RE: [ActiveDir] DC and ADC replication prob.
Never miss a chance, do you Susan? ;)

For those interested, I am in China at the moment, doing a meet and greet/reccy on our sister companies there and preparing for connecting them to our regional domain - then our region will be migrated to the corporate global domain as a part of the directive from Head Office in Sweden. My blog isn't very technical at the best of times, and is laced with (what I hope is) Aussie humour... But if you want to maybe learn something - http://themolks.com/blog/.

For those not interested... Ask Susan about the benefits of an SBS box for your small network. ;)

themolk.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley
Sent: Monday, 5 June 2006 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC and ADC replication prob.

.. (and I'd just like to annoyingly point out that 50 pc's is perfect for a SBS network ;-)

Ajay Kumar wrote:

Hi all,

Pls help me out, Just recently I set up small domain of 50 Pc's with a DC and ADC. But the prob. is that the replication is not taking place between DC and ADC and there is no error in event log. What could be the problem.

Ajay.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] Resizing issue
Hello everybody,

I got this problem: I am trying to resize a partition on fileserver running on Windows 2003 Enterprise. I got 1TB in raid 5, and my system partition is 40GB and I have 500 GB for storage. So is there a way to resize this 500 GB partition and extend it with the rest unallocated free space without formatting or losing any information?

greetings
db
RE: [ActiveDir] Resizing issue
Diskpart.exe

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Boris Demirov
Sent: Monday, June 05, 2006 8:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Resizing issue

Hello everybody,

I got this problem: I am trying to resize a partition on fileserver running on Windows 2003 Enterprise. I got 1TB in raid 5, and my system partition is 40GB and I have 500 GB for storage. So is there a way to resize this 500 GB partition and extend it with the rest unallocated free space without formatting or losing any information?

greetings
db
RE: [ActiveDir] FW: Assigning Software Via GPO
Christine,

John does have a fix but do realize that once users are given elevated privileges, their boxes will become the source for malware entry points. In my firm, we install the apps that needed admin attention and specifically modify the ACLs/DACLs so that user will not encounter launching the apps with limited privileges.

-Shariff

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, June 02, 2006 4:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FW: Assigning Software Via GPO

Hi Christine,

In a GPO you can set always install with elevated privileges to MSI's. It is in both the user, and computer settings. You may want to set those.

John

From: Christine Allen Christine.Allen@bmchp.org
Sent by: [EMAIL PROTECTED]
Date: 06/02/2006 02:04 PM
Please respond to: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FW: Assigning Software Via GPO

I'm having an issue with assigning software to folks who are not local admins to their machines. How would I get around this?

Thanks.

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02116
617-748-6034
617-293-4407
[EMAIL PROTECTED]
RE: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1
I knew there was a firewall between some of the clients at remote sites and the DCs, but what I didn't realize is that the clients at the same physical site as the DCs were also going through the firewall. I assumed (incorrectly) that they were on the same layer-2 network and that there were no ACLs or firewalls separating the clients and the DCs. I definitely hope to see a reduction in the number of "Access is denied." for computer account errors.

Thanks again for all the help!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 5:48 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

Hmm... yeah, I can see where that would take a while. I'm concerned that we didn't know there was a firewall between the clients and the machines. That might explain why the computer accounts were out of date, or at least reporting that they were.

On 6/2/06, Clay, Justin (ITS) [EMAIL PROTECTED] wrote:

Well everyone, it's fixed. It's something that even MS is a bit surprised at, although they say they have seen it before. Essentially, the last year since this forest has been deployed, high ports (1024-65535) have been blocked at the firewall but for whatever reason, everything seemed to work fine. Installing SP1 apparently changed something, or fixed something that finally made it a requirement to have those high ports open. They opened 1024-65535 on our Checkpoint firewall and the login times instantly went from 4-8 minutes back down to the usual few seconds.

It sucks to have to learn about things like this by killing a production environment for 4 hours and burning some Premiere Support hours, but at least we know what to look for when we upgrade some of our other domains to SP1!

Thanks to everyone for all the suggestions and help, it's always appreciated!

Also, to everyone else that was experiencing this issue, I'd be interested to know if a firewall or router ACL blocking high ports is the cause of the problem for you!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 02, 2006 2:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

Nope, I can get to them from the client PCs just fine. I was able to drill down into all of the policies that I tried.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

Any problems accessing \\domain\sysvol\domain\Policies ?

On 6/2/06, Clay, Justin (ITS) [EMAIL PROTECTED] wrote:

Hopefully the attachment comes through. The interesting part, and where most of the time delay is seen is here:

USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

I think a different thread mentioned that DNS was about 90% of the cause of this type of behavior. It's not the only one however. What keeps rebooting? The DC? Or the workstations? If the workstations, not only ethereal but Darren's suggestion of logging is a good idea.

On 6/2/06, Za Vue [EMAIL PROTECTED] wrote:

Finally..someone is also experiencing this problem. My DCs are Windows 2003 SP1 also. It seems to hang every 3-4 reboots. My first thought was DNS DNS.. but NetDiag, Repl, DCDiag, Nslookup all show no error. Nothing is reported in logs. It is not firewall. I have play with NetBIOS, changing Provider Order in Network Neighborhood-Advanced Settings..nada. This week has been quiet. If someone calls again I have ethereal setup and ready
RE: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1
Darren,

RPC connects initially on 135 and then the DC tells the client to establish a new connection on one of the free high ports. They start at 1024 and move up from there, so if there are already 2 clients connected starting at 1024, then the next client would be told to connect to the DC on port 1026 and so on. At least that's my understanding of it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Friday, June 02, 2006 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

Good to know Justin. Exactly where were higher ports blocked? At the DCs? Did MS say what was expecting to use those higher ports? Presumably some RPC communication?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 02, 2006 2:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

Well everyone, it's fixed. It's something that even MS is a bit surprised at, although they say they have seen it before. Essentially, the last year since this forest has been deployed, high ports (1024-65535) have been blocked at the firewall but for whatever reason, everything seemed to work fine. Installing SP1 apparently changed something, or fixed something that finally made it a requirement to have those high ports open. They opened 1024-65535 on our Checkpoint firewall and the login times instantly went from 4-8 minutes back down to the usual few seconds.

It sucks to have to learn about things like this by killing a production environment for 4 hours and burning some Premiere Support hours, but at least we know what to look for when we upgrade some of our other domains to SP1!

Thanks to everyone for all the suggestions and help, it's always appreciated!

Also, to everyone else that was experiencing this issue, I'd be interested to know if a firewall or router ACL blocking high ports is the cause of the problem for you!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 02, 2006 2:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

Nope, I can get to them from the client PCs just fine. I was able to drill down into all of the policies that I tried.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

Any problems accessing \\domain\sysvol\domain\Policies ?

On 6/2/06, Clay, Justin (ITS) [EMAIL PROTECTED] wrote:

Hopefully the attachment comes through. The interesting part, and where most of the time delay is seen is here:

USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

I think a different thread mentioned that DNS was about 90% of the cause of this type of behavior. It's not the only one however. What keeps rebooting? The DC? Or the workstations? If the workstations, not only ethereal but Darren's suggestion of logging is a good idea.

On 6/2/06, Za Vue [EMAIL PROTECTED] wrote:

Finally..someone is also experiencing this problem. My DCs are Windows 2003 SP1 also. It seems to hang every 3-4 reboots. My first thought was DNS DNS.. but NetDiag, Repl, DCDiag, Nslookup all show no error. Nothing is reported in logs. It is not firewall. I have play with NetBIOS, changing Provider Order in Network Neighborhood-Advanced Settings..nada. This week has been quiet. If someone calls again I have ethereal setup and ready to capture. The thing about my environment is I do not manage the
Re: [ActiveDir] PCs hang at Applying computer settings after upgradingDCsto 2K3 SP1
If you have to open high ports then what are the reasons of having a firewall in the first place?

-Z.V.

Clay, Justin (ITS) wrote:

Darren,

RPC connects initially on 135 and then the DC tells the client to establish a new connection on one of the free high ports. They start at 1024 and move up from there, so if there are already 2 clients connected starting at 1024, then the next client would be told to connect to the DC on port 1026 and so on. At least that's my understanding of it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Friday, June 02, 2006 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at "Applying computer settings" after upgradingDCs to 2K3 SP1

Good to know Justin. Exactly where were higher ports blocked? At the DCs? Did MS say what was expecting to use those higher ports? Presumably some RPC communication?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 02, 2006 2:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at "Applying computer settings" after upgradingDCs to 2K3 SP1

Well everyone, it's fixed. It's something that even MS is a bit surprised at, although they say they have seen it before. Essentially, the last year since this forest has been deployed, high ports (1024-65535) have been blocked at the firewall but for whatever reason, everything seemed to work fine. Installing SP1 apparently changed something, or fixed something that finally made it a requirement to have those high ports open. They opened 1024-65535 on our Checkpoint firewall and the login times instantly went from 4-8 minutes back down to the usual few seconds.

It sucks to have to learn about things like this by killing a production environment for 4 hours and burning some Premiere Support hours, but at least we know what to look for when we upgrade some of our other domains to SP1!
RE: [ActiveDir] Change private IP on a cluster
Thanks Jose,

This is just going to affect the private IPs in the cluster so no name resolution issues will come into play. This helped a lot. It led me to http://support.microsoft.com/kb/241828/ which is pretty clear. I'm looking at some downtime on the cluster and that's what I needed to know. I was *assuming* that when I changed the IP on both private interfaces the cluster would come back up and there would be no downtime but it looks like that's not going to be the case :(

Last quick question. The article states there may be a failover if I change the IP and subnet. Do you think the cluster will fail over if I just change the IP and don't change the subnet?

Thanks again, I appreciate the help.

From: Jose Medeiros [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 04, 2006 9:53 PM
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Cc: Mike Newell
Subject: Re: [ActiveDir] Change private IP on a cluster

Hi Mike,

I've only had to change a SQL 2000 Active / Active Cluster IP and it involves some additional steps for SQL Virtual Names. It's been over 5 years since I built an Exchange 2000 cluster, but I do not recall if Exchange has any dependencies (I would probably post this to the Exchange list and I am cc'ing them as well).

Take a look at:

Exchange Server 2003 Cluster Configuration Checklist
http://www.microsoft.com/technet/itsolutions/msit/operations/exchclustercklist.mspx?pf=true

Changing the IP address of network adapters in cluster server
http://support.microsoft.com/kb/230356/EN-US/
Or in PDF format at: http://www.maned.com/support/knowledge_base/Roundhouse/Recommended_Reading/Q230356.pdf

Also just in case you ever have to change it on a SQL:

How to change the network IP addresses of SQL Server virtual servers
http://support.microsoft.com/kb/244980/en-us

Hope this helps,

Sincerely,
Jose Medeiros
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell

- Original Message -
From: Mike Newell [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sunday, June 04, 2006 12:53 PM
Subject: [ActiveDir] Change private IP on a cluster

Doh! Didn't mean to let this go without the OT:. Sorry.

From: [EMAIL PROTECTED] on behalf of Mike Newell
Sent: Sun 6/4/2006 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change private IP on a cluster

Hey,

I have an Exchange 2003 active/passive cluster on Windows 2003 and I need to change the private ip on both nodes. I realize that while I'm changing the IP the nodes will not talk to each other and likely kick the passive node off or stop the cluster service for a few minutes on the passive node. Is there anything else I will need to do or look out for? I don't *think* this is a big deal but since it's a production cluster, and I've never had to do this, I thought I would check before I tried it.

Thanks again.

Mike.
RE: [ActiveDir] PCs hang at Applying computer settings after upgradingDCsto 2K3 SP1
Z,

I think the firewall was supposedly between the clients and the DC which invalidated the machine accounts after updates. There might be more than a single firewall (internal and external).

-Shariff

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Za Vue
Sent: Monday, June 05, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at "Applying computer settings" after upgradingDCsto 2K3 SP1

If you have to open high ports then what are the reasons of having a firewall in the first place?

-Z.V.

Clay, Justin (ITS) wrote:

Darren,

RPC connects initially on 135 and then the DC tells the client to establish a new connection on one of the free high ports. They start at 1024 and move up from there, so if there are already 2 clients connected starting at 1024, then the next client would be told to connect to the DC on port 1026 and so on. At least that's my understanding of it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Friday, June 02, 2006 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at "Applying computer settings" after upgradingDCs to 2K3 SP1

Good to know Justin. Exactly where were higher ports blocked? At the DCs? Did MS say what was expecting to use those higher ports? Presumably some RPC communication?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 02, 2006 2:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at "Applying computer settings" after upgradingDCs to 2K3 SP1

Well everyone, it's fixed. It's something that even MS is a bit surprised at, although they say they have seen it before. Essentially, the last year since this forest has been deployed, high ports (1024-65535) have been blocked at the firewall but for whatever reason, everything seemed to work fine. Installing SP1 apparently changed something, or fixed something that finally made it a requirement to have those high ports open.
Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?
I wonder if they do work? or if some of them don't because only the first 20 chars are being looked at/returned by the api's that consume them? Interesting. That variable is a 20 char variable so I don't see why a loophole of 64 is allowed? Any thoughts?

On 6/4/06, Joe Kaplan [EMAIL PROTECTED] wrote:

My understanding is that the DS enforces a limit of 64 char for sAMAccountName for groups, but 20 for users. I know we have thousands of groups with sAMAccountName longer than 20. They still work and the DS doesn't balk. :)

These are all created programmatically through tools though and are not created or modified with ADUC. There might be some behavior difference there.

Joe K.

- Original Message -
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Sunday, June 04, 2006 11:58 AM
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?

That's on the target? Or that's in the source?

On 6/4/06, Freddy HARTONO [EMAIL PROTECTED] wrote:

Hi Al

I have one of this group with way more than 20 char samaccountname

AKL.AST.Assistance Management.Assistant GM- Assistance Services

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
[ActiveDir] Change private IP on a cluster
Hi Mike,

I am not sure what your project involves and you fail to mention why you are doing this. Are you moving the cluster to a new switch? Replacing the Router? Why are you making this change?

It will take several minutes for your ARP table on the router or routers to be updated unless you enable Gratuitous ARP, and since your clients connect via name lookup to IP address mapping, you probably will have disconnects, and may want to manually tombstone the record on your WINS servers, not to mention your DNS record will be cached on your DNS servers, unless you are in a small environment and have very few DNS servers (I am not sure how long Microsoft's DNS takes to replicate via AD integrated DNS but the default time for AD replication between DCs is 5 minutes).

Also these articles may be helpful to you:

MAC Address Changes for Virtual Server During a Failover with Clustering
http://support.microsoft.com/?kbid=244331

Behavior of Gratuitous ARP in Windows NT 4.0
http://support.microsoft.com/kb/199773/EN-US/

To be safe I would notify your IT customers of this change and plan on doing this during non business hours. Let me know how everything works out, I am curious to see what issues you may find.

Sincerely,
Jose Medeiros
Storage Area Network Systems Engineer
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell

"Anyone who has never made a mistake has never tried anything new." Albert Einstein

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Newell
Sent: Monday, June 05, 2006 7:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change private IP on a cluster

Thanks Jose,

This is just going to affect the private IPs in the cluster so no name resolution issues will come into play. This helped a lot. It led me to http://support.microsoft.com/kb/241828/ which is pretty clear. I'm looking at some downtime on the cluster and that's what I needed to know.
RE: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1
Thanks Justin. I know how RPC works. I was asking where you had the firewall and what RPC services were identified as using those.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Monday, June 05, 2006 6:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

Darren,

RPC connects initially on 135 and then the DC tells the client to establish a new connection on one of the free high ports. They start at 1024 and move up from there, so if there are already 2 clients connected starting at 1024, then the next client would be told to connect to the DC on port 1026 and so on. At least that's my understanding of it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, June 02, 2006 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

Good to know Justin. Exactly where were higher ports blocked? At the DCs? Did MS say what was expecting to use those higher ports? Presumably some RPC communication?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 02, 2006 2:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

Well everyone, it's fixed. It's something that even MS is a bit surprised at, although they say they have seen it before.

Essentially, the last year since this forest has been deployed, high ports (1024-65535) have been blocked at the firewall but for whatever reason, everything seemed to work fine. Installing SP1 apparently changed something, or fixed something that finally made it a requirement to have those high ports open. They opened 1024-65535 on our Checkpoint firewall and the login times instantly went from 4-8 minutes back down to the usual few seconds.

It sucks to have to learn about things like this by killing a production environment for 4 hours and burning some Premier Support hours, but at least we know what to look for when we upgrade some of our other domains to SP1!

Thanks to everyone for all the suggestions and help, it's always appreciated! Also, to everyone else that was experiencing this issue, I'd be interested to know if a firewall or router ACL blocking high ports is the cause of the problem for you!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 02, 2006 2:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

Nope, I can get to them from the client PCs just fine. I was able to drill down into all of the policies that I tried.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

Any problems accessing \\domain\sysvol\domain\Policies ?

On 6/2/06, Clay, Justin (ITS) [EMAIL PROTECTED] wrote:

Hopefully the attachment comes through. The interesting part, and where most of the time delay is seen is here:

USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

I think a different thread mentioned that DNS was about 90% of the cause of this type of behavior. It's not the only one however.

What keeps rebooting? The DC? Or the workstations? If the workstations, not only Ethereal but Darren's suggestion of logging is a good idea.

On 6/2/06, Za Vue [EMAIL PROTECTED] wrote:

Finally.. someone is also experiencing this problem. My DCs are Windows 2003 SP1 also. It seems to hang every 3-4 reboots. My first thought was DNS DNS.. but NetDiag,
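The stall pattern in the USERENV excerpt quoted in this thread can be picked out mechanically. The following is an added example, not code from any poster or from Microsoft: it parses debug lines in the format shown in the excerpt, reports gaps between consecutive entries of the same thread that exceed a threshold, and counts the Win32 error codes seen. The function names and the 30-second threshold are assumptions; the sample lines are the ones quoted in the thread.

```python
import re
from collections import Counter, namedtuple
from datetime import timedelta

# One parsed line: (pid, tid) pair, time since midnight, function, message, error code
Entry = namedtuple("Entry", "thread when func msg error")

# Format seen in the thread: USERENV(pid.tid) HH:MM:SS:mmm Function: message
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)\)\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+"
    r"(?P<func>\w+):\s*(?P<msg>.*)$"
)
ERR_RE = re.compile(r"failed with (?:error )?(\d+)")

# Win32 codes relevant to RPC endpoint problems
WIN32_NAMES = {
    1722: "RPC_S_SERVER_UNAVAILABLE",
    1753: "EPT_S_NOT_REGISTERED (no more endpoints available from the endpoint mapper)",
}

# Lines copied from the excerpt posted in the thread
SAMPLE_LOG = """\
USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.
"""


def parse_userenv(text):
    """Return an Entry for every line that matches the USERENV debug format."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip wrapped or unrelated lines
        when = timedelta(hours=int(m["h"]), minutes=int(m["m"]),
                         seconds=int(m["s"]), milliseconds=int(m["ms"]))
        err = ERR_RE.search(m["msg"])
        entries.append(Entry((m["pid"], m["tid"]), when, m["func"], m["msg"],
                             int(err.group(1)) if err else None))
    return entries


def find_stalls(entries, threshold_s=30.0):
    """Return (gap_seconds, before, after) for per-thread gaps >= threshold_s."""
    last_seen, stalls = {}, []
    for entry in entries:
        prev = last_seen.get(entry.thread)
        if prev is not None:
            gap = entry.when - prev.when
            if gap < timedelta(0):
                gap += timedelta(days=1)  # assumption: log rolled past midnight
            if gap.total_seconds() >= threshold_s:
                stalls.append((gap.total_seconds(), prev, entry))
        last_seen[entry.thread] = entry
    return stalls


def summarize(text, threshold_s=30.0):
    """Stalls, total stalled time in seconds, and a count of error codes."""
    entries = parse_userenv(text)
    stalls = find_stalls(entries, threshold_s)
    errors = Counter(e.error for e in entries if e.error is not None)
    return {"stalls": stalls,
            "stalled_seconds": round(sum(s[0] for s in stalls), 3),
            "errors": errors}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for gap, before, after in report["stalls"]:
        print(f"{gap:8.3f}s  after '{before.msg}'  then '{after.msg}'")
    for code, count in report["errors"].items():
        print(code, WIN32_NAMES.get(code, "unknown"), "x", count)
```

On the quoted excerpt this reports four stalls of roughly 63 seconds each, every one ending in error 1753, which is the endpoint-mapper error consistent with the blocked high ports Justin describes.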
RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?
How do I test that? I'd love to change all of these to match the samaccountname to the objectcn = as it's showing half complete on the samaccountname for those adc created objects and is not neat...

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, June 05, 2006 10:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

I wonder if they do work? Or if some of them don't because only the first 20 chars are being looked at/returned by the APIs that consume them?

Interesting. That variable is a 20 char variable so I don't see why a loophole of 64 is allowed? Any thoughts?

On 6/4/06, Joe Kaplan [EMAIL PROTECTED] wrote:

My understanding is that the DS enforces a limit of 64 char for sAMAccountName for groups, but 20 for users. I know we have thousands of groups with sAMAccountName longer than 20. They still work and the DS doesn't balk. :)

These are all created programmatically through tools though and are not created or modified with ADUC. There might be some behavior difference there.

Joe K.

- Original Message -
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Sunday, June 04, 2006 11:58 AM
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

That's on the target? Or that's in the source?

On 6/4/06, Freddy HARTONO [EMAIL PROTECTED] wrote:

Hi Al

I have one of this group with way more than 20 char samaccountname

AKL.AST.Assistance Management.Assistant GM- Assistance Services

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
RE: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1
I may be missing something basic during this discussion. Please help me with understanding.

Generally, it makes sense that an inability to access domain resources will cause a lengthy and error-filled login process.

Question 1: Why doesn't it happen all of the time to off-site laptops if the user logs in with a domain account? There must be a critical decision point during login where the OS decides whether or not to pursue full domain authentication.

Question 2: If VPN is needed, then does the Microsoft client have an Auto-Init function similar to chapter 3 of http://www.netometer.com/books/vpnclient.pdf ?

Thank you.

Richard
RE: [ActiveDir] Windows 2003 R2
Thanks, this helps.

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 26, 2006 1:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 R2

R2 is about the Option Packs, the core binaries are Windows Server 2003 SP1. Look over the option packs (ADFS, DFSR, ADAM, UNIX stuff, etc.) and if there is something there, then that is why you will want to go in that direction.

The coolest thing in R2 in terms of AD, IMO, is the inclusion of ADAM in the base media and the new and improved AD tools in the ADAM installation (you can also get those in the ADAM SP1 installation as well).

If you have any up and coming schema mods I would look at incorporating the R2 bits then so if you end up building R2 DCs later you don't need to schedule something special, also some of the option packs need some of that info.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, May 26, 2006 12:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Windows 2003 R2

Did R2 make any changes to Active Directory and its supporting services?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] Windows 2003 R2
I meant Active Directory itself.

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Friday, May 26, 2006 12:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 R2

Er... yes? Can you be more specific? A reason behind your question could make for a better answer.

DFSR
PMC
FSM
SRM
MMC3.0
ADAM
ADFS
Enhanced subsystem for UNIX/NIS/Password sync
CLFS
Integrated SAN LUN management
.NET Framework 2.0
WSS SP2

Some of which do require changes to the schema. Some or all of which could be considered supporting. Some of which are available outside of the R2 release itself.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, May 26, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Windows 2003 R2

Did R2 make any changes to Active Directory and its supporting services?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] DC and ADC replication prob.
What is your ADC configuration?

Santhosh Sivarajan | MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
Houston, TX

From: [EMAIL PROTECTED] on behalf of Ajay Kumar
Sent: Sun 6/4/2006 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC and ADC replication prob.

Hi all,

Pls help me out. Just recently I set up small domain of 50 Pc's with a DC and ADC. But the prob. is that the replication is not taking place between DC and ADC and there is no error in event log. What could be the problem.

Ajay.
RE: [ActiveDir] Change private IP on a cluster
Hey Jose,

I need to change the IP on the two network cards that the servers use to monitor the heartbeat between them. Each server in the cluster has two NICs in them, one for monitoring the heartbeat between them (private), and one for the internal LAN. We have just added an office that shares the same subnet as the private side of the cluster so no one in that office can see the cluster. I don't need to change the IPs on the LAN side of the servers or change the VIP used for the cluster.

I was hoping that it would only affect the communications between the servers and not fail over or prevent anyone from accessing the cluster. My thought was that I could just change the IP on each server and after a few seconds the clustered servers would see each other again and continue to function normally.

Again, I really appreciate the help.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: 05 June 2006 07:58
To: ActiveDir@mail.activedir.org
Cc: Jose Medeiros; Medeiros, Jose; Douglas R. Spindler; [EMAIL PROTECTED]
Subject: [ActiveDir] Change private IP on a cluster

Hi Mike,

I am not sure what your project involves and you fail to mention why you are doing this. Are you moving the cluster to a new switch? Replacing the Router? Why are you making this change?

It will take several minutes for your ARP table on the router or routers to be updated unless you enable Gratuitous ARP, and since your clients connect via name lookup to IP address mapping, you probably will have disconnects, and may want to manually tombstone the record on your WINS servers, not to mention your DNS record will be cached on your DNS servers, unless you are in a small environment and have very few DNS servers (I am not sure how long Microsoft's DNS takes to replicate via AD integrated DNS but the default time for AD replication between DCs is 5 minutes).

Also these articles may be helpful to you:

MAC Address Changes for Virtual Server During a Failover with Clustering
http://support.microsoft.com/?kbid=244331

Behavior of Gratuitous ARP in Windows NT 4.0
http://support.microsoft.com/kb/199773/EN-US/

To be safe I would notify your IT customers of this change and plan on doing this during non-business hours. Let me know how everything works out, I am curious to see what issues you may find.

Sincerely,
Jose Medeiros
Storage Area Network Systems Engineer
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell

Anyone who has never made a mistake has never tried anything new. Albert Einstein

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Monday, June 05, 2006 7:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change private IP on a cluster

Thanks Jose,

This is just going to affect the private IPs in the cluster so no name resolution issues will come into play. This helped a lot. It led me to http://support.microsoft.com/kb/241828/ which is pretty clear. I'm looking at some downtime on the cluster and that's what I needed to know. I was *assuming* that when I changed the IP on both private interfaces the cluster would come back up and there would be no downtime but it looks like that's not going to be the case :(

Last quick question. The article states there may be a failover if I change the IP and subnet. Do you think the cluster will fail over if I just change the IP and don't change the subnet?

Thanks again, I appreciate the help.

From: Jose Medeiros [mailto:[EMAIL PROTECTED]
Sent: Sunday, June 04, 2006 9:53 PM
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Cc: Mike Newell
Subject: Re: [ActiveDir] Change private IP on a cluster

Hi Mike,

I've only had to change a SQL 2000 Active / Active Cluster IP and it involves some additional steps for SQL Virtual Names. It's been over 5 years since I built an Exchange 2000 cluster, but I do not recall if Exchange has any dependencies (I would probably post this to the Exchange list and I am cc'ing them as well).

Take a look at:

Exchange Server 2003 Cluster Configuration Checklist
http://www.microsoft.com/technet/itsolutions/msit/operations/exchclustercklist.mspx?pf=true

Changing the IP address of network adapters in cluster server
http://support.microsoft.com/kb/230356/EN-US/

Or in PDF format at:
http://www.maned.com/support/knowledge_base/Roundhouse/Recommended_Reading/Q230356.pdf

Also just in case you ever have to change it on a SQL:

How to change the network IP addresses of SQL Server virtual servers
http://support.microsoft.com/kb/244980/en-us

Hope this helps,

Sincerely,
Jose Medeiros
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell

- Original Message -
From: Mike Newell
[ActiveDir] DSID-020A06F3 error from French platform AD
I'm receiving this error on subtree searches of the Config NC, on a French version of Windows 2003 SP1. Anyone have any ideas?

(From LDP)

ldap_search_s(ld, "CN=Configuration,DC=francais,DC=local", 2, "(objectclass=*)", attrList, 0, msg)
Error: Search: Erreur d'opération. 1
Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Result 1: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Matched DNs:
Getting 0 entries:

I'm logged in as the domain Administrateur. One level searches seem to work ok.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sivarajan, Santhosh
Sent: Monday, June 05, 2006 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC and ADC replication prob.

What is your ADC configuration?

Santhosh Sivarajan | MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
Houston, TX

From: [EMAIL PROTECTED] on behalf of Ajay Kumar
Sent: Sun 6/4/2006 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC and ADC replication prob.

Hi all,

Pls help me out. Just recently I set up small domain of 50 Pc's with a DC and ADC. But the prob. is that the replication is not taking place between DC and ADC and there is no error in event log. What could be the problem.

Ajay.
[ActiveDir] User Logon Hour
Hi everybody.

How can I change user logon hours by binding directly to the user object? Is this possible? I know that it is possible using another user object as a template.

Thanks,
Atila Firmino

This message is intended exclusively for its addressee and may contain information that is confidential and protected by a professional privilege or whose disclosure is prohibited by law. Unauthorized use of such information is prohibited and subject to applicable penalties.
Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1
Answers in-line

On 6/5/06, Richard Kline [EMAIL PROTECTED] wrote:

I may be missing something basic during this discussion. Please help me with understanding.

Generally, it makes sense that an inability to access domain resources will cause a lengthy and error-filled login process.

Question 1: Why doesn't it happen all of the time to off-site laptops if the user logs in with a domain account?

[Al] Laptops have a nasty habit of giving users a pop-up that they subsequently ignore with alarming regularity. This occurs when the laptop alerts said user that no network DCs were found and that the user is using cached credentials to authenticate. If you further don't change passwords in the domain on a regular basis, then you may never notice this.

There must be a critical decision point during login where the OS decides whether or not to pursue full domain authentication.

Question 2: If VPN is needed, then does the Microsoft client have an Auto-Init function similar to chapter 3 of http://www.netometer.com/books/vpnclient.pdf ?

Yes, but possibly not like you are thinking. The problem with a layer-7 product is that layer-7 has to be initiated. This means that the client/server must be fully initialized before the application can take effect, thereby limiting some of what you can and can't do. For this functionality, check out what IPsec VPNs can do for you. You can set them up between the computer and the resources if you choose. Doing this across firewalls is a little more tricky, but can also be done such that when the client logs onto the workstation, the tunnel is already set up.

Does that help you understand the conversation a little better? Suffice it to say, the organization that he works in set up firewalls between the user workstations/laptops and the domain controllers. What the reason is or the effectiveness of the decision is not really important to the conversation. That's a red herring and purely a debatable portion of another conversation.

Thank you.

Richard
[ActiveDir] Change private IP on a cluster
I am reposting this reply. I do not recall receiving the email back from the list server the first time I posted it. My apologies if you are receiving this a second time.

Jose

From: Medeiros, Jose
Sent: Monday, June 05, 2006 7:58 AM
To: 'ActiveDir@mail.activedir.org'
Cc: Jose Medeiros; Medeiros, Jose; 'Douglas R. Spindler'; '[EMAIL PROTECTED]'
Subject: Change private IP on a cluster

Hi Mike,

I am not sure what your project involves and you fail to mention why you are doing this. Are you moving the cluster to a new switch? Replacing the Router? Why are you making this change?

It will take several minutes for your ARP table on the router or routers to be updated unless you enable Gratuitous ARP, and since your clients connect via name lookup to IP address mapping, you probably will have disconnects, and may want to manually tombstone the record on your WINS servers, not to mention your DNS record will be cached on your DNS servers, unless you are in a small environment and have very few DNS servers (I am not sure how long Microsoft's DNS takes to replicate via AD integrated DNS but the default time for AD replication between DCs is 5 minutes).

Also these articles may be helpful to you:

MAC Address Changes for Virtual Server During a Failover with Clustering
http://support.microsoft.com/?kbid=244331

Behavior of Gratuitous ARP in Windows NT 4.0
http://support.microsoft.com/kb/199773/EN-US/

To be safe I would notify your IT customers of this change and plan on doing this during non-business hours. Let me know how everything works out, I am curious to see what issues you may find.

Sincerely,
Jose Medeiros
Storage Area Network Systems Engineer
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell

Anyone who has never made a mistake has never tried anything new. Albert Einstein

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Monday, June 05, 2006 7:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change private IP on a cluster

Thanks Jose,

This is just going to affect the private IPs in the cluster so no name resolution issues will come into play. This helped a lot. It led me to http://support.microsoft.com/kb/241828/ which is pretty clear. I'm looking at some downtime on the cluster and that's what I needed to know. I was *assuming* that when I changed the IP on both private interfaces the cluster would come back up and there would be no downtime but it looks like that's not going to be the case :(

Last quick question. The article states there may be a failover if I change the IP and subnet. Do you think the cluster will fail over if I just change the IP and don't change the subnet?

Thanks again, I appreciate the help.

From: Jose Medeiros [mailto:[EMAIL PROTECTED]
Sent: Sunday, June 04, 2006 9:53 PM
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Cc: Mike Newell
Subject: Re: [ActiveDir] Change private IP on a cluster

Hi Mike,

I've only had to change a SQL 2000 Active / Active Cluster IP and it involves some additional steps for SQL Virtual Names. It's been over 5 years since I built an Exchange 2000 cluster, but I do not recall if Exchange has any dependencies (I would probably post this to the Exchange list and I am cc'ing them as well).

Take a look at:

Exchange Server 2003 Cluster Configuration Checklist
http://www.microsoft.com/technet/itsolutions/msit/operations/exchclustercklist.mspx?pf=true

Changing the IP address of network adapters in cluster server
http://support.microsoft.com/kb/230356/EN-US/

Or in PDF format at:
http://www.maned.com/support/knowledge_base/Roundhouse/Recommended_Reading/Q230356.pdf

Also just in case you ever have to change it on a SQL:

How to change the network IP addresses of SQL Server virtual servers
http://support.microsoft.com/kb/244980/en-us

Hope this helps,

Sincerely,
Jose Medeiros
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell

- Original Message -
From: Mike Newell [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sunday, June 04, 2006 12:53 PM
Subject: [ActiveDir] Change private IP on a cluster

Doh! Didn't mean to let this go without the OT:. Sorry.

From: [EMAIL PROTECTED] on behalf of Mike Newell
Sent: Sun 6/4/2006 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change private IP on a cluster

Hey,

I have an Exchange 2003 active/passive cluster on Windows 2003 and I need to change the private IP on both nodes. I realize that while I'm changing the IP the nodes will not talk to each other and likely kick the passive node off or stop the cluster service for a few minutes on the passive node. Is there
Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?
That's a good question. Ambiguity is what I'd be concerned about in this case so I think that most of the noticeable errors would occur in messaging (Exchange DGs) and administration efforts. Since everything relies on SIDs, it wouldn't be in the form of logging on, but rather when you search for or try to use a group by samaccountname. Interaction with legacy domains would be impacted (only due to replication I would think).

I don't imagine you'll get enough ammo from any testing to push somebody to convert those. As JoeK said, you can use that length and make it work (they do so programmatically). I'm just wondering out loud if there are errors that have yet to be attributed to that. Since it's expected to be 20 chars, even if the directory only enforces 64 chars I would expect some apps to have some issues with it. Only the GDO for building 7 or somebody on that team likely knows why it's not enforced at 20 like those used on user objects.

On 6/5/06, Freddy HARTONO [EMAIL PROTECTED] wrote:

How do I test that? I'd love to change all of these to match the samaccountname to the objectcn = as it's showing half complete on the samaccountname for those adc created objects and is not neat...

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Monday, June 05, 2006 10:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

I wonder if they do work? Or if some of them don't because only the first 20 chars are being looked at/returned by the APIs that consume them?

Interesting. That variable is a 20 char variable so I don't see why a loophole of 64 is allowed? Any thoughts?

On 6/4/06, Joe Kaplan [EMAIL PROTECTED] wrote:

My understanding is that the DS enforces a limit of 64 char for sAMAccountName for groups, but 20 for users. I know we have thousands of groups with sAMAccountName longer than 20. They still work and the DS doesn't balk. :)

These are all created programmatically through tools though and are not created or modified with ADUC. There might be some behavior difference there.

Joe K.

- Original Message -
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Sunday, June 04, 2006 11:58 AM
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

That's on the target? Or that's in the source?

On 6/4/06, Freddy HARTONO [EMAIL PROTECTED] wrote:

Hi Al

I have one of this group with way more than 20 char samaccountname

AKL.AST.Assistance Management.Assistant GM- Assistance Services

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
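The ambiguity concern raised in this thread (consumers that look only at the first 20 characters of a group's sAMAccountName) can be checked against a directory export. The following is an added example, not code from any poster: it reads LDIF text, including folded lines and base64 values, lists group sAMAccountName values longer than 20 characters, and reports groups that become indistinguishable once truncated to 20. The function names, DNs and every sample entry except the group name quoted by Freddy are constructed; the 20-character figure is the one discussed in the thread.

```python
import base64
from collections import defaultdict

LEGACY_LEN = 20  # the 20-character length discussed in the thread


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes 'attr:: base64'."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded and unfolded[-1]:
            unfolded[-1] += raw[1:]  # a leading space continues the previous line
        else:
            unfolded.append(raw)
    records, current = [], {}
    for line in unfolded + [""]:  # trailing blank flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return records


def audit_group_names(records, limit=LEGACY_LEN):
    """Return (too_long, collisions) for group objects only.

    too_long:   [(dn, sAMAccountName, length)] for names longer than limit
    collisions: {truncated prefix: [names]} where distinct names share a prefix
    """
    too_long, by_prefix = [], defaultdict(set)
    for rec in records:
        classes = {c.lower() for c in rec.get("objectclass", [])}
        if "group" not in classes:
            continue
        for sam in rec.get("samaccountname", []):
            if len(sam) > limit:
                too_long.append((rec.get("dn", ["?"])[0], sam, len(sam)))
            # the directory compares these names case-insensitively
            by_prefix[sam[:limit].casefold()].add(sam)
    collisions = {prefix: sorted(names) for prefix, names in by_prefix.items()
                  if len({n.casefold() for n in names}) > 1}
    return too_long, collisions


# Constructed export. Only the first group name comes from the thread.
_B64 = base64.b64encode(b"AKL.AST.Assistance Management.Coordinators").decode()
SAMPLE_LDIF = "\n".join([
    "dn: CN=Assistant GM,OU=Groups,DC=example,DC=com",
    "objectClass: top",
    "objectClass: group",
    "sAMAccountName: AKL.AST.Assistance Management.Assistant GM- Assistance Servi",
    " ces",
    "",
    "dn: CN=Coordinators,OU=Groups,DC=example,DC=com",
    "objectClass: group",
    "sAMAccountName:: " + _B64,
    "",
    "dn: CN=Finance,OU=Groups,DC=example,DC=com",
    "objectClass: group",
    "sAMAccountName: AKL.AST.Finance",
    "",
    "dn: CN=J Doe,OU=Users,DC=example,DC=com",
    "objectClass: user",
    "sAMAccountName: jdoe",
])

if __name__ == "__main__":
    long_names, clashes = audit_group_names(parse_ldif(SAMPLE_LDIF))
    for dn, sam, length in long_names:
        print(f"{length:3d} chars  {sam}  ({dn})")
    for prefix, names in clashes.items():
        print(f"ambiguous at {LEGACY_LEN} chars: {prefix!r} -> {names}")
```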
[ActiveDir] Change private IP on a cluster- reply
Hi Mike,

My apologies, I did not realize that you were only changing the heartbeat IP (I should have caught that when you stated private). Here at Intel, we run Microsoft Network Load Balancing, NLBS. The NLBS interface is called private (how the clients connect), and the internal interface is called public which confused me.

Sincerely,
Jose Medeiros
Storage Area Network Systems Engineer
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell

Anyone who has never made a mistake has never tried anything new. Albert Einstein

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Monday, June 05, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Cc: Jose Medeiros; Douglas R. Spindler; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Change private IP on a cluster

Hey Jose,

I need to change the IP on the two network cards that the servers use to monitor the heartbeat between them. Each server in the cluster has two NICs in them, one for monitoring the heartbeat between them (private), and one for the internal LAN. We have just added an office that shares the same subnet as the private side of the cluster so no one in that office can see the cluster. I don't need to change the IPs on the LAN side of the servers or change the VIP used for the cluster.

I was hoping that it would only affect the communications between the servers and not fail over or prevent anyone from accessing the cluster. My thought was that I could just change the IP on each server and after a few seconds the clustered servers would see each other again and continue to function normally.

Again, I really appreciate the help.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: 05 June 2006 07:58
To: ActiveDir@mail.activedir.org
Cc: Jose Medeiros; Medeiros, Jose; Douglas R. Spindler; [EMAIL PROTECTED]
Subject: [ActiveDir] Change private IP on a cluster

Hi Mike,

I am not sure what your project involves and you fail to mention why you are doing this. Are you moving the cluster to a new switch? Replacing the Router? Why are you making this change?

It will take several minutes for your ARP table on the router or routers to be updated unless you enable Gratuitous ARP, and since your clients connect via name lookup to IP address mapping, you probably will have disconnects, and may want to manually tombstone the record on your WINS servers, not to mention your DNS record will need to be updated on your DNS servers, unless you are in a small environment and have very few DNS servers (I am not sure how long Microsoft's DNS takes to replicate via AD integrated DNS but the default time for AD replication between DCs is 5 minutes).

Also these articles may be helpful to you:

MAC Address Changes for Virtual Server During a Failover with Clustering
http://support.microsoft.com/?kbid=244331

Behavior of Gratuitous ARP in Windows NT 4.0
http://support.microsoft.com/kb/199773/EN-US/

To be safe I would notify your IT customers of this change and plan on doing this during non-business hours. Let me know how everything works out, I am curious to see what issues you may find.

Sincerely,
Jose Medeiros
Storage Area Network Systems Engineer
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell

Anyone who has never made a mistake has never tried anything new. Albert Einstein

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Monday, June 05, 2006 7:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change private IP on a cluster

Thanks Jose,

This is just going to affect the private IPs in the cluster so no name resolution issues will come into play. This helped a lot. It led me to http://support.microsoft.com/kb/241828/ which is pretty clear. I'm looking at some downtime on the cluster and that's what I needed to know. I was *assuming* that when I changed the IP on both private interfaces the cluster would come back up and there would be no downtime but it looks like that's not going to be the case :(

Last quick question. The article states there may be a failover if I change the IP and subnet. Do you think the cluster will fail over if I just change the IP and don't change the subnet?

Thanks again, I appreciate the help.

From: Jose Medeiros [mailto:[EMAIL PROTECTED]
Sent: Sunday, June 04, 2006 9:53 PM
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Cc: Mike Newell
Subject: Re: [ActiveDir] Change private IP on a cluster

Hi Mike,

I've only had to change a SQL 2000 Active / Active Cluster IP and it involves some additional steps for SQL Virtual Names. It's been over 5 years since I built an Exchange 2000 cluster, but I do not recall if Exchange has any dependencies (I would probably post this to the Exchange list and I am cc'ing them as well).

Take a look at:

Exchange Server 2003
Re: [ActiveDir] DSID-020A06F3 error from French platform AD
This means there is a physical corruption in the AD database.

Does this domain have replicas? If yes, just repromote another replica and then demote this guy. If no, sometimes an offline defrag can save the database. Otherwise, what is the backup situation for this domain?

Don't be tempted to repair your database, that's unsupported. The hardware should be considered suspect at this point.

Cheers,
BrettSh [msft]

On Mon, 5 Jun 2006, Gil Kirkpatrick wrote:

I'm receiving this error on subtree searches of the Config NC, on a French version of Windows 2003 SP1. Anyone have any ideas?

(From LDP)

ldap_search_s(ld, CN=Configuration,DC=francais,DC=local, 2, (objectclass=*), attrList, 0, msg)
Error: Search: Erreur d'opération. 1
Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Result 1: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Matched DNs:
Getting 0 entries:

I'm logged in as the domain Administrateur. One level searches seem to work ok.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sivarajan, Santhosh
Sent: Monday, June 05, 2006 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC and ADC replication prob.

What is your ADC configuration?

Santhosh Sivarajan | MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
Houston, TX

From: [EMAIL PROTECTED] on behalf of Ajay Kumar
Sent: Sun 6/4/2006 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC and ADC replication prob.

Hi all, Pls help me out, Just recently I set up small domain of 50 Pc's with a DC and ADC. But the prob. is that the replication is not taking place between DC and ADC and there is no error in event log. What could be the problem.

Ajay.
[ActiveDir] OT: Exchange 2k3 info on IMF
http://www.microsoft.com/downloads/details.aspx?familyid=b1218d8c-e8b3-48fb-9208-6f75707870c2&displaylang=en

This guide explains how to deploy and configure Intelligent Message Filter in your Microsoft Exchange Server 2003 organization.

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
The SBS product team wants to hear from you: http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx
Re: [ActiveDir] DSID-020A06F3 error from French platform AD
What's the version of ldp? Are there any issues using ADAM sp1's ldp from the english version? I assume other ldap clients are fine? other than this ldp? Wire traces show anything weird?

Just my $0.02

M@

On 6/5/06, Gil Kirkpatrick [EMAIL PROTECTED] wrote:

I'm receiving this error on subtree searches of the Config NC, on a French version of Windows 2003 SP1. Anyone have any ideas?

(From LDP)

ldap_search_s(ld, CN=Configuration,DC=francais,DC=local, 2, (objectclass=*), attrList, 0, msg)
Error: Search: Erreur d'opération. 1
Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Result 1: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Matched DNs:
Getting 0 entries:

I'm logged in as the domain Administrateur. One level searches seem to work ok.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sivarajan, Santhosh
Sent: Monday, June 05, 2006 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC and ADC replication prob.

What is your ADC configuration?

Santhosh Sivarajan | MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
Houston, TX

From: [EMAIL PROTECTED] on behalf of Ajay Kumar
Sent: Sun 6/4/2006 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC and ADC replication prob.

Hi all, Pls help me out, Just recently I set up small domain of 50 Pc's with a DC and ADC. But the prob. is that the replication is not taking place between DC and ADC and there is no error in event log. What could be the problem.

Ajay.
Re: [ActiveDir] DSID-020A06F3 error from French platform AD
Who knew he spoke French... I'm impressed.

(feel free to throw something at me.. )

Susan

Brett Shirley wrote:

This means there is a physical corruption in the AD database.

Does this domain have replicas? If yes, just repromote another replica and then demote this guy. If no, sometimes an offline defrag can save the database. Otherwise, what is the backup situation for this domain?

Don't be tempted to repair your database, that's unsupported. The hardware should be considered suspect at this point.

Cheers,
BrettSh [msft]

On Mon, 5 Jun 2006, Gil Kirkpatrick wrote:

I'm receiving this error on subtree searches of the Config NC, on a French version of Windows 2003 SP1. Anyone have any ideas?

(From LDP)

ldap_search_s(ld, CN=Configuration,DC=francais,DC=local, 2, (objectclass=*), attrList, 0, msg)
Error: Search: Erreur d'opération. 1
Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Result 1: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Matched DNs:
Getting 0 entries:

I'm logged in as the domain Administrateur. One level searches seem to work ok.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sivarajan, Santhosh
Sent: Monday, June 05, 2006 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC and ADC replication prob.

What is your ADC configuration?

Santhosh Sivarajan | MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
Houston, TX

From: [EMAIL PROTECTED] on behalf of Ajay Kumar
Sent: Sun 6/4/2006 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC and ADC replication prob.

Hi all, Pls help me out, Just recently I set up small domain of 50 Pc's with a DC and ADC. But the prob. is that the replication is not taking place between DC and ADC and there is no error in event log. What could be the problem.

Ajay.

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
The SBS product team wants to hear from you: http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx
RE: [ActiveDir] DSID-020A06F3 error from French platform AD
Start your own thread :)

Joe blogged about this DSID thingy a while back, and it was a very informative piece. I suggest you start from there. This may require you peeking into the source code.

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Mon 6/5/2006 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSID-020A06F3 error from French platform AD

I'm receiving this error on subtree searches of the Config NC, on a French version of Windows 2003 SP1. Anyone have any ideas?

(From LDP)

ldap_search_s(ld, CN=Configuration,DC=francais,DC=local, 2, (objectclass=*), attrList, 0, msg)
Error: Search: Erreur d'opération. 1
Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Result 1: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Matched DNs:
Getting 0 entries:

I'm logged in as the domain Administrateur. One level searches seem to work ok.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sivarajan, Santhosh
Sent: Monday, June 05, 2006 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC and ADC replication prob.

What is your ADC configuration?

Santhosh Sivarajan | MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
Houston, TX

From: [EMAIL PROTECTED] on behalf of Ajay Kumar
Sent: Sun 6/4/2006 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC and ADC replication prob.

Hi all, Pls help me out, Just recently I set up small domain of 50 Pc's with a DC and ADC. But the prob. is that the replication is not taking place between DC and ADC and there is no error in event log. What could be the problem.

Ajay.
Re: [ActiveDir] DSID-020A06F3 error from French platform AD
Man I regret trying to even answer that. I didn't look at the name of the poster for crying out loud!

Note to self
a fool is not known until he opens his mouth
/Note to self

Sorry Gil. Won't happen again.

M@

On 6/5/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Start your own thread :)

Joe blogged about this DSID thingy a while back, and it was a very informative piece. I suggest you start from there. This may require you peeking into the source code.

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Mon 6/5/2006 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSID-020A06F3 error from French platform AD

I'm receiving this error on subtree searches of the Config NC, on a French version of Windows 2003 SP1. Anyone have any ideas?

(From LDP)

ldap_search_s(ld, CN=Configuration,DC=francais,DC=local, 2, (objectclass=*), attrList, 0, msg)
Error: Search: Erreur d'opération. 1
Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Result 1: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Matched DNs:
Getting 0 entries:

I'm logged in as the domain Administrateur. One level searches seem to work ok.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sivarajan, Santhosh
Sent: Monday, June 05, 2006 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC and ADC replication prob.

What is your ADC configuration?

Santhosh Sivarajan | MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
Houston, TX

From: [EMAIL PROTECTED] on behalf of Ajay Kumar
Sent: Sun 6/4/2006 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC and ADC replication prob.

Hi all, Pls help me out, Just recently I set up small domain of 50 Pc's with a DC and ADC. But the prob. is that the replication is not taking place between DC and ADC and there is no error in event log. What could be the problem.

Ajay.
Re: [ActiveDir] DSID-020A06F3 error from French platform AD
With 3 major exceptions. - every word that ends tion and sion in French is the same in English. So only Erreur to translate and that's not rocket science.

Not taking anything away from Brett though.

M.

-----Original Message-----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
Date: Mon, 05 Jun 2006 13:19:51
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DSID-020A06F3 error from French platform AD

Who knew he spoke French... I'm impressed.

(feel free to throw something at me.. )

Susan

Brett Shirley wrote:

This means there is a physical corruption in the AD database.

Does this domain have replicas? If yes, just repromote another replica and then demote this guy. If no, sometimes an offline defrag can save the database. Otherwise, what is the backup situation for this domain?

Don't be tempted to repair your database, that's unsupported. The hardware should be considered suspect at this point.

Cheers,
BrettSh [msft]

On Mon, 5 Jun 2006, Gil Kirkpatrick wrote:

I'm receiving this error on subtree searches of the Config NC, on a French version of Windows 2003 SP1. Anyone have any ideas?

(From LDP)

ldap_search_s(ld, CN=Configuration,DC=francais,DC=local, 2, (objectclass=*), attrList, 0, msg)
Error: Search: Erreur d'opération. 1
Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Result 1: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Matched DNs:
Getting 0 entries:

I'm logged in as the domain Administrateur. One level searches seem to work ok.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sivarajan, Santhosh
Sent: Monday, June 05, 2006 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC and ADC replication prob.

What is your ADC configuration?

Santhosh Sivarajan | MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
Houston, TX

From: [EMAIL PROTECTED] on behalf of Ajay Kumar
Sent: Sun 6/4/2006 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC and ADC replication prob.

Hi all, Pls help me out, Just recently I set up small domain of 50 Pc's with a DC and ADC. But the prob. is that the replication is not taking place between DC and ADC and there is no error in event log. What could be the problem.

Ajay.

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
The SBS product team wants to hear from you: http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx
RE: [ActiveDir] DSID-020A06F3 error from French platform AD
Single DC, single member, running under VS 2005 R2, 32-bit. DCPROMO and other activities all seemed to work normally, so the corruption thing is a surprise.

Hey Brett, if I consider the hardware suspect, does that mean I have to file a bug with the VS team?

I'll kill it and rebuild and see what happens.

You want to know what sucks? Trying to type French on a US-English keyboard. It's like those French, they have a different key for everything!

Thanks for your help.

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Shirley
Sent: Monday, June 05, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DSID-020A06F3 error from French platform AD

This means there is a physical corruption in the AD database.

Does this domain have replicas? If yes, just repromote another replica and then demote this guy. If no, sometimes an offline defrag can save the database. Otherwise, what is the backup situation for this domain?

Don't be tempted to repair your database, that's unsupported. The hardware should be considered suspect at this point.

Cheers,
BrettSh [msft]

On Mon, 5 Jun 2006, Gil Kirkpatrick wrote:

I'm receiving this error on subtree searches of the Config NC, on a French version of Windows 2003 SP1. Anyone have any ideas?

(From LDP)

ldap_search_s(ld, CN=Configuration,DC=francais,DC=local, 2, (objectclass=*), attrList, 0, msg)
Error: Search: Erreur d'opération. 1
Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Result 1: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Matched DNs:
Getting 0 entries:

I'm logged in as the domain Administrateur. One level searches seem to work ok.

-gil
RE: [ActiveDir] DSID-020A06F3 error from French platform AD
Just read and follow Brett's response...

That error is being thrown by a fairly low-level part of AD (from the DSID) and a low value negative number like that is almost always an ESE error. The combination of those pieces of info aligned with Brett responding saying it is physical corruption tells me... listen to Brett. :o)

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Monday, June 05, 2006 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSID-020A06F3 error from French platform AD

I'm receiving this error on subtree searches of the Config NC, on a French version of Windows 2003 SP1. Anyone have any ideas?

(From LDP)

ldap_search_s(ld, "CN=Configuration,DC=francais,DC=local", 2, "(objectclass=*)", attrList, 0, msg)
Error: Search: Erreur d'opération. 1
Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Result 1: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Matched DNs:
Getting 0 entries:

I'm logged in as the domain Administrateur. One level searches seem to work ok.

-gil
RE: [ActiveDir] DSID-020A06F3 error from French platform AD
Very interesting. Can we see the VHD before you blow it away?

I can set up a place for you to upload it to. Please let me know how large it is, just ping me offline and we can coordinate.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Monday, June 05, 2006 2:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSID-020A06F3 error from French platform AD

Single DC, single member, running under VS 2005 R2, 32-bit. DCPROMO and other activities all seemed to work normally, so the corruption thing is a surprise.

Hey Brett, if I consider the hardware suspect, does that mean I have to file a bug with the VS team?

I'll kill it and rebuild and see what happens.

You want to know what sucks? Trying to type French on a US-English keyboard. It's like those French, they have a different key for everything!

Thanks for your help.

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Shirley
Sent: Monday, June 05, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DSID-020A06F3 error from French platform AD

This means there is a physical corruption in the AD database.

Does this domain have replicas? If yes, just repromote another replica and then demote this guy. If no, sometimes an offline defrag can save the database. Otherwise, what is the backup situation for this domain?

Don't be tempted to repair your database, that's unsupported. The hardware should be considered suspect at this point.

Cheers,
BrettSh [msft]

On Mon, 5 Jun 2006, Gil Kirkpatrick wrote:

I'm receiving this error on subtree searches of the Config NC, on a French version of Windows 2003 SP1. Anyone have any ideas?

(From LDP)

ldap_search_s(ld, CN=Configuration,DC=francais,DC=local, 2, (objectclass=*), attrList, 0, msg)
Error: Search: Erreur d'opération. 1
Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Result 1: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Matched DNs:
Getting 0 entries:

I'm logged in as the domain Administrateur. One level searches seem to work ok.

-gil
RE: [ActiveDir] DSID-020A06F3 error from French platform AD
Note that in that DSID message, the ESE error is the one in DATA section. Here is the ESE error decode...

http://windowssdk.msdn.microsoft.com/library/default.asp?url=

JET_errReadVerifyFailure    -1018    There is a checksum error on a database page.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, June 05, 2006 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSID-020A06F3 error from French platform AD

Just read and follow Brett's response...

That error is being thrown by a fairly low-level part of AD (from the DSID) and a low value negative number like that is almost always an ESE error. The combination of those pieces of info aligned with Brett responding saying it is physical corruption tells me... listen to Brett. :o)

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Monday, June 05, 2006 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSID-020A06F3 error from French platform AD

I'm receiving this error on subtree searches of the Config NC, on a French version of Windows 2003 SP1. Anyone have any ideas?

(From LDP)

ldap_search_s(ld, "CN=Configuration,DC=francais,DC=local", 2, "(objectclass=*)", attrList, 0, msg)
Error: Search: Erreur d'opération. 1
Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Result 1: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Matched DNs:
Getting 0 entries:

I'm logged in as the domain Administrateur. One level searches seem to work ok.

-gil
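
Added example, not part of the thread: a small Python parser for the server error text LDP printed above, which pulls the ESE code out of the data field the way joe describes and flags it. The function and class names are hypothetical, the -1019 and -1022 table entries are an assumption taken from the public ESE error list, and the last two sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# ESE (JET) codes that can appear in the "data" field. -1018 and its text
# are quoted in the thread; -1019 and -1022 are from the public ESE error
# list and are added here as an assumption, to show a multi-entry lookup.
ESE_ERRORS = {
    -1018: ("JET_errReadVerifyFailure",
            "There is a checksum error on a database page."),
    -1019: ("JET_errPageNotInitialized", "Blank database page."),
    -1022: ("JET_errDiskIO", "Disk IO error."),
}

# <hex code>: <class>: DSID-<8 hex>, problem <n> (<NAME>), data <signed int>
_SERVER_ERROR = re.compile(
    r"\b(?P<code>[0-9A-Fa-f]{4,8}):\s*(?P<kind>\w+):\s*"
    r"DSID-(?P<dsid>[0-9A-Fa-f]{8}),\s*"
    r"problem\s+(?P<problem>\d+)\s*\((?P<name>\w+)\),\s*"
    r"data\s+(?P<data>-?\d+)"
)


@dataclass(frozen=True)
class DirError:
    code: int          # leading hex value, e.g. 0x20EF
    kind: str          # error class, e.g. SvcErr
    dsid: str          # internal location id, kept as its 8 hex digits
    problem: int       # e.g. 5012
    problem_name: str  # e.g. DIR_ERROR
    data: int          # signed; negative values are where ESE codes appear

    @property
    def ese(self) -> Optional[Tuple[str, str]]:
        """(name, description) when data is an ESE code in the table."""
        return ESE_ERRORS.get(self.data)


def parse_server_error(line: str) -> Optional[DirError]:
    """Return the parsed error, or None if the line carries no DSID error."""
    m = _SERVER_ERROR.search(line)
    if m is None:
        return None
    return DirError(int(m["code"], 16), m["kind"], m["dsid"].upper(),
                    int(m["problem"]), m["name"], int(m["data"]))


def triage(lines: Iterable[str]) -> List[str]:
    """One report row per distinct error; LDP repeats the same error on
    its 'Server error' and 'Result' lines, so duplicates are dropped."""
    seen = set()
    report = []
    for line in lines:
        err = parse_server_error(line)
        if err is None or err in seen:
            continue
        seen.add(err)
        head = (f"DSID-{err.dsid} {err.kind} "
                f"problem {err.problem} ({err.problem_name})")
        if err.ese:
            name, text = err.ese
            report.append(f"{head}: ESE {err.data} {name}: {text}")
        elif err.data < 0:
            report.append(f"{head}: data {err.data} is negative, "
                          "look it up as an ESE error")
        else:
            report.append(f"{head}: data {err.data}, no ESE code present")
    return report


SAMPLE = [
    # LDP output as posted in the thread
    "Error: Search: Erreur d'opération. 1",
    "Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018",
    "Result 1: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018",
    "Matched DNs:",
    # constructed lines (placeholder DSID and data values, not real captures)
    "20EF: SvcErr: DSID-00000000, problem 5012 (DIR_ERROR), data 0",
    "20EF: SvcErr: DSID-00000000, problem 5012 (DIR_ERROR), data -9999",
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```
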
Re: [ActiveDir] max password age where else to look?
Okay. I'll ask the question that everyone else is afraid to... why 91 and not 90?

Cheers

On 5/31/06, joe [EMAIL PROTECTED] wrote:

:o) I can imagine...

Something I like to recommend to folks is to monitor password changes. Depending on how big you are you may even want to do it daily. It is a great way to keep an eye open for various issues. For instance if passwords aren't being changed in the normal periods at the normal rates, your policy may not be working. If more than usual are being changed then possibly you have some DC issues. You will even be able to graph out the password changes and possibly find interesting trends.

Oh to go along with this, I recommend a password age of 91 days for the obvious reasons... Actually I always recommend that over 90 days.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Douglas W Stelley
Sent: Thursday, May 25, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age where else to look?

That was it, the policy needed to be re-applied. Boy did I cause hate and discontent when suddenly hundreds of users needed to change their password cause they had expired!

Thanks all

joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
05/24/2006 10:41 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] max password age where else to look?

Yeah doublecheck the value you are getting back from MaxPasswordAge, if zero, check out maxPwdAge attribute on the NC Head, possibly your policy isn't being applied properly.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, May 24, 2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] max password age where else to look?

What do you get if just before this:

    If intMaxPwdAge < 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
            "domain. Therefore, the password does not expire."

you echo the intMaxPwdAge value? I'm wondering if you're not pulling back the max password age value correctly either through a misspelling or some other error prevents you from getting the value.

Having used that method before, I can tell you it does work in a Windows 2000 environment and a Windows 2003 environment. Native, DFL, etc.

If that doesn't work, do you get the same results with this script? http://support.microsoft.com/default.aspx?scid=kb;en-us;323750

On 5/24/06, Douglas W Stelley [EMAIL PROTECTED] wrote:

In this domain, in the default domain policy the Max Password Age is set to 90, however when I look for when the password will change using the below sample script I always get the answer "The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire."

The rest of the possibilities below do work, just the password age doesn't. This is a Win2K Active Directory.

I need to expire all passwords on a specific date, but before I do that I need to ensure the system will continue expiring them by age.

What might I be doing wrong?

Thanks

    Const SEC_IN_DAY = 86400
    ' userAccountControl flag: password never expires (0x10000)
    Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

    Set objUserLDAP = GetObject _
        ("LDAP://CN=myerken,OU=management,DC=fabrikam,DC=com")
    intCurrentValue = objUserLDAP.Get("userAccountControl")

    If intCurrentValue and ADS_UF_DONT_EXPIRE_PASSWD Then
        Wscript.Echo "The password does not expire."
    Else
        dtmValue = objUserLDAP.PasswordLastChanged
        Wscript.Echo "The password was last changed on " & _
            DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
            "The difference between when the password was last set " & _
            "and today is " & int(now - dtmValue) & " days"
        intTimeInterval = int(now - dtmValue)

        ' Domain-wide maximum password age, in seconds, via the WinNT provider
        Set objDomainNT = GetObject("WinNT://fabrikam")
        intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
        If intMaxPwdAge < 0 Then
            WScript.Echo "The Maximum Password Age is set to 0 in the " & _
                "domain. Therefore, the password does not expire."
        Else
            intMaxPwdAge = (intMaxPwdAge/SEC_IN_DAY)
            Wscript.Echo "The maximum password age is " & intMaxPwdAge & " days"
            If intTimeInterval >= intMaxPwdAge Then
                Wscript.Echo "The password has expired."
            Else
                Wscript.Echo "The password will expire on " & _
                    DateValue(dtmValue + intMaxPwdAge) & " (" & _
                    int((dtmValue + intMaxPwdAge) - now) & " days from today" & _
                    ")."
            End If
        End If
    End If
RE: [ActiveDir] DSID-020A06F3 error from French platform AD
I've blown the image away already, but I have a backup. I'll check to see if the backup exhibits the same behavior.

Send me an email with the upload particulars. It's a differencing disk, and the total will be in the 3-4GB range, uncompressed. It may be that throughput over the FedEx network will be better in this case...

-g

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Fleischman
Sent: Monday, June 05, 2006 2:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSID-020A06F3 error from French platform AD

Very interesting. Can we see the VHD before you blow it away?

I can set up a place for you to upload it to. Please let me know how large it is, just ping me offline and we can coordinate.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Monday, June 05, 2006 2:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSID-020A06F3 error from French platform AD

Single DC, single member, running under VS 2005 R2, 32-bit. DCPROMO and other activities all seemed to work normally, so the corruption thing is a surprise.

Hey Brett, if I consider the hardware suspect, does that mean I have to file a bug with the VS team?

I'll kill it and rebuild and see what happens.

You want to know what sucks? Trying to type French on a US-English keyboard. It's like those French, they have a different key for everything!

Thanks for your help.

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Shirley
Sent: Monday, June 05, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DSID-020A06F3 error from French platform AD

This means there is a physical corruption in the AD database.

Does this domain have replicas? If yes, just repromote another replica and then demote this guy. If no, sometimes an offline defrag can save the database. Otherwise, what is the backup situation for this domain?

Don't be tempted to repair your database, that's unsupported. The hardware should be considered suspect at this point.

Cheers,
BrettSh [msft]

On Mon, 5 Jun 2006, Gil Kirkpatrick wrote:

I'm receiving this error on subtree searches of the Config NC, on a French version of Windows 2003 SP1. Anyone have any ideas?

(From LDP)

ldap_search_s(ld, CN=Configuration,DC=francais,DC=local, 2, (objectclass=*), attrList, 0, msg)
Error: Search: Erreur d'opération. 1
Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Result 1: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Matched DNs:
Getting 0 entries:

I'm logged in as the domain Administrateur. One level searches seem to work ok.

-gil
Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?
The schema defines rangeUpper for sAMAccountName at 64. Where are you getting a field size of 20?

All I can say is that they do seem to work fine in our environment and the DS does not reject them, although I am pretty sure the DS rejects requests to create users with sAMAccountName > 20 char. I am unaware of any APIs that aren't working as a result of what we are doing, but it is certainly possible that there are some. What should I check?

I'm almost curious enough to go back and dig into this a bit more, as I remember testing this years ago and coming to the conclusion that we could do this safely, but I don't remember everything I did. :)

Joe K.

----- Original Message -----
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Monday, June 05, 2006 9:55 AM
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?

I wonder if they do work? or if some of them don't because only the first 20 chars are being looked at/returned by the api's that consume them?

Interesting. That variable is a 20 char variable so I don't see why a loophole of 64 is allowed? Any thoughts?
Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?
Interesting. The online version I see says rangeupper is 256. Not sure how important that is, but...

http://msdn.microsoft.com/library/default.asp?url=

Given the purpose of samaccountname I have a hard time believing something doesn't rely on that being 20 chars. Not to say that they haven't been since fixed, but that's too tempting for most folks not to just say, well, to be usable it's limited to 20 chars and since Microsoft has that number published everywhere, we'll just assume it's 20 chars all the time... or something like that.

Al

On 6/5/06, Joe Kaplan [EMAIL PROTECTED] wrote:

The schema defines rangeUpper for sAMAccountName at 64. Where are you getting a field size of 20?

All I can say is that they do seem to work fine in our environment and the DS does not reject them, although I am pretty sure the DS rejects requests to create users with sAMAccountName > 20 char. I am unaware of any APIs that aren't working as a result of what we are doing, but it is certainly possible that there are some. What should I check?

I'm almost curious enough to go back and dig into this a bit more, as I remember testing this years ago and coming to the conclusion that we could do this safely, but I don't remember everything I did. :)

Joe K.

----- Original Message -----
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Monday, June 05, 2006 9:55 AM
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?

I wonder if they do work? or if some of them don't because only the first 20 chars are being looked at/returned by the api's that consume them?

Interesting. That variable is a 20 char variable so I don't see why a loophole of 64 is allowed? Any thoughts?
Re: [ActiveDir] max password age where else to look?
Nah, I think joe's just lazy and doesn't want to type it again. And again. And again. And ag.
http://groups.google.com/group/microsoft.public.win2000.active_directory/browse_thread/thread/639b5262e419fac8/0bbc9401b9d8a473?lnk=stq=joe+91+days+policyrnum=1hl=en#0bbc9401b9d8a473

On 6/5/06, Steve [EMAIL PROTECTED] wrote:

Okay. I'll ask the question that everyone else is afraid to why 91 and not 90?

Cheers

On 5/31/06, joe [EMAIL PROTECTED] wrote:

:o) I can imagine

Something I like to recommend to folks is to monitor password changes. Depending on how big you are you may even want to do it daily. It is a great way to keep an eye open for various issues. For instance if passwords aren't being changed in the normal periods at the normal rates, your policy may not be working. If more than usual are being changed then possibly you have some DC issues. You will even be able to graph out the password changes and possibly find interesting trends.

Oh to go along with this, I recommend a password age of 91 days for the obvious reasons... Actually I always recommend that over 90 days.

joe

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Douglas W Stelley
Sent: Thursday, May 25, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age where else to look?

That was it, the policy needed to be re-applied. Boy did I cause hate and discontent when suddenly hundreds of users needed to change their password cause they had expired!

Thanks all

joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
05/24/2006 10:41 PM
Please respond to ActiveDir@mail.activedir.org
To ActiveDir@mail.activedir.org
cc
Subject RE: [ActiveDir] max password age where else to look?

Yeah doublecheck the value you are getting back from MaxPasswordAge, if zero, check out maxPwdAge attribute on the NC Head, possibly your policy isn't being applied properly.
joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, May 24, 2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] max password age where else to look?

What do you get if just before this:

If intMaxPwdAge < 0 Then
    WScript.Echo "The Maximum Password Age is set to 0 in the " & _
        "domain. Therefore, the password does not expire."

you echo the intMaxPwdAge value? I'm wondering if you're not pulling back the max password age value correctly either through a misspelling or some other error prevents you from getting the value.

Having used that method before, I can tell you it does work in a Windows 2000 environment and a Windows 2003 environment. Native, DFL, etc.

If that doesn't work, do you get the same results with this script?
http://support.microsoft.com/default.aspx?scid=kb;en-us;323750

On 5/24/06, Douglas W Stelley [EMAIL PROTECTED] wrote:

In this domain, in the default domain policy the Max Password Age is set to 90, however when I look for when the password will change using the below sample script I always get the answer "The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire." The rest of the possibilities below do work, just the password age doesn't.

This is a Win2K Active Directory

I need to expire all passwords on a specific date, but before I do that I need to ensure the system will continue expiring them by age. What might I be doing wrong?
Thanks

Const SEC_IN_DAY = 86400
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

Set objUserLDAP = GetObject _
    ("LDAP://CN=myerken,OU=management,DC=fabrikam,DC=com")
intCurrentValue = objUserLDAP.Get("userAccountControl")

' Per-account flag: the password never expires, whatever the domain policy says
If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
    Wscript.Echo "The password does not expire."
Else
    dtmValue = objUserLDAP.PasswordLastChanged
    Wscript.Echo "The password was last changed on " & _
        DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
        "The difference between when the password was last set " & _
        "and today is " & Int(Now - dtmValue) & " days"
    intTimeInterval = Int(Now - dtmValue)

    ' The WinNT provider reports MaxPasswordAge in seconds
    Set objDomainNT = GetObject("WinNT://fabrikam")
    intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
    If intMaxPwdAge < 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
            "domain. Therefore, the password does not expire."
    Else
        intMaxPwdAge = (intMaxPwdAge / SEC_IN_DAY)
        Wscript.Echo "The maximum password age is " & intMaxPwdAge & " days"
        If intTimeInterval >= intMaxPwdAge Then
            Wscript.Echo "The password has expired."
        Else
            Wscript.Echo "The password will expire on " & _
                DateValue(dtmValue + intMaxPwdAge) & " (" & _
                Int((dtmValue + intMaxPwdAge) - Now) & " days from today" & _
                ")."
        End If
    End If
End If
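The two checks joe recommends in this thread (read maxPwdAge from the domain NC head, and watch password ages over time), as an added example that is not part of the original messages. It works on raw LDAP attribute values; the account names, dates and the 90-day policy value below are constructed sample data, and the function names are hypothetical.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
INT64_MIN = -(2 ** 63)  # 0x8000000000000000, also means "never expires"
TICK = timedelta(microseconds=1)

def to_filetime(dt):
    """datetime -> 100 ns ticks since 1601 (only used to build sample data)."""
    return ((dt - EPOCH_1601) // TICK) * 10

def from_filetime(ft):
    """pwdLastSet-style value (100 ns ticks since 1601) -> UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=int(ft) // 10)

def max_pwd_age(raw):
    """Decode maxPwdAge (negative 100 ns interval); None means no expiry."""
    raw = int(raw)
    if raw in (0, INT64_MIN):
        return None
    return timedelta(microseconds=abs(raw) // 10)

def password_status(pwd_last_set, uac, max_age, now):
    """Return (state, expiry datetime or None) for one account."""
    if int(uac) & ADS_UF_DONT_EXPIRE_PASSWD:
        return "never-expires", None
    if max_age is None:
        return "no-domain-expiry", None  # policy value missing or not applied
    if int(pwd_last_set) == 0:
        return "must-change-at-logon", None
    expires = from_filetime(pwd_last_set) + max_age
    return ("expired" if expires <= now else "ok"), expires

def age_histogram(accounts, now, bucket_days=30):
    """Count accounts per password-age bucket (key = bucket start in days)."""
    hist = Counter()
    for _name, pwd_last_set, _uac in accounts:
        if int(pwd_last_set):
            age = (now - from_filetime(pwd_last_set)).days
            hist[age // bucket_days * bucket_days] += 1
    return dict(hist)

def _d(y, m, d):
    return str(to_filetime(datetime(y, m, d, tzinfo=timezone.utc)))

# Constructed sample data: (sAMAccountName, pwdLastSet, userAccountControl)
NOW = datetime(2006, 6, 5, 12, 0, tzinfo=timezone.utc)
ACCOUNTS = [
    ("alice", _d(2006, 5, 1), "512"),
    ("bob", _d(2006, 1, 1), "512"),
    ("svc-backup", _d(2005, 1, 1), "66048"),  # 0x10200: never expires
    ("newhire", "0", "512"),
]

if __name__ == "__main__":
    policy = max_pwd_age("-77760000000000")  # constructed value: 90 days
    for name, pls, uac in ACCOUNTS:
        print(name, *password_status(pls, uac, policy, NOW))
    print(age_histogram(ACCOUNTS, NOW))
```

A histogram that piles up in buckets beyond the policy age is the signal that the domain policy is not being applied, which is the situation reported in this thread.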
Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?
Sure enough, rangeUpper is 256. I'm not sure where I got that 64 thing, but I'm guessing it was from memory and that was not up to the task again.

Anyone else? Is it safe or not for groups to have a sAMAccountName > 20 characters but <= 64? I'm going to assume that users definitely need to be <= 20.

Joe K.

- Original Message -
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Monday, June 05, 2006 5:46 PM
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Interesting. The online version I see says rangeupper is 256. Not sure how important that is, but...
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_samaccountname.asp

Given the purpose of samaccountname I have a hard time believing something doesn't rely on that being 20 chars. Not to say that they haven't been since fixed, but that's too tempting for most folks not to just say, well, to be usable it's limited to 20 chars and since Microsoft has that number published everywhere, we'll just assume it's 20 chars all the time... or something like that.

Al
[ActiveDir] OT: Move Enterprise CA
Hi all

I have to move an Enterprise CA from one DC to another. The following article appears to show the required steps.

How to move a certification authority to another server
http://support.microsoft.com/?kbid=298138

For those of you that have done this, is the process as straightforward as it appears? Anything to look for that isn't mentioned in the article?

Tony
[ActiveDir] PSS Active Directory Security Blog (uh no NOT OT)
Guard Dog: http://blogs.technet.com/guarddog/default.aspx

Test 1… 2… 3 … Hello Cleveland!

Welcome to Guard Dog! GD is a blog run by Microsoft Support Engineers. It covers authentication, authorization, account lockouts, auditing, interactive logon, Kerberos, NTLM, and just about anything else related to controlling your network security in an enterprise environment. GD has news for ongoing issues, hands out best practice info, covers frequent questions, and most importantly, listens and responds!

This first post was made with Word 2007’s nifty new blog component.

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
The SBS product team wants to hear from you: http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx
[ActiveDir] Change private IP on a cluster- Reply
Hi Jim,

Looks like your post never made it to the Active Dir list. If I recall Exchange 2000 clustered still had dependencies on Wins, and I was told at a Microsoft Technet event that Exchange 2003 clustered no longer had this requirement, until I saw the Microsoft article that I pointed out http://support.microsoft.com/default.aspx?scid=kb;en-us;837391 .

Jose

- Original Message -
From: Jim Harrison [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Sent: Monday, June 05, 2006 6:17 AM
Subject: [ExchangeList] Re: Change private IP on a cluster

http://www.msexchange.org
---
837391 is getting changed. I'm putting in the technical update today. It's wrong Wrong, wrong, wrong. Wrgonggitty-wrong-wrong Wrong!

WINS is *NOT* required for Exch functionality, but proper name resolution support in the network *IS* required. If you've built your network, name services clients properly, using a simple name gets you the same response as using FQDN in a ping command.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Sunday, June 04, 2006 10:29 PM
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [ExchangeList] Change private IP on a cluster

http://www.msexchange.org
---
Hi Mike,

Looks like you are going to also have dependencies on Wins and with the MSDTC:

Exchange Server 2003 and Exchange 2000 Server require NetBIOS name resolution for full functionality
http://support.microsoft.com/default.aspx?scid=kb;en-us;837391

How to configure Microsoft Distributed Transaction Coordinator on a Windows Server 2003 cluster
http://support.microsoft.com/default.aspx?scid=kb;en-us;301600

Regards,
Jose :-)

- Original Message -
From: Jose Medeiros
To: ActiveDir@mail.activedir.org ; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Sunday, June 04, 2006 9:53 PM
Subject: Re: [ActiveDir] Change private IP on a cluster

Hi Mike,

I've only had to change a SQL 2000 Active / Active Cluster IP and it involves some additional steps for SQL Virtual Names.
It's been over 5 years since I built an Exchange 2000 cluster, but I do not recall if Exchange has any dependencies (I would probably post this to the Exchange list and I am cc'ing them as well)

Take a look at:

Exchange Server 2003 Cluster Configuration Checklist
http://www.microsoft.com/technet/itsolutions/msit/operations/exchclustercklist.mspx?pf=true

Changing the IP address of network adapters in cluster server
http://support.microsoft.com/kb/230356/EN-US/
Or in PDF format at:
http://www.maned.com/support/knowledge_base/Roundhouse/Recommended_Reading/Q230356.pdf

Also just in case you ever have to change it on a SQL:

How to change the network IP addresses of SQL Server virtual servers
http://support.microsoft.com/kb/244980/en-us

Hope this helps,

Sincerely,
Jose Medeiros
MCP+I, MCSE, NT4 MCT
408-765-0437 Direct
408-449-6621 Cell

- Original Message -
From: Mike Newell [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sunday, June 04, 2006 12:53 PM
Subject: [ActiveDir] Change private IP on a cluster

Doh! Didn't mean to let this go without the OT:. Sorry.

From: [EMAIL PROTECTED] on behalf of Mike Newell
Sent: Sun 6/4/2006 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change private IP on a cluster

Hey,

I have an Exchange 2003 active/passive cluster on Windows 2003 and I need to change the private ip on both nodes. I realize that while I'm changing the IP the nodes will not talk to each other and likely kick the passive node off or stop the cluster service for a few minutes on the passive node. Is there anything else I will need to do or look out for? I don't *think* this is a big deal but since it's a production cluster, and I've never had to do this, I thought I would check before I tried it.

Thanks again.

Mike.
[ActiveDir] Speaking of SamAccountName...
Guys, I have a dumb question..

A 3rd party app that uses LDAP for authentication... What attribute should be utilized for username? SamAccountName is the pre-Windows 2000 name. DistinguishedName is the long form OU/CN gobbledygook. So what is the name of the attribute for the actual user logon name?

Thx,
RM
[ActiveDir] Change private IP on a cluster- Reply-Reply
Hi Jim,

Are you sure that holds true on a clustered Exchange 2000 server? I recall from my Microsoft 2000 server clustering class at Quickstart Intelligence back in 2001, http://www.quickstart.com/courses/course.asp?cat=Windowstype=88course=2087 that the instructor stated that both Exchange 2000 and SQL 2000 clustered were dependent on NETBIOS. Was this changed in a later service pack?

Why would Microsoft create this article dated:
Article ID : 837391
Last Review : March 30, 2006
Revision : 4.0

Jose :-)

- Original Message -
From: Jim Harrison [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Sent: Monday, June 05, 2006 10:01 PM
Subject: [ExchangeList] Re: Change private IP on a cluster- Reply

http://www.msexchange.org
---
Neither one had this dependency. Exch 2000 runs only on Win2K and Win2K3. Both of these OS prefer DNS to WINS for name resolution and if your network structure provides good DNS services, WINS is a non-issue for Exchange 2K+.