RE: [ActiveDir] OT: How to find non-primary SMTP addresses?

2007-01-25 Thread Akomolafe, Deji
Were the answers along the lines of it can't be done?

http://www.akomolafe.com/Portals/1/Write%20out%20the%20SMTP%20Addresses%20of%20users%20OR%20Groups.txt

YMWV


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Michael B. Smith
Sent: Thu 1/25/2007 5:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: How to find non-primary SMTP addresses?


I'm guessing you didn't like the answers you got on the exchange list?




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Thursday, January 25, 2007 6:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?


How does one go about getting the non-primary SMTP addresses for every Exchange 
user?  I can't seem to find a way via csvde, but maybe I'm doing something 
wrong.  Thanks again. 
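As an added example (not the script linked above and not part of the original thread), this pulls the non-primary addresses out of a csvde export of proxyAddresses, relying on the Exchange convention that an upper-case `SMTP:` prefix marks the primary address and lower-case `smtp:` marks the secondaries. The sample export is constructed; the X.400 entry is there because its embedded semicolons break a naive split on csvde's `;` value separator.

```python
"""Extract non-primary (secondary) SMTP addresses from a csvde export.

Added example; not the script linked in the thread. Assumes an export such as
  csvde -f proxy.csv -r "(mailNickname=*)" -l "mail,proxyAddresses"
(-f, -r and -l are real csvde switches; the filter is a typical one for
mail-enabled objects). Open the real file with the encoding csvde wrote.
"""
import csv
import io
import re
from typing import Dict, List, Tuple

# An Exchange proxy address is "<type>:<value>". A csvde field token only
# starts a new address when it begins with such a type prefix; X.400 values
# (c=US;a= ;p=...) contain ';' themselves and must not be split apart.
ADDRESS_START = re.compile(r"^[A-Za-z0-9]+:")

# Constructed sample of what csvde emits: multi-valued attributes are joined
# with ';' inside one quoted CSV field. Bob has no proxyAddresses at all.
SAMPLE_EXPORT = """\
DN,mail,proxyAddresses
"CN=Alice Example,OU=Users,DC=domain,DC=local",alice@domain.local,"SMTP:alice@domain.local;smtp:alice.example@domain.local;smtp:aexample@old.domain.local;X400:c=US;a= ;p=Domain;o=Exchange;s=Example;g=Alice;"
"CN=Sales,OU=Groups,DC=domain,DC=local",sales@domain.local,"smtp:sales@old.domain.local;SMTP:sales@domain.local"
"CN=Bob Noproxy,OU=Users,DC=domain,DC=local",bob@domain.local,
"""


def split_proxy_addresses(raw: str) -> List[str]:
    """Split csvde's ';'-joined multi-value field back into whole addresses.

    Tokens that do not start with a '<type>:' prefix are glued back onto the
    previous address, which keeps X.400 entries (and their trailing ';') intact.
    """
    addresses: List[str] = []
    for token in raw.split(";"):
        if ADDRESS_START.match(token):
            addresses.append(token)
        elif addresses:
            addresses[-1] += ";" + token
    return addresses


def classify(addresses: List[str]) -> Tuple[str, List[str]]:
    """Return (primary SMTP address, [secondary SMTP addresses]).

    The prefix comparison is case-sensitive on purpose: that is exactly how
    Exchange distinguishes the single primary ("SMTP:") from secondaries ("smtp:").
    """
    primary = ""
    secondary: List[str] = []
    for addr in addresses:
        prefix, _, value = addr.partition(":")
        if prefix == "SMTP":
            primary = value
        elif prefix == "smtp":
            secondary.append(value)
    return primary, secondary


def non_primary_smtp(csv_text: str) -> Dict[str, List[str]]:
    """Map each DN in a csvde export to its non-primary SMTP addresses.

    Objects without any secondary SMTP address are left out of the result.
    """
    result: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        addresses = split_proxy_addresses(row.get("proxyAddresses") or "")
        _, secondary = classify(addresses)
        if secondary:
            result[row["DN"]] = secondary
    return result


if __name__ == "__main__":
    for dn, addrs in non_primary_smtp(SAMPLE_EXPORT).items():
        print(dn)
        for a in addrs:
            print("    " + a)
```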


RE: [ActiveDir] Question about DNS SRV registration.

2007-01-23 Thread Akomolafe, Deji
Read http://www.netpro.com/forum/files/authentication_topology.pdf





From: Yann
Sent: Tue 1/23/2007 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about DNS SRV registration.


Hello all, and happy new year :-),

Say:
- Site A with DCa that is also DNS (AD-integrated).
- Site B that is a new site.
My goal: dcpromo a new DC (DCb) in site B. DCb will also be DNS (AD-integrated).
- DCa and DCb belong to the same domain (domain.local).
My AD is in w2k3 FFL mode.

In order to add the new DCb to the existing domain.com, DCb is a DNS client of
DCa.

When dcpromo finished, I configured:
- DCb as DNS client for itself
- DCa as secondary DNS server for DCb.

Everything looks good... BUT:
When clients in site B ask for all DCs in site B (via the netlogon process), DCb
returns DCb and DCa!
An nslookup with set type=srv on _ldap._tcp.siteB._sites.domain.local shows the 2 DCs:
- DCa.domain.local
- DCb.domain.local

When I search in the DNS console, I find that DCa is still present in site B. I
think this is due to the fact that DCb's NIC allows dynamic update and thus
DCa's SRV records get registered dynamically.
The only way I found to avoid DCb returning DCa to clients in site B is to
delete the SRV records for DCa in DNS (site B).

Question:
What is the best practice to avoid DCb returning DCa to clients, and where in
the process am I wrong?

Thanks,

Yann




Découvrez une nouvelle façon d'obtenir des réponses à toutes vos questions ! 
Profitez des connaissances, des opinions et des expériences des internautes sur 
Yahoo! Questions/Réponses. 


RE: RE : RE: [ActiveDir] Question about DNS SRV registration.

2007-01-23 Thread Akomolafe, Deji
I would not recommend that you do this. Please read the document I referenced 
in my previous response. Also, see Ulf's brief description/explanation of the 
behavior that you are seeing. I really recommend that you try to understand 
what is going on here.





From: Yann
Sent: Tue 1/23/2007 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] Question about DNS SRV registration.


Steve,

Thanks for the fast reply;
My example reflects what I have in real production.

So in my production, I have about 15 AD sites and we are in the process of
migration (adding more sites).

So you mean that I have to create 15 child DNS domains and set the DCs in each
site authoritative for their respective child domain?

It seems to be a lot of work ... but I will follow your direction.

Thanks again,

Yann


Molkentin, Steve [EMAIL PROTECTED] wrote:
Yann,

Create a child DNS domain for the site containing DCb, and establish DCb as the
authoritative server for that domain. If you have resources in Site A you'll
then need to ensure there is a forwarder set up for resolution, etc. Remember
that separate DNS domains can exist within the one logical Windows domain.

At least I think this would solve your problem...

themolk.







RE: [ActiveDir] adsiedit question

2007-01-23 Thread Akomolafe, Deji
Why are you using adsiedit to rehome a mailbox? Doesn't the move mailbox wizard 
work for your needs?





From: Condra, Jerry W Mr HP
Sent: Tue 1/23/2007 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] adsiedit question


Hi all
I didn't OT this even though I'm making modifications to Exchange since
the question seems to be adsiedit related and therefore related to AD.
I'm trying to modify an attribute for a mailbox using adsiedit.
Particularly, I'm rehoming its database by modifying the homeMDB
attribute.

The problem I'm running into is I'm getting an error stating "The name
reference is invalid" when I try to apply the change. I've done this a
few times but this is the first time I've run into this error. Google
doesn't give enough info to determine the cause... or maybe it is and I
just don't know enough about the response to see it... that never
happens. ;-)

If anyone can shed some light it would be greatly appreciated.

Many thanks 
Jerry 


RE: [ActiveDir] AD Security Auditing

2007-01-23 Thread Akomolafe, Deji
Sometimes, rebuilding OUs is not a Bad Idea :)

Try DSacls or something GUI-sh from Netpro and co.





From: Casey Robertson
Sent: Tue 1/23/2007 2:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Security Auditing


We are embarking on a project to clean up our OU structure and reassign
permissions that have grown unmanageable over time.  To accomplish this it
would be nice to be able to dump permissions on all OU objects and individual
object types (users, computers, etc) so that we can determine who has rights to
what.  The prospect of doing this manually is daunting at best and for the most
part I have only seen 3rd party tools (read: expensive) that do this in an easy
to use fashion.

Any suggestions for tools, scripts etc would be appreciated.  Either that or we
can rebuild our OU structure :)
 
Casey Robertson
 


RE: [ActiveDir] Remote DC's on Virtual Server

2007-01-21 Thread Akomolafe, Deji
Who's Ben? Well, now you know :)

Sorry about that.





From: Bernard, Aric
Sent: Sun 1/21/2007 1:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server


Regarding http://www.support.microsoft.com/kb/897615 - agreed.  I often forget
that not all customers have a premier support agreement in place, and cannot
necessarily afford third-party support such as my organization will provide.
 
To be clear, I did not state that ESX was easier to deploy:  and from an 
enterprise perspective often considered easier to manage given the wide range 
of tools available for it. Certainly for a smaller organization or a home 
lab, VS2005 will be easier to implement based on the underlying host OS and the 
less restrictive hardware requirements. As for System Center VMM - it will be a 
good tool when it is complete but is currently lacking many features that 
should show up in the next beta.  I think I have made it clear that my 
perspective is from that of the Enterprise customer (also known as large, 
global, etc.) and as such I have not run into a single instance of recycled 
hardware - although I should probably highlight my bias based on who my 
employer is.  Regardless, I certainly agree with you that MSVS must be part of 
the conversation as to what VE should be used and is appropriate in many 
situations and customer environments.
 
Finally, my point was not to support one over the other just to make a 
statement based on what I see in the field.  And FWIW I only run VS2005 in 
all of my test environments (outside of customers) although currently 
non-support for x64 guests is becoming a sticking point for me.
 
Regards,
 
Aric   (who's Ben?)
 
 
 

RE: [ActiveDir] Remote DC's on Virtual Server

2007-01-20 Thread Akomolafe, Deji
> All indications to the contrary are likely due to insufficient operational
> experience with the product - not an attack on anyone just a statement based
> on my personal experience and interactions with others
Not at all, Ben. I can speak from both side of the aisle as far as VMWare and 
VS are concerned, although my bias, to which I have already confessed, plays a 
role in my dislike of VMWare. My dislike, though, is driven largely based on 
the original (apples and oranges) statement to which I responded. I have not 
disputed that VMWare is ahead of VS at this present time. I have simply 
stipulated that the perceived gap is so considerably narrowed now that 
dismissing VS as a non-starter is no longer a technically sound or tenable 
position.

> However, MS stated virtual machine support is the same regardless of virtual
> environment provider.
This is just wrong. Please see http://www.support.microsoft.com/kb/897615

You will also notice that my observation and opinion were based mostly on where 
we are today on VS 2005 SP1 Beta 2. I do not dispute that VMWare is superior, 
but at what cost? I disagree with your assertion that ESX is easier to deploy 
and manage than VS - that just defies logic (no offense). Not with the 
availability of System Center.  When you need to provision a lab of, say, 20 
servers running various OSes, and you are under the gun to get it done, like 4 
hours ago, on a piece of recycled (Ebayed) hardware, ESX is not your friend.

I was afraid that this thread would go down the undesirable path of "Us vs
Them", and I apologize for making it so. The point I'm trying to make is that,
if you are looking for a Virtualization solution, VS does NOT stink one bit.
Factor in the cost overlay, the deployment and maintenance efforts, divide that
by what EXACTLY you are looking for in virtualization, then give VS a fair
shake and not just go with the popular "VMWare Rules" opinion. ESX may have
been sexy a while back when VS was truly ugly, but that is not the case today.
VS is evolving, and you may just be pleasantly surprised that it adequately
meets your need without breaking your bank and back.





From: Bernard, Aric
Sent: Sat 1/20/2007 5:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server


Other points to clear up...

MS supports VS2005 as it is their product.  However, MS stated virtual machine
support is the same regardless of virtual environment provider.

MS recently (more than a year ago?) made some changes to their licensing model
for virtual environments in terms of the Windows OS and how many instances can
be run given a single license.  This is applicable to any virtual environment,
not just VS2005.

In my role I am a supporter (technically, politically, and marketing) of MS 
products.  However, from an Enterprise perspective (management and operations) 
VMWare is generally regarded as the superior product for all the reasons 
mentioned and more. VMWare is not difficult to implement and operate as 
compared to VS2005 and from an enterprise perspective often considered easier 
to manage given the wide range of tools available for it.  All indications to 
the contrary are likely due to insufficient operational experience with the 
product - not an attack on anyone just a statement based on my personal 
experience and interactions with others.

That



-Original Message-
From: Brett Shirley [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 1/20/07 3:28 PM
Subject: RE: [ActiveDir] Remote DC's on Virtual Server


Does anyone know if the vmware stuff allows ba xxx w4 in the windows
debugger (obviously running on a windows guest VM)?

ba xxx w4 = means break on address write w/in 4 bytes of the xxx, which is
a pointer.  This kind of bp is set through a register directly on the CPU.

I know for a fact VS doesn't support it ... not sure if it's impossible to
support, switching machines would mean you simply have to swap out that
set of registers as well, I guess ... just curious.

Cheers,
BrettSh [msft]

posting as is


On Thu, 18 Jan 2007, Akomolafe, Deji wrote:

> > one runs on bare metal and other runs under a host OS
>
> Actually, that's a sleight of hand. ESX runs on a VMware-cooked Linux Kernel.
> So, one can argue that, because it is bundled with its own OS, ESX does not
> really run on bare metal in the way some people describe it.
>
>
> Sincerely

RE: [ActiveDir] Remote DC's on Virtual Server

2007-01-19 Thread Akomolafe, Deji
I don't think that is a Microsoft position. Probably a personal preference 
and opinion of the internal people. Publicly, MS supports Exchange 
virtualization starting from E2K3 SP2, running on VS R2.





From: [EMAIL PROTECTED]
Sent: Fri 1/19/2007 8:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Remote DC's on Virtual Server


Btw, internally Microsoft doesn't recommend Exchange virtually due to I/O 
issues ...  It's possible to run DCs on Virtual Server but I have questions 
about possible issues that I've heard about doing this.

Chuck


RE: [ActiveDir] Remote DC's on Virtual Server

2007-01-18 Thread Akomolafe, Deji
ESX (VMWare) is good - and pricey. And very strict as to hardware specs. And
complex to set up and administer. And, I could be wrong on this, NOT
(MS)-supported for virtualizing DCs.

Virtual Server, on the other hand, is good, not pricey, less picky, more
supported (I believe it's actually validated) for DC virtualization. Plus, the
liberal OS licensing scheme is very attractive to me.

Yes, I know, VMWare rules the market. Yes, I am biased.





From: Salandra, Justin A.
Sent: Thu 1/18/2007 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remote DC's on Virtual Server


What would you recommend for the following situation?
 
We are thinking of having a hot site where Exchange will be replicated to a 
remote location.  Since Exchange will be remote over the Internet, we will need 
to have DC's for each domain available in that remote site.  (This would all be 
going across a VPN)
 
I was thinking about placing 8 DC's on a VMWare Infrastructure 3 server 
Enterprise edition.  These DC's would really only be used in the event of a 
disaster and people started connecting to Exchange up in the remote site.
 
Is VMWare Infrastructure 3 good?  What would you use?
 
Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]
 


RE: [ActiveDir] Remote DC's on Virtual Server

2007-01-18 Thread Akomolafe, Deji
Interesting points, Hunter.

Not to engage in a holy war or something, but would you mind mentioning what 
makes one of these Orange and the other Apple (the fruit)? No, don't mention 
64-bit Guest, thank you very much :)[1]


[1] <grumbling>I wish MS would hurry up on this front already.</grumbling>




From: Coleman, Hunter
Sent: Thu 1/18/2007 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server


IMHO, ESX/VM Infrastructure and Virtual Server are like apples and oranges. 
Yes, they are both virtualization environments, but have vastly different 
capabilities. VM Infrastructure has a much broader and deeper feature set that 
does come with added cost and complexity.

Regardless, in the context of the original question I'd be concerned about the 
load Exchange is going to place on the host hardware. How many Exchange users 
are in the 8 domains, and how many of these would potentially be connecting to 
the alternate site? Are you going to have GC availability to support Exchange? 
What other resources at the hotsite might be looking for DC/GC services?

I would also be careful about having a configuration at my hotsite that is 
significantly different from my normal production environment. When things have 
melted down to the point of failing over to the hotsite, it's not a good time 
to be pulling out the manuals for your infrastructure because you don't work 
with it day in and day out.






RE: [ActiveDir] Remote DC's on Virtual Server

2007-01-18 Thread Akomolafe, Deji
:)

Interesting points, again. Did I remember to say that I am biased? I think so.
I expect that I'm going to catch some flak for what I'm about to write, but
...

These do not make VS and ESX apples and oranges. VMotion, Host clustering. 
Different nomenclature, different capabilities, same purpose, Resource 
allocation guarantee, CPU Resource allocation weight.

Superior Networking capabilities. Sure. Does VS have networking capabilities? 
Of course. Does ESX integrate with AD as well as VS? Does it run on Windows? 
Support software iSCSI? Live backup and Shadow Copy? (OK, if you count VCB and 
its proxy).

Administration - show of hands, quick - ESX or VS, which is easier and less 
complex to deploy and administer? Which has easier and faster client deployment 
option?

I swear, I have NOT drunk any kool-aid, but I think people's perceptions of the
superiority of ESX over VS are largely driven by a combination of historical
trends, myths, marketing and the unavoidable "Winblows Sux" mentality. Since we
are on a Windows-centric list here, I do not mind admitting that I do not
subscribe to the notion that if it's not Windows, it must be better than
Windows. Mind you, Hunter, I am NOT implying that this is where you are coming 
from, but the reason I asked you to enunciate the reasoning behind your 
thinking was because I was hoping to hear something I haven't heard before on 
this issue.

VS certainly wasn't as feature-rich as ESX a couple of revs back. The gap is 
considerably narrowed with what's currently going into VS and what ESX 3.0.1 
has today. Will VS catch and surpass ESX in a few months, no. Will it ever 
catch up, maybe. But, today, if we factor in the cost overlay (in licensing, 
hardware and administrative values), and discount our preconceived (or 
received) notions of ESX superiority, and give VS (as of SP1 Beta 2) a fair 
shake, one would be pleasantly surprised at how narrow the gap really is.

To me, these 2 products are all bananas - one is just a banana and the other
is an organic banana. They are certainly not more apple and orange than your
convertible and my jalopy are apple and orange. They are both virtualization 
tools, and they each serve the same purpose. One is cheap (like, FREE cheap, 
while giving you liberal Windows licensing terms and flexibility to boot), the 
other is not.

Now, I'm off to find my Teflon :)





From: Coleman, Hunter
Sent: Thu 1/18/2007 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server


On the Virtual Infrastructure side: Moving running guests across hosts 
(vmotion), the network configuration options, lower host overhead, grouping 
hosts into resource pools and allowing guests to automatically migrate based on 
allocation guarantees, 4-way SMP guests, 64-bit guests :-

Nothing wrong with Virtual Server, but I see it more on par with VMware Server 
than ESX/Virtual Infrastructure.





RE: [ActiveDir] Remote DC's on Virtual Server

2007-01-18 Thread Akomolafe, Deji
> one runs on bare metal and other runs under a host OS

Actually, that's a sleight of hand. ESX runs on a VMware-cooked Linux Kernel. 
So, one can argue that, because it is bundled with its own OS, ESX does not 
really run on bare metal in the way some people describe it.





From: Noah Eiger
Sent: Thu 1/18/2007 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server


I realize this is now getting a bit OT, but...
 
Deji, I think the fruit distinction is based on the fact that one runs on bare 
metal and other runs under a host OS. (Or at least that is how I have always 
thought of them.) Beyond that, I agree there are simply feature comparisons.
 
That said, (and with the caveat that I have not worked with ESX) I find the MS 
product to be much simpler than VM Server (nee GSX). I started halfway down the 
path of migrating my MS VMs to VM Server and found it overly complex and the 
video emulation performance using the VM Ware client was so bad as to be 
unacceptable. 
 
And as to the OP, I have DCs running on MS VS2k5 R2 and have not had any 
problems. In the situation you describe, Justin, it seems like performance and 
cost would be the deciding factor.
 
--- nme
 



From: Akomolafe, Deji [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 18, 2007 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server
 
:)
 
Interesting points, again. Did I remember to say that I am biased? I think so. 
I expect that I'm going to catch some flak for what I'm about to write, but...
 
These do not make VS and ESX apples and oranges. VMotion, Host clustering. 
Different nomenclature, different capabilities, same purpose, Resource 
allocation guarantee, CPU Resource allocation weight.
 
Superior Networking capabilities. Sure. Does VS have networking capabilities? 
Of course. Does ESX integrate with AD as well as VS? Does it run on Windows? 
Support software iSCSI? Live backup and Shadow Copy? (OK, if you count VCB and 
its proxy).
 
Administration - show of hands, quick - ESX or VS, which is easier and less 
complex to deploy and administer? Which has easier and faster client deployment 
option?
 
I swear, I have NOT drunk any kool-aid, but I think people's perceptions of the 
superiority of ESX over VS is largely driven by a combination of historical 
trends, myths, marketing and the unavoidable Winblows Sux mentality. Since we 
are on a Windows-centric list here, I do not mind admitting that I do not 
subscribe to the notion that if it's not Windows, it must be better than 
Windows. Mind you, Hunter, I am NOT implying that this is where you are coming 
from, but the reason I asked you to enunciate the reasoning behind your 
thinking was because I was hoping to hear something I haven't heard before on 
this issue.
 
VS certainly wasn't as feature-rich as ESX a couple of revs back. The gap is 
considerably narrowed with what's currently going into VS and what ESX 3.0.1 
has today. Will VS catch and surpass ESX in a few months, no. Will it ever 
catch up, maybe. But, today, if we factor in the cost overlay (in licensing, 
hardware and administrative values), and discount our preconceived (or 
received) notions of ESX superiority, and give VS (as of SP1 Beta 2) a fair 
shake, one would be pleasantly surprised at how narrow the gap really is.
 
To me, these 2 products are all bananas - one is just a banana and the other 
is organic banana. They are certainly not more apple and orange than your 
convertible and my jalopy are apple and orange. They are both virtualization 
tools, and they each serve the same purpose. One is cheap (like, FREE cheap, 
while giving you liberal Windows licensing terms and flexibility to boot), the 
other is not.
 
Now, I'm off to find my Teflon :)
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon
 



From: Coleman, Hunter
Sent: Thu 1/18/2007 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server
On the Virtual Infrastructure side: Moving running guests across hosts 
(vmotion), the network configuration options, lower host overhead, grouping 
hosts into resource pools and allowing

RE: [ActiveDir] DNS problem. Periodically have to clear the cache

2007-01-16 Thread Akomolafe, Deji
How are these servers configured in TCP/IP? Who is forwarding to whom? And what 
is the SP level? If you want to take this off-list, you can do so by directly 
emailing me.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Ramon Linan
Sent: Tue 1/16/2007 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache


Hi,

I have 4 DNS servers, they are all AD integrated.

2 of them are supposed to be for internal use only, and the other 2 for the 
internet domain we have; unluckily they were never configured to be split DNS.

Anyway, every now and then I have to clear the cache for the internal ones 
because they stop resolving certain addresses.

Sometimes I also have to update server data files for the DNS server to 
resolve certain names.


Any help on how to troubleshoot this?

Thanks

Rezuma


RE: [ActiveDir] Computer accounts getting deleted by unknown process

2007-01-16 Thread Akomolafe, Deji

I had this issue a long time back with a similar product made by a previous 
employer. I won't go back into the details, but the problem is that computer 
passwords were being restored to previous states that no longer match those on 
the DCs at the present state. A manual or scripted rejoin is usually the cure. 
However, the computer objects themselves were not actually cleaned up, unlike 
in the case that Rich is now describing. Rich needs to eye-ball the directory 
itself and see whether or not the object actually disappeared when the problem 
manifests itself. Third-party eyes relaying information to the troubleshooter - 
not always reliable.


Sincerely, 
  _
 (, /  |  /)   /) /)   
   /---| (/_  __   ___// _   //  _ 
) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
  (/   
Microsoft MVP - Directory Services

www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Al Mulnick
Sent: Tue 1/16/2007 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process


In that case, you'll want to check out Steve's post and follow some of that advice.  Since it's a computer resource domain topology, it should be relatively low traffic and easier to spot. 

Can you recreate it? Or is this just being reported retroactively? Better yet, how close are you to the situation? 



On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote: 
Thanks Al. It's not that the domain is different, just that only one domain is used for computer accounts. The forest root isn't, and the other domain is relatively inactive until we put another area on AD, though it has a couple of user accounts. So all the computer accounts are in this domain (as well as almost all user accounts). 

I agree it's weird that nothing is touching user accounts. We do use Sophos, and Sophos is often referred to with 4 letters lately around here so I'll mention that to them. 

Deep Freeze apparently resets the computer to the state it was in before, so people can't change it. I'm not sure that the computer account password getting reset as part of it is a problem, I've been out of the loop on it. But it's not just those computers. 


---
Rich Milburn 
MCSE, Microsoft MVP - Directory Services

Sr Network Analyst, Field Platform Development
Applebee's International, Inc. 
4551 W. 107th St

Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, January 16, 2007 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process 

What's unique about the domain this is happening to? That strikes me as odd that it's occurring in one domain, but not all. 

I have yet to see accounts get deleted in Active Directory (any version) without a process that removes them.  This could be a new experience for me, but I'm skeptical that a process doesn't exist that is removing accounts or preventing the replication (you did say they checked, but like I said, I'm skeptical of any process that picks on computer account security principals but leaves user security principals alone.) 

I have seen strange issues occur when anti virus apps that run on the domain controllers were thought to have been configured properly but weren't. I've seen instances where similar symptoms were presented but in the end we found out that a process was running that caused this issue. I've seen issues of DC promotions and DNS that ate the DNS zones, but that's not what you describe. 

So I'm interested to know what's unique about the domain it occurs in.  I'm interested to know why it doesn't occur in the other domains? 

SP1 is highly recommended of course - lots of bug fixes and additional security changes. 


I'm not familiar with the client side apps you mention, but if the environment 
I work in currently is any indication old computer accounts don't become 
suicidal without provocation.  Shame too



On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote:
I've found a little bit of info on this googling, and the results I'm
finding seem to be related to replication problems, lack of SP1, or
other issues with DCs that need to be reinstalled (reason not
identified).  What's happening is that computer accounts are getting 
deleted - most of them are ones that can't update their passwords

because they have been turned off, or in the case of a group of users,
their computers have Deep Freeze running on them, and those computers
update their passwords but apparently the computers reset when they are
rebooted so the password is reset 
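Deji's point above is that the person troubleshooting should look at the directory itself rather than rely on relayed reports. The following is an added example, not code from this thread: it lists computer tombstones (objects that really were deleted and are still within the tombstone lifetime) and pulls the matching "computer account deleted" audit events so the deleting account shows up. It assumes the ActiveDirectory PowerShell module, account-management auditing enabled on the DCs, and uses 'DC01' and the day count as placeholders.

```powershell
# Added example, not from this thread: look in the directory itself for deleted
# computer objects and correlate them with the "computer account deleted" audit
# events on the domain controller. Assumes the ActiveDirectory module (RSAT),
# deletions still inside the tombstone lifetime, and account-management auditing
# enabled on the DCs. 'DC01' and the day count are placeholders.
Import-Module ActiveDirectory

function Get-DeletedComputerTombstones {
    param(
        [string]$Server     = 'DC01',   # placeholder DC name
        [int]   $WithinDays = 7
    )
    $since = (Get-Date).AddDays(-$WithinDays)
    # Tombstones keep their objectClass, so deleted computers can be told apart
    # from deleted users; lastKnownParent shows which OU each one lived in, and
    # whenChanged on a tombstone is the deletion time.
    Get-ADObject -Server $Server -IncludeDeletedObjects `
        -Filter 'objectClass -eq "computer" -and isDeleted -eq $true' `
        -Properties whenChanged, lastKnownParent |
        Where-Object { $_.whenChanged -ge $since } |
        Select-Object Name, lastKnownParent, whenChanged
}

function Get-ComputerDeletionEvents {
    param(
        [string]$Server     = 'DC01',
        [int]   $WithinDays = 7
    )
    $since = (Get-Date).AddDays(-$WithinDays)
    # Security event 4743 = "A computer account was deleted" (Windows Server 2008
    # and later; Windows Server 2003 logs 647 for the same action). Its Subject
    # fields name the account that performed the deletion, which is exactly the
    # "unknown process" this thread is looking for.
    Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4743; StartTime = $since
    } | ForEach-Object {
        [xml]$x = $_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Computer  = $d['TargetUserName']
            DeletedBy = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            LogonId   = $d['SubjectLogonId']
        }
    }
}

# Usage: run against every DC, since each one only logs the deletions it originated.
Get-DeletedComputerTombstones | Format-Table -AutoSize
Get-ComputerDeletionEvents    | Format-Table -AutoSize
```

If the first function returns nothing for the names the users reported, the objects were not deleted and the problem is elsewhere (the password-reset scenario Deji describes, for instance); if it does return them, the second function tells you which account or service did it.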

RE: [ActiveDir] DNS problem. Periodically have to clear the cache

2007-01-16 Thread Akomolafe, Deji
That's what I was getting at, too. Sorry to sound selfish and ask him to take 
it off-list :)

He hasn't sent anything yet, though. If he does, I'll send him your way.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Steve Linehan
Sent: Tue 1/16/2007 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache


I am also interested in the answers to these questions especially OS version 
and SP level.  We had a few issues with caching around in RTM and a few others 
around SP1.  It is a long story but has to do with how the cache entries are 
organized in memory.  The net affect was that certain lookups would cause the 
cache to have bad data that would cause the behavior you mention.  If you could 
provide the version of DNS.EXE, full build number using something like 
filever.exe, that would also be helpful.  The last issue I was aware of that 
exhibited these behaviors is documented here: 
http://support.microsoft.com/kb/903720/en-us .  So I would be interested if you 
were experiencing the issue with a build beyond that one.
 
Thanks,
 
-Steve
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, January 16, 2007 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache
 
How are these servers configured in TCP/IP? Who is forwarding to whom? And what 
is the SP level? If you want to take this off-list, you can do so by directly 
emailing me.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon
 



From: Ramon Linan
Sent: Tue 1/16/2007 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache
Hi,
 
I have 4 DNS servers, they are all AD integrated.
 
2 of them are supposed to be for internal use only, and the other 2 for the 
internet domain we have; unluckily they were never configured to be split DNS.

Anyway, every now and then I have to clear the cache for the internal ones 
because they stop resolving certain addresses.

Sometimes I also have to update server data files for the DNS server to 
resolve certain names.
 
 
Any help on how to troubleshoot this?
 
Thanks
 
Rezuma


RE: [ActiveDir] Who needs that much ram anyway?

2007-01-16 Thread Akomolafe, Deji
One little addition:

There is a 32-bit version of E2K7, although it is neither intended to be used in 
production, nor supported if you choose to ignore the caveat.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Bernard, Aric
Sent: Tue 1/16/2007 5:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]  Who needs that much ram anyway?


My understanding is as follows:

All three switches address the 32-bit architecture only.
Exchange has never supported AWE.
Exchange 2007 has RTM'd.


Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Tuesday, January 16, 2007 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who needs that much ram anyway?

What about the 3Gb switch in the boot.ini that is required to take advantage
of the additional memory.
Also depending on the age of the server and CPU, you may also need a PAE /
AWE switch.
http://support.microsoft.com/kb/283037

Since the final release of Exchange 2007 will only be 64 bit and require a
64 bit version of Windows 2003 or Longhorn, I am not sure if the switch will
be required, any one else know?

Jose


- Original Message -
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 16, 2007 8:47 AM
Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?


 Personally I was surprised that a Windows 2003 server and Exchange 2007
 would need a patch to run more than 4 gigs because
 This problem occurs because of a problem in the Windows kernel

 Seems to me in the x64 era, we're all going to be running more than 4 gigs
 so they should bundle this up in the Exchange 2007 installer from the get
 go rather than having everyone stumble across a KB article.

 I'm assuming it's discussed in the readme that no one reads?


 Brian Desmond wrote:
 The more you can get in memory, the better. 32GB is the threshold for
 Exchange before it stops making sense.

 I've remoted into SQL servers with dozens of CPUs and dozens of gigs of
 ram before...

 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]

 c - 312.731.3132



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz -
 SBS Rocks [MVP]
 Sent: Tuesday, January 16, 2007 4:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Who needs that much ram anyway?


 The Microsoft Exchange Information Store service stops responding on a
 computer that is running Windows Server 2003 and Exchange Server 2007

 http://support.microsoft.com/?kbid=928368

 This problem occurs if Exchange Server 2007 is installed on a computer
 that has more than 4 gigabytes (GB) of RAM.

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ma/default.aspx




 --
 Letting your vendors set your risk analysis these days?
 http://www.threatcode.com

 If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
 will hunt you down...
 http://blogs.technet.com/sbs




RE: [ActiveDir] DL information

2007-01-15 Thread Akomolafe, Deji

See http://msmvps.com/blogs/ehlo/archive/2005/04/21/43813.aspx

HTH


Sincerely, 
  _
 (, /  |  /)   /) /)   
   /---| (/_  __   ___// _   //  _ 
) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
  (/   
Microsoft MVP - Directory Services

www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Milton Sancho
Sent: Mon 1/15/2007 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DL information


Hi,

I have an NT 4 environment running an Exchange Server 5.5; I need to find a 
way to get a full list of all the Distribution Lists in the domain. Besides 
that I need to know the owner and members of each DL.

I would like to know if there is any tool to reach that information or if I need 
to run a script. At the same time, I'd like to know if anyone has a script that 
might help me to get the info.


Regards


RE: [ActiveDir] DL information

2007-01-15 Thread Akomolafe, Deji

Or these:

http://support.microsoft.com/kb/152300/EN-US/
http://support.microsoft.com/kb/149447/EN-US/

HTH


Sincerely, 
  _
 (, /  |  /)   /) /)   
   /---| (/_  __   ___// _   //  _ 
) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
  (/   
Microsoft MVP - Directory Services

www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Milton Sancho
Sent: Mon 1/15/2007 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DL information


Hi,

I have an NT 4 environment running an Exchange Server 5.5; I need to find a 
way to get a full list of all the Distribution Lists in the domain. Besides 
that I need to know the owner and members of each DL.

I would like to know if there is any tool to reach that information or if I need 
to run a script. At the same time, I'd like to know if anyone has a script that 
might help me to get the info.


Regards


RE: [ActiveDir] SID Deleted users remains in NTS permission.

2007-01-04 Thread Akomolafe, Deji
It's normal. You should be permissioning your resources with groups instead 
of directly with user accounts. Groups tend to last longer, so you don't have 
to deal with the horrible SIDs.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Yann
Sent: Thu 1/4/2007 1:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID Deleted users remains in NTS permission.


Hello all & Happy new year! :)

AD 2k3 sp1 in FFL mode.

When I delete a user or group from AD, and these objects have permissions on 
NTFS, I usually see their SIDs remaining in those file & directory 
ACLs.

Is this normal? If not, what could be the reason(s) & how to investigate this 
issue?

Thanks,

Yann


__
Do You Yahoo!?
En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible 
contre les messages non sollicités 
http://mail.yahoo.fr Yahoo! Mail 


RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.

2007-01-04 Thread Akomolafe, Deji
: Thursday, January 04, 2007 7:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.
 
Not sure why this surprises you. The ACLs are not maintained by AD nor the SAM 
where the user accounts exist which means you either get to poll or put some 
form of notification system in process. Consider also the case of trusted 
security principals, systems don't get a notification when a trusted system 
deletes a security principal. 
 
Here are just a couple of the bad things that could happen if the machines were 
responsible for cleaning up those SIDs
 
1. Overhead. Do you know the sheer number of Security Descriptors that are on 
any given system? You are just thinking of file Security Descriptors but there 
are Security Descriptors on many many different securable objects. I have 
published the list of items I at least know about to this list on a couple of 
occasions and the different types of objects alone is double digits let alone 
the actual instances of those objects. Consider a file system with hundreds of 
thousands or millions of Security Descriptors with really long ACL chains. You 
could have a scavenger thread running 24x7 in idle mode (you wouldn't want it 
higher as it would eat up CPU and that would be a different complaint) just 
constantly walking the ACLs and verifying them. 
 
2. Mistakes. Since we don't have a change notification capability for deleted 
security principals, and quite honestly you wouldn't (could you imagine 300,000 
machines registering with every domain in your forest for change notifications 
of security principal changes) so that leaves polling and let's say you have a 
temporary network glitch that makes a SID unresolvable to a friendly name... Do 
you then just start stripping the SIDs from the ACLs because a name can't be 
resolved once, twice, three times? What about when an account gets undeleted or 
restored because it was accidentally deleted for an hour?
 
I can think of even more bad things but don't have the time to write about 
them. If you want to, think through how you would build an application to do 
what you are suggesting. It is always a good thought exercise before being 
surprised at what MSFT has done. Keep in mind they are a collection of really 
bright programmers that often have to work in committee, they aren't 
necessarily miracle workers.
 
Could this be done? Maybe. I think I could visualize mechanisms to possibly help 
here but would really have to think it through even more than I have and I have 
thought a lot about things like this... But it would take serious rework with 
how security is implemented on Windows and I would be quite fearful of the 
scaling capabilities. The Windows security system is difficult to work with and 
can be quite a pain but it is extremely flexible and powerful at the same time. 
I have started and stopped several times to write all inclusive security 
tracking tools, it is a big big deal and if done wrong will really make someone 
have a bad day.
 
As someone else mentioned, use groups. Don't use users. When you go to delete a 
group, make it a point to clean up where that group has been used. If you don't 
know where it has been used, that is a process issue and one of the reasons why 
I am not a fan of universal and global groups because the scope of use is huge. 
Alternately write your own tools to scan all of the various ACLs looking for 
unresolvable SIDs and clean them up, but I would be shy on how aggressive you 
are with the cleanup. You can easily screw yourself up.
 
  joe
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Thursday, January 04, 2007 5:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] SID Deleted users remains in NTS permission.
Thanks for replying.
 
You say that it is normal that the SID still remains in file & directory ACLs 
after the deletion of the corresponding group??

I always thought that SIDs *HAVE TO* disappear dynamically on all existing ACLs 
set on the file server.
I'm a bit surprised that the system (AD-file server) leaves this dirty SID and 
that there is no synchronisation that updates the link between the AD object 
and the ACE.

What is the reason? Could this behavior be altered?

I'd like the SID to disappear after deletion of the corresponding group in AD in 
order to not have these dirty SIDs...
 
Thanks.
 
Yann


Akomolafe, Deji [EMAIL PROTECTED] wrote:
It's normal. You should be permissioning your resources with groups instead 
of directly with user accounts. Groups tend to last longer, so you don't have 
to deal with the horrible SIDs.
 

Sincerely
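joe's closing suggestion is to scan the ACLs for unresolvable SIDs yourself, and his second point explains why such a scan must not act on a single failed lookup. The following is an added example, not code from this thread or from any of the posters: it walks a tree and reports only the explicit ACEs whose SID no longer translates to an account, leaving the decision to the administrator. It assumes a local or domain-joined file server and uses the share path as a placeholder.

```powershell
# Added example, not from this thread: report NTFS ACEs whose SID no longer
# resolves to an account so the orphans can be reviewed. Report-only by design:
# as joe notes, a transient resolution failure (network glitch, unreachable
# trusted domain, an account restored an hour later) must not be treated as a
# deleted principal. The path below is a placeholder.
function Find-OrphanedSidAces {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse
    )
    $items = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $items += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    }
    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }
        # Ask for the rules keyed by raw SID rather than by translated name, and
        # only the explicit ones: an inherited orphan is reported once, where it
        # was actually set, instead of on every child.
        $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference
            # Capability / app-container SIDs (S-1-15-...) never translate to an
            # account; they are not orphans and are skipped.
            if ($sid.Value -like 'S-1-15-*') { continue }
            try {
                $null = $sid.Translate([System.Security.Principal.NTAccount])
            } catch [System.Security.Principal.IdentityNotMappedException] {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Sid    = $sid.Value
                    Rights = $rule.FileSystemRights
                    Type   = $rule.AccessControlType
                }
            }
        }
    }
}

# Usage: run it twice, some time apart; only SIDs unresolvable in both passes
# deserve a second look, and even then check the account was not just restored.
Find-OrphanedSidAces -Path 'D:\Shares\Projects' -Recurse | Format-Table -AutoSize
```

Deleting a principal from AD changes nothing on the file server, as joe explains, so the report is the whole of what the directory can tell you; what to do with each line (remove the ACE, replace it with a group, or leave it) stays a manual decision.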

RE: [ActiveDir] OT: Hello?

2007-01-04 Thread Akomolafe, Deji
Santa brought me coupon for a new home computer, redeemed the coupon and 
built the system

So, what exactly did YOU do?


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Gil Kirkpatrick
Sent: Thu 1/4/2007 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Hello?


Only if you had to install Linux.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, January 04, 2007 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Hello?

Hey, Santa brought me coupon for a new home computer, redeemed the
coupon and built the system.  Doesn't that count as work??

Dan

  Original Message 
 Subject: RE: [ActiveDir] OT: Hello?
 From: Crawford, Scott [EMAIL PROTECTED]
 Date: Thu, January 04, 2007 3:35 pm
 To: ActiveDir@mail.activedir.org
 
I've seen a few today, but the list has been quite slow for the last week or 
so.  Come on guys, the holidays are the time to actually get stuff done :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Thursday, January 04, 2007 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Hello?

I haven't seen a single e-mail from the mailing list since yesterday morning. 
Is anyone else seeing this e-mail?  Has anyone else received e-mails since 
then?  Just curious if the list has just been dead for the past day, or if 
something might not be working properly.

~Ben



RE: [ActiveDir] AdminSDHolder orphans

2006-12-21 Thread Akomolafe, Deji
Sorry, Tony. I've been away from emails for most of the week. Did you get a 
useful response to your question? If not, does my 2-part AdminSDHolder blog 
(http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx and 
http://www.akomolafe.com/JustSaying/tabid/193/EntryID/20/Default.aspx) help? No?


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Tony Murray
Sent: Mon 12/18/2006 5:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AdminSDHolder orphans


Just wanted to get your opinion on something.

When an object becomes a member of one of the groups protected by the 
AdminSDHolder, the next run of the SDProp thread will:

- Replace the object's security descriptor with that of the AdminSDHolder;
- Disable permissions inheritance on the object;
- Set a new adminCount attribute with a value > 0 on the object.

If the object is then removed from the protected group(s), the changes made by 
the AdminSDHolder are not reversed.  In other words, the adminCount value 
remains the same, as does the security descriptor.

Is it just me or does anyone think this behaviour a little strange?  What I am 
finding in many environments is a large number of these AdminSDHolder 
orphans.  These can arise quite easily, e.g. an account is made a temporary 
member of a privileged group to perform a specific task or someone changes role 
within the organisation.  Of course I realise that in a perfect world these 
scenarios would be minimised by the use of dual accounts for splitting standard 
vs. admin functions, but the reality is that it is all too common.

The AdminSDHolder orphans can cause problems when troubleshooting delegation 
issues.  For example, I came across this issue recently when setting up 
permissions for GAL Sync using IIFP.  I had to tidy up before the sync would 
complete without errors.

Does anyone run a regular cleanup using the script provided in this article (or 
similar)?

http://support.microsoft.com/kb/817433

Do you think the AdminSDHolder behaviour should be changed to clean-up after 
itself?  

Tony 





Sent via the WebMail system at mail.activedir.org


 
   



RE: [ActiveDir] AdminSDHolder orphans

2006-12-21 Thread Akomolafe, Deji
OK, I'm embarrassed :-s

That was just so lame. I thought the email from Tony was a PM. Oh, well... back 
to hiding from emails :)


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Akomolafe, Deji
Sent: Thu 12/21/2006 6:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolder orphans


Sorry, Tony. I've been away from emails for most of the week. Did you get a 
useful response to your question? If not, does my 2-part AdminSDHolder blog 
(http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx and 
http://www.akomolafe.com/JustSaying/tabid/193/EntryID/20/Default.aspx) help? No?


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Tony Murray
Sent: Mon 12/18/2006 5:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AdminSDHolder orphans


Just wanted to get your opinion on something.

When an object becomes a member of one of the groups protected by the 
AdminSDHolder, the next run of the SDProp thread will:

- Replace the object's security descriptor with that of the AdminSDHolder;
- Disable permissions inheritance on the object;
- Set a new adminCount attribute with a value > 0 on the object.

If the object is then removed from the protected group(s), the changes made by 
the AdminSDHolder are not reversed.  In other words, the adminCount value 
remains the same, as does the security descriptor.

Is it just me or does anyone think this behaviour a little strange?  What I am 
finding in many environments is a large number of these AdminSDHolder 
orphans.  These can arise quite easily, e.g. an account is made a temporary 
member of a privileged group to perform a specific task or someone changes role 
within the organisation.  Of course I realise that in a perfect world these 
scenarios would be minimised by the use of dual accounts for splitting standard 
vs. admin functions, but the reality is that it is all too common.

The AdminSDHolder orphans can cause problems when troubleshooting delegation 
issues.  For example, I came across this issue recently when setting up 
permissions for GAL Sync using IIFP.  I had to tidy up before the sync would 
complete without errors.

Does anyone run a regular cleanup using the script provided in this article (or 
similar)?

http://support.microsoft.com/kb/817433

Do you think the AdminSDHolder behaviour should be changed to clean-up after 
itself?  

Tony 





Sent via the WebMail system at mail.activedir.org


 
   

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
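The orphan hunt Tony describes (accounts still stamped by SDProp but no longer in any protected group) can be automated. The script below is an added example for this archive, not code from the thread or from KB 817433; it assumes the ActiveDirectory PowerShell module (RSAT) and the default list of AdminSDHolder-protected groups, which you should adjust if your forest changes it (for example via dSHeuristics). It reports first and only touches the directory when run with -Remediate, in which case it performs the same two steps the KB script does: clear adminCount and re-enable ACL inheritance.

```powershell
# Added example: report (and optionally clean up) AdminSDHolder orphans.
# Orphan = object with adminCount=1 that is no longer a transitive member of
# any protected group. Run as an account that can read group membership;
# -Remediate additionally needs rights to write adminCount and the ACL.
[CmdletBinding()]
param(
    [switch]$Remediate
)

Import-Module ActiveDirectory

# Assumption: default protected groups on Windows Server 2003 SP1 and later.
# Adjust if dSHeuristics excludes the operator groups in your forest.
$protectedGroupNames = @(
    'Administrators', 'Account Operators', 'Server Operators',
    'Print Operators', 'Backup Operators', 'Replicator',
    'Domain Admins', 'Domain Controllers', 'Read-only Domain Controllers',
    'Schema Admins', 'Enterprise Admins'
)
# Accounts protected directly rather than through a group; never orphans.
$alwaysProtected = @('Administrator', 'krbtgt')

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested
# membership server-side, so one query per group returns all transitive members.
$protectedDns = @{}
foreach ($name in $protectedGroupNames) {
    $group = Get-ADGroup -LDAPFilter "(sAMAccountName=$name)"
    if (-not $group) { continue }   # e.g. Schema/Enterprise Admins exist only in the forest root
    $protectedDns[$group.DistinguishedName] = $true   # the group object itself is protected too
    $filter = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
    Get-ADObject -LDAPFilter $filter |
        ForEach-Object { $protectedDns[$_.DistinguishedName] = $true }
}

# Everything SDProp has ever stamped (users, computers and groups).
$stamped = Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' `
    -Properties adminCount, sAMAccountName, nTSecurityDescriptor

$orphans = foreach ($obj in $stamped) {
    if ($alwaysProtected -contains $obj.sAMAccountName) { continue }
    if ($protectedDns.ContainsKey($obj.DistinguishedName)) { continue }
    [pscustomobject]@{
        SamAccountName      = $obj.sAMAccountName
        DistinguishedName   = $obj.DistinguishedName
        # True when inheritance is still disabled, i.e. delegated ACEs do not apply.
        InheritanceDisabled = $obj.nTSecurityDescriptor.AreAccessRulesProtected
    }
}

$orphans | Format-Table -AutoSize

if ($Remediate) {
    foreach ($o in $orphans) {
        # Step 1: remove the stamp so SDProp ignores the object from now on.
        Set-ADObject -Identity $o.DistinguishedName -Clear adminCount
        # Step 2: re-enable inheritance. $false = stop protecting the DACL,
        # $true = keep the existing explicit ACEs instead of discarding them.
        $acl = Get-Acl -Path "AD:\$($o.DistinguishedName)"
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path "AD:\$($o.DistinguishedName) " -AclObject $acl
    }
}
```

Run it once without -Remediate and read the InheritanceDisabled column: an orphan that still has inheritance disabled is exactly the object that will break delegated permissions such as the GAL Sync case above. Keeping the explicit ACEs when re-enabling inheritance is deliberate; if you would rather have the object pick up only the inherited ACL, pass $false as the second argument and review the result before running it at scale.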


RE: [ActiveDir] Disabling DNS updates for a network interface (for real)

2006-12-16 Thread Akomolafe, Deji
http://support.microsoft.com/default.aspx?scid=kb;KO;275554


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Brian Cline
Sent: Sat 12/16/2006 10:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disabling DNS updates for a network interface (for real)


I've got a third network interface on a DC I'm running at home that acquires a 
DHCP address from a completely separate subnet than the rest of the LAN. Since 
the DC kept updating DNS by adding that IP to its list of dcname.domain.com 
records, I removed the "Register this connection's addresses in DNS" box, but 
the DC still continues to update DNS with that particular address. Is there any 
other method I can use to disable this behavior? I wouldn't mind it so much if 
the other PCs were on that second subnet too, but they are not a part of it and 
thus have trouble connecting to the DC sometimes because of that DNS entry. Any 
ideas are welcome.
Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax
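The symptom Brian describes is a host A record that keeps appearing for an interface whose registration is switched off. The function below is an added example for this archive (not from the thread or from the KB Deji links); it assumes the DnsClient and NetTCPIP modules of Windows 8 / Server 2012 and later, and the host's FQDN as resolved locally. It correlates what DNS currently returns for the host with the per-interface "Register this connection's addresses in DNS" setting and flags records that must be coming from something other than the DNS client's own registration.

```powershell
# Added example: list the A records published for this host and flag those
# belonging to a local interface that is NOT set to register its addresses.
function Get-UnexpectedHostRecords {
    param(
        # Assumption: the host's FQDN; defaults to the local machine's name.
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )

    # Per-interface "Register this connection's addresses in DNS" setting.
    $registerByIndex = @{}
    foreach ($client in Get-DnsClient) {
        $registerByIndex[$client.InterfaceIndex] = $client.RegisterThisConnectionsAddress
    }

    # Map each local IPv4 address to whether its interface should register.
    $addressRegisters = @{}
    foreach ($ip in Get-NetIPAddress -AddressFamily IPv4) {
        $addressRegisters[$ip.IPAddress] = [bool]$registerByIndex[$ip.InterfaceIndex]
    }

    # What DNS says about the host right now, one object per A record.
    Resolve-DnsName -Name $Fqdn -Type A |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object {
            $addr  = $_.IPAddress
            $local = $addressRegisters.ContainsKey($addr)
            [pscustomobject]@{
                Name               = $_.Name
                Address            = $addr
                IsLocalAddress     = $local
                InterfaceRegisters = if ($local) { $addressRegisters[$addr] } else { $null }
                # True = a record the DNS client should not have registered itself.
                Unexpected         = $local -and (-not $addressRegisters[$addr])
            }
        }
}

Get-UnexpectedHostRecords | Format-Table -AutoSize
```

A record flagged Unexpected is one the DNS client's per-adapter setting already excludes, so the next place to look is the other components on a domain controller that register names for it; on a multihomed DC that is where the stray address is coming from, and the KB Deji points to is the starting point for that. Records for addresses that are not local at all (IsLocalAddress false) are stale and worth scavenging separately.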


RE: [ActiveDir] Vista GPO

2006-12-15 Thread Akomolafe, Deji
> People don't seem to have a problem with that concept when it comes to game 
> consoles :)

Bad analogy. Go stand in the corner, no Wii for you :)

When people start running their businesses on game consoles, then you can come 
back and compare. For now, it's just plain incomprehensible that you can't 
manage ADMX from anything but Vista. Yeah, ideally we would want to encourage 
clients to NOT manage things directly from servers, and to ensure that IF they 
are going to introduce Vista, the IT folks' machines should be doing the 
dog-fooding, but realistically, the ideal is always the exception in this 
field. Microsoft should know that. People will insist on managing GPO directly 
from the DCs, best practices be damned.

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Darren Mar-Elia
Sent: Fri 12/15/2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


I hear you Rich. I had a long discussion with someone on the GP newsgroups
who thought that the fact that XP and 2003 couldn't read Vista GP settings
was an abomination and a scandal of the highest order and that MS should be
beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all
be used to the fact that sometimes, you have to adopt the new stuff to get
the new toys. People don't seem to have a problem with that concept when it
comes to game consoles :)

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Sorry, I understand it's different, what I meant was merely that we had
some growing pains like this when XP first came out.  Our practice then
became to use only XP desktops for GP management.  I think there's a
tendency to think this is such a terrible thing, this
backwards-incompatibility, and we might forget that Vista is not new
with this, we had similar issues before.  And who remembers the
teeth-pulling to get people to move to Active Directory??

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, December 15, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

This is actually a little different because if you view a GPO that was
created with Vista, using XP or 2003, none of the ADMX settings can
actually
be read at all, because they are a completely new format that GPEditor
or
GPMC on those older platforms don't understand. In fact, those XP or
2003
will happily copy up the ADMs into the Vista GPO like they used to do,
and
you're back to each GPO storing ADMs in SYSVOL. What I've been
recommending
to folks is that once you introduce Vista desktops into your
environment,
use Vista for all your ongoing GP management. The Vista ADMXs are a
superset
of the latest and greatest ADMs (i.e. they include 2003, XP and Vista
settings) so you can happily manage Vista and non-Vista targeted GP
settings
from a Vista machine.

Darren

Darren Mar-Elia
CTO & Founder
www.sdmsoftware.com
[EMAIL PROTECTED]



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 6:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

You may recall, there was a similar case when XP came out too - if
memory serves, you had to manage XP GPO settings from an XP box - if you
opened them on Win2K, there were problems (I can't recall now exactly
what those problems were... it would corrupt the policy? Lose the
settings?) anyway so there are tons more settings (+ side) and you have
to use Vista for now (- side, sorta).  I wouldn't be too surprised if
they fix that with the next server and XP SP... but I haven't actually
heard that.

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous



RE: [ActiveDir] Vista GPO

2006-12-15 Thread Akomolafe, Deji
I wouldn't put it in those words. But, yeah, I would expect Microsoft to be... 
shall we say...pragmatic, realistic. Something like, enable its customers to 
run their businesses. I mean, refrain from dictating its wishes. You know? 
Because at the end of the day, it is the clueless customers that actually 
write the checks that add up to those billions in the vault.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Laura A. Robinson
Sent: Fri 12/15/2006 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


So Microsoft should encourage their bad practices?

Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 12:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


> People don't seem to have a problem with that concept when it comes to game 
> consoles :)

Bad analogy. Go stand in the corner, no Wii for you :)

When people start running their businesses on game consoles, then you can come 
back and compare. For now, it's just plain incomprehensible that you can't 
manage ADMX from anything but Vista. Yeah, ideally we would want to encourage 
clients to NOT manage things directly from servers, and to ensure that IF they 
are going to introduce Vista, the IT folks' machines should be doing the 
dog-fooding, but realistically, the ideal is always the exception in this 
field. Microsoft should know that. People will insist on managing GPO directly 
from the DCs, best practices be damned.

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Darren Mar-Elia
Sent: Fri 12/15/2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


I hear you Rich. I had a long discussion with someone on the GP newsgroups
who thought that the fact that XP and 2003 couldn't read Vista GP settings
was an abomination and a scandal of the highest order and that MS should be
beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all
be used to the fact that sometimes, you have to adopt the new stuff to get
the new toys. People don't seem to have a problem with that concept when it
comes to game consoles :)

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Sorry, I understand it's different, what I meant was merely that we had
some growing pains like this when XP first came out.  Our practice then
became to use only XP desktops for GP management.  I think there's a
tendency to think this is such a terrible thing, this
backwards-incompatibility, and we might forget that Vista is not new
with this, we had similar issues before.  And who remembers the
teeth-pulling to get people to move to Active Directory??

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, December 15, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

This is actually a little different because if you view a GPO that was
created with Vista, using XP or 2003, none of the ADMX settings can
actually
be read at all, because they are a completely new format that GPEditor
or
GPMC on those older platforms don't understand. In fact, those XP or
2003
will happily copy up the ADMs into the Vista GPO like they used to do,
and
you're back to each GPO storing ADMs in SYSVOL. What I've been
recommending
to folks is that once you introduce Vista desktops into your
environment,
use Vista for all your ongoing GP management. The Vista ADMXs are a
superset
of the latest and greatest ADMs (i.e. they include 2003, XP and Vista
settings) so you can happily manage Vista and non-Vista targeted GP
settings
from a Vista machine.

Darren

RE: [ActiveDir] Vista GPO

2006-12-15 Thread Akomolafe, Deji
I'm sure that you are aware that LH is still many years away from significant 
adoption. We will see several intervening years between LH release and its 
reaching the mainstream. In the meantime, Vista would have become the de-facto 
desktop OS in place of XP (yes, I can dream). So, between now, then and 
when-ever, people will be needlessly handicapped in their ADM/ADMX decision 
making. I foresee a lot of gnashing of the teeth, more griping, beaucoup evil 
M$ rants, and other heart-burn-inducing misunderstandings.

Nobody said it would be non-trivial. If it were, people like me would not need 
people like you.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Darren Mar-Elia
Sent: Fri 12/15/2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


Come on Deji, it's exactly the same, else why in the world do we upgrade 
perfectly good IT systems? :-)
 
Folks can manage their GP from DCs when Longhorn ships. Until then, it's Vista. 
Also, it would be fairly trivial, if not time-consuming, to convert all those 
ADMXs in Vista back to ADMs. There is nothing technically preventing that. But, 
it is not trivial to back-port the other new Vista functionality, like 
published printers, wired policy, the new IPSec and Firewall stuff, back to 
older versions. You wouldn't need to back-port all of it, just enough to support 
GP Editing, but still, it's a lot of work and MS, like most other software 
companies, probably needs to make the hard call about where to put dev and 
testing resources. 
 
I agree that it's not ideal, but I don't think having to manage GP from Vista 
for the intervening space of time until Longhorn ships is a terrible thing. It 
will probably take most orgs that much time to decide when to go to Vista 
anyway. And for the aggressive ones, Vista is not a bad choice for a management 
platform. I think the benefits of the central store and other improvements 
outweigh the medium term inconvenience. 
 
I am curious, however, what others think. 
 
Darren
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO
 
> People don't seem to have a problem with that concept when it comes to game 
> consoles :)
 
Bad analogy. Go stand in the corner, no Wii for you :)
 
When people start running their businesses on game consoles, then you can come 
back and compare. For now, it's just plain incomprehensible that you can't 
manage ADMX from anything but Vista. Yeah, ideally we would want to encourage 
clients to NOT manage things directly from servers, and to ensure that IF they 
are going to introduce Vista, the IT folks' machines should be doing the 
dog-fooding, but realistically, the ideal is always the exception in this 
field. Microsoft should know that. People will insist on managing GPO directly 
from the DCs, best practices be damned.

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon
 



From: Darren Mar-Elia
Sent: Fri 12/15/2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO
I hear you Rich. I had a long discussion with someone on the GP newsgroups
who thought that the fact that XP and 2003 couldn't read Vista GP settings
was an abomination and a scandal of the highest order and that MS should be
beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all
be used to the fact that sometimes, you have to adopt the new stuff to get
the new toys. People don't seem to have a problem with that concept when it
comes to game consoles :)
 
Darren
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO
 
Sorry, I understand it's different, what I meant was merely that we had
some growing pains like this when XP first came out.  Our practice then
became to use only XP desktops for GP management.  I think there's a
tendency to think this is such a terrible thing, this
backwards-incompatibility, and we might forget that Vista is not new
with this, we had similar issues before.  And who remembers the
teeth-pulling to get

RE: [ActiveDir] Vista GPO

2006-12-15 Thread Akomolafe, Deji
Tim,

it is the height of professional arrogance to think that anyone who 
doesn't/can't/won't do things the way you think they should be done (best 
practices) is lazy and uninformed.

I know you said that it is just your opinion, and, if I were like you, I would 
hazard that it is a misinformed opinion. But I won't.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Tim Vander Kooi
Sent: Fri 12/15/2006 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


They won't do it if Microsoft makes it so they CAN'T do it. I feel Microsoft 
should be applauded for forcing admins to do their jobs correctly for a change, 
instead of giving in to the lazy or uninformed amongst us.
Just my opinion,
Tim
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO
 
> People don't seem to have a problem with that concept when it comes to game 
> consoles :)
 
Bad analogy. Go stand in the corner, no Wii for you :)
 
When people start running their businesses on game consoles, then you can come 
back and compare. For now, it's just plain incomprehensible that you can't 
manage ADMX from anything but Vista. Yeah, ideally we would want to encourage 
clients to NOT manage things directly from servers, and to ensure that IF they 
are going to introduce Vista, the IT folks' machines should be doing the 
dog-fooding, but realistically, the ideal is always the exception in this 
field. Microsoft should know that. People will insist on managing GPO directly 
from the DCs, best practices be damned.

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon
 



From: Darren Mar-Elia
Sent: Fri 12/15/2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO
I hear you Rich. I had a long discussion with someone on the GP newsgroups
who thought that the fact that XP and 2003 couldn't read Vista GP settings
was an abomination and a scandal of the highest order and that MS should be
beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all
be used to the fact that sometimes, you have to adopt the new stuff to get
the new toys. People don't seem to have a problem with that concept when it
comes to game consoles :)
 
Darren
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO
 
Sorry, I understand it's different, what I meant was merely that we had
some growing pains like this when XP first came out.  Our practice then
became to use only XP desktops for GP management.  I think there's a
tendency to think this is such a terrible thing, this
backwards-incompatibility, and we might forget that Vista is not new
with this, we had similar issues before.  And who remembers the
teeth-pulling to get people to move to Active Directory??
 
---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous
 
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, December 15, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO
 
This is actually a little different because if you view a GPO that was
created with Vista, using XP or 2003, none of the ADMX settings can
actually
be read at all, because they are a completely new format that GPEditor
or
GPMC on those older platforms don't understand. In fact, those XP or
2003
will happily copy up the ADMs into the Vista GPO like they used to do,
and
you're back to each GPO storing ADMs in SYSVOL. What I've been
recommending
to folks is that once you introduce Vista desktops into your
environment,
use Vista for all your ongoing GP management. The Vista ADMXs are a
superset
of the latest and greatest ADMs (i.e

RE: [ActiveDir] Vista GPO

2006-12-15 Thread Akomolafe, Deji
Know your audience. Know your customers. Know your consumers.

I can't speak to whether or not you pi$$ off your employer, but I can name a 
few of your colleagues in the trenches (because I run into them every now and 
then) who will be more than glad to tell you that there are more that go into a 
client's administrative decision making, technology adoption, PO approval, etc, 
than best practices.

I will not speak to the "security hole" boogey-man that you are floating 
because I don't think you want us veering into that arena. Imagine what it 
would sound like if we start saying that MS is not making ADMX administration 
available on non-Vista/LH platforms because of security issues.

No, you don't want that. So, what you are left with is nothing but Best 
Practices. You want to draw a line because it is the sensible thing to do. 
Well, my logic is that a lot of things make sense in my head and in my labs. 
They just don't translate well in the real brick and mortar life out there. 
People are going to administer their GPOs from their servers for any number of 
reasons. These same people will NOT install LH until RTM+x number of years. 
These people are the ones paying my bills. They are the ones paying yours.

Unless you are actually making the case that MS is aware of some technical 
inhibitions to making ADMX administrable from legacy OSes, there is no 
compelling reason why MS should not factor in HOW its customers use its 
products/technologies when deciding whether or not to make something 
available. It is this unwillingness/reluctance to relate to the real world and 
to insist on a set of prescriptive mandates that continues to hurt MS in many 
places.

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Laura A. Robinson
Sent: Fri 12/15/2006 11:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


And it's the clueful customers who (rightly) become angry when something in a 
product that exists purely for backward compatibility opens a security hole. 
Now, I'm not saying that all security holes are due to backward compatibility, 
and I'm not saying that every bit of code that comes out of Redmond is perfect. 
However, I have said for years that many of the things that people don't like 
about Microsoft's products are the result of backward compatibility, not bad 
coding or a lack of consideration on the part of Microsoft's programmers. As 
somebody else (Darren? Richard?) said, there is a point where a line has to be 
drawn in the sand. I personally don't see anything dictatorial about requiring 
a Vista+ machine to edit *VISTA* policies. I mean, seriously, if you're writing 
Vista GPOs, that would imply that you're using Vista machines, and if you're 
using Vista machines, what is the issue with using one of those Vista machines 
as your editing workstation? I think that that *IS* a very pragmatic, realistic 
approach.

Sorry, I just don't follow your logic on this one.

That said, my opinions are purely my own, do not represent those of my 
employer, are not intended to represent those of my employer and for all I 
know, may even pi$$ off my employer. :-)

Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


I wouldn't put it in those words. But, yeah, I would expect Microsoft to be... 
shall we say...pragmatic, realistic. Something like, enable its customers to 
run their businesses. I mean, refrain from dictating its wishes. You know? 
Because at the end of the day, it is the clueless customers that actually 
write the checks that add up to those billions in the vault.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Laura A. Robinson
Sent: Fri 12/15/2006 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


So Microsoft should encourage their bad practices?

Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 12:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


> People don't seem to have a problem with that concept when it comes to game 
> consoles

RE: [ActiveDir] Vista GPO

2006-12-15 Thread Akomolafe, Deji
Did I actually say that clueless folks are writing you checks? Or are you 
projecting? That those who write you checks but don't/can't/won't do things 
the right way (according to you) are clueless, and you don't like their 
checks?


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Laura A. Robinson
Sent: Fri 12/15/2006 12:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


BTW, I would disagree with your assessment of Microsoft's customer base. I work 
in Microsoft's largest district, with our largest customers, and I find them 
far from clueless. I also find very few clueless folks writing us checks that 
add up to those billions in the vault. 

Do I run into misinformed people? Absolutely. Clueless? Not really. Well, not 
among my customers, anyway. :-)

Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, December 15, 2006 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


And it's the clueful customers who (rightly) become angry when something in a 
product that exists purely for backward compatibility opens a security hole. 
Now, I'm not saying that all security holes are due to backward compatibility, 
and I'm not saying that every bit of code that comes out of Redmond is perfect. 
However, I have said for years that many of the things that people don't like 
about Microsoft's products are the result of backward compatibility, not bad 
coding or a lack of consideration on the part of Microsoft's programmers. As 
somebody else (Darren? Richard?) said, there is a point where a line has to be 
drawn in the sand. I personally don't see anything dictatorial about requiring 
a Vista+ machine to edit *VISTA* policies. I mean, seriously, if you're writing 
Vista GPOs, that would imply that you're using Vista machines, and if you're 
using Vista machines, what is the issue with using one of those Vista machines 
as your editing workstation? I think that that *IS* a very pragmatic, realistic 
approach.

Sorry, I just don't follow your logic on this one.

That said, my opinions are purely my own, do not represent those of my 
employer, are not intended to represent those of my employer and for all I 
know, may even pi$$ off my employer. :-)

Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


I wouldn't put it in those words. But, yeah, I would expect Microsoft to be... 
shall we say...pragmatic, realistic. Something like, enable its customers to 
run their businesses. I mean, refrain from dictating its wishes. You know? 
Because at the end of the day, it is the clueless customers that actually 
write the checks that add up to those billions in the vault.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Laura A. Robinson
Sent: Fri 12/15/2006 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


So Microsoft should encourage their bad practices?

Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 12:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


> People don't seem to have a problem with that concept when it comes to game 
> consoles :)

Bad analogy. Go stand in the corner, no Wii for you :)

When people start running their businesses on game consoles, then you can come 
back and compare. For now, it's just plain incomprehensible that you can't 
manage ADMX from anything but Vista. Yeah, ideally we would want to encourage 
clients to NOT manage things directly from servers, and to ensure that IF they 
are going to introduce Vista, the IT folks' machines should be doing the 
dog-fooding, but realistically, the ideal is always the exception in this 
field. Microsoft should know that. People will insist on managing GPO directly 
from the DCs, best practices be damned.

Sincerely

RE: [ActiveDir] Vista GPO

2006-12-15 Thread Akomolafe, Deji
Again, you are projecting. I don't call MS customers clueless. Why? Because I 
don't believe they are.

Now, will I sometimes call some MS people arrogant? It depends. Will I take 
offence if someone thinks I lack exposure to sophisticated IT environments? 
No, Never. Why? Probably because I move around a lot in the real world, and 
sophisticated IT environments are very hard to come by. I've read and heard 
that there are plenty of them in silos. I just haven't seen enough of them to 
convince me that they come close to the number of unevolved IT environments I deal 
with on a regular basis.

Come to think of it, I have a bunch of MS technical and marketing materials 
that speak to how much technical, financial and marketing effort MS is going to 
expend this year and next getting a whopping 60% of its customer-base to the 
Rationalized stage of optimization. Mind you, they are not shooting for 
Dynamic. Certainly not Sophisticated. So, yeah, there are more of us than 
there are of you out there, so you better start factoring us in when you make 
decisions that affect how we do things.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Laura A. Robinson
Sent: Fri 12/15/2006 1:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


Since many of us are in the habit of expressing various opinions, perhaps we 
should refrain from characterizing those with which we disagree as the height 
of professional arrogance and misinformed. See, if we start doing that, I 
might express the opinion that referring to Microsoft's customers as clueless 
and insisting that Microsoft should accommodate cluelessness at the expense 
of new product development, security and code review (which is exactly what the 
expense is to devote resources to doing nothing but backporting new features) 
is the height of professional inexperience, myopia and lack of exposure to 
sophisticated IT environments.

But I won't.

:-)

Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


Tim,

It is the height of professional arrogance to think that anyone who 
doesn't/can't/won't do things the way you think they should be done (best 
practices) is lazy and uninformed.

I know you said that it is just your opinion, and, if I were like you, I would 
hazard that it is a misinformed opinion. But I won't.


Sincerely, 



From: Tim Vander Kooi
Sent: Fri 12/15/2006 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO


They won't do it if Microsoft makes it so they CAN'T do it. I feel Microsoft 
should be applauded for forcing admins to do their jobs correctly for a change, 
instead of giving in to the lazy or uninformed amongst us.
Just my opinion,
Tim
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO
 
> People don't seem to have a problem with that concept when it comes to game 
> consoles :)
 
Bad analogy. Go stand in the corner, no wii for you :)
 
When people start running their businesses on game consoles, then you can come 
back and compare. For now, it's just plain incomprehensible that you can't 
manage ADMX from anything but Vista. Yeah, ideally we would want to encourage 
clients to NOT manage things directly from servers, and to ensure that IF they 
are going to introduce Vista, the IT folks' machines should be doing the 
dog-fooding, but realistically, the ideal is always the exception in this 
field. Microsoft should know that. People will insist on managing GPO directly 
from the DCs, best practices be damned.

Sincerely, 
 



From

RE: [ActiveDir] Object picker weirdness

2006-12-14 Thread Akomolafe, Deji

Because the problem is confined to W2K3 boxen only.


Sincerely, 



From: Tom Kern
Sent: Thu 12/14/2006 3:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Object picker weirdness


Thanks alot! That helped.


I wonder why it worked from my XP box?


Thanks again

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Strange DNS problem. How to troubleshoot

2006-12-13 Thread Akomolafe, Deji
convert the zone from AD-intg to Primary. The zone should be written to 
system32\dns folder after that. Once you have the file, you can go back and 
convert the zone to AD-intg again.

Another option is to use dnscmd to dump the zone info to file. You can use 
/enumrecords or /zoneprint, depending on what you want to do with the file.


Sincerely, 



From: Ramon Linan
Sent: Wed 12/13/2006 7:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange DNS problem. How to troubleshoot


Hi,

Thanks for your reply. I was in panic mode yesterday and sent this email before 
doing more in-depth troubleshooting myself. It turns out that the problem was in 
the NASA DNS server: they were delegating the subdomain to another DNS server, 
but they had the delegation wrongly configured :(

Thanks anyway.

My DNS is AD integrated. I thought a file was written and that you could 
actually modify the DNS config by editing those files, like in Linux. I was 
wrong, I guess. Is there a way to force that file to be written?

Thanks




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, December 13, 2006 9:00 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange DNS problem. How to troubleshoot


For starters, what version of Windows Server are you using?  Is it fully 
patched? 
What's in the event logs (system, application, and dns event logs) 
before/during/after the dns server goes wonky [1]? 

Is this AD-Integrated DNS?  If so, no dns files are going to be written out. If 
so, they'll be in the directory specified in the properties of the server. 

What is your DNS topology? Is this server authoritative for nasa.gov? Is it a 
forwarder? stub zone? ??

I'm sure there's more, but that's a great place to start. 



[1] Is that the correct use of the term?  If not, please correct me so I don't 
make that gaffe again. 


On 12/12/06, Ramon Linan mailto:[EMAIL PROTECTED] wrote: 
Hi,

I am having a problem with DNS.

I have a few users that connect to computers at NASA.

Every now and then our DNS server here stops resolving certain machines in the 
domains machine.subdomain.nasa.gov

I have run nslookups asking for those machines against different DNS servers; my 
DNS doesn't resolve them, but other DNS servers are resolving fine. I have also 
used the online tool dnsstuff.com and that one resolves them too.

Last time I solved the problem by restarting the DNS server service on the 
servers; another time I cleared the cache and updated the server data files and 
that was enough.

Any tips on how I should start troubleshooting this?

Also, a separate question: I saw once that Windows DNS server keeps all the 
config in a file, like Linux/UNIX. Where is that file located?


Thanks in advance

Rezuma


RE: [ActiveDir] Object picker weirdness

2006-12-13 Thread Akomolafe, Deji

http://support.microsoft.com/default.aspx/kb/829756


Sincerely, 



From: Tom Kern
Sent: Wed 12/13/2006 7:07 PM
To: activedirectory
Subject: [ActiveDir] Object picker weirdness


I have this strange issue where when I'm updating the managedBy
attribute of a group with another group.

From a WinXP SP2 box running ADUC, in the object picker when I click
Object Types..., I check off Group, and everything is golden.

From a Win2k3 SP1 box running Exchange 2k3, when I select Object
Types... in ADUC, the only options I have are User and Contact.
There is no Group option.

Same MMC version on both boxes.

Is this some known issue I'm butting my head up against?


Thanks


RE: [ActiveDir] Way OT: Laptop Battery Life

2006-12-12 Thread Akomolafe, Deji
Lithium batteries are resilient to the charge/discharge issues associated with 
earlier batteries. Generally, you want to replace batteries after about 18 
months, because that's when depreciation sets in.


Sincerely, 



From: Brian Desmond
Sent: Tue 12/12/2006 7:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Way OT: Laptop Battery Life


I have this model too. Kill the Wifi and Bluetooth for starters. Wifi is Fn+F2 
I think. 
 
Next, get a media bay battery from Dell - it can give you several (up to 4) 
more hours in my experience.
 
I go through batteries pretty quickly - I think I killed the media bay battery 
(or at least met its half life) in about 6 months. A combination of desk work 
and being mobile does this because of the uneven discharge/charge cycles. You 
can either be really meticulous about taking care of the batteries or start 
hitting your IT department up for new ones. 
 
Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, December 12, 2006 10:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Way OT: Laptop Battery Life
 
Hi -
 
When I travel with my standard issue Dell D600 (1.5GB RAM), I get maybe two 
hours out of a fully charged battery while doing standard Word, Excel, Outlook 
stuff. Throw in Visio or (ugh) Quickbooks and cut that time in half. Sometimes, 
I try to disable services that I know I will not need on the plane (does 
antivirus really need to autoprotect on the plane?), but I can't tell you that 
this actually gives me any more battery.
 
Any recommendations for battery-life extending tricks, tools, services to 
disable, etc? Greatly appreciated as I head across the country for the late 
December boogie. 
 
Thanks.
 
-- nme
 
 


RE: [ActiveDir] can not browse the internet after dcpromo

2006-12-11 Thread Akomolafe, Deji
http://support.microsoft.com/kb/300202

Pay attention to the part that says To Remove the Root DNS Zone

Then look at the part that says: To Configure Forwarders. You only NEED to do 
this part IF your ISP is blocking you from running DNS on their network. In 
that case, you will point your DNS server to your ISP's DNS servers for 
forwarding as described here.


Sincerely, 



From: John
Sent: Mon 12/11/2006 8:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] can not browse the internet after dcpromo


Hi,

The internet is not working after a successful DCPROMO. This is a secondary DNS 
server. What are the things I need to check to troubleshoot the problem?

Any suggestion is highly appreciated.

Thanks.
John



RE: [ActiveDir] Join a Domain

2006-12-11 Thread Akomolafe, Deji
John,

now that your DNS is working on the server, you need to make sure that your 
clients are using ONLY this server as their DNS server.

Reconfigure your clients' Primary DNS server entries in TCP/IP configuration 
to have the IP address of your DNS server. Remove any other IP address that you 
find in the DNS configuration. IF you are using DHCP, you need to change your 
scope configuration to now have ONLY this server as the DNS server.


Sincerely, 



From: John
Sent: Mon 12/11/2006 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Join a Domain


There was an error on one of my client machines when joining a domain. Below is the error:

An error occurred when DNS was queried for the service location (SRV) resource 
record used to locate a domain controller for domain 
server-2.blackstallions.com.sa.
The error was: No records found for given DNS query.
(error code 0x251D DNS_INFO_NO_RECORDS)
The query was for the SRV record for 
_ldap._tcp.dc._msdcs.server-2.blackstallions.com.sa

What does this SRV record mean? Is there something I need to re-configure on 
the server? 

Let me know expert.
Thanks.
John





RE: [ActiveDir] Join a Domain

2006-12-11 Thread Akomolafe, Deji

Yes, father :)


Sincerely, 



From: Al Mulnick
Sent: Mon 12/11/2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Join a Domain


Sounds like this is a carry over from another thread then? 





RE: [ActiveDir] no dns servers

2006-12-10 Thread Akomolafe, Deji
Do you have another DNS server? If yes, then configure the problematic server 
to use this other DNS server (in TCP/IP configuration). If no, then remove and 
reinstall DNS.


Sincerely, 



From: John
Sent: Sun 12/10/2006 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] no dns servers


Hi,

Thanks for your quick reply. It seems I am still having an error with the DNS 
test. DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.blackstallions.com.
sa. re-registeration on DNS server '10.0.0.6' failed. 

Below are the detailed copy-pasted messages from my DNS server.

Do you have any recommendation on what I need to check further?

Thanks again.

John


C:\Program Files\Support Tools>netdiag /fix
..
Computer Name: SERVER-2
DNS Host Name: Server-2.blackstallions.com.sa
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 15 Model 1 Stepping 2, GenuineIntel
List of installed hotfixes :
KB810217
KB823182
KB825119
KB826232
KB828035
KB841872
Q147222
Q311967
Q313450
Q318138
Q320206
q323172
Q323255
Q326830
Q326886
Q329115
Q329170
Q329834
Q810833
Q84
Q811630
Q814033
Q816093

Netcard queries test . . . . . . . : Passed

Per interface results:
Adapter : Local Area Connection 2
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : Server-2
IP Address . . . . . . . . : 10.0.0.6
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 10.0.0.138
Dns Servers. . . . . . . . : 10.0.0.6

AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
No remote names have been found.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{C8E2682E-1F11-43C0-9F7E-DA4402F67D20}
1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Failed
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.blackstallions.com.
sa. re-registeration on DNS server '10.0.0.6' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._
sites.dc._msdcs.blackstallions.com.sa. re-registeration on DNS server '10.0.0.6'
 failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry blackstallions.com.sa. re-registeration
on DNS server '10.0.0.6' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.blackstallions.com.sa. re-reg
isteration on DNS server '10.0.0.6' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._site
s.blackstallions.com.sa. re-registeration on DNS server '10.0.0.6' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.pdc._msdcs.blackstallions.com
.sa. re-registeration on DNS server '10.0.0.6' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._site
s.gc._msdcs.blackstallions.com.sa. re-registeration on DNS server '10.0.0.6' fai
led.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.29caf58f-680d-4c54-be26-085bf
3c39cf2.domains._msdcs.blackstallions.com.sa. re-registeration on DNS server '10
.0.0.6' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry gc._msdcs.blackstallions.com.sa. re-regi
steration on DNS server '10.0.0.6' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
[FATAL] Failed to fix: DC DNS entry 174e43f3-2ad3-492f-a2c0-4f27283d7dc2._ms
dcs.blackstallions.com.sa. re-registeration on DNS server '10.0.0.6' failed.
DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED

RE: [ActiveDir] no dns servers

2006-12-10 Thread Akomolafe, Deji
Is your Alcatel router also a DNS server? If yes, does it support SRV resource 
records as well as dynamic registration? If yes, then yes, you can use its IP 
address as the Primary DNS server of this problematic DC.

Is this a new DC/Domain? If yes, I highly recommend that you start over by 
following Daniel's helpful step-by-step here: 
http://www.petri.co.il/how_to_install_active_directory_on_windows_2003.htm


For DNS support of AD, see: 
http://technet2.microsoft.com/WindowsServer/en/library/9d62e91d-75c3-4a77-ae93-a8804e9ff2a11033.mspx?mfr=true


Sincerely, 



From: John
Sent: Sun 12/10/2006 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] no dns servers


Yes, we have another DNS server defined directly on our ALCATEL router. So then 
how do I configure the other DNS server (in TCP/IP configuration)? Sorry, I am a 
newbie on this service.

Also, I already removed and reinstalled the DNS, however no luck. The same 
problem.

John



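An added example, not from this thread or any of its posters: a stdlib-only Python lookup of the `_ldap._tcp.dc._msdcs.<domain>` SRV record that John's domain join was querying (the "Join a Domain" thread above), exercised here against constructed replies rather than a live server, with the transaction-id check a client should make and the RCODE table in which RCODE 4 (NOTIMP) is the code netdiag reports as DNS_ERROR_RCODE_NOT_IMPLEMENTED. The function names `lookup_dc_srv`, `sample_dc_srv_response` and `sample_notimp_response` are my own.

```python
import os
import socket
import struct

TYPE_SRV, CLASS_IN = 33, 1
# RCODE 4 (NOTIMP) is what netdiag surfaces as DNS_ERROR_RCODE_NOT_IMPLEMENTED:
# the server received a request kind (here, a dynamic update) it does not implement.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}

def dc_locator_name(domain):
    """The record a domain-join client asks for: _ldap._tcp.dc._msdcs.<domain>."""
    return "_ldap._tcp.dc._msdcs." + domain.strip(".")

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root terminator."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_srv_query(name, txid):
    """Standard query (opcode 0) with RD set, one question, type SRV class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_SRV, CLASS_IN)

def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_srv_response(msg, expected_txid=None):
    """Return (rcode name, [(priority, weight, port, target), ...])."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")  # drop off-path spoofed replies
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_SRV and rclass == CLASS_IN:
            prio, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = decode_name(msg, offset + 6)
            answers.append((prio, weight, port, target))
        offset += rdlen
    return RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)), answers

def lookup_dc_srv(domain, server, timeout=3.0):
    """Ask `server` over UDP/53 for the DC locator record (needs the network)."""
    txid = int.from_bytes(os.urandom(2), "big")  # unpredictable id per query
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_srv_query(dc_locator_name(domain), txid), (server, 53))
        raw, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_srv_response(raw, expected_txid=txid)

def sample_dc_srv_response(txid=0x1234):
    """Constructed (not captured) reply: one SRV answer whose target name uses a
    compression pointer back to the domain labels inside the echoed question."""
    qname = dc_locator_name("blackstallions.com.sa")
    question = encode_name(qname) + struct.pack("!HH", TYPE_SRV, CLASS_IN)
    suffix_at = 12 + len(encode_name("_ldap._tcp.dc._msdcs")) - 1  # domain labels
    rdata = struct.pack("!HHH", 0, 100, 389) + b"\x08server-2" + struct.pack("!H", 0xC000 | suffix_at)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer

def sample_notimp_response(txid=0x1234):
    """Constructed reply from a server that does not implement the request: RCODE 4."""
    question = encode_name(dc_locator_name("blackstallions.com.sa")) + struct.pack("!HH", TYPE_SRV, CLASS_IN)
    return struct.pack("!HHHHHH", txid, 0x8184, 1, 0, 0, 0) + question
```

A client that only ever receives NOTIMP or an empty answer for this name from its configured resolver is talking to a server that cannot serve the AD records, which is why the DC's own DNS must be the only entry in the clients' TCP/IP settings.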
RE: [ActiveDir] _msdcs not propagated in AXFR

2006-12-01 Thread Akomolafe, Deji
Seen this? http://support.microsoft.com/kb/817470


Sincerely, 



From: Michael B Allen
Sent: Fri 12/1/2006 9:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] _msdcs not propagated in AXFR


Does anyone know why the _msdcs records are not returned in an AXFR DNS
query? This means that slave zones will not have those records and that
software querying for a domain controller may not find one.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


RE: [ActiveDir] Selective auth, allowed to auth right, group policy

2006-11-27 Thread Akomolafe, Deji
http://technet2.microsoft.com/WindowsServer/en/library/b4d96434-0fde-4370-bd29-39e4b3cc7da81033.mspx?mfr=true

You owe me a beer for making me do your google :)


Sincerely, 



From: Charlie Kaiser
Sent: Mon 11/27/2006 5:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Selective auth, allowed to auth right, group policy


I have to add the allowed to auth right to a large number of
workstations so that workstation admins from another domain can access
them. Instead of adding that right to each computer object, is there a
way to do it with group policy at the OU level? I haven't been able to
find it. It's a painful manual process.

We're using a selective auth external trust between forests. For other
reasons, we can't set up a normal trust.

Thanks...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
** 


RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread Akomolafe, Deji
Neil,

You responded to the thread where Steve already corrected himself. Read the doc 
you cited again. Only the EDC membership changes during the process you 
described. EDC itself is NOT created at this point. It is merely made a member 
of the newly-created Windows Authorization Access group.


Sincerely, 



From: [EMAIL PROTECTED]
Sent: Wed 11/22/2006 1:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


I believe SteveL may have already suggested that this group is only
available post w2k, and only after the PDC in the domain has been
upgraded. Further info here:
http://technet2.microsoft.com/WindowsServer/en/library/08eb226b-0192-4c05-b919-c9311bafae351033.mspx?mfr=true

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 22 November 2006 05:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Hi there,

I finally found out where this group was... it is available from Windows
2000 AD onwards and is found at CN=Enterprise Domain
Controllers,CN=WellKnown Security
Principals,CN=Configuration,DC=x,DC=x,DC=x. It's not viewable/searchable
under ADUC even with advanced features turned on, but you can use it to
apply security on an AD object.

Cheers everyone for your assistance...  ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: Steve Linehan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 22/11/2006 03:33 p.m.
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Sorry, read and responded to this too fast. You should have an Enterprise
Domain Controllers group; however, it becomes a member of the Windows
Authorization Access group after the PDC upgrade.  You will be missing
some of the other Groups and Security Principals listed in that section
until the PDC is upgraded.

Thanks,

-Steve


From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of Steve Linehan
[EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

You have to upgrade or install one of the servers in each domain to
Windows Server 2003 and then transfer the PDC Emulator role to the
upgraded or added Windows Server 2003 box.  When a Windows Server 2003
box takes over the PDC Emulator FSMO role it will create these new
security principals.
This is documented under the section titled Windows Server 2003 Well
Known Security Principals in the following link:
http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx

Thanks,

-Steve


From: [EMAIL PROTECTED]
[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers group missing...

- We recently upgraded the schema in one forest from Windows 2000 to
Windows 2003.

- We now receive the following error when trying to access group
policies, The Enterprise Domain Controllers group does not have read
access to this GPO. The Enterprise 

RE: [ActiveDir] DNS Scavenging - new issue

2006-11-22 Thread Akomolafe, Deji
Since someone has already taken the time to address this, I will simply refer 
you to 
http://searchwincomputing.techtarget.com/tip/0,289483,sid68_gci1040355,00.html

If you still have questions after that, then ask away.

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Gordon Pegue
Sent: Wed 11/22/2006 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Scavenging - new issue


The recent thread on DNS scavenging was interesting and
informative. It has led me to investigate my own DNS
scavenging issue and I'd appreciate some assistance with
figuring out how to resolve it.

I manage a single domain with a mixture of 2 - Win2K & 3 - Win2K3
servers. My 2 DC's are on Win2K boxes, I have
one Win2K3 server running Exchange 2K3 and the other 2
Win2K3 servers are basically file servers at this point
although we plan on promoting one to a DC in the near
future and retiring one of the Win2K DC's.

My DNS is AD integrated.

My issue involves the issue of old, stale DNS RR's not
being properly scavenged and even though I've read some
of the documents linked in the previous thread, I'm still
a bit uncertain how to rectify my issue without totally
botching things - I'm a bit of a newbie...

Anyhow, I examine the contents of my Reverse Lookup Zone
and I find 2 Name entries for the same machine name. If I
examine the properties of each, I see, for example, that
the Record Time Stamp for one is 6-6-05 and 11-21-06 for
the other. Checking DHCP shows that the IP address for the
11-21-06 entry is the active one.

When I check the Aging settings for the zone, I see that the
No-refresh interval is set to 7 hours, the Refresh interval
is set to 7 days and the Scavenge stale RR check box is checked.

OK so far, me thinks.

When I check the properties for the DNS server, under the
Advanced tab, the Enable automatic scavenging of stale records
check box is _not_ checked.

My first question: Should it be checked?
My second question: Are there any negative consequences to doing so?

Next, when I right-click the DNS server and click Set Aging/
Scavenging for All Zones, I see that the No-refresh interval is
set to 7 days, the Refresh interval is also set to 7 days and
the Scavenge stale RR check box is _not_ checked.

My third question: As opposed to my previous 2 questions, is this
where I should be enabling scavenging?

My final question: Once the scavenging has been properly enabled,
will the really stale RR records be removed?


TIA
Gordon Pegue
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
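The aging rule behind Gordon's questions, as an added example (not from the list thread or from any Microsoft tool): a dynamic record becomes scavengeable only once its timestamp plus the no-refresh and refresh intervals has passed, the zone must allow scavenging, and a server only runs the pass when its own "Enable automatic scavenging of stale records" option is on. The two PTR timestamps mirror the post; the owner names, PTR targets and the "now" value are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class DnsRecord:
    owner: str                      # record owner name
    data: str                       # RDATA, here the PTR target
    timestamp: Optional[datetime]   # aging timestamp; None models 0 = static, never aged


@dataclass
class ZoneAging:
    scavenge_stale: bool            # zone property "Scavenge stale resource records"
    no_refresh: timedelta           # refresh attempts are refused during this window
    refresh: timedelta              # the record may be refreshed during this window


def scavenge_eligible_at(rec: DnsRecord, zone: ZoneAging) -> Optional[datetime]:
    """Earliest moment the record can be scavenged, or None if it never can be.

    A dynamic record's timestamp is only rewritten when a refresh arrives after
    the no-refresh window; once no-refresh + refresh have both elapsed with no
    refresh at all, the record counts as stale.
    """
    if rec.timestamp is None or not zone.scavenge_stale:
        return None
    return rec.timestamp + zone.no_refresh + zone.refresh


def stale_records(records: List[DnsRecord], zone: ZoneAging,
                  server_scavenging_enabled: bool, now: datetime) -> List[DnsRecord]:
    """Records a scavenging pass run at 'now' would delete.

    The zone setting only marks records as *allowed* to be scavenged; the
    server-level "Enable automatic scavenging of stale records" is what makes
    a server actually run the pass, so with it unchecked nothing is removed.
    """
    if not server_scavenging_enabled:
        return []
    stale = []
    for rec in records:
        eligible = scavenge_eligible_at(rec, zone)
        if eligible is not None and eligible <= now:
            stale.append(rec)
    return stale


# Zone settings as described in the post: 7-hour no-refresh, 7-day refresh,
# "Scavenge stale resource records" checked.
ZONE = ZoneAging(scavenge_stale=True,
                 no_refresh=timedelta(hours=7), refresh=timedelta(days=7))

# Constructed reverse-zone records modelled on the symptom in the post: the same
# host has two PTRs, one from an old lease (6-6-05) and the current one
# (11-21-06), plus a static record (timestamp 0 in DNS, None here).
RECORDS = [
    DnsRecord("5.0.0.10.in-addr.arpa", "ws01.corp.example.", datetime(2005, 6, 6)),
    DnsRecord("42.0.0.10.in-addr.arpa", "ws01.corp.example.", datetime(2006, 11, 21)),
    DnsRecord("1.0.0.10.in-addr.arpa", "dc01.corp.example.", None),
]

NOW = datetime(2006, 11, 22, 9, 0)   # constructed: roughly when the post was written


def report(server_scavenging_enabled: bool) -> List[str]:
    """Owner names that would be removed with the given server-level setting."""
    return [r.owner for r in stale_records(RECORDS, ZONE, server_scavenging_enabled, NOW)]


if __name__ == "__main__":
    for rec in RECORDS:
        print(rec.owner, "eligible from", scavenge_eligible_at(rec, ZONE))
    print("server scavenging off:", report(False))
    print("server scavenging on: ", report(True))
```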


RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Akomolafe, Deji
> I can confirm we do not have an Enterprise Domain Controllers group in any
> of the domains.

Really? How did you confirm that? In ADUC (with Advanced Features enabled in 
View) and doing a custom search for enterprise, simply looking in the 
Foreign Security Principals containers?





From: [EMAIL PROTECTED]
Sent: Tue 11/21/2006 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers group missing...


- We recently upgraded the schema in one forest from Windows 2000 to
Windows 2003.

- We now receive the following error when trying to access group policies:
"The Enterprise Domain Controllers group does not have read access to this
GPO. The Enterprise Domain Controllers group must have read access on all
GPO's in the domain in order for Group Policy Modelling to function
properly. To learn more about this issue and how you can correct it, click
Help."

- I can confirm we do not have an Enterprise Domain Controllers group in
any of the domains.

- I have found the following article
http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true
which shows how to fix the GPO issue using
GrantPermissionOnAllGPOs.wsf...but this assumes we actually have the
group "Enterprise Domain Controllers" available. From further reading I
see this group has a specific SID of S-1-5-9 so I can not simply create a
new group.

- Does anyone have any idea how the group Enterprise Domain Controllers
can be recreated with the correct SID of S-1-5-9 so that we can run the
script GrantPermissionOnAllGPOs.wsf to fix the group policy problem?

Thanks in advance,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

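To show why a group with SID S-1-5-9 cannot be recreated by hand, here is an added example (not from the thread) that decodes the binary objectSid layout and separates fixed well-known SIDs from the SIDs a domain issues under S-1-5-21-<domain>-<RID>; any group you create gets one of the latter, which is why the thread's script can only reference the well-known principal. The S-1-5-21 domain value in the test data is constructed.

```python
import struct
from typing import Tuple

# Well-known SIDs relevant to the thread; these values are fixed in every forest
# and live under CN=WellKnown Security Principals, not in a domain partition.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
}


def sid_to_string(blob: bytes) -> str:
    """Decode the binary SID layout used by objectSid: revision (1 byte),
    sub-authority count (1 byte), 48-bit big-endian identifier authority,
    then 32-bit little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; validates the textual form."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string: %r" % text)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID out of range: %r" % text)
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def classify(sid: str) -> Tuple[str, str]:
    """Tell a fixed well-known SID apart from one issued by a domain."""
    if sid in WELL_KNOWN:
        return ("well-known", WELL_KNOWN[sid])
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        domain_sid = "-".join(parts[:7])
        rid = int(parts[7])
        # RIDs below 1000 are reserved for built-in accounts and groups such as
        # Domain Admins (512); everything a DC allocates starts at 1000.
        kind = "built-in RID" if rid < 1000 else "allocated RID"
        return ("domain", "%s %d under %s" % (kind, rid, domain_sid))
    return ("other", sid)


if __name__ == "__main__":
    # Constructed objectSid bytes for S-1-5-9 and a made-up domain group SID.
    edc = bytes([1, 1, 0, 0, 0, 0, 0, 5, 9, 0, 0, 0])
    for text in (sid_to_string(edc), "S-1-5-21-1111111111-2222222222-3333333333-1105"):
        print(text, "->", classify(text))
```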


RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Akomolafe, Deji
Well then, someone fat-fingered it. Run forestprep again, and if that doesn't 
work, it's time to talk to the likes of Steve in private :)





From: [EMAIL PROTECTED]
Sent: Tue 11/21/2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


;-) yip, sure did.. sorry, I should have elaborated further

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/




RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Akomolafe, Deji
> It's not viewable/searchable under ADUC even with advanced features turned
> on

That is an incorrect statement.




From: [EMAIL PROTECTED]
Sent: Tue 11/21/2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Hi there,

I finally found out where this group was...it is available from Windows
2000 AD forwards and is found at
CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,CN=Configuration,DC=x,DC=x,DC=x.
It's not viewable/searchable under ADUC even with advanced features turned
on but you can use it to apply security on an AD object.

Cheers everyone for your assistance...  ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: Steve Linehan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 22/11/2006 03:33 p.m.
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Sorry, read and responded to this too fast. You should have an Enterprise
Domain Controllers group; however, it becomes a member of the Windows
Authorization Access group after the PDC upgrade.  You will be missing
some of the other Groups and Security Principals listed in that section
until the PDC is upgraded.

Thanks,

-Steve


From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Steve Linehan [EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

You have to upgrade or install one of the servers in each domain to Windows
Server 2003 and then transfer the PDC Emulator role to the upgraded or
added Windows Server 2003 box.  When a Windows Server 2003 box takes over
the PDC Emulator FSMO role it will create these new security principals.
This is documented under the section titled Windows Server 2003 Well Known
Security Principals in the following link:
http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx
.

Thanks,

-Steve


From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers group missing...

- We recently upgraded the schema in one forest from Windows 2000 to
Windows 2003.

- We now receive the following error when trying to access group policies:
"The Enterprise Domain Controllers group does not have read access to this
GPO. The Enterprise Domain Controllers group must have read access on all
GPO's in the domain in order for Group Policy Modelling to function
properly. To learn more about this issue and how you can correct it, click
Help."

- I can confirm we do not have an Enterprise Domain Controllers group in
any of the domains.

- I have found the following article
http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true
which shows how to fix the GPO issue using

RE: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-21 Thread Akomolafe, Deji
I already did. But since you missed this, how about 
http://www.akomolafe.com/Portals/1/EDC.jpeg?





From: [EMAIL PROTECTED]
Sent: Tue 11/21/2006 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...


Then correct it so people can learn rather than simply point out that it's
wrong, which really gets no one anywhere...

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/




RE: [ActiveDir] Kerberos is Killing Me!

2006-11-17 Thread Akomolafe, Deji
> I know there's a really good how-to out there somewhere on using NTDSUTIL
> for this purpose

Talking about this http://www.akomolafe.com/Portals/1/Docs/xferfsmos.htm? :-p





From: Laura A. Robinson
Sent: Thu 11/16/2006 11:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos is Killing Me!


You can leave the IP the same. If the demotion fails or goes awry in some 
respect, you may have to do some metadata cleanup in addition to the DNS 
cleanup (which I'm guessing is what Deji meant by AD/DNS/Sites, but just in 
case...). Given the, um, quirkiness of this environment, I suspect you may have 
a difficult demotion ahead. I assume you've done metadata cleanup before? If 
not, feel free to post, or just spend a lot of time typing ? at the ntdsutil 
prompts. I know there's a really good how-to out there somewhere on using 
NTDSUTIL for this purpose, but to be honest, I'm pooped and I have to be up 
early to talk NAP with one customer and convince another that Volume License 
Activation isn't Evil Empire Voodoo designed to suck all of the money out of 
their bank accounts. Otherwise, I'd dig it up for you. Then again, I may be 
thinking of something I wrote, in which case it'll be hard to find by searching 
the Internet. ;-) Seriously, though, if you can't find anything helpful, I'm 
sure any number of people on this list have either great links or great 
documents they wrote on using NTDSUTIL for metadata cleanup.

Laura





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Friday, November 17, 2006 2:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!


Thanks Deji.

I understand.

I will re-examine the event log in the morning and plan for a demotion over the 
weekend.

Besides removing the reference from AD/DNS/Sites, is there something else I
should do or look to remove the reference?

Also, should I change the IP address? This I really don't want to do if I
really don't have to...?

Thanks.


On 11/16/06, Akomolafe, Deji [EMAIL PROTECTED] wrote: 
I believe I recommended this early on in the thread. Sometimes, it's easier 
(wiser) to not fight the fire. Demote, clean it out of AD/DNS/Sites. If you 
have the luxury, wipe and reinstall the box, otherwise, just do a rename of the 
box. Renaming it is strongly recommended unless you have scripts and 
applications into which you have hard-coded the name. 





From: hboogz
Sent: Thu 11/16/2006 7:35 PM 

To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!



AD sites.

3 one including the DR-site.

Regarding the question about demoting then promoting...if I have to go that
route, should I keep the same server name?


On 11/16/06, Laura A. Robinson mailto:[EMAIL PROTECTED] wrote: 
I apologize if I keep asking questions you've already answered, but how many 
sites are involved here?

Of course, by the time this hits the list, any replication that hasn't yet 
occurred probably will have. :-)

Laura




From: [EMAIL PROTECTED] [mailto:mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!


**Update***

I changed the user account control attribute using the following direction:

Did you follow: 
When using adsiedit: 
* Connect to the domain NC 
* Navigate to the Domain Controllers OU 
* Right click on the DC for which you want to change the 
UserAccountControl value and select properties 
* Goto the UserAccountControl attribute 
* You should see a value (from what you have described): 536576 
* Change that value to: 532480 

I then followed the instructions found here: Re: access denied

http://technet2.microsoft.com/WindowsServer/en/library/22764cb5-9860-4f8f-95e7-337df24edf741033.mspx?mfr=true

I did this from the phmaindc1 server:

net stop kdc

clear ticket cache

reset machine password

open sites and services and forced replication with phprint -- which succeeded

opened replmon and synchronized with phprint1.

net start kdc

ran: repadmin /showreps.

replication to phprint1 came up as successful

RE: [ActiveDir] OT: Exchange 2000 to 2003 - upgrade by running in parallel.

2006-11-17 Thread Akomolafe, Deji
Getting the new Exchange server in there and moving mailboxes, PFs, RG master 
role, etc, is fairly easy. The main work is involved in getting the old server 
out of the mix. This (http://support.microsoft.com/?id=822931) should help 
somewhat.





From: Mark Parris
Sent: Fri 11/17/2006 1:16 AM
To: ActiveDir.org
Subject: [ActiveDir] OT: Exchange 2000 to 2003 - upgrade by running in parallel.


Hello all,

I am intending to upgrade an Exchange 2000 environment to Exchange 2003 via a
parallel installation as opposed to an upgrade, as the hardware will not
handle an upgrade.

The environment consists of a Front End Server and 4 Mailbox servers; there is
no clustering involved.

Does anyone have any experience of doing the installation via this method and
are there any major gotchas? Any recommendations or perhaps a document? All I
can find on MS is physical upgrade documentation.


Many thanks,





Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


RE: [ActiveDir] Kerberos is Killing Me!

2006-11-16 Thread Akomolafe, Deji

I believe I recommended this early on in the thread. Sometimes, it's easier 
(wiser) to not fight the fire. Demote, clean it out of AD/DNS/Sites. If you 
have the luxury, wipe and reinstall the box, otherwise, just do a rename of the 
box. Renaming it is strongly recommended unless you have scripts and 
applications into which you have hard-coded the name.





From: hboogz
Sent: Thu 11/16/2006 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!


AD sites.

3 one including the DR-site.

Regarding the question about demoting then promoting...if I have to go that
route, should I keep the same server name?


On 11/16/06, Laura A. Robinson [EMAIL PROTECTED] wrote: 
I apologize if I keep asking questions you've already answered, but how many sites are involved here?


Of course, by the time this hits the list, any replication that hasn't yet 
occurred probably will have. :-)

Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!


**Update***

I changed the user account control attribute using the following direction:

Did you follow: 
When using adsiedit: 
* Connect to the domain NC 
* Navigate to the Domain Controllers OU 
* Right click on the DC for which you want to change the 
UserAccountControl value and select properties 
* Goto the UserAccountControl attribute 
* You should see a value (from what you have described): 536576 
* Change that value to: 532480 


I then followed the instructions found here: Re: access denied

http://technet2.microsoft.com/WindowsServer/en/library/22764cb5-9860-4f8f-95e7-337df24edf741033.mspx?mfr=true

I did this from the phmaindc1 server:

net stop kdc

clear ticket cache

reset machine password

open sites and services and forced replication with phprint -- which succeeded

opened replmon and synchronized with phprint1.

net start kdc

ran: repadmin /showreps.

replication to phprint1 came up as successful

However, I still get an error to the child domain indicating access denied.

Should I wait for AD replication for this to work?









--
HBooGz:\ 

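An added example (not part of the thread) that decodes the two userAccountControl values in the update above: 536576 (0x83000) carries both WORKSTATION_TRUST_ACCOUNT and SERVER_TRUST_ACCOUNT, which is not a valid state for any account, while 532480 (0x82000) is the usual value for a writable domain controller. The flag table is the documented ADS_USER_FLAG set; check_dc_uac is my own set of sanity checks, not a Microsoft rule.

```python
# Documented userAccountControl bit values (ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}

# Exactly one of these "account type" bits is valid on any account object.
ACCOUNT_TYPE_MASK = 0x0100 | 0x0200 | 0x0800 | 0x1000 | 0x2000


def decode_uac(value: int):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    leftover = value & ~sum(UAC_FLAGS)          # bits outside the documented set
    if leftover:
        names.append("UNKNOWN(0x%x)" % leftover)
    return names


def check_dc_uac(value: int):
    """Problems that make a value unsuitable for a writable DC's computer account.

    These checks are the example's own: one account-type bit, SERVER_TRUST_ACCOUNT
    and TRUSTED_FOR_DELEGATION present, account not disabled.
    """
    problems = []
    type_bits = [n for b, n in UAC_FLAGS.items() if b & ACCOUNT_TYPE_MASK and value & b]
    if len(type_bits) != 1:
        problems.append("expected exactly one account-type flag, found %s"
                        % (", ".join(type_bits) or "none"))
    if not value & 0x2000:
        problems.append("SERVER_TRUST_ACCOUNT is not set")
    if not value & 0x80000:
        problems.append("TRUSTED_FOR_DELEGATION is not set")
    if value & 0x0002:
        problems.append("ACCOUNTDISABLE is set")
    return problems


if __name__ == "__main__":
    for value in (536576, 532480):      # the before and after values from the thread
        print("%d (0x%x): %s" % (value, value, ", ".join(decode_uac(value))))
        print("  problems:", check_dc_uac(value) or "none")
```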

RE: [ActiveDir] Restrict VPN Access By Computer Name

2006-11-15 Thread Akomolafe, Deji



Yes, you will need a CA for EAP. Ideally, you'd do a machine cert, because machines are what you want to filter.

Are you providing hosted services to your clients, or what?

Yes, there are ISA appliances. There have been since 2004.




From: Dan DeStefano
Sent: Wed 11/15/2006 5:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name


Cool, I will test that out, thanks.

I am not too familiar with using or configuring EAP; would this solution require installing a CA on the network? Furthermore, would these certificates be assigned to the machine, not the user?

No, I understand the difference between IAS and ISA. I just mentioned ISA because you said that it might be a good idea to use it. For most of our clients, a $1500 firewall solution is overkill. We are pretty much standardized on the Netgear FVL328, which costs under $300, provides 100 VPN tunnels for branch offices and is compact enough to fit in most of our clients' wiring closets (the term "closet" being the operative word as most of our clients do not have or need a server room). I would prefer a firewall appliance to one installed on a server and most ISA appliances are on the expensive side and are designed for rack-mounting.
I can't remember where, but I vaguely remember reading that Microsoft would be offering a light version of ISA2006 that can be used as an embedded solution for small business networks such as those that I manage. It will compete with Netgear, Linksys, Firebox, etc.. Maybe I am mistaken, but I will try to find out.

I will take your advice and wait for LH server instead of messing with WS2k3 quarantine. I appreciate the recommendation.



Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, November 14, 2006 12:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name



You are right, Calling-Station-Identifier (in some cases) maps to the telephone number. In 802.1x scenario, though, it's usually the MAC, but I have also seen it map to the client's IP address. I attribute this to some vendors not reading the RFC or just opting to do it their way. In our situation, MS maps it to MAC.



I re-read your original message and I have another thought. Since these are computers under your control, why not issue them certificates and use EAP as your authentication filter?



Hope we are not mixing acronyms here, re: IAS vs. ISA.



IAS is the RADIUS server. Free with the OS.

ISA is the proxy/caching/firewall solution. $1,500.00 for Standard edition, comes in a black box version, too. For what it does, ISA is one of the cheapest solutions of its type in the market. I am not aware of the "light" version you mentioned.



If you think NAP is complex, try your hands on 2K3 qtine. Also, you can combine all the NAP roles on one server, you do not have to separate them. The only strict requirement is that it be installed on a LH server.








From: Dan DeStefano
Sent: Tue 11/14/2006 5:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name

Thank you for your response.
I thought the Calling-Station-Id was used for phone numbers (that is what the description says anyway). But you are saying that MAC addresses can be used here as well?

Other than the above, what would the advantages of deploying IAS be? This is a small network with 100 or so users and only a handful of them have VPN access (right now being controlled in the user account properties). For this reason I am not sure I can also justify the costs of implementing ISA especially with a current firewall solution in place. Plus, we have no ISA experts in our organization or anyone who has even administered ISA before. Maybe this will change with the new ISA 2006, but most ISA solutions right now are enterprise-class and on the expensive side (for most small businesses). I heard that ISA 2006 is supposed to have a light version of some sort, but that being said, I am not sure if it would be as fully-featured and support what you are suggesting (though I know little of it other than the fact that it exists).

Thanks for the advice about ws2k3 quarantine, I guess we won't waste our time with it. I have read about Longhorn NAP and it looks great. But it also looks a bit 

RE: [ActiveDir] Restrict VPN Access By Computer Name

2006-11-15 Thread Akomolafe, Deji



All "appliances" are expensive, IMO. Not just the monetary part, but also their up-keep. I resell a product that gets grossly marked up in appliance form, and is not as regularly updated as the non-applianced version. But people are willing to pay the additional (unnecessary) cost, just because it is applianced, and they don't like "software solutions". Go figure.





From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wed 11/15/2006 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Restrict VPN Access By Computer Name
"Expensive" ISA appliances... let's qualify that

Akomolafe, Deji wrote:
 Yes, you will need a CA for EAP. Ideally, you'd do a machine cert, 
 because machines are what you want to filter.
 Are you providing hosted services to your clients, or what?
 Yes, there are ISA appliances. There have been since 2004.

 Sincerely,
 _
 (, / | /) /) /)
 /---| (/_ __ ___// _ // _
 ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
 (_/ /)
 (/
 Microsoft MVP - Directory Services
 www.akomolafe.com x-excid://3277/uri:http://www.akomolafe.com - 
 we know IT
 *-5.75, -3.23*
 Do you now realize that Today is the Tomorrow you were worried about 
 Yesterday? -anon

 
 *From:* Dan DeStefano
 *Sent:* Wed 11/15/2006 5:09 AM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Restrict VPN Access By Computer Name

 Cool, I will test that out, thanks.

 I am not too familiar with using or configuring EAP - would this 
 solution require installing a CA on the network? Furthermore, would 
 these certificates be assigned to the machine, not the user?

 No, I understand the difference between IAS and ISA. I just mentioned 
 ISA because you said that it might be a good idea to use it. For most 
 of our clients, a $1500 firewall solution is overkill. We are pretty 
 much standardized on the Netgear FVL328, which costs under $300, 
 provides 100 VPN tunnels for branch offices and is compact enough to 
 fit in most of our clients' wiring closets (the term closet being 
 the operative word as most of our clients do not have or need a server 
 room). I would prefer a firewall appliance to one installed on a 
 server and most ISA appliances are on the expensive side and are 
 designed for rack-mounting.

 I can't remember where, but I vaguely remember reading that Microsoft 
 would be offering a light version of ISA2006 that can be used as an 
 embedded solution for small business networks such as those that I 
 manage. It will compete with Netgear, Linksys, Firebox, etc.. Maybe I 
 am mistaken, but I will try to find out.

 I will take your advice and wait for LH server instead of messing with 
 WS2k3 quarantine. I appreciate the recommendation.

 Dan DeStefano
 Info-lution Corporation
 [EMAIL PROTECTED]
 http://www.info-lution.com/
 Office: 727 546-9143
 FAX: 727 541-5888

 

 *From:* [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Akomolafe, Deji
 *Sent:* Tuesday, November 14, 2006 12:32 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* RE: [ActiveDir] Restrict VPN Access By Computer Name

 You are right, Calling-Station-Identifier (in some cases) map to the 
 telephone number. In 802.1x scenario, though, it's usually the MAC, 
 but I have also seen it map to the client's IP address. I attribute 
 this to some vendors not reading the RFC or just opting to do it their 
 way. In our situation, MS maps it to MAC.

 I re-read your original message and I have another thought. Since 
 these are computers under your control, why not issue them 
 certificates and use EAP as your authentication filter?

 Hope we are not mixing acronyms here, re: IAS vs. ISA.

 IAS is the RADIUS server. Free with the OS.

 ISA is the proxy/caching/firewall solution. $1,500.00 for Standard 
 edition, comes in a black box version, too. For what it does, ISA is 
 one of the cheapest solutions of its type in the market. I am not aware 
 of the "light" version you mentioned.

 If you think NAP is complex, try your hands on 2K3 qtine. Also, you 
 can combine all the NAP roles on one server, you do not have to 
 separate them. The only strict requirement is that it be installed on 
 a LH server.


 Sincerely,
 _
 (, / | /) /) /)
 /---| (/_ __ ___// _ // _
 ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
 (_/ /)
 (/
 Microsoft MVP - Directory Services
 www.akomolafe.com - we know IT
 **-5.75, -3.23**
 Do you now realize that Today is the Tomorrow y

RE: [ActiveDir] Strange DC behaviour and error

2006-11-15 Thread Akomolafe, Deji



Compare the IP registered for phmaindc1 in DNS to the actual IP address of this machine. Do you see any discrepancy?

Is this your only DC? If not, then I'd demote it, clean it completely out of AD (ADUC, AD Sites and Services, DNS), and then re-promote it.


Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon


From: hboogz
Sent: Wed 11/15/2006 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Strange DC behaviour and error

Hey Guys,

I receive this error on my DC and my newly created Citrix Server.

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 11/15/2006
Time: 12:30:17 PM
User: N/A
Computer: PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/phmaindc1.phippsny.org. The target name used was DNS/phmaindc1.phippsny.org. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm ( PHIPPSNY.ORG), and the client realm. Please contact your system administrator.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The Citrix server can't connect to the terminal server licensing component on here and every time a user logs in, they receive an access denied indicating that they could retrieve their TS profile information.

Every time I try to run dsa.msc on the Citrix box, I get an error.

I'm running windows 2003 standard R2 on AD and standard w/ SP1 on the citrix box.

I also get this error/message when i run dcdiag on the dc


 The account PHMAINDC1 is not a DC account. It cannot replicate.
 Warning: Attribute userAccountControl of PHMAINDC1 is: 0x1000 = ( UF_WORKSTATION_TRUST_ACCOUNT )
 Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
 This may be affecting replication?

Any ideas? I'm stuck with all my Citrix users being denied logon!




-- HBooGz:\ 


RE: [ActiveDir] DNS Scavenging

2006-11-15 Thread Akomolafe, Deji
You need some quiet time (and your favorite bottle/keg of liquor) with this 
document 
http://www.microsoft.com/technet/prodtechnol/windows2000serv/plan/w2kdns2.mspx

If you are in a hurry, just skip down to the Aging and Scavenging part.

Enjoy

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Rimmerman, Russ
Sent: Wed 11/15/2006 5:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Scavenging


We're in the middle of an SMS deployment and SMS is making us very aware
that DNS scavenging and WINS tombstoning doesn't appear to be happening
as much as it should.  Looking through our DNS records for our domain,
there's like 2 and 3 machine names for one IP.  Two of them were tossed
in the trash, one is still alive.  We have scavenging set to 7 days on
the zones, but not enabled at the server level (that seems a bit
scarier).  Shouldn't DNS scavenging work if enabled on the zone?  We're
running Win2k3 on our DNS/DCs, some with sp1 some without.

Thanks in advance

~~
This email message is for the sole use of the intended recipient(s)
and may contain confidential and privileged information of Cameron
and its Operating Divisions. Any unauthorized use or disclosure is
prohibited. If you are not the intended recipient, please contact
the sender by reply email and delete and destroy all copies of the
original message inclusive of any attachments.
~~
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] DNS Scavenging

2006-11-15 Thread Akomolafe, Deji
Also keep in mind scavenging only applies to records that have timestamps 
(which are typically dynamically created.)  

Keep in mind that you CAN enable scavenging on static records. The facility is 
in dnscmd. So, please don't assume that your static records are safe from 
scavenging just because you don't see a timestamp.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Roger Longden
Sent: Wed 11/15/2006 7:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Scavenging


Correct.  When a server runs scavenging it'll determine which of the primary 
zones it hosts has it enabled and then which records in those zones are stale 
based on the no-refresh and refresh intervals.  Also keep in mind scavenging 
only applies to records that have timestamps (which are typically dynamically 
created.)  And make sure none of the zones have too short of no-refresh/refresh 
intervals where valid records could be removed.  You can do due diligence by 
ensuring you have current and valid backups.  You may want to also check out 
KB838851 just to be sure it doesn't apply to your environment.

 - Roger


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, November 15, 2006 10:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Scavenging


OK that explains my problems then.  When I enable it at the server
level, it won't actually do anything to the zones that aren't enabled,
correct?  I mean, is it a two step process, you enable the server, and
then enable the zones you actually want to scavenge one at a time?  I
just don't want anything to disappear out of DNS suddenly when I enable
the server level, that ends up being a CLM (career limiting move).

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Longden
Sent: Wednesday, November 15, 2006 7:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Scavenging

Unless you enable it on a server (or manually initiate it against a
server) nothing's actually being scavenged.  The settings on the zone
only allow the timestamps to replicate and defines what records would be
deleted assuming scavenging is run.  So until a DNS server that hosts a
primary copy of the zone performs the scavenging process you can
continue to watch those duplicates accumulate and your SMS admins
complain.  :)

- Roger

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, November 15, 2006 8:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Scavenging


We're in the middle of an SMS deployment and SMS is making us very aware
that DNS scavenging and WINS tombstoning doesn't appear to be happening
as much as it should.  Looking through our DNS records for our domain,
there's like 2 and 3 machine names for one IP.  Two of them were tossed
in the trash, one is still alive.  We have scavenging set to 7 days on
the zones, but not enabled at the server level (that seems a bit
scarier).  Shouldn't DNS scavenging work if enabled on the zone?  We're
running Win2k3 on our DNS/DCs, some with sp1 some without.

Thanks in advance

List info   : http://www.activedir.org/List.aspx
List FAQ: 
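Roger's point above is that the zone settings only define which records would count as stale, and nothing is deleted until a server hosting the primary zone actually runs scavenging; Deji adds that static records are not automatically safe, because dnscmd can stamp them too. The script below is an added example, not part of the thread and not a Microsoft tool: it reproduces the server's own staleness test offline so you can see what would disappear before enabling the server-level ScavengingInterval. It parses the text that `dnscmd <server> /EnumRecords <zone> @ /Type A /Continue` prints, where dynamic records carry an `[Aging:<hours>]` tag (hours since 1601-01-01 00:00 UTC, the DNS server's timestamp epoch) and static records carry none, and applies the rule that a record is eligible once now is past timestamp + NoRefreshInterval + RefreshInterval. The sample output, host names, addresses and 7 + 7 day intervals are constructed for the example.

```python
"""Preview what Windows DNS scavenging would remove from a zone.

Added example for this thread; it is not from the list posts and not a
Microsoft tool. It parses the text that
  dnscmd <server> /EnumRecords <zone> @ /Type A /Continue
prints: dynamic records carry an "[Aging:<hours>]" tag, where <hours> is
hours since 1601-01-01 00:00 UTC (the DNS server's timestamp epoch), and
static records carry no tag. The server deletes a record once
  now > timestamp + NoRefreshInterval + RefreshInterval
so this reproduces that test without touching the server. Untagged
(static) records are listed separately: they are immune unless someone has
applied timestamps to them with "dnscmd /AgeAllRecords".
"""
import re
from datetime import datetime, timedelta, timezone

AGING_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# name, optional [Aging:N], TTL, type, data -- the dnscmd /EnumRecords layout.
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\[Aging:(?P<aging>\d+)\]\s+)?"
    r"(?P<ttl>\d+)\s+(?P<type>[A-Z]+)\s+(?P<data>\S.*)$"
)


def aging_hours(when):
    """Hours since the DNS aging epoch, as dnscmd prints them."""
    return (when - AGING_EPOCH) // timedelta(hours=1)


def aging_to_datetime(hours):
    """Inverse of aging_hours: an [Aging:N] value back to a UTC datetime."""
    return AGING_EPOCH + timedelta(hours=hours)


def parse_enum_records(text):
    """Return a list of dicts for every record line in dnscmd output."""
    records = []
    for line in text.splitlines():
        match = RECORD_RE.match(line.strip())
        if not match:
            continue  # banner lines such as "Returned records:" are skipped
        aging = match.group("aging")
        records.append({
            "name": match.group("name"),
            "type": match.group("type"),
            "data": match.group("data").strip(),
            "timestamp": aging_to_datetime(int(aging)) if aging else None,
        })
    return records


def classify(records, now, no_refresh, refresh):
    """Split records into (stale, fresh, static) lists of (name, data)."""
    stale, fresh, static = [], [], []
    for rec in records:
        entry = (rec["name"], rec["data"])
        if rec["timestamp"] is None:
            static.append(entry)          # no timestamp: scavenging ignores it
        elif now > rec["timestamp"] + no_refresh + refresh:
            stale.append(entry)           # the server would delete this one
        else:
            fresh.append(entry)           # exactly at the boundary still counts as fresh
    return stale, fresh, static


def duplicate_addresses(records):
    """IPs that several A records point at: the symptom SMS was flagging."""
    by_ip = {}
    for rec in records:
        if rec["type"] == "A":
            by_ip.setdefault(rec["data"], []).append(rec["name"])
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


# Constructed sample: a fixed "now" and zone intervals of 7 + 7 days, as in
# the thread. The Aging values are generated so the example is repeatable.
NOW = datetime(2006, 11, 15, 22, 0, tzinfo=timezone.utc)
NO_REFRESH = timedelta(days=7)
REFRESH = timedelta(days=7)
SAMPLE_OUTPUT = f"""Returned records:
@ 3600 NS dc1.example.local.
@ [Aging:{aging_hours(NOW - timedelta(hours=1))}] 600 A 10.1.1.1
filesrv 3600 A 10.1.1.5
ws-alice [Aging:{aging_hours(NOW - timedelta(days=20))}] 1200 A 10.1.1.20
ws-bob [Aging:{aging_hours(NOW - timedelta(days=2))}] 1200 A 10.1.1.20
ws-carol [Aging:{aging_hours(NOW - timedelta(days=14))}] 1200 A 10.1.1.21
Command completed successfully.
"""


def preview(text=SAMPLE_OUTPUT, now=NOW, no_refresh=NO_REFRESH, refresh=REFRESH):
    """Full report for one zone dump: what goes, what stays, what is static."""
    records = parse_enum_records(text)
    stale, fresh, static = classify(records, now, no_refresh, refresh)
    return {"stale": stale, "fresh": fresh, "static": static,
            "duplicates": duplicate_addresses(records)}


if __name__ == "__main__":
    for key, value in preview().items():
        print(f"{key}: {value}")
```

Read the zone's intervals from `dnscmd <server> /ZoneInfo <zone>` (Aging, NoRefreshInterval and RefreshInterval, in hours) and the server-level ScavengingInterval from `dnscmd <server> /Info`; a ScavengingInterval of 0 is the "enabled on the zone, not on the server" state Russ describes, in which this preview lists stale records that will never actually be removed. In the sample, ws-alice and ws-bob both hold 10.1.1.20, and only ws-alice is old enough to go; ws-carol sits exactly on the 14-day boundary and is kept because the server's comparison is strict.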

RE: [ActiveDir] Restrict VPN Access By Computer Name

2006-11-14 Thread Akomolafe, Deji



You are right, Calling-Station-Identifier (in some cases) maps to the telephone number. In 802.1x scenario, though, it's usually the MAC, but I have also seen it map to the client's IP address. I attribute this to some vendors not reading the RFC or just opting to do it their way. In our situation, MS maps it to MAC.

I re-read your original message and I have another thought. Since these are computers under your control, why not issue them certificates and use EAP as your authentication filter?

Hope we are not mixing acronyms here, re: IAS vs. ISA.

IAS is the RADIUS server. Free with the OS.
ISA is the proxy/caching/firewall solution. $1,500.00 for Standard edition, comes in a black box version, too. For what it does, ISA is one of the cheapest solutions of its type in the market. I am not aware of the "light" version you mentioned.

If you think NAP is complex, try your hands on 2K3 qtine. Also, you can combine all the NAP roles on one server, you do not have to separate them. The only strict requirement is that it be installed on a LH server.

Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon


From: Dan DeStefano
Sent: Tue 11/14/2006 5:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name


Thank you for your response.
I thought the Calling-Station-Id was used for phone numbers (that is what the description says anyway). But you are saying that MAC addresses can be used here as well?

Other than the above, what would the advantages of deploying IAS be? This is a small network with 100 or so users and only a handful of them have VPN access (right now being controlled in the user account properties). For this reason I am not sure I can also justify the costs of implementing ISA especially with a current firewall solution in place. Plus, we have no ISA experts in our organization or anyone who has even administered ISA before. Maybe this will change with the new ISA 2006, but most ISA solutions right now are enterprise-class and on the expensive side (for most small businesses). I heard that ISA 2006 is supposed to have a light version of some sort, but that being said, I am not sure if it would be as fully-featured and support what you are suggesting (though I know little of it other than the fact that it exists).

Thanks for the advice about ws2k3 quarantine, I guess we won't waste our time with it. I have read about Longhorn NAP and it looks great. But it also looks a bit complex, requiring a bit more infrastructure than most small businesses need or can afford.

Have you ever tried restricting VPN access by MAC address?



Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, November 14, 2006 1:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name



Call-Station-Identifier is a much more stable and reliable filter - it is the Client's MAC address. "Client Friendly Name" is optional and may not be sent in many VPN negotiations. The identifier will very likely be sent (I don't want to say ALWAYS since I don't have any relevant doc that says that, but I am yet to see a negotiation that does not include the identifier). Unfortunately, in order to use the identifier as a filter, you will have to create a policy for each device. I don't see how you can wildcard it. So, depending on how many clients you are talking here, well...



Yes, if I were you, I'd bring in RADIUS. Better, I'll bring in something like ISA 2006. With ISA, you should be able to create a Computer Set that includes the names or IPs of the Clients in question, and you can use that to filter your inbound VPN connection requests. I don't have such configuration, but it makes sense in my head.



Also, if you haven't started messing with that 2K3 quarantine thingamabob yet, thank your stars. You don't want to. Not now that NAP in Longhorn is so close at hand. I'd recommend that you encourage your techs to concentrate on learning NAP instead. I just took a quick look around in NAP, and I can see where what you are trying to do here can be easily accomplished.





Hope I haven't thoroughly confused you yet.



Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon





From: Dan DeStefano
Sent: Mon 11/13/2006 9:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restrict VPN Access By Computer Name

I was wondering if there is a way to restrict client VPN 
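The exchange above turns on two facts about RADIUS: Calling-Station-Id (attribute 31 in RFC 2865) is what an IAS policy can match a device on, and what the access server puts in it varies (a MAC address in vendor-specific notation, sometimes the client's IP). The following is an added example, not from the thread and not how IAS implements remote access policy: it decodes a RADIUS Access-Request, normalises the Calling-Station-Id, and checks it against an approved-machine list, so the per-device policy Deji describes can be seen as code. The user names, addresses, MACs and packets are constructed; the packet layout, attribute numbers and the NAS-Port-Type value 5 (Virtual) come from RFC 2865. The security caveat is in the code as well: the access server asserts this value on the client's behalf, nothing proves the client owns that MAC, so this is a filter, and the machine-certificate EAP that Deji recommends is what actually authenticates the device.

```python
"""Filter a RADIUS Access-Request on Calling-Station-Id.

Added example for this thread; it is not from the list posts and it is not
how IAS implements remote access policy. Wire format is RFC 2865: Code (1),
Identifier (1), Length (2), 16-byte Authenticator, then Type/Length/Value
attributes. Attribute 31 is Calling-Station-Id. A VPN or 802.1X access
server fills it with whatever it has for the client (a MAC in one of
several notations, sometimes the client's IP), so the value is normalised
before the comparison. The access server asserts the value on the client's
behalf; nothing here proves the client owns that MAC. Treat it as a filter
and use EAP with machine certificates for authentication.
"""
import os
import re
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_NAS_PORT_TYPE = 61

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
MAC_SEPARATORS = re.compile(r"[-:.]")


def build_access_request(identifier, attributes, authenticator=None):
    """Serialise an Access-Request from a list of (type, bytes) attributes."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def parse_radius(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]).

    The Length field is checked against the buffer and every attribute
    length against the bytes left, so a truncated or padded packet raises
    instead of being silently misread.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match the packet size")
    attributes = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length runs past the packet")
        attributes.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, packet[4:20], attributes


def normalise_station_id(value):
    """Classify a Calling-Station-Id as ('mac', 'aa:bb:..'), ('ip', text) or ('other', text).

    The IPv4 test runs first: 192.168.100.200 is twelve decimal digits once
    the dots are removed and would otherwise be accepted as a MAC.
    """
    text = value.decode("ascii", "replace").strip()
    if IPV4_RE.match(text):
        return "ip", text
    digits = MAC_SEPARATORS.sub("", text)       # 00-0C-29.. / 000c.293a.. / 00:0c:29..
    if re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        digits = digits.lower()
        return "mac", ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return "other", text


def evaluate(packet, approved_macs):
    """Decide ('accept'|'reject', reason) for one Access-Request."""
    code, _, _, attributes = parse_radius(packet)
    if code != ACCESS_REQUEST:
        return "reject", f"code {code} is not an Access-Request"
    station_ids = [v for t, v in attributes if t == ATTR_CALLING_STATION_ID]
    if not station_ids:
        return "reject", "no Calling-Station-Id in request"  # attribute is optional
    kind, value = normalise_station_id(station_ids[0])
    if kind != "mac":
        return "reject", f"Calling-Station-Id is {kind} ({value}), not a MAC"
    if value in approved_macs:
        return "accept", value
    return "reject", f"device {value} is not on the approved list"


# Constructed sample data: two approved laptops and a fixed authenticator so
# the packets are reproducible.
APPROVED = {"00:0c:29:3a:4b:5c", "00:0c:29:3a:4b:5e"}
AUTH = bytes(range(16))


def sample_request(station_id=None):
    """An Access-Request from a VPN concentrator at 10.1.1.2 (constructed)."""
    attrs = [(ATTR_USER_NAME, b"EXAMPLE\\laptop-user"),
             (ATTR_NAS_IP_ADDRESS, bytes([10, 1, 1, 2])),
             (ATTR_NAS_PORT_TYPE, struct.pack("!I", 5))]   # 5 = Virtual (VPN)
    if station_id is not None:
        attrs.append((ATTR_CALLING_STATION_ID, station_id))
    return build_access_request(7, attrs, AUTH)


if __name__ == "__main__":
    for sid in (b"00-0C-29-3A-4B-5C", b"000c.293a.4b5d", b"192.168.100.200", None):
        print(sid, evaluate(sample_request(sid), APPROVED))
```

The four sample requests cover the cases the thread raises: a Windows-style MAC that is approved, a Cisco-style MAC that is not, a concentrator that sends the client's IP instead of a MAC (rejected rather than mis-parsed), and a request with no Calling-Station-Id at all, which is where a policy that only matches Client-Friendly-Name would silently fall through.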

RE: [ActiveDir] OT: Sonicwall vs ISA (was M$)

2006-11-14 Thread Akomolafe, Deji



Which part of it do you not understand?



Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon


From: Albert Duro
Sent: Tue 11/14/2006 7:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Sonicwall vs ISA (was M$)
Sonicwall vs. ISA?

That's a new one on me.  I'm not a SBSer, but I do have a Sonicwall.
Would you care to expand?

thank you

- Original Message - 
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" 
[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, November 13, 2006 5:17 PM
Subject: Re: [ActiveDir] OT: M$


 (I would just like to go on record as saying that I thought Brett's post 
 was funny)

 In the MVP survey this year the final question was "give three words that 
 best describe Microsoft?"  Boy howdy was that the hardest part of the 
 survey to fill out.  Three words to describe the "company"?  Youch.  Think 
 about that one for a moment will ya?  Ask me to say three words about the 
 people of Microsoft and I'd have that survey done in a nanosecond.  Ask me 
 three words about the "Company" ...this financial entity that files 10Ks 
 and like what do you want me to say?
 Microsoft (or M$ or MF$T whatever you'd like to call it) is a company 
 registered with the SEC to do business.  It is a software company.  It is 
 an entity.  It has a Tax ID number.  It has to make sucky decisions due to 
 Judges and Lawyers and Patents and EU attorneys and stupid EOLA lawsuits 
 and ...

 The Employees of Microsoft (no abbreviations)... as was best put by a 
 Security MVP he went looking for the employees of Microsoft that eat 
 babies... you know... the ones he's heard about in those Department of 
 Justice/SlashDot postings and all that... well, he can't find them.  Every 
 one of them he (and I) have ever met are sincere, hardworking, trustworthy 
 people.  In fact that's one of the wonderful things about the blogs... 
 they do a total 'end run' around WagEd/PR stuff and show the people for 
 the people.  Even when Brett didn't blog we knew about him via his 
 blog.  Just honest people talking to people.  And that's when Microsoft 
 truly rocks.

 I also know that in the newsgroups when I have someone who challenges my 
 views I find that ends up happening is not that I'll change them, but I'll 
 solidify my views.  To those that use M$ knowing full well that it annoys 
 you (the generic you, not "you", you), if their goal is to annoy, they 
 won't change.

 The following items are bound to start arguments/flames etc. in my home 
 base community (most of these are specific to SBS, so my apologies)

 1.  One nic versus two
 2.  Antivirus choice (with the exception of Norton Yellow Box consumer 
 which is nearly universally hated by all in IT)
 3.  Sonicwall versus ISA server
 4.  .local/.lan versus .com
 5.  the lack of inclusion of DFSv2 in SBS 2003 R2

 So I guess if you are doing a list of Arguments/Flamewars in this 
 community I guess I will say
 1.  The use or non use of M$  :-)

 Sometimes you just have to let it roll off your back.  :-)

 How about a lighter less argumentative topic change:  So how about those 
 USA elections, 'eh?  What's your thoughts about Stem Cell Research?

 Laura A. Robinson wrote:
 Disclaimer #1: "You" in the below refers to a generic "you", not a 
 specific person.
 Disclaimer #2: My opinions are in no way intended to represent those of 
 my employer. They're my own, and they were my opinions long before I 
 became a Microsoft employee.
 That said...
  You know what I find amazing here? It has been clearly expressed that 
 there *are* people who find the term irritating (and I assure you, I'm 
 not the only one; I'm just the only one who states it publicly), yet 
 you're still arguing that because *you* think it's funny, it's therefore 
 okay to use it. Please explain this logic to me. If you meet somebody who 
 asks you not to call him "Tiny" because he hates the nickname, do you 
 make a point to call him "Tiny"? If you do, then you have some serious 
 personal issues. If you don't do that, then why do you think it's okay to 
 continue to justify using a name on a Microsoft-centric list that is 
 populated by Microsoft-centric people that you've been told *is* 
 offensive to some of those people?
  This isn't about political correctness and it isn't about different 
 senses of humor. It's about somebody having stated flat-out that the "M$" 
 term is offensive to her (and, again, to a lot more people than you 
 realize) and you continuing to assert that it's just fine for you to use 
 it. Some people might consider that incredibly childish and ignorant. Did 
 it never occur to you simply to not use or defend the use of the term, 
 regardless of whether you think I'm oversensitive about it? 

RE: [ActiveDir] OT: M$

2006-11-14 Thread Akomolafe, Deji



I've been wondering all day, even after my private mea culpa to you. I've been wondering why that last line would elicit such reaction from you. So, when another trusted fellow brought up the issue in a private conversation I started wondering again.

Something just didn't compute. I expected "Shut up, Laura" to be an innocuous statement that would be met with a smiley or VBEG from "Laura". I didn't expect "Laura" to take umbrage at that phrase. As a matter of fact, I expected hugs and kisses and flowers and whatnot. So, I kept wondering...

Well, I'm wondering no more. I got you mixed up, Laura. Beaucoup apologies. I thought you were Laura Hunter (http://www.shutuplaura.com/ - WARNING, adult language). I am very sorry.



Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon


From: Laura A. Robinson
Sent: Tue 11/14/2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

That last line really was unnecessary, Deji.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Monday, November 13, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$


You know what I find amazing here?

That you felt compelled to lend more visibility to this topic, when it, truly, does not deserve an iota of your time. I see people use "M$" in conversations, I note their names and learn to avoid them. It's the same thing I do with people who use "1337" and similar "elite-speak" in conversation. I put them all in the same column of idiotic wannabes and move on. The only reason I feel impelled to write what I'm writing is because you are still lending your professional credence to a nonentity who should have been duly ignored from the start. I'm surprised that you are expending so much energy in that exercise, seeing as I know that you have been in numerous environments where people do things like these in attempts to garner attention. Giving them the undeserved attention is, IMNSHO, injurious to your reputation.

So, Laura... shut up already.



Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon


From: Laura A. Robinson
Sent: Mon 11/13/2006 4:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

Disclaimer #1: "You" in the below refers to a generic "you", not a specific person.
Disclaimer #2: My opinions are in no way intended to represent those of my employer. They're my own, and they were my opinions long before I became a Microsoft employee.
That said...

You know what I find amazing here? It has been clearly expressed that there *are* people who find the term irritating (and I assure you, I'm not the only one; I'm just the only one who states it publicly), yet you're still arguing that because *you* think it's funny, it's therefore okay to use it. Please explain this logic to me. If you meet somebody who asks you not to call him "Tiny" because he hates the nickname, do you make a point to call him "Tiny"? If you do, then you have some serious personal issues. If you don't do that, then why do you think it's okay to continue to justify using a name on a Microsoft-centric list that is populated by Microsoft-centric people that you've been told *is* offensive to some of those people? 

This isn't about political correctness and it isn't about different senses of humor. It's about somebody having stated flat-out that the "M$" term is offensive to her (and, again, to a lot more people than you realize) and you continuing to assert that it's just fine for you to use it. Some people might consider that incredibly childish and ignorant. Did it never occur to you simply to not use or defend the use of the term, regardless of whether you think I'm oversensitive about it? It certainly occurred to the person who originally posted it to stop using the term, and he didn't have to have an argument that boils down to "I think it's funny, so you need to just get over it" before stating that he wouldn't continue to use the term. I found that very adult of him. I don't, however, find it particularly adult to continue to defend the use of a tasteless, inaccurate, slighting moniker because *you* think it's "funny".

Most Microsoft employees are not nearly as well-paid as the public seems to think, and yet, the VAST majority of them contribute their own time and money to charitable organizations. I can give you statistics if you like; Microsoft is actually first in terms of per-capita employee philanthropy. The insistence upon referring to the company as "M$" displays a tremendous amount of ignorance and rudeness to those 

RE: [ActiveDir] OT: M$

2006-11-13 Thread Akomolafe, Deji



You know what I find amazing here?

That you felt compelled to lend more visibility to this topic, when it, truly, does not deserve an iota of your time. I see people use "M$" in conversations, I note their names and learn to avoid them. It's the same thing I do with people who use "1337" and similar "elite-speak" in conversation. I put them all in the same column of idiotic wannabes and move on. The only reason I feel impelled to write what I'm writing is because you are still lending your professional credence to a nonentity who should have been duly ignored from the start. I'm surprised that you are expending so much energy in that exercise, seeing as I know that you have been in numerous environments where people do things like these in attempts to garner attention. Giving them the undeserved attention is, IMNSHO, injurious to your reputation.

So, Laura... shut up already.



Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon


From: Laura A. Robinson
Sent: Mon 11/13/2006 4:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

Disclaimer #1: "You" in the below refers to a generic "you", not a specific person.
Disclaimer #2: My opinions are in no way intended to represent those of my employer. They're my own, and they were my opinions long before I became a Microsoft employee.
That said...

You know what I find amazing here? It has been clearly expressed that there *are* people who find the term irritating (and I assure you, I'm not the only one; I'm just the only one who states it publicly), yet you're still arguing that because *you* think it's funny, it's therefore okay to use it. Please explain this logic to me. If you meet somebody who asks you not to call him "Tiny" because he hates the nickname, do you make a point to call him "Tiny"? If you do, then you have some serious personal issues. If you don't do that, then why do you think it's okay to continue to justify using a name on a Microsoft-centric list that is populated by Microsoft-centric people that you've been told *is* offensive to some of those people? 

This isn't about political correctness and it isn't about different senses of humor. It's about somebody having stated flat-out that the "M$" term is offensive to her (and, again, to a lot more people than you realize) and you continuing to assert that it's just fine for you to use it. Some people might consider that incredibly childish and ignorant. Did it never occur to you simply to not use or defend the use of the term, regardless of whether you think I'm oversensitive about it? It certainly occurred to the person who originally posted it to stop using the term, and he didn't have to have an argument that boils down to "I think it's funny, so you need to just get over it" before stating that he wouldn't continue to use the term. I found that very adult of him. I don't, however, find it particularly adult to continue to defend the use of a tasteless, inaccurate, slighting moniker because *you* think it's "funny".

Most Microsoft employees are not nearly as well-paid as the public seems to think, and yet, the VAST majority of them contribute their own time and money to charitable organizations. I can give you statistics if you like; Microsoft is actually first in terms of per-capita employee philanthropy. The insistence upon referring to the company as "M$" displays a tremendous amount of ignorance and rudeness to those employees, IMO.

Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Monday, November 13, 2006 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

Exactly, is exactly right. You can't impose your own humor preferences on someone because you consider it unfunny. You just don't laugh. You can't stop bad jokes, because someone, somewhere is laughing at them. Just not you.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Monday, November 13, 2006 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

Exactly. M$ just isn't funny. Borg, kool-aid, those are funny. M$ isn't. Go figure.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Monday, November 13, 2006 7:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

Useless Air Farce would not be found funny because it's just that, not funny. Funnier is US Chair Force. That's funny, and people here laugh at it all the time.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Monday, November 13, 2006 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$


;oP


Rob 
Robert Rutherford QuoStar Solutions Limited 
T: +44 (0) 8456 440 

RE: [ActiveDir] Restrict VPN Access By Computer Name

2006-11-13 Thread Akomolafe, Deji



Call-Station-Identifier is a much more stable and reliable filter - it is the Client's MAC address. "Client Friendly Name" is optional and may not be sent in many VPN negotiations. The identifier will very likely be sent (I don't want to say ALWAYS since I don't have any relevant doc that says that, but I am yet to see a negotiation that does not include the identifier). Unfortunately, in order to use the identifier as a filter, you will have to create a policy for each device. I don't see how you can wildcard it. So, depending on how many clients you are talking here, well...

Yes, if I were you, I'd bring in RADIUS. Better, I'll bring in something like ISA 2006. With ISA, you should be able to create a Computer Set that includes the names or IPs of the Clients in question, and you can use that to filter your inbound VPN connection requests. I don't have such configuration, but it makes sense in my head.

Also, if you haven't started messing with that 2K3 quarantine thingamabob yet, thank your stars. You don't want to. Not now the NAP in Longhorn is so close at hand. I'd recommend that you encourage your techs to concentrate on learning NAP instead. I just took a quick look around in NAP, and I can see where what you are trying to do here can be easily accomplished.



Hope I haven't thoroughly confused you yet.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Dan DeStefano
Sent: Mon 11/13/2006 9:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restrict VPN Access By Computer Name


I was wondering if there is a way to restrict client VPN connections via computer name. The reason for this is that we only want clients connecting from approved devices for which they do not have administrative privileges. In other words, we do not want people VPNing into our network from their possibly virus and spyware-infested home PCs. I know that a clever user could rename his/her home PC, but this is probably not too likely and that type of user is probably likely to be conscious of updated antivirus/spyware software.

I saw a setting in Remote Access Policies called Client Friendly Name (IAS). Is this the setting I am looking for? If so, do I have to set up an IAS server? If not, is there another way I can accomplish my goal. I know that WS2k3 R2 has a quarantine feature, but I am not familiar with it, though it looks like a bit of a PITA to set up and I am looking for a quick way to fix this problem. We will probably eventually use the new quarantine feature after our techs have had a chance to learn and test it a bit. I think another problem with this feature is for small business networks that have just a single SBS server.

Any help would be greatly appreciated.


Thanks,

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
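The per-device filter discussed in this thread, as an added example that is not code from the thread, IAS, RRAS or ISA: a minimal parser for RFC 2865 attribute framing (User-Name is attribute 1, Calling-Station-Id is attribute 31) and an explicit allowlist with one entry per approved device, since the attribute cannot be wildcarded. The packets, device ids and user names are constructed; what a NAS actually places in Calling-Station-Id is whatever that NAS sends, so a real allowlist is built from its logs, not guessed.

```python
"""Added example (not code from the thread, IAS, RRAS or ISA): decide a VPN
Access-Request on the Calling-Station-Id attribute with a per-device list.

Assumptions: RFC 2865 framing (type 1 = User-Name, 31 = Calling-Station-Id,
4 = NAS-IP-Address); the packet bytes, device ids and users are constructed.
"""
import struct

USER_NAME = 1
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31
ACCESS_REQUEST = 1
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)

# Constructed allowlist: one entry per approved device (no wildcards),
# mapping a normalised station id to the users allowed from that device.
APPROVED_DEVICES = {
    "001122334455": {"dan"},
    "66778899AABB": {"dan", "helpdesk"},
}


def parse_packet(packet: bytes) -> tuple:
    """Return (code, {attr_type: [raw values]}).

    Malformed framing raises ValueError rather than yielding partial
    attributes, because a policy decision must not rest on truncated data.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = {}
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs


def build_access_request(ident: int, attrs: list) -> bytes:
    """Build a constructed Access-Request (zeroed authenticator, test only)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    return header + bytes(16) + body


def normalise_station_id(raw: bytes) -> str:
    """Canonical form so '00-11-22-..' and '00:11:22:..' compare equal."""
    text = raw.decode("ascii", "replace").upper()
    return text.replace("-", "").replace(":", "")


def evaluate(packet: bytes, approved: dict = APPROVED_DEVICES) -> tuple:
    """Return (accept, reason) for one Access-Request."""
    code, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        return False, "not an Access-Request"
    ids = attrs.get(CALLING_STATION_ID, [])
    if len(ids) != 1:  # absent or duplicated: the device is unidentified
        return False, "Calling-Station-Id missing or ambiguous"
    station = normalise_station_id(ids[0])
    if station not in approved:
        return False, f"device {station} not approved"
    users = {u.decode("utf-8", "replace") for u in attrs.get(USER_NAME, [])}
    if not users or not users <= approved[station]:
        return False, f"user {sorted(users)} not approved for {station}"
    return True, "ok"


if __name__ == "__main__":
    good = build_access_request(7, [
        (USER_NAME, b"dan"),
        (CALLING_STATION_ID, b"00-11-22-33-44-55"),
        (NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),
    ])
    print(evaluate(good))  # (True, 'ok')
    home_pc = build_access_request(8, [
        (USER_NAME, b"dan"), (CALLING_STATION_ID, b"AA:BB:CC:DD:EE:FF")])
    print(evaluate(home_pc))  # (False, 'device AABBCCDDEEFF not approved')
```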



RE: [ActiveDir] Exchange --NDR--

2006-11-07 Thread Akomolafe, Deji



You should be able to see my email from the response.



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Technical Support
Sent: Tue 11/7/2006 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange --NDR--


Please let me know how I can contact you Deji




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Monday, November 06, 2006 10:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange --NDR--



4.4.7 is "usually" the other server's problem. If you want, I can privately help you verify this, if you send me the domain/ip of the other server in a private (off-list) message.





Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon





From: Technical Support
Sent: Mon 11/6/2006 8:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange --NDR--

Hi,

I am sending mail to @XYZ.COM and here is the error I am getting. When I do Email ID Verification and MX Record lookup it works fine for xyz.com. Also I am not facing this problem with any other mail id. I am able to send mails to other clients/vendors.

Here is the NDR I am getting.
---
Your message did not reach some or all of the intended recipients.

 Subject: Updated: Undelivered
 Sent: 11/6/2006 6:58 PM

The following recipient(s) could not be reached:

 [EMAIL PROTECTED] on 11/6/2006 9:08 PM
 Could not deliver the message in the time limit specified. Please retry or contact your administrator.
 MyFrontEnd.Domain.local #4.4.7

 [EMAIL PROTECTED] on 11/6/2006 9:08 PM
 Could not deliver the message in the time limit specified. Please retry or contact your administrator.
 MyFrontEnd.Domain.local #4.4.7

 [EMAIL PROTECTED] on 11/6/2006 9:08 PM
 Could not deliver the message in the time limit specified. Please retry or contact your administrator.
 MyFrontEnd.Domain.local #4.4.7
---

Please suggest what the possible reason is for the same. Do I need to change something from my end (a new connector) or get something changed at remote (Client) end?

Thanks!!!
Ravi Dogra


RE: [ActiveDir] Exchange --NDR--

2006-11-06 Thread Akomolafe, Deji



4.4.7 is "usually" the other server's problem. If you want, I can privately help you verify this, if you send me the domain/ip of the other server in a private (off-list) message.



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Technical Support
Sent: Mon 11/6/2006 8:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange --NDR--


Hi,

I am sending mail to @XYZ.COM and here is the error I am getting. When I do Email ID Verification and MX Record lookup it works fine for xyz.com. Also I am not facing this problem with any other mail id. I am able to send mails to other clients/vendors.

Here is the NDR I am getting.
---
Your message did not reach some or all of the intended recipients.

 Subject: Updated: Undelivered
 Sent: 11/6/2006 6:58 PM

The following recipient(s) could not be reached:

 [EMAIL PROTECTED] on 11/6/2006 9:08 PM
 Could not deliver the message in the time limit specified. Please retry or contact your administrator.
 MyFrontEnd.Domain.local #4.4.7

 [EMAIL PROTECTED] on 11/6/2006 9:08 PM
 Could not deliver the message in the time limit specified. Please retry or contact your administrator.
 MyFrontEnd.Domain.local #4.4.7

 [EMAIL PROTECTED] on 11/6/2006 9:08 PM
 Could not deliver the message in the time limit specified. Please retry or contact your administrator.
 MyFrontEnd.Domain.local #4.4.7
---

Please suggest what the possible reason is for the same. Do I need to change something from my end (a new connector) or get something changed at remote (Client) end?

Thanks!!!
Ravi Dogra


RE: [ActiveDir] Active Directory Health Check tool - where can it run from?

2006-11-01 Thread Akomolafe, Deji
Title: Active Directory Health Check tool - where can it run from?



The tool actually lists out the specific requirements for running it. You just need to read the "default.htm" that is part of the generated report.



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Paul Williams
Sent: Wed 11/1/2006 12:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory Health Check tool - where can it run from?

I assume you are referring to the ADST tool that you get if you're a premier customer and MSFT come and do an AD Healthcheck. As far as I know, this can be run from anywhere (in the domain), as it's really just a bunch of VBS scripts that do ADSI and WMI queries against the DCs. The cool thing is these scripts are wrapped behind a decent GUI.

--Paul


- Original Message - 
From: Washington, Booker 
To: ActiveDir@mail.activedir.org 
Sent: Tuesday, October 31, 2006 10:26 PM
Subject: RE: [ActiveDir] Active Directory Health Check tool - where can it run from?


It is the Active Directory Health Check Snapshot Tool. What exactly is ADRAP? I got a copy from our Forest Admins because I am a child domain of the forest.

The reason that I ask is because I seem to get buggy results when I go from an XP workstation, or a member server, and I wondered if I needed to run it from the DC itself.


Thanks







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, October 31, 2006 5:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Active Directory Health Check tool - where can it run from?



Which tool is this? The AD Snapshot tool that you get from an ADRAP can run from any server.



--brian





From: [EMAIL PROTECTED] on behalf of Washington, Booker
Sent: Tue 10/31/2006 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: Active Directory Health Check tool - where can it run from?


Does that tool need to be run from a Domain Controller, or can it be run from any member server in the Domain, or workstation.
Just curious. 
Thanks 



RE: [ActiveDir] list lastlogontime for every user script

2006-10-27 Thread Akomolafe, Deji



Tool.penetration

Tony took a vacation and this is what this list is turning into

Time to go wash my brains.



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Fri 10/27/2006 9:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

First off... let's go with using the word utility versus tool ;o)

Second off yeah they are pretty popular. I got a lot of pings from various MSFT and other consultant type friends who seem to run into my utilities in the wild pretty regularly. This penetration is greater in the primarily English speaking world (North America, UK, Western Europe, Australia, and militaries of those areas globally) as the utilities are really better targeted at English environments. UNICODE and other special characters (anything with umlauts, etc) are kind of a pain to deal with from the command line. Anyone who has used adfind to output something that has characters like éèà has noticed that to the command line, that ends up looking something like

dn:CN=TestGroupΘΦα,OU=TestOU,DC=joe,DC=com

but if that same output is redirected to a text file via standard redirection it looks like

dn:CN=TestGroupéèà,OU=TestOU,DC=joe,DC=com

and I can assure you adfind is doing nothing different which is the problem. I have worked through some of that with some new routines and that is the V2 versions of AdFind/AdMod I occasionally mention as it will take very radical changes to use the new strings. I have done it with some other code I have written but nothing I have released yet as I am still tinkering with it. Basically I have to try and work out where you are sending the output in order to determine how to output it. 

I have no clue what would happen if you tried to use adfind in an environment with true multibyte characters like say a Chinese edition. I expect it would blow up magnificently. I am curious if even dsquery would work in that environment. 

Doing this in the GUI is immensely easier which sounds odd, most people would tend to think that console apps are easier to write than GUI. I find it just the opposite, GUI is easier for most everything especially character encoding and threaded output but I find the GUI less useful than the console. And with Server Core coming... The joeware stuff will become even more popular as my utilities are very nice console utilities AND they are all FAT-free, err I mean NET-free. ;o) Twice the power, triple the taste, tenth of the calories and actually work on Server Core... 



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, October 27, 2006 10:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] list lastlogontime for every user script

I believe at last count it was way more than half the world was using joe's tool. Likely because it's fast, free, easy to use and the best around. (-;

Well, half the world I tend to live in anyway. 

On 10/27/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: 
I used Joe's tool (no sexual connotation here) because it was easy and fast... never mind, half of the world does it! ;-) ROTFMAO

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Ramon Linan
Sent: Fri 2006-10-27 20:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

Thanks Matt for the script that you sent and thanks Joe for your tool.
I used Joe's tool (no sexual connotation here) because it was easy and fast.
I have just one question, I am getting some users with lastlogontimestamp /00/00-00:00:00; most of them (or all of them) are system users, like the systemmailbox. I bet this is because they never login into the system. This is the command that I used: oldcmp -report -age 90 -users -llts
Is there a way of excluding disabled users from the results?
Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, October 27, 2006 12:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

It isn't, it is randomly calculated every time logonTime is updated.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: mailto:[EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 26, 2006 9:49 PM
To:
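The console-versus-redirect effect joe describes above, as an added example that is not his code or the joeware utilities: assuming the program writes bytes in the Windows ANSI code page (cp1252) while the console window decodes them with the OEM code page (cp437, the classic US default), the same bytes that read "éèà" in a file read "ΘΦα" on screen, and choosing the code page per destination removes the discrepancy. The DN is a constructed sample.

```python
"""Added example (not joe's code or the joeware utilities): why the same
name shows as "ΘΦα" on the console and "éèà" in a redirected file.

Assumptions: the program writes bytes in the Windows ANSI code page
(cp1252 here) while the console renders bytes with the OEM code page
(cp437, the classic US default); the DN below is a constructed sample.
"""
ANSI_CP = "cp1252"  # assumed code page of the emitted bytes
OEM_CP = "cp437"    # assumed code page the console window decodes with

SAMPLE_DN = "CN=TestGroupéèà,OU=TestOU,DC=joe,DC=com"  # constructed


def as_seen_on_console(text: str, ansi: str = ANSI_CP, oem: str = OEM_CP) -> str:
    """Bytes emitted under the ANSI code page, displayed by an OEM console."""
    return text.encode(ansi).decode(oem)


def as_seen_in_file(text: str, ansi: str = ANSI_CP) -> str:
    """The same bytes redirected to a file and opened with the ANSI code page
    round-trip unchanged, which is why the file looks correct."""
    return text.encode(ansi).decode(ansi)


def undo_console_mojibake(shown: str, ansi: str = ANSI_CP, oem: str = OEM_CP) -> str:
    """Recover the real name from a console transcript (reverse the mapping)."""
    return shown.encode(oem).decode(ansi)


def encode_for_destination(text: str, to_console: bool) -> bytes:
    """Pick the code page by destination, the approach joe describes:
    OEM bytes for a console window, ANSI bytes for a redirected file.

    Raises UnicodeEncodeError for text the chosen single-byte code page
    cannot hold (e.g. CJK names) instead of silently substituting '?'.
    """
    return text.encode(OEM_CP if to_console else ANSI_CP)


def representable(text: str, codepage: str) -> bool:
    """True if every character survives a round trip through the code page."""
    try:
        text.encode(codepage)
        return True
    except UnicodeEncodeError:
        return False


if __name__ == "__main__":
    print(as_seen_on_console(SAMPLE_DN))  # CN=TestGroupΘΦα,OU=TestOU,DC=joe,DC=com
    print(as_seen_in_file(SAMPLE_DN))     # CN=TestGroupéèà,OU=TestOU,DC=joe,DC=com
    print(encode_for_destination(SAMPLE_DN, True).decode(OEM_CP))  # correct on screen
    print(representable("CN=测试组", ANSI_CP))  # False: a single-byte page cannot hold it
```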

RE: [ActiveDir] List Groups I'm In?

2006-10-25 Thread Akomolafe, Deji



whoami -group



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Michael B Allen
Sent: Wed 10/25/2006 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] List Groups I'm In?
Was is the easiest way for a user (say on a stock XP client) to list
what groups they're in?

Specifically I'd like the user to be able to just type a command like
'net user list groups' or some such and get a list of NT Account names
for tokenGroups.

Or if there is a dialog somewhere that's good too.

Ideas?

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/



RE: [ActiveDir] List Groups I'm In?

2006-10-25 Thread Akomolafe, Deji



You never mentioned anything about a "product".

Anywhooo, see http://www.rlmueller.net/primary_group.htm, then go see what Richard did in http://www.rlmueller.net/Programs/EnumUserGroups.txt



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Michael B Allen
Sent: Wed 10/25/2006 11:42 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] List Groups I'm In?
On Wed, 25 Oct 2006 10:06:53 -0700
"Free, Bob" [EMAIL PROTECTED] wrote:

  whoami /groups
 
 C:\Admin\Util>where whoami
 C:\Program Files\Support Tools\whoami.exe
 
 Not exacty "stock" but then again I consider Support Tools as an
 essential part of an installation :-)

Well I can't ship that with my product.

I scraped up this VBS script that does the trick.

' Lists the groups a user belongs to through the WinNT provider.
if WScript.Arguments.Count = 0 then
   WScript.Echo "Usage: [cscript|wscript] ListGroups.vbs nETBIOSName/sAMAccountName"
   WScript.Quit 1
end if

' WinNT paths use "/" between domain and account, so accept DOMAIN\user too.
Set UserObj = GetObject("WinNT://" & Replace(WScript.Arguments.Item(0), "\", "/"))
For Each GroupObj In UserObj.Groups
    List = List & GroupObj.Name & vbcrlf
Next
WScript.Echo List

Thanks,
Mike

 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Michael B Allen
 Sent: Wednesday, October 25, 2006 9:47 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] List Groups I'm In?
 
 Was is the easiest way for a user (say on a stock XP client) to list
 what groups they're in?
 
 Specifically I'd like the user to be able to just type a command like
 'net user list groups' or some such and get a list of NT Account names
 for tokenGroups.
 
 Or if there is a dialog somewhere that's good too.
 
 Ideas?
 
 Mike
 
 --
 Michael B Allen
 PHP Active Directory SSO
 http://www.ioplex.com/
 


-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
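Why a direct group listing and a token listing can disagree, which is the point of the primary-group article Deji links to, as an added example that is not code from the thread, whoami or Richard Mueller's scripts: on constructed directory data it compares direct memberships as memberOf records them (where the primary group is absent, being stored only as a RID in primaryGroupID) with the effective set a token carries, which also expands nested groups.

```python
"""Added example (not from the thread, whoami or Richard Mueller's scripts):
why a user's direct group list differs from the groups in their token.

Rules modelled, on constructed directory data: memberOf holds direct
memberships only; the primary group is recorded as a RID in primaryGroupID
and is absent from memberOf; security groups nest, so the token holds the
transitive closure.  Well-known SIDs (Everyone, Authenticated Users) that a
real token also carries are left out.
"""
DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed

# Constructed groups: name -> (RID, direct members, which may be users or groups).
GROUPS = {
    "Domain Users": (513, set()),
    "Helpdesk": (1101, {"alice"}),
    "Workstation Admins": (1102, {"Helpdesk"}),
    "VPN Users": (1103, {"Workstation Admins", "bob"}),
}
# Constructed users: name -> primaryGroupID (a RID; 513 = Domain Users).
USERS = {"alice": 513, "bob": 513}


def direct_groups(user: str) -> set:
    """What memberOf lists: groups naming the user as a direct member."""
    return {g for g, (_rid, members) in GROUPS.items() if user in members}


def primary_group(user: str) -> str:
    """Resolve primaryGroupID to a group name; raises if the RID is unknown."""
    rid = USERS[user]
    for name, (grid, _members) in GROUPS.items():
        if grid == rid:
            return name
    raise LookupError(f"no group with RID {rid}")


def token_groups(user: str) -> set:
    """Effective membership as a token (or tokenGroups) shows it: direct
    groups plus the primary group, expanded through nesting.  The visited
    set makes circular nesting terminate."""
    seen: set = set()
    frontier = direct_groups(user) | {primary_group(user)}
    while frontier:
        group = frontier.pop()
        if group in seen:
            continue
        seen.add(group)
        frontier |= {p for p, (_rid, members) in GROUPS.items() if group in members}
    return seen


def group_sid(name: str) -> str:
    """Domain SID plus the group's RID, the form a token actually carries."""
    return f"{DOMAIN_SID}-{GROUPS[name][0]}"


def missing_from_member_of(user: str) -> set:
    """Groups that grant access yet never appear in the user's memberOf."""
    return token_groups(user) - direct_groups(user)


if __name__ == "__main__":
    for u in USERS:
        print(u, "memberOf:", sorted(direct_groups(u)))
        print(u, "token   :", sorted(token_groups(u)))
```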





RE: [ActiveDir] OT: Jabber and AD authentication

2006-09-28 Thread Akomolafe, Deji



support.Jabber.com



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Brian Desmond
Sent: Thu 9/28/2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Jabber and AD authentication
Assuming it can authenticate against an LDAP source it should work fine
- never done Jabber but they're all about the same when it comes to
this...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Michael Miller
 Sent: Thursday, September 28, 2006 4:42 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Jabber and AD authentication
 
 The powers that be at my site want to implement IM using Jabber and
 would like to leverage our AD for authentication.
 
 We are just starting to think about this.  It's not yet decided if the
 Jabber server will be running on Linux or Windows.
 
 I would imagine several people in this august body would have
 experience
 with this.
 
 I would be interested in your comments before we actually start trying
 to implement something.
 
 TIA,
 
 -mjm
 
 --
 Michael J. Miller
 Computing Services
 College of Veterinary Medicine
 University of Illinois at Urbana-Champaign
 



RE: [ActiveDir] DNS entry won't delete

2006-09-27 Thread Akomolafe, Deji



Sorry for jumping into this in the middle. I've been partially following the thread.

To the OP, have you tried:
Convert the zone from AD-intg to Primary on one DC
Update the server data file on that server (done by r-clicking the zone and clicking "update")
Delete the zone from the other DC.
After that, check system32\dns on the DC where you did the conversion and open up the corresponding in-addr.arpa file in notepad, delete the offending records and save the file.
After that, go back to DNS console and reload the zone file.

If everything looks OK, wait a while to see if the offending entries re-appear. If they don't, then convert the zone back to AD-intg and let it replicate to the other DC.


Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Andrew Cace
Sent: Wed 9/27/2006 7:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS entry won't delete
Hi Bruce,
  Can you find the object using ADSIEDIT?  There are three places you
should check for the DNS zone.  You've already checked DomainDNSZones,
so that leaves the domain partition and the ForestDNSZones partition.
The domain partition should be in adsiedit by default, but you will need
to add ForestDNSZones.  Once you have adsiedit opened, right-click "ADSI
Edit" in the left column, then choose "Connect to".  Choose "Select or
type a Distinguished Name or Naming Context" and enter the dn of your
forestdnszones partition in the text box.  It should look something like
dc=forestdnszones,dc=yourforestroot,dc=com.  Change the value of the
Name field to ForestDNSZones.  Click OK.  You should now have the
ForestDNSZones partition in the left column.

Expand the left column as follows (I'm using 192.168.1.0 as the network
in this example): 
(ForestDNSZones) ForestDNSZones 
DC=ForestDNSZones,DC=yourforestroot,DC=com  CN=MicrosoftDNS 
DC=1.168.192.in-addr.arpa.  
 - OR -
(Domain) Domain  DC=yourdomain,DC=com  CN=System  CN=MicrosoftDNS 
DC=1.168.192.in-addr.arpa

Find the duplicate record.  Right-click it and choose Properties.  Find
the distinguishedName attribute and copy/paste the value into a notepad
window.  In your response to William King, you indicated that the record
reappears immediately when you delete it.  Delete the entire record in
adsiedit.  This should remove the good AND the bad records.  Refresh the
reverse lookup zone and see if it's truly gone.  Get on the machine that
currently has the IP address and force registration using "ipconfig
/registerdns".  Verify, in adsiedit and DNS management, that the record
is correct.  If everything is correct, keep an eye on it for a few hours
and make sure that the bad data doesn't return.

If the bad data does return, you can then plug the record's dn into the
"repadmin /showobjmeta" command to find out when the dnsRecord attribute
was last modified.  Then you can look at the security log on the domain
controller to find out who modified that object at that time.

It's possible that you're not auditing these objects.  If that's the
case, then see http://support.microsoft.com/?id=814595 for details on
how to enable auditing.

Let us know if this works out for you.
 
-Andrew

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Clingaman,
Bruce
Sent: Wednesday, September 27, 2006 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS entry won't delete


The address field is not editable. If I change the host name, the
original entry reappears, then I have two bad entries. 


Bruce Clingaman
Information Technology Department
Pensacola Christian College
850.478.8496 ext. 2198
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Wednesday, September 27, 2006 12:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS entry won't delete

Any chance you can edit the setting so that it points to something not
in your network? (ex. you have a 10.x.x.x network, so you reset it to be
a 192.168.x.x IP)




On 9/26/06, Clingaman, Bruce [EMAIL PROTECTED] wrote:


	My two DCs are Windows 2003 servers, DNS integrated, Primary,
	
	The resiliant entries are from Mac OS X clients and one OS X
server. The
	domain name of the entries are from a domain that was renamed.
	
	
	Bruce Clingaman
	Information Technology Department
	Pensacola Christian College
	850.478.8496 ext. 2198
	[EMAIL PROTECTED]
	
	-Original Message-
	From: [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] 
	[mailto:[EMAIL PROTECTED] On Behalf Of Al
Mulnick
	Sent: Tuesday, September 26, 2006 3:18 PM
	To: ActiveDir@mail.activedir.org
mailto:ActiveDir@mail.activedir.org 
	Subject: Re: [ActiveDir] DNS entry won't delete
	
	Bruce, try the command that Andrew posted and see what 

RE: [ActiveDir] Question about computer role

2006-09-27 Thread Akomolafe, Deji



http://www.rlmueller.net/ComputerRole.htm



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Scott Klassen
Sent: Wed 9/27/2006 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about computer role
Only peripherally related to AD, but with the technical expertise of many
here, I figure someone may have the answer.

I'll try to make this as "Readers-Digest" as possible.

I recently had to re-install SAV on a particular server.  One of the
optional components wasn't showing up.  After pouring through the install
log, googling, and poking into the MSI with ORCA, I figured out why this was
happening.  In the Condition table of the installer, one of the validation
checks for what can and cannot be installed is based upon the computers
"Role" returned by MsiNTProductType.  This is a member server now, but was
previously a DC (Yeah I know, should have been rebuilt, but it happened
before I worked here and we have a LOB app on this machine which is vendor
installed and supported for big $$$.  Lots of custom permissions, files, and
reg entries to make this app function that we have no documentation of.  A
reinstall would not only stop our business until completed, but would cost
us $10K+ in vendor fees).  

I've edited the validation string in the MSI to take out that check and was
then able to install the option I wanted.  Of course, the next
version/update will have that string back in again and I don't care to have
to custom edit the MSIs in future for this one machine.

I'm looking for two things:

1)  Some way of querying against MsiNTProductType on the machine so that I
can see the results.  I'm guessing that it is returning 500-2 (W2K DC), but
would like to verify.  Been googling around, but haven't had any luck so
far.

2)  If the problem is that the machine thinks that it is still a DC, a
(hopefully) non-disruptive method of changing this information on the
machine to return 500-3 (w2k server).  AD believes this machine is a member
server and there is no remnants in AD of this box once being a DC, so it's
is definitely a setting on the local machine.  I've had one suggestion to
try disjoining and rejoining this machine from the domain to possibly fix
this, but would prefer another method if possible due to the vendor app
issue listed above.

Scott Klassen  






RE: [ActiveDir] I'm Baaaaaaack!

2006-09-21 Thread Akomolafe, Deji



Yikes! Is it Halloween yet?



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Rick Kingslan
Sent: Thu 9/21/2006 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] I'm Baaack!
Be afraid  Be very afraid!  :-)



Rick




RE: [ActiveDir] I'm Baaaaaaack!

2006-09-21 Thread Akomolafe, Deji



Not according to my birth certificate.

See anything "random" here: Dèjì Akómöláfé? Me neither ;-p



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Thu 9/21/2006 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I'm Baaack!

Random is Deji's middle name. :)



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, September 21, 2006 3:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I'm Baaack!

:) all this is very random


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 21, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I'm Baaack!


Yikes! Is it Halloween yet?



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Rick Kingslan
Sent: Thu 9/21/2006 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] I'm Baaack!
Be afraid  Be very afraid!  :-)



Rick




RE: [ActiveDir] different version of R2 available?

2006-09-20 Thread Akomolafe, Deji



I think there is just one version of the R2 CD. The main CD (CD1) has Standard, Enterprise and Datacenter flavors, but the contents of CD2 look the same to me.



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Thommes, Michael M.
Sent: Wed 9/20/2006 3:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] different version of R2 available?


My officemate and I were discussing whether there are different versions of the R2 CD depending on whether you're running Server 2003 Standard or Server 2003 Enterprise. Or is there only one version of R2? TIA!

Mike Thommes


RE: [ActiveDir] DNS zones expiring

2006-09-15 Thread Akomolafe, Deji



Yes, I would. From parent to the child DNS server. Then create a Primary or AD-int child zone on the child DNS server. It's a KISS factor.





From: HBooGz
Sent: Fri 9/15/2006 6:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS zones expiring
Thanks Al. I will monitor the link and check to see if any latency or packet loss occurs and, if so, whether it coincides with the zone expiring. What about the second part of the question? Would you recommend DNS delegation?
On 9/15/06, Al Mulnick [EMAIL PROTECTED] wrote: 

From what I've seen, the timeout can also be attributed to the transfer failing for whatever reason. If, during the transfer the entire zone is not copied, then you hit an error. This sounds like some network issues or you're behind in your patching. Have you verified that there are no network issues going on? Maybe a saturated network link? Dropped packets? High latency between the servers? I've seen similar issues with DNS servers. In my case they were network related, but it's odd that they drop and don't come back. Might be a good time to verify that your patches are up to date on those machines. 

On 9/15/06, HBooGz [EMAIL PROTECTED] wrote: 

Thanks for the feedback. I can definitely telnet to both servers interchangeably and netstat works as it should. I have the "allow all servers listed under nameservers" selected for zone transfers -- I might just change that to specific IP addresses. When I reload, that works fine; the problem is the zone expires on its own without any pattern and I have to manually reload. Needless to say, not very efficient. I'm open to other ways to architect the DNS structure for a single parent with a single child. What are the "recommended" steps for this type of DNS setup? Domain delegation? All AD-integrated?

On 9/14/06, Akomolafe, Deji  [EMAIL PROTECTED] wrote: 




Here's what I'd do:

Ensure that there is no NATting going on between the 2 DNS servers. Verify this by doing something like "telnet PrimaryDNSServer 53" from the secondary server and then going to the Primary server and doing "netstat |find ":53" and making sure that you could see the real IP address of the secondary server on the list. 

If that checks out, then I'd:
Go to the DNS console on the Primary server and verify that the secondary server is on the list of servers allowed to transfer that particular zone.

If that checks out, then I'd:
Attempt a manual transfer at the secondary server by going to the DNS console on the secondary server, right-clicking on the zone and selecting "Reload from master" first. If that fails, then I'd try "Transfer from master". 

If that fails, then I'd pray very hard, then enable DNS logging, then pray some more and open up the log file after a while. Then I'd post back here with whatever is interesting. 







From: HBooGz
Sent: Thu 9/14/2006 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS zones expiring

No worries, I don't take offense easily... =)

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 6527
Date: 9/14/2006
Time: 10:08:04 AM
User: N/A
Computer: PHMAINDC1
Description:
Zone jacwf.phippsny.org expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


On 9/14/06, Akomolafe, Deji [EMAIL PROTECTED] wrote: 






I guess if you have "Widows", then someone must have "expired" :)[1]

What is the exact error message?

[1] Please don't take offense. I'm just in a laughing mood :)







From: HBooGz
Sent: Thu 9/14/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS zones expiring



Hey All -

I've set up the child domain DNS zones as primary (not AD-Integrated). On the parent Domain Controllers/DNS servers I've added that zone as a secondary zone. I've noticed this DNS setup has worked better for me in the past than a full AD-Integrated setup. After migrating over to Widows 2003, every 

RE: [ActiveDir] Strange password issue

2006-09-15 Thread Akomolafe, Deji



Paul, did you try this?





From: Paul Williams
Sent: Fri 9/15/2006 12:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

Not really, as it's now 512 and can't get to that state without a password meeting complexity.


--Paul

- Original Message - 
From: Akomolafe, Deji 
To: ActiveDir@mail.activedir.org 
Sent: Friday, September 15, 2006 4:52 AM
Subject: RE: [ActiveDir] Strange password issue


I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account.

It's a feasible scenario, no?





From: joe
Sent: Thu 9/14/2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if you have an account that is created by default (i.e. no UAC specified), it will be 546. If you specify 544 it will still create and it will allow a blank password. 

If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is 

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"


A blank password does not have a hash, the system knows it is blank. 

You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd.

So current or past setting of UAC has no bearing on this problem. 



This could occur in four ways that I can think of (in order of likelihood) and speak about:

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared

2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain

3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection. 

4. The raw DIT was modified. 


 joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


PWD_NOT_REQ is 32.

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
 DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully



C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
 DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.conn
oa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform


ERROR: Too many errors encountered, terminating...

The command did not complete successfully


--Paul






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to c
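As an added example (not part of the thread, and not joe's or Paul's code), the rule joe describes above in Python: decode a userAccountControl value into its flags, check whether a proposed value would be accepted for an account with a blank password under a minimum-length policy, and split the extended error admod printed into its fields. The flag values are the documented ADS_USER_FLAG constants; the acceptance check is a simplified model of the DS behaviour the thread describes, not the DS code, and the function names are the example's own.

```python
"""userAccountControl / blank-password rule from the thread, as a model."""
import re

# userAccountControl bits used in the thread (ADS_USER_FLAG_ENUM values)
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

UAC_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}

ERROR_PASSWORD_RESTRICTION = 0x52D  # winerror.h, decimal 1325

# Shape of the string admod -exterr prints, e.g.
# "052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0"
EXT_ERR_RE = re.compile(
    r"^(?P<win32>[0-9A-Fa-f]{4,8}): (?P<kind>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"problem (?P<problem>\d+) \((?P<pname>\w+)\), data (?P<data>\d+)$"
)


def decode_uac(value):
    """Names of the known bits set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_NAMES.items()) if value & bit]


def check_uac_change(proposed, has_password, min_pwd_length):
    """Return None if the change is accepted, else the Win32 error code.

    Rule from the thread: an account may only END UP enabled with PASSWD_NOTREQD
    cleared if it has a real password or the domain has no minimum length policy.
    The previous UAC value plays no part, which is why the sequence 546 -> 544 -> 512
    fails at the last step and not before.
    """
    enabled = not (proposed & ACCOUNTDISABLE)
    password_required = not (proposed & PASSWD_NOTREQD)
    if enabled and password_required and not has_password and min_pwd_length > 0:
        return ERROR_PASSWORD_RESTRICTION
    return None


def walk_uac_path(path, has_password, min_pwd_length):
    """Apply UAC values in order; return (last accepted value, rejected value or None)."""
    current = None
    for proposed in path:
        if check_uac_change(proposed, has_password, min_pwd_length) is not None:
            return current, proposed
        current = proposed
    return current, None


def parse_extended_error(text):
    """Split an AD extended error string into fields; win32 and problem as ints."""
    m = EXT_ERR_RE.match(text.strip())
    if not m:
        raise ValueError("not an AD extended error: %r" % text)
    return {
        "win32": int(m["win32"], 16),
        "kind": m["kind"],
        "dsid": m["dsid"],
        "problem": int(m["problem"]),
        "problem_name": m["pname"],
        "data": int(m["data"]),
    }


if __name__ == "__main__":
    # Paul's sequence: create with 544, then try 512 with a blank password
    print(decode_uac(546))
    print(walk_uac_path([544, 512], has_password=False, min_pwd_length=7))
    print(parse_extended_error(
        "052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0"))
```

walk_uac_path([546, 544, 512], False, 7) stops at 512, and [546, 514, 512] also stops at 512: clearing PASSWD_NOTREQD while disabled goes through, enabling is what the DS refuses, exactly as joe describes.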

RE: [ActiveDir] Strange password issue

2006-09-15 Thread Akomolafe, Deji



OK. The account under discussion is "512". Had to refresh my brains because I just took your 1-4 bullet points and said, uh-uh, there is a way to have an enabled password-less account. Granted it won't be "512" and will be useless, it is still enabled.

Sorry, Paul.




From: joe
Sent: Fri 9/15/2006 7:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The account is currently 512... You can't get there with a blank password without 1-4.

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm





RE: [ActiveDir] RPC Over HTTPS Problem....

2006-09-15 Thread Akomolafe, Deji



In addition to what Robert is saying, take a look at http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3RPCHTTPDep/0849cb53-f1f9-419b-bb74-82bc010e247f.mspx?mfr=true

There are many things that can be responsible for this failure, and you need to selectively eliminate each.





From: Robert Rutherford
Sent: Fri 9/15/2006 5:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RPC Over HTTPS Problem
Hi Ravi,

The certificate does need to match the name of the site... i.e.
mail.comp.com. If it doesn't then it won't work. There are numerous
reasons why it fails but that is the first.

Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331   
F:+44 (0) 8456 440 332   
M:+44 (0) 7974 249 494   
E:[EMAIL PROTECTED] 
W:www.quostar.com   

 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: 16 September 2006 01:36
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] RPC Over HTTPS Problem

Hi Bob,

Can you please explain how it should be, because I think I have
something wrong here related to the certificate.

Thanks
Ravi Dogra


On 9/16/06, Robert Rutherford [EMAIL PROTECTED] wrote:

 The usual issue with that is that the URL you are connecting to matches
 the name on the cert.

 This must match on internal and external, i.e. you must use split brain
 or you must config your firewall to accept that connection on the WAN
 interface.

 Rob

 Robert Rutherford
 QuoStar Solutions Limited


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
 Sent: 16 September 2006 00:00
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] RPC Over HTTPS Problem

 Hi,

 I am facing a weird problem. Here is some required information.

 Frontend - Backend Structure.
 Exchange with SP2 on Win2k3 SP1 on all Servers.
 FE1 and BE1 are on a different site,
 BE2 is on my Site.
 Configured RPC Over Https on Frontend Server. OWA (SSL) is working fine.

 Now here is the situation:-
 I have configured my client for RPC over Https. When the client machine
 tries to establish a connection with my Exchange Server it prompts me
 for User Name and Password.

 When I am providing my credentials it is not accepting them and keeps
 prompting me for the same.

 Also while doing this, when I use Ctrl + Right click on the Outlook icon on
 the right side of the taskbar and then select Connection, it never shows me
 established. It remains on Connecting and tries to connect to my BE2
 server where my mailbox resides.

 What could be the possible reason for this? If any other information
 is required please let me know.


 --
 Ravi Dogra



-- 
Ravi Dogra
9899647200
This e-mail, together with any attachments, is confidential. It may be
read, copied and used only by the intended recipient. If you have
received it in error, please notify the sender immediately by e-mail
or telephone. Please then delete it from your computer without making
any copies or disclosing it to any other person.
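An added example, not from the thread and not Robert's or Ravi's code: Robert's point is that the name the client connects to must appear on the certificate, inside and outside. The Python below does that check against the dict shape ssl.SSLSocket.getpeercert() returns, with a constructed certificate for mail.comp.com (the thread's example name; the other host names and the function names are assumed), and a helper that pulls the certificate from a live server with chain validation still on so only the name check is done here.

```python
"""Does the certificate cover the host name the RPC-over-HTTPS client uses?"""
import socket
import ssl


def _name_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive, one leftmost whole-label wildcard."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if len(plabels) != len(hlabels) or len(plabels) < 3:
        return False                      # refuse "*.com" style patterns
    if plabels[0] != "*" or any("*" in lbl for lbl in plabels[1:]):
        return False                      # only a bare leftmost "*" is accepted
    return plabels[1:] == hlabels[1:]


def cert_dns_names(cert):
    """Names the certificate is valid for: SAN dNSNames, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_matches_hostname(cert, hostname):
    return any(_name_matches(name, hostname) for name in cert_dns_names(cert))


def explain(cert, hostname):
    """One-line verdict for a troubleshooting log."""
    names = ", ".join(cert_dns_names(cert)) or "no DNS name"
    if cert_matches_hostname(cert, hostname):
        return "OK: %s is covered by the certificate (%s)" % (hostname, names)
    return "MISMATCH: client uses %s but the certificate is for %s" % (hostname, names)


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Pull the server certificate. Chain validation stays on; only Python's own
    host-name check is switched off so explain() can report the mismatch itself."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificate in getpeercert() shape (not a real certificate)
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.comp.com"),),),
    "subjectAltName": (("DNS", "mail.comp.com"), ("DNS", "autodiscover.comp.com")),
}

if __name__ == "__main__":
    # The internal FE host name (assumed) fails; the published name succeeds
    for host in ("mail.comp.com", "MAIL.COMP.COM.", "exchfe1.comp.local"):
        print(explain(SAMPLE_CERT, host))
```

Run explain() once with the name Outlook is configured with for the external proxy and once with the name used on the LAN; both have to come back OK, which is what Robert's split-brain DNS or firewall advice achieves.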



RE: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-14 Thread Akomolafe, Deji



Glad I could help ;)





From: Matt Hargraves
Sent: Thu 9/14/2006 8:00 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.
I think we discovered the problem... things were just locked down a *tad* too much.
On 9/13/06, Akomolafe, Deji [EMAIL PROTECTED] wrote: 




Look at your default recipient policy. What's set there? Just curious.





From: Matt Hargraves
Sent: Wed 9/13/2006 8:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.


Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers; the rest (that also aren't working) are having accessibility issues to OWA (though they can still access their mailbox through Outlook). 


On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote: 






On W2000 running OWA on a DC this was an issue; that is the only case I know of. What are the issues you're having?


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 10:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.






We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid. 



On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:





No it wouldn't. Why are you giving an IWAM account access to a remote machine?


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.




Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the "Log on locally" right for an OU if I can do it with a more simple command. I'll try just about anything :)

Thanks,
Matt



On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote:





And if you think about it they couldn't: if you have two DCs running IIS they both have IUSR and IWAM accounts in AD, so the SIDs have to be different. 



Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 12, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.




Matt-
I don't think these accounts have well-known SIDs, so I'm not sure that's going to help. You can easily verify using psgetsid from Sysinternals. I checked a couple of accounts here (though they were domain accounts) and they were not well-known SIDs. 

Darren

Darren Mar-Elia

For comprehensive Windows Group Policy Information, check out http://www.gpoguy.com/ -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.
I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc. I believe that this account has a common SID; if I simply do a browse for the account on one machine, will it resolve to the SID and apply the setting for all accounts, or is there another way to do this (like specifying "Builtin\Administrator" would work for the builtin Administrator account) no matter what the name happens to be on a local machine? 
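An added example (not Darren's, Brian's or Matt's code): classify SIDs the way a user-rights entry in a GPO sees them, which shows why BUILTIN\Administrators (S-1-5-32-544) can be written once for every server while an IWAM_<server> account cannot. The well-known SIDs and RIDs are the documented Windows values; the GptTmpl.inf line, the domain SID in it and the function names are constructed for the example.

```python
"""Which principals in a user-rights assignment mean the same thing on every server?"""
import re

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

# Fixed SIDs: identical on every machine and in every domain
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "LOCAL SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}
# Well-known relative IDs: same RID everywhere, but prefixed by each domain's own SID
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins"}
FIRST_ALLOCATED_RID = 1000   # IUSR_/IWAM_ and every other created account start here


def parse_sid(sid):
    """Return (identifier authority, [sub-authorities]) for an S-1-... string."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID string: %r" % sid)
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")[1:]]


def classify_sid(sid):
    """Return (kind, name, stable); stable means 'same principal on every machine'."""
    if sid in WELL_KNOWN_SIDS:
        return "well-known", WELL_KNOWN_SIDS[sid], True
    authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:   # S-1-5-21-a-b-c-RID
        rid = subs[-1]
        if rid in WELL_KNOWN_RIDS:
            return "well-known RID", WELL_KNOWN_RIDS[rid], False
        if rid >= FIRST_ALLOCATED_RID:
            return "allocated account", None, False
        return "reserved RID", None, False
    return "other", None, False


def parse_privilege_right(line):
    """Split one [Privilege Rights] entry of a GptTmpl.inf into (right, entries).
    SIDs are stored with a leading '*'; entries without it are left as names."""
    right, _, value = line.partition("=")
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("*"):
            kind, name, stable = classify_sid(item[1:])
            entries.append({"sid": item[1:], "kind": kind, "name": name, "stable": stable})
        else:
            entries.append({"sid": None, "kind": "name", "name": item, "stable": False})
    return right.strip(), entries


def unstable_entries(line):
    """Entries that will NOT resolve to the same account on every server the GPO hits."""
    _, entries = parse_privilege_right(line)
    return [e["name"] or e["sid"] for e in entries if not e["stable"]]


# Constructed template line: Administrators plus two IWAM accounts of one domain
SAMPLE_LINE = ("SeInteractiveLogonRight = *S-1-5-32-544,"
               "*S-1-5-21-1000000000-2000000000-3000000000-1106,"
               "*S-1-5-21-1000000000-2000000000-3000000000-1107,CONTOSO\\IWAM_SERVER3")

if __name__ == "__main__":
    print(classify_sid("S-1-5-32-544"))
    print(unstable_entries(SAMPLE_LINE))
```

SeInteractiveLogonRight is the "Log on locally" right from the thread; only the first entry of the sample line is stable, the three IWAM entries each name one specific account, which is Brian's point about the SIDs having to differ.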






RE: [ActiveDir] DNS zones expiring

2006-09-14 Thread Akomolafe, Deji



I guess if you have "Widows", then someone must have "expired" :)[1]

What is the exact error message?

[1] Please don't take offense. I'm just in a laughing mood :)





From: HBooGz
Sent: Thu 9/14/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS zones expiring
Hey All -

I've set up the child domain DNS zones as primary (not AD-Integrated). On the parent Domain Controllers/DNS servers I've added that zone as a secondary zone. I've noticed this DNS setup has worked better for me in the past than a full AD-Integrated setup. After migrating over to Widows 2003, every day I get an event log message on the parent DNS server log indicating that the child domain's zone has expired and I have to manually reload. Any ideas? Help? Suggestions?

Thanks,
-- 
HBooGz:\ 


RE: [ActiveDir] DNS zones expiring

2006-09-14 Thread Akomolafe, Deji



Here's what I'd do:

Ensure that there is no NATting going on between the 2 DNS servers. Verify this by doing something like "telnet PrimaryDNSServer 53" from the secondary server and then going to the Primary server and doing "netstat |find ":53" and making sure that you could see the real IP address of the secondary server on the list.

If that checks out, then I'd:
Go to the DNS console on the Primary server and verify that the secondary server is on the list of servers allowed to transfer that particular zone.

If that checks out, then I'd:
Attempt a manual transfer at the secondary server by going to the DNS console on the secondary server, right-clicking on the zone and selecting "Reload from master" first. If that fails, then I'd try "Transfer from master".

If that fails, then I'd pray very hard, then enable DNS logging, then pray some more and open up the log file after a while. Then I'd post back here with whatever is interesting.





From: HBooGz
Sent: Thu 9/14/2006 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS zones expiring
No worries, I don't take offense easily... =)

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 6527
Date: 9/14/2006
Time: 10:08:04 AM
User: N/A
Computer: PHMAINDC1
Description:
Zone jacwf.phippsny.org expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
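An added example, not from the thread and not Deji's procedure in code form: his first two checks (telnet to port 53, then netstat on the master) are done by hand. The Python below performs the same TCP/53 reachability test in code by sending a SOA query to the master over TCP, the transport AXFR uses, parses the refresh/retry/expire timers out of the reply, and works out how long the secondary has before Event 6527 fires. Everything is standard library; the server and zone names in the sample are assumed, and build_soa_response exists only to construct an offline reply to test against.

```python
"""SOA over TCP/53: the connectivity check plus the timers behind zone expiry."""
import socket
import struct

QTYPE_SOA, QCLASS_IN = 6, 1


def _encode_name(name):
    """Wire-format labels for a dotted name, uncompressed."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def _read_name(msg, off):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def build_soa_query(zone, txid=0x1234):
    """Standard query (RD=1) with one SOA question for the zone."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def parse_soa_response(msg):
    """Return the SOA fields from the answer section; raise on RCODE or no SOA."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                           # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SOA:
            mname, p = _read_name(msg, off)
            rname, p = _read_name(msg, p)
            serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[p:p + 20])
            return {"name": name, "ttl": ttl, "mname": mname, "rname": rname,
                    "serial": serial, "refresh": refresh, "retry": retry,
                    "expire": expire, "minimum": minimum}
        off += rdlen
    raise ValueError("no SOA record in the answer")


def build_soa_response(zone, mname, rname, serial, refresh, retry, expire, minimum,
                       txid=0x1234):
    """Constructed reply for offline use: what a master would send for the query."""
    question = build_soa_query(zone, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    rdata = _encode_name(mname) + _encode_name(rname) + struct.pack(
        "!IIIII", serial, refresh, retry, expire, minimum)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answer


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("master closed the connection early")
        data += chunk
    return data


def query_soa_tcp(server, zone, port=53, timeout=5.0):
    """SOA over TCP, not UDP: AXFR/IXFR run over TCP, so a NAT device or filter that
    only passes UDP/53 shows up here as a connect or read failure."""
    query = build_soa_query(zone)
    with socket.create_connection((server, port), timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", _recv_exact(sock, 2))[0]
        return parse_soa_response(_recv_exact(sock, length))


def seconds_until_expiry(soa, last_good_transfer, now):
    """Seconds before the secondary shuts the zone down (negative: already expired)."""
    return soa["expire"] - (now - last_good_transfer)


if __name__ == "__main__":
    # Live use (assumed names): soa = query_soa_tcp("childdc1.child.example.com", "child.example.com")
    sample = build_soa_response("child.example.com", "childdc1.child.example.com",
                                "hostmaster.child.example.com", 2006091401, 900, 600, 86400, 3600)
    print(parse_soa_response(sample))
```

If query_soa_tcp fails with a timeout while UDP lookups against the same master work, that is the NAT or filtering problem Deji's telnet test is meant to expose; if it succeeds but expire is short compared with how often the parent's secondary actually manages a transfer, the daily 6527 is simply the SOA timers doing what they say.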


RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread Akomolafe, Deji



Yes. You run Mac. LOL





From: joe
Sent: Thu 9/14/2006 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

I run as local admin and have zero issues with spyware? Coincidence?

;o)


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Thursday, September 14, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware


Nobody runs as a local administrator. We have zero issues with spyware. Coincidence?


From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware


Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated. 

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]




RE: [ActiveDir] Strange password issue

2006-09-14 Thread Akomolafe, Deji



I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account.

It's a feasible scenario, no?





From: joeSent: Thu 9/14/2006 5:25 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if you have an account that is created which by default (i.e. no UAC specified)will be 546. If you specify 544 it will still create and it will allow a blank password. 

If you have an account with 546 (disables, pwdnotrqed) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To PerformExtended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is 

F:\DEV\cpp\AdModerr 52d# for hex 0x52d / decimal 1325 : ERROR_PASSWORD_RESTRICTION winerror.h# Unable to update the password. The value provided for the# new password does not meet the length, complexity, or# history requirement of the domain.# 1 matches found for "52d"


A blank password does not have a hash, the system knows it is blank. 

You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd.

So current or past setting of UAC has no bearing on this problem. 



This could occur infour ways that I can think of (in order of likelihood) and speak about

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared

2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain

3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection. 

4. The raw DIT was modified. 


 joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


PWD_NOT_REQ is 32.

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
 DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully



C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
 DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform


ERROR: Too many errors encountered, terminating...

The command did not complete successfully


--Paul






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length. 


RE: [ActiveDir] List archive

2006-09-14 Thread Akomolafe, Deji



yes





From: David Adner
Sent: Thu 9/14/2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] List archive



Anyone else getting timeouts trying to get to the list archive URL?

http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] OT: Management Solutions

2006-09-13 Thread Akomolafe, Deji



At what point you're better off going with something like Shavlik or Patchlink?

For a 1700 users environment, WSUS will do.

What do they give you that WSUS doesn't?
They do give you some bells and whistles, but you will have to download a trial version of each, install them and compare. Then you ask, do you NEED all the other things the other products give you, and is it worth the money you have to pay for those other things? Or, do you like free, even if you have to do some work?



But we're not sure how to architect the whole thing (how many servers, layers, and where; what's the cutoff point: bandwidth, # of users?).
It's difficult to sit here and answer this query for you. It depends on your environment, structure, policies, etc.


So we're not sure how we can do this, with so many patches MS puts out every Tuesday
You mean every second Tuesday of every month? That too much for you?

without going insane! 
Since you are in healthcare, this should not be an issue, right? I mean, going insane is par for the course for any sys admin, but you are surrounded by healthcare professionals, so you are in good hands :)


Anybody out there had to deal with similar issues?
Yes. Believe it or not, you are not alone. Nobody is out to get you. We all have to go through similar things.




From: Alex Alborzfard
Sent: Wed 9/13/2006 6:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions


What is the largest environment WSUS can be deployed in effectively? At what point are you better off going with something like Shavlik or Patchlink?
What do they give you that WSUS doesn't?
We're trying to put in place a patch management solution for a company that's midsize (~1700 users), but with offices scattered all over the world.
But we're not sure how to architect the whole thing (how many servers, layers, and where; what's the cutoff point: bandwidth, # of users?).

The other issue is the industry we're in: healthcare. We're constantly audited and for every single task we have to test, write validation and justification.
So we're not sure how we can do this, with so many patches MS puts out every Tuesday, without going insane! And this is just for desktops; servers are a whole different ball of wax.

Anybody out there had to deal with similar issues?


Alex




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, September 11, 2006 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I use WSUS for patching in some decent size places. My strategy has been to combine a variety of free products into a single system; I've gotten good at it and I've also written glue when I need to. My overall feeling is that I get more flexibility just gluing things together than with a single baked product.


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Monday, September 11, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I agree with Brian that Ghost does tend to be the front runner for imaging (IMHO). I've tested and used many but Ghost is a mature product which does what it says on the tin. You'll be surprised how forgiving it is and how much you can do with varying software and hardware with a little work.

In terms of helpdesk, well, it's a minefield and a road I have travelled many times. I have actually found that most of the time it's actually easier to get a dev guy to come in and build a system which actually meets your requirements. I have found this to be cheaper (most of the time) in the larger organisations as every organisation has different SLAs, contracts, processes, methods, etc.

I just recommend going onto sourceforge.net and typing helpdesk initially. This should get you going and you may find something that suits your needs or something you can amend to fit. Yes, you can go for the bigger boys, i.e. Hornbill, but you'll pay for it. Have a sniff around and see what fits your requirements.

In terms of patch deployment I do like Patchlink. It will give you patch deployment across most applications with good reporting. You also get software and hardware inventory included in the price.

Cheers,

Rob 
Robert Rutherford QuoStar Solutions Limited 
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E:  [EMAIL PROTECTED] W:  http://www.quostar.com/ 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: 11 September 2006 20:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I have a lot of experience using Ghost for all of that but 

RE: [ActiveDir] Isolating a DC

2006-09-13 Thread Akomolafe, Deji



I worry that if I isolate it with IPSEC, what tells Exchange don't ever try that DC again

You should read http://support.microsoft.com/kb/250570/ then





From: Lucas, Bryan
Sent: Wed 9/13/2006 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Isolating a DC


I should probably expand on my reasoning. 

We have 5 DCs now with 2 of them in a separate physical location (same campus) so we do have plenty of redundancy and performance. 

My issue is I have an account provisioning system that synchronizes various directories including AD. It generates a *ton* of entries in the Security Log. I also have some other apps/appliances that generate some logs as well. Our policy is to collect and archive all DC security logs. If I just don't collect the logs from that DC but I don't isolate it, then I can potentially miss legitimate security logs.

I worry that if I isolate it with IPSEC, what tells Exchange don't ever try that DC again. Seems like it would introduce delay while the application/user workstation learns that DC is unavailable.

Thanks,


Bryan Lucas
Server Administrator
Texas Christian University




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 9:26 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Isolating via site will still leave the DC available in case of emergencies (your authentication DCs go down), whereas IPSec makes them completely unavailable for any purposes for clients. I've actually never heard of anyone doing this and would consider it a very bad idea unless you have significant redundancy in your 'normal' environment. BTW, from a Microsoft presentation a little over a year ago, they have 4 Exchange server sites, only 1 of them (Redmond) isolates their DCs from authentication and reserves it for Exchange, the other 3 use their Exchange (a *very* DC/GC intensive app) servers for authentication also. Site is only a logical separation. IPSec might as well be a physical barrier. Unless there is a serious reason why you would rather have none of your clients to be able to authenticate instead of authenticating against these DCs (as I said, in case of an emergency), then you should probably avoid putting a IP filter on these boxes. If you isolate via site, then the only way that clients are going to authenticate against them is if all DCs are down in their site, which since you're a single physical site org, means that all of the authentication DCs are down, which is probably a more serious problem than "OMG, a (gasp) *user* authenticated against my application DC". 

On 9/13/06, Lucas, Bryan [EMAIL PROTECTED] wrote:
Thanks to all for the responses. This (isolating via ipsec) is probably the right direction for me. We're a single site, single domain at a single physical location, but the idea of building another site isn't appealing from a "keep it simple" perspective.

Are there any technical reasons why a separate site would be better than isolation through IPSec? Will I cause clients/apps, who initially don't know they are denied, delays when they try to access the ipsec isolated DC?

Bryan Lucas
Server Administrator
Texas Christian University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James Eaton-Lee
Sent: Wednesday, September 13, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Akomolafe, Deji wrote:
> I highly recommend that you read http://www.windowsitpro.com/articles/print.cfm?articleid=37935
> Then, as a fall-back option, look for the isolation using IPSec whitepapers on Microsoft site. I can't find them now, but I know that they exist. They show you how to restrict communication with a specific server or network using IPSec.

I think what you're referring to is the excellent "Server and Domain Isolation using IPSec" content, at:
http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

If all you're looking for is host-based firewalling, however, there's other content online that'll explain this a little more concisely, such as this presentation from the Virginia Tech Windows Users Group:
http://vtwug.w2k.vt.edu/pdf/w2k_ipsec_firewall.pdf#search=%22using%20ipsec%20as%20a%20firewall%22

And also "Using IPSec to Lock Down a Server" from technet:
http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx

Hope that helps!

- James.

--
James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org/
Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)
sites: https://www.bsrf.org.uk/ ~ http://www.security-forums.com/
ca: https://www.cacert.org/index.php?id=3

List info : http://www.activedir.org/List.aspx
List FAQ:

RE: [ActiveDir] Specifying builtin accounts in GPO settings.

2006-09-13 Thread Akomolafe, Deji



Look at your default recipient policy. What's set there? Just curious.





From: Matt Hargraves
Sent: Wed 9/13/2006 8:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.
Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers, the rest (that also aren't working) are having accessability issues to OWA (though they can still access their mailbox through Outlook). 
On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote: 




On W2000 running OWA on a DC this was an issue; only case I know of. What are the issues you're having?


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 10:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.




We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid. 

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:



No it wouldn't. Why are you giving an IWAM account access to a remote machine?


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.


Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the "Log on locally" right for an OU if I can do it with a more simple command. I'll try just about anything :)

Thanks,
Matt

On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote:



And if you think about it they couldn't; if you have two DCs running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be different.



Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 12, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.


Matt-
I don't think these accounts have well-known SIDs, so I'm not sure that's going to help. You can easily verify using psgetsid from Sysinternals. I checked a couple accounts here (though they were domain accounts) and they were not well-known SIDs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out http://www.gpoguy.com/ -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.
I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc I believe that this account has a common SID, if I simply do a browse for the account on one machine, will it resolve to SID and apply the setting for all accounts, or is there another way to do this (like specifying "Builtin\Administrator" would work for the builtin Administrator account) no matter what the name happens to be on a local machine? 




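Darren's and Brian's point above (IWAM_/IUSR_ accounts have no well-known SID, so one GPO entry cannot cover them on every server, whereas BUILTIN\Administrator can be referenced generically) comes down to what a SID encodes. The following is an added Python example, not code from the list; it classifies SIDs by whether they are identical everywhere (well-known), fixed by RID inside every domain or machine (such as RID 500), or unique per account (RID 1000 and above, which is what the IWAM_ accounts get). The SIDs in SAMPLES are constructed.

```python
"""Classify Windows SIDs for the "builtin accounts in GPO settings" question.

Added example; not from the list. Sample SIDs are constructed.
"""

import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Subset of the well-known SIDs from Microsoft's reference; these are the same
# on every machine, so a single GPO entry covers them everywhere.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# RIDs below 1000 are reserved; the same RID means the same principal in every
# domain or machine SID (S-1-5-21-<id>-<id>-<id>-<RID>), so it is predictable.
FIXED_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
              513: "Domain Users"}


def is_sid(text):
    """True when text is syntactically a SID string."""
    return bool(SID_RE.match(text))


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>...' into (authority, [sub-authorities])."""
    if not is_sid(sid):
        raise ValueError("not a SID: " + sid)
    parts = sid.split("-")
    return int(parts[2]), [int(p) for p in parts[3:]]


def classify_sid(sid):
    """Return (kind, label) with kind in well-known, fixed-rid, per-account, other."""
    authority, subs = parse_sid(sid)
    if sid in WELL_KNOWN:
        return "well-known", WELL_KNOWN[sid]
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[-1]
        if rid < 1000:
            return "fixed-rid", FIXED_RIDS.get(rid, "RID %d" % rid)
        # Ordinary accounts such as IWAM_<server> get RIDs allocated from 1000
        # upward, so every machine's IWAM_ account has a different SID.
        return "per-account", "RID %d" % rid
    return "other", ""


def referencable_generically(sid):
    """True when one GPO entry identifies this principal on every machine."""
    return classify_sid(sid)[0] in ("well-known", "fixed-rid")


# Constructed examples: BUILTIN\Administrators, a built-in Administrator, and
# the IWAM_ account of two different servers (the machine ids are made up).
SAMPLES = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-21-1234567890-1234567890-1234567890-500": "SERVER1\\Administrator (constructed)",
    "S-1-5-21-1234567890-1234567890-1234567890-1005": "SERVER1\\IWAM_SERVER1 (constructed)",
    "S-1-5-21-2222222222-2222222222-2222222222-1007": "SERVER2\\IWAM_SERVER2 (constructed)",
}


def summary():
    """Map each sample principal to its classification."""
    return {name: classify_sid(sid)[0] for sid, name in SAMPLES.items()}


if __name__ == "__main__":
    for sid, name in SAMPLES.items():
        kind, label = classify_sid(sid)
        print("%-48s %-12s %s" % (sid, kind, name if not label else label))
```

Running psgetsid against the IWAM_ account on two servers, as Darren suggests, gives the last two shapes: same S-1-5-21 prefix only when both accounts live in the same domain (as Brian notes for DCs), and a different RID in either case, which is why the GPO needs one entry per account.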

RE: [ActiveDir] Isolating a DC

2006-09-12 Thread Akomolafe, Deji



I highly recommend that you read http://www.windowsitpro.com/articles/print.cfm?articleid=37935

Then, as a fall-back option, look for the isolation using IPSec whitepapers on Microsoft site. I can't find them now, but I know that they exist. They show you how to restrict communication with a specific server or network using IPSec.





From: Lucas, Bryan
Sent: Tue 9/12/2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Isolating a DC


I'd like to isolate a DC from regular user authentication. I only want certain applications/processes using it. Obviously it will need to replicate with the other DCs. I don't have an interface on the firewall to use, so I would probably have to do something software based on the DC itself. Any recommendations on what to read, how to isolate it and what ports are required?

Bryan Lucas
Server Administrator
Texas Christian University



RE: [ActiveDir] Seperate forest migration notes

2006-09-08 Thread Akomolafe, Deji



Yes. Try doing file://computername/c$ to a few of the computers in question. If you can't connect, you have a firewall issue. If you can connect, but can log in with the account you are using for the migration, you have a permission issue. Those 2 tests must pass before you can do any migration.





From: Danny
Sent: Fri 9/8/2006 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperate forest migration notes
Thanks - I will try that out. Also, do you know if the Windows firewall needs any exceptions for the computer migration component to function?
On 9/8/06, Chong Ai Chung [EMAIL PROTECTED] wrote: 


You can add your account to administrators group on all computers using restricted group in GPO.

http://support.microsoft.com/Default.aspx?kbid=279301

On 9/9/06, Danny [EMAIL PROTECTED] wrote: 

I found some more information, however, in the "Before using ADMT v3" help document included with ADMT, it states that the account that I am running ADMT with must be a member of the administrators group on all computers that I want to migrate. How would I accomplish this? Thanks,
...D

On 9/5/06, Danny [EMAIL PROTECTED] wrote: 

Thank you, Al! I will provide an updated outline of our plan based on your suggestions. One question, though: Does anyone know what ADMT v3 is not capable of migrating in the environment I outlined?

On 8/29/06, Al Mulnick [EMAIL PROTECTED] wrote: 


Overall, that's pretty good for the plan. If you haven't already seen it, there's a migration cookbook available on Microsoft's website. Some things to pay attention to: name resolution for the clients - it's important :) Trust configurations - if a recent enough version, there are some security components that you'll want to be aware of - specifically quarantine and SID filtering. Be sure those are configured appropriately for your environment.

Order of migration: 
Be sure to understand the impacts of the order that you migrate the users. I don't know enough about the versions of Exchange, but it would make sense to move the users after or before you move the mailboxes. All the users or all the mailboxes pretty much. If you try to do both at the same time, it can be difficult to troubleshoot and you'll slow your migration down trying to chase the issues.

That leads to expectations: 
Be sure that nobody expects to stay in the partially-migrated state for very long while you chase down integration issues. Once you start, be prepared to sprint to the finish line. Co-existence sucks. No doubts about that. If you try to continue on with migration and coexistence and new projects and...etc you'll be torn to the winds. Your best bet is to continue to push regardless of the issues once you begin (post pilot of course). 

Did I mention name resolution? That's important, so I don't mind mentioning it twice. 

Planning is your friend when it comes to migrations. 

I imagine that Guido might chime in here. I hear he's done this once or twice. :)

On 8/29/06, Danny [EMAIL PROTECTED] wrote: 

A company was acquired. Separate 2000/2003 forest, now a two-way trust exists, but we are looking at migrating their users, mailboxes, computers, and servers into our forest. Working on a plan to test moving a user, mailbox, computer, and server into our forest.

Plan:
Select test users and computers
Install ADMT
Test user migration via ADMT
Test computer migration via RDP manually or script (must locate)
Test mailbox migration via Exchange Migration Wizard
Login as user and test services/access

Am I missing anything? Any tips?

Thanks,
...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


RE: [ActiveDir] Seperate forest migration notes

2006-09-08 Thread Akomolafe, Deji



BTW, here's how I add the ADMT account to the relevant admin groups before the known good "Restricted Group" option was invented. If you find out that "Restricted Group" is not working for you, try the script option.





From: Danny
Sent: Fri 9/8/2006 1:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperate forest migration notes
I found some more information, however, in the "Before using ADMT v3" help document included with ADMT, it states that the account that I am running ADMT with must be a member of the administrators group on all computers that I want to migrate. How would I accomplish this? Thanks,
...D


RE: [ActiveDir] Seperate forest migration notes

2006-09-08 Thread Akomolafe, Deji



Ugh! I wish they would invent a computerish thingamabob that reads your mind and paste the link you are thinking :0.

Here's the sample script.
http://www.akomolafe.com/Portals/1/add-to-loc-grp.txt





From: Akomolafe, Deji
Sent: Fri 9/8/2006 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate forest migration notes




RE: [ActiveDir] Strange password issue

2006-09-06 Thread Akomolafe, Deji



It is possible to programmatically create an account that bypasses the password length policy. The password not required flag will let you enable the account with blank password, in contravention of your password policy.




From: Tom Kern
Sent: Wed 9/6/2006 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

This is a domain account.

To rehash-

The Default Domain Policy is set to min password length - 6 characters.
This was created 2 years ago and never changed.
User account is a domain account created a month ago.
It was bought to my attention that the user can log in with no password.
I confirmed.
The userAccountControl attribute of the user object was set to 512(not that i'm certain if setting the passwd_notreqd overrides the DDP).
The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote: 



Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account? 

Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue


If you mean before the policy was set up, then, no.
This policy has been in effect for a couple of years and the account was created a month ago.

Maybe the PC is not getting the Default Domain Policy?


On 9/6/06, Williams, Robert mailto:[EMAIL PROTECTED] wrote: 




Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect? 

Robert Williams




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue



I'm having this weird issue where I have a user account who is able to log in with a blank password.

The Default Domain Policy is set to a min password length of 6 characters.

The userAccountControl on the user is set to 512.



The Domain is at win2k3 DFL and FFL.



Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?




Thanks
2006-09-06, 11:32:05
The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer. 




RE: [ActiveDir] more DNS questions

2006-09-06 Thread Akomolafe, Deji



Do you have a zone called "rev" in your sub.domain.com fwd lookup zone?

If not, I want to say that the requestor didn't quite explain what he needs properly. The in-addr.arpa tag that you see is standard for reverse entries. Unless you are doing something fancy in your environment, that's what you'd typically use. Creating CNAMEs in reverse lookup zones for vanity domains is ... shall we say exotic.





From: Ramon Linan
Sent: Wed 9/6/2006 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] more DNS questions
Hi,

I have 2 internal DNS servers and 2 external DNS servers. 
We are delegating the subdomain sub.domain.com to another server in the
same building that is managed by the Unix guys. We have also given them
16 ip address in the range x.y.z.65-80

One of their SA is asking me to update the reverse RR for several
records in this way.

x.y.z.67 CNAME 67.z.y.x.rev.sub.domain.com  


But when I go to our dns server all I find for the reverse zone is
something like.

z.y.x.in-addr.arpa, so when I tried to create a cname record there I get
something like 67.z.y.x.in-addr.arpa instead of
67.z.y.x.rev.sub.domain.com  

How can I get what this dude is asking me to do??? Do I need to create a
reverse zone for that subdomain?

Thanks
Rezuma
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
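What the Unix SA is describing is a CNAME-based reverse delegation of the 16 addresses, the technique RFC 2317 lays out for ranges smaller than a /24: the owner name of each record stays in z.y.x.in-addr.arpa (which is why the console showed 67.z.y.x.in-addr.arpa), and only the record's target points into rev.sub.domain.com, the forward-zone name the Unix team controls, where they keep the PTRs themselves. The example below is added here and is not from the thread; it builds both halves of such a delegation and walks a lookup through them. 192.0.2.0/24 (the documentation range) stands in for x.y.z, and the host names are made up.

```python
"""Build and resolve a CNAME-based reverse delegation for 16 addresses of a /24.

Added example, not from the mailing-list thread. The parent reverse zone
(2.0.192.in-addr.arpa here, standing in for z.y.x.in-addr.arpa on the AD DNS
server) holds one CNAME per delegated address; each points at a name of the
same shape under rev.sub.domain.com, where the delegated team keeps the PTRs.
Host names are invented.
"""

PREFIX = "192.0.2"              # stands in for x.y.z
TARGET_ZONE = "rev.sub.domain.com"


def reverse_labels(ip):
    """'192.0.2.67' -> '67.2.0.192'."""
    return ".".join(reversed(ip.split(".")))


def parent_cnames(prefix, first, last, target_zone):
    """Records the in-addr.arpa zone owner adds for the delegated range."""
    records = []
    for host in range(first, last + 1):
        labels = reverse_labels(f"{prefix}.{host}")
        records.append((f"{labels}.in-addr.arpa.", "CNAME", f"{labels}.{target_zone}."))
    return records


def child_ptrs(prefix, hosts, target_zone):
    """Records the delegated team keeps in target_zone; hosts maps last octet -> FQDN."""
    records = []
    for host, fqdn in sorted(hosts.items()):
        labels = reverse_labels(f"{prefix}.{host}")
        records.append((f"{labels}.{target_zone}.", "PTR", fqdn))
    return records


def lookup_ptr(ip, *record_sets, max_chain=8):
    """Resolve ip's PTR by following CNAMEs across the given record tables.

    Returns None when the chain dead-ends or exceeds max_chain hops.
    """
    table = {owner: (rtype, rdata)
             for rs in record_sets for owner, rtype, rdata in rs}
    name = f"{reverse_labels(ip)}.in-addr.arpa."
    for _ in range(max_chain):
        entry = table.get(name)
        if entry is None:
            return None
        rtype, rdata = entry
        if rtype == "PTR":
            return rdata
        if rtype != "CNAME":
            return None
        name = rdata            # follow the alias into the delegated zone
    return None


# Constructed data: the delegated range x.y.z.65-80 from the thread, and two
# hosts the Unix team has registered in their zone.
PARENT = parent_cnames(PREFIX, 65, 80, TARGET_ZONE)
CHILD = child_ptrs(PREFIX, {67: "unixbox1.sub.domain.com.",
                            70: "unixbox2.sub.domain.com."}, TARGET_ZONE)

if __name__ == "__main__":
    for rec in PARENT[:3] + CHILD:
        print("\t".join(rec))
    print(lookup_ptr("192.0.2.67", PARENT, CHILD))
```

On the Windows side this means adding, in the existing z.y.x.in-addr.arpa zone, an alias whose name is the last octet (67) and whose target is the full name 67.z.y.x.rev.sub.domain.com; no new reverse zone is needed on your server, but the Unix team's server must be authoritative for rev.sub.domain.com (it is, since sub.domain.com is delegated to them) and must hold the PTRs, or resolvers will get a CNAME that leads nowhere.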



RE: [ActiveDir] Is a Global Security group being used?

2006-09-06 Thread Akomolafe, Deji



Try Hyena. I believe that it has the option to report on ACLs and list the relevant users/groups





From: Figueroa, Johnny
Sent: Wed 9/6/2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

The tough one... being used in resource ACLs


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, September 06, 2006 10:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

What do you mean by "being used"? Are you referring to it being in resource ACLs? Nested into other groups?

Laura



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Wednesday, September 06, 2006 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is a Global Security group being used?

Does anyone have a way to determine if a domain global group is being used?. Will auditing on the DCs tell me this?

Thanks in advance.

Johnny Figueroa


RE: [ActiveDir] Strange password issue

2006-09-06 Thread Akomolafe, Deji



If it's 512, then that pwd not req is not true.





From: Al Mulnick
Sent: Wed 9/6/2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue
From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length. 
On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote: 


This is a domain account.

To rehash-

The Default Domain Policy is set to min password length - 6 characters.
This was created 2 years ago and never changed.
User account is a domain account created a month ago.
It was brought to my attention that the user can log in with no password.
I confirmed.
The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP).
The domain/forest is at w2k3 FL.

Thanks


On 9/6/06, Laura A. Robinson mailto:[EMAIL PROTECTED] wrote: 



Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account? 

Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue


If you mean before the policy was set up, then, no.
This policy has been in effect for a couple of years and the account was created a month ago.

Maybe the PC is not getting the Default Domain Policy?


On 9/6/06, Williams, Robert mailto:[EMAIL PROTECTED] wrote: 




Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect? 

Robert Williams




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue



I'm having this weird issue where I have a user account who is able to log in with a blank password.

The Default Domain Policy is set to a min password length of 6 characters.

The userAccountControl on the user is set to 512.



The Domain is at win2k3 DFL and FFL.



Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?




Thanks
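The two points Deji makes across this thread are that an account can be created programmatically with the "password not required" flag and then enabled with a blank password regardless of the minimum-length setting, and that a userAccountControl of exactly 512 means that flag is not set on this particular object. The example below is added here and is not from the thread: it decodes userAccountControl values, gives the LDAP filter that finds every user with the bit set, and runs that check over a csvde-style export. The flag values are the documented userAccountControl bits; the export rows and account names are constructed.

```python
"""Decode userAccountControl and list accounts that may carry a blank password.

Added example, not from the mailing-list thread. Flag values are the documented
userAccountControl bits; SAMPLE_EXPORT is constructed sample data.
"""
import csv
import io

# Documented userAccountControl bits (subset relevant to password handling).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
PASSWD_NOTREQD = 0x0020

# LDAP bitwise-AND matching rule (1.2.840.113556.1.4.803): matches every user
# object with the 0x20 bit set, whatever else is set alongside it.
LDAP_FILTER_NOTREQD = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=32))"
)


def decode_uac(value):
    """Names of all known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def blank_password_allowed(value):
    """True when PASSWD_NOTREQD is set: the DC then accepts an empty password
    for this object irrespective of the domain's minimum-length setting."""
    return bool(value & PASSWD_NOTREQD)


# Constructed csvde-style export (csvde -l sAMAccountName,userAccountControl).
SAMPLE_EXPORT = """\
sAMAccountName,userAccountControl
tkern,512
svc-backup,544
jdoe,66048
migrated-user,66080
"""


def find_notreqd(export_text):
    """Return (sAMAccountName, uac, flag names) for every row with PASSWD_NOTREQD set."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        uac = int(row["userAccountControl"])
        if blank_password_allowed(uac):
            hits.append((row["sAMAccountName"], uac, decode_uac(uac)))
    return hits


if __name__ == "__main__":
    for name, uac, flags in find_notreqd(SAMPLE_EXPORT):
        print(f"{name}: userAccountControl={uac} ({', '.join(flags)})")
```

To run the same check against the live directory, the filter string can be handed to dsquery (`dsquery * domainroot -filter "<filter>" -attr sAMAccountName userAccountControl`) or used as the -r argument to csvde; 544 is the value to expect on a plain user account that has had the flag set, and 66080 on one that also has a non-expiring password, which is a common signature of accounts created by a migration or provisioning tool.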




RE: [ActiveDir] NTFRS - Journal Wrap Errors

2006-09-06 Thread Akomolafe, Deji



how old is the offline DC? Does the online DC have a LOT of things (beside FSMO) that you need to sync with the offline DC? I mean, are there a lot of objects that have been created on the online DC that have not been replicated to the offline?

IF all you want to do is transfer FSMO, I'd just turn off this problematic DC, bring up the offline (known good) DC and do a FSMO roles seizure.

If you still want to go through journal wrap troubleshooting, let us know. I have a couple of references to give you. You can also search this list's archives because journal wrap has been discussed to death here on several occasions.





From: Aaron Burg
Sent: Wed 9/6/2006 10:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTFRS - Journal Wrap Errors

Hi-

I am new to the list and was hoping someone could help with an ugly situation I was brought in to clean up:

I am working with a W2K native mode domain with only ONE active domain controller (W2K SP4). There is a second DC, but it was brought on-line after the journal wrap errors (Event 13568) began and has never replicated sysvol (doesn't even exist on the box). It appears AD and such are working with the new DC... just not NTFRS. 

The original DC does have sysvol and appears to be working to authenticate clients as normal. I need to get the journal wrap errors resolved so I can bring the second DC on-line, transfer FSMO roles and get the old box rebuilt since it doesn't even have redundant drives - Yikes! 

Everything I have read says to do a D2 non-authoritative restore, but since I only have the one DC, where would it restore from? I have run an NT backup of c:\ and system state to try and get some comfort, but still am afraid of making matters worse. 

Any suggestions/recommendations would be very much appreciated...I would like to get this cleaned up this week!

Thanks so much,
Aaron
[EMAIL PROTECTED]


RE: [ActiveDir] NTFRS - Journal Wrap Errors

2006-09-06 Thread Akomolafe, Deji



two recommendations:

1] don't mention that you have a "second DC" anymore because you don't appear to have a good "second DC" at all. The one you have does not sound reliable, so don't introduce it into the environment again.

2] follow Susan's recommendation. Post back if it doesn't work for you.





From: Aaron Burg
Sent: Wed 9/6/2006 10:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTFRS - Journal Wrap Errors

Thanks for the reply. I did see some of the topics covering this, but they all seemed to cover situations where there were several DCs functioning.

The newer DC was built about 1 year ago, but it never synced correctly and was powered down for over 60 days at a time. Since this is a very small, basic setup, there are no fancy or custom GPs or special groups. The problem is that no one really knows much about the infrastructure since so many people have hacked at it over the past 2 years. 

Since the offline DC has never fully replicated with the original one, at what point in the seizure does it create its own sysvol?

I would prefer to resolve the journal issue if possible. My confusion is how to do it without a good DC to restore from?

Thanks again,
Aaron
On 9/6/06, Akomolafe, Deji [EMAIL PROTECTED] wrote: 




how old is the offline DC? Does the online DC have a LOT of things (beside FSMO) that you need to sync with the offline DC? I mean, are there a lot of objects that have been created on the online DC that have not been replicated to the offline? 

IF all you want to do is transfer FSMO, I'd just turn off this problematic DC, bring up the offline (known good) DC and do a FSMO roles seizure.

If you still want to go through journal wrap troubleshooting, let us know. I have a couple of references to give you. You can also search this list's archives because journal wrap has been discussed to death here on several occasions. 





From: Aaron Burg
Sent: Wed 9/6/2006 10:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTFRS - Journal Wrap Errors


Hi-

I am new to the list and was hoping someone could help with an ugly situation I was brought in to clean up:

I am working with a W2K native mode domain with only ONE active domain controller (W2K SP4). There is a second DC, but it was brought on-line after the journal wrap errors (Event 13568) began and has never replicated sysvol (doesn't even exist on the box). It appears AD and such are working with the new DC... just not NTFRS. 

The original DC does have sysvol and appears to be working to authenticate clients as normal. I need to get the journal wrap errors resolved so I can bring the second DC on-line, transfer FSMO roles and get the old box rebuilt since it doesn't even have redundant drives - Yikes! 

Everything I have read says to do a D2 non-authoritative restore, but since I only have the one DC, where would it restore from? I have run an NT backup of c:\ and system state to try and get some comfort, but still am afraid of making matters worse. 

Any suggestions/recommendations would be very much appreciated...I would like to get this cleaned up this week!

Thanks so much,
Aaron
[EMAIL PROTECTED]


RE: OT - RE: [ActiveDir] W. in hell

2006-09-03 Thread Akomolafe, Deji



Nah, it looks more like the sender mistook this list for some other lists. On other lists, this would have engendered a more rapid-fire flame war to the sender's satisfaction, even though the joke itself is very old and has outlived its useful shelf life.

I'm sure he's disappointed that this list is so geeky and full of maroons with no sense of humors.





From: Laura A. Robinson
Sent: Sun 9/3/2006 5:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: OT - RE: [ActiveDir] W. in hell
Okay, has anybody considered the possibility that this was an accident? I
know I've accidentally sent mail to the wrong addresses before by letting
autofill kick in an not paying attention to what actually got autofilled,
and this seems like a very strange thing to send to this list intentionally.

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
 Sent: Sunday, September 03, 2006 8:49 AM
 To: ActiveDir@mail.activedir.org
 Subject: OT - RE: [ActiveDir] W. in hell
 
 Yup and this list (especially with no OT marking) is the 
 place for that right?
 
 Bring it to an OT list, mark your postings that have no 
 bearing on technical matter with an OT or something. 
 
 Otherwise, you're just another spammer
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Brandon Pierce
 Sent: Sunday, September 03, 2006 1:14 AM
 To: Brandon Pierce
 Subject: [ActiveDir] W. in hell 
 
 George Bush has a heart attack and dies.  He goes to hell, 
 where the Devil is waiting for him.
  
 "I'm not sure what to do," says the Devil.  "You're on my 
 list, but I have no room for you.  As you definitely have to 
 stay here, I'm going to have to let someone else go.  I've 
 got three folks here who weren't quite as bad as you.
  
 I'll let you decide who leaves."
  
 George thought that sounded pretty good, so he agreed.
  
 The Devil opened the first room.  In it were Richard Nixon 
 and a large pool of hot water.  He kept diving in and 
 climbing out, over and over.  Such was his fate in hell.
  
 "No!" said George.  "I don't think so, I'm not a good swimmer 
 and don't think I could stay in hot water all day."
  
 The Devil led him to the next room.  In it was Tony Blair 
 with a sledgehammer and a room full of rocks.  All he did was 
 swing the hammer, time after time.
  
 No! I've got this problem with my shoulder.  I would be in 
 constant agony if all I could do was break rocks all day." 
 commented George.
  
 The Devil opened the third door.  In it, George saw Bill 
 Clinton lying on the floor with his arms staked over his 
 head, and his legs staked in a spread-eagle pose.  Bent over 
 him was Monica Lewinsky, doing what she does best.
  
 George Bush looked at this in disbelief for a while, and 
 finally said "Yeah, I can handle this."
  
 The Devil smiled and said, "OK, Monica, you're free to go!"
 
 
 
 




RE: [ActiveDir] DNS DOCUMENTATION

2006-09-01 Thread Akomolafe, Deji



This doesn't do anything positive for him regarding his particular concerns. He is publishing internal records to the public.

I have seen some people argue that it is not a big deal to expose internal addresses/records unless the addresses are routable. Me? I say it is bad to mix your internal and external records on the same server. Unless you don't have a choice in terms of hardware limitations, you should split your internal and external zones. Ideally, you would want your internal domain name to be different from your external domain name. But, where that is not possible, use different servers for the DNS service. Point your internal servers and clients to the internal DNS servers and make sure that these are the only name servers listed in your DHCP and on the "Name Server" tab of the zone. Then, remove all internal records from the external DNS servers and make sure that these are the only servers listed externally at the Registrar for the domain.





From: Scott, Anthony
Sent: Fri 9/1/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS DOCUMENTATION


All you should have to do is create an A record named www, point it to the internal IP of your web server. This will create an A record of www.domain.com



Thanks,
Anthony Scott
Microsoft Consultant
Mobile 616-481-9722 | Desk 616-464-6369 | [EMAIL PROTECTED]



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Friday, September 01, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS DOCUMENTATION

HI,

I have one of my client that has AD integrated DNS.

The internet domain is the same that the AD domain. (domain.com)
They have ns1 and ns2 to handle the internet domain, meaning mx, www, A ,etc records for domain.com, those are the external DNS servers.
And they also have several internal dns servers for AD.

The thing is I am able to query ns1 and ns2 from outside the office and find out everything for the domain, global catalogs, DC, etc

Is this the correct way to do it?
Anybody knows a good white paper or similar that deals with AD integrated DNS, internal and external dns, etc?


Thanks

Rezuma
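Ramon's finding (the Internet-facing ns1/ns2 answer for the global catalogs and DCs) is the concrete symptom of the mixed internal/external zone Deji describes. The example below is added here and is not from the thread: it scans a zone export and reports the two kinds of records that have no business on the external servers, the AD DC-locator SRV and _msdcs records and any A record pointing at an RFC 1918 address. The zone text is constructed, with 203.0.113.0/24 standing in for the client's public range and 10.1.1.5 for an internal DC.

```python
"""Flag records in an Internet-facing zone that reveal Active Directory internals.

Added example, not from the mailing-list thread. Walks a zone export and reports
AD locator records (_ldap, _kerberos, _kpasswd, _gc service names and anything
under _msdcs) plus A records that point at RFC 1918 space. SAMPLE_ZONE is
constructed data.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AD_SERVICE_LABELS = ("_ldap.", "_kerberos.", "_kpasswd.", "_gc.")


def parse_zone(text):
    """Yield (owner, type, rdata fields) from 'owner IN TYPE rdata...' lines."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[1].upper() != "IN":
            continue
        yield parts[0], parts[2].upper(), parts[3:]


def is_ad_locator(owner):
    """DC locator names: AD service prefixes, or anything in the _msdcs subtree."""
    low = owner.lower()
    return low.startswith(AD_SERVICE_LABELS) or "_msdcs." in low


def is_rfc1918(text):
    """True for an IPv4 literal inside one of the private ranges."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def find_leaks(zone_text):
    """Return (owner, type, reason) for records that belong only on internal DNS."""
    findings = []
    for owner, rtype, rdata in parse_zone(zone_text):
        if is_ad_locator(owner):
            findings.append((owner, rtype, "AD locator record published externally"))
        elif rtype == "A" and is_rfc1918(rdata[0]):
            findings.append((owner, rtype,
                             f"A record points at non-routable address {rdata[0]}"))
    return findings


# Constructed: what domain.com looks like when ns1/ns2 also carry the AD data.
SAMPLE_ZONE = """\
; domain.com as served to the Internet
www.domain.com.                   IN A    203.0.113.10
mail.domain.com.                  IN A    203.0.113.25
domain.com.                       IN MX   10 mail.domain.com.
dc1.domain.com.                   IN A    10.1.1.5
gc._msdcs.domain.com.             IN A    10.1.1.5
_ldap._tcp.dc._msdcs.domain.com.  IN SRV  0 100 389 dc1.domain.com.
_kerberos._tcp.domain.com.        IN SRV  0 100 88 dc1.domain.com.
_gc._tcp.domain.com.              IN SRV  0 100 3268 dc1.domain.com.
"""

if __name__ == "__main__":
    for owner, rtype, reason in find_leaks(SAMPLE_ZONE):
        print(f"{rtype:4} {owner:36} {reason}")
```

The live equivalent of this scan, from a host outside the office, is a query such as `nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.com ns1.domain.com` (or `dig @ns1.domain.com _ldap._tcp.dc._msdcs.domain.com SRV`); an answer means the external servers are still carrying the AD records, and after the split described above the same query should return nothing while it still succeeds against the internal servers.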



RE: [ActiveDir] DNS DOCUMENTATION

2006-09-01 Thread Akomolafe, Deji



Couldn't make the con-call.

But we have been asking for this for some time now. Do you have any shareable info on what MS is doing along that line?





From: joe
Sent: Fri 9/1/2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS DOCUMENTATION

Heh, this was a topic on a MSFT concall yesterday... BIND 9 supports multiple views on zones based on external/internal (or other definitions) requests... Cuts down on the number of DNS servers required. 

http://www.oreillynet.com/pub/a/oreilly/networking/news/views_0501.html

http://transposed.org/techstuff/bind9-win2k.html

or better (depending on your viewpoint[1])

http://info.ccone.at/INFO/FreeBSD-Manual/en/network-bind9.html


:)


[1] B.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, September 01, 2006 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS DOCUMENTATION


This doesn't do anything positive for him regarding his particular concerns. He is publishing internal records to the public.

I have seen some people argue that it is not a big deal to expose internal addresses/records unless the addresses are routable. Me? I say it is bad to mix your internal and external records on the same server. Unless you don't have a choice in terms of hardware limitations, you should split your internal and external zones. Ideally, you would want your internal domain name to be different from your external domain name. But, where that is not possible, use different servers for the DNS service. Point your internal servers and clients to the internal DNS servers and make sure that these are the only name servers listed in your DHCP and on the "Name Server" tab of the zone. Then, remove all internal records from the external DNS servers and make sure that these are the only servers listed externally at the Registrar for the domain.





From: Scott, Anthony
Sent: Fri 9/1/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS DOCUMENTATION


All you should have to do is create an A record named www, point it to the internal IP of your web server. This will create an A record of www.domain.com



Thanks,
Anthony Scott
Microsoft Consultant
Mobile 616-481-9722 | Desk 616-464-6369 | [EMAIL PROTECTED]



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Friday, September 01, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS DOCUMENTATION

HI,

I have one of my client that has AD integrated DNS.

The internet domain is the same that the AD domain. (domain.com)
They have ns1 and ns2 to handle the internet domain, meaning mx, www, A ,etc records for domain.com, those are the external DNS servers.
And they also have several internal dns servers for AD.

The thing is I am able to query ns1 and ns2 from outside the office and find out everything for the domain, global catalogs, DC, etc

Is this the correct way to do it?
Anybody knows a good white paper or similar that deals with AD integrated DNS, internal and external dns, etc?


Thanks

Rezuma



RE: [ActiveDir] Logging successful logons in AD security log

2006-08-31 Thread Akomolafe, Deji



I can say that I have seen logs way bigger than the specified max size. I can't say it's hurt the servers in any way.





From: Glenn Corbett
Sent: Thu 8/31/2006 2:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log
Interesting.
 
from the article: "Microsoft plans to resolve these problems in the next version of Windows by rewriting the event logging system from the ground up." Since the last update was Mar 28 2003, I wonder how this applies to Windows 2003 R2 and the 64-bit versions of Windows, or if this will only be fixed in Longhorn.
 
Glenn
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, 31 August 2006 7:20 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log


Does everyone know this recommendation from Microsoft?

On Windows XP, member servers, and stand-alone servers, the combined size of
the application, security, and system event logs should not exceed 300 MB.
On domain controllers, the combined size of these three logs - plus the
Directory Service, File Replication Service, and DNS Server logs - should
not exceed 300 MB.

http://technet2.microsoft.com/WindowsServer/en/library/5a86ab0f-c7eb-45ed-9e5e-514173bf15e31033.mspx?mfr=true

Mark





From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Date: Wed, 30 Aug 2006 20:07:29 -0700
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log

Ask the PSS security guys and they want success and failure. Only 
having half the story... is only half the story

Buy bigger harddrives and archive.

Sitton Glen E wrote:
 I don't know that there is a 'general consensus' because everyone's
 business needs differ. My environment has around 100K users and you're
 right, there's a ridiculously high volume of logon events. We set the
 security log size very high on the domain controllers, and collect and
 clear the security logs several times per day using a
 commercially-available "fancy log management system." We don't allow
 the security logs to rollover. The eventlog management software gives
 us an impressive battery of audit reports, and a compressed eventlog
 repository that we archive for FISMA compliance.

 I'm sure our uncompressed event log archive is well above 1TB per year.
 But we realize about a 20:1 compression using the commercial software.

 Your options may be limited by legal requirements that may govern the
 audit logs of your business or organization. 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
 Joseph
 Sent: Wednesday, August 
