interested in it. Also I am curious why not a move to say BSD or Linux. If anywhere that stuff works well en masse it is in school environments because they are so closed and geographically small. Going open source is great for many things. However, after many years of struggling with different vendors and their lack of support for anything that is not Windows, open source wasn't that appealing. Our vendors include made discipline specific software who don't want to support anything else and hardware vendors that support other things when they get around to it - an example of the latter being the horrible tech support from Tivoli after losing about 2 terabytes of data (took them 6 months to get it resolved). Using Netware OES or eDirectory on SUsE were other options I had. After weighing several things - most importantly my learning curve for such a move to either one given the time table - I chose AD. This will allow us to put out images without a non-native client. This also pleases my VP, who really wants me to move toward AD. Paul
RE: [ActiveDir] Robocopy(OT)
Thanks for the reply. I've tried exactly this approach. Works great for files. Not so well for folders. Executing move source-folder destination-folder yields "The system cannot find the file specified". Thomas From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ross Stingley Sent: Friday, May 05, 2006 11:15 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Robocopy(OT) Back in the days of DOS, you could delete a file that had invalid characters or spaces in the file name by first renaming the file substituting a "?" for the invalid characters or spaces to a valid file name, you could then delete the file. HTH - Original Message - From: Thomas O'Brien To: ActiveDir@mail.activedir.org Sent: Friday, May 05, 2006 9:57 AM Subject: RE: [ActiveDir] Robocopy(OT) Is there a trailing space at the end of the folder name? I got bit by this one and didn't really understand why at first because the trailing space was almost unnoticeable. To date I have not been able to remove the folder. I found a number of tools that address deleting files with trailing spaces, but not a lot of help for folders. If anyone solves this, I'd sure like to know how. Mostly, it's a tidiness issue for me. Thomas From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Friday, May 05, 2006 9:11 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Robocopy(OT) Tough to do if it's at the root. I would try this, have the originating user log on to the originating machine that originally mapped the two drives and disconnect the target's mapped drive, if not already done, then reboot it. Have him log back on, map the target again using the same drive letter and same security credential and have him see if the folder in question shows up. If so, have him try whacking it.
RH _ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie Sent: Friday, May 05, 2006 11:58 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Robocopy(OT) I've seen this in NT4, but not recently. In our case, the fix was to share out a parent folder, and delete the offending sub-folder from another machine via the share. Tyson. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Friday, May 05, 2006 9:24 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Robocopy(OT) Subinacl, Xacls (which I stated I used already, Brian), and Setowner all give the same error- "The system cannot find the file specified". Chkdsk with a reboot didn't help at all. Thanks On 5/5/06, Brian Desmond [EMAIL PROTECTED] wrote: Cacls Xcacls Subinacl Format q c: rm rf / a consultant google set ownership tools perhaps too Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern Sent: Friday, May 05, 2006 9:14 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Robocopy(OT) How can I take ownership of it? It doesn't have a security tab and xcacls doesn't "see" the folder.. Thanks On 5/4/06, joe [EMAIL PROTECTED] wrote: Wonder if you have a dorked up ACL, what happens if you try to take ownership of it? O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern Sent: Sunday, April 30, 2006 8:58 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Robocopy(OT) Well, I've rebooted the server, ran a chkdsk, and still the dir will not disappear. I've run Process Explorer and Filemon and nothing is accessing this dir. Yet I can delete it and it's missing the security tab (it's on an ntfs vol). How the heck can I get rid of this dir? Has anyone had an issue like this?
Thanks again 4/6/06, Bruyere, Michel [EMAIL PROTECTED] wrote: Hi, I got something similar but with a PDF file. The solution was to reboot the server From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern Sent: Thursday, April 06, 2006 9:18 AM To:
Re: [ActiveDir] Default Domain
Al, We are accomplishing this by Ghost. We push out a configuration that tells it the domain and OU to join. The rights are associated with the Ghost Console user that gets installed. After the workstations join and reboot it's getting all the AD domains on campus via the DNS server (I'm assuming). There are actually 3 domains and the local workstation that show up in the drop down menu. BTW, if you all ever need a Ghost question answered, we have one of the best guys in the world for those! Paul On 5/5/06, Al Mulnick [EMAIL PROTECTED] wrote: Of course, it makes supporting non-windows clients a different challenge :) Paul, what method are you using to join the workstation to the domain? It sounds like the domains are being enumerated at initial logon as if it has no list when it joins. Could be something in the process or something else, but figured I'd ask. al On 5/5/06, Paul Glenn [EMAIL PROTECTED] wrote: On 5/5/06, joe [EMAIL PROTECTED] wrote: Welcome. I am not sure if you can set a domain by default for the initial logon. If you could, I would expect it to be to some of the reg entries maintained in the HKLM\software\microsoft\windows nt\currentversion\winlogon portion of the registry. That is exactly the key we have found what little information we have. No matter what you set for defaultdomainname or altdefaultdomainname it's the same thing. You could step around that by telling people to use UPNs for logon instead of SAM Names. That would mean you would use something like [EMAIL PROTECTED] instead of something\PGlenn. That is the direction the auth is going so if you are starting fresh now, might as well start that way. Then the domain dropdown is a moot point. It also means you can dork with the domain's almost to your heart's content and never have to worry about telling the users their new domain, it will just work because the UPN does not have to match the Domain structure.
We would like, if possible, to stay away from this because of the way we have the students logging on now.Currently they don't have to use any context for their Netware logins.A far cry from the days they had to put in .pglenn.uxx.student.usr.ukyThe direction our university is leaning is to do everything via LDAP lookups.We are doing this because we have 2 major AD domains and on major eDirectory.Account information is handles by Novell's Identity Manager. I am curious about the direction to move as you state it as the Novell business model, what specifically is pushing this change? With Novell embracing Open Source I would expect schools and the like to be more, not less, interested in it. Also I am curious why not a move to say BSD or Linux. If anywhere that stuff works well en masse it is in school environments because they are so closed and geographically small. Going open source is great for many things.However, after many years or struggling with different vendors and their lack of support for anything that is not Windows, open source wasn't that appealing.Our vendors include made dicipline specific software who don't want to support anything else and hardware vendors that support others things when they get around to it - and example of the latter being the horrible tech support from Tivoli after loosing about 2 terabytes of data (took them 6 months to get it resolved). Using Netware OES or eDirectory on SUsE were other options I had.After wieghing several things - most importantly my learning curve for such a move to either one given the time table - I chose AD.This will allow us to put out images without a non-native client.This also pleases my VP, who really wants me to move toward AD. Paul-- ***I've got a fever and the only prescription is more cowbell.--Christopher Walken***
[ActiveDir] OT: KVM switches
Does anyone have any suggestions for cheap KVM switches? We are currently using Belkin 16 port switches. They are cheap enough, but we seem to experience issues with them. I don't need anything fancy. No KVM over IP, no KVM over cat 5, etc. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GC Promotion
Hi, Jorge, We're talking in the context of an AD replication site. If it were picking writeable anywhere, then yeah, that would not be good for network utilization unless you're a provider and charge by the bit. The point is that in a site, the writeable copy of a partition is potentially higher fidelity than any of the read-only copies. The KCC must take the write-ability of a partition into account when it's working out the topology since it at least has to make sure the writeable copies all replicate amongst themselves. Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Friday, May 05, 2006 11:53 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion

To my knowledge a GC searches for a replication partner it can use to source the partitions from and it does not care if it uses the writable versions or read-only version. Both have the data needed. On the other side, if it did use only writable NCs, that would mean replication could place over all kinds of WAN links while a partner GC will all the data was standing next it. Or have I missed something? jorge

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) Tel : +31-(0)40-29.57.777 Mobile : +31-(0)6-26.26.62.80 E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of joe Sent: Fri 2006-05-05 20:17 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion

Ah sorry, you mean the initial population, I dropped that piece... That would make sense if it did that because you wouldn't have to worry about promoing a new GC and getting lingering objects passed onto it... I am still not sure it does it that way though as I swear I have talked to folks with new GCs with long dead lingering objects getting replicated in. :)

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lee, Wook Sent: Friday, May 05, 2006 1:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion

I wasn't claiming that it would pick the DC for regular replication. We were talking GC promotion and I did throw in the weasel words about PAS replication since my confidence level wasn't sky high. It's been so long since we've done anything but IFM that I forget these little details. I know that the PAS replication partner selection algorithm isn't very smart but it does try to pick based on something other than just random selection. It'll be interesting to see what Microsoft does about that. Wook

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe Sent: Thursday, May 04, 2006 7:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion

Not sure how well that would scale, say you have 50 GCs in a site and only one DC of a certain domain, all GCs would want to replicate with that one DC which I wouldn't expect.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lee, Wook Sent: Friday, April 28, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion

I thought that if there is a writable NC in the same site, it would try to use that, but maybe that's just for PAS replication. Wook

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe Sent: Friday, April 28, 2006 11:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GC Promotion

Yes a GC promotion can/will source readonly NCs from another GC, it does not have to go back to a DC that maintains a writeable replica. If the DC is already replicating with a DC that is also a GC, it is likely that it will start pulling the additional NCs from that GC. joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris Sent: Friday, April 28, 2006 12:28 PM To: ActiveDir.org Subject: [ActiveDir] GC Promotion

When elevating a DC to be a GC and say there are 3 domains, located say on 3 continents. Is the GC that already exists in each domain authoritative in the elevation of the DC to a GC or does each DC contact a DC in the relevant domain for the GC information? Make sense? Mark
[ActiveDir] OT: Blank messages to lists???
Anyone else receiving blank emails? The reply from Al (below Susan's email) and a couple of others I have got over the past couple of days have had empty bodies.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Friday, May 05, 2006 2:53 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Optimize Exchange Pagefile

Word of advice -- put SBS in the subject line and you'll get SBSlady from the get go :-) By design SBS is maxed at 75 users/devices. As you have already stated.. do not do a /3GB (let me repeat that again) DO NOT do a /3GB on a SBS box. It's not necessary and doesn't impact a thing. Remember with SP2 we now have 75 gigs to play with so plan accordingly (and no snickers from the terabyte people)

SBS is pretty tuned as it is.. set your page files to be 1.5 and I have mine spread on two drives. What is more important is the layout of those partitions..and boy... did a recent blog post bring out a lot of comments http://msmvps.com/blogs/bradley/archive/2006/05/02/93249.aspx

Set the crash dump to minidump or even full dump... when that sucker blows (and it's not that often and kinda fun when it does as you can use the debugger tool) you want that dumpfile to be there and juicy.

Exchange 'by design' will suck down the memory and release when needed. Honestly Exchange ..while being a hog.. isn't the annoyance on my boxes.. it's MSDE that is the troublesome child. After applications of SP1 (if it is not integrated that is) you need to rerun the SBS monitoring wizard to get rid of a bogus STORE memory alert.

Now then.. about that MSDE. The SBS health monitor function is set to warn you with an allocated memory alert when the use is above 2 gigs..when you have a 4 gig box..that 2 gig limit is a bit stupid. So step one is to monitor your box.. see where it hovers at. I bumped mine up a bit.

Next... the problem children. ISA running on MSDE 'by design' will be like Exchange and suck up all RAM and release when needed... sorry ISA .. you don't need to do that (and before Joe has the inevitable heart attack of a firewall on my DC.. it's in all honesty my 'second' firewall as I have a hardware one in front..but I like the monitoring and with Dana Epp's Scorpion Software Firewall dashboard tool, the GUI pie charts of the firewall hits that 'do' hit my domain controller are way cool... I know, I know... it's the GUI..just shake your head and walk away). SBSMonitoring 'can' and 'has' on my box and others in the community gotten too 'hot' on my box as well.

So for both ISA and SBSmonitoring there's a command (yes Joe, I did command line) to stomp on those msde instances and make them behave http://msmvps.com/blogs/bradley/search.aspx?q=allocated+memoryp=1 This is the ISA http://msmvps.com/blogs/bradley/archive/2005/05/22/48500.aspx This is SBS monitoring http://msmvps.com/blogs/bradley/archive/2005/02/04/34984.aspx

So for memory optimization... forget about Exchange.. it behaves.. but be prepared to stomp on those MSDE's ...and we're using a lot of RAID 5's down here (and even SATA drives)

Al Mulnick wrote: yeah, there would be some general disagreement from me. Why? Only because this is SBS box vs. an enterprise Exchange server hosting 5K users. My laptop (crud that it is) could host 20 heavy exchange users with usable/good performance with that amount of memory. I don't think the focus of a machine that will only ever have 75 users should be optimized for more than space in most situations. It would be a waste of money that could be spent on other things like better backups, better coffee, etc. I don't believe there's any value in buying a system such as SBS and then having to make adjustments to things like pagefile size. That's counter to the product's reason for being. Saying that, Dave is correct that optimizing the disk layout has the biggest benefit, but it's SBS and as such it's special. Just ask SBS-Lady ;) Al

On 5/4/06, Dave Wade [EMAIL PROTECTED] wrote: If you have 4gig of RAM then you should get minimal paging. (I know this is a great generalization) 1) Log file access is sequential, database is random 2) Keeping Log files write queue down is key to performance 3) log files are write only 4) raid-5 tends to have poor write performance (again great generalization). So I would try and get another drive in the box so I could have a mirrored pair for OS LOGS, and a mirrored pair for Databases. Putting these on separate drives will do far more for performance than changing the page file. RAID-5 is a real bad performer on write. These days I would avoid as far as possible... I am sure other folks may disagree...

-Original Message- From: [EMAIL PROTECTED] on behalf of Dan DeStefano Sent: Thu 04/05/2006 21:36 To: ActiveDir@mail.activedir.org
Re: [ActiveDir] OT: Blank messages to lists???
i'm seeing lots of blanks over the past week
Re: [ActiveDir] OT: Blank messages to lists???
Okay dumb questions to folks.. E-Bitz - SBS MVP the Official Blog of the SBS Diva : OWA fix on Microsoft Update: http://msmvps.com/blogs/bradley/archive/2006/04/28/92884.aspx Are the folks that are sending blank emails .. have you deployed 911829?
RE: [ActiveDir] OT: Blank messages to lists???
Nope, don't have that one installed. The blanks I have been seeing are limited to this list of all of the lists I am on. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] OT: KVM switches
I had issues with Belkin KVMs too, and I found an even cheaper KVM that works great. I have 4, 8, 16-port StarTech KVMs: the 4-port ones use proprietary cables, but the 8 and 16-port models use standard cables - probably the same as your Belkin (Omniview?). http://startech.com Derek Not affiliated in any way, just happy with a couple of their products.
RE: [ActiveDir] OT: KVM switches
BlackBox... rock-solid reliable. http://www.blackbox.com/Catalog/Category.aspx?cid=537
RE: [ActiveDir] Trust for delegation error
It sounds like you are configuring this setting on many directory objects: For what purpose? What functional level is the domain having these problems and is it different from the other domains? Aric Sent from my Windows Mobile 5 device.

-Original Message- From: [EMAIL PROTECTED] [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org Sent: 5/5/06 10:59 AM Subject: [ActiveDir] Trust for delegation error

Hi all, I have a new problem: When I try to enable this option: Trust Computer for delegation for a computer account in DSA.msc I receive this error: Your security setting do not allow you to Specify whether or not This account is to be trusted for delegation. I have already applied an instruction to change local user rights, but it is still showing that message. The most strange is that we have 18 subdomains, and it works in all, but that. That is happening to user, too, I can not enable TRUST FOR delegation for a user account. Is there a way to solve that problem?

___ Adrião Ferreira Ramos [EMAIL PROTECTED] Equipe Suporte Windows (11) 3388-8193
Re: [ActiveDir] OT: Blank messages to lists???
I'm using GMail. Fixes would all be client side and since I see the content in the mail I send, I doubt it's client side. Else it's highly consistent client-side issues. Tony might be the person to contact about some of this, but I think there're also some server side issues possibly at GMAIL, possibly at the receiving end. Al
RE: [ActiveDir] OT: Blank messages to lists???
I've seen this happen occasionally on other lists, but I don't know if it's the same underlying cause.

The original post is encoded in some way, and then the addition of the list footer means that the post isn't properly encoded anymore. Some email clients then display this as a blank post. If you are able to get to the message source in your client, you will see the message contents.

HTH

Cheers
Ken

: -----Original Message-----
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of joe
: Sent: Saturday, 6 May 2006 6:57 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] OT: Blank messages to lists???
:
: Nope, don't have that one installed.
:
: The blanks I have been seeing are limited to this list of all of the lists
: I am on.
:
: --
: O'Reilly Active Directory Third Edition -
: http://www.joeware.net/win/ad3e.htm
:
: -----Original Message-----
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS
: Rocks [MVP]
: Sent: Friday, May 05, 2006 4:41 PM
: To: ActiveDir@mail.activedir.org
: Subject: Re: [ActiveDir] OT: Blank messages to lists???
:
: Okay dumb questions to folks..
:
: E-Bitz - SBS MVP the Official Blog of the SBS Diva : OWA fix on
: Microsoft Update:
: http://msmvps.com/blogs/bradley/archive/2006/04/28/92884.aspx
:
: Are the folks that are sending blank emails .. have you deployed 911829?
:
: Kevin Gent wrote:
:
: i'm seeing lots of blanks over the past week
:
: ----- Original Message ----- From: Douglas M. Long
: [EMAIL PROTECTED]
: To: ActiveDir@mail.activedir.org
: Sent: Friday, May 05, 2006 4:05 PM
: Subject: [ActiveDir] OT: Blank messages to lists???
:
: Anyone else receiving blank emails? The reply from Al (below Susan's
: email) and a couple of others I have got over the past couple of days
: have had empty bodies.
RE: [ActiveDir] Trust for delegation error
Try to set the userAccountControl value manually with either LDP or admod (with -exterr) and report back the full LDAP error with DSID.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, May 05, 2006 12:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Trust for delegation error

Hi all,

I have a new problem:

When I try to enable this option: "Trust Computer for delegation" for a computer account in DSA.msc I receive this error: "Your security setting do not allow you to Specify whether or not This account is to be trusted for delegation"

I have already applied an instruction to change local user rights, but it is still showing that message.

The most strange is that we have 18 subdomains, and it works in all, but that.

That is happening to user, too, I cannot enable "TRUST FOR delegation" for a user account.

Is there a way to solve that problem?

___
Adrião Ferreira Ramos
[EMAIL PROTECTED]
Equipe Suporte Windows
(11) 3388-8193
RE: [ActiveDir] Default Domain
I agree with Al that the process to get the trusted domains list could possibly be wiping out the value you are tucking in.

If you are trying to get away from "contexts", I think one of the best things you could do is go to UPN logon then, then they don't have to remember their domain for the most part, you could do something like [EMAIL PROTECTED] or [EMAIL PROTECTED] even.

Hmm your words of kindness towards IBM and their Tivoli product is not the first I have heard for that. ;o)

The rest of the info is quite interesting to me, thanks for sharing.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Glenn
Sent: Friday, May 05, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Default Domain

On 5/5/06, joe [EMAIL PROTECTED] wrote:

Welcome. I am not sure if you can set a domain by default for the initial logon. If you could, I would expect it to be to some of the reg entries maintained in the HKLM\software\microsoft\windows nt\currentversion\winlogon portion of the registry.

That is exactly the key we have found what little information we have. No matter what you set for defaultdomainname or altdefaultdomainname it's the same thing.

You could step around that by telling people to use UPNs for logon instead of SAM Names. That would mean you would use something like [EMAIL PROTECTED] instead of something\PGlenn. That is the direction the auth is going so if you are starting fresh now, might as well start that way. Then the domain dropdown is a moot point. It also means you can dork with the domain's almost to your heart's content and never have to worry about telling the users their new domain, it will just work because the UPN does not have to match the Domain structure.

We would like, if possible, to stay away from this because of the way we have the students logging on now. Currently they don't have to use any context for their Netware logins. A far cry from the days they had to put in .pglenn.uxx.student.usr.uky

The direction our university is leaning is to do everything via LDAP lookups. We are doing this because we have 2 major AD domains and one major eDirectory. Account information is handled by Novell's Identity Manager.

I am curious about the direction to move as you state it as "the Novell business model", what specifically is pushing this change? With Novell embracing Open Source I would expect schools and the like to be more, not less, interested in it. Also I am curious why not a move to say BSD or Linux. If anywhere that stuff works well en masse it is in school environments because they are so closed and geographically small.

Going open source is great for many things. However, after many years of struggling with different vendors and their lack of support for anything that is not Windows, open source wasn't that appealing. Our vendors include made discipline specific software who don't want to support anything else and hardware vendors that support other things when they get around to it - an example of the latter being the horrible tech support from Tivoli after losing about 2 terabytes of data (took them 6 months to get it resolved).

Using Netware OES or eDirectory on SUsE were other options I had. After weighing several things - most importantly my learning curve for such a move to either one given the time table - I chose AD. This will allow us to put out images without a non-native client. This also pleases my VP, who really wants me to move toward AD.

Paul
RE: [ActiveDir] Default Domain
Oh BTW, are you changing the SIDs on the workstations after you finish the ghost process?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Glenn
Sent: Friday, May 05, 2006 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Default Domain

Al,

We are accomplishing this by Ghost. We push out a configuration that tells it the domain and OU to join. The rights are associated with the Ghost Console user that gets installed. After the workstations join and reboot it's getting all the AD domains on campus via the DNS server (I'm assuming). There are actually 3 domains and the local workstation that show up in the drop down menu.

BTW, if you all ever need a Ghost question answered, we have one of the best guys in the world for those!

Paul

On 5/5/06, Al Mulnick [EMAIL PROTECTED] wrote:

Of course, it makes supporting non-windows clients a different challenge :)

Paul, what method are you using to join the workstation to the domain? It sounds like the domains are being enumerated at initial logon as if it has no list when it joins. Could be something in the process or something else, but figured I'd ask.

al

On 5/5/06, Paul Glenn [EMAIL PROTECTED] wrote:

On 5/5/06, joe [EMAIL PROTECTED] wrote:

Welcome. I am not sure if you can set a domain by default for the initial logon. If you could, I would expect it to be to some of the reg entries maintained in the HKLM\software\microsoft\windows nt\currentversion\winlogon portion of the registry.

That is exactly the key we have found what little information we have. No matter what you set for defaultdomainname or altdefaultdomainname it's the same thing.

You could step around that by telling people to use UPNs for logon instead of SAM Names. That would mean you would use something like [EMAIL PROTECTED] instead of something\PGlenn. That is the direction the auth is going so if you are starting fresh now, might as well start that way. Then the domain dropdown is a moot point. It also means you can dork with the domain's almost to your heart's content and never have to worry about telling the users their new domain, it will just work because the UPN does not have to match the Domain structure.

We would like, if possible, to stay away from this because of the way we have the students logging on now. Currently they don't have to use any context for their Netware logins. A far cry from the days they had to put in .pglenn.uxx.student.usr.uky

The direction our university is leaning is to do everything via LDAP lookups. We are doing this because we have 2 major AD domains and one major eDirectory. Account information is handled by Novell's Identity Manager.

I am curious about the direction to move as you state it as "the Novell business model", what specifically is pushing this change? With Novell embracing Open Source I would expect schools and the like to be more, not less, interested in it. Also I am curious why not a move to say BSD or Linux. If anywhere that stuff works well en masse it is in school environments because they are so closed and geographically small.

Going open source is great for many things. However, after many years of struggling with different vendors and their lack of support for anything that is not Windows, open source wasn't that appealing. Our vendors include made discipline specific software who don't want to support anything else and hardware vendors that support other things when they get around to it - an example of the latter being the horrible tech support from Tivoli after losing about 2 terabytes of data (took them 6 months to get it resolved).

Using Netware OES or eDirectory on SUsE were other options I had. After weighing several things - most importantly my learning curve for such a move to either one given the time table - I chose AD. This will allow us to put out images without a non-native client. This also pleases my VP, who really wants me to move toward AD.

Paul

--
***"I've got a fever and the only prescription is more cowbell." --Christopher Walken***
Re: [ActiveDir] Trust for delegation error
Can you expand on this statement?

I have already applied an instruction to change local user rights

This should be enabled by default in the Domain Controller policy -- Enable computer and user accounts to be trusted for delegation +r Administrators. Make sure that you have the user right SeEnableDelegationPrivilege

Also - check the acls on the computer and useraccountcontrol.

steve

----- Original Message -----
From: Bernard, Aric [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, May 05, 2006 2:33 PM
Subject: RE: [ActiveDir] Trust for delegation error

It sounds like you are configuring this setting on many directory objects: For what purpose?

What functional level is the domain having these problems and is it different from the other domains?

Aric

Sent from my Windows Mobile 5 device.

-----Original Message-----
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 5/5/06 10:59 AM
Subject: [ActiveDir] Trust for delegation error

Hi all,

I have a new problem:

When I try to enable this option: Trust Computer for delegation for a computer account in DSA.msc I receive this error: Your security setting do not allow you to Specify whether or not This account is to be trusted for delegation

I have already applied an instruction to change local user rights, but it is still showing that message.

The most strange is that we have 18 subdomains, and it works in all, but that.

That is happening to user, too, I cannot enable TRUST FOR delegation for a user account.

Is there a way to solve that problem?

___
Adrião Ferreira Ramos
[EMAIL PROTECTED]
Equipe Suporte Windows
(11) 3388-8193

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
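The two checks suggested in this thread (setting userAccountControl by hand, and confirming who holds SeEnableDelegationPrivilege) can be worked through offline. The Python below is an added example, not code from any poster: it decodes a userAccountControl value, computes the value to write with the delegation bit set, and reads the `[Privilege Rights]` section of a security template. Both template samples are constructed, and the empty assignment in the second is only an assumed cause, not a finding from the thread.

```python
# Added example: sample values below are constructed, not taken from the thread.

# userAccountControl bit flags as documented for Active Directory.
UAC_FLAGS = {
    0x0000002: "ACCOUNTDISABLE",
    0x0000020: "PASSWD_NOTREQD",
    0x0000200: "NORMAL_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",
    0x0002000: "SERVER_TRUST_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0100000: "NOT_DELEGATED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
TRUSTED_FOR_DELEGATION = 0x0080000
ADMINISTRATORS_SID = "S-1-5-32-544"  # BUILTIN\Administrators

def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unlisted = value & ~sum(UAC_FLAGS)  # bits this table does not name
    if unlisted:
        names.append("UNLISTED_0x%X" % unlisted)
    return names

def with_delegation(value):
    """Value to write by hand so that only the delegation bit is added."""
    return value | TRUSTED_FOR_DELEGATION

def privilege_holders(inf_text, privilege):
    """SIDs or names granted `privilege` in [Privilege Rights]; None if absent."""
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip().lower() == privilege.lower():
            return [v.strip().lstrip("*") for v in val.split(",") if v.strip()]
    return None

def can_set_delegation(inf_text, caller_sids):
    """True if any SID in the caller's token is granted the delegation right."""
    holders = privilege_holders(inf_text, "SeEnableDelegationPrivilege")
    return bool(holders) and any(sid in holders for sid in caller_sids)

# Constructed template: the right is granted to Administrators.
WORKING_DOMAIN = """[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeEnableDelegationPrivilege = *S-1-5-32-544
"""
# Constructed template: the right is defined but granted to nobody.
FAILING_DOMAIN = """[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeEnableDelegationPrivilege =
"""

if __name__ == "__main__":
    print(decode_uac(4096), "->", with_delegation(4096))
    for label, inf in (("working", WORKING_DOMAIN), ("failing", FAILING_DOMAIN)):
        print(label, can_set_delegation(inf, {ADMINISTRATORS_SID}))
```

A computer account at 4096 becomes 528384 once the bit is set; if that write is refused, the policy check shows whether the account making the change is granted the right at all.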