RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-07 Thread Dave Wade
I have read all this, and it seems anything but straightforward to me.
It looks like we are going to have to invest a lot more money in
managing licenses.

I could also find nothing about what happens if we need to re-install
Windows. It appears we need to re-activate, and it appears as it's a new
SID it will use a second license... Anyone any pointers on this?
 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: 05 December 2006 00:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Vista Activation and KMS


Actually, it is clearly documented, along with a lot more
information on KMS, MAK and Vista Volume Activation (btw, Volume
Licensing doesn't exist in Vista; VL and VA are not the same things).
You probably don't want to get me started on a big long explanation of
how volume activation works, so I'll just point you to this site:
http://www.microsoft.com/technet/windowsvista/plan/volact.mspx
:-)
 
I highly recommend both the FAQ and the step-by-step guide. The
latter provides information on how to change from KMS to MAK and vice
versa (there are several ways), as well as documentation of defaults,
configuration options, etc.
 
Laura
 
 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, December 04, 2006 2:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Vista Activation and KMS



You need to go to Control Panel > System then at the
bottom select Change Product Key. This will allow you to enter your VL
key which will result in Vista activating via the web. Definitely not
well documented unfortunately.

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Monday, December 04, 2006 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Vista Activation and KMS

 

I was testing out the RTM of Vista Enterprise last night
and noticed I didn't have to enter a key at any point during the
install. When Windows tried to activate, it told me there was a DNS
error, so I suspected it looks for a local activation server by default.
Sure enough, in the DNS cache was a lookup for a nonexistent
_vlmcs._tcp.domain.com. Upon further research, it appears Microsoft has
not released KMS yet, and I couldn't find any option to activate
directly with Microsoft. For the moment, is telephone activation the
only option?

Brian Cline, Applications Developer 
Department of Information Technology 
GP Trucking Company, Inc. 
803.936.8595 Direct Line 
800.922.1147 Toll-Free (x8595) 
803.739.1176 Fax 
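
The lookup described in the original question can be reproduced at the wire level. The following is an added example, not part of the original thread: it builds the `_vlmcs._tcp` SRV query and decodes two constructed replies, the NXDOMAIN that matches the reported DNS error and an answer naming a KMS host. The domain `example.test`, the host `kms01` and both sample replies are made up for the illustration.

```python
import struct

SRV_TYPE, IN_CLASS = 33, 1      # RR type SRV (RFC 2782), class IN
RCODE_NXDOMAIN = 3              # "name does not exist"


def kms_srv_name(domain):
    """Service name the activation client looks up, as seen in the DNS cache."""
    return "_vlmcs._tcp." + domain.strip(".")


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("invalid DNS label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(domain, txid=0x1234):
    """Standard query (RD set, one question) for the KMS SRV record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(kms_srv_name(domain))
    return header + question + struct.pack("!HH", SRV_TYPE, IN_CLASS)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # compression pointer
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                   # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return (rcode, sorted list of (priority, weight, port, target))."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                     # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    hosts = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            hosts.append((prio, weight, port, target))
        off += rdlen
    return flags & 0x000F, sorted(hosts)


def discovery_result(msg):
    """Summarise a reply the way an admin would read it."""
    rcode, hosts = parse_response(msg)
    if rcode == RCODE_NXDOMAIN:
        return "no _vlmcs._tcp record published"
    if not hosts:
        return "rcode %d, no SRV answer" % rcode
    return ["%s:%d" % (target, port) for _, _, port, target in hosts]


def constructed_nxdomain(domain):
    """Constructed reply: same question, QR/RD/RA set, RCODE 3."""
    q = build_query(domain)
    return q[:2] + struct.pack("!H", 0x8183) + q[4:]


def constructed_answer(domain, host="kms01", port=1688):
    """Constructed reply with one SRV answer; 1688 is the default KMS TCP port."""
    q = build_query(domain)
    header = q[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    # Target = host label + pointer to the domain labels in the question,
    # which always start at offset 24 (12-byte header + "_vlmcs" + "_tcp").
    rdata = struct.pack("!HHH", 0, 0, port) + encode_name(host)[:-1] + b"\xc0\x18"
    answer = (b"\xc0\x0c"
              + struct.pack("!HHIH", SRV_TYPE, IN_CLASS, 3600, len(rdata))
              + rdata)
    return header + q[12:] + answer


if __name__ == "__main__":
    print(kms_srv_name("example.test"))
    print(discovery_result(constructed_nxdomain("example.test")))
    print(discovery_result(constructed_answer("example.test")))
```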





[ActiveDir] Group Membership Update Frequency

2006-12-07 Thread Thomas Hess

hi there,

When does a server recognize that it is part of an AD global Security group?
Do I have to reboot every system or is there an update frequency where
the server checks the AD?

I need to know this because I want to use Security Group Filtering
with GPOs

Thanks in advance
Thomas
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Pagefile not being seen?

2006-12-07 Thread Larry Wahlers
Thanks, Kevin. Yes, I had read that article before I posted, but it
seemed that I had things set right.

When I put 4096Mb pagefile on one drive, hit the set button, and reboot,
coming back to the screen just before you set the pagefile on all the
drives, it still says 2050 total pagefile on all drives. When I set 2048
on two different drives, then I get the correct number, 4096 total
pagefile on all drives.

Still a mystery. And, what's more, when I changed from 4096 on drive C
to 2048 on C and another 2048 on F, it took two reboots before the total
pagefile on all drives went up to 4096 as expected.

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
 Sent: Wednesday, December 06, 2006 2:32 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Pagefile not being seen?
 
 Check out this article for the Exchange memory settings.  There are a
 few other tweaks in the registry.
 http://support.microsoft.com/kb/815372
 
 Do you have any third-party apps running on your Exchange servers?  I
 have seen memory leaks in third-party apps cause this kind of virtual
 memory issue.  
 2K3 Standard does allow 4GB on a drive.  The way you have it set up with
 2048 on two separate drives will give you a performance boost if they
 are actually separate physical disks or RAID sets.
 
 I have typically heard 1.5 times physical for virtual, but I don't think
 that is as much a best practice as a general rule of thumb.  Depending
 on circumstances I have certainly set it lower or higher.  4 GB virtual
 should certainly be enough.
 
 Sorry for the random order of my answers.  I also have trouble following
 directions and don't play well with others.
 
 Hope this helps
 Kevin
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
 Sent: Wednesday, December 06, 2006 1:28 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Pagefile not being seen?
 
 Colleagues,
 
 On two different Windows 2003 servers in as many weeks I have seen a
 popup when I logged in that says Your system is low on virtual memory.
 Windows is increasing the size of your virtual memory paging file.
 During this process, memory requests for some applications may be
 denied.
 
 On one server, I had 2048 pagefile on C. On the other, I had 4096
 pagefile on C, but the note at the bottom of the screen showed only
 2050. Both servers have 2Gb physical RAM, and both are Exchange 2003
 servers. I have now put 2048 on C: and another 2048 on F: on both
 servers.
 
 So, I wonder if I have things set up right, so I have a few questions:
 
 1. Isn't the pagefile limit in 2K3 Standard 4Gb per drive as I have
 read? Or is it actually 2Gb per drive? 
 2. With 2Gb physical RAM, isn't 4Gb pagefile the standard?
 3. With the /3GB and /USERVA=3030 switches set, which is what I learned
 to do in class, why do I still get the Event Log error message that says
 The memory settings for this server are not optimal for Exchange.?
 
 -- 
 Larry Wahlers
 Concordia Technologies
 The Lutheran Church - Missouri Synod
 mailto:[EMAIL PROTECTED]
 direct office line: (314) 996-1876


RE: [ActiveDir] Pagefile not being seen?

2006-12-07 Thread Larry Wahlers
Thanks, Chuck. If I had more users on these Exchange servers, I'd buy
more memory. But, there are only about 300 users on each one, so I'm
thinking upping the pagefile will do the trick. But, as I wrote to
Kevin, I couldn't get the total pagefile on all drives to be 4GB unless
I split it up between 2 drives, which is not what I expected.
 

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876


 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Pagefile not being seen?


It's better to use 2x installed memory for Exchange as a
starting point.  Splitting the page file on separate physical disks
should be OK as long as it is a total of 4 GB.  Depending on how
much messaging activity you have you might want to bump up the memory to
4 GB and then the pagefile would need to obviously be increased
substantially to about double the installed memory.
 
Chuck 
 
 
Re: [ActiveDir] Quest Recovery Manager

2006-12-07 Thread Martin Tuip

Competition benefits customers.


Martin

- Original Message - 
From: Gil Kirkpatrick [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Wednesday, December 06, 2006 7:46 PM
Subject: RE: [ActiveDir] Quest Recovery Manager


It gets even nuttier in competitive situations. Bring in the NetPro products 
for eval, and watch how fast the Quest price goes to zero. It's like the old 
Crazy Eddy's TV ads in New York.

Of course it's free like a puppy... :)

-gil



From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 12/6/2006 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager



The Quest guys told me the other day they had a lot of leeway on some 
pricing for one of my clients so I'm wondering if this is the end of the 
year for the salesmen and they need to make their year this month (if so 
this is an excellent time to buy Quest software)




Ha! Show me a sales person from ANY software company who doesn't get that 
wide-eyed, crazed, foaming-at-the-mouth look in his or her eye around 
quarter-end or year-end and I'll show you a sales person that is about to be 
fired. It's part of the game. Gotta make quota, esp. at year end, and to do 
that, you gotta discount! I would think most IT shops are wise to it by now. 
It's kind of a sick dance we all do :)




Darren



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond

Sent: Wednesday, December 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager



Yeah. Sit down with your team and figure out what it is you need - must 
have, would like to have, and nice to have. Then, tell all the vendors you 
want a little webinar (they love these), and then compare your notes after 
each/all of them again. Rule out any ones now that don't do the trick



Then go get ready to have it shoved way up your ass when they give you the 
pricing. Then you can suggest (if they haven't already) that they come 
discuss it in further and plan on a lunch/dinner or two on their dime while 
you further discuss how expensive their stuff is and what they can do for 
you to make it more attractive. The Quest guys told me the other day they 
had a lot of leeway on some pricing for one of my clients so I'm wondering 
if this is the end of the year for the salesmen and they need to make their 
year this month (if so this is an excellent time to buy Quest software).




Now that said, I've worked in a few large shops, and we haven't had any of 
this frilly fancy shit. It's expensive, I hate the per head/per seat/per 
whatever pricing, and frankly all I think it does is idiot proof what's 
already there. Rather than having something do it for you, why don't you 
learn how it does it, because then you'll be smarter, and you can go get a 
new better job with your new found talents.




That said there is some cool shit from quest and NetIQ and those guys - I'm 
into the change control/management stuff in shops where there are too many 
cooks in the kitchen. Quest's migration stuff is of course great if you can 
afford it.




Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd 
(NIH/CC/DCRI) [E]

Sent: Wednesday, December 06, 2006 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager



I don't think there are many independent rankings out there.  You have to 
figure that Windows ITPro and SearchWindows are probably the easiest sources 
to get access to online, but they are influenced by ad dollars sometimes. 
It is possible that Burton Group and possibly Gartner have done some 
research, but I doubt it.  I know that Directions on Microsoft hasn't 
covered it.  It is a pretty niche topic.

I think the best way to approach this is to have a good old-fashioned bake-off 
of the technologies.  Depending how big a player you are, you can probably 
get Quest, NetPro, Veritas, and CommVault to step up.  I would say that all 
the technologies are pretty stable at the moment; there isn't a lot of 
innovation going on anymore, so it is pretty hard to make a mistake choosing 
one of these products.






Todd



From: Tim Onsomu [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 2:06 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager



Does anybody know what independent rankings look like for AD DR tools?




-Original Message-
From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Wed 12/6/2006 9:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

shameless plug

NetPro has an AD data recovery product called RestoreADmin that competes
very well with the Quest product. It solves the AD object recovery
problem nicely.

See 

Re: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommedations?

2006-12-07 Thread Javier Jarava

Thanks for the advice; I really think it's more than two-cents based.

As you suggest, going another route means getting a MAPI plugin for
whatever solution, so you add another complexity layer on the setup.
The only reason I might see to do something like that is price
(exchange is not a cheap beast ;)

On the bringing the thing inhouse issue, the feeling is that having
an MX in-house means inviting all kind of nasties to come knocking
(spammer, DOS-ers, etc) and that means additional babysitting: we don't
have full-time admin staff, but rather the people in the testing dept.
are the ones who run the servers. All of the technical staff are
familiar with AD (after all, we sell a product that is AD-based), but
messaging is another beast... Not to talk about the data pipe needed:
We get quite a lot of spam, and 10+ PPT files are not uncommon ;)

At the moment, if the DSL goes down, the problem is we can't get our
mail, but at least we don't lose any... I might be able to sell a
setup with an entry point (including spam filtering) that is outside
the office, and then having an in-house server.. but again the fact
that over half our employees are NOT in our office makes it difficult
to justify having the server inhouse IMO. Of course, the cost issue has
to be taken into account: maybe an additional DSL line and a part-time
admin may add up to the cost of external mailboxes...

Thanks a lot for the input, anyhow.

 Javier

On 06/12/06, Dave Wade [EMAIL PROTECTED] wrote:

My two cents (these could be euro cents or dollar cents). Exchange and Outlook are designed 
to work together. Despite having declared MAPI dead several times Microsoft continues to 
enhance and expand it, for example with RPC over HTTP. I am pretty sure you will either 
see reduced functionality, or face additional work on the clients to install add-ins if 
you go with a non-exchange based server. That is I support your conclusion that 
getting the real thing is the way to go.

As for infrastructure well I am not sure about the amount of resilience 
that's needed. If you set the users up to use OST files they may be able to tolerate 
short breaks in comms on your DSL, as they will still be able to read existing mails, 
compose new mails and meetings.

Perhaps now is the time to move the query to an Exchange list, there are a 
number of them at Yahoo. Probably :-

http://groups.yahoo.com/group/exchange-2003/


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
 Sent: 06 December 2006 16:57
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Maybe OT: Shared Calendars w/o using
 Exchange? Tips/Suggestions/Recommedations?

 Hi!

 Thanks for the prompt reply...

 As for hosted solutions, I guess that I don't much care
 whether the backend is Exchange, SBS or whatever the hosting
 company chooses to provide ;) From what I've seen
 (http://www.arsys.es/aplicaciones/correo-exchange.htm,
 http://www.acens.com/seccion.web/correo/acens-exchange/678 -
 yes, we are based in Spain - or http://www.mi8.com/ to show
 that I'm looking elsewhere) basically what you get is a
 webbased admin panel and a number of accounts that you
 configure... not too much control but good enough... Of
 course, I'd love to get recommendations for other providers
 or to be shown that not all of them are similar ;)

 As for the lack of a server for 40+ users, well, that's not really
 true: We have an AD (2003) domain (basic setup: single
 forest, single domain, 2 DCs) for the users, it's just that
 the email is hosted on an external server, to avoid downtime
 and lessen the administrative load on network admin (we
 don't have a full time person for that). Also, we currently
 have 2 main offices in Spain (connected by DSL) and people
 working or tele-working in the US, Mexico, Colombia, Germany
 and the UK (2/3 people on each place at most): I believe that
 creating the infrastructure (reliability-wise) to serve all
 those locations inhouse would be a tad expensive and (I
 believe) not really warranted. Of course, I'd love to hear
 opinions either way...

 As for control freak, we have a VPS so we have root on the
 mail server; as a matter of fact the hardest point for the
 internal acceptance of a hosted solution would probably be lack
 of root access on the email server...

 I agree with you that to manage that many (ok, those
 who manage Multi-K domains, please stop laughing) users, AD
 is a must... And, besides, we develop security software
 that runs on top of AD, so it'd be a bit odd if we didn't use
 our own SW ;)

 In any case, I really am starting to believe that the simpler
 thing will be to get the real thing, so the options seem to
 be: 1) Get an Exchange Server inhouse. But that means making
 sure that our DSL line doesn't go down, and having the
 bandwidth etc... 2) House a server on some co-lo. The comm.
 problems disappear, but we still have to babysit the thing...
 3) Go for a hosted exchange provider. I've 

Re: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommedations?

2006-12-07 Thread Javier Jarava

Hi!

Thanks for the input. At the moment we're paying ~250 € for the VPS
server that hosts our email, so the cost would be similar. Of course I
know that a server+exch. licenses are cheaper in the long run than the
monthly cost of the service.

What worries me is:

- Admin. costs: We develop security software that runs on top of AD,
so all our technical staff is AD-aware (as a matter of fact, I joined
the list for its AD content ;) so we don't have a dedicated admin: the
staff in the testing dept. are the ones who manage our network. But we
don't have messaging experience in-house, and we're worried about the
things that having an MX published brings: spammers and other nasties
knocking on our door, etc.

- DSL provider: We're already working with the ex-national telco;
they're the ones who -the local wisdom goes- provide better service.
But we have experienced downtimes every now and then. Having an
external MX would be an idea :)

- Bandwidth: We have a 8mb/1Mb line. Our worry is with the outgoing
leg: if the mail server is behind a 1mb line, and around half our
staff is hitting it from the internet, we believe the office might end
up being a bit internet-starved.

In any case, you've got me thinking on the issue :) It's not as
clear-cut as I would've liked ;)

Thanks a lot for your advice.

 JJ

On 06/12/06, Brian Desmond [EMAIL PROTECTED] wrote:

Well with 40 people you're paying 280 euro a month. Some quick currency 
conversions tell me that an Exchange server for an org your size would likely 
set you back between 2300 and 3000 Euro from Dell. 280 goes into 2300 8.2 times 
- or it will pay for itself in 9 months.

If you're already managing AD and other infrastructure, Exchange isn't going to 
add that much overhead. Create the mailboxes for your users, import the PSTs or 
whatever they have now, and make sure it's getting backed up and updated (which 
I'm sure you're already doing with your other servers). Has the DSL been 
reliable so far? If so, then I wouldn't worry about it. If not, either get a 
better DSL provider or find someone to be your MX or backup MX.

Regarding bandwidth, ADSL goes to 6mbps these days - what limitations are on 
your circuit? Outlook 2003 in cached mode doesn't chew that much.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Javier Jarava
 Sent: Wednesday, December 06, 2006 11:57 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange?
 Tips/Suggestions/Recommedations?

 Hi!

 Thanks for the prompt reply...

 As for hosted solutions, I guess that I don't much care whether the
 backend is Exchange, SBS or whatever the hosting company chooses to
 provide ;) From what I've seen
 (http://www.arsys.es/aplicaciones/correo-exchange.htm,
 http://www.acens.com/seccion.web/correo/acens-exchange/678 - yes, we
 are based in Spain - or http://www.mi8.com/ to show that I'm looking
 elsewhere) basically what you get is a webbased admin panel and a
 number of accounts that you configure... not too much control but
 good enough... Of course, I'd love to get recommendations for other
 providers or to be shown that not all of them are similar ;)

 As for the lack of a server for 40+ users, well, that's not really
 true: We have an AD (2003) domain (basic setup: single forest, single
 domain, 2 DCs) for the users, it's just that the email is hosted on an
 external server, to avoid downtime and lessen the administrative load
 on network admin (we don't have a full time person for that). Also,
 we currently have 2 main offices in Spain (connected by DSL) and people
 working or tele-working in the US, Mexico, Colombia, Germany and the
 UK (2/3 people on each place at most): I believe that creating the
 infrastructure (reliability-wise) to serve all those locations inhouse
 would be a tad expensive and (I believe) not really warranted. Of
 course, I'd love to hear opinions either way...

 As for control freak, we have a VPS so we have root on the mail
 server; as a matter of fact the hardest point for the internal
 acceptance of a hosted solution would probably be lack of root access
 on the email server...

 I agree with you that to manage that many (ok, those who manage
 Multi-K domains, please stop laughing) users, AD is a must... And,
 besides, we develop security software that runs on top of AD, so it'd
 be a bit odd if we didn't use our own SW ;)

 In any case, I really am starting to believe that the simpler thing
 will be to get the real thing, so the options seem to be: 1) Get an
 Exchange Server inhouse. But that means making sure that our DSL line
 doesn't go down, and having the bandwidth etc... 2) House a server on
 some co-lo. The comm. problems disappear, but we still have to babysit
 the thing... 3) Go for a hosted exchange provider. I've seen offers on
 the range of ~7€/mo/user; I believe that for a limited 

[ActiveDir] DFS-R Issue

2006-12-07 Thread Steve Comeau
All,

We have some issues where folders with DFS-R implemented have what I
call relapse.  Here are some symptoms.  We can add files and folders,
no problem.  We can change file names, no problem.  When we rename
folders, we have a problem - many times, the folder name reverts back to
the old name.  It will take us 3-5 tries before the rename takes.
Sometimes, when we modify a file, later that day, the file reverts back
to the original status (e.g. an Excel spreadsheet with added data).
Not all our folders and files exhibit this issue.

Has anyone come across these symptoms and/or have recommendations?

Our setup has 2 sites, with a domain controller in each, Win2k3 R2, with
at least 100Mb connectivity between sites.  The folders replicated are
about 180G of data total, but the daily changes are very minimal (my
guess is 100M/day max).  We don't schedule the replication due to the
abundant bandwidth.  Actually, we do schedule one folder to replicate at
night because that folder has been giving me the most issues.  Since I
have changed from instant replication to a scheduled replication at
night, the problem seems to have been alleviated.  However, all the
other folders require immediate replication.

Thank you!

Steve Comeau
IT Manager
Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com




[ActiveDir] OT: SpecOps GPUPDATE tool

2006-12-07 Thread McCann, Danny
Hi

Has anyone used the WoL feature of this tool? If so, can you let me know
of any issues that you came across please? We are currently only
interested in the Shutdown/WoL feature, and would be interested to know
how it obtains the MAC addresses required and the method of transmission
of the wake up packet across the subnets - to keep our active network
team happy. They had a recent incident with a Ghost server and they're a
bit edgy. :)

Cheers

Danny



RE: [ActiveDir] OT: SpecOps GPUPDATE tool

2006-12-07 Thread neil.ruston
I would expect specops to provide that info, if I were in your position.
 
neil


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: 07 December 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SpecOps GPUPDATE tool



Hi 

Has anyone used the WoL feature of this tool? If so, can you let me know
of any issues that you came across please? We are currently only
interested in the Shutdown/WoL feature, and would be interested to know
how it obtains the MAC addresses required and the method of transmission
of the wake up packet across the subnets - to keep our active network
team happy. They had a recent incident with a Ghost server and they're a
bit edgy. :)

Cheers 

Danny 





RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-07 Thread Khurshid_Anwar
Return Receipt

Your document: RE: [ActiveDir] OT: Vista Activation and KMS
was received by: [EMAIL PROTECTED]
at: 12/07/2006 09:42:44 AM EST

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


Re: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommedations?

2006-12-07 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]


All three lists are populated by folks that are var/vaps that do the 
IT for small businesses.  You say that you are concerned about dedicated 
messaging admin... you outsource it.  You get a Brian to be your 
admin for you.


MX records published? 
First off my MX records point to a hosted pre-filterer that cleans the 
spam and then forwards it to me.  Email these days is boring... As far 
as knocking on your door you have that now if you have a server and 
open ports.


And I'm a SBS box if I reboot for that Exchange patch that came down 
from WSUS yesterday ...is my mail offline?  Nope 'cause the MX record at 
Exchangedefender.com is up 24/7.


There's a ton of pre Exchange hosted platforms that stay up so you 
don't have to.


Even without the pre-Exchange stuff... we use backup MX records around 
my space all the time to hold email while the server is rebooting or 
down or whatever.


Quite frankly...as an admin/postmaster for several listserves, it's a 
miracle email gets delivered at all. there's a lot more moving parts 
that email relies on than just your MX record.


There's ways to deal with these issues and quite frankly every SBS box 
on the planet is chugging along just fine with typically no dedicated 
admin on staff and no messaging admin.


Javier Jarava wrote:

Hi!

Thanks for the input. At the moment we're paying ~250 € for the VPS
server that host our email, so the cost would be similar. Of course I
know that a server+exch. licenses are cheaper on the long run than the
monthly cost of the service.

What worries me is:

- Admin. costs: We develop security software that runs on top of AD,
so all our technical staff is AD-aware (as a matter of fact, I joined
the list for its AD content ;) so we don't have a dedicated admin: the
staff in the testing dept. are the ones who manage our network. But we
don't have messaging experience in-house, and we're worried about the
things that having an MX published brings: spammers and other nasties
knocking on our door, etc.

- DSL provider: We're already working with the ex-national telco;
they're the ones who -the local wisdom goes- provide better service.
But we have experienced downtimes every now and then. Having an
external MX would be an idea :)

- Bandwidth: We have a 8mb/1Mb line. Our worry is with the outgoing
leg: if the mail server is behind a 1mb line, and around half our
staff is hitting it from the internet, we believe the office might end
up being a bit internet-starved.

In any case, you've got me thinking on the issue :) It's not as
clear-cut as I would've liked ;)

Thanks a lot for your advice.

 JJ

On 06/12/06, Brian Desmond [EMAIL PROTECTED] wrote:
Well with 40 people you're paying 280 euro a month. Some quick 
currency conversions tell me that an Exchange server for an org your 
size would likely set you back between 2300 and 3000 Euro from Dell. 
280 goes into 2300 8.2 times - or it will pay for itself in 9 months.


If you're already managing AD and other infrastructure, Exchange 
isn't going to add that much overhead. Create the mailboxes for your 
users, import the PSTs or whatever they have now, and make sure it's 
getting backed up and updated (which I'm sure you're already doing 
with your other servers). Has the DSL been reliable so far? If so, 
then I wouldn't worry about it. If not, either get a better DSL 
provider or find someone to be your MX or backup MX.


Regarding bandwidth, ADSL goes to 6mbps these days - what limitations 
are on your circuit? Outlook 2003 in cached mode doesn't chew that much.


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Javier Jarava
 Sent: Wednesday, December 06, 2006 11:57 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Maybe OT: Shared Calendars w/o using 
Exchange?

 Tips/Suggestions/Recommedations?

 Hi!

 Thanks for the prompt reply...

 As for hosted solutions, I guess that I don't much care whether the
 backend is Exchange, SBS or whatever the hosting company chooses to
 provide ;) From what I've seen
 (http://www.arsys.es/aplicaciones/correo-exchange.htm,
 http://www.acens.com/seccion.web/correo/acens-exchange/678 - yes, we
 are based in Spain - or http://www.mi8.com/ to show that I'm looking
 elsewhere) basically what you get is a webbased admin panel and a
 number of accounts that you configure... not too much control but
 good enough. Of course, I'd love to get recommendations for other
 providers or to be shown that not all of them are similar ;)

 As for the lack of a server for 40+ users, well, that's not really
 true: We have an AD (2003) domain (basic setup: single forest, single
 domain, 2 DCs) for the users, it's just that the email is hosted on a
 external server, to avoid downtime and lessen the administrative load
 on network admin (we don't have a full time person for 

[ActiveDir] http://www.microsoft.com/technet/security/advisory/929433.mspx

2006-12-07 Thread Ramon Linan
I don't know if someone already ported this, but just in case.

http://www.microsoft.com/technet/security/advisory/929433.mspx

Rezuma


RE: [ActiveDir] Users Not receiving Logon Script GPO

2006-12-07 Thread Washington, Booker
I think I nailed it.

I have a separate Folder Redirection policy that was set for loopback
processing, and the mode was set to replace.

I think that overrode the separate GPO for the users that applied the
logon script.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Blair, James
Sent: Wednesday, December 06, 2006 6:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Users Not receiving Logon Script GPO

 

Booker,

Have a look at the security filtering component of the policy and verify
that designated users have Read and Apply Group Policy. I would
implicitly add one of the affected users to the security filtering and see,
post gpupdate, whether the policy is applied. Check if block inheritance
is not enabled and temporarily enforce the policy to see if it is
applied.

What does GPResult come back with from one of the affected users?

James

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Washington,
Booker
Sent: Thursday, 7 December 2006 7:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Users Not receiving Logon Script GPO

 

 

 I have a situation wherein after I applied a Folder redirection policy
 to a group of users, wherein I had a deny set on the apply group policy
 for the Group wherein I had the users computer and user accounts

 Now all of a sudden, for an entirely different User logon Script
 policy (Separate GPO), the policy will not flow down to the users.  I
 have moved the users to different OUs with different user logon script
 GPOs, and none of the GPOs seem to make it to the users, even though an
 RSoP shows that the users are in the right OU to receive the policy.

 Furthermore, if I perform a GPO Model of the user, or even of the
 container that has the users, the model SHOWS that the user logon script
 GPO should apply...

 But by using the GP results wizard, the policy will not show in the
 user Applied Policy section and via checking, it is not in the denied
 policy section either.

 The policy simply will NOT go down to the user.

 As a separate test, if I set a Computer start up policy GPO to the
 computer, after a gpupdate, the Computer will see the policy, but for
 some reason the user(s) will not get the policy.

 Any ideas?

 

 

Let me add that I ran gpotool, and everything for that policy
checks out ok.  Also, there is no special security filtering for the
logon script GPO.

 

 


Note: This email, including any attachments, is confidential. If you
have received this email in error, please advise the sender and delete
it and all copies of it from your system. If you are not the intended
recipient of this email, you must not use, print, distribute, copy or
disclose its content to anyone. 
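
A simplified model of the loopback behaviour this thread arrives at, added here as an illustration and not code from any poster: in Replace mode the user's own OU path is dropped, so the logon script GPO shows up as neither applied nor denied. The OU names, GPO names, group name and setting keys are constructed, and enforcement, block inheritance, site links and WMI filters are left out.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class GPO:
    name: str
    user_settings: Dict[str, str] = field(default_factory=dict)
    computer_settings: Dict[str, str] = field(default_factory=dict)
    # Groups with Deny on "Apply Group Policy" (security filtering).
    deny_apply: FrozenSet[str] = frozenset()


# Constructed layout: container -> GPOs linked there. All names are hypothetical.
LINKS: Dict[str, List[GPO]] = {
    "domain/Staff": [
        GPO("User Logon Script", user_settings={"LogonScript": "logon.cmd"}),
    ],
    "domain/Workstations": [
        GPO("Folder Redirection",
            user_settings={"MyDocuments": r"\\fileserver\home\%USERNAME%"},
            computer_settings={"LoopbackMode": "Replace"},
            deny_apply=frozenset({"Redirection-Exempt"})),
    ],
}


def gpos_on_path(container: str) -> List[GPO]:
    """GPOs linked from the domain root down to `container`; later entries win."""
    parts = container.split("/")
    ordered: List[GPO] = []
    for depth in range(1, len(parts) + 1):
        ordered.extend(LINKS.get("/".join(parts[:depth]), []))
    return ordered


def loopback_mode(computer_ou: str) -> str:
    """Loopback mode from the computer's resultant policy ("None" if unset)."""
    mode = "None"
    for gpo in gpos_on_path(computer_ou):
        mode = gpo.computer_settings.get("LoopbackMode", mode)
    return mode


def resolve_user_policy(user_ou: str, computer_ou: str,
                        user_groups: FrozenSet[str] = frozenset(),
                        mode: Optional[str] = None
                        ) -> Tuple[List[str], List[str], Dict[str, str]]:
    """Return (applied GPO names, denied GPO names, resultant user settings)."""
    mode = mode or loopback_mode(computer_ou)
    if mode == "Replace":    # the user's own OU path is ignored entirely
        candidates = gpos_on_path(computer_ou)
    elif mode == "Merge":    # user's GPOs first, then computer-path GPOs (which win)
        candidates = gpos_on_path(user_ou) + gpos_on_path(computer_ou)
    else:                    # normal processing: only the user's OU path
        candidates = gpos_on_path(user_ou)

    applied: List[str] = []
    denied: List[str] = []
    settings: Dict[str, str] = {}
    for gpo in candidates:
        if not gpo.user_settings:
            continue
        if gpo.deny_apply & user_groups:
            denied.append(gpo.name)
            continue
        applied.append(gpo.name)
        settings.update(gpo.user_settings)
    return applied, denied, settings


if __name__ == "__main__":
    for label, kwargs in [
        ("Replace (as in the thread)", {}),
        ("Merge", {"mode": "Merge"}),
        ("No loopback", {"mode": "None"}),
    ]:
        applied, denied, settings = resolve_user_policy(
            "domain/Staff", "domain/Workstations", **kwargs)
        print(f"{label}: applied={applied} denied={denied} settings={settings}")
```
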

 






[ActiveDir] Please help me

2006-12-07 Thread adriaoramos
I have a strange problem and cannot find any solution.

I used DCpromo to depromote a computer. It worked OK; the domain 
controller was depromoted. But when I use repadmin to show other DCs' 
replication, it shows replications from the depromoted domain controller. I 
didn't find anything to explain how to solve that. 
Where can I find it, to remove it from replication? The machine is 
a network computer, but replication fails with message:

SPO-COSTA\SPO-CENTRO5   --   (THIS IS THE DOMAIN CONTROLLER THAT IS NOT A DOMAIN CONTROLLER ANYMORE)
DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br
DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2
DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
USNs: 13018091/OU, 13018091/PU
Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
A operação de agente do sistema de diretórios (DSA) não pode prosseguir devido a uma falha de pesquisa de DNS.
96 consecutive failure(s).
Last success @ 2006-12-01 07:58:08.

 
Adrião Ferreira Ramos 

Depto. de Operações e Infra-Estrutura - CII.14

[EMAIL PROTECTED]


(11) 3388.8193




This message may contain confidential and/or privileged information. If 
you are not the addressee or authorized to receive this for the addressee, 
you must not use, copy, disclose or take any action based on this message 
or any information herein. If you have received this message in error, 
please advise the sender immediately by reply e-mail and delete this 
message. Thank you for your cooperation.
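
One way to spot this condition across a larger repadmin dump, added here as an example and not part of the original post: a small parser that flags inbound partners whose source is a deleted DSA or that keep failing with result 8524. It assumes the field layout quoted in the post; the SPO-CENTRO4 entry and its GUID are constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input. The SPO-CENTRO5 entry is the output quoted in the post (the
# poster's annotation removed); the SPO-CENTRO4 entry is constructed here as
# a healthy partner for contrast.
SAMPLE = r"""
SPO-COSTA\SPO-CENTRO4 via RPC
    DC object GUID: 00000000-0000-0000-0000-000000000001
    Last attempt @ 2006-12-07 07:56:30 was successful.
SPO-COSTA\SPO-CENTRO5
DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
    DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
    Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br
    DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2
    DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
    USNs: 13018091/OU, 13018091/PU
    Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
        A operação de agente do sistema de diretórios (DSA) não pode prosseguir devido a uma falha de pesquisa de DNS.
    96 consecutive failure(s).
    Last success @ 2006-12-01 07:58:08.
"""

HEADER = re.compile(r"^([^\\\s:]+)\\([^\\\s:]+)(?:\s+via\s+\S+)?$")   # Site\Server
DELETED = re.compile(r"^DEL:([0-9a-fA-F-]{36}) \(deleted DSA\)")
FAILED = re.compile(r"^Last attempt @ .+? failed, result (\d+) \(0x[0-9a-fA-F]+\)")
CONSECUTIVE = re.compile(r"^(\d+) consecutive failure\(s\)")
LAST_SUCCESS = re.compile(r"^Last success @ (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

DNS_LOOKUP_FAILURE = 8524  # 0x214c, the result code shown in the quoted output


@dataclass
class Neighbor:
    site: str
    server: str
    deleted_dsa_guid: Optional[str] = None
    result: int = 0                      # 0 means the last attempt succeeded
    failures: int = 0
    last_success: Optional[str] = None


def parse_neighbors(text: str) -> List[Neighbor]:
    """Split the dump into one Neighbor per Site\\Server header line."""
    neighbors: List[Neighbor] = []
    current: Optional[Neighbor] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = Neighbor(site=m.group(1), server=m.group(2))
            neighbors.append(current)
            continue
        if current is None:
            continue                     # preamble before the first partner
        if (m := DELETED.match(line)):
            current.deleted_dsa_guid = m.group(1).lower()
        elif (m := FAILED.match(line)):
            current.result = int(m.group(1))
        elif (m := CONSECUTIVE.match(line)):
            current.failures = int(m.group(1))
        elif (m := LAST_SUCCESS.match(line)):
            current.last_success = m.group(1)
    return neighbors


def stale_partners(neighbors: List[Neighbor],
                   min_failures: int = 3) -> List[Tuple[Neighbor, List[str]]]:
    """Partners worth reviewing: deleted source DSA or repeated DNS failures."""
    flagged = []
    for n in neighbors:
        reasons = []
        if n.deleted_dsa_guid:
            reasons.append(f"source DSA object is deleted (DEL:{n.deleted_dsa_guid})")
        if n.result == DNS_LOOKUP_FAILURE and n.failures >= min_failures:
            reasons.append(f"{n.failures} consecutive DNS lookup failures")
        if reasons:
            flagged.append((n, reasons))
    return flagged


if __name__ == "__main__":
    for n, reasons in stale_partners(parse_neighbors(SAMPLE)):
        print(f"{n.site}\\{n.server}: " + "; ".join(reasons)
              + f" (last success {n.last_success})")
```
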



RE: [ActiveDir] OT: SpecOps GPUPDATE tool

2006-12-07 Thread McCann, Danny
Including bugs! :)
Maybe should have been 2 emails - One here for any problems encountered
and one to SpecOps for technical detail.
Any users encountered any problems with this tool? :)))
 
Kind regards
 
Danny
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 07 December 2006 14:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SpecOps GPUPDATE tool


I would expect specops to provide that info, if I were in your
position.
 
neil



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: 07 December 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SpecOps GPUPDATE tool



Hi 

Has anyone used the WoL feature of this tool? If so, can you let
me know of any issues that you came across please? We are currently only
interested in the Shutdown/WoL feature, and would be interested to know
how it obtains the MAC addresses required and the method of transmission
of the wake up packet across the subnets - to keep our active network
team happy. They had a recent incident with a Ghost server and they're a
bit edgy. :)

Cheers 

Danny 




RE: [ActiveDir] OT: SpecOps GPUPDATE tool

2006-12-07 Thread McCann, Danny
Hi Neil
 
You were right, they did. It's no good for us as the tool won't work
with non-Windows DHCP, which I guess is used to retrieve the MAC
addresses.
Should have thought of this in the first instance, but to quote the parrot
sketch, I have a cold. :)
 
All the best
 
Danny
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 07 December 2006 14:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SpecOps GPUPDATE tool


I would expect specops to provide that info, if I were in your
position.
 
neil



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: 07 December 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SpecOps GPUPDATE tool



Hi 

Has anyone used the WoL feature of this tool? If so, can you let
me know of any issues that you came across please? We are currently only
interested in the Shutdown/WoL feature, and would be interested to know
how it obtains the MAC addresses required and the method of transmission
of the wake up packet across the subnets - to keep our active network
team happy. They had a recent incident with a Ghost server and they're a
bit edgy. :)

Cheers 

Danny 




RE: [ActiveDir] Group Membership Update Frequency

2006-12-07 Thread Andrew Cace
Thomas,
  The server will not update its group memberships until it refreshes its 
Kerberos ticket.  That can take up to a week.  Alternatively, you can reboot 
the system, or, if you have console access, open a command line under the 
system's credentials.  You can then use 'klist purge' to delete the existing 
tickets and force the system to generate a new one.  If you use 'klist purge' 
in a normal command window, you will only delete your tickets, not the system's.
 
-Andrew

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Hess
Sent: Thursday, December 07, 2006 6:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Membership Update Frequency

hi there,

when does a server recognize that he is part of AD global Security group?
Do I have to reboot every system or is there an update frequency where the 
server checks the AD?

I need this to know because I want to use the Security Group Filtering with 
GPOs

Thanks in advance
Thomas


RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-07 Thread Rich Milburn
 ISA still doesn't have a firewall client that works for one...
You noticed that one, did you?  

Though I have had pretty good experience in general with Vista on good
hardware.  If I built a Vista box for KMS only, I would turn off aero
and probably disable the sound card and maybe some other stuff
(indexing, we could keep going) but then I would have pretty good
confidence in the Vista box. At present I think that's the way I'd
recommend us doing it, until it'll run on a server of some sort.

Fortunately  (as has probably been discussed here at length seeing Laura
R's affinity for slmgr.vbs :)  you can of course test on a VL copy for
90 (or is it 120?) days - 
slmgr.vbs -rearm
extends for 30 days, and you can run it either 2 or 3 times (I don't
recall which)...

Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, December 05, 2006 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Vista Activation and KMS

I personally am not ready to stick a Vista box as a Licensing server.

ISA still doesn't have a firewall client that works for one... and I've 
yet to find a a/v that doesn't BSOD my tablet pc or act strangely on 
another box I built.

In fact I'm still using my Technet 'for testing purposes' ones as I'm 
not ready to play with my VL ones.  Activation on the VL ones means I'm 
serious to roll...and quite frankly.. I'm not.

I still want to see a more formal support story on Activations in 
general for folks that aren't TAM supported...

YMMV and all that.

Laura A. Robinson wrote:
 I am not at all talking about solutions that don't exist today. Go to 
 a Vista machine and take a look at slmgr.vbs.
  
 Laura



 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Tim
 Vander Kooi
 *Sent:* Tuesday, December 05, 2006 12:39 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] OT: Vista Activation and KMS

 While Laura and yourself make valid points, you are both talking
 about solutions that do not exist today. I'm just trying to help
 the OP with the problem he is having right now. Getting into the
 full licensing overhead of Vista, not to mention LH, could, and
 undoubtedly will, take weeks and/or months.

 For right now, at this very moment, using your VL key (and I will
 continue to refer to it as a VL key as long as the page on which I
 am reading it says  Volume License Product Keys at the top of
 it) for Vista - KMS will allow you to activate your installation
 via the web just fine. This is not something I would do for an
 entire enterprise, but for your first few test machines on your
 production network I would do it.

 Again YMMV,

 Tim

  

 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Harvey
 Kamangwitz
 *Sent:* Tuesday, December 05, 2006 10:28 AM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* Re: [ActiveDir] OT: Vista Activation and KMS

  

 If you have any kind of a complex environment, you'll find volume
 activation to be very frustrating indeed:

  

 1. The KMS service can't support more than one key, so if you have
 Longhorn VL clients in your environment you have to put up a
 second KMS infrastructure for them.

  

 2. You can't (rather, shouldn't) use autodiscovery If you do have
 both LH and Vista.  The KMS client can't distinguish between a KMS
 with LH and a KMS with Vista, and there's nothing in the client
 that says oh, I hit a KMS but it has the wrong key so try again
 immediately so ~50% of a client's activation attempts will fail.

  

 3.  Autodiscovery isn't practical if you have more than a few
 forests that don't trust the forest your KMS is in. All admins of
 the untrusted forests must manually register the _vlmcs record in
 their forest to find the KMS.

  

 ...the list goes on. (I haven't even mentioned the practical
 aspects of volume activation in a lab or firewalled environment.)
 It's not a fully-baked solution.

  

 Depending on your environment, it might be easier to scrap the
 whole autodiscovery, create a DNS CNAME with a couple of KMS
 behind it, stuff the FQDN in the KMS client's registry if you have
 a standard build, and fugeddaboutit :-).

  



  

 On 12/4/06, *Laura A. Robinson* [EMAIL PROTECTED]
 

RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-07 Thread Rich Milburn
 My hope was that KMS could support more than one key. I was astonished
when I discovered it didn't. If you were Vista, KMS would supply you
with a Vista key. Longhorn, a Longhorn key. Since KMS only supports one
key, it triggers the need for two separate KMS infrastructures and the
problems in #2 below.   

 

I put this up in the beta volume licensing group, hopefully there will
be some MSFT response on this.  I agree with you - the point of making
it easy by allowing srv records is offset by the fact neither the VL
client nor the KMS server can differentiate between Vista and LHS.  Even
if the solution is to update the KMS service prior to longhorn's
release, and have separate srv records (one for Vista, one for longhorn,
another for ?? because you know they're on a roll now and will soon have
other things doing VLA)  personally I'd rather have multiple records
than multiple KMS servers, and hard-coding reg keys or using MAKS for
all servers is not really a good solution, IMHO.

 

Rich

 

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harvey
Kamangwitz
Sent: Tuesday, December 05, 2006 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Vista Activation and KMS

 

 

On 12/5/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

Inline...

 



From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] On Behalf Of Harvey Kamangwitz
Sent: Tuesday, December 05, 2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Vista Activation and KMS

 

If you have any kind of a complex environment, you'll
find volume activation to be very frustrating indeed:

 

1. The KMS service can't support more than one key, so
if you have Longhorn VL clients in your environment you have to put up a
second KMS infrastructure for them.  

 

Actually, when you purchase a KMS key, you get to
activate TWO KMS hosts with that key, up to ten times each. Therefore,
you don't have to put up a second KMS infrastructure.  

From a subsequent post on this thread:

Doh! Okay, now I think I get what you're referencing in item 1.

There's a reason for that- LH isn't out yet. When LH is out, that won't
be an issue. :-)

 

My hope was that KMS could support more than one key. I was astonished
when I discovered it didn't. If you were Vista, KMS would supply you
with a Vista key. Longhorn, a Longhorn key. Since KMS only supports one
key, it triggers the need for two separate KMS infrastructures and the
problems in #2 below.   I'm assuming that Microsoft will be using Volume
Activation for other products in the future; are we to put up a separate
KMS for each?


 

 

2. You can't (rather, shouldn't) use autodiscovery If
you do have both LH and Vista.  The KMS client can't distinguish between
a KMS with LH and a KMS with Vista, and there's nothing in the client
that says oh, I hit a KMS but it has the wrong key so try again
immediately so ~50% of a client's activation attempts will fail.   

 

So remove the DNS records for the LH KMS, or am I
misunderstanding your point? 

To be more specific: In a Vista / Longhorn environment, you should only
use autodiscovery for one KMS infrastructure because of 50% failure rate
above. The other systems (Longhorn, if you choose autodiscovery for
Vista) must be explicitly pointed to a KMS with slmgr. How much of an
administrative headache this is depends on how great a penetration of a
standard build is in your company; you can code it into the build. 

 


 

 

3.  Autodiscovery isn't practical if you have more than
a few forests that don't trust the forest your KMS is in. All admins of
the untrusted forests must manually register the _vlmcs record in their
forest to find the KMS.   

 

slmgr.vbs. We're not talking about a ton of records here
or a difficult population mechanism.  

It's the logistics and overhead that's a pain. No, the act of
registering a _vlmcs record in a domain is not in itself a difficult
task; it's the help desk scripts and calls from panicky system
administrators when all the clients in their forest start complaining
about failure to activate and reduced functionality mode that have
to be handled. In a large enterprise we could see a lot of these
(everyone that brings up a sandbox forest for 

RE: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommedations?

2006-12-07 Thread Rich Milburn
I saw something similar in the beta home networking newsgroup, 50 people
in the office, with laptops, and they do peer to peer sharing, and they
wanted to know how to get that working on Vista... I think my
contribution to that thread was about 3 pages, and it started with
SBS... ;)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, December 05, 2006 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange?
Tips/Suggestions/Recommedations?

Hosted SBS with Outlook 2003

Office Live
http://office.microsoft.com/en-us/outlook/HA100809831033.aspx
Not 2003 without a SBS box on the backend but 2007 uses Office Live to 
share calendars.

40 people and you don't have a server... wow. The control freak in me 
is freaking out.  We put SBS servers in at 5 to 10 people and even less.

Shared calendars pushes the sale of many a SBS box I don't know of 
non MS solutions.


Javier Jarava wrote:
 Hi!

 Sorry if this question is a bit off-topic to the list, but I've seen
 some Exchange-related questions here, so I know there is Exchange
 expertise hanging around ;) and I didn't know where to ask; please
 feel free to point me to the proper forums (forii?) to ask in.

 I am looking for a way to implement shared calendars a la exchange
 (ie, they have to be visible and used from within Outlook 2003), but
 without actually using/hosting an Exchange Server ourselves. The idea
 is that people should be able to see/manage the calendar of the people
 they manage, so free/busy info is not enough. And the outlook
 requisite is a must (as my CEO put it yesterday: I live within
 Outlook; I don't want to meddle with web apps or the like)

 I know that it's a bit odd of a requisite, but we are a small co. (~
 40 employees) and the president feels that having to babysit a server
 in-house is a bit of a needless burden.

 At present we host our email / web presence / customer ticketing
 system in a pair of VPS from Verio, so if the proposed solution could
 run on top of FreeBSD it'd be a big plus ;)

 Of course (now going for the and ask about the KitchenSink part ;)
 if we could put it into place without having to tweak our email setup
 that'd be wonderful!!.

 We understand that we'd probably have to install some Outlook plugin,
 so that's OK...

 If there is no way to have the Shared Calendar feature as a
 stand-alone service/server, I guess the next step would be to ask
 those of you who know Exchange for an exchange clone that runs on
 FreeBSD / Unix. Or last but not least, I guess that there must be
 hosted Exchange providers out there that you can recommend. That'd
 mean re-doing our mail system, but I guess that we could live with it,
 if need be.

 Thanks a lot for those of you who have read this far.

  Best Regards

  Javier Jarava

---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED 
/ 
CONFIDENTIAL INFORMATION may be contained in this message or any attachments. 
This information is strictly confidential and may be subject to attorney-client 
privilege. This message is intended only for the use of the named addressee. If 
you are not the intended recipient of this message, unauthorized forwarding, 
printing, copying, distribution, or using such information is strictly 
prohibited and may be unlawful. If you have received this in error, you should 
kindly notify the sender by reply e-mail and immediately destroy this message. 
Unauthorized interception of this e-mail is a violation of federal criminal 
law. 
Applebee's International, Inc. reserves the right to monitor and review the 
content of all messages sent to and from this e-mail address. Messages sent to 
or from this e-mail address may be stored on the Applebee's International, Inc. 
e-mail system.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Quest Recovery Manager

2006-12-07 Thread Myrick, Todd \(NIH/CC/DCRI\) [E]
I would say companies competing via innovative features benefit
customers more than just low balling each other in this space / vertical
market.

And just like a free puppy... If you don't train it... you eventually
have to call in the Directory Whispers.

I think I might have just found some inspiration for a new TV Show.

Todd

-Original Message-
From: Martin Tuip [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 07, 2006 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Quest Recovery Manager

Competition benefits customers.


Martin

- Original Message - 
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, December 06, 2006 7:46 PM
Subject: RE: [ActiveDir] Quest Recovery Manager


It gets even nuttier in competitive situations. Bring in the NetPro
products for eval, and watch how fast the Quest price goes to zero. It's
like the old Crazy Eddy's TV ads in New York.

Of course it's free like a puppy... :)

-gil



From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 12/6/2006 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager



The Quest guys told me the other day they had a lot of leeway on some
pricing for one of my clients so I'm wondering if this is the end of the
year for the salesmen and they need to make their year this month (if so
this is an excellent time to buy Quest software)



Ha! Show me a sales person from ANY software company who doesn't get
that wide-eyed, crazed, foaming-at-the-mouth look in his or her eye
around quarter-end or year-end and I'll show you a sales person that is
about to be fired. It's part of the game. Gotta make quota, esp. at year
end, and to do that, you gotta discount! I would think most IT shops are
wise to it by now. It's kind of a sick dance we all do :)



Darren



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, December 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager



Yeah. Sit down with your team and figure out what it is you need - must
have, would like to have, and nice to have. Then, tell all the vendors
you want a little webinar (they love these), and then compare your notes
after each/all of them again. Rule out any ones now that don't do the
trick.

Then go get ready to have it shoved way up your ass when they give you
the pricing. Then you can suggest (if they haven't already) that they
come discuss it further and plan on a lunch/dinner or two on their dime
while you further discuss how expensive their stuff is and what they can
do for you to make it more attractive. The Quest guys told me the other
day they had a lot of leeway on some pricing for one of my clients so
I'm wondering if this is the end of the year for the salesmen and they
need to make their year this month (if so this is an excellent time to
buy Quest software).

Now that said, I've worked in a few large shops, and we haven't had any
of this frilly fancy shit. It's expensive, I hate the per head/per
seat/per whatever pricing, and frankly all I think it does is idiot
proof what's already there. Rather than having something do it for you,
why don't you learn how it does it, because then you'll be smarter, and
you can go get a new better job with your new found talents.

That said there is some cool shit from Quest and NetIQ and those guys -
I'm into the change control/management stuff in shops where there are
too many cooks in the kitchen. Quest's migration stuff is of course
great if you can afford it.



Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd 
(NIH/CC/DCRI) [E]
Sent: Wednesday, December 06, 2006 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager



I don't think there are many independent rankings out there.  You have
to figure that Windows ITPro and SearchWindows are probably the easiest
sources to get access to online, but they are influenced by ad dollars
sometimes. It is possible that Burton Group and possibly Gartner have
done some research, but I doubt it.  I know that Directions on Microsoft
hasn't covered it.  It is a pretty niche topic.

I think the best way to approach this is to have a good old-fashioned
bake-off of the technologies.  Depending how big a player you are, you
can probably get Quest, NetPro, Veritas, and CommVault to step up.  I
would say that all the technologies are pretty stable at the moment;
there isn't a lot of innovation going on anymore, so it is pretty hard
to make a mistake choosing one of these products.





Todd



From: Tim Onsomu [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 2:06 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 

RE: [ActiveDir] OT: SpecOps GPUPDATE tool

2006-12-07 Thread Darren Mar-Elia
I know the SpecOps guys lurk on this forum so you should get a response, but
I would also suggest that they have a forum on their website for asking
questions and getting feedback from other users.

 

Darren

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Thursday, December 07, 2006 8:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SpecOps GPUPDATE tool

 

Including bugs! :)

Maybe should have been 2 emails - One here for any problems encountered and
one to SpecOps for technical detail.

Any users encountered any problems with this tool? :)))

 

Kind regards

 

Danny

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 07 December 2006 14:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SpecOps GPUPDATE tool

I would expect specops to provide that info, if I were in your position.

 

neil

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: 07 December 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SpecOps GPUPDATE tool

Hi 

Has anyone used the WoL feature of this tool? If so, can you let me know of
any issues that you came across please? We are currently only interested in
the Shutdown/WoL feature, and would be interested to know how it obtains the
MAC addresses required and the method of transmission of the wake up packet
across the subnets - to keep our active network team happy. They had a
recent incident with a Ghost server and they're a bit edgy. :)

Cheers 

Danny 




RE: [ActiveDir] Please help me

2006-12-07 Thread Thompson, Elizabeth
Check and see if it still has the dead server listed under the NTDS
Settings in AD Sites and Services. Had this happen once to me. I manually
deleted the NTDS reference and it was happy.
 
Elizabeth Thompson 
Service and Support Technician/Exchange Admin 
Information Technology Services 
The Community College of Baltimore County 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: [ActiveDir] Please help me



I have a strange problem and cannot find any solution.

I used DCpromo to depromote a computer. It worked OK, the domain
controller was depromoted. But when I use repadmin to show other DCs'
replication, it shows replications from the domain controller depromoted. I
didn't find anything to explain how to solve that.
Where can I find it, to remove it from replication? The machine is a
network computer, but replication fails with message:


SPO-COSTA\SPO-CENTRO5   --   (THIS IS THE DOMAIN CONTROLLER
THAT IS NOT A DOMAIN CONTROLLER ANYMORE)
DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br
DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2
DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
USNs: 13018091/OU, 13018091/PU
Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
A operação de agente do sistema de diretórios (DSA) não pode prosseguir
devido a uma falha de pesquisa de DNS.
96 consecutive failure(s).
Last success @ 2006-12-01 07:58:08.

Adrião Ferreira Ramos 
Depto. de Operações e Infra-Estrutura - CII.14 
[EMAIL PROTECTED]   
(11) 3388.8193  
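
The repadmin output quoted above can be triaged mechanically. The following is an added example, not part of any post in this thread: a parser for the neighbour layout as it was pasted here, flagging links that still point at a deleted DSA, the 8524 DNS lookup failure, and how long replication has been stalled. The second neighbour in the sample and its names are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Block 1 is the failing neighbour as posted in the thread (localized error
# text left out). Block 2 is a healthy neighbour constructed for contrast.
SAMPLE = r"""
SPO-COSTA\SPO-CENTRO5
DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br
DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2
DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
USNs: 13018091/OU, 13018091/PU
Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
96 consecutive failure(s).
Last success @ 2006-12-01 07:58:08.
EXAMPLE-SITE\EXAMPLE-DC2 via RPC
DC object GUID: 00000000-0000-0000-0000-000000000002
Last attempt @ 2006-12-07 07:58:11 was successful.
"""

TS = "%Y-%m-%d %H:%M:%S"
PARTNER = re.compile(r"^(?P<name>.+?)\s+via\s+RPC$")
GUID = re.compile(r"^DC object GUID:\s*(?P<guid>[0-9a-fA-F-]{36})$")
ATTEMPT = re.compile(r"^Last attempt @ (?P<when>\S+ \S+) "
                     r"(?:failed, result (?P<code>\d+)|was successful)")
FAILS = re.compile(r"^(?P<n>\d+) consecutive failure")
SUCCESS = re.compile(r"^Last success @ (?P<when>\S+ \S+?)\.?$")
DNS_LOOKUP_FAILURE = 8524  # result code shown in the thread's output


@dataclass
class Neighbor:
    partner: str
    deleted_dsa: bool = False
    object_guid: Optional[str] = None
    last_attempt: Optional[datetime] = None
    result: int = 0          # 0 means the last attempt succeeded
    failures: int = 0
    last_success: Optional[datetime] = None


def parse_neighbors(text: str) -> List[Neighbor]:
    """Split the pasted output into one Neighbor per '... via RPC' line."""
    neighbors: List[Neighbor] = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = PARTNER.match(line)
        if m:
            neighbors.append(Neighbor(m.group("name"), "(deleted DSA)" in line))
            continue
        if not neighbors:
            continue  # preamble before the first partner line
        cur = neighbors[-1]
        if (m := GUID.match(line)):
            cur.object_guid = m.group("guid")
        elif (m := ATTEMPT.match(line)):
            cur.last_attempt = datetime.strptime(m.group("when"), TS)
            cur.result = int(m.group("code") or 0)
        elif (m := FAILS.match(line)):
            cur.failures = int(m.group("n"))
        elif (m := SUCCESS.match(line)):
            cur.last_success = datetime.strptime(m.group("when"), TS)
    return neighbors


def days_stalled(n: Neighbor) -> Optional[int]:
    """Whole days between the last success and the last failed attempt."""
    if n.result == 0 or not (n.last_attempt and n.last_success):
        return None
    return (n.last_attempt - n.last_success).days


def triage(neighbors: List[Neighbor]) -> List[Tuple[str, str, str]]:
    """Return (partner, kind, detail) findings, worst signals first per partner."""
    findings = []
    for n in neighbors:
        if n.deleted_dsa:
            findings.append((n.partner, "deleted-dsa",
                             "replication link still points at a deleted DSA object"))
        if n.result == DNS_LOOKUP_FAILURE:
            findings.append((n.partner, "dns-lookup-failure",
                             f"{n.object_guid}._msdcs alias no longer resolves"))
        stalled = days_stalled(n)
        if stalled is not None:
            findings.append((n.partner, "stalled",
                             f"{n.failures} consecutive failures, "
                             f"{stalled} full day(s) since last success"))
    return findings


if __name__ == "__main__":
    for partner, kind, detail in triage(parse_neighbors(SAMPLE)):
        print(f"[{kind}] {partner}: {detail}")
```
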





[ActiveDir] DNS scavenging question

2006-12-07 Thread Daniel Gilbert
I have a rather off the wall DNS scavenging question.

I have a bunch of DNS records that are stale and need to be scavenged
out of the zone.  Following the O'REILLY book: DNS on Windows Server
2003 I have configured aging and scavenging.  (Don't ask why this
wasn't done when the zone was first set up, that is another story)

Now I know: If scavenging is disabled on a standard zone and you enable
scavenging, the server does not scavenge records that existed before
you enabled scavenging. The server does not scavenge those records even
if you convert the zone to an Active Directory–integrated zone first. 

To enable scavenging of such records, use the AgeAllRecords in
Dnscmd.exe.  I know this must be done in order to configure existing
records to a scavengable state.

Is there a way to immediately force a scavenge cycle that will remove
all stale records?  I would rather not have to wait until the no-refresh
and refresh intervals expire.


Daniel Gilbert




RE: [ActiveDir] NetBT errors 4321

2006-12-07 Thread Simon Bembridge
 

 

Laura,

 

Sorry for not getting back sooner; the answers to your questions are:

Both IP addresses are DCs.

 

The first IP address is the one exhibiting all the NETBT 4321 event log
errors, the second IP address is the DC refusing the name to be claimed.

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 05 December 2006 01:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NetBT errors 4321

 

Okay, first question- is the first xxx.xxx.xxx.xxx address the same as the
second xxx.xxx.xxx.xxx, or are they actually different addresses? Second,
if we're talking two IPs, which one is the DC's IP? Basically, I can't get
enough from your genericized [I made that word up] error to figure out which
machine is which, where this error came from, what machine(s) is/are
identified by the IPs in the error, and therefore, why I should care about
the Nbstat entries. :-)

 

Laura

 


  _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Simon Bembridge
Sent: Monday, December 04, 2006 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NetBT errors 4321

Hi All,

 

I cannot find a resolution to an event log error that we are having within our
development domain; the event is logged every 3-6 mins. I have exhausted the
internet results but to no avail. Any help would be greatly appreciated.

We have two DCs living on different subnets, both acting as BH servers.

 

1st DC holds all FSMO roles, single domain, D  FFL 2003

 

Anyway below is the event log message I have done all the searches possible
and come up with nothing at all. 

 

Source NetBT

EventID: 4321

 

The name DEV..:Id Could not be registered on the interface with IP
address xxx.xxx.xxx.xxx 

The machine with the IP address xxx.xxx.xxx.xxx did not allow the name to be
claimed by the machine.

 

 

The results of both DC's are as follows:

 

Nbtstat -an

 

DC1          DC2
00 unique    00 unique
00 Group     00 Group
1c Group     1c Group
20 Unique    20 Unique
1D Unique    1E Group
1E Group
-MSBROWSE

 

Mac address 

 

 




RE: [ActiveDir] Quest Recovery Manager

2006-12-07 Thread Gil Kirkpatrick
Just to give an idea of how insane it can get

A good friend of mine works at a software company (not in the Microsoft
space)... let's call it company G. Company G is small (300 people or so)
and privately held, with a superior product. Company G's main
competition is Company W, a large, bloated publicly held company, with
a decidedly inferior product. Company W hasn't developed anything
innovative in years... all their new products have come through
acquisitions.

Now check this out: Company G has a competitive sales program for
Company W's customers. If a customer has decided on Company W, for
whatever reason, and there is no way that they will buy Company G's
product, Company G will work with the customer to provide a competitive
bid *just to drive Company W's prices down.* The customer doesn't even
have to look at Company G's products.

Now THAT's ruthless sales behavior!

-gil


Re: [ActiveDir] Please help me

2006-12-07 Thread Al Mulnick

How long ago was it dcpromoed out?

DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC





[ActiveDir] Delegate join computer to domain

2006-12-07 Thread WATSON, BEN
Hello everyone,

Our desktop support group are all a part of a security group called IT.  I 
delegated the Create and Delete Computer ACEs to the security group over the OU 
that I want them to add computer accounts into when a machine is joined to the 
domain.

After I adjusted the security settings, I reduced the default number of 
computers an authenticated user can join to the domain down to zero.

It seems that the members of the IT security group can pre-create the computer 
accounts, but when they attempt to go through the join process, they are caught 
at the check that determines if they have surpassed the number of machines a 
user can join to the domain (which is now zero).  

What must I do so this security group is not subject to that check?

Thanks,
Ben



RE: [ActiveDir] DNS scavenging question

2006-12-07 Thread Kurt Falde
http://technet2.microsoft.com/WindowsServer/en/library/d652a163-279f-4047-b3e0-0c468a4d69f31033.mspx?mfr=true

dnscmd /startscavenging

I would recommend you make a backup of your zone before you ageall and start 
scavenging. Have you taken into consideration records that need to be there 
that you will need to recreate as static entries, i.e. www.company.com etc.?
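
A small model of the aging rules behind the two dnscmd steps named in this thread (AgeAllRecords, then a forced scavenge), added here as an illustration and not taken from the thread or from Microsoft's code. It assumes the default 7-day no-refresh and refresh intervals and, following the premise quoted in the question, treats pre-existing records as unstamped; the record names and the clock value are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

HOURS_PER_DAY = 24
NO_REFRESH = 7 * HOURS_PER_DAY   # assumed default no-refresh interval, in hours
REFRESH = 7 * HOURS_PER_DAY      # assumed default refresh interval, in hours
UNSTAMPED = 0                    # timestamp 0: record is never aged or scavenged


@dataclass(frozen=True)
class Record:
    name: str
    timestamp: int       # hours on an arbitrary clock; 0 means unstamped
    client_alive: bool   # constructed flag: does a host still re-register it?


def age_all_records(zone: List[Record], now: int) -> List[Record]:
    """Model of AgeAllRecords: stamp every record with 'now', static ones too."""
    return [replace(r, timestamp=now) for r in zone]


def client_refresh(zone: List[Record], now: int) -> List[Record]:
    """Live hosts re-register; a refresh only counts after the no-refresh window."""
    return [
        replace(r, timestamp=now)
        if r.client_alive and r.timestamp != UNSTAMPED
        and now >= r.timestamp + NO_REFRESH
        else r
        for r in zone
    ]


def is_stale(r: Record, now: int) -> bool:
    """A stamped record is stale once both intervals have fully elapsed."""
    return r.timestamp != UNSTAMPED and now > r.timestamp + NO_REFRESH + REFRESH


def scavenge(zone: List[Record], now: int) -> Tuple[List[Record], List[str]]:
    """Model of one forced scavenging pass: returns (kept records, removed names)."""
    kept = [r for r in zone if not is_stale(r, now)]
    removed = [r.name for r in zone if is_stale(r, now)]
    return kept, removed


def simulate() -> Dict[str, List[str]]:
    t0 = 1000  # constructed clock value, in hours
    zone = [
        Record("old-laptop", UNSTAMPED, client_alive=False),  # host is gone
        Record("desk-pc", UNSTAMPED, client_alive=True),      # host still registers
        Record("www", UNSTAMPED, client_alive=False),         # manually created
    ]
    out: Dict[str, List[str]] = {}

    # Scavenging alone never touches unstamped records.
    _, out["before_ageall"] = scavenge(zone, t0)

    # Stamp everything, then force a pass an hour later: nothing is stale yet,
    # because every record now looks freshly registered.
    zone = age_all_records(zone, t0)
    _, out["right_after_ageall"] = scavenge(zone, t0 + 1)

    # Day 8: the live host refreshes its record; the others stay as stamped.
    zone = client_refresh(zone, t0 + 8 * HOURS_PER_DAY)

    # Just past both intervals: the dead host goes, and so does the manual
    # 'www' record, which nothing refreshes.
    zone, out["after_intervals"] = scavenge(zone, t0 + NO_REFRESH + REFRESH + 1)
    out["remaining"] = [r.name for r in zone]
    return out


if __name__ == "__main__":
    for step, names in simulate().items():
        print(f"{step:20s} {names}")
```

In this model a pass forced right after stamping removes nothing, and the manually created record is removed along with the stale one once both intervals elapse, which is the case the backup advice above is guarding against.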



Re: [ActiveDir] Please help me

2006-12-07 Thread jpsalemi

http://www.eventid.net/display.asp?eventid=4321eventno=1822source=NetBTphase=1




   
 [EMAIL PROTECTED] 
 p.com.br  
 Sent by:   To
 [EMAIL PROTECTED] ActiveDir@mail.activedir.org
 ail.activedir.org  cc
   ActiveDir@mail.activedir.org,   
   [EMAIL PROTECTED]
 12/07/2006 09:49  Subject
 AM[ActiveDir] Please help me  
   
   
 Please respond to 
 [EMAIL PROTECTED] 
tivedir.org
   
   





I have a strange problem and can not find any solution

I used DCpromo to depromote a computer. It worked ok, the Domain
controller was depromoted. But when I use repadmin to show other dc´s
replication, it show replications from the domain controler depromoted. I
didn´t find anything to explain how to solve that.
Where can I find it, to remove it from replication. The machine is
a network computer, but replication fails with message:


SPO-COSTA\SPO-CENTRO5   --   (THIS IS THE DOMAIN
CONTROLER THAT IS NOT A DOMAIN CONTROLER ANYMORE)
DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br
DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2
DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
USNs: 13018091/OU, 13018091/PU
Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
A operação de agente do sistema de diretórios (DSA) não pode
prosseg
uir devido a uma falha de pesquisa de DNS.
96 consecutive failure(s).
Last success @ 2006-12-01 07:58:08.
   
Adrião Ferreira Ramos
Depto. de Operações e Infra-Estrutura - CII.14
[EMAIL PROTECTED]
(11) 3388.8193
   




Re: [ActiveDir] Please help me

2006-12-07 Thread jpsalemi

ooops, sorry replied to the wrong one




   
From: [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 12/07/2006 09:49 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org, [EMAIL PROTECTED]
Subject: [ActiveDir] Please help me
Please respond to: [EMAIL PROTECTED]
   
   





I have a strange problem and cannot find any solution.

I used DCpromo to depromote a computer. It worked OK, the domain
controller was depromoted. But when I use repadmin to show other DCs'
replication, it shows replications from the depromoted domain controller. I
didn't find anything to explain how to solve that.
Where can I find it, to remove it from replication? The machine is
a network computer, but replication fails with message:


SPO-COSTA\SPO-CENTRO5   --   (THIS IS THE DOMAIN
CONTROLLER THAT IS NOT A DOMAIN CONTROLLER ANYMORE)
DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br
DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2
DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
USNs: 13018091/OU, 13018091/PU
Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
A operação de agente do sistema de diretórios (DSA) não pode
prosseguir devido a uma falha de pesquisa de DNS.
96 consecutive failure(s).
Last success @ 2006-12-01 07:58:08.
   
Adrião Ferreira Ramos
Depto. de Operações e Infra-Estrutura - CII.14
[EMAIL PROTECTED]
(11) 3388.8193
   




RE: [ActiveDir] NetBT errors 4321

2006-12-07 Thread jpsalemi
http://www.eventid.net/display.asp?eventid=4321&eventno=1822&source=NetBT&phase=1




   
From: Simon Bembridge [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 12/07/2006 01:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NetBT errors 4321
Please respond to: [EMAIL PROTECTED]
   
   






Laura,

Sorry for not getting back sooner, the answers to your questions are:

Both IP addresses are DCs.

The first IP address is the one exhibiting all the NETBT 4321 event log
errors, the second IP address is the DC refusing the name to be claimed.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 05 December 2006 01:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NetBT errors 4321

Okay, first question- is the first xxx.xxx.xxx.xxx address the same as
the second xxx.xxx.xxx.xxx, or are they actually different addresses?
Second, if we're talking two IPs, which one is the DC's IP? Basically, I
can't get enough from your genericized [I made that word up] error to
figure out which machine is which, where this error came from, what
machine(s) is/are identified by the IPs in the error, and therefore, why I
should care about the Nbstat entries. :-)

Laura


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Simon Bembridge
 Sent: Monday, December 04, 2006 4:23 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] NetBT errors 4321
 Hi All,

 I cannot find a resolution to an event log error that we are having within
 our development domain; the event is logged every 3-6 mins. I have
 exhausted the internet results but to no avail, any help would be greatly
 appreciated.

 We have two DCs living on different subnets, both acting as BH servers.

 1st DC holds all FSMO roles, single domain, D & FFL 2003

 Anyway below is the event log message I have done all the searches
 possible and come up with nothing at all.

 Source NetBT
 EventID: 4321

 The name “DEV…………….:Id” Could not be registered on the interface with IP
 address xxx.xxx.xxx.xxx
 The machine with the IP address xxx.xxx.xxx.xxx did not allow the name to
 be claimed by the machine.


 The results of both DC’s are as follows:

 nbtstat -an

 DC1          DC2
 00 Unique    00 Unique
 00 Group     00 Group
 1C Group     1C Group
 20 Unique    20 Unique
 1D Unique    1E Group
 1E Group
 -MSBROWSE

 Mac address





RE: [ActiveDir] Quest Recovery Manager

2006-12-07 Thread Darren Mar-Elia
Boy that just makes me proud to be in the software business...



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, December 07, 2006 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Just to give an idea of how insane it can get

A good friend of mine works at a software company (not in the Microsoft
space)... let's call it company G. Company G is small (300 people or so)
and privately held, with a superior product. Company G's main
competition is Company W, a large, bloated publicly held company, with
a decidedly inferior product. Company W hasn't developed anything
innovative in years... all their new products have come through
acquisitions.

Now check this out: Company G has a competitive sales program for
Company W's customers. If a customer has decided on Company W, for
whatever reason, and there is no way that they will buy Company G's
product, Company G will work with the customer to provide a competitive
bid *just to drive Company W's prices down.* The customer doesn't even
have to look at Company G's products.

Now THAT's ruthless sales behavior!

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DCRI) [E]
Sent: Thursday, December 07, 2006 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

I would say companies competing via innovative features benefit
customers more than just low balling each other in this space / vertical
market.

And just like a free puppy... If you don't train it... you eventually
have to call in the Directory Whispers.

I think I might have just found some inspiration for a new TV Show.

Todd

-Original Message-
From: Martin Tuip [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 07, 2006 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Quest Recovery Manager

Competition benefits customers.


Martin

- Original Message - 
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, December 06, 2006 7:46 PM
Subject: RE: [ActiveDir] Quest Recovery Manager


It gets even nuttier in competitive situations. Bring in the NetPro products
for eval, and watch how fast the Quest price goes to zero. It's like the old
Crazy Eddy's TV ads in New York.

Of course it's free like a puppy... :)

-gil



From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 12/6/2006 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager



The Quest guys told me the other day they had a lot of leeway on some
pricing for one of my clients so I'm wondering if this is the end of the
year for the salesmen and they need to make their year this month (if so
this is an excellent time to buy Quest software)



Ha! Show me a sales person from ANY software company who doesn't get that
wide-eyed, crazed, foaming-at-the-mouth look in his or her eye around
quarter-end or year-end and I'll show you a sales person that is about to be
fired. It's part of the game. Gotta make quota, esp. at year end, and to do
that, you gotta discount! I would think most IT shops are wise to it by now.
It's kind of a sick dance we all do :)



Darren



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, December 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager



Yeah. Sit down with your team and figure out what it is you need - must
have, would like to have, and nice to have. Then, tell all the vendors you
want a little webinar (they love these), and then compare your notes after
each/all of them again. Rule out any ones now that don't do the trick.

Then go get ready to have it shoved way up your ass when they give you the
pricing. Then you can suggest (if they haven't already) that they come
discuss it further and plan on a lunch/dinner or two on their dime while
you further discuss how expensive their stuff is and what they can do for
you to make it more attractive. The Quest guys told me the other day they
had a lot of leeway on some pricing for one of my clients so I'm wondering
if this is the end of the year for the salesmen and they need to make their
year this month (if so this is an excellent time to buy Quest software).

Now that said, I've worked in a few large shops, and we haven't had any of
this frilly fancy shit. It's expensive, I hate the per head/per seat/per
whatever pricing, and frankly all I think it does is idiot proof what's
already there. Rather than having something do it for you, why don't you
learn how it does it, because then you'll be smarter, and you can go get a
new better job with your new found talents.

That said there is some cool shit from quest and NetIQ and those guys - I'm
into the change control/management stuff in shops where

RE: [ActiveDir] Quest Recovery Manager

2006-12-07 Thread Myrick, Todd \(NIH/CC/DCRI\) [E]
Understood Gil,

I wonder what would happen if the Federal Trade Commission got wind of
such activity. Depending on who is in office... they tend to frown upon
that type of activity, especially from companies outside of the US.

Todd
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 07, 2006 2:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Just to give an idea of how insane it can get

A good friend of mine works at a software company (not in the Microsoft
space)... let's call it company G. Company G is small (300 people or so)
and privately held, with a superior product. Company G's main
competition is Company W, a large, bloated publicly held company, with
a decidedly inferior product. Company W hasn't developed anything
innovative in years... all their new products have come through
acquisitions.

Now check this out: Company G has a competitive sales program for
Company W's customers. If a customer has decided on Company W, for
whatever reason, and there is no way that they will buy Company G's
product, Company G will work with the customer to provide a competitive
bid *just to drive Company W's prices down.* The customer doesn't even
have to look at Company G's products.

Now THAT's ruthless sales behavior!

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DCRI) [E]
Sent: Thursday, December 07, 2006 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

I would say companies competing via innovative features benefit
customers more than just low balling each other in this space / vertical
market.

And just like a free puppy... If you don't train it... you eventually
have to call in the Directory Whispers.

I think I might have just found some inspiration for a new TV Show.

Todd

-Original Message-
From: Martin Tuip [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 07, 2006 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Quest Recovery Manager

Competition benefits customers.


Martin

- Original Message - 
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, December 06, 2006 7:46 PM
Subject: RE: [ActiveDir] Quest Recovery Manager


It gets even nuttier in competitive situations. Bring in the NetPro products
for eval, and watch how fast the Quest price goes to zero. It's like the old
Crazy Eddy's TV ads in New York.

Of course it's free like a puppy... :)

-gil



From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 12/6/2006 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager



The Quest guys told me the other day they had a lot of leeway on some
pricing for one of my clients so I'm wondering if this is the end of the
year for the salesmen and they need to make their year this month (if so
this is an excellent time to buy Quest software)



Ha! Show me a sales person from ANY software company who doesn't get that
wide-eyed, crazed, foaming-at-the-mouth look in his or her eye around
quarter-end or year-end and I'll show you a sales person that is about to be
fired. It's part of the game. Gotta make quota, esp. at year end, and to do
that, you gotta discount! I would think most IT shops are wise to it by now.
It's kind of a sick dance we all do :)



Darren



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, December 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager



Yeah. Sit down with your team and figure out what it is you need - must
have, would like to have, and nice to have. Then, tell all the vendors you
want a little webinar (they love these), and then compare your notes after
each/all of them again. Rule out any ones now that don't do the trick.

Then go get ready to have it shoved way up your ass when they give you the
pricing. Then you can suggest (if they haven't already) that they come
discuss it further and plan on a lunch/dinner or two on their dime while
you further discuss how expensive their stuff is and what they can do for
you to make it more attractive. The Quest guys told me the other day they
had a lot of leeway on some pricing for one of my clients so I'm wondering
if this is the end of the year for the salesmen and they need to make their
year this month (if so this is an excellent time to buy Quest software).

Now that said, I've worked in a few large shops, and we haven't had any of
this frilly fancy shit. It's expensive, I hate the per head/per seat/per
whatever pricing, and frankly all I think it does is idiot proof what's
already there. Rather than having something do it for you, why don't you
learn how it does it, because then you'll be smarter, and you can go get a
new better job with your new found

Re: [ActiveDir] DNS scavenging question

2006-12-07 Thread Al Mulnick

If you immediately (with respect to using the ageall switch) tell the
scavenging server to scavenge all records, wouldn't you expect all the
records to be scavenged at that point? Wouldn't it be better to mark them
all, and wait a cycle or two of refresh prior to pushing the issue?

Otherwise, the most immediate way to do this would be to delete the zone. I
don't recommend that however :)

On 12/7/06, Daniel Gilbert [EMAIL PROTECTED] wrote:


I have a rather off the wall DNS scavenging question.

I have a bunch of DNS records that are stale and need to be scavenged
out of the zone.  Following the O'REILLY book: DNS on Windows Server
2003 I have configured aging and scavenging.  (Don't ask why this
wasn't done when the zone was first setup, that is another story)

Now I know: If scavenging is disabled on a standard zone and you enable
scavenging, the server does not scavenge records that existed before
you enabled scavenging. The server does not scavenge those records even
if you convert the zone to an Active Directory–integrated zone first.

To enable scavenging of such records, use the AgeAllRecords in
Dnscmd.exe.  I know this must be done in order to configure existing
records to a scavengable state.

Is there a way to immediately force a scavenge cycle that will remove
all stale records?  I would not want to have to wait until the no-refresh
and refresh intervals expire.


Daniel Gilbert


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/



RE: [ActiveDir] Delegate join computer to domain

2006-12-07 Thread Wells, James Arthur
Ben,

There is a larger list of required ACE entries to JOIN a computer to the domain.

They are:

List Contents
Read All Properties
Delete
Delete Subtree
Read Perms
All Extended Rights(gives you Allowed to Authenticate
Change Pwd
Receive As
Reset Pwd
Send As)
Validate write to DNS host name
Validated write to service principal name

(Property permissions)
Write Account Restrictions
Read DNS Host Name Attributes
Read Personal Information
Read Public Information

Good luck!


(I'm assuming you're in W2K3 domain mode, because in mixed, Pre-Win2K 
Compatible Access grants extra permissions letting users join computers, even 
when dropping the workstation quota to 0).


--James

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Thursday, December 07, 2006 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate join computer to domain

Hello everyone,

Our desktop support group are all a part of a security group called IT.  I 
delegated the Create and Delete Computer ACEs to the security group over the OU 
that I want them to add computer accounts into when a machine is joined to the 
domain.

After I adjusted the security settings, I reduced the default number of 
computers an authenticated user can  join to the domain down to zero.

It seems that the members of the IT security group can pre-create the computer 
accounts, but when they attempt to go through the join process, they are caught 
at the check that determines if they have surpassed the number of machines a 
user can join to the domain (which is now zero).  

What must I do so this security group is not subject to that check?

Thanks,
Ben

-Original Message-
From: Thompson, Elizabeth [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: 12/7/06 11:31 AM
Subject: RE: [ActiveDir] Please help me

Check and see if it still has the dead server listed under its the NTDS 
Settings in AD Sites and Services. Had this happen once to me. I manually 
deleted the NTDS reference and it was happy.
 
Elizabeth Thompson 
Service and Support Technician/Exchange Admin 
Information Technology Services 
The Community College of Baltimore County 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: [ActiveDir] Please help me



I have a strange problem and cannot find any solution.

I used DCpromo to depromote a computer. It worked OK, the domain
controller was depromoted. But when I use repadmin to show other DCs'
replication, it shows replications from the depromoted domain controller. I
didn't find anything to explain how to solve that.
Where can I find it, to remove it from replication? The machine is a
network computer, but replication fails with message:


SPO-COSTA\SPO-CENTRO5   --   (THIS IS THE DOMAIN CONTROLLER
THAT IS NOT A DOMAIN CONTROLLER ANYMORE)
DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br
DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2
DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
USNs: 13018091/OU, 13018091/PU
Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
A operação de agente do sistema de diretórios (DSA) não pode
prosseguir devido a uma falha de pesquisa de DNS.
96 consecutive failure(s). 
Last success @ 2006-12-01 07:58:08.

Adrião Ferreira Ramos 
Depto. de Operações e Infra-Estrutura - CII.14 
[EMAIL PROTECTED]   
(11) 3388.8193  



This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose or take any action based on this message or any information 
herein. If you have received this message in error, please
advise the sender immediately by reply e-mail and delete this message. Thank 
you for your cooperation.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
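
The repadmin output quoted in the message above can be checked mechanically. As an added example (not part of any poster's message), this Python script parses `repadmin /showrepl`-style text and flags inbound links whose source is a deleted DSA or that keep failing; the healthy neighbor in the sample is constructed, and the failure threshold is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `repadmin /showrepl` inbound-neighbor output.
# The second block reuses the values quoted in the thread; the first block
# (SPO-EXEMPLO1 and its GUID) is made up to give the parser a healthy link.
SAMPLE = r"""
SPO-COSTA\SPO-EXEMPLO1 via RPC
    DC object GUID: 00000000-0000-0000-0000-000000000001
    Last attempt @ 2006-12-07 07:56:40 was successful.
DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
    DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
    Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br
    DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2
    DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
    USNs: 13018091/OU, 13018091/PU
    Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
        A operação de agente do sistema de diretórios (DSA) não pode
        prosseguir devido a uma falha de pesquisa de DNS.
    96 consecutive failure(s).
    Last success @ 2006-12-01 07:58:08.
"""

@dataclass
class Neighbor:
    source: str                # "Site\Server" or "DEL:<guid> (deleted DSA)"
    deleted_dsa: bool = False  # source DSA object no longer exists
    object_guid: str = ""
    address: str = ""          # <guid>._msdcs.<forest> name the DC tries to resolve
    last_result: int = 0       # 0 means the last attempt succeeded
    failures: int = 0
    last_success: str = ""

HEADER = re.compile(r"^(?P<src>\S.*?)\s+via\s+RPC$")
ATTEMPT = re.compile(r"^Last attempt @ \S+ \S+ (?:was successful|failed, result (?P<code>\d+))")
FAILS = re.compile(r"^(?P<n>\d+) consecutive failure\(s\)")
SUCCESS = re.compile(r"^Last success @ (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")

def parse_showrepl(text):
    """Split the output into one Neighbor per '... via RPC' header line."""
    neighbors, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            src = m["src"]
            cur = Neighbor(source=src,
                           deleted_dsa="(deleted DSA)" in src or src.startswith("DEL:"))
            neighbors.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("DC object GUID:"):
            cur.object_guid = line.split(":", 1)[1].strip()
        elif line.startswith("Address:"):
            cur.address = line.split(":", 1)[1].strip()
        elif (m := ATTEMPT.match(line)):
            cur.last_result = int(m["code"] or 0)
        elif (m := FAILS.match(line)):
            cur.failures = int(m["n"])
        elif (m := SUCCESS.match(line)):
            cur.last_success = m["ts"]
    return neighbors

def stale_links(neighbors, min_failures=10):
    """Links worth investigating: source DSA deleted, or failing repeatedly."""
    return [n for n in neighbors if n.deleted_dsa or n.failures >= min_failures]

def describe(n):
    """One-line summary of why a link was flagged."""
    why = []
    if n.deleted_dsa:
        why.append("source DSA object is deleted")
    if n.last_result == 8524:
        why.append(f"DNS lookup of {n.address} failed (8524)")
    if n.failures:
        why.append(f"{n.failures} consecutive failures, last success {n.last_success}")
    return f"{n.source}: " + "; ".join(why)

if __name__ == "__main__":
    for link in stale_links(parse_showrepl(SAMPLE)):
        print(describe(link))
```

A link flagged as a deleted DSA is the case the reply quoted above addresses: check whether the dead server is still listed under NTDS Settings in AD Sites and Services.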

RE: [ActiveDir] DNS scavenging question

2006-12-07 Thread Vinnie Cardona
You are correct.  

 

Due to the fact that aging/scavenging was not enabled the records which
were dynamically registered were not stamped with a date/time.  Therefore
the aging/scavenging process ignores them upon starting its scavenging
process.

You can use the AgeAllRecords which will do just that.  Age ALL your
records.  You have to be careful though.  I haven't proven this but I
believe that it will also turn your static records into dynamic records
(time stamp them).  Then when you run AgeAllRecords...well guess what?...

To prevent this, once you ageallrecords you will have to go back into the
DNS console and ensure that static/manually created records you need are
not set to "Delete this record when it becomes stale" by unchecking the box
in the record properties.  You might have to enable the advanced view
(View --> Advanced) to view this as well as the timestamp of the record.

Once you've completed this you can then right click on the DNS server name
in the DNS console and select "Scavenge Stale Resource Records" or via
command prompt: dnscmd servername /StartScavenging

Note: In order to successfully configure Scavenging and Aging you will
need to enable it both on the zone and the DNS server. Which I'm sure you
have already...but just in case.

Right click on server name --> Properties --> Advanced tab --> check the "Enable
automatic scavenging of stale records" box, or you can enable it for all zones
by right clicking on the server name and selecting "Set Aging/Scavenging
for all Zones" --> check the box "Scavenge stale resource
records" --> OK --> check the box to apply these settings to the existing
Active Directory-integrated zones (if AD integrated) --> OK, then go to the
zone and right click --> Properties --> General tab --> Aging button and check
the "Scavenge stale resource records" box --> OK

Hope this will help...please chime in.

 

-vC

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, December 07, 2006 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS scavenging question

 

I have a rather off the wall DNS scavenging question.

I have a bunch of DNS records that are stale and need to be scavenged
out of the zone.  Following the O'REILLY book: DNS on Windows Server
2003 I have configured aging and scavenging.  (Don't ask why this
wasn't done when the zone was first setup, that is another story)

Now I know: If scavenging is disabled on a standard zone and you enable
scavenging, the server does not scavenge records that existed before
you enabled scavenging. The server does not scavenge those records even
if you convert the zone to an Active Directory-integrated zone first.

To enable scavenging of such records, use the AgeAllRecords in
Dnscmd.exe.  I know this must be done in order to configure existing
records to a scavengable state.

Is there a way to immediately force a scavenge cycle that will remove
all stale records?  I would not want to have to wait until the no-refresh
and refresh intervals expire.


Daniel Gilbert


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/



[ActiveDir] Delegate join computer to domain

2006-12-07 Thread WATSON, BEN
Nevermind guys, I'm out on vacation and I was unable to verify that the desktop 
support staff were pre-creating the computer accounts properly.  I got back to 
my hotel and was able to VPN in and check up on everything and they were not 
creating the accounts properly.  Everything is working as intended.

Thanks,
~Ben

-Original Message-
From: WATSON, BEN 
Sent: Thursday, December 07, 2006 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: Delegate join computer to domain

Hello everyone,

Our desktop support group are all a part of a security group called IT.  I 
delegated the Create and Delete Computer ACEs to the security group over the OU 
that I want them to add computer accounts into when a machine is joined to the 
domain.

After I adjusted the security settings, I reduced the default number of 
computers an authenticated user can  join to the domain down to zero.

It seems that the members of the IT security group can pre-create the computer 
accounts, but when they attempt to go through the join process, they are caught 
at the check that determines if they have surpassed the number of machines a 
user can join to the domain (which is now zero).  

What must I do so this security group is not subject to that check?

Thanks,
Ben

-Original Message-
From: Thompson, Elizabeth [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: 12/7/06 11:31 AM
Subject: RE: [ActiveDir] Please help me

Check and see if it still has the dead server listed under its the NTDS 
Settings in AD Sites and Services. Had this happen once to me. I manually 
deleted the NTDS reference and it was happy.
 
Elizabeth Thompson 
Service and Support Technician/Exchange Admin 
Information Technology Services 
The Community College of Baltimore County 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: [ActiveDir] Please help me



I have a strange problem and cannot find any solution.

I used DCpromo to depromote a computer. It worked OK, the domain
controller was depromoted. But when I use repadmin to show other DCs'
replication, it shows replications from the depromoted domain controller. I
didn't find anything to explain how to solve that.
Where can I find it, to remove it from replication? The machine is a
network computer, but replication fails with message:


SPO-COSTA\SPO-CENTRO5   --   (THIS IS THE DOMAIN CONTROLLER
THAT IS NOT A DOMAIN CONTROLLER ANYMORE)
DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC
DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f
Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br
DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2
DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS
USNs: 13018091/OU, 13018091/PU
Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
A operação de agente do sistema de diretórios (DSA) não pode
prosseguir devido a uma falha de pesquisa de DNS.
96 consecutive failure(s). 
Last success @ 2006-12-01 07:58:08.

Adrião Ferreira Ramos 
Depto. de Operações e Infra-Estrutura - CII.14 
[EMAIL PROTECTED]   
(11) 3388.8193  





RE: [ActiveDir] DNS scavenging question

2006-12-07 Thread Figueroa, Johnny

I don't believe that static records age, so they should not be affected
by scavenging? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kurt Falde
Sent: Thursday, December 07, 2006 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS scavenging question

http://technet2.microsoft.com/WindowsServer/en/library/d652a163-279f-4047-b3e0-0c468a4d69f31033.mspx?mfr=true

dnscmd /startscavenging

I would recommend you make a backup of your zone before you ageall and
start scavenging, have you taken into consideration records that need to
be there that you will need to recreate as static entries ie.
www.company.com etc?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, December 07, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS scavenging question

I have a rather off the wall DNS scavenging question.

I have a bunch of DNS records that are stale and need to be scavenged
out of the zone.  Following the O'REILLY book: DNS on Windows Server
2003 I have configured aging and scavenging.  (Don't ask why this wasn't
done when the zone was first setup, that is another story)

Now I know: If scavenging is disabled on a standard zone and you enable
scavenging, the server does not scavenge records that existed before you
enabled scavenging. The server does not scavenge those records even if
you convert the zone to an Active Directory-integrated zone first.

To enable scavenging of such records, use the AgeAllRecords in
Dnscmd.exe.  I know this must be done in order to configure existing
records to a scavengable state.

Is there a way to immediately force a scavenge cycle that will remove
all stale records?  I would not want to have to wait until the no-refresh
and refresh intervals expire.


Daniel Gilbert


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
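
A small model of the aging rules this thread is discussing, as an added example rather than anything posted to the list. It assumes records that predate aging carry no timestamp (as the thread describes), that `AgeAllRecords` stamps every record with the current time, static ones included, and that a record is stale once its timestamp plus the no-refresh and refresh intervals has passed; the record names and 7-day intervals are illustrative.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Record:
    name: str
    # None models a timestamp of 0: the record is never considered for scavenging.
    timestamp: Optional[datetime] = None

@dataclass
class Zone:
    # Assumed intervals (7 days each); use the zone's real settings when reasoning
    # about a production server.
    no_refresh: timedelta = timedelta(days=7)
    refresh: timedelta = timedelta(days=7)
    records: List[Record] = field(default_factory=list)

    def age_all_records(self, now):
        """Model of dnscmd /AgeAllRecords: stamp every record, static ones too."""
        for r in self.records:
            r.timestamp = now

    def make_static(self, name):
        """Model of clearing 'Delete this record when it becomes stale'."""
        for r in self.records:
            if r.name == name:
                r.timestamp = None

    def client_refresh(self, name, now):
        """A live client re-registers; accepted once the no-refresh window is over."""
        for r in self.records:
            if (r.name == name and r.timestamp is not None
                    and now >= r.timestamp + self.no_refresh):
                r.timestamp = now

    def is_stale(self, r, now):
        return (r.timestamp is not None
                and now > r.timestamp + self.no_refresh + self.refresh)

    def scavenge(self, now):
        """Model of one scavenging pass; returns the names it removed."""
        removed = [r.name for r in self.records if self.is_stale(r, now)]
        self.records = [r for r in self.records if r.name not in removed]
        return removed

def simulate(protect_static):
    """Replay the thread's scenario and return what each scavenging pass removed."""
    t0 = datetime(2006, 12, 7, 12, 0)
    zone = Zone(records=[Record("www"), Record("livepc"), Record("deadpc")])

    before = zone.scavenge(t0)           # nothing is stamped yet
    zone.age_all_records(t0)
    if protect_static:
        zone.make_static("www")          # re-protect the manually created record
    immediate = zone.scavenge(t0)        # everything was stamped a moment ago

    zone.client_refresh("livepc", t0 + timedelta(days=8))
    later = zone.scavenge(t0 + timedelta(days=15))
    return before, immediate, later

if __name__ == "__main__":
    print("static record left stamped:", simulate(protect_static=False))
    print("static record re-protected:", simulate(protect_static=True))
```

In this model a scavenging pass started right after `AgeAllRecords` removes nothing, and a static record that is left stamped is removed together with the dead host once both intervals have passed.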


RE: [ActiveDir] Quest Recovery Manager

2006-12-07 Thread Molkentin, Steve

I'll see that and raise you...

The company I work for makes door furniture, padlocks, etc.

We have a competitor in the retail market that has been buying our stock
from our customers to gain shelf space in their stores. Now, while we
still get the sale, and the stock does initially go on the shelf, it is
then removed to make way for the second company's stock seeing as they
purchased all our stock from the customer. They end up dumping it.

How are we competing with that? We've brought out a 'cheaper' product to
compete with theirs (our product is usually higher priced, due to name
recognition and quality) and are beating them at their own game by
selling a product that sells in greater quantities than their product.
No more shelf space problems for us! In fact, due to this new line we
are offering, the customer is choosing to no longer stock our competitor
at all.

themolk.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Myrick, Todd (NIH/CC/DCRI) [E]
 Sent: Friday, 8 December 2006 7:14 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Quest Recovery Manager

 Understood Gil,

 I wonder what would happen if the Federal Trade Commission got wind of
 such activity. Depending on who is in office... they tend to frown upon
 that type of activity, especially from companies outside of the US.

 Todd
 -Original Message-
 From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 07, 2006 2:17 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Quest Recovery Manager

 Just to give an idea of how insane it can get

 A good friend of mine works at a software company (not in the Microsoft
 space)... let's call it company G. Company G is small (300 people or so)
 and privately held, with a superior product. Company G's main
 competition is Company W, a large, bloated publicly held company, with
 a decidedly inferior product. Company W hasn't developed anything
 innovative in years... all their new products have come through
 acquisitions.

 Now check this out: Company G has a competitive sales program for
 Company W's customers. If a customer has decided on Company W, for
 whatever reason, and there is no way that they will buy Company G's
 product, Company G will work with the customer to provide a competitive
 bid *just to drive Company W's prices down.* The customer doesn't even
 have to look at Company G's products.

 Now THAT's ruthless sales behavior!

 -gil

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
 (NIH/CC/DCRI) [E]
 Sent: Thursday, December 07, 2006 10:12 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Quest Recovery Manager

 I would say companies competing via innovative features benefit
 customers more than just low balling each other in this space / vertical
 market.

 And just like a free puppy... If you don't train it... you eventually
 have to call in the Directory Whispers.

 I think I might have just found some inspiration for a new TV Show.

 Todd

 -Original Message-
 From: Martin Tuip [mailto:[EMAIL PROTECTED]
 Sent: Thursday, December 07, 2006 8:16 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Quest Recovery Manager

 Competition benefits customers.


 Martin

 - Original Message -
 From: Gil Kirkpatrick [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Wednesday, December 06, 2006 7:46 PM
 Subject: RE: [ActiveDir] Quest Recovery Manager


 It gets even nuttier in competitive situations. Bring in the NetPro
 products for eval, and watch how fast the Quest price goes to zero.
 It's like the old Crazy Eddy's TV ads in New York.

 Of course it's free like a puppy... :)

 -gil

 

 From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
 Sent: Wed 12/6/2006 4:18 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Quest Recovery Manager



 The Quest guys told me the other day they had a lot of leeway on some
 pricing for one of my clients so I'm wondering if this is the end of the
 year for the salesmen and they need to make their year this month (if so
 this is an excellent time to buy Quest software)



 Ha! Show me a sales person from ANY software company who doesn't get that
 wide-eyed, crazed, foaming-at-the-mouth look in his or her eye around
 quarter-end or year-end and I'll show you a sales person that is about to be
 fired. It's part of the game. Gotta make quota, esp. at year end, and to do
 that, you gotta discount! I would think most IT shops are wise to it by now.
 It's kind of a sick dance we all do :-)



 Darren



 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
 Sent: Wednesday, December 06, 2006 1:54 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Quest Recovery Manager



 Yeah. Sit down with your team and figure out what it is you
 need - must
 have, would 

[ActiveDir] What is Websence

2006-12-07 Thread Ravi Dogra

Is it a box or software driven web filtering. Please provide some info on this.

--
Thanks,
RD


Re: [ActiveDir] Delegate join computer to domain

2006-12-07 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
In the default domain set up ... a domain user can set up 10 computers 
as was pointed out


After I adjusted the security settings, I reduced the default number of 
computers an authenticated user can join to the domain down to zero.


Why not just change the group to have that right again?  As you know 
there's a specific group policy setting for that.


What's the risk for this group to not have this right?

(Threats and Countermeasures guide discusses the pros/cons)

Wells, James Arthur wrote:

Ben,

There is a larger list of required ACE entries to JOIN a computer to the domain.

They are:

List Contents
Read All Properties
Delete
Delete Subtree
Read Perms
All Extended Rights (gives you Allowed to Authenticate, Change Pwd, Receive As, Reset Pwd, Send As)
Validate write to DNS host name
Validated write to service principal name

(Property permissions)
Write Account Restrictions
Read DNS Host Name Attributes
Read Personal Information
Read Public Information

Good luck!


(I'm assuming you're in W2K3 domain mode, because in mixed, Pre-Win2K 
Compatible Access grants extra permissions letting users join computers, even 
when dropping the workstation quota to 0).


--James

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Thursday, December 07, 2006 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate join computer to domain

Hello everyone,

Our desktop support group are all a part of a security group called IT.  I 
delegated the Create and Delete Computer ACEs to the security group over the OU 
that I want them to add computer accounts into when a machine is joined to the 
domain.

After I adjusted the security settings, I reduced the default number of 
computers an authenticated user can  join to the domain down to zero.

It seems that the members of the IT security group can pre-create the computer accounts, but when they attempt to go through the join process, they are caught at the check that determines if they have surpassed the number of machines a user can join to the domain (which is now zero).  


What must I do so this security group is not subject to that check?

Thanks,
Ben

-Original Message-
From: Thompson, Elizabeth [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: 12/7/06 11:31 AM
Subject: RE: [ActiveDir] Please help me

Check and see if it still has the dead server listed under its NTDS 
Settings in AD Sites and Services. Had this happen once to me. I manually deleted the 
NTDS reference and it was happy.
 
Elizabeth Thompson 
Service and Support Technician/Exchange Admin 
Information Technology Services 
The Community College of Baltimore County 






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: [ActiveDir] Please help me



I have a strange problem and cannot find any solution 

I used DCpromo to depromote a computer. It worked OK, the domain controller was depromoted. But when I use repadmin to show other DCs' replication, it shows replications from the depromoted domain controller. I didn't find anything to explain how to solve that. 
Where can I find it, to remove it from replication? The machine is a network computer, but replication fails with message: 


SPO-COSTA\SPO-CENTRO5   --   (THIS IS THE DOMAIN CONTROLLER THAT IS NOT A DOMAIN CONTROLLER ANYMORE) 
DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC 
DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f 
Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br 
DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2 
DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS 
USNs: 13018091/OU, 13018091/PU 
Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c): 
A operação de agente do sistema de diretórios (DSA) não pode prosseg 
uir devido a uma falha de pesquisa de DNS. 
96 consecutive failure(s). 
Last success @ 2006-12-01 07:58:08.


  	Adrião Ferreira Ramos 
  	Depto. de Operações e Infra-Estrutura - CII.14 
  	[EMAIL PROTECTED] 	

(11) 3388.8193  
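
The `repadmin` output quoted at the end of the message above shows a replication partner marked as a deleted DSA with 96 consecutive failures and result 8524. The following added example (not code from any poster) parses output of that shape and flags such partners; the sample text, its placeholder names and GUIDs, and the `min_failures` threshold are constructed assumptions.

```python
import re

# Constructed sample, laid out like the repadmin output quoted above.
# Site, server and GUID values are placeholders, not taken from the thread.
SAMPLE = """\
SITE-A\\DC-OLD
    DEL:00000000-0000-0000-0000-000000000001 (deleted DSA) via RPC
        DC object GUID: 00000000-0000-0000-0000-000000000002
        Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
            (DNS lookup failure text)
        96 consecutive failure(s).
        Last success @ 2006-12-01 07:58:08.
SITE-A\\DC-GOOD via RPC
        DC object GUID: 00000000-0000-0000-0000-000000000003
        Last attempt @ 2006-12-07 07:58:10 was successful.
"""

# "Site\Server", optionally followed by "via RPC" on the same line.
PARTNER_RE = re.compile(r"^(?P<site>[^\\\s]+)\\(?P<server>\S+?)(?:\s+via\s+RPC)?$")
# A partner whose NTDS Settings object has been deleted is shown as "DEL:<guid>".
DELETED_RE = re.compile(r"^DEL:(?P<guid>[0-9a-fA-F-]{36})\s+\(deleted DSA\)")
FAILED_RE = re.compile(
    r"^Last attempt @ (?P<when>.+?) failed, result (?P<code>\d+) \(0x[0-9a-fA-F]+\)"
)
COUNT_RE = re.compile(r"^(?P<n>\d+) consecutive failure\(s\)")


def parse_partners(text):
    """Split the output into one dict per inbound replication partner."""
    partners, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PARTNER_RE.match(line)
        if m:
            cur = {
                "site": m["site"],
                "server": m["server"],
                "deleted_dsa": None,   # GUID from the DEL: line, if any
                "result": None,        # numeric result of the last failed attempt
                "failures": 0,         # consecutive failure count
                "last_attempt": None,
            }
            partners.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first partner
        if (m := DELETED_RE.match(line)):
            cur["deleted_dsa"] = m["guid"]
        elif (m := FAILED_RE.match(line)):
            cur["last_attempt"] = m["when"]
            cur["result"] = int(m["code"])
        elif (m := COUNT_RE.match(line)):
            cur["failures"] = int(m["n"])
    return partners


def flag_stale(partners, min_failures=10):
    """Return partners that look like leftovers of a demoted DC:
    either marked as a deleted DSA or failing repeatedly."""
    return [p for p in partners
            if p["deleted_dsa"] or p["failures"] >= min_failures]


if __name__ == "__main__":
    for p in flag_stale(parse_partners(SAMPLE)):
        print(f'{p["site"]}\\{p["server"]}: deleted DSA {p["deleted_dsa"]}, '
              f'result {p["result"]}, {p["failures"]} consecutive failures')
```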



RE: [ActiveDir] NetBT errors 4321

2006-12-07 Thread Laura A. Robinson
Okay, and you've ruled out all of this stuff?
 
http://www.eventid.net/display.asp?eventid=4321&eventno=1822&source=NetBT&phase=1
 
If so, can you do an ipconfig /all on each machine? You can anonymize an
octet or two so as to protect your IPs. 
 
Laura
 


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Simon Bembridge
Sent: Thursday, December 07, 2006 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NetBT errors 4321



 

 

Laura,

 

Sorry for not getting back sooner, the answer to your questions are.

 

Both IP addresses are DC’s

 

The first IP address is the one exhibiting all the NETBT 4321 event log
errors, the second IP address is the DC refusing the name to be claimed.

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 05 December 2006 01:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NetBT errors 4321

 

Okay, first question- is the first xxx.xxx.xxx.xxx address the same as the
second xxx.xxx.xxx.xxx, or are they actually different addresses? Second,
if we're talking two IPs, which one is the DC's IP? Basically, I can't get
enough from your genericized [I made that word up] error to figure out which
machine is which, where this error came from, what machine(s) is/are
identified by the IPs in the error, and therefore, why I should care about
the Nbstat entries. :-)

 

Laura

 


   _  


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Simon Bembridge
Sent: Monday, December 04, 2006 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NetBT errors 4321

Hi All,

 

I cannot find a resolution to event log error that we are having within our
development domain the event is logged every 3-6 mins. I have exhausted the
internet results but to no avail, any help would be greatly appreciated.

 

We have two DC’s living on different subnets both acting as BH servers. 

 

1st DC holds all FSMO roles, single domain, D  FFL 2003

 

Anyway below is the event log message I have done all the searches possible
and come up with nothing at all. 

 

Source NetBT

EventID: 4321

 

The name “DEV….:Id” Could not be registered on the interface with IP
address xxx.xxx.xxx.xxx 

The machine with the IP address xxx.xxx.xxx.xxx did not allow the name to be
claimed by the machine.

 

 

The results of both DC’s are as follows:

 

Nbtstat –an

 

DC1            DC2
00 unique      00 unique
00 Group       00 Group
1c Group       1c Group
20 Unique      20 Unique
1D Unique      1E Group
1E Group
-MSBROWSE

 

Mac address 

 

 

 


RE: [ActiveDir] What is Websence

2006-12-07 Thread Brian Desmond
Websense is software you put on one or more servers to do the filtering
of http requests. You can either do it parallel to your firewalls (Pixen
and others support passing http requests to a Websense farm in
realtime), or I believe you can put them inline as a proxy.

If you're doing a large deployment of it there is significant planning
involved, FYI.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Thursday, December 07, 2006 6:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What is Websence

Is it a box or software driven web filtering. Please provide some info
on this.

-- 
Thanks,
RD


RE: [ActiveDir] What is Websence

2006-12-07 Thread Derek Harris
You can check their website: www.websense.com

I evaluated the software version a couple of months ago and wasn't
impressed -- stayed with SurfControl.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Thursday, December 07, 2006 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What is Websence

Is it a box or software driven web filtering. Please provide some info
on this.

-- 
Thanks,
RD


RE: [ActiveDir] What is Websence

2006-12-07 Thread Laura A. Robinson
http://www.websense.com/docs/Datasheets/en/v6.3/Websense_ProductOverview.pdf
http://www.websense.com/global/en/Partners/TAPartners/SecurityEcosystem/

Depending upon which websense product you're referencing, it can be an
appliance or just software.

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
 Sent: Thursday, December 07, 2006 6:30 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] What is Websence
 
 Is it a box or software driven web filtering. Please provide 
 some info on this.
 
 --
 Thanks,
 RD


RE: [ActiveDir] What is Websence

2006-12-07 Thread Stockbrugger, Brian L.
The WebSense deployment we have uses a combination of Cisco hardware and
a Windows-based server.  The Cisco product (in our case a Catalyst 6509)
using WCCP redirects web traffic to a Windows-based server for content
inspection and then filters the traffic based upon a list of policies.
Web traffic destined for inappropriate sites is presented with a web
page stating that the site they are trying to reach is blocked.  The
redirection can also come in the form of policy based routing as well.
WebSense can also connect to AD and allow overrides and logging of web
surfing.  AD groups can be abstained from certain policies.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Thursday, December 07, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What is Websence

Is it a box or software driven web filtering. Please provide some info
on this.

-- 
Thanks,
RD


RE: [ActiveDir] What is Websence

2006-12-07 Thread Free, Bob
Umm, it's a suite of products and services. Depends on what you buy :-)

http://www.websense.com/global/en/ProductsServices/ 

What we have for our Websense installation is several Windows servers
that serve as content filters and proxy servers with a subscription
based filter. All the logs roll to a common reporting database, they
sit behind load balancers so client proxy configuration and redundancy is
simplified.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Thursday, December 07, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What is Websence

Is it a box or software driven web filtering. Please provide some info
on this.

--
Thanks,
RD


RE: [ActiveDir] Delegate join computer to domain

2006-12-07 Thread Wells, James Arthur
Not really the risk - more the ability to delegate the right on a very granular 
level.  Semi-independent organizations are given OUs in our domains, with 
limited rights.  One of those rights needed to be the ability to precreate 
computer objects and then join them to the domain (and to be nice, to
allow one SA to create the object and a DIFFERENT SA to join the computer, so 
the extra parameter in ADUC at creation time to specify a security principal 
didn't help).

We also use Quest ActiveRoles for AD security ACLs and auditing, so we needed 
to know the specific ACEs necessary... and, voila!

Now, if there were some way to script the delegation wizard tasks, and build in 
easy auditing and administration like Quest ActiveRoles has, I would have gone 
that route...but not sure such an API exists...

The GPO wasn't the direction we wanted to go, because we also handle patching 
and compliance (different apps for different OUs even), so computers going into 
the Computers container isn't a good option, which I think that GPO would 
allow for - correct?


(That's why WE did all of the above.  Not sure what Ben's list of goals is).

--James

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, December 07, 2006 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate join computer to domain

In the default domain set up ... a domain user can set up 10 computers 
as was pointed out

After I adjusted the security settings, I reduced the default number of 
computers an authenticated user can join to the domain down to zero.

Why not just change the group to have that right again?  As you know 
there's a specific group policy setting for that.

What's the risk for this group to not have this right?

(Threats and Countermeasures guide discusses the pros/cons)

Wells, James Arthur wrote:
 Ben,

 There is a larger list of required ACE entries to JOIN a computer to the 
 domain.

 They are:

 List Contents
 Read All Properties
 Delete
 Delete Subtree
 Read Perms
 All Extended Rights (gives you Allowed to Authenticate, Change Pwd, Receive As, Reset Pwd, Send As)
 Validate write to DNS host name
 Validated write to service principal name

 (Property permissions)
 Write Account Restrictions
 Read DNS Host Name Attributes
 Read Personal Information
 Read Public Information

 Good luck!


 (I'm assuming you're in W2K3 domain mode, because in mixed, Pre-Win2K 
 Compatible Access grants extra permissions letting users join computers, even 
 when dropping the workstation quota to 0).


 --James

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
 Sent: Thursday, December 07, 2006 1:45 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Delegate join computer to domain

 Hello everyone,

 Our desktop support group are all a part of a security group called IT.  I 
 delegated the Create and Delete Computer ACEs to the security group over the 
 OU that I want them to add computer accounts into when a machine is joined to 
 the domain.

 After I adjusted the security settings, I reduced the default number of 
 computers an authenticated user can  join to the domain down to zero.

 It seems that the members of the IT security group can pre-create the 
 computer accounts, but when they attempt to go through the join process, they 
 are caught at the check that determines if they have surpassed the number of 
 machines a user can join to the domain (which is now zero).  

 What must I do so this security group is not subject to that check?

 Thanks,
 Ben

 -Original Message-
 From: Thompson, Elizabeth [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
 Cc: [EMAIL PROTECTED] [EMAIL PROTECTED]
 Sent: 12/7/06 11:31 AM
 Subject: RE: [ActiveDir] Please help me

 Check and see if it still has the dead server listed under its NTDS 
 Settings in AD Sites and Services. Had this happen once to me. I manually 
 deleted the NTDS reference and it was happy.
  
 Elizabeth Thompson 
 Service and Support Technician/Exchange Admin 
 Information Technology Services 
 The Community College of Baltimore County 



 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL 
 PROTECTED]
 Sent: Thursday, December 07, 2006 10:50 AM
 To: ActiveDir@mail.activedir.org
 Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
 Subject: [ActiveDir] Please help me



 I have a strange problem and cannot find any solution 

 I used DCpromo to depromote a computer. It worked OK, the domain 
 controller was depromoted. But when I use repadmin to show other DCs' 
 replication, it shows replications from the depromoted domain controller. I 
 didn't find anything to explain how to solve that. 
 Where can I find it, to remove it from replication. The machine is a 
 network computer, but 

RE: [ActiveDir] DNS scavenging question

2006-12-07 Thread Daniel Gilbert
Thanks for the input.  Luckily for us we do not have any static records, at
least I have not created any but I will check with the other Admins to be
sure.

 

I thought AGEALLRECORDS would bring the prior records into the fold and then
they would be scavenged out in the next cycle.  Guess we will give it a try
and let everyone know how it turned out.

 

Dan

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Thursday, December 07, 2006 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS scavenging question

 

You are correct.  

 

Due to the fact that aging/scavenging was not enabled the records which were
dynamically registered were not stamped with a date/time.  Therefore the
aging/scavenging process ignores them upon starting its scavenging process.

You can use the AgeAllRecords which will do just that.  Age ALL your
records.  You have to be careful though.  I haven't proven this but I
believe that it will also turn your static records into dynamic records (time
stamp them).  Then when you run AgeAllRecords... well, guess what?...

To prevent this, once you AgeAllRecords you will have to go back into the
DNS console and ensure that static/manually created records you need are not
set to "Delete this record when it becomes stale" by unchecking the box in the
record properties.  You might have to enable the advanced view (View ->
Advanced) to view this as well as the timestamp of the record.

Once you've completed this you can then right click on the DNS server name
in the DNS console and select "Scavenge Stale Resource Records" or via command
prompt: dnscmd servername /StartScavenging

Note: In order to successfully configure Scavenging and Aging you will need
to enable it both on the zone and the DNS server. Which I'm sure you have
already... but just in case.

Right click on server name -> Properties -> Advanced tab -> check the "Enable
automatic scavenging of stale records" or you can enable it for all zones by
right clicking on the server name and selecting "Set Aging/Scavenging for all
Zones" -> check the box "Scavenge stale resource records" -> OK -> check the box
to apply these settings to the existing Active Directory-integrated zones
(if AD integrated) -> OK then go to the zone and right
click -> Properties -> General tab -> Aging button and check the "Scavenge stale
resource records" -> OK

Hope this will help... please chime in.

 

-vC

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, December 07, 2006 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS scavenging question

 

I have a rather off the wall DNS scavenging question.

I have a bunch of DNS records that are stale and need to be scavenged
out of the zone.  Following the O'REILLY book: DNS on Windows Server
2003 I have configured aging and scavenging.  (Don't ask why this
wasn't done when the zone was first setup, that is another story)

Now I know: If scavenging is disabled on a standard zone and you enable
scavenging, the server does not scavenge records that existed before
you enabled scavenging. The server does not scavenge those records even
if you convert the zone to an Active Directory-integrated zone first.

To enable scavenging of such records, use the AgeAllRecords in
Dnscmd.exe.  I know this must be done in order to configure existing
records to a scavengable state.

Is there a way to immediately force a scavenge cycle that will remove
all stale records?  I would not want to have to wait until the no-refresh
and refresh intervals expire.

 

 

Daniel Gilbert
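
A small model of the aging logic discussed in this thread, added here as an illustration (not code from any poster or from Microsoft). It assumes 7-day no-refresh and refresh intervals, represents an unstamped record with timestamp 0 as the thread describes for records that predate aging, and uses constructed record names and hour values; the zone-level "can be scavenged after" time is not modelled.

```python
from dataclasses import dataclass

# Assumed intervals: 7-day no-refresh and 7-day refresh, in hours.
NO_REFRESH_H = 7 * 24
REFRESH_H = 7 * 24
STATIC = 0  # timestamp 0 = record carries no time stamp and is never scavenged


@dataclass
class Record:
    name: str
    timestamp: int  # hour number of the last stamp, or STATIC


def is_stale(rec, now_h):
    """A stamped record is stale once both intervals have fully elapsed."""
    if rec.timestamp == STATIC:
        return False
    return now_h > rec.timestamp + NO_REFRESH_H + REFRESH_H


def age_all_records(zone, now_h):
    """Model of AgeAllRecords: stamp every record with the current time,
    including records that were created by hand."""
    for rec in zone:
        rec.timestamp = now_h


def scavenge(zone, now_h):
    """Model of one scavenging pass; returns the names that were removed."""
    removed = [r.name for r in zone if is_stale(r, now_h)]
    zone[:] = [r for r in zone if not is_stale(r, now_h)]
    return removed


def run_scenario(protect_static):
    """Walk through the sequence from the thread and record each outcome."""
    now = 100_000  # constructed hour number standing in for "today"
    # Constructed zone: both records predate aging, so neither is stamped.
    # "old-laptop" is a machine that is gone; "fileserver" was added by hand.
    zone = [Record("old-laptop", STATIC), Record("fileserver", STATIC)]
    result = {}

    # Scavenging with aging freshly enabled: unstamped records are ignored.
    result["before_ageall"] = scavenge(zone, now)

    # AgeAllRecords stamps everything with the current time.
    age_all_records(zone, now)

    # A pass forced right away: every record was just stamped, none is stale.
    result["right_after_ageall"] = scavenge(zone, now)

    if protect_static:
        # Equivalent of clearing "Delete this record when it becomes stale"
        # on the hand-made record, which removes its time stamp.
        next(r for r in zone if r.name == "fileserver").timestamp = STATIC

    # Neither record is refreshed; run a pass after both intervals have passed.
    later = now + NO_REFRESH_H + REFRESH_H + 1
    result["after_intervals"] = scavenge(zone, later)
    result["remaining"] = [r.name for r in zone]
    return result


if __name__ == "__main__":
    for protect in (False, True):
        print("static record protected:", protect, run_scenario(protect))
```

In this model a scavenging pass forced immediately after AgeAllRecords removes nothing, because every record has just been stamped; records become eligible only once the no-refresh and refresh intervals have passed.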

 

 




RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-07 Thread Laura A. Robinson
Okay, let me see if I can summarize this in a gazillion words or less...
 
There are two types of activations for Vista- MAK activation and KMS
activation.
 
MAK activation works much like an MSDN subscription. You tell Microsoft how
many MAK activations you want to purchase. Microsoft sells you a MAK key
with that many activations. A machine that is activated via MAK activation
never has to renew. A MAK-activated client either directly contacts
Microsoft servers for activation or (in 2007, when the VAMT tool is
released) it activates against a proxy in your company that feeds the
activation to Microsoft activation servers. If you reinstall the OS and
specify MAK activation again, then that will use another of your allocated
activations. MAK activation is designed for machines that are NEVER
connected to your network (VPN counts as connected) in any given six-month
period. Therefore, we're talking about a machine that goes out your door and
you don't see it again for a very long time. MAK keys should not be commonly
or lightly used. In the reinstall scenario, much as you can now, you can
contact Microsoft at that time and explain the situation and get another
activation. 
 
KMS activation DOES NOT REPORT ANYTHING TO MICROSOFT. You activate the KMS
host against a Microsoft activation server, and your KMS clients get
activated by YOUR KMS host. Once a week, they try to renew. If renewal is
successful, the KMS client now has six months from that day to renew again.
The client will still renew once a week and will be extending that six month
window each time. In other words, you always have six months from initial
activation or renewal of activation before the client MUST contact a KMS
host again. If it's day 179 and your KMS host has been down that entire
time, when you bring it back up on day 179, your clients can renew their
activations for another six months. During those 179 days while the KMS host
was down, they are unaffected unless their 180 days of validity expired
during that time and they were unable to locate and contact another KMS
server.
 
If you reinstall the OS on a KMS-activated client, IT DOESN'T MATTER,
because Microsoft doesn't track KMS clients. In fact, even the KMS server
only keeps track of the last fifty activations it has performed. Now, if you
want to keep this information for your own records, you can easily extract
it from the event logs or you can use the MOM management pack for KMS.
 
With KMS activation, you are simply saying to Microsoft, we anticipate that
we will have 10,000 [or whatever] Vista clients. Therefore, we'll pay you
for that many Vista clients. That's the end of the story as far as
Microsoft is concerned. If you exceed 10,000 active Vista clients, then
you're in violation of your agreement, but Microsoft won't know about it via
some magic mechanism. KMS-activated clients don't talk to Microsoft. They
talk to your KMS host. 
 
The step-by-step guide I referenced tends to look dry and overwhelming to
people and I suspect that many folks don't really sit down and take the time
to read it thoroughly (can't blame 'em), but it really is all explained
there.
 
Laura
 
Hopefully I didn't put any typos or other doofusness in the above; it's been
a bad week for me when it comes to typing. :-)


   _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, December 07, 2006 5:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Vista Activation and KMS


I have read all this, and it seems anything but straightforward to me. It
looks like we are going to have to invest a lot more money in managing
licenses.
 
I could also find nothing about what happens if we need to re-install
Windows. It appears we need to re-activate, and it appears as it's a new SID
it will use a second license... Anyone any pointers on this?
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 05 December 2006 00:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Vista Activation and KMS


Actually, it is clearly documented, along with a lot more information on
KMS, MAK and Vista Volume Activation (btw, Volume Licensing doesn't exist in
Vista; VL and VA are not the same things). You probably don't want to get me
started on a big long explanation of how volume activation works, so I'll
just point you to this site:
http://www.microsoft.com/technet/windowsvista/plan/volact.mspx
:-)
 
I highly recommend both the FAQ and the step-by-step guide. The latter
provides information on how to change from KMS to MAK and vice versa (there
are several ways), as well as documentation of defaults, configuration
options, etc.
 
Laura
 
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, December 04, 2006 2:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: 

Re: [ActiveDir] Quest Recovery Manager

2006-12-07 Thread Martin Tuip
Interesting strategy .. I can't seem to find the point why they would buy 
it.  Since they are one of your biggest customers have you contacted them to 
discuss volume pricing ?



Martin

- Original Message - 
From: Molkentin, Steve [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, December 07, 2006 3:20 PM
Subject: RE: [ActiveDir] Quest Recovery Manager



I'll see that and raise you...

The company I work for makes door furniture, padlocks, etc.

We have a competitor in the retail market that has been buying our stock
from our customers to gain shelf space in their stores. Now, while we
still get the sale, and the stock does initially go on the shelf, it is
then removed to make way for the second company's stock seeing as they
purchased all our stock from the customer. They end up dumping it.

How are we competing with that? We've brought out a 'cheaper' product to
compete with theirs (our product is usually higher priced, due to name
recognition and quality) and are beating them at their own game by
selling a product that sells in greater quantities than their product.
No more shelf space problems for us! In fact, due to this new line we
are offering, the customer is choosing to no longer stock our competitor
at all.

themolk.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Friday, 8 December 2006 7:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Understood Gil,

I wonder what would happen if the Federal Trade Commission got wind of
such activity. Depending on who is in office... they tend to frown upon
that type of activity, especially from companies outside of the US.

Todd
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 2:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Just to give an idea of how insane it can get

A good friend of mine works at a software company (not in the Microsoft
space)... let's call it company G. Company G is small (300 people or so)
and privately held, with a superior product. Company G's main
competition is Company W, a large, bloated publicly held company, with
a decidedly inferior product. Company W hasn't developed anything
innovative in years... all their new products have come through
acquisitions.

Now check this out: Company G has a competitive sales program for
Company W's customers. If a customer has decided on Company W, for
whatever reason, and there is no way that they will buy Company G's
product, Company G will work with the customer to provide a competitive
bid *just to drive Company W's prices down.* The customer doesn't even
have to look at Company G's products.

Now THAT's ruthless sales behavior!

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DCRI) [E]
Sent: Thursday, December 07, 2006 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

I would say companies competing via innovative features benefit
customers more than just low balling each other in this space / vertical
market.

And just like a free puppy... If you don't train it... you eventually
have to call in the Directory Whispers.

I think I might have just found some inspiration for a new TV Show.

Todd

-Original Message-
From: Martin Tuip [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Quest Recovery Manager

Competition benefits customers.


Martin

- Original Message -
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, December 06, 2006 7:46 PM
Subject: RE: [ActiveDir] Quest Recovery Manager


It gets even nuttier in competitive situations. Bring in the NetPro
products for eval, and watch how fast the Quest price goes to zero.
It's like the old Crazy Eddy's TV ads in New York.

Of course it's free like a puppy... :)

-gil



From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 12/6/2006 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager



The Quest guys told me the other day they had a lot of leeway on some
pricing for one of my clients so I'm wondering if this is the end of the
year for the salesmen and they need to make their year this month (if so
this is an excellent time to buy Quest software)

Ha! Show me a sales person from ANY software company who doesn't get that
wide-eyed, crazed, foaming-at-the-mouth look in his or her eye around
quarter-end or year-end and I'll show you a sales person that is about to be
fired. It's part of the game. Gotta make quota, esp. at year end, and to do
that, you gotta discount! I would think most IT shops are wise to it by now.
It's kind of a sick dance we all do :-)



Darren



From: 

RE: [ActiveDir] DNS scavenging question

2006-12-07 Thread Tony Murray
Hi Daniel

If this is an AD-integrated zone, it might be helpful to back-up the zone to 
file before you go ahead with the change - just in case you lose any records 
you might later want back.

http://www.activedir.org/article.aspx?aid=102

Tony
-- Original Message --
From: Daniel Gilbert [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 7 Dec 2006 19:22:25 -0700

Thanks for the input.  Luckily for us we do not have any static records, at
least I have not created any but I will check with the other Admins to be
sure.

 

I thought AGEALLRECORDS would bring the prior records into the fold and then
they would be scavenged out in the next cycle.  Guess we will give it a try
and let everyone know how it turned out.

 

Dan

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Thursday, December 07, 2006 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS scavenging question

 

You are correct.  

 

Due to the fact that aging/scavenging was not enabled the records which were
dynamically registered were not stamped with a date/time.  Therefore the
aging/scavenging process ignores them upon starting its scavenging process.

You can use the AgeAllRecords which will do just that.  Age ALL your
records.  You have to be careful though.  I haven't proven this but I
believe that it will also turn your static records into dynamic records (time
stamp them).  Then when you run AgeAllRecords... well guess what?...

To prevent this, once you ageallrecords you will have to go back into the
DNS console and ensure that static/manually created records you need are not
set to "Delete this record when it becomes stale" by unchecking the box in the
record properties.  You might have to enable the advanced view (View ->
Advanced) to view this as well as the timestamp of the record.

Once you've completed this you can then right click on the DNS server name
in the DNS console and select "Scavenge Stale Resource Records" or via command
prompt: dnscmd servername /StartScavenging

Note: In order to successfully configure Scavenging and Aging you will need
to enable it both on the zone and the DNS server. Which I'm sure you have
already... but just in case.

Right click on server name -> Properties -> Advanced tab -> check the "Enable
automatic scavenging of stale records" or you can enable it for all zones by
right clicking on the server name and selecting "Set Aging/Scavenging for all
Zones..." -> check the box "Scavenge stale resource records" -> OK -> check the
box to apply these settings to the existing Active Directory-integrated zones
(if AD integrated) -> OK then go to the zone and right
click -> Properties -> General tab -> Aging button and check the "Scavenge stale
resource records" -> OK

Hope this will help... please chime in.

 

-vC

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, December 07, 2006 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS scavenging question

 

I have a rather off the wall DNS scavenging question.

I have a bunch of DNS records that are stale and need to be scavenged
out of the zone.  Following the O'REILLY book: DNS on Windows Server
2003 I have configured aging and scavenging.  (Don't ask why this
wasn't done when the zone was first setup, that is another story)

Now I know: If scavenging is disabled on a standard zone and you enable
scavenging, the server does not scavenge records that existed before
you enabled scavenging. The server does not scavenge those records even
if you convert the zone to an Active Directory-integrated zone first.

To enable scavenging of such records, use the AgeAllRecords in
Dnscmd.exe.  I know this must be done in order to configure existing
records to a scavengable state.

Is there a way to immediately force a scavenge cycle that will remove
all stale records?  I would not want to have to wait until the no-refresh
and refresh intervals expire.

 

 

Daniel Gilbert

 

 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
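
An added example, not part of any post in this thread: a small Python model of the aging rule the DNS scavenging messages above discuss, showing why records without a timestamp are skipped, what AgeAllRecords changes, and what happens to a manually created record that is not reset afterwards. Assumptions of the model: timestamps are in hours, 0 means "no timestamp", and a record is stale once the no-refresh plus refresh intervals have elapsed since its timestamp; the record names, intervals and clock values are constructed.

```python
from dataclasses import dataclass

@dataclass
class Record:
    name: str
    timestamp: int  # hours; 0 = no timestamp (static, or registered before aging was on)

def is_stale(rec, now, no_refresh, refresh):
    # Assumed rule: only stamped records age, and only after both intervals elapse.
    return rec.timestamp != 0 and now > rec.timestamp + no_refresh + refresh

def age_all_records(zone, now):
    # Model of AgeAllRecords: every record, static ones included, gets the current time.
    for rec in zone:
        rec.timestamp = now

def scavenge(zone, now, no_refresh, refresh):
    # Delete stale records in place and return the names that were removed.
    removed = [r.name for r in zone if is_stale(r, now, no_refresh, refresh)]
    zone[:] = [r for r in zone if r.name not in removed]
    return removed

def demo(protect_static):
    no_refresh = refresh = 7 * 24          # constructed: 7-day intervals, in hours
    now = 100_000                          # constructed "current hour"
    # Constructed zone: two dead clients and one manually created record.
    zone = [Record("oldpc1", 0), Record("oldpc2", 0), Record("mailgw", 0)]
    out = {"before_aging": scavenge(zone, now, no_refresh, refresh)}
    age_all_records(zone, now)
    out["right_after_aging"] = scavenge(zone, now, no_refresh, refresh)
    if protect_static:
        # Unchecking "Delete this record when it becomes stale" is modelled as timestamp 0.
        next(r for r in zone if r.name == "mailgw").timestamp = 0
    later = now + no_refresh + refresh + 1  # dead clients never refresh their stamps
    out["after_intervals"] = scavenge(zone, later, no_refresh, refresh)
    out["remaining"] = [r.name for r in zone]
    return out

if __name__ == "__main__":
    print(demo(protect_static=True))
    print(demo(protect_static=False))
```

In this model a scavenge run immediately after aging removes nothing, because the fresh stamps have not yet passed the two intervals.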


[ActiveDir] Global Catalog /DNS Question

2006-12-07 Thread Mike Hogenauer
Hi,

 

I have a mix of Windows and Linux users. Most of my Linux users use
Evolution as a mail client which needs to point to a GC for its
configuration. 

 

My question is does anyone know a way to basically round robin a
wildcard entry for those mail clients? So in case the DC/GC they're
pointing to crashes half my users won't have to re-point their clients.

 

Thanks in advance -

Mike