RE: [ActiveDir] Remote DC's on Virtual Server

2007-01-19 Thread Javier Jarava
Sorry to jump in ;) But after all, you could say that ESX is linux-based and
be right... And also it's true that they run on bare metal, because the
overhead is *quite* different than the one you get when you load up all of a
general-purpose OS (no matter if it's Windows or Linux, although IMO Windows
tends to place a bit more load on the computer just to be ready to serve).
So I believe that the comparison would be more appropriate if you pitch
VmWare Server and VS than ESX/VS (you know, it's the classic appliance vs
software service face-off).
 
I've done some light use of all of them ESX, VS, VmWare Server... and I'll
agree that VS is *much* simpler to set-up than the vmware offerings, but
also the possibilities are somewhat more limited... As for the real life
use, I don't have the needs/hardware to really take any of these products to
their limits... but I know of those who use them (in large datacenters for
real business critical apps) and, at least to my knowledge, what people are
deploying is ESX.
 
Just my 0,002 (and no, I don't own EMC nor MS stock, nor am I affiliated
with them in any way... though I believe VMWARE would be a great place to
work, and I am a longtime user of their products).
 
Let's see what VirtualServer 2007 brings to the table :)
 
Javier Jarava
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, January 19, 2007 2:14
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server


 one runs on bare metal and other runs under a host OS
 
Actually, that's a sleight of hand. ESX runs on a VMware-cooked Linux
Kernel. So, one can argue that, because it is bundled with its own OS, ESX
does not really run on bare metal in the way some people describe it.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: Noah Eiger
Sent: Thu 1/18/2007 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server



I realize this is now getting a bit OT, but...

 

Deji, I think the fruit distinction is based on the fact that one runs on
bare metal and other runs under a host OS. (Or at least that is how I have
always thought of them.) Beyond that, I agree there are simply feature
comparisons.

 

That said, (and with the caveat that I have not worked with ESX) I find the
MS product to be much simpler than VM Server (nee GSX). I started halfway
down the path of migrating my MS VMs to VM Server and found it overly
complex and the video emulation performance using the VM Ware client was so
bad as to be unacceptable. 

 

And as to the OP, I have DCs running on MS VS2k5 R2 and have not had any
problems. In the situation you describe, Justin, it seems like performance
and cost would be the deciding factor.

 

--- nme

 



From: Akomolafe, Deji [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 18, 2007 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

 

:)

 

Interesting points, again. Did I remember to say that I am biased? I think
so. I expect that I'm going to catch some flaks for what I'm about to write,
but .

 

These do not make VS and ESX apples and oranges. VMotion, Host clustering.
Different nomenclature, different capabilities, same purpose, Resource
allocation guarantee, CPU Resource allocation weight.

 

Superior Networking capabilities. Sure. Does VS have networking
capabilities? Of course. Does ESX integrate with AD as well as VS? Does it
run on Windows? Support software iSCSI? Live backup and Shadow Copy? (OK, if
you count VCB and its proxy).

 

Administration - show of hands, quick - ESX or VS, which is easier and less
complex to deploy and administer? Which has easier and faster client
deployment option?

 

I swear, I have NOT drunk any kool-aid, but I think people's perceptions of
the superiority of ESX over VS is largely driven by a combination of
historical trends, myths, marketing and the unavoidable Winblows Sux
mentality. Since we are on a Windows-centric list here, I do not mind
admitting that I do not subscribe to the notion that if it's not Windows, it
must be better than Windows. Mind you, Hunter, I am NOT implying that this
is where you are coming from, but the reason I asked you to enunciate the
reasoning behind your thinking was because I was hoping to hear something I
haven't heard before on this issue.

 

VS certainly wasn't as feature-rich as ESX a couple of revs back. The gap is

Re: [ActiveDir] Remote DC's on Virtual Server

2007-01-19 Thread Anders Blomgren

That's a common misconception which VMware unfortunately aren't very good at
dispelling.
The adapted redhat linux system you see when booting ESX is the Service
Console, merely the first virtual machine running. Being the service
console, it's got some hooks into the guts of the vmkernel but the vmkernel
isn't the linux kernel with some added modules. Even though he's never come
public with it, vmkernel is probably based from Dr Mendel Rosenblum's (one of
the founders) work at Stanford where he and some of his students developed
an OS, a machine simulator and a virtual machine monitor.

Even so, base your choice on the capabilities needed and cost. Both ESX and
VS are quite stable.
And as far as I know, the license considerations aren't limited to VS. It's
quite common for people to buy a DataCenter license per cpu for machines
running ESX.

Regards,
Anders

On 1/19/07, Akomolafe, Deji [EMAIL PROTECTED] wrote:


  one runs on bare metal and other runs under a host OS

Actually, that's a sleight of hand. ESX runs on a VMware-cooked Linux
Kernel. So, one can argue that, because it is bundled with its own OS, ESX
does not really run on bare metal in the way some people describe it.


Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
*-5.75, -3.23*
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

--
*From:* Noah Eiger
*Sent:* Thu 1/18/2007 4:53 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Remote DC's on Virtual Server



I realize this is now getting a bit OT, but…



Deji, I think the fruit distinction is based on the fact that one runs on
bare metal and other runs under a host OS. (Or at least that is how I have
always thought of them.) Beyond that, I agree there are simply feature
comparisons.



That said, (and with the caveat that I have not worked with ESX) I find
the MS product to be much simpler than VM Server (nee GSX). I started
halfway down the path of migrating my MS VMs to VM Server and found it
overly complex and the video emulation performance using the VM Ware client
was so bad as to be unacceptable.



And as to the OP, I have DCs running on MS VS2k5 R2 and have not had any
problems. In the situation you describe, Justin, it seems like performance
and cost would be the deciding factor.



--- nme


 --

*From:* Akomolafe, Deji [mailto:[EMAIL PROTECTED]
*Sent:* Thursday, January 18, 2007 3:44 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Remote DC's on Virtual Server



:)



Interesting points, again. Did I remember to say that I am biased? I think
so. I expect that I'm going to catch some flaks for what I'm about to write,
but .



These do not make VS and ESX apples and oranges. VMotion, Host
clustering. Different nomenclature, different capabilities, same purpose,
Resource allocation guarantee, CPU Resource allocation weight.



Superior Networking capabilities. Sure. Does VS have networking
capabilities? Of course. Does ESX integrate with AD as well as VS? Does it
run on Windows? Support software iSCSI? Live backup and Shadow Copy? (OK, if
you count VCB and its proxy).



Administration - show of hands, quick - ESX or VS, which is easier and
less complex to deploy and administer? Which has easier and faster client
deployment option?



I swear, I have NOT drunk any kool-aid, but I think people's perceptions
of the superiority of ESX over VS is largely driven by a combination of
historical trends, myths, marketing and the unavoidable Winblows Sux
mentality. Since we are on a Windows-centric list here, I do not mind
admitting that I do not subscribe to the notion that if it's not Windows, it
must be better than Windows. Mind you, Hunter, I am NOT implying that this
is where you are coming from, but the reason I asked you to enunciate the
reasoning behind your thinking was because I was hoping to hear something I
haven't heard before on this issue.



VS certainly wasn't as feature-rich as ESX a couple of revs back. The gap
is considerably narrowed with what's currently going into VS and what ESX
3.0.1 has today. Will VS catch and surpass ESX in a few months, no. Will
it ever catch up, maybe. But, today, if we factor in the cost overlay (in
licensing, hardware and administrative values), and discount our
preconceived (or received) notions of ESX superiority, and give VS (as of
SP1 Beta 2) a fair shake, one would be pleasantly surprised at how narrow
the gap really is.



To me, these 2 products are all bananas - one is a just banana and the
other is organic banana. They are certainly not more apple and orange
than your convertible and my jalopy are apple and orange. They are both
virtualization tools, and they each serve the same purpose. 

[ActiveDir] Unsubing

2007-01-19 Thread Oliver Marshall
Sorry to send this to the list, but I can't find the address to unsubscribe. Can
anyone help me out?

As much as I love you all, my recent affair with Apple OS X has left me
realising that our love is just a sham and that other delights await me.

Big up'.

Olly

www.g2support.com/backups


RE: [ActiveDir] Unsubing

2007-01-19 Thread Craig Cerino
You are with us now - - - - you may never leave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Friday, January 19, 2007 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unsubing

Sorry to send this to the list, but I cant find the address to
unsubscribe. Can anyone help me out?

 

As much as I love you all, my recent affair with Apple OS X has left me
realising that  our love is just a sham and that other delights await
me.

Big up'.

Olly

www.g2support.com/backups

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


Re: [ActiveDir] Unsubing

2007-01-19 Thread Bart Van den Wyngaert

You're not yet assimilated ??

On 1/19/07, Oliver Marshall [EMAIL PROTECTED] wrote:


Sorry to send this to the list, but I cant find the address to
unsubscribe. Can anyone help me out?



As much as I love you all, my recent affair with Apple OS X has left me
realising that  our love is just a sham and that other delights await me.

Big up'.

Olly

www.g2support.com/backups





[ActiveDir] OT: Apache LDAP authentication oddity

2007-01-19 Thread Thommes, Michael M.
We have an application that is using an Apache server to do LDAP
authentications against our active directory.  (Yeah, I know; if only I
were king!  LOL!)  The application developer tells me that if he tries
doing an auth against our root base (dc=yyy,dc=zzz), the auth fails.  If
he uses a search base of ou=xxx,dc=yyy,dc=zzz, the auth works.  The
user account that is being tested is some OU levels below this.  He is
coding a subtree scope and he is filtering on (objectclass=user and
objectcategory=person).

 

It's like Apache needs to start at an OU structure.  I couldn't find
much on Google about this other than someone else was having the same
issue last Fall and just gave up in frustration.   The Apache
documentation I could find seemed to indicate that a search of
dc=yyy,dc=zzz SHOULD work.

 

Any thoughts/pointers are appreciated!  Thanks!

 

Mike Thommes



[ActiveDir] [OT] Partitioning

2007-01-19 Thread Brian Cline
Hi folks, we've got a few partitions we need to enlarge on about 3 of
our servers - the space is there and available, but the partition just
needs to be expanded. Seeing as how PartitionMagic Pro has been
discontinued, can anyone recommend a good product for this?
 
Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax




RE: [ActiveDir] OT: Apache LDAP authentication oddity

2007-01-19 Thread Brian Desmond
So you're describing searching for something and talking about
authentication. Which is it?

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Friday, January 19, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Apache LDAP authentication oddity

 

We have an application that is using an Apache server to do LDAP
authentications against our active directory.  (Yeah, I know; if only I
were king!  LOL!)  The application developer tells me that if he tries
doing an auth against our root base (dc=yyy,dc=zzz), the auth fails.  If
he uses a search base of ou=xxx,dc=yyy,dc=zzz, the auth works.  The
user account that is being tested is some OU levels below this.  He is
coding a subtree scope and he is filtering on (objectclass=user and
objectcategory=person).

 

It's like Apache needs to start at an OU structure.  I couldn't find
much on Google about this other than someone else was having the same
issue last Fall and just gave up in frustration.   The Apache
documentation I could find seemed to indicate that a search of
dc=yyy,dc=zzz SHOULD work.

 

Any thoughts/pointers are appreciated!  Thanks!

 

Mike Thommes



RE: [ActiveDir] OT: Apache LDAP authentication oddity

2007-01-19 Thread Ziots, Edward
Also try this:
 
On a Windows 2003 box, use the dsquery command and issue the following (as
the same account you are using to do the authentication):
 
 
dsquery * CN=Users,DC=Your_Account_Domain,DC=Your_Parent_Domain,DC=COM
 
You should get a dump of the first 1000 users in the Users container. If
you get this, then you have done an authenticated LDAP query to AD and dumped
accounts. 
 
You can also use the same LDAP construct in the Custom Searches within
Windows 2003 ADUC to see if this will also give you the information you
are looking for. 
 
Also note that your developer might need to page his queries, because AD
is only going to return the first 1000; if you get an error 4, that is
indicative of a paging issue with the query. 
 
HTH,
Z

Edward E. Ziots 
Network Engineer 
Lifespan Organization 
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security + 
email:[EMAIL PROTECTED] 
cell:401-639-3505 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, January 19, 2007 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Apache LDAP authentication oddity



So you're describing searching for something and talking about
authentication. Which is it?

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Friday, January 19, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Apache LDAP authentication oddity

 

We have an application that is using an Apache server to do LDAP
authentications against our active directory.  (Yeah, I know; if only I
were king!  LOL!)  The application developer tells me that if he tries
doing an auth against our root base (dc=yyy,dc=zzz), the auth fails.  If
he uses a search base of ou=xxx,dc=yyy,dc=zzz, the auth works.  The
user account that is being tested is some OU levels below this.  He is
coding a subtree scope and he is filtering on (objectclass=user and
objectcategory=person).

 

It's like Apache needs to start at an OU structure.  I couldn't find
much on Google about this other than someone else was having the same
issue last Fall and just gave up in frustration.   The Apache
documentation I could find seemed to indicate that a search of
dc=yyy,dc=zzz SHOULD work.

 

Any thoughts/pointers are appreciated!  Thanks!

 

Mike Thommes
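
The 1000-entry limit and "error 4" from Edward Ziots's reply above, as an added example that is not part of the original thread: a constructed in-memory model of a server that truncates an unpaged subtree search with resultCode 4 (sizeLimitExceeded), and a client that pages through the same search with a cookie. `ModelDirectory`, the function names and the sample DNs are made up for illustration; nothing here contacts a real directory.

```python
# Added illustration: in-memory model only; it never contacts a real directory.
from dataclasses import dataclass

SUCCESS = 0
SIZE_LIMIT_EXCEEDED = 4      # the LDAP resultCode the reply calls "error 4"
MAX_PAGE_SIZE = 1000         # the "first 1000" ceiling described in the reply


@dataclass
class SearchResult:
    entries: list
    result_code: int
    cookie: bytes = b""      # non-empty cookie: the server has more pages


class ModelDirectory:
    """Hypothetical stand-in for the server side of a subtree search."""

    def __init__(self, dns):
        self._dns = list(dns)

    def _subtree(self, base):
        # Subtree scope: the base entry itself plus everything beneath it.
        base = base.lower()
        return [dn for dn in self._dns
                if dn.lower() == base or dn.lower().endswith("," + base)]

    def search(self, base, page_size=None, cookie=b""):
        matches = self._subtree(base)
        if page_size is None:
            # Unpaged request: truncate at the ceiling and flag it with code 4.
            if len(matches) > MAX_PAGE_SIZE:
                return SearchResult(matches[:MAX_PAGE_SIZE], SIZE_LIMIT_EXCEEDED)
            return SearchResult(matches, SUCCESS)
        # Paged request: the opaque cookie is modelled as a resume offset.
        size = min(page_size, MAX_PAGE_SIZE)
        start = int(cookie.decode() or "0")
        chunk = matches[start:start + size]
        end = start + len(chunk)
        next_cookie = str(end).encode() if end < len(matches) else b""
        return SearchResult(chunk, SUCCESS, next_cookie)


def search_unpaged(directory, base):
    """One request, no paging control: may come back truncated with code 4."""
    result = directory.search(base)
    return result.entries, result.result_code


def search_paged(directory, base, page_size=500):
    """Repeat the search, echoing the cookie, until the server returns none."""
    entries, cookie, round_trips = [], b"", 0
    while True:
        result = directory.search(base, page_size=page_size, cookie=cookie)
        round_trips += 1
        if result.result_code != SUCCESS:
            raise RuntimeError(f"search failed with resultCode {result.result_code}")
        entries.extend(result.entries)
        cookie = result.cookie
        if not cookie:
            return entries, round_trips


def build_sample_directory():
    """Constructed sample data using the placeholder DNs from the thread."""
    staff = [f"cn=user{i:04d},ou=staff,ou=xxx,dc=yyy,dc=zzz" for i in range(2500)]
    builtin = [f"cn=svc{i:03d},cn=Users,dc=yyy,dc=zzz" for i in range(300)]
    return ModelDirectory(staff + builtin)


if __name__ == "__main__":
    d = build_sample_directory()
    for base in ("dc=yyy,dc=zzz", "cn=Users,dc=yyy,dc=zzz"):
        got, code = search_unpaged(d, base)
        print(f"unpaged {base}: {len(got)} entries, resultCode {code}")
    got, trips = search_paged(d, "dc=yyy,dc=zzz")
    print(f"paged dc=yyy,dc=zzz: {len(got)} entries in {trips} round trips")
```
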



RE: [ActiveDir] Unsubing

2007-01-19 Thread Steve Egan (Temp)
No no no no no, Craig:

You can check out any time you want,
But you can *never* leave!

Steve Egan (temp)
Systems/Network Engineer

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, January 19, 2007 5:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unsubing

You are with us now - - - - you may never leave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Friday, January 19, 2007 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unsubing

Sorry to send this to the list, but I cant find the address to
unsubscribe. Can anyone help me out?

 

As much as I love you all, my recent affair with Apple OS X has left me
realising that  our love is just a sham and that other delights await
me.

Big up'.

Olly

www.g2support.com/backups



RE: [ActiveDir] OT: Apache LDAP authentication oddity

2007-01-19 Thread joe
Get a network trace of the LDAP calls and responses. Possibly it is an
apache issue, possibly the developer is a knucklehead. :)
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, January 19, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Apache LDAP authentication oddity



We have an application that is using an Apache server to do LDAP
authentications against our active directory.  (Yeah, I know; if only I were
king!  LOL!)  The application developer tells me that if he tries doing an
auth against our root base (dc=yyy,dc=zzz), the auth fails.  If he uses a
search base of ou=xxx,dc=yyy,dc=zzz, the auth works.  The user account
that is being tested is some OU levels below this.  He is coding a subtree
scope and he is filtering on (objectclass=user and objectcategory=person).

 

It's like Apache needs to start at an OU structure.  I couldn't find much on
Google about this other than someone else was having the same issue last
Fall and just gave up in frustration.   The Apache documentation I could
find seemed to indicate that a search of dc=yyy,dc=zzz SHOULD work.

 

Any thoughts/pointers are appreciated!  Thanks!

 

Mike Thommes



Re: [ActiveDir] [OT] Partitioning

2007-01-19 Thread Bart Van den Wyngaert

diskpart from MS ?

On 1/19/07, Brian Cline [EMAIL PROTECTED] wrote:


 Hi folks, we've got a few partitions we need to enlarge on about 3 of our
servers – the space is there and available, but the partition just needs
to be expanded. Seeing as how PartitionMagic Pro has been discontinued,
can anyone recommend a good product for this?



Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax




RE: [ActiveDir] Unsubing

2007-01-19 Thread joe
http://www.activedir.org/List.aspx
 
Careful... some affairs can get you jail time... An affair with a tiger or
leopard is likely one of them... Plus once you have gone that direction, you
may find your overall pool of possible dates shrinks dramatically,
especially if you admit where you have been. Certainly a majority of the
business world frowns on affairs with those creatures. 
 
lol.
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Friday, January 19, 2007 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: Unsubing



Sorry to send this to the list, but I cant find the address to unsubscribe.
Can anyone help me out?

 

As much as I love you all, my recent affair with Apple OS X has left me
realising that  our love is just a sham and that other delights await me.

Big up'.

Olly

www.g2support.com/backups


Re: [ActiveDir] [OT] Partitioning

2007-01-19 Thread AdamT

NTFSResize:

http://mlf.linux.rulez.org/mlf/ezaz/ntfsresize.html
or maybe
http://gparted.sourceforge.net/

As with anything that's going to mess with partition sectors, you'll
want to make a full backup first.

HTH,

Adam.

On 19/01/07, Brian Cline [EMAIL PROTECTED] wrote:



Hi folks, we've got a few partitions we need to enlarge on about 3 of our
servers – the space is there and available, but the partition just needs to
be expanded. Seeing as how PartitionMagic Pro has been discontinued, can
anyone recommend a good product for this?




--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


OT RE: [ActiveDir] Unsubing

2007-01-19 Thread Craig Cerino
Either way, Oliver is ours no matter how hard he fights :o)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan
(Temp)
Sent: Friday, January 19, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unsubing

No no no no no, Craig:

You can check out any time you want,
But you can *never* leave!

Steve Egan (temp)
Systems/Network Engineer

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, January 19, 2007 5:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unsubing

You are with us now - - - - you may never leave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Friday, January 19, 2007 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unsubing

Sorry to send this to the list, but I cant find the address to
unsubscribe. Can anyone help me out?

 

As much as I love you all, my recent affair with Apple OS X has left me
realising that  our love is just a sham and that other delights await
me.

Big up'.

Olly

www.g2support.com/backups



[ActiveDir] OT: HARDWARE question. FILE SERVER VS ATTACHED STORAGE SOLUTION

2007-01-19 Thread Ramon Linan
HI,

I have 2 questions.

We need more storage space but we don't know if we should go with an
attached storage solution (NAS, SAN, etc) or just get a big file
server, can anyone tell me benefit and disadvantage of each one, or
point me to URL with this info?

Also, my hardware knowledge is very obsolete, how can I get up to speed
in terms of hardware


Thanks all

Rezuma


RE: [ActiveDir] [OT] Partitioning

2007-01-19 Thread Ken Cornetet
If you are extending the last partition (and it is not the system or
boot drive) on the disk into free space, diskpart will do the trick.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 19, 2007 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] Partitioning



Hi folks, we've got a few partitions we need to enlarge on about 3 of
our servers - the space is there and available, but the partition just
needs to be expanded. Seeing as how PartitionMagic Pro has been
discontinued, can anyone recommend a good product for this?

 

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax



Re: [ActiveDir] Unable to logon after DCPromo - oddness

2007-01-19 Thread AdamT

On 18/01/07, Bahta, Nathaniel V CTR USAF NASIC/SCNA
[EMAIL PROTECTED] wrote:

You can run dcdiag on the enterprise which will gather data from every
server.  Try doing that and collecting data on the issue.  Also, do the
objects exist in Sites and Services for the server to replicate among
its peers?



Thanks to all for the many suggestions.  I hadn't realised that things
like dcdiag didn't need to be run on the affected DC.

Sadly, it's too late now, as the DC has gone to that big server-room
in the sky (or rather, Windows has been re-installed).

I checked the unattend file that was used to run dcpromo and found it
was being run by a VBS, with 'On Error Resume Next'.  Running the
dcpromo on other servers since then has worked fine, and now the
decision's been made to run dcpromo manually for this batch of 50
servers.

Oh well, it'll have to remain one of life's unsolved mysteries.

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


RE: [ActiveDir] OT: HARDWARE question. FILE SERVER VS ATTACHED STORAGE SOLUTION

2007-01-19 Thread Brian Desmond
Without knowing your requirements I can't tell you which of those is
something you want. They all have different applications...

I keep up to speed on hardware by specifying and installing it. I can
rattle off the right Compaq or Dell server model number given what
you're going to do with it. I'm pretty good with Cisco switches and
routers in that respect too. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Ramon Linan
 Sent: Friday, January 19, 2007 11:19 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: HARDWARE question. FILE SERVER VS ATTACHED
 STORAGE SOLUTION
 
 HI,
 
 I have 2 questions.
 
 We need more storage space but we don't know if we should go with an
 attached storage solution (NAS, SAN, etc) or just get a big file
 server, can anyone tell me benefit and disadvantage of each one, or
 point me to URL with this info?
 
 Also, my hardware knowledge is very obsolete, how can I get up to
speed
 in terms of hardware
 
 
 Thanks all
 
 Rezuma


RE: [ActiveDir] Remote DC's on Virtual Server

2007-01-19 Thread Noah Eiger
Ben, you are correct: I was using W2k3. I did the full acceleration thing.
Locally, the speed was ok after that. Over any sort of WAN or VPN
connection, it was still unusable. The only reason I found this notable was
because the MS VMRC performs really well in that scenario.

 

Thanks.

 

-- nme

 

P.S. Deji, thanks for the note about the base Linux OS on ESX.

  _  

From: WATSON, BEN [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 18, 2007 5:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

 

Noah,

 

I initially thought that as well in regards to the video emulation
performance.  Now correct me if I'm wrong, but I'll bet that you were using
virtualized Windows Server 2003 operating systems.  The default setting in
Windows Server 2003 is that your display hardware acceleration is turned
off.  If you set your hardware acceleration to full, then your video
emulation performance issues will go away.

 

Personally, I have used both Microsoft and VMWare products, and have found
the video performance to be pretty much the same.

 

~Ben

 

  _  

From: [EMAIL PROTECTED] on behalf of Noah Eiger
Sent: Thu 1/18/2007 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

I realize this is now getting a bit OT, but...

 

Deji, I think the fruit distinction is based on the fact that one runs on
bare metal and other runs under a host OS. (Or at least that is how I have
always thought of them.) Beyond that, I agree there are simply feature
comparisons.

 

That said, (and with the caveat that I have not worked with ESX) I find the
MS product to be much simpler than VM Server (nee GSX). I started halfway
down the path of migrating my MS VMs to VM Server and found it overly
complex and the video emulation performance using the VM Ware client was so
bad as to be unacceptable. 

 

And as to the OP, I have DCs running on MS VS2k5 R2 and have not had any
problems. In the situation you describe, Justin, it seems like performance
and cost would be the deciding factor.

 

--- nme

 

  _  

From: Akomolafe, Deji [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 18, 2007 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

 

:)

 

Interesting points, again. Did I remember to say that I am biased? I think
so. I expect that I'm going to catch some flaks for what I'm about to write,
but .

 

These do not make VS and ESX apples and oranges. VMotion, Host clustering.
Different nomenclature, different capabilities, same purpose, Resource
allocation guarantee, CPU Resource allocation weight.

 

Superior Networking capabilities. Sure. Does VS have networking
capabilities? Of course. Does ESX integrate with AD as well as VS? Does it
run on Windows? Support software iSCSI? Live backup and Shadow Copy? (OK, if
you count VCB and its proxy).

 

Administration - show of hands, quick - ESX or VS, which is easier and less
complex to deploy and administer? Which has easier and faster client
deployment option?

 

I swear, I have NOT drunk any kool-aid, but I think people's perceptions of
the superiority of ESX over VS is largely driven by a combination of
historical trends, myths, marketing and the unavoidable Winblows Sux
mentality. Since we are on a Windows-centric list here, I do not mind
admitting that I do not subscribe to the notion that if it's not Windows, it
must be better than Windows. Mind you, Hunter, I am NOT implying that this
is where you are coming from, but the reason I asked you to enunciate the
reasoning behind your thinking was because I was hoping to hear something I
haven't heard before on this issue.

 

VS certainly wasn't as feature-rich as ESX a couple of revs back. The gap is
considerably narrowed with what's currently going into VS and what ESX 3.0.1
has today. Will VS catch and surpass ESX in a few months, no. Will it ever
catch up, maybe. But, today, if we factor in the cost overlay (in licensing,
hardware and administrative values), and discount our preconceived (or
received) notions of ESX superiority, and give VS (as of SP1 Beta 2) a fair
shake, one would be pleasantly surprised at how narrow the gap really is.

 

To me, these 2 products are all bananas - one is just a banana and the
other is an organic banana. They are certainly not more apple and orange
than your convertible and my jalopy are apple and orange. They are both
virtualization tools, and they each serve the same purpose. One is cheap
(like, FREE cheap, while giving you liberal Windows licensing terms and
flexibility to boot), the other is not.

 

Now, I'm off to find my Teflon :)

 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services

Re: [ActiveDir] OT: Apache LDAP authentication oddity

2007-01-19 Thread Michael B Allen
On Fri, 19 Jan 2007 09:19:03 -0600
Thommes, Michael M. [EMAIL PROTECTED] wrote:

 We have an application that is using an Apache server to do LDAP
 authentications against our active directory.  (Yeah, I know; if only I
 were king!  LOL!)  The application developer tells me that if he tries
 doing an auth against our root base (dc=yyy,dc=zzz), the auth fails.  If
 he uses a search base of ou=xxx,dc=yyy,dc=zzz, the auth works.  The
 user account that is being tested is some OU levels below this.  He is
 coding a subtree scope and he is filtering on (objectclass=user and
 objectcategory=person).
 
  
 
 It's like Apache needs to start at an OU structure.  I couldn't find
 much on Google about this other than someone else was having the same
 issue last Fall and just gave up in frustration.   The Apache
 documentation I could find seemed to indicate that a search of
 dc=yyy,dc=zzz SHOULD work.

What Apache LDAP authentication are you using? Is it one of those
ldap_authz modules or a scripted ldap_bind hack?

A network capture would tell you definitively what authentication
mechanism is being used and at which end the problem resides. If you
have tcpdump on the web server this is simply:

  # tcpdump -s 0 -w mycapture.pcap 'port 389 or port 80'
  run the test
  ctrl-c to stop

Ldapsearch queries from the Apache machine might also help debug
the problem. For example, the following ldapsearch query gets the
CN=Users,DC=win,DC=net container (obviously you would need to adjust
things a little):

  $ ldapsearch -h 192.168.2.104 -p 389 -Y digest-md5 -U mthommes \
  -w thepass -b DC=foo,DC=net -s one -z 100 '(CN=User)'

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
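
Added example, not part of the original thread: one way to compare the two search bases with the ldapsearch approach suggested above is to summarise each run's entries, search references and result code. It assumes OpenLDAP's ldapsearch output layout and that the search references a domain-root subtree search returns on port 389 are worth checking (the thread does not establish that as the cause); the function names, the sample output and the referral hostnames are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). All function names are hypothetical.

# The filter the developer described, written in LDAP filter syntax.
FILTER='(&(objectClass=user)(objectCategory=person))'

# Summarise ldapsearch LDIF output read from stdin: number of entries,
# number of search references (referrals) and the final result code.
summarize_ldapsearch() {
    awk '
        /^dn:/      { entries++ }
        /^ref: /    { refs++; sub(/^ref: /, ""); reflist = reflist "\n  referral -> " $0 }
        /^result: / { code = $2 }
        END {
            printf "entries=%d references=%d result=%s", entries, refs, (code == "" ? "none" : code)
            printf "%s\n", reflist
        }'
}

# Live query, usage: search_base <dc-host> <bind-user> <base-dn>
# No -w here: the SASL bind prompts for the password, which keeps it out of
# the process list and shell history.
search_base() {
    ldapsearch -H "ldap://$1:389" -Y DIGEST-MD5 -U "$2" \
        -b "$3" -s sub "$FILTER" sAMAccountName | summarize_ldapsearch
}

# Compare two summaries (root base first, OU base second).
compare_bases() {
    root_refs=${1#*references=}; root_refs=${root_refs%% *}
    ou_refs=${2#*references=};   ou_refs=${ou_refs%% *}
    if [ "$root_refs" -gt 0 ] && [ "$ou_refs" -eq 0 ]; then
        echo "root base returns $root_refs search references, OU base returns none"
    else
        echo "no referral difference between the two bases"
    fi
}

# Constructed sample: subtree search from the domain root (dc=yyy,dc=zzz).
root_sample() {
    cat <<'EOF'
# Test User, Staff, xxx, yyy.zzz
dn: CN=Test User,OU=Staff,OU=xxx,DC=yyy,DC=zzz
sAMAccountName: tuser

# search reference
ref: ldap://ForestDnsZones.yyy.zzz/DC=ForestDnsZones,DC=yyy,DC=zzz

# search reference
ref: ldap://DomainDnsZones.yyy.zzz/DC=DomainDnsZones,DC=yyy,DC=zzz

# search reference
ref: ldap://yyy.zzz/CN=Configuration,DC=yyy,DC=zzz

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
EOF
}

# Constructed sample: the same search from ou=xxx,dc=yyy,dc=zzz.
ou_sample() {
    cat <<'EOF'
# Test User, Staff, xxx, yyy.zzz
dn: CN=Test User,OU=Staff,OU=xxx,DC=yyy,DC=zzz
sAMAccountName: tuser

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
EOF
}

# Offline demonstration on the constructed samples.
root_summary=$(root_sample | summarize_ldapsearch)
ou_summary=$(ou_sample | summarize_ldapsearch)
echo "root base: $root_summary"
echo "OU base:   $ou_summary"
compare_bases "$root_summary" "$ou_summary"
```

Against a real directory, run search_base once per base DN and compare the two summaries; a capture of port 389 will contain any simple-bind password in clear text, so handle the pcap file accordingly.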


[ActiveDir] Largest AD DIT

2007-01-19 Thread Isenhour, Joseph
Hey has anyone been keeping track of the largest AD database?  I seem to
remember a few years ago it was an online email company.  I'm curious if
that has changed.




RE: [ActiveDir] Largest AD DIT

2007-01-19 Thread Gil Kirkpatrick
Do you mean biggest production DIT? ~Eric made a 2^31-1 object DIT in
the test lab ... in fact he's going to talk about that at DEC.

-gil





RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

2007-01-19 Thread Donavon Yelton
Well, I did as you and others suggested, install an Intel NIC card in the
system.  I purchased an NC360T Intel chipset card.  So after a $300 NIC
card was installed in the system I boot it up, run gpupdate and bam, I
get a 1054 userenv error (same one I was getting with the Broadcom's).

Any further suggestions before I call Microsoft?

Donavon Yelton 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, January 15, 2007 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

And if you like I'll ping you up with Les, Nick and others who ..yes
...brand spanking new server... brand spanking new machines and they
would not/could not do what they were supposed to do.

Put in Intels and all was well.

If you'd like to get a similar dent in your head feel free.  All I can
say is, these days the minute we start having weird issues and there's a
Broadcom on the box, we're not wasting the time on them anymore.

Donavon Yelton wrote:
 I'm not about to give up on the Broadcom NICs as this is a brand new
 server that cost as much as a Honda Accord.  I'm not sure I can
 believe that HP would put a defective card in such a machine.  You'd
 think others would have the same issues in mass quantity if that were
 the case.  I'm also using Broadcoms in other HP servers here
 (including the two DCs) and they have not had any issues.  It is all
 too easy to chalk up a problem like this to network cards, but I don't
 think it explains why the GPO is applied successfully without issues
 within the first 15 minutes or so after a reboot.  There are no other
 problems cropping up from these Broadcoms either.

 Now for a question, how do I disable slow link detection for all
 terminal service users on this problem server since that seems to have
 fixed the issue?  I need to make the change in the registry on the
 problem server apparently as making the switch in the GPO itself seems
 to not have any effect.

 Donavon

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Monday, January 15, 2007 3:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
 Policy)

 Dump the broadcoms and get Intel.
 http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-network-cards-are-evil.aspx

 We've had no end of weirdness with those suckers.
 Even the latest drivers don't work.
 Donavon Yelton wrote:
   
 Yes, these are Broadcom NICs.  I want to go back to the last question
 that was asked (if my network card drivers were up to date) and change
 my answer.  I had run the HP update package for the NC series cards in
 the server and it showed as updated (even if I run it at the moment it
 tells me that the drivers are up to date) with version 2.8.22.0.  The
 problem is that when I look at the actual driver version by going to
 the device manager and viewing properties it shows a version of
 2.8.13.0.

 On that note, in looking back at HP's revision history for their
 driver for this card it has no mention of version 2.8.13.0 so is it
 possible that this is the driver that came with Windows?  If so, how
 can I go about getting rid of that driver and installing this new
 driver from HP.

 Updating the driver and choosing the new driver explicitly doesn't
 work and running HP's update package for the driver obviously fails to
 really update the driver.

 I can't say that this driver version is the root cause of the issue 
 but I do need the drivers updated to have a place to start from.

 Susan, is there a known issue with Broadcom's that could possibly 
 affect the problem I'm having?  Thanks for the assistance!

 Donavon

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Monday, January 15, 2007 1:39 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
 Policy)

 These aren't broadcom nics are they?

 (Broadcoms are evil)

 Darren Mar-Elia wrote:
   
 
 Does this server have the same NIC driver as other servers? Or, have
 you tried updating this server's NIC driver?

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
 Sent: Monday, January 15, 2007 10:11 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
 Policy)

 This appears to be the only system on the network having this issue.
 I connected to another Windows 2003 Standard member server and did a
 gpupdate and then looked at the event log and it appears clean after
 the gpupdate command was 

RE: [ActiveDir] Largest AD DIT

2007-01-19 Thread Isenhour, Joseph
I'm curious about a production DIT.  A DIT that some poor soul is losing
sleep over at night ;)



Re: OT RE: [ActiveDir] Unsubing

2007-01-19 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Funny... because one of our SBS MVPs is our Mac expert and we are 
relying on him more and more as Mac are in our SBS networks.


I think it's somewhat religious thinking to think that just because 
you are running a Mac you suddenly don't need to be AD aware.


We certainly do in our Running Kitchen sinks and Macintosh's in our 
network, networks.


Try parallels virtualization on those suckers for some really fun stuff.

Our Mac guru also states that while there are times that he recommends 
the Mac server, there are more often times that it's a Windows server 
that's the best.  Entourage works great on the Exchange back end.


I think it's a bit myopic to be un-subing when you could parlay that Mac 
knowledge of AD goodness into something bigger and more job venues as we 
go more and more interop in business.  (We may not be running Vista for 
a while...but we're not ripping out these XP's for a while


But that's just my SBS view... so what do I know.  :-)

Craig Cerino wrote:

Either way, Oliveer is ours no matter how hard he fights :o)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan
(Temp)
Sent: Friday, January 19, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unsubing

No no no no no, Craig:

You can check out any time you want,
But you can *never* leave!

Steve Egan (temp)
Systems/Network Engineer

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, January 19, 2007 5:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unsubing

You are with us now - - - - you may never leave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Friday, January 19, 2007 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unsubing

Sorry to send this to the list, but I can't find the address to
unsubscribe. Can anyone help me out?

 


As much as I love you all, my recent affair with Apple OS X has left me
realising that  our love is just a sham and that other delights await
me.

Big up'.

Olly

www.g2support.com/backups


  


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

2007-01-19 Thread Darren Mar-Elia
Did you try disabling media sense that someone suggested, in this article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;239924?

Also, try the reg hack described in this article, just for giggles:
http://support.microsoft.com/default.aspx?scid=kb;en-us;840669

I don't recall seeing it, but did you try a different switch port? 




RE: OT RE: [ActiveDir] Unsubing

2007-01-19 Thread Ziots, Edward
It's always a nice feeling being a part of the collective Borg, known
as this list and the Patch management list. 

EZ 


Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:[EMAIL PROTECTED]
cell:401-639-3505



Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

2007-01-19 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

http://support.microsoft.com/kb/221833/en-us
Up the debugging. Set to 0x00030002. What's the log say?


Re: [ActiveDir] Largest AD DIT

2007-01-19 Thread Al Mulnick

Size on disk or number of objects?




RE: [ActiveDir] Unsubing

2007-01-19 Thread Kevin Brunson
OS X?  You've been cheating on us with that %#(! ?

I don't know what's so special about her  I mean, after all the
plastic surgery she's nothing but UNIX.

 






RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

2007-01-19 Thread Donavon Yelton
Well, I disabled media sensing again (first time for this Intel card
though, disabling didn't work with the Broadcoms) and it actually may
have worked this time around.  I'll watch it and do some testing but for
now consider it fixed pending. 8-)

Donavon Yelton 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, January 19, 2007 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

Did you try disabling media sense that someone suggested, in this
article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;239924?

Also, try the reg hack described in this article, just for giggles:
http://support.microsoft.com/default.aspx?scid=kb;en-us;840669

I don't recall seeing it, but did you try a different switch port? 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Friday, January 19, 2007 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

Well, I did as you and other suggested, install an Intel NIC card in the
system.  I purchased an NC360T Intel chipset card.  So after a $300 NIC
card was installed in the system I boot it up, run gpupdate and bam, I
get a 1054 userenv error (same one I was getting with the Broadcom's).

Any further suggestions before I call Microsoft?

Donavon Yelton 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, January 15, 2007 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

And if you like I'll ping you up with Les, Nick and others who ..yes
...brand spanking new server... brand spanking new machines and they
would not/could not do what they were supposed to do.

Put in Intels and all was well.

If you'd like to get a similar dent in your head feel free.  All I can
say is, these days the minute we start having weird issues and there's a
Broadcom on the box, we're not wasting the time on them anymore.

Donavon Yelton wrote:
 I'm not about to give up on the Broadcom NICs as this is a brand new
 server that cost as much as a Honda Accord.  I'm not sure I can
 believe that HP would put a defective card in such a machine.  You'd
 think others would have the same issues in mass quantity if that were
 the case.  I'm also using Broadcoms in other HP servers here
 (including the two DCs) and they have not had any issues.  It is all
 too easy to chalk up a problem like this to network cards, but I don't
 think it explains why the GPO is applied successfully without issues
 within the first 15 minutes or so after a reboot.  There are no other
 problems cropping up from these Broadcoms either.

 Now for a question, how do I disable slow link detection for all
 terminal service users on this problem server since that seems to have
 fixed the issue?  I need to make the change in the registry on the
 problem server apparently as making the switch in the GPO itself seems
 to not have any effect.

 Donavon

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Monday, January 15, 2007 3:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
 Policy)

 Dump the broadcoms and get Intel.
 http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-network-cards-are-evil.aspx

 We've had no end of weirdness with those suckers.
 Even the latest drivers don't work.
 Donavon Yelton wrote:
   
 Yes, these are Broadcom NICs.  I want to go back to the last question
 that was asked (if my network card drivers were up to date) and change
 my answer.  I had run the HP update package for the NC series cards in
 the server and it showed as updated (even if I run it at the moment it
 tells me that the drivers are up to date) with version 2.8.22.0.  The
 problem is that when I look at the actual driver version by going to
 the device manager and viewing properties it shows a version of
 2.8.13.0.

 On that note, in looking back at HP's revision history for their
 driver for this card it has no mention of version 2.8.13.0 so is it
 possible that this is the driver that came with Windows?  If so, how
 can I go about getting rid of that driver and installing this new
 driver from HP.

 Updating the driver and choosing the new driver explicitly doesn't
 work and running HP's update package for the driver obviously fails to
 really update the driver.

 I can't say that this driver version is the root cause of the issue 
 but I do need the drivers updated to have a place to start from.

 Susan, is there a known issue with Broadcom's 

RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

2007-01-19 Thread Donavon Yelton
I spoke too soon in regards to it being fixed.  Apparently it is now
intermittent and I can't make the 1054 error come up consistently.  The
logging has been set to 0x00030002 for some time but I haven't been able
to catch anything beyond the 59 error.  I did a gpupdate about 5 minutes
ago and it showed the 1054 error but then when I waited a couple of
minutes (not changing anything at all) it did not show up after doing a
gpupdate and the userenv log showed nothing out of whack (no 59 errors).

Any ideas to what could be the cause of intermittent issues?  After over
a week with this issue I'm losing my hair, and I don't have much more to
lose. 8-(

Donavon Yelton 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, January 19, 2007 1:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

http://support.microsoft.com/kb/221833/en-us
Up the debugging: set to 0x00030002. What's the log say?

Donavon Yelton wrote:
 Well, I did as you and others suggested, install an Intel NIC card in
 the system.  I purchased an NC360T Intel chipset card.  So after a
 $300 NIC card was installed in the system I boot it up, run gpupdate
 and bam, I get a 1054 userenv error (same one I was getting with the
 Broadcom's).

 Any further suggestions before I call Microsoft?

 Donavon Yelton

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Monday, January 15, 2007 4:07 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
 Policy)

 And if you like I'll ping you up with Les, Nick and others who ..yes 
 ...brand spanking new server... brand spanking new machines and they 
 would not/could not do what they were supposed to do.

 Put in Intels and all was well.

 If you'd like to get a similar dent in your head feel free.  All I can
 say is, these days the minute we start having weird issues and there's
 a Broadcom on the box, we're not wasting the time on them anymore.

 Donavon Yelton wrote:
   
 I'm not about to give up on the Broadcom NICs as this is a brand new
 server that cost as much as a Honda Accord.  I'm not sure I can
 believe that HP would put a defective card in such a machine.  You'd
 think others would have the same issues in mass quantity if that were
 the case.  I'm also using Broadcoms in other HP servers here
 (including the two DCs) and they have not had any issues.  It is all
 too easy to chalk up a problem like this to network cards, but I don't
 think it explains why the GPO is applied successfully without issues
 within the first 15 minutes or so after a reboot.  There are no other
 problems cropping up from these Broadcoms either.

 Now for a question, how do I disable slow link detection for all
 terminal service users on this problem server since that seems to have
 fixed the issue?  I need to make the change in the registry on the
 problem server apparently as making the switch in the GPO itself seems
 to not have any effect.

 Donavon

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Monday, January 15, 2007 3:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
 Policy)

 Dump the broadcoms and get Intel.
 http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-network-cards-are-evil.aspx

 We've had no end of weirdness with those suckers.
 Even the latest drivers don't work.
 Donavon Yelton wrote:
   
 
 Yes, these are Broadcom NICs.  I want to go back to the last question
 that was asked (if my network card drivers were up to date) and change
 my answer.  I had run the HP update package for the NC series cards in
 the server and it showed as updated (even if I run it at the moment it
 tells me that the drivers are up to date) with version 2.8.22.0.  The
 problem is that when I look at the actual driver version by going to
 the device manager and viewing properties it shows a version of
 2.8.13.0.

 On that note, in looking back at HP's revision history for their
 driver for this card it has no mention of version 2.8.13.0 so is it
 possible that this is the driver that came with Windows?  If so, how
 can I go about getting rid of that driver and installing this new
 driver from HP.

 Updating the driver and choosing the new driver explicitly doesn't
 work and running HP's update package for the driver obviously fails to
 really update the driver.

 I can't say that this driver 

RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

2007-01-19 Thread Darren Mar-Elia
Given the fact that it's intermittent, that it's just this one server, that
you've already replaced the NIC and that the error is an unexpected network
error occurred, there's not much else to do I think, other than get MS
involved. Either it's something in the OS or the network switch you're using
is flaky.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Friday, January 19, 2007 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

I spoke too soon in regards to it being fixed.  Apparently it is now
intermittent and I can't make the 1054 error come up consistently.  The
logging has been set to 0x00030002 for some time but I haven't been able
to catch anything beyond the 59 error.  I did a gpupdate about 5 minutes
ago and it showed the 1054 error but then when I waited a couple of
minutes (not changing anything at all) it did not show up after doing a
gpupdate and the userenv log showed nothing out of whack (no 59 errors).

Any ideas to what could be the cause of intermittent issues?  After over
a week with this issue I'm losing my hair, and I don't have much more to
lose. 8-(

Donavon Yelton 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, January 19, 2007 1:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

http://support.microsoft.com/kb/221833/en-us
Up the debugging: set to 0x00030002. What's the log say?

Donavon Yelton wrote:
 Well, I did as you and others suggested, install an Intel NIC card in
 the system.  I purchased an NC360T Intel chipset card.  So after a
 $300 NIC card was installed in the system I boot it up, run gpupdate
 and bam, I get a 1054 userenv error (same one I was getting with the
 Broadcom's).

 Any further suggestions before I call Microsoft?

 Donavon Yelton

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Monday, January 15, 2007 4:07 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
 Policy)

 And if you like I'll ping you up with Les, Nick and others who ..yes 
 ...brand spanking new server... brand spanking new machines and they 
 would not/could not do what they were supposed to do.

 Put in Intels and all was well.

 If you'd like to get a similar dent in your head feel free.  All I can
 say is, these days the minute we start having weird issues and there's
 a Broadcom on the box, we're not wasting the time on them anymore.

 Donavon Yelton wrote:
   
 I'm not about to give up on the Broadcom NICs as this is a brand new
 server that cost as much as a Honda Accord.  I'm not sure I can
 believe that HP would put a defective card in such a machine.  You'd
 think others would have the same issues in mass quantity if that were
 the case.  I'm also using Broadcoms in other HP servers here
 (including the two DCs) and they have not had any issues.  It is all
 too easy to chalk up a problem like this to network cards, but I don't
 think it explains why the GPO is applied successfully without issues
 within the first 15 minutes or so after a reboot.  There are no other
 problems cropping up from these Broadcoms either.

 Now for a question, how do I disable slow link detection for all
 terminal service users on this problem server since that seems to have
 fixed the issue?  I need to make the change in the registry on the
 problem server apparently as making the switch in the GPO itself seems
 to not have any effect.

 Donavon

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Monday, January 15, 2007 3:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
 Policy)

 Dump the broadcoms and get Intel.
 http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-network-cards-are-evil.aspx

 We've had no end of weirdness with those suckers.
 Even the latest drivers don't work.
 Donavon Yelton wrote:
   
 
 Yes, these are Broadcom NICs.  I want to go back to the last question
 that was asked (if my network card drivers were up to date) and change
 my answer.  I had run the HP update package for the NC series cards in
 the server and it showed as updated (even if I run it at the moment it
 tells me that the drivers are up to date) with version 2.8.22.0.  The
 problem is that when I look at the actual driver version by going to
 the device manager and viewing properties it shows a version of
 
   

RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

2007-01-19 Thread Thommes, Michael M.
You might want to test the network connection.  We have a public tester
at http://miranda.ctd.anl.gov:7123/ that might detect duplex mismatches
or faulty cables.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, January 19, 2007 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

Given the fact that it's intermittent, that it's just this one server,
that you've already replaced the NIC and that the error is an
unexpected network error occurred, there's not much else to do I think,
other than get MS involved. Either it's something in the OS or the
network switch you're using is flaky.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Friday, January 19, 2007 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

I spoke too soon in regards to it being fixed.  Apparently it is now
intermittent and I can't make the 1054 error come up consistently.  The
logging has been set to 0x00030002 for some time but I haven't been able
to catch anything beyond the 59 error.  I did a gpupdate about 5 minutes
ago and it showed the 1054 error but then when I waited a couple of
minutes (not changing anything at all) it did not show up after doing a
gpupdate and the userenv log showed nothing out of whack (no 59 errors).

Any ideas to what could be the cause of intermittent issues?  After over
a week with this issue I'm losing my hair, and I don't have much more to
lose. 8-(

Donavon Yelton 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, January 19, 2007 1:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

http://support.microsoft.com/kb/221833/en-us
Up the debugging: set to 0x00030002. What's the log say?

Donavon Yelton wrote:
 Well, I did as you and others suggested, install an Intel NIC card in
 the system.  I purchased an NC360T Intel chipset card.  So after a
 $300 NIC card was installed in the system I boot it up, run gpupdate
 and bam, I get a 1054 userenv error (same one I was getting with the
 Broadcom's).

 Any further suggestions before I call Microsoft?

 Donavon Yelton

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Monday, January 15, 2007 4:07 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
 Policy)

 And if you like I'll ping you up with Les, Nick and others who ..yes 
 ...brand spanking new server... brand spanking new machines and they 
 would not/could not do what they were supposed to do.

 Put in Intels and all was well.

 If you'd like to get a similar dent in your head feel free.  All I can
 say is, these days the minute we start having weird issues and there's
 a Broadcom on the box, we're not wasting the time on them anymore.

 Donavon Yelton wrote:
   
 I'm not about to give up on the Broadcom NICs as this is a brand new
 server that cost as much as a Honda Accord.  I'm not sure I can
 believe that HP would put a defective card in such a machine.  You'd
 think others would have the same issues in mass quantity if that were
 the case.  I'm also using Broadcoms in other HP servers here
 (including the two DCs) and they have not had any issues.  It is all
 too easy to chalk up a problem like this to network cards, but I don't
 think it explains why the GPO is applied successfully without issues
 within the first 15 minutes or so after a reboot.  There are no other
 problems cropping up from these Broadcoms either.

 Now for a question, how do I disable slow link detection for all
 terminal service users on this problem server since that seems to have
 fixed the issue?  I need to make the change in the registry on the
 problem server apparently as making the switch in the GPO itself seems
 to not have any effect.

 Donavon

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Monday, January 15, 2007 3:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
 Policy)

 Dump the broadcoms and get Intel.
 http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-network-cards-are-evil.aspx

 We've had no end of weirdness with those suckers.
 Even the latest drivers don't work.
 Donavon Yelton wrote:
   
 
 Yes, these are Broadcom NICs.  I want to go back to the last question
 that was asked (if my network card drivers were up to date) and change
 
   
  

[ActiveDir] release date for W2K3/SP2?

2007-01-19 Thread Thommes, Michael M.
Has anyone heard of a release date for Windows Server 2003/SP2?  Thanks.

 

Mike Thommes



RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

2007-01-19 Thread Donavon Yelton
Test came up clean.  Thanks for the link as that may come in handy in
the future!  I've been doing random gpupdate commands since the last
userenv error at 2:51PM EST and I haven't gotten a single 1054 error
since so I'm crossing my fingers that the DisableDHCPMediaSense works
with this new Intel card.

Donavon Yelton 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Friday, January 19, 2007 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

You might want to test the network connection.  We have a public tester
at http://miranda.ctd.anl.gov:7123/ that might detect duplex mismatches
or faulty cables.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, January 19, 2007 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

Given the fact that it's intermittent, that it's just this one server,
that you've already replaced the NIC and that the error is an
unexpected network error occurred, there's not much else to do I think,
other than get MS involved. Either it's something in the OS or the
network switch you're using is flaky.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Friday, January 19, 2007 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

I spoke too soon in regards to it being fixed.  Apparently it is now
intermittent and I can't make the 1054 error come up consistently.  The
logging has been set to 0x00030002 for some time but I haven't been able
to catch anything beyond the 59 error.  I did a gpupdate about 5 minutes
ago and it showed the 1054 error but then when I waited a couple of
minutes (not changing anything at all) it did not show up after doing a
gpupdate and the userenv log showed nothing out of whack (no 59 errors).

Any ideas to what could be the cause of intermittent issues?  After over
a week with this issue I'm losing my hair, and I don't have much more to
lose. 8-(

Donavon Yelton 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, January 19, 2007 1:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

http://support.microsoft.com/kb/221833/en-us
Up the debugging: set to 0x00030002. What's the log say?

Donavon Yelton wrote:
 Well, I did as you and others suggested, install an Intel NIC card in
 the system.  I purchased an NC360T Intel chipset card.  So after a
 $300 NIC card was installed in the system I boot it up, run gpupdate
 and bam, I get a 1054 userenv error (same one I was getting with the
 Broadcom's).

 Any further suggestions before I call Microsoft?

 Donavon Yelton

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Monday, January 15, 2007 4:07 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
 Policy)

 And if you like I'll ping you up with Les, Nick and others who ..yes 
 ...brand spanking new server... brand spanking new machines and they 
 would not/could not do what they were supposed to do.

 Put in Intels and all was well.

 If you'd like to get a similar dent in your head feel free.  All I can
 say is, these days the minute we start having weird issues and there's
 a Broadcom on the box, we're not wasting the time on them anymore.

 Donavon Yelton wrote:
   
 I'm not about to give up on the Broadcom NICs as this is a brand new
 server that cost as much as a Honda Accord.  I'm not sure I can
 believe that HP would put a defective card in such a machine.  You'd
 think others would have the same issues in mass quantity if that were
 the case.  I'm also using Broadcoms in other HP servers here
 (including the two DCs) and they have not had any issues.  It is all
 too easy to chalk up a problem like this to network cards, but I don't
 think it explains why the GPO is applied successfully without issues
 within the first 15 minutes or so after a reboot.  There are no other
 problems cropping up from these Broadcoms either.

 Now for a question, how do I disable slow link detection for all
 terminal service users on this problem server since that seems to have
 fixed the issue?  I need to make the change in the registry on the
 problem server apparently as making the switch in the GPO itself seems
 to not have any effect.

 Donavon

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: 

RE: [ActiveDir] Largest AD DIT

2007-01-19 Thread joe
I am aware of a 20GB DIT or two. 

Generally most of the DITs seem to be 10GB or smaller for many/most
companies even with hundreds of thousands of users.  


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, January 19, 2007 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Largest AD DIT

I'm curious about a production DIT.  A DIT that some poor soul is losing
sleep over at night ;)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, January 19, 2007 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Largest AD DIT

Do you mean biggest production DIT? ~Eric made a 2^31-1 object DIT in
the test lab ... in fact he's going to talk about that at DEC.

-gil



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Friday, January 19, 2007 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Largest AD DIT

Hey has anyone been keeping track of the largest AD database?  I seem to
remember a few years ago it was an online email company.  I'm curious if
that has changed.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


[ActiveDir] Cisco VPN user authentication problem

2007-01-19 Thread Steve Egan (Temp)
Greetings, Brain Trust:

 

I've been troubleshooting a VPN access problem for about two days now
and have almost scratched a groove in my head - this one's a puzzler.

 

My boss has an IBM Lenovo T60 laptop that has the Cisco VPN client
software loaded into it.  It was working just fine up until the third
week of December, allowing her to use Dialup to get into our HQ domain
from her house.  When the logins failed, I thought it was due to crappy
dialup connection, since noise in the link will cause the VPN tunnel to
go down.

 

However, I just got her link at her house to go on wireless, and it
works just spiffy (11M up/down), and she still can't log on to the
domain with the VPN software.  The connection works just fine, she can
browse with no problem.  OWA works just fine.

 

Here's some of the troubleshooting I've done:

 

1)   reloaded the VPN software.

2)   Tried to have her log on from another machine.

3)   Changed the Group authentication (made a new one) just for her.

 

Nothing seems to work.  She logs in to the domain normally from her desk
at work using either the wireless in the laptop, or via the Ethernet
connection.  Anybody else can use her laptop to get in via the VPN, so
it's not the drivers or hardware.  Her problem is replicated from
ANYBODY's laptop utilizing the VPN software.  It's got to be her
account, which is why I think it's something screwed up in AD.

 

When I monitor her attempts to log into the VPN concentrator (a Cisco
3000), sometimes it says the IKE isn't working, sometimes it says
there's no domain (domain = {not specified}), sometimes it never talks
to the 3000 at all (according to the log and the way it comes right back
with the username/password request).

 

Want to get even more confused?  This problem started when she attempted
to change her password back to what it was - she went through the AD
administration on the primary AD box and got some kind of error.  Ever
since then, things just ain't the same.  I think something got scrambled
in her account.  We tried disabling her account for 5 minutes and then
re-enabling, but nothing's worked.

 

Where should I look to see if something's amiss?  I'm kinda stumped.

 

Steve Egan 

Systems/Network Engineer

 



Re: [ActiveDir] Cisco VPN user authentication problem

2007-01-19 Thread beads
Steve;

Just for kicks. Could you create a local account for testing? This would 
bypass any RADIUS/TAC+ problems and confirm the VPN client isn't at fault. 
Also, Cisco released a new client about a week ago. Don't ask, my laptop 
is stored for the weekend. Something like 4.881720344-1 or some 
such. 

Anyhow, it sounds like a RADIUS problem within the server but check with a 
local account on the 3000 just to eliminate what should be obvious.



Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax: (312) 762-9275


The contents contain privileged and/or confidential information intended 
for the named recipient of this email. ETSI (Employee Technology 
Solutions, Inc.) does not warrant that the contents of any electronically 
transmitted information will remain confidential. If the reader of this 
email is not the intended recipient you are hereby notified that any use, 
reproduction, disclosure or distribution of the information contained in 
the email in error, please reply to us immediately and delete the 
document. 

Viruses, Malware, Phishing and other known and unknown electronic threats: 
It is the recipient/client's duties to perform virus scans and otherwise 
test the information provided before loading onto any computer system. No 
warranty is made that this material is free from computer virus or any 
other defect.

Any loss/damage incurred by using this material is not the sender's 
responsibility. Liability will be limited to resupplying the material.




Steve Egan (Temp) [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/19/2007 04:39 PM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Cisco VPN user authentication problem






Greetings, Brain Trust:
 
I’ve been troubleshooting a VPN access problem for about two days now and 
have almost scratched a groove in my head – this one’s a puzzler.
 
My boss has an IBM Lenovo T60 laptop that has the Cisco VPN client 
software loaded into it.  It was working just fine up until the third week 
of December, allowing her to use Dialup to get into our HQ domain from her 
house.  When the logins failed, I thought it was due to crappy dialup 
connection, since noise in the link will cause the VPN tunnel to go down.
 
However, I just got her link at her house to go on wireless, and it works 
just spiffy (11M up/down), and she still can’t log on to the domain with 
the VPN software.  The connection works just fine, she can browse with no 
problem.  OWA works just fine.
 
Here’s some of the troubleshooting I’ve done:
 
1)   reloaded the VPN software.
2)   Tried to have her log on from another machine.
3)   Changed the Group authentication (made a new one) just for her.
 
Nothing seems to work.  She logs in to the domain normally from her desk 
at work using either the wireless in the laptop, or via the Ethernet 
connection.  Anybody else can use her laptop to get in via the VPN, so 
it’s not the drivers or hardware.  Her problem is replicated from 
ANYBODY’s laptop utilizing the VPN software.  It’s got to be her account, 
which is why I think it’s something screwed up in AD.
 
When I monitor her attempts to log into the VPN concentrator (a Cisco 
3000), sometimes it says the IKE isn’t working, sometimes it says there’s 
no domain (“domain = {not specified}”), sometimes it never talks to the 
3000 at all (according to the log and the way it comes right back with the 
username/password request).
 
Want to get even more confused?  This problem started when she attempted 
to change her password back to what it was – she went through the AD 
administration on the primary AD box and got some kind of error.  Ever 
since then, things just ain’t the same.  I think something got scrambled 
in her account.  We tried disabling her account for 5 minutes and then 
re-enabling, but nothing’s worked.
 
Where should I look to see if something’s amiss?  I’m kinda stumped.
 
Steve Egan 
Systems/Network Engineer
 

Message scanned by TrendMicro






RE: [ActiveDir] Cisco VPN user authentication problem

2007-01-19 Thread Steve Egan (Temp)
Did that.  It was the first thing I looked at, having had experience
with RADIUS before.  I created a user on the 3000, and it worked fine.

 

BTW, we use the Kerberos/Active Directory authentication.  But you knew
that...

 

Steve Egan (temp)

Systems/Network Engineer



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, January 19, 2007 3:00 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Cisco VPN user authentication problem

 


Steve; 

Just for kicks. Could you create a local account for testing? This would
bypass any RADIUS/TAC+ problems and confirm the VPN client isn't at
fault. Also, Cisco released a new client about a week ago. Don't ask, my
laptop is stored for the weekend. Something like 4.881720344-1
or some such. 

Anyhow, it sounds like a RADIUS problem within the server but check with
a local account on the 3000 just to eliminate what should be obvious. 



Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax: (312) 762-9275






Steve Egan (Temp) [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/19/2007 04:39 PM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Cisco VPN user authentication problem


Greetings, Brain Trust: 
  
I've been troubleshooting a VPN access problem for about two days now
and have almost scratched a groove in my head - this one's a puzzler. 
  
My boss has an IBM Lenovo T60 laptop that has the Cisco VPN client
software loaded into it.  It was working just fine up until the third
week of December, allowing her to use Dialup to get into our HQ domain
from her house.  When the logins failed, I thought it was due to crappy
dialup connection, since noise in the link will cause the VPN tunnel to
go down. 
  
However, I just got her link at her house to go on wireless, and it
works just spiffy (11M up/down), and she still can't log on to the
domain with the VPN software.  The connection works just fine, she can
browse with no problem.  OWA works just fine. 
  
Here's some of the troubleshooting I've done: 
  
1)   reloaded the VPN software. 
2)   Tried to have her log on from another machine. 
3)   Changed the Group authentication (made a new one) just for her.

  
Nothing seems to work.  She logs in to the domain normally from her desk
at work using either the wireless in the laptop, or via the Ethernet
connection.  Anybody else can use her laptop to get in via the VPN, so
it's not the drivers or hardware.  Her problem is replicated from
ANYBODY's laptop utilizing the VPN software.  It's got to be her
account, which is why I think it's something screwed up in AD. 
  
When I monitor her attempts to log into the VPN concentrator (a Cisco
3000), sometimes it says the IKE isn't working, sometimes it says
there's no domain (domain = {not specified}), sometimes it never talks
to the 3000 at all (according to the log and the way it comes right back
with the username/password request). 
  
Want to get even more confused?  This problem started when she attempted
to change her password back to what it was - she went through the AD
administration on the primary AD box and got some kind of error.  Ever
since then, things just ain't the same.  I think something got scrambled
in her account.  We tried disabling her account for 5 minutes and then
re-enabling, but nothing's worked. 
  
Where should I look to see if something's amiss?  I'm kinda stumped. 
  
Steve Egan 
Systems/Network Engineer 
  


 



RE: [ActiveDir] Cisco VPN user authentication problem

2007-01-19 Thread Al Garrett
I had similar issues and solved them by recreating the Profile on the
laptop.

Same settings, just created an identical Profile. Almost like the
corruption was in the profile itself.

 

Al

 


RE: [ActiveDir] Cisco VPN user authentication problem

2007-01-19 Thread Michael B. Smith
What about reversible encryption? (I have no idea if this is required
for the VPN software or not - just a guess.)




 



RE: [ActiveDir] Cisco VPN user authentication problem

2007-01-19 Thread beads
Steve;

You could setup a new account through AD or blow her existing account away 
and see if that doesn't clear the stick from the mud. Just attacking this 
as logically as I can, here. Since I do not know of a utility to check for 
problems with Kerberos/AD... Though it seems like there should be 
something out there to do just that. 

Bueller?



Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax: (312) 762-9275



RE: [ActiveDir] Cisco VPN user authentication problem

2007-01-19 Thread Steve Egan (Temp)
Brent:

 

Great minds think alike...

 

We are thinking of saving all her files that have to be connected thru
her profile, blowing it away, and building a new one (NOT with the same
username!) to kind of flush things out.  I was hoping the Brain Trust
had something I hadn't thought of or maybe knew of somewhere to look.
I'll let this simmer over the weekend and see if anybody else can
contribute something that'll make/help me find the problem, IF it's
solvable *without* having to re-create the account.  It's gonna be messy
to have to re-create email and other stuff.

 

  ...besides, you knew the job was dangerous when you took it!

 

Steve Egan 

Systems/Network Engineer




RE: [ActiveDir] Cisco VPN user authentication problem

2007-01-19 Thread Al Garrett
I just realized my response was misleading.

 

I deleted and recreated the VPN Connection Profile within the Cisco VPN
Client, NOT the user's computer profile under Documents and Settings.

 

Al

 


RE: [ActiveDir] Cisco VPN user authentication problem

2007-01-19 Thread Steve Egan
Al:

 

I knew what you meant, and that was the first thing I did, thinking the
client software got hammered somehow by some other misbehaved software
(or whatever).  No change.  Like I said, if somebody else logs in from
her machine, it's fine.  If she tries to log in from another machine, it
breaks.  Gotta be something in AD.

 

Steve Egan (temp)

Systems/Network Engineer




Re: [ActiveDir] Cisco VPN user authentication problem

2007-01-19 Thread James Pogran

Have you considered token size? I've had trouble with Cisco router
firmware that is older dropping UDP packet sizes it didn't like with
accounts whose token is large. Believe Deji has some good blog posts
about it. If that is the case, a router firmware upgrade should help.
Is it a win2k or win2k3 domain?

James
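
The replies in this thread point at account-level causes (the reversible-encryption setting, token size, and the wish for a tool that checks the account), so one way to look is to diff the failing account's attributes against a working account's. This is an added example, not code from any poster: the two attribute dumps are constructed, the `sids_d`/`sids_s` keys and the 12000-byte limit are assumptions, and the size formula is Microsoft's published 1200 + 40d + 8s estimate.

```python
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bits that change how a password or
# Kerberos logon is processed.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000020: "PASSWD_NOTREQD",
    0x000080: "ENCRYPTED_TEXT_PWD_ALLOWED",  # the reversible-encryption setting
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x040000: "SMARTCARD_REQUIRED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_uac(value):
    """Return the names of the known flags set in userAccountControl."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def filetime_to_utc(ticks):
    """pwdLastSet and lockoutTime are 100 ns ticks since 1601-01-01 UTC."""
    if not ticks:
        return None  # 0 or missing means "not set"
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def estimate_token_size(d, s):
    """Microsoft's estimate in bytes: 1200 + 40d + 8s.

    d: domain local groups, universal groups from other domains, sIDHistory SIDs
    s: global groups and universal groups from the account's own domain
    """
    return 1200 + 40 * d + 8 * s


def compare_accounts(suspect, baseline, max_token_size=12000):
    """List what differs on the failing account relative to a working one."""
    findings = []
    s_flags = decode_uac(suspect["userAccountControl"])
    b_flags = decode_uac(baseline["userAccountControl"])
    for flag in sorted(s_flags - b_flags):
        findings.append(f"flag only on suspect: {flag}")
    for flag in sorted(b_flags - s_flags):
        findings.append(f"flag missing on suspect: {flag}")

    if suspect.get("pwdLastSet", 0) == 0:
        findings.append("pwdLastSet is 0: password change required at next logon")
    locked = filetime_to_utc(suspect.get("lockoutTime", 0))
    if locked:
        findings.append(f"lockoutTime set: {locked.isoformat()}")

    # max_token_size is an assumed limit; set it to the value in your environment.
    size = estimate_token_size(suspect["sids_d"], suspect["sids_s"])
    if size > max_token_size:
        findings.append(f"estimated token {size} bytes exceeds {max_token_size}")
    return findings


# Constructed sample data, not taken from the thread.
BASELINE = {"userAccountControl": 0x200, "pwdLastSet": 128136384000000000,
            "lockoutTime": 0, "sids_d": 5, "sids_s": 20}
SUSPECT = {"userAccountControl": 0x200200, "pwdLastSet": 0,
           "lockoutTime": 0, "sids_d": 150, "sids_s": 700}

if __name__ == "__main__":
    for line in compare_accounts(SUSPECT, BASELINE):
        print(line)
```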


Viruses, Malware, Phishing and other known and unknown electronic
threats: It is the recipient/client's duties to perform virus scans and
otherwise test the information provided before loading onto any computer
system. No warranty is made that this material is free from computer
virus or any other defect.

Any loss/damage incurred by using this material is not the sender's
responsibility. Liability will be limited to resupplying the material.

Steve Egan (Temp) [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/19/2007 04:39 PM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Cisco VPN user authentication problem


Greetings, Brain Trust:

I've been troubleshooting a VPN access problem for about two days now
and have almost scratched a groove in my head - this one's a puzzler.

My boss has an IBM Lenovo T60 laptop that has the Cisco VPN client
software loaded into it.  It was working just fine up until the third
week of December, allowing her to use Dialup to get into our HQ domain
from her house.  When the logins failed, I thought it was due to crappy
dialup connection, since noise in the link will cause the VPN tunnel to
go down.

However, I just got her link at her house to go on wireless, and it
works just spiffy (11M up/down), and she still can't log on to the
domain with the VPN software.  The connection works just fine, she can
browse with no problem.  OWA works just fine.

Here's some of the troubleshooting I've done:

1)   reloaded the VPN software.
2)   Tried to have her log on from another machine.
3)   Changed the Group authentication (made a new one) just for her.


Nothing seems to work.  She logs in to the domain normally from her desk
at work using either the wireless in the laptop, or via the Ethernet
connection.  Anybody else can use her laptop to get in via the VPN, so
it's not the drivers or hardware.  Her problem is replicated from
ANYBODY's laptop utilizing the VPN software.  It's got to be her
account, which is why I think it's something screwed up in AD.

When I monitor her attempts to log into the VPN concentrator (a Cisco
3000), 
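
James's token-size suggestion, worked through as an added example (not code from the thread, Microsoft or Cisco): it expands nested group membership and applies Microsoft's published estimate TokenSize = 1200 + 40d + 8s to show which accounts outgrow a single UDP datagram. The directory data, the domain names HQ and CORP, all function names and the 1472-byte datagram budget are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass

TOKEN_OVERHEAD = 1200     # fixed part of Microsoft's estimate 1200 + 40d + 8s
MAX_TOKEN_SIZE = 12000    # default MaxTokenSize on Windows Server 2003
# Assumption: plain Ethernet path, 1500 MTU - 20 (IP) - 8 (UDP). A tunnel lowers it.
SINGLE_DATAGRAM = 1472


@dataclass(frozen=True)
class Group:
    scope: str    # "global", "universal" or "domain_local"
    domain: str   # domain that holds the group


def expand_groups(direct, member_of):
    """Return every group reached through nesting; tolerates circular nesting."""
    seen, queue = set(), deque(direct)
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        queue.extend(member_of.get(name, ()))
    return seen


def count_d_s(account_domain, names, groups, sid_history=0):
    """d: domain local groups, universal groups outside the account domain and
    SID-history entries. s: global groups and universal groups inside it."""
    d, s = sid_history, 0
    for name in names:
        g = groups[name]
        same_domain = g.domain.lower() == account_domain.lower()
        if g.scope == "domain_local" or (g.scope == "universal" and not same_domain):
            d += 1
        elif g.scope in ("global", "universal"):
            s += 1
        else:
            raise ValueError(f"unknown scope {g.scope!r} on group {name!r}")
    return d, s


def assess(account_domain, direct, groups, member_of, sid_history=0,
           datagram_budget=SINGLE_DATAGRAM):
    """Estimate the token size for one account and flag the two size limits."""
    names = expand_groups(direct, member_of)
    d, s = count_d_s(account_domain, names, groups, sid_history)
    estimate = TOKEN_OVERHEAD + 40 * d + 8 * s
    return {
        "groups": len(names),
        "d": d,
        "s": s,
        "estimate": estimate,
        "needs_fragmentation_over_udp": estimate > datagram_budget,
        "exceeds_max_token_size": estimate > MAX_TOKEN_SIZE,
    }


def build_constructed_directory():
    """Constructed sample directory: 40 project groups, each nested in a
    domain local resource group, plus two universal groups nested in a loop."""
    groups = {
        "Domain Users": Group("global", "HQ"),
        "VPN-Users": Group("global", "HQ"),
        "RAS-Access": Group("domain_local", "HQ"),
        "Managers": Group("global", "HQ"),
        "All-Managers": Group("universal", "HQ"),
        "Corp-Leads": Group("universal", "CORP"),
    }
    member_of = {
        "VPN-Users": ["RAS-Access"],
        "Managers": ["All-Managers"],
        "All-Managers": ["Corp-Leads"],
        "Corp-Leads": ["All-Managers"],   # circular nesting
    }
    for i in range(40):
        groups[f"proj-{i:02d}"] = Group("global", "HQ")
        groups[f"res-{i:02d}"] = Group("domain_local", "HQ")
        member_of[f"proj-{i:02d}"] = [f"res-{i:02d}"]
    return groups, member_of


# Constructed direct memberships for two accounts in domain HQ.
BOSS_DIRECT = ["Domain Users", "VPN-Users", "Managers"] + [f"proj-{i:02d}" for i in range(40)]
STAFF_DIRECT = ["Domain Users", "VPN-Users"]

if __name__ == "__main__":
    groups, member_of = build_constructed_directory()
    for label, direct, history in (("boss", BOSS_DIRECT, 2), ("staff", STAFF_DIRECT, 0)):
        print(label, assess("HQ", direct, groups, member_of, sid_history=history))
```

The estimate is a sizing heuristic, not the wire size of any one Kerberos message; a packet capture on the concentrator's private interface confirms whether fragments are actually being dropped.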

RE: [ActiveDir] Cisco VPN user authentication problem

2007-01-19 Thread Jeff Salisbury
Steve - Check the Dial-in tab settings on the user's account in AD.
Depending on how your VPN3000 is authenticating, these settings may or
may not be checked. One other possibility - I vaguely remember having an
issue before we had our VPN3000s authenticate against Cisco ACS where
users with passwords longer than 14 characters could not authenticate.
If you shortened the password, it worked fine.
 
Jeff
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan
Sent: Friday, January 19, 2007 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cisco VPN user authentication problem



Al:

 

I knew what you meant, and that was the first thing I did,
thinking the client software got hammered somehow by some other
misbehaved software (or whatever).  No change.  Like I said, if somebody
else logs in from her machine, it's fine.  If she tries to log in from
another machine, it breaks.  Gotta be something in AD.

 

Steve Egan (temp)

Systems/Network Engineer






RE: [ActiveDir] Cisco VPN user authentication problem

2007-01-19 Thread Steve Egan
No on that as well - it was working until she tried to change her
password back to what it was after a (normal) password change at her
laptop.  Remember, her login (and ONLY hers) is broken no matter where
she logs in, from any machine.  The problem is client software
independent.

Steve Egan (temp)
Systems/Network Engineer


RE: [ActiveDir] Cisco VPN user authentication problem

2007-01-19 Thread Al Garrett
The password issue reminds me of times when people don't synchronize
their logins, i.e. they change their password at their desktop and
then their laptop is out of sync with the domain.

Try setting the VPN Client to log on to Windows first where she would
use her new password and then it will sync the laptop with the domain
again.




RE: [ActiveDir] Cisco VPN user authentication problem

2007-01-19 Thread Steve Egan
Jeff:

 

Yep, thought of that too.  Also, her password has been changed and
changed back, disabled, re-enabled, folded, spindled, and mutilated.  So
far, nothing.  See why I'm getting prematurely grey??  Password is only
7 characters long, BTW.  The most it has been is 13 characters.

 

Steve Egan 

Systems/Network Engineer

 




RE: [ActiveDir] Cisco VPN user authentication problem

2007-01-19 Thread Steve Egan
Al:

Her laptop IS her desktop.  I don't think that's the problem.  Remember
what I said about how the problem follows her login even on another
machine!

Steve Egan
Systems/Network Engineer


RE: [ActiveDir] Remote DC's on Virtual Server

2007-01-19 Thread Salandra, Justin A.
Exchange has about 2700 users on it, and yes I will have a GC in the
hotsite.  The majority of users are in the forest root.  Exchange and
the DC/GC's will be the only items in the hotsite.  Also, the odds of
all 8 domains being down at once are very small due to significant
distance between sites.

 

If Exchange fails over then all 2700 would be connecting there.

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, January 18, 2007 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

 

IMHO, ESX/VM Infrastructure and Virtual Server are like apples and
oranges. Yes, they are both virtualization environments, but have vastly
different capabilities. VM Infrastructure has a much broader and deeper
feature set that does come with added cost and complexity.

 

Regardless, in the context of the original question I'd be concerned
about the load Exchange is going to place on the host hardware. How many
Exchange users are in the 8 domains, and how many of these would
potentially be connecting to the alternate site? Are you going to have
GC availability to support Exchange? What other resources at the hotsite
might be looking for DC/GC services?

 

I would also be careful about having a configuration at my hotsite that
is significantly different from my normal production environment. When
things have melted down to the point of failing over to the hotsite,
it's not a good time to be pulling out the manuals for your
infrastructure because you don't work with it day in and day out.

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, January 18, 2007 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

ESX (VMWare) is good - and pricey. And very strict as to hardware specs.
And complex to setup and administer. And, I could be wrong on this, NOT
(MS)-supported for virtualizing DCs.

 

Virtual Server, on the other hand, is good, not pricey, less picky, more
supported (I believe it's actually validated) for DCs virtualization.
Plus, the liberal OS licensing scheme is very attractive to me.

 

Yes, I know, VMWare rules the market. Yes, I am biased.

 

  
Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

 



From: Salandra, Justin A.
Sent: Thu 1/18/2007 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remote DC's on Virtual Server

What would you recommend for the following situation.

 

We are thinking of having a hot site where Exchange will be replicated
to a remote location.  Since Exchange will be remote over the Internet,
we will need to have DC's for each domain available in that remote site.
(This would all be going across a VPN)

 

I was thinking about placing 8 DC's on a VMWare Infrastructure 3 server
Enterprise edition.  These DC's would really only be used in the event
of a disaster and people started connecting to Exchange up in the remote
site.

 

Is VMWare Infrastructure 3 good?  What would you use?

 

Justin A. Salandra

MCSE Windows 2000  2003

Network and Technology Services Manager

Catholic Healthcare System

646.505.3681 - office

917.455.0110 - cell

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 

 



Re: [ActiveDir] E-Mail Template

2007-01-19 Thread Albert Duro
To the best of my recollection, there was no way in 5.5 to do what you want 
without resorting to serious scripting and programming.  The only way to put in 
a disclaimer was with third party products, like, I believe, Minesweeper.  
That's one of the many reasons that the whole world has moved on to 03, and MS 
has stopped supporting 5.5.
  - Original Message - 
  From: Milton Sancho 
  To: ActiveDir@mail.activedir.org 
  Sent: Thursday, January 18, 2007 2:20 PM
  Subject: [ActiveDir] E-Mail Template


  Hello,

   How do I create an e-mail template using Exchange 5.5?

   The idea is that when any employee composes a new e-mail, a company message 
that is the same for all employees is included at the bottom of the message. 

   I know that at user level I can create a local signature, but I need that 
information at corporate level; there has to be a way to do it at server level 
config!

   Thanks for comments about it


Re: [ActiveDir] Remote DC's on Virtual Server

2007-01-19 Thread Albert Duro
yes, we have no bananas

  - Original Message - 
  From: Akomolafe, Deji 
  To: ActiveDir@mail.activedir.org 
  Sent: Thursday, January 18, 2007 3:43 PM
  Subject: RE: [ActiveDir] Remote DC's on Virtual Server


  :)

  Interesting points, again. Did I remember to say that I am biased? I think 
so. I expect that I'm going to catch some flak for what I'm about to write, 
but ...

  These do not make VS and ESX apples and oranges. VMotion, Host clustering. 
Different nomenclature, different capabilities, same purpose, Resource 
allocation guarantee, CPU Resource allocation weight.

  Superior Networking capabilities. Sure. Does VS have networking capabilities? 
Of course. Does ESX integrate with AD as well as VS? Does it run on Windows? 
Support software iSCSI? Live backup and Shadow Copy? (OK, if you count VCB and 
its proxy).

  Administration - show of hands, quick - ESX or VS, which is easier and less 
complex to deploy and administer? Which has easier and faster client deployment 
option?

  I swear, I have NOT drunk any kool-aid, but I think people's perceptions of 
the superiority of ESX over VS are largely driven by a combination of historical 
trends, myths, marketing and the unavoidable Winblows Sux mentality. Since we 
are on a Windows-centric list here, I do not mind admitting that I do not 
subscribe to the notion that if it's not Windows, it must be better than 
Windows. Mind you, Hunter, I am NOT implying that this is where you are coming 
from, but the reason I asked you to enunciate the reasoning behind your 
thinking was because I was hoping to hear something I haven't heard before on 
this issue.

  VS certainly wasn't as feature-rich as ESX a couple of revs back. The gap is 
considerably narrowed with what's currently going into VS and what ESX 3.0.1 
has today. Will VS catch and surpass ESX in a few months, no. Will it ever 
catch up, maybe. But, today, if we factor in the cost overlay (in licensing, 
hardware and administrative values), and discount our preconceived (or 
received) notions of ESX superiority, and give VS (as of SP1 Beta 2) a fair 
shake, one would be pleasantly surprised at how narrow the gap really is.

  To me, these 2 products are all bananas - one is just a banana and the 
other is organic banana. They are certainly not more apple and orange than 
your convertible and my jalopy are apple and orange. They are both 
virtualization tools, and they each serve the same purpose. One is cheap (like, 
FREE cheap, while giving you liberal Windows licensing terms and flexibility to 
boot), the other is not.

  Now, I'm off to find my Teflon :)


  Sincerely, 
 _
(, /  |  /)   /) /)   
  /---| (/_  __   ___// _   //  _ 
   ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
  (_/ /)  
 (/   
  Microsoft MVP - Directory Services
  www.akomolafe.com - we know IT
  -5.75, -3.23
  Do you now realize that Today is the Tomorrow you were worried about 
Yesterday? -anon


--
  From: Coleman, Hunter
  Sent: Thu 1/18/2007 2:21 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Remote DC's on Virtual Server


  On the Virtual Infrastructure side: Moving running guests across hosts 
(vmotion), the network configuration options, lower host overhead, grouping 
hosts into resource pools and allowing guests to automatically migrate based on 
allocation guarantees, 4-way SMP guests, 64-bit guests :-

  Nothing wrong with Virtual Server, but I see it more on par with VMware 
Server than ESX/Virtual Infrastructure.



--
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
  Sent: Thursday, January 18, 2007 2:40 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Remote DC's on Virtual Server


  Interesting points, Hunter.

  Not to engage in a holy war or something, but would you mind mentioning what 
makes one of these Orange and the other Apple (the fruit)? No, don't mention 
64-bit Guest, thank you very much :)[1]


  [1]Grumbling I wish MS will hurry up on this front already. /grumbling

  Sincerely, 
 _
(, /  |  /)   /) /)   
  /---| (/_  __   ___// _   //  _ 
   ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
  (_/ /)  
 (/   
  Microsoft MVP - Directory Services
  www.akomolafe.com - we know IT
  -5.75, -3.23
  Do you now realize that Today is the Tomorrow you were worried about 
Yesterday? -anon


--
  From: Coleman, Hunter
  Sent: Thu 1/18/2007 1:24 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Remote DC's on Virtual Server


  

Re: [ActiveDir] Remote DC's on Virtual Server

2007-01-19 Thread ChuckGaff
Btw, internally Microsoft doesn't recommend Exchange virtually due to I/O 
issues ...  It's possible to run DCs on Virtual Server but I have questions 
about possible issues that I've heard about doing this.

Chuck


RE: [ActiveDir] Cisco VPN user authentication problem

2007-01-19 Thread Brian Desmond
Steve-

 

I don't understand your problem.

 

Is this an IAS issue with AD authentication? Is this a PIX config issue?
Is this just a screwed up laptop issue? I'm lost.

 

I wrote a couple articles on my blog (click the cisco category in the
tag cloud) specifically about integrating IOS and PIX with IAS/AD. Have
set it up for several people and it works fine.

 

IAS logs an event with a reason for failed auth every time it fails an
auth in the system log. You can enable aaa debugging on the PIX for info
there. Now I just read you have a VPN 3000 - never touched one - maybe
it has AAA debugging type stuff? 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan
(Temp)
Sent: Friday, January 19, 2007 5:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cisco VPN user authentication problem

 

Greetings, Brain Trust:

 

I've been troubleshooting a VPN access problem for about two days now
and have almost scratched a groove in my head - this one's a puzzler.

 

My boss has an IBM Lenovo T60 laptop that has the Cisco VPN client
software loaded into it.  It was working just fine up until the third
week of December, allowing her to use Dialup to get into our HQ domain
from her house.  When the logins failed, I thought it was due to crappy
dialup connection, since noise in the link will cause the VPN tunnel to
go down.

 

However, I just got her link at her house to go on wireless, and it
works just spiffy (11M up/down), and she still can't log on to the
domain with the VPN software.  The connection works just fine, she can
browse with no problem.  OWA works just fine.

 

Here's some of the troubleshooting I've done:

 

1)  reloaded the VPN software.

2)  Tried to have her log on from another machine.

3)  Changed the Group authentication (made a new one) just for her.

 

Nothing seems to work.  She logs in to the domain normally from her desk
at work using either the wireless in the laptop, or via the Ethernet
connection.  Anybody else can use her laptop to get in via the VPN, so
it's not the drivers or hardware.  Her problem is replicated from
ANYBODY's laptop utilizing the VPN software.  It's got to be her
account, which is why I think it's something screwed up in AD.

 

When I monitor her attempts to log into the VPN concentrator (a Cisco
3000), sometimes it says the IKE isn't working, sometimes it says
there's no domain (domain = {not specified}), sometimes it never talks
to the 3000 at all (according to the log and the way it comes right back
with the username/password request).

 

Want to get even more confused?  This problem started when she attempted
to change her password back to what it was - she went through the AD
administration on the primary AD box and got some kind of error.  Ever
since then, things just ain't the same.  I think something got scrambled
in her account.  We tried disabling her account for 5 minutes and then
re-enabling, but nothing's worked.

 

Where should I look to see if something's amiss?  I'm kinda stumped.

 

Steve Egan 

Systems/Network Engineer

 



RE: [ActiveDir] Remote DC's on Virtual Server

2007-01-19 Thread Akomolafe, Deji
I don't think that is a Microsoft position. Probably a personal preference 
and opinion of the internal people. Publicly, MS supports Exchange 
virtualization starting from E2K3 SP2, running on VS R2.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: [EMAIL PROTECTED]
Sent: Fri 1/19/2007 8:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Remote DC's on Virtual Server


Btw, internally Microsoft doesn't recommend Exchange virtually due to I/O 
issues ...  It's possible to run DCs on Virtual Server but I have questions 
about possible issues that I've heard about doing this.

Chuck


[ActiveDir] OT: (only sort of as they will yet all you when the calendars are all messed up) Recorded webcast on Daylight savings patching

2007-01-19 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
http://blogs.msdn.com/mthree/archive/2007/01/19/now-available-webcast-on-windows-2000-updates-for-daylight-saving-time.aspx 


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


Re: [ActiveDir] OT: (only sort of as they will yet all you when the calendars are all messed up) Recorded webcast on Daylight savings patching

2007-01-19 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

...that should read

yell at you

not yet all you

(Mountain Dew wearing off...)

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
http://blogs.msdn.com/mthree/archive/2007/01/19/now-available-webcast-on-windows-2000-updates-for-daylight-saving-time.aspx 

