RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-28 Thread Brian Desmond
Nowhere does the OP say he's assigned a /16 mask to any interface.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Sunday, January 28, 2007 4:02 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

hello,

just to stop the troll...
Do you understand my other posts about your network?
Is your DC set up on its network interface with a 255.255.0.0 netmask?

Your setup will work fine from an AD point of view (dssite.msc), but not from an IP
routing point of view if you are really using a 255.255.0.0.

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


- Original Message -
From: Brian Cline [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 10:19 PM
Subject: [ActiveDir] Overlapping AD Subnet Boundaries


Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, 
and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD 
treat a client address of, say, 10.10.41.104 as a client on the secondary site, 
or will it default to the more general primary subnet? The reason I ask is we 
now have a need for a second AD site (I can see all the enterprise folks 
grinning now) and we have quite a number of other subnets that I'd have to 
manually enter if this is not the case. I don't mind doing it, but I was 
curious either way.

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-28 Thread Brian Desmond
Going with a /24 when you're laying out a network just because it's common and 
small doesn't really help any more than picking a /16 out of the blue in the 
long run.

Migrating machines into new subnets is actually not that difficult if properly 
planned - I've been around that circuit quite a few times.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, January 28, 2007 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

My advice would have been to start with a 255.255.255.0 netmask (/24) - it's 
better for creating more subnets and hosts.  255.255.0.0 (/16) is more limiting 
if that is what the person is using, no matter what IP class is being used.  
But if not selected initially it's too late to easily go back...

Regards,

Chuck


-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sun, 28 Jan 2007 3:01 AM
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries
hello,

just to stop the troll...
Do you understand my other posts about your network?
Is your DC set up on its network interface with a 255.255.0.0 netmask?

Your setup will work fine from an AD point of view (dssite.msc), but not from an IP
routing point of view if you are really using a 255.255.0.0.

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


- Original Message -
From: Brian Cline [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 10:19 PM
Subject: [ActiveDir] Overlapping AD Subnet Boundaries

Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, 
and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD 
treat a client address of, say, 10.10.41.104 as a client on the secondary site, 
or will it default to the more general primary subnet? The reason I ask is we 
now have a need for a second AD site (I can see all the enterprise folks 
grinning now) and we have quite a number of other subnets that I'd have to 
manually enter if this is not the case. I don't mind doing it, but I was 
curious either way.
Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax



RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-28 Thread Brian Desmond
Yeah personally I'd have written some little .net contraption doing it in the 
background if it was something as simple as this.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 28, 2007 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

I agree that MIIS could be convenient but only if it is already there or you 
have other plans for it. If this was the only reason for it I would be more apt 
to put something else together that had a far lower bar of entry such as some 
basic scripts that are scheduled through task scheduler or made into a service 
(Perl PSDK) or LDSU or some basic low end syncing tools that don't require 
setting up a full blown SQL and MIIS server.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, January 27, 2007 7:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT
You can whack notes with ldifde or something. MIIS is a convenient way to do it 
though.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, January 27, 2007 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Ewww.  :)

Unless there are other needs that require MIIS I don't think I would deploy it 
for this. MIIS is a 50 caliber when all that was probably needed was a foam 
pellet gun.

I have seen folks doing this before, usually they get an LDIF extract from 
Notes and just slam that into AD as contacts or mail-enabled users. Actually 
getting the info out of Notes... no clue, I didn't even want to start touching 
Exchange let alone any other messaging apps. I am happy just with Windows 
Server 2003 SMTP and looking at the text files. ;o)



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, January 26, 2007 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT
Have you looked at MIIS?

Laura


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Same topic, but this one is for Notes Admin/Gurus as well.

I populate the mail attribute in AD with the Notes users' primary internet 
address. Does anyone have a script or method that will allow me to publish in 
AD the same info for groups and other addresses for users?

Even something that can query Domino for all users and groups and return all 
addresses into a file, I can use that as a basis to update AD with proxy info 
etc.
Thanks in advance.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]
Brian Cline [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/26/2007 09:47 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Ah, yes, good call. Almost forgot that it changes that, too.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP:
address.


--James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query
for users that have secondary addresses vs. only having a primary and there
isn't any

[ActiveDir] Naming Convention for Site Links

2007-01-28 Thread Brian Desmond
Was wondering what other folks use for naming site links. A point to point link 
is obvious to me SiteA - SiteB or something like that. What about a link with 
three or four sites in it (e.g. SiteA, SiteB, SiteC, etc)?



Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-27 Thread Brian Desmond
While your math is right you should look up supernetting and subnetting 
somewhere.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
 Sent: Saturday, January 27, 2007 4:17 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

 In my opinion, there is a pure TCP/IP network issue...

 A sample example:
 The DC is 10.10.0.1 with a netmask of 255.255.0.0 (/16 as indicated).
 If you try to ping 10.10.41.104, it will try to communicate on the LAN,
 seeking its ARP entry.
 It won't send packets to the gateway since 10.10.41.0 must be on the
 LAN.

 The only way to get it to work is to use a Layer 2 link between both sites.


 Regards,
 Mathieu CHATEAU
 http://lordoftheping.blogspot.com


 - Original Message -
 From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Friday, January 26, 2007 11:37 PM
 Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries


 It will go for the second site 10.10.41.0/24 (= best matching).

 Met vriendelijke groeten / Kind regards,
 Ing. Jorge de Almeida Pinto
 Senior Infrastructure Consultant
 MVP Windows Server - Directory Services

 LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
 Tel : +31-(0)40-29.57.777
 Mobile : +31-(0)6-26.26.62.80
 E-mail : see sender address

 

 From: [EMAIL PROTECTED] on behalf of Brian Cline
 Sent: Fri 2007-01-26 22:19
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Overlapping AD Subnet Boundaries



 Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site,
 and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will
 AD treat a client address of, say, 10.10.41.104 as a client on the secondary
 site, or will it default to the more general primary subnet? The reason I
 ask is we now have a need for a second AD site (I can see all the enterprise
 folks grinning now) and we have quite a number of other subnets that I'd
 have to manually enter if this is not the case. I don't mind doing it, but I
 was curious either way.

 Brian Cline, Applications Developer
 Department of Information Technology
 GP Trucking Company, Inc.
 803.936.8595 Direct Line
 800.922.1147 Toll-Free (x8595)
 803.739.1176 Fax



 This e-mail and any attachment is for authorised use by the intended
 recipient(s) only. It may contain proprietary material, confidential
 information and/or be subject to legal privilege. It should not be
 copied,
 disclosed to, retained or used by, any other party. If you are not an
 intended recipient then please promptly delete this e-mail and any
 attachment and all copies and inform the sender. Thank you.

 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ma/default.aspx


RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-27 Thread Brian Desmond
OK well you don't need a layer 2 link to do what the OP wants...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
 Sent: Saturday, January 27, 2007 12:53 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

 Hi,

 I am coming from a network job, so I am used to sub/supernetting somehow
 :)
 Thanks anyway!

 Regards,
 Mathieu CHATEAU
 http://lordoftheping.blogspot.com


 - Original Message -
 From: Brian Desmond [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Saturday, January 27, 2007 6:47 PM
 Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries


 While your math is right you should look up supernetting and subnetting
 somewhere.

 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]

 c - 312.731.3132

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:ActiveDir-
  [EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
  Sent: Saturday, January 27, 2007 4:17 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries
 
  In my opinion, there is a pure TCP/IP network issue...
 
  A sample example:
  The DC is 10.10.0.1 with a netmask of 255.255.0.0 (/16 as indicated).
  If you try to ping 10.10.41.104, it will try to communicate on the
  LAN, seeking its ARP entry.
  It won't send packets to the gateway since 10.10.41.0 must be on the
  LAN.
 
  The only way to get it to work is to use a Layer 2 link between both
  sites.
 
 
  Regards,
  Mathieu CHATEAU
  http://lordoftheping.blogspot.com
 
 
  - Original Message -
  From: Almeida Pinto, Jorge de
 [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Friday, January 26, 2007 11:37 PM
  Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries
 
 
  It will go for the second site 10.10.41.0/24 (= best matching).
 
  Met vriendelijke groeten / Kind regards,
  Ing. Jorge de Almeida Pinto
  Senior Infrastructure Consultant
  MVP Windows Server - Directory Services
 
  LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
  Tel : +31-(0)40-29.57.777
  Mobile : +31-(0)6-26.26.62.80
  E-mail : see sender address
 
  
 
  From: [EMAIL PROTECTED] on behalf of Brian Cline
  Sent: Fri 2007-01-26 22:19
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Overlapping AD Subnet Boundaries
 
 
 
  Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary
  site, and another subnet as 10.10.41.0/24 and assign it to a secondary
  site. Will AD treat a client address of, say, 10.10.41.104 as a client on
  the secondary site, or will it default to the more general primary subnet?
  The reason I ask is we now have a need for a second AD site (I can see all
  the enterprise folks grinning now) and we have quite a number of other
  subnets that I'd have to manually enter if this is not the case. I don't
  mind doing it, but I was curious either way.
 
  Brian Cline, Applications Developer
  Department of Information Technology
  GP Trucking Company, Inc.
  803.936.8595 Direct Line
  800.922.1147 Toll-Free (x8595)
  803.739.1176 Fax
 
 
 
 


RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

2007-01-27 Thread Brian Desmond
You can whack notes with ldifde or something. MIIS is a convenient way to do it 
though.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, January 27, 2007 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Ewww.  :)

Unless there are other needs that require MIIS I don't think I would deploy it 
for this. MIIS is a 50 caliber when all that was probably needed was a foam 
pellet gun.

I have seen folks doing this before, usually they get an LDIF extract from 
Notes and just slam that into AD as contacts or mail-enabled users. Actually 
getting the info out of Notes... no clue, I didn't even want to start touching 
Exchange let alone any other messaging apps. I am happy just with Windows 
Server 2003 SMTP and looking at the text files. ;o)



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, January 26, 2007 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT
Have you looked at MIIS?

Laura


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Same topic, but this one is for Notes Admin/Gurus as well.

I populate the mail attribute in AD with the Notes users' primary internet 
address. Does anyone have a script or method that will allow me to publish in 
AD the same info for groups and other addresses for users?

Even something that can query Domino for all users and groups and return all 
addresses into a file, I can use that as a basis to update AD with proxy info 
etc.
Thanks in advance.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]

Brian Cline [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/26/2007 09:47 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Ah, yes, good call. Almost forgot that it changes that, too.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wells, James
Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP:
address.


--James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an
address that already exists as a secondary, does ADUC do anything more
than change the prefix on the old primary address from 'SMTP' to 'smtp'
and vice-versa for the new primary?


Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query
for users that have secondary addresses vs. only having a primary and there
isn't any practical way to just get the secondary addresses out of the
proxyAddresses attribute.  You essentially need to get all the data and then
check for the values that are prefixed with lower case smtp.

Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP
itself doesn't help much.

Joe K.

- Original Message -
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?


Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE -
you'd either have to use LDIFDE or VBScript or anything else to view all
values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 January 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses
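Joe K.'s point about the SMTP:/smtp: prefix case and James's note that the mail attribute follows the primary, as an added example that is none of the posters' code: it parses a constructed LDIFDE-style export (the DNs and addresses are made up), lists users with secondaries client-side, and promotes a secondary the way the thread says ADUC does, rewriting mail to match.

```python
"""
Post-process proxyAddresses as the thread describes: the primary carries an
upper-case "SMTP:" prefix and secondaries a lower-case "smtp:", which an LDAP
filter cannot distinguish, and CSVDE cannot show multi-valued attributes, so
you export with LDIFDE and sort it out client-side.
"""
import base64

# Constructed LDIFDE-style export (not a real directory dump). Carol's
# secondary is base64-encoded ("::") the way LDIFDE emits unsafe values.
_B64 = base64.b64encode(b"smtp:c.example@example.test").decode("ascii")
SAMPLE_LDIF = f"""\
dn: CN=Alice Example,OU=Users,DC=example,DC=test
mail: alice@example.test
proxyAddresses: SMTP:alice@example.test
proxyAddresses: smtp:a.example@example.test
proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Example;g=Alice;

dn: CN=Bob Example,OU=Users,DC=example,DC=test
mail: bob@example.test
proxyAddresses: SMTP:bob@example.test

dn: CN=Carol Example,OU=Users,DC=example,DC=test
mail: carol@example.test
proxyAddresses: SMTP:carol@example.test
proxyAddresses:: {_B64}
"""


def parse_ldif(text):
    """Minimal LDIF reader returning {dn: {attribute: [values]}}; handles
    folded continuation lines (leading space) and base64 ("::") values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip():
            current = None  # a blank line ends the entry
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def split_smtp(proxy_values):
    """Return (primary, [secondaries]) by prefix case; X400/X500 etc. are skipped."""
    primary, secondaries = None, []
    for value in proxy_values:
        prefix, sep, addr = value.partition(":")
        if sep and prefix == "SMTP":
            primary = addr
        elif sep and prefix == "smtp":
            secondaries.append(addr)
    return primary, secondaries


def users_with_secondaries(entries):
    """The query LDAP cannot express: DNs holding at least one smtp: value."""
    return sorted(dn for dn, attrs in entries.items()
                  if split_smtp(attrs.get("proxyAddresses", []))[1])


def set_primary(entry, new_primary):
    """Promote an existing secondary the way the thread says ADUC does: the old
    primary's prefix becomes smtp:, the chosen one SMTP:, and mail follows."""
    values = entry.get("proxyAddresses", [])
    if new_primary.lower() not in (a.lower() for a in split_smtp(values)[1]):
        raise ValueError(f"{new_primary} is not an existing secondary address")
    updated = []
    for value in values:
        prefix, _, addr = value.partition(":")
        if prefix == "SMTP":
            updated.append(f"smtp:{addr}")
        elif prefix == "smtp" and addr.lower() == new_primary.lower():
            updated.append(f"SMTP:{addr}")
        else:
            updated.append(value)
    entry["proxyAddresses"] = updated
    entry["mail"] = [split_smtp(updated)[0]]  # mail is single-valued
    return entry


ENTRIES = parse_ldif(SAMPLE_LDIF)
```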

RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-27 Thread Brian Desmond
AD subnets have nothing to do with how the WAN is actually routed. All they do 
is link an IP address to a site. If you don't have a blanket subnet as a last 
resort your DCs start filling their event logs with events about how clients 
are connecting from unknown subnets.

So what you do is you take your hub datacenter(s) and associate large supernets 
with the site objects (as big as 10.0.0.0/8 if appropriate). Then you associate 
the actual subnets with the sites where they're physically located.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
 Sent: Saturday, January 27, 2007 1:34 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

 I don't agree.
 The /24 is included in the /16.
 You won't have layer 3 routing between the two sites, at least from the
 primary to the secondary, even if it will work from a routing point of
 view
 from the secondary to the primary.

 What's the point?

 Regards,
 Mathieu CHATEAU
 http://lordoftheping.blogspot.com


 - Original Message -
 From: Brian Desmond [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Saturday, January 27, 2007 6:58 PM
 Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries


 OK well you don't need a layer 2 link to do what the OP wants...

 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]

 c - 312.731.3132


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:ActiveDir-
  [EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
  Sent: Saturday, January 27, 2007 12:53 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries
 
  Hi,
 
  I am coming from a network job, so I am used to sub/supernetting
  somehow
  :)
  Thanks anyway!
 
  Regards,
  Mathieu CHATEAU
  http://lordoftheping.blogspot.com
 
 
  - Original Message -
  From: Brian Desmond [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Saturday, January 27, 2007 6:47 PM
  Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries
 
 
  While your math is right you should look up supernetting and
 subnetting
  somewhere.
 
  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]
 
  c - 312.731.3132
 
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:ActiveDir-
   [EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
   Sent: Saturday, January 27, 2007 4:17 AM
   To: ActiveDir@mail.activedir.org
   Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries
  
   In my opinion, there is a pure TCP/IP network issue...
  
   A sample example:
   The DC is 10.10.0.1 with a netmask of 255.255.0.0 (/16 as
   indicated).
   If you try to ping 10.10.41.104, it will try to communicate on the
   LAN,
   seeking its ARP entry.
   It won't send packets to the gateway since 10.10.41.0 must be on the
   LAN.
  
   The only way to get it to work is to use a Layer 2 link between both
   sites.
  
  
   Regards,
   Mathieu CHATEAU
   http://lordoftheping.blogspot.com
  
  
   - Original Message -
   From: Almeida Pinto, Jorge de
  [EMAIL PROTECTED]
   To: ActiveDir@mail.activedir.org
   Sent: Friday, January 26, 2007 11:37 PM
   Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries
  
  
   It will go for the second site 10.10.41.0/24 (= best matching).
  
   Met vriendelijke groeten / Kind regards,
   Ing. Jorge de Almeida Pinto
   Senior Infrastructure Consultant
   MVP Windows Server - Directory Services
  
   LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
   Tel : +31-(0)40-29.57.777
   Mobile : +31-(0)6-26.26.62.80
   E-mail : see sender address
  
   
  
   From: [EMAIL PROTECTED] on behalf of Brian Cline
   Sent: Fri 2007-01-26 22:19
   To: ActiveDir@mail.activedir.org
   Subject: [ActiveDir] Overlapping AD Subnet Boundaries
  
  
  
   Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary
   site, and another subnet as 10.10.41.0/24 and assign it to a secondary
   site. Will AD treat a client address of, say, 10.10.41.104 as a client on
   the secondary site, or will it default to the more general primary subnet?
   The reason I ask is we now have a need for a second AD site (I can see all
   the enterprise folks grinning now) and we have quite a number of other
   subnets that I'd have to manually enter if this is not the case. I don't
   mind doing it, but I was curious either way.
  
   Brian Cline, Applications Developer
   Department of Information Technology
   GP Trucking Company, Inc.
   803.936.8595 Direct Line
   800.922.1147 Toll-Free (x8595)
   803.739.1176 Fax
  
  
  
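The longest-match behaviour Jorge and Brian describe, as an added example that is not from any poster: a small resolver over constructed subnet objects (site names and client addresses are assumptions) that picks the most specific subnet for an address, shows the /24 nesting inside the /16 that Mathieu points at, and flags addresses no subnet object covers, the case Brian says fills the DC event logs.

```python
"""
Resolve a client address to an AD site the way site-awareness does: the most
specific (longest-prefix) subnet object wins, so a /24 assigned to a branch
beats the hub's /16 catch-all, and an address covered by no subnet object is
reported as unknown (the case that fills DC event logs with warnings).
"""
from ipaddress import ip_address, ip_network

# Constructed sample subnet objects (prefix -> site name), as you would enter
# them in dssite.msc: the /8 and /16 are the hub's blanket supernets, the /24
# is the branch subnet carved out of them.
SUBNET_TO_SITE = {
    "10.0.0.0/8": "HubDatacenter",
    "10.10.0.0/16": "Primary",
    "10.10.41.0/24": "Secondary",
}


def build_table(mapping):
    """Parse the prefixes once and sort longest prefix first, so a linear scan
    returns the best (most specific) match on the first hit."""
    table = [(ip_network(prefix, strict=True), site) for prefix, site in mapping.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def resolve_site(addr, table):
    """Return (site, matching prefix) for addr, or (None, None) if no subnet
    object covers it."""
    ip = ip_address(addr)
    for net, site in table:
        if ip in net:
            return site, str(net)
    return None, None


def covering_supernet(table):
    """For each subnet object, the next less specific object that contains it
    (None for a top-level supernet): 10.10.41.0/24 sits inside 10.10.0.0/16,
    yet it still wins the match for its own addresses."""
    parents = {}
    for net, _site in table:
        parent = None
        for other, _ in table:
            if other.prefixlen < net.prefixlen and net.subnet_of(other):
                if parent is None or other.prefixlen > parent.prefixlen:
                    parent = other
        parents[str(net)] = None if parent is None else str(parent)
    return parents


def audit_clients(addrs, table):
    """Classify client addresses by resolved site; the 'unknown' list holds the
    addresses that would trigger the unknown-subnet events on a DC."""
    report = {"by_site": {}, "unknown": []}
    for addr in addrs:
        site, _prefix = resolve_site(addr, table)
        if site is None:
            report["unknown"].append(addr)
        else:
            report["by_site"].setdefault(site, []).append(addr)
    return report


TABLE = build_table(SUBNET_TO_SITE)

if __name__ == "__main__":
    # Constructed client addresses: one per subnet object plus one with none.
    for addr in ["10.10.41.104", "10.10.5.7", "10.200.1.1", "192.168.1.1"]:
        print(addr, "->", resolve_site(addr, TABLE))
    print(covering_supernet(TABLE))
    print(audit_clients(["10.10.41.104", "192.168.1.1"], TABLE))
```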

RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-26 Thread Brian Desmond
Yes. I have done this in organizations with hundreds of sites and a well 
designed subnetting scheme.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 4:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Overlapping AD Subnet Boundaries


Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, 
and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD 
treat a client address of, say, 10.10.41.104 as a client on the secondary site, 
or will it default to the more general primary subnet? The reason I ask is we 
now have a need for a second AD site (I can see all the enterprise folks 
grinning now) and we have quite a number of other subnets that I'd have to 
manually enter if this is not the case. I don't mind doing it, but I was 
curious either way.

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax


RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-26 Thread Brian Desmond
Chuck-

Unfortunately I think your reasoning is a bit short-sighted here. You can't 
make any of these assumptions without understanding the OP's environment with 
regard to both business and technical requirements.

A T1 is way more than enough for hundreds of PCs to go to a DC across the WAN. 
While a couple of MLPPP T1s might be nice it's certainly not necessary. Logon 
traffic isn't that heavy.

The number of users at a site is usually not the driver so much as the number 
of workstations. Workstations are the limiting factor - you can have 100 guys 
someplace but they might share 10 PCs.

The business requirement is a real simple question - if the WAN link goes down 
will business continue at this site? If not, adding a DC doesn't do anything 
but cost money - doesn't matter whether users can log on. With cached 
credentials even when the link does go down they'll still be able to logon to 
their usual PCs anyway.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, January 26, 2007 7:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

What I would be interested to find out is:

1.  What is the WAN link speed for the proposed 2nd AD site?
2.  How much free available bandwidth do you have between the two desired sites?
3.  How many users sit in the proposed 2nd AD site?

If you have a fast reliable WAN connection (like a pair of bonded T-1s or 
higher) between the 2 sites then perhaps you don't need the 2nd site.

I understand subnetting and it's possible to use a different subnet mask to 
achieve a separate subnet.  However, there should be a compelling reason that 
requires a second AD site before deploying it, as this might save you from 
making things more complex than required.

Regards,

Chuck


RE: [ActiveDir] adsiedit question

2007-01-23 Thread Brian Desmond
You shouldn't be doing this.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP
 Sent: Tuesday, January 23, 2007 5:59 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] adsiedit question

 I needed to move SystemMailboxes which won't move with the wizard.
 Somehow several were homed on one database and it caused event sink
 problems. This was the easiest method.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe,
 Deji
 Sent: Tuesday, January 23, 2007 4:44 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] adsiedit question

 Why are you using adsiedit to rehome a mailbox? Doesn't the move
 mailbox
 wizard work for your needs?


 Sincerely,
 Microsoft MVP - Directory Services
 www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today
 is the Tomorrow you were worried about Yesterday? -anon

 

 From: Condra, Jerry W Mr HP
 Sent: Tue 1/23/2007 1:59 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] adsiedit question


 Hi all
 I didn't OT this even though I'm making modifications to Exchange since
 the question seems to be adsiedit related and therefore related to AD.
 I'm trying to modify an attribute for a mailbox using adsiedit.
 Particularly I'm rehoming it's database by modifying the homeMDB
 attribute.

 The problem I'm running into is I'm getting an error stating "The name
 reference is invalid" when I try to apply the change. I've done this a
 few times but this is the first time I've run into this error. Google
 doesn't give enough info to determine the cause...or maybe it is and I
 just don't know enough about the response to see it... that never
 happens. ;-)

 If anyone can shed some light it would be greatly appreciated.

 Many thanks
 Jerry
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ma/default.aspx


RE: [ActiveDir] Remote DC's on Virtual Server

2007-01-20 Thread Brian Desmond
Read all of this sort of. I have a fairly simple opinion:

 

If you want to screw around, or do small scale virtualization, VS or
VMWare server - whatever makes you happy, they're about the same in a
datacenter.

 

If you want to go do all that money saving stuff, large scale lets buy
some gigantic servers on a SAN, drink the kool aid off the cover of
eweek, etc - go buy an esx license or two. 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Sunday, January 21, 2007 12:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

 

All indications to the contrary are likely due to insufficient
operational experience with the product - not an attack on anyone just a
statement based on my personal experience and interactions with others

Not at all, Ben. I can speak from both side of the aisle as far as
VMWare and VS are concerned, although my bias, to which I have already
confessed, plays a role in my dislike of VMWare. My dislike, though, is
driven largely based on the original (apples and oranges) statement to
which I responded. I have not disputed that VMWare is ahead of VS at
this present time. I have simply stipulated that the perceived gap is so
considerably narrowed now that dismissing VS as a non-starter is no
longer a technically sound or tenable position.

 

However, MS stated virtual machine support is the same regardless of
virtual environment provider.
This is just wrong. Please see
http://www.support.microsoft.com/kb/897615

 

You will also notice that my observation and opinion were based mostly
on where we are today on VS 2005 SP1 Beta 2. I do not dispute that
VMWare is superior, but at what cost? I disagree with your assertion
that ESX is easier to deploy and manage than VS - that just defies logic
(no offense). Not with the availability of System Center.  When you need
to provision a lab of, say, 20 servers running various OSes, and you are
under the gun to get it done, like 4 hours ago, on a piece of recycled
(Ebayed) hardware, ESX is not your friend.

 

I was afraid that this thread will go down the undesirable path of Us
vs Them, and I apologize for making it so. The point I'm trying to make
is that, if you are looking for a Virtualization solution, VS does NOT
stink one bit. Factor in the cost overlay, the deployment and
maintenance efforts, divide that by what EXACTLY you are looking for in
virtualization, then give VS a fair shake and not just go with the
popular VMWare Rules opinion. ESX may have been sexy a while back when
VS was truly ugly, but that is not the case today. VS is evolving, and
you may just be pleasantly surprised that it adequately meets your need
without breaking your bank and back.

 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

 



From: Bernard, Aric
Sent: Sat 1/20/2007 5:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

Other points to clear up...
 
MS supports VS2005 as it is their product.  However, MS stated virtual
machine support is the same regardless of virtual environment provider.
 
MS recently (more than a year ago?) made some changes to their licensing
model for virtual environments in terms of the Windows OS and how many
instances can be run given a single license.  This is applicable to any
virtual environment, not just VS2005.
 
In my role I am a supporter (technically, politically, and marketing) of
MS products.  However, from an Enterprise perspective (management and
operations) VMWare is generally regarded as the superior product for all
the reasons mentioned and more. VMWare is not difficult to implement and
operate as compared to VS2005 and from an enterprise perspective often
considered easier to manage given the wide range of tools available for
it.  All indications to the contrary are likely due to insufficient
operational experience with the product - not an attack on anyone just a
statement based on my personal experience and interactions with others.
 
That
 
 
Sent from my Windows Mobile device.
 
-Original Message-
From: Brett Shirley [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 1/20/07 3:28 PM
Subject: RE: [ActiveDir] Remote DC's on Virtual Server
 
 
Does anyone know if the vmware stuff, allows ba xxx w4 in the windows
debugger (obviously running on windows guest VM)?
 
ba xxx w4 = means break on address write w/in 4 bytes of the xxx, which

RE: [ActiveDir] OT: Apache LDAP authentication oddity

2007-01-19 Thread Brian Desmond
So you're describing searching for something and talking about
authentication. Which is it?

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Friday, January 19, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Apache LDAP authentication oddity

 

We have an application that is using an Apache server to do LDAP
authentications against our active directory.  (Yeah, I know; if only I
were king!  LOL!)  The application developer tells me that if he tries
doing an auth against our root base (dc=yyy,dc=zzz), the auth fails.  If
he uses a search base of ou=xxx,dc=yyy,dc=zzz, the auth works.  The
user account that is being tested is some OU levels below this.  He is
coding a subtree scope and he is filtering on (objectclass=user and
objectcategory=person).

 

It's like Apache needs to start at an OU structure.  I couldn't find
much on Google about this other than someone else was having the same
issue last Fall and just gave up in frustration.   The Apache
documentation I could find seemed to indicate that a search of
dc=yyy,dc=zzz SHOULD work.

 

Any thoughts/pointers are appreciated!  Thanks!

 

Mike Thommes



RE: [ActiveDir] OT: HARDWARE question. FILE SERVER VS ATTACHED STORAGE SOLUTION

2007-01-19 Thread Brian Desmond
Without knowing your requirements I can't tell you which of those is
something you want. They all have different applications...

I keep up to speed on hardware by specifying and installing it. I can
rattle off the right Compaq or Dell server model number given what
you're going to do with it. I'm pretty good with Cisco switches and
routers in that respect too. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Ramon Linan
 Sent: Friday, January 19, 2007 11:19 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: HARDWARE question. FILE SERVER VS ATTACHED
 STORAGE SOLUTION
 
 Hi,
 
 I have 2 questions.
 
 We need more storage space but we don't know if we should go with an
 attached storage solution (NAS, SAN, etc) or just get a big file
 server, can anyone tell me benefit and disadvantage of each one, or
 point me to URL with this info?
 
 Also, my hardware knowledge is very obsolete, how can I get up to speed
 in terms of hardware?
 
 
 Thanks all
 
 Rezuma


RE: [ActiveDir] Cisco VPN user authentication problem

2007-01-19 Thread Brian Desmond
Steve-

 

I don't understand your problem.

 

Is this an IAS issue with AD authentication? Is this a PIX config issue?
Is this just a screwed up laptop issue? I'm lost.

 

I wrote a couple articles on my blog (click the cisco category in the
tag cloud) specifically about integrating IOS and PIX with IAS/AD. Have
set it up for several people and it works fine.

 

IAS logs an event with a reason for failed auth every time it fails an
auth in the system log. You can enable aaa debugging on the PIX for info
there. Now I just read you have a VPN 3000 - never touched one - maybe
it has AAA debugging type stuff? 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan
(Temp)
Sent: Friday, January 19, 2007 5:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cisco VPN user authentication problem

 

Greetings, Brain Trust:

 

I've been troubleshooting a VPN access problem for about two days now
and have almost scratched a groove in my head - this one's a puzzler.

 

My boss has an IBM Lenovo T60 laptop that has the Cisco VPN client
software loaded into it.  It was working just fine up until the third
week of December, allowing her to use Dialup to get into our HQ domain
from her house.  When the logins failed, I thought it was due to crappy
dialup connection, since noise in the link will cause the VPN tunnel to
go down.

 

However, I just got her link at her house to go on wireless, and it
works just spiffy (11M up/down), and she still can't log on to the
domain with the VPN software.  The connection works just fine, she can
browse with no problem.  OWA works just fine.

 

Here's some of the troubleshooting I've done:

 

1)  reloaded the VPN software.

2)  Tried to have her log on from another machine.

3)  Changed the Group authentication (made a new one) just for her.

 

Nothing seems to work.  She logs in to the domain normally from her desk
at work using either the wireless in the laptop, or via the Ethernet
connection.  Anybody else can use her laptop to get in via the VPN, so
it's not the drivers or hardware.  Her problem is replicated from
ANYBODY's laptop utilizing the VPN software.  It's got to be her
account, which is why I think it's something screwed up in AD.

 

When I monitor her attempts to log into the VPN concentrator (a Cisco
3000), sometimes it says the IKE isn't working, sometimes it says
there's no domain (domain = {not specified}), sometimes it never talks
to the 3000 at all (according to the log and the way it comes right back
with the username/password request).

 

Want to get even more confused?  This problem started when she attempted
to change her password back to what it was - she went through the AD
administration on the primary AD box and got some kind of error.  Ever
since then, things just ain't the same.  I think something got scrambled
in her account.  We tried disabling her account for 5 minutes and then
re-enabling, but nothing's worked.

 

Where should I look to see if something's amiss?  I'm kinda stumped.

 

Steve Egan 

Systems/Network Engineer

 



RE: [ActiveDir] OT: Different default GALs for different groups

2007-01-18 Thread Brian Desmond
I did this for a school once.
 
Basically what you do is create a group for each GAL and put the folks in the 
groups, then you create GAL/ALs in System manager and filter on this group 
membership. Set the ACLs accordingly and deny access to the default GAL.
 
--brian



From: [EMAIL PROTECTED] on behalf of Jonathan Watts
Sent: Thu 1/18/2007 10:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Different default GALs for different groups



Hey list

 

I have been battling with the following issue for what feels like an age, but I 
can't seem to get it so I'm hoping someone here could provide a bit of 
inspiration for me:

 

As we are a secondary school (K-12 equivalent), I would like members of a 
particular group (namely staff) to have a different default GAL than another 
group (students) when opening Outlook. I am really stuck with this would 
appreciate any help I can get. Our environment is W2K3, Exc2K3 and Outlook2K3.

 

Thanks in advance

 

Jon Watts

St Catherine's School


RE: [ActiveDir] OT: Who needs that much ram anyway?

2007-01-16 Thread Brian Desmond
The more you can get in memory, the better. 32GB is the threshold for
Exchange before it stops making sense.

I've remoted into SQL servers with dozens of CPUs and dozens of gigs of
ram before...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz -
 SBS Rocks [MVP]
 Sent: Tuesday, January 16, 2007 4:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Who needs that much ram anyway?
 
 
   The Microsoft Exchange Information Store service stops responding on a
   computer that is running Windows Server 2003 and Exchange Server 2007
  
  http://support.microsoft.com/?kbid=928368
  
  This problem occurs if Exchange Server 2007 is installed on a computer
  that has more than 4 gigabytes (GB) of RAM.
 


RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)

2007-01-16 Thread Brian Desmond
On Cisco's you should be looking at a switchport level feature called
DHCP snooping.

ip helper-address does more than just forward DHCP packets just an FYI.

The term I use for the issue with the routers is that they're plugged in
backwards when someone gets the WAN and LAN confused. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Al Garrett
 Sent: Tuesday, January 16, 2007 11:29 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
 servers? (or how do you find it?)
 
 Not sure about other switch brands... we've been Cisco-centric for
 years.
 
 The command in Cisco IOS is ip helper-address x.x.x.x to tell DHCP
 packets where to go across VLANs... but
 
 This still doesn't prevent a rogue DHCP server from popping up on a
 VLAN. (Think about a Linksys wired/wireless router brought to work by a
 well-meaning but technically-challenged person and plugged into a local
 port in order to get wireless in their cubicle/office)
 
 Al
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Sent: Tuesday, January 16, 2007 6:14 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
 servers? (or how do you find it?)
 
 OTOH, I am wondering if it'd be possible to configure the routers so
 that they only allow DHCP OFFER/ACK/NACK from auth.
 
 In case you weren't sure - this is exactly what I was suggesting you
 consider, in my first post :)
 
 neil
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
 Sent: 16 January 2007 13:35
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
 servers? (or how do you find it?)
 
 Sorry for the delay on getting back on this, had a few things piled up
 after New Year's...
 
 You're right on the fact that routers isolating the VLANs limit the
 impact of this issue... The problem is that the idea is to
 re-configure routers to forward DHCP traffic, so that we get DHCP
 service on all VLANs from one/a few DHCP servers, instead of having to
 setup a DHCP server on each VLAN.
 
 Somebody suggested having a multi-homed DHCP server, with a leg on
 each VLAN, so that we get containment and DHCP service on every VLAN.
I
 don't know at the moment if that's possible (I have to check with the
 client, to see if their network topology has a hub where all VLANs
 come close).
 OTOH, I am wondering if it'd be possible to configure the routers so
 that they only allow DHCP OFFER/ACK/NACK from auth. DHCP servers
 (something similar to what we've done with the local filtering on the
 workstations)...
 We'd still have problems with a rogue DHCP server in a VLAN, but we
 wouldn't have to go the multi-homed server route...
 
 Thanks a lot for the input received so far. It's made me explore
 several
 options that I had not considered ;)
 
 As always, a pleasure.
 
   Javier
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED] Sent: Tuesday, 09 January 2007 9:35
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
 servers? (or how do you find it?)
 
 Your last statement is true but then if routers restrict BOOTP traffic
 as I describe, then the rogue DHCP server will only affect the VLAN on
 which it exists. At least that way, you've reduced the impact.
 
 neil
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
 Sent: 08 January 2007 17:24
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
 servers? (or how do you find it?)
 
 Hi, Neil!!
 
 That's another thing I'll have to look into :) I am aware that it's
 possible to do DHCP-proxy to pass along the DHCP requests to the proper
 servers.
 That's something that will have to be done, as the client's network is
 split in different VLAN segments, and in multiple locations/sites, and
 they'd like to have a reduced number of DHCP servers.
 
 But, useful and necessary as it is, this won't prevent a
 rogue/malicious
 DHCP server on the same LAN segment from playing havoc with the
 systems.
 
 Thanks for the heads-up though.
 
   Javier Jarava
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED] Sent: Monday, 08 January 2007 14:33
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP
 servers? (or how do you find it?)
 
 In addition to the below, routers can be configured to only forward
 BOOTP packets to/from 'authorised' DHCP servers.
 
 neil
 
 
 ___
 Neil Ruston
 Global
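
The thread above covers the problem (a rogue DHCP server on a VLAN, typically a home router plugged in with its LAN side facing the office) and two controls: ip helper-address to relay DHCP across VLANs and DHCP snooping on the switch port. As an added example, not from the thread or from Cisco, the stand-alone Python below shows the detection side that complements snooping: it parses BOOTP/DHCP payloads as a monitor on a mirror port would see them and flags any OFFER/ACK/NAK whose Server Identifier (option 54) is not on an allow-list of authorised servers. The authorised addresses and the packets it checks are constructed for the example.

```python
"""Added example (not from the thread): flag DHCP server replies that do not
come from an authorised server.

A collector fed from a mirror/SPAN port hands each DHCP UDP payload to
check_server_reply(); anything reported is a server answering clients that
the network team did not authorise. Addresses and packets are constructed.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"            # RFC 2132 magic cookie at offset 236
MSG_TYPE_NAMES = {2: "OFFER", 5: "ACK", 6: "NAK"}
AUTHORISED_SERVERS = {"10.0.0.10", "10.0.0.11"}  # assumed corporate DHCP servers


def parse_dhcp(payload):
    """Parse a BOOTP/DHCP payload into header fields and a dict of options."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, htype, hlen = struct.unpack_from("!BBB", payload, 0)
    xid = struct.unpack_from("!I", payload, 4)[0]
    yiaddr = ".".join(str(b) for b in payload[16:20])      # address being offered
    chaddr = payload[28:28 + hlen].hex(":")                 # client hardware address
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end of options
            break
        if i + 1 >= len(payload):
            return None          # truncated option header
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr, "options": options}


def check_server_reply(payload, authorised=AUTHORISED_SERVERS):
    """Return an alert dict for an unauthorised OFFER/ACK/NAK, else None."""
    msg = parse_dhcp(payload)
    if msg is None or msg["op"] != 2:        # op 2 = BOOTREPLY; client traffic is ignored
        return None
    mtype = msg["options"].get(53, b"\x00")[0]
    if mtype not in MSG_TYPE_NAMES:
        return None
    sid = msg["options"].get(54)
    server = ".".join(str(b) for b in sid) if sid and len(sid) == 4 else "unknown"
    if server in authorised:
        return None
    return {"type": MSG_TYPE_NAMES[mtype], "server": server, "offered": msg["yiaddr"],
            "client_mac": msg["chaddr"], "xid": msg["xid"]}


def build_reply(msg_type, server_ip, yiaddr, client_mac, xid=0x1234ABCD):
    """Construct a minimal DHCP server reply as test input (constructed data)."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0x8000)   # op, htype, hlen, hops, xid, secs, flags
    hdr += b"\x00" * 4 + ip(yiaddr) + ip(server_ip) + b"\x00" * 4  # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex(client_mac.replace(":", "")) + b"\x00" * 10  # chaddr (16 bytes)
    hdr += b"\x00" * 192                                            # sname + file
    opts = DHCP_MAGIC + bytes([53, 1, msg_type]) + bytes([54, 4]) + ip(server_ip) + b"\xff"
    return hdr + opts


# Constructed traffic: two legitimate replies and one from a home router on 192.168.1.1.
SAMPLE_TRAFFIC = [
    build_reply(2, "10.0.0.10", "10.0.5.20", "00:11:22:33:44:55"),
    build_reply(2, "192.168.1.1", "192.168.1.100", "00:11:22:33:44:66"),
    build_reply(5, "10.0.0.11", "10.0.5.21", "00:11:22:33:44:77"),
]


def find_rogue_replies(packets, authorised=AUTHORISED_SERVERS):
    """Run check_server_reply over a batch of payloads and collect the alerts."""
    return [a for a in (check_server_reply(p, authorised) for p in packets) if a]


if __name__ == "__main__":
    for alert in find_rogue_replies(SAMPLE_TRAFFIC):
        print("rogue DHCP", alert)
```

This only sees replies that reach the mirror port, so it is a way to find a rogue server and its victims (the offered address and client MAC give you something to chase), not a substitute for DHCP snooping, which is what actually stops the offers at the access port.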

RE: [ActiveDir] File replication setup problem

2007-01-15 Thread Brian Desmond
Steve-

 

Is the box running R2? You need to upgrade to schema v31 (r2) if so.

 

If not I tend to think your DNS is busted.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan
(Temp)
Sent: Monday, January 15, 2007 8:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] File replication setup problem

 

Howdy, Brain Trust:

 

I have two servers, one on Poland, the other in Sweden, that I want to
install FRS on (and later upgrade to DFS) so that I can back up these
remote location files locally on a high-speed offsite backup here in the
States.  I'm attempting to go slow and do a little bit at a time.

 

When I Run the New Replication Group Wizard and name the replication
group and hit Next, the following error happens:

company.com: The Active Directory schema on domain controller ftp
server.domain.com cannot be read.  This error might be caused by a
schema that has not been extended, or was extended improperly.  See Help
and Support Center for information about extending the Active Directory
schema.  A class schema object cannot be found.

 

I've tried and tried to extend the schema, the results are normal (no
errors), and still the AD schema is broken. It swears up and down that
it is a 2003 schema.  I can't install AD on the Sweden server because
something ain't right with it (schema), and now this.  I have two
servers running here in the states as DC's, and they both think they are
the top dog controller because whenever I try to do something like
this it tells me the schema is broken.  The FTP server and the mail
server are both set up as DC's, both have AD on them.  How do I tell one
of them that they are no longer the master?  Can I just delete (remove)
the AD schema from the ftp server and reinstall it without serious
breakage?  I'm not sure that a simple demote will do the trick. I'm
enough of a thumb-fingered idiot when it comes to AD that I live in fear
of really screwing the pooch if I do something like this - but I have to
get it solved somehow.

 

Somebody got a life preserver?

 

Steve Egan (temp)

Systems/Network Engineer

Occasional AD fumble-fingered idiot



RE: [ActiveDir] R2 Schema

2007-01-14 Thread Brian Desmond
I thought you needed the schema updates for the extra attributes for
pushing printers via GP.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, January 14, 2007 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] R2 Schema

 

(for those on the off chance interested in the SBS impact)

While SBS's r2 release does not give you the functionality of the real
R2 bits, to have DFSRv2 on member servers you have to bump the schema on
the SBS DC.
The only parts of the real r2 that SBS 2003 R2 gets is FSRM and MMC
3.0.

http://blogs.technet.com/sbs/archive/2006/02/28/420825.aspx
More tech details there.

The printer management console doesn't need a schema update that I
recall.. you just need the R2 install on that server.  I don't remember
(don't think) I did anything on my DC when I enabled the Printer
Management console on the member server.

Vinnie Cardona wrote: 

Excellent.  Thank you.

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Saturday, January 13, 2007 4:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema

 

the AD schema is (must be) extended with the R2 stuff when either:

* you want to install R2 on a DC

* you want to use R2 functionalities like DFS-R, PMC, UnixIDm, etc.

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

Tel : +31-(0)40-29.57.777

Mobile : +31-(0)6-26.26.62.80

E-mail  : see sender address

 



From: [EMAIL PROTECTED] on behalf of Vinnie Cardona
Sent: Sat 2007-01-13 06:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema

Thank you Jorge...I was just a bit puzzled by one of the lines in the
doc on the CD which states that the schema is only extended if you are
planning on installing W2K3r2 on a W2K3 DC.  I am still in the process
of reading up on W2K3r2 and DFS and thanks to you and Hunter which sent
me the link to the DFS requirements...I now understand more on the
requirements. 

 

Thank you all for your help.  Really do appreciate it.

 

-vC

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Friday, January 12, 2007 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema

 

although the file servers are R2 because of the use of DFS-R (new
replication mechanism), you MUST extend the AD schema so that the DFS-R
information can be stored in AD

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

Tel : +31-(0)40-29.57.777

Mobile : +31-(0)6-26.26.62.80

E-mail  : see sender address

 



From: [EMAIL PROTECTED] on behalf of Vinnie Cardona
Sent: Sat 2007-01-13 00:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema

Interesting.  I have a similar situation.  But in my case they want me to
roll out R2 on 10 of my W2K3sp1 file and print servers to take advantage of
DFS.  After reading the installation docs from the CD it appears to me that
I don't have to extend the schema because the servers I will be upgrading
are not DCs...would like a reassurance that this is indeed the case with the
community...

-many thanks



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Friday, January 12, 2007 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 Schema

I have a customer that is really pushing to have the R2 schema loaded in
our W2K3 SP1 environment.  The plan is to take advantage of the new DFS
extensions.

We don't have any plans to upgrade to R2 in the foreseeable future so
we'd basically be running W2K3 with the R2 schema for several months or
years.  Does anyone see any potential issues with that?

RE: [ActiveDir] R2 Schema

2007-01-12 Thread Brian Desmond
No. I've done numerous upgrades in this scenario. It takes like five
minutes.

There's a known issue someone here will/probably has commented on with
SFU I believe but other than that its good.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Friday, January 12, 2007 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 Schema

I have a customer that is really pushing to have the R2 schema loaded in
our W2K3 SP1 environment.  The plan is to take advantage of the new DFS
extensions.

We don't have any plans to upgrade to R2 in the foreseeable future so
we'd basically be running W2K3 with the R2 schema for several months or
years.  Does anyone see any potential issues with that?


RE: [ActiveDir] R2 Schema

2007-01-12 Thread Brian Desmond
DFSR, Printers, integrated SFU...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, January 12, 2007 5:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema

There shouldn't be a problem with running the R2 schema in an SP1
network.  As to what that buys you, maybe someone else can address
that??  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Friday, January 12, 2007 4:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 Schema

I have a customer that is really pushing to have the R2 schema loaded in
our W2K3 SP1 environment.  The plan is to take advantage of the new DFS
extensions.

We don't have any plans to upgrade to R2 in the foreseeable future so
we'd basically be running W2K3 with the R2 schema for several months or
years.  Does anyone see any potential issues with that?


RE: [ActiveDir] Way OT: Shared Folders snap-in columns

2007-01-11 Thread Brian Desmond
Office autorecover will write to the share fairly frequently...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Miller
Sent: Thursday, January 11, 2007 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Way OT: Shared Folders snap-in columns

I can't find an explanation and thought some of this august body might 
know or can point me to some resource...

When viewing sessions in the Shared Folders MMC snap-in for an AD member
file server, there is a column labeled Idle Time.

What events reset this timer?   I sometimes see very short idle times in
the wee hours of the morning when I'm pretty sure no human is at the 
client machine.

In the Computer column I see some machines listed by their NetBIOS name,
obviously from info in the AD integrated DDNS. Others are listed by 
their FQDN which is not related to the assigned NetBIOS name. This must 
be coming from the non-AD related, public DNS to which the AD DDNS 
refers inquiries for other domains. (The AD domain name and the public 
domain name are different.)  What might be different about the way these
machines were set up?

Just curious...

TIA,

-mjm



RE: [ActiveDir] Shares with Computer Account Permissions

2007-01-10 Thread Brian Desmond
No. This would only apply for things running in the context of the
computer account (e.g. services as SYSTEM or NETWORK SERVICE). When you
go \\server in explorer you connect as ben not
bensmachine...

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 09, 2007 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Shares with Computer Account Permissions

 

I was asked today whether it was possible to allow or deny access to
shares not just based on user accounts, but also upon computer accounts.
My immediate response was that I didn't think so.

 

So I tested it by simply creating a folder up on our file server, and
added the computer account for my workstation and denying it access
completely.  This made no difference to my permissions when trying to
access it from this workstation.

 

So my question is this, is there any way to design access permissions in
such a way so you could not only allow access to a share to a certain
security group, but also to this security group only when they are
accessing it on hosts that we have explicitly defined?

 

~Ben
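The behaviour Brian describes, worked through as an added illustration (not code from either post): Windows evaluates a share or folder DACL against the SIDs in the caller's access token. An interactive logon as ben carries ben's SID and group SIDs; the computer account BENSMACHINE$ only shows up in the token of code running as SYSTEM or NETWORK SERVICE when it reaches the server over the network. Every SID, name and access mask below is a constructed sample.

```python
"""Why a Deny ACE for a computer account does not touch an interactive user.

Added illustration for the exchange above; not code from the posts.
Every SID, name and right below is a constructed sample value.
"""
from dataclasses import dataclass

# constructed access rights (real masks are wider; two bits are enough here)
READ = 0x1
WRITE = 0x2

# constructed SIDs
BEN = "S-1-5-21-1000-2000-3000-1104"
DOMAIN_USERS = "S-1-5-21-1000-2000-3000-513"
DOMAIN_COMPUTERS = "S-1-5-21-1000-2000-3000-515"
BENSMACHINE = "S-1-5-21-1000-2000-3000-2201"   # BENSMACHINE$ computer account
AUTHENTICATED_USERS = "S-1-5-11"

# what each caller presents to the file server
INTERACTIVE_BEN = frozenset({BEN, DOMAIN_USERS, AUTHENTICATED_USERS})
SERVICE_ON_BENSMACHINE = frozenset({BENSMACHINE, DOMAIN_COMPUTERS, AUTHENTICATED_USERS})


@dataclass(frozen=True)
class Ace:
    kind: str   # "deny" or "allow"
    sid: str    # trustee
    mask: int   # rights this ACE covers


# Ben's test: an explicit Deny for the workstation's computer account,
# followed by the ordinary allows (canonical order puts denies first).
SHARE_DACL = [
    Ace("deny", BENSMACHINE, READ | WRITE),
    Ace("allow", DOMAIN_USERS, READ),
    Ace("allow", AUTHENTICATED_USERS, READ),
]


def check_access(dacl, token_sids, requested):
    """Simplified Windows DACL evaluation.

    ACEs are walked in order and only those naming a SID present in the
    token count. A Deny that overlaps any still-ungranted requested right
    fails the check immediately; Allows accumulate until every requested
    right is granted. An empty DACL grants nothing.
    """
    granted = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                       # ACE is for someone else: ignored
        outstanding = requested & ~granted
        if ace.kind == "deny" and ace.mask & outstanding:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return requested != 0 and granted == requested


def bens_experiment():
    """Reproduce the thread: the Deny on BENSMACHINE$ changes nothing for
    ben at the keyboard, but does block a service on that box that
    authenticates to the server as the computer account."""
    return {
        "ben_from_bensmachine": check_access(SHARE_DACL, INTERACTIVE_BEN, READ),
        "service_as_bensmachine$": check_access(SHARE_DACL, SERVICE_ON_BENSMACHINE, READ),
    }


if __name__ == "__main__":
    for who, ok in bens_experiment().items():
        print(f"{who}: {'granted' if ok else 'denied'}")
```

The evaluation stops at the first matching Deny for the service token and never sees the Deny at all for ben's token, which is exactly why the folder ACL looked unchanged from his workstation.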



RE: [ActiveDir] AD Schema - adding an attribute

2007-01-10 Thread Brian Desmond
It's an attribute of the user class.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Wednesday, January 10, 2007 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema - adding an attribute

Hi,

Thanks for the replies.
 
> birthDate already exists - can you take advantage of it?
Where would I find this? If it already exists I think I'd be better off
using that one.


Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, January 09, 2007 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema - adding an attribute

Well, first off - birthDate already exists - can you take advantage of
it?

Second you need to register a prefix and OID tree with Microsoft on
MSDN. This is how you will get a starting point for OIDs. You'll also
get a prefix so it would be ewu-birthMonth or something.

Don't use oidgen.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, January 09, 2007 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Schema - adding an attribute

How do I add an attribute to AD?

I'd like to add birthMonth, birthDay, birthYear to my Active Directory
Schema for extra data to store for my users.

Looking in MMC - Schema, I see I can add an attribute, but it wants an
Object ID (OID). I know there's a oidgen program somewhere (haven't
found it
yet). but is that the best way to do it?

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+






RE: [ActiveDir] AD Schema - adding an attribute

2007-01-10 Thread Brian Desmond
Yeah. Joe just emailed me too offlist - I seem to be hallucinating. I've
seen it in so many directories I guess I thought it was part of the
standard <g>. My suggestion is to keep birthDate in HR but you can
easily extend the schema to include it if you want.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Wednesday, January 10, 2007 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema - adding an attribute

I can't seem to find the birthDate attribute in any of my classes.

Looking in MMC-ActiveDirectorySchema.


Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 10, 2007 8:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema - adding an attribute

It's an attribute of the user class.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Wednesday, January 10, 2007 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema - adding an attribute

Hi,

Thanks for the replies.
 
> birthDate already exists - can you take advantage of it?
Where would I find this? If it already exists I think I'd be better off
using that one.


Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, January 09, 2007 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema - adding an attribute

Well, first off - birthDate already exists - can you take advantage of
it?

Second you need to register a prefix and OID tree with Microsoft on
MSDN. This is how you will get a starting point for OIDs. You'll also
get a prefix so it would be ewu-birthMonth or something.

Don't use oidgen.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, January 09, 2007 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Schema - adding an attribute

How do I add an attribute to AD?

I'd like to add birthMonth, birthDay, birthYear to my Active Directory
Schema for extra data to store for my users.

Looking in MMC - Schema, I see I can add an attribute, but it wants an
Object ID (OID). I know there's a oidgen program somewhere (haven't
found it
yet). but is that the best way to do it?

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+






RE: [ActiveDir] DNS Comments

2007-01-09 Thread Brian Desmond
This is not a dynamic zone at all. The AD domains are all already integrated 
and dynamic and working.

 

As far as the BIND merging, this is actually a bit of a cleanup/migration so 
it’s going to require some custom scripting more than anything.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wells, James 
Arthur
Sent: Monday, January 08, 2007 9:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Comments

 

If there are enough deltas that aren’t being made by Dynamic DNS, then I would 
suggest just looking into an IPAM solution like Infoblox or Bluecat.  Either 
one can provide a management interface and BIND server that can then be merged 
with your existing zone through a number of API options…

 

 

--James

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, January 08, 2007 8:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Comments

 

Integrated. They tell me they make a couple updates a day to the zone.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, January 08, 2007 7:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Comments

 

Weird name but they get good press.  I haven't tried them myself, but I've 
heard of them.  

 

Most of the others out there tend to want to take over the DNS vs. provide 
tools.  Personally, I'm a fan of setting it up well (design for success and all 
that) and using cli to manage so I haven't really researched after-market 
tools.  

 

One thing that comes to mind: is this going to be integrated or traditional 
zone with primary and secondary configurations? 

 

How much maintenance is expected?   

 

On 1/8/07, Brian Desmond [EMAIL PROTECTED] wrote: 

What a weird name – thanks for the link

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 08, 2007 7:33 PM 


To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Comments

 

I like these guys: http://www.miceandmen.com/

 

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, January 08, 2007 4:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Comments 

 

Well there hasn't been some sort of ruling on whether the existing BIND folks 
will get new tools or the AD team (which is very gui dependent) will take it 
over. 

 

Are there any commercial tools you'd recommend I look at as far as management 
goes?

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 07, 2007 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Comments 

 

Backup a second - how do you plan to manage the zones? 

 

I ask because this might be a good time to re-evaluate the metadata concept of 
the zones. 

 

In BIND you see that information because of the way you manage the zone.  In AD 
there is a different way to manage the zone information that doesn't include 
that information.  

 

If you decide to manage the zones the same way, then handle the comments the 
same way.  If you decide to go GUI (often a shock for a real BIND techie and 
often doesn't last long) then consider using a CMDB-type of mechanism to record 
the metadata. You may also consider some alternate tools to manage the DNS 
systems instead of the built in tools.  Performance is pretty rough with the 
included anyway so it's not like you won't consider it later :) 

 

This is a change in the way they do things.  It deserves a change in the way 
they are used to doing things. 

 

Al

 

On 1/5/07, Brian Desmond [EMAIL PROTECTED] wrote: 

Has anyone on this DL have experience with this problem?

 

I am working on potentially migrating numerous UNIX BIND zones to AD Integrated 
DNS. The BIND zones have various comments in them which go with the record. I 
believe the dnsNode class in AD supports a notes field or similar but the GUI 
doesn't. How do people manage metadata about their DNS zones? 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

 

 



RE: [ActiveDir] AD Schema - adding an attribute

2007-01-09 Thread Brian Desmond
Well, first off - birthDate already exists - can you take advantage of
it?

Second you need to register a prefix and OID tree with Microsoft on
MSDN. This is how you will get a starting point for OIDs. You'll also
get a prefix so it would be ewu-birthMonth or something.

Don't use oidgen.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, January 09, 2007 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Schema - adding an attribute

How do I add an attribute to AD?

I'd like to add birthMonth, birthDay, birthYear to my Active Directory
Schema for extra data to store for my users.

Looking in MMC - Schema, I see I can add an attribute, but it wants an
Object ID (OID). I know there's a oidgen program somewhere (haven't
found it
yet). but is that the best way to do it?

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+
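Brian's two points (get an OID arc and a prefix through Microsoft's registration rather than oidgen, then name the attributes prefix-style such as ewu-birthMonth) translate into a small LDIF generator. This is an added example, not code from the thread; BASE_OID, PREFIX and SCHEMA_NC are placeholders standing in for the values a real registration and a real forest would supply, and the attributeSyntax/oMSyntax pairs are the standard ones for Integer and Unicode String.

```python
"""Generate the LDIF for a schema extension under a registered OID arc.

Added example for the thread above; not code from the posts. BASE_OID,
PREFIX and SCHEMA_NC are placeholders, not real registrations.
"""
import re

BASE_OID = "1.3.6.1.4.1.99999.1"            # placeholder arc, NOT a registered OID
PREFIX = "ewu"                              # placeholder prefix (thread example: ewu-birthMonth)
SCHEMA_NC = "CN=Schema,CN=Configuration,DC=example,DC=edu"   # constructed forest

# attributeSyntax / oMSyntax pairs for the syntaxes used here
SYNTAXES = {
    "integer": ("2.5.5.9", 2),
    "unicode": ("2.5.5.12", 64),
}

OID_RE = re.compile(r"^\d+(\.\d+)+$")
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")


def oid_in_arc(oid, base=BASE_OID):
    """True only for a well-formed dotted OID strictly below the registered arc;
    this is the check that keeps a typo from landing in someone else's space."""
    return bool(OID_RE.match(oid)) and oid.startswith(base + ".")


def attribute_ldif(name, leaf, syntax, single_valued=True):
    """LDIF 'add' for one attributeSchema object. `name` is the bare name;
    the registered prefix is applied here so it cannot be forgotten."""
    if not NAME_RE.match(name):
        raise ValueError(f"bad attribute name: {name!r}")
    oid = f"{BASE_OID}.{leaf}"
    if not oid_in_arc(oid):
        raise ValueError(f"OID {oid} is not inside {BASE_OID}")
    attr_syntax, om_syntax = SYNTAXES[syntax]
    ldap_name = f"{PREFIX}-{name}"
    return "\n".join([
        f"dn: CN={ldap_name},{SCHEMA_NC}",
        "changetype: add",
        "objectClass: top",
        "objectClass: attributeSchema",
        f"cn: {ldap_name}",
        f"lDAPDisplayName: {ldap_name}",
        f"attributeID: {oid}",
        f"attributeSyntax: {attr_syntax}",
        f"oMSyntax: {om_syntax}",
        f"isSingleValued: {'TRUE' if single_valued else 'FALSE'}",
        "searchFlags: 0",
        "",
    ])


# The schema cache has to be reloaded before the new attributes can be
# referenced from a class; this is the standard RootDSE modify for that.
SCHEMA_UPDATE_NOW = "dn:\nchangetype: modify\nadd: schemaUpdateNow\nschemaUpdateNow: 1\n-\n"


def may_contain_ldif(class_cn, names):
    """LDIF 'modify' adding the new attributes as optional (mayContain)
    attributes of an existing class such as User."""
    lines = [f"dn: CN={class_cn},{SCHEMA_NC}", "changetype: modify", "add: mayContain"]
    lines += [f"mayContain: {PREFIX}-{n}" for n in names]
    lines += ["-", ""]
    return "\n".join(lines)


def extension_ldif(attributes, class_cn="User"):
    """Whole extension: every attribute, a cache reload, then the class change."""
    parts = [attribute_ldif(n, leaf, syn) for n, leaf, syn in attributes]
    parts.append(SCHEMA_UPDATE_NOW)
    parts.append(may_contain_ldif(class_cn, [n for n, _, _ in attributes]))
    parts.append(SCHEMA_UPDATE_NOW)
    return "\n".join(parts)


if __name__ == "__main__":
    print(extension_ldif([("birthMonth", 1, "integer"),
                          ("birthDay", 2, "integer"),
                          ("birthYear", 3, "integer")]))
```

Schema changes are forest-wide and irreversible (attributes can be defunct-ed but never deleted), so the generated LDIF is worth reviewing and applying against a lab forest first; the OID check in attribute_ldif is the one piece that catches an arc typo before it is permanent.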






RE: [ActiveDir] DNS Comments

2007-01-08 Thread Brian Desmond
Well there hasn’t been some sort of ruling on whether the existing BIND folks 
will get new tools or the AD team (which is very gui dependent) will take it 
over.

 

Are there any commercial tools you’d recommend I look at as far as management 
goes?

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 07, 2007 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Comments

 

Backup a second - how do you plan to manage the zones? 

 

I ask because this might be a good time to re-evaluate the metadata concept of 
the zones. 

 

In BIND you see that information because of the way you manage the zone.  In AD 
there is a different way to manage the zone information that doesn't include 
that information.  

 

If you decide to manage the zones the same way, then handle the comments the 
same way.  If you decide to go GUI (often a shock for a real BIND techie and 
often doesn't last long) then consider using a CMDB-type of mechanism to record 
the metadata. You may also consider some alternate tools to manage the DNS 
systems instead of the built in tools.  Performance is pretty rough with the 
included anyway so it's not like you won't consider it later :) 

 

This is a change in the way they do things.  It deserves a change in the way 
they are used to doing things. 

 

Al

 

On 1/5/07, Brian Desmond [EMAIL PROTECTED] wrote: 

Has anyone on this DL have experience with this problem?

 

I am working on potentially migrating numerous UNIX BIND zones to AD Integrated 
DNS. The BIND zones have various comments in them which go with the record. I 
believe the dnsNode class in AD supports a notes field or similar but the GUI 
doesn't. How do people manage metadata about their DNS zones? 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

 



RE: [ActiveDir] DNS Comments

2007-01-08 Thread Brian Desmond
Integrated. They tell me they make a couple updates a day to the zone.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, January 08, 2007 7:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Comments

 

Weird name but they get good press.  I haven't tried them myself, but I've 
heard of them.  

 

Most of the others out there tend to want to take over the DNS vs. provide 
tools.  Personally, I'm a fan of setting it up well (design for success and all 
that) and using cli to manage so I haven't really researched after-market 
tools.  

 

One thing that comes to mind: is this going to be integrated or traditional 
zone with primary and secondary configurations? 

 

How much maintenance is expected?   

 

On 1/8/07, Brian Desmond [EMAIL PROTECTED] wrote: 

What a weird name – thanks for the link

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 08, 2007 7:33 PM 


To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Comments

 

I like these guys: http://www.miceandmen.com/

 

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, January 08, 2007 4:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Comments 

 

Well there hasn't been some sort of ruling on whether the existing BIND folks 
will get new tools or the AD team (which is very gui dependent) will take it 
over. 

 

Are there any commercial tools you'd recommend I look at as far as management 
goes?

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 07, 2007 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Comments 

 

Backup a second - how do you plan to manage the zones? 

 

I ask because this might be a good time to re-evaluate the metadata concept of 
the zones. 

 

In BIND you see that information because of the way you manage the zone.  In AD 
there is a different way to manage the zone information that doesn't include 
that information.  

 

If you decide to manage the zones the same way, then handle the comments the 
same way.  If you decide to go GUI (often a shock for a real BIND techie and 
often doesn't last long) then consider using a CMDB-type of mechanism to record 
the metadata. You may also consider some alternate tools to manage the DNS 
systems instead of the built in tools.  Performance is pretty rough with the 
included anyway so it's not like you won't consider it later :) 

 

This is a change in the way they do things.  It deserves a change in the way 
they are used to doing things. 

 

Al

 

On 1/5/07, Brian Desmond [EMAIL PROTECTED] wrote: 

Has anyone on this DL have experience with this problem?

 

I am working on potentially migrating numerous UNIX BIND zones to AD Integrated 
DNS. The BIND zones have various comments in them which go with the record. I 
believe the dnsNode class in AD supports a notes field or similar but the GUI 
doesn't. How do people manage metadata about their DNS zones? 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

 

 



RE: [ActiveDir] AD Auditing and Change Control

2007-01-05 Thread Brian Desmond
Garrett-

 

You need something to process your event logs with. I have used MOM for
this as well as ACS (which never saw the light of day but will ship as
part of MOM2007). Quest and NetIQ (and possibly NetPRO) also all have
tools that can do this type of thing. I have used Ecora as well. It has
nice pretty reports and is priced at an affordable price point. I prefer
the MOM/ACS route mostly because I can play with the raw data to my
liking. 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mattingly,
Garrett
Sent: Friday, January 05, 2007 11:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Auditing and Change Control

 

Hi All,

I was asked if there was a way to find out all changes performed in AD
by a particular user account.  The person was wondering if there is an
AD attribute to query on to do this.  Natively I believe that event log
auditing is about the only way you can track this information natively
which is almost useless because the security log overwrites after a day
or so. As far as I know in AD you have a creation and modified date on
objects in AD but there is no "created by" or "modified by" attribute
that I am aware of.  I thought maybe object owner might be an attribute
but I did not see this listed in ADSIEdit.  

This is basically a "How can we find out what this guy is doing or did?"
problem.

Questions: Is this even possible with native tools?  Are there
recommended 3rd party tools that could do this?  I've heard of something
called ECORA Auditor Pro, anybody use this?

Thanks,

Garrett
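Brian's answer boils down to "collect the event logs somewhere and query them"; here is what that query looks like once the events are off the DCs. This is an added example, not code from the posts or from any of the products named. The records are constructed samples in the shape of Directory Service Changes events (event ID 5136 on Windows Server 2008 and later; Server 2003 uses different IDs), where one attribute modification arrives as a "Value Deleted" and a "Value Added" event sharing a correlation ID. The WATCHED_ATTRIBUTES list is an example policy, not something from the thread.

```python
"""Reconstruct what one account changed in AD from collected audit events.

Added example for the thread above; not code from the posts or from any
product named in it. EVENTS is constructed sample data.
"""
from collections import OrderedDict

EVENTS = [  # constructed sample events, already forwarded off the DCs
    {"time": "2007-01-04T09:12:03Z", "dc": "DC01", "event_id": 5136,
     "subject": "EXAMPLE\\jdoe", "correlation": "{c-1}",
     "object": "CN=Jane Roe,OU=Staff,DC=example,DC=com",
     "attribute": "telephoneNumber", "operation": "Value Deleted", "value": "555-0100"},
    {"time": "2007-01-04T09:12:03Z", "dc": "DC01", "event_id": 5136,
     "subject": "EXAMPLE\\jdoe", "correlation": "{c-1}",
     "object": "CN=Jane Roe,OU=Staff,DC=example,DC=com",
     "attribute": "telephoneNumber", "operation": "Value Added", "value": "555-0199"},
    {"time": "2007-01-04T09:15:40Z", "dc": "DC02", "event_id": 5136,
     "subject": "EXAMPLE\\jdoe", "correlation": "{c-2}",
     "object": "CN=Domain Admins,CN=Users,DC=example,DC=com",
     "attribute": "member", "operation": "Value Added",
     "value": "CN=Svc Backup,OU=Service,DC=example,DC=com"},
    {"time": "2007-01-04T10:02:11Z", "dc": "DC01", "event_id": 5136,
     "subject": "EXAMPLE\\asmith", "correlation": "{c-3}",
     "object": "CN=Jane Roe,OU=Staff,DC=example,DC=com",
     "attribute": "description", "operation": "Value Added", "value": "Payroll"},
]

# example policy (not from the thread): attributes whose change deserves a second look
WATCHED_ATTRIBUTES = {"member", "userAccountControl", "servicePrincipalName",
                      "msDS-AllowedToDelegateTo"}


def summarize(events, subject):
    """Collapse the delete/add pairs for `subject` into one row per change,
    in time order. Events from every DC are merged, since a change is only
    logged on the DC that took the write."""
    rows = OrderedDict()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 5136 or ev["subject"].lower() != subject.lower():
            continue
        key = (ev["correlation"], ev["object"], ev["attribute"])
        row = rows.setdefault(key, {"time": ev["time"], "dc": ev["dc"],
                                    "object": ev["object"], "attribute": ev["attribute"],
                                    "before": None, "after": None})
        if ev["operation"] == "Value Deleted":
            row["before"] = ev["value"]
        elif ev["operation"] == "Value Added":
            row["after"] = ev["value"]
    return list(rows.values())


def watched(rows):
    """Rows that touched an attribute on the watch list."""
    return [r for r in rows if r["attribute"] in WATCHED_ATTRIBUTES]


def describe(row):
    """One human-readable line per change."""
    if row["before"] is None:
        return f"{row['time']} {row['object']}: {row['attribute']} += {row['after']!r}"
    if row["after"] is None:
        return f"{row['time']} {row['object']}: {row['attribute']} -= {row['before']!r}"
    return (f"{row['time']} {row['object']}: {row['attribute']} "
            f"{row['before']!r} -> {row['after']!r}")


if __name__ == "__main__":
    for row in summarize(EVENTS, "EXAMPLE\\jdoe"):
        flag = "  <-- watched" if row in watched([row]) else ""
        print(describe(row) + flag)
```

The query is only as good as the retention behind it: with a Security log that rolls over in a day, anything not forwarded by the collector is gone, which is why the answer to "what did this account do last month" has to come from a central store rather than from the DCs themselves.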



RE: [ActiveDir] ADFind help

2007-01-05 Thread Brian Desmond
Set your filter to (proxyAddresses=smtp*) to get all the smtp addresses.
Just do * for stuff like x400 also.

Adfind -b ou=myou,dc=mydomain,dc=com -f (proxyAddresses=*)

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Friday, January 05, 2007 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADFind help

Hello, colleagues,

I'm sorry to have to ask this, but I can't figure out how to get this
information for a particular client. She wants a list of all the primary
email addresses and their secondary email addresses (aliases) for a
particular OU in Active Directory. This OU is named FND, and it is at
the top of mydomain.mydepartment.local. It has sub-OU's as well.

I figure ADFind will do the job, but I just am not familiar enough with
the tool to get the information out.

Can somebody help me? 

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876


[ActiveDir] DNS Comments

2007-01-05 Thread Brian Desmond
Has anyone on this DL have experience with this problem?

 

I am working on potentially migrating numerous UNIX BIND zones to AD
Integrated DNS. The BIND zones have various comments in them which go
with the record. I believe the dnsNode class in AD supports a notes
field or similar but the GUI doesn't. How do people manage metadata
about their DNS zones?

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132
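The custom scripting this migration calls for starts with getting the comments out of the BIND files with the record they belong to. The parser below is an added example (not code from the thread); the zone text is constructed. It handles the things such a script has to get right: $ORIGIN and $TTL, relative owner names, an omitted owner that inherits the previous one, optional TTL and class fields, a multi-line parenthesised SOA with a comment per line, a ';' inside a quoted TXT string that is data rather than a comment, and parentheses inside a comment that must not be taken as record syntax. The `name` field is what the record would be called as an AD dnsNode ("@" for the apex).

```python
"""Extract per-record comments from a BIND zone file ahead of a migration.

Added example for the DNS Comments thread; not code from the posts.
ZONE is constructed sample data.
"""
import re

ZONE = """\
$ORIGIN example.com.
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2007010501 ; serial, bumped by change #4411
        7200       ; refresh
        900        ; retry
        1209600    ; expire
        3600 )     ; minimum
    IN NS  ns1.example.com.
ns1      IN A   10.0.0.2   ; primary resolver, rack B3
www      IN A   10.0.0.5   ; web front end, owner: web team
         IN A   10.0.0.6   ; second front end (load balanced)
old-www  600 IN CNAME www  ; decommission after Q1 migration
_sip._tcp 300 IN SRV 10 5 5060 sip.example.com.
info     IN TXT "contact; see wiki page DNS/Zones" ; note the ';' inside quotes
"""

TOKEN_RE = re.compile(r'"[^"]*"|\S+')   # quoted strings stay one token
CLASSES = {"IN", "CH", "HS"}


def split_comment(line):
    """Split at the first ';' that is outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i], line[i + 1:].strip()
    return line, ""


def qualify(name, origin):
    """Turn a zone-file owner into a fully qualified name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def relative_name(fqdn, origin):
    """The name an AD dnsNode would carry: '@' for the apex, else the
    labels with the zone stripped."""
    return "@" if fqdn == origin else fqdn[: -len(origin) - 1]


def parse_zone(text):
    origin, default_ttl, last_owner = "", None, None
    records, logical, comments, depth = [], "", [], 0
    for raw in text.splitlines():
        code, comment = split_comment(raw)
        if comment:
            comments.append(comment)
        logical += code + " "
        depth += code.count("(") - code.count(")")   # comment text already removed
        if depth > 0:
            continue                                  # still inside ( ... )
        line, logical = logical, ""
        tokens = TOKEN_RE.findall(line)
        if not tokens:
            continue        # blank or comment-only line: its comment carries to the next record
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        rec_comments, comments = comments, []
        if line[0].isspace():
            owner = last_owner                        # owner omitted: same as previous record
        else:
            owner = qualify(tokens.pop(0), origin)
        ttl = default_ttl
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            if tokens[0].isdigit():
                ttl = int(tokens[0])
            tokens.pop(0)
        rtype = tokens[0].upper()
        rdata = [t for t in tokens[1:] if t not in ("(", ")")]
        records.append({"owner": owner, "name": relative_name(owner, origin),
                        "ttl": ttl, "type": rtype, "rdata": " ".join(rdata),
                        "comment": "; ".join(rec_comments)})
        last_owner = owner
    return records


if __name__ == "__main__":
    for r in parse_zone(ZONE):
        print(f"{r['name']:<10} {r['ttl']:>7} {r['type']:<5} {r['rdata']:<50} ; {r['comment']}")
```

Once each record carries its comment as a field, the migration can write it wherever the destination keeps metadata (a CMDB as Al suggests, or a sidecar file keyed by node name and type) without the comment ever being silently dropped.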

 



RE: [ActiveDir] ADFind help

2007-01-05 Thread Brian Desmond
Do you have such a feature that combines ou=myou with whatever
searchroot -default resolves? It occurred to me today that that would
save a lot of typing. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, January 06, 2007 12:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind help

Yep that will do it.

It can be further refined. :)

I put in a special shortcut for this specific case

adfind -b ou=myou,dc=mydomain,dc=com -sc exchaddresses

If you just want the SMTP addresses, I.E. you don't care about X400
addresses which is most people, you can do the following:

adfind -b ou=myou,dc=mydomain,dc=com -sc exchaddresses:smtp

Which will only display SMTP addresses from proxyAddresses. The filter
below will only return objects with SMTP addresses but it will still
display any other types of addresses in the proxyaddresses attribute
such as X400, SIP, X500, SNADS, etc. 

For the curious that expands out to the following switches/args:

Selected Switches
-b ou=myou,dc=mydomain,dc=com
-f (&(mailnickname=*)(proxyaddresses=smtp*))
-gc
-mvfilter proxyaddresses=smtp

Selected Attributes
proxyAddresses


I am planning on releasing a new version of AdFind (V01.35.00) in the
next day or three (may even upload it tonight still if I don't run out
of gas). It has a couple bug fixes around the ACL output and some
additional ACL options. 

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, January 05, 2007 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind help

Set your filter to (proxyAddresses=smtp*) to get all the smtp addresses.
Just do * for stuff like x400 also.

Adfind -b ou=myou,dc=mydomain,dc=com -f (proxyAddresses=*)

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Friday, January 05, 2007 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADFind help

Hello, colleagues,

I'm sorry to have to ask this, but I can't figure out how to get this
information for a particular client. She wants a list of all the primary
email addresses and their secondary email addresses (aliases) for a
particular OU in Active Directory. This OU is named FND, and it is at
the top of mydomain.mydepartment.local. It has sub-OU's as well.

I figure ADFind will do the job, but I just am not familiar enough with
the tool to get the information out.

Can somebody help me? 

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
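The distinction joe draws (the filter decides which objects come back, the multi-value filter decides which proxyAddresses values are displayed) is easy to see in a few lines. This is an added example, not ADFind's code; the entries are constructed. It also shows the detail the original request depends on: LDAP substring matching on proxyAddresses is case-insensitive, so "smtp*" matches both the primary address (which Exchange writes with an upper-case "SMTP:" prefix) and the secondaries ("smtp:"), and the case of the prefix is how the two are told apart.

```python
"""What the ADFind filters in this thread select, and what -mvfilter trims.

Added example for the thread above; not ADFind's code. ENTRIES is
constructed sample data.
"""
import re

ENTRIES = [  # constructed directory entries
    {"dn": "CN=User One,OU=FND,DC=example,DC=org",
     "mailNickname": ["uone"],
     "proxyAddresses": ["SMTP:user.one@example.org",
                        "smtp:uone@example.org",
                        "smtp:user.one@old.example.org",
                        "X400:c=US;a= ;p=Example;o=Exchange;s=One;g=User;"]},
    {"dn": "CN=Room 101,OU=FND,DC=example,DC=org",
     "mailNickname": ["room101"],
     "proxyAddresses": ["X500:/o=Example/ou=First/cn=Recipients/cn=room101"]},
    {"dn": "CN=Stale Contact,OU=Archive,OU=FND,DC=example,DC=org",
     "proxyAddresses": ["SMTP:stale@example.org"]},   # no mailNickname
    {"dn": "CN=Svc Backup,OU=FND,DC=example,DC=org"},  # no addresses at all
]


def ldap_match(value, pattern):
    """LDAP '*' wildcard match, case-insensitive like AD's Unicode-string rules."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def has_match(entry, attribute, pattern):
    """(attribute=pattern): true if any value of the attribute matches."""
    return any(ldap_match(v, pattern) for v in entry.get(attribute, []))


def filter_any_address(entry):
    """(proxyAddresses=*) from Brian's reply: any address type at all."""
    return has_match(entry, "proxyAddresses", "*")


def filter_smtp(entry):
    """The two clauses joe lists, ANDed: a mailNickname plus at least one
    SMTP address. Objects with only X400/X500 addresses drop out."""
    return (has_match(entry, "mailNickname", "*")
            and has_match(entry, "proxyAddresses", "smtp*"))


def mvfilter(entry, attribute, prefix):
    """-mvfilter attribute=prefix: show only the values starting with prefix."""
    return [v for v in entry.get(attribute, []) if v.lower().startswith(prefix.lower())]


def primary_and_aliases(entry):
    """Split the SMTP values by case: exactly one upper-case SMTP: primary."""
    values = mvfilter(entry, "proxyAddresses", "smtp:")
    primary = [v[5:] for v in values if v.startswith("SMTP:")]
    aliases = [v[5:] for v in values if v.startswith("smtp:")]
    if len(primary) != 1:
        raise ValueError(f"{entry['dn']}: expected one primary SMTP address, found {len(primary)}")
    return primary[0], aliases


def report(entries):
    """The list the client asked for: primary plus aliases per matching object."""
    return {e["dn"]: primary_and_aliases(e) for e in entries if filter_smtp(e)}


if __name__ == "__main__":
    for dn, (primary, aliases) in report(ENTRIES).items():
        print(f"{dn}\n  primary: {primary}\n  aliases: {', '.join(aliases) or '(none)'}")
```

The ValueError in primary_and_aliases is deliberate: an object with zero or two "SMTP:" values is a data problem worth surfacing rather than silently reporting the first one.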


RE: [ActiveDir] NTP Client Software

2007-01-03 Thread Brian Desmond
Pool.ntp.org is what you want to point to ideally.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, January 03, 2007 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTP Client Software

I'm assuming you have a mixed environment... granted I'm small...but 
I've not found the built in time sync to not sync once the DC has been 
properly pointed and the ports are open on the firewall properly.

I've read somewhere (need to google this) that some of the military time 
servers that we used to sync with are no longer externally sync-able.
http://support.microsoft.com/kb/314054
http://support.microsoft.com/kb/816042/


Ken Cornetet wrote:
> http://ntp.isc.org/bin/view/Main/ExternalTimeRelatedLinks
>
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Dan Smith
> *Sent:* Wednesday, January 03, 2007 8:53 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* [ActiveDir] NTP Client Software
>
> Hello
>
> Wonder if anyone out there has any NTP client software
> recommendations? We need to keep some clients within 1-2 sec’s of our
> stratum 1 timeserver and Windows Time simply does not cut it.
>
> Any suggestions would be much appreciated.
>
> Dan


RE: [ActiveDir] OT: Sorta... AD and the 3/07 Time Change

2006-12-31 Thread Brian Desmond
Hi Richard-

 

The time sync process is just going to set the actual time (think UTC)
not the timezone. If the client thinks it is GMT-5 then it will set the
time accordingly. 

 

Given the rochester.rr address - U of R or RIT? 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Kline
Sent: Sunday, December 31, 2006 2:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Sorta... AD and the 3/07 Time Change

 

This question addresses the March '07 Daylight Saving time change in
the US and Canada (has Mexico joined in?).

 

I work for an institute of higher learning where the policies (human,
not domain) get a little...  unevenly suggested.  So please grant me
some leniency as to why this question is even asked :)

 

Does belonging to a domain with properly configured time synchronization
lessen the concern for applying the XP patches as they relate to the
March 2007 time change?  Or the need to take special care with Windows
2000 workstations?

 

In other words, will AD sync the PC clock on Windows 2000 workstations
to the correct hour during next March's leap ahead?

 

Speaking of time:  Happy New Year to Everyone!

 

Thank you.

 

Richard
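Brian's point, worked through as an added illustration (not code from the posts): time synchronisation hands the client the correct UTC instant, and the hour it displays comes from its own DST rules. Both US rule sets are encoded below, so the same synced instant can be rendered the way a patched client and an unpatched client would show it. US Eastern (UTC-5 standard, UTC-4 daylight) is assumed for the offsets.

```python
"""Synced UTC plus stale time-zone rules still gives the wrong local hour.

Added illustration for the thread above; not code from the posts.
US Eastern offsets are assumed.
"""
from datetime import datetime, timedelta

STD_OFFSET = timedelta(hours=-5)   # assumption: US Eastern standard time
DST_OFFSET = timedelta(hours=-4)   # assumption: US Eastern daylight time


def nth_sunday(year, month, n):
    first = datetime(year, month, 1)
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
    return first_sunday + timedelta(weeks=n - 1)


def last_sunday(year, month):
    next_month = datetime(year + (1 if month == 12 else 0), month % 12 + 1, 1)
    last = next_month - timedelta(days=1)
    return last - timedelta(days=(last.weekday() + 1) % 7)


def dst_window_utc(year, rules):
    """DST start and end as UTC instants. Transitions are at 02:00 local:
    02:00 EST is 07:00 UTC, 02:00 EDT is 06:00 UTC."""
    if rules == "2007":        # rules in force from March 2007
        start, end = nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)
    elif rules == "pre2007":   # what an unpatched client still believes
        start, end = nth_sunday(year, 4, 1), last_sunday(year, 10)
    else:
        raise ValueError(rules)
    return start + timedelta(hours=2) - STD_OFFSET, end + timedelta(hours=2) - DST_OFFSET


def to_local(utc, rules):
    """Wall-clock time and zone abbreviation a client using `rules` displays
    for a correctly synced UTC instant."""
    start, end = dst_window_utc(utc.year, rules)
    if start <= utc < end:
        return utc + DST_OFFSET, "EDT"
    return utc + STD_OFFSET, "EST"


def compare(utc):
    """What a patched and an unpatched client show for the same synced instant."""
    return {"patched": to_local(utc, "2007"), "unpatched": to_local(utc, "pre2007")}


def disagreement_days(year):
    """Days on which the two rule sets give different local hours."""
    day, count = datetime(year, 1, 1, 12), 0
    while day.year == year:
        if to_local(day, "2007")[1] != to_local(day, "pre2007")[1]:
            count += 1
        day += timedelta(days=1)
    return count


if __name__ == "__main__":
    for utc in (datetime(2007, 3, 15, 12), datetime(2007, 7, 1, 12), datetime(2007, 11, 1, 12)):
        shown = compare(utc)
        print(f"{utc:%Y-%m-%d %H:%M} UTC -> patched {shown['patched'][0]:%H:%M} {shown['patched'][1]}, "
              f"unpatched {shown['unpatched'][0]:%H:%M} {shown['unpatched'][1]}")
    print("days the two disagree in 2007:", disagreement_days(2007))
```

For 2007 the two rule sets disagree on 28 days (the three weeks after the second Sunday in March and the week before the first Sunday in November), and on every one of them a perfectly synced but unpatched workstation shows an hour that is off by one; the sync process has no way to know, because the UTC value it set is correct.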



[ActiveDir] OT MOM 2005 Install

2006-12-29 Thread Brian Desmond
Is there someone who has a MOM 2005 SP1 install and access to the SQL
server it's on that could ping me offlist? I don't have access to my
VMWare environment and I need the create script for a couple things. 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 



RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread Brian Desmond
It's in the book and his book's website - I was feeling lazy the other
day and copied it verbatim to make a password reset page rather than
look up the line of code I couldn't remember. Worked great.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, December 22, 2006 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

 

Good ol .NET. :)

 

Honestly you can probably throw a pretty simple ASP.NET app together to
do this. Doubt there is a reason to buy anything and then when it dorks
up you can fix on your own. JoeK probably has this code on a web site
somewhere.

 

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 

 

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Friday, December 22, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

We use a product called rDirectory and the Reset Password function has
suddenly sporadically stopped working throwing what appear to be .net
errors.

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

 

In our case, I simply modified the security permissions on the OU
containing our user accounts to provide a granular delegation of rights
so the members of this security group can go into ADUC and unlock user
accounts or reset/change passwords only.  I modified various read/write
property rights as well as reset password and change password rights.

 

Besides modifying ACLs, what other methods of delegating password reset
functions were you referring to?

 



From: [EMAIL PROTECTED] on behalf of Salandra, Justin
A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated
password reset functions to your helpdesks.  We have a product that does
this but it is continually having problems and want to know if there are
any other ways.

 

Justin A. Salandra

MCSE Windows 2000 and 2003

Network and Technology Services Manager

Catholic Health Care System

646.505.3681

cell 917.455.0110

[EMAIL PROTECTED]
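The two operations this thread is about, a delegated reset and a user's own change, as the LDAP modifications a client sends. This is an added example, not code from the posts or from the book joe mentions. AD takes a password through the unicodePwd attribute, as the password wrapped in double quotes and encoded UTF-16LE, and only over an encrypted connection (LDAPS or TLS). A reset (what a helpdesk with the delegated Reset Password right does; no old password needed) is a single replace; a change (the user; the old password is required) is a delete of the old value plus an add of the new one in the same modify, which is what lets the DC check the old one. No directory is contacted; the functions return what would be sent and which control access right the DC evaluates for it.

```python
"""Pure-LDAP password reset and change against AD, as modify operations.

Added example for the thread above; not code from the posts or the book.
Nothing here opens a connection; the functions build what would be sent.
"""

# control access rights the DC checks, identified by their schema rightsGuid
RESET_PASSWORD_RIGHT = "00299570-246d-11d0-a768-00aa006e0529"    # User-Force-Change-Password
CHANGE_PASSWORD_RIGHT = "ab721a53-1e2f-11d0-9819-00aa0040529b"   # User-Change-Password


def encode_unicode_pwd(password):
    """unicodePwd wire form: the password in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(raw):
    """Inverse of encode_unicode_pwd, rejecting an unquoted value."""
    text = raw.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not quoted")
    return text[1:-1]


def transport_ok(uri, start_tls=False):
    """AD refuses unicodePwd writes on a clear-text connection."""
    return uri.lower().startswith("ldaps://") or start_tls


def reset_modification(new_password):
    """Administrative reset: one replace, old password not needed."""
    return [("replace", "unicodePwd", [encode_unicode_pwd(new_password)])]


def change_modification(old_password, new_password):
    """User self-service change: delete old, add new, in one modify."""
    return [("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
            ("add", "unicodePwd", [encode_unicode_pwd(new_password)])]


def required_right(mods):
    """Which control access right the DC evaluates for a modify list."""
    ops = [op for op, _, _ in mods]
    if ops == ["replace"]:
        return RESET_PASSWORD_RIGHT
    if ops == ["delete", "add"]:
        return CHANGE_PASSWORD_RIGHT
    raise ValueError(f"unrecognised unicodePwd modification: {ops}")


def build_reset(uri, user_dn, new_password):
    """The request a helpdesk page would issue, refusing clear-text transport."""
    if not transport_ok(uri):
        raise ValueError("unicodePwd must be written over LDAPS/TLS")
    mods = reset_modification(new_password)
    return {"uri": uri, "dn": user_dn, "changes": mods, "right_checked": required_right(mods)}


if __name__ == "__main__":
    req = build_reset("ldaps://dc01.example.com", "CN=User One,OU=Staff,DC=example,DC=com",
                      "N3w-Passw0rd")   # constructed values
    print(req["dn"], req["changes"][0][0], req["right_checked"])
```

The delegation Ben describes (reset and change rights on the OU) maps directly onto the two GUIDs above: a helpdesk group holding only User-Force-Change-Password can issue the replace form but not impersonate the delete/add form on a user's behalf without the old password, and a user holding only User-Change-Password cannot issue the replace at all.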

 



RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread Brian Desmond
A lot of companies don't have someone with your skill set to write it so
they think it's cheaper to buy stuff every time than to employ a decent
dev or two. It adds up over time but they still don't get it. There's
also the companies who have tons of devs and they're all clueless.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Saturday, December 23, 2006 12:02 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate Password Resets

This is definitely something I've written a few times.  I actually don't
have a stand alone ASP.NET page that does this, as I tend to write ASP.NET
apps that are a bit more architected and have stuff implemented in
different layers to help facilitate reuse and testability, so the actual
LDAP code would be in a different DLL and the page would be a very thin
facade.

However, the complete code samples from our book would make a nice
foundation for building a page to do this.  We also cover the reasons why
ADSI SetPassword and ChangePassword can be so tricky to deal with in our
book in ch 10 (which is a free download from www.directoryprogramming.net).
We also have a pure LDAP approach in our book that successfully avoids most
of these problems, but it requires .NET 2.0 (hopefully not a big issue for
most people these days).

I agree that buying a program to do this seems a little crazy to me, but
I'm also a good developer, so a lot of things that seem easy to me might
not be easy to other people.

Joe K.

- Original Message - 
From: joe
To: ActiveDir@mail.activedir.org
Sent: Friday, December 22, 2006 11:34 AM
Subject: RE: [ActiveDir] Delegate Password Resets


Good ol .NET. :)

Honestly you can probably throw a pretty simple ASP.NET app together to do
this. Doubt there is a reason to buy anything and then when it dorks up you
can fix on your own. JoeK probably has this code on a web site somewhere.

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm






From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Friday, December 22, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets


We use a product called rDirectory and the Reset Password function has
suddenly, sporadically stopped working, throwing what appear to be .NET
errors.




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

In our case, I simply modified the security permissions on the OU
containing our user accounts to provide a granular delegation of rights so
the members of this security group can go into ADUC and unlock user
accounts or reset/change passwords only.  I modified various read/write
property rights as well as reset password and change password rights.

Besides modifying ACLs, what other methods of delegating password reset
functions were you referring to?




From: [EMAIL PROTECTED] on behalf of Salandra, Justin
A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets
I wanted to find out from all of you what ways you have delegated password
reset functions to your helpdesks.  We have a product that does this but
it is continually having problems and want to know if there are any other
ways.

Justin A. Salandra
MCSE Windows 2000 and 2003
Network and Technology Services Manager
Catholic Health Care System
646.505.3681
cell 917.455.0110
[EMAIL PROTECTED]
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


RE: [ActiveDir] Delegate Password Resets

2006-12-21 Thread Brian Desmond
I gave a 500K seat org helpdesk a copy of ADUC and the same rights as
below and it worked like a charm. Not pretty but cheap and functional.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

 

In our case, I simply modified the security permissions on the OU
containing our user accounts to provide a granular delegation of rights
so the members of this security group can go into ADUC and unlock user
accounts or reset/change passwords only.  I modified various read/write
property rights as well as reset password and change password rights.

 

Besides modifying ACLs, what other methods of delegating password reset
functions were you referring to?

 



From: [EMAIL PROTECTED] on behalf of Salandra, Justin
A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated
password reset functions to your helpdesks.  We have a product that does
this but it is continually having problems and want to know if there are
any other ways.

 

Justin A. Salandra

MCSE Windows 2000 and 2003

Network and Technology Services Manager

Catholic Health Care System

646.505.3681

cell 917.455.0110

[EMAIL PROTECTED]

 



RE: [ActiveDir] OT:TechNet Magazine Active Directory Component Jigsaw Poster:

2006-12-20 Thread Brian Desmond
Talk to your account team if you want one (or more) ... one of my
accounts they were giving them away. 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, December 20, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT:TechNet Magazine Active Directory Component
Jigsaw Poster:

 


Very cool but you'd have to have one heck of a printer (plotter or
similar) to equal the one that came with the dead tree version =) 

Thanks, 
Andrew Fidel 



From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 12/19/2006 08:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:TechNet Magazine Active Directory Component Jigsaw Poster:

Download details: TechNet Magazine Active Directory Component Jigsaw Poster:
http://www.microsoft.com/downloads/details.aspx?familyid=c236336d-ab43-44b1-ad6f-a2f668fb8c02&displaylang=en


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/



RE: [ActiveDir] Schema Extension Question

2006-12-19 Thread Brian Desmond
It should be fine with normal credentials.

Why are you so scared of SP1 or a schema extension? Neither of them are
going to end the world...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Rocky Habeeb
 Sent: Tuesday, December 19, 2006 8:41 AM
 To: activedir@mail.activedir.org
 Subject: [ActiveDir] Schema Extension Question
 
 Guys (and Gals)
 
 I am far from an LDAP expert and we have not modified our Windows 2003
 FFL Schema at all.  I don't even have SP1 running as I am just still a
 little gunshy about it.  But now me and my network engineer are under
 heavy pressure to move our POP3 email clients to a server-centric web
 based model that will allow internet access to email.
 
 So my network engineer and *nix expert is testing a *nix based program to
 do that.  We are having trouble with it connecting to AD to authenticate
 users because it is popping errors that state "I can't find the Schema
 extensions".  He is chasing that and I'm not really happy about modifying
 the schema, if indeed we end up having to do that, but here is my
 question.
 
 Will this app need an elevated credential (Domain or Enterprise Admin) to
 simply LDAP query the AD from this *nix box to get usernames or passwords,
 or can it be done without that power?  I know you don't know the app, but
 the question is a generic one relative to *nix boxes querying an AD.
 
 Thanks in advance.
 
 RH
 
 _
 
 Rocky Habeeb
 Microsoft Systems Administrator
 James W. Sewall Company
 Old Town, Maine
 Voice: 207.827.4456  Ext. 387
 Email: [EMAIL PROTECTED]
 www.jws.com
 _
 
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] OT: Group Restrictions

2006-12-19 Thread Brian Desmond
No. Limit who can send to it to people who aren't stupid. 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, December 19, 2006 4:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Group Restrictions

 

Not sure if this is possible, but in the Exchange General tab of a
Distribution group, I am able to restrict messages from certain
individuals.  Is it possible to restrict people from sending mail to
that group using the To: or Cc: field?  I only want them to use BCC:.
Reason is, I want to prevent people from replying ALL to Distribution
Groups that contains members of the whole company.

 

-Devon 

 






RE: [ActiveDir] ADfind to find locked accounts

2006-12-19 Thread Brian Desmond
Search for lockoutTime>0.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, December 19, 2006 5:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADfind to find locked accounts

 

I'm using a bitwise filter to search for locked accounts using ADFind.

 

I have one particular account, a service account, that is locked out and
also has Password No Expire set.

 

In ADFind it comes up as such...

 

C:\tools>adfind -default -bit -f samaccountname=servaccount -alldc useraccountcontrol

 

AdFind V01.33.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006

 

Transformed Filter: samaccountname=servaccount

Using server: dc.appsig.com:389

Directory: Windows 2000

Base DN: DC=appsig,DC=com

 

dn:CN=servaccount,OU=APSG SvcAccounts,DC=appsig,DC=com

userAccountControl: 66048 [NORMAL_USER(512);NO_EXPIRE(65536)]

 

Why does the userAccountControl read as 512+65536 only?  Shouldn't it be
512 (Normal User) + 16 (Locked Out) + 65536 (No Expire) = 66064?

 

In fact, I cannot even find this account when searching for locked
accounts via ADFind.  The only reason I realized it was locked out was
because I also used Joe's Unlock utility to search for all locked
accounts and it returned this account as part of the search.  

 

C:\tools>unlock . * -view

 

Unlock V02.01.00cpp Joe Richards ([EMAIL PROTECTED]) August 2004

 

Processed at dc.appsig.com

Default Naming Context: DC=appsig,DC=com

 

1: servaccount12/15/2006-10:52:45 LOCKED   VIEW_ONLY

 

 

I'm probably just missing something here, but was hoping for some
clarification.

 

Thanks,

~Ben
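
The thread above shows a locked-out service account whose userAccountControl is 512+65536 with no LOCKOUT (16) bit, which is why a bitwise userAccountControl search misses it and why the answer is to search lockoutTime>0. The Python below is an added example, not code from the thread or from ADFind: it decodes userAccountControl, evaluates lockoutTime against the domain's lockoutDuration (the DC does not zero lockoutTime when the lockout window lapses, so lockoutTime>0 finds candidates rather than currently locked accounts), and builds the matching LDAP filter. The sample account, its timestamps and the INT64_MIN "until an admin unlocks" sentinel are assumptions.

```python
"""Decode userAccountControl and evaluate Active Directory lockout state.

Added example. The LOCKOUT bit (16) is not written into userAccountControl
when a DC locks an account; the lock is recorded in lockoutTime. On Windows
Server 2003 and later the constructed attribute
msDS-User-Account-Control-Computed does report the bit, but the portable
search is lockoutTime>0. All sample values below are constructed.
"""
from datetime import datetime, timedelta, timezone

# ADS_UF_* bits of userAccountControl (the subset relevant to this thread).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumption: a lockoutDuration of INT64_MIN encodes "locked until an
# administrator unlocks" (the GPO setting of 0).
LOCKOUT_UNTIL_ADMIN_UNLOCKS = -(2 ** 63)
THIRTY_MINUTES = -18_000_000_000  # a 30-minute lockoutDuration in 100-ns ticks


def decode_uac(value: int) -> list[str]:
    """Expand a userAccountControl integer into its set flag names, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, exact to the microsecond."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_locked_out(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """Return True if an account with this lockoutTime is locked at `now`.

    lockoutTime is 0 for an account that is not (or no longer) locked, but the
    DC does not reset it when the lockout window lapses, so a non-zero value has
    to be compared with the domain's lockoutDuration (a negative 100-ns interval).
    """
    if lockout_time == 0:
        return False
    if lockout_duration == LOCKOUT_UNTIL_ADMIN_UNLOCKS:
        return True
    window = timedelta(microseconds=(-lockout_duration) // 10)
    return now < filetime_to_datetime(lockout_time) + window


def locked_account_filter() -> str:
    """LDAP filter for the lockoutTime>0 search (candidates; confirm with is_locked_out)."""
    return "(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))"


# Constructed sample mirroring the thread: a service account with a
# non-expiring password, locked out, whose userAccountControl is
# 66048 = 512 + 65536 and carries no LOCKOUT bit.
LOCKED_AT = datetime(2006, 12, 15, 10, 52, 45, tzinfo=timezone.utc)
SAMPLE_ACCOUNT = {
    "sAMAccountName": "servaccount",
    "userAccountControl": 66048,
    "lockoutTime": datetime_to_filetime(LOCKED_AT),
}


def sample_locked_after(minutes: int, lockout_duration: int = THIRTY_MINUTES) -> bool:
    """Evaluate the sample account `minutes` after it was locked."""
    now = LOCKED_AT + timedelta(minutes=minutes)
    return is_locked_out(SAMPLE_ACCOUNT["lockoutTime"], lockout_duration, now)


if __name__ == "__main__":
    print("userAccountControl flags:", decode_uac(SAMPLE_ACCOUNT["userAccountControl"]))
    print("locked at:", filetime_to_datetime(SAMPLE_ACCOUNT["lockoutTime"]))
    print("still locked 10 min later:", sample_locked_after(10))
    print("still locked 40 min later:", sample_locked_after(40))
    print("search filter:", locked_account_filter())
```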



RE: [ActiveDir] Redirecting MyDocs without Offline folder sync

2006-12-18 Thread Brian Desmond
Right click the share and goto the sharing tab and disable offline
files/sync'ing...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: Monday, December 18, 2006 11:34 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Redirecting MyDocs without Offline folder sync
 
 So I'm trying to set up a new policy that will redirect my users' My
 Documents directory, but I don't want the offline folder sync to happen
 when they log out of their workstations. Anyone know what setting I need
 to change in order to make this happen?
 
 Thanks
 -Chris
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] AD Reports

2006-12-18 Thread Brian Desmond
I usually use Joe's ADFIND tool, Excel, and SQL. Occasionally I would replace 
adfind with a simple .net app if I need some logic as part of the data 
collection process. 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alberto Oviedo
Sent: Monday, December 18, 2006 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Reports

 

What's the best AD reporting tool? My boss wants a report of all the users who
are allowed to send and receive Internet Mail in Exchange 2003. I can go and
check user by user but we have over 500 users.



RE: [ActiveDir] Automatic user disable based on criteria

2006-12-18 Thread Brian Desmond
If whenCreated > 7 days and pwdLastSet = 0 then they haven't logged in
yet...

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Monday, December 18, 2006 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Automatic user disable based on criteria

 

Hi All,

 

DFL & FFL : Win2k-Native

DCs : Win2k3-SP1

 

User accounts are automatically provisioned as enabled with Change
Password at Next logon. And management wants to disable new accounts
which have not logged into domain within next 7 days of creation. And
they want it to happen automatically. 

 

I have a problem at hand as I can't use LastLogonTimeStamp since the DFL
doesn't support it. I can't connect to each DC and search for lastLogon as
the number of DCs is too large, and I can't go by whenChanged, as that is a
generic attribute which could get changed for any other attribute also.

 

Any other attribute would help me?

 

Currently LDAP filter checks for account created on specific day (say
current day - 7) and whose Change Password at next logon is still
ticked i.e. pwdlastset=0

 

But this doesn't take care of the scenario where users are created on that
same day (current - 7) and logged into the network, changed their password,
but around the time of running the script had forgotten their password and
the helpdesk had reset their password and set Change Password at next
logon.

 

I hope I am not confusing you all. :-)

 

I know, simple solution would be to change criteria to say 15 days,
raise DFL and use LLTS, but I am taking this as a scripting challenge at
Win2k-native DFL.

 

Hey joe, is there a way to see replication meta data using adfind? ;-)

If yes, I could take a peek at originating date/time for attributes.


-- 

Kamlesh
~
You teach best what you most need to learn.
~ 



RE: [ActiveDir] Redirecting MyDocs without Offline folder sync

2006-12-18 Thread Brian Desmond
On the actual share, not through DFS goto the properties of it and the
sharing tab. There's a button towards the bottom that controls this.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: Monday, December 18, 2006 1:36 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Redirecting MyDocs without Offline folder
sync
 
 I guess I forgot to mention that this is a share via DFS. I couldn't
 find the setting to turn that off.
 
 -Chris
 
 
 
  Right click the share and goto the sharing tab and disable offline
  files/sync'ing...
 
  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]
 
  c - 312.731.3132
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:ActiveDir-
  [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Monday, December 18, 2006 11:34 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Redirecting MyDocs without Offline folder sync
 
  So I'm trying to set up a new policy that will redirect my users
My
  Documents directory, but I don't want the off line folder sync to
  happen
  when they log out of their workstations. Anyone know what setting I
  need
  to change in order to make this happen?
 
  Thanks
  -Chris
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive:
  http://www.mail-archive.com/activedir@mail.activedir.org/
 
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Strange Lock Out Issue

2006-12-18 Thread Brian Desmond
Eventcombmt the DCs for whatever the lockout ID is also works. 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Monday, December 18, 2006 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange Lock Out Issue

 

Download the Account Lockout and Management Tools from Microsoft.  More
specifically, from the downloaded EXE, extract the LockoutStatus.EXE
file and use it to query for the user account that is having issues.

 

It will tell you how many bad password attempts have been made, what
time/date the lockout occurred, and on what DC.  Furthermore, you can
directly manage the Domain Controller from the tool and pull up the
event viewer to look for the security entry pointing you to the source
of the bad credentials.

 

It's always worked like a charm for me when dealing with issues like
these.

 

Good luck,

~Ben

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, December 18, 2006 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Strange Lock Out Issue

 

I have a user, who is not logged in anywhere else, and while surfing the
web or access a program is getting locked out of her account for no
reason.  I have checked the logs on all three domain controllers and
nothing is showing a failed logon attempt or bad password.  It doesn't
even show when the account got locked.  Any ideas on how to rectify
this?

 

Justin A. Salandra

MCSE Windows 2000 & 2003

Network and Technology Services Manager

Catholic Healthcare System

646.505.3681 - office

917.455.0110 - cell

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 

 



RE: [ActiveDir] AdminSDHolder orphans

2006-12-18 Thread Brian Desmond
Yeah this caused me issues when I was at a large client which had this
propensity to put everyone and their brother into a group that
triggered this behavior. What I would do is dump everyone with
admincount>0, then set admincount=0 on all of them, wait a bit, and see
who was back to >0 and then fix the deltas.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Tony Murray
 Sent: Monday, December 18, 2006 8:32 PM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] AdminSDHolder orphans
 
 
 Just wanted to get your opinion on something.
 
 When an object becomes a member of one of the groups protected by the
 AdminSDHolder, the next run of the SDProp thread will:
 
 * Replace the object's security descriptor with that of the
 AdminSDHolder;
 * Disable permissions inheritance on the object;
 * Set a new adminCount attribute with a value > 0 on the object.
 
 If the object is then removed from the protected group(s), the changes
 made by the AdminSDHolder are not reversed.  In other words, the
 adminCount value remains the same, as does the security descriptor.
 
 Is it just me or does anyone think this behaviour a little strange?
 What I am finding in many environments is a large number of these
 "AdminSDHolder orphans".  These can arise quite easily, e.g. an account
 is made a temporary member of a privileged group to perform a specific
 task or someone changes role within the organisation.  Of course I
 realise that in a perfect world these scenarios would be minimised by
 the use of dual accounts for splitting standard vs. admin functions,
 but the reality is that it is all too common.
 
 The AdminSDHolder orphans can cause problems when troubleshooting
 delegation issues.  For example, I came across this issue recently when
 setting up permissions for GAL Sync using IIFP.  I had to tidy up
 before the sync would complete without errors.
 
 Does anyone run a regular cleanup using the script provided in this
 article (or similar)?
 
 http://support.microsoft.com/kb/817433
 
 Do you think the AdminSDHolder behaviour should be changed to clean-up
 after itself?
 
 Tony
 
 
 
 
 
 Sent via the WebMail system at mail.activedir.org
 
 
 
 
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
http://www.mail-archive.com/activedir@mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
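
Tony's description and Brian's reply together give a procedure: SDProp stamps adminCount and blocks inheritance on every transitive member of a protected group and never reverts it, so an orphan is an object still stamped but no longer a member. The Python below is an added example, not code from the thread or from the KB 817433 script: it models that behaviour on a constructed in-memory directory and shows both ways of finding orphans, direct membership evaluation and Brian's clear-adminCount-and-wait delta, then applies the cleanup. The DNs, group names and the deliberately partial protected-group list are constructed.

```python
"""Model AdminSDHolder/SDProp stamping and find the orphans it leaves behind.

Added example. SDProp copies the AdminSDHolder security descriptor onto every
transitive member of a protected group, blocks inheritance and sets
adminCount, and never reverts any of it when membership ends. The protected
group list here is deliberately partial and, like the directory, constructed.
"""
from dataclasses import dataclass, field

PROTECTED_GROUPS = {"Domain Admins", "Account Operators"}  # constructed, partial


@dataclass
class DirObject:
    dn: str
    member_of: set = field(default_factory=set)  # direct group memberships (by name)
    admin_count: int = 0
    inheritance_blocked: bool = False


def transitive_groups(obj: DirObject, groups: dict) -> set:
    """All group names reachable from obj through nested membership."""
    seen, pending = set(), list(obj.member_of)
    while pending:
        name = pending.pop()
        if name in seen:
            continue
        seen.add(name)
        if name in groups:
            pending.extend(groups[name].member_of)
    return seen


def run_sdprop(objects, groups, protected=PROTECTED_GROUPS) -> None:
    """One SDProp pass (by default every 60 minutes): stamp protected members, revert nothing."""
    for obj in objects:
        if transitive_groups(obj, groups) & protected:
            obj.admin_count = 1
            obj.inheritance_blocked = True


def find_orphans(objects, groups, protected=PROTECTED_GROUPS) -> list:
    """Direct check: stamped objects no longer transitive members of any protected group."""
    return [o for o in objects
            if o.admin_count > 0 and not (transitive_groups(o, groups) & protected)]


def find_orphans_by_delta(objects, groups, protected=PROTECTED_GROUPS) -> list:
    """Brian's method: clear adminCount on every stamped object, let SDProp run,
    and treat whatever it does not re-stamp as an orphan. Needs no knowledge of
    the protected-group list or of nesting; here run_sdprop stands in for the wait."""
    candidates = [o for o in objects if o.admin_count > 0]
    for o in candidates:
        o.admin_count = 0
    run_sdprop(objects, groups, protected)
    return [o for o in candidates if o.admin_count == 0]


def clean_orphans(orphans) -> list:
    """Undo SDProp's changes on orphans (what the KB 817433 script does); return their DNs."""
    for o in orphans:
        o.admin_count = 0
        o.inheritance_blocked = False
    return [o.dn for o in orphans]


def demo() -> dict:
    """Constructed scenario: a nested admin, a temporary Account Operator, an ordinary user."""
    groups = {
        "Domain Admins": DirObject("CN=Domain Admins,CN=Users,DC=example,DC=com"),
        "Tier0-Ops": DirObject("CN=Tier0-Ops,OU=Groups,DC=example,DC=com",
                               member_of={"Domain Admins"}),
        "Helpdesk": DirObject("CN=Helpdesk,OU=Groups,DC=example,DC=com"),
    }
    alice = DirObject("CN=alice,OU=Users,DC=example,DC=com", member_of={"Tier0-Ops"})
    bob = DirObject("CN=bob,OU=Users,DC=example,DC=com", member_of={"Account Operators"})
    carol = DirObject("CN=carol,OU=Users,DC=example,DC=com", member_of={"Helpdesk"})
    users = [alice, bob, carol]

    run_sdprop(users, groups)                    # alice and bob get stamped
    bob.member_of.discard("Account Operators")   # temporary task finished
    run_sdprop(users, groups)                    # bob keeps adminCount=1 and blocked inheritance

    stamped = [u.dn for u in users if u.admin_count > 0]
    direct = [o.dn for o in find_orphans(users, groups)]
    by_delta = find_orphans_by_delta(users, groups)
    cleaned = clean_orphans(by_delta)
    return {"stamped": stamped, "direct": direct,
            "by_delta": [o.dn for o in by_delta], "cleaned": cleaned,
            "still_blocked": [u.dn for u in users if u.inheritance_blocked]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```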


RE: [ActiveDir] Vista GPO

2006-12-16 Thread Brian Desmond
Oddly enough I was on a concall with MS the other day and one of the
accounts mentioned he was rolling out a 3K seat Vista upgrade in March.
Sad they already had vendor commitments for application fixes and
everything. I was pretty surprised. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of joe
 Sent: Saturday, December 16, 2006 6:24 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Vista GPO
 
 I don't know of anyone officially moving to Vista any time soon. Folks
 are playing with it; usually IT folks are just looking to get the latest
 and greatest to feel cool, they don't generally really and truly need any
 of the features. Several places I have heard with any kind of plans are
 talking 2008 soonest for Vista and Office 2007.
 
 I was chatting with some other folks about this recently and I expect a
 lot of companies will find the migration to Vista to be even more
 difficult than their migration from Win9x to NT based technology. At least
 with NT technology you usually had a bunch of people that had a lot of NT
 knowledge already and could leverage it, or could go out into the
 newsgroups and find folks who have been running NT stuff in production for
 years and years. You don't really have that with Vista (and Longhorn) and
 the changes are sufficient enough that it will break quite a few things. I
 am not saying that is bad necessarily; that is what everyone started
 screaming for when they said MSFT wasn't secure enough. Now people will
 get to find out what that really means... I know quite a few developers
 who are hopping mad over a lot of the changes and some are even more
 concerned over where code signing is going, etc. Especially folks with low
 priced or free software that they make available, because if code signing
 becomes absolutely required, you have to pay for that as a
 developer/company.
 
 Anyway, my thoughts are that there will be quite a few companies with
 custom mechanisms for managing things that they have developed over the
 years that will all completely fail or nearly completely fail with Vista
 and will have to be reworked or outright replaced, which could take a lot
 of time. This doesn't even start to get into the realm of just plain old
 line of business apps.
 
 Don't get me wrong, some leading edge people will move fast and take the
 black eyes and bloodied noses in stride; most folks though I expect to
 follow the old "wait for SP1" rule and then wait even longer as they
 realize it isn't a simple forklift of the binaries. I wouldn't be surprised
 to see most large companies deploying Longhorn heavily into production
 before Vista even.
 
joe
 
 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan
Bradley,
 CPA
 aka Ebitz - SBS Rocks [MVP]
 Sent: Friday, December 15, 2006 8:32 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Vista GPO
 
 (as a bystander here .. I personally like the point/counterpoints.. just
 sometimes we need to realize that we lose ...what?  About 60% of
 communication via email? And adjust accordingly okay?  Can we hug and
 make up?)
 
 Pogue's Posts - Technology - New York Times Blog:
 http://pogue.blogs.nytimes.com/2006/12/14/14pogue-email-2/
 
 Granted I'm little... but are you guys really and truly rolling out
 Vista in other than Lab settings anyway?  I'm getting hit over the head
 on a daily basis by vendors who are saying "Wait".
 
 My two benchmarks of when I can say I'm somewhat business ready on
 Vista is when the ISA firewall client that supports Vista ships (it did
 earlier this week) and when Trend isn't offering up beta versions as the
 only ones that will run on Vista.
 
 Are you guys really and truly rolling these suckers out on production
 boxes?
 
 Don't geeks adapt anyway?  (We may not read... but we adapt right?)
 
 This is slightly incorrect...but the fact is SQL 2005 express officially
 needs sp2 to run on Vista
 
 http://money.cnn.com/2006/12/14/magazines/business2/microsoft_vista.biz2/index.htm?cnn=yes
 
 *Wait Until after Tax Time? *Note that Intuit's tax software divisions
 are recommending that their users wait until after tax season to make
 any move to Windows Vista. These notices are posted for both Lacerte
 Professional Tax Software
 http://recp.proadvisors.intuit.com/ctt?kn=18m=399604r=MzE0NTkxNTExOQS2b=0j=NzQzNjgzNDcS1mt=1
 and ProSeries Professional Tax Software
 http://recp.proadvisors.intuit.com/ctt?kn=21m=399604r=MzE0NTkxNTExOQS2b=0j=NzQzNjgzNDcS1mt=1.
 
 *Prudence Suggested for QuickBooks Users Too.* Windows Vista holds much
 promise for significant improvements in security and functionality.
 However, Intuit suggests the decision to upgrade to Windows Vista be
 approached carefully, for two reasons

RE: [ActiveDir] Send As(OT)

2006-12-16 Thread Brian Desmond
I have a recollection of being able to send from a DL though I haven't
been an Exchange admin in 6+ months so I may be thinking of something
else. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of joe
 Sent: Saturday, December 16, 2006 7:56 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Send As(OT)
 
 In Exchange nothing comes from the DL, it comes from the user who sent to
 the DL. I believe you cannot in actuality send from a DL because a DL is
 an alias, not a mailbox.
 
 I could easily be wrong not being an Exchange guy but I don't expect I
 am.
 
 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Tuesday, December 05, 2006 6:12 PM
 To: activedirectory
 Subject: [ActiveDir] Send As(OT)
 
 I have given a user "Send As" perm directly on a universal distribution
 group in AD.
 However, whenever this user selects the group from the GAL in the From:
 field of Outlook 2k3 and attempts to send an email as that group, he gets
 an error of "You do not have the permission to send the message on behalf
 of the specified user."
 
 The group is NOT nested in any of the AdminSDHolder protected groups.
 The user has been given send as perms directly on the UDG. He is in no
 groups with explicit denys.
 I have also tried giving my account send as perms to the group and I get
 the same error.
 I have waited over 24hrs so it's also not an info store cache/replication
 issue.
 
 I'm running exchange 2k3 sp2 with the latest hotfixes (including the send
 as one) in a win2k3 forest (win2k3 FFL/DFL).
 
 Any ideas would be great.
 
 Thanks for your time.
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] AB Views Export/Import

2006-12-16 Thread Brian Desmond
No I think he wants a GALSync type thing...

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, December 16, 2006 8:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AB Views Export/Import

 

Hey Jerry, I am not exactly sure what you are asking for here.

 

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 

 

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch
Sent: Thursday, November 02, 2006 9:26 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AB Views Export/Import

Would like to build AB Views on an AD directory that stores Contacts
from multiple AD Forests, export these views to a file and import them
to each of the Forests.

Does Joe's ADFind support this, or is there another tool someone can
suggest.

Many thanks,

Jerry

 

Jerry Welch

CPS Systems

US/Canada: 888-666-0277

International: +1 703 827 0919 (-5 GMT)

IP Phone (Skype): Jerry_Welch (http://www.skype.net/)



RE: [ActiveDir] Vista GPO

2006-12-15 Thread Brian Desmond
There was a hotfix for that - they lengthened some string or something
in the adm file format if I remember right. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Rich Milburn
 Sent: Friday, December 15, 2006 9:49 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Vista GPO
 
 You may recall, there was a similar case when XP came out too - if
 memory serves, you had to manage XP GPO settings from an XP box - if you
 opened them on Win2K, there were problems (I can't recall now exactly
 what those problems were... it would corrupt the policy? Lose the
 settings?) anyway so there are tons more settings (+ side) and you have
 to use Vista for now (- side, sorta).  I wouldn't be too surprised if
 they fix that with the next server and XP SP... but I haven't actually
 heard that.
 

---
 Rich Milburn
 MCSE, Microsoft MVP - Directory Services
 Sr Network Analyst, Field Platform Development
 Applebee's International, Inc.
 4551 W. 107th St
 Overland Park, KS 66207
 913-967-2819
 --
 I love the smell of red herrings in the morning - anonymous
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-
 Elia
 Sent: Thursday, December 14, 2006 4:13 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Vista GPO
 
 Vista introduces a new Admin Template format called ADMX. These are
 found on Vista in C:\windows\policydefinitions and, unfortunately,
 cannot be consumed by earlier versions of Windows. That is, you must
 manage Vista GP from Vista.
 
 Darren
 
 -Original Message-
 From: Za Vue [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: 12/14/2006 1:18 PM
 Subject: Re: [ActiveDir] Vista GPO
 
 Sorry. Exactly what Ben wrote.
 
 Thanks..
 
 -Z.V.
 
 WATSON, BEN wrote:
  Maybe he may be referring to the location of any possible new ADM
  files included with Vista.
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Darren
 Mar-Elia
  Sent: Thursday, December 14, 2006 10:34 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Vista GPO
 
  What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3,
  unless you mean the LDIF files that are in sources\adprep on the Vista
  CD?
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
  Sent: Thursday, December 14, 2006 9:57 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Vista GPO
 
  Anyone know what and where the GPO plugin for Win2003 on the Vista DVD
  is called and located?
 
  -Z.V.
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
 
 
 
 
 

RE: [ActiveDir] Way OT: Laptop Battery Life

2006-12-12 Thread Brian Desmond
I have this model too. Kill the Wifi and Bluetooth for starters. Wifi is
Fn+F2 I think.

Next, get a media bay battery from Dell - it can give you several (up to
4) more hours in my experience.

I go through batteries pretty quickly - I think I killed the media bay
battery (or at met its half life) in about 6 months. A combination of
desk work and being mobile does this because of the uneven
discharge/charge cycles. You can either be real meticulous about taking
care of the batteries or start hitting your IT department up for new
ones.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, December 12, 2006 10:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Way OT: Laptop Battery Life

Hi -

When I travel with my standard issue Dell D600 (1.5GB RAM), I get maybe
two hours out of a fully charged battery while doing standard Word,
Excel, Outlook stuff. Throw in Visio or (ugh) Quickbooks and cut that
time in half. Sometimes, I try to disable services that I know I will
not need on the plane (does antivirus really need to autoprotect on the
plane?), but I can't tell you that this actually gives me any more
battery.

Any recommendations for battery-life extending tricks, tools, services
to disable, etc? Greatly appreciated as I head across the country for
the late December boogie.

Thanks.

-- nme





RE: [ActiveDir] Way OT: Laptop Battery Life

2006-12-12 Thread Brian Desmond
Whatever they give me must not be Lithium then.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, December 12, 2006 11:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Way OT: Laptop Battery Life

Lithium batteries are resilient to the charge/discharge issues
associated with earlier batteries. Generally, you want to replace
batteries after about 18 months, because that's when depreciation sets
in.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon







RE: [ActiveDir] running scripts via group policy using alternate accounts

2006-12-09 Thread Brian Desmond
The logon script will run in the context of the user who runs it. My
suggestion is that you rethink your process because this sounds like a
really crappy plan that you've got.

I believe Joe Richards' cpau utility on joeware.net supports some type
of encryption of credentials that you could use if you must do this.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Anuj Attree
Sent: Saturday, December 09, 2006 2:29 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] running scripts via group policy using alternate
accounts

Hi,

Is there a way to run user logon scripts via Group Policy using
alternate credentials (say domain admins)?

I'm asking this because I want to (for example) install some
s/w (yes, I can use the s/w installation feature from GPMC, I know) or
run a command which can be run only by an administrator (say ipconfig
/registerdns or something else) through the script, but the user
logging in would need administrator privileges to install the s/w etc.,
which is generally not the case.

Please correct me if I'm wrong.

-- 
Regards
Anuj Attree
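As an added example (not from the thread, and not joeware's code), a scanner for the anti-pattern Brian warns against: a privileged account's password dropped into a logon script that every domain user can read from SYSVOL. The sample scripts, share names and account are constructed, and the cpau and psexec switch names are assumed from the tools' usage text rather than taken from the thread.

```python
"""
Audit logon scripts for embedded credentials.

A GPO logon script runs as the user who logs on, so the tempting shortcut
is to hard-code a privileged account and its password in the script
(cpau, psexec, net use, a VBScript variable). Every authenticated user
can read the SYSVOL scripts share, so that password is effectively public.
This scanner flags the common forms so an admin can audit the share.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

# Constructed sample scripts standing in for files in the SYSVOL scripts
# share. Share names, the account and the password are made up.
SAMPLE_SCRIPTS = {
    "logon.bat": (
        "@echo off\n"
        "rem map the home share as the logged-on user (fine: no credentials)\n"
        "net use H: \\\\fs01\\home /persistent:no\n"
        "rem run the install as a service account (bad: password in SYSVOL)\n"
        "cpau -u CORP\\svc_install -p Winter2006! -ex \"msiexec /i \\\\fs01\\sw\\tool.msi /qn\"\n"
        "net use S: \\\\fs01\\sw Winter2006! /user:CORP\\svc_install\n"
        "psexec \\\\%COMPUTERNAME% -u CORP\\svc_install -p Winter2006! ipconfig /registerdns\n"
    ),
    "encjob.bat": (
        "rem cpau encrypted job file: no plaintext here, but every user can read the job file\n"
        "cpau -dec -file \\\\fs01\\netlogon\\install.job\n"
    ),
    "mapdrives.vbs": (
        "Set net = CreateObject(\"WScript.Network\")\n"
        "strPassword = \"Winter2006!\"\n"
        "net.MapNetworkDrive \"P:\", \"\\\\fs01\\proj\", False, \"CORP\\svc_install\", strPassword\n"
    ),
}

# Switch names for cpau (-u/-p/-ex, -dec/-file) and psexec (-u/-p) are
# assumed from the tools' usage text, not taken from the thread.
PLAINTEXT_PATTERNS = [
    ("cpau with -p", re.compile(r"\bcpau(\.exe)?\b.*\s-p\s+\S", re.I)),
    ("psexec with -p", re.compile(r"\bpsexec(\.exe)?\b.*\s-p\s+\S", re.I)),
    ("password literal in variable", re.compile(r"\b\w*(pass|pwd)\w*\s*=\s*\"[^\"]+\"", re.I)),
]
# Lower severity: credentials are not in the clear, but the job file lives
# on the same world-readable share, so it still needs a review.
REVIEW_PATTERNS = [
    ("cpau encrypted job file", re.compile(r"\bcpau(\.exe)?\b.*\s-dec\b", re.I)),
]
_DRIVE = re.compile(r"^[A-Za-z]:$")


def net_use_has_password(line: str) -> bool:
    """True when a 'net use' line passes a password for an alternate account."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0].lower() != "net" or tokens[1].lower() != "use":
        return False
    if not any(t.lower().startswith("/user:") for t in tokens):
        return False  # runs as the logged-on user: nothing to leak
    for t in tokens[2:]:
        # drive letter, UNC path, switches and '*' (prompt) are not a password
        if t.startswith(("/", "\\\\")) or t == "*" or _DRIVE.match(t):
            continue
        return True
    return False


@dataclass(frozen=True)
class Finding:
    script: str
    line_no: int
    severity: str  # "plaintext" or "review"
    label: str
    line: str


def scan_script(name: str, text: str) -> list[Finding]:
    """Return one Finding per credential pattern seen in a script body."""
    findings: list[Finding] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # skip blank lines and batch (rem, ::) / VBScript (') comments
        if not line or line.lower().startswith(("rem ", "::", "'")):
            continue
        if net_use_has_password(line):
            findings.append(Finding(name, no, "plaintext", "net use with password", line))
        for label, rx in PLAINTEXT_PATTERNS:
            if rx.search(line):
                findings.append(Finding(name, no, "plaintext", label, line))
        for label, rx in REVIEW_PATTERNS:
            if rx.search(line):
                findings.append(Finding(name, no, "review", label, line))
    return findings


def scan_scripts(scripts: dict[str, str]) -> list[Finding]:
    return [f for name, text in scripts.items() for f in scan_script(name, text)]


def scan_folder(folder: Path) -> list[Finding]:
    """Same checks over a real folder (e.g. a copy of the SYSVOL scripts share)."""
    bodies = {str(p): p.read_text(errors="replace")
              for p in folder.rglob("*") if p.suffix.lower() in {".bat", ".cmd", ".vbs"}}
    return scan_scripts(bodies)


if __name__ == "__main__":
    for f in scan_scripts(SAMPLE_SCRIPTS):
        print(f"{f.severity:9} {f.script}:{f.line_no} {f.label}: {f.line}")
```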



RE: [ActiveDir] Quest Recovery Manager

2006-12-09 Thread Brian Desmond
Heh - funny I received the half off email at the widget company I'm at
earlier this week.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, December 09, 2006 6:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Yep, when I was at one large widget company we would really be
interested in some product from a given company but the per user or per
object licensing costs were so insanely out of the park for an
infrastructure type product versus the money available for
infrastructure that we could never buy the products... Then every
December the main sales guy, we will call him Art to protect the guilty,
would come along and take folks out to lunch or dinner or whatever and
say it is all half off or more so buy now... Unfortunately, in this
company I was in, it was pretty much impossible to purchase anything
after Thanksgiving due to the complexity of the buying system and the
number of folks who had to sign off on things and the amount of vacation
time being taken by people. If it wasn't at a price that was expensable
on corporate credit card, it wasn't getting bought at the end of the
year. So half off, three quarter off, heck even pennies on the dollar
likely wouldn't reduce the pricing enough although everyone wanted it.

 

Silly thing is if the company would simply go to a site based licensing
scheme and put a good price on it they would have been selling products
to the company 6 years ago and not going through the same dance every
year.

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, December 06, 2006 7:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

 The Quest guys told me the other day they had a lot of leeway on some
 pricing for one of my clients so I'm wondering if this is the end of the
 year for the salesmen and they need to make their year this month (if so
 this is an excellent time to buy Quest software)

Ha! Show me a sales person from ANY software company who doesn't get
that wide-eyed, crazed, foaming-at-the-mouth look in his or her eye
around quarter-end or year-end and I'll show you a sales person that is
about to be fired. It's part of the game. Gotta make quota, esp. at year
end, and to do that, you gotta discount! I would think most IT shops are
wise to it by now. It's kind of a sick dance we all do :)

Darren


Yeah. Sit down with your team and figure out what it is you need - must
have, would like to have, and nice to have. Then, tell all the vendors
you want a little webinar (they love these), and then compare your notes
after each/all of them again. Rule out any ones now that don't do the
trick


Then go get ready to have it shoved way up your ass when they give you
the pricing. Then you can suggest (if they haven't already) that they
come discuss it in further and plan on a lunch/dinner or two on their
dime while you further discuss how expensive their stuff is and what
they can do for you to make it more attractive. The Quest guys told me
the other day they had a lot of leeway on some pricing for one of my
clients so I'm wondering if this is the end of the year for the salesmen
and they need to make their year this month (if so this is an excellent
time to buy Quest software).

 

Now that said, I've worked in a few large shops, and we haven't had any
of this frilly fancy shit. It's expensive, I hate the per head/per
seat/per whatever pricing, and frankly all I think it does is idiot
proof what's already there. Rather than having something do it for you,
why don't you learn how it does it, because then you'll be smarter, and
you can go get a new better job with your new found talents.

That said there is some cool shit from quest and NetIQ and those guys -
I'm into the change control/management stuff in shops where there are
too many cooks in the kitchen. Quest's migration stuff is of course
great if you can afford it.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DCRI) [E]
Sent: Wednesday, December 06, 2006 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

I don't think there are many independent rankings out there.  You have
to figure that Windows ITPro and SearchWindows are probably the easiest
sources to get access to online, but they are influenced by ad dollars
sometimes.   It is possible that Burton Group and possibly Gartner have
done some research But I

RE: [ActiveDir] What is Websence

2006-12-07 Thread Brian Desmond
Websense is software you put on one or more servers to do the filtering
of http requests. You can either do it parallel to your firewalls (Pixen
and others support passing http requests to a Websense farm in
realtime), or I believe you can put them inline as a proxy.

If you're doing a large deployment of it there is significant planning
involved, FYI.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Thursday, December 07, 2006 6:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What is Websence

Is it a box or software driven web filtering. Please provide some info
on this.

-- 
Thanks,
RD
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommedations?

2006-12-06 Thread Brian Desmond
Well with 40 people you're paying 280 euro a month. Some quick currency 
conversions tells me that an Exchange server for an org your size would likely 
set you back between 2300 and 3000 Euro from Dell. 280 goes into 2300 8.2 times 
- or it will pay for itself in 9 months.

If you're already managing AD and other infrastructure, Exchange isn't going to 
add that much overhead. Create the mailboxes for your users, import the PSTs or 
whatever they have now, and make sure it's getting backed up and updated (which 
I'm sure you're already doing with your other servers). Has the DSL been 
reliable so far? If so, then I wouldn't worry about it. If not, either get a 
better DSL provider or find someone to be your MX or backup MX. 

Regarding bandwidth, ADSL goes to 6mbps these days - what limitations are on 
your circuit? Outlook 2003 in cached mode doesn't chew that much. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Javier Jarava
 Sent: Wednesday, December 06, 2006 11:57 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange?
 Tips/Suggestions/Recommedations?
 
 Hi!
 
 Thanks for the prompt reply...
 
 As for hosted solutions, I guess that I don't much care whether the
 backend is Exchange, SBS or whatever the hosting company chooses to
 provide ;) From what I've seen
 (http://www.arsys.es/aplicaciones/correo-exchange.htm,
 http://www.acens.com/seccion.web/correo/acens-exchange/678 - yes, we
 are based in Spain - or http://www.mi8.com/ to show that I'm looking
 elsewhere) basically what you get is a web-based admin panel and a
 number of accounts that you configure... not too much control but
 good enough. Of course, I'd love to get recommendations for other
 providers or to be shown that not all of them are similar ;)

 As for the lack of a server for 40+ users, well, that's not really
 true: We have an AD (2003) domain (basic setup: single forest, single
 domain, 2 DCs) for the users, it's just that the email is hosted on an
 external server, to avoid downtime and lessen the administrative load
 on the network admin (we don't have a full time person for that). Also,
 we currently have 2 main offices in Spain (connected by DSL) and people
 working or tele-working in the US, Mexico, Colombia, Germany and the
 UK (2/3 people in each place at most): I believe that creating the
 infrastructure (reliability-wise) to serve all those locations in-house
 would be a tad expensive and (I believe) not really warranted. Of
 course, I'd love to hear opinions either way...

 As for control freak, we have a VPS so we have root on the mail
 server; as a matter of fact the hardest point for the internal
 acceptance of a hosted solution would probably be the lack of root
 access on the email server...

 I agree with you that to manage that many (ok, those who manage
 multi-K domains, please stop laughing) users, AD is a must. And,
 besides, we develop security software that runs on top of AD, so it'd
 be a bit odd if we didn't use our own SW ;)

 In any case, I really am starting to believe that the simpler thing
 will be to get the real thing, so the options seem to be: 1) Get an
 Exchange Server in-house. But that means making sure that our DSL line
 doesn't go down, and having the bandwidth etc... 2) House a server on
 some co-lo. The comm. problems disappear, but we still have to babysit
 the thing... 3) Go for a hosted Exchange provider. I've seen offers in
 the range of ~7€/mo/user; I believe that for a limited number of users
 (~30 ATM, possibly up to 40 in the foreseeable future) that makes more
 sense than doing it all ourselves...
 
 I'd really love to hear your thoughts on the matter, and also if you
 could comment/recommend any service providers you'd make my life
 considerably easier ;)
 
 In any case, thanks again for reading this far and bearing with my
 ramblings.
 
 Happy Christmas for all ;)
 
   Javier Jarava
 
 On 05/12/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 [EMAIL PROTECTED] wrote:
  Hosted SBS with Outlook 2003

  Office Live  http://office.microsoft.com/en-us/outlook/HA100809831033.aspx
  Not 2003 without a SBS box on the backend but 2007 uses Office Live to
  share calendars.

  40 people and you don't have a server... wow. The control freak in me
  is freaking out.  We put SBS servers in at 5 to 10 people and even less.

  Shared calendars pushes the sale of many a SBS box. I don't know of
  non MS solutions.
 
 
  Javier Jarava wrote:
   Hi!
  
   Sorry if this question is a bit off-topic to the list, but I've
 seen
   some Exchange-related questions here, so I know there is Exchange
   expertise hanging around ;) and I didn't know where to ask; please
   feel free to point me to the proper forums (forii?) to ask in.
  
   I am looking for a way to implement shared calendars a la
 exchange
   (ie, they have

RE: [ActiveDir] Quest Recovery Manager

2006-12-06 Thread Brian Desmond
Yeah. Sit down with your team and figure out what it is you need - must
have, would like to have, and nice to have. Then, tell all the vendors
you want a little webinar (they love these), and then compare your notes
after each/all of them again. Rule out any ones now that don't do the
trick


Then go get ready to have it shoved way up your ass when they give you
the pricing. Then you can suggest (if they haven't already) that they
come discuss it in further and plan on a lunch/dinner or two on their
dime while you further discuss how expensive their stuff is and what
they can do for you to make it more attractive. The Quest guys told me
the other day they had a lot of leeway on some pricing for one of my
clients so I'm wondering if this is the end of the year for the salesmen
and they need to make their year this month (if so this is an excellent
time to buy Quest software).

 

Now that said, I've worked in a few large shops, and we haven't had any
of this frilly fancy shit. It's expensive, I hate the per head/per
seat/per whatever pricing, and frankly all I think it does is idiot
proof what's already there. Rather than having something do it for you,
why don't you learn how it does it, because then you'll be smarter, and
you can go get a new better job with your new found talents.

That said there is some cool shit from quest and NetIQ and those guys -
I'm into the change control/management stuff in shops where there are
too many cooks in the kitchen. Quest's migration stuff is of course
great if you can afford it.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DCRI) [E]
Sent: Wednesday, December 06, 2006 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

I don't think there are many independent rankings out there.  You have
to figure that Windows ITPro and SearchWindows are probably the easiest
sources to get access to online, but they are influenced by ad dollars
sometimes.   It is possible that Burton Group and possibly Gartner have
done some research but I doubt it.  I know that Directions on
Microsoft hasn't covered it.  It is a pretty niche topic.

I think the best way to approach this is to have a good old fashioned bake
off of the technologies.  Depending how big a player you are, you can
probably get Quest, NetPro, Veritas, and Commvault to step up.  I would
say that all the technologies are pretty stable at the moment; there
isn't a lot of innovation going on anymore, so it is pretty hard to make
a mistake choosing one of these products.

Todd

From: Tim Onsomu [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 2:06 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager


Does anybody know what independent rankings look like for AD DR tools?




-Original Message-
From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Wed 12/6/2006 9:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

shameless plug

NetPro has an AD data recovery product called RestoreADmin that competes
very well with the Quest product. It solves the AD object recovery
problem nicely.

See http://www.netpro.com/products/restoreadmin/index.cfm.

/shameless plug

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 7:37 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quest Recovery Manager

Todd, thanks for your insight. Good points to think about.


James Masters
Systems Architecture and Engineering
The Kroger Co.
Office: (859) 363-2346
Cell:(859) 653-8644


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DCRI) [E]
Sent: Wednesday, December 06, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quest Recovery Manager

Same here... Good stuff.

To be fair though, most of the major AD players have these tools now.
The thing about the Quest (Aelita) tool was its use of their own APIs to
address issues like Domain Local Groups etc.  I haven't kept up with the
latest versions so I am not sure what direction they have gone since
2003.
Latest information I remember was they offered you the option to use the
MS API methods for recovery, or their special brew for more advanced
recovery options.

Now if you put some extra effort into your query, you might get this thread
nice and hot, and generate input from people like Stuart Kwan discussing
supportability issues using the various recovery methods, Guido Vladimir
discussing in great depth the inherent problems of group recovery, various
opinions on how to use isolated sites with rubber chickens, MIIS, ADAM to
reanimate deleted objects

RE: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommedations?

2006-12-05 Thread Brian Desmond
So, SBS sounds like the solution to your problem. Have you considered
bringing in someone from a good local consulting firm that targets the
SMB space and knows how to sell SBS on all levels (technical to exec)?
Honestly, almost every SBS deal I've done it's started out with such and
such manager says in house costs too much. I have a pretty good track
record of putting an SBS box (or whatever was appropriate) in that shop
after the fact.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 
 
 Javier Jarava wrote:
  Hi!
 
  Sorry if this question is a bit off-topic to the list, but I've seen
  some Exchange-related questions here, so I know there is Exchange
  expertise hanging around ;) and I didn't know where to ask; please
  feel free to point me to the proper forums (forii?) to ask in.
 
  I am looking for a way to implement shared calendars a la exchange
  (ie, they have to be visible and used from within Outlook 2003), but
  without actually using/hosting an Exchange Server ourselves. The idea
  is that people should be able to see/manage the calendar of the people
  they manage, so free/busy info is not enough. And the outlook
  requisite is a must (as my CEO put it yesterday: I live within
  Outlook; I don't want to meddle with web apps or the like)

  I know that it's a bit odd of a requisite, but we are a small co. (~
  40 employees) and the president feels that having to babysit a server
  in-house is a bit of a needless burden.

  At present we host our email / web presence / customer ticketing
  system in a pair of VPS from Verio, so if the proposed solution could
  run on top of FreeBSD it'd be a big plus ;)

  Of course (now going for the and ask about the KitchenSink part ;)
  if we could put it into place without having to tweak our email setup
  that'd be wonderful!!

  We understand that we'd probably have to install some Outlook plugin,
  so that's OK...

  If there is no way to have the Shared Calendar feature as a
  stand-alone service/server, I guess the next step would be to ask
  those of you who know Exchange for an exchange clone that runs on
  FreeBSD / Unix. Or last but not least, I guess that there must be
  hosted Exchange providers out there that you can recommend. That'd
  mean re-doing our mail system, but I guess that we could live with it,
  if need be.

  Thanks a lot for those of you who have read this far.

   Best Regards

   Javier Jarava
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
 


RE: [ActiveDir] OT: Exchange Design Question

2006-12-05 Thread Brian Desmond
Mark,

In scenario 2 will your SMTP server in the DMZ subnet be part of the Exchange 
organization? If so the whole DMZ thing isn't really going to get you much if 
anything. Personally I think DMZs are outdated and not a good model anymore.

I would go with option 1. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Mark Parris
 Sent: Tuesday, December 05, 2006 11:42 AM
 To: ActiveDir.org
 Subject: [ActiveDir] OT: Exchange Design Question
 
 A friend of mine has asked me to ask the group the following Exchange
 related question.
 
 An Exchange 2003 environment that has been upgraded from Exchange 2000
 needs to have SMTP reconfigured for outbound mail. There are two
 proposals on the table but they are not sure of the best approach.
 
 1 Exchange Frontend/Backend configuration with both servers on the
 internal network and an ISA server in the perimeter network publishing
 internal SMTP to the internet or in this case messagelabs
 
 or
 
 2 Exchange Frontend/Backend configuration with both servers on the
 internal network and an SMTP server in the DMZ relaying to messagelabs
 
 Messagelabs host the MX records and cleanses most viruses out of the
 emails but may change in the future though there is no current
 management thinking to do so.
 
 Given these two scenarios which one would most people choose and if so
 why?
 
 The environment is approx 2000 users and there are eight sites  and the
 chosen SMTP configuration will be repeated in another site for
 resilience.
 
 Many thanks as always,
 
 
 
 
 Regards,
 
 Mark Parris
 
 Base IT Ltd
 Active Directory Consultancy
 Tel +44(0)7801 690596


RE: [ActiveDir] OT: Exchange Design Question

2006-12-05 Thread Brian Desmond
Well it’s a Juniper NetScreen probably not a server ... just a firewall. I'd 
either throw ISA there behind the Juniper or just go with option three and 
point the NAT on your Juniper straight to the backend. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Mark Parris
 Sent: Tuesday, December 05, 2006 6:37 PM
 To: ActiveDir.org
 Subject: Re: [ActiveDir] OT: Exchange Design Question
 
 Thanks for the responses so far - I have also been kicked for not
 mentioning that there is a Juniper server in the equation to which OWA
 is published.
 
 So OWA goes through the Juniper appliance in another dmz and does not
 touch the ISA dmz.
 
 Still the same responses?
 
 
 
 Regards,
 
 Mark Parris
 
 Base IT Ltd
 Active Directory Consultancy
 Tel +44(0)7801 690596
 
 
 -Original Message-
 From: Mark Parris [EMAIL PROTECTED]
 Date: Tue, 5 Dec 2006 16:41:30
 To:ActiveDir.org ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Exchange Design Question
 
 A friend of mine has asked me to ask the group the following Exchange
 related question.
 
 An Exchange 2003 environment that has been upgraded from Exchange 2000
 needs to have SMTP reconfigured for outbound mail. There are two
 proposals on the table but they are not sure of the best approach.
 
 1 Exchange Frontend/Backend configuration with both servers on the
 internal network and an ISA server in the perimeter network publishing
 internal SMTP to the internet or in this case messagelabs
 
 or
 
 2 Exchange Frontend/Backend configuration with both servers on the
 internal network and an SMTP server in the DMZ relaying to messagelabs
 
 Messagelabs hosts the MX records and cleanses most viruses out of the
 emails but may change in the future though there is no current
 management thinking to do so.
 
 Given these two scenarios which one would most people choose and if so
 why?
 
 The environment is approx 2000 users and there are eight sites and the
 chosen SMTP configuration will be repeated in another site for
 resilience.
 
 Many thanks as always,
 
 
 
 
 Regards,
 
 Mark Parris
 
 Base IT Ltd
 Active Directory Consultancy
 Tel +44(0)7801 690596

RE: [ActiveDir] OT: Vista Activation and KMS

2006-12-04 Thread Brian Desmond
On the VL site there are different MAK and KMS keys...which did you use

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Monday, December 04, 2006 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Vista Activation and KMS

 

I was testing out the RTM of Vista Enterprise last night and noticed I
didn't have to enter a key at any point during the install. When Windows
tried to activate, it told me there was a DNS error, so I suspected it
looks for a local activation server by default. Sure enough, in the DNS
cache was a lookup for a nonexistent _vlmcs._tcp.domain.com. Upon
further research, it appears Microsoft has not released KMS yet, and I
couldn't find any option to activate directly with Microsoft. For the
moment, is telephone activation the only option?

Brian Cline, Applications Developer 
Department of Information Technology 
GP Trucking Company, Inc. 
803.936.8595 Direct Line 
800.922.1147 Toll-Free (x8595) 
803.739.1176 Fax 



RE: [ActiveDir] Renaming sites

2006-12-04 Thread Brian Desmond
You should be fine, but your example leads me to believe that you should
hash out your naming conventions such that they're thoughtful and
future-proof and only do this once.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Huber, Rob (HNI
Corp)
Sent: Monday, December 04, 2006 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Renaming sites

 

Does anyone know of any issue with renaming sites?  For example, if we
change the site called Chicago to ChicagoIL, what issues could arise?  I
expect that since the GUID is not changed there will not be a
problem.  How about if we use SMS??



RE: [ActiveDir] Import User Details from a XLS file

2006-11-30 Thread Brian Desmond
Look at csvde

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Haritwal,
Dhiraj
Sent: Thursday, November 30, 2006 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Import User Details from a XLS file

 

Dear All,

 

How can I import AD user details like Department, Telephone No,
Location etc. from an XLS file?

 

Dhiraj Haritwal

 




This email is confidential and intended only for the use of the
individual or entity named above and may contain information that is
privileged. If you are not the intended recipient, you are notified that
any dissemination, distribution or copying of this email is strictly
prohibited. If you have received this email in error, please notify us
immediately by return email or telephone and destroy the original
message. - This mail is sent via Sony Asia Pacific Mail Gateway.
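As an added example (not code from the thread), a Python script that turns the spreadsheet, saved as CSV, into an LDIF file for ldifde. The caveat behind it: csvde -i only creates new objects, so stamping Department, Telephone No and Location onto users that already exist needs ldifde with "changetype: modify" records instead. The column names, the column-to-attribute mapping and the sAMAccountName-to-DN lookup table are assumptions for the example; the sample CSV is constructed.

```python
"""Added example (not from the thread): turn a spreadsheet export into an
LDIF file that ldifde can import.

csvde -i can only create new objects, so populating department / telephone
/ location on users that already exist needs ldifde with
"changetype: modify" records. The column names, the attribute mapping and
the sAMAccountName-to-DN table below are assumptions; the CSV is constructed.
"""
import base64
import csv
import io

# Spreadsheet column -> AD attribute (assumed mapping for this example).
ATTR_MAP = {
    "Department": "department",
    "Telephone No": "telephoneNumber",
    "Location": "physicalDeliveryOfficeName",
}


def ldif_value(attr, value):
    """Encode one value per RFC 2849: base64 ('::') when it is not a SAFE-STRING."""
    safe = (value.isascii()
            and not value.startswith((" ", ":", "<"))
            and not value.endswith(" ")
            and "\r" not in value and "\n" not in value)
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def modify_record(dn, changes):
    """One LDIF modify record replacing each (attribute, value) in `changes`."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in changes:
        lines += [f"replace: {attr}", ldif_value(attr, value), "-"]
    return "\n".join(lines) + "\n"


def csv_to_ldif(csv_text, dn_by_sam):
    """Return (ldif_text, skipped); skipped lists rows with no DN or nothing to set."""
    records, skipped = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        sam = (row.get("sAMAccountName") or "").strip()
        dn = dn_by_sam.get(sam)
        # Empty cells are left alone rather than clearing the attribute.
        changes = [(attr, (row.get(col) or "").strip())
                   for col, attr in ATTR_MAP.items() if (row.get(col) or "").strip()]
        if dn is None or not changes:
            skipped.append(sam or "<blank>")
            continue
        records.append(modify_record(dn, changes))
    return "\n".join(records), skipped


# Constructed sample: the spreadsheet as CSV, and a lookup table that in
# practice would come from an ldifde/adfind export of sAMAccountName and DN.
SAMPLE_CSV = """sAMAccountName,Department,Telephone No,Location
jsmith,Finance,+44 20 7946 0000,London
mmeier,Sales,,Zürich
nobody,IT,+44 20 7946 0001,Leeds
"""
DN_BY_SAM = {
    "jsmith": "CN=John Smith,OU=Users,DC=example,DC=com",
    "mmeier": "CN=Max Meier,OU=Users,DC=example,DC=com",
}

if __name__ == "__main__":
    ldif, skipped = csv_to_ldif(SAMPLE_CSV, DN_BY_SAM)
    print(ldif)  # save as users.ldf, then import with: ldifde -i -f users.ldf
    print("skipped:", skipped)
```

Rows whose account is not in the lookup table are reported rather than silently dropped, so a typo in the spreadsheet does not go unnoticed.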





RE: [ActiveDir] Child domain for external SharePoint users

2006-11-30 Thread Brian Desmond
You need a separate forest to get the effect you want. The Domain gets
you nothing more than an OU would. 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Group, Russ
Sent: Thursday, November 30, 2006 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Child domain for external SharePoint users

 

Hi all 

We are in the process of creating a SharePoint site that external users
(dealers) can access to obtain shipping information.  I have the
SharePoint server in my LAN with a reverse proxy appliance in the DMZ
that the dealers will use to access the SharePoint server.

The discussion came up about using a child domain for these dealers to
authenticate to the SharePoint server.  Is this an accepted practice
(create a child domain for the external users)?  How safe is this
compared to creating a separate OU for the dealer in the parent domain?

Thank you

Russ 



RE: [ActiveDir] Split pagefile

2006-11-30 Thread Brian Desmond
You're going to have other issues if you have that little free space on
your C drive. My suggestion is that you find something else to cleanup
or else replace the spindles with larger ones.

Yes, it's fine to store the pagefile elsewhere though.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Thursday, November 30, 2006 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Split pagefile

Sorry for the reply to my own post, but this article:

http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips
/Miscellaneous/EnhancePerformancebyMovingthePagefile.html

says I can move the whole thing to a different partition. I'll leave a
meg on the C drive just for the dumpfile, which we limit to 64K, in case
the system crashes and I can actually figure out how to read the
dumpfile.

But, really, is it OK to leave absolutely NO pagefile on C:/? We
normally leave at least 200Mb on the C: partition when we move the rest
to a different drive.


-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876



  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On 
  Behalf Of Larry Wahlers
  Sent: Thursday, November 30, 2006 9:55 AM
  To: Exchange Discussions
  Subject: Split pagefile
  
  Colleagues,
  
  Is there a best practice for splitting the pagefile on Exchange 2003
  across multiple drives? My C drive is up to nearly 9GB used out of 10GB,
  and I'd like to move off most of the 3GB pagefile to maybe the database
  drive. We have only 500 users on that system, so performance shouldn't
  be too much of an issue.
  
  Thanks in advance, folks.
  
  -- 
  Larry Wahlers
  Concordia Technologies
  The Lutheran Church - Missouri Synod
  mailto:[EMAIL PROTECTED]
  direct office line: (314) 996-1876
  
  
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] dynamic variables within an event log entry?

2006-11-30 Thread Brian Desmond
Michael-

 

I don't have an AD install or ADFind in front of me, but
whencreated=Now-24hr gives you everything in the past 24 hours.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, November 30, 2006 9:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

 

Tony and Laura,

   Thanks for the replies!  Actually, I am already trapping eventid 624
and I see the Caller User Name: entry with the right value.  Where I
got confused was when I built a daily job using adfind (with the -owner
switch) to produce a list of users created during the previous 24 hours.
Laura's #2 answer explains why I see what I do for accounts created by
members of the Domain Admins.  Her #1 answer is going to make me
rethink how we do some of the account creations.  Her #3 answer begs the
question of how would I construct a query to produce new accounts
created over a 24 hour period?  Adfind was the first (and maybe only)
tool that popped into my head to do this.  Other suggestions?  Thanks!

 

Mike Thommes



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

 

1. This is one of the eight gazillion reasons to discourage the use of
accounts that are Domain Admins for routine purposes that can be
achieved without that level of rights.

2. By default, when a member of the Domain Admins group creates an
object in the directory, the Domain Admins group becomes the owner of
the object. That is by design. 

3. When I create an object with an account that is a member of Domain
Admins, the creator of the object shows as that account, not as Domain
Admins. Why aren't you just looking at that value in the event logs,
rather than looking at the ownership of the object? That's why auditing
allows tracking of who creates/modifies/deletes directory objects.

 

Laura

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, November 30, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables within an event log
entry?

I wonder if someone could explain to me (or point me at some
reference) about what mechanism is used to populate the information in a
Windows event log entry.  The reason why I ask is that I see in the
Security log when a new user account is created by an account which is a
member of the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins ,
not XYZ\adminacct1 .  If it is created by an account that is a member of
the Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not
XYZ\Account Operators .

 

This makes auditing somewhat less worthwhile.  Is this design on
purpose or a deficiency?  Any help is appreciated.  Thanks!

 

Mike Thommes

 

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.430 / Virus Database: 268.15.2/559 - Release Date:
11/30/2006 5:07 AM

 

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.430 / Virus Database: 268.15.2/559 - Release Date:
11/30/2006 5:07 AM
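As an added example (not code from the thread), the two approaches discussed above in Python: building the whenCreated >= now-24h filter in the GeneralizedTime syntax AD expects, which is the filter string you would hand to adfind's -f switch, and pulling the Caller User Name out of an event 624 body, which is the creator Laura points at rather than the object owner. The directory entries and the 624 body below are constructed samples laid out like the Windows Server 2003 event text.

```python
"""Added example (not from the thread): find user accounts created in the
last 24 hours and attribute each to the account that created it.

  * build_recent_filter() renders "now - 24h" as AD GeneralizedTime
    (e.g. 20061130214000.0Z, always UTC) inside an LDAP filter.
  * parse_624() reads the text of a Security-log event 624 (User Account
    Created) and returns the Caller User Name, which names the real creator
    even when the object owner is stamped as "Domain Admins".
The sample entries and event body are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

_GT_FORMAT = "%Y%m%d%H%M%S"


def to_generalized_time(dt):
    """Render a timezone-aware datetime as AD GeneralizedTime (UTC)."""
    return dt.astimezone(timezone.utc).strftime(_GT_FORMAT) + ".0Z"


def from_generalized_time(value):
    """Parse '20061130214000.0Z' back into an aware UTC datetime."""
    stamp = value.split(".")[0].rstrip("Z")
    return datetime.strptime(stamp, _GT_FORMAT).replace(tzinfo=timezone.utc)


def build_recent_filter(now, hours=24):
    """LDAP filter for user objects whose whenCreated is within `hours` of `now`."""
    cutoff = to_generalized_time(now - timedelta(hours=hours))
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(whenCreated>={cutoff}))")


def recent_accounts(entries, now, hours=24):
    """Apply the same cutoff client-side to entries already exported from AD."""
    cutoff = now - timedelta(hours=hours)
    return sorted(e["sAMAccountName"] for e in entries
                  if from_generalized_time(e["whenCreated"]) >= cutoff)


# Field labels as they appear in the body of a Windows Server 2003 event 624.
_FIELD_RE = {
    "account": re.compile(r"^\s*New Account Name:\s*(\S+)", re.M),
    "domain": re.compile(r"^\s*New Domain:\s*(\S+)", re.M),
    "caller": re.compile(r"^\s*Caller User Name:\s*(\S+)", re.M),
    "caller_domain": re.compile(r"^\s*Caller Domain:\s*(\S+)", re.M),
}


def parse_624(text):
    """Return {'account': 'XYZ\\jsmith', 'creator': 'XYZ\\adminacct1'}, or None."""
    found = {k: rx.search(text) for k, rx in _FIELD_RE.items()}
    if not all(found.values()):
        return None  # not a 624 body, or a truncated one
    f = {k: m.group(1) for k, m in found.items()}
    return {"account": f"{f['domain']}\\{f['account']}",
            "creator": f"{f['caller_domain']}\\{f['caller']}"}


def attribute_creators(event_texts, account_names, domain):
    """Map each new account to its creator from the 624 events; None if no event."""
    creators = {}
    for text in event_texts:
        parsed = parse_624(text)
        if parsed:
            creators[parsed["account"]] = parsed["creator"]
    return {name: creators.get(f"{domain}\\{name}") for name in account_names}


# Constructed sample data: two exported users and one 624 event body.
SAMPLE_NOW = datetime(2006, 12, 1, 21, 40, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jsmith", "whenCreated": "20061201100000.0Z"},
    {"sAMAccountName": "olduser", "whenCreated": "20061115083000.0Z"},
]
SAMPLE_624 = """User Account Created:
    New Account Name:   jsmith
    New Domain: XYZ
    New Account ID: XYZ\\jsmith
    Caller User Name:   adminacct1
    Caller Domain:  XYZ
    Caller Logon ID:    (0x0,0x3E7)
    Privileges: -
"""

if __name__ == "__main__":
    print(build_recent_filter(SAMPLE_NOW))
    new = recent_accounts(SAMPLE_ENTRIES, SAMPLE_NOW)
    print(attribute_creators([SAMPLE_624], new, "XYZ"))
```

An account that shows up in the directory query with no matching 624 event is worth a second look, since it was created on a DC whose Security log you are not collecting, or outside the audited path.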



RE: [ActiveDir] Pointsec software vs. Active Directory

2006-11-28 Thread Brian Desmond
Vincent-

 

I have no idea what Pointsec is or does, perhaps you could share a
little bit about this.

 

What are the characteristics of the domain controllers in your test
forest? How much memory? Disk config? How big is the DIT?

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of De Potter
Vincent
Sent: Tuesday, November 28, 2006 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Pointsec software vs. Active Directory

 

Hi,

 

My organisation is looking into testing and implementing Pointsec
software for encryption purposes for our client environment. I'm
responsible for the Directory service and they've asked me to
participate. 

I've set up a development forest and let the Pointsec team loose on
that one. I activated some perfmon counters to see the impact on one DC.
Regarding LDAP queries it was quite ok (only 1 reference to an expensive
one) but I saw some implication on the physical disks of the machine
that were hit quite heavily. Also a colleague of mine could remember from
his previous company that the roll out of that soft brought some issues
along.

Does anyone of you have experience with the implementation of Pointsec
and the impact on the directory service (especially the boxes) in a
large environment?

_
Vincent De Potter
Volvo Information Technology



RE: [ActiveDir] Anonymous Access to Virtual Directory or Web Site...

2006-11-28 Thread Brian Desmond
On IIS 6 ensure that Network Service has rights to the content. On IIS5
or IIS6 in IIS5 compatibility mode ensure IUSR_HOSTNAME has access to
the content.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, November 28, 2006 8:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Anonymous Access to Virtual Directory or Web
Site...


Hi Ravi

Have you checked the NTFS security in addition to the IIS settings?

I had a similar problem before and it had to do with the policy settings
for User Rights Assignments.

Guests had been added to the list of those denied access in the
following setting:

Computer Configuration - Windows Settings - Security Settings - Local
Policies - User Rights Assignments - Deny Access to this computer from
the network.

My problem was resolved by removing Guests from the list.

Tony

-- Original Message --
From: Ravi Dogra [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Wed, 29 Nov 2006 06:20:41 +0530

Hi,

I want to configure anonymous access to a virtual directory. But when I
try to configure the same it gives me an access denied error. But when I
do a mixed auth it asks me for username and password and works fine.
But that's what I don't want.

I don't want it to ask me for user name and password when opening the page.

Please help!!!
Please help!!!

-- 
RD


RE: [ActiveDir] mailNickName(OT)

2006-11-23 Thread Brian Desmond
Hi Tom,

Glad to hear you've moved on to bigger things. It only gets more fun as
the numbers get larger. :)

With regard to your email address question, you can update the recipient
policy the RUS uses to automatically stamp everything with
[EMAIL PROTECTED] You would set your recipient policy to include
[EMAIL PROTECTED] to generate this for each object. Reference Q285136
for more info.

8 People for 110K mailboxes seems like a lot to me, but that's just me.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, November 23, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] mailNickName(OT)

I ask because the reason mailNickName is in firstname.lastname
format is due to a dirsync process that runs once a day and reads
that attribute to do an address rewrite.
When a mailbox enabled user is created, the RUS stamps it with an
[EMAIL PROTECTED].
Later, the dirsync process adds [EMAIL PROTECTED], so
when mail goes out, sendmail rewrites the RHS portion of the smtp
addy.
If mailNickName is sAMAccountName, it doesn't work.


Sometimes during the provisioning process, the LAN access guys forget
to set this attribute to that value, so the Exchange team was looking
for a way to automatically generate the value in the correct format,
kinda like displayName.

I just started here about 2 months ago, so I'm not completely sure how
the process works and I'm trying not to annoy everyone with too many
questions.

This is the first truly large corp I've ever worked for. Before I was
the AD/Exchange guy for a 3500 user financial firm. Now I'm on an 8
member Exchange team for a 110,000 user bank that you've all heard of
and I guess I'm trying to wrap my head around how an org this size
works...
I'm actually kinda surprised no one on the Exchange team knows how to
script or is very knowledgeable about AD.
Then again the AD team doesn't seem that knowledgeable about AD.

They just migrated from EX 5.5 to EX2K3 when I started, so I guess
they are trying to get up to speed with Exchange.

I only made the MS comment because a corp this large seems to have a
lot of resources at MS and I saw that someone from MS did their EX2K3
design doc.
I'm not under the illusion that just because someone is from MS that
they know what they are doing but I guess I have illusions about
companies this size and that they would somehow get the better support
from MS and other vendors.

Thanks for your responses and help.

On 11/22/06, Al Mulnick [EMAIL PROTECTED] wrote:
 I think I see the reason that it hasn't been as big a problem as it could
 be. The id is not yet everywhere.  You will run into those collisions.
 Statistically (note, I'm not a statistician, but I sometimes play one on the
 internet) your numbers are just too large not to.  When you hook in MIIS,
 you'll start to see a lot of john smith's and you'll have to map them and
 come up with rules to automatically resolve those if possible.  I dunno
 though, you may be an organization that enjoys manual processes.

 Even for first.lastname for smtp addresses I'm reasonably sure there's
 either a really strong nepotism policy in your organization or you've got
 some *process* that allows for making those unique.  I've worked in much
 smaller shops that had such policies (sadly, no strong nepotism rule, but
 that's another story altogether.)

 I second what joe says about not taking their word for anything.  I'll go so
 far as to qualify that and say that the best answer you should get from a
 consultant or on-site resource is it depends. What that really means is
 that depending on the information available, your current best practice as
 it was intended is to do x.  I can't begin to tell you how many things that
 started from the product teams as the product only does this later ends up
 to be,  for the love of insert your favorite deity here don't do this!!!
  Think clustering and you'll know what I'm talking about.

 Every bit of it depends.  But Microsoft developers need more parameters than
 it depends so they come up with scenarios.  And they narrow those down out
 of necessity.  If you fit in that scenario, your stuff is a tested scenario.
  If not, it's something they may have thought of but didn't think enough
 customers would use and so didn't spend time testing thoroughly - aka if it
 works, it was meant to do that. If it does not, what the ^%$# were you
 thinking? Don't you read that (often non-existent) documentation that
 explicitly says not to do that? Or didn't you know that it wouldn't work
 like that? I mean, it's common sense right?

 Anyhow, I always remember two things about consultants - without common
 understanding, there can be no common sense (I ripped that off in case you
 wonder) and everything should be explicitly written down.  When in doubt ask
 for the project notes and verify that the information you're working off

RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system

2006-11-23 Thread Brian Desmond
Yeah. I suspect you'll bottleneck on disk and memory before you do on
CPU, so 1 quad will get you more than enough, as would I suspect 1 dual.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Thursday, November 23, 2006 4:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX -
Optimal lab system

I am not sure if I interpreted you correctly. After reading your reply again
I now think you would go with the single quad because even with one quad,
cpu resources would not be an issue. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: donderdag 23 november 2006 0:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX -
Optimal
lab system

You mean that it is in fact overkill. I have thought about this and I know
that it probably is. 2 Dual Cores will be probably overkill as well. Both
options probably being overkill, with one quad, we at least have the option
to add another one later in case this may be necessary and one quad will be
cheaper than 2 Duals.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: woensdag 22 november 2006 19:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX -
Optimal
lab system

A pair of quad cores is a lot of horsepower for testing. I suspect you
will run out of disk i/o perf and memory long before you encounter the
need for a second quad core chip given the scenarios you've described.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 22, 2006 8:55 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal
lab system

I posted this on the VMWARE forum as well but I am very interested in 
the opinion of the people who post to this list and there must be some 
people with hands on experience with ESX and DC's and Exchange 2007 
running on VM's on top of ESX 3.0.1.

I am interested in the following: 

We will be buying a Dell PowerEdge 2900 with either 1 Quad Core
processor at 2,33 GHz or 2 Dual Core processors at 2,33 GHz. We will be
using this machine in a test lab only and will be testing mainly
Exchange 2007 and simulating AD issues. We would like to deploy ESX
3.0.1 (or the newest version) with several Exchange 2007 VM's and several
W2K3 R2 Domain Controller VM's on it.

We are doubting between the following configurations, both DELL 2900's.
We will unfortunately only be buying one system so we definitely need
to make the right choice.

As I said we want to buy a system with either 2 Dual Cores or 1 Quad
Core, see here under:

- 1 Quad Core 2.33 GHz Processor, Xeon 5345
- 2 Dual Core 2.33 GHz Processors, Xeon 5140

Both systems will have 8 GB of 667 MHz RAM to start with.

We have contacted Dell and we were told that the 5345 Xeon will be
available in January at the latest.

We don't really care about the price at this moment.

The first thing that comes to mind when making a choice, to me is the
fact that if one Quad would not be enough, we could always plug in
another one :-) at a later time.

Any suggestions are greatly appreciated.


RE: [ActiveDir] mailNickName(OT)

2006-11-23 Thread Brian Desmond
I don't understand your issue, then. Can you rehash it for me and I'll
make a second attempt?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, November 23, 2006 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] mailNickName(OT)

Hey, thanks Brian.
I really appreciate that.

I know you can do that with the RUS and I'm sure they know, but they
don't.

It could have something to do with sharing the external domain with
Exchange, Lotus, and funmail, but I'm not totally sure.



Thanks!!
Happy Thanksgiving, btw.

On 11/23/06, Brian Desmond [EMAIL PROTECTED] wrote:
 Hi Tom,

 Glad to hear you've moved on to bigger things. It only gets more fun
as
 the numbers get larger. :)

 With regard to your email address question, you can update the
recipient
 policy the RUS uses to automatically stamp everything with
 [EMAIL PROTECTED] You would set your recipient policy to
include
 [EMAIL PROTECTED] to generate this for each object. Reference Q285136
 for more info.

 8 People for 110K mailboxes seems like a lot to me, but that's just
me.

 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]

 c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Thursday, November 23, 2006 9:11 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] mailNickName(OT)

 I ask because the reason mailNickName is in firstname.lastname
 format is due to a dirsync process that runs once a day and reads
 that attribute to do an address rewrite.
 When a mailbox enabled user is created, the RUS stamps it with an
 [EMAIL PROTECTED].
 Later, the dirsync process adds [EMAIL PROTECTED], so
 when mail goes out, sendmail rewrites the RHS portion of the smtp
 addy.
 If mailNickName is sAMAccountName, it doesn't work.


 Sometimes during the provisioning process, the LAN access guys forget
 to set this attribute to that value, so the Exchange team was looking
 for a way to automatically generate the value in the correct format,
 kinda like displayName.

 I just started here about 2 months ago, so I'm not completely sure how
 the process works and I'm trying not to annoy everyone with too many
 questions.

 This is the first truly large corp I've ever worked for. Before I was
 the AD/Exchange guy for a 3500 user financial firm. Now I'm on an 8
 member Exchange team for a 110,000 user bank that you've all heard of
 and I guess I'm trying to wrap my head around how an org this size
 works...
 I'm actually kinda surprised no one on the Exchange team knows how to
 script or is very knowledgeable about AD.
 Then again the AD team doesn't seem that knowledgeable about AD.

 They just migrated from EX 5.5 to EX2K3 when I started, so I guess
 they are trying to get up to speed with Exchange.

 I only made the MS comment because a corp this large seems to have a
 lot of resources at MS and I saw that someone from MS did their EX2K3
 design doc.
 I'm not under the illusion that just because someone is from MS that
 they know what they are doing but I guess I have illusions about
 companies this size and that they would somehow get the better support
 from MS and other vendors.

 Thanks for your responses and help.

 On 11/22/06, Al Mulnick [EMAIL PROTECTED] wrote:
  I think I see the reason that it hasn't been as big a problem as it could
  be. The id is not yet everywhere.  You will run into those collisions.
  Statistically (note, I'm not a statistician, but I sometimes play one on the
  internet) your numbers are just too large not to.  When you hook in MIIS,
  you'll start to see a lot of john smith's and you'll have to map them and
  come up with rules to automatically resolve those if possible.  I dunno
  though, you may be an organization that enjoys manual processes.
 
  Even for first.lastname for smtp addresses I'm reasonably sure there's
  either a really strong nepotism policy in your organization or you've got
  some *process* that allows for making those unique.  I've worked in much
  smaller shops that had such policies (sadly, no strong nepotism rule, but
  that's another story altogether.)
 
  I second what joe says about not taking their word for anything.  I'll go so
  far as to qualify that and say that the best answer you should get from a
  consultant or on-site resource is it depends. What that really means is
  that depending on the information available, your current best practice as
  it was intended is to do x.  I can't begin to tell you how many things that
  started from the product teams as the product only does this later ends up
  to be,  for the love of insert your favorite deity here don't do this!!!
   Think clustering and you'll know what I'm talking about.
 
  Every bit of it depends.  But Microsoft developers need more parameters than
  it depends so they come up with scenarios.  And they narrow those down out

RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system

2006-11-22 Thread Brian Desmond
A pair of quad cores is a lot of horsepower for testing. I suspect you
will run out of disk i/o perf and memory long before you encounter the
need for a second quad core chip given the scenarios you've described.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, November 22, 2006 8:55 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal
lab system

I posted this on the VMWARE forum as well but I am very interested in 
the opinion of the people who post to this list and there must be some 
people with hands on experience with ESX and DC's and Exchange 2007 
running on VM's on top of ESX 3.0.1.

I am interested in the following: 

We will be buying a Dell PowerEdge 2900 with either 1 Quad Core
processor at 2,33 GHz or 2 Dual Core processors at 2,33 GHz. We will be
using this machine in a test lab only and will be testing mainly
Exchange 2007 and simulating AD issues. We would like to deploy ESX
3.0.1 (or the newest version) with several Exchange 2007 VM's and several
W2K3 R2 Domain Controller VM's on it.

We are doubting between the following configurations, both DELL 2900's.
We will unfortunately only be buying one system so we definitely need
to make the right choice.

As I said we want to buy a system with either 2 Dual Cores or 1 Quad
Core, see here under:

- 1 Quad Core 2.33 GHz Processor, Xeon 5345
- 2 Dual Core 2.33 GHz Processors, Xeon 5140

Both systems will have 8 GB of 667 MHz RAM to start with.

We have contacted Dell and we were told that the 5345 Xeon will be
available in January at the latest.

We don't really care about the price at this moment.

The first thing that comes to mind when making a choice, to me is the
fact that if one Quad would not be enough, we could always plug in
another one :-) at a later time.

Any suggestions are greatly appreciated.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] [ActiveDIR] OT: Windows 2003 Forest Functional Level 2 while running Exchange 2000

2006-11-22 Thread Brian Desmond
Tim-

There is a hotfix for this, I think for Exchange. The issue is that the
Exchange 2000 RUS doesn't sense changes when Linked Value Replication is
happening.

The easiest solution is to introduce an Exchange 2003 server to run your
RUS.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mischler,
Timothy J CTR USAF NASIC/SCNA
Sent: Wednesday, November 22, 2006 11:27 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] [ActiveDIR] OT: Windows 2003 Forest Functional
Level 2 while running Exchange 2000

Hello, 

I was wondering if anyone had any experience with changing their Windows
2003 Forest Functional Level to 2 (Windows Server forest level) while
running Exchange 2000 (post SP3)? I've found some documentation stating
the Exchange 2000 recipient update service does not replicate changes
successfully in forest functional level 2 in a 2003 Active Directory.
From what I've read the best practice is to leave the Forest Functional
Level on 0 (mixed level forest) until the Exchange 2000 server has been
migrated to Exchange 2003. Any input is much appreciated.

Tim 



RE: [ActiveDir] AD Replication Problem

2006-11-18 Thread Brian Desmond
I would wipe INSIDADC52 and do a metadata cleanup removing it from the
domain and then rebuild/repromote it. That will be the easiest route.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Haritwal,
Dhiraj
Sent: Saturday, November 18, 2006 9:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Replication Problem

Dear All,

I am facing a problem with AD Replication. I'm sending you the dcdiag
logs.

Kindly help me to get rid of this problem.

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: AP-IN-KOL\INSIDADC52
      Starting test: Connectivity
         ......................... INSIDADC52 passed test Connectivity

Doing primary tests

   Testing server: AP-IN-KOL\INSIDADC52
      Starting test: Replications
         [INSIDADC50] DsBindWithSpnEx() failed with error -2146893022,
            The target principal name is incorrect..
         REPLICATION-RECEIVED LATENCY WARNING
         INSIDADC52:  Current time is 2006-11-18 20:17:07.
            CN=Schema,CN=Configuration,DC=sony,DC=com
               Last replication recieved from HKSIHADC03 at 2006-07-14 15:28:03.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
         ......................... INSIDADC52 passed test Replications
      Starting test: NCSecDesc
         [INSIDADC52] LDAP bind failed with error 8341,
            A directory service error has occurred..
         ......................... INSIDADC52 failed test NCSecDesc
      Starting test: NetLogons
         ......................... INSIDADC52 passed test NetLogons
      Starting test: Advertising
         ......................... INSIDADC52 passed test Advertising
      Starting test: KnowsOfRoleHolders
         [USBMAGDC03] DsBindWithSpnEx() failed with error 5,
            Access is denied..
         Warning: USBMAGDC03 is the Schema Owner, but is not responding to DS RPC Bind.
         [USBMAGDC03] LDAP bind failed with error 1323,
            Unable to update the password. The value provided as the current password is incorrect..
         Warning: USBMAGDC03 is the Schema Owner, but is not responding to LDAP Bind.
         Warning: USBMAGDC03 is the Domain Owner, but is not responding to DS RPC Bind.
         Warning: USBMAGDC03 is the Domain Owner, but is not responding to LDAP Bind.
         [SGAPADC04] DsBindWithSpnEx() failed with error -2146893022,
            The target principal name is incorrect..
         Warning: SGAPADC04 is the PDC Owner, but is not responding to DS RPC Bind.
         [SGAPADC04] LDAP bind failed with error 8341,
            A directory service error has occurred..
         Warning: SGAPADC04 is the PDC Owner, but is not responding to LDAP Bind.
         Warning: SGAPADC04 is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: SGAPADC04 is the Rid Owner, but is not responding to LDAP Bind.
         [SGSINSISSAPIPS3] DsBindWithSpnEx() failed with error -2146893022,
            The target principal name is incorrect..
         Warning: SGSINSISSAPIPS3 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
         [SGSINSISSAPIPS3] LDAP bind failed with error 8341,
            A directory service error has occurred..
         Warning: SGSINSISSAPIPS3 is the Infrastructure Update Owner, but is not responding to LDAP Bind.
         ......................... INSIDADC52 failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... INSIDADC52 failed test RidManager
      Starting test: MachineAccount
         ......................... INSIDADC52 passed test MachineAccount
      Starting test: Services
         ......................... INSIDADC52 passed test Services
      Starting test: ObjectsReplicated
         ......................... INSIDADC52 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... INSIDADC52 passed test frssysvol
      Starting test: frsevent
         ......................... INSIDADC52 passed test frsevent
      Starting test: kccevent
         An Warning Event occured.  EventID: 0x8785
            Time Generated: 11/18/2006   20:03:00
            Event String: The attempt to establish a replication link for
         An Warning Event occured.  EventID: 0x8785
            Time Generated: 11/18/2006   20:03:09
            Event String: The attempt to establish a replication link for
         An Warning Event occured.  EventID: 0x8786
            Time Generated: 11/18/2006   20:03:10
            Event String: The attempt to establish a replication link to a
         An Warning Event occured.  EventID: 0x8786
            Time Generated: 11/18/2006   20:03:12
            Event String: The attempt to establish a replication link to a
 An Warning Event occured.  
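
The schema partition in the dcdiag output above was last replicated in July against a 60-day tombstone lifetime, which is why the advice is to demote, clean up the metadata and re-promote rather than repair: a DC that far behind can reintroduce lingering objects (deleted accounts and group memberships coming back) if it is allowed to replicate again. As an added example that is not part of the thread, the PowerShell below parses the REPLICATION-RECEIVED LATENCY block of a saved dcdiag run and flags every source whose latency exceeds the tombstone lifetime. The sample text is constructed from the lines quoted above; Get-TombstoneLifetime assumes a domain-joined machine that can read the configuration partition.

```powershell
# Added example, not from the thread. Flags replication sources that have been silent longer
# than the tombstone lifetime, using the text dcdiag prints. The sample input is constructed
# from the dcdiag output quoted in the thread.

function Get-TombstoneLifetime {
    # tombstoneLifetime is an attribute of CN=Directory Service,CN=Windows NT,CN=Services,<config NC>.
    # When it is not set the forest uses the default of 60 days (forests created with Windows
    # Server 2003 SP1 or later set 180 explicitly). Needs a reachable DC.
    $cfg = ([adsi]'LDAP://RootDSE').configurationNamingContext
    $ds  = [adsi]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
    $v   = $ds.Properties['tombstoneLifetime'].Value
    if ($v) { [int]$v } else { 60 }
}

function Get-DcdiagReplicationLatency {
    param([string[]]$DcdiagLines, [int]$TombstoneLifetimeDays)
    $now = $null
    $nc  = $null
    foreach ($line in $DcdiagLines) {
        $t = $line.Trim()
        if ($t -match 'Current time is (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
            $now = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd HH:mm:ss', $null)
            continue
        }
        if ($t -match '^(CN=|DC=)') { $nc = $t; continue }       # naming context header line
        # dcdiag itself spells it "recieved"; match either spelling.
        if ($now -and $t -match 'Last replication rec\w+ from (\S+) at (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') {
            $last = [datetime]::ParseExact($Matches[2], 'yyyy-MM-dd HH:mm:ss', $null)
            $days = [int]($now - $last).TotalDays
            [pscustomobject]@{
                Partition   = $nc
                Source      = $Matches[1]
                LastSuccess = $last
                LatencyDays = $days
                BeyondTsl   = ($days -gt $TombstoneLifetimeDays)
            }
        }
    }
}

# Constructed sample, taken from the output quoted above.
$sampleDcdiag = @'
      Starting test: Replications
         REPLICATION-RECEIVED LATENCY WARNING
         INSIDADC52:  Current time is 2006-11-18 20:17:07.
            CN=Schema,CN=Configuration,DC=sony,DC=com
               Last replication recieved from HKSIHADC03 at 2006-07-14 15:28:03.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
'@ -split "`r?`n"

# Offline run against the sample, using the 60-day lifetime dcdiag reported in that forest.
Get-DcdiagReplicationLatency -DcdiagLines $sampleDcdiag -TombstoneLifetimeDays 60 |
    Where-Object { $_.BeyondTsl } | Format-Table -AutoSize

# Live run: dcdiag /test:replications /s:INSIDADC52 | Out-File .\dcdiag.txt, then
# Get-DcdiagReplicationLatency -DcdiagLines (Get-Content .\dcdiag.txt) -TombstoneLifetimeDays (Get-TombstoneLifetime)
```

Any source flagged BeyondTsl should not be reconnected; the partner DC gets a forced demotion and metadata cleanup, as the reply above says.
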

RE: [ActiveDir] Domain and Subdomain. Duplicating accounts

2006-11-16 Thread Brian Desmond
What Laura said, plus - why do you have two domains for this scenario. I know 
nothing about your environment, but my instinct says that you don't need them.
 
Thanks,
Brian

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Thu 11/16/2006 7:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain and Subdomain. Duplicating accounts

Besides significantly increasing the likelihood of people logging onto the
wrong domain and generating support calls along the lines of where's my
stuff?

Not really. AD accommodates the same name in multiple domains, as long as
the UPNs are different (which they are, or account creation would have
failed).

Why doesn't the other SA just let people use their regular accounts?

Laura

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
 Sent: Thursday, November 16, 2006 4:48 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Domain and Subdomain. Duplicating accounts

 Hi,

 The company I work for has 2 offices in 2 different states.

 The main office is domain.com and other office is a subdomain
 (sub.domain.com).

 Our users sometimes go to the other office (sub.domain.com)
 to work for a week or so, I just found out that other SA has
 been creating accounts for my users in the subdomain.

 So now I have the same user in the domain and subdomain; besides
 being a stupid way of doing things, is there any technical
 issue this could create?


 Thanks

 Rezuma


RE: [ActiveDir] AD Audit/Compliance Tool

2006-11-14 Thread Brian Desmond
Probably could get some of this out of a Quest Reporter type
tool. Personally I'd just write a bunch of small .net apps (or use adfind if
appropriate) that pump out csv files. Then I import them into a SQL database and
make my queries and voila.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Merry, Joel (US - Philadelphia)
Sent: Tuesday, November 14, 2006 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Audit/Compliance Tool

Hi All ... I'm looking for a tool that will query all of the
domains in a single forest and show me expired accounts, accounts with
passwords older than xx days, duplicate accounts (accounts with the same
samaccountname in different domains), accounts with primary SMTP address of
something other than @domain.com, @domain1.com, @domain2.com, etc.

I'm
scripting most of it now, but it's a pain. Any suggestions?

Thanks,
Joel

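Brian's dump-then-query approach, as an added example that is not part of the thread: a PowerShell script that pulls every user in every domain of the forest once with System.DirectoryServices and then answers the four questions in Joel's message (expired accounts, password age, the same sAMAccountName in more than one domain, and primary SMTP addresses outside an allowed list). The duplicate check is the same one that applies to the Domain and Subdomain thread above. The allowed mail domains and the two sample records are placeholders; the live functions assume read access to each domain.

```powershell
# Added example, not from the thread. Pulls every user in every domain of the forest once,
# then evaluates the four audit questions in memory. Allowed mail domains and the sample
# records are placeholders; the Get-* functions need read access to each domain.

function Get-ForestDomainNames {
    [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains | ForEach-Object { $_.Name }
}

function Get-ResultProperty {
    # First value of an attribute from a SearchResult, or $null when the attribute is absent.
    param($Properties, [string]$Name)
    if ($Properties.Contains($Name)) { $Properties[$Name][0] }
}

function Get-DomainUserRecords {
    param([string]$DomainDns)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDns")
    $s = New-Object System.DirectoryServices.DirectorySearcher($root)
    $s.Filter   = '(&(objectCategory=person)(objectClass=user))'
    $s.PageSize = 1000          # paged search; otherwise the server's 1000-result limit silently truncates
    foreach ($a in 'sAMAccountName', 'pwdLastSet', 'accountExpires', 'proxyAddresses') {
        [void]$s.PropertiesToLoad.Add($a)
    }
    foreach ($r in $s.FindAll()) {
        $p = $r.Properties                                   # keys come back lower-cased
        [pscustomobject]@{
            Domain         = $DomainDns
            SamAccountName = [string](Get-ResultProperty $p 'samaccountname')
            PwdLastSet     = [int64](Get-ResultProperty $p 'pwdlastset')     # FILETIME; 0 = must change at next logon
            AccountExpires = [int64](Get-ResultProperty $p 'accountexpires') # FILETIME; 0 or Int64.MaxValue = never
            ProxyAddresses = @($p['proxyaddresses'])
        }
    }
}

function Get-AccountFindings {
    param([object[]]$Records, [int]$MaxPasswordAgeDays, [string[]]$AllowedMailDomains,
          [datetime]$Now = (Get-Date).ToUniversalTime())
    $never = [int64]::MaxValue
    foreach ($r in $Records) {
        if ($r.AccountExpires -ne 0 -and $r.AccountExpires -ne $never) {
            $exp = [datetime]::FromFileTimeUtc($r.AccountExpires)
            if ($exp -lt $Now) {
                [pscustomobject]@{ Domain = $r.Domain; Account = $r.SamAccountName; Finding = 'Expired'; Detail = $exp.ToString('u') }
            }
        }
        if ($r.PwdLastSet -gt 0) {
            $ageDays = [int]($Now - [datetime]::FromFileTimeUtc($r.PwdLastSet)).TotalDays
            if ($ageDays -gt $MaxPasswordAgeDays) {
                [pscustomobject]@{ Domain = $r.Domain; Account = $r.SamAccountName; Finding = 'PasswordAge'; Detail = "$ageDays days" }
            }
        }
        # Upper-case "SMTP:" marks the primary address; lower-case "smtp:" entries are secondaries.
        foreach ($addr in @($r.ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' })) {
            $mailDomain = $addr.Substring($addr.LastIndexOf('@') + 1)
            if ($AllowedMailDomains -notcontains $mailDomain) {
                [pscustomobject]@{ Domain = $r.Domain; Account = $r.SamAccountName; Finding = 'ForeignPrimarySmtp'; Detail = $addr }
            }
        }
    }
    # Same sAMAccountName present in more than one domain of the forest.
    $Records | Group-Object -Property SamAccountName | ForEach-Object {
        $domains = @($_.Group | ForEach-Object { $_.Domain } | Sort-Object -Unique)
        if ($domains.Count -gt 1) {
            [pscustomobject]@{ Domain = ($domains -join ';'); Account = $_.Name; Finding = 'DuplicateAcrossDomains'; Detail = "$($domains.Count) domains" }
        }
    }
}

# Constructed sample so the rules can be exercised without a forest.
$sample = @(
    [pscustomobject]@{ Domain = 'domain.com';     SamAccountName = 'jsmith'; PwdLastSet = ([datetime]'2006-01-15').ToFileTimeUtc(); AccountExpires = 0; ProxyAddresses = @('SMTP:jsmith@domain.com') },
    [pscustomobject]@{ Domain = 'sub.domain.com'; SamAccountName = 'jsmith'; PwdLastSet = ([datetime]'2006-10-01').ToFileTimeUtc(); AccountExpires = ([datetime]'2006-09-30').ToFileTimeUtc(); ProxyAddresses = @('SMTP:jsmith@partner.net', 'smtp:jsmith@domain.com') }
)
Get-AccountFindings -Records $sample -MaxPasswordAgeDays 90 -AllowedMailDomains 'domain.com', 'domain1.com' -Now ([datetime]'2006-11-14') |
    Format-Table -AutoSize

# Live, whole forest, straight to CSV for whatever you want to join it against:
# $all = Get-ForestDomainNames | ForEach-Object { Get-DomainUserRecords -DomainDns $_ }
# Get-AccountFindings -Records $all -MaxPasswordAgeDays 90 -AllowedMailDomains 'domain.com', 'domain1.com' |
#     Export-Csv -NoTypeInformation -Path .\ad-findings.csv
```

Querying each domain directly rather than the global catalog matters here: pwdLastSet and accountExpires are not in the partial attribute set, so a GC search would come back without them.
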
RE: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy!

2006-11-13 Thread Brian Desmond
I think MS may have signed them all. Dunno if that increases size. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Javier Jarava
 Sent: Monday, November 13, 2006 12:47 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up
 like crazy!
 
 Hi!
 
 Just a quick question to the list, to see what the honorable members (tm)
 think.
 
 I have just d/l some of the the updated sysinternals tools from MS
 (filemon,
 regmon, autoruns and pstools to be precise), and I have noticed that
 most if
 not all the utils have grown in size A LOT.
 
 As an example, this is the change I see from pstools v2.34 and v2.4:
 
 Archive:  SYSINTERNALS PsTools v2.34 -20060710- PsTools.zip
   Length Date   TimeName
     
122880  20/03/06 16:19   psshutdown.exe
 94208  02/08/05 11:14   pskill.exe
 65536  30/03/06 10:05   psloglist.exe
 49152  27/03/06 13:07   psloggedon.exe
106496  21/07/05 10:22   psgetsid.exe
146704  26/07/00 12:00   pdh.dll
 57344  06/04/06 14:52   psservice.exe
 53248  30/12/05 03:15   psfile.exe
135168  11/07/06 09:00   psexec.exe
 63786  08/07/06 11:10   Pstools.chm
135168  13/12/05 09:51   Psinfo.exe
106496  07/11/03 14:42   pssuspend.exe
 86016  01/12/04 17:27   pslist.exe
 57344  16/05/04 08:36   pspasswd.exe
  1969  11/02/06 09:22   Eula.txt
39  10/07/06 13:58   version.txt
     ---
   1281554   16 files
 
 Archive:  SYSINTERNALS PsTools v2.4 -20061101- PsTools.zip
   Length Date   TimeName
     
412472  01/11/06 13:07   psexec.exe
166712  01/11/06 13:06   psfile.exe
322360  01/11/06 13:07   psgetsid.exe
428856  01/11/06 13:07   Psinfo.exe
318264  01/11/06 13:07   pskill.exe
191288  01/11/06 13:06   pslist.exe
162616  01/11/06 13:06   psloggedon.exe
187192  01/11/06 13:06   psloglist.exe
170808  01/11/06 13:06   pspasswd.exe
179000  01/11/06 13:06   psservice.exe
404280  01/11/06 13:07   psshutdown.exe
375608  01/11/06 13:07   pssuspend.exe
 63786  08/07/06 11:10   Pstools.chm
38  15/10/06 16:32   psversion.txt
153672  01/11/06 13:05   pdh.dll
  7005  28/07/06 08:32   Eula.txt
     ---
   3543957   16 files
 
 Just wondering out loud what is the reason for the size change.
 Different
 compiler, maybe?
 
 
 Thanks a lot for your time in reading thus far.
 
   Javier Jarava
 

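To check how much of a size change signing actually accounts for, here is an added example that is not part of the thread: PowerShell that reads each executable's PE header, reports the size of the embedded Authenticode certificate table (data directory entry 4) next to the file size, and shows the signer and validity status Windows reports. The folder path is a placeholder. The same output is the check worth doing before running any downloaded administrative tool on a DC: the status should be Valid and the signer the vendor you expect.

```powershell
# Added example, not from the thread. Reads each PE file's certificate table size (data
# directory entry 4, where the Authenticode signature lives) and shows it beside the file size
# and the signer Windows reports. The folder path below is a placeholder.

function Get-PeSignatureInfo {
    param([string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "$Path is not an MZ executable" }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                           # e_lfanew: offset of "PE\0\0"
    if ($pe -lt 0 -or $pe + 176 -gt $b.Length -or [BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) {
        throw "$Path has no PE header"
    }
    $machine = [BitConverter]::ToUInt16($b, $pe + 4)                  # 0x14C = x86, 0x8664 = x64
    $optHdr  = $pe + 24                                               # 4-byte signature + 20-byte COFF header
    $magic   = [BitConverter]::ToUInt16($b, $optHdr)
    $dirBase = switch ($magic) {
        0x10B   { $optHdr + 96 }                                      # PE32: data directories start here
        0x20B   { $optHdr + 112 }                                     # PE32+
        default { throw ('{0}: unknown optional header magic 0x{1:X}' -f $Path, $magic) }
    }
    $secEntry   = $dirBase + 4 * 8                                    # IMAGE_DIRECTORY_ENTRY_SECURITY, 8 bytes per entry
    $certOffset = [BitConverter]::ToUInt32($b, $secEntry)             # a raw file offset, not an RVA
    $certSize   = [BitConverter]::ToUInt32($b, $secEntry + 4)         # 0 = no embedded signature
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $pct    = [math]::Round(100.0 * $certSize / $b.Length, 1)
    [pscustomobject]@{
        File            = Split-Path -Leaf $Path
        Machine         = ('0x{0:X}' -f $machine)
        FileBytes       = $b.Length
        SignatureOffset = $certOffset
        SignatureBytes  = $certSize
        SignaturePct    = $pct
        Status          = $sig.Status
        Signer          = $signer
    }
}

# Run it over the newer PsTools drop (path is a placeholder); do the same for the older one and compare.
Get-ChildItem -Path 'C:\tools\PsTools-2.4' -Filter *.exe |
    ForEach-Object { Get-PeSignatureInfo -Path $_.FullName } |
    Format-Table File, Machine, FileBytes, SignatureBytes, SignaturePct, Status, Signer -AutoSize
```

An Authenticode signature is a PKCS#7 blob carrying the certificate chain and usually a timestamp countersignature, so it runs to a few kilobytes; the SignaturePct column tells you directly whether signing can explain a file that tripled in size.
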

RE: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?

2006-11-09 Thread Brian Desmond
WSH hosts VBScripts, JScripts, other scripting languages. You
can do some other stuff with it to package scripts and what have you, but, by and
large you just want to pick up VBScript. The 2nd Edition of the Active
Directory Cookbook has a ton of examples that you can likely benefit from as
well.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Thursday, November 09, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?

Hello everyone. After reading through a lot of the
posts on this mailing list, I realize I could make my job easier if I knew how
to script. I have no experience in scripting, but would like to know what
books you recommend as a beginner's book on scripting? Also, I don't
really know the difference between WSH and VBScript, so if anyone could explain
that, I'd appreciate it. After browsing through Amazon, I saw several
books on WSH and VBScript, but don't know which I should focus on. I'm
also open to computer based training (CBT) videos if any exist. Thanks in
advance.


RE: [ActiveDir] mailbox enumeration(OT)

2006-11-09 Thread Brian Desmond
I can think of a couple ways-

You can modify the script here to just count:
http://briandesmond.com/blog/archive/2006/09/04/Script-to-Dump-Exchange-
Mailbox-Info-to-Spreadsheet-_2800_CSV_2900_.aspx 

You can also query the config partition, specifically cn=microsoft
exchange,cn=services,cn=configuration,dc=blah,dc=blech for whatever the
class is for the mailstores, I think msExchPrivateStore or something
similar. Then just iterate each of those and search AD for
homeMDB=DnOfThat. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Thursday, November 09, 2006 8:58 PM
 To: activedirectory
 Subject: [ActiveDir] mailbox enumeration(OT)
 
 Can anyone help me out with a script that will just query every
 exchange server and SG in the org and dump out the # of mailboxes on
 each store to a txt file?
 
 The output is simple, just EX severname-SGname-store-#of mailboxes.
 
 I can get the size of a mailbox or store but I can't seem to just
 query for # of mailboxes on a store and dump that to a text file. Any
 example or suggestion would be appreciated.
 
 Thanks

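The config-partition route Brian outlines, as an added example that is not part of the thread: enumerate the mailbox store objects under CN=Microsoft Exchange, then search each domain for users whose homeMDB is that store, and print one line per store in the form the question asks for. It assumes the store class is msExchPrivateMDB and an account that can read the configuration partition; the domain name and the sample store DN are placeholders. Store DNs contain parentheses, so the homeMDB value has to be escaped before it goes into an LDAP filter, which is the step that usually breaks.

```powershell
# Added example, not from the thread. Counts mailboxes per Exchange 2000/2003 mailbox store:
# enumerate store objects in the configuration partition, then search each domain for users
# whose homeMDB points at that store. Assumes the store class is msExchPrivateMDB and read
# access to the configuration partition; domain name and sample DN are placeholders.

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping. Store DNs contain parentheses ("Mailbox Store (SERVER)"), which would
    # otherwise change the filter's structure; from untrusted input that is filter injection.
    param([string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function ConvertFrom-StoreDn {
    # CN=<store>,CN=<storage group>,CN=InformationStore,CN=<server>,CN=Servers,... -> named parts.
    # Splits on commas that are not escaped with a backslash, so DN-escaped commas survive.
    param([string]$Dn)
    $rdn = ($Dn -split '(?<!\\),') | ForEach-Object { $_ -replace '^CN=', '' }
    [pscustomobject]@{ Server = $rdn[3]; StorageGroup = $rdn[1]; Store = $rdn[0]; Dn = $Dn }
}

function Get-MailboxStores {
    $cfg  = ([adsi]'LDAP://RootDSE').configurationNamingContext
    $base = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Microsoft Exchange,CN=Services,$cfg")
    $s = New-Object System.DirectoryServices.DirectorySearcher($base, '(objectClass=msExchPrivateMDB)', [string[]]@('distinguishedName'))
    $s.PageSize = 1000
    foreach ($r in $s.FindAll()) { ConvertFrom-StoreDn ([string]$r.Properties['distinguishedname'][0]) }
}

function Get-MailboxCountPerStore {
    param([string]$DomainDns, [object[]]$Stores)
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDns")
    foreach ($st in $Stores) {
        $filter = "(&(objectCategory=person)(homeMDB=$(ConvertTo-LdapFilterValue $st.Dn)))"
        $s = New-Object System.DirectoryServices.DirectorySearcher($root, $filter, [string[]]@('distinguishedName'))
        $s.PageSize = 1000
        '{0}-{1}-{2}-{3}' -f $st.Server, $st.StorageGroup, $st.Store, $s.FindAll().Count
    }
}

# Offline check of the DN parsing and the filter escaping on a constructed store DN.
$sampleDn = 'CN=Mailbox Store (EX01),CN=First Storage Group,CN=InformationStore,CN=EX01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com'
ConvertFrom-StoreDn -Dn $sampleDn
"(homeMDB=$(ConvertTo-LdapFilterValue $sampleDn))"

# Live run, one line per store in the servername-SGname-store-count form the question asks for:
# Get-MailboxCountPerStore -DomainDns 'example.com' -Stores (Get-MailboxStores) | Out-File .\mailboxcounts.txt
```

Users from every domain that hosts mailboxes need to be counted, so in a multi-domain forest run Get-MailboxCountPerStore once per domain and add the counts per store.
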

RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

2006-11-07 Thread Brian Desmond
I'd use ADMT; at a minimum you'll want to run the security
translation wizard if you don't use the move computer wizard. MSSQL will
require some manual work. I have no idea about Citrix.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Tuesday, November 07, 2006 12:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

Thanks to advice from the ActiveDir community (this mailing
list) and Microsoft's ADMT and ExMerge, we have successfully completed an
interforest migration - of users, computers, and mailboxes. Next up: the
servers, 12 of them. Two DC's, the rest are made up of file, print, Exchange,
MS SQL (integrated auth), Citrix, and backup. The source forest will no longer
be necessary in a few weeks. Would you recommend using ADMT for the servers as
well? I know that the DC's and Exchange server will be done manually.. 

Thanks,
...D


RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

2006-11-07 Thread Brian Desmond
ADMT3 can replace subinacl

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, November 07, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

if you just want to migrate the servers from one domain to the
other, you can use ADMT. However... if you also need to translate data, that is
another story.

File based data - ADMT
Print services - SUBINACL
Services - SUBINACL
Shares - SUBINACL
Registry - SUBINACL
IIS - third party
SQL - third party
Citrix - don't know

PS.: SUBINACL is in the resource kit, but make sure to download the latest version

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server- Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Danny
Sent: Tue 2006-11-07 18:24
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

Thanks to advice from the ActiveDir community (this mailing
list) and Microsoft's ADMT and ExMerge, we have successfully completed an
interforest migration - of users, computers, and mailboxes. Next up: the
servers, 12 of them. Two DC's, the rest are made up of file, print, Exchange,
MS SQL (integrated auth), Citrix, and backup. The source forest will no longer
be necessary in a few weeks. Would you recommend using ADMT for the servers as
well? I know that the DC's and Exchange server will be done manually.. 

Thanks,
...D


RE: [ActiveDir] Decommissioning a DC

2006-11-07 Thread Brian Desmond
Well if you have some crappy app that is hardcoded to it by name
or ip it will break, but that's fine; you need to fix those problems anyway.

Otherwise do it and forget about it.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Tuesday, November 07, 2006 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Decommissioning a DC

We have several DCs in our environment all of which are 2003 SP1 servers except
for one. I am preparing to demote this one through DCPromo this
weekend. All of our DCs are also GCs, including this last remaining
2000 server. It does not own any FSMO roles. The Exchange RUS
services are not using this DC. We are a single site and domain.

Is there anything unique about demoting the last 2000 DC, given there are plenty
of other 2003 DC/GCs available?

Bryan Lucas
Server Administrator
Texas Christian University


RE: [ActiveDir] OT - USB HD no boot

2006-11-05 Thread Brian Desmond
That is possible, then. G4 was when they added the USB ports on the
front and the usb key stuff. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Albert Duro
 Sent: Sunday, November 05, 2006 1:17 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT - USB HD no boot
 
 DL380 R03 P2400XEON US
 
 Product #: 257917-001
 
 Thank you, Brian
 
 - Original Message -
 From: Brian Desmond [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Saturday, November 04, 2006 6:09 PM
 Subject: RE: [ActiveDir] OT - USB HD no boot
 
 
 What generation and model is the server - DL is just the make, still
 need the model and year. :)
 
 Thanks,
 Brian Desmond
 [EMAIL PROTECTED]
 
 c - 312.731.3132
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:ActiveDir-
  [EMAIL PROTECTED] On Behalf Of Albert Duro
  Sent: Saturday, November 04, 2006 3:51 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OT - USB HD no boot
 
  Nothing doing.  I tried it on a 3-year old Proliant DL.  I couldn't
  find any
  USB settings, not in the boot order, not in the boot selections, not
  anywhere.  It's back to the old switch and bai...er...boot
 
  - Original Message -
  From: Albert Duro [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Friday, November 03, 2006 7:14 PM
  Subject: Re: [ActiveDir] OT - Backup Follies
 
 
   That's a great revelation.  Thank you.  I'll try it first thing in
  the
   morning.
  
   - Original Message -
   From: Laura A. Robinson [EMAIL PROTECTED]
   To: ActiveDir@mail.activedir.org
   Sent: Friday, November 03, 2006 2:25 PM
   Subject: RE: [ActiveDir] OT - Backup Follies
  
  
   Remember when I asked about the BIOS? :-)
  
   http://www.microsoft.com/whdc/device/storage/usb-boot.mspx
  
   You can check out the links at the end for more information, but
  again,
   this
   is set in the BIOS of the machine.
  
   Laura
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Bob
  Anderson
   Sent: Friday, November 03, 2006 4:03 PM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] OT - Backup Follies
  
   Susan,
   How did you do that I would love to be able to  reboot
   with a worry.
  
  
   Bob
   IT Guy
  
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of
   Susan Bradley,
   CPA aka Ebitz - SBS Rocks [MVP]
   Sent: Friday, November 03, 2006 3:04 PM
   To: ActiveDir@mail.activedir.org
   Subject: Re: [ActiveDir] OT - Backup Follies
  
   And on my DC I removed the USB drive as a boot device.
  
   So now I can be at home in my jammies and remotely reboot the
  server
   with no issues and it will reboot just fine.
  
   Bob Anderson wrote:
Laura,
Yeah, that one bit me big time.  Had our Domain Controller running and
added a USB Drive all was fine.  Along came Microsoft with the darned
Updates and their 'Computer Must be restarted' Well it restarted
alright and would not reboot.  Talked to IBM Server Support for 4
hours before I finally figured it out myself.  That was the only time
I ever taught something to them and not the other way around.

I have since updated the restart procedure to say 'Power off the USB
drive before the system restarts.'
   
   
Bob
IT Guy
   
   
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura
 A.
Robinson
Sent: Friday, November 03, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - Backup Follies
   
Umm, that was kinda the point I was trying to make, Bob. :-)
   
Laura
   
   
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
   Bob Anderson
Sent: Friday, November 03, 2006 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - Backup Follies
   
Laura,
It doesn't matter what the boot order is. Most servers have an
internal Raid configuration that doesn't kick in until after the
machine goes through its start up and by then it has found the USB
and not the hard disks.
   
And yes I have this on two of my servers.
   
Bob Anderson
IT Guy
Kent Sporting Goods
433 Park Ave. S
New London OH 44851
419-929-7021 x315
email: [EMAIL PROTECTED]
   
   
   
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Laura
  A.
Robinson
Sent: Friday, November 03, 2006 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - Backup Follies
   
What's the boot order in the BIOS on those machines?
   
Laura
   
   
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf

[ActiveDir] Subnet Object Question

2006-11-05 Thread Brian Desmond
Question on Subnet Objects: It appears that there is not an actual property designated for the subnet
network/mask. Does anyone know whether AD uses the name or cn
for this information?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


RE: [ActiveDir] Subnet Object Question

2006-11-05 Thread Brian Desmond
Well yes, but I'm wondering which one is the actual value used.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Sunday, November 05, 2006 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Subnet Object Question

Hi Brian,

The following represents subnet 10.1.1.0/24, as you can
see, it is used in the CN and NAME

Expanding base
'CN=10.1.1.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=AD,DC=LAN'...
Result 0: (null)
Matched DNs: 
Getting 1 entries:
 Dn: CN=10.1.1.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=AD,DC=LAN
2 objectClass: top; subnet; 
1 cn: 10.1.1.0/24; 
1 distinguishedName:
CN=10.1.1.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=AD,DC=LAN; 
1 instanceType: 0x4 = ( IT_WRITE ); 
1 whenCreated: 09/07/2006 21:17:43 W. Europe Standard Time W. Europe
Daylight Time; 
1 whenChanged: 09/07/2006 21:17:43 W. Europe Standard Time W. Europe
Daylight Time; 
1 uSNCreated: 13938; 
1 uSNChanged: 13938; 
1 showInAdvancedViewOnly: TRUE; 
1 name: 10.1.1.0/24; 
1 objectGUID: d69ed007-4556-4f85-b018-d6ff405ae2f1; 
1 systemFlags: 0x4000 = ( FLAG_CONFIG_ALLOW_RENAME ); 
1 siteObject: CN=HQ,CN=Sites,CN=Configuration,DC=AD,DC=LAN; 
1 objectCategory: CN=Subnet,CN=Schema,CN=Configuration,DC=AD,DC=LAN

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server- Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Sun 2006-11-05 22:08
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Subnet Object Question

Question on Subnet Objects: It appears that there is not an actual property designated for the subnet
network/mask. Does anyone know whether AD uses the name or cn for this
information?

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


RE: [ActiveDir] Subnet Object Question

2006-11-05 Thread Brian Desmond








As the actual representative
subnet  if CN=foo and name=10.10.10.0/24 will the match occur or vice versa if
CN=10.10.10.0/24 and name=foo will the match occur? In other words which of the
two attributs represents the actual subnet info?





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura
A. Robinson
Sent:
Sunday, November 05, 2006 4:43 PM
To:
ActiveDir@mail.activedir.org
Subject:
RE: [ActiveDir] Subnet Object Question









Used for what?













From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian
Desmond
Sent:
Sunday, November 05, 2006 4:31 PM
To:
ActiveDir@mail.activedir.org
Subject:
RE: [ActiveDir] Subnet Object Question

Well yes, but Im wondering
which one is the actual value used. 

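As an added example that is not part of the thread: PowerShell that reads the subnet objects from CN=Subnets in the configuration partition, takes the network/prefix from the object's RDN (the value that is both cn and name, as the ldp output above shows) and the site from siteObject, and resolves a client address to a site with the longest-prefix match the DC locator applies. The two subnet records at the bottom are constructed so the matching can run without a forest; the live reader assumes a domain-joined machine. It also flags a subnet object whose name carries host bits, and an address that matches no subnet returns nothing, which is the case that produces site-less clients.

```powershell
# Added example, not from the thread. AD keeps a subnet object's network/prefix only in its
# RDN (cn, mirrored in name) and links it to a site through siteObject. This reads those
# objects and resolves an address to a site by longest-prefix match. IPv4 only.
# The two subnet records at the bottom are constructed for offline use.

function ConvertTo-IPv4UInt32 {
    param([System.Net.IPAddress]$Ip)
    if ($Ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { throw "IPv4 only: $Ip" }
    $bytes = $Ip.GetAddressBytes()
    [Array]::Reverse($bytes)                                  # network byte order -> host order
    [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertTo-SubnetRecord {
    # "10.10.41.0/24" plus the siteObject DN -> record with numeric network and mask.
    param([string]$Name, [string]$SiteDn)
    if ($Name -notmatch '^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$') { return }   # IPv6 subnets skipped here
    $prefix = [int]$Matches[2]
    if ($prefix -gt 32) { return }
    $mask    = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))
    $stated  = ConvertTo-IPv4UInt32 ([System.Net.IPAddress]::Parse($Matches[1]))
    $network = [uint32]($stated -band $mask)
    [pscustomobject]@{
        Name        = $Name
        Site        = (($SiteDn -split '(?<!\\),')[0] -replace '^CN=', '')
        Prefix      = $prefix
        Mask        = $mask
        Network     = $network
        HostBitsSet = ($stated -ne $network)                  # name carries host bits: misconfigured object
    }
}

function Get-AdSubnetRecords {
    # Live read of CN=Subnets in the configuration partition; needs a reachable DC.
    $cfg  = ([adsi]'LDAP://RootDSE').configurationNamingContext
    $base = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Subnets,CN=Sites,$cfg")
    $s = New-Object System.DirectoryServices.DirectorySearcher($base, '(objectClass=subnet)', [string[]]@('name', 'siteObject'))
    $s.PageSize = 1000
    foreach ($r in $s.FindAll()) {
        ConvertTo-SubnetRecord -Name ([string]$r.Properties['name'][0]) -SiteDn ([string]$r.Properties['siteobject'][0])
    }
}

function Find-SiteForAddress {
    # Longest prefix wins: a /24 carved out of a /16 takes the addresses inside the /24.
    # Returns nothing when no subnet covers the address (a site-less client).
    param([string]$Address, [object[]]$Subnets)
    $ip = ConvertTo-IPv4UInt32 ([System.Net.IPAddress]::Parse($Address))
    $Subnets | Where-Object { $_ -and (($ip -band $_.Mask) -eq $_.Network) } |
        Sort-Object -Property Prefix -Descending | Select-Object -First 1
}

# Constructed sample: a /16 assigned to one site and a /24 inside it assigned to another.
$sampleSubnets = @(
    (ConvertTo-SubnetRecord -Name '10.10.0.0/16'  -SiteDn 'CN=Primary,CN=Sites,CN=Configuration,DC=example,DC=com'),
    (ConvertTo-SubnetRecord -Name '10.10.41.0/24' -SiteDn 'CN=Secondary,CN=Sites,CN=Configuration,DC=example,DC=com')
)
Find-SiteForAddress -Address '10.10.41.104' -Subnets $sampleSubnets   # covered by both; the /24 is the longer match
Find-SiteForAddress -Address '10.10.7.9'    -Subnets $sampleSubnets   # covered only by the /16

# Live: Find-SiteForAddress -Address '10.10.41.104' -Subnets (Get-AdSubnetRecords)
# Live audit of misnamed objects: Get-AdSubnetRecords | Where-Object { $_.HostBitsSet }
```

Because the subnet is read from the RDN, renaming the object is what changes the subnet; the cn and name attributes cannot disagree, which is the practical answer to the question of which one is used.
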
RE: [ActiveDir] OT - USB HD no boot

2006-11-05 Thread Brian Desmond
Another thing, on HPQ's site if you go under support/downloads and
search DL380 G3 you'll get some choices, among them DL380 Rack server or
something like that, once you choose that you get all the downloads. One
of them is a utility for formatting USB Keys for booting 380s. Never
used it but it's there. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Laura A. Robinson
 Sent: Sunday, November 05, 2006 10:30 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT - USB HD no boot
 
 And have you tried booting the server with the USB drive formatted as a
 system drive? So far, your original statement has not been proven, and if
 the server boots properly with that USB drive formatted in a bootable
 fashion, then your original statement is actually *disproven*. Also, I don't
 know if you actually read the entire article that Susan provided (I'm not
 accusing you of not having read it, mind you), but if you haven't, you'll
 definitely want to. Based on the information there, I'd find it more likely
 than not that your particular DL 380s are capable of booting from USB
 devices.
 
 Laura
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Albert Duro
  Sent: Sunday, November 05, 2006 9:48 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OT - USB HD no boot
 
  I could not find the letters USB anywhere in the BIOS, and I
  looked down every menu tree.  The paper you reference says
  that the DL380 does not support hot plug USB.  It really
  looks like my original statement that some machines cannot
  boot with a live USB HD stands.  Strangely enough, though,
  the machine isn't bothered by a USB memory stick or a USB diskette.
  BTW it also does not have a USB port in the front.  What were
  they thinking?
 
  - Original Message -
  From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
  [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Sunday, November 05, 2006 12:25 PM
  Subject: Re: [ActiveDir] OT - USB HD no boot
 
 
   HP provides support for USB devices prior to the operating system loading
   through legacy USB support, which is enabled by default in the system ROM.

   http://h18004.www1.hp.com/products/servers/platforms/usb-support.html

   Can you disable that in the bios?  Disable legacy USB support?
  
   Brian Desmond wrote:
   That is possible, then. G4 was when they added the USB ports on
 the
   front and the usb key stuff.
   Thanks,
   Brian Desmond
   [EMAIL PROTECTED]
  
   c - 312.731.3132
  
  
  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:ActiveDir-
   [EMAIL PROTECTED] On Behalf Of Albert Duro
   Sent: Sunday, November 05, 2006 1:17 PM
   To: ActiveDir@mail.activedir.org
   Subject: Re: [ActiveDir] OT - USB HD no boot
  
   DL380 R03 P2400XEON US
  
   Product #: 257917-001
  
   Thank you, Brian
  
   - Original Message -
   From: Brian Desmond [EMAIL PROTECTED]
   To: ActiveDir@mail.activedir.org
   Sent: Saturday, November 04, 2006 6:09 PM
   Subject: RE: [ActiveDir] OT - USB HD no boot
  
  
    What generation and model is the server - DL is just the make, still
    need the model and year. :)
  
   Thanks,
   Brian Desmond
   [EMAIL PROTECTED]
  
   c - 312.731.3132
  
  
  
   -Original Message-
   From: [EMAIL PROTECTED] [mailto:ActiveDir-
   [EMAIL PROTECTED] On Behalf Of Albert Duro
   Sent: Saturday, November 04, 2006 3:51 PM
   To: ActiveDir@mail.activedir.org
   Subject: Re: [ActiveDir] OT - USB HD no boot
  
    Nothing doing.  I tried it on a 3-year old Proliant DL.  I couldn't
    find any USB settings, not in the boot order, not in the boot
    selections, not anywhere.  It's back to the old switch and bai...er...boot
  
   - Original Message -
   From: Albert Duro [EMAIL PROTECTED]
   To: ActiveDir@mail.activedir.org
   Sent: Friday, November 03, 2006 7:14 PM
   Subject: Re: [ActiveDir] OT - Backup Follies
  
  
  
    That's a great revelation.  Thank you.  I'll try it first thing in
    the morning.
  
   - Original Message -
   From: Laura A. Robinson [EMAIL PROTECTED]
   To: ActiveDir@mail.activedir.org
   Sent: Friday, November 03, 2006 2:25 PM
   Subject: RE: [ActiveDir] OT - Backup Follies
  
  
  
   Remember when I asked about the BIOS? :-)
  
   http://www.microsoft.com/whdc/device/storage/usb-boot.mspx
  
    You can check out the links at the end for more information, but
    again, this is set in the BIOS of the machine.
  
   Laura
  
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Bob
  
   Anderson
  
   Sent: Friday, November 03, 2006 4:03 PM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] OT - Backup Follies
  
   Susan,
   How did you do that I would love to be able to  reboot

RE: [ActiveDir] /3GB and/or /USERVA and/or /PAE???

2006-11-04 Thread Brian Desmond

You do want /3GB on the DCs but not /PAE. The older ones with 2GB don't need
either. What I want to know is why you're not loading x64 Windows, which solves
this problem?

Given your DIT is at 2.4GB and growing, if you want to get it into memory
(better perf) it will fit now but it shortly won't; buy more RAM. Quad proc is
a lot of horsepower; must be some busy sites you're putting these into.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
Sent: Saturday, November 04, 2006 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] /3GB and/or /USERVA and/or /PAE???

Hi all,

We're running a Server 2003 AD environment across 110 DCs across North America
and Europe. We have physical DCs on a variety of fairly new hardware and ESX VMs.

Older server hardware, approx two years old:
quad proc
2GB ram

ESX VMs:
dual proc
3.6GB ram

New server hardware, from this summer:
quad proc
4GB ram

Our DIT is around 2.3-2.4 GB and still growing slowly as we continue migrations
of users. Server migrations coming next. There's no Exchange in our environment
and the DCs are single-purpose as we don't permit anything else to be loaded on
them (except for SYSVOL, antivirus, and monitoring tools, of course).

My concern is that none of the older hardware or the VMs are running /3GB or
/PAE. Some of the new hardware is running /PAE and some is not. I would like to
have some degree of consistency.

From what I can tell, running /3GB would make sense on the VMs and the newer
physical boxes as it would permit more RAM to be allocated to LSASS. If we use
/3GB do we need to, or want to, use /USERVA?

I don't see any advantage, and in fact a disadvantage, to running /PAE. The
disadvantage may just be bad press but it appears that there are issues with
/PAE compatibility. Also, it appears that /PAE has no impact at or below 4GB?

I read another thread from earlier this summer that the VMs should probably be
replaced. We're looking into that but it will take a while. The thread seemed
to indicate that /3GB might be the way to go.

Anyway, I would like to know what you're running and/or would recommend. Called
Microsoft about this and they looked up the same article that we already had
but seemed to offer no advice based on real world experience. You guys are
where the rubber meets the road.

Thanks,
Mike
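
An added example, not code from the thread or from Microsoft: a PowerShell audit that gives Mike the consistency check he asks for. It reads boot.ini from each DC's C$ admin share, picks out the switches on the default entry, pulls installed RAM over WMI, and flags the combinations the reply argues against (/PAE on a DC, no /3GB on a box with more than 2 GB, /USERVA without /3GB, which is ignored because /USERVA only tunes the /3GB split). The DC names dc01 and dc02, the sample boot.ini text and all function names are assumptions. On x64 Windows, which the reply recommends, none of these switches apply.

```powershell
# Added example (not from the thread). Parses boot.ini switches and audits a
# list of Server 2003 DCs against the advice in the reply.

function Get-BootIniSwitches {
    param([string[]]$BootIniLines)
    # [boot loader] names the entry that boots by default; the matching line in
    # [operating systems] is where the /3GB, /USERVA and /PAE switches live.
    $defaultArc = $null
    foreach ($line in $BootIniLines) {
        if ($line -match '^\s*default\s*=\s*(\S+)') { $defaultArc = $Matches[1]; break }
    }
    if (-not $defaultArc) { throw 'boot.ini has no default= line' }
    foreach ($line in $BootIniLines) {
        # e.g. multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003" /fastdetect /3GB
        if ($line -match '^\s*(\S+)\s*=\s*"[^"]*"(.*)$' -and $Matches[1] -eq $defaultArc) {
            # Upper-case so /3gb and /3GB compare equal
            return @($Matches[2] -split '\s+' | Where-Object { $_ -like '/*' } |
                     ForEach-Object { $_.ToUpperInvariant() })
        }
    }
    throw "no [operating systems] entry matches default $defaultArc"
}

function Test-DcBootSwitches {
    param([string]$Name, [string[]]$Switches, [double]$RamGB)
    $findings = @()
    $has3GB = $Switches -contains '/3GB'
    if ($Switches -contains '/PAE') {
        $findings += "$Name`: /PAE is set; the advice is /3GB on DCs but not /PAE"
    }
    if ($RamGB -gt 2 -and -not $has3GB) {
        $findings += "$Name`: $RamGB GB RAM without /3GB, so LSASS is capped at 2 GB of address space"
    }
    if ($RamGB -le 2 -and $has3GB) {
        $findings += "$Name`: /3GB on a $RamGB GB box buys nothing (2 GB boxes need neither switch)"
    }
    $userva = @($Switches | Where-Object { $_ -like '/USERVA=*' })
    if ($userva.Count -gt 0 -and -not $has3GB) {
        $findings += "$Name`: $($userva[0]) is ignored without /3GB; /USERVA only tunes the /3GB split"
    }
    return $findings
}

function Invoke-DcBootAudit {
    param([string[]]$DomainControllers)
    $report = foreach ($dc in $DomainControllers) {
        $lines = Get-Content -Path "\\$dc\C$\boot.ini"
        $ramGB = [math]::Round((Get-WmiObject -Class Win32_ComputerSystem -ComputerName $dc).TotalPhysicalMemory / 1GB, 1)
        $switches = Get-BootIniSwitches -BootIniLines $lines
        New-Object PSObject -Property @{
            DC = $dc; RamGB = $ramGB; Switches = ($switches -join ' ')
            Findings = (Test-DcBootSwitches -Name $dc -Switches $switches -RamGB $ramGB)
        }
    }
    $report | Format-Table DC, RamGB, Switches -AutoSize
    $report | ForEach-Object { $_.Findings }
    # The consistency view: one line per distinct switch set across the fleet
    $report | Group-Object Switches | Select-Object Count, Name
}

# Constructed sample so the parser can be tried offline before touching real DCs
$sampleBootIni = @'
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /3GB /PAE
'@ -split "`r?`n"
$sampleSwitches = Get-BootIniSwitches -BootIniLines $sampleBootIni
Test-DcBootSwitches -Name 'sample' -Switches $sampleSwitches -RamGB 4

# Invoke-DcBootAudit -DomainControllers @('dc01', 'dc02')   # hypothetical names
```

Run it from a workstation with Domain Admin rights; the Group-Object line at the end is the answer to "some degree of consistency": every distinct switch set in the fleet with a count, so the odd ones out are obvious before anyone edits boot.ini by hand.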

RE: [ActiveDir] OT - USB HD no boot

2006-11-04 Thread Brian Desmond
What generation and model is the server - DL is just the make, still
need the model and year. :)

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Albert Duro
 Sent: Saturday, November 04, 2006 3:51 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT - USB HD no boot
 
 Nothing doing.  I tried it on a 3-year old Proliant DL.  I couldn't
 find any
 USB settings, not in the boot order, not in the boot selections, not
 anywhere.  It's back to the old switch and bai...er...boot
 
 - Original Message -
 From: Albert Duro [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Friday, November 03, 2006 7:14 PM
 Subject: Re: [ActiveDir] OT - Backup Follies
 
 
  That's a great revelation.  Thank you.  I'll try it first thing in
 the
  morning.
 
  - Original Message -
  From: Laura A. Robinson [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Friday, November 03, 2006 2:25 PM
  Subject: RE: [ActiveDir] OT - Backup Follies
 
 
  Remember when I asked about the BIOS? :-)
 
  http://www.microsoft.com/whdc/device/storage/usb-boot.mspx
 
  You can check out the links at the end for more information, but
 again,
  this
  is set in the BIOS of the machine.
 
  Laura
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Bob
 Anderson
  Sent: Friday, November 03, 2006 4:03 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT - Backup Follies
 
  Susan,
   How did you do that? I would love to be able to reboot
   without a worry.
 
 
  Bob
  IT Guy
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
  Susan Bradley,
  CPA aka Ebitz - SBS Rocks [MVP]
  Sent: Friday, November 03, 2006 3:04 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OT - Backup Follies
 
  And on my DC I removed the USB drive as a boot device.
 
  So now I can be at home in my jammies and remotely reboot the
 server
  with no issues and it will reboot just fine.
 
  Bob Anderson wrote:
   Laura,
    Yea that one bit me big time.  Had our Domain Controller running
  and
    added a USB Drive all was fine.  Along came Microsoft with the darned
    Updates and their 'Computer Must be restarted'. Well it restarted
    alright and would not reboot.  Talked to IBM Server Support for 4
    hours before I finally figured it out myself.  That was the only time
    I ever taught something to them and not the other way around.
  
    I have since updated the restart procedure to say 'Power off the USB
    drive before the system restarts.'
  
  
   Bob
   IT Guy
  
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Laura
A.
   Robinson
   Sent: Friday, November 03, 2006 11:41 AM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] OT - Backup Follies
  
   Umm, that was kinda the point I was trying to make, Bob. :-)
  
   Laura
  
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of
  Bob Anderson
   Sent: Friday, November 03, 2006 11:09 AM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] OT - Backup Follies
  
   Laura,
    It doesn't matter what the boot order is. Most servers have an
    internal Raid configuration that doesn't kick in until after the
    machine goes through its start up and by then it has found the USB
    and not the hard disks.
  
   And yes I have this on two of my servers.
  
   Bob Anderson
   IT Guy
   Kent Sporting Goods
   433 Park Ave. S
   New London OH 44851
   419-929-7021 x315
   email: [EMAIL PROTECTED]
  
  
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Laura
 A.
   Robinson
   Sent: Friday, November 03, 2006 10:52 AM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] OT - Backup Follies
  
   What's the boot order in the BIOS on those machines?
  
   Laura
  
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of
  Albert Duro
   Sent: Friday, November 03, 2006 10:54 AM
   To: ActiveDir@mail.activedir.org
   Subject: Re: [ActiveDir] OT - Backup Follies
  
    Ah, that brings up another interesting point.  I use USB external hard
    drives too, and I've found that some WinXP and Server2003 machines will
    not boot if a USB hard drive is attached--I have to remember to turn it
    off while booting.
    Anyone else seen this?
  
   - Original Message -
   From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
   [EMAIL PROTECTED]
   To: ActiveDir@mail.activedir.org
   Sent: Thursday, November 02, 2006 9:02 PM
    Subject: Re: [ActiveDir] OT - Backup Follies (was) Exchange Log files --Disk Full--

    No tape drives here.  If it has a USB connection we are in business

RE: [ActiveDir] Phantom Exchange server(OT)

2006-11-04 Thread Brian Desmond

 Can i just delete it from the config NC with adsiedit.msc?
 is there anything else I should worry about?

I generally take this route

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Saturday, November 04, 2006 7:27 PM
 To: activedirectory
 Subject: [ActiveDir] Phantom Exchange server(OT)
 
 I have a server that used to be a clustered Exchange box.
 Exchange and MSCS were removed (I don't know how), but the Exchange
 server object is still in the config NC and ESM.
 I can't right click the server in ESM and select remove.
 The ex cluster 2 nodes are still live and in the domain.
 
 The exchange server cluster name is still in AD and in the Exchange
 servers GG
 
 The exchange server was not a bridgehead or route master or default PF
 server or any other exchange specific services.
 
 My question is, what is the best way to remove the exchange attributes
 of this server from AD?
 
 Can i just delete it from the config NC with adsiedit.msc?
 is there anything else I should worry about?
 
 Thanks a lot!
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
http://www.mail-archive.com/activedir@mail.activedir.org/
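
An added example, not the poster's procedure or Microsoft's tooling: the same deletion Tom describes doing in adsiedit.msc, done with PowerShell and ADSI, plus the check that answers "is there anything else I should worry about". It locates the msExchExchangeServer object under CN=Microsoft Exchange in the Configuration NC, refuses to delete while a routing group or connector still names the server as master or bridgehead, and only then removes the subtree and drops the cluster name's computer account from the Exchange servers group. Assumptions: a single domain, the group is the Exchange 2003 default "Exchange Domain Servers", the server name EXCLUSTER1 is made up, and it runs with Exchange Full Administrator rights.

```powershell
# Added example (not the poster's or Microsoft's code). Needs Exchange Full
# Administrator rights; works with plain ADSI, no RSAT or Exchange tools.

function Find-ExchangeServerObject {
    param([string]$ServerName)
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $root = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(&(objectClass=msExchExchangeServer)(cn=$ServerName))")
    $searcher.SearchScope = 'Subtree'
    $hits = @($searcher.FindAll())
    if ($hits.Count -ne 1) { throw "expected one msExchExchangeServer named $ServerName, found $($hits.Count)" }
    return $hits[0].Properties['distinguishedname'][0]
}

function Find-ReferencesToServer {
    param([string]$ServerDN)
    # A routing group stores its master in msExchRoutingMasterDN and a connector
    # its bridgeheads in msExchSourceBridgeheadServersDN; both are DN-syntax, so
    # an exact-match filter finds anything still pointing at this server.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $root = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
    $filter = "(|(msExchRoutingMasterDN=$ServerDN)(msExchSourceBridgeheadServersDN=$ServerDN))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.SearchScope = 'Subtree'
    return @($searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] })
}

function Remove-StaleExchangeServer {
    param([string]$ServerName, [switch]$Delete)
    $dn = Find-ExchangeServerObject -ServerName $ServerName
    Write-Host "Exchange server object: $dn"
    $refs = Find-ReferencesToServer -ServerDN $dn
    if ($refs.Count -gt 0) {
        Write-Warning "Still referenced (repoint these first): $($refs -join '; ')"
        return
    }
    if (-not $Delete) { Write-Host 'Dry run only; re-run with -Delete to remove it.'; return }
    # DeleteTree removes the server and its children (MTA, information store,
    # protocol containers), the same subtree ESM would drop on Remove.
    ([ADSI]"LDAP://$dn").DeleteTree()
    # The cluster name's computer account is also in the group that grants
    # Exchange servers rights over mailboxes; take it out so a rebuilt host with
    # that name is not trusted by accident. Group name assumed (Exchange 2003 default).
    $domainNC = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $domain = [ADSI]"LDAP://$domainNC"
    $group = (New-Object System.DirectoryServices.DirectorySearcher($domain, '(&(objectClass=group)(cn=Exchange Domain Servers))')).FindOne()
    $computer = (New-Object System.DirectoryServices.DirectorySearcher($domain, "(&(objectClass=computer)(cn=$ServerName))")).FindOne()
    if ($group -and $computer) {
        $group.GetDirectoryEntry().Remove($computer.Path)
        Write-Host "Removed $($computer.Path) from Exchange Domain Servers"
    }
}

Remove-StaleExchangeServer -ServerName 'EXCLUSTER1'           # hypothetical name; dry run
# Remove-StaleExchangeServer -ServerName 'EXCLUSTER1' -Delete
```

The dry run prints the DN it would delete, so compare it with what ESM shows before adding -Delete. The reference check only covers the config NC; mailboxes still homed on a database under that server (homeMDB) have to be moved first, which in Tom's case should already be true since Exchange was uninstalled from the cluster.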


RE: [ActiveDir] DC crashed

2006-11-03 Thread Brian Desmond
1 and 2 yes, 3 is certainly unnecessary. 4 I suppose if you don't think you 
squared things away or you only have a few.
 
--brian



From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny
Sent: Fri 11/3/2006 5:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC crashed




1) I would Google how to seize the FSMO roles.

2) Google how to clean up metadata for the failed DC

3) Once all of that is done, I would still use a different name and IP
for the rebuilt server before going on with a DCPROMO. Unless you had to
use the same.

4) Use DCDIAG on the other DCs prior to and after promoting the rebuilt
one.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Friday, November 03, 2006 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC crashed

Did you delete this server object from ADUC? If not, that's probably
what you need to do.


--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Clingaman,
Bruce
Sent: Friday, November 03, 2006 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC crashed
   
   
I apologize for not doing my homework first, but I'm in a pickle
and need help fast.

One of my domain controllers (which held all the fsmo roles)
crashed and I had to reinstall.
Now that I've reinstalled, I'm ready to rejoin and promote. But
I can't; I get "User already exists" when trying to join.
I am using the same computer name as before. I have not deleted
or changed anything in the directory on the other server yet.
What do I need to do to get my old server back as a domain
controller?
Links to articles or even words to search by would be of great
help.

Thanks for any advice.

Bruce.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
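
An added example of steps 1 and 2 from Johnny's list (the two Brian confirms), as the commands would be typed on a surviving Server 2003 SP1 DC; it is not part of the thread. ntdsutil accepts its menu commands as quoted arguments, so the seize and the metadata cleanup can be reviewed as a script before they run. DC1 (dead, held all five roles) and DC2 (survivor) are hypothetical names; the script assumes Enterprise Admin plus Schema Admin membership, since the schema master is among the seized roles.

```powershell
# Added example, not from the thread. Run on the surviving DC as an Enterprise
# Admin who is also in Schema Admins.
$Survivor = 'DC2'   # hypothetical: the DC that will take the roles
$DeadDC   = 'DC1'   # hypothetical: the crashed DC that held all five roles

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.configurationNamingContext
$domainNC = $rootDse.defaultNamingContext

# Guard: seizing a role from a DC that is still alive leaves two holders. A ping
# is a crude test, so also confirm by hand that the old box is really gone.
if (Test-Connection -ComputerName $DeadDC -Count 1 -Quiet) {
    throw "$DeadDC still answers; transfer the roles instead of seizing them"
}

# The dead DC's server object lives under its site in the Configuration NC
$sitesRoot = [ADSI]"LDAP://CN=Sites,$configNC"
$s = New-Object System.DirectoryServices.DirectorySearcher($sitesRoot, "(&(objectClass=server)(cn=$DeadDC))")
$hit = $s.FindOne()
if (-not $hit) { throw "no server object named $DeadDC under CN=Sites" }
$serverDN = $hit.Properties['distinguishedname'][0]

# 1. Seize all five FSMO roles onto the survivor. ntdsutil tries a clean
#    transfer first and only seizes when the old holder cannot be reached.
ntdsutil roles connections "connect to server $Survivor" quit `
    "seize schema master" "seize domain naming master" "seize RID master" `
    "seize PDC" "seize infrastructure master" quit quit

# 2. Remove the dead DC's metadata. On 2003 SP1 "remove selected server" takes the
#    server DN directly and also deletes the NTDS Settings object, the FRS member
#    object and the DC's computer account.
ntdsutil "metadata cleanup" "remove selected server $serverDN" quit quit

# If the join still reports that the account exists, a DC computer account was
# left behind (pre-SP1 cleanup does not delete it). Removing it lets the rebuilt
# box join under the same name, so Johnny's step 3 is not needed.
$domainRoot = [ADSI]"LDAP://$domainNC"
$c = New-Object System.DirectoryServices.DirectorySearcher($domainRoot, "(&(objectClass=computer)(cn=$DeadDC))")
$stale = $c.FindOne()
if ($stale) {
    Write-Warning "Deleting leftover computer account $($stale.Properties['distinguishedname'][0])"
    $stale.GetDirectoryEntry().DeleteTree()
}

# Verify before promoting the rebuilt box (Johnny's step 4, which Brian keeps
# for the "not sure you squared things away" case): roles on the survivor,
# replication clean, no errors from dcdiag.
netdom query fsmo
repadmin /showrepl $Survivor
dcdiag /s:$Survivor /q
```

Two things the script does not do: the dead DC's SRV and A records in the _msdcs zone stay behind and are removed by hand in the DNS console, and if the dead box ever comes back it must be rebuilt from scratch, never reconnected, because it still believes it owns the roles that were seized.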



RE: [ActiveDir] OT - Backup Follies

2006-11-03 Thread Brian Desmond
Compaq ILO/RILOE board, Dell DRAC, IBM Remote Access, IP KVM + APC PDU
w/ remote access are all viable options...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Bob Anderson
 Sent: Friday, November 03, 2006 4:03 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT - Backup Follies
 
 Susan,
    How did you do that? I would love to be able to reboot without a worry.
 
 
 Bob
 IT Guy
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan
Bradley,
 CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Friday, November 03, 2006 3:04 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT - Backup Follies
 
 And on my DC I removed the USB drive as a boot device.
 
 So now I can be at home in my jammies and remotely reboot the server
 with no issues and it will reboot just fine.
 
 Bob Anderson wrote:
  Laura,
   Yea that one bit me big time.  Had our Domain Controller running
 and
   added a USB Drive all was fine.  Along came Microsoft with the darned
   Updates and their 'Computer Must be restarted'. Well it restarted
   alright and would not reboot.  Talked to IBM Server Support for 4
   hours before I finally figured it out myself.  That was the only time
   I ever taught something to them and not the other way around.
 
   I have since updated the restart procedure to say 'Power off the USB
  drive before the system restarts.'
 
 
  Bob
  IT Guy
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
  Robinson
  Sent: Friday, November 03, 2006 11:41 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT - Backup Follies
 
  Umm, that was kinda the point I was trying to make, Bob. :-)
 
  Laura
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Bob
 Anderson
  Sent: Friday, November 03, 2006 11:09 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT - Backup Follies
 
  Laura,
   It doesn't matter what the boot order is. Most servers have an
   internal Raid configuration that doesn't kick in until after the
   machine goes through its start up and by then it has found the USB
   and not the hard disks.
 
  And yes I have this on two of my servers.
 
  Bob Anderson
  IT Guy
  Kent Sporting Goods
  433 Park Ave. S
  New London OH 44851
  419-929-7021 x315
  email: [EMAIL PROTECTED]
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
  Robinson
  Sent: Friday, November 03, 2006 10:52 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT - Backup Follies
 
  What's the boot order in the BIOS on those machines?
 
  Laura
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Albert
 Duro
  Sent: Friday, November 03, 2006 10:54 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OT - Backup Follies
 
   Ah, that brings up another interesting point.  I use USB external hard
   drives too, and I've found that some WinXP and Server2003 machines will
   not boot if a USB hard drive is attached--I have to remember to turn it
   off while booting.
   Anyone else seen this?
 
  - Original Message -
  From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
  [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, November 02, 2006 9:02 PM
   Subject: Re: [ActiveDir] OT - Backup Follies (was) Exchange Log files --Disk Full--

   No tape drives here.  If it has a USB connection we are in business.
 
   Albert Duro wrote:
  
   Yes, BE does do disk backup.  But I have some objections:
    A.  They don't make it easy, in fact they make an unnecessarily
   complicated production of it.
    B.  I started doing NTBackup to disk while (and because) I was still
   troubleshooting BE.  When I gave up on BE and its brethren, NTBackup
   was a natural segue, and already in place and working.
    C.  I discovered one great advantage that NTBackup-to-disk has over
   any other backup system:  with a bit of planning, it is proof against
   almost any combination of crash and burn. You have a backup file on
   two or more disks/machines.  Things go bad, you can do recovery from
   any Windows machine; you can move or copy the backup disks/files to
   any machine.  Try doing that with a sophisticated tape-based or
   SAN-based system.  Imagine having to replace the tape
   drive/autoloader with the exact same type, while rebuilding a
   same-hardware three-year old server to the exact same configuration,
   same SPs, same backup software, same drivers.  I can guarantee that
   at least one of those necessary replacement elements will be
   impossible to find, even under leisurely conditions. [1]
   Yes, there are strategies
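
An added example, not from the thread: a pre-flight check for the remote reboot Susan describes. Bob's servers picked the USB disk as the boot device before the RAID volumes appeared, so this script refuses to restart a host while a USB-attached disk is present unless you state that USB has been removed from the firmware boot order (the fix Susan applied). The host name dc01 is hypothetical and the script needs WMI access as an administrator. If a box does hang on reboot anyway, the iLO/DRAC/IP-KVM options Brian lists are the way back in.

```powershell
# Added example (not from the thread). Refuses a remote restart while a USB
# disk is attached, unless told the firmware boot order no longer includes USB.

function Get-UsbDisks {
    param([string]$ComputerName = '.')
    # Win32_DiskDrive.InterfaceType is 'USB' for USB-attached disks; memory
    # sticks show up the same way, so Model and size are returned to tell them apart.
    Get-WmiObject -Class Win32_DiskDrive -ComputerName $ComputerName |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        Select-Object DeviceID, Model, MediaType,
            @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) } }
}

function Restart-ServerSafely {
    param([string]$ComputerName, [switch]$UsbNotBootable)
    $usb = @(Get-UsbDisks -ComputerName $ComputerName)
    if ($usb.Count -gt 0 -and -not $UsbNotBootable) {
        Write-Warning ($usb | Format-Table -AutoSize | Out-String)
        Write-Warning ("$ComputerName has $($usb.Count) USB disk(s) attached; power them off first, " +
                       "or pass -UsbNotBootable once USB is removed from the boot order.")
        return $false
    }
    Restart-Computer -ComputerName $ComputerName -Force
    return $true
}

Restart-ServerSafely -ComputerName 'dc01'    # hypothetical host name
```

The switch is deliberately an explicit statement about the BIOS rather than a generic -Force, so the person running the reboot has to claim the boot order was checked; nothing in WMI can verify the firmware setting for you.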

RE: [ActiveDir] Active Directory Health Check tool - where can it run from?

2006-10-31 Thread Brian Desmond
Which tool is this? The AD Snapshot tool that you get from an ADRAP can run 
from any server.
 
--brian



From: [EMAIL PROTECTED] on behalf of Washington, Booker
Sent: Tue 10/31/2006 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: Active Directory Health Check tool - where can it run from?




Does that tool need to be run from a Domain Controller, or can it be run from 
any member server in the Domain, or workstation.

Just curious. 

Thanks 



RE: [ActiveDir] Active Directory Health Check tool - where can it run from?

2006-10-31 Thread Brian Desmond
ADRAP being AD Risk Assessment Program or something along that line - MS comes 
out for some number of days, runs that tool and makes recommendations on 
changes to make to the forest - it's a health check, basically.
 
Your forest admins aren't supposed to be emailing that thing around the 
company. My recollection is that the license is one year from the date of the 
ADRAP to be used on the machine it was installed on only.
 
--brian



From: [EMAIL PROTECTED] on behalf of Washington, Booker
Sent: Tue 10/31/2006 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Health Check tool - where can it run 
from?



It is the Active Directory Health Check Snapshot Tool. What exactly is ADRAP?  
I got a copy from our Forest Admins because I am a child domain of the forest.

 

The reason that I ask is because I seem to get buggy results when I go from an 
XP workstation, or a member server, and I wondered if I needed to run it from 
the DC itself.

 

 

Thanks

 

 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, October 31, 2006 5:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Active Directory Health Check tool - where can it run from?

 

Which tool is this? The AD Snapshot tool that you get from an ADRAP can run 
from any server.

 

--brian

 



From: [EMAIL PROTECTED] on behalf of Washington, Booker
Sent: Tue 10/31/2006 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: Active Directory Health Check tool - where can it run from?

 

Does that tool need to be run from a Domain Controller, or can it be run from 
any member server in the Domain, or workstation.

Just curious. 

Thanks 

 


RE: [ActiveDir] Need some advices....

2006-10-25 Thread Brian Desmond

If the domain was created in Windows 2000 or 2003 R2, you've got 60 days to fix
it; for 2003 domains you have 180 days. This is assuming you haven't tweaked the
tombstone lifetime. 4 hours is nothing. :)

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Wednesday, October 25, 2006 10:23 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need some advices

Hello all ;)

Due to a network outage that is scheduled for 4 hours on an Active Directory
site, I'd like to leave our DCs up without shutting them down.

Question:
Could I leave all my DCs up despite them not being able to communicate with
each other for 4 hours? Will that cause any issues (repl, auth, etc.)? Or do I
have to shut them down and then reboot them when the network is back up?

Thanks for advice.

Cheers,
Yann

RE: [ActiveDir] Need some advices....

2006-10-25 Thread Brian Desmond
That sounds right - I forgot about the SP1 change

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz -
 SBS Rocks [MVP]
 Sent: Wednesday, October 25, 2006 12:51 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Need some advices
 
 If memory serves me right the forest/trees tombstone values
 whatevers (you know those things we never worry about in SBSland) are
 different depending on how that SP1 got on the box...
 
 2003 RTM you have 60 days
 2003 SP1 (clean install) you have 180 days
 2003 R2 (clean install) you have 60 days
 
 (they kinda went backwards on the r2 and reintroduced the 60 days if I
 remember right.)
 
 
 
 Brian Desmond wrote:
 
  *If the domain was created in Windows 2000 or 2003 R2, you've got 60
  days to fix it, 2003 domains you have 180 days. This is assuming you
  haven't tweaked the tombstone lifetime. 4 hours is nothing. :)*
 
  * *
 
  *Thanks,*
 
  *Brian Desmond*
 
  [EMAIL PROTECTED]
 
  * *
 
  *c - 312.731.3132*
 
  * *
 
  *From:* [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] *On Behalf Of *Yann
  *Sent:* Wednesday, October 25, 2006 10:23 AM
  *To:* ActiveDir@mail.activedir.org
  *Subject:* [ActiveDir] Need some advices
 
  Hello all ;)
 
   Due to a network outage that is scheduled for 4 hours on an Active
   Directory site, I'd like to leave our DCs up without shutting them down.
  
   Question:
  
   Could I leave all my DCs up despite them not being able to communicate
   with each other for 4 hours? Will that cause any issues (repl,
   auth, etc.)? Or do I have to shut them down and then reboot them when
   the network is back up?
 
  Thanks for advices.
 
  Cheers,
 
  Yann
 
 
 
 --
 Letting your vendors set your risk analysis these days?
 http://www.threatcode.com
 
 If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
 will hunt you down...
 http://blogs.technet.com/sbs
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
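
An added example, not from either reply: instead of remembering which service pack created the forest, read the effective tombstone lifetime from the Configuration NC (the attribute is absent on forests that default to 60 days, and set explicitly where it is 180), then compare it with how long each DC has actually gone without a successful inbound replication, which is the number that matters after an outage like Yann's. It assumes repadmin from the 2003 Support Tools is on the path and that the caller can read the Configuration NC; the halfway "investigate" threshold is my choice, not a Microsoft figure.

```powershell
# Added example (not from the thread). Effective tombstone lifetime versus the
# real replication gap per DC, from repadmin's CSV output.

function Get-TombstoneLifetimeDays {
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ds = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $value = $ds.tombstoneLifetime
    # Unset attribute means the built-in default of 60 days; forests that got
    # 180 days had the attribute written explicitly at creation.
    if (-not $value) { return 60 }
    return [int]"$value"
}

function ConvertTo-DateTimeOrNull {
    param([string]$Text)
    # repadmin prints "(never)" or 0 for partners that have not yet succeeded
    $parsed = [datetime]::MinValue
    if ([datetime]::TryParse($Text, [ref]$parsed)) { return $parsed }
    return $null
}

function Get-ReplicationLag {
    param([int]$TombstoneDays = (Get-TombstoneLifetimeDays))
    # One CSV row per inbound partner and naming context; the oldest successful
    # replication per destination DC is its worst-case staleness.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($group in ($rows | Group-Object 'Destination DSA')) {
        $successes = @($group.Group | ForEach-Object { ConvertTo-DateTimeOrNull $_.'Last Success Time' } | Where-Object { $_ })
        $oldest = $successes | Sort-Object | Select-Object -First 1
        $lagDays = if ($oldest) { ((Get-Date) - $oldest).TotalDays } else { [double]::PositiveInfinity }
        # A DC that has not replicated within the tombstone lifetime must not be
        # reconnected: it would reintroduce objects everyone else has deleted.
        $verdict = 'ok'
        if ($lagDays -ge $TombstoneDays / 2) { $verdict = 'investigate' }
        if ($lagDays -ge $TombstoneDays) { $verdict = 'past tombstone lifetime: do not reconnect, demote and repromote' }
        New-Object PSObject -Property @{
            DC = $group.Name
            OldestSuccess = $oldest
            LagDays = [math]::Round($lagDays, 2)
            Failures = ($group.Group | Measure-Object 'Number of Failures' -Sum).Sum
            Verdict = $verdict
        }
    }
}

$tsl = Get-TombstoneLifetimeDays
"Tombstone lifetime: $tsl days; a 4 hour outage is $([math]::Round(4 / 24 / $tsl * 100, 2)) percent of it"
Get-ReplicationLag -TombstoneDays $tsl | Format-Table DC, LagDays, Failures, Verdict -AutoSize
```

Run it after the link is back: the Failures column should drop to zero on the next cycle and LagDays should fall back below a day. A DC in the isolated site keeps authenticating its own site's clients during the outage; what it cannot do is see password changes and account disables made elsewhere until replication resumes, which is the operational reason to keep the window short even though 4 hours is nowhere near the tombstone lifetime.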

