Re: [ActiveDir] OT: Security Policy Thoughts
Nominations for sucky apps are always welcome at www.threatcode.com

Noah Eiger wrote:

Thanks all for the thoughts. I think that the thing I will need to communicate to these folks is simply the tradeoffs and the risks. They run many apps that force full admin rights on the workstations and have concluded that this is an acceptable risk. We'll see what they say. In the end, I feel okay about it if they are fully cognizant of the risks and then accept them. Maybe I'll put something in about double the hourly rate for cleanup ;-)

-- nme

P.S. Brian, could you elaborate on the inexpensive NAC products? I see that IAS will be a RADIUS provider to 802.1x switches. Is there a feature set within the IOS that can handle this (Catalyst 29xx and 35xx) or is it a separate device?

From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 08, 2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Security Policy Thoughts

They're keeping me a little busy down at the fun factory, so I'm up pretty late. Actually I just flew back in yesterday from a client so I was handling backlog.

How is .1x cost prohibitive? Have you looked at the NAC products most major VPN providers have to handle your fears about viruses and such? Also realize you don't need to open a lot of the ports representative of that sort of stuff. Lock it down by job role.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, June 08, 2006 12:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Security Policy Thoughts

Thanks, Brian. Don't you sleep? It's late in Chicago ;-)

802.1x is the direction they are heading. Right now, it is cost-prohibitive. So the question is less "can I control this access" but "should I"? Is that over-reacting?

Again with the VPN. My thoughts were to push it with an MSI, so I see /how/ to control its distribution. The question is /should/ I limit it to just the domain computers? How big is the risk? If the risk from home computers is virus and malware, how do I justify preventing folks from running it on their home Macs?

Thanks.

-- nme

From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 07, 2006 10:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Security Policy Thoughts

My suggestion is that you implement 802.1x port auth to implement port based authentication. You can use this to implement guest vlans with the policy routing you describe.

Isn't the Cisco VPN an MSI? Use Group Policy or SMS if you have it. You can do some NAC stuff with Cisco VPN as well as the personal firewall built into it.

I don't see how you plan to prohibit OS X at least. Put it on the guest vlan if you must, but realize that the marketing, PR, etc. people may live in a Mac world.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, June 08, 2006 12:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Security Policy Thoughts

Hi:

I am facing some IT policy questions and wanted to get some perspectives. In each of these areas, I am trying to determine how restrictive I need to be. The client has four sites connected over high-speed links. I have good backing from management but will undoubtedly get resistance on some of these. The client is small, under 200 employees with most in one office. Some small field offices are not managed (i.e., have workgroup networks, often with a small server, but no AD). There are no SOX requirements and the data are not sensitive (e.g., no credit cards). Almost entirely Windows XP; all DCs run W2k3. Any thoughts on these topics welcome.

_Connecting to the wired network_. They do not run any IDS or machine-based authentication. Given that, written policy carries some weight. I want to require all non-domain machines to connect only to a "public" VLAN that goes only to the Internet. I would apply this even to staff "personal" computers, those of contractors (including me), and machines from those field offices that are not on the domain.

_VPN_. They run a Cisco VPN. I want to distribute the client only to domain-based machines. Others want the client for their home computers, etc.

_Other Operating Systems_. I don't want to allow other OS's on the network, unless we manage them. But what is the threat posed by a Linux or OS X box on the network?

As always, many thanks.

-- nme
RE: [ActiveDir] OT: Security Policy Thoughts
NAC != .1x. The 3560 will certainly do the port based auth, and I believe the 2950 will as well. I have the configs around. It's pretty well explained in the config guide, though.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, June 09, 2006 12:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Security Policy Thoughts
Re : [ActiveDir] AD LDAP Logging.
Hello Tony,

Very useful information! Thanks.

I enabled this config:

15 Field Engineering to 5
Expensive Search Results Threshold to 1

Here are the LDAP operations:

1644 INFORMATIONAL NTDS General Fri Jun 09 09:55:16 2006 childdomain\user1
Internal event: A client issued a search operation with the following options.
 Client: 11.22.33.44
 Starting node: OU=MyOU,OU=myou1,DC=childdomain,DC=parentDomain,DC=root,DC=fr
 Filter: (objectClass=user)
 Search scope: subtree
 Attribute selection: givenName,sAMAccountName,sn
 Server controls:
 Visited entries: 63
 Returned entries: 58

Followed by this:

1139 INFORMATIONAL NTDS LDAP Fri Jun 09 09:55:16 2006 childdomain\user1
Internal event: Function ldap_search completed with an elapsed time of 16 ms.

= for 63 visited entries, only 58 are returned and the ldap search lasted 16 ms (sometimes the ldap search took 140 ms...).

Questions: Would the IDs 1644 + 1139 tell me that the web app. is performing an Inefficient and Expensive LDAP Query to my DC?

Thanks for advice,
Yann

Original message
From: Tony Murray [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, 7 June 2006, 11:16:33
Subject: RE: [ActiveDir] AD LDAP Logging.

Hi Yann

One option would be to enable logging of all LDAP searches against the DC.

http://www.activedir.org/article.aspx?aid=97

Tony

PS. We're just loading a new version of the site, so it might take a few minutes before you can load the page.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Thursday, 8 June 2006 6:39 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD LDAP Logging.

Hello,

I need advice about troubleshooting LDAP connections to one of my DCs in my AD2k3. An application named ZOPE running on a linux box accesses my DC. Users use a web page, via the ZOPE application, that connects to my DC to list user information. Sometimes, users are disconnected from my DC and the admin that is responsible for the ZOPE app. called me to resolve this issue.

What are the different steps to troubleshoot possible problems with LDAP connections to my DC?

Thanks in advance for help,
Yann
[ActiveDir] FW: OT: Exchange OMA
Hi,

This is a bit off topic but one of my colleagues is trying to establish if anyone has any experience of the following issue when using OMA. This is his posting from other newsgroups. As yet he has had no response. I know this list is quite good even off topic so I offered to post here too. Cheers in advance.

I have a single Exchange 2003 SP2 Server that is also a GC running Windows Server 2003 SP1. The Server is set up for forms based authentication and requires SSL for OWA. Access to OMA is not working, with the following event being logged on the exchange server every time the OMA app fails.

Event Type: Error
Event Source: MSExchangeOMA
Event Category: (1000)
Event ID: 1503
Date: 02/06/2006
Time: 14:24:51
User: N/A
Computer: FLINTJACK
Description:
An unknown error occurred while processing the current request:
Message: Input string was not in a correct format.
Source: mscorlib
Stack trace:
at System.Number.ParseInt32(String s, NumberStyles style, NumberFormatInfo info)
at System.Web.Mobile.MobileCapabilities.get_ScreenCharactersWidth()
at Microsoft.Exchange.OMA.UserInterface.MainMenu.OnInit(EventArgs e)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Control.AddedControl(Control control, Int32 index)
at System.Web.UI.MobileControls.MobilePage.AddedControl(Control control, Int32 index)
at System.Web.UI.ControlCollection.Add(Control child)
at Microsoft.Exchange.OMA.UserInterface.Page.Page_Load(Object sender, EventArgs e)
at System.Web.UI.Control.OnLoad(EventArgs e)
at System.Web.UI.MobileControls.MobilePage.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain()

Message: Exception of type System.Web.HttpUnhandledException was thrown.
Source: System.Web
Stack trace:
at System.Web.UI.Page.HandleError(Exception e)
at System.Web.UI.Page.ProcessRequestMain()
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean completedSynchronously)

Also get the following in IE 6.0 SP2:

A System error has occurred while processing your request. Please try again. If the problem persists, contact your administrator. Home

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I have been through KBs 817379, 842119, 898131 all with no resolution. The server is patched up with no critical downloads available from Microsoft and has the following hotfixes: 907747, 911829, 916640, 916803

The server is also running Trend Micro ScanMail version 7.0 with the latest pattern files and updates applied. I cannot find anything in Trend Micro KBs on this issue and there are no warnings of any virus detections in either this or the file virus scanner, which is Symantec AntiVirus version 10.1.0.394, and it is excluding the exchange directories.

Interestingly, if I test this locally using localhost/oma it works perfectly well until I try this remotely from another server; then after the failure from the other server I get the issue locally as well and OMA stops working. So it appears that something remote is causing the OMA application in the ExchangeMobileBrowseApplicationPool to die. Recycling the app pool allows me to restart the application and this works again locally. The identity for this application pool is correctly set to Network Service. I have no host headers and although ASP 2.0 is installed the Web Sites are all set to use ASP 1.1. OWA works perfectly. I cannot test ActiveSync as I have no device and I have not set up an emulator.

It seems to me OMA is not as robust as hoped as there are still lots of issues around event ID 1503. Any help appreciated.
RE: [ActiveDir] AD LDAP Logging.
When you change that threshold you are specifying how expensive you want the query to be before AD reports it. Changing "Expensive" to 1, according to the docs, means that as soon as a query has to look at one or more entries it will be logged. So when you turn down that value, you are telling it to log pretty much everything.

That being said, unless you have changed your schema, objectClass isn't indexed, and a filter with no indexed attributes is generally considered inefficient unless it is properly scoped. The fact that you are returning 58 of 63 entries means that that isn't too bad, but just the same, I would work on getting the query changed to use an indexed attribute or, more likely, because so many apps/scripts screw up around objectClass, indexing objectClass AND getting the query changed.

When you see big noticeable deltas in how long the same query takes to run, it is usually a couple of things that could be at fault; possibly Eric will pipe in with more. The first is that the DC is tied up with something else and just can't give you the proc time; the other is that it has to go to disk instead of pulling from cache. Either way you should be looking at your perf counters to see how the DC is performing. I tend to really look at disk counters because that is where it often falls down. Things like disk queue and number of read ops for the DIT drive (write ops are usually a rounding error except during heavy population periods) are the things I immediately focus on. Just seeing the number of read ops doesn't help; you have to understand your disk architecture, because on some systems 500 read ops may be just fine, but on others it could be over what the disk system is capable of sustaining, so you start backing up. As a quick rule of thumb I start with the assumption that each spindle that is part of the volume gives you 100 IOPS capability. That can be generous, so if you are on the edge keep that in mind, but if you are at 20 OPS and you have 8 spindles in a RAID 0+1 it is unlikely disk is your bottleneck[1] and the disk queues should bear that out.

Of course I tend to focus on disk because memory is almost always boosted up there, because most people realize how important RAM is, but only folks who think about Exchange tend to think about disk, and the only guideline I have seen from MSFT recommends 3 RAID-1 sets for anything above several thousand users, which I don't feel is very good. Again, as a general rule I would rather see a single RAID 0+1 (or even better, if you don't care about fault tolerance, a RAID 0) or RAID-5 than 3 RAID-1's. But this is all just recanting a zillion conversations we have had here on the list about disk layouts.

joe

[1] Virtualization really screws with this from the disk standpoint because you need to look at counters for the physical machine, and while your DC may not be generating many read ops, if other virtual machines are, you could be slowed down considerably by those without the Read Ops reflecting much on the individual DC.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 5:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] AD LDAP Logging.
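The threshold rules joe describes are mechanical enough to check in code. What follows is an added example, not code from this thread, from joe, or from Microsoft: it parses the text of NTDS event 1644 (search parameters) and 1139 (elapsed time) in the layout Yann pasted, applies the stock "Expensive Search Results Threshold" (more than 10000 visited entries) and "Inefficient Search Results Threshold" (more than 1000 visited with under 10% returned) rules, and reports whether a filter can use an index at all given a default Windows Server 2003 schema, where objectClass is not indexed. The sample events, the client address, the DN and the entry counts are constructed; the set of indexed attributes and the 120-second MaxQueryDuration default are assumptions to check against your own schema and LDAP policy.

```python
"""Classify AD LDAP searches by the NTDS diagnostics thresholds and flag filters
that cannot use an index.  Added example for this thread, not code from the
list, from joe or from Microsoft; the event text is constructed to mirror the
1644 / 1139 messages Yann posted (client address, DN and counts are placeholders)."""
import re
from typing import List, Optional, Tuple

# Defaults of the DWORD values under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
# on Windows Server 2003.  Yann set Expensive to 1, which is why a 63-entry search was logged.
EXPENSIVE_THRESHOLD = 10000      # "Expensive Search Results Threshold"
INEFFICIENT_THRESHOLD = 1000     # "Inefficient Search Results Threshold"
INEFFICIENT_RETURN_RATIO = 0.10  # inefficient = returned < 10% of visited
MAX_QUERY_DURATION_MS = 120000   # LDAP policy MaxQueryDuration default (120 s), assumed

# Attributes carrying the index searchFlag in a stock Windows Server 2003 schema
# (assumption: check searchFlags in your own schema).  objectClass is deliberately
# absent: it is not indexed in 2003.
INDEXED_ATTRIBUTES = {"objectcategory", "samaccountname", "userprincipalname", "cn",
                      "name", "displayname", "givenname", "sn", "mail", "objectguid", "objectsid"}

FIELD_RE = re.compile(r"^\s*(Client|Starting node|Filter|Search scope|Visited entries|"
                      r"Returned entries):\s*(.*?)\s*$", re.MULTILINE)
ELAPSED_RE = re.compile(r"elapsed time of (\d+) ms")
# Attribute at the head of a filter item: "(attr=", "(attr>=", "(attr~=".
# Extensible-match items ("attr:rule:=") are not recognised.
ATTR_RE = re.compile(r"\(\s*([A-Za-z][\w\-]*)\s*(?:~=|>=|<=|=)")


def parse_1644(text: str) -> dict:
    """Search parameters from an NTDS General event 1644 message."""
    f = dict(FIELD_RE.findall(text))
    return {"client": f["Client"], "base": f["Starting node"], "filter": f["Filter"],
            "scope": f["Search scope"], "visited": int(f["Visited entries"]),
            "returned": int(f["Returned entries"])}

def parse_1139(text: str) -> Optional[int]:
    """Elapsed milliseconds from the NTDS LDAP event 1139 that follows a 1644."""
    m = ELAPSED_RE.search(text)
    return int(m.group(1)) if m else None

def classify(ev: dict, expensive: int = EXPENSIVE_THRESHOLD,
             inefficient: int = INEFFICIENT_THRESHOLD) -> List[str]:
    """The two threshold rules the DC applies before logging, plus the duration cap."""
    tags = []
    if ev["visited"] > expensive:
        tags.append("expensive")
    if ev["visited"] > inefficient and ev["returned"] < ev["visited"] * INEFFICIENT_RETURN_RATIO:
        tags.append("inefficient")
    if ev.get("elapsed_ms") is not None and ev["elapsed_ms"] >= MAX_QUERY_DURATION_MS:
        tags.append("hit MaxQueryDuration")
    return tags

def unindexed_attributes(filt: str) -> List[str]:
    return sorted({a for a in ATTR_RE.findall(filt) if a.lower() not in INDEXED_ATTRIBUTES})

def index_usable(filt: str) -> bool:
    """Simplified planner view that inspects only the outermost operator: an OR needs
    every branch indexed, an AND (or single term) can walk one index and test the rest."""
    flags = [a.lower() in INDEXED_ATTRIBUTES for a in ATTR_RE.findall(filt)]
    if not flags:
        return False
    return all(flags) if filt.lstrip().startswith("(|") else any(flags)

def analyze(pairs: List[Tuple[str, str]], **thresholds) -> List[dict]:
    """Join each 1644 message with its 1139 and annotate the search."""
    rows = []
    for t1644, t1139 in pairs:
        ev = parse_1644(t1644)
        ev["elapsed_ms"] = parse_1139(t1139)
        ev["tags"] = classify(ev, **thresholds)
        ev["index_usable"] = index_usable(ev["filter"])
        ev["unindexed"] = unindexed_attributes(ev["filter"])
        rows.append(ev)
    return rows

def _event(base, filt, visited, returned, elapsed_ms, client="11.22.33.44"):
    """Constructed 1644/1139 pair laid out like the real event text."""
    e1644 = ("Internal event: A client issued a search operation with the following options.\n"
             f" Client: {client}\n Starting node: {base}\n Filter: {filt}\n"
             " Search scope: subtree\n Attribute selection: givenName,sAMAccountName,sn\n"
             f" Server controls:\n Visited entries: {visited}\n Returned entries: {returned}")
    return e1644, f"Internal event: Function ldap_search completed with an elapsed time of {elapsed_ms} ms."

OU = "OU=MyOU,OU=myou1,DC=childdomain,DC=parentDomain,DC=root,DC=fr"
DOMAIN = "DC=childdomain,DC=parentDomain,DC=root,DC=fr"
SAMPLE_EVENTS = [
    _event(OU, "(objectClass=user)", 63, 58, 16),              # the search Yann posted
    _event(DOMAIN, "(objectClass=user)", 24000, 1900, 3400),   # same filter from the domain head (constructed)
    _event(DOMAIN, "(&(objectCategory=person)(objectClass=user))", 1900, 1900, 45),  # indexed form (constructed)
]

if __name__ == "__main__":
    for r in analyze(SAMPLE_EVENTS):
        print(f"{r['filter']:<46} visited={r['visited']:>6} returned={r['returned']:>5} "
              f"{r['elapsed_ms']:>5} ms  tags={r['tags'] or '-'}  index_usable={r['index_usable']}")
```

Run as a script it prints the three searches side by side: with the default thresholds only the constructed domain-wide scan is tagged, while passing `expensive=1` to `analyze`, as Yann configured the DC, tags even the 63-entry search, which is why the threshold says nothing by itself about the query being bad. The `index_usable` column is the part worth acting on: one alternative to indexing objectClass is to rewrite `(objectClass=user)` as `(&(objectCategory=person)(objectClass=user))`, since objectCategory is indexed and single-valued, and the extra term also excludes computer objects, which inherit from the user class.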
Re: [ActiveDir] SBS and reducing downtime on crash
Totally agree on the points said by Susan. Practice is important though; it's even documented by MS and that works just fine. And I use the built in backup, no issues popped up and I had the server up and running in no time!

On 6/8/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

1. Go to TechEd 2006 in Boston
2. Go to Jeff Middleton's Myths of DR on SBS

Any questions? Okay so seriously...

3. Remember that under the hood we're AD.. so even though the big guys around here cringe at a single DC, all on one box.. all the tricks for AD restoration still work.

Okay Susan's first and foremost SBS rule of DR

1. Buy good hardware.

I have been running SBS since SBS 4.0 and here's what nailed me in the past

NIC died
Hub died (back when we did hubs)
NIC died
Switch died
Harddrive dropped off raid
Switch froze up required hard reset (just two weeks ago.. good excuse for upgrading to gig switches don't you think?)

In all those years I've had minimal downtime. Notice that I've only lost one drive and that was on my adaptec raid screaming like crazy but the network still chugged just fine.. so these days I buy spare nics and harddrives. I've also always had SCSI drives, and with my current baby (HP) have that lovely hardware monitoring stuff that sends me emails when the hardware gets even a sniffle. Now I have a Dell OEM with IDE drives and it's not a server and you can so tell. The SATA drive ones are ... well ask us again in about another year or so of the 'three year let's see how they do compared to SCSI'. My home server is a cheap SATA HP but even that is better than the cheap Dell OEM version I got.

Lesson 1 - buy HP.. buy good server quality hardware.

2. Consider adding to that backup a drive image software (okay someone go tell the Garage door guy, the AD guru and the Joeware guy to stick fingers in their ears and don't read this)

We are only one DC. It's a little hard to have replication and tombstone issues when you only have one AD. Acronis may not say they will support imaging a DC... but when you only have one... it's not a biggie and it works. We've done it. Heck we can even restore a system state that's getting gray hairs. When you only have one... sometimes you can do things that in big server land you absolutely would never ever do.

3. Consider adding a secondary DC.

These days with virtual pc/server/vmware load up a server os on a workstation even and park an additional domain controller to replicate that AD.

4. Practice that restore.

A few days to get it back in the air? Worst case scenario... Hurricane Katrina.. Jeff Middleton is from New Orleans Louisiana.. you know what he found? (and I'm ccing him so he can chat with you more directly).. ever try to buy server hardware in a computer store? He was buying MCE editions as they were the beefier ones. Have offsite backups of media, as he was scrambling in some cases to get the right media. Sometimes it was the little things that nailed him. Your worst case scenario is replacing that hardware... bare metal recovery in the 2k3 era is not the same as we had it in the 2k era with the SFN issues. SBS is no different of a DR recovery than the big guys... it just magnifies it is all. In a normal DR setup ... to get that back in the air.. on an SBS box? Not if you know what you are doing and have practiced.

5. Cold server rights.

If you have SA you have cold server rights. You can park another server with a copy of the OS and then turn it off and leave it.

Okay now let's review some of that 'the firm is down'.

1. Cached credentials, cached outlook means that the server can drop off the face of the earth and the workstations just kinda hang out until it comes back on.

2. Have alternative ways to get to key data. I have a robocopy that pulls a copy of certain folders over to a spare drive on my workstation.. Excel and Word docs.. should the gang absopositively need to get into a doc for a case, even if the server is down, we have a duplicate that can be gotten into.

But honestly we're no different of a DR story than the big guys.. a tad more complicated due to the all on one box... but the same rules apply

RAID
Hardware - don't skimp
Practice
Decide if you are not going to do the secondary DC and do a server image... or do the secondary DC and don't image.
and don't panic.

and in my case I'm calling Jeff and paying him to be my calm DR buddy should something occur...

btw I don't like Veritas in a single SBS setup.. the built in SBS backup works fine.. if you need to backup additional servers, then do Veritas

Quatro Info wrote:

Hi all,

Have a general question / case.

On small companies (10 - 20 employees), what config is the best to set the downtime in case of a crash to a minimum. Especially in a SBS environment / small company.

Lets keep it an easy example:
-company has 15 employees
-15 XP workstations
-one SBS 2k3 server installed with all necessary tools etc.. veritas backup exec / groupshield etc etc..
-raid mirror installed
-network is configured well... firewall / updates etc

Lets say all ingredients are
[ActiveDir] OT:Exchange mailnickname
My company wants to use a mail stubbing app called Mailbox Manager from CA. I've been going back and forth with the tech there. He claims that, according to him, due to a limitation in WebDAV, one of the user's proxy addresses needs to be in the format of [EMAIL PROTECTED] for users to be able to see subfolders underneath their inbox in OWA. I've never heard of such a limitation and think he may be talking about mailnickname (alias), but he insists I'm wrong. Can anyone shed some light on this? Thanks
Re : [ActiveDir] AD LDAP Logging.
Good point Joe. I will use perfmon to monitor the health of my DC.

Another question. The web app timed out with this generic error "the server is down", where "the server" = my DC. At the time the web app timed out, I saw no errors about ldap connections between my DC and the ZOPE server. With the Field Engineering set to 5, and if the web app timed out, will an LDAP error appear in my event logs that states a disconnection occurred?

Thanks for taking time to reply,

Cheers,
Yann

Original message
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, 9 June 2006, 2:25:26
Subject: RE: [ActiveDir] AD LDAP Logging.
RE: [ActiveDir] AD LDAP Logging.
Unfortunately the logging is very basic; it will not log LDAP errors from anything I have seen. This is something I have asked for from MSFT as well, very detailed LDAP logging like you can enable with some of the other directories. Usually I hear a response of "use event tracing" but I haven't had a chance to really dig deep into that yet to see how useful it will be.

It depends on whether the code is displaying error messages, but possibly a query timed out? That could be indicative of a very poor query. By default, if a query goes more than 2 minutes, it will get dropped.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] AD LDAP Logging.

Good point Joe. I will use perfmon to monitor the health of my DC.

Another question. The Web app timed out with this generic error "the serveur is down", where "the server" = my DC. At the time the web app timed out, I saw no errors about LDAP connections between my DC and the Zope server. With the Field Engineering set to 5, and if the web app timed out, will an LDAP error appear in my event logs that states a disconnection occurred?

Thanks for taking time to reply,
Cheers,
Yann

- Original message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, 9 June 2006, 2:25:26
Subject: RE: [ActiveDir] AD LDAP Logging.

When you change that threshold you are specifying how expensive you want the query to be before AD reports it. Changing "Expensive" to 1, according to the docs, means that as soon as a query has to look at one or more entries it will be logged. So when you turn down that value, you are telling it to log pretty much everything.

That being said, unless you have changed your schema, objectclass isn't indexed and a filter with no indexed attributes is generally considered inefficient unless it is properly scoped. The fact that you are returning 58 of 63 entries means that that isn't too bad, but just the same, I would work on getting the query changed to using an indexed attribute or, more likely, because so many apps/scripts screw up around objectclass, indexing objectclass AND getting the query changed.

When you see big noticeable deltas in how long the same query takes to run, it is usually a couple of things that could be at fault; possibly Eric will pipe in with more. The first is that the DC is tied up with something else and just can't give you the proc time; the other is that it has to go to disk instead of pulling from cache. Either way you should be looking at your perf counters to see how the DC is performing. I tend to really look at disk counters because that is where it often falls down. Things like disk queue and number of read ops for the DIT drive (write ops are usually a rounding error except during heavy population periods) are the things I immediately focus on. Just seeing the number of read ops doesn't help; you have to understand your disk architecture because on some systems 500 read ops may be just fine, but on others it could be over what the disk system is capable of sustaining so you start backing up.

As a quick rule of thumb I start with the assumption that each spindle that is part of the volume gives you 100 IOPS capability. That can be generous, so if you are on the edge keep that in mind, but if you are at 20 OPS and you have 8 spindles in a RAID 0+1 it is unlikely disk is your bottleneck[1] and the disk queues should bear that out. Of course I tend to focus on disk because memory is almost always boosted up there, because most people realize how important RAM is, but only folks who think about Exchange tend to think about disk, and the only guideline I have seen from MSFT recommends 3 RAID-1 sets for anything above several thousand users, which I don't feel is very good. Again, as a general rule I would rather see a single RAID 0+1 (or even better, if you don't care about fault tolerance, a RAID 0) or RAID-5 than 3 RAID-1's. But this is all just recanting a zillion conversations we have had here on the list about disk layouts.

joe

[1] Virtualization really screws with this from the disk standpoint because you need to look at counters for the physical machine, and while your DC may not be generating many read ops, if other virtual machines are, you could be slowed down considerably by those without the Read Ops reflecting much on the individual DC.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 5:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] AD LDAP Logging.

Hello Tony,

Very useful information! Thanks.

I enabled this config: 15 Field Engineering to 5, Expensive Search
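As an added illustration of joe's point about filters with no indexed attribute (this is example code, not something posted in the thread), the small Python checker below parses an LDAP search filter, lists the attributes it touches, and flags a subtree search the DC cannot narrow with an index. The set of indexed attributes is a constructed sample assumed to mirror a default Windows Server 2003 schema, where objectClass is not indexed; the `assess`, `index_usable` and `FilterParser` names are this example's own.

```python
"""Added example (not from the thread): does an LDAP filter get to use an index?"""
from dataclasses import dataclass, field

# Constructed sample of indexed attributes, assumed to mirror a default
# Windows Server 2003 schema: objectClass is deliberately absent (joe's point).
DEFAULT_INDEXED = frozenset(a.lower() for a in (
    "objectCategory", "sAMAccountName", "cn", "name", "displayName",
    "userPrincipalName", "mail", "objectGUID", "objectSid"))


@dataclass
class Node:
    op: str                      # "&", "|", "!" or "=" (simple comparison)
    attr: str = ""               # lower-cased attribute name when op == "="
    value: str = ""              # raw assertion value when op == "="
    children: list = field(default_factory=list)


class FilterParser:
    """Minimal RFC 4515 filter parser: and/or/not plus simple items."""

    def __init__(self, text):
        self.s = text.strip()
        self.i = 0

    def parse(self):
        node = self._filter()
        if self.i != len(self.s):
            raise ValueError("trailing characters after filter")
        return node

    def _expect(self, ch):
        if self.i >= len(self.s) or self.s[self.i] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def _filter(self):
        self._expect("(")
        if self.i >= len(self.s):
            raise ValueError("unterminated filter")
        ch = self.s[self.i]
        if ch in "&|!":
            self.i += 1
            node = Node(op=ch)
            while self.i < len(self.s) and self.s[self.i] == "(":
                node.children.append(self._filter())
            if not node.children or (ch == "!" and len(node.children) != 1):
                raise ValueError(f"wrong number of sub-filters for {ch!r}")
        else:
            end = self.s.find(")", self.i)
            if end < 0:
                raise ValueError("unterminated filter")
            item = self.s[self.i:end]
            for sep in ("~=", ">=", "<=", "="):  # two-char operators first
                if sep in item:
                    attr, value = item.split(sep, 1)
                    break
            else:
                raise ValueError(f"no comparison operator in {item!r}")
            node = Node(op="=", attr=attr.strip().lower(), value=value)
            self.i = end
        self._expect(")")
        return node


def attributes(node):
    """All attribute names referenced anywhere in the filter tree."""
    if node.op == "=":
        return {node.attr}
    return set().union(*(attributes(c) for c in node.children))


def index_usable(node, indexed=DEFAULT_INDEXED):
    """True if the DC can narrow the candidate set with an index."""
    if node.op == "=":
        if node.attr not in indexed:
            return False
        # "*" alone is a presence test and is fine; a leading-wildcard
        # substring such as "*doe" needs a medial index, so it does not count.
        return not (node.value.startswith("*") and len(node.value) > 1)
    if node.op == "&":      # one indexed term is enough to narrow the set
        return any(index_usable(c, indexed) for c in node.children)
    if node.op == "|":      # every branch must be indexed or all is walked
        return all(index_usable(c, indexed) for c in node.children)
    return False            # "!" forces a walk of every candidate entry


def assess(filter_text, scope="subtree", indexed=DEFAULT_INDEXED):
    """Classify a search as ok / review / inefficient, per joe's rule."""
    root = FilterParser(filter_text).parse()
    usable = index_usable(root, indexed)
    if usable or scope == "base":
        verdict = "ok"               # base scope touches a single entry
    elif scope == "onelevel":
        verdict = "review"           # walks one container; fine if small
    else:
        verdict = "inefficient"      # unindexed subtree walk of the DIT
    return {"attributes": sorted(attributes(root)),
            "index_usable": usable, "verdict": verdict}
```

Passing `indexed=DEFAULT_INDEXED | {"objectclass"}` models joe's other remedy, indexing objectclass, and turns the plain `(objectClass=user)` verdict from "inefficient" to "ok".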
RE: [ActiveDir] OT:Exchange mailnickname
Empirical evidence suggests that he shouldn't be insisting so much. Very few of our users have a proxy address of [EMAIL PROTECTED], and we have no problems getting to subfolders via OWA. I'm sure you could take a test user account in your environment and duplicate this.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, June 09, 2006 7:41 AM
To: activedirectory
Subject: [ActiveDir] OT:Exchange mailnickname

My company wants to use a mail stubbing app called "Mailbox Manager" from CA. I've been going back and forth with the tech there. He claims that, according to him, due to a limitation in WebDAV, one of the user's proxy addresses needs to be in the format of [EMAIL PROTECTED] for users to be able to see subfolders underneath their inbox in OWA. I've never heard of such a limitation and think he may be talking about "mailnickname" (alias), but he insists I'm wrong.

Can anyone shed some light on this?

Thanks
Re: [ActiveDir] OT:Exchange mailnickname
Thanks. What about mailNickname? Are there any issues if mailNickname is different than sAMAccountName with regard to WebDAV?

Thanks again

On 6/9/06, Coleman, Hunter [EMAIL PROTECTED] wrote:

Empirical evidence suggests that he shouldn't be insisting so much. Very few of our users have a proxy address of [EMAIL PROTECTED], and we have no problems getting to subfolders via OWA. I'm sure you could take a test user account in your environment and duplicate this.

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, June 09, 2006 7:41 AM
To: activedirectory
Subject: [ActiveDir] OT:Exchange mailnickname

My company wants to use a mail stubbing app called "Mailbox Manager" from CA. I've been going back and forth with the tech there. He claims that, according to him, due to a limitation in WebDAV, one of the user's proxy addresses needs to be in the format of [EMAIL PROTECTED] for users to be able to see subfolders underneath their inbox in OWA. I've never heard of such a limitation and think he may be talking about "mailnickname" (alias), but he insists I'm wrong.

Can anyone shed some light on this?

Thanks
Re : [ActiveDir] AD LDAP Logging.
Ok thanks. When you said "..use event tracing ...", do you mean using Perfmon Trace Logs?

- Original message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, 9 June 2006, 4:34:33
Subject: RE: [ActiveDir] AD LDAP Logging.

Unfortunately the logging is very basic; it will not log LDAP errors from anything I have seen. This is something I have asked for from MSFT as well, very detailed LDAP logging like you can enable with some of the other directories. Usually I hear a response of "use event tracing" but I haven't had a chance to really dig deep into that yet to see how useful it will be.

It depends on whether the code is displaying error messages, but possibly a query timed out? That could be indicative of a very poor query. By default, if a query goes more than 2 minutes, it will get dropped.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] AD LDAP Logging.

Good point Joe. I will use perfmon to monitor the health of my DC.

Another question. The Web app timed out with this generic error "the serveur is down", where "the server" = my DC. At the time the web app timed out, I saw no errors about LDAP connections between my DC and the Zope server. With the Field Engineering set to 5, and if the web app timed out, will an LDAP error appear in my event logs that states a disconnection occurred?

Thanks for taking time to reply,
Cheers,
Yann

- Original message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, 9 June 2006, 2:25:26
Subject: RE: [ActiveDir] AD LDAP Logging.

When you change that threshold you are specifying how expensive you want the query to be before AD reports it. Changing "Expensive" to 1, according to the docs, means that as soon as a query has to look at one or more entries it will be logged. So when you turn down that value, you are telling it to log pretty much everything.

That being said, unless you have changed your schema, objectclass isn't indexed and a filter with no indexed attributes is generally considered inefficient unless it is properly scoped. The fact that you are returning 58 of 63 entries means that that isn't too bad, but just the same, I would work on getting the query changed to using an indexed attribute or, more likely, because so many apps/scripts screw up around objectclass, indexing objectclass AND getting the query changed.

When you see big noticeable deltas in how long the same query takes to run, it is usually a couple of things that could be at fault; possibly Eric will pipe in with more. The first is that the DC is tied up with something else and just can't give you the proc time; the other is that it has to go to disk instead of pulling from cache. Either way you should be looking at your perf counters to see how the DC is performing. I tend to really look at disk counters because that is where it often falls down. Things like disk queue and number of read ops for the DIT drive (write ops are usually a rounding error except during heavy population periods) are the things I immediately focus on. Just seeing the number of read ops doesn't help; you have to understand your disk architecture because on some systems 500 read ops may be just fine, but on others it could be over what the disk system is capable of sustaining so you start backing up.

As a quick rule of thumb I start with the assumption that each spindle that is part of the volume gives you 100 IOPS capability. That can be generous, so if you are on the edge keep that in mind, but if you are at 20 OPS and you have 8 spindles in a RAID 0+1 it is unlikely disk is your bottleneck[1] and the disk queues should bear that out. Of course I tend to focus on disk because memory is almost always boosted up there, because most people realize how important RAM is, but only folks who think about Exchange tend to think about disk, and the only guideline I have seen from MSFT recommends 3 RAID-1 sets for anything above several thousand users, which I don't feel is very good. Again, as a general rule I would rather see a single RAID 0+1 (or even better, if you don't care about fault tolerance, a RAID 0) or RAID-5 than 3 RAID-1's. But this is all just recanting a zillion conversations we have had here on the list about disk layouts.

joe

[1] Virtualization really screws with this from the disk standpoint because you need to look at counters for the physical machine, and while your DC may not be generating many read ops, if other virtual machines are, you could be slowed down considerably by those without the Read Ops reflecting much on the individual DC.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 5:31 AM
To:
RE: [ActiveDir] OT:Exchange mailnickname
We make mailnickname = alias = samaccountname. I'm pretty sure that we started making most of this happen when we renamed accounts a long time ago (possibly NT4/Exchange 5.5 long ago!) because we did get problems if the alias wasn't the same as samaccountname. We do have an email address matching samaccountname for students, but that was just to make sure it was unique (9 James Taylors; 9 Bharat Patels amongst other duplicates!); we don't for staff.

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: 09 June 2006 15:53
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT:Exchange mailnickname

Thanks. What about mailNickname? Are there any issues if mailNickname is different than sAMAccountName with regard to WebDAV?

Thanks again

On 6/9/06, Coleman, Hunter [EMAIL PROTECTED] wrote:

Empirical evidence suggests that he shouldn't be insisting so much. Very few of our users have a proxy address of [EMAIL PROTECTED], and we have no problems getting to subfolders via OWA. I'm sure you could take a test user account in your environment and duplicate this.

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, June 09, 2006 7:41 AM
To: activedirectory
Subject: [ActiveDir] OT:Exchange mailnickname

My company wants to use a mail stubbing app called "Mailbox Manager" from CA. I've been going back and forth with the tech there. He claims that, according to him, due to a limitation in WebDAV, one of the user's proxy addresses needs to be in the format of [EMAIL PROTECTED] for users to be able to see subfolders underneath their inbox in OWA. I've never heard of such a limitation and think he may be talking about "mailnickname" (alias), but he insists I'm wrong.

Can anyone shed some light on this?

Thanks
RE: [ActiveDir] AD LDAP Logging.
I would suggest taking a look at Server Performance Advisor (SPA), assuming these are Windows Server 2003 DCs, and using it to collect and analyze the data for the DCs in question. This tool combines performance counters and the tracing data that Joe is referring to, which will allow you to get very detailed information on what is occurring. This tool will give you a peek into the new performance and monitoring capabilities that we are adding into the next versions of the OS. It will also give you hints on what we believe the performance problems are. One of these days when I get a chance I will try to write a blog entry on all of the things you can do with SPA. By the way, it also collects information for other server roles as well, such as IIS, giving you tremendous amounts of detail found nowhere else.

Yes, event tracing is the future of not only performance monitoring but debugging difficult issues.

You can download SPA from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=09115420-8c9d-46b9-a9a5-9bffcd237da2DisplayLang=en

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, June 09, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD LDAP Logging.

Unfortunately the logging is very basic; it will not log LDAP errors from anything I have seen. This is something I have asked for from MSFT as well, very detailed LDAP logging like you can enable with some of the other directories. Usually I hear a response of "use event tracing" but I haven't had a chance to really dig deep into that yet to see how useful it will be.

It depends on whether the code is displaying error messages, but possibly a query timed out? That could be indicative of a very poor query. By default, if a query goes more than 2 minutes, it will get dropped.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] AD LDAP Logging.

Good point Joe. I will use perfmon to monitor the health of my DC.

Another question. The Web app timed out with this generic error "the serveur is down", where "the server" = my DC. At the time the web app timed out, I saw no errors about LDAP connections between my DC and the Zope server. With the Field Engineering set to 5, and if the web app timed out, will an LDAP error appear in my event logs that states a disconnection occurred?

Thanks for taking time to reply,
Cheers,
Yann

- Original message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, 9 June 2006, 2:25:26
Subject: RE: [ActiveDir] AD LDAP Logging.

When you change that threshold you are specifying how expensive you want the query to be before AD reports it. Changing "Expensive" to 1, according to the docs, means that as soon as a query has to look at one or more entries it will be logged. So when you turn down that value, you are telling it to log pretty much everything.

That being said, unless you have changed your schema, objectclass isn't indexed and a filter with no indexed attributes is generally considered inefficient unless it is properly scoped. The fact that you are returning 58 of 63 entries means that that isn't too bad, but just the same, I would work on getting the query changed to using an indexed attribute or, more likely, because so many apps/scripts screw up around objectclass, indexing objectclass AND getting the query changed.

When you see big noticeable deltas in how long the same query takes to run, it is usually a couple of things that could be at fault; possibly Eric will pipe in with more. The first is that the DC is tied up with something else and just can't give you the proc time; the other is that it has to go to disk instead of pulling from cache. Either way you should be looking at your perf counters to see how the DC is performing. I tend to really look at disk counters because that is where it often falls down. Things like disk queue and number of read ops for the DIT drive (write ops are usually a rounding error except during heavy population periods) are the things I immediately focus on. Just seeing the number of read ops doesn't help; you have to understand your disk architecture because on some systems 500 read ops may be just fine, but on others it could be over what the disk system is capable of sustaining so you start backing up.

As a quick rule of thumb I start with the assumption that each spindle that is part of the volume gives you 100 IOPS capability. That can be generous, so if you are on the edge keep that in mind, but if you are at 20 OPS and you have 8 spindles in a RAID 0+1 it is unlikely disk is your bottleneck[1] and the disk queues should bear that
RE: Re : [ActiveDir] AD LDAP Logging.
Perfmon trace logs will generate the raw binary trace data, but it has to be processed. The easiest way to get at this data is to use SPA, which will collect the binary trace data and process it into human-readable format.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] AD LDAP Logging.

Ok thanks. When you said "..use event tracing ...", do you mean using Perfmon Trace Logs?

- Original message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, 9 June 2006, 4:34:33
Subject: RE: [ActiveDir] AD LDAP Logging.

Unfortunately the logging is very basic; it will not log LDAP errors from anything I have seen. This is something I have asked for from MSFT as well, very detailed LDAP logging like you can enable with some of the other directories. Usually I hear a response of "use event tracing" but I haven't had a chance to really dig deep into that yet to see how useful it will be.

It depends on whether the code is displaying error messages, but possibly a query timed out? That could be indicative of a very poor query. By default, if a query goes more than 2 minutes, it will get dropped.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] AD LDAP Logging.

Good point Joe. I will use perfmon to monitor the health of my DC.

Another question. The Web app timed out with this generic error "the serveur is down", where "the server" = my DC. At the time the web app timed out, I saw no errors about LDAP connections between my DC and the Zope server. With the Field Engineering set to 5, and if the web app timed out, will an LDAP error appear in my event logs that states a disconnection occurred?

Thanks for taking time to reply,
Cheers,
Yann

- Original message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, 9 June 2006, 2:25:26
Subject: RE: [ActiveDir] AD LDAP Logging.

When you change that threshold you are specifying how expensive you want the query to be before AD reports it. Changing "Expensive" to 1, according to the docs, means that as soon as a query has to look at one or more entries it will be logged. So when you turn down that value, you are telling it to log pretty much everything.

That being said, unless you have changed your schema, objectclass isn't indexed and a filter with no indexed attributes is generally considered inefficient unless it is properly scoped. The fact that you are returning 58 of 63 entries means that that isn't too bad, but just the same, I would work on getting the query changed to using an indexed attribute or, more likely, because so many apps/scripts screw up around objectclass, indexing objectclass AND getting the query changed.

When you see big noticeable deltas in how long the same query takes to run, it is usually a couple of things that could be at fault; possibly Eric will pipe in with more. The first is that the DC is tied up with something else and just can't give you the proc time; the other is that it has to go to disk instead of pulling from cache. Either way you should be looking at your perf counters to see how the DC is performing. I tend to really look at disk counters because that is where it often falls down. Things like disk queue and number of read ops for the DIT drive (write ops are usually a rounding error except during heavy population periods) are the things I immediately focus on. Just seeing the number of read ops doesn't help; you have to understand your disk architecture because on some systems 500 read ops may be just fine, but on others it could be over what the disk system is capable of sustaining so you start backing up.

As a quick rule of thumb I start with the assumption that each spindle that is part of the volume gives you 100 IOPS capability. That can be generous, so if you are on the edge keep that in mind, but if you are at 20 OPS and you have 8 spindles in a RAID 0+1 it is unlikely disk is your bottleneck[1] and the disk queues should bear that out. Of course I tend to focus on disk because memory is almost always boosted up there, because most people realize how important RAM is, but only folks who think about Exchange tend to think about disk, and the only guideline I have seen from MSFT recommends 3 RAID-1 sets for anything above several thousand users, which I don't feel is very good. Again, as a general rule I would rather see a single RAID 0+1 (or even better, if you don't care about fault tolerance, a RAID 0) or RAID-5 than 3 RAID-1's. But this is all just recanting a zillion
RE: [ActiveDir] OT:Exchange mailnickname
Not that I've run into, as far as accessing subfolders via OWA. Again, this would be very easy for you to confirm in your environment and throw back at the CA tech, though you might consider this a good indicator of what you're in for support-wise from them.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, June 09, 2006 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT:Exchange mailnickname

Thanks. What about mailNickname? Are there any issues if mailNickname is different than sAMAccountName with regard to WebDAV?

Thanks again

On 6/9/06, Coleman, Hunter [EMAIL PROTECTED] wrote:

Empirical evidence suggests that he shouldn't be insisting so much. Very few of our users have a proxy address of [EMAIL PROTECTED], and we have no problems getting to subfolders via OWA. I'm sure you could take a test user account in your environment and duplicate this.

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, June 09, 2006 7:41 AM
To: activedirectory
Subject: [ActiveDir] OT:Exchange mailnickname

My company wants to use a mail stubbing app called "Mailbox Manager" from CA. I've been going back and forth with the tech there. He claims that, according to him, due to a limitation in WebDAV, one of the user's proxy addresses needs to be in the format of [EMAIL PROTECTED] for users to be able to see subfolders underneath their inbox in OWA. I've never heard of such a limitation and think he may be talking about "mailnickname" (alias), but he insists I'm wrong.

Can anyone shed some light on this?

Thanks
Re: [ActiveDir] OT:Exchange mailnickname
gets on soapbox

Credentials should be unique within an organization. Mail attributes, logons of any type, and any identifying information such as samaccountname, alias, cn, etc. should be the same across a user for the sake of troubleshooting and preventing duplicates and the issues that come along with that.

/soapbox

While it shouldn't matter, I have seen some cases where not having attributes match could be a problem. There have been a lot of changes between versions around this behavior, but you never really know where in the legacy code this is going to come up, even though it should not. IIRC, one issue that comes to mind is that the LHS of the UPN was not the same as the alias field. This resulted in the user being able to authenticate, but then could not render the data or got partial access etc. via OWA. If you check the troubleshooting docs for Exchange, you'll see that it's advised to troubleshoot with domain\user credentials when trying to figure out logon/display issues with OWA. There's a reason for that. :)

My $0.04 (USD) anyway.

On 6/9/06, Steve Rochford [EMAIL PROTECTED] wrote:

We make mailnickname = alias = samaccountname. I'm pretty sure that we started making most of this happen when we renamed accounts a long time ago (possibly NT4/Exchange 5.5 long ago!) because we did get problems if the alias wasn't the same as samaccountname. We do have an email address matching samaccountname for students, but that was just to make sure it was unique (9 James Taylors; 9 Bharat Patels amongst other duplicates!); we don't for staff.

Steve

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 09 June 2006 15:53
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT:Exchange mailnickname

Thanks. What about mailNickname? Are there any issues if mailNickname is different than sAMAccountName with regard to WebDAV?

Thanks again

On 6/9/06, Coleman, Hunter [EMAIL PROTECTED] wrote:

Empirical evidence suggests that he shouldn't be insisting so much. Very few of our users have a proxy address of [EMAIL PROTECTED], and we have no problems getting to subfolders via OWA. I'm sure you could take a test user account in your environment and duplicate this.

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, June 09, 2006 7:41 AM
To: activedirectory
Subject: [ActiveDir] OT:Exchange mailnickname

My company wants to use a mail stubbing app called "Mailbox Manager" from CA. I've been going back and forth with the tech there. He claims that, according to him, due to a limitation in WebDAV, one of the user's proxy addresses needs to be in the format of [EMAIL PROTECTED] for users to be able to see subfolders underneath their inbox in OWA. I've never heard of such a limitation and think he may be talking about "mailnickname" (alias), but he insists I'm wrong.

Can anyone shed some light on this?

Thanks
RE: [ActiveDir] OT: Security Policy Thoughts
Thanks. I'll take a look.

-- nme

P.S. Susan, I will get my nominations in order!

From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 08, 2006 11:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Security Policy Thoughts

NAC != .1x. The 3560 will certainly do the port based auth, and I believe the 2950 will as well. I have the configs around. It's pretty well explained in the config guide, though.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, June 09, 2006 12:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Security Policy Thoughts

Thanks all for the thoughts. I think that the thing I will need to communicate to these folks is simply the tradeoffs and the risks. They run many apps that force full admin rights on the workstations and have concluded that this is an acceptable risk. We'll see what they say. In the end, I feel okay about it if they are fully cognizant of the risks and then accept them. Maybe I'll put something in about double the hourly rate for cleanup ;-)

-- nme

P.S. Brian, could you elaborate on the inexpensive NAC products? I see that IAS will be a RADIUS provider to 802.1x switches. Is there a feature set within the IOS that can handle this (Catalyst 29xx and 35xx) or is it a separate device?

From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 08, 2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Security Policy Thoughts

They're keeping me a little busy down at the fun factory, so I'm up pretty late. Actually I just flew back in yesterday from a client so I was handling backlog.

How is .1x cost prohibitive? Have you looked at the NAC products most major VPN providers have to handle your fears about viruses and such? Also realize you don't need to open a lot of the ports representative of that sort of stuff. Lock it down by job role.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, June 08, 2006 12:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Security Policy Thoughts

Thanks, Brian. Don't you sleep? It's late in Chicago ;-)

802.1x is the direction they are heading. Right now, it is cost-prohibitive. So the question is less "can I control this access" but "should I"? Is that over-reacting?

Again with the VPN. My thoughts were to push it with an MSI, so I see how to control its distribution. The question is should I limit it to just the domain computers? How big is the risk? If the risk from home computers is virus and malware, how do I justify preventing folks from running it on their home Macs?

Thanks.

-- nme

From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 07, 2006 10:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Security Policy Thoughts

My suggestion is that you implement 802.1x port auth to implement port based authentication. You can use this to implement guest vlans with the policy routing you describe.

Isn't the Cisco VPN an MSI? Use Group Policy or SMS if you have it. You can do some NAC stuff with Cisco VPN as well as the personal firewall built into it.

I don't see how you plan to prohibit OS X at least; put it on the guest vlan if you must, but realize that the marketing, pr, etc. people may live in a Mac world.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, June 08, 2006 12:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Security Policy Thoughts

Hi:

I am facing some IT policy questions and wanted to get some perspectives. In each of these areas, I am trying to determine how restrictive I need to be. The client has four sites connected over high-speed links. I have good backing from management but will undoubtedly get resistance on some of these. The client is small, under 200 employees with most in one office. Some small field offices are not managed (i.e., have workgroup networks, often with a small server, but no AD). There are no SOX requirements and the data are not sensitive (e.g., no credit cards). Almost entirely Windows XP; all DCs run W2k3. Any thoughts on these topics welcome.

Connecting to the wired network. They do not run any IDS or machine-based authentication. Given that, written policy carries some weight. I want to require all non-domain machines to connect only to a public VLAN that goes only to the Internet. I would apply this even to staff personal computers, those of contractors (including me), and machines from those field offices that are not on the domain.

VPN. They run a Cisco VPN. I want to distribute the client
RE: [ActiveDir] [OT] User Accounts
The limit on the number non-linked multi-values (~800 - ~1300 depending) probably wouldn't apply (even if you put each post for a given thread it's own value) ... the max LDAP packet size (10MBs) would apply though, your posts can get Looonnngg. Cheers, BrettSh On Thu, 8 Jun 2006, joe wrote: I don't know, some of my posts might invoke the dreaded Admin Limit Exceeded in ADAM... You know the one... The one you were going to write a blog entry about when there were too many entries in a non-linked multivalue attribute... :) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Thursday, June 08, 2006 9:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] User Accounts You could build the archive on ADAM, and enable the indexes to allow for efficient medial substring indexes. :) ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Thursday, June 08, 2006 6:07 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] User Accounts Great info ~Eric! The link to the start of the thread is: http://www.activedir.org/ml/msg08620.aspx We've just moved the archive onto the ActiveDir.org web site and we're having one or two teething problems with the search feature. :-) Tony -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Friday, 9 June 2006 10:38 a.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] User Accounts After this thread (I believe Dean asked what the error was at one point, but I can't find that tip of the thread right now), I decided to go ahead and test this. http://blogs.technet.com/efleis/archive/2006/06/08/434255.aspx I'll blog some more on other things we found along the way over the next few days. 
~Eric

-----Original Message-----
From: Eric Fleischman
Sent: Wednesday, April 19, 2006 7:39 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] User Accounts

DNTs are reusable in ESE, however AD's implementation does not allow DNTs to be released / reused on a single server, and the database will only reuse them if you recreate the DB by repromoting (cause the data is replicated from other servers into a virgin ESE, and DNTs are assigned from the beginning at this point).

Basically, yes. Though I would point out, this is hardly reusing DNTs... this is more starting over. :)

For the sake of clarity I would point out that such a re-promotion would need to be over the wire and not IFM. IFM just picks up where the last left off, as you are using the old database again, and so the same AD level rules apply.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Tuesday, April 18, 2006 11:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

* DNTs (to me) are _not_ a component of the directory

IIRC they are like a (primary/foreign) key in a database. Technically not needed by the database layer, and not needed by the application, but needed to keep the data together for the application. So if you look at AD from the outside it won't be referenced; if you look at ESE it's just a DB and doesn't care about the data stored within, but you still need it in between to store the AD in the ESE. Right?

* DNTs are not reusable

Unique per server and don't provide any reference across servers. If AD looks for a parent object by looking up its known DNT (stored with the child), ESE would fail in that moment; AD would not be able to go to another server and look up the same DNT in its database. The AD is distributed, the ESE is local, and DNTs are part of the local table.

If I understand correctly: DNTs are reusable in ESE, however AD's implementation does not allow DNTs to be released / reused on a single server, and the database will only reuse them if you recreate the DB by repromoting (cause the data is replicated from other servers into a virgin ESE, and DNTs are assigned from the beginning at this point). Right?

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
|Sent: Wednesday, April 19, 2006 1:18 AM
|To: Send - AD mailing list
|Subject: RE: [ActiveDir] User Accounts
|
|Inline is my take on an IM conv. Brett and I just had, the result and
|content of which turned up some
RE : RE: [ActiveDir] AD LDAP Logging.
Thank you for your answer Steve. I will install SPA on Monday and see if I can log some LDAP activities (errors, connection problems, etc.). Will this version of SPA work on a W2K3 SP1 French version?

Regards,
Yann

Steve Linehan [EMAIL PROTECTED] wrote:

I would suggest taking a look at Server Performance Advisor (SPA), assuming these are Windows Server 2003 DCs, and using it to collect and analyze the data for the DCs in question. This tool combines performance counters and the tracing data that Joe is referring to, which will allow you to get very detailed information on what is occurring. This tool will give you a peek into the new performance and monitoring capabilities that we are adding into the next versions of the OS. It will also give you hints on what we believe the performance problems are. One of these days when I get a chance I will try to write a blog entry on all of the things you can do with SPA. By the way, it also collects information for other server roles as well, such as IIS, giving you tremendous amounts of detail found nowhere else. Yes, event tracing is the future of not only performance monitoring but debugging difficult issues.

You can download SPA from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=09115420-8c9d-46b9-a9a5-9bffcd237da2&DisplayLang=en

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, June 09, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD LDAP Logging.

Unfortunately the logging is very basic; it will not log LDAP errors from anything I have seen. This is something I have asked for from MSFT as well, very detailed LDAP logging like you can enable with some of the other directories. Usually I hear a response of "use event tracing" but I haven't had a chance to really dig deep into that yet to see how useful it will be. It depends on whether the code is displaying error messages, but possibly a query timed out? That could be indicative of a very poor query. By default, if a query goes more than 2 minutes, it will get dropped.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] AD LDAP Logging.

Good point Joe. I will use perfmon to monitor the health of my DC.

Another question. The web app timed out with this generic error "the server is down", where "the server" = my DC. At the time the web app timed out, I saw no errors about LDAP connections between my DC and the Zope server. With Field Engineering set to 5, and if the web app times out, will an LDAP error appear in my event logs stating that a disconnection occurred?

Thanks for taking time to reply,
Cheers,
Yann

----- Original Message -----
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, 9 June 2006, 2:25:26 AM
Subject: RE: [ActiveDir] AD LDAP Logging.

When you change that threshold you are specifying how expensive you want the query to be before AD reports it. Changing "Expensive" to 1, according to the docs, means that as soon as a query has to look at one or more entries it will be logged. So when you turn down that value, you are telling it to log pretty much everything. That being said, unless you have changed your schema, objectclass isn't indexed, and a filter with no indexed attributes is generally considered inefficient unless it is properly scoped. The fact that you are returning 58 of 63 entries means that that isn't too bad, but just the same, I would work on getting the query changed to using an indexed attribute or, more likely, because so many apps/scripts screw up around objectclass, indexing objectclass AND getting the query changed.

When you see big noticeable deltas in how long the same query takes to run, it is usually a couple of things that could be at fault; possibly Eric will pipe in with more. The first is that the DC is tied up with something else and just can't give you the proc time; the other is that it has to go to disk instead of pulling from cache. Either way you should be looking at your perf counters to see how the DC is performing. I tend to really look at disk counters because that is where it often falls down. Things like disk queue and number of read ops for the DIT drive (write ops are usually a rounding error except during heavy population periods) are the things I immediately focus on. Just seeing the number of read ops doesn't help; you have to understand your disk architecture, because on some systems 500 read ops may be just fine, but on others it could be over what the disk system is capable of sustaining, so you start backing up. As a quick rule of thumb I start with the assumption that each spindle that is part of the volume gives you
[ActiveDir] WMI Filter
I think I did something wrong... I was using this WMI filter on a GPO:

"select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional" OR Caption = "Microsoft Windows 2000 Professional""

I was doing this to keep this GPO from applying to server operating systems, and when I tested it with Windows 2003 and XP and 2000 Pro, everything seemed to be fine. Well, I just tested it with a couple of 2000 Advanced Server boxes and the policy is applying. Did I do something wrong with the filter? Is Caption not the best method to filter by OS?

Thanks,
Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573
RE: [ActiveDir] WMI Filter
I thought WMI filters could only be evaluated by XP or 2003? 2000 and NT will ignore the filter and apply.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 09, 2006 10:55
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WMI Filter
RE: [ActiveDir] WMI Filter
That would explain it!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Friday, June 09, 2006 1:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WMI Filter
RE: RE : RE: [ActiveDir] AD LDAP Logging.
It is true that SPA is not localized, but I believe the French version will be OK. The problem comes about with the localization of the perfmon data. If you have problems post back and we can try a few workarounds, because we are only really interested in the trace data at this point, which should not be impacted.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 11:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] AD LDAP Logging.
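As an added example (not from the thread, and not Microsoft's SPA tooling): the knobs Joe and Yann are discussing, set and read back with PowerShell. It assumes a Windows Server 2008 or later DC run elevated (Get-WinEvent does not exist on the W2K3 boxes in the thread, although the NTDS registry values are the same there), and it assumes the 1644 event text carries "Label: value" lines with the labels used below; that label set is an assumption about the message format, not something the thread states.

```powershell
# Added example (not from the thread): turn on expensive/inefficient LDAP
# search logging on a DC and summarise the resulting 1644 events.
# Assumes an elevated session on a Windows Server 2008+ DC. The field labels
# parsed below ("Client", "Filter", "Visited entries", ...) are an assumption
# about the 1644 message text.

$diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-ExpensiveSearchLogging {
    param(
        # Level 5 on "15 Field Engineering" makes NTDS write event 1644 for
        # searches that cross the thresholds below.
        [int]$FieldEngineeringLevel = 5,
        # The defaults shown are the documented NTDS defaults. Lowering the
        # expensive threshold to 1 (Joe's "Expensive = 1") logs nearly every
        # search, so keep that to a short test window.
        [int]$ExpensiveThreshold   = 10000,
        [int]$InefficientThreshold = 1000,
        [int]$SearchTimeMsec       = 30000
    )
    Set-ItemProperty -Path $diag   -Name '15 Field Engineering'                -Value $FieldEngineeringLevel -Type DWord
    Set-ItemProperty -Path $params -Name 'Expensive Search Results Threshold'   -Value $ExpensiveThreshold    -Type DWord
    Set-ItemProperty -Path $params -Name 'Inefficient Search Results Threshold' -Value $InefficientThreshold  -Type DWord
    Set-ItemProperty -Path $params -Name 'Search Time Threshold (msecs)'        -Value $SearchTimeMsec        -Type DWord
}

function Disable-ExpensiveSearchLogging {
    # Level 0 stops the 1644 flood once you have what you need.
    Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 0 -Type DWord
}

function ConvertTo-IntOrNull([string]$Text) {
    # "1,234 entries" -> 1234; missing field -> $null (not a cast error).
    $digits = $Text -replace '[^\d]'
    if ($digits) { [int]$digits } else { $null }
}

function Get-ExpensiveSearches {
    param([int]$Hours = 1)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 1644
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        if (-not $e.Message) { continue }
        # Pull "Label: value" lines out of the event text.
        $fields = @{}
        foreach ($m in [regex]::Matches($e.Message, '(?m)^\s*([A-Za-z ]+):\s*(.*?)\s*$')) {
            $fields[$m.Groups[1].Value.Trim()] = $m.Groups[2].Value
        }
        $filter = $fields['Filter']
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Client   = $fields['Client']
            BaseDN   = $fields['Starting node']
            Filter   = $filter
            Visited  = ConvertTo-IntOrNull $fields['Visited entries']
            Returned = ConvertTo-IntOrNull $fields['Returned entries']
            # Joe's point: a filter that only tests objectClass (not indexed by
            # default) walks the whole scope. objectCategory is indexed, so the
            # usual rewrite is (&(objectCategory=person)(objectClass=user)).
            UnindexedObjectClass = ($filter -match 'objectClass' -and $filter -notmatch 'objectCategory')
        }
    }
}

# Usage in a test window:
# Enable-ExpensiveSearchLogging -ExpensiveThreshold 1   # log almost everything
# ... reproduce the slow web-app query ...
# Get-ExpensiveSearches -Hours 1 | Sort-Object Visited -Descending | Format-Table -AutoSize
# Disable-ExpensiveSearchLogging
```

The Visited/Returned ratio is the number to watch: Joe's "58 of 63" is fine, while thousands visited for a handful returned is the walk-the-whole-naming-context pattern that shows up as disk reads on the DIT drive.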
[ActiveDir] question regarding Tony's article on linked attributes
Hi,

I was just reading Tony's article (http://www.activedir.org/article.aspx?aid=92) on linked attributes, and encountered something that I wondered about. This section, "Why have linked attributes?", says:

"I haven't seen an official explanation, but I can think of two reasons why they would be useful. The first is consistency. By storing one half of the link only in the directory database, it ensures that queries for the back link attribute values are always consistent with the information stored in the forward link. The second reason is that it is an efficient means of storage in the directory database and keeps the space used to a minimum."

My guess would be that the primary function of back links is to enable efficient backward lookups: of which groups is this user a member? Secondly, the quote suggests that the backlinks are not stored in the database. I'd think they are stored there, because it would be pretty hard/inefficient to calculate them on the fly, but that they are not replicated.

Anybody care to comment?

--
Cheers, Willem.
[ActiveDir] GPO deployment limit
I'm wanting to deploy an MSI (Office Communicator) to 100% of the desktops in our domain. These desktops are scattered across the world over various WAN links. I'd like to deploy it with a GPO (assign the software, not force the install), but I also don't want to kill our WAN links. Is there any way to limit the number of concurrent deployments of a software package assigned to 9500+ users? Or is the right answer to use DFS so they don't all pull from the central fileserver?

Thanks

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] Another GPO question
If I assign a software GPO to all users (Domain Users), how do I ensure that if one of those users is in the IT department, they won't unknowingly push the Office Communicator installation to every server in our server room?
[ActiveDir] Is this like AD blog season or what?
Active Directory Discussion : Introducing the Active Directory Discussion Blog: http://blogs.technet.com/ad/archive/2006/06/09/434604.aspx

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
The SBS product team wants to hear from you: http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx
RE: [ActiveDir] GPO deployment limit
Russ-

The right answer with Software Installation is pretty much to always use DFS. That way, if the package ever has to physically move off of a server, the path doesn't have to change. Path changes aren't supported in GPSI without a re-install. So, to answer your question, yes, I would use DFS to distribute the package. There is no way to control the deployment rate, unfortunately, unless you artificially do it using something like security filters--where you gradually add regional-based groups to the security filter on the GPO as the previous groups deploy the package.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO tips, tools and whitepapers. Also check out the Windows Group Policy Guide, a soup-to-nuts resource for Group Policy information.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, June 09, 2006 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO deployment limit
RE: [ActiveDir] WMI Filter
Yes, definitely true. Win2K is blind to WMI Filters...

Darren
Darren Mar-Elia

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 09, 2006 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WMI Filter
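An added example, not from the thread: a PowerShell check that evaluates a GPO WMI filter's WQL on a client the same way the Group Policy engine does (the filter passes when the query returns at least one instance), and puts the posted Caption-based filter next to one keyed on Win32_OperatingSystem.ProductType, where 1 is a workstation, 2 a domain controller and 3 a member server. It assumes Windows PowerShell 3 or later on the client under test; the function names are mine.

```powershell
# Added example (not from the thread): evaluate a GPO WMI filter locally and
# compare the Caption-based query with a ProductType-based one.
# Assumes Windows PowerShell 3+ (Get-CimInstance) on the client under test.

# The filter exactly as posted in the thread.
$captionFilter = 'SELECT * FROM Win32_OperatingSystem WHERE Caption = "Microsoft Windows XP Professional" OR Caption = "Microsoft Windows 2000 Professional"'

# ProductType does not change with edition, service pack or display language.
# Caption is localized, so a French install never matches the English string,
# and every new edition name would need adding to the Caption list.
$workstationFilter = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'

function Test-WmiFilter {
    param([Parameter(Mandatory)][string]$Query)
    # A GPO WMI filter "passes" when the query returns one or more instances.
    $hit = Get-CimInstance -Query $Query -ErrorAction Stop
    return [bool]($hit | Measure-Object).Count
}

function Get-WmiFilterVerdict {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Caption          = $os.Caption
        Version          = $os.Version
        ProductType      = $os.ProductType
        CaptionFilterHit = Test-WmiFilter $captionFilter
        WorkstationHit   = Test-WmiFilter $workstationFilter
        # Windows 2000 (kernel 5.0) never evaluates WMI filters at all, so a
        # filtered GPO applies there whatever the query says. That, not the
        # query text, is why the 2000 Advanced Server boxes picked up the policy.
        FilterEvaluated  = -not $os.Version.StartsWith('5.0')
    }
}

Get-WmiFilterVerdict | Format-List
```

On any client that does evaluate filters, the ProductType query is the one that keeps servers out regardless of what the OS calls itself; for the Windows 2000 machines the only options are to move them out of the GPO's scope (OU or security filtering), since the filter is never consulted there.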
RE: [ActiveDir] Another GPO question
First, I wouldn't use such a wide-open group as Domain Users to target your install. If you do, then you pick up a lot of unwilling victims. I would try creating a special group just for this deployment and use that to security filter either the GPO or the individual app. But, if you need to use Domain Users or just in general want to exclude the install from servers, then there's probably a couple of ways to skin it. You could put all your admins into a special Admin Group and then set a Deny ACE on that GPO or package for that group. The Deny would take precedence over the Allow of the Domain Users. Or, you can enable loopback on all your servers, in replace mode, and control user policy from the computer GPOs that apply to those servers. In this scenario, any user policies (like software installation) would be ignored when those admins logged into those servers.

Darren
Darren Mar-Elia

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, June 09, 2006 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Another GPO question
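As an added example (not from the thread), here are Darren's first and third options wired up with the GroupPolicy module that ships with RSAT on Windows Server 2008 R2 and later: a purpose-built security-filter group in place of Domain Users, and loopback processing in replace mode on the servers' computer GPO. The GPO and group names are made up for the example.

```powershell
# Added example (not from the thread): security-filter the deployment GPO to a
# dedicated group, and switch servers to loopback replace so user-side
# Software Installation never fires on them.
# Assumes the GroupPolicy module (RSAT / Windows Server 2008 R2+).
Import-Module GroupPolicy

$deployGpo   = 'Deploy Office Communicator'   # assumed: GPO carrying the GPSI package
$deployGroup = 'SW-OfficeCommunicator'        # assumed: the users who should get it
$serverGpo   = 'Servers - Loopback Replace'   # assumed: computer GPO linked at the server OU(s)

function Set-DeploymentSecurityFilter {
    # Option 1: target a purpose-built group instead of Domain Users.
    # Authenticated Users keeps Read (the GPO still has to be readable to be
    # processed) but loses Apply; -Replace is what actually lowers the level.
    Set-GPPermission -Name $deployGpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $deployGpo -TargetName $deployGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
    Get-GPPermission -Name $deployGpo -All | Select-Object Trustee, Permission
}

function Enable-ServerLoopbackReplace {
    # Option 3: loopback in replace mode on the servers' computer GPO.
    # UserPolicyMode 2 = Replace (1 = Merge): the user's own GPOs, including
    # any user-assigned Software Installation, are ignored when logging on here.
    Set-GPRegistryValue -Name $serverGpo `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
    Get-GPRegistryValue -Name $serverGpo `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
}

Set-DeploymentSecurityFilter
Enable-ServerLoopbackReplace
```

Darren's second option, a Deny ACE for an admin group, is not something Set-GPPermission can express (it only sets Allow levels); it has to be done on the GPO's ACL in GPMC, and the same is true of the per-package ACL inside the GPO.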
[ActiveDir] Password Policy change
Hello,

When the default domain controller policy is changed in respect to password complexity, length, etc., how long is it before the change takes effect? We have an automated system that is trying to change passwords but is getting bounced back that the password doesn't meet complexity. I changed the policy about 45 minutes ago and it has propagated to all DCs. Any info would be appreciated.

Christopher Flesher
The University of Chicago
NSIT/DCS
(773)-834-8477
Re: [ActiveDir] question regarding Tony's article on linked attributes
It is 1/2 a dozen of one, 1/2 a dozen of the other ... We store forward links, but AD defines a table, with indices, such that we have an efficient way to look up backlinks for a given object. Don't have time right now to show you what I mean, but my Daddy says there are 24 usable hours in the day, so maybe at 3 AM ...

Cheers,
BrettSh

On Fri, 9 Jun 2006, Willem Kasdorp wrote:
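An added example, not from the thread, that makes the forward-link/back-link split visible in a lab domain: the group's member attribute is the forward link you write and that replicates; the user's memberOf is the back link the DSA maintains from it, which you cannot write and which carries no replication metadata. It assumes the ActiveDirectory module on a Windows Server 2012 or later DC (Get-ADReplicationAttributeMetadata); the group and user names are made up for the lab.

```powershell
# Added example (not from the thread): forward link vs back link, shown on a
# throwaway group and user in a lab domain.
# Assumes the ActiveDirectory module on a Windows Server 2012+ DC.
Import-Module ActiveDirectory

$groupName = 'lab-linktest-grp'   # assumed lab object
$userName  = 'lab.linktest'       # assumed lab object
$dc        = (Get-ADDomainController -Discover).HostName | Select-Object -First 1

function New-LinkTestObjects {
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
    }
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$userName'")) {
        New-ADUser -Name $userName -SamAccountName $userName -Enabled $false
    }
}

function Test-BackLinkIsReadOnly {
    # Writing the back link directly is rejected: memberOf is derived from
    # "member" by the DSA, not set by clients.
    $groupDn = (Get-ADGroup $groupName).DistinguishedName
    try {
        Set-ADUser -Identity $userName -Add @{ memberOf = $groupDn } -ErrorAction Stop
        return $false
    } catch {
        return $true   # expected: the server refuses the write
    }
}

function Show-LinkPair {
    # Write the forward link (member on the group) ...
    Add-ADGroupMember -Identity $groupName -Members $userName
    $user  = Get-ADUser  $userName  -Properties memberOf
    $group = Get-ADGroup $groupName -Properties member

    # ... and the back link on the user is immediately visible, with no
    # separate write having happened on the user object.
    [pscustomobject]@{
        ForwardLink_member = $group.member
        BackLink_memberOf  = $user.memberOf
        # Replication metadata exists only for the forward link: "member" on
        # the group has a version and originating DSA; "memberOf" on the user
        # has no entry at all, because back links are never replicated.
        MemberMetadataVersion  = (Get-ADReplicationAttributeMetadata -Object $group -Server $dc -ShowAllLinkedValues |
                                  Where-Object AttributeName -eq 'member' | Select-Object -First 1).Version
        MemberOfMetadataCount  = @(Get-ADReplicationAttributeMetadata -Object $user -Server $dc |
                                  Where-Object AttributeName -eq 'memberOf').Count
    }
}

New-LinkTestObjects
Test-BackLinkIsReadOnly
Show-LinkPair
```

This is the behaviour Willem guessed at and Brett confirms: the back link is stored (it is indexed so the lookup is cheap), but the only replicated state is the forward link, so the two can never disagree.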
RE: [ActiveDir] Password Policy change
Password policy changes for domain user accounts can only take effect if they are linked to a GPO at the domain level. I have a short video training session that explains this at www.gpoguy.com/training.htm if you're interested in understanding more. So, bottom line is that if you're making password complexity changes to domain user accounts, it must be done on a GPO linked at the domain level. Since the Default DC Policy is linked at the OU level, it won't affect anything.

Darren
Darren Mar-Elia

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher
Sent: Friday, June 09, 2006 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password Policy change
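As an added example (not from the thread): a PowerShell check for Darren's point, which shows what the DCs currently enforce for domain accounts, which GPOs are linked at the domain root versus the Domain Controllers OU, and which of those GPOs actually carry password settings. It assumes the ActiveDirectory and GroupPolicy modules (RSAT / Windows Server 2008 R2 or later), and the element names it searches for in the XML GPO report are an assumption about the report format (they match the GptTmpl.inf [System Access] key names).

```powershell
# Added example (not from the thread): where does the domain password policy
# come from? Assumes the ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$domain = Get-ADDomain
$dcOuDn = "OU=Domain Controllers,$($domain.DistinguishedName)"

# Password-policy keys as written in GptTmpl.inf [System Access]; assumed to
# appear as <Name> values in the XML report produced by Get-GPOReport.
$pwdKeys = 'MinimumPasswordLength', 'PasswordComplexity', 'PasswordHistorySize',
           'MaximumPasswordAge', 'MinimumPasswordAge', 'ClearTextPassword'

function Get-PasswordPolicySource {
    # 1. What the DCs enforce right now for domain accounts.
    $effective = Get-ADDefaultDomainPasswordPolicy

    # 2. Which GPOs are linked where. Only links at the domain root feed the
    #    domain account policy; a GPO linked at the Domain Controllers OU (the
    #    Default Domain Controllers Policy) governs the DCs' local settings only.
    $links = foreach ($scope in $domain.DistinguishedName, $dcOuDn) {
        foreach ($l in (Get-GPInheritance -Target $scope).GpoLinks) {
            $xml = Get-GPOReport -Guid $l.GpoId -ReportType Xml
            [pscustomobject]@{
                LinkedAt             = $scope
                Gpo                  = $l.DisplayName
                Enabled              = $l.Enabled
                Enforced             = $l.Enforced
                Order                = $l.Order
                SetsPasswordSettings = @($pwdKeys | Where-Object { $xml -match "<Name>$_</Name>" }).Count -gt 0
                AffectsDomainUsers   = ($scope -eq $domain.DistinguishedName)
            }
        }
    }

    [pscustomobject]@{
        EffectivePolicy = $effective
        Links           = $links
        # On Windows Server 2008+ domains a Password Settings Object applied to
        # the account overrides the GPO-derived policy entirely, so check for
        # those too (empty on a 2003-level domain).
        PSOs            = @(Get-ADFineGrainedPasswordPolicy -Filter * -ErrorAction SilentlyContinue)
    }
}

$r = Get-PasswordPolicySource
$r.EffectivePolicy | Format-List MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge
$r.Links | Format-Table -AutoSize
```

In Chris's situation the output would show the edited GPO with SetsPasswordSettings = True but AffectsDomainUsers = False, while EffectivePolicy still reflects whatever is linked at the domain root, which is why the automated password changes keep bouncing no matter how long replication is given.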
RE: [ActiveDir] GPO deployment limit
Are you saying that if I deployed an MSI to a bunch of users from a single fileshare and later get rid of that share, all those users' GPO-installed apps are going to break even though they completely have the software installed?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, June 09, 2006 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO deployment limit
RE: [ActiveDir] Another GPO question
One more question - if you assign a software package to users, does it push to their PC when they login next or when they click Add in Add/Remove Programs?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, June 09, 2006 3:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Another GPO question

First I wouldn't use such a wide-open group as Domain Users to target your install. If you do, then you pick up a lot of unwilling victims. I would try creating a special group just for this deployment and use that to security filter either the GPO or the individual app. But, if you need to use Domain Users or just in general want to exclude the install from servers, then there's probably a couple of ways to skin it. You could put all your admins into a special Admin Group and then set a Deny ACE on that GPO or package for that group. The Deny would take precedence over the Allow of the Domain Users. Or, you can enable loopback on all your servers, in replace mode, and control user policy from the computer GPOs that apply to those servers. In this scenario, any user policies (like software installation) would be ignored when those admins logged into those servers.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO tips, tools and whitepapers. Also check out the Windows Group Policy Guide, a soup-to-nuts resource for Group Policy information.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, June 09, 2006 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Another GPO question

If I assign a software GPO to all users (Domain Users), how do I ensure that if one of those users is in the IT department, they won't unknowingly push the Office Communicator installation to every server in our server room?
RE: [ActiveDir] GPO deployment limit
Generally speaking, no, they won't break. It gets a little complicated. Let's say that the application is a single MSI with embedded files. That MSI gets cached on the workstation during install. So if, for example, the app needs to be repaired or removed, then it will find that cached MSI and life is good. Where it gets tricky is when the app is composed of an MSI and separate CAB files. If those files go away (on the server) and the app needs to reference them, then you get that annoying dialog about having to enter the path to the install files.

What I was referring to below is, if you need to move a package from one server to another and still want that GPO application relationship to be maintained on the workstation, that process of moving the package, and then having to create a new GPO package, will typically trigger a reinstall on the client, to re-establish that relationship between client and GPO.

Hope that helps.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO tips, tools and whitepapers. Also check out the Windows Group Policy Guide, a soup-to-nuts resource for Group Policy information.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, June 09, 2006 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO deployment limit

Are you saying that if I deployed an MSI to a bunch of users from a single fileshare and later get rid of that share, all those users' GPO-installed apps are going to break even though they completely have the software installed?
RE: [ActiveDir] Another GPO question
Well, both really. If you User Assign an application, it can be installed at logon or just advertised (i.e. install on first use). It will also appear in ARP unless you check the box for it to not appear.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO tips, tools and whitepapers. Also check out the Windows Group Policy Guide, a soup-to-nuts resource for Group Policy information.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, June 09, 2006 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Another GPO question

One more question - if you assign a software package to users, does it push to their PC when they login next or when they click Add in Add/Remove Programs?
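As an added example (not code from the list, Darren's or anyone else's), the two pieces of advice in the GPO threads above scripted with the RSAT GroupPolicy module: the phased rollout, where regional groups are granted Apply on the deployment GPO one wave at a time so the WAN links are not all hit at once, and loopback processing in Replace mode on the server GPO so a user-assigned package never lands on servers when an admin logs on. GPO and group names are constructed placeholders; the Deny ACE alternative is not exposed by Set-GPPermission, so loopback is the one scripted here.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module (RSAT) and rights to
# edit the GPOs named below. GPO and group names are constructed placeholders.
Import-Module GroupPolicy

$DeployGpo  = 'Deploy Office Communicator'   # user-assigned Software Installation GPO
$ServerGpo  = 'Server Baseline'              # computer GPO linked to the servers OU
$WaveGroups = @('GPO-OCS-Wave1-HQ', 'GPO-OCS-Wave2-EMEA', 'GPO-OCS-Wave3-APAC')  # ordered

function Get-GpoApplyTrustees {
    param([Parameter(Mandatory)] [string] $GpoName)
    # Trustees that currently hold Read+Apply on the GPO, without any DOMAIN\ prefix.
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { ($_.Trustee.Name -split '\\')[-1] }
}

function Initialize-GpoSecurityFiltering {
    param([Parameter(Mandatory)] [string] $GpoName)
    # Take Authenticated Users out of Apply so nobody receives the package until a wave is
    # added. Computers still need Read on a user GPO (MS16-072 behaviour), so grant that.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel None | Out-Null
    Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
        -PermissionLevel GpoRead | Out-Null
}

function Add-GpoDeploymentWave {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $GpoName,
        [Parameter(Mandatory)] [string[]] $Waves    # ordered; each run releases the next wave
    )
    $applied = @(Get-GpoApplyTrustees -GpoName $GpoName)
    $next = $Waves | Where-Object { $applied -notcontains $_ } | Select-Object -First 1
    if (-not $next) { Write-Verbose 'Every wave already has Apply; nothing to do.'; return $null }
    if ($PSCmdlet.ShouldProcess($GpoName, "grant Read+Apply to $next")) {
        Set-GPPermission -Name $GpoName -TargetName $next -TargetType Group `
            -PermissionLevel GpoApply | Out-Null
    }
    return $next
}

function Enable-ServerLoopbackReplace {
    param([Parameter(Mandatory)] [string] $GpoName)
    # UserPolicyMode 2 = Replace: user settings for anyone logging on to these servers come
    # only from the computer-side GPOs, so user-assigned Software Installation is ignored.
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
}

# First run only: switch the GPO to explicit security filtering.
if ((Get-GpoApplyTrustees -GpoName $DeployGpo) -contains 'Authenticated Users') {
    Initialize-GpoSecurityFiltering -GpoName $DeployGpo
}
# One wave per run; confirm the previous wave has pulled the package before the next run.
$wave = Add-GpoDeploymentWave -GpoName $DeployGpo -Waves $WaveGroups -Verbose
if ($wave) { "Wave '$wave' now receives the package." }
Enable-ServerLoopbackReplace -GpoName $ServerGpo
```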
RE: RE : RE: [ActiveDir] AD LDAP Logging.
You can use SPA, or you can use logman and tracerpt to get detailed LDAP stats. SPA does a lot of analysis for you and diagnoses several classes of AD perf problems. Tracerpt will give you a fairly raw look at all the LDAP traffic. I covered all three in my DEC AD Performance session (which I didn't actually deliver at DEC :). It's available on the NetPro website at http://www.netpro.com/community/medialibrary.cfm.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Friday, June 09, 2006 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE : RE: [ActiveDir] AD LDAP Logging.

It is true that SPA is not localized but I believe the French version will be ok. The problem comes about with the localization of the perfmon data. If you have problems post back and we can try a few workarounds, because we are only really interested in the trace data at this point, which should not be impacted.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 11:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] AD LDAP Logging.

Thank you for your answer Steve. I will install SPA on Monday and see if I can log some LDAP activities (errors, connection problems, etc...). Will this version of SPA work on a W2K3 SP1 French version?

Regards,
Yann

Steve Linehan [EMAIL PROTECTED] wrote:

I would suggest taking a look at Server Performance Advisor (SPA), assuming these are Windows Server 2003 DCs, and using it to collect and analyze the data for the DCs in question. This tool combines performance counters and the tracing data that Joe is referring to, which will allow you to get very detailed information on what is occurring. This tool will give you a peek into the new performance and monitoring capabilities that we are adding into the next versions of the OS. It will also give you hints on what we believe the performance problems are.

One of these days when I get a chance I will try to write a blog entry on all of the things you can do with SPA. By the way, it also collects information for other server roles as well, such as IIS, giving you tremendous amounts of detail found nowhere else. Yes, event tracing is the future of not only performance monitoring but debugging difficult issues. You can download SPA from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=09115420-8c9d-46b9-a9a5-9bffcd237da2&DisplayLang=en

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, June 09, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD LDAP Logging.

Unfortunately the logging is very basic; it will not log LDAP errors from anything I have seen. This is something I have asked for from MSFT as well, very detailed LDAP logging like you can enable with some of the other directories. Usually I hear a response of "use event tracing" but I haven't had a chance to really dig deep into that yet to see how useful it will be. It depends on the code that is displaying the error messages, but possibly a query timed out? That could be indicative of a very poor query. By default, if a query goes more than 2 minutes, it will get dropped.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] AD LDAP Logging.

Good point Joe. I will use perfmon to monitor the health of my DC. Another question. The web app timed out with this generic error "the serveur is down", where "the server" = mydc. At the time the web app timed out, I saw no errors about LDAP connections between my DC and the Zope server. With the Field Engineering set to 5, and if the web app timed out, will an LDAP error appear in my event logs that states a disconnection occurred?

Thanks for taking time to reply,
Cheers,
Yann

----- Original Message -----
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, 9 June 2006, 2:25:26
Subject: RE: [ActiveDir] AD LDAP Logging.

When you change that threshold you are specifying how expensive you want the query to be before AD reports it. Changing "Expensive" to 1, according to the docs, means that as soon as a query has to look at one or more entries it will be logged. So when you turn down that value, you are telling it to log pretty much everything. That being said, unless you
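As an added example (not code from the thread or from any of its authors), the Field Engineering logging Yann and joe discuss, scripted end to end: it enables NTDS event 1644 for expensive and inefficient LDAP searches, sets the two thresholds so the log is not flooded (joe's "Expensive = 1 logs everything" case), and parses the fields out of the resulting events. Registry locations are the documented NTDS ones; the threshold values, the sample event and the 1644 field labels (as worded on 2008 R2 and later) are assumptions to adjust for your build.

```powershell
# Added example, not from the thread. Run the Enable/Get functions elevated on a DC;
# the parser at the bottom runs anywhere against the constructed sample event.
$DiagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$ParamKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-LdapSearchLogging {
    param(
        [int] $ExpensiveThreshold   = 10000,  # entries a search may visit before it is "expensive"
        [int] $InefficientThreshold = 1000    # visited entries above which a <10% hit rate is "inefficient"
    )
    # joe's point: Expensive = 1 logs nearly every search. Keep the thresholds high enough
    # that 1644 fires only for the queries worth a look. 5 = log each such search.
    Set-ItemProperty -Path $DiagKey -Name '15 Field Engineering' -Value 5 -Type DWord
    New-ItemProperty -Path $ParamKey -Name 'Expensive Search Results Threshold' `
        -PropertyType DWord -Value $ExpensiveThreshold -Force | Out-Null
    New-ItemProperty -Path $ParamKey -Name 'Inefficient Search Results Threshold' `
        -PropertyType DWord -Value $InefficientThreshold -Force | Out-Null
}

function Disable-LdapSearchLogging {
    Set-ItemProperty -Path $DiagKey -Name '15 Field Engineering' -Value 0 -Type DWord
}

function ConvertFrom-LdapSearchEvent {
    # Field labels are an assumption (1644 text on 2008 R2 and later); adjust if yours differ.
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Message)
    process {
        $field = { param($label) if ($Message -match "(?m)^$label\s*:\s*(.+?)\s*`$") { $Matches[1] } }
        $visited  = [int](& $field 'Visited entries')
        $returned = [int](& $field 'Returned entries')
        [pscustomobject]@{
            Client      = & $field 'Client'
            BaseDN      = & $field 'Starting node'
            Filter      = & $field 'Filter'
            Scope       = & $field 'Search scope'
            Visited     = $visited
            Returned    = $returned
            # The inefficient rule: many entries touched, fewer than 10% of them returned.
            Inefficient = ($visited -gt 0) -and ($returned -lt ($visited / 10))
        }
    }
}

function Get-LdapSearchEvents {
    param([datetime] $Since = (Get-Date).AddHours(-1), [int] $Max = 200)
    # 1644 carries the client, base DN, filter and visited/returned counts, which the
    # default LDAP logging never tells you.
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644; StartTime = $Since } `
        -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            ConvertFrom-LdapSearchEvent -Message $_.Message |
                Add-Member -NotePropertyName Time -NotePropertyValue $_.TimeCreated -PassThru
        }
}

# Constructed sample of a 1644 message, so the parser can be exercised off a DC.
$Sample1644 = @'
Internal event: A client issued a search operation with the following options.
Client: 10.1.2.3:51234
Starting node: DC=corp,DC=example
Filter: (&(objectClass=user)(mail=*))
Search scope: subtree
Visited entries: 48211
Returned entries: 3
'@

ConvertFrom-LdapSearchEvent -Message $Sample1644 | Format-List
# 48211 visited for 3 returned is flagged Inefficient: the shape of query that ends in
# the 2-minute timeout joe mentions.
```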
RE: [ActiveDir] WMI Filter
That is correct. XP and newer only.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Friday, June 09, 2006 1:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WMI Filter

I thought WMI filters could only be evaluated by XP or 2003? 2000 and NT will ignore the filter and apply.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 09, 2006 10:55
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WMI Filter

I think I did something wrong... I was using this WMI filter on a GPO:

select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional" OR Caption = "Microsoft Windows 2000 Professional"

I was doing this to keep this GPO from applying to server operating systems, and when I tested it with Windows 2003 and XP and 2000 Pro, everything seemed to be fine. Well, I just tested it with a couple of 2000 Advanced Server boxes and the policy is applying. Did I do something wrong with the filter? Is Caption not the best method to filter by OS?

Thanks,
Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573

ITS ENTERPRISE SERVICES EMAIL NOTICE: The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
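As an added example (not code from the thread), the decision each client makes for a WMI-filtered GPO, walked over a constructed inventory that mirrors Justin's test machines, together with a filter on ProductType that excludes every server edition without enumerating captions. The host records are constructed sample data; the live check at the end needs PowerShell 3 or later.

```powershell
# Added example, not from the list thread. A WMI filter is evaluated by the client, and only
# by XP / 2003 and later; Windows 2000 and NT clients skip the filter and apply the GPO anyway.
# Win32_OperatingSystem.ProductType is 1 = workstation, 2 = domain controller, 3 = member
# server, so filtering on it excludes all server editions regardless of Caption.

# WQL to paste into the GPMC WMI filter (namespace root\CIMv2).
$WorkstationWql = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'
# The same predicate as a scriptblock, used for the offline walk-through below.
$WorkstationPredicate = { $_.ProductType -eq 1 }

# Constructed inventory; the fields are what Win32_OperatingSystem reports on each OS.
$Inventory = @(
    [pscustomobject]@{ Name = 'ws01';  Caption = 'Microsoft Windows XP Professional';      Version = '5.1.2600'; ProductType = 1 }
    [pscustomobject]@{ Name = 'ws02';  Caption = 'Microsoft Windows 2000 Professional';    Version = '5.0.2195'; ProductType = 1 }
    [pscustomobject]@{ Name = 'srv01'; Caption = 'Microsoft Windows Server 2003';          Version = '5.2.3790'; ProductType = 3 }
    [pscustomobject]@{ Name = 'srv02'; Caption = 'Microsoft Windows 2000 Advanced Server'; Version = '5.0.2195'; ProductType = 3 }
    [pscustomobject]@{ Name = 'dc01';  Caption = 'Microsoft Windows Server 2003';          Version = '5.2.3790'; ProductType = 2 }
)

function Get-WmiFilterOutcome {
    param(
        [Parameter(Mandatory)] [object[]]    $Hosts,
        [Parameter(Mandatory)] [scriptblock] $Filter
    )
    foreach ($h in $Hosts) {
        # NT 5.0 (Windows 2000) and earlier never run the filter at all.
        $evaluates = [version]$h.Version -ge [version]'5.1'
        $match = if ($evaluates) { @($h | Where-Object $Filter).Count -gt 0 } else { $null }
        [pscustomobject]@{
            Name            = $h.Name
            Caption         = $h.Caption
            FilterEvaluated = $evaluates
            FilterMatch     = $match
            GpoApplies      = (-not $evaluates) -or $match
        }
    }
}

Get-WmiFilterOutcome -Hosts $Inventory -Filter $WorkstationPredicate | Format-Table -AutoSize
# ws01 and ws02 get the GPO; srv01 and dc01 are filtered out; srv02 (2000 Advanced Server)
# still gets it because it never evaluates the filter, which is what Justin observed.
# Keeping such hosts out of the GPO means linking it elsewhere or filtering by group, not WQL.

function Test-WmiFilterLocally {
    # Live check on the machine this runs on: $true means the filter would pass here.
    param([Parameter(Mandatory)] [string] $Wql)
    @(Get-CimInstance -Query $Wql).Count -gt 0
}
```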
RE: [ActiveDir] GPO deployment limit
What you need to do is get your file servers at strategic points on your WAN (hub, edges, etc) set up and use DFSR to replicate the MSI. Then you can deploy the MSI from the DFS path and your clients will use the local copy.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, June 09, 2006 2:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO deployment limit

I'm wanting to deploy an MSI (Office Communicator) to 100% of the desktops in our domain. These desktops are scattered across the world over various WAN links. I'd like to deploy it with a GPO (assign the software, not force the install), but I also don't want to kill our WAN links. Is there any way to limit the number of concurrent deployments of a software package assigned to 9500+ users? Or is the right answer to use DFS so they don't all pull from the central fileserver?

Thanks
Re: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1
And when you put ISA on a DC... we prob go into negative layers... ;-)

Brian Desmond wrote:

When I think of a firewall I think of a layer 4 contraption. Layer 7 is like putting ISA or something on the box.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, June 09, 2006 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

Interesting. I'm fascinated by the architecture. FWIW, I was hinting around at layer-7 firewalls being a better choice than a traditional ACL on a router or a port-forwarding type of firewall. Firewall technology gives fine control, but it also opens Pandora's box in terms of support, coordination, etc. It also doesn't do anything for application layer attacks because for that only one port is needed. The downside is that layer-7 firewalls have a hard time reaching line speed due to the amount of work and analysis they do. You almost need a grid cluster to power such a thing. :)

Thanks for the responses. It's helpful to me at least.

Al

On 6/9/06, Clay, Justin (ITS) [EMAIL PROTECTED] wrote:

Sorry for the mega-delay in responding to my own thread, I've been sick! I don't control our firewalls at all, but my understanding is that this firewall is there for the exact reasons that Brian described. It's especially important to us to separate the clients from the servers and DCs in this case because all of the PCs in this forest are public-facing (Public Library, Public Parks, etc).

I believe we're either going to go with the method that Brian is using, or they might possibly use the application-level (I think that's the term they use) filtering, where, as I understand it, the Checkpoint firewall would dynamically open the high ports based on information it received by looking inside the RPC packets and determining which high port the DC is telling the client to connect on. I think there's a lot more overhead with this method, but it seems like something our firewall guys would like to at least try.

As to some of the earlier questions, our firewall guys only opened such a large range for me so quickly so that the problem would go away while we researched a more secure solution. It's amazing what they'll do when they have the director of the Nashville Public Libraries on the phone yelling at them.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, June 08, 2006 11:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

Yes. It isolates different applications and tiers. One of the big isolation issues is in-house managed vs vendor managed stuff. Database tier vs app tier vs web tier. Web shouldn't be able to talk to database at all, generally. Your HR database should not be in a subnet that a vendor with TS access to another DB server has access to, and so forth.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, June 08, 2006 7:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

Interesting. So, more or less, the firewall between tiers is more of a control mechanism? i.e. you can impose fine control over new applications that should be there, while preventing malicious applications from running amok on the network at the high port ranges? Rather, you either use the proposed ports, else take your packets and go home? Or am I missing the idea of putting the FWs in between the tiers? Does this provide you much benefit? What's been the trade-off?

On 6/7/06, Brian Desmond [EMAIL PROTECTED] wrote:

I haven't really read this thread thru (too busy) but I think I have the gist of it. I'll generally throw a firewall between each of my server tiers (some sort of trunked interface of course) and then of course between my clients and these tiers. I'm not about to open TCP 1024-65535 between clients and the servers, might as well just put an any rule in. Weird stuff that's not belonging on a box has a habit of running on weird high range ports anyway, this is just conducive to it.

I guess I also have the very large enterprise datacenter network model of subnet for each little item
RE: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1
No, that's a layer 8 issue - operator error.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, June 09, 2006 7:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

And when you put ISA on a DC... we prob go into negative layers... ;-)
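As an added example (not code from the thread or from any of its authors), the DC-side half of the problem this thread circles around: the dynamic RPC ports a DC hands out through the endpoint mapper, which either get a TCP 1024-65535 hole between clients and servers or a firewall that has to read the endpoint-mapper replies. Pinning the range on the DC lets the client-to-DC rule be a small fixed range plus TCP 135. The registry locations are the documented ones (KB154596 for the RPC range, KB224196 for the fixed NTDS port); the port numbers are constructed sample values, and the ranges should be agreed with whoever owns the other RPC services on the box before rollout.

```powershell
# Added example, not from the thread. Run elevated on each DC; the change takes effect after
# a reboot. Port numbers below are constructed sample values.
$RpcKey  = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$NtdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-DcRpcPortRange {
    # Read back what is configured so the firewall rule can be written (and audited) from it.
    $rpc  = Get-ItemProperty -Path $RpcKey  -ErrorAction SilentlyContinue
    $ntds = Get-ItemProperty -Path $NtdsKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DynamicPorts  = if ($rpc -and $rpc.Ports) { $rpc.Ports -join ',' } else { '(OS default)' }
        Pinned        = ($rpc.UseInternetPorts -eq 'Y' -and $rpc.PortsInternetAvailable -eq 'Y')
        NtdsFixedPort = if ($ntds.'TCP/IP Port') { $ntds.'TCP/IP Port' } else { '(dynamic)' }
    }
}

function Set-DcRpcPortRange {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [int] $Start,   # first dynamic port, e.g. 57000
        [Parameter(Mandatory)] [int] $Count,   # width of the range, e.g. 500
        [int] $NtdsPort = 0                    # optional fixed port for the NTDS (replication) RPC interface
    )
    $end = $Start + $Count - 1
    # Guard rails: stay out of the well-known range, inside 16 bits, and wide enough that the
    # DC (and every other RPC server on it) does not run out of endpoints under load.
    if ($Start -lt 1024 -or $end -gt 65535 -or $Count -lt 100) {
        throw "Range $Start-$end is unusable: keep it above 1023, below 65536 and at least 100 wide"
    }
    if ($NtdsPort -ne 0 -and $NtdsPort -ge $Start -and $NtdsPort -le $end) {
        throw "NTDS port $NtdsPort must lie outside the dynamic range $Start-$end"
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "pin RPC dynamic ports to $Start-$end")) {
        if (-not (Test-Path $RpcKey)) { New-Item -Path $RpcKey -Force | Out-Null }
        # Ports is REG_MULTI_SZ; the two Y flags turn the listed range on for dynamic endpoints.
        New-ItemProperty -Path $RpcKey -Name 'Ports' -PropertyType MultiString `
            -Value @("$Start-$end") -Force | Out-Null
        New-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -PropertyType String `
            -Value 'Y' -Force | Out-Null
        New-ItemProperty -Path $RpcKey -Name 'UseInternetPorts' -PropertyType String `
            -Value 'Y' -Force | Out-Null
        if ($NtdsPort -ne 0) {
            New-ItemProperty -Path $NtdsKey -Name 'TCP/IP Port' -PropertyType DWord `
                -Value $NtdsPort -Force | Out-Null
        }
    }
    Get-DcRpcPortRange
}

# Dry run first; drop -WhatIf to write the values. The matching client-to-DC firewall rule is
# then TCP 135 plus 57000-57499 (plus 56999 if the NTDS port is pinned) on top of the usual
# AD ports, instead of 1024-65535.
Set-DcRpcPortRange -Start 57000 -Count 500 -NtdsPort 56999 -WhatIf
```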
Re: [ActiveDir] Is this like AD blog season or what?
Not an AD blog, but I quite enjoy Raymond Chen's blog: http://blogs.msdn.com/oldnewthing/ Interesting stuff, even if you're not a Win32 API guru.

And let's not forget the blog of the SBS Diva ;-) http://msmvps.com/blogs/bradley/

On 09/06/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

Active Directory Discussion : Introducing the Active Directory Discussion Blog: http://blogs.technet.com/ad/archive/2006/06/09/434604.aspx

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not prove anything. - Nietzsche