[ActiveDir] OT: SpecOps GPUPDATE tool

2006-12-07 Thread McCann, Danny
Hi

Has anyone used the WoL feature of this tool? If so, can you let me know
of any issues that you came across please? We are currently only
interested in the Shutdown/WoL feature, and would be interested to know
how it obtains the MAC addresses required and the method of transmission
of the wake up packet across the subnets - to keep our active network
team happy. They had a recent incident with a Ghost server and they're a
bit edgy. :)

Cheers

Danny



RE: [ActiveDir] OT: SpecOps GPUPDATE tool

2006-12-07 Thread McCann, Danny
Including bugs! :)
Maybe should have been 2 emails - One here for any problems encountered
and one to SpecOps for technical detail.
Any users encountered any problems with this tool? :)))
 
Kind regards
 
Danny
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 07 December 2006 14:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SpecOps GPUPDATE tool


I would expect specops to provide that info, if I were in your
position.
 
neil



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: 07 December 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SpecOps GPUPDATE tool



Hi 

Has anyone used the WoL feature of this tool? If so, can you let
me know of any issues that you came across please? We are currently only
interested in the Shutdown/WoL feature, and would be interested to know
how it obtains the MAC addresses required and the method of transmission
of the wake up packet across the subnets - to keep our active network
team happy. They had a recent incident with a Ghost server and they're a
bit edgy. :)

Cheers 

Danny 

PLEASE READ: The information contained in this email is
confidential and 
intended for the named recipient(s) only. If you are not an
intended 
recipient of this email please notify the sender immediately and
delete your 
copy from your system. You must not copy, distribute or take any
further 
action in reliance on it. Email is not a secure method of
communication and 
Nomura International plc ('NIplc') will not, to the extent
permitted by law, 
accept responsibility or liability for (a) the accuracy or
completeness of, 
or (b) the presence of any virus, worm or similar malicious or
disabling 
code in, this message or any attachment(s) to it. If
verification of this 
email is sought then please request a hard copy. Unless
otherwise stated 
this email: (1) is not, and should not be treated or relied upon
as, 
investment research; (2) contains views or opinions that are
solely those of 
the author and do not necessarily represent those of NIplc; (3)
is intended 
for informational purposes only and is not a recommendation,
solicitation or 
offer to buy or sell securities or related financial
instruments. NIplc 
does not provide investment services to private customers.
Authorised and 
regulated by the Financial Services Authority. Registered in
England 
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St
Martin's-le-Grand, 
London, EC1A 4NP. A member of the Nomura group of companies. 

Email has been scanned for viruses by Altman Technologies' email
management service http://www.altman.co.uk/emailsystems 



RE: [ActiveDir] OT: SpecOps GPUPDATE tool

2006-12-07 Thread McCann, Danny
Hi Neil
 
You were right, they did. It's no good for us as the tool won't work
with non-windows DHCP, which I guess is used to retrieve the MAC
addresses.
Should have thought of this in the first instance, but to quote the parrot
sketch, I have a cold. :)
 
All the best
 
Danny
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 07 December 2006 14:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SpecOps GPUPDATE tool


I would expect specops to provide that info, if I were in your
position.
 
neil



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: 07 December 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SpecOps GPUPDATE tool



Hi 

Has anyone used the WoL feature of this tool? If so, can you let
me know of any issues that you came across please? We are currently only
interested in the Shutdown/WoL feature, and would be interested to know
how it obtains the MAC addresses required and the method of transmission
of the wake up packet across the subnets - to keep our active network
team happy. They had a recent incident with a Ghost server and they're a
bit edgy. :)

Cheers 

Danny 




Re: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

2006-11-08 Thread Danny
Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Danny
Sent: Tue 2006-11-07 18:24
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

Thanks to advice from the ActiveDir community (this mailing list) and Microsoft's ADMT and ExMerge, we have successfully completed an interforest migration - of users, computers, and mailboxes. Next up: the servers, 12 of them. Two DC's, the rest are made up of file, print, Exchange, MS SQL (integrated auth), Citrix, and backup. The source forest will no longer be necessary in a few weeks. Would you recommend using ADMT for the servers as well? I know that the DC's and Exchange server will be done manually..

Thanks,
...D

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


[ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

2006-11-07 Thread Danny
Thanks to advice from the ActiveDir community (this mailing list) and Microsoft's ADMT and ExMerge, we have successfully completed an interforest migration - of users, computers, and mailboxes. Next up: the servers, 12 of them. Two DC's, the rest are made up of file, print, Exchange, MS SQL (integrated auth), Citrix, and backup. The source forest will no longer be necessary in a few weeks. Would you recommend using ADMT for the servers as well? I know that the DC's and Exchange server will be done manually..
Thanks,
...D


Re: [ActiveDir] Active Directory Health Check tool - where can it run from?

2006-10-31 Thread Danny
On 10/31/06, Washington, Booker [EMAIL PROTECTED] wrote:
Does that tool need to be run from a Domain Controller, or can it be run from any member server in the Domain, or workstation.
Just curious.
Thanks

Which tool are you specifically referring to? dcdiag? If so, I would check the documentation:
http://technet2.microsoft.com/WindowsServer/en/library/5237db58-a1e8-40cd-ae8a-7f52848a90f21033.mspx?mfr=true
...D


[ActiveDir] ADMT v3 Profile cleanup options

2006-10-27 Thread Danny
Computer and user migration with ADMT v3 scenario:
Users have local profiles (non-roaming). It appears as though when you migrate user and computer into new forest, the new user in the target forest logs into the same computer (now part of target domain) and a new profile is created; they are not routed into their existing profile. Just curious how you have all managed to get around this without interrupting the users too much.

Windows Server 2003 and Windows XP Pro SP2 environment.

Thanks,
...D


Re: [ActiveDir] How to grant administrator from trusted forest local PC Admin rights

2006-10-27 Thread Danny
Excellent - I will try it out. Thanks
D

On 10/26/06, Chong Ai Chung [EMAIL PROTECTED] wrote:
You can use restricted group feature in GPO for this.
Please refer to following link for more detail:
http://www.msresource.net/content/view/45/46/

On 10/27/06, Danny [EMAIL PROTECTED] wrote:

Looking for ideas on how to provide a domain administrator in a separate forest local administrator rights on all domain computers to assist with ADMT v3 computer migration.
Thanks,...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


Re: [ActiveDir] ADMT v3 Profile cleanup options

2006-10-27 Thread Danny
On 10/27/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
* within the same forest -- no need to translate profiles (although different SID, GUID takes care of this)
* between different forests -- profile translation is needed (different GUID and SID)

Different forests.

you can use ADMT or any third party tool

Sorry, I am not familiar with what profile translation entails behind the scenes. Is profile translation when the new user simply has NTFS permissions to their old profile, but when they log into Windows a new empty/blank profile is created, and so if they wanted to all of their previous settings they would have to manually copy favourites, documents, etc. from their old profile to their new profile?

as soon as users start to use their new account you need to translate the profile

This will log the new user into the existing profile then?

Thanks, Jorge
D

From: [EMAIL PROTECTED] on behalf of Danny
Sent: Fri 2006-10-27 15:32
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADMT v3 Profile cleanup options

Computer and user migration with ADMT v3 scenario:
Users have local profiles (non-roaming). It appears as though when you migrate user and computer into new forest, the new user in the target forest logs into the same computer (now part of target domain) and a new profile is created; they are not routed into their existing profile. Just curious how you have all managed to get around this without interrupting the users too much.

Windows Server 2003 and Windows XP Pro SP2 environment.

Thanks,
...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


[ActiveDir] New server to replace DC and FP role - options for keeping the same name

2006-10-26 Thread Danny
Quick question; an existing remote office DC/file/print server will be replaced with a brand new server. What options do I have if they wish to keep the same name?

Thanks,
...D


Re: [ActiveDir] New server to replace DC and FP role - options for keeping the same name

2006-10-26 Thread Danny
Thanks, Susan - I'll have a go at it.

On 10/26/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

www.sbsmigration.com

In the SBS world this is what we do all the time when we are replacing our SBS box and we don't want to have to touch the workstations.

Original server is sync'd up with a temp DC with the name of TempDC. Ensure replication occurs, cut the cord.
Seize FSMO roles to that TempDC.
Sync up with another server that is made an additional DC which has the exact same name as the original server. Ensure replication occurs, cut cord with the TempDC.
Seize FSMO roles.

TempDC can be a virtual PC image of Win2k3 server on a laptop used only to move that AD gunk from the one DC to the other.

You now have the original server and a replica server ... same name..same domain that can be slid in place and the workstations are none the wiser.

Danny wrote:
Quick question; an existing remote office DC/file/print server will be replaced with a brand new server. What options do I have if they wish to keep the same name?
Thanks,
...D

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


[ActiveDir] How to grant administrator from trusted forest local PC Admin rights

2006-10-26 Thread Danny
Looking for ideas on how to provide a domain administrator in a separate forest local administrator rights on all domain computers to assist with ADMT v3 computer migration.

Thanks,
...D


Re: [ActiveDir] Seperate forest migration notes

2006-09-08 Thread Danny
I found some more information, however, in the Before using ADMT v3 help document included with ADMT, it states that the account that I am running ADMT, must be a member of the administrators group on all computers that I want to migrate. How would I accomplish this?

Thanks,
...D

On 9/5/06, Danny [EMAIL PROTECTED] wrote:
Thank you, Al! I will provide an updated outline of our plan based on your suggestions.

One question, though: Does anyone know what ADMT v3 is not capable of migrating in the environment I outlined?

On 8/29/06, Al Mulnick [EMAIL PROTECTED] wrote:

Overall, that's pretty good for the plan. If you haven't already seen it, there's a migration cookbook available on Microsoft's website. Some things to pay attention to: name resolution for the clients - it's important :) Trust configurations - if a recent enough version, there are some security components that you'll want to be aware of - specifically quarantine and sidfiltering. Be sure those are configured appropriately for your environment.

Order of migration:
Be sure to understand the impacts of the order that you migrate the users. I don't know enough about the versions of Exchange, but it would make sense to move the users after or before you move the mailboxes. All the users or all the mailboxes pretty much. If you try to do both at the same time, it can be difficult to troubleshoot and you'll slow your migration down trying to chase the issues.


That leads to expectations: 
Be sure that nobody expects to stay in the partially-migrated state for very long while you chase down integration issues. Once you start, be prepared to sprint to the finish line. Co-existence sucks. No doubts about that. If you try to continue on with migration and coexistence and new projects and...etc you'll be torn to the winds. Your best bet is to continue to push regardless of the issues once you begin (post pilot of course). 


Did I mention name resolution? That's important, so I don't mind mentioning it twice. 

Planning is your friend when it comes to migrations. 

I imagine that Guido might chime in here. I hear he's done this once or twice. :)
On 8/29/06, Danny [EMAIL PROTECTED] wrote:


A company was acquired. Separate 2000/2003 forest, now a two-way trust exists, but we are looking at migrating their users, mailboxes, computers, and servers into our forest.

Working on a plan to test moving a user, mailbox, computer, and server into our forest. Plan:
Select test users and computers
Install ADMT
Test user migration via ADMT
Test computer migration via RDP manually or script (must locate)
Test mailbox migration via Exchange Migration Wizard
Login as user and test services/access

Am I missing anything? Any tips?

Thanks,
...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


Re: [ActiveDir] Seperate forest migration notes

2006-09-08 Thread Danny
Thanks - I will try that out. Also, do you know if the Windows firewall needs any exceptions for the computer migration component to function?

On 9/8/06, Chong Ai Chung [EMAIL PROTECTED] wrote:
You can add your account to administrators group on all computers using restricted group in GPO.

http://support.microsoft.com/Default.aspx?kbid=279301

On 9/9/06, Danny [EMAIL PROTECTED] wrote:


I found some more information, however, in the Before using ADMT v3 help document included with ADMT, it states that the account that I am running ADMT, must be a member of the administrators group on all computers that I want to migrate. How would I accomplish this?
Thanks,
...D

On 9/5/06, Danny [EMAIL PROTECTED] wrote:
 

Thank you, Al! I will provide an updated outline of our plan based on your suggestions.

One question, though: Does anyone know what ADMT v3 is not capable of migrating in the environment I outlined?

On 8/29/06, Al Mulnick [EMAIL PROTECTED] wrote:
 


Overall, that's pretty good for the plan. If you haven't already seen it, there's a migration cookbook available on Microsoft's website. Some things to pay attention to: name resolution for the clients - it's important :) Trust configurations - if a recent enough version, there are some security components that you'll want to be aware of - specifically quarantine and sidfiltering. Be sure those are configured appropriately for your environment.

Order of migration:
Be sure to understand the impacts of the order that you migrate the users. I don't know enough about the versions of Exchange, but it would make sense to move the users after or before you move the mailboxes. All the users or all the mailboxes pretty much. If you try to do both at the same time, it can be difficult to troubleshoot and you'll slow your migration down trying to chase the issues.


That leads to expectations: 
Be sure that nobody expects to stay in the partially-migrated state for very long while you chase down integration issues. Once you start, be prepared to sprint to the finish line. Co-existence sucks. No doubts about that. If you try to continue on with migration and coexistence and new projects and...etc you'll be torn to the winds. Your best bet is to continue to push regardless of the issues once you begin (post pilot of course). 


Did I mention name resolution? That's important, so I don't mind mentioning it twice. 

Planning is your friend when it comes to migrations. 

I imagine that Guido might chime in here. I hear he's done this once or twice. :)

On 8/29/06, Danny [EMAIL PROTECTED] wrote: 


A company was acquired. Separate 2000/2003 forest, now a two-way trust exists, but we are looking at migrating their users, mailboxes, computers, and servers into our forest.

Working on a plan to test moving a user, mailbox, computer, and server into our forest. Plan:
Select test users and computers
Install ADMT
Test user migration via ADMT
Test computer migration via RDP manually or script (must locate)
Test mailbox migration via Exchange Migration Wizard
Login as user and test services/access

Am I missing anything? Any tips?

Thanks,
...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


[ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Danny
Environment: Windows Server 2003 R2 and 2000 mixed AD forest with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES user. Out of the blue the user is unable to send from their BlackBerry. Permissions are checked in ADUC, and the required SendAs permission granted to the BES account have disappeared. This has happened to new and existing users.

I do not know where to start. I am reviewing a dcdiag /e /v to see if there are any potentially related problems.

Thanks,
...D


Re: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Danny
You are right! Thanks!

On 9/7/06, Williams, Robert [EMAIL PROTECTED] wrote:

Maybe AdminSDHolder is biting you?

Here's an article that talks about the Send-As specifically, but it's more than just that:

http://support.microsoft.com/kb/907434/

If the user in question is a member of any of the following groups, then you could be seeing this:

The following list describes the protected groups in Windows 2000:

• Enterprise Admins
• Schema Admins
• Domain Admins
• Administrators

The following list describes the protected groups in Windows Server 2003 and in Windows 2000 after you apply the 327825 hotfix or you install Windows 2000 Service Pack 4:

• Administrators
• Account Operators
• Server Operators
• Print Operators
• Backup Operators
• Domain Admins
• Schema Admins
• Enterprise Admins
• Cert Publishers

Additionally the following users are also considered protected:

• Administrator
• Krbtgt

The above was taken from:
http://support.microsoft.com/kb/817433/

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Thursday, September 07, 2006 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD object (User accounts) Permissions dissappearing

Environment: Windows Server 2003 R2 and 2000 mixed AD forest with
Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES
user. Out of the blue the user is unable to send from their BlackBerry.
Permissions are checked in ADUC, and the required SendAs permission granted to
the BES account have disappeared. This has happened to new and existing users. 

I do not know where to start. I am reviewing a dcdiag /e /v to see if there are
any potentially related problems.

Thanks,

...D




2006-09-07, 13:03:30
The information contained in this e-mail message and any attachments may be privileged and confidential.  If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.





--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
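
The membership check Robert Williams suggests in the message above, worked through as an added example (not part of the original thread): it walks nested group membership to see whether an account reaches one of the protected groups quoted from KB 817433, under either the Windows 2000 list or the Windows Server 2003 list. The accounts and group nesting are constructed sample data, and treating indirect (nested) membership as protected is an assumption of this example.

```python
from collections import deque

# Protected groups exactly as listed in the quoted message (KB 817433).
PROTECTED_W2K = frozenset({
    "Enterprise Admins", "Schema Admins", "Domain Admins", "Administrators",
})
PROTECTED_W2K3 = PROTECTED_W2K | frozenset({
    "Account Operators", "Server Operators", "Print Operators",
    "Backup Operators", "Cert Publishers",
})
# Users the message lists as protected in their own right.
PROTECTED_USERS = frozenset({"administrator", "krbtgt"})

# Constructed sample data: principal -> groups it is a DIRECT member of.
# "Site-A Operators" and "Site-A Helpdesk" deliberately form a loop, which
# real directories can contain and a naive recursive walk would not survive.
MEMBER_OF = {
    "alice": ["Site-A Helpdesk"],
    "Site-A Helpdesk": ["Site-A Operators"],
    "Site-A Operators": ["Print Operators", "Site-A Helpdesk"],
    "bob": ["Sales"],
    "Sales": [],
    "carol": ["Domain Admins"],
}


def protection_path(principal, member_of, protected_groups):
    """Return the shortest membership chain from `principal` to a protected
    group (as a list of names), or None if no protected group is reachable.

    Assumption of this example: nested membership counts, so the walk is
    transitive. A breadth-first search gives the shortest chain, which is the
    one an administrator would want to break first.
    """
    if principal.lower() in PROTECTED_USERS:
        return [principal]

    seen = {principal}
    queue = deque([[principal]])
    while queue:
        path = queue.popleft()
        for group in member_of.get(path[-1], []):
            if group in seen:          # already visited: guards against loops
                continue
            seen.add(group)
            if group in protected_groups:
                return path + [group]
            queue.append(path + [group])
    return None


def audit(users, member_of, protected_groups):
    """Map each user to its protection chain (or None) for one baseline."""
    return {u: protection_path(u, member_of, protected_groups) for u in users}


if __name__ == "__main__":
    for label, baseline in (("Windows 2000 list", PROTECTED_W2K),
                            ("Windows Server 2003 list", PROTECTED_W2K3)):
        print(label)
        for user, chain in audit(["alice", "bob", "carol"], MEMBER_OF, baseline).items():
            status = " -> ".join(chain) if chain else "not protected"
            print(f"  {user}: {status}")
```

In the sample data, alice is only caught by the longer Windows Server 2003 list (through Print Operators), which is the kind of account whose delegated permissions, such as Send-As, would be affected after the baseline changes.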


Re: [ActiveDir] AD object (User accounts) Permissions dissappearing

2006-09-07 Thread Danny
No, but the user is part of a group that is part of a group that has Admin-type permissions on an OU for their site.

On 9/7/06, Brian Desmond [EMAIL PROTECTED] wrote:












This user isn't a domain admin or enterprise admin is he/she?



Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Thursday, September 07, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD object (User accounts) Permissions dissappearing







Environment: Windows Server 2003 R2 and 2000 mixed AD forest
with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server)
server.

Scenario: Existing AD account with full Exchange mailbox and provisioned BES
user. Out of the blue the user is unable to send from their BlackBerry.
Permissions are checked in ADUC, and the required SendAs permission granted to
the BES account have disappeared. This has happened to new and existing users. 

I do not know where to start. I am reviewing a dcdiag /e /v to see if there are
any potentially related problems.

Thanks,

...D









--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


[ActiveDir] Unable to unpublish old ILS server and replace with new

2006-09-06 Thread Danny
Netmeeting is utilizing ILS for directory lookup, however, the original ILS server died, so I am trying to unpublish the old and publish the new one. However, I am receiving error messages that our beloved search engines and help documentation are not helping much.

When I restart all related (IIS and ILS) services, I do not see any error messages in the event log.

Here is what is going on...

c:\ilscfg ilsserver.example.org /publish
Register ILS service returned error: The system detected an invalid pointer address in attempting to use a pointer argument in a call.

c:\ilscfg /listpub
ILS server: oldilsserver.example.org, Port:1002
Found 1 service(s).

c:\ilscfg oldilsserver.example.org /unpublish port 1002
Unregister ILS service returned error: The system detected an invalid pointer address in attempting to use a pointer argument in a call.

c:\ilscfg oldilsserver.example.org /unpublish 1002
Unregister ILS service returned error: The system detected an invalid pointer address in attempting to use a pointer argument in a call.

c:\ilscfg oldilsserver.example.org /unpublish port:1002
Unregister ILS service returned error: The system detected an invalid pointer address in attempting to use a pointer argument in a call.

References:
https://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=""
http://search.microsoft.com/results.aspx?mkt=en-USsetlang=en-USq=ilscfg

So, is there a way to manually unpublish this information and publish the new ILS server in Active Directory?

Thanks!

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


RE: OT - RE: [ActiveDir] W. in hell

2006-09-05 Thread McCann, Danny



More annoying, at least to me, are questions that are ON TOPIC but someone didn't take time to look at the archives or google and asking like it was the first time it was asked versus maybe revisiting the previous discussion in new light.

I recently replied to a mail from a few months ago and re-launched a mini-debate. I'd reversed the chronological order while looking for a particular email, forgot to change it back, spotted a subject I'd only just been reading about. I only noticed the date a wee while later! :)))

Danny





Re: [ActiveDir] Seperate forest migration notes

2006-09-05 Thread Danny
Thank you, Al! I will provide an updated outline of our plan based on your suggestions.

One question, though: Does anyone know what ADMT v3 is not capable of migrating in the environment I outlined?

On 8/29/06, Al Mulnick [EMAIL PROTECTED] wrote:
Overall, that's pretty good for the plan. If you haven't already seen it, there's a migration cookbook available on Microsoft's website. Some things to pay attention to: name resolution for the clients - it's important :) Trust configurations - if a recent enough version, there are some security components that you'll want to be aware of - specifically quarantine and sidfiltering. Be sure those are configured appropriately for your environment.

Order of migration:
Be sure to understand the impacts of the order that you migrate the users. I don't know enough about the versions of Exchange, but it would make sense to move the users after or before you move the mailboxes. All the users or all the mailboxes pretty much. If you try to do both at the same time, it can be difficult to troubleshoot and you'll slow your migration down trying to chase the issues.


That leads to expectations: 
Be sure that nobody expects to stay in the partially-migrated state for very long while you chase down integration issues. Once you start, be prepared to sprint to the finish line. Co-existence sucks. No doubts about that. If you try to continue on with migration and coexistence and new projects and...etc you'll be torn to the winds. Your best bet is to continue to push regardless of the issues once you begin (post pilot of course). 


Did I mention name resolution? That's important, so I don't mind mentioning it twice. 

Planning is your friend when it comes to migrations. 

I imagine that Guido might chime in here. I hear he's done this once or twice. :)
On 8/29/06, Danny [EMAIL PROTECTED] wrote:


A company was acquired. Separate 2000/2003 forest, now a two-way trust exists, but we are looking at migrating their users, mailboxes, computers, and servers into our forest.

Working on a plan to test moving a user, mailbox, computer, and server into our forest. Plan:
Select test users and computers
Install ADMT
Test user migration via ADMT
Test computer migration via RDP manually or script (must locate)
Test mailbox migration via Exchange Migration Wizard
Login as user and test services/access

Am I missing anything? Any tips?

Thanks,
...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


[ActiveDir] Seperate forest migration notes

2006-08-29 Thread Danny
A company was acquired. Separate 2000/2003 forest, now a two-way trust exists, but we are looking at migrating their users, mailboxes, computers, and servers into our forest.

Working on a plan to test moving a user, mailbox, computer, and server into our forest. Plan:
Select test users and computers
Install ADMT
Test user migration via ADMT
Test computer migration via RDP manually or script (must locate)
Test mailbox migration via Exchange Migration Wizard
Login as user and test services/access

Am I missing anything? Any tips?

Thanks,
...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


Re: [ActiveDir] Site down for 36 hours so far - anything proactive to do?

2006-08-29 Thread Danny
We should be good, then. Thanks, Joe
D

On 8/29/06, joe [EMAIL PROTECTED] wrote:





Nope you should be good unless you have some special dependence on that DC. Normally you need to worry once you start to approach the TSL which is usually 60 days for most places or if you don't know why the DC is down (i.e. Mr. BlackHat is hacking your server in an offline fashion). If the machine does approach the TSL time down, just whack it out of the directory and rebuild when it comes back up.

 joe


--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of 
DannySent: Tuesday, August 29, 2006 10:50 AMTo: 
ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site down for 36 
hours so far - anything proactive to do?
One of our sites has been without power for over 36 hours now. Is 
there anything that I should do in AD if the site could potentially be down for 
the another day or more? DC's are mixed between 2000 SP4, 2003 SP1, and 2003R2. 
Thanks,...D-- CPDE - Certified Petroleum 
Distribution EngineerCCBC - Certified Canadian Beer Consumer 

-- CPDE - Certified Petroleum Distribution EngineerCCBC - Certified Canadian Beer Consumer


RE: [ActiveDir] Weak AD passwords

2006-08-09 Thread McCann, Danny
Hi

Haven't used it, but one of my colleagues swears it's too good. :)
Try Rainbow Tables.

Cheers

Danny


  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 20 March 2006 21:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Weak AD passwords

Can anyone recommend any tools to find which of our users have weak AD passwords? We used to use L0phtcrack back in the day, but it doesn't appear to be supported any longer? Other than enforcing complex passwords (which we do) and 8 character minimum, we'd like to figure out who uses things like "Password1" or something silly like that.

Thanks in advance

Email has been scanned for viruses by Altman Technologies' email management service

~~
This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged.
This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.
~~


Re: [ActiveDir] Adding the first Win2003 R2 DC

2006-07-27 Thread Danny

On 7/27/06, Lucas, Bryan [EMAIL PROTECTED] wrote:

I have 4 DC's that are Win2003 SP1 and 1 DC that is still Win2000 SP4.  I'd
like to add a new DC that is Win2003 R2.  Is there anything special I need
to do (i.e. forestprep/domainprep) or can I join it just like another
Win2003 SP1 DC?


Yes, run adprep from CD 2:

http://technet2.microsoft.com/WindowsServer/en/library/5022eea0-54bc-422f-b98b-ddb836c8ee851033.mspx?mfr=true

...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Acqusition of 2003 Forest - options experiences

2006-07-13 Thread Danny
Thanks everyone for your feedback - much appreciated. I received a quote from Quest, and we are looking at a minimum commitment of $40,000 CDN. Still working out the budget, but I think a business decision will be made by management to go the ADMT route. :)

Please keep the opinions and experiences coming. I look forward to posting my experience as we move forward. :)

...D

On 7/13/06, Myrick, Todd (NIH/CC/DCRI) [E] [EMAIL PROTECTED] wrote:

I can vouch for the Aelita/Quest Migration tools and say they are pretty good for NT to AD migrations, and AD to AD migrations. There was a lot of innovation in the space a couple years ago, but I think most of the solutions today are pretty stable and offer comparable features. The value of third-party tools is that with some you can get around certain group limitations, password migration issues, and workstation provisioning.

Here is a tip, when evaluating, ask what API's they use for achieving their migration functions. Some vendors just write Project Management Code around the MS API's, others take a more "unique" approach and develop their own API's to give you more flexibility.

One more thing, several of the vendors only offer professional services instead of access to their software, due to the fact a lot of time you pretty much needed their expertise on site anyway. I encourage you to have an open mind about that, but also not just assume everything is magic.

Good luck,

Todd

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 12, 2006 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Acqusition of 2003 Forest - options  experiences

I think you'd be doing yourself a favor to at least look into Quest Software's tools including Migration Manager for Active Directory. While I haven't used that particular tool I have used several of their other tools including their Domain Migration Wizard to move from NT4 to 2000/2003 with much success. They really reduce the workload in my experience and they have so much experience that they are less likely to miss something than if you try to do it manually =)

Andrew Fidel

Danny [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/12/2006 01:18 PM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Acqusition of 2003 Forest - options  experiences

A company with an independent 2003 Forest has been acquired. They
have Exchange 2003 and a Citrix server. We have a similar
configuration minus Citrix. The goal is obviously to migrate key AD
objects, mailboxes, and servers into our 2003 forest.

I understand that ADMT is often the right tool for the job, but I
would greatly appreciate hearing your personal experiences and any
caveats that you may have run into. And is it the only tool you need?

I am off to read some MS docs on the topic and specifically ADMT.
Hopefully I am able to contribute back to the list.

Thanks,

...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


[ActiveDir] Acqusition of 2003 Forest - options experiences

2006-07-12 Thread Danny

A company with an independent 2003 Forest has been acquired.  They
have Exchange 2003 and a Citrix server.  We have a similar
configuration minus Citrix.  The goal is obviously to migrate key AD
objects, mailboxes, and servers into our 2003 forest.

I understand that ADMT is often the right tool for the job, but I
would greatly appreciate hearing your personal experiences and any
caveats that you may have run into.  And is it the only tool you need?

I am off to read some MS docs on the topic and specifically ADMT.
Hopefully I am able to contribute back to the list.

Thanks,

...D


RE: [ActiveDir] OT: Higher Education web access

2006-06-21 Thread McCann, Danny
We use it here (Glasgow Caledonian) to an extent, without issue. And I believe it's used very successfully and extensively at Strathclyde (much bigger uni than we are).

Cheers

Danny


  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: 20 June 2006 16:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Higher Education web access

All you're "taking away" is the limitation of 1 file at a time. (OK, the interface is different but for Windows users it's going to be much more like what they use when they're working with local files)

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Glenn
Sent: 20 June 2006 14:13
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Higher Education web access

I myself would be more than happy with this scenario. However, when I discuss this with the VP he says we can't take away anything they have now. So that means I have to find a way for them to access their files through some type of web interface (which maybe I can convince him WEBDAV is almost like what they have now) and also be able to publish their own web pages.

Paul

On 6/20/06, Steve Rochford [EMAIL PROTECTED] wrote:

We use webdav and publish instructions for staff/students to just add their home folder as a "my network place" on their home computers. This works well - once you've connected it's just another location that appears in explorer or file dialogues.

If you're happy to continue with FTP access to the web folder then that's perfectly possible; I'm assuming you're scripting creation of users so it's just a case of adding an extra bit to create and permission a folder somewhere in the IIS folder for each user.

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Glenn
Sent: 19 June 2006 21:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Higher Education web access

Hello all,

Sorry for the OT, but I'm a bit at a loss on parts of the big move. As I've said in the past, I'm in the process of moving our student population from eDirectory to Active Directory. We've overcome several hurdles up to this point. Our next big one is how to give access to our student's files via a web browser and also a way to host their own web pages. Currently we accomplish this via IUAdmin and apache services. IUAdmin is not ported to the Windows platform and Apache for Windows has a few drawbacks. I was wondering if there are any higher education folks out there that wouldn't mind talking with me about their environment.

To help give a better idea of what we do, I offer three web pages:

Students can login to the following page and gain access to their files.
http://locker.uky.edu

The next link shows you some screenshots of what you would see if you logged in as bigtest.
http://locker.uky.edu/help.htm

Then of course we offer a way for them to publish their own webpages (the first link will show you where I get my signature):
http://locker.uky.edu/~pglenn

Thanks for any help even if it's just a pointer to another listserv

Paul

--
***
"I've got a fever and the only prescription is more cowbell."
--Christopher Walken
***


RE: [ActiveDir] FRS/DFS woes

2006-06-15 Thread McCann, Danny
Is the DNS configuration of this server pointing to itself for DNS
resolution? Are the other servers resolving against the same DNS?

Cheers

Danny



The root of the DFS is located on our PDC emulator, which is also a DNS
server itself.  If I go into the dfs root on the PDC emulator I see the
file I copied to the \\domain.com\dfs\software directory, it's just not
replicating to any of the other links.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Tuesday, June 13, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRS/DFS woes

Where is the root of the DFS located?
I seem to remember having problems with DFS replication before, because
one of the servers hosting the root had its DNS incorrectly configured.
Ultrasound would report any errors sure enough. After decoding what it
all means you'll need a dark room to lie down in for a few hours. :)

Cheers

Danny


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 13 June 2006 15:31
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FRS/DFS woes



I'm trying to set up a DFS share and having all sorts of issues getting
it to work.  I've installed Ultrasound and I'm either not sure where to
look in it for the answer or it's not giving me the answer.


I set up a link with 3 targets in a ring replication topology.  2 of the
3 servers are Win2k3, 1 is Win2k.  The only server the file is showing
up on is the one that is set up as the master to replicate from.  The
errors I'm mostly seeing are:


The File Replication Service is having trouble enabling replication from
CAMPATFS01 to CCVVPLFS01 for d:\communicator using the DNS name
campatfs01.ccc.ourdomain.com. FRS will keep retrying.

Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name
campatfs01.ccc.ourdomain.com from this computer.

[2] FRS is not running on campatfs01.ccc.ourdomain.com.

[3] The topology information in the Active Directory for this replica
has not yet replicated to all the Domain Controllers.


and

Following is the summary of warnings and errors encountered by File
Replication Service while polling the Domain Controller
\\camdhqdc01.ccc.ourdomain.com for FRS replica set configuration
information.


I'm thoroughly stumped.  Any advice?  Name resolution seems to be
working reverse and forward between the servers.

Thanks in advance

~~
This e-mail is confidential, may contain proprietary information of
Cameron and its operating Divisions and may be confidential or
privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~

RE: [ActiveDir] FRS/DFS woes

2006-06-15 Thread McCann, Danny
Hi Russ

Try pointing the server to itself for DNS resolution. 
This is the problem I had with one replica in a similar situation and it
resolved the problem for me. BTW, It only affected DFS replication,
SYSVOL was fine. 

Cheers

Danny


No, PDC emulator (which is also the root target) is not pointing to
itself for DNS.  Other servers are resolving against their local DNS
which is replicated from the same DNS as the root target.



RE: [ActiveDir] Group membership question

2006-06-14 Thread McCann, Danny
Thank you.

Danny


  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 13 June 2006 17:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group membership question

No it is a value in an attribute. A child object would be an object that has a group as its parent...

I.E. cn=group,ou=someou,dc=dom,dc=com and the child object of cn=somethingelse,cn=group,ou=someou,dc=com,dc=com

In the default schema, the only objectclass that can be instantiated as an object under a group is objectClass classStore. You can determine that by looking at the possibleInferiors attribute of the group object.

 joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Tuesday, June 13, 2006 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group membership question

Sorry if this is a daft question, but I can't find an answer anywhere: Is a User considered a Child object of a Group to which it is a member?

Cheers

Danny
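
The distinction joe draws in the message above, as an added example that is not part of the original thread: containment is decided by the DN itself (the parent is everything after the first RDN), while membership is a value stored in the group's member attribute. The directory entries, DNs and function names are constructed for illustration; the one child placed under the group is a classStore object, following joe's note.

```python
# Added illustration, not code from the thread. All DNs and entries are
# constructed sample data; the function names are hypothetical.


def split_dn(dn):
    """Split a DN into RDNs, keeping backslash-escaped commas intact.

    A naive dn.split(",") would cut "CN=Smith\\, Jane" into two pieces
    and make every containment check on that entry wrong.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def normalize(dn):
    """Case-insensitive, whitespace-tolerant form of a DN for comparison.

    Limitation: hex escapes (\\2C) are not folded onto character escapes.
    """
    parts = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), value.strip().lower()))
    return tuple(parts)


def is_child_of(dn, parent_dn):
    """True only if parent_dn is the immediate container of dn."""
    return normalize(dn)[1:] == normalize(parent_dn)


def is_member_of(directory, dn, group_dn):
    """True if dn appears as a value of the group's member attribute."""
    wanted = normalize(dn)
    members = directory[group_dn].get("member", [])
    return any(normalize(m) == wanted for m in members)


def relationships(directory, group_dn):
    """List which entries are children of the group and which are members."""
    return {
        "children": [d for d in directory if is_child_of(d, group_dn)],
        "members": [d for d in directory if is_member_of(directory, d, group_dn)],
    }


GROUP = "CN=Staff,OU=Groups,DC=dom,DC=com"
USER = "CN=Smith\\, Jane,OU=People,DC=dom,DC=com"
STORE = "CN=Apps,CN=Staff,OU=Groups,DC=dom,DC=com"

DIRECTORY = {
    # The member value is stored in a different case on purpose.
    GROUP: {"objectClass": "group",
            "member": ["cn=smith\\, jane,ou=people,dc=dom,dc=com"]},
    USER: {"objectClass": "user"},
    STORE: {"objectClass": "classStore"},
}

if __name__ == "__main__":
    result = relationships(DIRECTORY, GROUP)
    print("children:", result["children"])
    print("members: ", result["members"])
```

The user is a member but lives under OU=People, so anything that follows containment (such as ACL inheritance from a parent container) applies to it through that OU, not through the group.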


[ActiveDir] Group membership question

2006-06-13 Thread McCann, Danny
Sorry if this is a daft question, but I can't find an answer anywhere:

Is a User considered a Child object of a Group to which it is a member?


Cheers


Danny





RE: [ActiveDir] FRS/DFS woes

2006-06-13 Thread McCann, Danny
Where is the root of the DFS located?
I seem to remember having problems with DFS replication before, because
one of the servers hosting the root had its DNS incorrectly configured.
Ultrasound would report any errors sure enough. After decoding what it
all means you'll need a dark room to lie down in for a few hours. :)

Cheers

Danny




RE: [ActiveDir] sample vbs script

2006-06-06 Thread McCann, Danny
Hi Antonio
 
Here's a link to one of the microsoft script centre repositories. You may want 
to look at some of the other sections to see how to set passwords, etc.
There are lots of other sites out there which will supply more sophisticated 
scripts, but this is a good start for picking up the building blocks.
 
http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/manage/usmgvb05.mspx
 
Cheers
 
Danny
 

-Original Message- 
From: [EMAIL PROTECTED] on behalf of Antonio Aranda 
Sent: Tue 06/06/2006 20:28 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: [ActiveDir] sample vbs script



Could someone send me a sample vbs script that creates AD user accounts?

Thanks

Antonio

Re: [ActiveDir] Forcing Kerberos to use TCP instead of UDP

2006-05-02 Thread Danny

On 4/26/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:

Many times!   What is your concern?


Turns out the firewall admins had to explicitly allow TCP 135 on their
Checkpoint firewall, and the AD trust between the IPSec sites is
working.

Thank you to all of you for your assistance.

...D
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] DNS addition - event error 4010: unable to create RR for AD zone

2006-05-02 Thread Danny

On 4/25/06, Douglas M. Long [EMAIL PROTECTED] wrote:

Some suggestions:

Look into the differences between 2000 and 2003 AD integrated DNS. I believe
in 2000 they are stored in the domain partition and in 2003 they are stored
in the application directory partition.
http://support.microsoft.com/?id=817470

http://support.microsoft.com/default.aspx?scid=kb;en-us;825036


Netdiag usually gives some useful information

If you do delete the zone and recreate it, you can then run netdiag /fix to
get things going again.

Make sure the DNS server service, the DNS client service, and the DHCP
client service are all running as expected.

If it ends up that one of the 2000 DNS servers is having issues and you need
to recreate it, this should help to ensure that you clean things.

http://support.microsoft.com/?kbid=294328

NOTE: Not totally sure of the impact of step 4 in the above KB, so make sure
you know what it is doing (test it) before doing it in production.

Hope this helps


Thanks, I will be trying this on May 13th.  Results will be posted here.

...D


[ActiveDir] OT: Network routing/Cisco mailing list

2006-04-28 Thread Danny

Happy Friday to you all.  Sorry for the OT - I am looking for a Cisco
network routing or just general network routing mailing list. Any
suggestions?  I did search as well.

Thanks,

...D


[ActiveDir] Forcing Kerberos to use TCP instead of UDP

2006-04-26 Thread Danny
Has anyone? http://support.microsoft.com/?id=244474

RE: http://www.mail-archive.com/activedir@mail.activedir.org/msg41616.html

I am concerned about the impact on this environment.

Thanks,

...D


Re: [ActiveDir] Forcing Kerberos to use TCP instead of UDP

2006-04-26 Thread Danny
On 4/26/06, Olivarez, Sergio J Mr CTNOSC/GD-NS
[EMAIL PROTECTED] wrote:
 Many times!   What is your concern?

1) Does this change need to be made to all DC's?
2) What changes need to be made to clients and/or GPO's?
3) Will this have a short (or long) term negative impact to operations?
4) Has this been a solution for you with broken AD trusts between site
to site VPN connections?
5) Is there any effect on over network traffic?

Thanks,

...D


Re: [ActiveDir] DNS addition - event error 4010: unable to create RR for AD zone

2006-04-25 Thread Danny
On 4/25/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 To directly answer your question:, I'd suggest:

 Convert the zone to Standard primary on the problematic server.
 Configure the server to now use another DNS server for lookup.
 Then delete the newly-converted zone on this server
 Remove DNS from this server
 Reboot for good measure
 Ensure that there are no DNS errors present anywhere on the other DNS servers
 Ensure that this server can resolve records using nslookup and can ping by
 name and IP
 Then reinstall DNS on this server.

There are six AD integrated DNS servers, all 2000 SP4, but this new DC
(2003 SP1), when I added DNS (AD integrated) and started the services
I see:

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4010
Date: 17/04/2006
Time: 2:11:04 PM
User: N/A
Computer: DMTOR2K3
Description:
The DNS server was unable to create a resource record for
dom.example.ca. in zone .. The Active Directory definition of this
resource record is corrupt or contains an invalid DNS name. The event
data contains the error.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
: 7b 00 00 00   {...

Since all the servers share the same DNS information, I do not
understand which server to focus on as being problematic. Are you
referring to the new 2003 DC - to perform the steps that you suggest?

Thanks!

...D


[ActiveDir] AD trust between seperate forest - inconsistant RPC communication

2006-04-24 Thread Danny
Hello,

Company A acquired Company B:

A: Windows 2000 SP4 DC's and one Server 2003 SP1 DC

B: Windows Server 2003 DC's

A site to site IPSec VPN connection between the two sites was up and
running months ago. Ping by name (and IP address) results are good. 
Today, we added a two-way external non-transitive trust between the
two forests, first from domain A's 2003 DC and then domain B's 2003
DC. Subsequently, domain B shows up on Domain A member PC and is also
available from various security (permissions) locations, however, you
cannot enumerate domain B's AD from there.

Here are some error messages:

Event Type: Error
Event Source:   NETLOGON
Event Category: None
Event ID:   5719
Date:   24/04/2006
Time:   12:40:31 PM
User:   N/A
Computer:   NYDC2
Description:
This computer was not able to set up a secure session with a domain
controller in domain EXAMPLE due to the following:
The remote procedure call failed and did not execute.
This may lead to authentication problems. Make sure that this computer
is connected to the network. If the problem persists, please contact
your domain administrator.

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator
in the specified domain. Otherwise, this computer sets up the secure
session to any domain controller in the specified domain.

I have looked at the following from Microsoft, but I am hesitant to
proceed.  Has anyone else seen this?


  Event ID 5719 - The system cannot log you on now because the domain
name is not available.

Symptoms: when attempting to logon a domain,  you keep getting an
error that The system cannot log you on now because the domain name
is not available.  Also, Event viewer shows Event ID: 5719.  No
Windows NT or Windows 2000 Domain Controller is available for domain
domain name. The following error occurred: There are currently no
logon servers available to service the logon request.

Resolutions: One possible cause of this error is that you have run out
of buffer space in the NetBT datagram buffer. To resolve this problem,
increase the MaxDgramBuffering value from 128 KB to 256 KB. Run
Regedt32.exe, go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters.
On the Edit menu, click Add Value, and then add the following
information:

Value Name: MaxDgramBuffering
Data Type: REG_DWORD
Value: 0x4

Refer to 072704RL
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] DNS addition - event error 4010: unable to create RR for AD zone

2006-04-18 Thread Danny
On 4/17/06, Al Mulnick [EMAIL PROTECTED] wrote:

 When you talk about deleting and such are you thinking about the newsgroups
 posts like this one:
 http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.dns/2005-05/msg00245.html
   ???

Yes, along those lines.  But, the zone file in question in this
scenario is the forward lookup zone for AD.  Since DNS plays a
critical role in AD, I am sure that you can understand that I am
hesitant to just delete the AD DNS zone without understanding exactly
how a new zone will automatically create all the essential resource
records.

 Some questions:
 Is DNS AD-Integrated?

Yes, the default.

 Software revisions in use?

I am not sure what you mean, but there is a mix of Windows 2000 SP4
and Windows Server 2003 SP1.

 When the client fails, what's the error logged and what are they looking
 for? (I assume nslookup vs. live clients - is that correct?)

Example:

hosts file only contains one server on the LAN
DNS cache has been flushed
DNS client points exclusively to IP of DNS server
NIC has been restarted
nslookup default server displayed; try a hostname lookup and I receive:

DNS request timed out.
timeout was 2 seconds

When I ping a hostname not previously looked up (or in the cache), it
takes a few seconds and then it finally resolves the name and pings
host successfully.

Regardless, do you know what can be done to resolve the original
issue?  What I have just described is more than likely a result of the
root problem.

Thanks,

...D


[ActiveDir] DNS addition - event error 4010: unable to create RR for AD zone

2006-04-17 Thread Danny
New 2003 DC promoted into 2000 forest about 2 months ago.  Server was
stable so I added DNS services this morning.  The zones from the other
DC's showed up OK, but the following event was logged:

Event Type: Error
Event Source: DNS
Event Category: None
Event ID: 4010
Date: 17/04/2006
Time: 2:11:04 PM
User: N/A
Computer: DMTOR2K3
Description:
The DNS server was unable to create a resource record for 
dom.example.ca. in zone .. The Active Directory definition of this
resource record is corrupt or contains an invalid DNS name. The event
data contains the error.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
: 7b 00 00 00   {...


AND... when clients were pointed to the new DNS server, all lookups failed.

I have read some tips on eventid.net and Google Groups, but I wanted
to check with the AD gurus before I delete zones and such.

Thanks,

...D


[ActiveDir] Mass AD Full Name Display Name Changes - Last name, first name

2006-03-01 Thread Danny
My goal is to automate a process to change Full Name and Display Name
from John Doe to Doe, John.  I am not yet familiar with VB et al
scripting, so assistance would be greatly appreciated if you propose a
scripting solution.

Thank you!

...D


Re: [ActiveDir] OT: Roaming Profiles

2006-02-04 Thread Danny
Right, but if you have several remote sites in the US with a total of
150 users connected via site T1's to one Exchange server in Toronto
(Canada)?  Cached mode is pretty much necessary.

...D

On 2/3/06, Navroz Shariff [EMAIL PROTECTED] wrote:
 I would highly discourage against using cached mode for roaming
 profiles. Just imagine the network resources they would be hogging up
 when they log onto a different computer and not to mention HDD space. We
 definitely have disable cached mode for roaming profiles.

 -Nav


Re: [ActiveDir] OT: Roaming Profiles

2006-02-03 Thread Danny
I agree... but what about OST files - Outlook cached mode.  Is anyone
excluding the OST from the roaming profile?  If so, a new OST will
need to be downloaded at each computer the user logs into.  Most are
100-300MB.  Which is the lesser evil. :)

...D

On 2/3/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:


 As just another piece of this, users sometimes just throw stuff on their
 desktop since they don't know any better or because that might be the
 first location that shows up during a save operation.  The desktop is
 obviously included as part of the profile, leading to bloated sizes.



 Mike Thommes








 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Molkentin, Steve
 Sent: Friday, February 03, 2006 8:45 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: Roaming Profiles



 I too am a fan of local profile, but I do not think that directly addresses
 Frank's issues...



 A couple of jobs ago at a school we used roaming profiles exclusively - made
 sense in our scenario. There was still at least 3-4 staff on a bad day that
 needed their profile reconfig-ed (all students used a mandatory profile).
 Bottom line - use GPO's to limit the size of the user dumping grounds,
 and/or redirect them. It's amazing how your profiles shrink dramatically when
 you don't allow users to store their files as a part of their profile, you
 don't copy their IE cache, and redirect a couple of other folders.



 I feel for you Frank, as with users with profiles in excess of, say, 20 MB -
 with your links speeds, I am amazed that you do not experience more problems
 (but then I am sure it is only the ones that move sites that cause the
 issues... give them a laptop and make them have local profiles!).  ;)



 My $0.02 inc GST...



 themolk.





 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Krenceski, William
 Sent: Friday, 3 February 2006 10:54 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT: Roaming Profiles

 I personally avoid roaming and mandatory roaming like the plague. One thing
 you can do is create a DFS Root for the profiles of the users that move
 around replicate to all of the sites that they visit. I would not recommend
 doing it for everyone else. I would actually stop using roaming for everyone
 else that does not roam. There are many alternatives to roaming using Group
 Policies because no matter how you look at it you are slowing down the user
 logon and the network especially with that many users.



 JMTC



 Bill


 


 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Frank Abagnale
 Sent: Friday, February 03, 2006 4:51 AM
 To: Active
 Subject: [ActiveDir] OT: Roaming Profiles


 Hi all,


 I have a question regarding Roaming Profiles. Our environment currently has
 3500 users which are all roaming profile enabled. Their profiles are stored
 on the local site server. We have approx 56 sites which are all linked by
 256-1mb lines.


 I like the concept of roaming profiles, however some of our users have
 profiles ranging from 5mb - 200mb, some even with 1GB profiles.


 Because a lot of our users log on to different computers at different sites,
 we are finding issues with corrupted profiles and logon speeds. On a few
 occasions, where a user has been added to a group, the permissions assigned to
 this group are not shown when the user is logged back on. Deleting the
 profile and recreating it fixes this issue, but it's quite a time-consuming
 effort.


 How does everyone deal with roaming profiles if used? sometimes there are
 instances where users just want to logon to the PC without their roaming
 profile so they can remote desktop to their PC. In this situation they have
 to take their profile across which can take forever depending on the size of
 profile and link.


 Any creative ideas? how about using DFS to store the profiles?


 Thanks


 Frank



 




--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


Re: [ActiveDir] Automagically move AD computers into new/appropriate OU

2006-01-10 Thread Danny
On 1/10/06, Kamlesh Parmar [EMAIL PROTECTED] wrote:
 If you know the admin password of all new computers, you can use netdom.exe
 to join machine
 remotely, and at the same time put it in exact ou where you want to put it.

 NETDOM JOIN comp1 /DOMAIN:WINDOM /UO:LocalAdmin /PO:LocalAdminPassword
 /UD:WinDom\DomAdmin /PD:DomAdminPassword /OU:OU=MyComps,dc=dom,dc=com

 Where
 comp1 = remote computer to join the domain
 windom = domain to join
 localadmin = local administrator of comp1 computer
 localadminpassword = localadmin 's password
 windom\domadmin = domain account with rights to join machine to domain
 DomAdminPassword = windom\domadmin's password

Excellent, I will try this! Thanks!

...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


[ActiveDir] GPO - Windows classic view without losing Quick Launch bar in Win2000

2006-01-10 Thread Danny
Through GPO, is there a way to enforce Windows Classic View in the
Folder View (WinXP SP2) - without losing the Quick Launch bar on the
Windows 2000 computers.

Thanks,

...D

--
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer


[ActiveDir] Automagically move AD computers into new/appropriate OU

2006-01-09 Thread Danny
Is there a way to automagically place new AD computers into the
correct OU, as opposed to the built-in Computer container?

Thanks,

...D


Re: [ActiveDir] Automagically move AD computers into new/appropriate OU

2006-01-09 Thread Danny
This is all fantastic information; especially since there are
different ways of getting the same end result.  Thanks, everyone!

One more related question, if you have a dozen new PC's, what options
are available for joining/adding computers to the domain -- besides
logging into the PC and changing the network identification to the AD
domain?

Because I only have experience in smaller environments, I have
always added computers to the domain by the aforementioned method.

Cheers,

...D


[ActiveDir] Promote 2003 member server in prep'd 2000 domain?

2005-12-09 Thread Danny
If I run forest and domain prep for 2003 on the 2000 schema
master/FSMO god, can I then dcpromo a new 2003 member server without
upgrading the Windows 2000 DC to Windows Server 2003?

We are talking about an all 2000 domain with two DC's, Netware 5.x,
and MSDSS for directory sync.

Thanks,

...D


Re: [ActiveDir] Promote 2003 member server in prep'd 2000 domain?

2005-12-09 Thread Danny
On 12/9/05, Almeida Pinto, Jorge de
[EMAIL PROTECTED] wrote:
 Yes you can...

Thought so, I just wanted to make sure I was reading between the lines
in the MSKB's.

[...] snip articles I have.


 Forestprep on the schema master
 Domainprep on the infrastructure master

This DC is both, so it is obviously OK to do both on this DC.

Thank you!

...D


[ActiveDir] Netware 5, 2000 AD, and Exchange 5.5 to 2003

2005-12-07 Thread Danny
Netware 5 with 2000 AD and Exchange 5.5 will all be migrated to 2003. 
Anyone have experience with this - any tips/suggestions?

Thank you,

...D


Re: [ActiveDir] Netware 5, 2000 AD, and Exchange 5.5 to 2003

2005-12-07 Thread Danny
On 12/7/05, Almeida Pinto, Jorge de
[EMAIL PROTECTED] wrote:
 More than half a year ago I did a migration from Netware 5, NT4 and Exchange
 5.5 to Windows/Exchange 2003. I remember posting information about it.

I will dust off the archives, then. Thanks.

[...]
 Another source you could use is the library from Quest. It contains 3 articles
 about migrating from Novell (http://wm.quest.com/library/)

Checking it out.


 I assume Netware 5 is used for file and print services and AD is used as the
 primary authentication system. Right?

File, Print, and user login - with some type of synchronization
between the two directories so that Exchange and Outlook works.

Thanks,

...D


Re: [ActiveDir] Broken 2000 AD? Trying to upgrade to 2003 Exchange 2003

2005-12-03 Thread Danny
Well, after rebooting the remote DC, fixing the DNS root hints (were
pointing to itself) and rebooting the server, the Exchange 2003 forest
and domain prep and upgrade were successful.

I am now about to prepare the forest for Windows Server 2003.

In the meantime, if you see anything obvious in my original post,
please let me know so that I can fix it.

Thanks,

...D


Re: [ActiveDir] Broken 2000 AD? Trying to upgrade to 2003 Exchange 2003

2005-12-03 Thread Danny
On 12/3/05, Danny [EMAIL PROTECTED] wrote:
 Well, after rebooting the remote DC, fixing the DNS root hints (were
 pointing to itself) and rebooting the server, the Exchange 2003 forest
 and domain prep and upgrade were successful.

 I am now about to prepare the forest for Windows Server 2003.

 In the meantime, if you see anything obvious in my original post,
 please let me know so that I can fix it.

OK, stop the party; I am not seeing:

F:\I386>adprep /forestprep

ADPREP WARNING:

Before running adprep, all Windows 2000 domain controllers in the forest should
be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows
2000 SP2 (or later).

QFE 265089 (included in Windows 2000 SP2 and later) is required to prevent
potential domain controller corruption.

For more information about preparing your forest and domain see KB article
Q331161 at http://support.microsoft.com.

[User Action]
If ALL your existing Windows 2000 domain controllers meet this requirement, type
C and then press ENTER to continue. Otherwise, type any other key and press
ENTER to quit.



c
Opened Connection to SRV01
SSPI Bind succeeded
Current Schema Version is 13
Upgrading schema to version 30
ERROR: Failed to transfer the schema FSMO role: 52 (Unavailable).

If the error code is Insufficient Rights, make sure you are logged in as a
member of the schema admin group.
Adprep was unable to upgrade the schema on the schema master.
[Status/Consequence]
The schema will not be restored to its original state.
[User Action]
Check the Ldif.err log file in the
C:\WINNT\system32\debug\adprep\logs\20051203125020 directory for detailed
information.



Adprep was unable to update forest-wide information.
[Status/Consequence]
Adprep requires access to existing forest-wide information from the schema
master in order to complete this operation.
[User Action]
Check the log file, Adprep.log, in the
C:\WINNT\system32\debug\adprep\logs\20051203125020 directory for more
information.

Thanks!


[ActiveDir] Failed to transfer the schema FSMO role - 2000 to 2003 upgrade

2005-12-03 Thread Danny
adprep /forestprep is failing. User is built-in administrator with full rights.

Adprep created the log file ADPrep.log under
C:\WINNT\system32\debug\adprep\logs\20051203132518 directory.



Adprep copied file D:\Win2003SRV\I386\schema.ini from installation
point to local machine under directory C:\WINNT.



Adprep copied file D:\Win2003SRV\I386\sch14.ldf from installation
point to local machine under directory C:\WINNT\system32.



Adprep copied file D:\Win2003SRV\I386\sch15.ldf from installation
point to local machine under directory C:\WINNT\system32.



Adprep copied file D:\Win2003SRV\I386\sch16.ldf from installation
point to local machine under directory C:\WINNT\system32.



Adprep copied file D:\Win2003SRV\I386\sch17.ldf from installation
point to local machine under directory C:\WINNT\system32.



Adprep copied file D:\Win2003SRV\I386\sch18.ldf from installation
point to local machine under directory C:\WINNT\system32.



Adprep copied file D:\Win2003SRV\I386\sch19.ldf from installation
point to local machine under directory C:\WINNT\system32.



Adprep copied file D:\Win2003SRV\I386\sch20.ldf from installation
point to local machine under directory C:\WINNT\system32.



Adprep copied file D:\Win2003SRV\I386\sch21.ldf from installation
point to local machine under directory C:\WINNT\system32.



Adprep copied file D:\Win2003SRV\I386\sch22.ldf from installation
point to local machine under directory C:\WINNT\system32.



Adprep copied file D:\Win2003SRV\I386\sch23.ldf from installation
point to local machine under directory C:\WINNT\system32.



Adprep copied file D:\Win2003SRV\I386\sch24.ldf from installation
point to local machine under directory C:\WINNT\system32.



Adprep copied file D:\Win2003SRV\I386\sch25.ldf from installation
point to local machine under directory C:\WINNT\system32.



Adprep copied file D:\Win2003SRV\I386\sch26.ldf from installation
point to local machine under directory C:\WINNT\system32.



Adprep copied file D:\Win2003SRV\I386\sch27.ldf from installation
point to local machine under directory C:\WINNT\system32.



Adprep copied file D:\Win2003SRV\I386\sch28.ldf from installation
point to local machine under directory C:\WINNT\system32.



Adprep copied file D:\Win2003SRV\I386\sch29.ldf from installation
point to local machine under directory C:\WINNT\system32.



Adprep copied file D:\Win2003SRV\I386\sch30.ldf from installation
point to local machine under directory C:\WINNT\system32.



Adprep copied file D:\Win2003SRV\I386\dcpromo.cs_ from installation
point to local machine under directory
C:\WINNT\system32\debug\adprep\data.



Adprep copied file D:\Win2003SRV\I386\409.cs_ from installation point
to local machine under directory C:\WINNT\system32\debug\adprep\data.



Adprep successfully made the LDAP connection to the local domain
controller SRV01.



Adprep was about to call the following LDAP API. ldap_search_s(). The
base entry to start the search is (null).



LDAP API ldap_search_s() finished, return code is 0x0



Adprep successfully retrieved information from the local directory service.



Adprep successfully initialized global variables.

[Status/Consequence]

Adprep is continuing.





ADPREP WARNING:



Before running adprep, all Windows 2000 domain controllers in the
forest should be upgraded to Windows 2000 Service Pack 1 (SP1) with
QFE 265089, or to Windows 2000 SP2 (or later).



QFE 265089 (included in Windows 2000 SP2 and later) is required to
prevent potential domain controller corruption.



For more information about preparing your forest and domain see KB
article Q331161 at http://support.microsoft.com.



[User Action]

If ALL your existing Windows 2000 domain controllers meet this
requirement, type C and then press ENTER to continue. Otherwise, type
any other key and press ENTER to quit.



Adprep was about to call the following LDAP API. ldap_search_s(). The
base entry to start the search is
CN=UID,CN=Schema,CN=Configuration,DC=DOM,DC=SRV-MH,DC=com.



LDAP API ldap_search_s() finished, return code is 0x20



Adprep successfully determined whether Microsoft Windows Services for
UNIX (SFU) is installed or not. If adprep detected SFU, adprep also
verified that Microsoft hotfix Q293783 for SFU has been applied.



Adprep was unable to upgrade the schema on the schema master.

[Status/Consequence]

The schema will not be restored to its original state.

[User Action]

Check the Ldif.err log file in the
C:\WINNT\system32\debug\adprep\logs\20051203132518 directory for
detailed information.



Adprep set the value of registry key
System\CurrentControlSet\Services\NTDS\Parameters\Schema Update
Allowed to 1



Adprep was unable to update forest-wide information.

[Status/Consequence]

Adprep requires access to existing forest-wide information from the
schema master in order to complete this operation.

[User Action]

Check the log file, Adprep.log, in the
C:\WINNT\system32\debug\adprep\logs\20051203132518 directory for more
information.



schupgr 

[ActiveDir] AD Wish list

2005-12-01 Thread McCann, Danny






Hi


I've been asked to contribute to a wish list and was planning on asking for some AD tools - specifically for reporting. I've had a look about, but the prices vary wildly. I know there's no chance of anything that's going to do a great job (Quest) as we're talking ,00's rather than ,000's. :)

Trouble is there are a lot of tools out there and often they're doing stuff much of which I can script (or plagiarise :) ), plus the odd extra.

Does anyone have good experiences of anything in the ,00's price range that'll report back auditing/stats/security info?

All the best


Danny





RE: re[2]: [ActiveDir] Getting computer name from a username

2005-12-01 Thread McCann, Danny
Hi Shane

Have a look at PsLoggedOn from Sysinternals. It may be what you're looking
for.

Cheers

Danny


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shane De Jager
Sent: 01 December 2005 11:08
To: ActiveDir@mail.activedir.org
Subject: re[2]: [ActiveDir] Getting computer name from a username


 nt\currentversion\winlogon /v defaultusername 

That's not exactly what I was looking for. I have no idea what the
computer name the user has logged onto. Can you get this from his
username?



-- 
Shane De Jager
Technical Developer

INTERGAGE
High-performance, updateable Web sites

Switchboard   +44 (0)845 456 1022
==
www.intergage.co.uk
[EMAIL PROTECTED]

Are you aware of our referral scheme? Learn how you could profit
personally from passing us leads.

Click here to pass a referral: www.intergage.co.uk/referrals


RE: [ActiveDir] VBSCRIPT ADSI IADs Get Method

2005-12-01 Thread McCann, Danny



Hi Steve

From Jorge's code, once you have sObjDN you can bind to it with "LDAP://" & sObjDN,
then do what you need to each account from there. Seems efficient enough. :)

Cheers

Danny


  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
  Sent: 01 December 2005 11:09
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] VBSCRIPT ADSI IADs Get Method

  I've done this kind of thing but (as Jeremy has said) it seems really
  inefficient to have to make all those calls.

  As an example, suppose I have a list of students whose accounts I want to
  deactivate. I'll get that as a list of sAMAccountNames (because the student ID
  number is used for their username). I now need to query active directory to
  get the distinguishedname and then bind to that object to do things to it.

  For some purposes I know I can use getobject("WinNT://domain/samaccountname")
  but that isn't always suitable. What I want is something which allows me to
  specify the sAMAccountName in the LDAP: string.

  As a complete aside, is there a reason for the odd capitalisation which always
  seems to be used for sAMAccountName? SAMAccountName would seem much better?

  Steve
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 30 November 2005 20:14
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VBSCRIPT ADSI IADs Get Method

It is possible... you only have to do it another way...
query AD for the object that matches a certain sAMAccountName
---
sDomainDNSW2Kx = "ADCORP.LAN"
ssAMAccountName = "JORGE"
Set oConnection = CreateObject("ADODB.Connection")
Set oCommand = CreateObject("ADODB.Command")
oConnection.Provider = "ADsDSOObject"
oConnection.Open "ADs Provider"
Set oCommand.ActiveConnection = oConnection
sQuery = "SELECT DistinguishedName FROM 'LDAP://" & sDomainDNSW2Kx & "' WHERE sAMAccountName = '" & ssAMAccountName & "'"
oCommand.CommandText = sQuery
Set oResults = oCommand.Execute
sObjDN = oResults.Fields("DistinguishedName")
---
cheers,
Jorge


From: [EMAIL PROTECTED] on behalf of Burkes, Jeremy [Contractor]
Sent: Wed 11/30/2005 9:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VBSCRIPT ADSI IADs Get Method

Never mind, just found the answer to my own question, and it is no, must use the
person's CN, no other attributes are accepted, good to know. Thanks for the
potential help.

Jeremy





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor]
Sent: Wednesday, November 30, 2005 3:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] VBScript ADSI IADs Get Method

Everyone,

I am trying to write a VBScript to connect to a user account using the
samaccountname attribute to update some info. Is this even possible
and if so can someone provide a code sample, I would think it would look
something like this for Test in the Microsoft domain:

LDAP://sAMAccountName=Test, OU=Users,DC=Microsoft,DC=COM or
LDAP://sAMAccountName=Test,CN=Users,DC=Microsoft,DC=COM

Then again, maybe this is not even possible. If not should I use ADO
instead even though I am returning 1 record with each query, seems
inefficient way to me when I can just use an ADSI pointer.

Jeremy
--
Jeremy Burkes
System Analyst/MIS SPHQ
[EMAIL PROTECTED]
PH: 202-764-1270 Fax: 202-764-1503

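
The sAMAccountName-to-distinguishedName lookup from this thread, as an added example that is not code from any poster: it validates and escapes each name and builds one LDAP filter per batch, so a list of accounts costs a few searches instead of one per name, and a damaged row such as `*` cannot widen the match the way plain string concatenation would. It is written in Python so it runs without a directory; the function names, the allowlist policy, the batch size and the sample names are assumptions.

```python
"""Batched, escaped sAMAccountName lookups for Active Directory (added example)."""
import re

# RFC 4515: these characters must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumed site policy: usernames are student IDs, so letters, digits, dot,
# underscore and hyphen, at most 20 characters. Adjust to your naming rules.
_ALLOWED_NAME = re.compile(r"[A-Za-z0-9._-]{1,20}")


def escape_filter_value(value):
    """Escape a string for use as the value part of an LDAP filter item."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def naive_filter(name):
    """What plain string concatenation produces; kept only for comparison."""
    return "(sAMAccountName=" + name + ")"


def split_valid(names):
    """Return (accepted, rejected) after trimming, policy check and de-duplication."""
    accepted, rejected, seen = [], [], set()
    for raw in names:
        name = raw.strip()
        if not _ALLOWED_NAME.fullmatch(name):
            rejected.append(raw)
        elif name.lower() not in seen:  # sAMAccountName matching is case-insensitive
            seen.add(name.lower())
            accepted.append(name)
    return accepted, rejected


def batched_filters(names, batch_size=50):
    """Yield one filter per batch so N accounts cost ceil(N / batch_size) searches."""
    if batch_size < 1:
        raise ValueError("batch_size must be at least 1")
    for start in range(0, len(names), batch_size):
        items = "".join(
            "(sAMAccountName=%s)" % escape_filter_value(n)
            for n in names[start:start + batch_size]
        )
        yield "(&(objectCategory=person)(objectClass=user)(|%s))" % items


def adsi_command_text(base_dn, ldap_filter):
    """ADSI LDAP-dialect command text: <base>;filter;attributes;scope."""
    return "<LDAP://%s>;%s;distinguishedName,sAMAccountName;subtree" % (base_dn, ldap_filter)


# Constructed input: three student IDs, a duplicate, and two damaged rows.
SAMPLE_NAMES = ["s1001", "s1002 ", "S1001", "*", "s1003 (left)", "s1004"]

if __name__ == "__main__":
    good, bad = split_valid(SAMPLE_NAMES)
    print("rejected rows:", bad)
    for f in batched_filters(good, batch_size=2):
        print(adsi_command_text("DC=ADCORP,DC=LAN", f))
    # Without validation or escaping, a stray "*" row matches every account:
    print(naive_filter("*"), "vs", "(sAMAccountName=%s)" % escape_filter_value("*"))
```

Rejected rows should be reported back to whoever supplied the list rather than silently dropped, since a deactivation run that skips accounts is also a failure.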


RE: [ActiveDir] FSMO role transfer

2005-12-01 Thread McCann, Danny
Hi

I have to agree with Joe. Most of the time we (my colleagues and I :) )
are dealing with the mundane, which scripting makes interesting. :)
Also, a previous poster mentioned career $'s being linked to scripting.
Correct me if I'm wrong, but I think the point being made was that the
process of learning something like scripting forces you to think about
what's actually going on under the bonnet - reading far more technical
articles than you may possibly have otherwise (well for me anyway :) ).
That move up the curve is what opens doors to $'s not scripting in
itself (not for me though! :) ).

Cheers

Danny




joe,

I can't believe you said this.

Rarely are admins ever really doing hard
admin type thinking/troubleshooting work constantly except for the folks
who take on escalations from lower level admins.

I stopped reading after this.
Sorry.
But I've got to cool down first.
I've no argument with anything above this line and I concur and
understand.
BUT
This is flat out wrong.
Sorry.
YMYMYM
RH
___-

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Thursday, December 01, 2005 9:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer


Wow I feel heat directed at me  :o)

A non-scripting admin can not survive very well if at all in a large org
unless the org is willing to spend a lot of money for extra admins to
cover the overhead of wading through the GUI. Take my last ops position
as an example. Three people handling a Fortune 5 AD. Couldn't feasibly
be done with the GUI. How long does it take you to enter 100 new subnets?
What if you need to expire 8,000 users a day until you have expired all
200,000 users? Is that real admin work or is it clerk work if you are
simply clicking on something in a GUI? If I were a manager of a
business, I would rather pay a contractor or other service $10 or $15 an
hour to click buttons for something like that than pay $40,$60,$100,
$150 an hour to someone who is supposed to keep things running.

So back to the 100 subnets question. How long in Sites and Services?
Hours? What are the chances of a mistake? High? Now you write a script
to do it, how long? Maybe hours to write it and then seconds to minutes
to run for ever after? Chances of a mistake? Low for entry, also
severely reduced for supplied data if script has sanity checks in it?
Also once in script form it is that much easier to say put on a web site
and delegate to others to do by entering basic answers to basic
questions in a form.

Don't create 100 subnets in small org? What other items do you do that
are no-brainer work that could be scripted. If you didn't have that
workload how much other work could you get done? Rarely are admins ever
really doing hard admin type thinking/troubleshooting work constantly
except for the folks who take on escalations from lower level admins.
Possibly this is different in the SBS world and there is no repetitive
work being done that isn't better served by a script, I don't have that
experience, I would expect however that there is quite a bit that could
be scripted or else Susan wouldn't have the I would rather see something
safe from MS than a script from someone in the backroom attitude.

A saying I have used here in the past that I always used at work is that
you can't be too busy cutting down trees to sharpen your axe. It applies
both to training and scripting. If you are too busy to do nothing but
the work in front of you, you will never see the edge of the forest as
you get slower and slower at doing what you are doing. At some point you
have to step back and spend some time to make yourself more informed or
more efficient. The more time you spend getting more efficient, the more
time you have to keep yourself informed and get even more efficient.

Finally scripting requires understanding of how things are working,
using the GUI doesn't. Trying to script processes forces a person to
learn more about the product they are supporting and could very likely
get them to learn enough that the next time they encounter a failure,
they fully or at least more fully troubleshoot versus changing things in
the GUI until it works.

If you look at an admin making $35k a year versus one making $60k a year
versus one making $80k a year versus one making $150k a year versus one
making over $240k a year you are probably not looking at a raise in
salary because someone knows the GUI better than the others. If you see
someone who rose through those salary ranks in say 5 years, it isn't
because they knew the GUI keyboard shortcuts.

Understanding scripting makes you more valuable both because you can
operate more efficiently and because you tend to have a better grasp
of how things work because you are forced to learn the details which are
covered by the GUI. Not only that, you can troubleshoot better because
you have more options to you. I recently ran into an issue where

Re: [ActiveDir] OT: Licensing compliance SBS

2005-11-30 Thread Danny
On 11/30/05, Creamer, Mark [EMAIL PROTECTED] wrote:
[...]
 Also, since I don't have any experience with SBS other than a very old
 version, does a client purchase one CAL that applies to all products
 utilized on the SBS server, or are there individual CALS for server,
 Exchange, etc?

An SBS CAL includes licensing all products found on the SBS media. 
For example, with Premium Edition: Exchange, SQL, ISA, etc.

...D
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] 2003 upgrade failure - domain prep was not run, but it was!

2005-11-22 Thread Danny
On 11/22/05, Almeida Pinto, Jorge de
[EMAIL PROTECTED] wrote:
 From your post I see the following:

 * RPCLOCATOR service on RADAR is disabled. Set it to STARTUP=MANUAL

 * OutBound REPLICATION is disabled on RADAR. ENABLE it. To enable both
 inbound and outbound: REPADMIN /OPTIONS DC -DISABLE_INBOUND_REPL -DISABLE_OUTBOUND_REPL

Thanks, I will try that.

 I assume RADAR is the schema master, you disabled outbound repl, updated
 the schema and forgot to enable repl. So it could be true other DCs have not
 yet received the forestprep and domainprep updates

RADAR has all the FSMO roles. I am not sure that this happened because
I inherited this server after the original attempts were made.


 By the way: if you have exchange 2000 you should have fixed the schema before
 running w2k3 forestprep. If you have exchange 2000 look at:
 * W2K3 ADPREP Command Causes Mangled Attributes in W2K Forests That Contain
 E2K Servers - MS-KBQ314649 (http://support.microsoft.com/?id=314649)

Exchange 2000 was upgraded to 2003 on this server in July.

 To see if forestprep and domainprep did their work see: MS-KBQ
 o Operations that are performed by the Adprep.exe utility when you add a
 Windows Server 2003 domain controller to a Windows 2000 domain or forest -
 MS-KBQ309628 (http://support.microsoft.com/?id=309628)


OK

 General info:
 o How to upgrade Windows 2000 domain controllers to Windows Server 2003 -
 MS-KBQ325379 (http://support.microsoft.com/?id=325379)
 o Enhancements to Adprep.exe in Windows Server 2003 Service Pack 1 and in
 hotfix 324392 - MS-KBQ324392 (http://support.microsoft.com/?id=324392)
 * Initial synchronization requirements for Windows 2000 Server and Windows
 Server 2003 operations master role holders - MS-KBQ305476
 (http://support.microsoft.com/?id=305476)

I will look at these as well.

Thank you for your feedback and prompt assistance, Jorge.

...D


[ActiveDir] 2003 upgrade failure - domain prep was not run, but it was!

2005-11-21 Thread Danny
Windows 2000 (SP4, all DC's) Server to 2003 upgrade. Forest and domain
prep were both run on the root DC. Insert Windows Server 2003 CD and
setup cannot continue because domain prep was not run. So, we run
domain prep again.  Here is a dcdiag and the adprep logs:


DC Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial non skippeable tests

   Testing server: Default-First-Site-Name\RADAR
  Starting test: Connectivity
 . RADAR passed test Connectivity

   Testing server: Default-First-Site-Name\TRAPPER
  Starting test: Connectivity
 . TRAPPER passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\RADAR
  Starting test: Replications
 [Replications Check,RADAR] A recent replication attempt failed:
From TRAPPER to RADAR
Naming Context: CN=Schema,CN=Configuration,DC=Dom,DC=example,DC=com
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS
lookup failure.
The failure occurred at 2005-11-17 18:13.07.
The last success occurred at 2005-11-17 17:48.51.
2 failures have occurred since the last success.
The guid-based DNS name
83991b20-390e-411f-9c4b-de24adbff2f0._msdcs.Dom.example.org
is not registered on one or more DNS servers.
 . RADAR passed test Replications
  Starting test: NCSecDesc
 . RADAR passed test NCSecDesc
  Starting test: NetLogons
 . RADAR passed test NetLogons
  Starting test: Advertising
 . RADAR passed test Advertising
  Starting test: KnowsOfRoleHolders
 . RADAR passed test KnowsOfRoleHolders
  Starting test: RidManager
 . RADAR passed test RidManager
  Starting test: MachineAccount
 . RADAR passed test MachineAccount
  Starting test: Services
RPCLOCATOR Service is stopped on [RADAR]
 . RADAR failed test Services
  Starting test: ObjectsReplicated
Authoritative attribute options on RADAR (writeable)
   usnLocalChange = 4294409
   LastOriginatingDsa = RADAR
   usnOriginatingChange = 4294409
   timeLastOriginatingChange = 2005-11-17 18:48.21
   VersionLastOriginatingChange = 3
Out-of-date attribute options on TRAPPER (writeable)
   usnLocalChange = 2453
   LastOriginatingDsa = 279cc9cf-7460-4f3a-bd02-062d5f07676e
   usnOriginatingChange = 1363
   timeLastOriginatingChange = 2002-01-26 15:55.55
   VersionLastOriginatingChange = 1
 . RADAR failed test ObjectsReplicated
  Starting test: frssysvol
 There are errors after the SYSVOL has been shared.
 The SYSVOL can prevent the AD from starting.
 . RADAR passed test frssysvol
  Starting test: kccevent
 An Warning Event occured.  EventID: 0x845B
Time Generated: 11/17/2005   18:36:46
(Event String could not be retrieved)
 . RADAR failed test kccevent
  Starting test: systemlog
 An Error Event occured.  EventID: 0xC0009007
Time Generated: 11/17/2005   18:23:30
Event String: A fatal error occurred while creating an SSL

 An Error Event occured.  EventID: 0xC0009007
Time Generated: 11/17/2005   18:23:30
Event String: A fatal error occurred while creating an SSL

 . RADAR failed test systemlog

   Testing server: Default-First-Site-Name\TRAPPER
  Starting test: Replications
 [Replications Check,TRAPPER] A recent replication attempt failed:
From RADAR to TRAPPER
Naming Context: CN=Configuration,DC=Dom,DC=example,DC=com
The replication generated an error (8456):
The source server is currently rejecting replication requests.
The failure occurred at 2005-11-17 18:38.02.
The last success occurred at 2005-11-17 17:57.38.
4 failures have occurred since the last success.
Replication has been explicitly disabled through the server options.
 [Replications Check,TRAPPER] A recent replication attempt failed:
From RADAR to TRAPPER
Naming Context: DC=Dom,DC=example,DC=com
The replication generated an error (8456):
The source server is currently rejecting replication requests.
The failure occurred at 2005-11-17 18:46.54.
The last success occurred at 2005-11-17 18:35.00.
4 failures have 
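
A triage pass over dcdiag output like the log above, as an added example that is not part of the original post: it extracts the tests dcdiag marked failed, the replication error blocks (which can be logged even when the Replications test is reported as passed, as for RADAR above), and the source DCs that are rejecting replication. It is written in Python; the function names are assumptions and SAMPLE is a constructed excerpt shaped like the output in the post.

```python
"""Triage dcdiag text output: failed tests and replication errors (added example)."""
import re

# Constructed sample, shortened from the shape of the dcdiag output in the post.
SAMPLE = r"""
   Testing server: Default-First-Site-Name\RADAR
  Starting test: Replications
 [Replications Check,RADAR] A recent replication attempt failed:
From TRAPPER to RADAR
Naming Context: CN=Schema,CN=Configuration,DC=Dom,DC=example,DC=com
The replication generated an error (8524):
The DSA operation is unable to proceed because of a DNS
lookup failure.
2 failures have occurred since the last success.
 . RADAR passed test Replications
  Starting test: Services
RPCLOCATOR Service is stopped on [RADAR]
 . RADAR failed test Services
   Testing server: Default-First-Site-Name\TRAPPER
  Starting test: Replications
 [Replications Check,TRAPPER] A recent replication attempt failed:
From RADAR to TRAPPER
Naming Context: DC=Dom,DC=example,DC=com
The replication generated an error (8456):
The source server is currently rejecting replication requests.
4 failures have occurred since the last success.
Replication has been explicitly disabled through the server options.
"""

RESULT = re.compile(r"^\s*\.+\s*(\S+) (passed|failed) test (\S+)\s*$")
REPL_START = re.compile(r"\[Replications Check,[^\]]+\] A recent replication attempt failed")
FIELDS = {
    "route": re.compile(r"^\s*From (\S+) to (\S+)\s*$"),
    "nc": re.compile(r"^\s*Naming Context: (.+?)\s*$"),
    "code": re.compile(r"The replication generated an error \((\d+)\)"),
    "failures": re.compile(r"^\s*(\d+) failures have occurred"),
}
DISABLED = "Replication has been explicitly disabled through the server options"

# Win32 error names for the two codes that appear in the thread.
KNOWN_CODES = {8456: "ERROR_DS_DRA_SOURCE_DISABLED", 8524: "ERROR_DS_DNS_LOOKUP_FAILURE"}


def parse_dcdiag(text):
    """Return (verdicts, replication_errors) parsed from dcdiag text output."""
    verdicts, errors, cur = {}, [], None
    for line in text.splitlines():
        m = RESULT.match(line)
        if m:
            verdicts[(m.group(1), m.group(3))] = m.group(2)
            cur = None  # a verdict line ends any open replication block
        elif REPL_START.search(line):
            cur = {"source": None, "dest": None, "nc": None, "code": None,
                   "failures": None, "disabled_by_option": False}
            errors.append(cur)
        elif cur is not None:
            if DISABLED in line:
                cur["disabled_by_option"] = True
                continue
            for key, rx in FIELDS.items():
                m = rx.search(line)
                if not m:
                    continue
                if key == "route":
                    cur["source"], cur["dest"] = m.group(1), m.group(2)
                elif key == "nc":
                    cur["nc"] = m.group(1)
                else:
                    cur[key] = int(m.group(1))
                break
    return verdicts, errors


def failed_tests(verdicts):
    """(server, test) pairs that dcdiag itself marked as failed."""
    return sorted(k for k, v in verdicts.items() if v == "failed")


def passed_despite_errors(verdicts, errors):
    """Servers whose Replications test 'passed' although an error block was logged."""
    hit = {e["dest"] for e in errors if e["code"] is not None}
    return sorted(s for (s, t), v in verdicts.items()
                  if t == "Replications" and v == "passed" and s in hit)


def sources_rejecting(errors):
    """Source DCs that refuse outbound replication (error 8456 or the options note)."""
    return sorted({e["source"] for e in errors
                   if e["code"] == 8456 or e["disabled_by_option"]})


if __name__ == "__main__":
    verdicts, errors = parse_dcdiag(SAMPLE)
    print("failed:", failed_tests(verdicts))
    print("passed despite errors:", passed_despite_errors(verdicts, errors))
    print("sources rejecting replication:", sources_rejecting(errors))
    for e in errors:
        print(e["source"], "->", e["dest"], e["nc"], e["code"], KNOWN_CODES.get(e["code"], "?"))
```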

Re: [ActiveDir] 2003 upgrade failure - domain prep was not run, but it was!

2005-11-21 Thread Danny
On 11/21/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
 Are you also running Exchange 2000?

One upgraded from Exchange 2000 (in July) to Exchange Server 2003;
same server (not my choice; business decision).

...D


Re: [ActiveDir] Improving your AD's fault tolerance with old hardware?

2005-11-10 Thread Danny
Thanks for all your feedback guys.  I am off to do some promoting,
member server promoting that is.

...D


[ActiveDir] Methods to verify GC promotion

2005-11-08 Thread Danny
Could you please let me know all the ways to verify a DC has been
successfully promoted to a GC?  For example, will a dcdiag 100% verify
this?

Thanks,

...D


[ActiveDir] Improving your AD's fault tolerance with old hardware?

2005-11-08 Thread Danny
Correct me if I am wrong, but assuming the more DC's you have in your
forest, the more fault tolerant your Active Directory will become, is
it therefore worth it to use retired, possibly out of (hardware)
warranty servers or workstations for this purpose if you are
budget-less (to purchase new servers)? In this case, I am referring to
orgs with 20-200 AD users.

How about GC's and other related AD roles and critical software based
services?  Same deal?

Thank you,

...D


Re: [ActiveDir] OT: Exchange alternate email address

2005-10-04 Thread Danny
On 10/4/05, joe [EMAIL PROTECTED] wrote:

 One small thing, if the account is disabled, set the associated external
 account, if the account isn't disabled, don't set it. Also if it is disabled
 and you set the associated external account, verify that
 msExchMasterAccountSid gets populated with the SELF SID.

Good points, Joe.  One question: how do I verify
msExchMasterAccountSid gets populated with the SELF SID?

Thanks,

...D


Re: [ActiveDir] OT: Additional DHCP server same LAN

2005-09-27 Thread Danny
Your assumptions were correct.  Conclusion: wait for physical LAN to separate.

Thanks for everyone's assistance!

...D


[ActiveDir] OT: Additional DHCP server same LAN

2005-09-26 Thread Danny
Two companies sharing the same physical LAN, IP configuration, Windows
2000 servers, two separate forests, and one DHCP server.  In the
not so distant future they will separate.  In the meantime, is there a
way to point the XP pro clients from CompanyB to a new DHCP server on
the same physical LAN through Group Policy or WMI Scripting?


Thank you,

...D


[ActiveDir] csvde Import in AD

2005-09-09 Thread Danny
I am attempting to import Notes contacts into Exchange. Without
involving the complexity and maintenance of a Notes connector for this
one time import, it appears as though Microsoft believes csvde is the
best bet.

So, based on the limited csvde help (from csvde /?) I am left with
several critical questions:

1) When csvde -i -f c:\filename.csv is run, where in AD will the
contacts be imported when the OU is not specified in the command?

2) When an export is performed, is AD modified or is it a simple copy?

I do not have a test environment available to me this morning, and I
am running out of time, so any assistance would be greatly
appreciated.

Thank you,

...D


Re: [ActiveDir] Companies splitting - where to start with Active Directory, DNS, DHCP, etc.

2005-09-01 Thread Danny
On 8/31/05, joe [EMAIL PROTECTED] wrote:
 Yes.
 
 Someone followed the MS book examples pretty explicitly. :o)

Can I simply break the AD trust and hope it does melt down? :)

Thanks,

...D


Re: [ActiveDir] Companies splitting - where to start with Active Directory, DNS, DHCP, etc.

2005-08-31 Thread Danny
On 8/30/05, Al Mulnick [EMAIL PROTECTED] wrote:
 What is it you need to accomplish then?  If they're already separate,
 what's to separate other than name resolution and DHCP/network services?

From an Active Directory point of view, the AD trust will need to be
broken, but I would like to know what it might break - I am new to
this specific environment, so I don't know what is currently relying
on the trust.

DHCP is shared, many AD sites are as well.  Shared WAN and firewall,
as well as many frame relay connections to remote offices.

 Can you get more clarification of the topology? Confirm it's two separate
 forests and not two separate domains in the same forest (disjointed
 namespace)?

External trust, non-transitive. How can I confirm these are two
separate forests - besides looking in ADDT?

Thanks,

...D


Re: [ActiveDir] Companies splitting - where to start with Active Directory, DNS, DHCP, etc.

2005-08-31 Thread Danny
On 8/31/05, Al Mulnick [EMAIL PROTECTED] wrote:
 Finding the root.  I believe it was Dean who posted this a little while back.
 ... another thought, to determine your forest root in order to validate
 the dn you're supplying, the following single-line command line syntax
 will help -
 
 portqry -n domain name -e 389 | find root
 Run that on both domains and compare.

portqry -n dc2 -e 389 | find root
rootDomainNamingContext: DC=Dom,DC=example,DC=org
 
portqry -n dc1 -e 389 | find root
rootDomainNamingContext: DC=Dom,DC=contoso,DC=com

Safe to say - separate forests?

...D


[ActiveDir] Companies splitting - where to start with Active Directory, DNS, DHCP, etc.

2005-08-30 Thread Danny
Good day to you all,

Two companies that share the same IT staff, NOC, WAN connections (to
remote offices), DHCP services, LAN distribution, some DNS, firewall,
and an AD trust -- are very shortly separating in more ways than one.

I would appreciate any tips or suggestions on where to start planning
such a split?

Thank you,

...D


Re: [ActiveDir] Companies splitting - where to start with Active Directory, DNS, DHCP, etc.

2005-08-30 Thread Danny
On 8/30/05, Phil Renouf [EMAIL PROTECTED] wrote:
 Hmm, interesting my gmail now looks like a word edited message. Funny...

Click Plain Text... instead of Rich Formatting. I thinks.
  
 Can you describe your AD environment a little more?

I am a couple of days into this environment, so don't laugh, but I am
pretty sure they are two separate forests with a trust between the
two.

Company A head office - approx 70 users:

Example client DHCP:

Hostname: A123WRKSTN.dom.example.org
IP: 10.10.10.125
Subnet Mask: 255.255.255.0
Default GW: 10.10.10.1
DHCP Server: 10.10.10.122
DNS: 10.10.10.10, 10.10.10.11

Company B head office - approx 100 users:

Hostname: B123WRKSTN.dom.contoso.org
IP: 10.10.10.212
Subnet Mask: 255.255.255.0
Default GW: 10.10.10.1
DHCP Server: 10.10.10.122
DNS: 10.10.10.10, 10.10.10.11

IE settings:

Company A:  isa2000srv
Company B:  proxy2.0srv

Outlook settings:

Company A: exchange2000.dom.example.org
Company B: exchange2000.dom.consoso.org

 You have two forests with a trust? Is it a Forest trust or an NT4 style trust?

External trust, non-transitive. How can I confirm this (whether or not
NT 4 style trust for example) besides looking in ADDT?

 You say they share 'some' DNS, can you qualify that a bit better?

I will clarify this tomorrow.

 When you say they are going to split, how split are they going to get?

Still in discussion.  In the least, layer one of the network will be
divided, the AD trust will need to be broken, DHCP and DNS separated.

 Will this be a physical split (ie: one company physically moving)? Or will it
 be more of a logical split with the two still continuing to share some
 infrastructure?

They are discussing two separate NOC's, because all the servers,
switches, firewalls, i.e. all network equipment is in the same NOC.

Right now all is calm, but one is suing (three week old news) the
other, so all hell could break loose.

Thank you!

...D


RE: [ActiveDir] Latency in Group membership

2005-07-14 Thread McCann, Danny



Hi

We only have one site and a mesh topology. Replication is hourly, but even
when we update group membership then force replication the latency still
exists. All the DC's are on Gig links!

Cheers

Danny



  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
  Sent: 13 July 2005 15:31
  To: 'ActiveDir@mail.activedir.org'
  Subject: RE: [ActiveDir] Latency in Group membership

  Just curious, how often are you replicating between your sites? And what
  does your topology look like.

  We have noticed this type of issue when we make the changes on one of our DCs
  that doesn't directly replicate to the one that is being authenticated
  to. So we had to wait one hour for one set of replications to take place
  and then another 3 for the other set. (We have a really slow link with a
  DC at one end so we had to do the longer replication time.)
  
  Charlie
  
-Original Message-
From: McCann, Danny [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 13, 2005 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Latency in Group membership

Hi

There are no apps running on the DC's. The event logs are clean, but there is
the occasional directory replication problem (every few days), a single
object with "directory busy, will try again later", which will then
succeed on the next replication. But they pass all the DCDiag tests.

Cheers

Danny



  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: 13 July 2005 13:18
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Latency in Group membership

  What apps are running on the DC's? Have you checked
  to be sure that replication is functioning correctly? Event logs clean?
  
  Al
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
  Sent: Wednesday, July 13, 2005 4:33 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Latency in Group membership

  Hi

  Recently our domain has begun to show some latency in resolving group
  membership. I.e. when someone is newly added to a group for access to a
  particular resource it's now taking much longer than was the norm to
  resolve that security. It's taking anything from 30mins to the next day to
  resolve itself.

  Logging off and back on again to clear the kerberos ticket doesn't
  (usually) solve the problem. I've tested AD and monitored some NTDS
  performance counters and everything appears to be fine. Network
  performance is good and there's no great loading on any of the DC's.

  I'd be grateful if anyone could help me out with some guidance on where
  to look next.

  Thanks

  Danny



RE: [ActiveDir] Latency in Group membership

2005-07-14 Thread McCann, Danny



Hi

We do have the odd user who is member of a large number of groups (~20).
How many is too many?
Looks like a lot of investigative work required then. Oh well, coffee on
and sleeves rolled up!

Cheers

Danny


  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: 14 July 2005 04:36
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Latency in Group membership

  You need to determine what your replication latency is.
  If the group membership is set on an authenticating DC, you will get it is in
  your token unless there are other issues like having way too many group
  memberships or something else that causes a kerberos issue. So again, look at
  how long your latency is for making a change and seeing it on all DCs.
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
  Sent: Wednesday, July 13, 2005 10:18 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Latency in Group membership

  Hi

  There are no apps running on the DC's. The event logs are clean, but there is
  the occasional directory replication problem (every few days), a single
  object with "directory busy, will try again later", which will then
  succeed on the next replication. But they pass all the DCDiag tests.
  
  Cheers
  
  Danny
  
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 13 July 2005 13:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Latency in Group membership

What apps are running on the DC's? Have you checked to
be sure that replication is functioning correctly? Event logs clean?

Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Wednesday, July 13, 2005 4:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Latency in Group membership

Hi

Recently our domain has begun to show some latency in resolving group
membership. I.e. when someone is newly added to a group for access to a
particular resource it's now taking much longer than was the norm to
resolve that security. It's taking anything from 30mins to the next day to
resolve itself.

Logging off and back on again to clear the kerberos ticket doesn't
(usually) solve the problem. I've tested AD and monitored some NTDS
performance counters and everything appears to be fine. Network
performance is good and there's no great loading on any of the DC's.

I'd be grateful if anyone could help me out with some guidance on where
to look next.

Thanks

Danny



RE: [ActiveDir] Latency in Group membership

2005-07-14 Thread McCann, Danny
Hi

That's a highly likely explanation. Some re-organisation of the
groups/membership  required then. We're due a spring clean anyway. :)
Is an offline Metadata cleanup worthwhile performing?

Thanks to all for the advice. Much appreciated!

Cheers

Danny


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: 14 July 2005 10:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Latency in Group membership



My gut says that it is not a member of a lot of groups, but more a group
with too many memberships ... 

If you have too many values for a group (the official soft limit is
5000), then you can get write conflict, or version store issues, that
can cause the group membership change to not be applied because of a
timing issue or resource issues, that may be temporary.  Replication
continues to try, and eventually succeeds.  This could be an
explanation.

Cheers,
BrettSh [msft]
SDE

On Thu, 14 Jul 2005, McCann, Danny wrote:

 Hi
  
 We do have the odd user who is member of a large number of groups 
 (~20). How many is too many? Looks like a lot of investigative work 
 required then. Oh well, coffee on and sleeves rolled up!
  
 Cheers
  
 Danny
  
 
   -Original Message-
   From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
   Sent: 14 July 2005 04:36
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] Latency in Group membership
   
   
   You need to determine what your replication latency is. If the
group 
 membership is set on an authenticating DC, you will get it is in your 
 token unless there are other issues like having way too many group 
 memberships or something else that causes a kerberos issue. So again, 
 look at how long your latency is for making a chance and seeing it on 
 all DCs.
 
   _
 
   From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
   Sent: Wednesday, July 13, 2005 10:18 AM
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] Latency in Group membership
   
   
   Hi

   There are no apps running on the DC's. The event logs are clean,
but 
 there is the occasional directory replication problem (every few 
 days), a single object with directory busy, will try again later, 
 which will then succeed on the next replication. But they pass all the

 DCDiag tests.

   Cheers

   Danny


 
   -Original Message-
   From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
   Sent: 13 July 2005 13:18
   To: ActiveDir@mail.activedir.org
   Subject: RE: [ActiveDir] Latency in Group membership
   
   
   What apps are running on the DC's? Have you checked to
 be sure that replication is functioning correctly?  Event logs clean?

   Al
 
   _
 
   From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
   Sent: Wednesday, July 13, 2005 4:33 AM
   To: ActiveDir@mail.activedir.org
   Subject: [ActiveDir] Latency in Group membership
   
   
 
   Hi
 
   Recently our domain has began to show some latency in
resolving 
 group membership.
   Ie When someone is newly added to a group for access to
 a particular resource it's now taking much longer than was the norm to

 resolve that security. It's taking anything from 30mins to the next 
 day to resolve itself.
 
   Logging off and back on again to clear the kerberos
 ticket doesn't (usually) solve the problem. 
   I've tested AD and monitored some NTDS performance
 counters and everything appears to be fine. 
   Network performance is good and there's no great loading
 on any of the DC's.
 
   I'd be grateful if anyone could help me out with some
guidance on 
 where to look next.
 
   Thanks
 
   Danny
 
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] DFS Client for Mac and UNIX

2005-07-14 Thread McCann, Danny
A while back our Mac guy asked Apple if they could engineer a DFS client
and they said they would look into it - same problem as yourself.
I don't know what came of it, or if he found an alternative solution,
but I'll find out and let you know if anything useful came out of it.
He's on holiday at the moment though :).

Cheers

Danny


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: 14 July 2005 11:51
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DFS Client for Mac and UNIX


Hey All,

Been a while... Got a problem.

I am being tasked to work on an automated provisioning system for
network resources.  Obviously AD will be the security provider HUB.  I
would also like to be able to use DFS as the HUB for access to shared
network data. The problem is that we have a large contingency of Mac's
and possibly some Linux / UNIX.  I have been searching, and it looks
like it might be possible to use SAMBA as a DFS client.

Does anyone here have any experience or suggestions on how best to allow
alternative clients access to DFS shares?

Thanks in Advance,

Todd Myrick 


[ActiveDir] Latency in Group membership

2005-07-13 Thread McCann, Danny
Hi


Recently our domain has begun to show some latency in resolving group membership.

I.e. when someone is newly added to a group for access to a particular resource it's now taking much longer than was the norm to resolve that security. It's taking anything from 30mins to the next day to resolve itself.

Logging off and back on again to clear the kerberos ticket doesn't (usually) solve the problem.

I've tested AD and monitored some NTDS performance counters and everything appears to be fine.

Network performance is good and there's no great loading on any of the DC's.


I'd be grateful if anyone could help me out with some guidance on where to look next.


Thanks


Danny





RE: [ActiveDir] Latency in Group membership

2005-07-13 Thread McCann, Danny
Hi

There are no apps running on the DC's. The event logs are clean, but there is the
occasional directory replication problem (every few days), a single object
with "directory busy, will try again later", which will then succeed on the
next replication. But they pass all the DCDiag tests.

Cheers

Danny



  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: 13 July 2005 13:18
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Latency in Group membership

  What apps are running on the DC's? Have you checked to be 
  sure that replication is functioning correctly? Event logs 
  clean?
  
  Al
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
  Sent: Wednesday, July 13, 2005 4:33 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Latency in Group membership

  Hi

  Recently our domain has begun to show some latency in resolving group membership.

  I.e. when someone is newly added to a group for access to a particular resource it's now
  taking much longer than was the norm to resolve that security. It's taking
  anything from 30mins to the next day to resolve itself.

  Logging off and back on again to clear the kerberos ticket doesn't (usually) solve the problem.

  I've tested AD and monitored some NTDS performance counters and everything appears to be fine.

  Network performance is good and there's no great loading on any of the DC's.

  I'd be grateful if anyone could help me out with some guidance on where to look next.

  Thanks

  Danny


Re: [ActiveDir] Attempting to remove DC - NTDS Replication 2022 Error

2005-06-21 Thread Danny
On 6/20/05, Tony Murray [EMAIL PROTECTED] wrote:
> No.  In that case it looks like the two DCs might have conflicting
> information about how the FSMO roles are distributed.

Not sure how that happened.

> What happens when you run the command against both servers?  For example,
>
> netdom query fsmo /server:YourDC1
>
> and then
>
> netdom query fsmo /server:YourDC2
>
> If that still gives no further clue then consider running DCPROMO again
> using the /forceremoval switch, as described in the following article.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;332199

Good point.  Done.

> If you use this method then you will need to perform a metadata cleanup,
> which is described in another KB article:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;216498

I will finish this part tomorrow.

Thank you very much, Tony.

...D


[ActiveDir] Attempting to remove DC - NTDS Replication 2022 Error

2005-06-20 Thread Danny
Greetings,

I am trying to remove the second domain controller from a 2003 domain,
however, when I attempt to remove the DC via dcpromo, I receive the
following errors in the event log:

Event Type: Error
Event Source:   NTDS Replication
Event Category: Replication
Event ID:   2022
Date:   20/06/2005
Time:   2:28:58 PM
User:   NT AUTHORITY\ANONYMOUS LOGON
Computer:   MAIL2
Description:
The operations master roles held by the local domain controller could
not transfer to the following remote domain controller.

Remote domain controller:
\

The local domain controller cannot complete demotion.

User Action
Investigate why the remote domain controller might be unable to accept
the operations master roles, or manually transfer all the roles that
are held by the local domain controller to the remote domain
controller. Then, try to demote this domain controller again.

Additional Data
Error value:
5005 The directory service was unable to transfer ownership of one or
more floating single-master operation roles to other servers.
Extended error value:
0
Internal ID :
52497778

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.




Event Type: Warning
Event Source:   NTDS Replication
Event Category: Internal Configuration
Event ID:   1837
Date:   20/06/2005
Time:   2:28:58 PM
User:   example\exchange$
Computer:   MAIL2
Description:
An attempt to transfer the operations master role represented by the
following object failed.

Object:
CN=Infrastructure,DC=DomainDnsZones,DC=example,DC=LOCAL
Current operations master role:
CN=NTDS Settings,CN=MAIL2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=LOCAL
Proposed operations master role:
CN=NTDS Settings,CN=exchange,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=LOCAL

Additional Data
Error value:
3

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Re: [ActiveDir] Attempting to remove DC - NTDS Replication 2022 Error

2005-06-20 Thread Danny
On 6/20/05, Tony Murray [EMAIL PROTECTED] wrote:
> Hi Danny
>
> Have you tried the suggested workaround, i.e. to transfer the FSMO role(s)
> to your other DC and then try DCPROMO again?
>
> To find out how the roles are distributed you can run the command;
>
> netdom query fsmo

Yes, all the roles have been transferred to the other DC.

> To find out more about transfer of roles have a look at the following KB
> article.
>
> http://support.microsoft.com/?id=324801

If all the roles listed from a 'netdom query fsmo' are on the other
DC, does this KB apply?

Thank you,

...D


[ActiveDir] AD DR - replication lag site

2005-05-18 Thread Danny
I am interested in your thoughts regarding this suggestion for DR:

http://searchwin2000.techtarget.com/tip/1,289483,sid1_gci1086805,00.html
(You may need to register)

Basically it states that you should create another AD site and set the
replication for 168 hours.

Thank you,

...D


Re: [ActiveDir] All (Now the definition of a CV)

2005-05-09 Thread Danny
On 5/9/05, Francis Ouellet [EMAIL PROTECTED] wrote:
> Curriculum Vitae, also known as resume ;-)

1) http://www.google.ca/search?q=define%3ACurriculum+Vitae

2) A CV in North America is much different than a CV in Europe; a CV
in North America is not the same as a resume.

...D


Re: [ActiveDir] Odd exchange error

2005-05-06 Thread Danny
On 5/6/05, John Parker [EMAIL PROTECTED] wrote:
> Hey all
>
> I have an issue with Microsoft Exchange Server 2000 Enterprise running on a
> Win2K AD box.
> In the event viewer I keep getting this error message:
> Error 0x7da occurred while rendering message 0001-76cb for download
> for user [EMAIL PROTECTED]
> This error is repeating every few seconds when the user has his email client
> (Outlook Express 6) opened and this goes on since a few ago. It is always
> the 0001-76cb message. Can I delete that message somehow? How? What
> does the number 0001-76cb mean and how can I access the specific
> message?

Send us your event ID #, and then look it up at eventid.net

...D


[ActiveDir] Windows Server 2003 R2 Public Beta now Available

2005-05-06 Thread Danny
http://blogs.technet.com/windowsserver/archive/2005/05/06/404591.aspx


Re: [ActiveDir] [exchangelist] RE: Password protecting OST

2005-05-02 Thread Danny
On 5/2/05, Al Mulnick [EMAIL PROTECTED] wrote:
> Agreed that there is little benefit to locking an OST (mirror of your
> mailbox and is protected by domain credentials inherently).

Yes, there is little benefit if one relies on a password protected PST
(or OST) as the one and only layer of defence.

However, there are casual and undetermined attempts to access other
people's data, and by password protecting the OST as one of many other
layers of defence, you make it that much more difficult; but of course
- never impossible.

[...]

> Curious why you ask though.  What's the high-level goal?

I simply wanted to know if someone had found a way to password
protect an OST like a PST - separate from domain credentials.  I am
not looking for an elaborate solution or undermining a higher-level
goal.  I do appreciate all of your thoughts.


...D


Re: [ActiveDir] How to verify successful installation of additional DC

2005-04-25 Thread Danny
On 4/24/05, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
> KB
> http://support.microsoft.com/default.aspx?scid=kb;en-us;298143

Excellent!  Thank you all!

Good morning to you.

...D


[ActiveDir] How to verify successful installation of additional DC

2005-04-23 Thread Danny
How can I verify successful installation of additional domain
controller in a 2003 domain?

(Used to be one DC, now there are two, but I want to make sure the
installation of the second DC was 100% successful)

Thank you,

...D


Re: [ActiveDir] How to verify successful installation of additional DC

2005-04-23 Thread Danny
On 4/23/05, Gil Kirkpatrick [EMAIL PROTECTED] wrote:
> Running DCDIAG on both DCs would be a good start.

That would be a good start. :)  So I did a dcdiag /f:output.txt

On the original DC:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\MAIL1
  Starting test: Connectivity
 . MAIL1 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\MAIL1
  Starting test: Replications
 . MAIL1 passed test Replications
  Starting test: NCSecDesc
 . MAIL1 passed test NCSecDesc
  Starting test: NetLogons
 . MAIL1 passed test NetLogons
  Starting test: Advertising
 . MAIL1 passed test Advertising
  Starting test: KnowsOfRoleHolders
 . MAIL1 passed test KnowsOfRoleHolders
  Starting test: RidManager
 . MAIL1 passed test RidManager
  Starting test: MachineAccount
 . MAIL1 passed test MachineAccount
  Starting test: Services
 . MAIL1 passed test Services
  Starting test: ObjectsReplicated
 . MAIL1 passed test ObjectsReplicated
  Starting test: frssysvol
 . MAIL1 passed test frssysvol
  Starting test: frsevent
 . MAIL1 passed test frsevent
  Starting test: kccevent
 . MAIL1 passed test kccevent
  Starting test: systemlog
 . MAIL1 passed test systemlog
  Starting test: VerifyReferences
 . MAIL1 passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
  Starting test: CrossRefValidation
 . ForestDnsZones passed test CrossRefValidation
  Starting test: CheckSDRefDom
 . ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
  Starting test: CrossRefValidation
 . DomainDnsZones passed test CrossRefValidation
  Starting test: CheckSDRefDom
 . DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
  Starting test: CrossRefValidation
 . Schema passed test CrossRefValidation
  Starting test: CheckSDRefDom
 . Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
  Starting test: CrossRefValidation
 . Configuration passed test CrossRefValidation
  Starting test: CheckSDRefDom
 . Configuration passed test CheckSDRefDom
   
   Running partition tests on : DOMAIN
  Starting test: CrossRefValidation
 . DOMAIN passed test CrossRefValidation
  Starting test: CheckSDRefDom
 . DOMAIN passed test CheckSDRefDom
   
   Running enterprise tests on : DOMAIN.LOCAL
  Starting test: Intersite
 . DOMAIN.LOCAL passed test Intersite
  Starting test: FsmoCheck
 . DOMAIN.LOCAL passed test FsmoCheck


And on the new DC:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\MAIL2
  Starting test: Connectivity
 . MAIL2 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\MAIL2
  Starting test: Replications
 . MAIL2 passed test Replications
  Starting test: NCSecDesc
 . MAIL2 passed test NCSecDesc
  Starting test: NetLogons
 . MAIL2 passed test NetLogons
  Starting test: Advertising
 . MAIL2 passed test Advertising
  Starting test: KnowsOfRoleHolders
 . MAIL2 passed test KnowsOfRoleHolders
  Starting test: RidManager
 . MAIL2 passed test RidManager
  Starting test: MachineAccount
 . MAIL2 passed test MachineAccount
  Starting test: Services
 . MAIL2 passed test Services
  Starting test: ObjectsReplicated
 . MAIL2 passed test ObjectsReplicated
  Starting test: frssysvol
 . MAIL2 passed test frssysvol
  Starting test: frsevent
 There are warning or error events within the last 24 hours after 

Re: [ActiveDir] Export and import essential AD objects for new forest

2005-04-22 Thread Danny
Thank you all for your most helpful responses!  You guys are
fantastic.  Specifically: Jose Medeiros, Ken Jensen, and Ken
Cornetet.

Due to time constraints, I think I am going to go with the swing
method, so here is my proposed plan of attack:

Temp Server/ Server B:
1) Install Windows Server 2003 Standard
2) dcpromo as DC for existing domain
3) Make server as GC
4) Install Exchange Server 2003 Standard - use the exact same
naming convention as production (Server A) server?
5) Migrate mailboxes from production server (Server A) to Server B --
would I simply use the move mailbox function in ESM?
6) Move FSMO Roles from Server A to Server B
7) Verify DNS and WINS Configuration


Production Server/Server A:
1) dcpromo original server down -- Ken Cornetet can you please
elaborate on this one?
2) Wipe OS clean from Server A, and clean install Windows Server 2003
-- is this safe to do now Ken?
3) dcpromo as DC for existing domain
4) Make server as GC
5) Install Exchange Server 2003 Standard - use the exact same
naming convention as the original production server?
6) Migrate mailboxes from temp server (Server B) to Server A -- would
I simply use the move mailbox function in ESM again?
7) Move FSMO Roles from Server B to Server A
8) Verify DNS and WINS Configuration
9) Install SP1 for Exchange
10) Install SP1 for Windows
11) Install AV Software and other misc. software
12) Decide what I want to do with Server B.
13) Now everything should work if Server B was powered down for
example -- correct?

Does this make sense?

Hopefully you can move Exchange mailboxes from Enterprise to Standard
through the ESM.

Thank you!

...D


Re: [ActiveDir] Export and import essential AD objects for new forest

2005-04-22 Thread Danny
One follow-up to my last post: 

Should I be transferring or seizing the FSMO roles during this migration?

Thank you,

...D


[ActiveDir] Export and import essential AD objects for new forest

2005-04-21 Thread Danny
Temporary small biz config: 1 Forest, DC, domain, and Exchange on one
physical server - all version 2003.  Core problem: I have to downgrade
from Enterprise Edition to Standard Edition (demo turned into
production).

My goal: To export all of the essential Active Directory data from the
Windows Server 2003 Enterprise Edition, and then import it into a
fresh install and dcpromo with the same Forest and domain info of
Windows Server 2003 Standard.

What have I done so far?

1) Referenced http://support.microsoft.com/default.aspx?scid=kb;en-us;840015
- however it assumes that the OS and AD do not need to be re-installed
- which is what I have to do.

2) Setup a test server on a segmented network with Windows Server 2003
STD + dcpromo with brand new forest and domain with the same name.

3) From the currently live Enterprise server, I exported AD info via
ldifde -f domain.ldf, and then tried to import it on a test server
with Windows Server 2003 + New AD with same domain and forest name. 
However, the test import live failed on the first line using the
simple examples from ldifde help.

4) Searched a bit, but I guess I really need to find out what exactly
I need to export and import - the essential AD stuff to accomplish my
goal.

Any assistance would be greatly appreciated.

Thank you,

...D


[ActiveDir] 2003 SP1 DC Disaster Recovery Testing - Reboots after selecting install from Recovery Console

2005-04-07 Thread Danny
Testing backups.  Fresh install of 2003 SP1 and Exchange 2003.  Backed
up System State and Exchange IS.  Purposely Destroyed AD, Exchange
DB's and deleted System State boot files.  Rebooted server, of course
NTLDR missing.  So, I boot from Windows Server 2003 CD, hit R for
Repair/Recovery.  Select C:\Windows as the install, but then it just
reboots.

Am I missing something?  Have I found a bug in 2003 SP1?

...D


[ActiveDir] Trouble with ldifde - trying to export list of SMTP addresses

2005-04-06 Thread Danny
,CN=Microsoft Exchange System Objects,DC=testing,DC=local
changetype: add

dn: CN=exchangeV1,CN=Microsoft Exchange System Objects,DC=testing,DC=local
changetype: add

dn: CN=OWAScratchPad{5A6F9B24-8CAA-41CC-94DC-2646461C95ED},CN=Microsoft
Exchange System Objects,DC=testing,DC=local
changetype: add

dn: OU=Local Users,DC=testing,DC=local
changetype: add

dn: CN=Danny smith,OU=Local Users,DC=testing,DC=local
changetype: add


Re: [ActiveDir] Trouble with ldifde - trying to export list of SMTP addresses

2005-04-06 Thread Danny
On Apr 6, 2005 11:06 AM, Burkes, Jeremy [Contractor]
[EMAIL PROTECTED] wrote:
> Try this:
>
> ldifde -f smtpaddress.ldf -s myserver -r (objectClass=user) -l
> ProxyAddresses=SMTP:*

Pretty much the same results from what I can tell; no SMTP addresses
listed.  I will run a windiff to compare the results, but my eyes are
pretty good. :)

Thank you,

...D


Re: [ActiveDir] Trouble with ldifde - trying to export list of SMTP addresses (SOLVED)

2005-04-06 Thread Danny
On Apr 6, 2005 11:23 AM, joe [EMAIL PROTECTED] wrote:
> Danny, are you sure that is the output from that command? Did you cut and
> paste that command?

Fresh install of Windows Server 2003 SP1.  One AD user account for
testing. I am 99.9% sure it's the correct output.  I copied and pasted
from RDP.

> That filter would only show user objects and the output
> you show is all objects which would be more of a filter like objectclass=*.
> I just verified the command you used in my forest and it worked fine except
> it returned computers and users (as expected from the filter) and didn't
> return any proxyaddresses (again expected from that command).

That sounds right.  To be honest, we played with ldifde in school many
moons back, but I am just starting to play with it again today.

> You need to correct these issues.
>
> You should change the filter to be
>
> (&(objectcategory=person)(objectclass=user)(proxyaddresses=smtp:*))

Interesting.  Makes more sense.

> And you should change the attributes returned to
>
> proxyAddresses
>
> So the whole command would look more like
>
> ldifde -f smtpaddress.ldf -s myserver -r
> "(&(objectcategory=person)(objectclass=user)(proxyaddresses=smtp:*))" -l
> proxyAddresses

Worked as advertised.  Now would this (ldifde) compare to your AdFind tool?

> Note that this will filter down to just user objects with proxyaddresses
> that have smtp in them. Note that it will still return x400 addresses and
> other values in the proxyaddresses attribute. You can't pick which values
> you want returned out of the proxyaddresses attrib, it is all or nothing.

I would rather all in this case, then.

Thank you, Joe.

...D
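
Because the directory returns every proxyAddresses value for a matching user, the SMTP entries have to be picked out of the exported file afterwards. The following is an added example, not code from anyone in the thread: a small LDIF reader that handles folded lines and base64 ("::") values and keeps only SMTP entries. The sample export and its mail addresses are constructed, and it assumes the Exchange convention that an upper-case `SMTP:` prefix marks the primary address.

```python
import base64

# Constructed sample shaped like an ldifde export of proxyAddresses; the
# mail addresses are made up. It includes a base64 ("::") value and folded lines.
SAMPLE_LDIF = """\
dn: CN=Danny smith,OU=Local Users,DC=testing,DC=local
changetype: add
proxyAddresses: SMTP:danny.smith@testing.local
proxyAddresses: smtp:dsmith@testing.local
proxyAddresses: X400:c=US;a= ;p=Testing;o=Exchange;s=smith;g=Danny;
proxyAddresses:: c210cDpkYW5ueUB0ZXN0aW5nLmxvY2Fs

dn: CN=Folded Example,OU=Local Users,DC=testing,
 DC=local
changetype: add
proxyAddresses: X500:/o=Testing/ou=First Administrative Group/cn=Recipients/
 cn=folded
proxyAddresses: SMTP:folded.example@testing.
 local
"""


def unfold(text):
    """Join LDIF continuation lines: a line starting with one space
    continues the previous line, with that space removed."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_records(text):
    """Return a list of records, each a dict of lower-cased attribute
    name -> list of decoded string values."""
    records, current = [], {}
    for line in unfold(text) + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):              # LDIF comment
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:                                 # "attr: <plain value>"
            value = rest.lstrip(" ")
        current.setdefault(attr.lower(), []).append(value)
    return records


def smtp_addresses(text):
    """Map each DN to its primary and secondary SMTP addresses, dropping
    X400/X500 and any other address types the export also contains."""
    result = {}
    for rec in parse_records(text):
        dn = rec.get("dn", [""])[0]
        primary, secondary = None, []
        for value in rec.get("proxyaddresses", []):
            prefix, sep, addr = value.partition(":")
            if not sep or prefix.lower() != "smtp":
                continue
            if prefix == "SMTP":              # upper case marks the primary address
                primary = addr
            else:
                secondary.append(addr)
        result[dn] = {"primary": primary, "secondary": secondary}
    return result


if __name__ == "__main__":
    for dn, found in smtp_addresses(SAMPLE_LDIF).items():
        print(dn, found)
```
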

