RE: [ActiveDir] OT: Vista Activation and KMS
I have read all this, and it seems anything but straightforward to me. It looks like we are going to have to invest a lot more money in managing licenses. I could also find nothing about what happens if we need to re-install Windows. It appears we need to re-activate, and it appears as it's a new SID it will use a second license... Anyone any pointers on this?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 05 December 2006 00:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Vista Activation and KMS

Actually, it is clearly documented, along with a lot more information on KMS, MAK and Vista Volume Activation (btw, Volume Licensing doesn't exist in Vista; VL and VA are not the same things). You probably don't want to get me started on a big long explanation of how volume activation works, so I'll just point you to this site: http://www.microsoft.com/technet/windowsvista/plan/volact.mspx :-)

I highly recommend both the FAQ and the step-by-step guide. The latter provides information on how to change from KMS to MAK and vice versa (there are several ways), as well as documentation of defaults, configuration options, etc.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, December 04, 2006 2:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Vista Activation and KMS

You need to go to Control Panel System then at the bottom select Change Product Key. This will allow you to enter your VL key which will result in Vista activating via the web. Definitely not well documented unfortunately.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Monday, December 04, 2006 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Vista Activation and KMS

I was testing out the RTM of Vista Enterprise last night and noticed I didn't have to enter a key at any point during the install.

When Windows tried to activate, it told me there was a DNS error, so I suspected it looks for a local activation server by default. Sure enough, in the DNS cache was a lookup for a nonexistent _vlmcs._tcp.domain.com. Upon further research, it appears Microsoft has not released KMS yet, and I couldn't find any option to activate directly with Microsoft. For the moment, is telephone activation the only option?

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax
[ActiveDir] Group Membership Update Frequency
Hi there,

when does a server recognize that he is part of AD global Security group? Do I have to reboot every system or is there an update frequency where the server checks the AD? I need to know this because I want to use the Security Group Filtering with GPOs.

Thanks in advance
Thomas

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] Pagefile not being seen?
Thanks, Kevin. Yes, I had read that article before I posted, but it seemed that I had things set right. When I put 4096Mb pagefile on one drive, hit the set button, and reboot, coming back to the screen just before you set the pagefile on all the drives, it still says 2050 total pagefile on all drives. When I set 2048 on two different drives, then I get the correct number, 4096 total pagefile on all drives. Still a mystery. And, what's more, when I changed from 4096 on drive C to 2048 on C and another 2048 on F, it took two reboots before the total pagefile on all drives went up to 4096 as expected.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Wednesday, December 06, 2006 2:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Pagefile not being seen?

Check out this article for the Exchange memory settings. There are a few other tweaks in the registry. http://support.microsoft.com/kb/815372

Do you have any third-party apps running on your Exchange servers? I have seen memory leaks in third-party apps cause this kind of virtual memory issue.

2K3 Standard does allow 4GB on a drive. The way you have it set up with 2048 on two separate drives will give you a performance boost if they are actually separate physical disks or RAID sets.

I have typically heard 1.5 times physical for virtual, but I don't think that is as much a best practice as a general rule of thumb. Depending on circumstances I have certainly set it lower or higher. 4 GB virtual should certainly be enough.

Sorry for the random order of my answers. I also have trouble following directions and don't play well with others.

Hope this helps
Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Wednesday, December 06, 2006 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Pagefile not being seen?

Colleagues,

On two different Windows 2003 servers in as many weeks I have seen a popup when I logged in that says Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file. During this process, memory requests for some applications may be denied.

On one server, I had 2048 pagefile on C. On the other, I had 4096 pagefile on C, but the note at the bottom of the screen showed only 2050. Both servers have 2Gb physical RAM, and both are Exchange 2003 servers. I have now put 2048 on C: and another 2048 on F: on both servers.

So, I wonder if I have things set up right, so I have a few questions:

1. Isn't the pagefile limit in 2K3 Standard 4Gb per drive as I have read? Or is it actually 2Gb per drive?
2. With 2Gb physical RAM, isn't 4Gb pagefile the standard?
3. With the /3GB and /USERVA=3030 switches set, which is what I learned to do in class, why do I still get the Event Log error message that says The memory settings for this server are not optimal for Exchange.?

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
RE: [ActiveDir] Pagefile not being seen?
Thanks, Chuck. If I had more users on these Exchange servers, I'd buy more memory. But, there are only about 300 users on each one, so I'm thinking upping the pagefile will do the trick. But, as I wrote to Kevin, I couldn't get the total pagefile on all drives to be 4GB unless I split it up between 2 drives, which is not what I expected.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Pagefile not being seen?

It's better to use 2x installed memory for Exchange as a starting point. Splitting the page file on separate physical disks should be OK as long as it is a total of 4 GB. Depending on how much messaging activity you have you might want to bump up the memory to 4 GB and then the pagefile would need to obviously be increased substantially to about double the installed memory.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wed, 6 Dec 2006 3:31 PM
Subject: RE: [ActiveDir] Pagefile not being seen?

Check out this article for the Exchange memory settings. There are a few other tweaks in the registry. http://support.microsoft.com/kb/815372

Do you have any third-party apps running on your Exchange servers? I have seen memory leaks in third-party apps cause this kind of virtual memory issue.

2K3 Standard does allow 4GB on a drive. The way you have it set up with 2048 on two separate drives will give you a performance boost if they are actually separate physical disks or RAID sets.

I have typically heard 1.5 times physical for virtual, but I don't think that is as much a best practice as a general rule of thumb. Depending on circumstances I have certainly set it lower or higher. 4 GB virtual should certainly be enough.

Sorry for the random order of my answers. I also have trouble following directions and don't play well with others.

Hope this helps
Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Wednesday, December 06, 2006 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Pagefile not being seen?

Colleagues,

On two different Windows 2003 servers in as many weeks I have seen a popup when I logged in that says Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file. During this process, memory requests for some applications may be denied.

On one server, I had 2048 pagefile on C. On the other, I had 4096 pagefile on C, but the note at the bottom of the screen showed only 2050. Both servers have 2Gb physical RAM, and both are Exchange 2003 servers. I have now put 2048 on C: and another 2048 on F: on both servers.

So, I wonder if I have things set up right, so I have a few questions:

1. Isn't the pagefile limit in 2K3 Standard 4Gb per drive as I have read? Or is it actually 2Gb per drive?
2. With 2Gb physical RAM, isn't 4Gb pagefile the standard?
3. With the /3GB and /USERVA=3030 switches set, which is what I learned to do in class, why do I still get the Event Log error message that says The memory settings for this server are not optimal for Exchange.?

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
Re: [ActiveDir] Quest Recovery Manager
Competition benefits customers.

Martin

----- Original Message -----
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, December 06, 2006 7:46 PM
Subject: RE: [ActiveDir] Quest Recovery Manager

It gets even nuttier in competitive situations. Bring in the NetPro products for eval, and watch how fast the Quest price goes to zero. It's like the old Crazy Eddy's TV ads in New York. Of course it's free like a puppy... :)

-gil

From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 12/6/2006 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

The Quest guys told me the other day they had a lot of leeway on some pricing for one of my clients so I'm wondering if this is the end of the year for the salesmen and they need to make their year this month (if so this is an excellent time to buy Quest software)

Ha! Show me a sales person from ANY software company who doesn't get that wide-eyed, crazed, foaming-at-the-mouth look in his or her eye around quarter-end or year-end and I'll show you a sales person that is about to be fired. It's part of the game. Gotta make quota, esp. at year end, and to do that, you gotta discount! I would think most IT shops are wise to it by now. It's kind of a sick dance we all do :)

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, December 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Yeah. Sit down with your team and figure out what it is you need - must have, would like to have, and nice to have. Then, tell all the vendors you want a little webinar (they love these), and then compare your notes after each/all of them again. Rule out any ones now that don't do the trick. Then go get ready to have it shoved way up your ass when they give you the pricing.

Then you can suggest (if they haven't already) that they come discuss it in further and plan on a lunch/dinner or two on their dime while you further discuss how expensive their stuff is and what they can do for you to make it more attractive. The Quest guys told me the other day they had a lot of leeway on some pricing for one of my clients so I'm wondering if this is the end of the year for the salesmen and they need to make their year this month (if so this is an excellent time to buy Quest software).

Now that said, I've worked in a few large shops, and we haven't had any of this frilly fancy shit. It's expensive, I hate the per head/per seat/per whatever pricing, and frankly all I think it does is idiot proof what's already there. Rather than having something do it for you, why don't you learn how it does it, because then you'll be smarter, and you can go get a new better job with your new found talents.

That said there is some cool shit from Quest and NetIQ and those guys - I'm into the change control/management stuff in shops where there are too many cooks in the kitchen. Quest's migration stuff is of course great if you can afford it.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Wednesday, December 06, 2006 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

I don't think there are many independent rankings out there. You have to figure that Windows ITPro and SearchWindows are probably the easiest sources to get access to online, but they are influenced by ad dollars sometimes. It is possible that Burton Group and possibly Gartner have done some research, but I doubt it. I know that Directions on Microsoft hasn't covered it. It is a pretty niche topic.

I think the best way to approach this is to have a good old-fashioned bake-off of the technologies. Depending how big a player you are, you can probably get Quest, NetPro, Veritas, and CommVault to step up. I would say that all the technologies are pretty stable at the moment; there isn't a lot of innovation going on anymore, so it is pretty hard to make a mistake choosing one of these products.

Todd

From: Tim Onsomu [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 2:06 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Does anybody know what independent rankings look like for AD DR tools?

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Wed 12/6/2006 9:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

shameless plug

NetPro has an AD data recovery product called RestoreADmin that competes very well with the Quest product. It solves the AD object recovery problem nicely. See
Re: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommedations?
Thanks for the advice; I really think it's more than two-cents based.

As you suggest, going the other route means getting a MAPI plugin for whatever solution, so you add another complexity layer on the setup. The only reason I might see to do something like that is price (Exchange is not a cheap beast ;)

On the bringing the thing in-house issue, the feeling is that having an MX in-house means inviting all kinds of nasties to come knocking (spammers, DOS-ers, etc) and that means additional babysitting: we don't have full-time admin staff, but rather the people in the testing dept. are the ones who run the servers. All of the technical staff are familiar with AD (after all, we sell a product that is AD-based), but messaging is another beast.

Not to talk about the data pipe needed: We get quite a lot of spam, and 10+ PPT files are not uncommon ;) At the moment, if the DSL goes down, the problem is we can't get our mail, but at least we don't lose any...

I might be able to sell a setup with an entry point (including spam filtering) that is outside the office, and then having an in-house server.. but again the fact that over half our employees are NOT in our office makes it difficult to justify having the server in-house IMO.

Of course, the cost issue has to be taken into account: maybe an additional DSL line and a part-time admin may add up to the cost of external mailboxes...

Thanks a lot for the input, anyhow.

Javier

On 06/12/06, Dave Wade [EMAIL PROTECTED] wrote:

My two cents (these could be euro cents or dollar cents). Exchange and Outlook are designed to work together. Despite having declared MAPI dead several times Microsoft continues to enhance and expand it, for example with RPC over HTTP. I am pretty sure you will either see reduced functionality, or face additional work on the clients to install add-ins if you go with a non-Exchange based server. That is, I support your conclusion that getting the real thing is the way to go.

As for infrastructure, well I am not sure about the amount of resilience that's needed. If you set the users up to use OST files they may be able to tolerate short breaks in comms on your DSL, as they will still be able to read existing mails, compose new mails and meetings.

Perhaps now is the time to move the query to an Exchange list, there are a number of them at Yahoo. Probably :- http://groups.yahoo.com/group/exchange-2003/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: 06 December 2006 16:57
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommedations?

Hi! Thanks for the prompt reply...

As for hosted solutions, I guess that I don't much care whether the backend is Exchange, SBS or whatever the hosting company chooses to provide ;) From what I've seen (http://www.arsys.es/aplicaciones/correo-exchange.htm, http://www.acens.com/seccion.web/correo/acens-exchange/678 - yes, we are based in Spain - or http://www.mi8.com/ to show that I'm looking elsewhere) basically what you get is a web-based admin panel and a number of accounts that you configure... not too much control but good enough. Of course, I'd love to get recommendations for other providers or to be shown that not all of them are similar ;)

As for the lack of a server for 40+ users, well, that's not really true: We have an AD (2003) domain (basic setup: single forest, single domain, 2 DCs) for the users, it's just that the email is hosted on an external server, to avoid downtime and lessen the administrative load on network admin (we don't have a full time person for that).

Also, we currently have 2 main offices in Spain (connected by DSL) and people working or tele-working in the US, Mexico, Colombia, Germany and the UK (2/3 people on each place at most): I believe that creating the infrastructure (reliability-wise) to serve all those locations in-house would be a tad expensive and (I believe) not really warranted. Of course, I'd love to hear opinions either way...

As for control freak, we have a VPS so we have root on the mail server; as a matter of fact the hardest point for the internal acceptance of a hosted solution would probably be lack of root access on the email server... I agree with you that to manage that many (ok, those who manage Multi-K domains, please stop laughing) users, AD is a must. And, besides, we develop security software that runs on top of AD, so it'd be a bit odd if we didn't use our own SW ;)

In any case, I really am starting to believe that the simpler thing will be to get the real thing, so the options seem to be:

1) Get an Exchange Server in-house. But that means making sure that our DSL line doesn't go down, and having the bandwidth etc...
2) House a server on some co-lo. The comm. problems disappear, but we still have to babysit the thing...
3) Go for a hosted Exchange provider. I've
Re: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommedations?
Hi! Thanks for the input.

At the moment we're paying ~250 € for the VPS server that hosts our email, so the cost would be similar. Of course I know that a server + Exchange licenses are cheaper in the long run than the monthly cost of the service. What worries me is:

- Admin. costs: We develop security software that runs on top of AD, so all our technical staff is AD-aware (as a matter of fact, I joined the list for its AD content ;) so we don't have a dedicated admin: the staff in the testing dept. are the ones who manage our network. But we don't have messaging experience in-house, and we're worried about the things that having an MX published brings: spammers and other nasties knocking on our door, etc.
- DSL provider: We're already working with the ex-national telco; they're the ones who -the local wisdom goes- provide better service. But we have experienced downtimes every now and then. Having an external MX would be an idea :)
- Bandwidth: We have an 8mb/1Mb line. Our worry is with the outgoing leg: if the mail server is behind a 1mb line, and around half our staff is hitting it from the internet, we believe the office might end up being a bit internet-starved.

In any case, you've got me thinking on the issue :) It's not as clear-cut as I would've liked ;)

Thanks a lot for your advice.

JJ

On 06/12/06, Brian Desmond [EMAIL PROTECTED] wrote:

Well with 40 people you're paying 280 euro a month. Some quick currency conversions tells me that an Exchange server for an org your size would likely set you back between 2300 and 3000 Euro from Dell. 280 goes into 2300 8.2 times - or it will pay for itself in 9 months.

If you're already managing AD and other infrastructure, Exchange isn't going to add that much overhead. Create the mailboxes for your users, import the PSTs or whatever they have now, and make sure it's getting backed up and updated (which I'm sure you're already doing with your other servers).

Has the DSL been reliable so far? If so, then I wouldn't worry about it. If not, either get a better DSL provider or find someone to be your MX or backup MX. Regarding bandwidth, ADSL goes to 6mbps these days - what limitations are on your circuit? Outlook 2003 in cached mode doesn't chew that much.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: Wednesday, December 06, 2006 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommedations?

Hi! Thanks for the prompt reply...

As for hosted solutions, I guess that I don't much care whether the backend is Exchange, SBS or whatever the hosting company chooses to provide ;) From what I've seen (http://www.arsys.es/aplicaciones/correo-exchange.htm, http://www.acens.com/seccion.web/correo/acens-exchange/678 - yes, we are based in Spain - or http://www.mi8.com/ to show that I'm looking elsewhere) basically what you get is a web-based admin panel and a number of accounts that you configure... not too much control but good enough. Of course, I'd love to get recommendations for other providers or to be shown that not all of them are similar ;)

As for the lack of a server for 40+ users, well, that's not really true: We have an AD (2003) domain (basic setup: single forest, single domain, 2 DCs) for the users, it's just that the email is hosted on an external server, to avoid downtime and lessen the administrative load on network admin (we don't have a full time person for that).

Also, we currently have 2 main offices in Spain (connected by DSL) and people working or tele-working in the US, Mexico, Colombia, Germany and the UK (2/3 people on each place at most): I believe that creating the infrastructure (reliability-wise) to serve all those locations in-house would be a tad expensive and (I believe) not really warranted. Of course, I'd love to hear opinions either way...

As for control freak, we have a VPS so we have root on the mail server; as a matter of fact the hardest point for the internal acceptance of a hosted solution would probably be lack of root access on the email server... I agree with you that to manage that many (ok, those who manage Multi-K domains, please stop laughing) users, AD is a must. And, besides, we develop security software that runs on top of AD, so it'd be a bit odd if we didn't use our own SW ;)

In any case, I really am starting to believe that the simpler thing will be to get the real thing, so the options seem to be:

1) Get an Exchange Server in-house. But that means making sure that our DSL line doesn't go down, and having the bandwidth etc...
2) House a server on some co-lo. The comm. problems disappear, but we still have to babysit the thing...
3) Go for a hosted Exchange provider. I've seen offers on the range of ~7€/mo/user; I believe that for a limited
[ActiveDir] DFS-R Issue
All,

We have some issues where folders with DFS-R implemented have what I call relapse. Here are some symptoms.

We can add files and folders, no problem. We can change file names, no problem. When we rename folders, we have a problem - many times, the folder name reverts back to the old name. It will take us 3-5 tries before the rename takes. Sometimes, when we modify a file, later that day, the file reverts back to the original status (e.g. an Excel spreadsheet with added data). Not all our folders and files exhibit this issue.

Has anyone come across these symptoms and/or have recommendations?

Our setup has 2 sites, with a domain controller in each, Win2k3 R2, with at least 100Mb connectivity between sites. The folders replicated are about 180G of data total, but the daily changes are very minimal (my guess is 100M/day max). We don't schedule the replication due to the abundant bandwidth. Actually, we do schedule one folder to replicate at night because that folder has been giving me the most issues. Since I have changed from instant replication to a scheduled replication at night, the problem seems to have been alleviated. However, all the other folders require immediate replication.

Thank you!

Steve Comeau
IT Manager
Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com
[ActiveDir] OT: SpecOps GPUPDATE tool
Hi

Has anyone used the WoL feature of this tool? If so, can you let me know of any issues that you came across please?

We are currently only interested in the Shutdown/WoL feature, and would be interested to know how it obtains the MAC addresses required and the method of transmission of the wake up packet across the subnets - to keep our active network team happy. They had a recent incident with a Ghost server and they're a bit edgy. :)

Cheers
Danny
RE: [ActiveDir] OT: SpecOps GPUPDATE tool
I would expect specops to provide that info, if I were in your position.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: 07 December 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SpecOps GPUPDATE tool

Hi

Has anyone used the WoL feature of this tool? If so, can you let me know of any issues that you came across please?

We are currently only interested in the Shutdown/WoL feature, and would be interested to know how it obtains the MAC addresses required and the method of transmission of the wake up packet across the subnets - to keep our active network team happy. They had a recent incident with a Ghost server and they're a bit edgy. :)

Cheers
Danny
Re: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommendations?
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] All three lists are populated by folks that are var/vaps that do the IT for small businesses. You say that you are concerned about dedicated messaging admin... you outsource it. You get a Brian to be your admin for you. MX records published? First off my MX records point to a hosted pre-filterer that cleans the spam and then forwards it to me. Email these days is boring... As far as knocking on your door you have that now if you have a server and open ports. And I'm a SBS box if I reboot for that Exchange patch that came down from WSUS yesterday ...is my mail offline? Nope 'cause the MX record at Exchangedefender.com is up 24/7. There's a ton of pre Exchange hosted platforms that stay up so you don't have to. Even without the pre-Exchange stuff... we use backup MX records around my space all the time to hold email while the server is rebooting or down or whatever. Quite frankly...as an admin/postmaster for several listserves, it's a miracle email gets delivered at all. There's a lot more moving parts that email relies on than just your MX record. There's ways to deal with these issues and quite frankly every SBS box on the planet is chugging along just fine with typically no dedicated admin on staff and no messaging admin. Javier Jarava wrote: Hi! Thanks for the input. At the moment we're paying ~250 € for the VPS server that hosts our email, so the cost would be similar. Of course I know that a server+exch. licenses are cheaper on the long run than the monthly cost of the service. What worries me is: - Admin. costs: We develop security software that runs on top of AD, so all our technical staff is AD-aware (as a matter of fact, I joined the list for its AD content ;) so we don't have a dedicated admin: the staff in the testing dept. are the ones who manage our network. 
But we don't have messaging experience in-house, and we're worried about the things that having an MX published brings: spammers and other nasties knocking on our door, etc. - DSL provider: We're already working with the ex-national telco; they're the ones who -the local wisdom goes- provide better service. But we have experienced downtimes every now and then. Having an external MX would be an idea :) - Bandwidth: We have a 8mb/1Mb line. Our worry is with the outgoing leg: if the mail server is behind a 1mb line, and around half our staff is hitting it from the internet, we believe the office might end up being a bit internet-starved. In any case, you've got me thinking on the issue :) It's not as clear-cut as I would've liked ;) Thanks a lot for your advice. JJ On 06/12/06, Brian Desmond [EMAIL PROTECTED] wrote: Well with 40 people you're paying 280 euro a month. Some quick currency conversions tells me that an Exchange server for an org your size would likely set you back between 2300 and 3000 Euro from Dell. 280 goes into 2300 8.2 times - or it will pay for itself in 9 months. If you're already managing AD and other infrastructure, Exchange isn't going to add that much overhead. Create the mailboxes for your users, import the PSTs or whatever they have now, and make sure it's getting backed up and updated (which I'm sure you're already doing with your other servers). Has the DSL been reliable so far? If so, then I wouldn't worry about it. If not, either get a better DSL provider or find someone to be your MX or backup MX. Regarding bandwidth, ADSL goes to 6mbps these days - what limitations are on your circuit? Outlook 2003 in cached mode doesn't chew that much. 
Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Javier Jarava Sent: Wednesday, December 06, 2006 11:57 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommendations? Hi! Thanks for the prompt reply... As for hosted solutions, I guess that I don't much care whether the backend is Exchange, SBS or whatever the hosting company chooses to provide ;) From what I've seen (http://www.arsys.es/aplicaciones/correo-exchange.htm, http://www.acens.com/seccion.web/correo/acens-exchange/678 - yes, we are based in Spain - or http://www.mi8.com/ to show that I'm looking elsewhere) basically what you get is a web-based admin panel and a number of accounts that you configure... not too much control but good enough. Of course, I'd love to get recommendations for other providers or to be shown that not all of them are similar ;) As for the lack of a server for 40+ users, well, that's not really true: We have an AD (2003) domain (basic setup: single forest, single domain, 2 DCs) for the users, it's just that the email is hosted on an external server, to avoid downtime and lessen the administrative load on network admin (we don't have a full time person for
[ActiveDir] http://www.microsoft.com/technet/security/advisory/929433.mspx
I don't know if someone already ported this, but just in case. http://www.microsoft.com/technet/security/advisory/929433.mspx Rezuma List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] Users Not receiving Logon Script GPO
I think I nailed it. I have a separate Folder Redirection policy that was set for loopback processing, and the mode was set to replace. I think that overrode the separate GPO for the users that applied the logon script. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James Sent: Wednesday, December 06, 2006 6:52 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Users Not receiving Logon Script GPO Booker, Have a look at the security filtering component of the policy and verify that designated users have Read and Apply Group Policy. I would implicitly add one of the affected users to the security filtering and see, post gpupdate, whether the policy is applied. Check if block inheritance is not enabled and temporarily enforce the policy to see if it is applied. What does GPResult come back with from one of the affected users? James From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Washington, Booker Sent: Thursday, 7 December 2006 7:24 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Users Not receiving Logon Script GPO I have a situation wherein after I applied a Folder redirection policy to a group of users, wherein I had a deny set on the apply group policy for the Group wherein I had the users' computer and user accounts. Now all of a sudden, for an entirely different User logon Script policy (separate GPO), the policy will not flow down to the users. I have moved the users to different OUs with different user logon script GPOs, and none of the GPOs seem to make it to the users, even though an RSoP shows that the users are in the right OU to receive the policy. Furthermore, if I perform a GPO Model of the user, or even of the container that has the users, the model SHOWS that the user logon script GPO should apply. But by using the GP results wizard, the policy will not show in the user Applied Policy section and via checking, it is not in the denied policy section either. 
The policy simply will NOT go down to the user. As a separate test, if I set a Computer start up policy GPO to the computer, after a gpupdate, the Computer will see the policy, but for some reason the user(s) will not get the policy. Any ideas? Let me add that I ran gpotool, and everything for that policy checks out ok. Also, there is no special security filtering for the logon script GPO.
[ActiveDir] Please help me
I have a strange problem and cannot find any solution. I used DCpromo to depromote a computer. It worked ok, the Domain controller was depromoted. But when I use repadmin to show other DCs' replication, it shows replications from the domain controller depromoted. I didn't find anything to explain how to solve that. Where can I find it, to remove it from replication. The machine is a network computer, but replication fails with message: SPO-COSTA\SPO-CENTRO5 -- (THIS IS THE DOMAIN CONTROLLER THAT IS NOT A DOMAIN CONTROLLER ANYMORE) DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2 DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS USNs: 13018091/OU, 13018091/PU Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c): A operação de agente do sistema de diretórios (DSA) não pode prosseguir devido a uma falha de pesquisa de DNS. 96 consecutive failure(s). Last success @ 2006-12-01 07:58:08. Adrião Ferreira Ramos Depto. de Operações e Infra-Estrutura - CII.14 [EMAIL PROTECTED] (11) 3388.8193
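The condition in the post above (a demoted DC still listed as an inbound replication partner, marked "(deleted DSA)" and failing with result 8524) can be picked out of repadmin output mechanically. This is an added example, not part of the original message: the one-field-per-line layout is an assumed reconstruction of the flattened output, the second neighbor is constructed, and `parse_showrepl` and `flag_stale` are hypothetical names.

```python
"""Flag inbound replication neighbors that point at a deleted or failing source DC."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample. The first neighbor uses the values quoted in the post,
# laid out one field per line (assumed layout; the archive flattened it).
# The second neighbor is invented for contrast.
SAMPLE = r"""
SPO-COSTA\SPO-CENTRO5 DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
    DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
    Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
        <localized error text omitted>
    96 consecutive failure(s).
    Last success @ 2006-12-01 07:58:08.
EXAMPLE-SITE\EXAMPLE-DC1 via RPC
    DC object GUID: 00000000-0000-0000-0000-000000000001
    Last attempt @ 2006-12-07 07:56:40 was successful.
"""

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
HEADER_RE = re.compile(r"^(?P<source>\S.*?) via (?:RPC|SMTP)\s*$")
DELETED_RE = re.compile(r"DEL:(" + GUID + r")")
OBJECT_GUID_RE = re.compile(r"DC object GUID:\s*(" + GUID + r")")
FAILED_RE = re.compile(r"Last attempt @ (.+?) failed, result (\d+)")
SUCCESS_RE = re.compile(r"Last attempt @ (.+?) was successful")
FAILCOUNT_RE = re.compile(r"(\d+) consecutive failure")
LAST_SUCCESS_RE = re.compile(r"Last success @ ([0-9: -]+?)\.?\s*$")


@dataclass
class Neighbor:
    source: str                              # Site\Server as printed
    deleted_dsa_guid: Optional[str] = None   # set when the source is "(deleted DSA)"
    object_guid: Optional[str] = None
    last_result: Optional[int] = None        # 0 means the last attempt succeeded
    failures: int = 0
    last_success: Optional[str] = None


def parse_showrepl(text: str) -> List[Neighbor]:
    """Split the output into one Neighbor record per 'via RPC/SMTP' header line."""
    neighbors: List[Neighbor] = []
    current: Optional[Neighbor] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            source = header.group("source")
            deleted = DELETED_RE.search(source)
            name = source[:deleted.start()].strip() if deleted else source
            current = Neighbor(source=name,
                               deleted_dsa_guid=deleted.group(1) if deleted else None)
            neighbors.append(current)
            continue
        if current is None:
            continue  # text before the first neighbor header
        m = OBJECT_GUID_RE.search(line)
        if m:
            current.object_guid = m.group(1)
        m = FAILED_RE.search(line)
        if m:
            current.last_result = int(m.group(2))
        if SUCCESS_RE.search(line):
            current.last_result = 0
        m = FAILCOUNT_RE.search(line)
        if m:
            current.failures = int(m.group(1))
        m = LAST_SUCCESS_RE.search(line)
        if m:
            current.last_success = m.group(1)
    return neighbors


def flag_stale(neighbors: List[Neighbor], min_failures: int = 3) -> List[Tuple[str, List[str]]]:
    """Return (source, reasons) for neighbors that are deleted or repeatedly failing."""
    flagged = []
    for n in neighbors:
        reasons = []
        if n.deleted_dsa_guid:
            reasons.append(f"source DSA object is deleted (DEL:{n.deleted_dsa_guid})")
        if n.failures >= min_failures:
            reasons.append(f"{n.failures} consecutive failures, last result {n.last_result}, "
                           f"last success {n.last_success}")
        if reasons:
            flagged.append((n.source, reasons))
    return flagged


if __name__ == "__main__":
    for source, reasons in flag_stale(parse_showrepl(SAMPLE)):
        print(source)
        for reason in reasons:
            print("  -", reason)
```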
RE: [ActiveDir] OT: SpecOps GPUPDATE tool
Including bugs! :) Maybe should have been 2 emails - One here for any problems encountered and one to SpecOps for technical detail. Any users encountered any problems with this tool? :))) Kind regards Danny -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: 07 December 2006 14:26 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: SpecOps GPUPDATE tool I would expect specops to provide that info, if I were in your position. neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny Sent: 07 December 2006 13:54 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: SpecOps GPUPDATE tool Hi Has anyone used the WoL feature of this tool? If so, can you let me know of any issues that you came across please? We are currently only interested in the Shutdown/WoL feature, and would be interested to know how it obtains the MAC addresses required and the method of transmission of the wake up packet across the subnets - to keep our active network team happy. They had a recent incident with a Ghost server and they're a bit edgy. :) Cheers Danny
RE: [ActiveDir] OT: SpecOps GPUPDATE tool
Hi Neil You were right, they did. It's no good for us as the tool won't work with non-windows DHCP, which I guess is used to retrieve the MAC addresses. Should have thought of this in the first instance, but to quote the parrot sketch, I have a cold. :) All the best Danny -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: 07 December 2006 14:26 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: SpecOps GPUPDATE tool I would expect specops to provide that info, if I were in your position. neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny Sent: 07 December 2006 13:54 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: SpecOps GPUPDATE tool Hi Has anyone used the WoL feature of this tool? If so, can you let me know of any issues that you came across please? We are currently only interested in the Shutdown/WoL feature, and would be interested to know how it obtains the MAC addresses required and the method of transmission of the wake up packet across the subnets - to keep our active network team happy. They had a recent incident with a Ghost server and they're a bit edgy. :) Cheers Danny
RE: [ActiveDir] Group Membership Update Frequency
Thomas, The server will not update its group memberships until it refreshes its Kerberos ticket. That can take up to a week. Alternatively, you can reboot the system, or, if you have console access, open a command line under the system's credentials. You can then use 'klist purge' to delete the existing tickets and force the system to generate a new one. If you use 'klist purge' in a normal command window, you will only delete your tickets, not the system's. -Andrew -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Hess Sent: Thursday, December 07, 2006 6:20 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Group Membership Update Frequency hi there, when does a server recognize that he is part of AD global Security group? Do I have to reboot every system or is there an update frequency where the server checks the AD? I need this to know because I want to use the Security Group Filtering with GPOs. Thanks in advance Thomas
RE: [ActiveDir] OT: Vista Activation and KMS
ISA still doesn't have a firewall client that works for one... You noticed that one, did you? Though I have had pretty good experience in general with Vista on good hardware. If I built a Vista box for KMS only, I would turn off aero and probably disable the sound card and maybe some other stuff (indexing, we could keep going) but then I would have pretty good confidence in the Vista box. At present I think that's the way I'd recommend us doing it, until it'll run on a server of some sort. Fortunately (as has probably been discussed here at length seeing Laura R's affinity for slmgr.vbs :) you can of course test on a VL copy for 90 (or is it 120?) days - slmgr.vbs -rearm extends for 30 days, and you can run it either 2 or 3 times (I don't recall which)... Rich --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Tuesday, December 05, 2006 2:21 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: Vista Activation and KMS I personally am not ready to stick a Vista box as a Licensing server. ISA still doesn't have a firewall client that works for one... and I've yet to find a a/v that doesn't BSOD my tablet pc or act strangely on another box I built. In fact I'm still using my Technet 'for testing purposes' ones as I'm not ready to play with my VL ones. Activation on the VL ones means I'm serious to roll...and quite frankly.. I'm not. I still want to see a more formal support story on Activations in general for folks that aren't TAM supported... YMMV and all that. Laura A. Robinson wrote: I am not at all talking about solutions that don't exist today. Go to a Vista machine and take a look at slmgr.vbs. 
Laura *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Tim Vander Kooi *Sent:* Tuesday, December 05, 2006 12:39 PM *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] OT: Vista Activation and KMS While Laura and yourself make valid points, you are both talking about solutions that do not exist today. I'm just trying to help the OP with the problem he is having right now. Getting into the full licensing overhead of Vista, not to mention LH, could, and undoubtedly will, take weeks and/or months. For right now, at this very moment, using your VL key (and I will continue to refer to it as a VL key as long as the page on which I am reading it says Volume License Product Keys at the top of it) for Vista - KMS will allow you to activate your installation via the web just fine. This is not something I would do for an entire enterprise, but for your first few test machines on your production network I would do it. Again YMMV, Tim *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Harvey Kamangwitz *Sent:* Tuesday, December 05, 2006 10:28 AM *To:* ActiveDir@mail.activedir.org *Subject:* Re: [ActiveDir] OT: Vista Activation and KMS If you have any kind of a complex environment, you'll find volume activation to be very frustrating indeed: 1. The KMS service can't support more than one key, so if you have Longhorn VL clients in your environment you have to put up a second KMS infrastructure for them. 2. You can't (rather, shouldn't) use autodiscovery If you do have both LH and Vista. The KMS client can't distinguish between a KMS with LH and a KMS with Vista, and there's nothing in the client that says oh, I hit a KMS but it has the wrong key so try again immediately so ~50% of a client's activation attempts will fail. 3. Autodiscovery isn't practical if you have more than a few forests that don't trust the forest your KMS is in. 
All admins of the untrusted forests must manually register the _vlmcs record in their forest to find the KMS. ...the list goes on. (I haven't even mentioned the practical aspects of volume activation in a lab or firewalled environment.) It's not a fully-baked solution. Depending on your environment, it might be easier to scrap the whole autodiscovery, create a DNS CNAME with a couple of KMS behind it, stuff the FQDN in the KMS client's registry if you have a standard build, and fugeddaboutit :-). On 12/4/06, *Laura A. Robinson* [EMAIL PROTECTED]
RE: [ActiveDir] OT: Vista Activation and KMS
My hope was that KMS could support more than one key. I was astonished when I discovered it didn't. If you were Vista, KMS would supply you with a Vista key. Longhorn, a Longhorn key. Since KMS only supports one key, it triggers the need for two separate KMS infrastructures and the problems in #2 below. I put this up in the beta volume licensing group, hopefully there will be some MSFT response on this. I agree with you - the point of making it easy by allowing srv records is offset by the fact neither the VL client nor the KMS server can differentiate between Vista and LHS. Even if the solution is to update the KMS service prior to longhorn's release, and have separate srv records (one for Vista, one for longhorn, another for ?? because you know they're on a roll now and will soon have other things doing VLA) personally I'd rather have multiple records than multiple KMS servers, and hard-coding reg keys or using MAKS for all servers is not really a good solution, IMHO. Rich --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harvey Kamangwitz Sent: Tuesday, December 05, 2006 11:41 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: Vista Activation and KMS On 12/5/06, Laura A. Robinson [EMAIL PROTECTED] wrote: Inline... From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] On Behalf Of Harvey Kamangwitz Sent: Tuesday, December 05, 2006 11:28 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: Vista Activation and KMS If you have any kind of a complex environment, you'll find volume activation to be very frustrating indeed: 1. 
The KMS service can't support more than one key, so if you have Longhorn VL clients in your environment you have to put up a second KMS infrastructure for them. Actually, when you purchase a KMS key, you get to activate TWO KMS hosts with that key, up to ten times each. Therefore, you don't have to put up a second KMS infrastructure. From a subsequent post on this thread: Doh! Okay, now I think I get what you're referencing in item 1. There's a reason for that- LH isn't out yet. When LH is out, that won't be an issue. :-) My hope was that KMS could support more than one key. I was astonished when I discovered it didn't. If you were Vista, KMS would supply you with a Vista key. Longhorn, a Longhorn key. Since KMS only supports one key, it triggers the need for two separate KMS infrastructures and the problems in #2 below. I'm assuming that Microsoft will be using Volume Activation for other products in the future; are we to put up a separate KMS for each? 2. You can't (rather, shouldn't) use autodiscovery if you do have both LH and Vista. The KMS client can't distinguish between a KMS with LH and a KMS with Vista, and there's nothing in the client that says oh, I hit a KMS but it has the wrong key so try again immediately so ~50% of a client's activation attempts will fail. So remove the DNS records for the LH KMS, or am I misunderstanding your point? To be more specific: In a Vista / Longhorn environment, you should only use autodiscovery for one KMS infrastructure because of 50% failure rate above. The other systems (Longhorn, if you choose autodiscovery for Vista) must be explicitly pointed to a KMS with slmgr. How much of an administrative headache this is depends on how great a penetration of a standard build is in your company; you can code it into the build. 3. Autodiscovery isn't practical if you have more than a few forests that don't trust the forest your KMS is in. 
All admins of the untrusted forests must manually register the _vlmcs record in their forest to find the KMS. slmgr.vbs. We're not talking about a ton of records here or a difficult population mechanism. It's the logistics and overhead that's a pain. No, the act of registering a _vlmcs record in a domain is not in itself a difficult task; it's the help desk scripts and calls from panicky system administrators when all the clients in their forest start complaining about failure to activate and reduced functionality mode that have to be handled. In a large enterprise we could see a lot of these (everyone that brings up a sandbox forest for
RE: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommendations?
I saw something similar in the beta home networking newsgroup, 50 people in the office, with laptops, and they do peer to peer sharing, and they wanted to know how to get that working on Vista... I think my contribution to that thread was about 3 pages, and it started with SBS... ;) --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Tuesday, December 05, 2006 8:57 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommendations? Hosted SBS with Outlook 2003 Office Live http://office.microsoft.com/en-us/outlook/HA100809831033.aspx Not 2003 without a SBS box on the backend but 2007 uses Office Live to share calendars. 40 people and you don't have a server... wow. the control freak in me is freaking out. We put SBS servers in at 5 to 10 people and even less. Shared calendars pushes the sale of many a SBS box. I don't know of non MS solutions. Javier Jarava wrote: Hi! Sorry if this question is a bit off-topic to the list, but I've seen some Exchange-related questions here, so I know there is Exchange expertise hanging around ;) and I didn't know where to ask; please feel free to point me to the proper forums (forii?) to ask in. I am looking for a way to implement shared calendars a la exchange (ie, they have to be visible and used from within Outlook 2003), but without actually using/hosting an Exchange Server ourselves. The idea is that people should be able to see/manage the calendar of the people they manage, so free/busy info is not enough. 
And the outlook requisite is a must (as my CEO put it yesterday: I live within Outlook; I don't want to meddle with web apps or the like). I know that it's a bit odd of a requisite, but we are a small co. (~ 40 employees) and the president feels that having to babysit a server in-house is a bit of a needless burden. At present we host our email / web presence / customer ticketing system in a pair of VPS from Verio, so if the proposed solution could run on top of FreeBSD it'd be a big plus ;) Of course (now going for the and ask about the KitchenSink part ;) if we could put it into place without having to tweak our email setup that'd be wonderful!!. We understand that we'd probably have to install some Outlook plugin, so that's OK... If there is no way to have the Shared Calendar feature as a stand-alone service/server, I guess the next step would be to ask those of you who know Exchange for an exchange clone that runs on FreeBSD / Unix. Or last but not least, I guess that there must be hosted Exchange providers out there that you can recommend. That'd mean re-doing our mail system, but I guess that we could live with it, if need be. Thanks a lot for those of you who have read this far. Best Regards Javier Jarava
RE: [ActiveDir] Quest Recovery Manager
I would say companies competing via innovative features benefit customers more than just low balling each other in this space / vertical market.

And just like a free puppy... If you don't train it... you eventually have to call in the Directory Whispers. I think I might have just found some inspiration for a new TV Show.

Todd

-----Original Message-----
From: Martin Tuip [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Quest Recovery Manager

Competition benefits customers.

Martin

----- Original Message -----
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, December 06, 2006 7:46 PM
Subject: RE: [ActiveDir] Quest Recovery Manager

It gets even nuttier in competitive situations. Bring in the NetPro products for eval, and watch how fast the Quest price goes to zero. It's like the old Crazy Eddy's TV ads in New York.

Of course it's free like a puppy... :)

-gil

From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 12/6/2006 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

> The Quest guys told me the other day they had a lot of leeway on some pricing for one of my clients so I'm wondering if this is the end of the year for the salesmen and they need to make their year this month (if so this is an excellent time to buy Quest software)

Ha! Show me a sales person from ANY software company who doesn't get that wide-eyed, crazed, foaming-at-the-mouth look in his or her eye around quarter-end or year-end and I'll show you a sales person that is about to be fired. It's part of the game. Gotta make quota, esp. at year end, and to do that, you gotta discount! I would think most IT shops are wise to it by now. It's kind of a sick dance we all do :)

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, December 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Yeah. Sit down with your team and figure out what it is you need - must have, would like to have, and nice to have. Then, tell all the vendors you want a little webinar (they love these), and then compare your notes after each/all of them again. Rule out any ones now that don't do the trick.

Then go get ready to have it shoved way up your ass when they give you the pricing. Then you can suggest (if they haven't already) that they come discuss it further and plan on a lunch/dinner or two on their dime while you further discuss how expensive their stuff is and what they can do for you to make it more attractive. The Quest guys told me the other day they had a lot of leeway on some pricing for one of my clients so I'm wondering if this is the end of the year for the salesmen and they need to make their year this month (if so this is an excellent time to buy Quest software).

Now that said, I've worked in a few large shops, and we haven't had any of this frilly fancy shit. It's expensive, I hate the per head/per seat/per whatever pricing, and frankly all I think it does is idiot proof what's already there. Rather than having something do it for you, why don't you learn how it does it, because then you'll be smarter, and you can go get a new better job with your new found talents.

That said there is some cool shit from Quest and NetIQ and those guys - I'm into the change control/management stuff in shops where there are too many cooks in the kitchen. Quest's migration stuff is of course great if you can afford it.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Wednesday, December 06, 2006 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

I don't think there are many independent rankings out there. You have to figure that Windows ITPro and SearchWindows are probably the easiest sources to get access to online, but they are influenced by ad dollars sometimes. It is possible that Burton Group and possibly Gartner have done some research. But I doubt it. I know that Directions on Microsoft hasn't covered it. It is a pretty niche topic.

I think the best way to approach this is to have a good old-fashioned bake-off of the technologies. Depending how big a player you are, you can probably get Quest, NetPro, Veritas, and CommVault to step up. I would say that all the technologies are pretty stable at the moment; there isn't a lot of innovation going on anymore, so it is pretty hard to make a mistake choosing one of these products.

Todd

From: Tim Onsomu [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 2:06 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
RE: [ActiveDir] OT: SpecOps GPUPDATE tool
I know the SpecOps guys lurk on this forum so you should get a response, but I would also suggest that they have a forum on their website for asking questions and getting feedback from other users.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Thursday, December 07, 2006 8:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SpecOps GPUPDATE tool

Including bugs! :)

Maybe should have been 2 emails - One here for any problems encountered and one to SpecOps for technical detail.

Any users encountered any problems with this tool? :)))

Kind regards
Danny

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 07 December 2006 14:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SpecOps GPUPDATE tool

I would expect specops to provide that info, if I were in your position.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: 07 December 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SpecOps GPUPDATE tool

Hi

Has anyone used the WoL feature of this tool? If so, can you let me know of any issues that you came across please?

We are currently only interested in the Shutdown/WoL feature, and would be interested to know how it obtains the MAC addresses required and the method of transmission of the wake up packet across the subnets - to keep our active network team happy. They had a recent incident with a Ghost server and they're a bit edgy. :)

Cheers
Danny
RE: [ActiveDir] Please help me
Check and see if it still has the dead server listed under its NTDS Settings in AD Sites and Services. Had this happen once to me. I manually deleted the NTDS reference and it was happy.

Elizabeth Thompson
Service and Support Technician/Exchange Admin
Information Technology Services
The Community College of Baltimore County

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: [ActiveDir] Please help me

I have a strange problem and can not find any solution.

I used DCpromo to depromote a computer. It worked ok, the Domain controller was depromoted. But when I use repadmin to show other DC's replication, it shows replications from the domain controller depromoted. I didn't find anything to explain how to solve that. Where can I find it, to remove it from replication?

The machine is a network computer, but replication fails with message:

SPO-COSTA\SPO-CENTRO5 -- (THIS IS THE DOMAIN CONTROLLER THAT IS NOT A DOMAIN CONTROLLER ANYMORE)
DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
    DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
    Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br
    DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2
    DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
    USNs: 13018091/OU, 13018091/PU
    Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
        A operação de agente do sistema de diretórios (DSA) não pode prosseguir devido a uma falha de pesquisa de DNS.
    96 consecutive failure(s).
    Last success @ 2006-12-01 07:58:08.

Adrião Ferreira Ramos
Depto. de Operações e Infra-Estrutura - CII.14
[EMAIL PROTECTED]
(11) 3388.8193
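The check described above can be scripted: the following added example (not code from any poster in this thread) parses `repadmin` neighbor output and lists inbound partners that are marked as a deleted DSA and are still failing. The first neighbor is the output quoted in the post, re-laid out one field per line; the second neighbor (`SPO-CENTRO2`) and all function names are constructed for illustration.

```python
import re
from typing import Dict, List

# First block: the output quoted in the thread, one field per line.
# Second block: a constructed healthy neighbor, added for contrast.
SAMPLE = r"""
SPO-COSTA\SPO-CENTRO5 DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
    DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
    Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br
    DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2
    DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
    USNs: 13018091/OU, 13018091/PU
    Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
        A operação de agente do sistema de diretórios (DSA) não pode prosseguir devido a uma falha de pesquisa de DNS.
    96 consecutive failure(s).
    Last success @ 2006-12-01 07:58:08.
SPO-COSTA\SPO-CENTRO2 via RPC
    DC object GUID: 00000000-0000-0000-0000-000000000002
    Last attempt @ 2006-12-07 07:56:30 was successful.
"""

HEADER = re.compile(r"^(?P<source>\S.*?)\s+via RPC$")
DEL_GUID = re.compile(r"DEL:([0-9a-fA-F-]{36})")
ATTEMPT = re.compile(r"Last attempt @ \S+ \S+ (?:failed, result (\d+)|was successful)")
FAILURES = re.compile(r"(\d+) consecutive failure")
SUCCESS = re.compile(r"Last success @ (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")


def parse_neighbors(text: str) -> List[Dict]:
    """Split repadmin neighbor output into one dict per inbound partner."""
    neighbors: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:  # a line ending in "via RPC" starts a new partner
            guid = DEL_GUID.search(line)
            current = {
                "source": re.sub(r"\s*DEL:.*$", "", header.group("source")),
                "deleted_dsa": guid.group(1) if guid else None,
                "address": None,
                "result": None,       # 0 = last attempt succeeded
                "failures": 0,
                "last_success": None,
            }
            neighbors.append(current)
            continue
        if current is None:
            continue
        if line.startswith("Address:"):
            current["address"] = line.split(":", 1)[1].strip()
        elif ATTEMPT.search(line):
            code = ATTEMPT.search(line).group(1)
            current["result"] = int(code) if code else 0
        elif FAILURES.search(line):
            current["failures"] = int(FAILURES.search(line).group(1))
        elif SUCCESS.search(line):
            current["last_success"] = SUCCESS.search(line).group(1)
    return neighbors


def lingering_partners(neighbors: List[Dict]) -> List[Dict]:
    """Partners whose NTDS Settings object is deleted but that are still polled."""
    return [n for n in neighbors if n["deleted_dsa"] and n["failures"] > 0]


if __name__ == "__main__":
    for n in lingering_partners(parse_neighbors(SAMPLE)):
        print(f"{n['source']}: deleted DSA {n['deleted_dsa']}, "
              f"{n['failures']} failures, result {n['result']}, "
              f"last success {n['last_success']}")
```
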
[ActiveDir] DNS scavenging question
I have a rather off the wall DNS scavenging question.

I have a bunch of DNS records that are stale and need to be scavenged out of the zone. Following the O'REILLY book: DNS on Windows Server 2003 I have configured aging and scavenging. (Don't ask why this wasn't done when the zone was first setup, that is another story)

Now I know:

"If scavenging is disabled on a standard zone and you enable scavenging, the server does not scavenge records that existed before you enabled scavenging. The server does not scavenge those records even if you convert the zone to an Active Directory-integrated zone first. To enable scavenging of such records, use the AgeAllRecords in Dnscmd.exe."

I know this must be done in order to configure existing records to a scavengable state.

Is there a way to immediately force a scavenge cycle that will remove all stale records? I would not like to have to wait until the no-refresh and refresh intervals expire.

Daniel Gilbert
RE: [ActiveDir] NetBT errors 4321
Laura,

Sorry for not getting back sooner, the answers to your questions are:

Both IP addresses are DC's. The first IP address is the one exhibiting all the NETBT 4321 event log errors, the second IP address is the DC refusing the name to be claimed.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 05 December 2006 01:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NetBT errors 4321

Okay, first question- is the first xxx.xxx.xxx.xxx address the same as the second xxx.xxx.xxx.xxx, or are they actually different addresses? Second, if we're talking two IPs, which one is the DC's IP?

Basically, I can't get enough from your genericized [I made that word up] error to figure out which machine is which, where this error came from, what machine(s) is/are identified by the IPs in the error, and therefore, why I should care about the Nbstat entries. :-)

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Bembridge
Sent: Monday, December 04, 2006 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NetBT errors 4321

Hi All,

I cannot find a resolution to an event log error that we are having within our development domain; the event is logged every 3-6 mins. I have exhausted the internet results but to no avail, any help would be greatly appreciated.

We have two DC's living on different subnets both acting as BH servers. 1st DC holds all FSMO roles, single domain, D FFL 2003

Anyway below is the event log message. I have done all the searches possible and come up with nothing at all.

Source NetBT
EventID: 4321
The name DEV..:Id Could not be registered on the interface with IP address xxx.xxx.xxx.xxx
The machine with the IP address xxx.xxx.xxx.xxx did not allow the name to be claimed by the machine.

The results of both DC's are as follows:

Nbtstat -an
DC1 DC2 00 unique 00 unique 00 Group 00 Group 1c Group 1c Group 20 Unique 20 Unique 1D Unique 1E Group 1E Group -MSBROWSE
Mac address
RE: [ActiveDir] Quest Recovery Manager
Just to give an idea of how insane it can get...

A good friend of mine works at a software company (not in the Microsoft space)... let's call it company G. Company G is small (300 people or so) and privately held, with a superior product. Company G's main competition is Company W, a large, bloated publicly held company, with a decidedly inferior product. Company W hasn't developed anything innovative in years... all their new products have come through acquisitions.

Now check this out: Company G has a competitive sales program for Company W's customers. If a customer has decided on Company W, for whatever reason, and there is no way that they will buy Company G's product, Company G will work with the customer to provide a competitive bid *just to drive Company W's prices down.* The customer doesn't even have to look at Company G's products.

Now THAT's ruthless sales behavior!

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Thursday, December 07, 2006 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

I would say companies competing via innovative features benefit customers more than just low balling each other in this space / vertical market.

And just like a free puppy... If you don't train it... you eventually have to call in the Directory Whispers. I think I might have just found some inspiration for a new TV Show.

Todd

-----Original Message-----
From: Martin Tuip [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Quest Recovery Manager

Competition benefits customers.

Martin

----- Original Message -----
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, December 06, 2006 7:46 PM
Subject: RE: [ActiveDir] Quest Recovery Manager

It gets even nuttier in competitive situations. Bring in the NetPro products for eval, and watch how fast the Quest price goes to zero. It's like the old Crazy Eddy's TV ads in New York.

Of course it's free like a puppy... :)

-gil

From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 12/6/2006 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

> The Quest guys told me the other day they had a lot of leeway on some pricing for one of my clients so I'm wondering if this is the end of the year for the salesmen and they need to make their year this month (if so this is an excellent time to buy Quest software)

Ha! Show me a sales person from ANY software company who doesn't get that wide-eyed, crazed, foaming-at-the-mouth look in his or her eye around quarter-end or year-end and I'll show you a sales person that is about to be fired. It's part of the game. Gotta make quota, esp. at year end, and to do that, you gotta discount! I would think most IT shops are wise to it by now. It's kind of a sick dance we all do :)

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, December 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Yeah. Sit down with your team and figure out what it is you need - must have, would like to have, and nice to have. Then, tell all the vendors you want a little webinar (they love these), and then compare your notes after each/all of them again. Rule out any ones now that don't do the trick.

Then go get ready to have it shoved way up your ass when they give you the pricing. Then you can suggest (if they haven't already) that they come discuss it further and plan on a lunch/dinner or two on their dime while you further discuss how expensive their stuff is and what they can do for you to make it more attractive. The Quest guys told me the other day they had a lot of leeway on some pricing for one of my clients so I'm wondering if this is the end of the year for the salesmen and they need to make their year this month (if so this is an excellent time to buy Quest software).

Now that said, I've worked in a few large shops, and we haven't had any of this frilly fancy shit. It's expensive, I hate the per head/per seat/per whatever pricing, and frankly all I think it does is idiot proof what's already there. Rather than having something do it for you, why don't you learn how it does it, because then you'll be smarter, and you can go get a new better job with your new found talents.

That said there is some cool shit from Quest and NetIQ and those guys - I'm into the change control/management stuff in shops where there are too many cooks in the kitchen. Quest's migration stuff is of course great if you can afford it.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Wednesday,
Re: [ActiveDir] Please help me
How long ago was it dcpromoed out?

DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC

On 12/7/06, Thompson, Elizabeth [EMAIL PROTECTED] wrote:

Check and see if it still has the dead server listed under its NTDS Settings in AD Sites and Services. Had this happen once to me. I manually deleted the NTDS reference and it was happy.

Elizabeth Thompson
Service and Support Technician/Exchange Admin
Information Technology Services
The Community College of Baltimore County

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: [ActiveDir] Please help me

I have a strange problem and can not find any solution.

I used DCpromo to depromote a computer. It worked ok, the Domain controller was depromoted. But when I use repadmin to show other DC's replication, it shows replications from the domain controller depromoted. I didn't find anything to explain how to solve that. Where can I find it, to remove it from replication?

The machine is a network computer, but replication fails with message:

SPO-COSTA\SPO-CENTRO5 -- (THIS IS THE DOMAIN CONTROLLER THAT IS NOT A DOMAIN CONTROLLER ANYMORE)
DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
    DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
    Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br
    DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2
    DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
    USNs: 13018091/OU, 13018091/PU
    Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
        A operação de agente do sistema de diretórios (DSA) não pode prosseguir devido a uma falha de pesquisa de DNS.
    96 consecutive failure(s).
    Last success @ 2006-12-01 07:58:08.

Adrião Ferreira Ramos
Depto. de Operações e Infra-Estrutura - CII.14
[EMAIL PROTECTED]
(11) 3388.8193
[ActiveDir] Delegate join computer to domain
Hello everyone,

Our desktop support group are all a part of a security group called IT. I delegated the Create and Delete Computer ACEs to the security group over the OU that I want them to add computer accounts into when a machine is joined to the domain. After I adjusted the security settings, I reduced the default number of computers an authenticated user can join to the domain down to zero.

It seems that the members of the IT security group can pre-create the computer accounts, but when they attempt to go through the join process, they are caught at the check that determines if they have surpassed the number of machines a user can join to the domain (which is now zero).

What must I do so this security group is not subject to that check?

Thanks,
Ben

-----Original Message-----
From: Thompson, Elizabeth [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: 12/7/06 11:31 AM
Subject: RE: [ActiveDir] Please help me

Check and see if it still has the dead server listed under its NTDS Settings in AD Sites and Services. Had this happen once to me. I manually deleted the NTDS reference and it was happy.

Elizabeth Thompson
Service and Support Technician/Exchange Admin
Information Technology Services
The Community College of Baltimore County

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: [ActiveDir] Please help me

I have a strange problem and can not find any solution.

I used DCpromo to depromote a computer. It worked ok, the Domain controller was depromoted. But when I use repadmin to show other DC's replication, it shows replications from the domain controller depromoted. I didn't find anything to explain how to solve that. Where can I find it, to remove it from replication?

The machine is a network computer, but replication fails with message:

SPO-COSTA\SPO-CENTRO5 -- (THIS IS THE DOMAIN CONTROLLER THAT IS NOT A DOMAIN CONTROLLER ANYMORE)
DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
    DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
    Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br
    DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2
    DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
    USNs: 13018091/OU, 13018091/PU
    Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
        A operação de agente do sistema de diretórios (DSA) não pode prosseguir devido a uma falha de pesquisa de DNS.
    96 consecutive failure(s).
    Last success @ 2006-12-01 07:58:08.

Adrião Ferreira Ramos
Depto. de Operações e Infra-Estrutura - CII.14
[EMAIL PROTECTED]
(11) 3388.8193
RE: [ActiveDir] DNS scavenging question
http://technet2.microsoft.com/WindowsServer/en/library/d652a163-279f-4047-b3e0-0c468a4d69f31033.mspx?mfr=true

dnscmd /startscavenging

I would recommend you make a backup of your zone before you ageall and start scavenging. Have you taken into consideration records that need to be there that you will need to recreate as static entries, i.e. www.company.com etc.?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, December 07, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS scavenging question

I have a rather off the wall DNS scavenging question.

I have a bunch of DNS records that are stale and need to be scavenged out of the zone. Following the O'REILLY book: DNS on Windows Server 2003 I have configured aging and scavenging. (Don't ask why this wasn't done when the zone was first setup, that is another story)

Now I know:

"If scavenging is disabled on a standard zone and you enable scavenging, the server does not scavenge records that existed before you enabled scavenging. The server does not scavenge those records even if you convert the zone to an Active Directory-integrated zone first. To enable scavenging of such records, use the AgeAllRecords in Dnscmd.exe."

I know this must be done in order to configure existing records to a scavengable state.

Is there a way to immediately force a scavenge cycle that will remove all stale records? I would not like to have to wait until the no-refresh and refresh intervals expire.

Daniel Gilbert
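To see how AgeAllRecords, the two intervals and a forced scavenging pass interact, here is an added example (not from any poster in this thread) that models the aging rule: a record is removable only once its timestamp plus the no-refresh and refresh intervals has passed. It is a simplified model that assumes 7-day intervals, ignores the zone's own scavenging start time and hour rounding, and uses constructed record names.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Zone:
    """Simplified zone: name -> timestamp, None meaning 'no timestamp'
    (a static record, or one created before aging was enabled)."""
    aging: bool = True
    no_refresh: timedelta = timedelta(days=7)   # assumed interval
    refresh: timedelta = timedelta(days=7)      # assumed interval
    records: Dict[str, Optional[datetime]] = field(default_factory=dict)


def age_all_records(zone: Zone, now: datetime) -> None:
    """Model of AgeAllRecords: stamp every record, static ones included."""
    for name in zone.records:
        zone.records[name] = now


def dynamic_refresh(zone: Zone, name: str, now: datetime) -> bool:
    """A client refresh is accepted only after the no-refresh interval."""
    stamp = zone.records.get(name)
    if stamp is None or now < stamp + zone.no_refresh:
        return False
    zone.records[name] = now
    return True


def scavenge(zone: Zone, now: datetime) -> List[str]:
    """One scavenging pass: remove stamped records older than both intervals."""
    if not zone.aging:
        return []
    limit = zone.no_refresh + zone.refresh
    stale = sorted(n for n, ts in zone.records.items()
                   if ts is not None and now > ts + limit)
    for n in stale:
        del zone.records[n]
    return stale


def demo() -> dict:
    t0 = datetime(2006, 12, 7, 13, 42)
    # Constructed records: a retired PC, a live PC, and a static web entry.
    zone = Zone(records={"pc-retired": None, "pc-live": None, "www": None})
    out = {}
    out["before_ageall"] = scavenge(zone, t0)            # nothing is stamped
    age_all_records(zone, t0)
    out["forced_right_after"] = scavenge(zone, t0 + timedelta(hours=1))
    out["refresh_day_3"] = dynamic_refresh(zone, "pc-live", t0 + timedelta(days=3))
    out["refresh_day_8"] = dynamic_refresh(zone, "pc-live", t0 + timedelta(days=8))
    out["after_intervals"] = scavenge(zone, t0 + timedelta(days=14, hours=1))
    out["remaining"] = sorted(zone.records)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In this model the static `www` entry is removed together with the retired PC because it was stamped too, which is why static entries have to be recreated or re-marked before the intervals run out.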
Re: [ActiveDir] Please help me
http://www.eventid.net/display.asp?eventid=4321&eventno=1822&source=NetBT&phase=1

[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
12/07/2006 09:49 AM
To: ActiveDir@mail.activedir.org
cc: ActiveDir@mail.activedir.org, [EMAIL PROTECTED]
Subject: [ActiveDir] Please help me
Please respond to [EMAIL PROTECTED]

I have a strange problem and can not find any solution.

I used DCpromo to depromote a computer. It worked ok, the Domain controller was depromoted. But when I use repadmin to show other DC's replication, it shows replications from the domain controller depromoted. I didn't find anything to explain how to solve that. Where can I find it, to remove it from replication?

The machine is a network computer, but replication fails with message:

SPO-COSTA\SPO-CENTRO5 -- (THIS IS THE DOMAIN CONTROLLER THAT IS NOT A DOMAIN CONTROLLER ANYMORE)
DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
    DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
    Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br
    DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2
    DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
    USNs: 13018091/OU, 13018091/PU
    Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
        A operação de agente do sistema de diretórios (DSA) não pode prosseguir devido a uma falha de pesquisa de DNS.
    96 consecutive failure(s).
    Last success @ 2006-12-01 07:58:08.

Adrião Ferreira Ramos
Depto. de Operações e Infra-Estrutura - CII.14
[EMAIL PROTECTED]
(11) 3388.8193
Re: [ActiveDir] Please help me
ooops, sorry replied to the wrong one

[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
12/07/2006 09:49 AM
To: ActiveDir@mail.activedir.org
cc: ActiveDir@mail.activedir.org, [EMAIL PROTECTED]
Subject: [ActiveDir] Please help me
Please respond to [EMAIL PROTECTED]

I have a strange problem and can not find any solution.

I used DCpromo to depromote a computer. It worked ok, the Domain controller was depromoted. But when I use repadmin to show other DC's replication, it shows replications from the domain controller depromoted. I didn't find anything to explain how to solve that. Where can I find it, to remove it from replication?

The machine is a network computer, but replication fails with message:

SPO-COSTA\SPO-CENTRO5 -- (THIS IS THE DOMAIN CONTROLLER THAT IS NOT A DOMAIN CONTROLLER ANYMORE)
DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
    DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
    Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br
    DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2
    DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
    USNs: 13018091/OU, 13018091/PU
    Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
        A operação de agente do sistema de diretórios (DSA) não pode prosseguir devido a uma falha de pesquisa de DNS.
    96 consecutive failure(s).
    Last success @ 2006-12-01 07:58:08.

Adrião Ferreira Ramos
Depto. de Operações e Infra-Estrutura - CII.14
[EMAIL PROTECTED]
(11) 3388.8193
RE: [ActiveDir] NetBT errors 4321
http://www.eventid.net/display.asp?eventid=4321&eventno=1822&source=NetBT&phase=1

Simon Bembridge [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
12/07/2006 01:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NetBT errors 4321
Please respond to [EMAIL PROTECTED]

Laura,

Sorry for not getting back sooner, the answers to your questions are:

Both IP addresses are DC's. The first IP address is the one exhibiting all the NETBT 4321 event log errors, the second IP address is the DC refusing the name to be claimed.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 05 December 2006 01:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NetBT errors 4321

Okay, first question- is the first xxx.xxx.xxx.xxx address the same as the second xxx.xxx.xxx.xxx, or are they actually different addresses? Second, if we're talking two IPs, which one is the DC's IP?

Basically, I can't get enough from your genericized [I made that word up] error to figure out which machine is which, where this error came from, what machine(s) is/are identified by the IPs in the error, and therefore, why I should care about the Nbstat entries. :-)

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Bembridge
Sent: Monday, December 04, 2006 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NetBT errors 4321

Hi All,

I cannot find a resolution to an event log error that we are having within our development domain; the event is logged every 3-6 mins. I have exhausted the internet results but to no avail, any help would be greatly appreciated.

We have two DC's living on different subnets both acting as BH servers. 1st DC holds all FSMO roles, single domain, D FFL 2003

Anyway below is the event log message. I have done all the searches possible and come up with nothing at all.

Source NetBT
EventID: 4321
The name "DEV…………….:Id" Could not be registered on the interface with IP address xxx.xxx.xxx.xxx
The machine with the IP address xxx.xxx.xxx.xxx did not allow the name to be claimed by the machine.

The results of both DC's are as follows:

Nbtstat -an
DC1 DC2 00 unique 00 unique 00 Group 00 Group 1c Group 1c Group 20 Unique 20 Unique 1D Unique 1E Group 1E Group -MSBROWSE
Mac address
RE: [ActiveDir] Quest Recovery Manager
Boy that just makes me proud to be in the software business...

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Thursday, December 07, 2006 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quest Recovery Manager

Just to give an idea of how insane it can get... A good friend of mine works at a software company (not in the Microsoft space)... let's call it company G. Company G is small (300 people or so) and privately held, with a superior product. Company G's main competition is Company W, a large, bloated publicly held company, with a decidedly inferior product. Company W hasn't developed anything innovative in years... all their new products have come through acquisitions. Now check this out: Company G has a competitive sales program for Company W's customers. If a customer has decided on Company W, for whatever reason, and there is no way that they will buy Company G's product, Company G will work with the customer to provide a competitive bid *just to drive Company W's prices down.* The customer doesn't even have to look at Company G's products. Now THAT's ruthless sales behavior! -gil

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Sent: Thursday, December 07, 2006 10:12 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quest Recovery Manager

I would say companies competing via innovative features benefit customers more than just low balling each other in this space / vertical market. And just like a free puppy... If you don't train it... you eventually have to call in the Directory Whispers. I think I might have just found some inspiration for a new TV Show. Todd

-Original Message- From: Martin Tuip [mailto:[EMAIL PROTECTED] Sent: Thursday, December 07, 2006 8:16 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Quest Recovery Manager

Competition benefits customers. Martin

- Original Message - From: Gil Kirkpatrick [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Wednesday, December 06, 2006 7:46 PM Subject: RE: [ActiveDir] Quest Recovery Manager

It gets even nuttier in competitive situations. Bring in the NetPro products for eval, and watch how fast the Quest price goes to zero. It's like the old Crazy Eddy's TV ads in New York. Of course it's free like a puppy... :) -gil

From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia Sent: Wed 12/6/2006 4:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quest Recovery Manager

"The Quest guys told me the other day they had a lot of leeway on some pricing for one of my clients so I'm wondering if this is the end of the year for the salesmen and they need to make their year this month (if so this is an excellent time to buy Quest software)"

Ha! Show me a sales person from ANY software company who doesn't get that wide-eyed, crazed, foaming-at-the-mouth look in his or her eye around quarter-end or year-end and I'll show you a sales person that is about to be fired. It's part of the game. Gotta make quota, esp. at year end, and to do that, you gotta discount! I would think most IT shops are wise to it by now. It's kind of a sick dance we all do :) Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, December 06, 2006 1:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quest Recovery Manager

Yeah. Sit down with your team and figure out what it is you need - must have, would like to have, and nice to have. Then, tell all the vendors you want a little webinar (they love these), and then compare your notes after each/all of them again. Rule out any ones now that don't do the trick. Then go get ready to have it shoved way up your ass when they give you the pricing.
Then you can suggest (if they haven't already) that they come discuss it further and plan on a lunch/dinner or two on their dime while you further discuss how expensive their stuff is and what they can do for you to make it more attractive. The Quest guys told me the other day they had a lot of leeway on some pricing for one of my clients so I'm wondering if this is the end of the year for the salesmen and they need to make their year this month (if so this is an excellent time to buy Quest software). Now that said, I've worked in a few large shops, and we haven't had any of this frilly fancy shit. It's expensive, I hate the per head/per seat/per whatever pricing, and frankly all I think it does is idiot proof what's already there. Rather than having something do it for you, why don't you learn how it does it, because then you'll be smarter, and you can go get a new better job with your new found talents. That said there is some cool shit from quest and NetIQ and those guys - I'm into the change control/management stuff in shops where
RE: [ActiveDir] Quest Recovery Manager
Understood Gil, I wonder what would happen if the Federal Trade Commission got wind of such activity. Depending on who is in office... they tend to frown upon that type of activity, especially from companies outside of the US. Todd
Re: [ActiveDir] DNS scavenging question
If you immediately (with respect to using the ageall switch) tell the scavenging server to scavenge all records, wouldn't you expect all the records to be scavenged at that point? Wouldn't it be better to mark them all, and wait a cycle or two of refresh prior to pushing the issue? Otherwise, the most immediate way to do this would be to delete the zone. I don't recommend that however :)

On 12/7/06, Daniel Gilbert [EMAIL PROTECTED] wrote:

I have a rather off the wall DNS scavenging question. I have a bunch of DNS records that are stale and need to be scavenged out of the zone. Following the O'REILLY book: DNS on Windows Server 2003, I have configured aging and scavenging. (Don't ask why this wasn't done when the zone was first set up, that is another story.) Now I know: "If scavenging is disabled on a standard zone and you enable scavenging, the server does not scavenge records that existed before you enabled scavenging. The server does not scavenge those records even if you convert the zone to an Active Directory–integrated zone first. To enable scavenging of such records, use the AgeAllRecords in Dnscmd.exe." I know this must be done in order to configure existing records to a scavengable state. Is there a way to immediately force a scavenge cycle that will remove all stale records? I would not want to have to wait until the no-refresh and refresh intervals expire. Daniel Gilbert
RE: [ActiveDir] Delegate join computer to domain
Ben, There is a larger list of required ACE entries to JOIN a computer to the domain. They are:

- List Contents
- Read All Properties
- Delete
- Delete Subtree
- Read Perms
- All Extended Rights (gives you Allowed to Authenticate, Change Pwd, Receive As, Reset Pwd, Send As)
- Validate write to DNS host name
- Validated write to service principal name

(Property permissions)

- Write Account Restrictions
- Read DNS Host Name Attributes
- Read Personal Information
- Read Public Information

Good luck! (I'm assuming you're in W2K3 domain mode, because in mixed, Pre-Win2K Compatible Access grants extra permissions letting users join computers, even when dropping the workstation quota to 0). --James

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Thursday, December 07, 2006 1:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Delegate join computer to domain

Hello everyone, Our desktop support group are all a part of a security group called IT. I delegated the Create and Delete Computer ACEs to the security group over the OU that I want them to add computer accounts into when a machine is joined to the domain. After I adjusted the security settings, I reduced the default number of computers an authenticated user can join to the domain down to zero. It seems that the members of the IT security group can pre-create the computer accounts, but when they attempt to go through the join process, they are caught at the check that determines if they have surpassed the number of machines a user can join to the domain (which is now zero). What must I do so this security group is not subject to that check? Thanks, Ben

-Original Message- From: Thompson, Elizabeth [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Cc: [EMAIL PROTECTED] Sent: 12/7/06 11:31 AM Subject: RE: [ActiveDir] Please help me

Check and see if it still has the dead server listed under the NTDS Settings in AD Sites and Services. Had this happen once to me. I manually deleted the NTDS reference and it was happy. Elizabeth Thompson Service and Support Technician/Exchange Admin Information Technology Services The Community College of Baltimore County
RE: [ActiveDir] DNS scavenging question
You are correct. Due to the fact that aging/scavenging was not enabled, the records which were dynamically registered were not stamped with a date/time. Therefore the aging/scavenging process ignores them upon starting its scavenging process. You can use the AgeAllRecords which will do just that. Age ALL your records. You have to be careful though. I haven't proven this but I believe that it will also turn your static records into dynamic records (time stamp them). Then when you run AgeAllRecords... well, guess what?... To prevent this, once you ageallrecords you will have to go back into the DNS console and ensure that static/manually created records you need are not set to "Delete this record when it becomes stale" by unchecking the box in the record properties. You might have to enable the advanced view (View --> Advanced) to view this as well as the timestamp of the record.

Once you've completed this you can then right click on the DNS server name in the DNS console and select "Scavenge Stale Resource Records" or via command prompt: dnscmd servername /StartScavenging

Note: In order to successfully configure Scavenging and Aging you will need to enable it both on the zone and the DNS server. Which I'm sure you have already... but just in case. Right click on server name --> Properties --> Advanced tab --> check "Enable automatic scavenging of stale records", or you can enable it for all zones by right clicking on the server name and selecting "Set Aging/Scavenging for all Zones" --> check the box "Scavenge stale resource records" --> OK --> check the box to apply these settings to the existing Active Directory-integrated zones (if AD integrated) --> OK, then go to the zone and right click --> Properties --> General tab --> Aging button and check "Scavenge stale resource records" --> OK

Hope this will help... please chime in. -vC
[ActiveDir] Delegate join computer to domain
Nevermind guys, I'm out on vacation and I was unable to verify that the desktop support staff were pre-creating the computer accounts properly. I got back to my hotel and was able to VPN in and check up on everything and they were not creating the accounts properly. Everything is working as intended. Thanks, ~Ben
RE: [ActiveDir] DNS scavenging question
I don't believe that static records age, so they should not be affected by scavenging?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kurt Falde Sent: Thursday, December 07, 2006 1:28 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS scavenging question

http://technet2.microsoft.com/WindowsServer/en/library/d652a163-279f-4047-b3e0-0c468a4d69f31033.mspx?mfr=true

dnscmd /startscavenging

I would recommend you make a backup of your zone before you ageall and start scavenging. Have you taken into consideration records that need to be there that you will need to recreate as static entries, i.e. www.company.com etc.?
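The aging rules this thread turns on, modelled in Python as an added example (not code from any list member or from Microsoft): a timestamp of 0 means static, /AgeAllRecords stamps every record with the current time, and a record becomes scavengeable only once the no-refresh plus refresh intervals have passed. The record names, the start date and the 7-day default intervals are assumptions, the sample zone follows the thread's premise that no existing record carries a timestamp, and the model ignores the zone's scavenging start time and the server-level scavenging switch.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Windows DNS stores record timestamps as whole hours since 1601-01-01 UTC.
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
STATIC = 0  # a timestamp of 0 marks a static record, which is never scavenged


def to_hours(moment: datetime) -> int:
    """Convert a datetime to the hour counter used for record timestamps."""
    return int((moment - EPOCH) // timedelta(hours=1))


@dataclass(frozen=True)
class Record:
    name: str
    timestamp: int = STATIC


@dataclass(frozen=True)
class ZoneAging:
    enabled: bool = True
    no_refresh_hours: int = 7 * 24  # assumed default: 7 days
    refresh_hours: int = 7 * 24     # assumed default: 7 days


def is_stale(rec: Record, zone: ZoneAging, now: int) -> bool:
    """A record is scavengeable only if stamped and both intervals have passed."""
    if not zone.enabled or rec.timestamp == STATIC:
        return False
    return now > rec.timestamp + zone.no_refresh_hours + zone.refresh_hours


def age_all_records(records, now: int):
    """Model of dnscmd /AgeAllRecords: stamp everything, static records included."""
    return [replace(r, timestamp=now) for r in records]


def make_static(records, names):
    """Model of unchecking 'Delete this record when it becomes stale'."""
    return [replace(r, timestamp=STATIC) if r.name in names else r for r in records]


def refresh(rec: Record, zone: ZoneAging, now: int) -> Record:
    """A client's dynamic update; it moves the stamp only after the no-refresh interval."""
    if rec.timestamp != STATIC and now >= rec.timestamp + zone.no_refresh_hours:
        return replace(rec, timestamp=now)
    return rec


def scavenge(records, zone: ZoneAging, now: int):
    """Return (kept records, names removed) for one scavenging pass."""
    removed = [r.name for r in records if is_stale(r, zone, now)]
    kept = [r for r in records if not is_stale(r, zone, now)]
    return kept, removed


def simulate():
    zone = ZoneAging()
    t0 = to_hours(datetime(2006, 12, 7, 12, tzinfo=timezone.utc))
    day8 = t0 + 8 * 24
    later = t0 + zone.no_refresh_hours + zone.refresh_hours + 1

    # Constructed sample zone: one hand-made record, one live client, one dead client.
    records = [Record("www"), Record("ws-live"), Record("ws-gone")]
    results = {}

    # 1. Aging enabled but nothing stamped: a forced pass removes nothing.
    _, results["before_ageall"] = scavenge(records, zone, t0)

    # 2. Forced pass immediately after AgeAllRecords: every stamp is "now".
    aged = age_all_records(records, t0)
    _, results["right_after_ageall"] = scavenge(aged, zone, t0)

    def run(recs):
        # ws-live re-registers on day 8; ws-gone never does.
        recs = [refresh(r, zone, day8) if r.name == "ws-live" else r for r in recs]
        return scavenge(recs, zone, later)[1]

    # 3. After both intervals, with the hand-made record reset to static first.
    results["after_intervals"] = run(make_static(aged, {"www"}))

    # 4. Same wait, but nobody reset the hand-made record.
    results["after_intervals_without_fix"] = run(aged)
    return results


if __name__ == "__main__":
    for step, removed in simulate().items():
        print(f"{step}: removed {removed}")
```
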
RE: [ActiveDir] Quest Recovery Manager
I'll see that and raise you... The company I work for makes door furniture, padlocks, etc. We have a competitor in the retail market that has been buying our stock from our customers to gain shelf space in their stores. Now, while we still get the sale, and the stock does initially go on the shelf, it is then removed to make way for the second company's stock seeing as they purchased all our stock from the customer. They end up dumping it. How are we competing with that? We've brought out a 'cheaper' product to compete with theirs (our product is usually higher priced, due to name recognition and quality) and are beating them at their own game by selling a product that sells in greater quantities than their product. No more shelf space problems for us! In fact, due to this new line we are offering, the customer is choosing to no longer stock our competitor at all. themolk.
[ActiveDir] What is Websence
Is it a box or software driven web filtering? Please provide some info on this. -- Thanks, RD
Re: [ActiveDir] Delegate join computer to domain
In the default domain set up ... a domain user can set up 10 computers as was pointed out After I adjusted the security settings, I reduced the default number of computers an authenticated user can join to the domain down to zero. Why not just change the group to have that right again? As you know there's a specific group policy setting for that. What's the risk for this group to not have this right? (Threats and Countermeasures guide discusses the pros/cons) Wells, James Arthur wrote: Ben, There is a larger list of required ACE entries to JOIN a computer to the domain. They are: List Contents Read All Properties Delete Delete Subtree Read Perms All Extended Rights(gives you Allowed to Authenticate Change Pwd Receive As Reset Pwd Send As) Validate write to DNS host name Validated write to service principal name (Property permissions) Write Account Restrictions Read DNS Host Name Attributes Read Personal Information Read Public Information Good luck! (I'm assuming you're in W2K3 domain mode, because in mixed, Pre-Win2K Compatible Access grants extra permissions letting users join computers, even when dropping the workstation quota to 0). --James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Thursday, December 07, 2006 1:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Delegate join computer to domain Hello everyone, Our desktop support group are all a part of a security group called IT. I delegated the Create and Delete Computer ACEs to the security group over the OU that I want them to add computer accounts into when a machine is joined to the domain. After I adjusted the security settings, I reduced the default number of computers an authenticated user can join to the domain down to zero. 
It seems that the members of the IT security group can pre-create the computer accounts, but when they attempt to go through the join process, they are caught at the check that determines if they have surpassed the number of machines a user can join to the domain (which is now zero). What must I do so this security group is not subject to that check? Thanks, Ben -Original Message- From: Thompson, Elizabeth [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org Cc: [EMAIL PROTECTED] [EMAIL PROTECTED] Sent: 12/7/06 11:31 AM Subject: RE: [ActiveDir] Please help me Check and see if it still has the dead server listed under its NTDS Settings in AD Sites and Services. Had this happen once to me. I manually deleted the NTDS reference and it was happy. Elizabeth Thompson Service and Support Technician/Exchange Admin Information Technology Services The Community College of Baltimore County From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, December 07, 2006 10:50 AM To: ActiveDir@mail.activedir.org Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED] Subject: [ActiveDir] Please help me I have a strange problem and can not find any solution. I used DCpromo to depromote a computer. It worked ok, the Domain controller was depromoted. But when I use repadmin to show other DCs' replication, it shows replications from the domain controller depromoted. I didn't find anything to explain how to solve that. Where can I find it, to remove it from replication.
The machine is a network computer, but replication fails with message: SPO-COSTA\SPO-CENTRO5 -- (THIS IS THE DOMAIN CONTROLLER THAT IS NOT A DOMAIN CONTROLLER ANYMORE) DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2 DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS USNs: 13018091/OU, 13018091/PU Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c): A operação de agente do sistema de diretórios (DSA) não pode prosseguir devido a uma falha de pesquisa de DNS. 96 consecutive failure(s). Last success @ 2006-12-01 07:58:08. Adrião Ferreira Ramos Depto. de Operações e Infra-Estrutura - CII.14 [EMAIL PROTECTED] (11) 3388.8193
RE: [ActiveDir] NetBT errors 4321
Okay, and you've ruled out all of this stuff? http://www.eventid.net/display.asp?eventid=4321&eventno=1822&source=NetBT&phase=1 If so, can you do an ipconfig /all on each machine? You can anonymize an octet or two so as to protect your IPs. Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Bembridge Sent: Thursday, December 07, 2006 2:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] NetBT errors 4321 Laura, Sorry for not getting back sooner, the answers to your questions are: Both IP addresses are DC’s. The first IP address is the one exhibiting all the NETBT 4321 event log errors, the second IP address is the DC refusing the name to be claimed. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: 05 December 2006 01:28 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] NetBT errors 4321 Okay, first question- is the first xxx.xxx.xxx.xxx address the same as the second xxx.xxx.xxx.xxx, or are they actually different addresses? Second, if we're talking two IPs, which one is the DC's IP? Basically, I can't get enough from your genericized [I made that word up] error to figure out which machine is which, where this error came from, what machine(s) is/are identified by the IPs in the error, and therefore, why I should care about the Nbstat entries. :-) Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Bembridge Sent: Monday, December 04, 2006 4:23 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] NetBT errors 4321 Hi All, I cannot find a resolution to an event log error that we are having within our development domain; the event is logged every 3-6 mins. I have exhausted the internet results but to no avail, any help would be greatly appreciated. We have two DC’s living on different subnets both acting as BH servers.
1st DC holds all FSMO roles, single domain, D FFL 2003 Anyway below is the event log message I have done all the searches possible and come up with nothing at all. Source NetBT EventID: 4321 The name “DEV….:Id” Could not be registered on the interface with IP address xxx.xxx.xxx.xxx The machine with the IP address xxx.xxx.xxx.xxx did not allow the name to be claimed by the machine. The results of both DC’s are as follows: Nbtstat –an DC1 DC2 00 unique 00 unique 00 Group 00 Group 1c Group 1c Group 20 Unique 20 Unique 1D Unique 1E Group 1E Group -MSBROWSE Mac address
RE: [ActiveDir] What is Websence
Websense is software you put on one or more servers to do the filtering of http requests. You can either do it parallel to your firewalls (Pixen and others support passing http requests to a Websense farm in realtime), or I believe you can put them inline as a proxy. If you're doing a large deployment of it there is significant planning involved, FYI. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra Sent: Thursday, December 07, 2006 6:30 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] What is Websence Is it a box or software driven web filtering. Please provide some info on this. -- Thanks, RD
RE: [ActiveDir] What is Websence
You can check their website: www.websense.com I evaluated the software version a couple of months ago and wasn't impressed -- stayed with SurfControl. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra Sent: Thursday, December 07, 2006 4:30 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] What is Websence Is it a box or software driven web filtering. Please provide some info on this. -- Thanks, RD
RE: [ActiveDir] What is Websence
http://www.websense.com/docs/Datasheets/en/v6.3/Websense_ProductOverview.pdf http://www.websense.com/global/en/Partners/TAPartners/SecurityEcosystem/ Depending upon which websense product you're referencing, it can be an appliance or just software. Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra Sent: Thursday, December 07, 2006 6:30 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] What is Websence Is it a box or software driven web filtering. Please provide some info on this. -- Thanks, RD
RE: [ActiveDir] What is Websence
The WebSense deployment we have uses a combination of Cisco hardware and a Windows-based server. The Cisco product (in our case a Catalyst 6509) using WCCP redirects web traffic to a Windows-based server for content inspection and then filters the traffic based upon a list of policies. Web traffic destined for inappropriate sites is presented with a web page stating that the site they are trying to reach is blocked. The redirection can also come in the form of policy based routing as well. WebSense can also connect to AD and allow overrides and logging of web surfing. AD groups can be abstained from certain policies. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra Sent: Thursday, December 07, 2006 3:30 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] What is Websence Is it a box or software driven web filtering. Please provide some info on this. -- Thanks, RD
RE: [ActiveDir] What is Websence
Umm, it's a suite of products and services. Depends on what you buy :-) http://www.websense.com/global/en/ProductsServices/ What we have for our websense installation is several windows servers that serve as content filters and proxy servers with a subscription based filter. All the logs roll to a common reporting database, they sit behind load balancers so client proxy configuration and redundancy is simplified. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra Sent: Thursday, December 07, 2006 3:30 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] What is Websence Is it a box or software driven web filtering. Please provide some info on this. -- Thanks, RD
RE: [ActiveDir] Delegate join computer to domain
Not really the risk - more the ability to delegate the right on a very granular level. Semi-independent organizations are given OUs in our domains, with limited rights. One of those rights needed to be the ability to precreate computer objects and then join them to the domain (and to be nice, to allow one SA to create the object and a DIFFERENT SA to join the computer, so the extra parameter in ADUC at creation time to specify a security principal didn't help). We also use Quest ActiveRoles for AD security ACLs and auditing, so we needed to know the specific ACEs necessary... and, voila! Now, if there were some way to script the delegation wizard tasks, and build in easy auditing and administration like Quest ActiveRoles has, I would have gone that route...but not sure such an API exists... The GPO wasn't the direction we wanted to go, because we also handle patching and compliance (different apps for different OUs even), so computers going into the Computers container isn't a good option, which I think that GPO would allow for - correct? (That's why WE did all of the above. Not sure what Ben's list of goals is). --James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Thursday, December 07, 2006 5:54 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Delegate join computer to domain In the default domain set up ... a domain user can set up 10 computers as was pointed out After I adjusted the security settings, I reduced the default number of computers an authenticated user can join to the domain down to zero. Why not just change the group to have that right again? As you know there's a specific group policy setting for that. What's the risk for this group to not have this right? (Threats and Countermeasures guide discusses the pros/cons) Wells, James Arthur wrote: Ben, There is a larger list of required ACE entries to JOIN a computer to the domain. 
They are: List Contents Read All Properties Delete Delete Subtree Read Perms All Extended Rights(gives you Allowed to Authenticate Change Pwd Receive As Reset Pwd Send As) Validate write to DNS host name Validated write to service principal name (Property permissions) Write Account Restrictions Read DNS Host Name Attributes Read Personal Information Read Public Information Good luck! (I'm assuming you're in W2K3 domain mode, because in mixed, Pre-Win2K Compatible Access grants extra permissions letting users join computers, even when dropping the workstation quota to 0). --James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Thursday, December 07, 2006 1:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Delegate join computer to domain Hello everyone, Our desktop support group are all a part of a security group called IT. I delegated the Create and Delete Computer ACEs to the security group over the OU that I want them to add computer accounts into when a machine is joined to the domain. After I adjusted the security settings, I reduced the default number of computers an authenticated user can join to the domain down to zero. It seems that the members of the IT security group can pre-create the computer accounts, but when they attempt to go through the join process, they are caught at the check that determines if they have surpassed the number of machines a user can join to the domain (which is now zero). What must I do so this security group is not subject to that check? Thanks, Ben -Original Message- From: Thompson, Elizabeth [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org Cc: [EMAIL PROTECTED] [EMAIL PROTECTED] Sent: 12/7/06 11:31 AM Subject: RE: [ActiveDir] Please help me Check and see if it still has the dead server listed under its the NTDS Settings in AD Sites and Services. Had this happen once to me. I manually deleted the NTDS reference and it was happy. 
Elizabeth Thompson Service and Support Technician/Exchange Admin Information Technology Services The Community College of Baltimore County From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, December 07, 2006 10:50 AM To: ActiveDir@mail.activedir.org Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED] Subject: [ActiveDir] Please help me I have a strange problem and can not find any solution. I used DCpromo to depromote a computer. It worked ok, the Domain controller was depromoted. But when I use repadmin to show other DCs' replication, it shows replications from the domain controller depromoted. I didn't find anything to explain how to solve that. Where can I find it, to remove it from replication. The machine is a network computer, but
RE: [ActiveDir] DNS scavenging question
Thanks for the input. Luckily for us we do not have any static records, at least I have not created any but I will check with the other Admins to be sure. I thought AGEALLRECORDS would bring the prior records into the fold and then they would be scavenged out in the next cycle. Guess we will give it a try and let everyone know how it turned out. Dan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona Sent: Thursday, December 07, 2006 3:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS scavenging question You are correct. Due to the fact that aging/scavenging was not enabled the records which were dynamically registered were not stamped with a date/time. Therefore the aging/scavenging process ignores them upon starting its scavenging process. You can use the AgeAllRecords which will do just that. Age ALL your records. You have to be careful though. I haven't proven this but I believe that it will also turn your static records into dynamic record (time stamp them). Then when you run AgeAllRecords... well guess what?... To prevent this, once you ageallrecords you will have to go back into the DNS console and ensure that static/manually created records you need are not set to Delete this record when it becomes stale by unchecking the box in the record properties. You might have to enable the advanced view (View --Advanced) to view this as well as the timestamp of the record. Once you've completed this you can then right click on the DNS server name in the DNS console and select Scavenge Stale Resource Records or via command prompt: dnscmd servername /StartScavenging Note: In order to successfully configure Scavenging and Aging you will need to enable it both on the zone and the DNS server. Which I'm sure you have already... but just in case. 
Right click on server name--Properties--Advanced tab--check the Enable automatic scavenging of stale records or you can enable it for all zones by right clicking on the server name and selecting Set Aging/Scavenging for all Zones.--check the box Scavenge stale resource records--OK--check the box to apply these settings to the existing Active Directory-integrated zones (if AD integrated)--OK then go to the zone and right click--Properties--General tab--Aging button and check the Scavenge stale resource records--OK Hope this will help... please chime in. -vC -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert Sent: Thursday, December 07, 2006 11:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DNS scavenging question I have a rather off the wall DNS scavenging question. I have a bunch of DNS records that are stale and need to be scavenged out of the zone. Following the O'REILLY book: DNS on Windows Server 2003 I have configured aging and scavenging. (Don't ask why this wasn't done when the zone was first setup, that is another story) Now I know: If scavenging is disabled on a standard zone and you enable scavenging, the server does not scavenge records that existed before you enabled scavenging. The server does not scavenge those records even if you convert the zone to an Active Directory-integrated zone first. To enable scavenging of such records, use the AgeAllRecords in Dnscmd.exe. I know this must be done in order to configure existing records to a scavengable state. Is there a way to immediately force a scavenge cycle that will remove all stale records? I would not want to have to wait until the no-refresh and refresh intervals expire. Daniel Gilbert
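A simplified model of the aging rules discussed in this thread, added here as an illustration (it is not code from any poster or from Microsoft): a record with no time stamp is never scavenged, AgeAllRecords stamps every record with the current time, and a stamped record only becomes stale once the no-refresh plus refresh intervals have passed. The record names, the 7-day intervals and the `protect` helper (standing in for unchecking "Delete this record when it becomes stale") are constructed for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    name: str
    # None models a record that carries no time stamp (static, or never aged).
    timestamp: Optional[datetime] = None


@dataclass(frozen=True)
class Zone:
    aging_enabled: bool          # "Scavenge stale resource records" on the zone
    no_refresh: timedelta
    refresh: timedelta
    records: Tuple[Record, ...]


def is_stale(rec: Record, zone: Zone, now: datetime) -> bool:
    """A record is stale only if it is stamped and both intervals have passed."""
    if rec.timestamp is None:
        return False
    return now > rec.timestamp + zone.no_refresh + zone.refresh


def age_all_records(zone: Zone, now: datetime) -> Zone:
    """Model of dnscmd /AgeAllRecords: stamp every record with the current time,
    static records included."""
    return replace(zone, records=tuple(replace(r, timestamp=now) for r in zone.records))


def protect(zone: Zone, names: List[str]) -> Zone:
    """Hypothetical helper: clear the stamp on records that must stay static."""
    keep = set(names)
    return replace(zone, records=tuple(
        replace(r, timestamp=None) if r.name in keep else r for r in zone.records))


def scavenge(zone: Zone, server_scavenging: bool, now: datetime) -> Tuple[Zone, List[str]]:
    """One scavenging pass. Returns (zone afterwards, names removed).
    Follows the thread's note that the setting is needed on zone and server."""
    if not (server_scavenging and zone.aging_enabled):
        return zone, []
    removed = [r.name for r in zone.records if is_stale(r, zone, now)]
    kept = tuple(r for r in zone.records if r.name not in removed)
    return replace(zone, records=kept), removed


def walk_through() -> dict:
    """Constructed scenario: two leftover workstation records and one static
    server record, none of them time stamped when aging is first enabled."""
    t0 = datetime(2006, 12, 7, 12, 0)
    week = timedelta(days=7)
    zone = Zone(True, week, week, (
        Record("ws-retired-01"), Record("ws-retired-02"), Record("fileserver")))
    results = {}

    # Unstamped records are ignored, however old they really are.
    _, results["before_aging"] = scavenge(zone, True, t0)

    # AgeAllRecords stamps them "now", so an immediate pass still removes nothing.
    aged = age_all_records(zone, t0)
    _, results["right_after_aging"] = scavenge(aged, True, t0)

    # Once no-refresh + refresh have elapsed, every unrefreshed record goes,
    # including the formerly static one.
    later = t0 + 2 * week + timedelta(hours=1)
    _, results["after_intervals"] = scavenge(aged, True, later)

    # Clearing the stamp on the static record before the pass keeps it.
    _, results["static_protected"] = scavenge(protect(aged, ["fileserver"]), True, later)

    # With scavenging off at the server, nothing is removed.
    _, results["server_setting_off"] = scavenge(aged, False, later)
    return results


if __name__ == "__main__":
    for step, removed in walk_through().items():
        print(f"{step}: removed {removed}")
```
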
RE: [ActiveDir] OT: Vista Activation and KMS
Okay, let me see if I can summarize this in a gazillion words or less... There are two types of activations for Vista- MAK activation and KMS activation. MAK activation works much like an MSDN subscription. You tell Microsoft how many MAK activations you want to purchase. Microsoft sells you a MAK key with that many activations. A machine that is activated via MAK activation never has to renew. A MAK-activated client either directly contacts Microsoft servers for activation or (in 2007, when the VAMT tool is released) it activates against a proxy in your company that feeds the activation to Microsoft activation servers. If you reinstall the OS and specify MAK activation again, then that will use another of your allocated activations. MAK activation is designed for machines that are NEVER connected to your network (VPN counts as connected) in any given six-month period. Therefore, we're talking about a machine that goes out your door and you don't see it again for a very long time. MAK keys should not be commonly or lightly used. In the reinstall scenario, much as you can now, you can contact Microsoft at that time and explain the situation and get another activation. KMS activation DOES NOT REPORT ANYTHING TO MICROSOFT. You activate the KMS host against a Microsoft activation server, and your KMS clients get activated by YOUR KMS host. Once a week, they try to renew. If renewal is successful, the KMS client now has six months from that day to renew again. The client will still renew once a week and will be extending that six month window each time. In other words, you always have six months from initial activation or renewal of activation before the client MUST contact a KMS host again. If it's day 179 and your KMS host has been down that entire time, when you bring it back up on day 179, your clients can renew their activations for another six months. 
During those 179 days while the KMS host was down, they are unaffected unless their 180 days of validity expired during that time and they were unable to locate and contact another KMS server. If you reinstall the OS on a KMS-activated client, IT DOESN'T MATTER, because Microsoft doesn't track KMS clients. In fact, even the KMS server only keeps track of the last fifty activations it has performed. Now, if you want to keep this information for your own records, you can easily extract it from the event logs or you can use the MOM management pack for KMS. With KMS activation, you are simply saying to Microsoft, we anticipate that we will have 10,000 [or whatever] Vista clients. Therefore, we'll pay you for that many Vista clients. That's the end of the story as far as Microsoft is concerned. If you exceed 10,000 active Vista clients, then you're in violation of your agreement, but Microsoft won't know about it via some magic mechanism. KMS-activated clients don't talk to Microsoft. They talk to your KMS host. The step-by-step guide I referenced tends to look dry and overwhelming to people and I suspect that many folks don't really sit down and take the time to read it thoroughly (can't blame 'em), but it really is all explained there. Laura Hopefully I didn't put any typos or other doofusness in the above; it's been a bad week for me when it comes to typing. :-) _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade Sent: Thursday, December 07, 2006 5:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Vista Activation and KMS I have read all this, and it seems any thing but straight forward to me. It looks like we are going to have to invest a lot more money in managing licenses. I could also find nothing about what happens if we need to re-install Windows. It appears we need to re-activate, and it appears as its a new sid it will use a second license... Any one any pointers on this? 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: 05 December 2006 00:57 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Vista Activation and KMS Actually, it is clearly documented, along with a lot more information on KMS, MAK and Vista Volume Activation (btw, Volume Licensing doesn't exist in Vista; VL and VA are not the same things). You probably don't want to get me started on a big long explanation of how volume activation works, so I'll just point you to this site: http://www.microsoft.com/technet/windowsvista/plan/volact.mspx :-) I highly recommend both the FAQ and the step-by-step guide. The latter provides information on how to change from KMS to MAK and vice versa (there are several ways), as well as documentation of defaults, configuration options, etc. Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi Sent: Monday, December 04, 2006 2:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT:
Re: [ActiveDir] Quest Recovery Manager
Interesting strategy .. I can't seem to find the point why they would buy it. Since they are one of your biggest customers have you contacted them to discuss volume pricing ? Martin - Original Message - From: Molkentin, Steve [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, December 07, 2006 3:20 PM Subject: RE: [ActiveDir] Quest Recovery Manager I'll see that and raise you... The company I work for makes door furniture, padlocks, etc. We have a competitor in the retail market that has been buying our stock from our customers to gain shelf space in their stores. Now, while we still get the sale, and the stock does initially go on the shelf, it is then removed to make way for the second company's stock seeing as they purchased all our stock from the customer. They end up dumping it. How are we competing with that? We've brought out a 'cheaper' product to compete with theirs (our product is usually higher priced, due to name recognition and quality) and are beating them at their own game by selling a product that sells in greater quantities than their product. No more shelf space problems for us! In fact, due to this new line we are offering, the customer is choosing to no longer stock our competitor at all. themolk. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Sent: Friday, 8 December 2006 7:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quest Recovery Manager Understood Gil, I wonder what would happen if the Federal Trade Commission got wind of such activity. Depending on who is in office... they tend to frown upon that type of activity, especially from companies outside of the US. 
Todd -Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Thursday, December 07, 2006 2:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quest Recovery Manager Just to give an idea of how insane it can get... A good friend of mine works at a software company (not in the Microsoft space)... let's call it company G. Company G is small (300 people or so) and privately held, with a superior product. Company G's main competition is Company W, a large, bloated publicly held company, with a decidedly inferior product. Company W hasn't developed anything innovative in years... all their new products have come through acquisitions. Now check this out: Company G has a competitive sales program for Company W's customers. If a customer has decided on Company W, for whatever reason, and there is no way that they will buy Company G's product, Company G will work with the customer to provide a competitive bid *just to drive Company W's prices down.* The customer doesn't even have to look at Company G's products. Now THAT's ruthless sales behavior! -gil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Sent: Thursday, December 07, 2006 10:12 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quest Recovery Manager I would say companies competing via innovative features benefit customers more than just low balling each other in this space / vertical market. And just like a free puppy... If you don't train it... you eventually have to call in the Directory Whispers. I think I might have just found some inspiration for a new TV Show. Todd -Original Message- From: Martin Tuip [mailto:[EMAIL PROTECTED] Sent: Thursday, December 07, 2006 8:16 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Quest Recovery Manager Competition benefits customers. 
Martin - Original Message - From: Gil Kirkpatrick [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Wednesday, December 06, 2006 7:46 PM Subject: RE: [ActiveDir] Quest Recovery Manager It gets even nuttier in competitive situations. Bring in the NetPro products for eval, and watch how fast the Quest price goes to zero. It's like the old Crazy Eddy's TV ads in New York. Of course it's free like a puppy... :) -gil From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia Sent: Wed 12/6/2006 4:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quest Recovery Manager The Quest guys told me the other day they had a lot of leeway on some pricing for one of my clients so I'm wondering if this is the end of the year for the salesmen and they need to make their year this month (if so this is an excellent time to buy Quest software) Ha! Show me a sales person from ANY software company who doesn't get that wide-eyed, crazed, foaming-at-the-mouth look in his or her eye around quarter-end or year-end and I'll show you a sales person that is about to be fired. It's part of the game. Gotta make quota, esp. at year end, and to do that, you gotta discount! I would think most IT shops are wise to it by now. It's kind of a sick dance we all do :-) Darren From:
RE: [ActiveDir] DNS scavenging question
Hi Daniel

If this is an AD-integrated zone, it might be helpful to back up the zone to file before you go ahead with the change - just in case you lose any records you might later want back.

http://www.activedir.org/article.aspx?aid=102

Tony

---------- Original Message ----------
From: Daniel Gilbert [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date: Thu, 7 Dec 2006 19:22:25 -0700

Thanks for the input. Luckily for us we do not have any static records, at least I have not created any, but I will check with the other Admins to be sure. I thought AGEALLRECORDS would bring the prior records into the fold and then they would be scavenged out in the next cycle. Guess we will give it a try and let everyone know how it turned out.

Dan

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Thursday, December 07, 2006 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS scavenging question

You are correct. Due to the fact that aging/scavenging was not enabled, the records which were dynamically registered were not stamped with a date/time. Therefore the aging/scavenging process ignores them upon starting its scavenging process. You can use the AgeAllRecords which will do just that. Age ALL your records.

You have to be careful though. I haven't proven this but I believe that it will also turn your static records into dynamic records (time stamp them). Then when you run AgeAllRecords...well guess what?... To prevent this, once you ageallrecords you will have to go back into the DNS console and ensure that static/manually created records you need are not set to "Delete this record when it becomes stale" by unchecking the box in the record properties. You might have to enable the advanced view (View --> Advanced) to view this as well as the timestamp of the record.

Once you've completed this you can then right click on the DNS server name in the DNS console and select "Scavenge Stale Resource Records" or via command prompt:

    dnscmd servername /StartScavenging

Note: In order to successfully configure Scavenging and Aging you will need to enable it both on the zone and the DNS server. Which I'm sure you have already...but just in case.

Right click on server name --> Properties --> Advanced tab --> check the "Enable automatic scavenging of stale records" or you can enable it for all zones by right clicking on the server name and selecting "Set Aging/Scavenging for all Zones..." --> check the box "Scavenge stale resource records" --> OK --> check the box to apply these settings to the existing Active Directory-integrated zones (if AD integrated) --> OK then go to the zone and right click --> Properties --> General tab --> Aging button and check the "Scavenge stale resource records" --> OK

Hope this will help...please chime in.

-vC

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, December 07, 2006 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS scavenging question

I have a rather off the wall DNS scavenging question. I have a bunch of DNS records that are stale and need to be scavenged out of the zone. Following the O'REILLY book: DNS on Windows Server 2003 I have configured aging and scavenging. (Don't ask why this wasn't done when the zone was first set up, that is another story)

Now I know:

If scavenging is disabled on a standard zone and you enable scavenging, the server does not scavenge records that existed before you enabled scavenging. The server does not scavenge those records even if you convert the zone to an Active Directory-integrated zone first. To enable scavenging of such records, use the AgeAllRecords in Dnscmd.exe.

I know this must be done in order to configure existing records to a scavengable state.

Is there a way to immediately force a scavenge cycle that will remove all stale records? I would not want to have to wait until the no-refresh and refresh intervals expire.

Daniel Gilbert

Sent via the WebMail system at mail.activedir.org

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
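The timing question in this thread, worked through as an added example (a simplified model written for this page, not code from any poster and not the DNS server's implementation). It assumes 7-day no-refresh and refresh intervals and, as suggested in the thread, that AgeAllRecords also stamps static records; the record names and dates are constructed.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Optional

NO_REFRESH = REFRESH = timedelta(days=7)  # assumed example intervals; real values are zone settings

@dataclass(frozen=True)
class Record:
    name: str
    timestamp: Optional[datetime] = None  # None: no timestamp, so scavenging ignores the record

def is_stale(rec, now):
    """Scavengeable only with a timestamp older than no-refresh + refresh."""
    return rec.timestamp is not None and now >= rec.timestamp + NO_REFRESH + REFRESH

def age_all_records(zone, now):
    """Model of AgeAllRecords: stamp every record with the current time (static ones too, by assumption)."""
    return [replace(r, timestamp=now) for r in zone]

def clear_timestamp(zone, names):
    """Model of unchecking 'Delete this record when it becomes stale' on the named records."""
    return [replace(r, timestamp=None) if r.name in names else r for r in zone]

def refresh(zone, name, now):
    """A live client re-registers; the refresh is accepted once the no-refresh interval has passed."""
    return [replace(r, timestamp=now) if r.name == name and r.timestamp is not None
            and now >= r.timestamp + NO_REFRESH else r for r in zone]

def scavenge(zone, now):
    """One scavenging pass: returns (records kept, names removed)."""
    stale = [r for r in zone if is_stale(r, now)]
    return [r for r in zone if r not in stale], [r.name for r in stale]

# Constructed sample zone: aging was never enabled, so no record carries a timestamp.
T0 = datetime(2006, 12, 7, 12, 0)
ZONE = [Record("oldpc01"), Record("laptop07"), Record("www")]  # "www" stands for a static record

def walk_through(protect_static):
    removed = {"before aging": scavenge(ZONE, T0)[1]}
    zone = age_all_records(ZONE, T0)
    if protect_static:
        zone = clear_timestamp(zone, {"www"})
    removed["right after aging"] = scavenge(zone, T0 + timedelta(hours=1))[1]
    zone = refresh(zone, "laptop07", T0 + timedelta(days=8))  # still-live machine
    removed["after both intervals"] = scavenge(zone, T0 + NO_REFRESH + REFRESH)[1]
    return removed

if __name__ == "__main__":
    print(walk_through(False), walk_through(True), sep="\n")
```

In this model a scavenging pass started right after aging removes nothing, because every record has just been stamped; the dead host is removed only once both intervals have elapsed, and the static record survives only if its timestamp was cleared first.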
[ActiveDir] Global Catalog /DNS Question
Hi, I have a mix of Windows and Linux users. Most of my Linux users use Evolution as a mail client which needs to point to a GC for its configuration. My question is does anyone know a way to basically round robin a wildcard entry for those mail clients? So in case the DC/GC they're pointing to crashes half my users won't have to re-point their clients. Thanks in advance - Mike