RE: [ActiveDir] Overlapping AD Subnet Boundaries
Nowhere does the OP say he's assigned a /16 mask to any interface.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Sunday, January 28, 2007 4:02 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

hello,
just to stop the troll... Do you understand my other posts about your network? Is your DC set up on its network interface with a 255.255.0.0 netmask? Your setup will work fine from an AD point of view (dssite.msc), but not from an IP routing point of view if you are really using a 255.255.0.0.

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

- Original Message -
From: Brian Cline [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 10:19 PM
Subject: [ActiveDir] Overlapping AD Subnet Boundaries

Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD treat a client address of, say, 10.10.41.104 as a client on the secondary site, or will it default to the more general primary subnet?

The reason I ask is we now have a need for a second AD site (I can see all the enterprise folks grinning now) and we have quite a number of other subnets that I'd have to manually enter if this is not the case. I don't mind doing it, but I was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax
RE: [ActiveDir] Overlapping AD Subnet Boundaries
Going with a /24 when you're laying out a network just because it's common and small doesn't really help any more than picking a /16 out of the blue in the long run. Migrating machines into new subnets is actually not that difficult if properly planned - I've been around that circuit quite a few times.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, January 28, 2007 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

My advice would have been to start with a 255.255.255.0 netmask (/24) - it's better for creating more subnets and hosts. 255.255.0.0 (/16) is more limiting if that is what the person is using, no matter what IP class is being used. But if not selected initially it's too late to easily go back...

Regards,
Chuck

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sun, 28 Jan 2007 3:01 AM
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

hello,
just to stop the troll... Do you understand my other posts about your network? Is your DC set up on its network interface with a 255.255.0.0 netmask? Your setup will work fine from an AD point of view (dssite.msc), but not from an IP routing point of view if you are really using a 255.255.0.0.

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

- Original Message -
From: Brian Cline [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 10:19 PM
Subject: [ActiveDir] Overlapping AD Subnet Boundaries

Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD treat a client address of, say, 10.10.41.104 as a client on the secondary site, or will it default to the more general primary subnet?

The reason I ask is we now have a need for a second AD site (I can see all the enterprise folks grinning now) and we have quite a number of other subnets that I'd have to manually enter if this is not the case. I don't mind doing it, but I was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax
RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT
Yeah, personally I'd have written some little .NET contraption doing it in the background if it was something as simple as this.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 28, 2007 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

I agree that MIIS could be convenient but only if it is already there or you have other plans for it. If this was the only reason for it I would be more apt to put something else together that had a far lower bar of entry, such as some basic scripts that are scheduled through Task Scheduler or made into a service (Perl PSDK) or LDSU or some basic low-end syncing tools that don't require setting up a full-blown SQL and MIIS server.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, January 27, 2007 7:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

You can whack Notes with ldifde or something. MIIS is a convenient way to do it though.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, January 27, 2007 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Ewww. :) Unless there are other needs that require MIIS I don't think I would deploy it for this. MIIS is a 50 caliber when all that was probably needed was a foam pellet gun. I have seen folks doing this before; usually they get an LDIF extract from Notes and just slam that into AD as contacts or mail-enabled users. Actually getting the info out of Notes... no clue, I didn't even want to start touching Exchange let alone any other messaging apps. I am happy just with Windows Server 2003 SMTP and looking at the text files. ;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, January 26, 2007 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Have you looked at MIIS?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Same topic, but this one is for Notes admins/gurus as well. I populate the mail attribute in AD with the Notes users' primary internet address. Does anyone have a script or method that will allow me to publish in AD the same info for groups and other addresses for users? Even something that can query Domino for all users and groups and return all addresses into a file; I can use that as a basis to update AD with proxy info etc. Thanks in advance.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]

From: Brian Cline [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 01/26/2007 09:47 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Ah, yes, good call. Almost forgot that it changes that, too.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wells, James Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP: address.

--James

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an address that already exists as a secondary, does ADUC do anything more than change the prefix on the old primary address from 'SMTP' to 'smtp' and vice-versa for the new primary?

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query for users that have secondary addresses vs. only having a primary and there isn't any
[ActiveDir] Naming Convention for Site Links
Was wondering what other folks use for naming site links. A point-to-point link is obvious to me: SiteA - SiteB or something like that. What about a link with three or four sites in it (e.g. SiteA, SiteB, SiteC, etc.)?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: [ActiveDir] Overlapping AD Subnet Boundaries
While your math is right you should look up supernetting and subnetting somewhere.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Saturday, January 27, 2007 4:17 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

In my opinion, there is a pure TCP/IP network issue... A sample example: the DC is 10.10.0.1 with a netmask of 255.255.0.0 (/16 as indicated). If you try to ping 10.10.41.104, it will try to communicate on the LAN, seeking its ARP. It won't send packets to the gateway since 10.10.41.0 must be on the LAN. The only way to get it to work is to use a Layer 2 link between both sites.

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

- Original Message -
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 11:37 PM
Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries

it will go for the second site 10.10.41.0/24 (= best matching)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Brian Cline
Sent: Fri 2007-01-26 22:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Overlapping AD Subnet Boundaries

Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD treat a client address of, say, 10.10.41.104 as a client on the secondary site, or will it default to the more general primary subnet?

The reason I ask is we now have a need for a second AD site (I can see all the enterprise folks grinning now) and we have quite a number of other subnets that I'd have to manually enter if this is not the case. I don't mind doing it, but I was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] Overlapping AD Subnet Boundaries
OK well you don't need a layer 2 link to do what the OP wants...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Saturday, January 27, 2007 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

hi,
i am coming from a network job, so i am used to sub/supernetting somehow :)
thanks anyway!

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

- Original Message -
From: Brian Desmond [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, January 27, 2007 6:47 PM
Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries

While your math is right you should look up supernetting and subnetting somewhere.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Saturday, January 27, 2007 4:17 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

In my opinion, there is a pure TCP/IP network issue... A sample example: the DC is 10.10.0.1 with a netmask of 255.255.0.0 (/16 as indicated). If you try to ping 10.10.41.104, it will try to communicate on the LAN, seeking its ARP. It won't send packets to the gateway since 10.10.41.0 must be on the LAN. The only way to get it to work is to use a Layer 2 link between both sites.

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

- Original Message -
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 11:37 PM
Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries

it will go for the second site 10.10.41.0/24 (= best matching)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Brian Cline
Sent: Fri 2007-01-26 22:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Overlapping AD Subnet Boundaries

Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD treat a client address of, say, 10.10.41.104 as a client on the secondary site, or will it default to the more general primary subnet?

The reason I ask is we now have a need for a second AD site (I can see all the enterprise folks grinning now) and we have quite a number of other subnets that I'd have to manually enter if this is not the case. I don't mind doing it, but I was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax
RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT
You can whack Notes with ldifde or something. MIIS is a convenient way to do it though.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, January 27, 2007 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Ewww. :) Unless there are other needs that require MIIS I don't think I would deploy it for this. MIIS is a 50 caliber when all that was probably needed was a foam pellet gun. I have seen folks doing this before; usually they get an LDIF extract from Notes and just slam that into AD as contacts or mail-enabled users. Actually getting the info out of Notes... no clue, I didn't even want to start touching Exchange let alone any other messaging apps. I am happy just with Windows Server 2003 SMTP and looking at the text files. ;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Friday, January 26, 2007 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Have you looked at MIIS?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas W Stelley
Sent: Friday, January 26, 2007 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses? Slightly OT

Same topic, but this one is for Notes admins/gurus as well. I populate the mail attribute in AD with the Notes users' primary internet address. Does anyone have a script or method that will allow me to publish in AD the same info for groups and other addresses for users? Even something that can query Domino for all users and groups and return all addresses into a file; I can use that as a basis to update AD with proxy info etc. Thanks in advance.

Douglas Stelley
IT Engineer
Seneca Nation Health Department
(716)532-5582 x5404
[EMAIL PROTECTED]

From: Brian Cline [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 01/26/2007 09:47 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Ah, yes, good call. Almost forgot that it changes that, too.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wells, James Arthur
Sent: Friday 26 January 2007 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

It should also update the 'mail' attribute to the new primary SMTP: address.

--James

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 7:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Out of curiosity, when setting a different primary e-mail address to an address that already exists as a secondary, does ADUC do anything more than change the prefix on the old primary address from 'SMTP' to 'smtp' and vice-versa for the new primary?

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Thursday 25 January 2007 19:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to find non-primary SMTP addresses?

In addition to what Ulf said, there also isn't any practical way to query for users that have secondary addresses vs. only having a primary, and there isn't any practical way to just get the secondary addresses out of the proxyAddresses attribute. You essentially need to get all the data and then check for the values that are prefixed with lower case smtp. Maybe Joe R. has a neat trick with ADFind to make this easier, but LDAP itself doesn't help much.

Joe K.

- Original Message -
From: Ulf B. Simon-Weidner
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 25, 2007 6:00 PM
Subject: RE: [ActiveDir] How to find non-primary SMTP addresses?

Hi Stu,

I don't think there's a way to expose multivalued attributes with CSVDE - you'd either have to use LDIFDE or VBScript or anything else to view all values of those attributes.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Friday, 26 January 2007 00:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to find non-primary SMTP addresses?

How does one go about getting the non-primary SMTP addresses
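Joe K.'s point above (you must pull every proxyAddresses value and sort them by the case of the prefix yourself) and the ADUC behaviour James and Brian Cline describe (swapping SMTP:/smtp: and updating mail) are both shown in this added example. It is not code from the thread or from any of the posters; the LDIF text is constructed in the shape ldifde produces, and the parser is a minimal one that assumes plain "attr: value" lines with no base64 ("::") values and no folded continuation lines.

```python
"""Find secondary (lower-case smtp:) addresses in proxyAddresses and model a
primary-address change. Constructed sample data; not the list's code."""

# Constructed ldifde-style export: a multi-valued attribute repeats its name
# once per value. Assumes no "::" base64 values and no folded lines.
SAMPLE_LDIF = """\
dn: CN=Stu Packett,OU=Users,DC=example,DC=com
changetype: add
mail: stu.packett@example.com
proxyAddresses: SMTP:stu.packett@example.com
proxyAddresses: smtp:spackett@example.com
proxyAddresses: smtp:stu@oldcorp.example
proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Packett;g=Stu;

dn: CN=Brian Cline,OU=Users,DC=example,DC=com
changetype: add
mail: bcline@example.com
proxyAddresses: SMTP:bcline@example.com
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns {dn: {attribute: [values...]}}.
    Entries are separated by a blank line; the first line of each is dn."""
    entries, attrs = {}, None
    for line in text.splitlines():
        if not line.strip():
            attrs = None          # blank line ends the current entry
            continue
        name, _, value = line.partition(":")   # split on the FIRST colon only
        value = value.strip()
        if name == "dn":
            attrs = entries.setdefault(value, {})
            continue
        if attrs is None:
            raise ValueError("attribute line before any dn: " + line)
        attrs.setdefault(name, []).append(value)
    return entries


def split_smtp(proxy_addresses):
    """Return (primary, [secondaries]) for one object's proxyAddresses.
    Only the case of the prefix distinguishes primary from secondary, so the
    comparison is exact; an LDAP filter, which matches case-insensitively,
    cannot make this distinction, hence the fetch-everything-then-filter step."""
    primary, secondaries = None, []
    for value in proxy_addresses:
        prefix, _, address = value.partition(":")
        if prefix == "SMTP":
            primary = address
        elif prefix == "smtp":
            secondaries.append(address)
    return primary, secondaries


def users_with_secondaries(entries):
    """dn -> list of secondary addresses, for objects that have at least one."""
    result = {}
    for dn, attrs in entries.items():
        _, secondaries = split_smtp(attrs.get("proxyAddresses", []))
        if secondaries:
            result[dn] = secondaries
    return result


def set_primary(attrs, new_primary):
    """Model what ADUC does when a secondary is promoted: the old primary's
    prefix becomes smtp:, the chosen one becomes SMTP:, and mail follows it.
    Returns a new attribute dict; the input is left untouched."""
    _, secondaries = split_smtp(attrs.get("proxyAddresses", []))
    if new_primary.lower() not in (s.lower() for s in secondaries):
        raise ValueError(new_primary + " is not an existing smtp: secondary")
    rewritten, chosen = [], None
    for value in attrs.get("proxyAddresses", []):
        prefix, _, address = value.partition(":")
        if prefix == "SMTP":
            rewritten.append("smtp:" + address)
        elif prefix == "smtp" and address.lower() == new_primary.lower():
            rewritten.append("SMTP:" + address)
            chosen = address
        else:
            rewritten.append(value)          # X400 and other address types untouched
    updated = dict(attrs)
    updated["proxyAddresses"] = rewritten
    updated["mail"] = [chosen]
    return updated


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for dn, secondaries in users_with_secondaries(directory).items():
        print(dn, "->", ", ".join(secondaries))
```

Because proxyAddresses compares case-insensitively in the directory, `(proxyAddresses=smtp:*)` returns primaries as well, which is why the filtering has to happen client-side as `split_smtp` does. A real export will also contain base64 values and folded lines that this parser deliberately does not handle.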
RE: [ActiveDir] Overlapping AD Subnet Boundaries
AD subnets have nothing to do with how the WAN is actually routed. All they do is link an IP address to a site. If you don't have a blanket subnet as a last resort your DCs start filling their event logs with events about how clients are connecting from unknown subnets. So what you do is you take your hub datacenter(s) and associate large supernets with the site objects (as big as 10.0.0.0/8 if appropriate). Then you associate the actual subnets with the sites where they're physically located.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Saturday, January 27, 2007 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

i don't agree. the /24 is included in the /16. You won't have layer 3 routing between the two sites, at least from the primary to the secondary. Even if it will work from a routing point of view from the secondary to the primary, what's the point?

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

- Original Message -
From: Brian Desmond [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, January 27, 2007 6:58 PM
Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries

OK well you don't need a layer 2 link to do what the OP wants...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Saturday, January 27, 2007 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

hi,
i am coming from a network job, so i am used to sub/supernetting somehow :)
thanks anyway!

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

- Original Message -
From: Brian Desmond [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, January 27, 2007 6:47 PM
Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries

While your math is right you should look up supernetting and subnetting somewhere.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mathieu CHATEAU
Sent: Saturday, January 27, 2007 4:17 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

In my opinion, there is a pure TCP/IP network issue... A sample example: the DC is 10.10.0.1 with a netmask of 255.255.0.0 (/16 as indicated). If you try to ping 10.10.41.104, it will try to communicate on the LAN, seeking its ARP. It won't send packets to the gateway since 10.10.41.0 must be on the LAN. The only way to get it to work is to use a Layer 2 link between both sites.

Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

- Original Message -
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 11:37 PM
Subject: RE: [ActiveDir] Overlapping AD Subnet Boundaries

it will go for the second site 10.10.41.0/24 (= best matching)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Brian Cline
Sent: Fri 2007-01-26 22:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Overlapping AD Subnet Boundaries

Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD treat a client address of, say, 10.10.41.104 as a client on the secondary site, or will it default to the more general primary subnet?

The reason I ask is we now have a need for a second AD site (I can see all the enterprise folks grinning now) and we have quite a number of other subnets that I'd have to manually enter if this is not the case. I don't mind doing it, but I was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax
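The two sides of this thread are talking about two different lookups: the AD subnet-to-site table (a logical, longest-prefix match, so the /24 wins over the /16 and a blanket supernet catches everything else) and the host's own on-link decision (whether a DC with a /16 interface mask ARPs for 10.10.41.104 or sends it to the gateway). This added example models both; it is not code from the thread or from any of the posters, and the subnet table, site names and client addresses are constructed from the OP's figures.

```python
"""AD-style longest-prefix site lookup next to the host-side on-link check
from Mathieu's objection. Constructed sample data; not the list's code."""
import ipaddress
import logging

# Constructed subnet-to-site table, after the OP's question plus the blanket
# supernet on the hub site that Brian recommends as a last resort.
SUBNET_TO_SITE = {
    "10.0.0.0/8": "HUB-Datacenter",
    "10.10.0.0/16": "Primary",
    "10.10.41.0/24": "Secondary",
}


def site_for_address(ip, table=SUBNET_TO_SITE):
    """Return the site whose subnet is the most specific (longest prefix)
    match for ip, or None when no subnet object covers it. A DC without a
    match logs the 'client from unknown subnet' events Brian mentions; here
    that is a warning so an audit run over client addresses shows the gaps."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in table.items():
        net = ipaddress.ip_network(cidr)
        if addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_site = net, site
    if best_net is None:
        logging.warning("client %s is in no subnet assigned to a site", ip)
    return best_site


def classify_clients(ips, table=SUBNET_TO_SITE):
    """Map a batch of client addresses to sites; returns (assigned, unknown)
    so the unknown list can be turned into missing subnet objects."""
    assigned, unknown = {}, []
    for ip in ips:
        site = site_for_address(ip, table)
        if site is None:
            unknown.append(ip)
        else:
            assigned[ip] = site
    return assigned, unknown


def is_on_link(local_ip, prefixlen, remote_ip):
    """Host-side view, independent of AD: with local_ip/prefixlen configured
    on the interface, is remote_ip treated as directly reachable (ARP on the
    LAN, True) or sent to the default gateway (False)?"""
    iface = ipaddress.ip_interface(f"{local_ip}/{prefixlen}")
    return ipaddress.ip_address(remote_ip) in iface.network


if __name__ == "__main__":
    # Constructed client list: one per site, plus one nobody defined.
    assigned, unknown = classify_clients(
        ["10.10.41.104", "10.10.5.7", "10.20.1.1", "192.168.1.1"])
    print(assigned, unknown)
    # The OP's client from a DC with a /16 mask vs. a /24 mask.
    print(is_on_link("10.10.0.1", 16, "10.10.41.104"),
          is_on_link("10.10.0.1", 24, "10.10.41.104"))
```

`site_for_address` never consults an interface mask, which is the point Brian is making; `is_on_link` never consults the site table, which is the point Mathieu is making. The same 10.10.41.104 resolves to the Secondary site regardless of how the DC's NIC is masked, while only a DC whose NIC actually carries a /16 would try to ARP for it instead of routing.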
RE: [ActiveDir] Overlapping AD Subnet Boundaries
Yes. I have done this in organizations with hundreds of sites and a well designed subnetting scheme.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 4:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Overlapping AD Subnet Boundaries

Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD treat a client address of, say, 10.10.41.104 as a client on the secondary site, or will it default to the more general primary subnet?

The reason I ask is we now have a need for a second AD site (I can see all the enterprise folks grinning now) and we have quite a number of other subnets that I'd have to manually enter if this is not the case. I don't mind doing it, but I was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax
RE: [ActiveDir] Overlapping AD Subnet Boundaries
Chuck-

Unfortunately I think your reasoning is a bit short-sighted here. You can't make any of these assumptions without understanding the OP's environment with regard to both business and technical requirements.

A T1 is way more than enough for hundreds of PCs to go to a DC across the WAN. While a couple of MLPPP T1s might be nice, it's certainly not necessary. Logon traffic isn't that heavy. The number of users at a site is usually not the driver so much as the number of workstations. Workstations are the limiting factor - you can have 100 guys someplace but they might share 10 PCs.

The business requirement is a real simple question - if the WAN link goes down, will business continue at this site? If not, adding a DC doesn't do anything but cost money - it doesn't matter whether users can log on. With cached credentials, even when the link does go down they'll still be able to log on to their usual PCs anyway.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, January 26, 2007 7:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Overlapping AD Subnet Boundaries

What I would be interested to find out is:

1. What is the WAN link speed for the proposed 2nd AD site?
2. How much free available bandwidth do you have between the two desired sites?
3. How many users sit in the proposed 2nd AD site?

If you have a fast reliable WAN connection (like a pair of bonded T-1s or higher) between the 2 sites then perhaps you don't need the 2nd site. I understand subnetting and it's possible to use a different subnet mask to achieve a separate subnet. However, there should be a compelling reason that requires a second AD site before deploying it, as this might save you making things more complex than required.

Regards,
Chuck
RE: [ActiveDir] adsiedit question
You shouldn't be doing this.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP
Sent: Tuesday, January 23, 2007 5:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adsiedit question

I needed to move SystemMailboxes, which won't move with the wizard. Somehow several were homed on one database and it caused event sink problems. This was the easiest method.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, January 23, 2007 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adsiedit question

Why are you using adsiedit to rehome a mailbox? Doesn't the move mailbox wizard work for your needs?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Condra, Jerry W Mr HP
Sent: Tue 1/23/2007 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] adsiedit question

Hi all,

I didn't OT this even though I'm making modifications to Exchange, since the question seems to be adsiedit related and therefore related to AD. I'm trying to modify an attribute for a mailbox using adsiedit. Particularly, I'm rehoming its database by modifying the homeMDB attribute. The problem I'm running into is I'm getting an error stating "The name reference is invalid" when I try to apply the change. I've done this a few times but this is the first time I've run into this error. Google doesn't give enough info to determine the cause... or maybe it does and I just don't know enough about the response to see it... that never happens. ;-) If anyone can shed some light it would be greatly appreciated.

Many thanks
Jerry
RE: [ActiveDir] Remote DC's on Virtual Server
Read all of this sort of. I have a fairly simple opinion: If you want to screw around, or do small scale virtualization, VS or VMWare server - whatever makes you happy, they're about the same in a datacenter. If you want to go do all that money saving stuff, large scale lets buy some gigantic servers on a SAN, drink the kool aid off the cover of eweek, etc - go buy an esx license or two. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Sunday, January 21, 2007 12:29 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote DC's on Virtual Server All indications to the contrary are likely due to insufficient operational experience with the product - not an attack on anyone just a statement based on my personal experience and interactions with others Not at all, Ben. I can speak from both side of the aisle as far as VMWare and VS are concerned, although my bias, to which I have already confessed, plays a role in my dislike of VMWare. My dislike, though, is driven largely based on the original (apples and oranges) statement to which I responded. I have not disputed that VMWare is ahead of VS at this present time. I have simply stipulated that the perceived gap is so considerably narrowed now that dismissing VS as a non-starter is no longer a technically sound or tenable position. However, MS stated virtual machine support is the same regardless of virtual environment provider. This is just wrong. Please see http://www.support.microsoft.com/kb/897615 You will also notice that my observation and opinion were based mostly on where we are today on VS 2005 SP1 Beta 2. I do not dispute that VMWare is superior, but at what cost? I disagree with your assertion that ESX is easier to deploy and manage than VS - that just defies logic (no offense). Not with the availability of System Center. 
When you need to provision a lab of, say, 20 servers running various OSes, and you are under the gun to get it done, like 4 hours ago, on a piece of recycled (Ebayed) hardware, ESX is not your friend. I was afraid that this thread will go down the undesirable path of Us vs Them, and I apologize for making it so. The point I'm trying to make is that, if you are looking for a Virtualization solution, VS does NOT stink one bit. Factor in the cost overlay, the deployment and maintenance efforts, divide that by what EXACTLY you are looking for in virtualization, then give VS a fair shake and not just go with the popular VMWare Rules opinion. ESX may have been sexy a while back when VS was truly ugly, but that is not the case today. VS is evolving, and you may just be pleasantly surprised that it adequately meets your need without breaking your bank and back. Sincerely, Deji Akomolafe Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Bernard, Aric Sent: Sat 1/20/2007 5:41 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Remote DC's on Virtual Server Other points to clear up... MS supports VS2005 as it is their product. However, MS stated virtual machine support is the same regardless of virtual environment provider. MS recently (more than a year ago?) made some changes to their licensing model for virtual environments in terms of the Windows OS and how many instances can be run given a single license. This is applicable to any virtual environment, not just VS2005. In my role I am a supporter (technically, politically, and marketing) of MS products. However, from an Enterprise perspective (management and operations) VMWare is generally regarded as the superior product for all the reasons mentioned and more. 
VMWare is not difficult to implement and operate as compared to VS2005 and from an enterprise perspective often considered easier to manage given the wide range of tools available for it. All indications to the contrary are likely due to insufficient operational experience with the product - not an attack on anyone just a statement based on my personal experience and interactions with others. Sent from my Windows Mobile device. -Original Message- From: Brett Shirley [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org Sent: 1/20/07 3:28 PM Subject: RE: [ActiveDir] Remote DC's on Virtual Server Does anyone know if the vmware stuff, allows ba xxx w4 in the windows debugger (obviously running on windows guest VM)? ba xxx w4 = means break on address write w/in 4 bytes of the xxx, which
RE: [ActiveDir] OT: Apache LDAP authentication oddity
So you're describing searching for something and talking about authentication. Which is it? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Friday, January 19, 2007 10:19 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Apache LDAP authentication oddity We have an application that is using an Apache server to do LDAP authentications against our active directory. (Yeah, I know; if only I were king! LOL!) The application developer tells me that if he tries doing an auth against our root base (dc=yyy,dc=zzz), the auth fails. If he uses a search base of ou=xxx,dc=yyy,dc=zzz, the auth works. The user account that is being tested is some OU levels below this. He is coding a subtree scope and he is filtering on (objectclass=user and objectcategory=person). It's like Apache needs to start at an OU structure. I couldn't find much on Google about this other than someone else was having the same issue last Fall and just gave up in frustration. The Apache documentation I could find seemed to indicate that a search of dc=yyy,dc=zzz SHOULD work. Any thoughts/pointers are appreciated! Thanks! Mike Thommes
RE: [ActiveDir] OT: HARDWARE question. FILE SERVER VS ATTACHED STORAGE SOLUTION
Without knowing your requirements I can't tell you which of those is something you want. They all have different applications... I keep up to speed on hardware by specifying and installing it. I can rattle off the right Compaq or Dell server model number given what you're going to do with it. I'm pretty good with Cisco switches and routers in that respect too. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Friday, January 19, 2007 11:19 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: HARDWARE question. FILE SERVER VS ATTACHED STORAGE SOLUTION HI, I have 2 questions. We need more storage space but we don't know if we should go with an attached storage solution (NAS, SAN, etc) or just get a big file server, can anyone tell me benefit and disadvantage of each one, or point me to URL with this info? Also, my hardware knowledge is very obsolete, how can I get up to speed in terms of hardware Thanks all Rezuma
RE: [ActiveDir] Cisco VPN user authentication problem
Steve- I don't understand your problem. Is this an IAS issue with AD authentication? Is this a PIX config issue? Is this just a screwed up laptop issue? I'm lost. I wrote a couple articles on my blog (click the cisco category in the tag cloud) specifically about integrating IOS and PIX with IAS/AD. Have set it up for several people and it works fine. IAS logs an event with a reason for failed auth every time it fails an auth in the system log. You can enable aaa debugging on the PIX for info there. Now I just read you have a VPN 3000 - never touched one - maybe it has AAA debugging type stuff? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan (Temp) Sent: Friday, January 19, 2007 5:39 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Cisco VPN user authentication problem Greetings, Brain Trust: I've been troubleshooting a VPN access problem for about two days now and have almost scratched a groove in my head - this one's a puzzler. My boss has an IBM Lenovo T60 laptop that has the Cisco VPN client software loaded into it. It was working just fine up until the third week of December, allowing her to use Dialup to get into our HQ domain from her house. When the logins failed, I thought it was due to crappy dialup connection, since noise in the link will cause the VPN tunnel to go down. However, I just got her link at her house to go on wireless, and it works just spiffy (11M up/down), and she still can't log on to the domain with the VPN software. The connection works just fine, she can browse with no problem. OWA works just fine. Here's some of the troubleshooting I've done: 1) reloaded the VPN software. 2) Tried to have her log on from another machine. 3) Changed the Group authentication (made a new one) just for her. Nothing seems to work. She logs in to the domain normally from her desk at work using either the wireless in the laptop, or via the Ethernet connection. 
Anybody else can use her laptop to get in via the VPN, so it's not the drivers or hardware. Her problem is replicated from ANYBODY's laptop utilizing the VPN software. It's got to be her account, which is why I think it's something screwed up in AD. When I monitor her attempts to log into the VPN concentrator (a Cisco 3000), sometimes it says the IKE isn't working, sometimes it says there's no domain (domain = {not specified}), sometimes it never talks to the 3000 at all (according to the log and the way it comes right back with the username/password request). Want to get even more confused? This problem started when she attempted to change her password back to what it was - she went through the AD administration on the primary AD box and got some kind of error. Ever since then, things just ain't the same. I think something got scrambled in her account. We tried disabling her account for 5 minutes and then re-enabling, but nothing's worked. Where should I look to see if something's amiss? I'm kinda stumped. Steve Egan Systems/Network Engineer
RE: [ActiveDir] OT: Different default GALs for different groups
I did this for a school once. Basically what you do is create a group for each GAL and put the folks in the groups, then you create GAL/ALs in System manager and filter on this group membership. Set the ACLs accordingly and deny access to the default GAL. --brian From: [EMAIL PROTECTED] on behalf of Jonathan Watts Sent: Thu 1/18/2007 10:32 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Different default GALs for different groups Hey list I have been battling with the following issue for what feels like an age, but I can't seem to get it so I'm hoping someone here could provide a bit of inspiration for me: As we are a secondary school (K-12 equivalent), I would like members of a particular group (namely staff) to have a different default GAL than another group (students) when opening Outlook. I am really stuck with this would appreciate any help I can get. Our environment is W2K3, Exc2K3 and Outlook2K3. Thanks in advance Jon Watts St Catherine's School
RE: [ActiveDir] OT: Who needs that much ram anyway?
The more you can get in memory, the better. 32GB is the threshold for Exchange before it stops making sense. I've remoted into SQL servers with dozens of CPUs and dozens of gigs of ram before... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Tuesday, January 16, 2007 4:01 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Who needs that much ram anyway? The Microsoft Exchange Information Store service stops responding on a computer that is running Windows Server 2003 and Exchange Server 2007 http://support.microsoft.com/?kbid=928368 This problem occurs if Exchange Server 2007 is installed on a computer that has more than 4 gigabytes (GB) of RAM.
RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?)
On Cisco's you should be looking at a switchport level feature called DHCP snooping. ip helper-address does more than just forward DHCP packets just an FYI. The term I use for the issue with the routers is that they're plugged in backwards when someone gets the WAN and LAN confused. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Al Garrett Sent: Tuesday, January 16, 2007 11:29 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?) Not sure about other switch brands... we've been Cisco-centric for years. The command in Cisco IOS is ip helper-address x.x.x.x to tell DHCP packets where to go across VLANs... but this still doesn't prevent a rogue DHCP server from popping up on a VLAN. (Think about a Linksys wired/wireless router brought to work by a well-meaning but technically-challenged person and plugged into a local port in order to get wireless in their cubicle/office) Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, January 16, 2007 6:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?) OTOH, I am wondering if it'd be possible to configure the routers so that they only allow DHCP OFFER/ACK/NACK from auth. In case you weren't sure - this is exactly what I was suggesting you consider, in my first post :) neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava Sent: 16 January 2007 13:35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?) Sorry for the delay on getting back on this, had a few things piled up after New Year's... 
You're right on the fact that routers isolating the VLANs limit the impact of this issue... The problem is that the idea is to re-configure routers to forward DHCP traffic, so that we get DHCP service on all VLANs from one/a few DHCP servers, instead of having to setup a DHCP server on each VLAN. Somebody suggested having a multi-homed DHCP server, with a leg on each VLAN, so that we get containment and DHCP service on every VLAN. I don't know at the moment if that's possible (I have to check with the client, to see if their network topology has a hub where all VLANs come close). OTOH, I am wondering if it'd be possible to configure the routers so that they only allow DHCP OFFER/ACK/NACK from auth. DHCP servers (something similar to what we've done with the local filtering on the workstations)... We'd still have problems with a rogue DHCP server in a VLAN, but we wouldn't have to go the multi-homed server route... Thanks a lot for the input received so far. It's made me explore several options that I had not considered ;) As always, a pleasure. Javier -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, 09 January 2007 9:35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?) Your last statement is true but then if routers restrict BOOTP traffic as I describe, then the rogue DHCP server will only affect the VLAN on which it exists. At least that way, you've reduced the impact. neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava Sent: 08 January 2007 17:24 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?) Hi, Neil!! That's another thing I'll have to look into :) I am aware that it's possible to do DHCP-proxy to pass along the DHCP requests to the proper servers. 
That's something that will have to be done, as the client's network is split in different VLAN segments, and in multiple locations/sites, and they'd like to have a reduced number of DHCP servers. But, useful and necessary as it is, this won't prevent a rogue/malicious DHCP server on the same LAN segment from playing havoc with the systems. Thanks for the heads-up though. Javier Jarava -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, 08 January 2007 14:33 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Likely OT: :) Managing/preventing rogue DHCP servers? (or how do you find it?) In addition to the below, routers can be configured to only forward BOOTP packets to/from 'authorised' DHCP servers. neil ___ Neil Ruston Global
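Brian's pointer to DHCP snooping and Neil's router-side filter, as an added Python example that is not from the list or any vendor: it decodes the BOOTP header and option list of a DHCP message and applies the rules a snooping-enabled switch port enforces, accepting OFFER/ACK/NAK only from a trusted port and a known server identifier (option 54), and dropping client messages on untrusted ports that carry a relay address (giaddr) or a chaddr that differs from the frame's source MAC. The interface names, MAC addresses, the server 10.20.30.5 and the rogue 192.168.1.1 are constructed for the scenario, not captured traffic.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header and the DHCP option list (RFC 2131/2132)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    addrs = [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in (12, 16, 20, 24)]
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option")
        options[code] = data
        i += 2 + length
    mt, sid = options.get(OPT_MSG_TYPE), options.get(OPT_SERVER_ID)
    return {
        "op": op, "xid": xid, "chaddr": payload[28:28 + hlen].hex(":"),
        "ciaddr": addrs[0], "yiaddr": addrs[1], "siaddr": addrs[2], "giaddr": addrs[3],
        "msg_type": MSG_TYPES.get(mt[0]) if mt and len(mt) == 1 else None,
        "server_id": str(ipaddress.IPv4Address(sid)) if sid and len(sid) == 4 else None,
    }


def snoop_verdict(frame: dict, trusted_ports: set, authorized_servers: set) -> tuple:
    """DHCP-snooping decision for one frame: (verdict, reason).

    frame = {"port": ingress interface, "src_mac": Ethernet source, "payload": UDP payload}.
    Server-side messages are accepted only from trusted ports and known server IDs;
    client messages on untrusted ports must not be relayed and must carry their own MAC."""
    msg = parse_dhcp(frame["payload"])
    trusted = frame["port"] in trusted_ports
    kind = msg["msg_type"]
    if kind in SERVER_MESSAGES or msg["op"] == 2:
        if not trusted:
            return "DROP", f"{kind} on untrusted port {frame['port']} from server {msg['server_id']}"
        if msg["server_id"] not in authorized_servers:
            return "DROP", f"{kind} from unauthorized server {msg['server_id']}"
        return "ALLOW", f"{kind} from {msg['server_id']} assigning {msg['yiaddr']}"
    if not trusted:
        if msg["giaddr"] != "0.0.0.0":
            return "DROP", "relay-agent message (giaddr set) on untrusted port"
        if msg["chaddr"] != frame["src_mac"].lower():
            return "DROP", f"chaddr {msg['chaddr']} != source MAC {frame['src_mac']}"
    return "ALLOW", f"{kind} from client {msg['chaddr']}"


def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0", giaddr="0.0.0.0", server_id=None):
    """Construct a minimal DHCP message (test input only, not captured traffic)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000) + bytes(4)  # ...ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed + bytes(4) + ipaddress.IPv4Address(giaddr).packed
    hdr += bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0") + bytes(64 + 128)
    opts = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    return hdr + opts + bytes([OPT_END])


# Constructed scenario: one authorized server behind the uplink, one Linksys-style rogue.
TRUSTED_PORTS = {"Gi1/0/48"}          # uplink toward the real DHCP server / relay
AUTHORIZED_SERVERS = {"10.20.30.5"}   # the server(s) the ip helper-address points at
CLIENT = "00:11:22:33:44:55"
SAMPLE_FRAMES = [
    {"port": "Gi1/0/7", "src_mac": CLIENT, "payload": build_dhcp(1, 0x1001, CLIENT, 1)},
    {"port": "Gi1/0/48", "src_mac": "00:aa:bb:cc:dd:01",
     "payload": build_dhcp(2, 0x1001, CLIENT, 2, yiaddr="10.20.30.104", server_id="10.20.30.5")},
    {"port": "Gi1/0/12", "src_mac": "00:1c:10:de:ad:01",   # rogue home router on an access port
     "payload": build_dhcp(2, 0x1001, CLIENT, 2, yiaddr="192.168.1.100", server_id="192.168.1.1")},
    {"port": "Gi1/0/48", "src_mac": "00:aa:bb:cc:dd:02",   # unknown server behind the uplink
     "payload": build_dhcp(2, 0x1001, CLIENT, 2, yiaddr="10.20.30.200", server_id="10.20.30.9")},
    {"port": "Gi1/0/7", "src_mac": CLIENT,                 # client lying about its chaddr
     "payload": build_dhcp(1, 0x1002, "00:11:22:33:44:99", 1)},
]


def filter_frames(frames, trusted_ports=TRUSTED_PORTS, authorized_servers=AUTHORIZED_SERVERS):
    return [snoop_verdict(f, trusted_ports, authorized_servers) for f in frames]


if __name__ == "__main__":
    for frame, (verdict, reason) in zip(SAMPLE_FRAMES, filter_frames(SAMPLE_FRAMES)):
        print(f"{frame['port']:<9} {verdict:<5} {reason}")
```

Run it and the rogue OFFER on Gi1/0/12, the OFFER from the unlisted server and the client with a forged chaddr are all dropped, which gives the per-VLAN containment the thread is after without multi-homing the DHCP server. On Cisco IOS the equivalent is ip dhcp snooping plus ip dhcp snooping vlan on the VLANs concerned, with ip dhcp snooping trust only on the uplink. Brian's aside also matters here: ip helper-address relays a default set of UDP broadcasts (TFTP, DNS, time, NetBIOS name and datagram, TACACS and BOOTP), so narrow it with no ip forward-protocol udp for the ports that should not cross the router.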
RE: [ActiveDir] File replication setup problem
Steve- Is the box running R2? You need to upgrade to schema v31 (r2) if so. If not I tend to think your DNS is busted. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan (Temp) Sent: Monday, January 15, 2007 8:51 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] File replication setup problem Howdy, Brain Trust: I have two servers, one in Poland, the other in Sweden, that I want to install FRS on (and later upgrade to DFS) so that I can back up these remote location files locally on a high-speed offsite backup here in the States. I'm attempting to go slow and do a little bit at a time. When I Run the New Replication Group Wizard and name the replication group and hit Next, the following error happens: company.com: The Active Directory schema on domain controller ftp server.domain.com cannot be read. This error might be caused by a schema that has not been extended, or was extended improperly. See Help and Support Center for information about extending the Active Directory schema. A class schema object cannot be found. I've tried and tried to extend the schema, the results are normal (no errors), and still the AD schema is broken. It swears up and down that it is a 2003 schema. I can't install AD on the Sweden server because something ain't right with it (schema), and now this. I have two servers running here in the states as DC's, and they both think they are the top dog controller because whenever I try to do something like this it tells me the schema is broken. The FTP server and the mail server are both set up as DC's, both have AD on them. How do I tell one of them that they are no longer the master? Can I just delete (remove) the AD schema from the ftp server and reinstall it without serious breakage? I'm not sure that a simple demote will do the trick. 
I'm enough of a thumb-fingered idiot when it comes to AD that I live in fear of really screwing the pooch if I do something like this - but I have to get it solved somehow. Somebody got a life preserver? Steve Egan (temp) Systems/Network Engineer Occasional AD fumble-fingered idiot
RE: [ActiveDir] R2 Schema
I thought you needed the schema updates for the extra attributes for pushing printers via GP. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Sunday, January 14, 2007 4:13 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] R2 Schema (for those on the off chance interested in the SBS impact) While SBS's r2 release does not give you the functionality of the real R2 bits, to have DFSRv2 on member servers you have to bump the schema on the SBS DC. The only parts of the real r2 that SBS 2003 R2 gets is FSRM and MMC 3.0. http://blogs.technet.com/sbs/archive/2006/02/28/420825.aspx More tech details there. The printer management console doesn't need a schema update that I recall.. you just need the R2 install on that server. I don't remember (don't think) I did anything on my DC when I enabled the Printer Management console on the member server. Vinnie Cardona wrote: Excellent. Thank you. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Saturday, January 13, 2007 4:42 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] R2 Schema the AD schema is (must be) extended with the R2 stuff when either: * you want to install R2 on a DC * you want to use R2 functionalities like DFS-R, PMC, UnixIDm, etc. Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. 
(BU RTINC Eindhoven) Tel: +31-(0)40-29.57.777 Mobile: +31-(0)6-26.26.62.80 E-mail: see sender address From: [EMAIL PROTECTED] on behalf of Vinnie Cardona Sent: Sat 2007-01-13 06:31 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] R2 Schema Thank you Jorge...I was just a bit puzzled by one of the lines in the doc on the CD which states that the schema is only extended if you are planning on installing W2K3r2 on a W2K3 DC. I am still in the process of reading up on W2K3r2 and DFS and thanks to you and Hunter which sent me the link to the DFS requirements...I now understand more on the requirements. Thank you all for your help. Really do appreciate it. -vC From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Friday, January 12, 2007 4:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] R2 Schema although the file servers are R2 because of the use of DFS-R (new replication mechanism), you MUST extend the AD schema so that the DFS-R information can be stored in AD Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) Tel: +31-(0)40-29.57.777 Mobile: +31-(0)6-26.26.62.80 E-mail: see sender address From: [EMAIL PROTECTED] on behalf of Vinnie Cardona Sent: Sat 2007-01-13 00:05 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] R2 Schema Interesting. I have a similar situation. But in my case they want me to roll out R2 on 10 of my W2K3sp1 file and print servers to take advantage of DFS. After reading the installation docs from the CD it appears to me that I don't have to extend the schema because the servers I will be upgrading are not DCs...would like a reassurance that this is indeed the case with the community... 
-many thanks -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Friday, January 12, 2007 3:11 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] R2 Schema I have a customer that is really pushing to have the R2 schema loaded in our W2K3 SP1 environment. The plan is to take advantage of the new DFS extensions. We don't have any plans to upgrade to R2 in the foreseeable future so we'd basically be running W2K3 with the R2 schema for several months or years. Does anyone see any potential issues with that?
RE: [ActiveDir] R2 Schema
No. I've done numerous upgrades in this scenario. It takes like five minutes. There's a known issue someone here will/probably has commented on with SFU I believe but other than that its good. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Friday, January 12, 2007 5:11 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] R2 Schema I have a customer that is really pushing to have the R2 schema loaded in our W2K3 SP1 environment. The plan is to take advantage of the new DFS extensions. We don't have any plans to upgrade to R2 in the foreseeable future so we'd basically be running W2K3 with the R2 schema for several months or years. Does anyone see any potential issues with that?
RE: [ActiveDir] R2 Schema
DFSR, Printers, integrated SFU... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson Sent: Friday, January 12, 2007 5:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] R2 Schema There shouldn't be a problem with running the R2 schema in an SP1 network. As to what that buys you, maybe someone else can address that?? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Friday, January 12, 2007 4:11 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] R2 Schema I have a customer that is really pushing to have the R2 schema loaded in our W2K3 SP1 environment. The plan is to take advantage of the new DFS extensions. We don't have any plans to upgrade to R2 in the foreseeable future so we'd basically be running W2K3 with the R2 schema for several months or years. Does anyone see any potential issues with that?
RE: [ActiveDir] Way OT: Shared Folders snap-in columns
Office autorecover will write to the share fairly frequently... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Miller Sent: Thursday, January 11, 2007 4:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Way OT: Shared Folders snap-in columns I can't find an explanation and thought some of this august body might know or can point me to some resource... When viewing sessions in the Shared Folders MMC snap-in for an AD member file server, there is a column labeled Idle Time. What events reset this timer? I sometimes see very short idle times in the wee hours of the morning when I'm pretty sure no human is at the client machine. In the Computer column I see some machines listed by their NetBIOS name, obviously from info in the AD integrated DDNS. Others are listed by their FQDN which is not related to the assigned NetBIOS name. This must be coming from the non-AD related, public DNS to which the AD DDNS refers inquiries for other domains. (The AD domain name and the public domain name are different.) What might be different about the way these machines were set up? Just curious... TIA, -mjm
RE: [ActiveDir] Shares with Computer Account Permissions
No. This would only apply for things running in the context of the computer account (e.g. services as SYSTEM or NETWORK SERVICE). When you go to \\server in Explorer you connect as ben not bensmachine... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Tuesday, January 09, 2007 4:09 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Shares with Computer Account Permissions I was asked today whether it was possible to allow or deny access to shares not just based on user accounts, but also upon computer accounts. My immediate response was that I didn't think so. So I tested it by simply creating a folder up on our file server, and added the computer account for my workstation and denying it access completely. This made no difference to my permissions when trying to access it from this workstation. So my question is this, is there any way to design access permissions in such a way so you could not only allow access to a share to a certain security group, but also to this security group only when they are accessing it on hosts that we have explicitly defined? ~Ben
RE: [ActiveDir] AD Schema - adding an attribute
It's an attribute of the user class. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Wednesday, January 10, 2007 8:53 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Schema - adding an attribute Hi, Thanks for the replies. birthDate already exists - can you take advantage of it? Where would I find this? If it already exists I think I'd be better off using that one. Thanks, -- Matt Brown [EMAIL PROTECTED] Sr. Consultant for Student Technology Fee website: http://techfee.ewu.edu/ +--+ | 509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004 +--+ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Tuesday, January 09, 2007 9:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Schema - adding an attribute Well, first off - birthDate already exists - can you take advantage of it? Second you need to register a prefix and OID tree with Microsoft on MSDN. This is how you will get a starting point for OIDs. You'll also get a prefix so it would be ewu-birthMonth or something. Don't use oidgen. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Tuesday, January 09, 2007 10:56 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD Schema - adding an attribute How do I add an attribute to AD? I'd like to add birthMonth, birthDay, birthYear to my Active Directory Schema for extra data to store for my users. Looking in MMC - Schema, I see I can add an attribute, but it wants an Object ID (OID). I know there's a oidgen program somewhere (haven't found it yet). but is that the best way to do it? Thanks, -- Matt Brown [EMAIL PROTECTED] Sr. Consultant for Student Technology Fee website: http://techfee.ewu.edu/ +--+ | 509.359.6972 ph. 
- 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004 +--+
RE: [ActiveDir] AD Schema - adding an attribute
Yeah. Joe just emailed me too offlist - I seem to be hallucinating. I've seen it in so many directories I guess I thought it was part of the standard <g>. My suggestion is to keep birthDate in HR but you can easily extend the schema to include it if you want. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Wednesday, January 10, 2007 11:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Schema - adding an attribute I can't seem to find the birthDate attribute in any of my classes. Looking in MMC-ActiveDirectorySchema. Thanks, -- Matt Brown [EMAIL PROTECTED] Sr. Consultant for Student Technology Fee website: http://techfee.ewu.edu/ +--+ | 509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004 +--+ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, January 10, 2007 8:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Schema - adding an attribute It's an attribute of the user class. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Wednesday, January 10, 2007 8:53 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Schema - adding an attribute Hi, Thanks for the replies. birthDate already exists - can you take advantage of it? Where would I find this? If it already exists I think I'd be better off using that one. Thanks, -- Matt Brown [EMAIL PROTECTED] Sr. Consultant for Student Technology Fee website: http://techfee.ewu.edu/ +--+ | 509.359.6972 ph. 
- 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004 +--+

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Tuesday, January 09, 2007 9:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Schema - adding an attribute

Well, first off - birthDate already exists - can you take advantage of it? Second you need to register a prefix and OID tree with Microsoft on MSDN. This is how you will get a starting point for OIDs. You'll also get a prefix so it would be ewu-birthMonth or something. Don't use oidgen.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Tuesday, January 09, 2007 10:56 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD Schema - adding an attribute

How do I add an attribute to AD? I'd like to add birthMonth, birthDay, birthYear to my Active Directory Schema for extra data to store for my users. Looking in MMC - Schema, I see I can add an attribute, but it wants an Object ID (OID). I know there's an oidgen program somewhere (haven't found it yet), but is that the best way to do it?

Thanks, -- Matt Brown [EMAIL PROTECTED] Sr. Consultant for Student Technology Fee website: http://techfee.ewu.edu/ +--+ | 509.359.6972 ph.
- 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004 +--+
RE: [ActiveDir] DNS Comments
This is not a dynamic zone at all. The AD domains are all already integrated and dynamic and working. As far as the BIND merging, this is actually a bit of a cleanup/migration so it’s going to require some custom scripting more than anything.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wells, James Arthur Sent: Monday, January 08, 2007 9:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS Comments

If there are enough deltas that aren’t being made by Dynamic DNS, then I would suggest just looking into an IPAM solution like Infoblox or Bluecat. Either one can provide a management interface and BIND server that can then be merged with your existing zone through a number of API options… --James

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Monday, January 08, 2007 8:28 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS Comments

Integrated. They tell me they make a couple updates a day to the zone.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Monday, January 08, 2007 7:53 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DNS Comments

Weird name but they get good press. I haven't tried them myself, but I've heard of them. Most of the others out there tend to want to take over the DNS vs. provide tools. Personally, I'm a fan of setting it up well (design for success and all that) and using cli to manage so I haven't really researched after-market tools. One thing that comes to mind: is this going to be integrated or traditional zone with primary and secondary configurations? How much maintenance is expected?
On 1/8/07, Brian Desmond [EMAIL PROTECTED] wrote:

What a weird name – thanks for the link

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, January 08, 2007 7:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS Comments

I like these guys: http://www.miceandmen.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Monday, January 08, 2007 4:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS Comments

Well there hasn't been some sort of ruling on whether the existing BIND folks will get new tools or the AD team (which is very gui dependent) will take it over. Are there any commercial tools you'd recommend I look at as far as management goes?

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Sunday, January 07, 2007 1:35 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DNS Comments

Backup a second - how do you plan to manage the zones? I ask because this might be a good time to re-evaluate the metadata concept of the zones. In BIND you see that information because of the way you manage the zone. In AD there is a different way to manage the zone information that doesn't include that information. If you decide to manage the zones the same way, then handle the comments the same way. If you decide to go GUI (often a shock for a real BIND techie and often doesn't last long) then consider using a CMDB-type of mechanism to record the metadata. You may also consider some alternate tools to manage the DNS systems instead of the built in tools. Performance is pretty rough with the included anyway so it's not like you won't consider it later :) This is a change in the way they do things. It deserves a change in the way they are used to doing things.
Al

On 1/5/07, Brian Desmond [EMAIL PROTECTED] wrote:

Does anyone on this DL have experience with this problem? I am working on potentially migrating numerous UNIX BIND zones to AD Integrated DNS. The BIND zones have various comments in them which go with the record. I believe the dnsNode class in AD supports a notes field or similar but the GUI doesn't. How do people manage metadata about their DNS zones?

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
RE: [ActiveDir] AD Schema - adding an attribute
Well, first off - birthDate already exists - can you take advantage of it? Second you need to register a prefix and OID tree with Microsoft on MSDN. This is how you will get a starting point for OIDs. You'll also get a prefix so it would be ewu-birthMonth or something. Don't use oidgen.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Tuesday, January 09, 2007 10:56 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD Schema - adding an attribute

How do I add an attribute to AD? I'd like to add birthMonth, birthDay, birthYear to my Active Directory Schema for extra data to store for my users. Looking in MMC - Schema, I see I can add an attribute, but it wants an Object ID (OID). I know there's an oidgen program somewhere (haven't found it yet), but is that the best way to do it?

Thanks, -- Matt Brown [EMAIL PROTECTED] Sr. Consultant for Student Technology Fee website: http://techfee.ewu.edu/ +--+ | 509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004 +--+
RE: [ActiveDir] DNS Comments
Well there hasn’t been some sort of ruling on whether the existing BIND folks will get new tools or the AD team (which is very gui dependent) will take it over. Are there any commercial tools you’d recommend I look at as far as management goes?

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Sunday, January 07, 2007 1:35 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DNS Comments

Backup a second - how do you plan to manage the zones? I ask because this might be a good time to re-evaluate the metadata concept of the zones. In BIND you see that information because of the way you manage the zone. In AD there is a different way to manage the zone information that doesn't include that information. If you decide to manage the zones the same way, then handle the comments the same way. If you decide to go GUI (often a shock for a real BIND techie and often doesn't last long) then consider using a CMDB-type of mechanism to record the metadata. You may also consider some alternate tools to manage the DNS systems instead of the built in tools. Performance is pretty rough with the included anyway so it's not like you won't consider it later :) This is a change in the way they do things. It deserves a change in the way they are used to doing things.

Al

On 1/5/07, Brian Desmond [EMAIL PROTECTED] wrote:

Does anyone on this DL have experience with this problem? I am working on potentially migrating numerous UNIX BIND zones to AD Integrated DNS. The BIND zones have various comments in them which go with the record. I believe the dnsNode class in AD supports a notes field or similar but the GUI doesn't. How do people manage metadata about their DNS zones?

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
RE: [ActiveDir] DNS Comments
Integrated. They tell me they make a couple updates a day to the zone.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Monday, January 08, 2007 7:53 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DNS Comments

Weird name but they get good press. I haven't tried them myself, but I've heard of them. Most of the others out there tend to want to take over the DNS vs. provide tools. Personally, I'm a fan of setting it up well (design for success and all that) and using cli to manage so I haven't really researched after-market tools. One thing that comes to mind: is this going to be integrated or traditional zone with primary and secondary configurations? How much maintenance is expected?

On 1/8/07, Brian Desmond [EMAIL PROTECTED] wrote:

What a weird name – thanks for the link

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, January 08, 2007 7:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS Comments

I like these guys: http://www.miceandmen.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Monday, January 08, 2007 4:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS Comments

Well there hasn't been some sort of ruling on whether the existing BIND folks will get new tools or the AD team (which is very gui dependent) will take it over. Are there any commercial tools you'd recommend I look at as far as management goes?

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Sunday, January 07, 2007 1:35 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DNS Comments

Backup a second - how do you plan to manage the zones? I ask because this might be a good time to re-evaluate the metadata concept of the zones.
In BIND you see that information because of the way you manage the zone. In AD there is a different way to manage the zone information that doesn't include that information. If you decide to manage the zones the same way, then handle the comments the same way. If you decide to go GUI (often a shock for a real BIND techie and often doesn't last long) then consider using a CMDB-type of mechanism to record the metadata. You may also consider some alternate tools to manage the DNS systems instead of the built in tools. Performance is pretty rough with the included anyway so it's not like you won't consider it later :) This is a change in the way they do things. It deserves a change in the way they are used to doing things.

Al

On 1/5/07, Brian Desmond [EMAIL PROTECTED] wrote:

Does anyone on this DL have experience with this problem? I am working on potentially migrating numerous UNIX BIND zones to AD Integrated DNS. The BIND zones have various comments in them which go with the record. I believe the dnsNode class in AD supports a notes field or similar but the GUI doesn't. How do people manage metadata about their DNS zones?

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
RE: [ActiveDir] AD Auditing and Change Control
Garrett- You need something to process your event logs with. I have used MOM for this as well as ACS (which never saw the light of day but will ship as part of MOM2007). Quest and NetIQ (and possibly NetPRO) also all have tools that can do this type of thing. I have used Ecora as well. It has nice pretty reports and is priced at an affordable price point. I prefer the MOM/ACS route mostly because I can play with the raw data to my liking.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mattingly, Garrett Sent: Friday, January 05, 2007 11:18 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD Auditing and Change Control

Hi All, I was asked if there was a way to find out all changes performed in AD by a particular user account. The person was wondering if there is an AD attribute to query on to do this. Natively I believe that event log auditing is about the only way you can track this information, which is almost useless because the security log overwrites after a day or so. As far as I know in AD you have a creation and modified date on objects in AD but there is no created by or modified by attribute that I am aware of. I thought maybe object owner might be an attribute but I did not see this listed in ADSIEdit. This is basically a "How can we find out what this guy is doing or did?" problem.

Questions: Is this even possible with native tools? Are there recommended 3rd party tools that could do this? I've heard of something called ECORA Auditor Pro, anybody use this?

Thanks, Garrett
RE: [ActiveDir] ADFind help
Set your filter to (proxyAddresses=smtp*) to get all the smtp addresses. Just do * for stuff like x400 also.

Adfind -b ou=myou,dc=mydomain,dc=com -f (proxyAddresses=*)

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers Sent: Friday, January 05, 2007 1:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] ADFind help

Hello, colleagues, I'm sorry to have to ask this, but I can't figure out how to get this information for a particular client. She wants a list of all the primary email addresses and their secondary email addresses (aliases) for a particular OU in Active Directory. This OU is named FND, and it is at the top of mydomain.mydepartment.local. It has sub-OU's as well. I figure ADFind will do the job, but I just am not familiar enough with the tool to get the information out. Can somebody help me?

-- Larry Wahlers Concordia Technologies The Lutheran Church - Missouri Synod mailto:[EMAIL PROTECTED] direct office line: (314) 996-1876
[ActiveDir] DNS Comments
Does anyone on this DL have experience with this problem? I am working on potentially migrating numerous UNIX BIND zones to AD Integrated DNS. The BIND zones have various comments in them which go with the record. I believe the dnsNode class in AD supports a notes field or similar but the GUI doesn't. How do people manage metadata about their DNS zones?

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
RE: [ActiveDir] ADFind help
Do you have such a feature that combines ou=myou with whatever searchroot -default resolves? It occurred to me today that that would save a lot of typing.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, January 06, 2007 12:51 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADFind help

Yep that will do it. It can be further refined. :) I put in a special shortcut for this specific case:

adfind -b ou=myou,dc=mydomain,dc=com -sc exchaddresses

If you just want the SMTP addresses, i.e. you don't care about X400 addresses which is most people, you can do the following:

adfind -b ou=myou,dc=mydomain,dc=com -sc exchaddresses:smtp

Which will only display SMTP addresses from proxyAddresses. The filter below will only return objects with SMTP addresses but it will still display any other types of addresses in the proxyaddresses attribute such as X400, SIP, X500, SNADS, etc. For the curious that expands out to the following switches/args:

Selected Switches -b ou=myou,dc=mydomain,dc=com -f (&(mailnickname=*)(proxyaddresses=smtp*)) -gc -mvfilter proxyaddresses=smtp
Selected Attributes proxyAddresses

I am planning on releasing a new version of AdFind (V01.35.00) in the next day or three (may even upload it tonight still if I don't run out of gas). It has a couple bug fixes around the ACL output and some additional ACL options.

joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Friday, January 05, 2007 1:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADFind help

Set your filter to (proxyAddresses=smtp*) to get all the smtp addresses. Just do * for stuff like x400 also.
Adfind -b ou=myou,dc=mydomain,dc=com -f (proxyAddresses=*)

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers Sent: Friday, January 05, 2007 1:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] ADFind help

Hello, colleagues, I'm sorry to have to ask this, but I can't figure out how to get this information for a particular client. She wants a list of all the primary email addresses and their secondary email addresses (aliases) for a particular OU in Active Directory. This OU is named FND, and it is at the top of mydomain.mydepartment.local. It has sub-OU's as well. I figure ADFind will do the job, but I just am not familiar enough with the tool to get the information out. Can somebody help me?

-- Larry Wahlers Concordia Technologies The Lutheran Church - Missouri Synod mailto:[EMAIL PROTECTED] direct office line: (314) 996-1876
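The expansion joe gives above (the LDAP filter plus the -mvfilter on proxyAddresses), as an added Python example that is not part of the thread or of AdFind: it applies the same logic offline to constructed sample objects and, going one step beyond the thread, splits the primary address from the aliases using the Exchange convention that the primary carries an upper-case "SMTP:" prefix. That the -mvfilter behaves as a case-insensitive prefix match is an assumption here.

```python
"""Offline emulation of: -f (&(mailNickname=*)(proxyAddresses=smtp*)) -mvfilter proxyAddresses=smtp
Added example; no directory connection is made and the objects below are constructed."""
from __future__ import annotations

from typing import Iterable

# Constructed sample objects (not real directory data), shaped like the
# attributes an LDAP search for mailNickname/proxyAddresses would return.
SAMPLE_OBJECTS = [
    {
        "dn": "CN=Ann Lee,OU=FND,DC=mydomain,DC=mydepartment,DC=local",
        "mailNickname": "alee",
        "proxyAddresses": [
            "SMTP:alee@mydomain.example",          # upper-case prefix: primary
            "smtp:ann.lee@mydomain.example",       # lower-case prefix: alias
            "X400:c=US;a= ;p=Mydomain;o=Exchange;s=Lee;g=Ann;",
            "sip:alee@mydomain.example",
        ],
    },
    {
        # Mail-enabled but only an X.400 address: fails the smtp* part of the filter.
        "dn": "CN=Bob Ray,OU=Sales,OU=FND,DC=mydomain,DC=mydepartment,DC=local",
        "mailNickname": "bray",
        "proxyAddresses": ["X400:c=US;a= ;p=Mydomain;o=Exchange;s=Ray;g=Bob;"],
    },
    {
        # Has an smtp address but no mailNickname: not mail-enabled, filtered out.
        "dn": "CN=svc-backup,OU=Service,OU=FND,DC=mydomain,DC=mydepartment,DC=local",
        "proxyAddresses": ["smtp:svc-backup@mydomain.example"],
    },
]


def is_smtp(value: str) -> bool:
    """AD matches proxyAddresses case-insensitively, so (proxyAddresses=smtp*)
    hits both the "SMTP:" primary and the "smtp:" aliases."""
    return value.lower().startswith("smtp:")


def matches_filter(obj: dict) -> bool:
    """Emulates (&(mailNickname=*)(proxyAddresses=smtp*)): the object must be
    mail-enabled and carry at least one SMTP-type proxy address."""
    has_nickname = bool(obj.get("mailNickname"))
    return has_nickname and any(is_smtp(v) for v in obj.get("proxyAddresses", []))


def smtp_values(obj: dict) -> list[str]:
    """Emulates -mvfilter proxyAddresses=smtp (assumed prefix match): only the
    smtp-prefixed values of the multi-valued attribute are kept for display."""
    return [v for v in obj.get("proxyAddresses", []) if is_smtp(v)]


def primary_and_aliases(obj: dict) -> tuple[str | None, list[str]]:
    """Splits primary from secondary addresses by the case of the prefix
    (Exchange convention: exactly one value is "SMTP:", the rest "smtp:")."""
    primary = None
    aliases: list[str] = []
    for value in smtp_values(obj):
        prefix, address = value.split(":", 1)
        if prefix == "SMTP":
            primary = address
        else:
            aliases.append(address)
    return primary, aliases


def report(objects: Iterable[dict]) -> list[dict]:
    """One row per object that passes the filter, as the AdFind output would
    list them, with only the smtp addresses retained and split."""
    rows = []
    for obj in objects:
        if not matches_filter(obj):
            continue
        primary, aliases = primary_and_aliases(obj)
        rows.append({"dn": obj["dn"], "primary": primary, "aliases": aliases})
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_OBJECTS):
        print(row["dn"])
        print("  primary:", row["primary"])
        for alias in row["aliases"]:
            print("  alias:  ", alias)
```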
RE: [ActiveDir] NTP Client Software
Pool.ntp.org is what you want to point to ideally.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, January 03, 2007 10:25 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] NTP Client Software

I'm assuming you have a mixed environment... granted I'm small...but I've not found the built in time sync to not sync once the DC has been properly pointed and the ports are open on the firewall properly. I've read somewhere (need to google this) that some of the military time servers that we used to sync with are no longer externally sync-able. http://support.microsoft.com/kb/314054 http://support.microsoft.com/kb/816042/

Ken Cornetet wrote: http://ntp.isc.org/bin/view/Main/ExternalTimeRelatedLinks

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Dan Smith *Sent:* Wednesday, January 03, 2007 8:53 AM *To:* ActiveDir@mail.activedir.org *Subject:* [ActiveDir] NTP Client Software

Hello. Wonder if anyone out there has any NTP client software recommendations? We need to keep some clients within 1-2 sec’s of our stratum 1 timeserver and Windows Time simply does not cut it. Any suggestions would be much appreciated. Dan

Send instant messages to your online friends http://uk.messenger.yahoo.com
RE: [ActiveDir] OT: Sorta... AD and the 3/07 Time Change
Hi Richard- The time sync process is just going to set the actual time (think UTC) not the timezone. If the client thinks it is GMT-5 then it will set the time accordingly. Given the rochester.rr address - U of R or RIT?

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Kline Sent: Sunday, December 31, 2006 2:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Sorta... AD and the 3/07 Time Change

This question addresses the March '07 Daylight Saving time change in the US and Canada (has Mexico joined in?). I work for an institute of higher learning where the policies (human, not domain) get a little... unevenly suggested. So please grant me some leniency as to why this question is even asked :) Does belonging to a domain with properly configured time synchronization lessen the concern for applying the XP patches as they relate to the March 2007 time change? Or the need to take special care with Windows 2000 workstations? In other words, will AD sync the PC clock on Windows 2000 workstations to the correct hour during next March's leap ahead?

Speaking of time: Happy New Year to Everyone! Thank you. Richard
[ActiveDir] OT MOM 2005 Install
Is there someone who has a MOM 2005 SP1 install and access to the SQL server it's on that could ping me offlist? I don't have access to my VMWare environment and I need the create script for a couple things. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
RE: [ActiveDir] Delegate Password Resets
It's in the book and his book's website - I was feeling lazy the other day and copied it verbatim to make a password reset page rather than look up the line of code I couldn't remember. Worked great.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, December 22, 2006 11:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Delegate Password Resets

Good ol .NET. :) Honestly you can probably throw a pretty simple ASP.NET app together to do this. Doubt there is a reason to buy anything and then when it dorks up you can fix on your own. JoeK probably has this code on a web site somewhere.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Friday, December 22, 2006 11:48 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Delegate Password Resets

We use a product called rDirectory and the Reset Password function has suddenly sporadically stopped working throwing what appear to be .net errors.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Friday, December 22, 2006 12:38 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Delegate Password Resets

In our case, I simply modified the security permissions on the OU containing our user accounts to provide a granular delegation of rights so the members of this security group can go into ADUC and unlock user accounts or reset/change passwords only. I modified various read/write property rights as well as reset password and change password rights. Besides modifying ACLs, what other methods of delegating password reset functions were you referring to?

From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Thu 12/21/2006 6:24 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated password reset functions to your helpdesks. We have a product that does this but it is continually having problems and want to know if there are any other ways.

Justin A. Salandra MCSE Windows 2000 and 2003 Network and Technology Services Manager Catholic Health Care System 646.505.3681 cell 917.455.0110 [EMAIL PROTECTED]
RE: [ActiveDir] Delegate Password Resets
A lot of companies don't have someone with your skill set to write it so they think it's cheaper to buy stuff every time than to employ a decent dev or two. It adds up over time but they still don't get it. There's also the companies who have tons of devs and they're all clueless.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan Sent: Saturday, December 23, 2006 12:02 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Delegate Password Resets

This is definitely something I've written a few times. I actually don't have a stand alone ASP.NET page that does this, as I tend to write ASP.NET apps that are a bit more architected and have stuff implemented in different layers to help facilitate reuse and testability, so the actual LDAP code would be in a different DLL and the page would be a very thin facade. However, the complete code samples from our book would make a nice foundation for building a page to do this. We also cover the reasons why ADSI SetPassword and ChangePassword can be so tricky to deal with in our book in ch 10 (which is a free download from www.directoryprogramming.net). We also have a pure LDAP approach in our book that successfully avoids most of these problems, but it requires .NET 2.0 (hopefully not a big issue for most people these days). I agree that buying a program to do this seems a little crazy to me, but I'm also a good developer, so a lot of things that seem easy to me might not be easy to other people.

Joe K.

- Original Message - From: joe To: ActiveDir@mail.activedir.org Sent: Friday, December 22, 2006 11:34 AM Subject: RE: [ActiveDir] Delegate Password Resets

Good ol .NET. :) Honestly you can probably throw a pretty simple ASP.NET app together to do this. Doubt there is a reason to buy anything and then when it dorks up you can fix on your own. JoeK probably has this code on a web site somewhere.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Friday, December 22, 2006 11:48 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Delegate Password Resets

We use a product called rDirectory and the Reset Password function has suddenly sporadically stopped working throwing what appear to be .net errors.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Friday, December 22, 2006 12:38 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Delegate Password Resets

In our case, I simply modified the security permissions on the OU containing our user accounts to provide a granular delegation of rights so the members of this security group can go into ADUC and unlock user accounts or reset/change passwords only. I modified various read/write property rights as well as reset password and change password rights. Besides modifying ACLs, what other methods of delegating password reset functions were you referring to?

From: [EMAIL PROTECTED] on behalf of Salandra, Justin A. Sent: Thu 12/21/2006 6:24 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated password reset functions to your helpdesks. We have a product that does this but it is continually having problems and want to know if there are any other ways.

Justin A. Salandra MCSE Windows 2000 and 2003 Network and Technology Services Manager Catholic Health Care System 646.505.3681 cell 917.455.0110 [EMAIL PROTECTED]
RE: [ActiveDir] Delegate Password Resets
I gave a 500K seat org helpdesk a copy of ADUC and the same rights as below and it worked like a charm. Not pretty but cheap and functional.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Friday, December 22, 2006 12:38 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Delegate Password Resets

In our case, I simply modified the security permissions on the OU containing our user accounts to provide a granular delegation of rights so the members of this security group can go into ADUC and unlock user accounts or reset/change passwords only. I modified various read/write property rights as well as reset password and change password rights. Besides modifying ACLs, what other methods of delegating password reset functions were you referring to?

From: [EMAIL PROTECTED] on behalf of Salandra, Justin A. Sent: Thu 12/21/2006 6:24 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated password reset functions to your helpdesks. We have a product that does this but it is continually having problems and want to know if there are any other ways.

Justin A. Salandra MCSE Windows 2000 and 2003 Network and Technology Services Manager Catholic Health Care System 646.505.3681 cell 917.455.0110 [EMAIL PROTECTED]
RE: [ActiveDir] OT:TechNet Magazine Active Directory Component Jigsaw Poster:
Talk to your account team if you want one (or more) ... one of my accounts they were giving them away.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, December 20, 2006 1:24 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT:TechNet Magazine Active Directory Component Jigsaw Poster:

Very cool but you'd have to have one heck of a printer (plotter or similar) to equal the one that came with the dead tree version =)

Thanks, Andrew Fidel

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/19/2006 08:32 PM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject [ActiveDir] OT:TechNet Magazine Active Directory Component Jigsaw Poster:

Download details: TechNet Magazine Active Directory Component Jigsaw Poster: http://www.microsoft.com/downloads/details.aspx?familyid=c236336d-ab43-44b1-ad6f-a2f668fb8c02&displaylang=en

-- Letting your vendors set your risk analysis these days? http://www.threatcode.com If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] Schema Extension Question
It should be fine with normal credentials. Why are you so scared of SP1 or a schema extension? Neither of them are going to end the world... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Tuesday, December 19, 2006 8:41 AM To: activedir@mail.activedir.org Subject: [ActiveDir] Schema Extension Question Guys (and Gals) I am far from an LDAP expert and we have not modified our Windows 2003 FFL Schema at all. I don't even have SP1 running as I am just still a little gunshy about it. But now me and my network engineer are under heavy pressure to move our POP 3 email clients to a Server Centric Web based model that will allow internet access to email. So my network engineer and *nix expert is testing a *nix based program to do that. We are having trouble with it connecting to AD to authenticate Users because it is popping errors that state I can't find the Schema extensions. He is chasing that and I'm not really happy about modifying the schema, if indeed we end up having to do that, but here is my question. Will this app need an elevated credential (Domain or Enterprise Admin) to simply LDAP query the AD from this *nix box to get usernames or passwords or can it be done without that power? I know you don't know the app, but the question is a generic one relative to *nix boxes querying an AD. Thanks in advance. RH _ Rocky Habeeb Microsoft Systems Administrator James W. Sewall Company Old Town, Maine Voice: 207.827.4456 Ext. 387 Email: [EMAIL PROTECTED] www.jws.com _
RE: [ActiveDir] OT: Group Restrictions
No. Limit who can send to it to people who aren't stupid. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Tuesday, December 19, 2006 4:02 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Group Restrictions Not sure if this is possible, but in the Exchange General tab of a Distribution group, I am able to restrict messages from certain individuals. Is it possible to restrict people from sending mail to that group using the To: or Cc: field? I only want them to use BCC:. Reason is, I want to prevent people from replying ALL to Distribution Groups that contains members of the whole company. -Devon This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.
RE: [ActiveDir] ADfind to find locked accounts
Search for lockoutTime>0. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Tuesday, December 19, 2006 5:06 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] ADfind to find locked accounts I'm using a bitwise filter to search for locked accounts using ADFind. I have one particular account, a service account, that is locked out and also has Password No Expire set. In ADFind it comes up as such... C:\tools>adfind -default -bit -f samaccountname=servaccount -alldc useraccountcontrol AdFind V01.33.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006 Transformed Filter: samaccountname=servaccount Using server: dc.appsig.com:389 Directory: Windows 2000 Base DN: DC=appsig,DC=com dn:CN=servaccount,OU=APSG SvcAccounts,DC=appsig,DC=com userAccountControl: 66048 [NORMAL_USER(512);NO_EXPIRE(65536)] Why does the userAccountControl read as 512+65536 only? Shouldn't it be 512 (Normal User) + 16 (Locked Out) + 65536 (No Expire) = 66064? In fact, I cannot even find this account when searching for locked accounts via ADFind. The only reason I realized it was locked out was because I also used Joe's Unlock utility to search for all locked accounts and it returned this account as part of the search. C:\tools>unlock . * -view Unlock V02.01.00cpp Joe Richards ([EMAIL PROTECTED]) August 2004 Processed at dc.appsig.com Default Naming Context: DC=appsig,DC=com 1: servaccount 12/15/2006-10:52:45 LOCKED VIEW_ONLY I'm probably just missing something here, but was hoping for some clarification. Thanks, ~Ben
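The point behind Brian's one-liner, worked through as an added example (my code, not anything posted in the thread): the LOCKOUT bit (16) is never written into the stored userAccountControl, so Ben's bitwise filter can only ever miss; the directory records a lockout in lockoutTime, and that is what a filter has to test. The catch a practitioner wants is that lockoutTime is not cleared when the lockout window elapses, so a plain lockoutTime>=1 search also returns accounts that already unlocked themselves. The sample accounts, the 30 minute lockoutDuration and the "never unlock" sentinel values are assumptions made for the example.

```python
"""Finding locked-out accounts via LDAP: added example, not code from the thread.

Ben's ADFind output shows userAccountControl = 66048 on a locked account, i.e.
NORMAL_ACCOUNT (0x200) + DONT_EXPIRE_PASSWORD (0x10000) and no LOCKOUT (0x10)
bit. That is expected: AD derives lockout state from lockoutTime and does not
set the LOCKOUT bit in the stored attribute, so a bitwise filter on
userAccountControl cannot find locked accounts. Search on lockoutTime, then
drop the entries whose lockout has already expired.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bits (ADS_USER_FLAG values)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",  # not present in the stored attribute
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

# lockoutTime and lockoutDuration are FILETIME-style counts of 100 ns ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# lockoutDuration values taken to mean "locked until an administrator unlocks it"
# (assumption: 0, or the most negative 64-bit value AD stores for "never").
NEVER_UNLOCK = (0, -(2 ** 63))


def decode_uac(value: int) -> list:
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def locked_out_filter() -> str:
    """LDAP filter matching every user with a lockout recorded (lockoutTime > 0)."""
    return "(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))"


def is_effectively_locked(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """True only while the lockout is still in force.

    lockoutTime is zeroed only by a successful logon or an explicit unlock,
    not when the lockout window elapses, so lockoutTime>=1 also matches
    accounts that unlocked themselves hours ago. lockoutDuration on the
    domain head is a negative tick count.
    """
    if lockout_time <= 0:
        return False
    if lockout_duration in NEVER_UNLOCK:
        return True
    unlock_at = filetime_to_datetime(lockout_time) + timedelta(microseconds=(-lockout_duration) // 10)
    return now < unlock_at


def currently_locked(entries: list, lockout_duration: int, now: datetime) -> list:
    """sAMAccountNames of the entries (dicts of LDAP attributes) still locked."""
    return [e["sAMAccountName"] for e in entries
            if is_effectively_locked(e.get("lockoutTime", 0), lockout_duration, now)]


# Constructed sample data: a 30 minute lockoutDuration and three accounts.
LOCKOUT_30_MIN = -18_000_000_000  # 1800 s in 100 ns ticks
NOW = datetime(2006, 12, 15, 11, 0, tzinfo=timezone.utc)
LATER = datetime(2006, 12, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "servaccount", "userAccountControl": 66048,
     "lockoutTime": datetime_to_filetime(datetime(2006, 12, 15, 10, 52, 45, tzinfo=timezone.utc))},
    {"sAMAccountName": "olduser", "userAccountControl": 512,
     "lockoutTime": datetime_to_filetime(datetime(2006, 12, 14, 8, 0, tzinfo=timezone.utc))},
    {"sAMAccountName": "fine", "userAccountControl": 512, "lockoutTime": 0},
]

if __name__ == "__main__":
    print(decode_uac(66048))                               # no LOCKOUT flag
    print(locked_out_filter())
    print(currently_locked(SAMPLE, LOCKOUT_30_MIN, NOW))  # ['servaccount']
```

Run against a real domain, the filter string goes into adfind (or any LDAP client) and lockoutDuration comes from the domain head; the expiry check is what separates "locked right now" from "was locked at some point and nobody has logged on since".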
RE: [ActiveDir] Redirecting MyDocs without Offline folder sync
Right click the share and go to the sharing tab and disable offline files/sync'ing... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, December 18, 2006 11:34 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Redirecting MyDocs without Offline folder sync So I'm trying to set up a new policy that will redirect my users My Documents directory, but I don't want the off line folder sync to happen when they log out of their workstations. Anyone know what setting I need to change in order to make this happen? Thanks -Chris
RE: [ActiveDir] AD Reports
I usually use Joe's ADFIND tool, Excel, and SQL. Occasionally I would replace adfind with a simple .net app if I need some logic as part of the data collection process. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alberto Oviedo Sent: Monday, December 18, 2006 11:45 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD Reports What's the best AD reporting tool? My boss wants a report of all the users who are allowed to send and receive Internet Mail in exchange 2003. I can go and check user by user but we have over 500 users.
RE: [ActiveDir] Automatic user disable based on criteria
If whenCreated > 7 days and pwdLastSet = 0 then they haven't logged in yet... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar Sent: Monday, December 18, 2006 12:19 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Automatic user disable based on criteria Hi All, DFL & FFL : Win2k-Native DCs : Win2k3-SP1 User accounts are automatically provisioned as enabled with Change Password at Next logon. And management wants to disable new accounts which have not logged into domain within next 7 days of creation. And they want it to happen automatically. I have problem at hand as I can't use LastLogonTimeStamp as DFL is not supportive. I can't connect to each DC and search for lastlogon as number of DCs are too large, can't go by whenchanged, as that is generic attribute, which could get changed for any other attribute also. Any other attribute would help me? Currently LDAP filter checks for account created on specific day (say current day - 7) and whose Change Password at next logon is still ticked i.e. pwdlastset=0 But this doesn't take care of scenario, where users are created on that same day (current - 7) and logged into network, changed their password, but around the time of running script, had forgotten password and helpdesk had reset their password and set Change Password at next logon I hope I am not confusing you all. :-) I know, simple solution would be to change criteria to say 15 days, raise DFL and use LLTS, but I am taking this as a scripting challenge at Win2k-native DFL. Hey joe, is there a way to see replication meta data using adfind? ;-) If yes, I could take a peek at originating date/time for attributes. -- Kamlesh ~ You teach best what you most need to learn. ~
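Brian's rule and Kamlesh's edge case, worked through as an added example (my code, not anything posted in the thread). The first half builds the filter the thread describes: enabled users, created at least seven days ago, pwdLastSet still 0. The second half is the replication-metadata idea Kamlesh floats at the end: Windows Server 2003 DCs expose the originating change time of each attribute through the constructed attribute msDS-ReplAttributeMetaData, and if pwdLastSet was last zeroed long after whenCreated, a helpdesk reset happened and the account has been used. The XML element names, the ten-minute provisioning grace period and the sample entries are assumptions made for the example; check the element names against your own DC's output.

```python
"""Flagging provisioned-but-never-used accounts at Win2k DFL: added example,
not code from the thread. The metadata element names are as I recall them
from msDS-ReplAttributeMetaData; verify against a real DC. Sample data below
is constructed.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

UTC = timezone.utc
GT_FORMAT = "%Y%m%d%H%M%S.0Z"        # LDAP generalized time as AD writes whenCreated
META_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # timestamps inside msDS-ReplAttributeMetaData


def generalized_time(dt: datetime) -> str:
    return dt.astimezone(UTC).strftime(GT_FORMAT)


def parse_generalized_time(text: str) -> datetime:
    return datetime.strptime(text, GT_FORMAT).replace(tzinfo=UTC)


def never_used_filter(now: datetime, days: int = 7) -> str:
    """Enabled users created at least `days` ago that still have pwdLastSet = 0."""
    cutoff = generalized_time(now - timedelta(days=days))
    return ("(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
            f"(whenCreated<={cutoff}))")


def pwd_last_set_origin(metadata_values):
    """Originating change time of pwdLastSet from msDS-ReplAttributeMetaData values."""
    for xml_text in metadata_values:
        node = ET.fromstring(xml_text)
        if node.findtext("pszAttributeName") == "pwdLastSet":
            stamp = node.findtext("ftimeLastOriginatingChange")
            return datetime.strptime(stamp, META_FORMAT).replace(tzinfo=UTC)
    return None


def should_disable(entry: dict, now: datetime, days: int = 7,
                   grace: timedelta = timedelta(minutes=10)) -> bool:
    """Apply the 7-day rule, then skip accounts whose pwdLastSet was re-zeroed later."""
    created = parse_generalized_time(entry["whenCreated"])
    if entry.get("pwdLastSet", 0) != 0 or now - created < timedelta(days=days):
        return False
    origin = pwd_last_set_origin(entry.get("msDS-ReplAttributeMetaData", []))
    if origin is not None and origin - created > grace:
        return False   # zeroed again after provisioning: a helpdesk reset, so the user had logged on
    return True


def accounts_to_disable(entries, now, days: int = 7) -> list:
    return [e["sAMAccountName"] for e in entries if should_disable(e, now, days)]


def _meta(attr: str, version: int, stamp: str) -> str:
    """Constructed msDS-ReplAttributeMetaData value for the sample entries."""
    return (f"<DS_REPL_ATTR_META_DATA><pszAttributeName>{attr}</pszAttributeName>"
            f"<dwVersion>{version}</dwVersion>"
            f"<ftimeLastOriginatingChange>{stamp}</ftimeLastOriginatingChange>"
            "</DS_REPL_ATTR_META_DATA>")


NOW = datetime(2006, 12, 18, 12, 0, tzinfo=UTC)
SAMPLE = [
    # created 8 days ago, never touched since provisioning
    {"sAMAccountName": "newhire1", "whenCreated": "20061210090000.0Z", "pwdLastSet": 0,
     "msDS-ReplAttributeMetaData": [_meta("pwdLastSet", 1, "2006-12-10T09:00:03Z")]},
    # created 8 days ago, logged on, forgot the password, helpdesk reset it on the 17th
    {"sAMAccountName": "newhire2", "whenCreated": "20061210090000.0Z", "pwdLastSet": 0,
     "msDS-ReplAttributeMetaData": [_meta("pwdLastSet", 3, "2006-12-17T15:20:00Z")]},
    # created 8 days ago, password changed by the user
    {"sAMAccountName": "newhire3", "whenCreated": "20061210090000.0Z", "pwdLastSet": 128000000000000000},
    # created yesterday
    {"sAMAccountName": "newhire4", "whenCreated": "20061217090000.0Z", "pwdLastSet": 0},
]

if __name__ == "__main__":
    print(never_used_filter(NOW))
    print(accounts_to_disable(SAMPLE, NOW))   # ['newhire1']
```

The filter alone returns newhire1 and newhire2; only the metadata check tells them apart, which is why it is worth pulling msDS-ReplAttributeMetaData for the candidates before disabling anything.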
RE: [ActiveDir] Redirecting MyDocs without Offline folder sync
On the actual share, not through DFS go to the properties of it and the sharing tab. There's a button towards the bottom that controls this. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, December 18, 2006 1:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Redirecting MyDocs without Offline folder sync I guess I forgot to mention that this is a share via DFS. I couldn't find the setting to turn that off. -Chris Right click the share and go to the sharing tab and disable offline files/sync'ing... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, December 18, 2006 11:34 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Redirecting MyDocs without Offline folder sync So I'm trying to set up a new policy that will redirect my users My Documents directory, but I don't want the off line folder sync to happen when they log out of their workstations. Anyone know what setting I need to change in order to make this happen? Thanks -Chris
RE: [ActiveDir] Strange Lock Out Issue
Eventcombmt the DCs for whatever the lockout ID is also works. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Monday, December 18, 2006 2:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Strange Lock Out Issue Download the Account Lockout and Management Tools from Microsoft. More specifically, from the downloaded EXE, extract the LockoutStatus.EXE file and use it to query for the user account that is having issues. It will tell you how many bad password attempts have been made, what time/date the lockout occurred, and on what DC. Furthermore, you can directly manage the Domain Controller from the tool and pull up the event viewer to look for the security entry pointing you to the source of the bad credentials. It's always worked like a charm for me when dealing with issues like these. Good luck, ~Ben From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Monday, December 18, 2006 11:35 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Strange Lock Out Issue I have a user, who is not logged in anywhere else, and while surfing the web or accessing a program is getting locked out of her account for no reason. I have checked the logs on all three domain controllers and nothing is showing a failed logon attempt or bad password. It doesn't even show when the account got locked. Any ideas on how to rectify this? Justin A. Salandra MCSE Windows 2000 & 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell [EMAIL PROTECTED]
RE: [ActiveDir] AdminSDHolder orphans
Yeah this caused me issues when I was at a large client which had this propensity to put everyone and their brother into a group that triggered this behavior. What I would do is dump everyone with admincount>0, then set admincount=0 on all of them, wait a bit, and see who was back to >0 and then fix the deltas. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Monday, December 18, 2006 8:32 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] AdminSDHolder orphans Just wanted to get your opinion on something. When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will: * Replace the object's security descriptor with that of the AdminSDHolder; * Disable permissions inheritance on the object; * Set a new adminCount attribute with a value >0 on the object. If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor. Is it just me or does anyone think this behaviour a little strange? What I am finding in many environments is a large number of these AdminSDHolder orphans. These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common. The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. I had to tidy up before the sync would complete without errors. 
Does anyone run a regular cleanup using the script provided in this article (or similar)? http://support.microsoft.com/kb/817433 Do you think the AdminSDHolder behaviour should be changed to clean-up after itself? Tony Sent via the WebMail system at mail.activedir.org
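The orphan test Tony and Brian are circling, written out as an added example (my code, neither from the thread nor from the KB 817433 script). An orphan is an object that still carries adminCount = 1 and the AdminSDHolder ACL but is no longer a direct or nested member of any protected group, so the check is "adminCount >= 1 and not in the transitive membership of the protected set". Brian's zero-everything-and-diff trick converges on the same set, because SDProp only re-marks the transitive members. The protected group list is the Windows Server 2003 SP1 one; the membership graph (including a nested-group cycle, which real forests do have) is constructed, and the LDIF/dsacls cleanup plan is an assumption about how you would apply the fix, not something the thread prescribes.

```python
"""AdminSDHolder orphan detection and a cleanup plan: added example, not code
from the thread or from KB 817433. Protected groups are the Windows Server
2003 SP1 set; the membership data below is constructed.
"""
PROTECTED_GROUPS = {
    "Administrators", "Account Operators", "Server Operators", "Print Operators",
    "Backup Operators", "Replicator", "Domain Controllers", "Cert Publishers",
    "Domain Admins", "Enterprise Admins", "Schema Admins",
}
PROTECTED_USERS = {"Administrator", "krbtgt"}


def transitive_members(group: str, membership: dict) -> set:
    """Every principal reachable from `group`; tolerates nested-group cycles."""
    seen, stack = set(), [group]
    while stack:
        current = stack.pop()
        for member in membership.get(current, ()):
            if member not in seen:
                seen.add(member)
                stack.append(member)   # users have no members, so this is a no-op for them
    return seen


def sdprop_protected(membership: dict) -> set:
    """The set SDProp would (re)mark on its next pass: users and nested groups."""
    protected = set(PROTECTED_USERS)
    for group in PROTECTED_GROUPS:
        protected |= transitive_members(group, membership)
    return protected


def find_orphans(accounts: dict, membership: dict) -> list:
    """Objects still carrying adminCount >= 1 that SDProp would no longer touch.

    `accounts` maps name -> adminCount as dumped from the directory.
    """
    protected = sdprop_protected(membership)
    return sorted(name for name, admin_count in accounts.items()
                  if admin_count >= 1 and name not in protected)


def cleanup_plan(orphan_dns: list) -> str:
    """LDIF that clears adminCount on each orphan.

    Inheritance still has to be re-enabled on the object's security
    descriptor (e.g. dsacls <dn> /P:N); that second step is what the
    KB 817433 script automates, and clearing adminCount alone is not enough.
    """
    records = [f"dn: {dn}\nchangetype: modify\ndelete: adminCount\n-\n" for dn in orphan_dns]
    return "\n".join(records)


# Constructed sample: a nested-group cycle and one former admin (dave).
MEMBERSHIP = {
    "Domain Admins": ["alice", "Tier0-Ops"],
    "Tier0-Ops": ["bob", "Domain Admins"],        # cycle: Tier0-Ops contains Domain Admins
    "Account Operators": ["Helpdesk"],
    "Helpdesk": ["carol"],
}
ACCOUNTS = {"alice": 1, "bob": 1, "carol": 1, "dave": 1, "eve": 0,
            "Tier0-Ops": 1, "Helpdesk": 1}

if __name__ == "__main__":
    orphans = find_orphans(ACCOUNTS, MEMBERSHIP)   # ['dave']
    print(orphans)
    print(cleanup_plan([f"CN={name},OU=Staff,DC=example,DC=com" for name in orphans]))
```

Note that nested groups (Tier0-Ops, Helpdesk) come out as protected too, which matches what SDProp does; a cleanup that only looks at user objects leaves the group orphans behind.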
RE: [ActiveDir] Vista GPO
Oddly enough I was on a concall with MS the other day and one of the accounts mentioned he was rolling out a 3K seat Vista upgrade in March. Sad they already had vendor commitments for application fixes and everything. I was pretty surprised. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, December 16, 2006 6:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO I don't know of anyone officially moving to Vista any time soon. Folks are playing with it, usually IT folks are just looking to get the latest and greatest to feel cool, they don't generally really and truly need any of the features. Several places I have heard with any kind of plans are talking 2008 soonest for Vista and Office 2007. I was chatting with some other folks about this recently and I expect a lot of companies will find the migration to Vista to be even more difficult than their migration from Win9x to NT based technology. At least with NT Technology you usually had a bunch of people that had a lot of NT knowledge already and could leverage it or could go out into the newsgroups and find folks who have been running NT stuff in production for years and years. You don't really have that with Vista (and LongHorn) and the changes are sufficient enough that it will break quite a few things. I am not saying that is bad necessarily, that is what everyone started screaming for when they said MSFT wasn't secure enough. Now people will get to find out what that really means... I know quite a few developers who are hopping mad over a lot of the changes and some are even more concerned over where code signing is going, etc. Especially folks with low priced or free software that they make available because if code signing becomes absolutely required, you have to pay for that as a developer/company. 
Anyway, my thoughts are that there will be quite a few companies with custom mechanisms for managing things that they have developed over the years that will all completely fail or nearly completely fail with Vista and will have to be reworked or outright replaced which could take a lot of time. This doesn't even start to get into the realm of just plain old line of business apps. Don't get me wrong, some leading edge people will move fast and take the black eyes and bloodied noses in stride, most folks though I expect to follow the old wait for SP1 rule and then wait even longer as they realize it isn't a simple forklift of the binaries. I wouldn't be surprised to see most large companies deploying Longhorn heavily into production before Vista even. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Friday, December 15, 2006 8:32 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Vista GPO (as a bystander here .. I personally like the point/counterpoints.. just sometimes we need to realize that we lose ...what? About 60% of communication via email? And adjust accordingly okay? Can we hug and make up?) Pogue's Posts - Technology - New York Times Blog: http://pogue.blogs.nytimes.com/2006/12/14/14pogue-email-2/ Granted I'm little... but are you guys really and truly rolling out Vista in other than Lab settings anyway? I'm getting hit over the head on a daily basis by vendors who are saying Wait. My two benchmarks of when I can say I'm somewhat business ready on Vista is when the ISA firewall client that supports Vista ships (it did earlier this week) and when Trend isn't offering up beta versions as the only ones that will run on Vista. Are you guys really and truly rolling these suckers out on production boxes? Don't geeks adapt anyway? (We may not read... but we adapt right?) 
This is slightly incorrect...but the fact is SQL 2005 express officially needs sp2 to run on Vista http://money.cnn.com/2006/12/14/magazines/business2/microsoft_vista.biz2/index.htm?cnn=yes *Wait Until after Tax Time? *Note that Intuit's tax software divisions are recommending that their users wait until after tax season to make any move to Windows Vista. These notices are posted for both Lacerte Professional Tax Software http://recp.proadvisors.intuit.com/ctt?kn=18m=399604r=MzE0NTkxNTExOQ S2b= 0j=NzQzNjgzNDcS1mt=1 and ProSeries Professional Tax Software http://recp.proadvisors.intuit.com/ctt?kn=21m=399604r=MzE0NTkxNTExOQ S2b= 0j=NzQzNjgzNDcS1mt=1. *Prudence Suggested for QuickBooks Users Too.* Windows Vista holds much promise for significant improvements in security and functionality. However, Intuit suggests the decision to upgrade to Windows Vista be approached carefully, for two reasons
RE: [ActiveDir] Send As(OT)
I have a recollection of being able to send from a DL though I haven't been an Exchange admin in 6+ months so I may be thinking of something else. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, December 16, 2006 7:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Send As(OT) In Exchange nothing comes from the DL, it comes from the user who sent to the DL. I believe you cannot in actuality send from a DL because a DL is an alias, not a mailbox. I could easily be wrong not being an Exchange guy but I don't expect I am. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Tuesday, December 05, 2006 6:12 PM To: activedirectory Subject: [ActiveDir] Send As(OT) I have given a user Send As perm directly on a universal distribution group in AD. However, whenever this user selects the group from the GAL in the From: field of Outlook 2k3 and attempts to send an email as that group, he gets an error of You do not have the permission to send the message on behalf of the specified user. The group is NOT nested in any of the AdminSDHolder protected groups. The user has been given send as perms directly on the UDG. He is in no groups with explicit denys. I have also tried giving my account send as perms to the group and I get the same error. I have waited over 24hrs so its also not a info store cache/replication issue. I'm running exchange 2k3 sp2 with the latest hotfixes(including the send as one) in a win2k3 forest(win2k3 FFL/DFL). Any ideas would be great. Thanks for your time. 
RE: [ActiveDir] AB Views Export/Import
No I think he wants a GALSync type thing... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, December 16, 2006 8:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AB Views Export/Import Hey Jerry, I am not exactly sure what you are asking for here. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch Sent: Thursday, November 02, 2006 9:26 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AB Views Export/Import Would like to build a AB Views on an AD directory that stores Contacts from multiple AD Forests. Export these views to a file and Import them to each of the Forests. Does Joe's ADFind support this, or is there another tool someone can suggest. Many thanks, Jerry Jerry Welch CPS Systems US/Canada: 888-666-0277 International: +1 703 827 0919 (-5 GMT) IP Phone (Skype): Jerry_Welch ( www.skype.net http://www.skype.net/ )
RE: [ActiveDir] Vista GPO
There was a hotfix for that - they lengthened some string or something in the adm file format if I remember right. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Friday, December 15, 2006 9:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO You may recall, there was a similar case when XP came out too - if memory serves, you had to manage XP GPO settings from an XP box - if you opened them on Win2K, there were problems (I can't recall now exactly what those problems were... it would corrupt the policy? Lose the settings?) anyway so there are tons more settings (+ side) and you have to use Vista for now (- side, sorta). I wouldn't be too surprised if they fix that with the next server and XP SP... but I haven't actually heard that. --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, December 14, 2006 4:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO Vista introduces a new Admin Template format called ADMX. These are found on Vista in C:\windows\policydefinitions and, unfortunately cannot be consumed by earlier versions of Windows. That is you must manage Vista GP from Vista. Darren -Original Message- From: Za Vue [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 12/14/2006 1:18 PM Subject: Re: [ActiveDir] Vista GPO Sorry. Exactly what Ben wrote. Thanks.. -Z.V. WATSON, BEN wrote: Maybe he may be referring to the location of any possible new ADM files included with Vista. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, December 14, 2006 10:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Vista GPO What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3, unless you mean the LDIF files that are in sources\adprep on the Vista CD? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue Sent: Thursday, December 14, 2006 9:57 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Vista GPO Anyone know what and where the GPO plugin for Win2003 on the Vista DVD is called and located? -Z.V. ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. 
If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
RE: [ActiveDir] Way OT: Laptop Battery Life
I have this model too. Kill the Wifi and Bluetooth for starters. Wifi is Fn+F2 I think. Next, get a media bay battery from Dell - it can give you several (up to 4) more hours in my experience. I go through batteries pretty quickly - I think I killed the media bay battery (or at met its half life) in about 6 months. A combination of desk work and being mobile does this because of the uneven discharge/charge cycles. You can either be real meticulous about taking care of the batteries or start hitting your IT department up for new ones. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Tuesday, December 12, 2006 10:33 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Way OT: Laptop Battery Life Hi - When I travel with my standard issue Dell D600 (1.5GB RAM), I get maybe two hours out of a fully charged battery while doing standard Word, Excel, Outlook stuff. Throw in Visio or (ugh) Quickbooks and cut that time in half. Sometimes, I try to disable services that I know I will not need on the plane (does antivirus really need to autoprotect on the plane?), but I can't tell you that this actually gives me any more battery. Any recommendations for battery-life extending tricks, tools, services to disable, etc? Greatly appreciated as I head across the country for the late December boogie. Thanks. -- nme -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.409 / Virus Database: 268.15.16/582 - Release Date: 12/11/2006
RE: [ActiveDir] Way OT: Laptop Battery Life
Whatever they give me must not be Lithium then. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Tuesday, December 12, 2006 11:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Way OT: Laptop Battery Life Lithium batteries are resilient to the charge/discharge issues associated with earlier batteries. Generally, you want to replace batteries after about 18 months, because that's when depreciation sets in. Sincerely, Deji Akomolafe Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Brian Desmond Sent: Tue 12/12/2006 7:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Way OT: Laptop Battery Life I have this model too. Kill the Wifi and Bluetooth for starters. Wifi is Fn+F2 I think. Next, get a media bay battery from Dell - it can give you several (up to 4) more hours in my experience. I go through batteries pretty quickly - I think I killed the media bay battery (or at met its half life) in about 6 months. A combination of desk work and being mobile does this because of the uneven discharge/charge cycles. You can either be real meticulous about taking care of the batteries or start hitting your IT department up for new ones. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Tuesday, December 12, 2006 10:33 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Way OT: Laptop Battery Life Hi - When I travel with my standard issue Dell D600 (1.5GB RAM), I get maybe two hours out of a fully charged battery while doing standard Word, Excel, Outlook stuff. Throw in Visio or (ugh) Quickbooks and cut that time in half. 
Sometimes, I try to disable services that I know I will not need on the plane (does antivirus really need to autoprotect on the plane?), but I can't tell you that this actually gives me any more battery. Any recommendations for battery-life extending tricks, tools, services to disable, etc? Greatly appreciated as I head across the country for the late December boogie. Thanks. -- nme -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.409 / Virus Database: 268.15.16/582 - Release Date: 12/11/2006
RE: [ActiveDir] running scripts via group policy using alternate accounts
The logon script will run in the context of the user who runs it. My suggestion is that you rethink your process because this sounds like a really crappy plan that you've got. I believe Joe Richards' cpau utility on joeware.net supports some type of encryption of credentials that you could use if you must do this. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anuj Attree Sent: Saturday, December 09, 2006 2:29 AM To: activedir@mail.activedir.org Subject: [ActiveDir] running scripts via group policy using alternate accounts Hi, Is there a way to run user logon scripts via Group Policy using alternate credentials (say domain admins)? I'm putting this question because I want to (for example) install some s/w (yes I can use the s/w installation feature from GPMC, I know) or want to run a command which can be run only by an administrator (say ipconfig /registerdns or something else) through the script, but the user logging in should have administrator privileges to install the s/w etc., which is not the case generally. Please correct me if I'm wrong. -- Regards Anuj Attree
RE: [ActiveDir] Quest Recovery Manager
Heh - funny I received the half off email at the widget company I'm at earlier this week.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, December 09, 2006 6:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Yep, when I was at one large widget company we would really be interested in some product from a given company but the per user or per object licensing costs were so insanely out of the park for an infrastructure type product versus the money available for infrastructure that we could never buy the products... Then every December the main sales guy, we will call him Art to protect the guilty, would come along and take folks out to lunch or dinner or whatever and say it is all half off or more so buy now... Unfortunately, in this company I was in, it was pretty much impossible to purchase anything after Thanksgiving due to the complexity of the buying system and the number of folks who had to sign off on things and the amount of vacation time being taken by people. If it wasn't at a price that was expensable on corporate credit card, it wasn't getting bought at the end of the year. So half off, three quarter off, heck even pennies on the dollar likely wouldn't reduce the pricing enough although everyone wanted it. Silly thing is if the company would simply go to a site based licensing scheme and put a good price on it they would have been selling products to the company 6 years ago and not going through the same dance every year.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, December 06, 2006 7:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

The Quest guys told me the other day they had a lot of leeway on some pricing for one of my clients so I'm wondering if this is the end of the year for the salesmen and they need to make their year this month (if so this is an excellent time to buy Quest software)

Ha! Show me a sales person from ANY software company who doesn't get that wide-eyed, crazed, foaming-at-the-mouth look in his or her eye around quarter-end or year-end and I'll show you a sales person that is about to be fired. It's part of the game. Gotta make quota, esp. at year end, and to do that, you gotta discount! I would think most IT shops are wise to it by now. It's kind of a sick dance we all do :)

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, December 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Yeah. Sit down with your team and figure out what it is you need - must have, would like to have, and nice to have. Then, tell all the vendors you want a little webinar (they love these), and then compare your notes after each/all of them again. Rule out any ones now that don't do the trick. Then go get ready to have it shoved way up your ass when they give you the pricing. Then you can suggest (if they haven't already) that they come discuss it further and plan on a lunch/dinner or two on their dime while you further discuss how expensive their stuff is and what they can do for you to make it more attractive.

The Quest guys told me the other day they had a lot of leeway on some pricing for one of my clients so I'm wondering if this is the end of the year for the salesmen and they need to make their year this month (if so this is an excellent time to buy Quest software).

Now that said, I've worked in a few large shops, and we haven't had any of this frilly fancy shit. It's expensive, I hate the per head/per seat/per whatever pricing, and frankly all I think it does is idiot proof what's already there. Rather than having something do it for you, why don't you learn how it does it, because then you'll be smarter, and you can go get a new better job with your new found talents. That said there is some cool shit from Quest and NetIQ and those guys - I'm into the change control/management stuff in shops where there are too many cooks in the kitchen. Quest's migration stuff is of course great if you can afford it.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Wednesday, December 06, 2006 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

I don't think there are many independent rankings out there. You have to figure that Windows ITPro and SearchWindows are probably the easiest sources to get access to online, but they are influenced by ad dollars sometimes. It is possible that Burton Group and possibly Gartner have done some research But I
RE: [ActiveDir] What is Websence
Websense is software you put on one or more servers to do the filtering of http requests. You can either do it parallel to your firewalls (Pixen and others support passing http requests to a Websense farm in realtime), or I believe you can put them inline as a proxy. If you're doing a large deployment of it there is significant planning involved, FYI.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Thursday, December 07, 2006 6:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What is Websence

Is it a box or software driven web filtering. Please provide some info on this.

--
Thanks,
RD

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommedations?
Well with 40 people you're paying 280 euro a month. Some quick currency conversions tell me that an Exchange server for an org your size would likely set you back between 2300 and 3000 Euro from Dell. 280 goes into 2300 8.2 times - or it will pay for itself in 9 months. If you're already managing AD and other infrastructure, Exchange isn't going to add that much overhead. Create the mailboxes for your users, import the PSTs or whatever they have now, and make sure it's getting backed up and updated (which I'm sure you're already doing with your other servers).

Has the DSL been reliable so far? If so, then I wouldn't worry about it. If not, either get a better DSL provider or find someone to be your MX or backup MX. Regarding bandwidth, ADSL goes to 6mbps these days - what limitations are on your circuit? Outlook 2003 in cached mode doesn't chew that much.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: Wednesday, December 06, 2006 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommedations?

Hi!
Thanks for the prompt reply...

As for hosted solutions, I guess that I don't much care whether the backend is Exchange, SBS or whatever the hosting company chooses to provide ;) From what I've seen (http://www.arsys.es/aplicaciones/correo-exchange.htm, http://www.acens.com/seccion.web/correo/acens-exchange/678 - yes, we are based in Spain - or http://www.mi8.com/ to show that I'm looking elsewhere) basically what you get is a web-based admin panel and a number of accounts that you configure... not too much control but good enough. Of course, I'd love to get recommendations for other providers or to be shown that not all of them are similar ;)

As for the lack of a server for 40+ users, well, that's not really true: We have an AD (2003) domain (basic setup: single forest, single domain, 2 DCs) for the users, it's just that the email is hosted on an external server, to avoid downtime and lessen the administrative load on the network admin (we don't have a full time person for that). Also, we currently have 2 main offices in Spain (connected by DSL) and people working or tele-working in the US, Mexico, Colombia, Germany and the UK (2/3 people in each place at most): I believe that creating the infrastructure (reliability-wise) to serve all those locations in-house would be a tad expensive and (I believe) not really warranted. Of course, I'd love to hear opinions either way...

As for control freak, we have a VPS so we have root on the mail server; as a matter of fact the hardest point for the internal acceptance of a hosted solution would probably be lack of root access on the email server...

I agree with you that to manage that many (ok, those who manage Multi-K domains, please stop laughing) users, AD is a must. And, besides, we develop security software that runs on top of AD, so it'd be a bit odd if we didn't use our own SW ;)

In any case, I really am starting to believe that the simpler thing will be to get the real thing, so the options seem to be:
1) Get an Exchange Server in-house. But that means making sure that our DSL line doesn't go down, and having the bandwidth etc...
2) House a server on some co-lo. The comm. problems disappear, but we still have to babysit the thing...
3) Go for a hosted Exchange provider. I've seen offers in the range of ~7€/mo/user; I believe that for a limited number of users (~30 ATM, possibly up to 40 in the foreseeable future) that makes more sense than doing it all ourselves...

I'd really love to hear your thoughts on the matter, and also if you could comment/recommend any service providers you'd make my life considerably easier ;)

In any case, thanks again for reading this far and bearing with my ramblings.
Happy Christmas to all ;)

Javier Jarava

On 05/12/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
Hosted SBS with Outlook 2003 Office Live http://office.microsoft.com/en-us/outlook/HA100809831033.aspx
Not 2003 without a SBS box on the backend but 2007 uses Office Live to share calendars.
40 people and you don't have a server... wow. The control freak in me is freaking out. We put SBS servers in at 5 to 10 people and even less. Shared calendars pushes the sale of many a SBS box.
I don't know of non MS solutions.

Javier Jarava wrote:
Hi!
Sorry if this question is a bit off-topic to the list, but I've seen some Exchange-related questions here, so I know there is Exchange expertise hanging around ;) and I didn't know where to ask; please feel free to point me to the proper forums (forii?) to ask in.
I am looking for a way to implement shared calendars a la exchange (ie, they have
RE: [ActiveDir] Quest Recovery Manager
Yeah. Sit down with your team and figure out what it is you need - must have, would like to have, and nice to have. Then, tell all the vendors you want a little webinar (they love these), and then compare your notes after each/all of them again. Rule out any ones now that don't do the trick. Then go get ready to have it shoved way up your ass when they give you the pricing. Then you can suggest (if they haven't already) that they come discuss it further and plan on a lunch/dinner or two on their dime while you further discuss how expensive their stuff is and what they can do for you to make it more attractive.

The Quest guys told me the other day they had a lot of leeway on some pricing for one of my clients so I'm wondering if this is the end of the year for the salesmen and they need to make their year this month (if so this is an excellent time to buy Quest software).

Now that said, I've worked in a few large shops, and we haven't had any of this frilly fancy shit. It's expensive, I hate the per head/per seat/per whatever pricing, and frankly all I think it does is idiot proof what's already there. Rather than having something do it for you, why don't you learn how it does it, because then you'll be smarter, and you can go get a new better job with your new found talents. That said there is some cool shit from Quest and NetIQ and those guys - I'm into the change control/management stuff in shops where there are too many cooks in the kitchen. Quest's migration stuff is of course great if you can afford it.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Wednesday, December 06, 2006 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

I don't think there are many independent rankings out there. You have to figure that Windows ITPro and SearchWindows are probably the easiest sources to get access to online, but they are influenced by ad dollars sometimes. It is possible that Burton Group and possibly Gartner have done some research, but I doubt it. I know that Directions on Microsoft hasn't covered it. It is a pretty niche topic.

I think the best way to approach this is to have a good old-fashioned bake off of the technologies. Depending how big a player you are, you can probably get Quest, NetPro, Veritas, and Commvault to step up. I would say that all the technologies are pretty stable at the moment; there isn't a lot of innovation going on anymore, so it is pretty hard to make a mistake choosing one of these products.

Todd

From: Tim Onsomu [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 2:06 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Does anybody know what independent rankings look like for AD DR tools?

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Wed 12/6/2006 9:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

<shameless plug>
NetPro has an AD data recovery product called RestoreADmin that competes very well with the Quest product. It solves the AD object recovery problem nicely. See http://www.netpro.com/products/restoreadmin/index.cfm.
</shameless plug>

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 7:37 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quest Recovery Manager

Todd, thanks for your insight. Good points to think about.

James Masters
Systems Architecture and Engineering
The Kroger Co.
Office: (859) 363-2346
Cell: (859) 653-8644

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Wednesday, December 06, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quest Recovery Manager

Same here... Good stuff. To be fair though, most of the major AD players have these tools now. The thing about the Quest (Aelita) tool was its use of their own APIs to address issues like Domain Local Groups etc. I haven't kept up with the latest versions so I am not sure what direction they have gone since 2003. Latest information I remember was they offered you the option to use the MS API methods for recovery, or their special brew for more advanced recovery options.

Now if you put some extra effort into your query, you might get this thread nice and hot, and generate input from people like Stuart Kwan discussing supportability issues using the various recovery methods, Guido Vladimir discussing in great depth the inherent problems of group recovery, various opinions on how to use isolated sites with rubber chickens, MIIS, ADAM to reanimate deleted objects
RE: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommedations?
So, SBS sounds like the solution to your problem. Have you considered bringing in someone from a good local consulting firm that targets the SMB space and knows how to sell SBS on all levels (technical to exec)? Honestly, almost every SBS deal I've done started out with such and such manager saying in house costs too much. I have a pretty good track record of putting an SBS box (or whatever was appropriate) in that shop after the fact.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

Javier Jarava wrote:
Hi!
Sorry if this question is a bit off-topic to the list, but I've seen some Exchange-related questions here, so I know there is Exchange expertise hanging around ;) and I didn't know where to ask; please feel free to point me to the proper forums (forii?) to ask in.

I am looking for a way to implement shared calendars a la exchange (ie, they have to be visible and used from within Outlook 2003), but without actually using/hosting an Exchange Server ourselves. The idea is that people should be able to see/manage the calendar of the people they manage, so free/busy info is not enough. And the Outlook requisite is a must (as my CEO put it yesterday: I live within Outlook; I don't want to meddle with web apps or the like).

I know that it's a bit odd of a requisite, but we are a small co. (~ 40 employees) and the president feels that having to babysit a server in-house is a bit of a needless burden. At present we host our email / web presence / customer ticketing system in a pair of VPS from Verio, so if the proposed solution could run on top of FreeBSD it'd be a big plus ;)

Of course (now going for the "and ask about the KitchenSink" part ;) if we could put it into place without having to tweak our email setup that'd be wonderful!! We understand that we'd probably have to install some Outlook plugin, so that's OK...

If there is no way to have the Shared Calendar feature as a stand-alone service/server, I guess the next step would be to ask those of you who know Exchange for an Exchange clone that runs on FreeBSD / Unix.

Or last but not least, I guess that there must be hosted Exchange providers out there that you can recommend. That'd mean re-doing our mail system, but I guess that we could live with it, if need be.

Thanks a lot to those of you who have read this far.

Best Regards
Javier Jarava
RE: [ActiveDir] OT: Exchange Design Question
Mark,

In scenario 2 will your SMTP server in the DMZ subnet be part of the Exchange organization? If so the whole DMZ thing isn't really going to get you much if anything. Personally I think DMZs are outdated and not a good model anymore. I would go with option 1.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, December 05, 2006 11:42 AM
To: ActiveDir.org
Subject: [ActiveDir] OT: Exchange Design Question

A friend of mine has asked me to ask the group the following Exchange related question.

An Exchange 2003 environment that has been upgraded from Exchange 2000 needs to have SMTP reconfigured for outbound mail. There are two proposals on the table but they are not sure of the best approach.

1. Exchange Frontend/Backend configuration with both servers on the internal network and an ISA server in the perimeter network publishing internal SMTP to the internet, or in this case messagelabs

or

2. Exchange Frontend/Backend configuration with both servers on the internal network and an SMTP server in the DMZ relaying to messagelabs

Messagelabs host the MX records and cleanse most viruses out of the emails but this may change in the future, though there is no current management thinking to do so.

Given these two scenarios which one would most people choose and if so why?

The environment is approx 2000 users and there are eight sites and the chosen SMTP configuration will be repeated in another site for resilience.

Many thanks as always,

Regards,
Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596
RE: [ActiveDir] OT: Exchange Design Question
Well it's a Juniper NetScreen, probably not a server ... just a firewall. I'd either throw ISA there behind the Juniper or just go with option three and point the NAT on your Juniper straight to the backend.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, December 05, 2006 6:37 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] OT: Exchange Design Question

Thanks for the responses so far - I have also been kicked for not mentioning that there is a Juniper server in the equation to which OWA is published. So OWA goes through the Juniper appliance in another DMZ and does not touch the ISA DMZ.

Still the same responses?

Regards,
Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596

-----Original Message-----
From: Mark Parris [EMAIL PROTECTED]
Date: Tue, 5 Dec 2006 16:41:30
To: ActiveDir.org ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange Design Question

A friend of mine has asked me to ask the group the following Exchange related question.

An Exchange 2003 environment that has been upgraded from Exchange 2000 needs to have SMTP reconfigured for outbound mail. There are two proposals on the table but they are not sure of the best approach.

1. Exchange Frontend/Backend configuration with both servers on the internal network and an ISA server in the perimeter network publishing internal SMTP to the internet, or in this case messagelabs

or

2. Exchange Frontend/Backend configuration with both servers on the internal network and an SMTP server in the DMZ relaying to messagelabs

Messagelabs host the MX records and cleanse most viruses out of the emails but this may change in the future, though there is no current management thinking to do so.

Given these two scenarios which one would most people choose and if so why?

The environment is approx 2000 users and there are eight sites and the chosen SMTP configuration will be repeated in another site for resilience.

Many thanks as always,

Regards,
Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596
RE: [ActiveDir] OT: Vista Activation and KMS
On the VL site there are different MAK and KMS keys... which did you use?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Monday, December 04, 2006 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Vista Activation and KMS

I was testing out the RTM of Vista Enterprise last night and noticed I didn't have to enter a key at any point during the install. When Windows tried to activate, it told me there was a DNS error, so I suspected it looks for a local activation server by default. Sure enough, in the DNS cache was a lookup for a nonexistent _vlmcs._tcp.domain.com. Upon further research, it appears Microsoft has not released KMS yet, and I couldn't find any option to activate directly with Microsoft. For the moment, is telephone activation the only option?

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax
RE: [ActiveDir] Renaming sites
You should be fine, but your example leads me to believe that you should hash out your naming conventions such that they're thoughtful and future-proof and only do this once.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Huber, Rob (HNI Corp)
Sent: Monday, December 04, 2006 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Renaming sites

Does anyone know of any issue with renaming sites? For example, if we change the site called Chicago to ChicagoIL, what issues could arise? I expect that since the GUID is not changed there will not be a problem. How about if we use SMS??
RE: [ActiveDir] Import User Details from a XLS file
Look at csvde.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Haritwal, Dhiraj
Sent: Thursday, November 30, 2006 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Import User Details from a XLS file

Dear All,

How can I import AD Users Details like Department, Telephone No, Location etc... from an XLS file.

Dhiraj Haritwal

This email is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this email is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message.
- This mail is sent via Sony Asia Pacific Mail Gateway.
RE: [ActiveDir] Child domain for external SharePoint users
You need a separate forest to get the effect you want. The Domain gets you nothing more than an OU would.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Group, Russ
Sent: Thursday, November 30, 2006 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Child domain for external SharePoint users

Hi all

We are in the process of creating a SharePoint site that external users (dealers) can access to obtain shipping information. I have the SharePoint server in my LAN with a reverse proxy appliance in the DMZ that the dealers will use to access the SharePoint server. The discussion came up about using a child domain for these dealers to authenticate to the SharePoint server. Is this an accepted practice (create a child domain for the external users)? How safe is this compared to creating a separate OU for the dealers in the parent domain?

Thank you
Russ
RE: [ActiveDir] Split pagefile
You're going to have other issues if you have that little free space on your C drive. My suggestion is that you find something else to clean up or else replace the spindles with larger ones. Yes, it's fine to store the pagefile elsewhere though.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Thursday, November 30, 2006 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Split pagefile

Sorry for the reply to my own post, but this article: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Miscellaneous/EnhancePerformancebyMovingthePagefile.html says I can move the whole thing to a different partition. I'll leave a meg on the C drive just for the dumpfile, which we limit to 64K, in case the system crashes and I can actually figure out how to read the dumpfile. But, really, is it OK to leave absolutely NO pagefile on C:/? We normally leave at least 200Mb on the C: partition when we move the rest to a different drive.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Thursday, November 30, 2006 9:55 AM
To: Exchange Discussions
Subject: Split pagefile

Colleagues,

Is there a best practice for splitting the pagefile on Exchange 2003 across multiple drives? My C drive is up to nearly 9GB used out of 10GB, and I'd like to move off most of the 3GB pagefile to maybe the database drive. We have only 500 users on that system, so performance shouldn't be too much of an issue.

Thanks in advance, folks.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

_
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange
To subscribe: http://e-newsletters.internet.com/discussionlists.html/
To unsubscribe send a blank email to [EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016
Please include the email address which you have been contacted with.
RE: [ActiveDir] dynamic variables within an event log entry?
Michael-

I don't have an AD install or AdFind in front of me, but whencreated=Now-24hr gives you everything in the past 24 hours.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, November 30, 2006 9:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

Tony and Laura,

Thanks for the replies! Actually, I am already trapping eventid 624 and I see the "Caller User Name:" entry with the right value. Where I got confused was when I built a daily job using adfind (with the -owner switch) to produce a list of users created during the previous 24 hours. Laura's #2 answer explains why I see what I do for accounts created by members of the Domain Admins. Her #1 answer is going to make me rethink how we do some of the account creations. Her #3 answer begs the question of how would I construct a query to produce new accounts created over a 24 hour period? Adfind was the first (and maybe only) tool that popped into my head to do this. Other suggestions?

Thanks!
Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 30, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

1. This is one of the eight gazillion reasons to discourage the use of accounts that are Domain Admins for routine purposes that can be achieved without that level of rights.

2. By default, when a member of the Domain Admins group creates an object in the directory, the Domain Admins group becomes the owner of the object. That is by design.

3. When I create an object with an account that is a member of Domain Admins, the creator of the object shows as that account, not as Domain Admins. Why aren't you just looking at that value in the event logs, rather than looking at the ownership of the object? That's why auditing allows tracking of who creates/modifies/deletes directory objects.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, November 30, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables within an event log entry?

I wonder if someone could explain to me (or point me at some reference) what mechanism is used to populate the information in a Windows event log entry. The reason why I ask is that I see in the Security log when a new user account is created by an account which is a member of the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins, not XYZ\adminacct1. If it is created by an account that is a member of the Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not XYZ\Account Operators. This makes auditing somewhat less worthwhile. Is this design on purpose or a deficiency? Any help is appreciated.

Thanks!
Mike Thommes
RE: [ActiveDir] Pointsec software vs. Active Directory
Vincent- I have no idea what Pointsec is or does, perhaps you could share a little bit about this. What are the characteristics of the domain controllers in your test forest? How much memory? Disk config? How big is the DIT?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of De Potter Vincent
Sent: Tuesday, November 28, 2006 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Pointsec software vs. Active Directory

Hi,

My organisation is looking into testing and implementing Pointsec software for encryption purposes for our client environment. I'm responsible for the Directory service and they've asked me to participate. I've set up a development forest and let the Pointsec team loose on that one. I activated some perfmon counters to see the impact on one DC. Regarding LDAP queries it was quite ok (only 1 reference to an expensive one) but I saw some implication on the physical disks of the machine that were hit quite heavily. Also a colleague of mine could remember from his previous company that the roll out of that soft brought some issues along. Do any of you have experience with the implementation of Pointsec and the impact on the directory service (especially the boxes) in a large environment?

Vincent De Potter
Volvo Information Technology
RE: [ActiveDir] Anonymous Access to Virtual Directory or Web Site...
On IIS 6 ensure that Network Service has rights to the content. On IIS5 or IIS6 in IIS5 compatibility mode ensure IUSR_HOSTNAME has access to the content.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, November 28, 2006 8:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Anonymous Access to Virtual Directory or Web Site...

Hi Ravi

Have you checked the NTFS security in addition to the IIS settings? I had a similar problem before and it had to do with the policy settings for User Rights Assignments. Guests had been added to the list of those denied access in the following setting: Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignments - Deny Access to this computer from the network. My problem was resolved by removing Guests from the list.

Tony

-- Original Message --
From: Ravi Dogra [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date: Wed, 29 Nov 2006 06:20:41 +0530

Hi,

I want to configure anonymous access to a virtual directory. But when I try to configure the same it gives me an access denied error, but when I do a mixed auth it asks me for username and password and works fine. But that's what I don't want. I don't want it to ask me for user name and password when opening the page. Please help!!!

RD

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] mailNickName(OT)
Hi Tom,

Glad to hear you've moved on to bigger things. It only gets more fun as the numbers get larger. :)

With regard to your email address question, you can update the recipient policy the RUS uses to automatically stamp everything with [EMAIL PROTECTED] You would set your recipient policy to include [EMAIL PROTECTED] to generate this for each object. Reference Q285136 for more info.

8 people for 110K mailboxes seems like a lot to me, but that's just me.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, November 23, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] mailNickName(OT)

I ask because the reason mailNickName is in firstname.lastname format is due to a dirsync process that runs once a day and reads that attribute to do an address rewrite. When a mailbox enabled user is created, the RUS stamps it with an [EMAIL PROTECTED]. Later, the dirsync process adds [EMAIL PROTECTED], so when mail goes out, sendmail rewrites the RHS portion of the smtp addy. If mailNickName is sAMAccountName, it doesn't work.

Sometimes during the provisioning process, the LAN access guys forget to set this attribute to that value, so the exchange team was looking for a way to automatically generate the value in the correct format, kinda like displayName.

I just started here about 2 months ago, so I'm not completely sure how the process works and I'm trying not to annoy everyone with too many questions. This is the first truly large corp I've ever worked for. Before I was the AD/Exchange guy for a 3500 user financial firm. Now I'm on an 8 member Exchange team for a 110,000 user bank that you've all heard of and I guess I'm trying to wrap my head around how an org this size works... I'm actually kinda surprised no one on the exchange team knows how to script or is very knowledgeable about AD. Then again the AD team doesn't seem that knowledgeable about AD.
They just migrated from EX 5.5 to EX2K3 when I started, so I guess they are trying to get up to speed with Exchange. I only made the MS comment because a corp this large seems to have a lot of resources at MS and I saw that someone from MS did their EX2K3 design doc. I'm not under the illusion that just because someone is from MS that they know what they are doing, but I guess I have illusions about companies this size and that they would somehow get the better support from MS and other vendors.

Thanks for your responses and help.

On 11/22/06, Al Mulnick [EMAIL PROTECTED] wrote:

I think I see the reason that it hasn't been as big a problem as it could be. The id is not yet everywhere. You will run into those collisions. Statistically (note, I'm not a statistician, but I sometimes play one on the internet) your numbers are just too large not to. When you hook in MIIS, you'll start to see a lot of john smith's and you'll have to map them and come up with rules to automatically resolve those if possible. I dunno though, you may be an organization that enjoys manual processes.

Even for first.lastname for smtp addresses I'm reasonably sure there's either a really strong nepotism policy in your organization or you've got some *process* that allows for making those unique. I've worked in much smaller shops that had such policies (sadly, no strong nepotism rule, but that's another story altogether.)

I second what joe says about not taking their word for anything. I'll go so far as to qualify that and say that the best answer you should get from a consultant or on-site resource is "it depends". What that really means is that depending on the information available, your current best practice as it was intended is to do x. I can't begin to tell you how many things that started from the product teams as "the product only does this" later end up as "for the love of [insert your favorite deity here] don't do this!!!" Think clustering and you'll know what I'm talking about.
Every bit of it depends. But Microsoft developers need more parameters than "it depends", so they come up with scenarios. And they narrow those down out of necessity. If you fit in that scenario, your stuff is a tested scenario. If not, it's something they may have thought of but didn't think enough customers would use and so didn't spend time testing thoroughly - aka if it works, it was meant to do that. If it does not, what the ^%$# were you thinking? Don't you read that (often non-existent) documentation that explicitly says not to do that? Or didn't you know that it wouldn't work like that? I mean, it's common sense right?

Anyhow, I always remember two things about consultants - without common understanding, there can be no common sense (I ripped that off in case you wonder) and everything should be explicitly written down. When in doubt ask for the project notes and verify that the information you're working off
RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system
Yeah. I suspect you'll bottleneck on disk and memory before you do on CPU, so 1 quad will get you more than enough, as would I suspect 1 dual.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Thursday, November 23, 2006 4:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system

I am not sure if I interpreted you correctly. After reading your reply again I now think you would go with the single quad because even with one quad, cpu resources would not be an issue.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor W.
Sent: Thursday, 23 November 2006 0:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system

You mean that it is in fact overkill. I have thought about this and I know that it probably is. 2 Dual Cores will probably be overkill as well. Both options probably being overkill, with one quad we at least have the option to add another one later in case this may be necessary, and one quad will be cheaper than 2 Duals.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, 22 November 2006 19:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system

A pair of quad cores is a lot of horsepower for testing. I suspect you will run out of disk i/o perf and memory long before you encounter the need for a second quad core chip given the scenarios you've described.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 22, 2006 8:55 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system

I posted this on the VMWARE forum as well but I am very interested in the opinion of the people who post to this list and there must be some people with hands on experience with ESX and DC's and Exchange 2007 running on VM's on top of ESX 3.0.1.

I am interested in the following: We will be buying a Dell PowerEdge 2900 with either 1 Quad Core processor at 2,33 GHz or 2 Dual Core processors at 2,33 GHz. We will be using this machine in a test lab only and will be testing mainly Exchange 2007 and simulating AD issues. We would like to deploy ESX 3.0.1 (or the newest version) with several Exchange 2007 VM's and several W2K3 R2 Domain Controller VM's on it. We are hesitating between the following configurations, both DELL 2900's. We will unfortunately only be buying one system so we definitely need to make the right choice. As I said we want to buy a system with either 2 Dual Cores or 1 Quad Core, see here under:

- 1 Quad Core 2.33 GHz Processor, Xeon 5345
- 2 Dual Core 2.33 GHz Processors, Xeon 5140

Both systems will have 8 GB of 667 MHz RAM to start with. We have contacted Dell and we were told that the 5345 Xeon will be available in January at the latest. We don't really care about the price at this moment. The first thing that comes to mind when making a choice, to me, is the fact that if one Quad would not be enough, we could always plug in another one :-) at a later time. Any suggestions are greatly appreciated.
RE: [ActiveDir] mailNickName(OT)
I don't understand your issue, then. Can you rehash it for me and I'll make a second attempt?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, November 23, 2006 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] mailNickName(OT)

Hey, thanks Brian. I really appreciate that. I know you can do that with the RUS and I'm sure they know, but they don't. It could have something to do with sharing the external domain with Exchange, Lotus, and funmail, but I'm not totally sure. Thanks!! Happy Thanksgiving, btw.

On 11/23/06, Brian Desmond [EMAIL PROTECTED] wrote:

Hi Tom,

Glad to hear you've moved on to bigger things. It only gets more fun as the numbers get larger. :)

With regard to your email address question, you can update the recipient policy the RUS uses to automatically stamp everything with [EMAIL PROTECTED] You would set your recipient policy to include [EMAIL PROTECTED] to generate this for each object. Reference Q285136 for more info.

8 people for 110K mailboxes seems like a lot to me, but that's just me.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, November 23, 2006 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] mailNickName(OT)

I ask because the reason mailNickName is in firstname.lastname format is due to a dirsync process that runs once a day and reads that attribute to do an address rewrite. When a mailbox enabled user is created, the RUS stamps it with an [EMAIL PROTECTED]. Later, the dirsync process adds [EMAIL PROTECTED], so when mail goes out, sendmail rewrites the RHS portion of the smtp addy. If mailNickName is sAMAccountName, it doesn't work.
RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system
A pair of quad cores is a lot of horsepower for testing. I suspect you will run out of disk i/o perf and memory long before you encounter the need for a second quad core chip given the scenarios you've described.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 22, 2006 8:55 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system

I posted this on the VMWARE forum as well but I am very interested in the opinion of the people who post to this list and there must be some people with hands on experience with ESX and DC's and Exchange 2007 running on VM's on top of ESX 3.0.1.

I am interested in the following: We will be buying a Dell PowerEdge 2900 with either 1 Quad Core processor at 2,33 GHz or 2 Dual Core processors at 2,33 GHz. We will be using this machine in a test lab only and will be testing mainly Exchange 2007 and simulating AD issues. We would like to deploy ESX 3.0.1 (or the newest version) with several Exchange 2007 VM's and several W2K3 R2 Domain Controller VM's on it. We are hesitating between the following configurations, both DELL 2900's. We will unfortunately only be buying one system so we definitely need to make the right choice. As I said we want to buy a system with either 2 Dual Cores or 1 Quad Core, see here under:

- 1 Quad Core 2.33 GHz Processor, Xeon 5345
- 2 Dual Core 2.33 GHz Processors, Xeon 5140

Both systems will have 8 GB of 667 MHz RAM to start with. We have contacted Dell and we were told that the 5345 Xeon will be available in January at the latest. We don't really care about the price at this moment. The first thing that comes to mind when making a choice, to me, is the fact that if one Quad would not be enough, we could always plug in another one :-) at a later time. Any suggestions are greatly appreciated.
RE: [ActiveDir] [ActiveDIR] OT: Windows 2003 Forest Functional Level 2 while running Exchange 2000
Tim- There is a hotfix for this, I think for Exchange. The issue is that the Exchange 2000 RUS doesn't sense changes when Linked Value Replication is happening. The easiest solution is to introduce an Exchange 2003 server to run your RUS.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mischler, Timothy J CTR USAF NASIC/SCNA
Sent: Wednesday, November 22, 2006 11:27 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] [ActiveDIR] OT: Windows 2003 Forest Functional Level 2 while running Exchange 2000

Hello,

I was wondering if anyone had any experience with changing their Windows 2003 Forest Functional Level to 2 (Windows Server forest level) while running Exchange 2000 (post SP3)? I've found some documentation stating the Exchange 2000 recipient update service does not replicate changes successfully in forest functional level 2 in a 2003 Active Directory. From what I've read the best practice is to leave the Forest Functional Level on 0 (mixed level forest) until the Exchange 2000 server has been migrated to Exchange 2003. Any input is much appreciated.

Tim
RE: [ActiveDir] AD Replication Problem
I would wipe INSIDADC52 and do a metadata cleanup removing it from the domain and then rebuild/repromote it. That will be the easiest route.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Haritwal, Dhiraj
Sent: Saturday, November 18, 2006 9:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Replication Problem

Dear All,

I am facing some problem in AD Replication. I'm sending you the dcdiag logs. Kindly help me to get rid of this problem.

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: AP-IN-KOL\INSIDADC52
      Starting test: Connectivity
         . INSIDADC52 passed test Connectivity

Doing primary tests

   Testing server: AP-IN-KOL\INSIDADC52
      Starting test: Replications
         [INSIDADC50] DsBindWithSpnEx() failed with error -2146893022, The target principal name is incorrect..
         REPLICATION-RECEIVED LATENCY WARNING
         INSIDADC52: Current time is 2006-11-18 20:17:07.
            CN=Schema,CN=Configuration,DC=sony,DC=com
               Last replication recieved from HKSIHADC03 at 2006-07-14 15:28:03.
               WARNING: This latency is over the Tombstone Lifetime of 60 days!
         . INSIDADC52 passed test Replications
      Starting test: NCSecDesc
         [INSIDADC52] LDAP bind failed with error 8341, A directory service error has occurred..
         . INSIDADC52 failed test NCSecDesc
      Starting test: NetLogons
         . INSIDADC52 passed test NetLogons
      Starting test: Advertising
         . INSIDADC52 passed test Advertising
      Starting test: KnowsOfRoleHolders
         [USBMAGDC03] DsBindWithSpnEx() failed with error 5, Access is denied..
         Warning: USBMAGDC03 is the Schema Owner, but is not responding to DS RPC Bind.
         [USBMAGDC03] LDAP bind failed with error 1323, Unable to update the password. The value provided as the current password is incorrect..
         Warning: USBMAGDC03 is the Schema Owner, but is not responding to LDAP Bind.
         Warning: USBMAGDC03 is the Domain Owner, but is not responding to DS RPC Bind.
         Warning: USBMAGDC03 is the Domain Owner, but is not responding to LDAP Bind.
         [SGAPADC04] DsBindWithSpnEx() failed with error -2146893022, The target principal name is incorrect..
         Warning: SGAPADC04 is the PDC Owner, but is not responding to DS RPC Bind.
         [SGAPADC04] LDAP bind failed with error 8341, A directory service error has occurred..
         Warning: SGAPADC04 is the PDC Owner, but is not responding to LDAP Bind.
         Warning: SGAPADC04 is the Rid Owner, but is not responding to DS RPC Bind.
         Warning: SGAPADC04 is the Rid Owner, but is not responding to LDAP Bind.
         [SGSINSISSAPIPS3] DsBindWithSpnEx() failed with error -2146893022, The target principal name is incorrect..
         Warning: SGSINSISSAPIPS3 is the Infrastructure Update Owner, but is not responding to DS RPC Bind.
         [SGSINSISSAPIPS3] LDAP bind failed with error 8341, A directory service error has occurred..
         Warning: SGSINSISSAPIPS3 is the Infrastructure Update Owner, but is not responding to LDAP Bind.
         . INSIDADC52 failed test KnowsOfRoleHolders
      Starting test: RidManager
         . INSIDADC52 failed test RidManager
      Starting test: MachineAccount
         . INSIDADC52 passed test MachineAccount
      Starting test: Services
         . INSIDADC52 passed test Services
      Starting test: ObjectsReplicated
         . INSIDADC52 passed test ObjectsReplicated
      Starting test: frssysvol
         . INSIDADC52 passed test frssysvol
      Starting test: frsevent
         . INSIDADC52 passed test frsevent
      Starting test: kccevent
         An Warning Event occured. EventID: 0x8785
            Time Generated: 11/18/2006 20:03:00
            Event String: The attempt to establish a replication link for
         An Warning Event occured. EventID: 0x8785
            Time Generated: 11/18/2006 20:03:09
            Event String: The attempt to establish a replication link for
         An Warning Event occured. EventID: 0x8786
            Time Generated: 11/18/2006 20:03:10
            Event String: The attempt to establish a replication link to a
         An Warning Event occured. EventID: 0x8786
            Time Generated: 11/18/2006 20:03:12
            Event String: The attempt to establish a replication link to a
         An Warning Event occured.
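A way to triage a transcript like Dhiraj's before deciding on Brian's wipe-and-repromote route, as an added example (mine, not dcdiag's or the list's code): it extracts failed tests and bind errors, computes each partner's replication age against the tombstone lifetime dcdiag reports, and flags the past-tombstone case. The transcript in the block is a constructed excerpt modelled on the one posted above.

```python
"""Triage a dcdiag transcript: failed tests, bind errors, stale replication partners.

Added example, not from the thread. dcdiag prints the "Last replication received"
time per naming context and the tombstone lifetime it checked against; a partner
whose last inbound replication is older than that lifetime is the situation Brian
answers with "wipe, metadata cleanup, rebuild/repromote". SAMPLE_DCDIAG is a
constructed excerpt modelled on the posted output.
"""
import re
from datetime import datetime

TEST_RESULT = re.compile(r"\.{3,}\s+(\S+) (passed|failed) test (\S+)")
BIND_ERROR = re.compile(
    r"\[(\S+)\] (DsBindWithSpnEx\(\)|LDAP bind) failed with error (-?\d+),\s+(.+?)\.\.",
    re.DOTALL)
CURRENT_TIME = re.compile(r"Current time is (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# dcdiag itself spells it "recieved"; accept either spelling.
LAST_RECEIVED = re.compile(
    r"Last replication rec(?:ie|ei)ved from (\S+) at (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
TOMBSTONE = re.compile(r"Tombstone Lifetime of (\d+) days")
TS = "%Y-%m-%d %H:%M:%S"

# Codes seen in the posted output. dcdiag prints HRESULTs as signed 32-bit decimals:
# -2146893022 is 0x80090322, SEC_E_WRONG_PRINCIPAL.
ERROR_NAMES = {
    5: "ERROR_ACCESS_DENIED",
    1323: "ERROR_WRONG_PASSWORD",
    8341: "ERROR_DS_GENERIC_ERROR",
    -2146893022: "SEC_E_WRONG_PRINCIPAL",
}


def analyze_dcdiag(text, default_tombstone_days=60):
    """Summarise a dcdiag transcript: failed tests, bind errors, stale partners, advice."""
    failed = [test for _, result, test in TEST_RESULT.findall(text) if result == "failed"]
    errors = [{"server": srv, "api": api, "code": int(code),
               "name": ERROR_NAMES.get(int(code), "unknown"),
               "message": " ".join(msg.split())}
              for srv, api, code, msg in BIND_ERROR.findall(text)]
    m = CURRENT_TIME.search(text)
    now = datetime.strptime(m.group(1), TS) if m else None
    m = TOMBSTONE.search(text)
    tombstone_days = int(m.group(1)) if m else default_tombstone_days
    stale = []
    for partner, when in LAST_RECEIVED.findall(text):
        if now is not None:
            age = (now - datetime.strptime(when, TS)).days
            if age > tombstone_days:
                stale.append((partner, age))
    if stale:
        advice = ("inbound replication older than the tombstone lifetime: wipe the DC, "
                  "run metadata cleanup for it, rebuild and repromote (Brian's advice above)")
    elif errors:
        advice = "bind errors only: fix the RPC/LDAP bind failures, then re-run dcdiag"
    else:
        advice = "no replication problems found"
    return {"failed_tests": failed, "errors": errors, "stale_partners": stale,
            "tombstone_days": tombstone_days, "advice": advice}


# Constructed excerpt (server names and times as in the thread, layout as dcdiag prints it).
SAMPLE_DCDIAG = """\
Domain Controller Diagnosis

Doing primary tests

   Testing server: AP-IN-KOL\\INSIDADC52
      Starting test: Replications
         [INSIDADC50] DsBindWithSpnEx() failed with error -2146893022,
         The target principal name is incorrect..
         REPLICATION-RECEIVED LATENCY WARNING
         INSI DADC52:  Current time is 2006-11-18 20:17:07.
            CN=Schema,CN=Configuration,DC=sony,DC=com
               Last replication recieved from HKSIHADC03 at 2006-07-14 15:28:03.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!
         ......................... INSIDADC52 passed test Replications
      Starting test: NCSecDesc
         [INSIDADC52] LDAP bind failed with error 8341,
         A directory service error has occurred..
         ......................... INSIDADC52 failed test NCSecDesc
      Starting test: KnowsOfRoleHolders
         [USBMAGDC03] DsBindWithSpnEx() failed with error 5,
         Access is denied..
         Warning: USBMAGDC03 is the Schema Owner, but is not responding to DS RPC Bind.
         ......................... INSIDADC52 failed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... INSIDADC52 failed test RidManager
"""

if __name__ == "__main__":
    report = analyze_dcdiag(SAMPLE_DCDIAG)
    for key, value in report.items():
        print(f"{key}: {value}")
```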
RE: [ActiveDir] Domain and Subdomain. Duplicating accounts
What Laura said, plus - why do you have two domains for this scenario? I know nothing about your environment, but my instinct says that you don't need them.

Thanks,
Brian

From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Thu 11/16/2006 7:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain and Subdomain. Duplicating accounts

Besides significantly increasing the likelihood of people logging onto the wrong domain and generating support calls along the lines of "where's my stuff?" Not really. AD accommodates the same name in multiple domains, as long as the UPNs are different (which they are, or account creation would have failed). Why doesn't the other SA just let people use their regular accounts?

Laura

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, November 16, 2006 4:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain and Subdomain. Duplicating accounts

Hi,

The company I work for has 2 offices in 2 different states. The main office is domain.com and the other office is a subdomain (sub.domain.com). Our users sometimes go to the other office (sub.domain.com) to work for a week or so. I just found out that the other SA has been creating accounts for my users in the subdomain. So now I have the same user in the domain and subdomain; besides being a stupid way of doing things, is there any technical issue this could create?

Thanks
Rezuma
RE: [ActiveDir] AD Audit/Compliance Tool
Probably could get some of this out of a Quest Reporter type tool. Personally I'd just write a bunch of small .net apps (or use adfind if appropriate) that pump out csv files. Then I import them into a SQL database and make my queries and voila.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Merry, Joel (US - Philadelphia)
Sent: Tuesday, November 14, 2006 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Audit/Compliance Tool

Hi All ...

I'm looking for a tool that will query all of the domains in a single forest and show me expired accounts, accounts with passwords older than xx days, duplicate accounts (accounts with the same samaccountname in different domains), accounts with primary SMTP address of something other than @domain.com, @domain1.com, @domain2.com, etc. I'm scripting most of it now, but it's a pain. Any suggestions?

Thanks,
Joel
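The dump-to-CSV, load-into-SQL, query approach Brian describes, applied to Joel's four checks, as an added example (mine, not the list's or Quest's code). SQLite stands in for SQL Server, and the CSV is a constructed dump from two domains; the FILETIME sentinels and the upper-case SMTP: convention for the primary address are how AD and Exchange store those attributes.

```python
"""Forest account audit: dump attributes to CSV, load into SQL, then query.

Added example, not from the thread. accountExpires and pwdLastSet are FILETIME
integers (100-ns ticks since 1601-01-01 UTC); accountExpires of 0 or 2^63-1 means
"never expires", pwdLastSet of 0 means never set / must change at next logon. The
primary SMTP address is the proxyAddresses entry tagged upper-case "SMTP:".
"""
import csv
import io
import sqlite3
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = {0, 9223372036854775807}
ALLOWED_SMTP_DOMAINS = ("domain.com", "domain1.com", "domain2.com")   # from Joel's question


def filetime_to_datetime(ft):
    """AD FILETIME integer -> aware UTC datetime, or None for the 'never' sentinels."""
    return None if ft in NEVER else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def primary_smtp(proxy_addresses):
    """Lower-cased primary SMTP address from a ';'-joined proxyAddresses value."""
    for entry in proxy_addresses.split(";"):
        if entry.startswith("SMTP:"):
            return entry[5:].lower()
    return None


# Constructed sample dump (not real accounts); FILETIMEs chosen relative to NOW below.
SAMPLE_CSV = """\
domain,sAMAccountName,accountExpires,pwdLastSet,proxyAddresses
corp.example,jdoe,9223372036854775807,128070720000000000,SMTP:jdoe@domain.com;smtp:john.doe@domain1.com
corp.example,asmith,0,127992960000000000,SMTP:asmith@domain.com
emea.corp.example,asmith,9223372036854775807,128070720000000000,SMTP:asmith@example.net
corp.example,temp1,128041344000000000,128070720000000000,SMTP:temp1@domain2.com
emea.corp.example,svc_backup,0,0,
"""
NOW = datetime(2006, 11, 14, 12, 0, tzinfo=timezone.utc)   # constructed reference time


def load_dump(csv_text):
    """Import the CSV into an in-memory table, converting FILETIMEs to ISO-8601 text
    so SQL can compare them as strings (all UTC, fixed format)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE accounts (
        domain TEXT, sam TEXT, expires TEXT, pwd_last_set TEXT,
        pwd_never_set INTEGER, primary_smtp TEXT, smtp_domain TEXT)""")
    for row in csv.DictReader(io.StringIO(csv_text)):
        expires = filetime_to_datetime(int(row["accountExpires"]))
        pls = filetime_to_datetime(int(row["pwdLastSet"]))
        smtp = primary_smtp(row["proxyAddresses"])
        conn.execute("INSERT INTO accounts VALUES (?,?,?,?,?,?,?)", (
            row["domain"], row["sAMAccountName"],
            expires.isoformat() if expires else None,
            pls.isoformat() if pls else None,
            0 if pls else 1,
            smtp, smtp.rsplit("@", 1)[1] if smtp else None))
    conn.commit()
    return conn


def expired_accounts(conn, now=NOW):
    return [f"{d}\\{s}" for d, s in conn.execute(
        "SELECT domain, sam FROM accounts WHERE expires IS NOT NULL AND expires < ? "
        "ORDER BY domain, sam", (now.isoformat(),))]


def stale_passwords(conn, max_age_days=90, now=NOW):
    cutoff = (now - timedelta(days=max_age_days)).isoformat()
    return [f"{d}\\{s}" for d, s in conn.execute(
        "SELECT domain, sam FROM accounts WHERE pwd_never_set = 1 OR pwd_last_set < ? "
        "ORDER BY domain, sam", (cutoff,))]


def duplicate_sams(conn):
    """sAMAccountNames present in more than one domain, with the domain count."""
    return dict(conn.execute(
        "SELECT sam, COUNT(DISTINCT domain) FROM accounts "
        "GROUP BY sam HAVING COUNT(DISTINCT domain) > 1"))


def foreign_primary_smtp(conn, allowed=ALLOWED_SMTP_DOMAINS):
    marks = ",".join("?" * len(allowed))
    return [(f"{d}\\{s}", a) for d, s, a in conn.execute(
        "SELECT domain, sam, primary_smtp FROM accounts WHERE primary_smtp IS NOT NULL "
        f"AND smtp_domain NOT IN ({marks}) ORDER BY domain, sam", allowed)]


if __name__ == "__main__":
    db = load_dump(SAMPLE_CSV)
    print("expired:", expired_accounts(db))
    print("stale passwords:", stale_passwords(db))
    print("duplicate sAMAccountNames:", duplicate_sams(db))
    print("foreign primary SMTP:", foreign_primary_smtp(db))
```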
RE: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy!
I think MS may have signed them all. Dunno if that increases size.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Javier Jarava
Sent: Monday, November 13, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: new ms-Sysinternals utils: .exe size gone up like crazy!

Hi!

Just a quick question to the list, to see what the honorable members (tm) think. I have just d/l some of the updated sysinternals tools from MS (filemon, regmon, autoruns and pstools to be precise), and I have noticed that most if not all the utils have grown in size A LOT. As an example, this is the change I see from pstools v2.34 and v2.4:

Archive: SYSINTERNALS PsTools v2.34 -20060710- PsTools.zip
  Length  Date      Time   Name
  122880  20/03/06  16:19  psshutdown.exe
   94208  02/08/05  11:14  pskill.exe
   65536  30/03/06  10:05  psloglist.exe
   49152  27/03/06  13:07  psloggedon.exe
  106496  21/07/05  10:22  psgetsid.exe
  146704  26/07/00  12:00  pdh.dll
   57344  06/04/06  14:52  psservice.exe
   53248  30/12/05  03:15  psfile.exe
  135168  11/07/06  09:00  psexec.exe
   63786  08/07/06  11:10  Pstools.chm
  135168  13/12/05  09:51  Psinfo.exe
  106496  07/11/03  14:42  pssuspend.exe
   86016  01/12/04  17:27  pslist.exe
   57344  16/05/04  08:36  pspasswd.exe
    1969  11/02/06  09:22  Eula.txt
      39  10/07/06  13:58  version.txt
 -------                   -------
 1281554                   16 files

Archive: SYSINTERNALS PsTools v2.4 -20061101- PsTools.zip
  Length  Date      Time   Name
  412472  01/11/06  13:07  psexec.exe
  166712  01/11/06  13:06  psfile.exe
  322360  01/11/06  13:07  psgetsid.exe
  428856  01/11/06  13:07  Psinfo.exe
  318264  01/11/06  13:07  pskill.exe
  191288  01/11/06  13:06  pslist.exe
  162616  01/11/06  13:06  psloggedon.exe
  187192  01/11/06  13:06  psloglist.exe
  170808  01/11/06  13:06  pspasswd.exe
  179000  01/11/06  13:06  psservice.exe
  404280  01/11/06  13:07  psshutdown.exe
  375608  01/11/06  13:07  pssuspend.exe
   63786  08/07/06  11:10  Pstools.chm
      38  15/10/06  16:32  psversion.txt
  153672  01/11/06  13:05  pdh.dll
    7005  28/07/06  08:32  Eula.txt
 -------                   -------
 3543957                   16 files

Just wondering out loud what is the reason for the size change. Different compiler, maybe?

Thanks a lot for your time in reading thus far.

Javier Jarava
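One way to test Brian's guess on the files themselves, as an added example (mine, not Sysinternals' or the list's code): a signed PE carries a PKCS#7 blob in an Attribute Certificate Table pointed to by data directory entry 4, so reading that entry shows whether a binary is signed and how many bytes the signature accounts for. build_sample_pe() constructs a minimal, non-executable PE32 image as sample input; the blob it embeds is a constructed stand-in, not a real signature.

```python
"""Check whether a PE file carries an embedded Authenticode signature and how many
bytes that table adds.

Added example, not from the thread. The certificate table lives after the last
section and is referenced from IMAGE_DIRECTORY_ENTRY_SECURITY (index 4) of the
optional header's data directories; the entry holds a raw file offset, not an RVA.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def certificate_table(pe):
    """Return (file_offset, size) of the certificate table, or None if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    dir_start = {0x10B: 96, 0x20B: 112}.get(magic)   # PE32 / PE32+ data directory offset
    if dir_start is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry = opt + dir_start + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if entry + 8 > opt + size_of_optional:
        return None            # optional header too short to carry that entry
    offset, size = struct.unpack_from("<II", pe, entry)
    return (offset, size) if size else None


def signature_info(pe):
    """Parse the WIN_CERTIFICATE header of a signed PE; None for an unsigned one.
    The bCertificate body (PKCS#7 SignedData) is sized here, not decoded."""
    table = certificate_table(pe)
    if table is None:
        return None
    offset, size = table
    length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    return {"table_offset": offset, "table_size": size, "length": length,
            "revision": revision, "type": cert_type, "pkcs7_size": length - 8}


def build_sample_pe(signature_blob=b""):
    """Constructed sample: DOS header, COFF header, PE32 optional header with 16 data
    directories, one empty section and, optionally, an appended WIN_CERTIFICATE
    wrapping `signature_blob` (a stand-in for real PKCS#7 data)."""
    e_lfanew, opt_size, size_of_headers = 0x40, 96 + 16 * 8, 0x200
    section = bytes(0x200)
    cert_offset, cert_size, length = size_of_headers + len(section), 0, 0
    if signature_blob:
        length = 8 + len(signature_blob)
        cert_size = (length + 7) & ~7          # table entries are 8-byte aligned
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic: PE32
    struct.pack_into("<I", opt, 60, size_of_headers)   # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, cert_offset, cert_size)
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section), 0x1000, len(section), size_of_headers, 0, 0, 0, 0, 0x60000020)
    image = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(size_of_headers, b"\0") + section
    if signature_blob:
        win_cert = struct.pack("<IHH", length, WIN_CERT_REVISION_2_0,
                               WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature_blob
        image += win_cert.ljust(cert_size, b"\0")
    return image


if __name__ == "__main__":
    plain = build_sample_pe()
    signed = build_sample_pe(b"\x30\x82\x01\x00" + bytes(20))   # constructed stand-in blob
    print("unsigned:", signature_info(plain))
    print("signed:", signature_info(signed), "extra bytes:", len(signed) - len(plain))
```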
RE: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?
WSH hosts VBScripts, JScripts, other scripting languages. You can do some other stuff with it to package scripts and what have you, but, by and large you just want to pick up VBScript. The 2nd Edition of the Active Directory Cookbook has a ton of examples that you can likely benefit from as well.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett
Sent: Thursday, November 09, 2006 10:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?

Hello everyone. After reading through a lot of the posts on this mailing list, I realize I could make my job easier if I knew how to script. I have no experience in scripting, but would like to know what books you recommend as a beginner's book on scripting? Also, I don't really know the difference between WSH and VBScript, so if anyone could explain that, I'd appreciate it. After browsing through Amazon, I saw several books on WSH and VBScript, but don't know where I should focus. I'm also open to computer based training (CBT) videos if any exist. Thanks in advance.
RE: [ActiveDir] mailbox enumeration(OT)
I can think of a couple ways- You can modify the script here to just count: http://briandesmond.com/blog/archive/2006/09/04/Script-to-Dump-Exchange-Mailbox-Info-to-Spreadsheet-_2800_CSV_2900_.aspx You can also query the config partition, specifically cn=microsoft exchange,cn=services,cn=configuration,dc=blah,dc=blech for whatever the class is for the mailstores, I think msExchPrivateStore or something similar. Then just iterate each of those and search AD for homeMDB=DnOfThat. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, November 09, 2006 8:58 PM To: activedirectory Subject: [ActiveDir] mailbox enumeration(OT) Can anyone help me out with a script that will just query every exchange server and SG in the org and dump out the # of mailboxes on each store to a txt file? The output is simple, just EX servername-SGname-store-# of mailboxes. I can get the size of a mailbox or store but I can't seem to just query for # of mailboxes on a store and dump that to a text file. Any example or suggestion would be appreciated. Thanks
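The second approach Brian describes, as an added PowerShell example that is not from the thread: enumerate the mailbox-store objects under the Exchange services container of the configuration partition, then count the users whose homeMDB is each store's DN. It assumes the store object class is msExchPrivateMDB (the post says "msExchPrivateStore or something similar"), that it runs on a domain-joined machine as a user who can read the configuration partition, and that C:\mailboxcount.txt is the wanted output file.

```powershell
# Added example (not from the list thread). Assumptions: store objectClass is
# msExchPrivateMDB, run from a domain-joined box, output file C:\mailboxcount.txt.

function ConvertTo-LdapFilterValue([string]$value) {
    # RFC 4515 escaping. A store DN such as "CN=Mailbox Store (EXCH01),..." contains
    # parentheses that would otherwise terminate the (homeMDB=...) filter early.
    # Backslash is escaped first so the escapes added afterwards are not re-escaped.
    $value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-MailboxCountPerStore {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    # homeMDB is replicated to the global catalog, so one GC search covers mailbox
    # users in every domain of the forest instead of only the local domain.
    $userRoot = [ADSI]("GC://" + [string]$rootDse.rootDomainNamingContext)

    $storeSearch = New-Object System.DirectoryServices.DirectorySearcher
    $storeSearch.SearchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNc"
    $storeSearch.Filter     = "(objectClass=msExchPrivateMDB)"
    $storeSearch.PageSize   = 1000
    [void]$storeSearch.PropertiesToLoad.Add("distinguishedName")

    foreach ($store in $storeSearch.FindAll()) {
        $storeDn = [string]$store.Properties["distinguishedname"][0]
        # Store DN layout: CN=<store>,CN=<storage group>,CN=InformationStore,CN=<server>,CN=Servers,...
        # Split on commas that are not escaped with a backslash, then drop the "CN=" prefixes.
        $rdn = ($storeDn -split '(?<!\\),') | ForEach-Object { $_ -replace '^CN=', '' }

        $mbxSearch = New-Object System.DirectoryServices.DirectorySearcher($userRoot)
        $mbxSearch.Filter   = "(&(objectCategory=person)(homeMDB=$(ConvertTo-LdapFilterValue $storeDn)))"
        $mbxSearch.PageSize = 1000   # without paging a store with more than 1000 mailboxes is under-counted
        [void]$mbxSearch.PropertiesToLoad.Add("distinguishedName")

        New-Object PSObject -Property @{
            Server       = $rdn[3]
            StorageGroup = $rdn[1]
            Store        = $rdn[0]
            Mailboxes    = $mbxSearch.FindAll().Count
        }
    }
}

# One line per store in the "server-SG-store-count" shape asked for in the thread.
Get-MailboxCountPerStore |
    ForEach-Object { "{0}-{1}-{2}-{3}" -f $_.Server, $_.StorageGroup, $_.Store, $_.Mailboxes } |
    Out-File -FilePath C:\mailboxcount.txt -Encoding ASCII
```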
RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next
I'd use ADMT; at a minimum you'll want to run the security translation wizard if you don't use the move computer wizard. MSSQL will require some manual work. I have no idea about Citrix. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny Sent: Tuesday, November 07, 2006 12:24 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next Thanks to advice from the ActiveDir community (this mailing list) and Microsoft's ADMT and ExMerge, we have successfully completed an interforest migration - of users, computers, and mailboxes. Next up: the servers, 12 of them. Two DC's, the rest are made up of file, print, Exchange, MS SQL (integrated auth), Citrix, and backup. The source forest will no longer be necessary in a few weeks. Would you recommend using ADMT for the servers as well? I know that the DC's and Exchange server will be done manually. Thanks, ...D
RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next
ADMT3 can replace subinacl. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, November 07, 2006 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next if you just want to migrate the servers from one domain to the other, you can use ADMT. However... if you also need to translate data, that is another story.
File based data - ADMT
Print services - SUBINACL
Services - SUBINACL
Shares - SUBINACL
Registry - SUBINACL
IIS - third party
SQL - third party
Citrix - don't know
PS.: SUBINACL is in the resource kit, but make sure to download the latest version Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server- Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) Tel : +31-(0)40-29.57.777 Mobile : +31-(0)6-26.26.62.80 E-mail : see sender address From: [EMAIL PROTECTED] on behalf of Danny Sent: Tue 2006-11-07 18:24 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next Thanks to advice from the ActiveDir community (this mailing list) and Microsoft's ADMT and ExMerge, we have successfully completed an interforest migration - of users, computers, and mailboxes. Next up: the servers, 12 of them. Two DC's, the rest are made up of file, print, Exchange, MS SQL (integrated auth), Citrix, and backup. The source forest will no longer be necessary in a few weeks. Would you recommend using ADMT for the servers as well? I know that the DC's and Exchange server will be done manually. Thanks, ...D
RE: [ActiveDir] Decommissioning a DC
Well, if you have some crappy app that is hardcoded to it by name or IP it will break, but that's fine; you need to fix those problems anyway. Otherwise do it and forget about it. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan Sent: Tuesday, November 07, 2006 4:23 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Decommissioning a DC We have several DCs in our environment all of which are 2003 SP1 servers except for one. I am preparing to demote this one through DCPromo this weekend. All of our DCs are also GCs, including this last remaining 2000 server. It does not own any FSMO roles. The Exchange RUS services are not using this DC. We are a single site and domain. Is there anything unique about demoting the last 2000 DC, given there are plenty of other 2003 DC/GCs available? Bryan Lucas Server Administrator Texas Christian University
RE: [ActiveDir] OT - USB HD no boot
That is possible, then. G4 was when they added the USB ports on the front and the usb key stuff. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Albert Duro Sent: Sunday, November 05, 2006 1:17 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT - USB HD no boot DL380 R03 P2400XEON US Product #: 257917-001 Thank you, Brian - Original Message - From: Brian Desmond [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Saturday, November 04, 2006 6:09 PM Subject: RE: [ActiveDir] OT - USB HD no boot What generation and model is the server - DL is just the make, still need the model and year. :) Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Albert Duro Sent: Saturday, November 04, 2006 3:51 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT - USB HD no boot Nothing doing. I tried it on a 3-year old Proliant DL. I couldn't find any USB settings, not in the boot order, not in the boot selections, not anywhere. It's back to the old switch and bai...er...boot - Original Message - From: Albert Duro [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, November 03, 2006 7:14 PM Subject: Re: [ActiveDir] OT - Backup Follies That's a great revelation. Thank you. I'll try it first thing in the morning. - Original Message - From: Laura A. Robinson [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, November 03, 2006 2:25 PM Subject: RE: [ActiveDir] OT - Backup Follies Remember when I asked about the BIOS? :-) http://www.microsoft.com/whdc/device/storage/usb-boot.mspx You can check out the links at the end for more information, but again, this is set in the BIOS of the machine. 
Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Anderson Sent: Friday, November 03, 2006 4:03 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT - Backup Follies Susan, How did you do that? I would love to be able to reboot without a worry. Bob IT Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Friday, November 03, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT - Backup Follies And on my DC I removed the USB drive as a boot device. So now I can be at home in my jammies and remotely reboot the server with no issues and it will reboot just fine. Bob Anderson wrote: Laura, Yeah, that one bit me big time. Had our Domain Controller running and added a USB Drive; all was fine. Along came Microsoft with the darned Updates and their 'Computer Must be restarted'. Well, it restarted alright and would not reboot. Talked to IBM Server Support for 4 hours before I finally figured it out myself. That was the only time I ever taught something to them and not the other way around. I have since updated the restart procedure to say 'Power off the USB drive before the system restarts.' Bob IT Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Friday, November 03, 2006 11:41 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT - Backup Follies Umm, that was kinda the point I was trying to make, Bob. :-) Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Anderson Sent: Friday, November 03, 2006 11:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT - Backup Follies Laura, It doesn't matter what the boot order is. Most servers have an internal Raid configuration that doesn't kick in until after the machine goes through its start up, and by then it has found the USB and not the hard disks.
And yes, I have this on two of my servers. Bob Anderson IT Guy Kent Sporting Goods 433 Park Ave. S New London OH 44851 419-929-7021 x315 email: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Friday, November 03, 2006 10:52 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT - Backup Follies What's the boot order in the BIOS on those machines? Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
[ActiveDir] Subnet Object Question
Question on Subnet Objects: It appears that there is not an actual property designated for the subnet network/mask. Does anyone know whether AD uses the name or cn for this information? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
RE: [ActiveDir] Subnet Object Question
Well yes, but I'm wondering which one is the actual value used. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Sunday, November 05, 2006 4:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Subnet Object Question Hi Brian, The following represents subnet 10.1.1.0/24; as you can see, it is used in the CN and NAME:

Expanding base 'CN=10.1.1.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=AD,DC=LAN'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=10.1.1.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=AD,DC=LAN
    2> objectClass: top; subnet;
    1> cn: 10.1.1.0/24;
    1> distinguishedName: CN=10.1.1.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=AD,DC=LAN;
    1> instanceType: 0x4 = ( IT_WRITE );
    1> whenCreated: 09/07/2006 21:17:43 W. Europe Standard Time W. Europe Daylight Time;
    1> whenChanged: 09/07/2006 21:17:43 W. Europe Standard Time W. Europe Daylight Time;
    1> uSNCreated: 13938;
    1> uSNChanged: 13938;
    1> showInAdvancedViewOnly: TRUE;
    1> name: 10.1.1.0/24;
    1> objectGUID: d69ed007-4556-4f85-b018-d6ff405ae2f1;
    1> systemFlags: 0x4000 = ( FLAG_CONFIG_ALLOW_RENAME );
    1> siteObject: CN=HQ,CN=Sites,CN=Configuration,DC=AD,DC=LAN;
    1> objectCategory: CN=Subnet,CN=Schema,CN=Configuration,DC=AD,DC=LAN

Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server- Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) Tel : +31-(0)40-29.57.777 Mobile : +31-(0)6-26.26.62.80 E-mail : see sender address From: [EMAIL PROTECTED] on behalf of Brian Desmond Sent: Sun 2006-11-05 22:08 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Subnet Object Question Question on Subnet Objects: It appears that there is not an actual property designated for the subnet network/mask. Does anyone know whether AD uses the name or cn for this information? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
RE: [ActiveDir] Subnet Object Question
As the actual representative subnet: if CN=foo and name=10.10.10.0/24, will the match occur? Or vice versa, if CN=10.10.10.0/24 and name=foo, will the match occur? In other words, which of the two attributes represents the actual subnet info? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Sunday, November 05, 2006 4:43 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Subnet Object Question Used for what? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Sunday, November 05, 2006 4:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Subnet Object Question Well yes, but I'm wondering which one is the actual value used. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
RE: [ActiveDir] OT - USB HD no boot
Another thing, on HPQ's site if you go under support/downloads and search DL380 G3 you'll get some choices, among them DL380 Rack server or something like that, once you choose that you get all the downloads. One of them is a utility for formatting USB Keys for booting 380s. Never used it but it's there. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Sunday, November 05, 2006 10:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT - USB HD no boot And have you tried booting the server with the USB drive formatted as a system drive? So far, your original statement has not been proven, and if the server boots properly with that USB drive formatted in a bootable fashion, then your original statement is actually *disproven*. Also, I don't know if you actually read the entire article that Susan provided (I'm not accusing you of not having read it, mind you), but if you haven't, you'll definitely want to. Based on the information there, I'd find it more likely than not that your particular DL 380s are capable of booting from USB devices. Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Albert Duro Sent: Sunday, November 05, 2006 9:48 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT - USB HD no boot I could not find the letters USB anywhere in the BIOS, and I looked down every menu tree. The paper you reference says that the DL380 does not support hot plug USB. It really looks like my original statement that some machines cannot boot with a live USB HD stands. Strangely enough, though, the machine isn't bothered by a USB memory stick or a USB diskette. BTW it also does not have a USB port in the front. What were they thinking? 
- Original Message - From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Sunday, November 05, 2006 12:25 PM Subject: Re: [ActiveDir] OT - USB HD no boot HP provides support for USB devices prior to the operating system loading through legacy USB support, which is enabled by default in the system ROM. http://h18004.www1.hp.com/products/servers/platforms/usb-support.html Can you disable that in the bios? Disable legacy USB support? Brian Desmond wrote: That is possible, then. G4 was when they added the USB ports on the front and the usb key stuff. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Albert Duro Sent: Sunday, November 05, 2006 1:17 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT - USB HD no boot DL380 R03 P2400XEON US Product #: 257917-001 Thank you, Brian - Original Message - From: Brian Desmond [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Saturday, November 04, 2006 6:09 PM Subject: RE: [ActiveDir] OT - USB HD no boot What generation and model is the server - DL is just the make, still need the model and year. :) Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Albert Duro Sent: Saturday, November 04, 2006 3:51 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT - USB HD no boot Nothing doing. I tried it on a 3-year old Proliant DL. I couldn't find any USB settings, not in the boot order, not in the boot selections, not anywhere. It's back to the old switch and bai...er...boot - Original Message - From: Albert Duro [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, November 03, 2006 7:14 PM Subject: Re: [ActiveDir] OT - Backup Follies That's a great revelation. Thank you. I'll try it first thing in the morning. 
- Original Message - From: Laura A. Robinson [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, November 03, 2006 2:25 PM Subject: RE: [ActiveDir] OT - Backup Follies Remember when I asked about the BIOS? :-) http://www.microsoft.com/whdc/device/storage/usb-boot.mspx You can check out the links at the end for more information, but again, this is set in the BIOS of the machine. Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Anderson Sent: Friday, November 03, 2006 4:03 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT - Backup Follies Susan, How did you do that I would love to be able to reboot
RE: [ActiveDir] /3GB and/or /USERVA and/or /PAE???
You do want /3GB on the DCs but not /PAE. The older ones with 2GB don't need either. What I want to know is why you're not loading x64 Windows, which solves this problem? Given your DIT is at 2.4GB and growing, if you want to get it into memory (better perf), it will fit now but it shortly won't; buy more RAM. Quad proc is a lot of horsepower; must be some busy sites you're putting these into. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino Sent: Saturday, November 04, 2006 12:30 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] /3GB and/or /USERVA and/or /PAE??? Hi all, We're running a Server 2003 AD environment across 110 DCs across North America and Europe. We have physical DCs on a variety of fairly new hardware and ESX VMs.
Older server hardware, approx. two years old: quad proc 2GB ram
ESX VMs: dual proc 3.6GB ram
New server hardware, from this summer: quad proc 4GB ram
Our DIT is around 2.3-2.4 GB and still growing slowly as we continue migrations of users. Server migrations coming next. There's no Exchange in our environment and the DCs are single-purpose as we don't permit anything else to be loaded on them (except for SYSVOL, antivirus, and monitoring tools, of course). My concern is that none of the older hardware or the VMs are running /3GB or /PAE. Some of the new hardware is running /PAE and some is not. I would like to have some degree of consistency. From what I can tell, running /3GB would make sense on the VMs and the newer physical boxes as it would permit more RAM to be allocated to LSASS. If we use /3GB do we need to, or want to, use /USERVA? I don't see any advantage, and in fact a disadvantage, to running /PAE. The disadvantage may just be bad press but it appears that there are issues with /PAE compatibility. Also, it appears that /PAE has no impact at or below 4GB? I read another thread from earlier this summer that the VMs should probably be replaced. We're looking into that but it will take a while. The thread seemed to indicate that /3GB might be the way to go. Anyway, I would like to know what you're running and/or would recommend. Called Microsoft about this and they looked up the same article that we already had but seemed to offer no advice based on real world experience. You guys are where the rubber meets the road. Thanks, Mike
RE: [ActiveDir] OT - USB HD no boot
What generation and model is the server - DL is just the make, still need the model and year. :) Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Albert Duro Sent: Saturday, November 04, 2006 3:51 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT - USB HD no boot Nothing doing. I tried it on a 3-year old Proliant DL. I couldn't find any USB settings, not in the boot order, not in the boot selections, not anywhere. It's back to the old switch and bai...er...boot - Original Message - From: Albert Duro [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, November 03, 2006 7:14 PM Subject: Re: [ActiveDir] OT - Backup Follies That's a great revelation. Thank you. I'll try it first thing in the morning. - Original Message - From: Laura A. Robinson [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, November 03, 2006 2:25 PM Subject: RE: [ActiveDir] OT - Backup Follies Remember when I asked about the BIOS? :-) http://www.microsoft.com/whdc/device/storage/usb-boot.mspx You can check out the links at the end for more information, but again, this is set in the BIOS of the machine. Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Anderson Sent: Friday, November 03, 2006 4:03 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT - Backup Follies Susan, How did you do that? I would love to be able to reboot without a worry. Bob IT Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Friday, November 03, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT - Backup Follies And on my DC I removed the USB drive as a boot device. So now I can be at home in my jammies and remotely reboot the server with no issues and it will reboot just fine.
Bob Anderson wrote: Laura, Yeah, that one bit me big time. Had our Domain Controller running and added a USB Drive; all was fine. Along came Microsoft with the darned Updates and their 'Computer Must be restarted'. Well, it restarted alright and would not reboot. Talked to IBM Server Support for 4 hours before I finally figured it out myself. That was the only time I ever taught something to them and not the other way around. I have since updated the restart procedure to say 'Power off the USB drive before the system restarts.' Bob IT Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Friday, November 03, 2006 11:41 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT - Backup Follies Umm, that was kinda the point I was trying to make, Bob. :-) Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Anderson Sent: Friday, November 03, 2006 11:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT - Backup Follies Laura, It doesn't matter what the boot order is. Most servers have an internal Raid configuration that doesn't kick in until after the machine goes through its start up, and by then it has found the USB and not the hard disks. And yes, I have this on two of my servers. Bob Anderson IT Guy Kent Sporting Goods 433 Park Ave. S New London OH 44851 419-929-7021 x315 email: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Friday, November 03, 2006 10:52 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT - Backup Follies What's the boot order in the BIOS on those machines? Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Albert Duro Sent: Friday, November 03, 2006 10:54 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT - Backup Follies Ah, that brings up another interesting point.
I use USB external hard drives too, and I've found that some WinXP and Server2003 machines will not boot if a USB hard drive is attached--I have to remember to turn it off while booting. Anyone else seen this? - Original Message - From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, November 02, 2006 9:02 PM Subject: Re: [ActiveDir] OT - Backup Follies (was) Exchange Log files --Disk Full-- No tape drives here. If it has a USB connection we are in business
RE: [ActiveDir] Phantom Exchange server(OT)
Can I just delete it from the config NC with adsiedit.msc? Is there anything else I should worry about? I generally take this route. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Saturday, November 04, 2006 7:27 PM To: activedirectory Subject: [ActiveDir] Phantom Exchange server(OT) I have a server that used to be a clustered Exchange box. Exchange and MSCS was removed (I don't know how), but the Exchange server object is still in the config NC and ESM. I can't right click the server in ESM and select remove. The ex cluster 2 nodes are still live and in the domain. The exchange server cluster name is still in AD and in the Exchange servers GG. The exchange server was not a bridgehead or route master or default PF server or any other exchange specific services. My question is, what is the best way to remove the exchange attributes of this server from AD? Can I just delete it from the config NC with adsiedit.msc? Is there anything else I should worry about? Thanks a lot!
RE: [ActiveDir] DC crashed
1 and 2 yes, 3 is certainly unnecessary. 4 I suppose if you don't think you squared things away or you only have a few. --brian From: [EMAIL PROTECTED] on behalf of Figueroa, Johnny Sent: Fri 11/3/2006 5:02 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DC crashed 1) I would Google how to seize the FSMO roles. 2) Google how to cleanup metadata for the failed DC 3) Once all of that is done, I would still use a different name and IP for the rebuilt server before going on with a DCPROMO. Unless you had to use the same. 4) Use DCDIAG on the other DCs prior to and after promoting the rebuilt one. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers Sent: Friday, November 03, 2006 3:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DC crashed Did you delete this server object from ADUC? If not, that's probably what you need to do. -- Larry Wahlers Concordia Technologies The Lutheran Church - Missouri Synod mailto:[EMAIL PROTECTED] direct office line: (314) 996-1876 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clingaman, Bruce Sent: Friday, November 03, 2006 4:32 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DC crashed I apologize for not doing my homework first, but I'm in a pickle and need help fast. One of my domain controllers (which held all the fsmo roles) crashed and I had to reinstall. Now that I've reinstalled, I'm ready to rejoin and promote. But I can't; I get User already exists when trying to join. I am using the same computer name as before. I have not deleted or changed anything in the directory on the other server yet. What do I need to do to get my old server back as a domain controller? Links to articles or even words to search by would be of great help. Thanks for any advice. Bruce. 
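The ntdsutil commands behind steps 1 and 2 of the reply above (and the checks of step 4), as an added PowerShell example that is not from the thread. DC02 (the surviving DC), DC01 (the crashed DC), Default-First-Site-Name and contoso.com are placeholders, and it assumes the Windows Server 2003 SP1 or later ntdsutil, run as a member of Schema Admins and Enterprise Admins.

```powershell
# Added example (not from the list thread). Placeholders: DC02 is the surviving DC
# that takes over the roles, DC01 is the crashed DC, and DC01's server object is
# assumed to sit in Default-First-Site-Name of the contoso.com forest.
$survivor        = "DC02"
$crashedServerDn = "CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com"

# Step 1: seize all five FSMO roles onto the survivor. ntdsutil first attempts a
# graceful transfer and only seizes when the old holder (DC01) does not answer;
# each seizure prompts for confirmation. Seize only once it is certain DC01 will
# never come back online with its old copy of the directory.
$roles = "schema master", "domain naming master", "PDC", "RID master", "infrastructure master"
foreach ($role in $roles) {
    ntdsutil "roles" "connections" "connect to server $survivor" "quit" "seize $role" "quit" "quit"
}

# Step 2: metadata cleanup. The "remove selected server <DN> on <DC>" form binds to
# the survivor and removes DC01's NTDS Settings object (the SP1 tool also cleans up
# the related FRS and computer objects). If DC01's computer account is still in the
# Domain Controllers OU afterwards, delete it by hand: that account is what produces
# the "user already exists" error when the rebuilt box tries to join with the same name.
ntdsutil "metadata cleanup" "remove selected server $crashedServerDn on $survivor" "quit" "quit"

# ntdsutil does not touch DNS: remove DC01's stale A, CNAME and SRV records from the
# domain and _msdcs zones before promoting the rebuilt server.

# Step 4, run before and again after the re-promotion: replication health and the
# role holders as seen by the remaining DCs.
dcdiag /s:$survivor /v
repadmin /showrepl $survivor
netdom query fsmo
```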
RE: [ActiveDir] OT - Backup Follies
Compaq ILO/RILOE board, Dell DRAC, IBM Remote Access, IP KVM + APC PDU w/ remote access are all viable options... Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Bob Anderson Sent: Friday, November 03, 2006 4:03 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT - Backup Follies Susan, How did you do that? I would love to be able to reboot without a worry. Bob IT Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Friday, November 03, 2006 3:04 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT - Backup Follies And on my DC I removed the USB drive as a boot device. So now I can be at home in my jammies and remotely reboot the server with no issues and it will reboot just fine. Bob Anderson wrote: Laura, Yeah, that one bit me big time. Had our Domain Controller running and added a USB Drive; all was fine. Along came Microsoft with the darned Updates and their 'Computer Must be restarted'. Well, it restarted alright and would not reboot. Talked to IBM Server Support for 4 hours before I finally figured it out myself. That was the only time I ever taught something to them and not the other way around. I have since updated the restart procedure to say 'Power off the USB drive before the system restarts.' Bob IT Guy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Friday, November 03, 2006 11:41 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT - Backup Follies Umm, that was kinda the point I was trying to make, Bob. :-) Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Anderson Sent: Friday, November 03, 2006 11:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT - Backup Follies Laura, It doesn't matter what the boot order is.
Most servers have an internal Raid configuration that doesn't kick in until after the machine goes through its start up, and by then it has found the USB and not the hard disks. And yes, I have this on two of my servers. Bob Anderson IT Guy Kent Sporting Goods 433 Park Ave. S New London OH 44851 419-929-7021 x315 email: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Friday, November 03, 2006 10:52 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT - Backup Follies What's the boot order in the BIOS on those machines? Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Albert Duro Sent: Friday, November 03, 2006 10:54 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT - Backup Follies Ah, that brings up another interesting point. I use USB external hard drives too, and I've found that some WinXP and Server2003 machines will not boot if a USB hard drive is attached--I have to remember to turn it off while booting. Anyone else seen this? - Original Message - From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, November 02, 2006 9:02 PM Subject: Re: [ActiveDir] OT - Backup Follies (was) Exchange Log files --Disk Full-- No tape drives here. If it has a USB connection we are in business. Albert Duro wrote: Yes, BE does do disk backup. But I have some objections: A. They don't make it easy; in fact they make an unnecessarily complicated production of it. B. I started doing NTBackup to disk while (and because) I was still troubleshooting BE. When I gave up on BE and its brethren, NTBackup was a natural segue, and already in place and working. C. I discovered one great advantage that NTBackup-to-disk has over any other backup system: with a bit of planning, it is proof against almost any combination of crash and burn. You have a backup file on two or more disks/machines.
Things go bad, you can do recovery from any Windows machine; you can move or copy the backup disks/files to any machine. Try doing that with a sophisticated tape-based or SAN-based system. Imagine having to replace the tape drive/autoloader with the exact same type, while rebuilding a same-hardware three-year old server to the exact same configuration, same SPs, same backup software, same drivers. I can guarantee that at least one of those necessary replacement elements will be impossible to find, even under leisurely conditions. [1] Yes, there are strategies
RE: [ActiveDir] Active Directory Health Check tool - where can it run from?
Which tool is this? The AD Snapshot tool that you get from an ADRAP can run from any server.
--brian

From: [EMAIL PROTECTED] on behalf of Washington, Booker
Sent: Tue 10/31/2006 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: Active Directory Health Check tool - where can it run from?

Does that tool need to be run from a Domain Controller, or can it be run from any member server in the Domain, or a workstation? Just curious.
Thanks
RE: [ActiveDir] Active Directory Health Check tool - where can it run from?
ADRAP being AD Risk Assessment Program or something along that line - MS comes out for some number of days, runs that tool and makes recommendations on changes to make to the forest - it's a health check, basically. Your forest admins aren't supposed to be emailing that thing around the company. My recollection is that the license is one year from the date of the ADRAP, to be used on the machine it was installed on only.
--brian

From: [EMAIL PROTECTED] on behalf of Washington, Booker
Sent: Tue 10/31/2006 4:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Health Check tool - where can it run from?

It is the Active Directory Health Check Snapshot Tool. What exactly is ADRAP? I got a copy from our Forest Admins because I am a child domain of the forest. The reason that I ask is because I seem to get buggy results when I go from an XP workstation, or a member server, and I wondered if I needed to run it from the DC itself.
Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, October 31, 2006 5:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Active Directory Health Check tool - where can it run from?

Which tool is this? The AD Snapshot tool that you get from an ADRAP can run from any server.
--brian

From: [EMAIL PROTECTED] on behalf of Washington, Booker
Sent: Tue 10/31/2006 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: Active Directory Health Check tool - where can it run from?

Does that tool need to be run from a Domain Controller, or can it be run from any member server in the Domain, or a workstation? Just curious.
Thanks
RE: [ActiveDir] Need some advices....
If the domain was created in Windows 2000 or 2003 R2, you've got 60 days to fix it; 2003 domains you have 180 days. This is assuming you haven't tweaked the tombstone lifetime. 4 hours is nothing. :)

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Wednesday, October 25, 2006 10:23 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need some advices

Hello all ;)
Due to a network outage that is scheduled for 4 hours on an Active Directory site, I'd like to leave our DCs up without shutting them down.
Question: Could I leave all my DCs up even though they cannot communicate with each other for 4 hours? Will that cause any issues (repl, auth, etc.)? Or do I have to shut them down and reboot them when the network is back up?
Thanks for advice.
Cheers,
Yann

Discover a new way to get answers to all your questions! Benefit from the knowledge, opinions and experience of other Internet users on Yahoo! Questions/Réponses.
RE: [ActiveDir] Need some advices....
That sounds right - I forgot about the SP1 change.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, October 25, 2006 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Need some advices

If memory serves me right, the forest/trees tombstone values whatevers (you know, those things we never worry about in SBSland) are different depending on how that SP1 got on the box...
2003 RTM: you have 60 days
2003 SP1 (clean install): you have 180 days
2003 R2 (clean install): you have 60 days
(They kinda went backwards on the R2 and reintroduced the 60 days, if I remember right.)

Brian Desmond wrote:
If the domain was created in Windows 2000 or 2003 R2, you've got 60 days to fix it; 2003 domains you have 180 days. This is assuming you haven't tweaked the tombstone lifetime. 4 hours is nothing. :)
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Wednesday, October 25, 2006 10:23 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need some advices

Hello all ;)
Due to a network outage that is scheduled for 4 hours on an Active Directory site, I'd like to leave our DCs up without shutting them down.
Question: Could I leave all my DCs up even though they cannot communicate with each other for 4 hours? Will that cause any issues (repl, auth, etc.)? Or do I have to shut them down and reboot them when the network is back up?
Thanks for advice.
Cheers,
Yann

Discover a new way to get answers to all your questions! Benefit from the knowledge, opinions and experience of other Internet users on Yahoo! Questions/Réponses http://fr.rd.yahoo.com/evt=42054/*http:/fr.answers.yahoo.com.

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
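The tombstone lifetime that Brian and Susan describe is the hard limit on how long a DC can go without replicating before it is no longer safe to reconnect. Below is an added example, not code from the thread or from Microsoft, that reads the forest's tombstoneLifetime (falling back to the 60-day default when the attribute is unset) and compares it against each DC's last successful inbound replication, so a planned outage like Yann's can be judged against the real budget. It uses the ActiveDirectory PowerShell module cmdlets from Windows Server 2012 and later rather than the 2003-era tools the thread discusses; the 50% warning threshold is an assumed value.

```powershell
# Added example (not from the thread): compare replication age with the tombstone lifetime.
# Requires the ActiveDirectory module (RSAT) and read access to the configuration partition.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the configuration NC.
    $rootDse = Get-ADRootDSE
    $dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $ds = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime
    # When the attribute has never been written, the directory behaves as if it were 60 days.
    if ($null -eq $ds.tombstoneLifetime) { return 60 }
    return [int]$ds.tombstoneLifetime
}

function Get-ReplicationAgeReport {
    param(
        # Assumed threshold: flag any partner whose last success is older than this share of the lifetime.
        [int]$WarnAtPercent = 50
    )
    $tsl = Get-TombstoneLifetimeDays
    $now = Get-Date
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Inbound partners are what matter: a DC that cannot pull changes is the one that goes stale.
        $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound
        foreach ($p in $partners) {
            $ageDays = ($now - $p.LastReplicationSuccess).TotalDays
            [pscustomobject]@{
                Server            = $dc.HostName
                Partner           = $p.Partner
                Partition         = $p.Partition
                LastSuccess       = $p.LastReplicationSuccess
                DaysSinceSuccess  = [math]::Round($ageDays, 2)
                TombstoneLifetime = $tsl
                LastResult        = $p.LastReplicationResult   # 0 means the last attempt succeeded
                AtRisk            = $ageDays -ge ($tsl * $WarnAtPercent / 100)
            }
        }
    }
}

# Oldest replication first; anything with AtRisk = True deserves attention before a planned outage.
Get-ReplicationAgeReport | Sort-Object DaysSinceSuccess -Descending | Format-Table -AutoSize
```

A four-hour outage shows up here as a DaysSinceSuccess of roughly 0.17, which is why the thread treats it as a non-event; the same report is also the quickest way to spot a DC that has silently stopped replicating for weeks.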