RE: [ActiveDir] OT: How to find non-primary SMTP addresses?
Were the answers along the lines of "it can't be done"? http://www.akomolafe.com/Portals/1/Write%20out%20the%20SMTP%20Addresses%20of%20users%20OR%20Groups.txt

YMWV

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
"Do you now realize that Today is the Tomorrow you were worried about Yesterday?" -anon

From: Michael B. Smith
Sent: Thu 1/25/2007 5:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: How to find non-primary SMTP addresses?

I'm guessing you didn't like the answers you got on the exchange list?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Thursday, January 25, 2007 6:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses for every Exchange user? I can't seem to find a way via csvde, but maybe I'm doing something wrong. Thanks again.
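One way to get at the non-primary addresses from a csvde export, added here as an example that is not part of the thread or of the linked script: it parses a constructed csvde CSV, splits the semicolon-joined proxyAddresses cell back into addresses (re-attaching the fragments of an X.400 address, which itself contains semicolons), and keeps only the lowercase "smtp:" entries, since the single uppercase "SMTP:" entry is the primary address. The column names and sample users are assumptions for the example.

```python
import csv
import io
import re

# Constructed sample of a csvde export (not data from the list post). csvde
# writes a multi-valued attribute as one cell with ';' between the values.
SAMPLE_CSVDE = """DN,sAMAccountName,proxyAddresses
"CN=Stu Packett,OU=Users,DC=domain,DC=local",spackett,"SMTP:stu.packett@domain.local;smtp:spackett@domain.local;smtp:stu@oldco.com;X400:c=US;a= ;p=Domain;o=Exchange;s=Packett;g=Stu;"
"CN=No Mailbox,OU=Users,DC=domain,DC=local",nomail,
"CN=Jane Doe,OU=Users,DC=domain,DC=local",jdoe,"smtp:jane@domain.local;SMTP:jane.doe@domain.local"
"""

# A proxy address starts with its type and a colon: SMTP:, smtp:, X400:, X500: ...
_TYPE_PREFIX = re.compile(r"^[A-Za-z0-9]+:")


def split_proxy_addresses(cell):
    """Split a csvde multi-value cell back into individual proxy addresses.

    csvde joins the values with ';', but X.400 addresses contain ';' themselves,
    so a fragment that does not start with a 'TYPE:' prefix is glued back onto
    the value before it instead of being treated as a new address.
    """
    values = []
    for fragment in cell.split(";"):
        if not fragment:
            continue
        if _TYPE_PREFIX.match(fragment):
            values.append(fragment)
        elif values:
            values[-1] += ";" + fragment
    return values


def secondary_smtp(addresses):
    """Return the non-primary SMTP addresses from a list of proxy addresses.

    Exchange marks the one primary (reply) address with an upper-case 'SMTP:';
    every other SMTP entry ('smtp:') is a secondary address.
    """
    secondary = []
    for address in addresses:
        addr_type, _, value = address.partition(":")
        if addr_type.lower() == "smtp" and addr_type != "SMTP":
            secondary.append(value)
    return secondary


def non_primary_smtp_by_user(csvde_text):
    """Map sAMAccountName -> secondary SMTP addresses, skipping users without any."""
    result = {}
    for row in csv.DictReader(io.StringIO(csvde_text)):
        addresses = split_proxy_addresses(row.get("proxyAddresses") or "")
        secondary = secondary_smtp(addresses)
        if secondary:
            result[row["sAMAccountName"]] = secondary
    return result


if __name__ == "__main__":
    for user, addresses in non_primary_smtp_by_user(SAMPLE_CSVDE).items():
        print(user, ", ".join(addresses))
```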
RE: [ActiveDir] Question about DNS SRV registration.
Read http://www.netpro.com/forum/files/authentication_topology.pdf

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Yann
Sent: Tue 1/23/2007 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about DNS SRV registration.

Hello all and happy new year :-),

Say:
- Site A with DCa, which is also DNS (AD-integrated).
- Site B, which is a new site. My goal: dcpromo a new DC (DCb) in site B. DCb will also be DNS (AD-integrated).
- DCa and DCb belong to the same domain (domain.local). My AD is in W2K3 FFL mode.

In order to add the new DCb to the existing domain.com, DCb is a DNS client of DCa. When dcpromo is finished, I configured:
- DCb as DNS client for itself
- DCa as secondary DNS server for DCb.

Everything looks good... BUT: when clients in site B ask for all DCs in site B (with the netlogon process), DCb returns DCb and DCa!

An nslookup with set type=srv for _ldap._tcp.siteB._sites.domain.local shows the 2 DCs:
- DCa.domain.local
- DCb.domain.local

When I search in the DNS console, I find that DCa is still present in site B. I think this is due to the fact that DCb's NIC allows dynamic update and thus dynamically records DCa's SRV records. The only way I found to avoid DCb returning DCa to clients in site B is to delete the SRV records for DCa in DNS (site B).

Question: what is the best practice to avoid DCb returning DCa to clients, and where in the process am I wrong?

Thanks,
Yann
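A way to check the symptom Yann describes, added here as an example that is not part of the thread: it parses a constructed nslookup SRV transcript for the site-specific _ldap record and compares each advertised DC against a constructed DC-to-site map, so a DC answering for a site it is not a member of stands out before clients in that site start authenticating to it over the WAN. The hostnames, addresses and site names are assumptions for the example.

```python
import re

# Constructed transcript in the shape of "nslookup" output after "set type=srv"
# (not the poster's real output); the first two lines are the server banner
# that nslookup prints on every query.
SAMPLE_NSLOOKUP = """Server:  dcb.domain.local
Address:  10.0.2.10

_ldap._tcp.siteB._sites.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dcb.domain.local
_ldap._tcp.siteB._sites.domain.local    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dca.domain.local
dcb.domain.local        internet address = 10.0.2.10
dca.domain.local        internet address = 10.0.1.10
"""

# Constructed DC-to-site membership, i.e. what Sites and Services shows.
DC_SITES = {"dca.domain.local": "SiteA", "dcb.domain.local": "SiteB"}

# "_ldap._tcp.<site>._sites.<domain>    SRV service location:" opens one record.
_RECORD_START = re.compile(
    r"^_ldap\._tcp\.(?P<site>[^.\s]+)\._sites\.(?P<domain>\S+)\s+SRV service location:",
    re.IGNORECASE,
)
_SVR_HOSTNAME = re.compile(r"^\s*svr hostname\s*=\s*(?P<host>\S+)", re.IGNORECASE)


def parse_site_srv(text):
    """Return (site, dc_hostname) pairs from an nslookup SRV transcript.

    Only 'svr hostname' lines that follow a site-specific _ldap record header
    are taken; the banner and the trailing A-record lines are ignored.
    """
    records = []
    current_site = None
    for line in text.splitlines():
        start = _RECORD_START.match(line)
        if start:
            current_site = start.group("site")
            continue
        host = _SVR_HOSTNAME.match(line)
        if host and current_site is not None:
            records.append((current_site, host.group("host").lower().rstrip(".")))
    return records


def foreign_registrations(records, dc_sites):
    """DCs advertised for a site that is not their own site.

    Returns (advertised_site, dc, home_site) tuples; home_site is None when the
    DC is not in the membership map at all, which is worth a look on its own.
    """
    findings = []
    for site, dc in records:
        home = dc_sites.get(dc)
        if home is None or home.lower() != site.lower():
            findings.append((site, dc, home))
    return findings


if __name__ == "__main__":
    for site, dc, home in foreign_registrations(parse_site_srv(SAMPLE_NSLOOKUP), DC_SITES):
        print(f"{dc} is registered for site {site} but belongs to {home}")
```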
RE: RE : RE: [ActiveDir] Question about DNS SRV registration.
I would not recommend that you do this. Please read the document I referenced in my previous response. Also, see Ulf's brief description/explanation of the behavior that you are seeing. I really recommend that you try to understand what is going on here.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Yann
Sent: Tue 1/23/2007 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] Question about DNS SRV registration.

Steve,

Thanks for the fast reply. My example is a reflection of what I have in real production. So in my production, I have about 15 AD sites and we are in the process of migration (adding more sites). So you mean that I have to create 15 child DNS domains and set the DCs in each site authoritative for their respective child domain? It seems to be a lot of work... but I will follow your direction.

Thanks again,
Yann

Molkentin, Steve [EMAIL PROTECTED] wrote:

Yann,

Create a child DNS domain for the site containing DCb, and establish DCb as the authoritative server for that domain. If you have resources in Site A you'll then need to ensure there is a forwarder set up for resolution, etc. Remember that separate DNS domains can exist within the one logical Windows domain.

At least I think this would solve your problem...

themolk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Wednesday, 24 January 2007 7:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about DNS SRV registration.

Hello all and happy new year :-),

Say:
- Site A with DCa, which is also DNS (AD-integrated).
- Site B, which is a new site. My goal: dcpromo a new DC (DCb) in site B. DCb will also be DNS (AD-integrated).
- DCa and DCb belong to the same domain (domain.local). My AD is in W2K3 FFL mode.

In order to add the new DCb to the existing domain.com, DCb is a DNS client of DCa. When dcpromo is finished, I configured:
- DCb as DNS client for itself
- DCa as secondary DNS server for DCb.

Everything looks good... BUT: when clients in site B ask for all DCs in site B (with the netlogon process), DCb returns DCb and DCa!

An nslookup with set type=srv for _ldap._tcp.siteB._sites.domain.local shows the 2 DCs:
- DCa.domain.local
- DCb.domain.local

When I search in the DNS console, I find that DCa is still present in site B. I think this is due to the fact that DCb's NIC allows dynamic update and thus dynamically records DCa's SRV records. The only way I found to avoid DCb returning DCa to clients in site B is to delete the SRV records for DCa in DNS (site B).

Question: what is the best practice to avoid DCb returning DCa to clients, and where in the process am I wrong?

Thanks,
Yann
RE: [ActiveDir] adsiedit question
Why are you using adsiedit to rehome a mailbox? Doesn't the Move Mailbox wizard work for your needs?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Condra, Jerry W Mr HP
Sent: Tue 1/23/2007 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] adsiedit question

Hi all,

I didn't OT this even though I'm making modifications to Exchange, since the question seems to be adsiedit related and therefore related to AD.

I'm trying to modify an attribute for a mailbox using adsiedit. Particularly, I'm rehoming its database by modifying the homeMDB attribute. The problem I'm running into is that I'm getting an error stating "The name reference is invalid" when I try to apply the change. I've done this a few times but this is the first time I've run into this error. Google doesn't give enough info to determine the cause... or maybe it is and I just don't know enough about the response to see it... that never happens. ;-)

If anyone can shed some light it would be greatly appreciated.

Many thanks,
Jerry

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] AD Security Auditing
Sometimes, rebuilding OUs is not a Bad Idea :) Try DSacls or something GUI-sh from Netpro and co.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Casey Robertson
Sent: Tue 1/23/2007 2:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Security Auditing

We are embarking on a project to clean up our OU structure and reassign permissions that have grown unmanageable over time. To accomplish this it would be nice to be able to dump permissions on all OU objects and individual object types (users, computers, etc.) so that we can determine who has rights to what. The prospect of doing this manually is daunting at best, and for the most part I have only seen 3rd party tools (read: expensive) that do this in an easy to use fashion. Any suggestions for tools, scripts etc. would be appreciated. Either that or we can rebuild our OU structure :)

Casey Robertson
RE: [ActiveDir] Remote DC's on Virtual Server
Who's Ben? Well, now you know :) Sorry about that.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Bernard, Aric
Sent: Sun 1/21/2007 1:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

Regarding http://www.support.microsoft.com/kb/897615 - agreed. I often forget that not all customers have a premier support agreement in place and cannot necessarily afford third-party support as my organization will provide.

To be clear, I did not state that ESX was easier to deploy: "and from an enterprise perspective often considered easier to manage given the wide range of tools available for it." Certainly for a smaller organization or a home lab, VS2005 will be easier to implement based on the underlying host OS and the less restrictive hardware requirements. As for System Center VMM - it will be a good tool when it is complete but is currently lacking many features that should show up in the next beta.

I think I have made it clear that my perspective is from that of the Enterprise customer (also known as large, global, etc.) and as such I have not run into a single instance of recycled hardware - although I should probably highlight my bias based on who my employer is. Regardless, I certainly agree with you that MSVS must be part of the conversation as to what VE should be used and is appropriate in many situations and customer environments.

Finally, my point was not to support one over the other, just to make a statement based on what I see in the field. And FWIW I only run VS2005 in all of my test environments (outside of customers) although currently non-support for x64 guests is becoming a sticking point for me.

Regards,
Aric (who's Ben?)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Saturday, January 20, 2007 9:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

> All indications to the contrary are likely due to insufficient operational experience with the product - not an attack on anyone just a statement based on my personal experience and interactions with others

Not at all, Ben. I can speak from both sides of the aisle as far as VMWare and VS are concerned, although my bias, to which I have already confessed, plays a role in my dislike of VMWare. My dislike, though, is driven largely by the original (apples and oranges) statement to which I responded. I have not disputed that VMWare is ahead of VS at this present time. I have simply stipulated that the perceived gap is so considerably narrowed now that dismissing VS as a non-starter is no longer a technically sound or tenable position.

> However, MS stated virtual machine support is the same regardless of virtual environment provider.

This is just wrong. Please see http://www.support.microsoft.com/kb/897615

You will also notice that my observation and opinion were based mostly on where we are today on VS 2005 SP1 Beta 2. I do not dispute that VMWare is superior, but at what cost? I disagree with your assertion that ESX is easier to deploy and manage than VS - that just defies logic (no offense). Not with the availability of System Center. When you need to provision a lab of, say, 20 servers running various OSes, and you are under the gun to get it done, like 4 hours ago, on a piece of recycled (Ebayed) hardware, ESX is not your friend.

I was afraid that this thread would go down the undesirable path of Us vs Them, and I apologize for making it so. The point I'm trying to make is that, if you are looking for a Virtualization solution, VS does NOT stink one bit. Factor in the cost overlay, the deployment and maintenance efforts, divide that by what EXACTLY you are looking for in virtualization, then give VS a fair shake and not just go with the popular "VMWare Rules" opinion. ESX may have been sexy a while back when VS was truly ugly, but that is not the case today. VS is evolving, and you may just be pleasantly surprised that it adequately meets your need without breaking your bank and back.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Bernard, Aric
Sent: Sat 1/20/2007 5:41 PM
To: ActiveDir
RE: [ActiveDir] Remote DC's on Virtual Server
> All indications to the contrary are likely due to insufficient operational experience with the product - not an attack on anyone just a statement based on my personal experience and interactions with others

Not at all, Ben. I can speak from both sides of the aisle as far as VMWare and VS are concerned, although my bias, to which I have already confessed, plays a role in my dislike of VMWare. My dislike, though, is driven largely by the original (apples and oranges) statement to which I responded. I have not disputed that VMWare is ahead of VS at this present time. I have simply stipulated that the perceived gap is so considerably narrowed now that dismissing VS as a non-starter is no longer a technically sound or tenable position.

> However, MS stated virtual machine support is the same regardless of virtual environment provider.

This is just wrong. Please see http://www.support.microsoft.com/kb/897615

You will also notice that my observation and opinion were based mostly on where we are today on VS 2005 SP1 Beta 2. I do not dispute that VMWare is superior, but at what cost? I disagree with your assertion that ESX is easier to deploy and manage than VS - that just defies logic (no offense). Not with the availability of System Center. When you need to provision a lab of, say, 20 servers running various OSes, and you are under the gun to get it done, like 4 hours ago, on a piece of recycled (Ebayed) hardware, ESX is not your friend.

I was afraid that this thread would go down the undesirable path of Us vs Them, and I apologize for making it so. The point I'm trying to make is that, if you are looking for a Virtualization solution, VS does NOT stink one bit. Factor in the cost overlay, the deployment and maintenance efforts, divide that by what EXACTLY you are looking for in virtualization, then give VS a fair shake and not just go with the popular "VMWare Rules" opinion. ESX may have been sexy a while back when VS was truly ugly, but that is not the case today. VS is evolving, and you may just be pleasantly surprised that it adequately meets your need without breaking your bank and back.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Bernard, Aric
Sent: Sat 1/20/2007 5:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

Other points to clear up...

MS supports VS2005 as it is their product. However, MS stated virtual machine support is the same regardless of virtual environment provider. MS recently (more than a year ago?) made some changes to their licensing model for virtual environments in terms of the Windows OS and how many instances can be run given a single license. This is applicable to any virtual environment, not just VS2005.

In my role I am a supporter (technically, politically, and marketing) of MS products. However, from an Enterprise perspective (management and operations) VMWare is generally regarded as the superior product for all the reasons mentioned and more. VMWare is not difficult to implement and operate as compared to VS2005 and from an enterprise perspective often considered easier to manage given the wide range of tools available for it. All indications to the contrary are likely due to insufficient operational experience with the product - not an attack on anyone just a statement based on my personal experience and interactions with others.

That

Sent from my Windows Mobile device.

-----Original Message-----
From: Brett Shirley [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 1/20/07 3:28 PM
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

Does anyone know if the vmware stuff allows "ba xxx w4" in the windows debugger (obviously running on a windows guest VM)?

ba xxx w4 = means break on address write w/in 4 bytes of the xxx, which is a pointer. This kind of bp is set through a register directly on the CPU. I know for a fact VS doesn't support it ... not sure if it's impossible to support; switching machines would mean you simply have to swap out that set of registers as well, I guess ... just curious.

Cheers,
BrettSh [msft] posting as is

On Thu, 18 Jan 2007, Akomolafe, Deji wrote:

> one runs on bare metal and other runs under a host OS

Actually, that's a sleight of hand. ESX runs on a VMware-cooked Linux Kernel. So, one can argue that, because it is bundled with its own OS, ESX does not really run on bare metal in the way some people describe it.

Sincerely
RE: [ActiveDir] Remote DC's on Virtual Server
I don't think that is a Microsoft position. Probably a personal preference and opinion of the internal people. Publicly, MS supports Exchange virtualization starting from E2K3 SP2, running on VS R2.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: [EMAIL PROTECTED]
Sent: Fri 1/19/2007 8:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Remote DC's on Virtual Server

Btw, internally Microsoft doesn't recommend Exchange virtually due to I/O issues ... It's possible to run DCs on Virtual Server but I have questions about possible issues that I've heard about doing this.

Chuck
RE: [ActiveDir] Remote DC's on Virtual Server
ESX (VMWare) is good - and pricey. And very strict as to hardware specs. And complex to set up and administer. And, I could be wrong on this, NOT (MS)-supported for virtualizing DCs. Virtual Server, on the other hand, is good, not pricey, less picky, more supported (I believe it's actually validated) for DC virtualization. Plus, the liberal OS licensing scheme is very attractive to me. Yes, I know, VMWare rules the market. Yes, I am biased.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Salandra, Justin A.
Sent: Thu 1/18/2007 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remote DC's on Virtual Server

What would you recommend for the following situation? We are thinking of having a hot site where Exchange will be replicated to a remote location. Since Exchange will be remote over the Internet, we will need to have DCs for each domain available in that remote site. (This would all be going across a VPN.) I was thinking about placing 8 DCs on a VMWare Infrastructure 3 server, Enterprise edition. These DCs would really only be used in the event of a disaster, when people started connecting to Exchange up in the remote site. Is VMWare Infrastructure 3 good? What would you use?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] Remote DC's on Virtual Server
Interesting points, Hunter. Not to engage in a holy war or something, but would you mind mentioning what makes one of these Orange and the other Apple (the fruit)? No, don't mention 64-bit Guest, thank you very much :) [1]

[1] <grumbling> I wish MS would hurry up on this front already. </grumbling>

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Coleman, Hunter
Sent: Thu 1/18/2007 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

IMHO, ESX/VM Infrastructure and Virtual Server are like apples and oranges. Yes, they are both virtualization environments, but have vastly different capabilities. VM Infrastructure has a much broader and deeper feature set that does come with added cost and complexity.

Regardless, in the context of the original question I'd be concerned about the load Exchange is going to place on the host hardware. How many Exchange users are in the 8 domains, and how many of these would potentially be connecting to the alternate site? Are you going to have GC availability to support Exchange? What other resources at the hot site might be looking for DC/GC services?

I would also be careful about having a configuration at my hot site that is significantly different from my normal production environment. When things have melted down to the point of failing over to the hot site, it's not a good time to be pulling out the manuals for your infrastructure because you don't work with it day in and day out.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, January 18, 2007 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

ESX (VMWare) is good - and pricey. And very strict as to hardware specs. And complex to set up and administer. And, I could be wrong on this, NOT (MS)-supported for virtualizing DCs. Virtual Server, on the other hand, is good, not pricey, less picky, more supported (I believe it's actually validated) for DC virtualization. Plus, the liberal OS licensing scheme is very attractive to me. Yes, I know, VMWare rules the market. Yes, I am biased.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Salandra, Justin A.
Sent: Thu 1/18/2007 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remote DC's on Virtual Server

What would you recommend for the following situation? We are thinking of having a hot site where Exchange will be replicated to a remote location. Since Exchange will be remote over the Internet, we will need to have DCs for each domain available in that remote site. (This would all be going across a VPN.) I was thinking about placing 8 DCs on a VMWare Infrastructure 3 server, Enterprise edition. These DCs would really only be used in the event of a disaster, when people started connecting to Exchange up in the remote site. Is VMWare Infrastructure 3 good? What would you use?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] Remote DC's on Virtual Server
:) Interesting points, again. Did I remember to say that I am biased? I think so. I expect that I'm going to catch some flak for what I'm about to write, but...

These do not make VS and ESX apples and oranges. VMotion? Host clustering. Different nomenclature, different capabilities, same purpose. Resource allocation guarantee? CPU Resource allocation weight. Superior Networking capabilities? Sure. Does VS have networking capabilities? Of course. Does ESX integrate with AD as well as VS? Does it run on Windows? Support software iSCSI? Live backup and Shadow Copy? (OK, if you count VCB and its proxy.) Administration - show of hands, quick - ESX or VS, which is easier and less complex to deploy and administer? Which has the easier and faster client deployment option?

I swear, I have NOT drunk any kool-aid, but I think people's perception of the superiority of ESX over VS is largely driven by a combination of historical trends, myths, marketing and the unavoidable "Winblows Sux" mentality. Since we are on a Windows-centric list here, I do not mind admitting that I do not subscribe to the notion that if it's not Windows, it must be better than Windows. Mind you, Hunter, I am NOT implying that this is where you are coming from, but the reason I asked you to enunciate the reasoning behind your thinking was because I was hoping to hear something I haven't heard before on this issue.

VS certainly wasn't as feature-rich as ESX a couple of revs back. The gap is considerably narrowed with what's currently going into VS and what ESX 3.0.1 has today. Will VS catch and surpass ESX in a few months? No. Will it ever catch up? Maybe. But, today, if we factor in the cost overlay (in licensing, hardware and administrative values), and discount our preconceived (or received) notions of ESX superiority, and give VS (as of SP1 Beta 2) a fair shake, one would be pleasantly surprised at how narrow the gap really is.

To me, these 2 products are all bananas - one is just a banana and the other is an organic banana. They are certainly not more apple and orange than your convertible and my jalopy are apple and orange. They are both virtualization tools, and they each serve the same purpose. One is cheap (like, FREE cheap, while giving you liberal Windows licensing terms and flexibility to boot), the other is not.

Now, I'm off to find my Teflon :)

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Coleman, Hunter
Sent: Thu 1/18/2007 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

On the Virtual Infrastructure side: moving running guests across hosts (VMotion), the network configuration options, lower host overhead, grouping hosts into resource pools and allowing guests to automatically migrate based on allocation guarantees, 4-way SMP guests, 64-bit guests :-)

Nothing wrong with Virtual Server, but I see it more on par with VMware Server than ESX/Virtual Infrastructure.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, January 18, 2007 2:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

Interesting points, Hunter. Not to engage in a holy war or something, but would you mind mentioning what makes one of these Orange and the other Apple (the fruit)? No, don't mention 64-bit Guest, thank you very much :) [1]

[1] <grumbling> I wish MS would hurry up on this front already. </grumbling>

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Coleman, Hunter
Sent: Thu 1/18/2007 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

IMHO, ESX/VM Infrastructure and Virtual Server are like apples and oranges. Yes, they are both virtualization environments, but have vastly different capabilities. VM Infrastructure has a much broader and deeper feature set that does come with added cost and complexity.

Regardless, in the context of the original question I'd be concerned about the load Exchange is going to place on the host hardware. How many Exchange users are in the 8 domains, and how many of these would potentially be connecting to the alternate site? Are you going to have
RE: [ActiveDir] Remote DC's on Virtual Server
> one runs on bare metal and other runs under a host OS

Actually, that's a sleight of hand. ESX runs on a VMware-cooked Linux Kernel. So, one can argue that, because it is bundled with its own OS, ESX does not really run on bare metal in the way some people describe it.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Noah Eiger
Sent: Thu 1/18/2007 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

I realize this is now getting a bit OT, but...

Deji, I think the fruit distinction is based on the fact that one runs on bare metal and the other runs under a host OS. (Or at least that is how I have always thought of them.) Beyond that, I agree there are simply feature comparisons. That said (and with the caveat that I have not worked with ESX), I find the MS product to be much simpler than VM Server (nee GSX). I started halfway down the path of migrating my MS VMs to VM Server and found it overly complex, and the video emulation performance using the VMware client was so bad as to be unacceptable.

And as to the OP, I have DCs running on MS VS2k5 R2 and have not had any problems. In the situation you describe, Justin, it seems like performance and cost would be the deciding factor.

--- nme

From: Akomolafe, Deji [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 18, 2007 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

:) Interesting points, again. Did I remember to say that I am biased? I think so. I expect that I'm going to catch some flak for what I'm about to write, but...

These do not make VS and ESX apples and oranges. VMotion? Host clustering. Different nomenclature, different capabilities, same purpose. Resource allocation guarantee? CPU Resource allocation weight. Superior Networking capabilities? Sure. Does VS have networking capabilities? Of course. Does ESX integrate with AD as well as VS? Does it run on Windows? Support software iSCSI? Live backup and Shadow Copy? (OK, if you count VCB and its proxy.) Administration - show of hands, quick - ESX or VS, which is easier and less complex to deploy and administer? Which has the easier and faster client deployment option?

I swear, I have NOT drunk any kool-aid, but I think people's perception of the superiority of ESX over VS is largely driven by a combination of historical trends, myths, marketing and the unavoidable "Winblows Sux" mentality. Since we are on a Windows-centric list here, I do not mind admitting that I do not subscribe to the notion that if it's not Windows, it must be better than Windows. Mind you, Hunter, I am NOT implying that this is where you are coming from, but the reason I asked you to enunciate the reasoning behind your thinking was because I was hoping to hear something I haven't heard before on this issue.

VS certainly wasn't as feature-rich as ESX a couple of revs back. The gap is considerably narrowed with what's currently going into VS and what ESX 3.0.1 has today. Will VS catch and surpass ESX in a few months? No. Will it ever catch up? Maybe. But, today, if we factor in the cost overlay (in licensing, hardware and administrative values), and discount our preconceived (or received) notions of ESX superiority, and give VS (as of SP1 Beta 2) a fair shake, one would be pleasantly surprised at how narrow the gap really is.

To me, these 2 products are all bananas - one is just a banana and the other is an organic banana. They are certainly not more apple and orange than your convertible and my jalopy are apple and orange. They are both virtualization tools, and they each serve the same purpose. One is cheap (like, FREE cheap, while giving you liberal Windows licensing terms and flexibility to boot), the other is not.

Now, I'm off to find my Teflon :)

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Coleman, Hunter
Sent: Thu 1/18/2007 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

On the Virtual Infrastructure side: moving running guests across hosts (VMotion), the network configuration options, lower host overhead, grouping hosts into resource pools and allowing
RE: [ActiveDir] DNS problem. Periodically have to clear the cache
How are these servers configured in TCP/IP? Who is forwarding to whom? And what is the SP level? If you want to take this off-list, you can do so by directly emailing me. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Ramon Linan Sent: Tue 1/16/2007 12:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache Hi, I have 4 DNS servers, they are all AD integrated. 2 of them are supposed to be for internal use only, and the other 2 for the internet domain we have; unluckily they were never configured to be split DNS. Anyway, every now and then I have to clear the cache for the internal ones because they stop resolving for certain addresses. Sometimes I also have to update server data files for the DNS server to resolve certain names. Any help on how to troubleshoot this? Thanks Rezuma
RE: [ActiveDir] Computer accounts getting deleted by unknown process
I had this issue a long time back with a similar product made by a previous employer. I won't go back into the details, but the problem is that computer passwords were being restored to previous states that no longer match those on the DCs at the present state. A manual or scripted rejoin is usually the cure. However, the computer objects themselves were not actually cleaned up, unlike in the case that Rich is now describing. Rich needs to eye-ball the directory itself and see whether or not the object actually disappeared when the problem manifests itself. Third-party eyes relaying information to the troubleshooter - not always reliable. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Al Mulnick Sent: Tue 1/16/2007 1:35 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process In that case, you'll want to check out Steve's post and follow some of that advice. Since it's a computer resource domain topology, it should be relatively low traffic and easier to spot. Can you recreate it? Or is this just being reported retroactively? Better yet, how close are you to the situation? On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote: Thanks Al. It's not that the domain is different, just that only one domain is used for computer accounts. The forest root isn't, and the other domain is relatively inactive until we put another area on AD, though it has a couple of user accounts. So all the computer accounts are in this domain (as well as almost all user accounts). I agree it's weird that nothing is touching user accounts. We do use Sophos, and Sophos is often referred to with 4 letters lately around here so I'll mention that to them. 
Deep Freeze apparently resets the computer to the state it was in before, so people can't change it. I'm not sure that the computer account password getting reset as part of it is a problem, I've been out of the loop on it. But it's not just those computers. --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous From: mailto:[EMAIL PROTECTED]:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Tuesday, January 16, 2007 1:22 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Computer accounts getting deleted by unknown process What's unique about the domain this is happening to? That strikes me as odd that it's occurring in one domain, but not all. I have yet to see accounts get deleted in Active Directory (any version) without a process that removes them. This could be a new experience for me, but I'm skeptical that a process doesn't exist that is removing accounts or preventing the replication (you did say they checked, but like I said, I'm skeptical of any process that picks on computer account security principals but leaves user security principals alone.) I have seen strange issues occur when anti virus apps that run on the domain controllers were thought to have been configured properly but weren't. I've seen instances where similar symptoms were presented but in the end we found out that a process was running that caused this issue. I've seen issues of DC promotions and DNS that ate the DNS zones, but that's not what you describe. So I'm interested to know what's unique about the domain it occurs in. I'm interested to know why it doesn't occur in the other domains? SP1 is highly recommended of course - lots of bug fixes and additional security changes. 
I'm not familiar with the client side apps you mention, but if the environment I work in currently is any indication old computer accounts don't become suicidal without provocation. Shame too On 1/16/07, Rich Milburn [EMAIL PROTECTED] wrote: I've found a little bit of info on this googling, and the results I'm finding seem to be related to replication problems, lack of SP1, or other issues with DCs that need to be reinstalled (reason not identified). What's happening is that computer accounts are getting deleted - most of them are ones that can't update their passwords because they have been turned off, or in the case of a group of users, their computers have Deep Freeze running on them, and those computers update their passwords but apparently the computers reset when they are rebooted so the password is reset
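A check to go with Deji's advice to eye-ball the directory itself. This is an added example, not a script from the thread: it asks whether the computer object is still live, whether a tombstone for it exists, and which DC originated the delete, so the right security log can be searched instead of relying on second-hand reports. It assumes the ActiveDirectory module on Windows Server 2012 or later (Get-ADReplicationAttributeMetadata is not in the 2008 R2 module; on the 2003-era DCs in the thread, ldp.exe with the show-deleted control plus repadmin /showobjmeta give the same information). The computer name is hypothetical.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (2012 or later
# for Get-ADReplicationAttributeMetadata); $Name is a hypothetical computer account.
param([string]$Name = 'WKS-0421')
Import-Module ActiveDirectory

function Get-DeletedComputer {
    param([string]$SamName)
    # Tombstones keep sAMAccountName and lastKnownParent, so a deleted account is
    # still findable by name even without the AD Recycle Bin.
    Get-ADObject -IncludeDeletedObjects `
        -LDAPFilter "(&(objectClass=computer)(sAMAccountName=$SamName`$)(isDeleted=TRUE))" `
        -Properties sAMAccountName, whenChanged, lastKnownParent, isDeleted
}

$live = Get-ADComputer -Filter "name -eq '$Name'" -ErrorAction SilentlyContinue
if ($live) {
    "$Name still exists ($($live.DistinguishedName)). A broken secure channel here is a password mismatch, not a deletion."
    return
}

$dead = @(Get-DeletedComputer -SamName $Name)
if ($dead.Count -eq 0) {
    "$Name is neither live nor tombstoned: it never existed in this domain, or the tombstone lifetime has already passed."
    return
}

$dc = (Get-ADDomainController).HostName
foreach ($t in $dead) {
    "Tombstone      : $($t.DistinguishedName)"
    "Last known OU  : $($t.lastKnownParent)"
    "Deleted around : $($t.whenChanged)"
    # The replication metadata for isDeleted carries the originating DSA and timestamp of the
    # delete. Search that DC's security log around that time: event 647 (Computer Account
    # Deleted) on Windows 2003, 4743 on 2008 and later, names the account that did it.
    Get-ADReplicationAttributeMetadata -Object $t.DistinguishedName -Server $dc -IncludeDeletedObjects |
        Where-Object { $_.AttributeName -eq 'isDeleted' } |
        Select-Object LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity, Version |
        Format-List
}
```

If the originating DC is one that a third-party agent (anti-virus, a desktop-restore product, a provisioning tool) runs on, or the originating time lines up with that product's schedule, the "unknown process" stops being unknown; if every deletion originates on the same DC, that DC's security log and its installed services are the place to look.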
RE: [ActiveDir] DNS problem. Periodically have to clear the cache
That's what I was getting at, too. Sorry to sound selfish and ask him to take it off-list :) He hasn't sent anything yet, though. If he does, I'll send him your way. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Steve Linehan Sent: Tue 1/16/2007 4:08 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache I am also interested in the answers to these questions especially OS version and SP level. We had a few issues with caching around in RTM and a few others around SP1. It is a long story but has to do with how the cache entries are organized in memory. The net effect was that certain lookups would cause the cache to have bad data that would cause the behavior you mention. If you could provide the version of DNS.EXE, full build number using something like filever.exe, that would also be helpful. The last issue I was aware of that exhibited these behaviors is documented here: http://support.microsoft.com/kb/903720/en-us . So I would be interested if you were experiencing the issue with a build beyond that one. Thanks, -Steve From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Tuesday, January 16, 2007 3:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache How are these servers configured in TCP/IP? Who is forwarding to whom? And what is the SP level? If you want to take this off-list, you can do so by directly emailing me. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon From: Ramon Linan Sent: Tue 1/16/2007 12:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the cache Hi, I have 4 DNS servers, they are all AD integrated. 2 of them are supposed to be for internal use only, and the other 2 for the internet domain we have; unluckily they were never configured to be split DNS. Anyway, every now and then I have to clear the cache for the internal ones because they stop resolving for certain addresses. Sometimes I also have to update server data files for the DNS server to resolve certain names. Any help on how to troubleshoot this? Thanks Rezuma
RE: [ActiveDir] Who needs that much ram anyway?
One little addition: There is a 32-bit version of E2K7, although it is neither intended to be used in production, nor supported if you choose to ignore the caveat. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Bernard, Aric Sent: Tue 1/16/2007 5:07 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Who needs that much ram anyway? My understanding is as follows: All three switches address the 32-bit architecture only. Exchange has never supported AWE. Exchange 2007 has RTM'd. Aric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros Sent: Tuesday, January 16, 2007 2:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Who needs that much ram anyway? What about the 3Gb switch in the boot.ini that is required to take advantage of the additional memory. Also depending on the age of the server and CPU, you may also need a PAE / AWE switch. http://support.microsoft.com/kb/283037 Since the final release of Exchange 2007 will only be 64 bit and require a 64 bit version of Windows 2003 or Longhorn, I am not sure if the switch will be required, any one else know? Jose - Original Message - From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, January 16, 2007 8:47 AM Subject: Re: [ActiveDir] OT: Who needs that much ram anyway? Personally I was surprised that a Windows 2003 server and Exchange 2007 would need a patch to run more than 4 gigs because This problem occurs because of a problem in the Windows kernel Seems to me in the x64 era, we're all going to be running more than 4 gigs so they should bundle this up in the Exchange 2007 installer from the get go rather than having everyone stumble across a KB article. 
I'm assuming it's discussed in the readme that no one reads? Brian Desmond wrote: The more you can get in memory, the better. 32GB is the threshold for Exchange before it stops making sense. I've remoted into SQL servers with dozens of CPUs and dozens of gigs of ram before... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Tuesday, January 16, 2007 4:01 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Who needs that much ram anyway? The Microsoft Exchange Information Store service stops responding on a computer that is running Windows Server 2003 and Exchange Server 2007 http://support.microsoft.com/?kbid=928368 This problem occurs if Exchange Server 2007 is installed on a computer that has more than 4 gigabytes (GB) of RAM. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx -- Letting your vendors set your risk analysis these days? http://www.threatcode.com If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] DL information
See http://msmvps.com/blogs/ehlo/archive/2005/04/21/43813.aspx HTH Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Milton Sancho Sent: Mon 1/15/2007 1:24 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DL information Hi, I have an NT 4 environment, running an Exchange 5.5 server. I need to find a way to get a full list of all the Distribution Lists in the domain. Besides that I need to know the owner and members of each DL. I would like to know if there is any tool to reach that information or if I need to run a script. At the same time, to know if anyone has a script that might help me to get the info Regards
RE: [ActiveDir] DL information
Or these: http://support.microsoft.com/kb/152300/EN-US/ http://support.microsoft.com/kb/149447/EN-US/ HTH Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Milton Sancho Sent: Mon 1/15/2007 1:24 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DL information Hi, I have an NT 4 environment, running an Exchange 5.5 server. I need to find a way to get a full list of all the Distribution Lists in the domain. Besides that I need to know the owner and members of each DL. I would like to know if there is any tool to reach that information or if I need to run a script. At the same time, to know if anyone has a script that might help me to get the info Regards
RE: [ActiveDir] SID Deleted users remains in NTS permission.
It's normal. You should be permissioning your resources with groups instead of directly with user accounts. Groups tend to last longer, so you don't have to deal with the horrible SIDs. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Yann Sent: Thu 1/4/2007 1:52 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] SID Deleted users remains in NTS permission. Hello all Happy new year! :) AD 2k3 sp1 in FFL mode. When I delete a user or group from AD, and these objects have permissions on ntfs permissions, I usually see their sids remaining in those file directory ACLs. Is this normal? If not, what could be the reason(s) and how to investigate this issue? Thanks, Yann
RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.
: Thursday, January 04, 2007 7:18 PM To: ActiveDir@mail.activedir.org Subject: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission. Not sure why this surprises you. The ACLs are not maintained by AD nor the SAM where the user accounts exist which means you either get to poll or put some form of notification system in process. Consider also the case of trusted security principals, systems don't get a notification when a trusted system deletes a security principal. Here are just a couple of the bad things that could happen if the machines were responsible for cleaning up those SIDs 1. Overhead. Do you know the sheer number of Security Descriptors that are on any given system? You are just thinking of file Security Descriptors but there are Security Descriptors on many many different securable objects. I have published the list of items I at least know about to this list on a couple of occasions and the different types of objects alone is double digits let alone the actual instances of those objects. Consider a file system with hundreds of thousands or millions of Security Descriptors with really long ACL chains. You could have a scavenger thread running 24x7 in idle mode (you wouldn't want it higher as it would eat up CPU and that would be a different complaint) just constantly walking the ACLs and verifying them. 2. Mistakes. Since we don't have a change notification capability for deleted security principals, and quite honestly you wouldn't (could you imagine 300,000 machines registering with every domain in your forest for change notifications of security principal changes) so that leaves polling and let's say you have a temporary network glitch that makes a SID unresolvable to a friendly name... Do you then just start stripping the SIDs from the ACLs because a name can't be resolved once, twice, three times? What about when an account gets undeleted or restored because it was accidentally deleted for an hour? 
I can think of even more bad things but don't have the time to write about them. If you want to, think through how you would build an application to do what you are suggesting. It is always a good thought exercise before being surprised at what MSFT has done. Keep in mind they are a collection of really bright programmers that often have to work in committee, they aren't necessarily miracle workers. Could this be done? Maybe. I think I could visualize mechanisms to possibly help here but would really have to think it through even more than I have and I have thought a lot about things like this... But it would take serious rework with how security is implemented on Windows and I would be quite fearful of the scaling capabilities. The Windows security system is difficult to work with and can be quite a pain but it is extremely flexible and powerful at the same time. I have started and stopped several times to write all inclusive security tracking tools, it is a big big deal and if done wrong will really make someone have a bad day. As someone else mentioned, use groups. Don't use users. When you go to delete a group, make it a point to clean up where that group has been used. If you don't know where it has been used, that is a process issue and one of the reasons why I am not a fan of universal and global groups because the scope of use is huge. Alternately write your own tools to scan all of the various ACLs looking for unresolvable SIDs and clean them up, but I would be shy on how aggressive you are with the cleanup. You can easily screw yourself up. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann Sent: Thursday, January 04, 2007 5:35 AM To: ActiveDir@mail.activedir.org Subject: RE : RE: [ActiveDir] SID Deleted users remains in NTS permission. Thanks for replying. 
You say that it is normal that the sid still remains in file directory ACLs after the deletion of the corresponding group ?? I always thought that sids *HAVE TO* disappear dynamically on all existing ACLs set on file server. I'm a bit surprised that the system (AD-file server) leaves this dirty sid and that there is no synchronisation that updates the link between the AD object and the ACE What is the reason ? could this behavior be altering ? I'd like the sid to disappear after deletion of the corresponding group in AD in order to not have these dirty SIDs... Thanks. Yann Akomolafe, Deji [EMAIL PROTECTED] wrote: It's normal. You should be permissioning your resources with groups instead of directly with user accounts. Groups tend to last longer, so you don't have to deal with the horrible SIDs. Sincerely
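For the alternative joe mentions last, a tool that scans ACLs for unresolvable SIDs, here is an added example; it is not code from the thread or from joeware. It deliberately honours his two objections: inherited ACEs are skipped (they are fixed at their source), and a SID is only treated as gone when it belongs to a domain in our own forest and a global catalog query confirms that no object carries it; a translation failure on its own, or a SID from a foreign trust, is reported and left alone. It assumes PowerShell 3.0 or later on a domain-joined file server, an account that can read (and, with -Remove, write) every ACL under the path, and the share path itself is hypothetical.

```powershell
# Added example, not from the thread. Assumes a domain-joined file server with line of
# sight to a global catalog; $Path is a hypothetical share root.
param(
    [string]$Path = 'D:\Shares',
    [switch]$Remove                 # default is report-only
)

# SIDs of the domains in our own forest: a SID from a foreign (trusted) forest is never
# declared dead just because we cannot look it up from here.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$ourDomainSids = foreach ($d in $forest.Domains) {
    $bytes = $d.GetDirectoryEntry().Properties['objectSid'][0]
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}
$gc = New-Object System.DirectoryServices.DirectoryEntry("GC://$($forest.Name)")

function Get-SidState {
    param([string]$Sid)
    # Returns 'live', 'deleted' or 'unknown'. Only 'deleted' is ever cleaned up.
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    try {
        [void]$sidObj.Translate([System.Security.Principal.NTAccount])
        return 'live'                                   # LSA resolved it (local or domain)
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # fall through: could be deleted, could be a DC or trust that is unreachable right now
    } catch {
        return 'unknown'                                # RPC/LSA error, not a verdict
    }
    $domainSid = $sidObj.AccountDomainSid
    if (-not $domainSid -or $ourDomainSids -notcontains $domainSid.Value) { return 'unknown' }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($gc, "(objectSid=$Sid)", [string[]]@('distinguishedName'))
    try {
        if ($searcher.FindOne()) { return 'live' }     # exists, LSA just could not translate it
        return 'deleted'                                # our forest, the GC answered, no object
    } catch {
        return 'unknown'                                # GC query failed: do not touch
    }
}

$stale = foreach ($item in Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue) {
    try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }              # inherited ACEs are fixed at their source
        $id = $ace.IdentityReference.Value
        if ($id -notmatch '^S-1-') { continue }         # resolved to DOMAIN\name, nothing to do
        switch (Get-SidState -Sid $id) {
            'deleted' { [PSCustomObject]@{ Path = $item.FullName; SID = $id; Rights = $ace.FileSystemRights; Type = $ace.AccessControlType; Ace = $ace } }
            'unknown' { Write-Warning "$($item.FullName): cannot verify $id, leaving it alone" }
        }
    }
}

$stale | Select-Object Path, SID, Rights, Type | Format-Table -AutoSize

if ($Remove) {
    foreach ($byPath in $stale | Group-Object Path) {
        $acl = Get-Acl -LiteralPath $byPath.Name
        foreach ($entry in $byPath.Group) { [void]$acl.RemoveAccessRule($entry.Ace) }
        Set-Acl -LiteralPath $byPath.Name -AclObject $acl    # rewrites the DACL; keep the report for rollback
    }
}
```

Run it without -Remove first and keep the report: Set-Acl needs either ownership of each object or the backup/restore privileges of an elevated administrator, and the report is the only record of what was stripped if an account turns out to have been restored from a tombstone the day after. The SACL (auditing entries) is not touched by this script; it has the same problem and needs the same treatment with Get-Acl -Audit.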
RE: [ActiveDir] OT: Hello?
Santa brought me coupon for a new home computer, redeemed the coupon and built the system So, what exactly did YOU do? Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Gil Kirkpatrick Sent: Thu 1/4/2007 3:09 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Hello? Only if you had to install Linux. -gil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert Sent: Thursday, January 04, 2007 4:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Hello? Hey, Santa brought me a coupon for a new home computer, redeemed the coupon and built the system. Doesn't that count as work?? Dan Original Message Subject: RE: [ActiveDir] OT: Hello? From: Crawford, Scott [EMAIL PROTECTED] Date: Thu, January 04, 2007 3:35 pm To: ActiveDir@mail.activedir.org I've seen a few today, but the list has been quite slow for the last week or so. Come on guys, the holidays are the time to actually get stuff done :) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Thursday, January 04, 2007 4:21 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Hello? I haven't seen a single e-mail from the mailing list since yesterday morning. Is anyone else seeing this e-mail? Has anyone else received e-mails since then? Just curious if the list has just been dead for the past day, or if something might not be working properly. ~Ben
RE: [ActiveDir] AdminSDHolder orphans
Sorry, Tony. I've been away from emails for most of the week. Did you get a useful response to your question? If not, does my 2-part AdminSDHolder blog (http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx and http://www.akomolafe.com/JustSaying/tabid/193/EntryID/20/Default.aspx) help? No? Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Tony Murray Sent: Mon 12/18/2006 5:32 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] AdminSDHolder orphans Just wanted to get your opinion on something. When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will: . Replace the object's security descriptor with that of the AdminSDHolder; . Disable permissions inheritance on the object; . Set a new adminCount attribute with a value 0 on the object. If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor. Is it just me or does anyone think this behaviour is a little strange? What I am finding in many environments is a large number of these AdminSDHolder orphans. These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common. The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. 
I had to tidy up before the sync would complete without errors. Does anyone run a regular cleanup using the script provided in this article (or similar)? http://support.microsoft.com/kb/817433 Do you think the AdminSDHolder behaviour should be changed to clean-up after itself? Tony Sent via the WebMail system at mail.activedir.org
RE: [ActiveDir] AdminSDHolder orphans
OK, I'm embarrassed :-s That was just so lame. I thought the email from Tony was a PM. Oh, well... back to hiding from emails :) Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Akomolafe, Deji Sent: Thu 12/21/2006 6:06 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AdminSDHolder orphans Sorry, Tony. I've been away from emails for most of the week. Did you get a useful response to your question? If not, does my 2-part AdminSDHolder blog (http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx and http://www.akomolafe.com/JustSaying/tabid/193/EntryID/20/Default.aspx) help? No? Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Tony Murray Sent: Mon 12/18/2006 5:32 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] AdminSDHolder orphans Just wanted to get your opinion on something. When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will: . Replace the object's security descriptor with that of the AdminSDHolder; . Disable permissions inheritance on the object; . Set a new adminCount attribute with a value 0 on the object. If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor. Is it just me or does anyone think this behaviour is a little strange? What I am finding in many environments is a large number of these AdminSDHolder orphans. These can arise quite easily, e.g. 
an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common. The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. I had to tidy up before the sync would complete without errors. Does anyone run a regular cleanup using the script provided in this article (or similar)? http://support.microsoft.com/kb/817433 Do you think the AdminSDHolder behaviour should be changed to clean-up after itself? Tony Sent via the WebMail system at mail.activedir.org
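Since the KB 817433 script only re-enables inheritance on objects you have already identified, here is an added example (not the KB script, and not from the thread) that finds the orphans Tony describes first: accounts and groups still marked adminCount=1 that are no longer members, directly or through nesting, of any group SDProp protects. Only with -Reset does it clear the flag and re-enable inheritance. The group list is the Windows Server 2003 SP1 set and is an assumption to be checked against the schema version of the forest in hand. It needs the ActiveDirectory module (2008 R2 RSAT or later) and rights to modify the objects.

```powershell
# Added example, not the KB 817433 script. Assumes the ActiveDirectory module and rights
# to modify the objects found; the protected-group list is the 2003 SP1 set (assumption).
param([switch]$Reset)    # default is report-only
Import-Module ActiveDirectory

# Groups whose members SDProp stamps with the AdminSDHolder ACL. Administrator and krbtgt
# are protected as accounts, not through a group, so they are never orphans.
$protectedGroups = 'Administrators', 'Account Operators', 'Backup Operators', 'Print Operators',
                   'Server Operators', 'Replicator', 'Domain Admins', 'Domain Controllers',
                   'Schema Admins', 'Enterprise Admins', 'Read-only Domain Controllers'
$protectedAccounts = 'Administrator', 'krbtgt'

function Get-AdminSdHolderOrphan {
    # Build the set of DNs that are legitimately protected (recursive membership), then
    # return every adminCount=1 user or group that is not in it.
    $legit = @{}
    foreach ($name in $protectedGroups) {
        $grp = Get-ADGroup -Filter "name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $grp) { continue }                       # e.g. the RODC group on a pre-2008 schema
        try {
            Get-ADGroupMember -Identity $grp -Recursive -ErrorAction Stop |
                ForEach-Object { $legit[$_.DistinguishedName] = $true }
        } catch {
            # A group we cannot enumerate would make its members look like orphans; refuse to guess.
            throw "Cannot enumerate '$name' ($_). Aborting so nothing is reset by mistake."
        }
    }
    Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' -Properties sAMAccountName |
        Where-Object { -not $legit.ContainsKey($_.DistinguishedName) -and $protectedAccounts -notcontains $_.sAMAccountName }
}

$orphans = @(Get-AdminSdHolderOrphan)
$orphans | Select-Object sAMAccountName, ObjectClass, DistinguishedName | Format-Table -AutoSize
"$($orphans.Count) orphan(s) found"

if ($Reset) {
    foreach ($o in $orphans) {
        # 1. drop the marker so tools that filter on adminCount stop treating it as privileged
        Set-ADObject -Identity $o.DistinguishedName -Clear adminCount
        # 2. re-enable inheritance. The explicit ACEs copied from AdminSDHolder stay in place;
        #    remove them by hand if the object should not carry them.
        $acl = Get-Acl -Path "AD:\$($o.DistinguishedName)"
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path "AD:\$($o.DistinguishedName)" -AclObject $acl
    }
}
```

Run it read-only on a schedule and treat a non-empty report as a process signal: every orphan is an account that was privileged at some point and nobody took it out properly, which is exactly the population an attacker looks for when hunting for stale delegated rights.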
RE: [ActiveDir] Disabling DNS updates for a network interface (for real)
http://support.microsoft.com/default.aspx?scid=kb;KO;275554 Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Brian Cline Sent: Sat 12/16/2006 10:26 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Disabling DNS updates for a network interface (for real) I've got a third network interface on a DC I'm running at home that acquires a DHCP address from a completely separate subnet than the rest of the LAN. Since the DC kept updating DNS by adding that IP to its list of dcname.domain.com records, I removed the Register this connection's addresses in DNS box, but the DC still continues to update DNS with that particular address. Is there any other method I can use to disable this behavior? I wouldn't mind it so much if the other PCs were on that second subnet too, but they are not a part of it and thus have trouble connecting to the DC sometimes because of that DNS entry. Any ideas are welcome. Brian Cline, Applications Developer Department of Information Technology GP Trucking Company, Inc. 803.936.8595 Direct Line 800.922.1147 Toll-Free (x8595) 803.739.1176 Fax
RE: [ActiveDir] Vista GPO
People don't seem to have a problem with that concept when it comes to game consoles :)

Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned.

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Darren Mar-Elia
Sent: Fri 12/15/2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :)

Darren

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get people to move to Active Directory??

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, December 15, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

This is actually a little different because if you view a GPO that was created with Vista, using XP or 2003, none of the ADMX settings can actually be read at all, because they are a completely new format that GPEditor or GPMC on those older platforms don't understand. In fact, those XP or 2003 will happily copy up the ADMs into the Vista GPO like they used to do, and you're back to each GPO storing ADMs in SYSVOL. What I've been recommending to folks is that once you introduce Vista desktops into your environment, use Vista for all your ongoing GP management. The Vista ADMXs are a superset of the latest and greatest ADMs (i.e. they include 2003, XP and Vista settings) so you can happily manage Vista and non-Vista targeted GP settings from a Vista machine.

Darren

Darren Mar-Elia
CTO Founder
www.sdmsoftware.com
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 6:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

You may recall, there was a similar case when XP came out too - if memory serves, you had to manage XP GPO settings from an XP box - if you opened them on Win2K, there were problems (I can't recall now exactly what those problems were... it would corrupt the policy? Lose the settings?) anyway so there are tons more settings (+ side) and you have to use Vista for now (- side, sorta). I wouldn't be too surprised if they fix that with the next server and XP SP... but I haven't actually heard that.

---
Rich Milburn
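An added inventory check, not from the thread, for the point Darren makes above: an XP or 2003 editor copies ADM files back into each GPO's SYSVOL folder, so listing the GPO folders that still carry ADM files (and whether an ADMX central store exists) shows which policies an older platform has touched. The domain name is a placeholder and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the thread: find GPOs whose SYSVOL folder still carries
# ADM files (what an XP/2003 editor copies up) and check for an ADMX central store.
# Assumptions: the domain DNS name below is a placeholder; PowerShell 3.0+ for -File.
param(
    [string]$Domain = "domain.local"   # placeholder: replace with your AD DNS domain name
)

$policiesRoot = "\\$Domain\SYSVOL\$Domain\Policies"
$centralStore = Join-Path $policiesRoot "PolicyDefinitions"

# The central store is the per-domain ADMX/ADML folder that Vista editors use in
# preference to their local %SystemRoot%\PolicyDefinitions copy.
if (Test-Path -Path $centralStore) {
    $admxCount = @(Get-ChildItem -Path $centralStore -Filter *.admx -File).Count
    Write-Output "Central store present: $centralStore ($admxCount ADMX files)"
} else {
    Write-Output "No central store at $centralStore (Vista editors will use local PolicyDefinitions)"
}

# Each GPO lives in a folder named by its GUID; legacy editors store ADM copies in <GUID>\Adm.
$report = Get-ChildItem -Path $policiesRoot -Directory |
    Where-Object { $_.Name -like '{*}' } |
    ForEach-Object {
        $admDir = Join-Path $_.FullName "Adm"
        $adms = @()
        if (Test-Path -Path $admDir) {
            $adms = @(Get-ChildItem -Path $admDir -Filter *.adm -File)
        }
        [pscustomobject]@{
            GpoGuid  = $_.Name
            AdmFiles = $adms.Count
            AdmBytes = [int64](($adms | Measure-Object -Property Length -Sum).Sum)
            Newest   = ($adms | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
        }
    }

# GPOs with ADM files in SYSVOL are the ones an older platform has edited since the
# move to ADMX; each copy is replicated with SYSVOL, so review them before cleaning up.
$report | Where-Object { $_.AdmFiles -gt 0 } |
    Sort-Object AdmBytes -Descending |
    Format-Table -AutoSize
```

Run it from a management workstation with read access to SYSVOL; the Newest column tells you when an older editor last wrote to that GPO.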
RE: [ActiveDir] Vista GPO
I wouldn't put it in those words. But, yeah, I would expect Microsoft to be... shall we say... pragmatic, realistic. Something like, enable its customers to run their businesses. I mean, refrain from dictating its wishes. You know? Because at the end of the day, it is the clueless customers that actually write the checks that add up to those billions in the vault.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Laura A. Robinson
Sent: Fri 12/15/2006 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

So Microsoft should encourage their bad practices?

Laura
RE: [ActiveDir] Vista GPO
I'm sure that you are aware that LH is still many years away from significant adoption. We will see several intervening years between LH release and its reaching the mainstream. In the meantime, Vista would have become the de-facto desktop OS in place of XP (yes, I can dream). So, between now, then and when-ever, people will be needlessly handicapped in their ADM/ADMX decision making. I foresee a lot of gnashing of the teeth, more griping, beaucoup evil M$ rants, and other heart-burn-inducing misunderstandings. Nobody said it would be non-trivial. If it were, people like me will not need people like you.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Darren Mar-Elia
Sent: Fri 12/15/2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Come on Deji - it's exactly the same, else why in the world do we upgrade perfectly good IT systems? :-) Folks can manage their GP from DCs when Longhorn ships. Until then, it's Vista. Also, it would be fairly trivial, if not time-consuming, to convert all those ADMXs in Vista back to ADMs. There is nothing technically preventing that. But, it is not trivial to back-port the other new Vista functionality, like published printers, wired policy, the new IPSec and Firewall stuff, back to older versions. You wouldn't need to back-port all of it - just enough to support GP Editing, but still, it's a lot of work and MS, like most other software companies, probably needs to make the hard call about where to put dev and testing resources. I agree that it's not ideal, but I don't think having to manage GP from Vista for the intervening space of time until Longhorn ships is a terrible thing. It will probably take most orgs that much time to decide when to go to Vista anyway. And for the aggressive ones, Vista is not a bad choice for a management platform. I think the benefits of the central store and other improvements outweigh the medium term inconvenience. I am curious, however, what others think.

Darren
RE: [ActiveDir] Vista GPO
Tim, it is the height of professional arrogance to think that anyone who doesn't/can't/won't do things the way you think they should be done (best practices) is lazy and uninformed. I know you said that it is just your opinion, and, if I were like you, I would hazard that it is a misinformed opinion. But I won't.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Tim Vander Kooi
Sent: Fri 12/15/2006 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

They won't do it if Microsoft makes it so they CAN'T do it. I feel Microsoft should be applauded for forcing admins to do their jobs correctly for a change, instead of giving in to the lazy or uninformed amongst us.

Just my opinion,
Tim
RE: [ActiveDir] Vista GPO
Know your audience. Know your customers. Know your consumers. I can't speak to whether or not you pi$$ off your employer, but I can name a few of your colleagues in the trenches (because I run into them every now and then) who will be more than glad to tell you that there is more that goes into a client's administrative decision making, technology adoption, PO approval, etc, than best practices. I will not speak to the security hole boogey-man that you are floating because I don't think you want us veering into that arena. Imagine what it would sound like if we start saying that MS is not making ADMX administration available on non-Vista/LH platforms because of security issues. No, you don't want that. So, what you are left with is nothing but Best Practices. You want to draw a line because it is the sensible thing to do. Well, my logic is that a lot of things make sense in my head and in my labs. They just don't translate well in the real brick and mortar life out there. People are going to administer their GPOs from their servers for any number of reasons. These same people will NOT install LH until RTM+x number of years. These people are the ones paying my bills. They are the ones paying yours. Unless you are actually making the case that MS is aware of some technical inhibitions to making ADMX administrable from legacy OSes, there is no compelling reason why MS should not factor in HOW its customers use its products/technologies when making decisions as to whether or not to make something available. It is this unwillingness/reluctance to relate to the real world and to insist on a set of prescriptive mandates that continues to hurt MS in many places.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Laura A. Robinson
Sent: Fri 12/15/2006 11:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

And it's the clueful customers who (rightly) become angry when something in a product that exists purely for backward compatibility opens a security hole. Now, I'm not saying that all security holes are due to backward compatibility, and I'm not saying that every bit of code that comes out of Redmond is perfect. However, I have said for years that many of the things that people don't like about Microsoft's products are the result of backward compatibility, not bad coding or a lack of consideration on the part of Microsoft's programmers. As somebody else (Darren? Richard?) said, there is a point where a line has to be drawn in the sand. I personally don't see anything dictatorial about requiring a Vista+ machine to edit *VISTA* policies. I mean, seriously, if you're writing Vista GPOs, that would imply that you're using Vista machines, and if you're using Vista machines, what is the issue with using one of those Vista machines as your editing workstation? I think that that *IS* a very pragmatic, realistic approach. Sorry, I just don't follow your logic on this one. That said, my opinions are purely my own, do not represent those of my employer, are not intended to represent those of my employer and for all I know, may even pi$$ off my employer. :-)

Laura
RE: [ActiveDir] Vista GPO
Did I actually say that clueless folks are writing you checks? Or are you projecting? That those who write you checks but don't/can't/won't do things the right way (according to you) are clueless, and you don't like their checks?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Laura A. Robinson
Sent: Fri 12/15/2006 12:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

BTW, I would disagree with your assessment of Microsoft's customer base. I work in Microsoft's largest district, with our largest customers, and I find them far from clueless. I also find very few clueless folks writing us checks that add up to those billions in the vault. Do I run into misinformed people? Absolutely. Clueless? Not really. Well, not among my customers, anyway. :-)

Laura
RE: [ActiveDir] Vista GPO
Again, you are projecting. I don't call MS customers clueless. Why? Because I don't believe they are. Now, will I sometimes call some MS people arrogant? It depends. Will I take offence if someone thinks I lack exposure to sophisticated IT environments? No, never. Why? Probably because I move around a lot in the real world, and sophisticated IT environments are very hard to come by. I've read and heard that there are plenty of them in silos. I just haven't seen enough of them to convince me that they come close to the number of unevolved IT environments I deal with on a regular basis. Come to think of it, I have a bunch of MS technical and marketing materials that speak to how much technical, financial and marketing effort MS is going to expend this year and next getting a whopping 60% of its customer-base to the Rationalized stage of optimization. Mind you, they are not shooting for Dynamic. Certainly not Sophisticated. So, yeah, there are more of us than there are of you out there, so you better start factoring us in when you make decisions that affect how we do things.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Laura A. Robinson
Sent: Fri 12/15/2006 1:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Since many of us are in the habit of expressing various opinions, perhaps we should refrain from characterizing those with which we disagree as the height of professional arrogance and misinformed. See, if we start doing that, I might express the opinion that referring to Microsoft's customers as clueless and insisting that Microsoft should accommodate cluelessness at the expense of new product development, security and code review (which is exactly what the expense is to devote resources to doing nothing but backporting new features) is the height of professional inexperience, myopia and lack of exposure to sophisticated IT environments. But I won't. :-)

Laura
RE: [ActiveDir] Object picker weirdness
Because the problem is confined to W2K3 boxen only.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Tom Kern
Sent: Thu 12/14/2006 3:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Object picker weirdness

Thanks a lot! That helped. I wonder why it worked from my XP box? Thanks again

On 12/13/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:

http://support.microsoft.com/default.aspx/kb/829756

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] Strange DNS problem. How to troubleshoot
Convert the zone from AD-intg to Primary. The zone should be written to the system32\dns folder after that. Once you have the file, you can go back and convert the zone to AD-intg again. Another option is to use dnscmd to dump the zone info to a file. You can use /enumrecords or /zoneprint, depending on what you want to do with the file.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Ramon Linan
Sent: Wed 12/13/2006 7:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange DNS problem. How to troubleshoot

Hi, thanks for your reply. I was in panic mode yesterday and sent this email before doing more in-depth troubleshooting myself. It turns out that the problem was in the NASA DNS server: they were delegating the subdomain to another DNS server, but they had the delegation wrongly configured :( Thanks anyway. My DNS is AD integrated; I thought a file was written and that you could actually modify the DNS conf by editing those files, like in Linux. I was wrong I guess; is there a way to force that file to be written? Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, December 13, 2006 9:00 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange DNS problem. How to troubleshoot

For starters, what version of Windows Server are you using? Is it fully patched? What's in the event logs (system, application, and dns event logs) before/during/after the dns server goes wonky [1]? Is this AD-Integrated DNS? If so, no dns files are going to be written out. If so, they'll be in the directory specified in the properties of the server. What is your DNS topology? Is this server authoritative for nasa.gov? Is it a forwarder? stub zone? ?? I'm sure there's more, but that's a great place to start.

[1] Is that the correct use of the term? If not, please correct me so I don't make that gaffe again.

On 12/12/06, Ramon Linan mailto:[EMAIL PROTECTED] wrote:

Hi, I am having a problem with the DNS. I have a few users that connect to computers at NASA. Every now and then our DNS server here stops resolving certain machines in the domains machine.subdomain.nasa.gov. I have run nslookups asking for those machines to different DNS servers; my DNS doesn't resolve but other DNS servers are resolving fine. I have also used the online tool dnsstuff.com and that one resolves too. Last time I solved the problem by restarting the DNS server service on the servers; the other time I cleared the cache and updated the server data files and that was enough. Any tips on how I should start troubleshooting this? Also, a separate question: I saw once that Windows DNS server keeps all the conf in a file, like Linux/UNIX. Where is that file located?

Thanks in advance
Rezuma
RE: [ActiveDir] Object picker weirdness
http://support.microsoft.com/default.aspx/kb/829756

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Tom Kern
Sent: Wed 12/13/2006 7:07 PM
To: activedirectory
Subject: [ActiveDir] Object picker weirdness

I have this strange issue when I'm updating the managedBy attribute of a group with another group. From a WinXP SP2 box running ADUC, in the object picker when I click Object Types..., I check off Group, and everything is golden. From a Win2k3 SP1 box running Exchange 2k3, when I select Object Types... in ADUC, the only options I have are User and Contact. There is no Group option. Same MMC version on both boxes. Is this some known issue I'm butting my head up against?

Thanks

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] Way OT: Laptop Battery Life
Lithium batteries are resilient to the charge/discharge issues associated with earlier batteries. Generally, you want to replace batteries after about 18 months, because that's when depreciation sets in.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Brian Desmond
Sent: Tue 12/12/2006 7:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Way OT: Laptop Battery Life

I have this model too. Kill the WiFi and Bluetooth for starters. WiFi is Fn+F2, I think. Next, get a media bay battery from Dell - it can give you several (up to 4) more hours in my experience. I go through batteries pretty quickly - I think I killed the media bay battery (or at least met its half life) in about 6 months. A combination of desk work and being mobile does this because of the uneven discharge/charge cycles. You can either be real meticulous about taking care of the batteries or start hitting your IT department up for new ones.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, December 12, 2006 10:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Way OT: Laptop Battery Life

Hi - When I travel with my standard-issue Dell D600 (1.5GB RAM), I get maybe two hours out of a fully charged battery while doing standard Word, Excel, Outlook stuff. Throw in Visio or (ugh) QuickBooks and cut that time in half. Sometimes I try to disable services that I know I will not need on the plane (does antivirus really need to autoprotect on the plane?), but I can't tell you that this actually gives me any more battery. Any recommendations for battery-life-extending tricks, tools, services to disable, etc.? Greatly appreciated as I head across the country for the late December boogie.

Thanks.
-- nme
RE: [ActiveDir] can not browse the internet after dcpromo
http://support.microsoft.com/kb/300202

Pay attention to the part that says "To Remove the Root DNS Zone". Then look at the part that says "To Configure Forwarders". You only NEED to do this part IF your ISP is blocking you from running DNS on their network. In that case, you will point your DNS server to your ISP's DNS servers for forwarding as described there.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: John
Sent: Mon 12/11/2006 8:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] can not browse the internet after dcpromo

Hi, The internet is not working after a successful DCPROMO. This is a secondary DNS server. What are the things I need to check to troubleshoot the problem? Any suggestion is highly appreciated.

Thanks.
John
RE: [ActiveDir] Join a Domain
John, now that your DNS is working on the server, you need to make sure that your clients are using ONLY this server as their DNS server. Reconfigure your clients' Primary DNS server entries in the TCP/IP configuration to have the IP address of your DNS server. Remove any other IP address that you find in the DNS configuration. IF you are using DHCP, you need to change your scope configuration to now have ONLY this server as the DNS server.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: John
Sent: Mon 12/11/2006 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Join a Domain

There was an error on my one client machine when joining the domain. Below it is:

An error occurred when DNS was queried for the service location (SRV) resource record used to locate a domain controller for domain server-2.blackstallions.com.sa. The error was: No records found for given DNS query. (error code 0x251D DNS_INFO_NO_RECORDS) The query was for the SRV record for _ldap._tcp.dc._msdcs.server-2.blackstallions.com.sa

What does this SRV record mean? Is there something I need to reconfigure on the server? Let me know, expert.

Thanks.
John
RE: [ActiveDir] Join a Domain
Yes, padre :)

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Al Mulnick
Sent: Mon 12/11/2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Join a Domain

Sounds like this is a carry-over from another thread then?

On 12/11/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:

John, now that your DNS is working on the server, you need to make sure that your clients are using ONLY this server as their DNS server. [...]

From: John
Sent: Mon 12/11/2006 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Join a Domain

There was an error on my one client machine when joining the domain. [...]
RE: [ActiveDir] no dns servers
Do you have another DNS server? If yes, then configure the problematic server to use this other DNS server (in the TCP/IP configuration). If no, then remove and reinstall DNS.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: John
Sent: Sun 12/10/2006 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] no dns servers

Hi, Thanks for your quick reply. It seems I am still having an error with the DNS test:

    DNS test . . . . . . . . . . . . . : Failed
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.blackstallions.com.sa. re-registeration on DNS server '10.0.0.6' failed.

Below are the detailed copy-pasted messages from my DNS server. Do you know any recommendation on what are the things I need to check further?

Thanks again.
John

    C:\Program Files\Support Tools>netdiag /fix
    ..
    Computer Name: SERVER-2
    DNS Host Name: Server-2.blackstallions.com.sa
    System info : Windows 2000 Server (Build 2195)
    Processor : x86 Family 15 Model 1 Stepping 2, GenuineIntel
    List of installed hotfixes :
        KB810217 KB823182 KB825119 KB826232 KB828035 KB841872 Q147222 Q311967 Q313450 Q318138 Q320206 q323172 Q323255 Q326830 Q326886 Q329115 Q329170 Q329834 Q810833 Q84 Q811630 Q814033 Q816093

    Netcard queries test . . . . . . . : Passed

    Per interface results:

        Adapter : Local Area Connection 2
            Netcard queries test . . . : Passed
            Host Name. . . . . . . . . : Server-2
            IP Address . . . . . . . . : 10.0.0.6
            Subnet Mask. . . . . . . . : 255.255.255.0
            Default Gateway. . . . . . : 10.0.0.138
            Dns Servers. . . . . . . . : 10.0.0.6
            AutoConfiguration results. . . . . . : Passed
            Default gateway test . . . : Passed
            NetBT name test. . . . . . : Passed
                No remote names have been found.
            WINS service test. . . . . : Skipped
                There are no WINS servers configured for this interface.

    Global results:

    Domain membership test . . . . . . : Passed
    NetBT transports test. . . . . . . : Passed
        List of NetBt transports currently configured:
            NetBT_Tcpip_{C8E2682E-1F11-43C0-9F7E-DA4402F67D20}
        1 NetBt transport currently configured.
    Autonet address test . . . . . . . : Passed
    IP loopback ping test. . . . . . . : Passed
    Default gateway test . . . . . . . : Passed
    NetBT name test. . . . . . . . . . : Passed
    Winsock test . . . . . . . . . . . : Passed
    DNS test . . . . . . . . . . . . . : Failed
        [FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.blackstallions.com.sa. re-registeration on DNS server '10.0.0.6' failed.
            DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
        [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.blackstallions.com.sa. re-registeration on DNS server '10.0.0.6' failed.
            DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
        [FATAL] Failed to fix: DC DNS entry blackstallions.com.sa. re-registeration on DNS server '10.0.0.6' failed.
            DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
        [FATAL] Failed to fix: DC DNS entry _ldap._tcp.blackstallions.com.sa. re-registeration on DNS server '10.0.0.6' failed.
            DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
        [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.blackstallions.com.sa. re-registeration on DNS server '10.0.0.6' failed.
            DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
        [FATAL] Failed to fix: DC DNS entry _ldap._tcp.pdc._msdcs.blackstallions.com.sa. re-registeration on DNS server '10.0.0.6' failed.
            DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
        [FATAL] Failed to fix: DC DNS entry _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.blackstallions.com.sa. re-registeration on DNS server '10.0.0.6' failed.
            DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
        [FATAL] Failed to fix: DC DNS entry _ldap._tcp.29caf58f-680d-4c54-be26-085bf3c39cf2.domains._msdcs.blackstallions.com.sa. re-registeration on DNS server '10.0.0.6' failed.
            DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
        [FATAL] Failed to fix: DC DNS entry gc._msdcs.blackstallions.com.sa. re-registeration on DNS server '10.0.0.6' failed.
            DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
        [FATAL] Failed to fix: DC DNS entry 174e43f3-2ad3-492f-a2c0-4f27283d7dc2._msdcs.blackstallions.com.sa. re-registeration on DNS server '10.0.0.6' failed.
            DNS Error code: DNS_ERROR_RCODE_NOT_IMPLEMENTED
RE: [ActiveDir] no dns servers
Your Alcatel router is also a DNS server? If yes, does it support SRV resource records as well as dynamic registration? If yes, then yes, you can use its IP address as the Primary DNS server of this problematic DC.

Is this a new DC/Domain? If yes, I highly recommend that you start over by following Daniel's helpful step-by-step here: http://www.petri.co.il/how_to_install_active_directory_on_windows_2003.htm

For DNS support of AD, see: http://technet2.microsoft.com/WindowsServer/en/library/9d62e91d-75c3-4a77-ae93-a8804e9ff2a11033.mspx?mfr=true

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: John
Sent: Sun 12/10/2006 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] no dns servers

Yes, we have another DNS server defined directly on our ALCATEL router. So then, HOW-TO configure the other DNS server (in the TCP/IP configuration)? Sorry, I am a newbie on this service. Also, I already removed and reinstalled the DNS; however, no luck. The same problem.

John

- Original Message -
From: Akomolafe, Deji [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, December 11, 2006 9:17:37 AM
Subject: RE: [ActiveDir] no dns servers

Do you have another DNS server? If yes, then configure the problematic server to use this other DNS server (in the TCP/IP configuration). If no, then remove and reinstall DNS.

From: John
Sent: Sun 12/10/2006 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] no dns servers

Hi, Thanks for your quick reply. It seems I am still having an error with the DNS test. [...]
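The advice across the three threads above (remove the "." root zone, add forwarders only if the ISP forces it, point the DC and its clients at AD DNS only, then verify the _ldap._tcp.dc._msdcs SRV record) and the dynamic-update failure in John's netdiag output can be checked from one script. What follows is an added example written for this page, not code from the thread or from Microsoft; it assumes Windows Server 2012 or later with the DnsServer and DnsClient modules, run elevated on the DC, and 'contoso.com' and the forwarder address are placeholders:

```powershell
# Added example, not from the thread: post-dcpromo DNS sanity checks, run
# elevated on the new DC. Assumes Windows Server 2012 or later (DnsServer and
# DnsClient modules). 'contoso.com' and the addresses below are placeholders.
Import-Module DnsServer, DnsClient -ErrorAction Stop

$Domain      = 'contoso.com'       # placeholder: your AD DNS domain
$IspForwards = @('198.51.100.53')  # placeholder: ISP resolver, only if the ISP blocks outbound DNS

# 1. A '.' (root) zone makes the server think it is an Internet root server:
#    it will never recurse or forward, so Internet browsing breaks (KB 300202).
if (Get-DnsServerZone -Name '.' -ErrorAction SilentlyContinue) {
    Write-Warning 'Root zone "." found; removing it so the server can resolve Internet names.'
    Remove-DnsServerZone -Name '.' -Force
}

# 2. Forwarders are optional. Root hints suffice unless the ISP blocks port 53
#    from your network; then forward to the ISP and keep root hints as fallback.
if (-not (Get-DnsServerForwarder).IPAddress -and $IspForwards) {
    Set-DnsServerForwarder -IPAddress $IspForwards -UseRootHint $true
}

# 3. Every adapter on the DC must point only at AD DNS servers (itself or another
#    DC), never at the router or ISP. Flag anything else.
$adDns = @((Get-DnsServerResourceRecord -ZoneName $Domain -RRType A -Name '@').RecordData.IPv4Address.IPAddressToString)
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses) {
    foreach ($srv in $cfg.ServerAddresses) {
        if ($srv -ne '127.0.0.1' -and $srv -notin $adDns) {
            Write-Warning "Interface '$($cfg.InterfaceAlias)' uses non-AD DNS server $srv"
        }
    }
}

# 4. The record the domain-join error in the thread asked for: the DC locator SRV.
function Test-DcLocatorSrv {
    param([string]$Domain, [string]$Server)
    $q = "_ldap._tcp.dc._msdcs.$Domain"
    try {
        $r = Resolve-DnsName -Name $q -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
             Where-Object Type -eq 'SRV'
        [pscustomobject]@{ Server = $Server; Query = $q; Found = [bool]$r; Targets = ($r.NameTarget -join ',') }
    } catch {
        [pscustomobject]@{ Server = $Server; Query = $q; Found = $false; Targets = $_.Exception.Message }
    }
}

# 5. If the SRV set is missing, make Netlogon re-register and test again.
#    A server answering RCODE NOTIMP to the update (the netdiag output above) does
#    not implement dynamic update at all; a consumer router cannot host AD DNS.
$before = Test-DcLocatorSrv -Domain $Domain -Server '127.0.0.1'
if (-not $before.Found) {
    nltest.exe /dsregdns | Out-Null
    Start-Sleep -Seconds 5
    $after = Test-DcLocatorSrv -Domain $Domain -Server '127.0.0.1'
    $before, $after | Format-Table -AutoSize
} else {
    $before | Format-Table -AutoSize
}
```

Run Test-DcLocatorSrv with -Server set to the router's address as well: if it cannot answer the SRV query, clients pointed at it will never find a domain controller, whatever the router does with A records.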
RE: [ActiveDir] _msdcs not propagated in AXFR
Seen this? http://support.microsoft.com/kb/817470

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Michael B Allen
Sent: Fri 12/1/2006 9:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] _msdcs not propagated in AXFR

Does anyone know why the _msdcs records are not returned in an AXFR DNS query? This means that slave zones will not have those records and that software querying for a domain controller may not find one.

Mike
--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
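Two of the threads above come down to how zones are stored and transferred: the "Strange DNS problem" thread wanted a text copy of an AD-integrated zone (Deji's dnscmd /zoneprint suggestion), and this one asks why an AXFR of the domain zone does not carry the _msdcs records. The script below is an added example written for this page, not code from the thread; it assumes the DnsServer module (Windows Server 2012 or later) plus dnscmd.exe, and 'contoso.com' and 'C:\DnsExport' are placeholders:

```powershell
# Added example, not from the thread: dump every zone a DNS server hosts to
# master-file text and check how _msdcs is hosted and transferred. Assumes the
# DnsServer module (Windows Server 2012+) and dnscmd.exe; names are placeholders.
Import-Module DnsServer -ErrorAction Stop

$Domain = 'contoso.com'      # placeholder: forest root domain
$OutDir = 'C:\DnsExport'     # placeholder: where the zone dumps go
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# An AD-integrated zone lives in the directory, so there is no file under
# %SystemRoot%\System32\dns to edit. dnscmd /zoneprint renders the live zone in
# master-file format without converting it to a standard primary first.
$zones = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -ne 'Forwarder' }
foreach ($z in $zones) {
    $file = Join-Path $OutDir (($z.ZoneName -replace '[^\w.-]', '_') + '.txt')
    dnscmd.exe localhost /zoneprint $z.ZoneName | Out-File -FilePath $file -Encoding ascii
    '{0,-40} {1,-10} AD-integrated={2,-5} scope={3}' -f $z.ZoneName, $z.ZoneType, $z.IsDsIntegrated, $z.ReplicationScope
}
"Exported $(@($zones).Count) zone(s) to $OutDir; diff the files between runs to catch unexpected record changes."

# Why an AXFR of contoso.com does not carry the _msdcs SRV records: from Windows
# Server 2003 on, _msdcs.<forest root> is created as its own forest-wide zone and
# the domain zone only holds a delegation (NS records) to it. A secondary that
# transfers contoso.com alone gets the delegation, not the DC locator records.
$msdcs = Get-DnsServerZone -Name "_msdcs.$Domain" -ErrorAction SilentlyContinue
if ($msdcs) {
    "_msdcs.$Domain is a separate zone (scope: $($msdcs.ReplicationScope)); a secondary must transfer it separately."
} else {
    "_msdcs.$Domain is a subdomain inside $Domain, so its records travel with that zone's AXFR."
}

# Zone transfer policy for both zones: NoTransfer, TransferAnyServer,
# TransferToZoneNameServer or TransferToSecureServers (with an explicit list).
foreach ($name in @($Domain, "_msdcs.$Domain")) {
    $z = Get-DnsServerZone -Name $name -ErrorAction SilentlyContinue
    if ($z -and $z.ZoneType -eq 'Primary') {
        '{0}: SecureSecondaries={1} SecondaryServers={2}' -f $name, $z.SecureSecondaries, ($z.SecondaryServers -join ',')
    }
}
```

If the _msdcs zone turns out to be separate, the fix on the non-Windows slave is a second zone definition for _msdcs.contoso.com, and on the Windows side the same restricted transfer list on both zones; TransferAnyServer on either one hands the whole DC inventory to anyone who can reach port 53.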
RE: [ActiveDir] Selective auth, allowed to auth right, group policy
http://technet2.microsoft.com/WindowsServer/en/library/b4d96434-0fde-4370-bd29-39e4b3cc7da81033.mspx?mfr=true

You owe me a beer for making me do your google :)

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Charlie Kaiser
Sent: Mon 11/27/2006 5:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Selective auth, allowed to auth right, group policy

I have to add the "allowed to authenticate" right to a large number of workstations so that workstation admins from another domain can access them. Instead of adding that right to each computer object, is there a way to do it with group policy at the OU level? I haven't been able to find it. It's a painful manual process. We're using a selective auth external trust between forests. For other reasons, we can't set up a normal trust.

Thanks...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
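"Allowed to Authenticate" is a control access right in the computer object's ACL, not a Group Policy setting, so Group Policy cannot push it. What can be done at the OU level is a single inheritable ACE on the OU scoped to descendant computer objects, which the selective-authentication check then honours on every computer beneath it, including ones joined later. The script below is an added example written for this page, not code from the thread; it assumes the ActiveDirectory module (RSAT) under Windows PowerShell, rights to modify the OU's security descriptor, and the OU path and trusted-forest group name are placeholders:

```powershell
# Added example, not from the thread: grant the "Allowed to Authenticate" right
# to a group from the trusted forest on every computer under an OU with one
# inheritable ACE instead of per-object edits. Assumes the ActiveDirectory
# module (RSAT) in Windows PowerShell; $OU and $Trustee are placeholders.
Import-Module ActiveDirectory -ErrorAction Stop

$OU      = 'OU=Workstations,DC=contoso,DC=com'   # placeholder: trusting-forest OU
$Trustee = 'FABRIKAM\Workstation Admins'          # placeholder: group in the trusted forest

# Well-known schema GUIDs, identical in every forest:
$AllowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'  # controlAccessRight Allowed-To-Authenticate
$ComputerClass         = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the computer class

$sid  = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate([System.Security.Principal.SecurityIdentifier])
$path = "AD:\$OU"
$acl  = Get-Acl -Path $path

# ExtendedRight + the Allowed-To-Authenticate GUID is what the "Allowed to
# Authenticate" checkbox in the GUI sets. Descendents + the computer class GUID
# keeps the ACE off the OU itself and off users/groups: computers only.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $AllowedToAuthenticate,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $ComputerClass)

$already = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Trustee -and
    $_.ObjectType -eq $AllowedToAuthenticate -and
    $_.InheritedObjectType -eq $ComputerClass -and
    $_.AccessControlType -eq 'Allow'
}
if (-not $already) {
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    "Granted Allowed to Authenticate on computers under $OU to $Trustee"
} else {
    "ACE already present on $OU"
}

# Verify on a sample of computers. One with "protect from accidental deletion"
# style inheritance blocking (or a manually blocked ACL) will not receive it.
Get-ADComputer -SearchBase $OU -Filter * | Select-Object -First 5 | ForEach-Object {
    $hit = (Get-Acl -Path "AD:\$($_.DistinguishedName)").Access | Where-Object {
        $_.ObjectType -eq $AllowedToAuthenticate -and $_.IdentityReference.Value -eq $Trustee
    }
    '{0,-25} AllowedToAuthenticate={1}' -f $_.Name, [bool]$hit
}
```

Keep the grant scoped to the OU that actually holds the workstations; an inheritable Allowed to Authenticate ACE at the domain root would also cover domain controllers and servers and defeat the point of selective authentication.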
RE: [ActiveDir] Enterprise Domain Controllers group missing...
Neil, you responded to the thread where Steve already corrected himself. Read the doc you cited again. Only the EDC membership changes during the process you described. EDC itself is NOT created at this point. It is merely made a member of the newly-created Windows Authorization Access group.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: [EMAIL PROTECTED]
Sent: Wed 11/22/2006 1:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

I believe SteveL may have already suggested that this group is only available post-W2K, and only after the PDC in the domain has been upgraded. Further info here: http://technet2.microsoft.com/WindowsServer/en/library/08eb226b-0192-4c05-b919-c9311bafae351033.mspx?mfr=true

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 22 November 2006 05:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Hi there, I finally found out where this group was... it is available from Windows 2000 AD forwards and is found at CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,CN=Configuration,DC=x,DC=x,DC=x. It's not viewable/searchable under ADUC even with advanced features turned on, but you can use it to apply security on an AD object.

Cheers everyone for your assistance... ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

From: Steve Linehan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 22/11/2006 03:33 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Sorry, read and responded to this too fast. You should have an Enterprise Domain Controllers group; however, it becomes a member of the Windows Authorization Access group after the PDC upgrade. You will be missing some of the other Groups and Security Principals listed in that section until the PDC is upgraded.

Thanks,
-Steve

From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Steve Linehan [EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

You have to upgrade or install one of the servers in each domain to Windows Server 2003 and then transfer the PDC Emulator role to the upgraded or added Windows Server 2003 box. When a Windows Server 2003 box takes over the PDC Emulator FSMO role, it will create these new security principals. This is documented under the section titled "Windows Server 2003 Well Known Security Principals" in the following link: http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx .

Thanks,
-Steve

From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers group missing...

- We recently upgraded the schema in one forest from Windows 2000 to Windows 2003.
- We now receive the following error when trying to access group policies: "The Enterprise Domain Controllers group does not have read access to this GPO. The Enterprise
RE: [ActiveDir] DNS Scavenging - new issue
Since someone has already taken the time to address this, I will simply refer you to http://searchwincomputing.techtarget.com/tip/0,289483,sid68_gci1040355,00.html

If you still have questions after that, then ask away.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Gordon Pegue
Sent: Wed 11/22/2006 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Scavenging - new issue

The recent thread on DNS scavenging was interesting and informative. It has led me to investigate my own DNS scavenging issue, and I'd appreciate some assistance with figuring out how to resolve it.

I manage a single domain with a mixture of 2 Win2K and 3 Win2K3 servers. My 2 DCs are on Win2K boxes, I have one Win2K3 server running Exchange 2K3, and the other 2 Win2K3 servers are basically file servers at this point, although we plan on promoting one to a DC in the near future and retiring one of the Win2K DCs. My DNS is AD integrated.

My issue involves old, stale DNS RRs not being properly scavenged, and even though I've read some of the documents linked in the previous thread, I'm still a bit uncertain how to rectify my issue without totally botching things - I'm a bit of a newbie...

Anyhow, I examine the contents of my Reverse Lookup Zone and I find 2 Name entries for the same machine name. If I examine the properties of each, I see, for example, that the Record Time Stamp for one is 6-6-05 and 11-21-06 for the other. Checking DHCP shows that the IP address for the 11-21-06 entry is the active one. When I check the Aging settings for the zone, I see that the No-refresh interval is set to 7 hours, the Refresh interval is set to 7 days and the "Scavenge stale RR" check box is checked. OK so far, methinks.

When I check the properties for the DNS server, under the Advanced tab, the "Enable automatic scavenging of stale records" check box is _not_ checked. My first question: Should it be checked? My second question: Are there any negative consequences to doing so?

Next, when I right-click the DNS server and click "Set Aging/Scavenging for All Zones", I see that the No-refresh interval is set to 7 days, the Refresh interval is also set to 7 days and the "Scavenge stale RR" check box is _not_ checked. My third question: As opposed to my previous 2 questions, is this where I should be enabling scavenging?

My final question: Once the scavenging has been properly enabled, will the really stale RR records be removed?

TIA
Gordon Pegue
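Gordon's three dialogs map to three independent settings: per-zone aging (the timestamps and the no-refresh/refresh window), the server-wide scavenging switch (the sweep that actually deletes), and "Set Aging/Scavenging for All Zones", which only copies defaults into zones. Before flipping the server switch, a practitioner wants to see exactly which records are past their window, because a static record (no timestamp) is never scavenged and a dynamic one that nothing refreshes will be. The following is an added example written for this page, not code from the thread; it assumes the DnsServer module (Windows Server 2012 or later) and a placeholder zone name:

```powershell
# Added example, not from the thread: audit aging/scavenging settings and list
# the records that would be scavenged before enabling the server-wide sweep.
# Assumes the DnsServer module (Windows Server 2012+); $Zone is a placeholder.
Import-Module DnsServer -ErrorAction Stop
$Zone = 'contoso.com'   # placeholder; use the reverse zone name (e.g. 0.168.192.in-addr.arpa) for PTRs

# Three settings that must line up:
#  - zone aging: records get timestamps and a no-refresh + refresh window
#  - server scavenging: the periodic sweep that deletes; must be enabled on at
#    least one server hosting the zone (ScavengeServers can restrict which)
#  - "Set Aging/Scavenging for All Zones": only pushes defaults into zones
$aging = Get-DnsServerZoneAging -Name $Zone
$scav  = Get-DnsServerScavenging
[pscustomobject]@{
    Zone                 = $Zone
    ZoneAgingEnabled     = $aging.AgingEnabled
    NoRefresh            = $aging.NoRefreshInterval
    Refresh              = $aging.RefreshInterval
    ScavengeServers      = ($aging.ScavengeServers -join ',')
    ServerScavengingOn   = $scav.ScavengingState
    ServerScavengePeriod = $scav.ScavengingInterval
    LastScavengeTime     = $scav.LastScavengeTime
} | Format-List

# A dynamic record is eligible once Timestamp + NoRefresh + Refresh is in the
# past. Static records carry no timestamp and are never touched, so the
# 2005-dated duplicate in the question only disappears if it is dynamic.
function Get-StaleDnsRecord {
    param(
        [string]$ZoneName,
        [timespan]$NoRefresh,
        [timespan]$Refresh,
        [datetime]$Now = (Get-Date)
    )
    Get-DnsServerResourceRecord -ZoneName $ZoneName |
        Where-Object { $_.Timestamp -and ($_.Timestamp + $NoRefresh + $Refresh) -lt $Now } |
        Select-Object HostName, RecordType, Timestamp, @{
            n = 'Data'
            e = { ($_.RecordData.PSObject.Properties |
                   Where-Object { $_.Name -in 'IPv4Address', 'PtrDomainName', 'HostNameAlias' } |
                   Select-Object -First 1).Value }
        }
}

$stale = @(Get-StaleDnsRecord -ZoneName $Zone -NoRefresh $aging.NoRefreshInterval -Refresh $aging.RefreshInterval)
'{0} record(s) in {1} are past no-refresh + refresh and would be scavenged:' -f $stale.Count, $Zone
$stale | Format-Table -AutoSize

# Only after reviewing that list (anything that must survive gets converted to a
# static record) enable the sweep. Uncomment to apply:
# Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 -ApplyOnAllZones
```

Domain controller records are refreshed by Netlogon, so they do not appear in the stale list under sane intervals; if they do, the aging window is shorter than the refresh cadence and scavenging would delete live locator records.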
RE: [ActiveDir] Enterprise Domain Controllers group missing...
"I can confirm we do not have an Enterprise Domain Controllers group in any of the domains."

Really? How did you confirm that? In ADUC (with Advanced Features enabled in View) and doing a custom search for "enterprise", or simply looking in the Foreign Security Principals containers?

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: [EMAIL PROTECTED]
Sent: Tue 11/21/2006 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers group missing...

- We recently upgraded the schema in one forest from Windows 2000 to Windows 2003.
- We now receive the following error when trying to access group policies: "The Enterprise Domain Controllers group does not have read access to this GPO. The Enterprise Domain Controllers group must have read access on all GPOs in the domain in order for Group Policy Modelling to function properly. To learn more about this issue and how you can correct it, click Help."
- I can confirm we do not have an Enterprise Domain Controllers group in any of the domains.
- I have found the following article http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true which shows how to fix the GPO issue using GrantPermissionOnAllGPOs.wsf... but this assumes we actually have the group Enterprise Domain Controllers available. From further reading I see this group has a specific SID of S-1-5-9, so I can not simply create a new group.
- Does anyone have any idea how the group Enterprise Domain Controllers can be recreated with the correct SID of S-1-5-9 so that we can run the script GrantPermissionOnAllGPOs.wsf to fix the group policy problem?

Thanks in advance,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/
RE: [ActiveDir] Enterprise Domain Controllers group missing...
Well then, someone fat-fingered it. Run forestprep again, and if that doesn't work, it's time to talk to the likes of Steve in private :)

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: [EMAIL PROTECTED]
Sent: Tue 11/21/2006 6:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

;-) yip, sure did.. sorry, I should have elaborated further

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

From: Akomolafe, Deji [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 22/11/2006 03:26 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

"I can confirm we do not have an Enterprise Domain Controllers group in any of the domains."

Really? How did you confirm that? In ADUC (with Advanced Features enabled in View) and doing a custom search for "enterprise", or simply looking in the Foreign Security Principals containers? [...]

From: [EMAIL PROTECTED]
Sent: Tue 11/21/2006 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers group missing...

- We recently upgraded the schema in one forest from Windows 2000 to Windows 2003. [...]
RE: [ActiveDir] Enterprise Domain Controllers group missing...
It's not viewable/searchable under ADUC even with advanced features turned on

That is an incorrect statement.

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED]
Sent: Tue 11/21/2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Hi there,

I finally found out where this group was... it is available from Windows 2000 AD forwards and is found at CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,CN=Configuration,DC=x,DC=x,DC=x. It's not viewable/searchable under ADUC even with advanced features turned on but you can use it to apply security on an AD object.

Cheers everyone for your assistance... ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (Wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

From: Steve Linehan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 22/11/2006 03:33 p.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Sorry, read and responded to this too fast. You should have an Enterprise Domain Controllers group; however, it becomes a member of Windows Authorization Access group after the PDC upgrade. You will be missing some of the other Groups and Security Principals listed in that section until the PDC is upgraded.
Thanks,
-Steve

From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Steve Linehan [EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

You have to upgrade or install one of the servers in each domain to Windows Server 2003 and then transfer the PDC Emulator role to the upgraded or added Windows Server 2003 box. When a Windows Server 2003 box takes over the PDC Emulator FSMO role it will create these new security principals. This is documented under the section titled "Windows Server 2003 Well Known Security Principals" in the following link: http://technet2.microsoft.com/WindowsServer/en/library/795229a5-8a74-4edb-a2f4-d5794d31c2a71033.mspx .

Thanks,
-Steve

From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enterprise Domain Controllers group missing...

- We recently upgraded the schema in one forest from Windows 2000 to Windows 2003.
- We now receive the following error when trying to access group policies: "The Enterprise Domain Controllers group does not have read access to this GPO. The Enterprise Domain Controllers group must have read access on all GPO's in the domain in order for Group Policy Modelling to function properly. To learn more about this issue and how you can correct it, click Help."
- I can confirm we do not have an Enterprise Domain Controllers group in any of the domains.
- I have found the following article http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true which shows how to fix the GPO issue using
RE: [ActiveDir] Enterprise Domain Controllers group missing...
I already did. But since you missed this, how about http://www.akomolafe.com/Portals/1/EDC.jpeg?

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED]
Sent: Tue 11/21/2006 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Then correct it so people can learn rather than simply point out that it's wrong, which really gets no one anywhere...

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (Wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

From: Akomolafe, Deji [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 22/11/2006 07:12 p.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

It's not viewable/searchable under ADUC even with advanced features turned on

That is an incorrect statement.

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED]
Sent: Tue 11/21/2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Hi there,

I finally found out where this group was... it is available from Windows 2000 AD forwards and is found at CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,CN=Configuration,DC=x,DC=x,DC=x.
It's not viewable/searchable under ADUC even with advanced features turned on but you can use it to apply security on an AD object.

Cheers everyone for your assistance... ;-)

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (Wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

From: Steve Linehan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 22/11/2006 03:33 p.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing
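The check that GrantPermissionOnAllGPOs.wsf exists to repair, as an added worked example that is not part of the thread and not Microsoft's script: parse a GPO's security descriptor in SDDL form and report whether Enterprise Domain Controllers (SDDL alias ED, well-known SID S-1-5-9) has Read on it. The SDDL strings are constructed samples shaped like a default GPO DACL; treating "Read" as the RC, LC, RP and LO rights (or generic GR/GA) is a simplification that ignores inherited and property-specific ACEs. On a real domain you would feed it each groupPolicyContainer's nTSecurityDescriptor converted to SDDL.

```python
import re

# Enterprise Domain Controllers: SDDL alias and well-known SID (S-1-5-9).
ENTERPRISE_DCS = {"ED", "S-1-5-9"}
# "Read" on an AD object: READ_CONTROL, list children, read property, list object.
READ_RIGHTS = {"RC", "LC", "RP", "LO"}
GENERIC_READ = {"GR", "GA"}  # generic read / generic all cover the set above

_DACL_RE = re.compile(r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")
_ACE_RE = re.compile(r"\(([^)]*)\)")


def _pairs(s):
    """Split a run of two-letter SDDL codes ('RPLCLORC') into a set."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}


def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string, in order, as dicts."""
    m = _DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in _ACE_RE.findall(m.group("aces")):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: %r" % body)
        ace_type, flags, rights, obj_guid, _inh_guid, trustee = fields[:6]
        if rights.startswith("0x"):
            raise ValueError("numeric access mask not handled: %r" % rights)
        aces.append({"type": ace_type, "flags": _pairs(flags), "rights": _pairs(rights),
                     "object_guid": obj_guid, "trustee": trustee})
    return aces


def has_read(sddl, trustees=ENTERPRISE_DCS):
    """True if the DACL grants the trustee full Read on the object itself.

    Simplifications (assumed for this example): only ACEs without an object
    GUID count, inherit-only ACEs are skipped, and any deny ACE for the
    trustee that touches a read right fails the check outright.
    """
    granted = set()
    for ace in parse_dacl(sddl):
        if ace["trustee"] not in trustees or "IO" in ace["flags"]:
            continue
        if ace["type"] in ("D", "OD"):
            if ace["rights"] & (READ_RIGHTS | GENERIC_READ):
                return False
            continue
        if ace["type"] == "A" and not ace["object_guid"]:
            granted |= ace["rights"]
    return bool(granted & GENERIC_READ) or READ_RIGHTS <= granted


def gpos_missing_read(gpo_sddl):
    """Names of GPOs (name -> SDDL) whose DACL lacks Read for Enterprise Domain Controllers."""
    return sorted(name for name, sddl in gpo_sddl.items() if not has_read(sddl))


# Constructed samples: the first has the shape of a default GPO DACL, the
# second has the Enterprise Domain Controllers ACE stripped, the third grants
# Read by SID, the fourth denies a read right before allowing it.
SAMPLE_GPOS = {
    "Default Domain Policy": (
        "O:DAG:DAD:PAI(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
        "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)"
        "(A;CI;RPLCLORC;;;AU)(A;CI;RPLCLORC;;;ED)"
    ),
    "Broken GPO": (
        "O:DAG:DAD:PAI(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
        "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)"
    ),
    "Fixed by SID": "O:DAG:DAD:PAI(A;CI;RPLCLORC;;;AU)(A;CI;GR;;;S-1-5-9)",
    "Denied": "O:DAG:DAD:PAI(D;;RP;;;ED)(A;CI;RPLCLORC;;;ED)",
}

if __name__ == "__main__":
    for name in gpos_missing_read(SAMPLE_GPOS):
        print("Enterprise Domain Controllers lack Read on:", name)
```

Because the trustee is matched by alias or by SID, the check works whether the ACE was written by the GPMC (alias ED) or by a tool that emits raw SIDs, which is the point of the thread: the principal is identified by S-1-5-9, not by a group object you could recreate.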
RE: [ActiveDir] Kerberos is Killing Me!
I know there's a really good how-to out there somewhere on using NTDSUTIL for this purpose

Talking about this http://www.akomolafe.com/Portals/1/Docs/xferfsmos.htm? :-p

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Laura A. Robinson
Sent: Thu 11/16/2006 11:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos is Killing Me!

You can leave the IP the same. If the demotion fails or goes awry in some respect, you may have to do some metadata cleanup in addition to the DNS cleanup (which I'm guessing is what Deji meant by AD/DNS/Sites, but just in case...). Given the, um, quirkiness of this environment, I suspect you may have a difficult demotion ahead. I assume you've done metadata cleanup before? If not, feel free to post, or just spend a lot of time typing ? at the ntdsutil prompts. I know there's a really good how-to out there somewhere on using NTDSUTIL for this purpose, but to be honest, I'm pooped and I have to be up early to talk NAP with one customer and convince another that Volume License Activation isn't Evil Empire Voodoo designed to suck all of the money out of their bank accounts. Otherwise, I'd dig it up for you. Then again, I may be thinking of something I wrote, in which case it'll be hard to find by searching the Internet. ;-) Seriously, though, if you can't find anything helpful, I'm sure any number of people on this list have either great links or great documents they wrote on using NTDSUTIL for metadata cleanup.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Friday, November 17, 2006 2:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!

Thanks Deji. I understand.
I will re-examine the event log in the morning and plan for a demotion over the weekend. Besides removing the reference from AD/DNS/Sites, is there something else I should do or look to remove the reference? Also, should I change the IP address? This I really don't want to do if I really don't have to...?

Thanks.

On 11/16/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:

I believe I recommended this early on in the thread. Sometimes, it's easier (wiser) to not fight the fire. Demote, clean it out of AD/DNS/Sites. If you have the luxury, wipe and reinstall the box, otherwise, just do a rename of the box. Renaming it is strongly recommended unless you have scripts and applications into which you have hard-coded the name.

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: hboogz
Sent: Thu 11/16/2006 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!

AD sites. 3, one including the DR-site.

Regarding the question about demoting then promoting... if I have to go that route, should I keep the same server name?

On 11/16/06, Laura A. Robinson mailto:[EMAIL PROTECTED] wrote:

I apologize if I keep asking questions you've already answered, but how many sites are involved here? Of course, by the time this hits the list, any replication that hasn't yet occurred probably will have. :-)

Laura

From: [EMAIL PROTECTED] [mailto:mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!

**Update***

I changed the user account control attribute using the following direction:

Did you follow:
When using adsiedit:
* Connect to the domain NC
* Navigate to the Domain Controllers OU
* Right click on the DC for which you want to change the UserAccountControl value and select properties
* Go to the UserAccountControl attribute
* You should see a value (from what you have described): 536576
* Change that value to: 532480

I then followed the instructions found here: Re: access denied http://technet2.microsoft.com/WindowsServer/en/library/22764cb5-9860-4f8f-95e7-337df24edf741033.mspx?mfr=true

I did this from the phmaindc1 server:
net stop kdc
clear ticket cache
reset machine password
open sites and services and forced replication with phprint -- which succeeded
opened replmon and synchronized with phprint1.
net start kdc
ran: repadmin /showreps. Replication to phprint1 came up as successful
RE: [ActiveDir] OT: Exchange 2000 to 2003 - upgrade by running in parallel.
Getting the new Exchange server in there and moving mailboxes, PFs, RG master role, etc, is fairly easy. The main work is involved in getting the old server out of the mix. This (http://support.microsoft.com/?id=822931) should help somewhat.

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Mark Parris
Sent: Fri 11/17/2006 1:16 AM
To: ActiveDir.org
Subject: [ActiveDir] OT: Exchange 2000 to 2003 - upgrade by running in parallel.

Hello all,

I am intending to upgrade an Exchange 2000 environment to Exchange 2003 via a parallel installation as opposed to an upgrade, as the hardware will not handle an upgrade. The environment consists of a Front End Server and 4 Mailbox servers; there is no clustering involved.

Does anyone have any experience of doing the installation via this method and are there any major gotchas? Any recommendations or perhaps a document? All I can find on MS is physical upgrade documentation.

Many thanks,

Regards,

Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596
RE: [ActiveDir] Kerberos is Killing Me!
I believe I recommended this early on in the thread. Sometimes, it's easier (wiser) to not fight the fire. Demote, clean it out of AD/DNS/Sites. If you have the luxury, wipe and reinstall the box, otherwise, just do a rename of the box. Renaming it is strongly recommended unless you have scripts and applications into which you have hard-coded the name.

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: hboogz
Sent: Thu 11/16/2006 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!

AD sites. 3, one including the DR-site.

Regarding the question about demoting then promoting... if I have to go that route, should I keep the same server name?

On 11/16/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

I apologize if I keep asking questions you've already answered, but how many sites are involved here? Of course, by the time this hits the list, any replication that hasn't yet occurred probably will have. :-)

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!

**Update***

I changed the user account control attribute using the following direction:

Did you follow:
When using adsiedit:
* Connect to the domain NC
* Navigate to the Domain Controllers OU
* Right click on the DC for which you want to change the UserAccountControl value and select properties
* Go to the UserAccountControl attribute
* You should see a value (from what you have described): 536576
* Change that value to: 532480

I then followed the instructions found here: Re: access denied http://technet2.microsoft.com/WindowsServer/en/library/22764cb5-9860-4f8f-95e7-337df24edf741033.mspx?mfr=true

I did this from the phmaindc1 server:
net stop kdc
clear ticket cache
reset machine password
open sites and services and forced replication with phprint -- which succeeded
opened replmon and synchronized with phprint1.
net start kdc
ran: repadmin /showreps. Replication to phprint1 came up as successful

However, I still get an error to the child domain indicating access denied. Should I wait for AD replication for this to work?

--
HBooGz:\
RE: [ActiveDir] Restrict VPN Access By Computer Name
Yes, you will need a CA for EAP. Ideally, you'd do a machine cert, because machines are what you want to filter. Are you providing hosted services to your clients, or what?

Yes, there are ISA appliances. There have been since 2004.

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Dan DeStefano
Sent: Wed 11/15/2006 5:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name

Cool, I will test that out, thanks. I am not too familiar with using or configuring EAP; would this solution require installing a CA on the network? Furthermore, would these certificates be assigned to the machine, not the user?

No, I understand the difference between IAS and ISA. I just mentioned ISA because you said that it might be a good idea to use it. For most of our clients, a $1500 firewall solution is overkill. We are pretty much standardized on the Netgear FVL328, which costs under $300, provides 100 VPN tunnels for branch offices and is compact enough to fit in most of our clients' wiring closets (the term closet being the operative word as most of our clients do not have or need a server room). I would prefer a firewall appliance to one installed on a server and most ISA appliances are on the expensive side and are designed for rack-mounting. I can't remember where, but I vaguely remember reading that Microsoft would be offering a light version of ISA 2006 that can be used as an embedded solution for small business networks such as those that I manage. It will compete with Netgear, Linksys, Firebox, etc. Maybe I am mistaken, but I will try to find out.

I will take your advice and wait for LH server instead of messing with WS2k3 quarantine. I appreciate the recommendation.

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, November 14, 2006 12:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name

You are right, Calling-Station-Identifier (in some cases) maps to the telephone number. In 802.1x scenario, though, it's usually the MAC, but I have also seen it map to the client's IP address. I attribute this to some vendors not reading the RFC or just opting to do it their way. In our situation, MS maps it to MAC.

I re-read your original message and I have another thought. Since these are computers under your control, why not issue them certificates and use EAP as your authentication filter?

Hope we are not mixing acronyms here, re: IAS vs. ISA. IAS is the RADIUS server. Free with the OS. ISA is the proxy/caching/firewall solution. $1,500.00 for Standard edition, comes in a black box version, too. For what it does, ISA is one of the cheapest solutions of its type in the market. I am not aware of the "light" version you mentioned.

If you think NAP is complex, try your hands on 2K3 qtine. Also, you can combine all the NAP roles on one server, you do not have to separate them. The only strict requirement is that it be installed on a LH server.

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Dan DeStefano
Sent: Tue 11/14/2006 5:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name

Thank you for your response. I thought the Calling-Station-Id was used for phone numbers (that is what the description says anyway). But you are saying that MAC addresses can be used here as well?

Other than the above, what would the advantages of deploying IAS be? This is a small network with 100 or so users and only a handful of them have VPN access (right now being controlled in the user account properties). For this reason I am not sure I can also justify the costs of implementing ISA, especially with a current firewall solution in place. Plus, we have no ISA experts in our organization or anyone who has even administered ISA before. Maybe this will change with the new ISA 2006, but most ISA solutions right now are enterprise-class and on the expensive side (for most small businesses). I heard that ISA 2006 is supposed to have a light version of some sort, but that being said, I am not sure if it would be as fully-featured and support what you are suggesting (though I know little of it other than the fact that it exists).

Thanks for the advice about ws2k3 quarantine, I guess we won't waste our time with it. I have read about Longhorn NAP and it looks great. But it also looks a bit
RE: [ActiveDir] Restrict VPN Access By Computer Name
All "appliances" are expensive, IMO. Not just the monetary part, but also their up-keep. I resell a product that gets grossly marked up in appliance form, and is not as regularly updated as the non-applianced version. But people are willing to pay the additional (unnecessary) cost, just because it is applianced, and they don't like "software solutions". Go figure.

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wed 11/15/2006 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Restrict VPN Access By Computer Name

"Expensive" ISA appliances... let's qualify that

Akomolafe, Deji wrote:

Yes, you will need a CA for EAP. Ideally, you'd do a machine cert, because machines are what you want to filter. Are you providing hosted services to your clients, or what?

Yes, there are ISA appliances. There have been since 2004.

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Dan DeStefano
Sent: Wed 11/15/2006 5:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name

Cool, I will test that out, thanks. I am not too familiar with using or configuring EAP; would this solution require installing a CA on the network? Furthermore, would these certificates be assigned to the machine, not the user?

No, I understand the difference between IAS and ISA. I just mentioned ISA because you said that it might be a good idea to use it. For most of our clients, a $1500 firewall solution is overkill.
We are pretty much standardized on the Netgear FVL328, which costs under $300, provides 100 VPN tunnels for branch offices and is compact enough to fit in most of our clients' wiring closets (the term closet being the operative word as most of our clients do not have or need a server room). I would prefer a firewall appliance to one installed on a server and most ISA appliances are on the expensive side and are designed for rack-mounting. I can't remember where, but I vaguely remember reading that Microsoft would be offering a light version of ISA 2006 that can be used as an embedded solution for small business networks such as those that I manage. It will compete with Netgear, Linksys, Firebox, etc. Maybe I am mistaken, but I will try to find out.

I will take your advice and wait for LH server instead of messing with WS2k3 quarantine. I appreciate the recommendation.

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, November 14, 2006 12:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name

You are right, Calling-Station-Identifier (in some cases) maps to the telephone number. In 802.1x scenario, though, it's usually the MAC, but I have also seen it map to the client's IP address. I attribute this to some vendors not reading the RFC or just opting to do it their way. In our situation, MS maps it to MAC.

I re-read your original message and I have another thought. Since these are computers under your control, why not issue them certificates and use EAP as your authentication filter?

Hope we are not mixing acronyms here, re: IAS vs. ISA. IAS is the RADIUS server. Free with the OS. ISA is the proxy/caching/firewall solution. $1,500.00 for Standard edition, comes in a black box version, too.
For what it does, ISA is one of the cheapest solutions of its type in the market. I am not aware of the "light" version you mentioned.

If you think NAP is complex, try your hands on 2K3 qtine. Also, you can combine all the NAP roles on one server, you do not have to separate them. The only strict requirement is that it be installed on a LH server.

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow y
RE: [ActiveDir] Strange DC behaviour and error
Compare the IP registered for phmaindc1 in DNS to the actual IP address of this machine. Do you see any discrepancy? Is this your only DC? If not, then I'd demote it, clean it completely out of AD (ADUC, AD Sites and Services, DNS), and then re-promote it.

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: hboogz
Sent: Wed 11/15/2006 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Strange DC behaviour and error

Hey Guys,

I receive this error on my DC and my newly created Citrix Server.

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 11/15/2006
Time: 12:30:17 PM
User: N/A
Computer: PHMAINDC1
Description: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/phmaindc1.phippsny.org. The target name used was DNS/phmaindc1.phippsny.org. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (PHIPPSNY.ORG), and the client realm. Please contact your system administrator. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The Citrix server can't connect to the terminal server licensing component on here and every time a user logs in, they receive an access denied indicating that they could retrieve their TS profile information. Every time I try to run dsa.msc on the Citrix box, I get an error. I'm running Windows 2003 Standard R2 on AD and Standard w/ SP1 on the Citrix box.

I also get this error/message when I run dcdiag on the DC:

The account PHMAINDC1 is not a DC account. It cannot replicate.
Warning: Attribute userAccountControl of PHMAINDC1 is: 0x1000 = ( UF_WORKSTATION_TRUST_ACCOUNT )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?

Any ideas? I'm stuck with all my Citrix users being denied logon!

--
HBooGz:\
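Both the adsiedit fix quoted earlier in the Kerberos thread (536576 to 532480) and this dcdiag warning (0x1000 against the typical 0x82000) come down to the account-type bits in userAccountControl. The following is an added example, not code from the thread: it decodes a value into the documented ADS_USER_FLAG names, reports what is wrong for a DC's computer object, and computes the corrected value. The "expected for a DC" rule (UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION) is taken from the dcdiag text; the script only computes values and does not write anything to AD.

```python
# Decode userAccountControl and compute the value a DC's computer object
# should carry. Added example; flag values are the documented ADS_USER_FLAG
# constants, the DC rule is the one dcdiag prints (assumed here as the target).
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}

# Exactly one of these account-type bits should be set on any account object.
ACCOUNT_TYPE_BITS = 0x0100 | 0x0200 | 0x0800 | 0x1000 | 0x2000
UF_ACCOUNTDISABLE = 0x0002
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_TRUSTED_FOR_DELEGATION = 0x80000
DC_EXPECTED = UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION  # 0x82000 = 532480


def decode_uac(value):
    """Return the sorted flag names set in a userAccountControl value."""
    return sorted(name for bit, name in UAC_FLAGS.items() if value & bit)


def dc_uac_problems(value):
    """Describe what is wrong with a userAccountControl value on a DC object."""
    problems = []
    if not value & UF_SERVER_TRUST_ACCOUNT:
        problems.append("SERVER_TRUST_ACCOUNT missing: dcdiag reports the account is not a DC account")
    if bin(value & ACCOUNT_TYPE_BITS).count("1") > 1:
        names = [UAC_FLAGS[b] for b in UAC_FLAGS if b & ACCOUNT_TYPE_BITS and value & b]
        problems.append("more than one account-type bit set: " + ", ".join(names))
    if not value & UF_TRUSTED_FOR_DELEGATION:
        problems.append("TRUSTED_FOR_DELEGATION missing: not the typical DC setting dcdiag expects")
    if value & UF_ACCOUNTDISABLE:
        problems.append("account is disabled")
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        problems.append("undocumented bits set: 0x%x" % unknown)
    return problems


def repair_dc_uac(value):
    """Clear every account-type bit, then set the DC bits; other flags survive."""
    return (value & ~ACCOUNT_TYPE_BITS) | DC_EXPECTED


if __name__ == "__main__":
    # 0x1000 is what dcdiag saw; 536576 is the value quoted in the thread.
    for v in (0x1000, 536576, 532480):
        print("%d (0x%x): %s" % (v, v, ", ".join(decode_uac(v))))
        for p in dc_uac_problems(v):
            print("   ! " + p)
        print("   -> corrected: %d (0x%x)" % (repair_dc_uac(v), repair_dc_uac(v)))
```

536576 decodes to WORKSTATION_TRUST_ACCOUNT, SERVER_TRUST_ACCOUNT and TRUSTED_FOR_DELEGATION at once (0x1000 | 0x2000 | 0x80000); clearing the workstation bit gives 532480, the value the thread settles on. A value of 0x1000 alone, as dcdiag reported, is a plain workstation account, which is why the KDC stops treating the box as a DC.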
RE: [ActiveDir] DNS Scavenging
You need some quiet time (and your favorite bottle/keg of liquor) with this document http://www.microsoft.com/technet/prodtechnol/windows2000serv/plan/w2kdns2.mspx If you are in a hurry, just skip down to the Aging and Scavenging part. Enjoy

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Rimmerman, Russ
Sent: Wed 11/15/2006 5:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Scavenging

We're in the middle of an SMS deployment and SMS is making us very aware that DNS scavenging and WINS tombstoning doesn't appear to be happening as much as it should. Looking through our DNS records for our domain, there's like 2 and 3 machine names for one IP. Two of them were tossed in the trash, one is still alive. We have scavenging set to 7 days on the zones, but not enabled at the server level (that seems a bit scarier). Shouldn't DNS scavenging work if enabled on the zone? We're running Win2k3 on our DNS/DCs, some with SP1 some without.

Thanks in advance

~~ This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information of Cameron and its Operating Divisions. Any unauthorized use or disclosure is prohibited. If you are not the intended recipient, please contact the sender by reply email and delete and destroy all copies of the original message inclusive of any attachments. ~~
RE: [ActiveDir] DNS Scavenging
Also keep in mind scavenging only applies to records that have timestamps (which are typically dynamically created.)

Keep in mind that you CAN enable scavenging on static records. The facility is in dnscmd. So, please don't assume that your static records are safe from scavenging just because you don't see a timestamp.

Sincerely,
_ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Roger Longden
Sent: Wed 11/15/2006 7:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Scavenging

Correct. When a server runs scavenging it'll determine which of the primary zones it hosts has it enabled and then which records in those zones are stale based on the no-refresh and refresh intervals. Also keep in mind scavenging only applies to records that have timestamps (which are typically dynamically created.) And make sure none of the zones have too short of no-refresh/refresh intervals where valid records could be removed. You can do due diligence by ensuring you have current and valid backups. You may want to also check out KB838851 just to be sure it doesn't apply to your environment.

- Roger

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, November 15, 2006 10:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Scavenging

OK that explains my problems then. When I enable it at the server level, it won't actually do anything to the zones that aren't enabled, correct? I mean, is it a two step process, you enable the server, and then enable the zones you actually want to scavenge one at a time? I just don't want anything to disappear out of DNS suddenly when I enable the server level, that ends up being a CLM (career limiting move).

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Longden
Sent: Wednesday, November 15, 2006 7:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Scavenging

Unless you enable it on a server (or manually initiate it against a server) nothing's actually being scavenged. The settings on the zone only allow the timestamps to replicate and define what records would be deleted assuming scavenging is run. So until a DNS server that hosts a primary copy of the zone performs the scavenging process you can continue to watch those duplicates accumulate and your SMS admins complain. :)

- Roger

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, November 15, 2006 8:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Scavenging

We're in the middle of an SMS deployment and SMS is making us very aware that DNS scavenging and WINS tombstoning doesn't appear to be happening as much as it should. Looking through our DNS records for our domain, there's like 2 and 3 machine names for one IP. Two of them were tossed in the trash, one is still alive. We have scavenging set to 7 days on the zones, but not enabled at the server level (that seems a bit scarier). Shouldn't DNS scavenging work if enabled on the zone? We're running Win2k3 on our DNS/DCs, some with SP1 some without.

Thanks in advance
RE: [ActiveDir] Restrict VPN Access By Computer Name
You are right, Calling-Station-Identifier (in some cases) maps to the telephone number. In an 802.1x scenario, though, it's usually the MAC, but I have also seen it map to the client's IP address. I attribute this to some vendors not reading the RFC or just opting to do it their way. In our situation, MS maps it to MAC.

I re-read your original message and I have another thought. Since these are computers under your control, why not issue them certificates and use EAP as your authentication filter?

Hope we are not mixing acronyms here, re: IAS vs. ISA. IAS is the RADIUS server. Free with the OS. ISA is the proxy/caching/firewall solution. $1,500.00 for Standard edition, comes in a black box version, too. For what it does, ISA is one of the cheapest solutions of its type in the market. I am not aware of the "light" version you mentioned.

If you think NAP is complex, try your hands on 2K3 quarantine. Also, you can combine all the NAP roles on one server, you do not have to separate them. The only strict requirement is that it be installed on an LH server.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Dan DeStefano
Sent: Tue 11/14/2006 5:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name

Thank you for your response. I thought the Calling-Station-Id was used for phone numbers (that is what the description says anyway). But you are saying that MAC addresses can be used here as well? Other than the above, what would the advantages of deploying IAS be? This is a small network with 100 or so users and only a handful of them have VPN access (right now being controlled in the user account properties).
For this reason I am not sure I can also justify the costs of implementing ISA, especially with a current firewall solution in place. Plus, we have no ISA experts in our organization or anyone who has even administered ISA before. Maybe this will change with the new ISA 2006, but most ISA solutions right now are enterprise-class and on the expensive side (for most small businesses). I heard that ISA 2006 is supposed to have a light version of some sort, but that being said, I am not sure if it would be as fully-featured and support what you are suggesting (though I know little of it other than the fact that it exists). Thanks for the advice about WS2k3 quarantine, I guess we won't waste our time with it. I have read about Longhorn NAP and it looks great. But it also looks a bit complex, requiring a bit more infrastructure than most small businesses need or can afford. Have you ever tried restricting VPN access by MAC address?

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, November 14, 2006 1:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name

Call-Station-Identifier is a much more stable and reliable filter - it is the Client's MAC address. "Client Friendly Name" is optional and may not be sent in many VPN negotiations. The identifier will very likely be sent (I don't want to say ALWAYS since I don't have any relevant doc that says that, but I am yet to see a negotiation that does not include the identifier). Unfortunately, in order to use the identifier as a filter, you will have to create a policy for each device. I don't see how you can wildcard it. So, depending on how many clients you are talking here, well... Yes, if I were you, I'd bring in RADIUS. Better, I'd bring in something like ISA 2006.
With ISA, you should be able to create a Computer Set that includes the names or IPs of the Clients in question, and you can use that to filter your inbound VPN connection requests. I don't have such a configuration, but it makes sense in my head. Also, if you haven't started messing with that 2K3 quarantine thingamabob yet, thank your stars. You don't want to. Not now the NAP in Longhorn is so close at hand. I'd recommend that you encourage your techs to concentrate on learning NAP instead. I just took a quick look around in NAP, and I can see where what you are trying to do here can be easily accomplished. Hope I haven't thoroughly confused you yet.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Dan DeStefano
Sent: Mon 11/13/2006 9:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restrict VPN Access By Computer Name

I was wondering if there is a way to restrict client VPN
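The per-device policy condition discussed above (match Calling-Station-Id exactly, one entry per device, no wildcard) can be shown on the wire. The block below is an added example, not the thread's code and not IAS: it builds an RFC 2865 Access-Request inline from constructed values, pulls attribute 31, normalises the MAC spellings different access servers send (dashes, colons, Cisco dotted, or bare hex) and accepts only an exact allow-list hit; a phone number or an IP address in the same attribute is left untouched and simply fails to match. The user name, MAC addresses and allow-list are assumptions. One caveat worth keeping in mind: the attribute carries whatever the access server reports from the client's own announcement, so a match identifies a device, it does not authenticate it, which is why the certificate-plus-EAP suggestion above is the stronger control.

```python
"""Added example: evaluating Calling-Station-Id in a RADIUS Access-Request.
Constructed packets; not code from the thread or from IAS."""
import os
import re
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_CALLED_STATION_ID = 30
ATTR_CALLING_STATION_ID = 31

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalise_station_id(value: str) -> str:
    """Canonical lower-case MAC (aabbccddeeff) when the value is a MAC in
    any common spelling; anything else (phone number, IP) is returned as-is."""
    stripped = re.sub(r"[-:.]", "", value.strip().lower())
    return stripped if _HEX12.match(stripped) else value.strip()


def build_access_request(attrs, identifier=1, authenticator=None) -> bytes:
    """Constructed Access-Request: 20-byte header + attribute TLVs.
    No User-Password is included; enough for the policy check."""
    authenticator = authenticator or os.urandom(16)
    body = b"".join(struct.pack("BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def parse_attributes(packet: bytes):
    """Return (code, {attribute type: [raw values]}) with length checks."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs = {}
    pos = 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return code, attrs


def evaluate(packet: bytes, allowed_macs) -> str:
    """Mimic one remote-access policy condition per device: the request
    is accepted only when Calling-Station-Id equals an allow-list entry."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_REQUEST:
        return "Ignore"
    ids = attrs.get(ATTR_CALLING_STATION_ID, [])
    if not ids:
        return "Reject: no Calling-Station-Id"
    station = normalise_station_id(ids[0].decode("ascii", "replace"))
    allowed = {normalise_station_id(m) for m in allowed_macs}
    if station in allowed:
        return "Accept"
    return "Reject: %s not in device list" % station


if __name__ == "__main__":
    # Constructed allow-list, one entry per approved laptop.
    devices = ["00-13-72-AB-CD-EF", "00:1A:2B:3C:4D:5E"]
    for station in (b"00:13:72:ab:cd:ef", b"5551234567", b"192.0.2.10"):
        pkt = build_access_request([(ATTR_USER_NAME, b"dan"),
                                    (ATTR_CALLING_STATION_ID, station)])
        print(station.decode(), "->", evaluate(pkt, devices))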
RE: [ActiveDir] OT: Sonicwall vs ISA (was M$)
Which part of it do you not understand?

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Albert Duro
Sent: Tue 11/14/2006 7:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Sonicwall vs ISA (was M$)

Sonicwall vs. ISA? That's a new one on me. I'm not a SBSer, but I do have a Sonicwall. Would you care to expand? thank you

----- Original Message -----
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, November 13, 2006 5:17 PM
Subject: Re: [ActiveDir] OT: M$

(I would just like to go on record as saying that I thought Brett's post was funny)

In the MVP survey this year the final question was "give three words that best describe Microsoft?" Boy howdy was that the hardest part of the survey to fill out. Three words to describe the "company"? Youch. Think about that one for a moment will ya? Ask me to say three words about the people of Microsoft and I'd have that survey done in a nanosecond. Ask me three words about the "Company"... this financial entity that files 10Ks and... like what do you want me to say? Microsoft (or M$ or MF$T whatever you'd like to call it) is a company registered with the SEC to do business. It is a software company. It is an entity. It has a Tax ID number. It has to make sucky decisions due to Judges and Lawyers and Patents and EU attorneys and stupid EOLA lawsuits and...

The Employees of Microsoft (no abbreviations)... as was best put by a Security MVP, he went looking for the employees of Microsoft that eat babies... you know... the ones he's heard about in those Department of Justice/SlashDot postings and all that... well he can't find them. Every one of them he (and I) have ever met are sincere, hardworking, trustworthy people.
In fact that's one of the wonderful things about the blogs... they do a total 'end run' around WagEd/PR stuff and show the people for the people. Even when Brett didn't blog we knew about him via his blog. Just honest people talking to people. And that's when Microsoft truly rocks.

I also know that in the newsgroups when I have someone who challenges my views I find that what ends up happening is not that I'll change them, but I'll solidify my views. To those that use M$ knowing full well that it annoys you (the generic you, not "you", you), if their goal is to annoy... they won't change.

The following items are bound to start arguments/flames etc. in my home base community (most of these are specific to SBS, so my apologies)
1. One nic versus two
2. Antivirus choice (with the exception of Norton Yellow Box consumer which is nearly universally hated by all in IT)
3. Sonicwall versus ISA server
4. .local/.lan versus .com
5. the lack of inclusion of DFSv2 in SBS 2003 R2

So I guess if you are doing a list of Arguments/Flamewars in this community I guess I will say
1. The use or non use of M$ :-)

Sometimes you just have to let it roll off your back. :-)

How about a lighter, less argumentative topic change: So how about those USA elections, 'eh? What's your thoughts about Stem Cell Research?

Laura A. Robinson wrote:

Disclaimer #1: "You" in the below refers to a generic "you", not a specific person.
Disclaimer #2: My opinions are in no way intended to represent those of my employer. They're my own, and they were my opinions long before I became a Microsoft employee.

That said...

You know what I find amazing here? It has been clearly expressed that there *are* people who find the term irritating (and I assure you, I'm not the only one; I'm just the only one who states it publicly), yet you're still arguing that because *you* think it's funny, it's therefore okay to use it. Please explain this logic to me.
If you meet somebody who asks you not to call him "Tiny" because he hates the nickname, do you make a point to call him "Tiny"? If you do, then you have some serious personal issues. If you don't do that, then why do you think it's okay to continue to justify using a name on a Microsoft-centric list that is populated by Microsoft-centric people that you've been told *is* offensive to some of those people?

This isn't about political correctness and it isn't about different senses of humor. It's about somebody having stated flat-out that the "M$" term is offensive to her (and, again, to a lot more people than you realize) and you continuing to assert that it's just fine for you to use it. Some people might consider that incredibly childish and ignorant. Did it never occur to you simply to not use or defend the use of the term, regardless of whether you think I'm oversensitive about it?
RE: [ActiveDir] OT: M$
I've been wondering all day, even after my private mea culpa to you. I've been wondering why that last line would elicit such a reaction from you. So, when another trusted fellow brought up the issue in a private conversation I started wondering again. Something just didn't compute. I expected "Shut up, Laura" to be an innocuous statement that would be met with a smiley or VBEG from "Laura". I didn't expect "Laura" to take umbrage at that phrase. As a matter of fact, I expected hugs and kisses and flowers and whatnot. So, I kept wondering...

Well, I'm wondering no more. I got you mixed up, Laura. Beaucoup apologies. I thought you were Laura Hunter (http://www.shutuplaura.com/ - WARNING, adult language). I am very sorry.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Laura A. Robinson
Sent: Tue 11/14/2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

That last line really was unnecessary, Deji.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Monday, November 13, 2006 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

You know what I find amazing here? That you felt compelled to lend more visibility to this topic, when it, truly, does not deserve an iota of your time. I see people use "M$" in conversations, I note their names and learn to avoid them. It's the same thing I do with people who use "1337" and similar "elite-speak" in conversation. I put them all in the same column of idiotic wannabes and move on. The only reason I feel impelled to write what I'm writing is because you are still lending your professional credence to a nonentity who should have been duly ignored from the start.
I'm surprised that you are expending so much energy in that exercise, seeing as I know that you have been in numerous environments where people do things like these in attempts to garner attention. Giving them the undeserved attention is, IMNSHO, injurious to your reputation. So, Laura... shut up already.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Laura A. Robinson
Sent: Mon 11/13/2006 4:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

Disclaimer #1: "You" in the below refers to a generic "you", not a specific person.
Disclaimer #2: My opinions are in no way intended to represent those of my employer. They're my own, and they were my opinions long before I became a Microsoft employee.

That said...

You know what I find amazing here? It has been clearly expressed that there *are* people who find the term irritating (and I assure you, I'm not the only one; I'm just the only one who states it publicly), yet you're still arguing that because *you* think it's funny, it's therefore okay to use it. Please explain this logic to me. If you meet somebody who asks you not to call him "Tiny" because he hates the nickname, do you make a point to call him "Tiny"? If you do, then you have some serious personal issues. If you don't do that, then why do you think it's okay to continue to justify using a name on a Microsoft-centric list that is populated by Microsoft-centric people that you've been told *is* offensive to some of those people?

This isn't about political correctness and it isn't about different senses of humor. It's about somebody having stated flat-out that the "M$" term is offensive to her (and, again, to a lot more people than you realize) and you continuing to assert that it's just fine for you to use it.
Some people might consider that incredibly childish and ignorant. Did it never occur to you simply to not use or defend the use of the term, regardless of whether you think I'm oversensitive about it? It certainly occurred to the person who originally posted it to stop using the term, and he didn't have to have an argument that boils down to "I think it's funny, so you need to just get over it" before stating that he wouldn't continue to use the term. I found that very adult of him. I don't, however, find it particularly adult to continue to defend the use of a tasteless, inaccurate, slighting moniker because *you* think it's "funny".

Most Microsoft employees are not nearly as well-paid as the public seems to think, and yet, the VAST majority of them contribute their own time and money to charitable organizations. I can give you statistics if you like; Microsoft is actually first in terms of per-capita employee philanthropy. The insistence upon referring to the company as "M$" displays a tremendous amount of ignorance and rudeness to those
RE: [ActiveDir] OT: M$
You know what I find amazing here? That you felt compelled to lend more visibility to this topic, when it, truly, does not deserve an iota of your time. I see people use "M$" in conversations, I note their names and learn to avoid them. It's the same thing I do with people who use "1337" and similar "elite-speak" in conversation. I put them all in the same column of idiotic wannabes and move on. The only reason I feel impelled to write what I'm writing is because you are still lending your professional credence to a nonentity who should have been duly ignored from the start. I'm surprised that you are expending so much energy in that exercise, seeing as I know that you have been in numerous environments where people do things like these in attempts to garner attention. Giving them the undeserved attention is, IMNSHO, injurious to your reputation. So, Laura... shut up already.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Laura A. Robinson
Sent: Mon 11/13/2006 4:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

Disclaimer #1: "You" in the below refers to a generic "you", not a specific person.
Disclaimer #2: My opinions are in no way intended to represent those of my employer. They're my own, and they were my opinions long before I became a Microsoft employee.

That said...

You know what I find amazing here? It has been clearly expressed that there *are* people who find the term irritating (and I assure you, I'm not the only one; I'm just the only one who states it publicly), yet you're still arguing that because *you* think it's funny, it's therefore okay to use it. Please explain this logic to me. If you meet somebody who asks you not to call him "Tiny" because he hates the nickname, do you make a point to call him "Tiny"?
If you do, then you have some serious personal issues. If you don't do that, then why do you think it's okay to continue to justify using a name on a Microsoft-centric list that is populated by Microsoft-centric people that you've been told *is* offensive to some of those people?

This isn't about political correctness and it isn't about different senses of humor. It's about somebody having stated flat-out that the "M$" term is offensive to her (and, again, to a lot more people than you realize) and you continuing to assert that it's just fine for you to use it. Some people might consider that incredibly childish and ignorant. Did it never occur to you simply to not use or defend the use of the term, regardless of whether you think I'm oversensitive about it? It certainly occurred to the person who originally posted it to stop using the term, and he didn't have to have an argument that boils down to "I think it's funny, so you need to just get over it" before stating that he wouldn't continue to use the term. I found that very adult of him. I don't, however, find it particularly adult to continue to defend the use of a tasteless, inaccurate, slighting moniker because *you* think it's "funny".

Most Microsoft employees are not nearly as well-paid as the public seems to think, and yet, the VAST majority of them contribute their own time and money to charitable organizations. I can give you statistics if you like; Microsoft is actually first in terms of per-capita employee philanthropy. The insistence upon referring to the company as "M$" displays a tremendous amount of ignorance and rudeness to those employees, IMO.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Monday, November 13, 2006 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

Exactly, is exactly right. You can't impose your own humor preferences on someone because you consider it unfunny. You just don't laugh.
You can't stop bad jokes, because someone, somewhere is laughing at them. Just not you.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Monday, November 13, 2006 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

Exactly. M$ just isn't funny. Borg, kool-aid, those are funny. M$ isn't. Go figure.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Monday, November 13, 2006 7:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

Useless Air Farce would not be found funny because it's just that, not funny. Funnier is US Chair Force. That's funny, and people here laugh at it all the time.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Monday, November 13, 2006 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

;oP

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440
RE: [ActiveDir] Restrict VPN Access By Computer Name
Call-Station-Identifier is a much more stable and reliable filter - it is the Client's MAC address. "Client Friendly Name" is optional and may not be sent in many VPN negotiations. The identifier will very likely be sent (I don't want to say ALWAYS since I don't have any relevant doc that says that, but I am yet to see a negotiation that does not include the identifier). Unfortunately, in order to use the identifier as a filter, you will have to create a policy for each device. I don't see how you can wildcard it. So, depending on how many clients you are talking here, well... Yes, if I were you, I'd bring in RADIUS. Better, I'd bring in something like ISA 2006.

With ISA, you should be able to create a Computer Set that includes the names or IPs of the Clients in question, and you can use that to filter your inbound VPN connection requests. I don't have such a configuration, but it makes sense in my head. Also, if you haven't started messing with that 2K3 quarantine thingamabob yet, thank your stars. You don't want to. Not now the NAP in Longhorn is so close at hand. I'd recommend that you encourage your techs to concentrate on learning NAP instead. I just took a quick look around in NAP, and I can see where what you are trying to do here can be easily accomplished. Hope I haven't thoroughly confused you yet.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Dan DeStefano
Sent: Mon 11/13/2006 9:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restrict VPN Access By Computer Name

I was wondering if there is a way to restrict client VPN connections via computer name. The reason for this is that we only want clients connecting from approved devices for which they do not have administrative privileges.
In other words, we do not want people VPNing into our network from their possibly virus- and spyware-infested home PCs. I know that a clever user could rename his/her home PC, but this is probably not too likely and that type of user is probably likely to be conscious of updated antivirus/spyware software. I saw a setting in Remote Access Policies called Client Friendly Name (IAS). Is this the setting I am looking for? If so, do I have to set up an IAS server? If not, is there another way I can accomplish my goal? I know that WS2k3 R2 has a quarantine feature, but I am not familiar with it, though it looks like a bit of a PITA to set up and I am looking for a quick way to fix this problem. We will probably eventually use the new quarantine feature after our techs have had a chance to learn and test it a bit. I think another problem with this feature is for small business networks that have just a single SBS server. Any help would be greatly appreciated.

Thanks,

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
RE: [ActiveDir] Exchange --NDR--
You should be able to see my email from the response.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Technical Support
Sent: Tue 11/7/2006 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange --NDR--

Please let me know how I can contact you, Deji

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Monday, November 06, 2006 10:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange --NDR--

4.4.7 is "usually" the other server's problem. If you want, I can privately help you verify this, if you send me the domain/IP of the other server in a private (off-list) message.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Technical Support
Sent: Mon 11/6/2006 8:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange --NDR--

Hi,

I am sending mail to @XYZ.COM and here is the error I am getting. When I do Email ID Verification and MX Record lookup it works fine for xyz.com. Also I am not facing this problem with any other mail ID. I am able to send mails to other clients/vendors. Here is the NDR I am getting.

---
Your message did not reach some or all of the intended recipients.

Subject: Updated: Undelivered
Sent: 11/6/2006 6:58 PM

The following recipient(s) could not be reached:

[EMAIL PROTECTED] on 11/6/2006 9:08 PM
Could not deliver the message in the time limit specified. Please retry or contact your administrator.
MyFrontEnd.Domain.local #4.4.7

[EMAIL PROTECTED] on 11/6/2006 9:08 PM
Could not deliver the message in the time limit specified.
Please retry or contact your administrator.
MyFrontEnd.Domain.local #4.4.7

[EMAIL PROTECTED] on 11/6/2006 9:08 PM
Could not deliver the message in the time limit specified. Please retry or contact your administrator.
MyFrontEnd.Domain.local #4.4.7
---

Please suggest what the possible reason is for the same. Do I need to change something from my end (a new connector) or get something changed at the remote (Client) end?

Thanks!!!
Ravi Dogra
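The verification Deji offers to do off-list comes down to two things: reading the status code correctly (4.4.7 is a transient network/routing status under RFC 3463, so the sending queue gave up retrying rather than the recipient rejecting the message) and opening your own SMTP session to the recipient domain's MX to see how it answers MAIL FROM and RCPT TO. The block below is an added example, not the thread's data or Exchange code: the MX host name, addresses and the greylisting stand-in server are assumptions, and the stand-in exists only so the probe can be exercised offline. Resolve the real MX first (an `nslookup -type=mx xyz.com` as the poster already did) and pass that host in.

```python
"""Added example: reading a DSN status and probing the remote MX directly.
Constructed names and a constructed stand-in server; not Exchange code."""
import smtplib

DSN_CLASS = {2: "success", 4: "transient (sender should retry)", 5: "permanent"}
DSN_SUBJECT = {0: "other/undefined", 1: "addressing", 2: "mailbox",
               3: "mail system", 4: "network and routing",
               5: "mail delivery protocol", 6: "message content or media",
               7: "security or policy"}


def classify_dsn(status: str):
    """Split an RFC 3463 status such as '4.4.7' into (class, subject)."""
    cls, subject, _detail = (int(p) for p in status.split("."))
    return DSN_CLASS[cls], DSN_SUBJECT[subject]


def probe_recipient(mx_host, sender, recipient, connect=None):
    """Open our own SMTP session to the recipient's MX and report what it
    answers at EHLO / MAIL FROM / RCPT TO. connect defaults to a real
    smtplib session; ConstructedMx below can be injected for offline use."""
    connect = connect or (lambda host: smtplib.SMTP(host, 25, timeout=20))
    try:
        conn = connect(mx_host)
    except (OSError, smtplib.SMTPException) as exc:
        # Unreachable or banner failure: the classic 4.4.7 cause.
        return ("connect failed", None, str(exc))
    try:
        code, msg = conn.ehlo("probe.example")
        if code != 250:
            return ("ehlo refused", code, msg)
        code, msg = conn.mail(sender)
        if code != 250:
            return ("mail-from refused", code, msg)
        code, msg = conn.rcpt(recipient)
        if code in (250, 251):
            return ("accepted", code, msg)
        return ("rcpt deferred" if 400 <= code < 500 else "rcpt rejected", code, msg)
    finally:
        try:
            conn.quit()
        except Exception:
            pass


class ConstructedMx:
    """Offline stand-in for smtplib.SMTP that greylists every RCPT, the
    kind of far-end behaviour that ends in a 4.4.7 once the sender's
    retry window expires. Constructed for the example; nothing is contacted."""

    def __init__(self, host):
        self.host = host

    def ehlo(self, name=""):
        return 250, b"%s Hello" % self.host.encode()

    def mail(self, sender):
        return 250, b"2.1.0 Sender OK"

    def rcpt(self, recipient):
        return 450, b"4.7.1 Greylisted, try again later"

    def quit(self):
        return 221, b"Bye"


if __name__ == "__main__":
    print(classify_dsn("4.4.7"))
    print(probe_recipient("mx.xyz.example", "sender@example.net",
                          "user@xyz.example", connect=ConstructedMx))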
RE: [ActiveDir] Exchange --NDR--
4.4.7 is "usually" the other server's problem. If you want, I can privately help you verify this, if you send me the domain/IP of the other server in a private (off-list) message.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Technical Support
Sent: Mon 11/6/2006 8:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange --NDR--

Hi,

I am sending mail to @XYZ.COM and here is the error I am getting. When I do Email ID Verification and MX Record lookup it works fine for xyz.com. Also I am not facing this problem with any other mail ID. I am able to send mails to other clients/vendors. Here is the NDR I am getting.

---
Your message did not reach some or all of the intended recipients.

Subject: Updated: Undelivered
Sent: 11/6/2006 6:58 PM

The following recipient(s) could not be reached:

[EMAIL PROTECTED] on 11/6/2006 9:08 PM
Could not deliver the message in the time limit specified. Please retry or contact your administrator.
MyFrontEnd.Domain.local #4.4.7

[EMAIL PROTECTED] on 11/6/2006 9:08 PM
Could not deliver the message in the time limit specified. Please retry or contact your administrator.
MyFrontEnd.Domain.local #4.4.7

[EMAIL PROTECTED] on 11/6/2006 9:08 PM
Could not deliver the message in the time limit specified. Please retry or contact your administrator.
MyFrontEnd.Domain.local #4.4.7
---

Please suggest what the possible reason is for the same. Do I need to change something from my end (a new connector) or get something changed at the remote (Client) end?

Thanks!!!
Ravi Dogra
RE: [ActiveDir] Active Directory Health Check tool - where can it run from?
The tool actually lists out the specific requirements for running it. You just need to read the "default.htm" that is part of the generated report.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Paul Williams
Sent: Wed 11/1/2006 12:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory Health Check tool - where can it run from?

I assume you are referring to the ADST tool that you get if you're a premier customer and MSFT come and do an AD Healthcheck. As far as I know, this can be run from anywhere (in the domain), as it's really just a bunch of VBS scripts that do ADSI and WMI queries against the DCs. The cool thing is these scripts are wrapped behind a decent GUI.

--Paul

----- Original Message -----
From: Washington, Booker
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 31, 2006 10:26 PM
Subject: RE: [ActiveDir] Active Directory Health Check tool - where can it run from?

It is the Active Directory Health Check Snapshot Tool. What exactly is ADRAP? I got a copy from our Forest Admins because I am a child domain of the forest. The reason that I ask is because I seem to get buggy results when I go from an XP workstation, or a member server, and I wondered if I needed to run it from the DC itself. Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, October 31, 2006 5:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Active Directory Health Check tool - where can it run from?

Which tool is this? The AD Snapshot tool that you get from an ADRAP can run from any server.
--brian

From: [EMAIL PROTECTED] on behalf of Washington, Booker
Sent: Tue 10/31/2006 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: Active Directory Health Check tool - where can it run from?

Does that tool need to be run from a Domain Controller, or can it be run from any member server in the Domain, or a workstation? Just curious. Thanks
RE: [ActiveDir] list lastlogontime for every user script
Tool. Penetration. Tony took a vacation and this is what this list is turning into. Time to go wash my brains.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: joe
Sent: Fri 10/27/2006 9:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

First off... let's go with using the word utility versus tool ;o)

Second off, yeah they are pretty popular. I got a lot of pings from various MSFT and other consultant type friends who seem to run into my utilities in the wild pretty regularly. This penetration is greater in the primarily English speaking world (North America, UK, Western Europe, Australia, and militaries of those areas globally) as the utilities are really better targeted at English environments. UNICODE and other special characters (anything with umlauts, etc) are kind of a pain to deal with from the command line. Anyone who has used adfind to output something that has characters like éèà has noticed that on the command line, that ends up looking something like

dn:CN=TestGroupΘΦα,OU=TestOU,DC=joe,DC=com

but if that same output is redirected to a text file via standard redirection it looks like

dn:CN=TestGroupéèà,OU=TestOU,DC=joe,DC=com

and I can assure you adfind is doing nothing different, which is the problem. I have worked through some of that with some new routines and that is the V2 versions of AdFind/AdMod I occasionally mention, as it will take very radical changes to use the new strings. I have done it with some other code I have written but nothing I have released yet as I am still tinkering with it. Basically I have to try and work out where you are sending the output in order to determine how to output it.
I have no clue what would happen if you tried to use adfind in an environment with true multibyte characters like say a Chinese edition. I expect it would blow up magnifiscently. I am curious if even dsquery would work in that environment. Doing this in the GUI is immensely easier which sounds odd, most people would tend to think that console apps are easier to write than GUI. I find it just the opposite, GUI is easier for most everything especially character encoding and threaded output but I find the GUI less useful than the console. And with Server Core coming...The joeware stuffwill become even more popular as my utilities are very nice console utilities AND they are all FAT-free, err I mean NET-free. ;o) Twice the power, triple the taste, tenth of the calories and actually work on Server Core... -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al MulnickSent: Friday, October 27, 2006 10:19 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] list lastlogontime for every user script I believe at last count it was way more than half the world was using joe's tool. Likely because it's fast, free, easy to use and the best around. (-; Well, half the world I tend to live in anyway. On 10/27/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: I used Joe's tool (no sexual connotation here) because it was easy and fastnever mind half of the world does it! ;-) ROTFMAOMet vriendelijke groeten / Kind regards,Ing. Jorge de Almeida PintoSenior Infrastructure ConsultantMVP Windows Server - Directory ServicesLogicaCMG Nederland B.V. 
(BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777( Mobile : +31-(0)6-26.26.62.80* E-mail : see sender addressFrom: [EMAIL PROTECTED] on behalf of Ramon LinanSent: Fri 2006-10-27 20:51To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user script Thanks Matt for the script that you sent and thanks Joe for your tool.I used Joe's tool (no sexual connotation here) because it was easy and fast.I have just one question, I am getting some users with lastlogontimespamp /00/00-00:00:00 most of them (or all of them) are system users, like the systemmailbox. I bet this is because they never login into the system. This is the command that I used oldcmp -report -age 90 -users -lltsis there a way of excluding disabled users from the results?ThanksFrom: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joeSent: Friday, October 27, 2006 12:40 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] list lastlogontime for every user scriptIt isn't, it is randomly calculated every time logonTime is updated.--O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htmFrom: mailto:[EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]Sent: Thursday, October 26, 2006 9:49 PMTo:
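The console-versus-file difference joe shows above, as an added example that is neither adfind's code nor from the post: it assumes the cause is a code-page mismatch (the program writes Windows-1252 bytes, the console window renders them with OEM code page 437, while a text file is read back as Windows-1252), reproduces the exact ΘΦα rendering from éèà, and shows how to repair text copied out of such a console. The sample DN is constructed.

```python
"""Reproduce and undo the adfind console mojibake joe shows.

Added example, not adfind's code. It assumes the cause is a code-page
mismatch: the program emits the ANSI code page bytes of a Western Windows
box (Windows-1252), the console window renders them with OEM code page 437,
so 0xE9 0xE8 0xE0 ("éèà") show up as the cp437 glyphs at those positions
("ΘΦα"). Redirected to a file and opened in an editor that assumes
Windows-1252, the same bytes read correctly. The DN below is constructed.
"""

ANSI_CP = "cp1252"   # how the producer wrote the bytes (assumption)
OEM_CP = "cp437"     # how a US/Western console window decoded them (assumption)


def as_console_shows(text: str) -> str:
    """Render text the way a cp437 console shows cp1252 bytes."""
    return text.encode(ANSI_CP).decode(OEM_CP)


def repair_console_capture(shown: str) -> str:
    """Reverse the mismatch for text copied out of such a console window.

    Only works for characters that exist in the single-byte ANSI page; a true
    DBCS environment (joe's Chinese-edition question) is a different problem.
    """
    return shown.encode(OEM_CP).decode(ANSI_CP)


def roundtrips(dn: str) -> bool:
    """True when the repair recovers the original DN exactly."""
    return repair_console_capture(as_console_shows(dn)) == dn


SAMPLE_DN = "dn:CN=TestGroupéèà,OU=TestOU,DC=joe,DC=com"  # constructed

if __name__ == "__main__":
    print(as_console_shows(SAMPLE_DN))   # the console rendering joe pasted
    print(roundtrips(SAMPLE_DN))
```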
RE: [ActiveDir] List Groups I'm In?
whoami -group

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Michael B Allen
Sent: Wed 10/25/2006 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] List Groups I'm In?

What is the easiest way for a user (say on a stock XP client) to list what groups they're in? Specifically I'd like the user to be able to just type a command like 'net user list groups' or some such and get a list of NT Account names for tokenGroups. Or if there is a dialog somewhere that's good too.

Ideas?

Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] List Groups I'm In?
You never mentioned anything about a "product". Anywhooo, see http://www.rlmueller.net/primary_group.htm, then go see what Richard did in http://www.rlmueller.net/Programs/EnumUserGroups.txt

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Michael B Allen
Sent: Wed 10/25/2006 11:42 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] List Groups I'm In?

On Wed, 25 Oct 2006 10:06:53 -0700 "Free, Bob" [EMAIL PROTECTED] wrote:

> whoami /groups
>
> C:\Admin\Util>where whoami
> C:\Program Files\Support Tools\whoami.exe
>
> Not exactly "stock" but then again I consider Support Tools as an essential part of an installation :-)

Well I can't ship that with my product. I scraped up this VBS script that does the trick.

    if WScript.Arguments.Count = 0 then
        WScript.Echo "Usage: [cscript|wscript] ListGroups.vbs nETBIOSName/sAMAccountName"
        WScript.Quit 1
    end if

    ' Bind to the user through the WinNT provider; the argument is DOMAIN\user,
    ' and the backslash becomes the provider's path separator
    Set UserObj = GetObject("WinNT://" & Replace(WScript.Arguments.Item(0), "\", "/"))

    ' Collect the name of every group the user is a direct member of
    For Each GroupObj In UserObj.Groups
        List = List & GroupObj.Name & vbCrLf
    Next

    WScript.Echo List

Thanks,
Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B Allen
Sent: Wednesday, October 25, 2006 9:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] List Groups I'm In?

What is the easiest way for a user (say on a stock XP client) to list what groups they're in? Specifically I'd like the user to be able to just type a command like 'net user list groups' or some such and get a list of NT Account names for tokenGroups. Or if there is a dialog somewhere that's good too.

Ideas?

Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
RE: [ActiveDir] OT: Jabber and AD authentication
support.Jabber.com

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Brian Desmond
Sent: Thu 9/28/2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Jabber and AD authentication

Assuming it can authenticate against an LDAP source it should work fine - never done Jabber but they're all about the same when it comes to this...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Michael Miller
Sent: Thursday, September 28, 2006 4:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Jabber and AD authentication

The powers that be at my site want to implement IM using Jabber and would like to leverage our AD for authentication. We are just starting to think about this. It's not yet decided if the Jabber server will be running on Linux or Windows. I would imagine several people in this august body would have experience with this. I would be interested in your comments before we actually start trying to implement something.

TIA,
-mjm

--
Michael J. Miller
Computing Services
College of Veterinary Medicine
University of Illinois at Urbana-Champaign
RE: [ActiveDir] DNS entry won't delete
Sorry for jumping into this in the middle. I've been partially following the thread. To the OP, have you tried:

- Convert the zone from AD-intg to Primary on one DC
- Updating the server data file on that server (done by r-clicking the zone and clicking "update")
- Delete the zone from the other DC.

After that, check system32\dns on the DC where you did the conversion and open up the corresponding in-addr.arpa file in notepad, delete the offending records and save the file. After that, go back to DNS console and reload the zone file. If everything looks OK, wait a while to see if the offending entries re-appear. If they don't, then convert the zone back to AD-intg and let it replicate to the other DC.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Andrew Cace
Sent: Wed 9/27/2006 7:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS entry won't delete

Hi Bruce,

Can you find the object using ADSIEDIT? There are three places you should check for the DNS zone. You've already checked DomainDNSZones, so that leaves the domain partition and the ForestDNSZones partition. The domain partition should be in adsiedit by default, but you will need to add ForestDNSZones. Once you have adsiedit opened, right-click "ADSI Edit" in the left column, then choose "Connect to". Choose "Select or type a Distinguished Name or Naming Context" and enter the dn of your forestdnszones partition in the text box. It should look something like dc=forestdnszones,dc=yourforestroot,dc=com. Change the value of the Name field to ForestDNSZones. Click OK. You should now have the ForestDNSZones partition in the left column.

Expand the left column as follows (I'm using 192.168.1.0 as the network in this example):

(ForestDNSZones)
  ForestDNSZones
    DC=ForestDNSZones,DC=yourforestroot,DC=com
      CN=MicrosoftDNS
        DC=1.168.192.in-addr.arpa.

- OR -

(Domain)
  Domain
    DC=yourdomain,DC=com
      CN=System
        CN=MicrosoftDNS
          DC=1.168.192.in-addr.arpa

Find the duplicate record. Right-click it and choose Properties. Find the distinguishedName attribute and copy/paste the value into a notepad window.

In your response to William King, you indicated that the record reappears immediately when you delete it. Delete the entire record in adsiedit. This should remove the good AND the bad records. Refresh the reverse lookup zone and see if it's truly gone. Get on the machine that currently has the IP address and force registration using "ipconfig /registerdns". Verify, in adsiedit and DNS management, that the record is correct. If everything is correct, keep an eye on it for a few hours and make sure that the bad data doesn't return.

If the bad data does return, you can then plug the record's dn into the "repadmin /showobjmeta" command to find out when the dnsRecord attribute was last modified. Then you can look at the security log on the domain controller to find out who modified that object at that time. It's possible that you're not auditing these objects. If that's the case, then see http://support.microsoft.com/?id=814595 for details on how to enable auditing.

Let us know if this works out for you.

-Andrew

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clingaman, Bruce
Sent: Wednesday, September 27, 2006 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS entry won't delete

The address field is not editable. If I change the host name, the original entry reappears, then I have two bad entries.

Bruce Clingaman
Information Technology Department
Pensacola Christian College
850.478.8496 ext. 2198
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Wednesday, September 27, 2006 12:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS entry won't delete

Any chance you can edit the setting so that it points to something not in your network? (ex. you have a 10.x.x.x network, so you reset it to be a 192.168.x.x IP)

On 9/26/06, Clingaman, Bruce [EMAIL PROTECTED] wrote:

My two DCs are Windows 2003 servers, DNS integrated, Primary. The resilient entries are from Mac OS X clients and one OS X server. The domain name of the entries are from a domain that was renamed.

Bruce Clingaman
Information Technology Department
Pensacola Christian College
850.478.8496 ext. 2198
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, September 26, 2006 3:18 PM
To: ActiveDir@mail.activedir.org mailto:ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS entry won't delete

Bruce, try the command that Andrew posted and see what
RE: [ActiveDir] Question about computer role
http://www.rlmueller.net/ComputerRole.htm

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Scott Klassen
Sent: Wed 9/27/2006 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question about computer role

Only peripherally related to AD, but with the technical expertise of many here, I figure someone may have the answer. I'll try to make this as "Readers-Digest" as possible.

I recently had to re-install SAV on a particular server. One of the optional components wasn't showing up. After poring through the install log, googling, and poking into the MSI with ORCA, I figured out why this was happening. In the Condition table of the installer, one of the validation checks for what can and cannot be installed is based upon the computer's "Role" returned by MsiNTProductType. This is a member server now, but was previously a DC (Yeah I know, should have been rebuilt, but it happened before I worked here and we have a LOB app on this machine which is vendor installed and supported for big $$$. Lots of custom permissions, files, and reg entries to make this app function that we have no documentation of. A reinstall would not only stop our business until completed, but would cost us $10K+ in vendor fees). I've edited the validation string in the MSI to take out that check and was then able to install the option I wanted. Of course, the next version/update will have that string back in again and I don't care to have to custom edit the MSIs in future for this one machine.

I'm looking for two things:

1) Some way of querying against MsiNTProductType on the machine so that I can see the results. I'm guessing that it is returning 500-2 (W2K DC), but would like to verify. Been googling around, but haven't had any luck so far.

2) If the problem is that the machine thinks that it is still a DC, a (hopefully) non-disruptive method of changing this information on the machine to return 500-3 (w2k server). AD believes this machine is a member server and there are no remnants in AD of this box once being a DC, so it is definitely a setting on the local machine. I've had one suggestion to try disjoining and rejoining this machine from the domain to possibly fix this, but would prefer another method if possible due to the vendor app issue listed above.

Scott Klassen
RE: [ActiveDir] I'm Baaaaaaack!
Yikes! Is it Halloween yet?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Rick Kingslan
Sent: Thu 9/21/2006 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] I'm Baaack!

Be afraid. Be very afraid! :-)

Rick

Be seen and heard with Windows Live Messenger and Microsoft LifeCams http://clk.atdmt.com/MSN/go/msnnkwme002001msn/direct/01/?href=""
RE: [ActiveDir] I'm Baaaaaaack!
Not according to my birth certificate. See anything "random" here: Dèjì Akómöláfé? Me neither ;-p

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: joe
Sent: Thu 9/21/2006 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I'm Baaack!

Random is Deji's middle name. :)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, September 21, 2006 3:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I'm Baaack!

:) all this is very random

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 21, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I'm Baaack!

Yikes! Is it Halloween yet?

From: Rick Kingslan
Sent: Thu 9/21/2006 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] I'm Baaack!

Be afraid. Be very afraid! :-)

Rick
RE: [ActiveDir] different version of R2 available?
I think there is just one version of the R2 CD. The main CD (CD1) has Standard, Enterprise and Datacenter flavors, but the contents of CD2 look the same to me.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Thommes, Michael M.
Sent: Wed 9/20/2006 3:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] different version of R2 available?

My officemate and I were discussing whether there are different versions of the R2 CD depending on whether you're running Server 2003 Standard or Server 2003 Enterprise. Or is there only one version of R2? TIA!

Mike Thommes
RE: [ActiveDir] DNS zones expiring
Yes, I would. From parent to the child DNS server. Then create a Primary or AD-int child zone on the child DNS server. It's a KISS factor.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: HBooGz
Sent: Fri 9/15/2006 6:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS zones expiring

Thanks Al. I will monitor the link and check to see if any latency or packet loss occurs and if so, if it coincides with the zone expiring. What about the second part of the question? Would you recommend DNS delegation?

On 9/15/06, Al Mulnick [EMAIL PROTECTED] wrote:

From what I've seen, the timeout can also be attributed to the transfer failing for whatever reason. If, during the transfer, the entire zone is not copied, then you hit an error. This sounds like some network issues or you're behind in your patching. Have you verified that there are no network issues going on? Maybe a saturated network link? Dropped packets? High latency between the servers? I've seen similar issues with DNS servers. In my case they were network related, but it's odd that they drop and don't come back. Might be a good time to verify that your patches are up to date on those machines.

On 9/15/06, HBooGz mailto:[EMAIL PROTECTED] wrote:

Thanks for the feedback. I can definitely telnet to both servers interchangeably and netstat works as it should. I have the "allow all servers listed under nameservers" selected for zone transfers -- I might just change that to specific IP addresses. When I reload, that works fine - the problem is the zone expires on its own without any pattern and I have to manually reload. Needless to say, not very efficient. I'm open to other ways to architect the DNS structure for a single parent with single child. What are the "recommended" steps for this type of DNS setup? Domain delegation? All AD-integrated?

On 9/14/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:

Here's what I'd do:

Ensure that there is no NATting going on between the 2 DNS servers. Verify this by doing something like "telnet PrimaryDNSServer 53" from the secondary server and then going to the Primary server and doing "netstat | find ":53"" and making sure that you could see the real IP address of the secondary server on the list.

If that checks out, then I'd: Go to the DNS console on the Primary server and verify that the secondary server is on the list of servers allowed to transfer that particular zone.

If that checks out, then I'd: Attempt a manual transfer at the secondary server by going to the DNS console on the secondary server, right-clicking on the zone and selecting "Reload from master" first. If that fails, then I'd try "Transfer from master". If that fails, then I'd pray very hard, then enable DNS logging, then pray some more and open up the log file after a while. Then I'd post back here with whatever is interesting.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: HBooGz
Sent: Thu 9/14/2006 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS zones expiring

No worries, I don't take offense easily... =)

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 6527
Date: 9/14/2006
Time: 10:08:04 AM
User: N/A
Computer: PHMAINDC1
Description:
Zone jacwf.phippsny.org expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

On 9/14/06, Akomolafe, Deji mailto:[EMAIL PROTECTED] wrote:

I guess if you have "Widows", then someone must have "expired" :)[1]

What is the exact error message?

[1] Please don't take offense. I'm just in a laughing mood :)

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: HBooGz
Sent: Thu 9/14/2006 8:12 AM
To: mailto:ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS zones expiring

Hey All -

I've setup the child domain DNS zones as primary (not AD-Integrated). On the parent Domain Controllers/DNS servers I've added that zone as a secondary zone. I've noticed this DNS setup has worked better for me in the past than a full AD-Integrated setup. After migrating over to Widows 2003, every
RE: [ActiveDir] Strange password issue
Paul, did you try this?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Paul Williams
Sent: Fri 9/15/2006 12:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

Not really, as it's now 512 and can't get to that state without a password meeting complexity.

--Paul

----- Original Message -----
From: Akomolafe, Deji
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 4:52 AM
Subject: RE: [ActiveDir] Strange password issue

I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account.

It's a feasible scenario, no?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: joe
Sent: Thu 9/14/2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if you have an account that is created which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password. If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy.

The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"

A blank password does not have a hash, the system knows it is blank.

You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd. So current or past setting of UAC has no bearing on this problem. This could occur in four ways that I can think of (in order of likelihood) and speak about

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared
2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain
3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection.
4. The raw DIT was modified.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

PWD_NOT_REQ is 32.

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to c
RE: [ActiveDir] Strange password issue
OK. The account under discussion is "512". Had to refresh my brains because I just took your 1-4 bullet points and said, uh-uh, there is a way to have an enabled password-less account. Granted it won't be "512" and will be useless, it is still enabled. Sorry, Paul.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: joe
Sent: Fri 9/15/2006 7:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The account is currently 512... You can't get there with a blank password without 1-4.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] RPC Over HTTPS Problem....
In addition to what Robert is saying, take a look at http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3RPCHTTPDep/0849cb53-f1f9-419b-bb74-82bc010e247f.mspx?mfr=true

There are many things that can be responsible for this failure, and you need to selectively eliminate each.

Sincerely,
Deji Akomolafe

From: Robert Rutherford
Sent: Fri 9/15/2006 5:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] RPC Over HTTPS Problem

Hi Ravi,

The certificate does need to match the name of the site... i.e. mail.comp.com. If it doesn't then it won't work. There are numerous reasons why it fails but that is the first.

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ravi Dogra
Sent: 16 September 2006 01:36
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] RPC Over HTTPS Problem

Hi Bob,

Can you please explain how it should be, because I think I have something wrong here related to the certificate.

Thanks
Ravi Dogra

On 9/16/06, Robert Rutherford [EMAIL PROTECTED] wrote:

The usual issue with that is that the URL you are connecting to matches the name on the cert. This must match on internal and external, i.e. you must use split brain or you must configure your firewall to accept that connection on the WAN interface.

Rob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ravi Dogra
Sent: 16 September 2006 00:00
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RPC Over HTTPS Problem

Hi,

I am facing a weird problem. Here is some required information.

Frontend - Backend structure. Exchange with SP2 on Win2k3 SP1 on all servers. FE1 and BE1 are on a different site, BE2 is on my site. Configured RPC over HTTPS on the frontend server. OWA (SSL) is working fine.

Now here is the situation: I have configured my client for RPC over HTTPS. When the client machine tries to establish a connection with my Exchange server it prompts me for user name and password. When I provide my credentials it does not accept them and keeps prompting me for the same. Also, while doing this, when I use Ctrl + right-click on the Outlook icon on the right side of the taskbar and then select connection, it never shows me established. It remains on Connecting and tries to connect to my BE2 server where my mailbox resides.

What could be the possible reason for this? If any other information is required please let me know.

--
Ravi Dogra

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Specifying builtin accounts in GPO settings.
Glad I could help ;)

Sincerely,
Deji Akomolafe

From: Matt Hargraves
Sent: Thu 9/14/2006 8:00 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

I think we discovered the problem... things were just locked down a *tad* too much.

On 9/13/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:

Look at your default recipient policy. What's set there? Just curious.

Sincerely,
Deji Akomolafe

From: Matt Hargraves
Sent: Wed 9/13/2006 8:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers; the rest (that also aren't working) are having accessibility issues to OWA (though they can still access their mailbox through Outlook).

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:

On W2000 running OWA on a DC this was an issue, only case I know of. What are the issues you're having?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 10:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

We're having some issues with Exchange OWA and MS said something about IWAM when we called them.

We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid.

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:

No it wouldn't. Why are you giving an IWAM account access to a remote machine?

Thanks,
Brian Desmond

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the "Log on locally" right for an OU if I can do it with a more simple command. I'll try just about anything :)

Thanks,
Matt

On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote:

And if you think about it they couldn't: if you have two DCs running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be different.

Thanks,
Brian Desmond

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 12, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.

Matt-

I don't think these accounts have well-known SIDs, so I'm not sure that's going to help. You can easily verify using psgetsid from Sysinternals. I checked a couple accounts here (though they were domain accounts) and they were not well-known SIDs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out http://www.gpoguy.com/ -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.

I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc.

I believe that this account has a common SID. If I simply do a browse for the account on one machine, will it resolve to the SID and apply the setting for all accounts, or is there another way to do this (like specifying "Builtin\Administrator" would work for the builtin Administrator account) no matter what the name happens to be on a local machine?
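Darren's and Brian's point above (IWAM_/IUSR_ accounts each carry their own SID, while the builtin Administrator and BUILTIN groups are well known on every machine), as an added example that is not code from the thread or from Sysinternals: a small Python SID parser that separates BUILTIN aliases and reserved RIDs (below 1000) from machine- or domain-specific RIDs (1000 and up), so a (name, SID) listing such as psgetsid produces can be checked for principals that would need one entry per server. All SIDs and account names in it are constructed.

```python
"""Classify Windows SIDs by whether one GPO entry can cover them on every machine.

From the thread: IWAM_<server> / IUSR_<server> each have their own SID, so a
right granted to "IWAM_Server1" means nothing on Server2, while the builtin
Administrator (RID 500) and BUILTIN groups (S-1-5-32-<alias>) are well known
and resolve on every machine.  Rule assumed here (Microsoft's documented RID
allocation): RIDs below 1000 are reserved for well-known principals, RIDs from
1000 upward are handed out to created accounts and groups.
Added example; all SIDs and account names below are constructed.
"""
import re

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

# Well-known RIDs under S-1-5-21-<domain or machine>-<RID>.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users"}
# Well-known aliases under S-1-5-32-<alias>.
BUILTIN_ALIASES = {544: "BUILTIN\\Administrators", 545: "BUILTIN\\Users",
                   551: "BUILTIN\\Backup Operators"}


def parse_sid(sid: str):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [sub-authorities])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    return int(m.group(1)), [int(x) for x in m.group(2).split("-") if x]


def classify(sid: str) -> dict:
    """Return kind, well-known name (if any) and whether one entry covers all machines."""
    authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        # S-1-5-32-<alias>: BUILTIN group, identical on every Windows machine.
        return {"kind": "builtin-alias", "name": BUILTIN_ALIASES.get(subs[1]), "portable": True}
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        # S-1-5-21-<three machine/domain sub-authorities>-<RID>
        rid = subs[4]
        if rid < 1000:
            return {"kind": "well-known-rid", "name": WELL_KNOWN_RIDS.get(rid), "portable": True}
        return {"kind": "specific-rid", "name": None, "portable": False}
    return {"kind": "other", "name": None, "portable": False}


def per_machine_entries(principals: dict) -> list:
    """Names from a {name: sid} map that would need a separate entry on each server."""
    return sorted(name for name, sid in principals.items() if not classify(sid)["portable"])


# Constructed (name, SID) pairs of the kind psgetsid would report on three servers.
SAMPLE_PRINCIPALS = {
    "BUILTIN\\Administrators": "S-1-5-32-544",
    "SERVER1\\Administrator": "S-1-5-21-111-222-333-500",
    "SERVER1\\IWAM_SERVER1": "S-1-5-21-111-222-333-1004",
    "SERVER2\\IWAM_SERVER2": "S-1-5-21-444-555-666-1004",
    "SERVER3\\IUSR_SERVER3": "S-1-5-21-777-888-999-1003",
}

if __name__ == "__main__":
    for name, sid in SAMPLE_PRINCIPALS.items():
        print(f"{name:28} {sid:32} {classify(sid)}")
    print("need one entry per server:", per_machine_entries(SAMPLE_PRINCIPALS))
```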
RE: [ActiveDir] DNS zones expiring
I guess if you have "Widows", then someone must have "expired" :) [1]

What is the exact error message?

[1] Please don't take offense. I'm just in a laughing mood :)

Sincerely,
Deji Akomolafe

From: HBooGz
Sent: Thu 9/14/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS zones expiring

Hey All -

I've set up the child domain DNS zones as primary (not AD-integrated). On the parent domain controllers/DNS servers I've added that zone as a secondary zone. I've noticed this DNS setup has worked better for me in the past than a full AD-integrated setup.

After migrating over to Widows 2003, every day I get an event log message on the parent DNS server log indicating that the child domain's zone has expired and I have to manually reload.

Any ideas? Help? Suggestions?

Thanks,
--
HBooGz:\
RE: [ActiveDir] DNS zones expiring
Here's what I'd do:

Ensure that there is no NATting going on between the 2 DNS servers. Verify this by doing something like "telnet PrimaryDNSServer 53" from the secondary server and then going to the primary server and doing "netstat | find ":53"" and making sure that you can see the real IP address of the secondary server on the list.

If that checks out, then I'd: go to the DNS console on the primary server and verify that the secondary server is on the list of servers allowed to transfer that particular zone.

If that checks out, then I'd: attempt a manual transfer at the secondary server by going to the DNS console on the secondary server, right-clicking on the zone and selecting "Reload from master" first. If that fails, then I'd try "Transfer from master".

If that fails, then I'd pray very hard, then enable DNS logging, then pray some more and open up the log file after a while. Then I'd post back here with whatever is interesting.

Sincerely,
Deji Akomolafe

From: HBooGz
Sent: Thu 9/14/2006 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS zones expiring

No worries, I don't take offense easily... =)

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 6527
Date: 9/14/2006
Time: 10:08:04 AM
User: N/A
Computer: PHMAINDC1
Description:
Zone jacwf.phippsny.org expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

On 9/14/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:

I guess if you have "Widows", then someone must have "expired" :) [1]

What is the exact error message?

[1] Please don't take offense. I'm just in a laughing mood :)

Sincerely,
Deji Akomolafe

From: HBooGz
Sent: Thu 9/14/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS zones expiring

Hey All -

I've set up the child domain DNS zones as primary (not AD-integrated). On the parent domain controllers/DNS servers I've added that zone as a secondary zone. I've noticed this DNS setup has worked better for me in the past than a full AD-integrated setup.

After migrating over to Widows 2003, every day I get an event log message on the parent DNS server log indicating that the child domain's zone has expired and I have to manually reload.

Any ideas? Help? Suggestions?

Thanks,
--
HBooGz:\
RE: [ActiveDir] OT: Protecting against Spyware/Adware
Yes. You run Mac. LOL

Sincerely,
Deji Akomolafe

From: joe
Sent: Thu 9/14/2006 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

I run as local admin and have zero issues with spyware? Coincidence? ;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Crawford, Scott
Sent: Thursday, September 14, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

Nobody runs as a local administrator. We have zero issues with spyware. Coincidence?

From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software, and while it does work, it causes headaches when installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]
RE: [ActiveDir] Strange password issue
I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account. It's a feasible scenario, no?

Sincerely,
Deji Akomolafe

From: joe
Sent: Thu 9/14/2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set. So if you have an account that is created which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password.

If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"

A blank password does not have a hash, the system knows it is blank. You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd. So current or past setting of UAC has no bearing on this problem. This could occur in four ways that I can think of (in order of likelihood) and speak about:

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared
2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain
3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection.
4. The raw DIT was modified.

joe
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

PWD_NOT_REQ is 32.

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain.

I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:

This is a domain account. To rehash: the Default Domain Policy is set to min password length 6 characters. This was created 2 years ago and never changed. User account is a domain account created a month ago. It was brought to my attention that the user can log in with no
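The 512 / 544 / 546 arithmetic and the refusal joe describes (in his message quoted above and in the earlier copy of this thread), as an added example that is not code from the thread, from AdMod or from Microsoft: a Python script that decodes userAccountControl, audits a csvde-style export for enabled accounts carrying PASSWD_NOTREQD, and models the DC rule that refuses any change leaving an enabled, password-required account with a blank password. The export rows, names and the check function are constructed for illustration.

```python
"""Decode userAccountControl and audit for enabled accounts that may have no
password, following the 512 / 544 / 546 discussion in the thread.

512 = NORMAL_ACCOUNT, 544 = NORMAL_ACCOUNT | PASSWD_NOTREQD (32),
546 = NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE (2).

check_uac_change() models the rule joe describes: the DC refuses a change
whose *result* is an enabled account that requires a password but has a blank
one, returning ERROR_PASSWORD_RESTRICTION (0x52d / 1325).  Added example; the
CSV rows are constructed and the functions are not AdMod or Microsoft code.
"""
import csv
import io

# Documented userAccountControl bits used in the thread.
ACCOUNTDISABLE = 0x0002   # 2
PASSWD_NOTREQD = 0x0020   # 32
NORMAL_ACCOUNT = 0x0200   # 512

ERROR_PASSWORD_RESTRICTION = 0x52D  # decimal 1325, as shown by "err 52d"

UAC_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
}


def decode_uac(value: int) -> list:
    """Names of the known bits set in a userAccountControl value."""
    return [name for bit, name in UAC_NAMES.items() if value & bit]


def is_enabled(uac: int) -> bool:
    return not uac & ACCOUNTDISABLE


def password_optional(uac: int) -> bool:
    return bool(uac & PASSWD_NOTREQD)


def check_uac_change(new_uac: int, password_blank: bool, min_pwd_length: int) -> int:
    """Model of the DC rule: 0 on success, ERROR_PASSWORD_RESTRICTION on refusal.

    Only the resulting state matters: enabled, password required, blank
    password, while a minimum length policy is in force.  The previous UAC
    value is irrelevant, which is why 546 -> 544 -> 512 gets stuck at the
    last step while 546 -> 544 succeeds.
    """
    if (min_pwd_length > 0 and password_blank
            and is_enabled(new_uac) and not password_optional(new_uac)):
        return ERROR_PASSWORD_RESTRICTION
    return 0


def audit_export(csv_text: str) -> list:
    """Rows of a csvde-style export whose account is enabled with PASSWD_NOTREQD set.

    Such accounts (the 544 case) are allowed by the DC to carry a blank
    password, so they are the ones to reconcile against the password policy.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        uac = int(row["userAccountControl"])
        if is_enabled(uac) and password_optional(uac):
            findings.append({
                "dn": row["DN"],
                "sAMAccountName": row["sAMAccountName"],
                "userAccountControl": uac,
                "flags": decode_uac(uac),
            })
    return findings


# Constructed sample export (not real directory data).
SAMPLE_EXPORT = """DN,sAMAccountName,userAccountControl
"CN=alice,OU=Users,DC=example,DC=test",alice,512
"CN=svc-sync,OU=Users,DC=example,DC=test",svc-sync,544
"CN=template,OU=Users,DC=example,DC=test",template,546
"""

if __name__ == "__main__":
    for f in audit_export(SAMPLE_EXPORT):
        print(f"{f['sAMAccountName']}: UAC {f['userAccountControl']} = {'|'.join(f['flags'])}")
    # Walk the 546 -> 544 -> 512 path with a blank password and a 6-char policy.
    for step, uac in (("create 546", 546), ("set 544", 544), ("set 512", 512)):
        rc = check_uac_change(uac, password_blank=True, min_pwd_length=6)
        print(f"{step}: {'ok' if rc == 0 else f'refused 0x{rc:x}'}")
```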
RE: [ActiveDir] List archive
yes

Sincerely,
Deji Akomolafe

From: David Adner
Sent: Thu 9/14/2006 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] List archive

Anyone else getting timeouts trying to get to the list archive URL? http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] OT: Management Solutions
> At what point you're better off going with something like Shavlik or Patchlink?

For a 1700 users environment, WSUS will do.

> What do they give you that WSUS doesn't?

They do give you some bells and whistles, but you will have to download a trial version of each, install them and compare. Then you ask, do you NEED all the other things the other products give you, and is it worth the money you have to pay for those other things? Or, do you like free, even if you have to do some work?

> But we're not sure how to architect the whole thing (how many servers, layers, and where; what's the cutoff point: bandwidth, # of users?).

It's difficult to sit here and answer this query for you. It depends on your environment, structure, policies, etc.

> So we're not sure how we can do this, with so many patches MS puts out every Tuesday

You mean every second Tuesday of every month? That too much for you?

> without going insane!

Since you are in healthcare, this should not be an issue, right? I mean, going insane is par for the course for any sys admin, but you are surrounded by healthcare professionals, so you are in good hands :)

> Anybody out there had to deal with similar issues?

Yes. Believe it or not, you are not alone. Nobody is out to get you. We all have to go through similar things.

Sincerely,
Deji Akomolafe

From: Alex Alborzfard
Sent: Wed 9/13/2006 6:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

What is the largest environment WSUS can be deployed in effectively? At what point are you better off going with something like Shavlik or Patchlink? What do they give you that WSUS doesn't?

We're trying to put in place a patch management solution for a company that's midsize (~1700 users), but with offices scattered all over the world. But we're not sure how to architect the whole thing (how many servers, layers, and where; what's the cutoff point: bandwidth, # of users?). The other issue is the industry we're in: healthcare. We're constantly audited and for every single task we have to test, write validation and justification. So we're not sure how we can do this, with so many patches MS puts out every Tuesday, without going insane! And this is just for desktops; servers are a whole different ball of wax.

Anybody out there had to deal with similar issues?

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Monday, September 11, 2006 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I use WSUS for patching in some decent size places. My strategy has been to combine a variety of free products into a single system. I've gotten good at it and I've also written glue when I need to. My overall feeling is that I get more flexibility just gluing things together than with a single baked product.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Rutherford
Sent: Monday, September 11, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I agree with Brian that Ghost does tend to be the front runner for imaging (IMHO). I've tested and used many but Ghost is a mature project which does what it says on the tin. You'll be surprised how forgiving it is and how much you can do with varying software and hardware with a little work.

In terms of helpdesk, well, it's a minefield and a road I have travelled many times. I have actually found that most of the time it's actually easier to get a dev guy to come in and build a system which actually meets your requirements. I have found this to be cheaper (most of the time) in the larger organisations as every organisation has different SLAs, contracts, processes, methods, etc. I just recommend going onto sourceforge.net and typing helpdesk initially. This should get you going and you may find something that suits your needs or something you can amend to fit. Yes, you can go for the bigger boys, i.e. Hornbill, but you'll pay for it. Have a sniff around and see what fits your requirements.

In terms of patch deployment I do like Patchlink. It will give you patch deployment across most applications with good reporting. You also get software and hardware inventory included in the price.

Cheers,
Rob

Robert Rutherford
QuoStar Solutions Limited

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: 11 September 2006 20:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Management Solutions

I have a lot of experience using Ghost for all of that but
RE: [ActiveDir] Isolating a DC
> I worry that if I isolate it with IPSEC, what tells Exchange don't ever try that DC again

You should read http://support.microsoft.com/kb/250570/ then

Sincerely,
Deji Akomolafe

From: Lucas, Bryan
Sent: Wed 9/13/2006 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Isolating a DC

I should probably expand on my reasoning. We have 5 DCs now with 2 of them in a separate physical location (same campus) so we do have plenty of redundancy and performance.

My issue is I have an account provisioning system that synchronizes various directories including AD. It generates a *ton* of entries in the Security Log. I also have some other apps/appliances that generate some logs as well. Our policy is to collect and archive all DC security logs. If I just don't collect the logs from that DC but I don't isolate it, then I can potentially miss legitimate security logs.

I worry that if I isolate it with IPSEC, what tells Exchange don't ever try that DC again. Seems like it would introduce delay while the application/user workstation learns that DC is unavailable.

Thanks,
Bryan Lucas
Server Administrator
Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 9:26 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Isolating via site will still leave the DC available in case of emergencies (your authentication DCs go down), whereas IPSec makes them completely unavailable for any purposes for clients. I've actually never heard of anyone doing this and would consider it a very bad idea unless you have significant redundancy in your 'normal' environment.

BTW, from a Microsoft presentation a little over a year ago, they have 4 Exchange server sites, only 1 of them (Redmond) isolates their DCs from authentication and reserves it for Exchange; the other 3 use their Exchange (a *very* DC/GC intensive app) servers for authentication also.

Site is only a logical separation. IPSec might as well be a physical barrier. Unless there is a serious reason why you would rather have none of your clients be able to authenticate instead of authenticating against these DCs (as I said, in case of an emergency), then you should probably avoid putting an IP filter on these boxes. If you isolate via site, then the only way that clients are going to authenticate against them is if all DCs are down in their site, which since you're a single physical site org, means that all of the authentication DCs are down, which is probably a more serious problem than "OMG, a (gasp) *user* authenticated against my application DC".

On 9/13/06, Lucas, Bryan [EMAIL PROTECTED] wrote:

Thanks to all for the responses. This (isolating via ipsec) is probably the right direction for me. We're a single site, single domain at a single physical location, but the idea of building another site isn't appealing from a "keep it simple" perspective. Are there any technical reasons why a separate site would be better than isolation through IPSec? Will I cause clients/apps, who initially don't know they are denied, delays when they try to access the ipsec isolated DC?

Bryan Lucas
Server Administrator
Texas Christian University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of James Eaton-Lee
Sent: Wednesday, September 13, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Isolating a DC

Akomolafe, Deji wrote:
> I highly recommend that you read http://www.windowsitpro.com/articles/print.cfm?articleid=37935
> Then, as a fall-back option, look for the isolation using IPSec whitepapers on Microsoft site. I can't find them now, but I know that they exist. They show you how to restrict communication with a specific server or network using IPSec.

I think what you're referring to is the excellent "Server and Domain Isolation using IPSec" content, at:

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

If all you're looking for is host-based firewalling, however, there's other content online that'll explain this a little more concisely, such as this presentation from the Virginia Tech Windows Users Group:

http://vtwug.w2k.vt.edu/pdf/w2k_ipsec_firewall.pdf#search=%22using%20ipsec%20as%20a%20firewall%22

And also "Using IPSec to Lock Down a Server" from technet:

http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx

Hope that helps!

- James.

--
James (njan) Eaton-Lee | 10807960 | http://www.jeremiad.org/
Semper Monemus Sed Non Audiunt, Ergo Lartus - (Jean-Croix)
sites: https://www.bsrf.org.uk/ ~ http://www.security-forums.com/
ca: https://www.cacert.org/index.php?id=3
RE: [ActiveDir] Specifying builtin accounts in GPO settings.
Look at your default recipient policy. What's set there? Just curious.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com

From: Matt Hargraves
Sent: Wed 9/13/2006 8:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

Non-Exchange privileged users can't access OWA. I thought it was related to the fact that they had removed the M: drive, but that was only a small number of servers; the rest (that also aren't working) are having accessibility issues to OWA (though they can still access their mailbox through Outlook).

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:

On W2000 running OWA on a DC this was an issue, only case I know of. What are the issues you're having?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 10:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

We're having some issues with Exchange OWA and MS said something about IWAM when we called them. We're not granting them 'logon via terminal services', just testing 'log on locally', but if it works, that just creates an entire mess that we'd like to avoid.

On 9/13/06, Brian Desmond [EMAIL PROTECTED] wrote:

No it wouldn't. Why are you giving an IWAM account access to a remote machine?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Wednesday, September 13, 2006 9:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Specifying builtin accounts in GPO settings.

Would something like IWAM_%servername% or something like that work? I really don't want to go through and specify 45 account names in the "Log on locally" right for an OU if I can do it with a more simple command. I'll try just about anything :)

Thanks,
Matt

On 9/12/06, Brian Desmond [EMAIL PROTECTED] wrote:

And if you think about it they couldn't: if you have two DCs running IIS they both have IUSR and IWAM accounts in AD, so SIDs have to be different.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, September 12, 2006 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Specifying builtin accounts in GPO settings.

Matt-

I don't think these accounts have well-known SIDs, so I'm not sure that's going to help. You can easily verify using psgetsid from Sysinternals. I checked a couple accounts here (though they were domain accounts) and they were not well-known SIDs.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out http://www.gpoguy.com/ -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.

From: [EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, September 12, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Specifying builtin accounts in GPO settings.

I am trying to specify the builtin IWAM/IUSR accounts in GPO settings. We have a set of servers within an OU where they require the account to have rights on the local servers, call them Server1, Server2, Server3. We obviously don't want to create the setting for IWAM_Server1, IWAM_Server2, etc. I believe that this account has a common SID; if I simply do a browse for the account on one machine, will it resolve to SID and apply the setting for all accounts, or is there another way to do this (like specifying "Builtin\Administrator" would work for the builtin Administrator account) no matter what the name happens to be on a local machine?
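The psgetsid check Darren suggests, done in PowerShell as an added example (not code from the thread): it resolves each account to a SID and reports whether that SID is a well-known one that a user-rights assignment could name once for every machine. The domain and account names (CONTOSO, IWAM_SERVER1, IWAM_SERVER2) are hypothetical.

```powershell
# Added example, not from the thread: resolve an account name to its SID and report whether
# that SID is one of the well-known SIDs a user-rights assignment can name once for every
# machine (BUILTIN\Administrators and the like). Per-machine accounts such as IWAM_<server>
# carry an ordinary RID under the machine's or domain's SID, so they come back IsWellKnown=False
# and their SIDs differ from host to host. Hypothetical names: CONTOSO, SERVER1, SERVER2.
function Get-AccountSidInfo {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Account)  # 'DOMAIN\name' or 'MACHINE\name'
    process {
        try {
            $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                       [System.Security.Principal.SecurityIdentifier])
        } catch {
            return [pscustomobject]@{
                Account       = $Account
                Sid           = $null
                IsWellKnown   = $null
                WellKnownType = "unresolved: $($_.Exception.Message)"
            }
        }
        # Ask the SID, for every WellKnownSidType the runtime defines, whether it is that one.
        # Not every enum member is meaningful on every OS build, hence the per-type try/catch.
        $type = $null
        foreach ($t in [Enum]::GetValues([System.Security.Principal.WellKnownSidType])) {
            try { if ($sid.IsWellKnown($t)) { $type = $t; break } } catch { }
        }
        [pscustomobject]@{
            Account       = $Account
            Sid           = $sid.Value
            IsWellKnown   = ($null -ne $type)
            WellKnownType = $type
        }
    }
}

# BUILTIN\Administrators is the kind of identity a GPO can name once; the two IWAM accounts
# from two IIS hosts resolve to two different, non-well-known SIDs, so one entry cannot
# cover both of them.
'BUILTIN\Administrators', 'CONTOSO\IWAM_SERVER1', 'CONTOSO\IWAM_SERVER2' |
    Get-AccountSidInfo |
    Format-Table Account, Sid, IsWellKnown, WellKnownType -AutoSize
```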
RE: [ActiveDir] Isolating a DC
I highly recommend that you read http://www.windowsitpro.com/articles/print.cfm?articleid=37935

Then, as a fall-back option, look for the isolation using IPSec whitepapers on Microsoft's site. I can't find them now, but I know that they exist. They show you how to restrict communication with a specific server or network using IPSec.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com

From: Lucas, Bryan
Sent: Tue 9/12/2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Isolating a DC

I'd like to isolate a DC from regular user authentication. I only want certain applications/processes using it. Obviously it will need to replicate with the other DCs. I don't have an interface on the firewall to use, so I would probably have to do something software based on the DC itself. Any recommendations on what to read, how to isolate it and what ports are required?

Bryan Lucas
Server Administrator
Texas Christian University
RE: [ActiveDir] Separate forest migration notes
Yes. Try doing file://computername/c$ to a few of the computers in question. If you can't connect, you have a firewall issue. If you can connect, but can log in with the account you are using for the migration, you have a permission issue. Those 2 tests must pass before you can do any migration.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com

From: Danny
Sent: Fri 9/8/2006 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Separate forest migration notes

Thanks - I will try that out. Also, do you know if the Windows firewall needs any exceptions for the computer migration component to function?

On 9/8/06, Chong Ai Chung [EMAIL PROTECTED] wrote:

You can add your account to administrators group on all computers using restricted group in GPO. http://support.microsoft.com/Default.aspx?kbid=279301

On 9/9/06, Danny [EMAIL PROTECTED] wrote:

I found some more information, however, in the "Before using ADMT v3" help document included with ADMT, it states that the account that I am running ADMT must be a member of the administrators group on all computers that I want to migrate. How would I accomplish this?

Thanks,
...D

On 9/5/06, Danny [EMAIL PROTECTED] wrote:

Thank you, Al! I will provide an updated outline of our plan based on your suggestions. One question, though: Does anyone know what ADMT v3 is not capable of migrating in the environment I outlined?

On 8/29/06, Al Mulnick [EMAIL PROTECTED] wrote:

Overall, that's pretty good for the plan. If you haven't already seen it, there's a migration cookbook available on Microsoft's website.

Some things to pay attention to:

Name resolution for the clients - it's important :)

Trust configurations - if a recent enough version, there are some security components that you'll want to be aware of - specifically quarantine and SID filtering. Be sure those are configured appropriately for your environment.

Order of migration: Be sure to understand the impacts of the order that you migrate the users. I don't know enough about the versions of Exchange, but it would make sense to move the users after or before you move the mailboxes. All the users or all the mailboxes pretty much. If you try to do both at the same time, it can be difficult to troubleshoot and you'll slow your migration down trying to chase the issues.

That leads to expectations: Be sure that nobody expects to stay in the partially-migrated state for very long while you chase down integration issues. Once you start, be prepared to sprint to the finish line. Co-existence sucks. No doubts about that. If you try to continue on with migration and coexistence and new projects and...etc you'll be torn to the winds. Your best bet is to continue to push regardless of the issues once you begin (post pilot of course).

Did I mention name resolution? That's important, so I don't mind mentioning it twice.

Planning is your friend when it comes to migrations.

I imagine that Guido might chime in here. I hear he's done this once or twice. :)

On 8/29/06, Danny [EMAIL PROTECTED] wrote:

A company was acquired. Separate 2000/2003 forest, now a two-way trust exists, but we are looking at migrating their users, mailboxes, computers, and servers into our forest. Working on a plan to test moving a user, mailbox, computer, and server into our forest.

Plan:
Select test users and computers
Install ADMT
Test user migration via ADMT
Test computer migration via RDP manually or script (must locate)
Test mailbox migration via Exchange Migration Wizard
Login as user and test services/access

Am I missing anything? Any tips?

Thanks,
...D
--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
RE: [ActiveDir] Separate forest migration notes
BTW, here's how I add the ADMT account to the relevant admin groups before the known good "Restricted Group" option was invented. If you find out that "Restricted Group" is not working for you, try the script option.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com

From: Danny
Sent: Fri 9/8/2006 1:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Separate forest migration notes

I found some more information, however, in the "Before using ADMT v3" help document included with ADMT, it states that the account that I am running ADMT must be a member of the administrators group on all computers that I want to migrate. How would I accomplish this?

Thanks,
...D
RE: [ActiveDir] Separate forest migration notes
Ugh! I wish they would invent a computerish thingamabob that reads your mind and pastes the link you are thinking of :0. Here's the sample script.

http://www.akomolafe.com/Portals/1/add-to-loc-grp.txt

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com

From: Akomolafe, Deji
Sent: Fri 9/8/2006 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Separate forest migration notes

BTW, here's how I add the ADMT account to the relevant admin groups before the known good "Restricted Group" option was invented. If you find out that "Restricted Group" is not working for you, try the script option.
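The two pre-checks from the earlier reply (can I reach \\host\c$, can I authenticate to it) followed by the local Administrators membership that ADMT requires, written as an added PowerShell example rather than the script at the link above. Function and account names (Add-MigrationAdmin, CONTOSO\admt-svc, ws01/ws02) are hypothetical; Restricted Groups via GPO remains the supported route, this is the per-host alternative with the checks built in.

```powershell
# Added example, not the thread's script: for each target host, run the two tests from the
# reply (SMB reachable? c$ accessible with the current credentials?) and only where both pass
# add the migration account to the local Administrators group through the WinNT ADSI provider.
# Hypothetical values: CONTOSO\admt-svc and the host names.
function Add-MigrationAdmin {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Domain,      # NetBIOS domain of the migration account
        [Parameter(Mandatory)][string]$Account      # sAMAccountName of the migration account
    )
    foreach ($c in $ComputerName) {
        $result = [ordered]@{ Computer = $c; Reachable = $false; Authenticated = $false; Added = $false; Error = $null }

        # Test 1: is TCP/445 reachable at all? A failure here is a firewall (or name resolution) problem.
        $result.Reachable = Test-NetConnection -ComputerName $c -Port 445 -InformationLevel Quiet
        if (-not $result.Reachable) {
            $result.Error = 'port 445 unreachable: firewall or name resolution'
            [pscustomobject]$result; continue
        }

        # Test 2: can the current credentials open \\host\c$? A failure here is a permission problem.
        try {
            $null = Get-ChildItem -LiteralPath "\\$c\c`$" -ErrorAction Stop | Select-Object -First 1
            $result.Authenticated = $true
        } catch {
            $result.Error = "c`$ access: $($_.Exception.Message)"
            [pscustomobject]$result; continue
        }

        # Both tests passed: add the account, skipping hosts where it is already a member
        # so the function is safe to re-run.
        try {
            $group   = [ADSI]"WinNT://$c/Administrators,group"
            $members = @($group.psbase.Invoke('Members') | ForEach-Object {
                $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
            if ($members -notcontains $Account) {
                $group.psbase.Invoke('Add', "WinNT://$Domain/$Account,user")
            }
            $result.Added = $true
        } catch {
            $result.Error = "group add: $($_.Exception.Message)"
        }
        [pscustomobject]$result
    }
}

# Usage with hypothetical values; the output table shows which of the two tests failed where.
Add-MigrationAdmin -ComputerName 'ws01', 'ws02' -Domain 'CONTOSO' -Account 'admt-svc' |
    Format-Table Computer, Reachable, Authenticated, Added, Error -AutoSize
```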
RE: [ActiveDir] Strange password issue
It is possible to programmatically create an account that bypasses the password length policy. The password not required flag will let you enable the account with a blank password, in contravention of your password policy.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com

From: Tom Kern
Sent: Wed 9/6/2006 10:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

This is a domain account.

To rehash- The Default Domain Policy is set to min password length- 6 characters. This was created 2 years ago and never changed. User account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:

Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL. Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks

2006-09-06, 11:32:05
The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.
RE: [ActiveDir] more DNS questions
Do you have a zone called "rev" in your sub.domain.com fwd lookup zone? If not, I want to say that the requestor didn't quite explain what he needs properly. The in-addr.arpa tag that you see is standard for reverse entries. Unless you are doing something fancy in your environment, that's what you'd typically use. Creating cnames in reverse lookup zones for vanity domains is ... shall we say exotic.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com

From: Ramon Linan
Sent: Wed 9/6/2006 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] more DNS questions

Hi,

I have 2 internal DNS servers and 2 external DNS servers. We are delegating the subdomain sub.domain.com to another server in the same building that is managed by the Unix guys. We have also given them 16 ip addresses in the range x.y.z.65-80.

One of their SAs is asking me to update the reverse RR for several records in this way:

x.y.z.67 CNAME 67.z.y.x.rev.sub.domain.com

But when I go to our dns server all I find for the reverse zone is something like z.y.x.in-addr.arpa, so when I tried to create a cname record there I get something like 67.z.y.x.in-addr.arpa instead of 67.z.y.x.rev.sub.domain.com

How can I get what this dude is asking me to do??? Do I need to create a reverse zone for that subdomain?

Thanks
Rezuma

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Is a Global Security group being used?
Try Hyena. I believe that it has the option to report on ACLs and list the relevant users/groups.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com

From: Figueroa, Johnny
Sent: Wed 9/6/2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

The tough one... being used in resource ACLs

From: [EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, September 06, 2006 10:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is a Global Security group being used?

What do you mean by "being used"? Are you referring to it being in resource ACLs? Nested into other groups?

Laura

From: [EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Wednesday, September 06, 2006 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is a Global Security group being used?

Does anyone have a way to determine if a domain global group is being used? Will auditing on the DCs tell me this?

Thanks in advance.
Johnny Figueroa
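The "tough one" (is the group referenced in resource ACLs?) for one file server, as an added PowerShell example that is not from the thread and does not use Hyena: it walks a tree and reports every ACE whose trustee is the group's SID. Group and path names (CONTOSO\GG-Finance, D:\Shares) are hypothetical; share, registry and AD-object ACLs would each need a separate pass of the same shape.

```powershell
# Added example, not from the thread: report every file-system ACE on the given paths whose
# trustee is the domain global group, matching by SID so renamed groups still match.
# Hypothetical values: CONTOSO\GG-Finance and D:\Shares.
function Find-GroupInAcls {
    param(
        [Parameter(Mandatory)][string]$Group,        # 'DOMAIN\GroupName'
        [Parameter(Mandatory)][string[]]$Path,       # roots to walk
        [switch]$ExplicitOnly                        # drop inherited ACEs to see only where it was granted
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # Include the roots themselves, then everything below them. Directories whose ACL we cannot
    # read are skipped silently; they would need a run as an account with READ_CONTROL there.
    $items = @(Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }
        # GetAccessRules(includeExplicit, includeInherited, targetType): ask for SIDs, not names.
        foreach ($ace in $acl.GetAccessRules($true, -not $ExplicitOnly, [System.Security.Principal.SecurityIdentifier])) {
            if ($ace.IdentityReference -eq $sid) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage with hypothetical values: explicit grants only, which is the list you would review
# before deciding the group is unused and can be retired.
Find-GroupInAcls -Group 'CONTOSO\GG-Finance' -Path 'D:\Shares' -ExplicitOnly |
    Format-Table Path, Rights, Type -AutoSize
```

An empty result for every file server, share and AD OU is still not proof the group is unused: it can also sit in other groups' membership or in application-level role mappings, which Laura's "nested into other groups" question points at.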
RE: [ActiveDir] Strange password issue
If it's 512, then that pwd not req is not true.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com

From: Al Mulnick
Sent: Wed 9/6/2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:

This is a domain account.

To rehash- The Default Domain Policy is set to min password length- 6 characters. This was created 2 years ago and never changed. User account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks
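The UAC bitmask Al did not want to work out, decoded as an added PowerShell example (not from either reply in this thread): it names the flags in a userAccountControl value, shows why 512 alone means PASSWD_NOTREQD is clear, and queries the domain for accounts where that bit is set. It assumes the ActiveDirectory module from RSAT for Get-ADUser; the SearchBase is optional.

```powershell
# Added example, not from the thread: decode userAccountControl and find accounts with
# PASSWD_NOTREQD (0x0020) set, which is the bit that lets an account be enabled with a
# blank password regardless of the domain's minimum length. 512 is NORMAL_ACCOUNT alone,
# so the flag is not set there; 544 (512 + 32) is the value that would carry it.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    MNS_LOGON_ACCOUNT              = 0x20000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

# Return the names of every flag set in a userAccountControl value.
function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# List domain users that have PASSWD_NOTREQD set, enabled or not. The matching rule OID
# 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) makes the DC do the bit test.
function Find-PasswordNotRequired {
    param([string]$SearchBase)   # optional OU distinguished name; defaults to the whole domain
    $params = @{
        LDAPFilter = '(userAccountControl:1.2.840.113556.1.4.803:=32)'
        Properties = 'userAccountControl'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADUser @params | Select-Object SamAccountName, Enabled,
        @{ n = 'UAC';   e = { $_.userAccountControl } },
        @{ n = 'Flags'; e = { (ConvertFrom-UserAccountControl $_.userAccountControl) -join ',' } }
}

# Usage: decode the two values under discussion, then audit the domain.
ConvertFrom-UserAccountControl 512
ConvertFrom-UserAccountControl 544
Find-PasswordNotRequired | Format-Table -AutoSize
```

Clearing the bit (Set-ADUser -PasswordNotRequired $false) does not by itself set a password; the account keeps its blank one until it is reset, so the audit output is a list of resets to schedule, not only flags to flip.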
RE: [ActiveDir] NTFRS - Journal Wrap Errors
How old is the offline DC? Does the online DC have a LOT of things (beside FSMO) that you need to sync with the offline DC? I mean, are there a lot of objects that have been created on the online DCs that have not been replicated to the offline one?

IF all you want to do is transfer FSMO, I'd just turn off this problematic DC, bring up the offline (known good) DC and do a FSMO roles seizure.

If you still want to go through journal wrap troubleshooting, let us know. I have a couple of references to give you. You can also search this list's archives because journal wrap has been discussed to death here on several occasions.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com

From: Aaron Burg
Sent: Wed 9/6/2006 10:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTFRS - Journal Wrap Errors

Hi-

I am new to the list and was hoping someone could help with an ugly situation I was brought in to clean up:

I am working with a W2K native mode domain with only ONE active domain controller (W2K SP4). There is a second DC, but it was brought on-line after the journal wrap errors (Event 13568) began and has never replicated sysvol (doesn't even exist on the box). It appears AD and such are working with the new DC... just not NTFRS. The original DC does have sysvol and appears to be working to authenticate clients as normal.

I need to get the journal wrap errors resolved so I can bring the second DC on-line, transfer FSMO roles and get the old box rebuilt since it doesn't even have redundant drives - Yikes!

Everything I have read says to do a D2 non-authoritative restore, but since I only have the one DC, where would it restore from? I have run an NT backup of c:\ and system state to try and get some comfort, but still am afraid of making matters worse.

Any suggestions/recommendations would be very much appreciated...I would like to get this cleaned up this week!

Thanks so much,
Aaron
[EMAIL PROTECTED]
RE: [ActiveDir] NTFRS - Journal Wrap Errors
Two recommendations:

1] Don't mention that you have a "second DC" anymore because you don't appear to have a good "second DC" at all. The one you have does not sound reliable, so don't introduce it into the environment again.

2] Follow Susan's recommendation. Post back if it doesn't work for you.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com

From: Aaron Burg
Sent: Wed 9/6/2006 10:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTFRS - Journal Wrap Errors

Thanks for the reply. I did see some of the topics covering this, but they all seemed to cover situations where there were several DCs functioning. The newer DC was built about 1 year ago, but it never synced correctly and was powered down for over 60 days at a time. Since this is a very small, basic setup, there are no fancy or custom GPs or special groups. The problem is that no one really knows much about the infrastructure since so many people have hacked at it over the past 2 years.

Since the offline DC has never fully replicated with the original one, at what point in the seizure does it create its own sysvol? I would prefer to resolve the journal issue if possible. My confusion is how to do it without a good DC to restore from?

Thanks again,
Aaron
RE: OT - RE: [ActiveDir] W. in hell
Nah, it looks more like the sender mistook this list for some other lists. On other lists, this would have engendered a more rapid-fire flame war to the sender's satisfaction, even though the joke itself is very old and has outlived its useful shelf life. I'm sure he's disappointed that this list is so geeky and full of maroons with no sense of humor.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com

From: Laura A. Robinson
Sent: Sun 9/3/2006 5:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: OT - RE: [ActiveDir] W. in hell

Okay, has anybody considered the possibility that this was an accident? I know I've accidentally sent mail to the wrong addresses before by letting autofill kick in and not paying attention to what actually got autofilled, and this seems like a very strange thing to send to this list intentionally.

Laura

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Sunday, September 03, 2006 8:49 AM
To: ActiveDir@mail.activedir.org
Subject: OT - RE: [ActiveDir] W. in hell

Yup and this list (especially with no OT marking) is the place for that right? Bring it to an OT list, mark your postings that have no bearing on technical matter with an OT or something. Otherwise, you're just another spammer

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Brandon Pierce
Sent: Sunday, September 03, 2006 1:14 AM
To: Brandon Pierce
Subject: [ActiveDir] W. in hell

George Bush has a heart attack and dies. He goes to hell, where the Devil is waiting for him.

"I'm not sure what to do," says the Devil. "You're on my list, but I have no room for you. As you definitely have to stay here, I'm going to have to let someone else go. I've got three folks here who weren't quite as bad as you. I'll let you decide who leaves."

George thought that sounded pretty good, so he agreed.

The Devil opened the first room. In it were Richard Nixon and a large pool of hot water. He kept diving in and climbing out, over and over. Such was his fate in hell.

"No!" said George. "I don't think so, I'm not a good swimmer and don't think I could stay in hot water all day."

The Devil led him to the next room. In it was Tony Blair with a sledgehammer and a room full of rocks. All he did was swing the hammer, time after time.

"No! I've got this problem with my shoulder. I would be in constant agony if all I could do was break rocks all day," commented George.

The Devil opened the third door. In it, George saw Bill Clinton lying on the floor with his arms staked over his head, and his legs staked in a spread-eagle pose. Bent over him was Monica Lewinsky, doing what she does best.

George Bush looked at this in disbelief for a while, and finally said "Yeah, I can handle this."

The Devil smiled and said, "OK, Monica, you're free to go!"
RE: [ActiveDir] DNS DOCUMENTATION
This doesn't do anything positive for him regarding his particular concerns. He is publishing internal records to the public. I have seen some people argue that it is not a big deal to expose internal addresses/records unless the addresses are routable. Me? I say it is bad to mix your internal and external records on the same server.

Unless you don't have a choice in terms of hardware limitations, you should split your internal and external zones. Ideally, you would want your internal domain name to be different from your external domain name. But, where that is not possible, use different servers for the DNS service. Point your internal servers and clients to the internal DNS servers and make sure that these are the only name servers listed in your DHCP and on the "Name Server" tab of the zone. Then, remove all internal records from the external DNS servers and make sure that these are the only servers listed externally at the Registrar for the domain.

Sincerely,

From: Scott, Anthony
Sent: Fri 9/1/2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS DOCUMENTATION

All you should have to do is create an A record named www, point it to the internal IP of your web server. This will create an A record of www.domain.com

Thanks,
Anthony Scott
Microsoft Consultant
Mobile 616-481-9722 | Desk 616-464-6369 | [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Friday, September 01, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS DOCUMENTATION

Hi,

I have one client that has AD integrated DNS. The internet domain is the same as the AD domain (domain.com). They have ns1 and ns2 to handle the internet domain, meaning MX, www, A, etc. records for domain.com; those are the external DNS servers. And they also have several internal DNS servers for AD.

The thing is I am able to query ns1 and ns2 from outside the office and find out everything for the domain, global catalogs, DC, etc. Is this the correct way to do it?

Does anybody know a good white paper or similar that deals with AD integrated DNS, internal and external DNS, etc.?

Thanks
Rezuma
RE: [ActiveDir] DNS DOCUMENTATION
Couldn't make the con-call. But we have been asking for this for some time now. Do you have any shareable info on what MS is doing along that line?

Sincerely,

From: joe
Sent: Fri 9/1/2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS DOCUMENTATION

Heh, this was a topic on a MSFT con-call yesterday... Bind 9 supports multiple views on zones based on external/internal (or other definitions) requests... Cuts down on the number of DNS servers required.

http://www.oreillynet.com/pub/a/oreilly/networking/news/views_0501.html
http://transposed.org/techstuff/bind9-win2k.html

or better (depending on your viewpoint[1])

http://info.ccone.at/INFO/FreeBSD-Manual/en/network-bind9.html

:)

[1] B.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Friday, September 01, 2006 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS DOCUMENTATION
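The leak Ramon describes (AD locator records and internal addresses answerable from ns1/ns2) is the reason Deji recommends splitting zones and joe points at BIND 9 views. The following is an added example, not code from any poster on this thread: a small Python audit that reads a flat BIND-style zone file and lists the records that should never appear in the external zone (or the external view). The AD_LABELS set, the RFC 1918 ranges and the sample zone are my own assumptions.

```python
"""Audit an Internet-facing zone file for records that belong only on the
internal AD DNS servers (added example; AD_LABELS and the zone are assumed)."""
import ipaddress

# Owner-name labels that exist only because Active Directory registers them.
AD_LABELS = {"_msdcs", "_sites", "_ldap", "_kerberos", "_kpasswd", "_gc",
             "domaindnszones", "forestdnszones"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_zone(text):
    """Yield (owner, rtype, rdata) from a flat zone file (no multi-line records)."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()        # drop trailing comments
        if not line or line.startswith("$"):        # skip blanks, $ORIGIN, $TTL
            continue
        owner, *rest = line.split()
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)                              # optional TTL and class
        if len(rest) >= 2:
            yield owner.lower(), rest[0].upper(), " ".join(rest[1:])

def audit_external_zone(text):
    """Return [(owner, rtype, reason)] for AD locator records and A records
    with RFC 1918 addresses, neither of which belongs in a public zone."""
    findings = []
    for owner, rtype, rdata in parse_zone(text):
        if set(owner.split(".")) & AD_LABELS:
            findings.append((owner, rtype, "Active Directory locator record"))
        elif rtype == "A":
            try:
                addr = ipaddress.ip_address(rdata)
            except ValueError:
                continue                             # malformed rdata, ignore
            if any(addr in net for net in RFC1918):
                findings.append((owner, rtype, "RFC 1918 address"))
    return findings

# Constructed sample: an external zone that has absorbed AD records.
SAMPLE_ZONE = """\
$ORIGIN domain.com.
@                    IN NS  ns1.domain.com.
www             3600 IN A   203.0.113.10
dc1                  IN A   192.168.1.10           ; a domain controller
_ldap._tcp.dc._msdcs IN SRV 0 100 389 dc1.domain.com.
_kerberos._tcp       IN SRV 0 100 88 dc1.domain.com.
gc._msdcs            IN A   192.168.1.10
"""
if __name__ == "__main__":
    for owner, rtype, reason in audit_external_zone(SAMPLE_ZONE):
        print(f"{owner:22} {rtype:4} {reason}")
```

Run it against a zone transfer or export of the external zone; anything it lists is what Deji's "remove all internal records from the external DNS servers" step has to delete.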
RE: [ActiveDir] Logging successful logons in AD security log
I can say that I have seen logs way bigger than the specified max size. I can't say it's hurt the servers in any way.

Sincerely,

From: Glenn Corbett
Sent: Thu 8/31/2006 2:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging successful logons in AD security log

Interesting. From the article: "Microsoft plans to resolve these problems in the next version of Windows by rewriting the event logging system from the ground up." Since the last update was Mar 28 2003, I wonder how this applies to Windows 2003 R2 and the 64 Bit versions of Windows, or if this will only be fixed in Longhorn.

Glenn

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, 31 August 2006 7:20 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log

Does everyone know this recommendation from Microsoft?

On Windows XP, member servers, and stand-alone servers, the combined size of the application, security, and system event logs should not exceed 300 MB. On domain controllers, the combined size of these three logs - plus the Directory Service, File Replication Service, and DNS Server logs - should not exceed 300 MB.

http://technet2.microsoft.com/WindowsServer/en/library/5a86ab0f-c7eb-45ed-9e5e-514173bf15e31033.mspx?mfr=true

Mark

From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" [EMAIL PROTECTED]
Date: Wed, 30 Aug 2006 20:07:29 -0700
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Logging successful logons in AD security log

Ask the PSS security guys and they want success and failure. Only having half the story... is only half the story. Buy bigger hard drives and archive.

Sitton Glen E wrote:

I don't know that there is a 'general consensus' because everyone's business needs differ. My environment has around 100K users and you're right, there's a ridiculously high volume of logon events. We set the security log size very high on the domain controllers, and collect and clear the security logs several times per day using a commercially-available "fancy log management system." We don't allow the security logs to rollover. The eventlog management software gives us an impressive battery of audit reports, and a compressed eventlog repository that we archive for FISMA compliance. I'm sure our uncompressed event log archive is well above 1TB per year. But we realize about a 20:1 compression using the commercial software. Your options may be limited by legal requirements that may govern the audit logs of your business or organization.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, August