RE: [ActiveDir] How Secure is a Domain Controller?

2006-03-05 Thread Edwin

Thanks everyone. I have read some of that documentation but others are new to me. I will review them and see what else I can find.

Thanks,

Edwin


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Sunday, March 05, 2006 3:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How Secure is a Domain Controller?

I've written down some related thoughts once:

http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx

Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Sunday, March 05, 2006 4:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How Secure is a Domain Controller?

How Secure is a Domain Controller that is fully patched on a default install of Windows 2003? When promoted, the domain controller has the two default policies, both of which are recommended not to be modified. But there are things that could be done better for added security; for example, NTLMv2: refuse NTLM and LM. Is it common practice to add additional GPOs to the DC OU? Or is the DC protected enough that all that needs to be worried about are the member machines?

If adding additional GPOs to the DC OU, is there anything that should definitely be avoided?

Edwin

[ActiveDir] How Secure is a Domain Controller?

2006-03-04 Thread Edwin

How Secure is a Domain Controller that is fully patched on a default install of Windows 2003? When promoted, the domain controller has the two default policies, both of which are recommended not to be modified. But there are things that could be done better for added security; for example, NTLMv2: refuse NTLM and LM. Is it common practice to add additional GPOs to the DC OU? Or is the DC protected enough that all that needs to be worried about are the member machines?

If adding additional GPOs to the DC OU, is there anything that should definitely be avoided?

Edwin
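As an added example (not from the thread or any of its posters), the following PowerShell answers Edwin's two questions from the DC's own point of view: which GPOs actually reach the Domain Controllers OU, and whether each DC really refuses LM and NTLM (Edwin's "NTLMv2, refuse NTLM and LM" is LmCompatibilityLevel 5). It assumes the ActiveDirectory and GroupPolicy RSAT modules, which are years newer than the Windows 2003 DCs under discussion, and PowerShell remoting to each DC; everything else is read from the domain.

```powershell
# Added example, not part of the thread. Assumes the ActiveDirectory and GroupPolicy
# modules (RSAT; newer than Windows 2003) and PowerShell remoting to every DC.
Import-Module ActiveDirectory, GroupPolicy

# Values of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel, i.e. the GPO
# setting "Network security: LAN Manager authentication level". Only 4 and 5 make a DC
# refuse anything; 0-3 merely change what the machine itself sends as a client.
$LmLevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

function Get-DcLsaSettings {
    param([Parameter(Mandatory)][string]$DomainController)
    # Read the live registry rather than the GPO: this is what LSA on that DC enforces,
    # including the case where no GPO sets the value at all (OS default applies).
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        [pscustomobject]@{
            LmCompatibilityLevel = $lsa.LmCompatibilityLevel   # $null if not set
            NoLMHash             = $lsa.NoLMHash               # 1 = stop storing LM hashes
        }
    }
}

function Test-DcAuthHardening {
    $domain = Get-ADDomain
    $dcOu   = "OU=Domain Controllers,$($domain.DistinguishedName)"

    # 1. Everything that applies to the DC OU, in precedence order (Order 1 wins).
    #    Default Domain Controllers Policy should be there; anything else is yours to justify.
    $links = (Get-GPInheritance -Target $dcOu).InheritedGpoLinks
    $links | Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize

    # 2. Effective LM/NTLM posture on each DC, one line per DC.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $s   = Get-DcLsaSettings -DomainController $dc.HostName
        $lvl = $s.LmCompatibilityLevel
        if ($null -eq $lvl) {
            "{0}: LmCompatibilityLevel not set, OS default applies (REVIEW)" -f $dc.HostName
        } else {
            $state = if ([int]$lvl -ge 4) { 'ok' } else { 'REVIEW' }
            "{0}: level {1} = {2} ({3})" -f $dc.HostName, $lvl, $LmLevelText[[int]$lvl], $state
        }
        if ($s.NoLMHash -ne 1) {
            "{0}: NoLMHash is not 1, LM hashes are still written on password change" -f $dc.HostName
        }
    }
}

Test-DcAuthHardening
```

Level 4 or 5 on a DC is what actually refuses the older responses; 0 to 3 only change what the machine sends when it is the client. Raising DCs to 5 cuts off every client that still sends LM or NTLMv1, so raise the clients' own level first and watch the DCs' security logs (on Windows Server 2008 R2 and later, logon event 4624 names the NTLM version under "Package Name (NTLM only)") before turning refusal on. NoLMHash is a separate control: it stops the LM hash being stored at the next password change and does nothing for hashes already on disk until users change their passwords.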








[ActiveDir] LDAP Server Request

2006-02-28 Thread Edwin

My job is requesting that a LDAP server be built that would be able to communicate with the existing corporate Active Directory environment. I do not have much experience with LDAP so this will be a learning adventure for me.

The reason for the LDAP Server is because of a massive project the company is working on. The project will be the backbone of the company and will require username and password authentication.

The goal of the project is to have one centralized management solution for all different area needs instead of the disparate solutions that we have today. One immediate concern that I had with the project and the use of the corporate DCs was for any potential reports that are generated. I believe that if you are no longer with the company, then there is no need to keep your credentials or personal data on the network. Therefore, I delete this information. By deleting the users, these reports may become corrupt.

This of course is a problem for management. Deleting the users is not a problem but any errors in reporting information are. Has anyone come across this problem before? Does this make sense?

Another concern of mine was performance. The project design calls for a number of servers, each of them having their specific goals. It is very possible that any one server can hit the DCs for their information at any given time. My concern is that this happening an uncontrolled number of times at any given time of day may cause the domain environment to suffer.

Security is also a concern. The machines built as part of the project will be in a secure, well protected environment. But things do happen unfortunately. I would rather see that the machines built as part of the project call one server that has access to the domain to query the information that it needs. That machine will be a read-only client of the AD environment.

My initial thought is to investigate Microsoft ADAM. If ADAM can query the domain only checking for new entries while ignoring those that are deleted, I think that I can accomplish the task of addressing all of the concerns outlined above.

What do you think? Is this solution possible? Is there an easier solution? One that is preferable to this?

Thank you in advance for your responses,

Edwin








RE: [ActiveDir] LDAP Server Request

2006-02-28 Thread Edwin

I think that I have enough information about what needs to be done. ADAM is definitely a required solution to this problem. I have been reading more on the use and functionality of ADAM and it fits the bill. In fact, the example that is provided in the ADAM documentation provided by Microsoft is just about as close to the real life situation I am facing as you can get.

Thank you all for your replies,

Edwin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, February 28, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Server Request

A little more on the overall picture. What you seem to be describing is an identity lifecycle management environment (call that marketecture :)

To play back requirements:

1) system must be able to account for identities for an undetermined amount of time for the purposes of reporting

2) system must be resilient to usage patterns

3) system must be securable in its final implementation

4) system must be able to authenticate user objects utilizing name and password credential pair.

Some thoughts:

Regardless of the identity store you use, you'll want to pay particular attention to identity lifecycle. That is, what happens to the identity from cradle to the grave? An identity archive might be more of a solution. Maybe a separate directory or even a database somewhere else that stores information about past identities for the purposes of reporting. The rest of the stuff (day to day) is pretty straightforward and is easily solvable based on the information you've given. The process of archiving a user, i.e. what to do, what to keep, etc. is something you'll have to define for your company. Make it flexible and comprehensible enough that you don't have to revisit very often, but that you could if you had to.

Not sure synchronization fits the bill here because you haven't said that all accounts must live in AD. In fact, I suspect that some may not. Is that the case?

Al


On 2/28/06, Tomasz Onyszko [EMAIL PROTECTED] wrote:

Edwin wrote:
(...)

> My initial thought is to investigate Microsoft ADAM. If ADAM can query
> the domain only checking for new entries while ignoring those that are
> deleted, I think that I can accomplish the task of addressing all of the
> concerns outlined above.
>
> What do you think? Is this solution possible? Is there an easier
> solution? One that is preferable to this?

Everything is possible :).

OK - from quick reading you should investigate the option of using ADAM with some synchronization solution like IIFP, MIIS or even ADAM Synchronizator which comes with ADAM SP1.

When somebody is leaving the company his account should be removed (it can be a logical removal - not physical deletion of the account) from corporate AD - then this change should be synchronized to your LDAP server. That's about the case of deleted accounts.

You can address performance with several ADAM instances working in a load balanced environment. ADAM has replication mechanisms like AD and this will keep your AD instances in sync, while LB will let you balance workload among different LDAP servers.

Your security concerns are a little mitigated if you are using a solution which synchronizes the data _to_ ADAM - in such case data changes are pushed to ADAM.

That's a few quick ideas - I'm sure that you will get more feedback from other persons and I will try to get back to this topic in the evening (my time zone :) ).

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
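The "logical removal" Tomasz describes and the "identity archive" Al describes are the same operation seen from two sides: the leaver loses the ability to authenticate and every authorization, but the object, and with it the SID and objectGUID that reports and ACLs refer to, stays. As an added example (not from the thread or any poster), here is that leaver step in PowerShell. It assumes the ActiveDirectory RSAT module (newer than the ADAM era of this thread), an existing OU=Leavers container under the domain root, and that the sync to the LDAP/ADAM side (ADAMSync, IIFP or MIIS) carries userAccountControl and employeeType; the OU, the attribute choice and the sample account are all assumptions.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT; newer than the
# ADAM/Windows 2003 era discussed), an existing "OU=Leavers" under the domain root (hypothetical),
# and a sync to the LDAP/ADAM side that copies userAccountControl and employeeType.
Import-Module ActiveDirectory

function Retire-ADUser {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$LeaversOu = "OU=Leavers,$((Get-ADDomain).DistinguishedName)",
        [string]$Ticket = 'unspecified'
    )
    $u = Get-ADUser -Identity $SamAccountName -Properties memberOf

    # What is about to be taken away, kept on the object itself so a report can still answer
    # "who had access to what" after the group memberships are gone.
    $formerGroups = @($u.memberOf | ForEach-Object { (Get-ADGroup -Identity $_).SamAccountName }) -join ';'
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

    # 1. Nobody can authenticate as this identity any more: disable, and replace the
    #    password with 32 random bytes that are never stored anywhere.
    Disable-ADAccount -Identity $u
    $rnd = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rnd)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($rnd)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $u -Reset -NewPassword $pw

    # 2. Authorizations go; the record of them stays on the object.
    foreach ($g in $u.memberOf) { Remove-ADGroupMember -Identity $g -Members $u -Confirm:$false }
    Set-ADUser -Identity $u -Replace @{
        employeeType = 'retired'                                  # what the sync/LDAP side filters on
        description  = "RETIRED $stamp ticket=$Ticket formerGroups=$formerGroups"
    }

    # 3. The object, its objectGUID and its SID survive. A deletion would leave only a
    #    tombstone and an unresolvable SID wherever it appears in ACLs or old reports.
    Move-ADObject -Identity $u -TargetPath $LeaversOu
    Get-ADUser -Identity $SamAccountName -Properties employeeType, description, memberOf
}

# Usage (hypothetical account and ticket):
Retire-ADUser -SamAccountName 'jdoe' -Ticket 'HR-1234'
```

With this in place the sync only has to copy two attributes, and the LDAP consumers authenticate nothing that is disabled or marked retired while their reports keep resolving the name. Whether personal data is also scrubbed from the retired object is the policy question Al raises; the script deliberately keeps it, since that is the whole point of the archive.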













[ActiveDir] Recycle Bin and Roaming Profiles

2006-02-08 Thread Edwin

I have roaming profiles set up on users and it works like it is supposed to except for one thing. When I delete a file it deletes it permanently. How can I get files to go into the Recycle Bin?

Thanks,

Edwin








RE: [ActiveDir] Getting better control over DHCP

2006-02-04 Thread Edwin

Thanks everyone for your replies. I can see that I have a lot of discussion to look forward to with the network engineers. I definitely have enough information to get me started in making a good decision.

If only Longhorn and Vista were released already then it would seem as though my question could be more easily answered.

Thank you again everyone.

Edwin











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Garrett
Sent: Saturday, February 04, 2006 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting better control over DHCP

As somebody earlier mentioned, Cisco has the Port Security option on their switches, if you happen to be running a Cisco network.

Once a device is plugged in, only that device can use the port. Unplug it and plug something else in and the port shuts down.

In the same vein, Cisco has Network Access Control (NAC) for doing the antivirus checks, patch checks, etc. Your laptop doesn't meet certain criteria, it isn't allowed on the network.

Al





-Original Message-
From: Al Mulnick [mailto:[EMAIL PROTECTED]
Sent: Saturday, February 04, 2006 6:38 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting better control over DHCP

Edwin, I'm sure you've noticed by now but joe and Brian (both) have given you a really good idea of what you need to do to solve this. As indicated, to achieve your goal of preventing any unauthorized access to the network, you'd pretty much have to have control at the phys layer. By that I mean you'd have to control who/what can gain access there.

I think you'll want to plan (as joe suggests) because of issues such as temporary access, i.e. a vendor is working on site for 2 weeks and requires limited access to the internet for the job function, or somebody needs to roam to another site where they don't have access. You also need something that's as automated as you can get it because you certainly can't scale a solution that requires knowing something like a MAC; ask any firewall admin that has had to do that :) Even if you did know the MAC, that's not enough to secure your network IMHO.

The NAP idea coupled with some ideas around multiple networks would likely get you much closer to solving your problem(s). I don't view a solution that requires a new OS or special software to be a solution however. Too many variables that need to work, i.e. linux laptops, old-ish clients (XP is getting long in the tooth and many haven't even upgraded to that yet!) Nope, to me it needs to be isolated from the OS that wants access and not require specialized client software. It should include authenticated access and a method to allow access long enough to become authenticated.

My $0.04 worth, as if you needed it.

Al







On 2/4/06, Brian Puhl [EMAIL PROTECTED] wrote:

At Microsoft we do not use 802.1x, so if you were to walk up to a port on our corporate network and plug in, you would get an IP and have access to some things.

What we do instead is domain isolation via IPSec, which means that machines which are not joined to an MSIT managed domain (basically, our production forests) cannot establish connections with machines that are in our domains.

Rather than deploying 802.1x, we are in the process of implementing Network Access Protection, which is a Longhorn/Vista feature. Basically when a machine connects to the network it is quarantined and must pass a health check (think patches, AV, and any other config we want to mandate) before they are released from quarantine. We haven't deployed this widely, it's still in an engineering phase, however this is the direction we're taking our network controls.

The "connect to the network using plastic thingy with chip" would be our VPN solution, which we implemented. Effectively it's NAP as described above, but requires smartcards (plastic thingys) for authentication and the VPN client performs the health check.

Brian Puhl
Microsoft IT


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Friday, February 03, 2006 7:19 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Getting better control over DHCP

Microsoft uses 802.1x auth. I believe ... as do many.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, February 03, 2006 8:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting better control over DHCP

Can't this be done with ...what is MS using? Is it Ipsec and smartcard authentication?

You go to Redmond, stick in a rj45 and unless you have a lovely plastic thingy with a chip you don't get access on corpnet.


joe wrote:

> There is nothing you can do around a DHCP server that will really help
> you as you point out. You simply need

[ActiveDir] Getting better control over DHCP

2006-02-03 Thread Edwin

Is it possible within a domain on an authorized DHCP server to restrict what machines get a DHCP IP Address? For example, I want to prevent someone from bringing in an unauthorized laptop and getting an IP Address on the network. I want it to be so that if the machine is not a part of the domain, it does not get any network connectivity from the DHCP server.

Thanks,

Edwin
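The replies in this thread agree that DHCP cannot enforce "domain members only"; Brian Puhl's description of IPsec domain isolation is the control that actually does, because it ties the right to talk to a domain member to holding a machine account, not to holding a lease. As an added example (not from the thread or Microsoft IT), here is that policy expressed with the NetSecurity PowerShell module, which arrived with Windows 8 / Server 2012 and so is long after this discussion. The two exempt addresses (a DC/DNS server and a DHCP server) and the policy-store name are made up; in practice the rules are authored into a GPO and pushed to every managed machine.

```powershell
# Added example, not from the thread. Assumes the NetSecurity module (Windows 8 / Server 2012 and
# later), made-up addresses 10.0.0.10 (DC/DNS) and 10.0.0.20 (DHCP), and that the result is
# authored into a GPO rather than run by hand on each machine.
Import-Module NetSecurity

function New-DomainIsolationPolicy {
    param(
        # Boundary hosts a client must reach *before* it can hold a Kerberos ticket.
        [string[]]$ExemptAddresses = @('10.0.0.10', '10.0.0.20'),
        # 'PersistentStore' = this machine; 'contoso.com\Domain Isolation' would target a GPO of that name.
        [string]$PolicyStore = 'PersistentStore'
    )
    # Phase 1 authenticates the *computer* with Kerberos. A laptop that is not joined to the domain
    # has no machine account and can never complete this, whatever address DHCP handed it.
    $proposal = New-NetIPsecAuthProposal -Machine -Kerberos
    $authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Domain machines (Kerberos)' `
                    -Proposal $proposal -PolicyStore $PolicyStore

    # Exemptions: without these a freshly booted client could never get DNS, a TGT or a lease,
    # so it could never satisfy the main rule either.
    foreach ($ip in $ExemptAddresses) {
        New-NetIPsecRule -DisplayName "Exempt $ip" -RemoteAddress $ip `
            -InboundSecurity None -OutboundSecurity None -PolicyStore $PolicyStore | Out-Null
    }

    # Require inbound, request outbound: managed machines protect traffic among themselves and
    # drop unauthenticated inbound connections, but can still initiate to unmanaged hosts
    # (printers, the exempt servers above). Move outbound to Require once every managed host
    # carries the policy; that is the full-isolation state.
    New-NetIPsecRule -DisplayName 'Domain isolation' `
        -InboundSecurity Require -OutboundSecurity Request `
        -Phase1AuthSet $authSet.Name -PolicyStore $PolicyStore
}

New-DomainIsolationPolicy | Format-List DisplayName, InboundSecurity, OutboundSecurity
```

The rogue laptop in Edwin's question still receives a lease, but every domain member discards its connection attempts because the IKE exchange cannot be authenticated. The price is the exemption list: every server a client needs before it has a ticket, and every unmanaged device managed machines must accept connections from, has to be enumerated, and each exempt host is reachable by the rogue laptop too.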








RE: [ActiveDir] Getting better control over DHCP

2006-02-03 Thread Edwin

Assigning IPs based off of MAC addresses would be a huge headache! Besides, just as you said, the network savvy person can easily find out the IP range if needed and assign themselves an IP and spoof the MAC if needed.

If something like this is possible, I would like to have a more concrete solution.

But thank you very much for your reply.

Edwin











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc A. Mapplebeck
Sent: Friday, February 03, 2006 7:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting better control over DHCP

I'm not sure if it's the best way to do it, but you could set your entire scope to be in one exclusion range, then assign static DHCP to authorised MACs. After that, for added security, you could set a second scope to give out leases outside your network range so that unauth ppl will get a lease, but not be able to see anybody; the only downside to that would be that the network savvy user could look under network settings and see what the IP of the DHCP server is and then assign a static IP within that range. HTH - Marc









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: February 3, 2006 20:13
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Getting better control over DHCP

Is it possible within a domain on an authorized DHCP server to restrict what machines get a DHCP IP Address? For example, I want to prevent someone from bringing in an unauthorized laptop and getting an IP Address on the network. I want it to be so that if the machine is not a part of the domain, it does not get any network connectivity from the DHCP server.

Thanks,

Edwin








[ActiveDir] User Password Expiration

2006-01-05 Thread Edwin

Hello Everyone,

I have an application that allows different users to reset a special domain account that allows for RDP sessions to be established on thousands of machines on a domain. These usernames have a policy that forces the password to expire within 2 minutes. If the password has expired, they must reset the password from within the application again to gain access to another server.

I am aware of the password expiration policy(ies), but I would like something different. What I would like to do is force a user to reset their password upon first use. As it stands, I can reset the password and still authenticate to many other servers as long as I am within the 2 minute expiration rule.

How can I force a password to expire upon first use? Is this possible?

Thank you for your replies,

Edwin
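Active Directory has no "valid for exactly one logon" flag, so the thread's answers come down to watching the account and revoking it the moment it is used (joe's "watch, sleep, change the password and expire it again"), with the caveat that a change made on one DC is not instantly true on the others. As an added example (not from the thread or any poster), here is that watcher in PowerShell. It assumes the ActiveDirectory RSAT module (newer than the Windows 2003 environment described), a machine that can query every DC, a helper account name that is invented, and that the provisioning application has just reset that account's password before calling it.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT; newer than the
# Windows 2003 era of the thread), a domain-joined box that can query every DC, and that the
# provisioning application has just reset the password of the helper account passed in.
Import-Module ActiveDirectory

function Revoke-OneTimeAccount {
    param([Parameter(Mandatory)][string]$SamAccountName, [Parameter(Mandatory)][string]$Server)
    # New random password nobody holds, then disable. Done against the PDC emulator because a
    # DC that is about to reject a password checks with the PDC emulator first.
    $rnd = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($rnd)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($rnd)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Server $Server -Reset -NewPassword $pw
    Disable-ADAccount -Identity $SamAccountName -Server $Server
}

function Watch-OneTimeLogon {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$TimeoutSeconds = 120,   # the 2-minute expiry the application already enforces
        [int]$PollSeconds = 2
    )
    $domain = Get-ADDomain
    # lastLogon is written only on the DC that handled the logon and is never replicated, so the
    # watcher has to ask every DC. A logon against any of them counts as "used".
    $dcs = (Get-ADDomainController -Filter *).HostName
    $baseline = @{}
    foreach ($dc in $dcs) {
        $baseline[$dc] = [int64](Get-ADUser $SamAccountName -Server $dc -Properties lastLogon).lastLogon
    }
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        foreach ($dc in $dcs) {
            $now = [int64](Get-ADUser $SamAccountName -Server $dc -Properties lastLogon).lastLogon
            if ($now -gt $baseline[$dc]) {
                Revoke-OneTimeAccount -SamAccountName $SamAccountName -Server $domain.PDCEmulator
                return [pscustomobject]@{ Result = 'used'; Dc = $dc; At = [DateTime]::FromFileTime($now) }
            }
        }
        Start-Sleep -Seconds $PollSeconds
    }
    # Never used inside the window: revoke anyway, exactly like the existing 2-minute expiry.
    Revoke-OneTimeAccount -SamAccountName $SamAccountName -Server $domain.PDCEmulator
    [pscustomobject]@{ Result = 'expired-unused'; Dc = $null; At = Get-Date }
}

# Usage (hypothetical helper account name):
Watch-OneTimeLogon -SamAccountName 'rdp-onetime'
```

This revokes future logons, not the RDP session already established, which is what Edwin asks for. The replication caveat from joe's reply still applies: a DC that has not yet received the reset keeps accepting the old password until it does, so a second logon that lands on a lagging DC inside that interval succeeds; polling only the DCs in the bastion hosts' site shortens the loop, and on newer DCs subscribing to the logon events (4624/4768) instead of polling lastLogon scales better than one LDAP read per DC every two seconds.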








RE: [ActiveDir] User Password Expiration

2006-01-05 Thread Edwin

No. That is not what is happening.

I work for a web hosting company that has thousands of bastion host servers that are on a domain. These servers are accessed multiple times based upon need by the support staff. So that there is no universal password among all servers (for obvious reasons) we have this system in place (dynamically assigned passwords for users). The problem is that a support technician can log into multiple machines at once providing that they login before their password expires. This is what I want to prevent. I want for them to use their password once and only once. I want for their password to expire upon first successful authentication use.

Joe, based off of our statements, would it be possible to have a logon script communicate to the DC and then update a property of that user to immediately expire their password? If so, can you provide some direction?

Thanks,

Edwin











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 05, 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Password Expiration

If the whole goal is to disallow access to other machines and it has to be enforced, I would not use a domain ID. I would work with local IDs on the specific machines, these IDs should not be the same as the IDs on other machines and shouldn't have passwords in sync. That way if anything breaks that is supposed to go back and lock down access the folks still don't have access to other machines. They could have access to log into the local machine again which may be a pain but if they were just on it, I don't see that as incredibly bad. You can obviously use the same or a similar mechanism currently in use to lock down the ID after 2 minutes. Another solution to lock the ID down quickly on the local machine would be to have a service that just watches an account and once it shows password not expired, sleep 5 seconds and then change the password and expire it again. Any lockdown done on a domain ID would not be fully in effect until replication carried that change to all DCs. It could get messy if DCs in different sites were used.

I guess if you wanted to get really fancy (read complex and subject to failure and issues) with a domain ID you could have a logon script for the ID, the logon script sends a request to some machine which then locks the ID down, then the script keeps querying that machine and the machine says STOP until it has detected that the ID has been locked down on all DCs, then the script gets a GO message to continue the logon. If the GO doesn't come in x seconds/minutes, the logon script tells the user there has been a problem and logs them back off without ever letting them do anything.
















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, January 05, 2006 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] User Password Expiration

Basically, you want them to have a one-time-use password? Is that correct?

That's interesting. I haven't seen anything like that, but I imagine that's something that allows an outside vendor to have remote access to do something they need to do, but for security reasons you wouldn't want them to have full access to everything.

I wonder if it would be better to grant them access to the machine they'll access when they reset the password to prevent them from accessing other machines? i.e. Reset password & limit the desktop they can access at the same time. Would that give better control?

Aside from that, can you define the exact requirements a little more? I think it might jar somebody's thinking a little more to hear some additional information about the requirements.

My initial thought, if the above doesn't get you closer to the requirements, would be to use a logon script or change in the code to do this. Maybe with a timer. I.E. reset the password, set it to expire at x minutes (if that helps), limit the machine it can logon to, and after x amount of time check for usage. If found, reset the password.

I do have to ask if this would allow them to accomplish the function they need to accomplish however. I wonder if you're not giving them enough time to do what they need to do.

My rambling thoughts anyway.

Al













On 1/5/06, Edwin [EMAIL PROTECTED] wrote:

Hello Everyone,

I have an application that allows different users to reset a special domain account that allows for RDP sessions to be established on thousands of machines on a domain. These usernames have a policy that forces the password to expire within 2 minutes. If the password has expired, they must reset the password from within the application again to gain access to another server.

I am aware of the password expiration policy(ies), but I would like something different. What I would like to do is force a user to reset

[ActiveDir] Active Directory Naming Question

2005-12-29 Thread Edwin

Hello Everyone,

I was working for a business (Bus1) that was partially acquired by another (Bus2). Bus1 has a corporate network and is reliant upon Active Directory to complete their daily activities. Bus2 is dependent on Bus1's current infrastructure for the time being. This obviously needs to be changed immediately!

Now that I am with Bus2, I am trying to build a new domain.

I do not want to name the new domain based off of Bus2's REAL name, i.e. microsoft.com. I want to name it something more generic, i.e. corporatedomain.ad. My thinking behind this is because I want to prepare for another company acquisition should it ever happen. If Bus3 buys Bus2, it is possible that they will not like the old domain name because it carries the REAL name of the acquired Bus2. But by having something more generic, I hope to avoid this problem.

With the above said, I have two questions:

1. Bus2 does not have licensing for MS Exchange. Currently IMAP (yuck) is the mail solution. I do not think that IMAP will last long in our environment especially since we come from a MS Exchange environment with Bus1. If in the event that MS Exchange is used at a future date within the Bus2 domain, will MS Exchange's functionality or administration be affected?

2. I am aware about the domain rename feature that is available with Windows 2003. Regardless of the domain name used for the corporate network, can the domain rename tool be used when there exists a MS Exchange server? Outside of unforeseen problems, is using this tool a general problem or something that should be avoided all together?

3. Bus2 has several geographic areas. A geographic domain setup is not established but I have already started the wheels spinning. Who knows when anything real will come out of it? Because of that, I will more specifically name the domain chicago.corporatedomain.ad in preparation for a new forest. Then, all that would be needed is to add my existing domain to the newly created forest that Bus2 creates. Will any of the above answers change now that a forest is being created?

Thank you all for your replies,

Edwin








RE: [ActiveDir] Active Directory Naming Question

2005-12-29 Thread Edwin

Thanks Joe for your quick and very well explained reply.

For question 2, I never wanted to rename the domain regardless if a tool was available or not. That is why I want to go with something more generic. As for question 3, that sort of holds me up and makes my course of action change.

Thanks again,

Edwin


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, December 29, 2005 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Naming Question

1. The domain name can be disjoint from the Exchange domain names handled. In fact, I have a joeware.local which handles mail for joeware.local, joeware.net, and joeware2.net. It could just as easily be hosting bob.com and steve.com email.

2. Yes it can. But don't go into a new domain thinking you will rename it. You should try to avoid the rename options. They can be involved.

3. Ah no. When you create your domain, if it isn't joined to a forest at that point, you are creating a new forest. You won't be joining any other forests later; if you need to be in another forest you will be migrating to a new domain in that forest. You need to sit down and chat with the Bus2 IT folks and DNS folks and network folks and get an idea of what the future holds, if not everything worked out, before you start spinning anything up that you want to have that isn't completely temporary.











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Thursday, December 29, 2005 11:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Naming Question

Hello Everyone,

I was working for a business (Bus1) that was partially acquired by another (Bus2). Bus1 has a corporate network and is reliant upon Active Directory to complete their daily activities. Bus2 is dependent on Bus1's current infrastructure for the time being. This obviously needs to be changed immediately!

Now that I am with Bus2, I am trying to build a new domain.

I do not want to name the new domain based off of Bus2's REAL name, i.e. microsoft.com. I want to name it something more generic, i.e. corporatedomain.ad. My thinking behind this is because I want to prepare for another company acquisition should it ever happen. If Bus3 buys Bus2, it is possible that they will not like the old domain name because it carries the REAL name of the acquired Bus2. But by having something more generic, I hope to avoid this problem.

With the above said, I have two questions:

1. Bus2 does not have licensing for MS Exchange. Currently IMAP (yuck) is the mail solution. I do not think that IMAP will last long in our environment especially since we come from a MS Exchange environment with Bus1. If in the event that MS Exchange is used at a future date within the Bus2 domain, will MS Exchange's functionality or administration be affected?

2. I am aware about the domain rename feature that is available with Windows 2003. Regardless of the domain name used for the corporate network, can the domain rename tool be used when there exists a MS Exchange server? Outside of unforeseen problems, is using this tool a general problem or something that should be avoided all together?

3. Bus2 has several geographic areas. A geographic domain setup is not established but I have already started the wheels spinning. Who knows when anything real will come out of it? Because of that, I will more specifically name the domain chicago.corporatedomain.ad in preparation for a new forest. Then, all that would be needed is to add my existing domain to the newly created forest that Bus2 creates. Will any of the above answers change now that a forest is being created?

Thank you all for your replies,

Edwin








[ActiveDir] Hardware Suggestions

2005-11-07 Thread Edwin

Currently there is an open thread entitled "RAID suggestions for DC; maybe OT". I didn't want to dirty that thread by introducing my question that builds upon it.

How about other hardware requirements such as CPU, Disk Size and RAM? RAID configuration I think is documented very well but how can you scale Active Directory's growth?

I downloaded ADSizer (http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/adsizer-o.asp) but the recommended hardware did not display good results in my opinion. It was suggested that I have a machine with 4 x 933 Xeon Processors and 512 MB of RAM. It just does not make sense to me to have so much CPU but so little RAM. ADSizer does make disk recommendations, but my results returned a System Disk in RAID1 but nothing for Log or Database Disks.

In the environment that I wish to deploy a new domain, I will have around 150 or so member computers and possibly 50 or so others that are stand alone workstations. MS Exchange 2003 will also be a part of the domain. Initially, I do not think that any attributes other than the required defaults will be used on user objects, but eventually I would like to populate or add this information in the future.

Are there guidelines on recommended hardware for DCs in a domain? MS Exchange seems to be well documented on this but I have not found much on DCs.

Thanks,

Edwin








RE: [ActiveDir] Hardware Suggestions

2005-11-07 Thread Edwin
I found a MSFT site for planning domain controller capacity.  If anyone is
interested, you can find it via the URL
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/4af3271a-4407-4ca5-9cd5-e05b79046d08.mspx

Edwin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, November 07, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hardware Suggestions

Interesting.  If that solution becomes a problem, have a look at 
http://www.centrify.com and see if you can change some of that :)

Seriously, it is interesting and I'm interested to hear of the long term 
results as they occur.  Shall we check back in a year or so?

Al


From: Rob MOIR [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org,ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hardware Suggestions
Date: Mon, 7 Nov 2005 19:07:28 -

Nope, DASD to a Apple G5 Xserve for a very small amount of Apple clients 
(10) with very high storage requirements. To be honest, the thing that 
made me go for this solution in the end was that performance was better 
using the native Apple stuff end to end and writing to SATA than it was 
having to translate at some point on the network in order to write to SCSI.

So now I have a nice complicated totally separate Apple Open Directory 
Domain with trusts into the Windows Forest so that all the pain of 
making it work falls on me and the network support team here instead of on 
the desktop user.

Which is how it should be after all, and it doesn't do the old resume any 
harm to have this all on there!


-Original Message-
From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Mon 07/11/2005 18:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hardware Suggestions

That's a desktop user? The apple desktop?

I don't have a problem with SATA (an upgrade from PATA) if used as 
designed.
It's designed for desktop storage.  Not that it can't be adjusted to
server/enterprise, but its price point and architecture are intended for
desktops (i.e. cheap but not as reliable as a shared resource).

Used appropriately, I'm quite happy with it.  But it's intended to be cheap
and replaceable.

Cheap, fast, reliable - pick two (or something like that ;)

That shouldn't last if history is any indication, but for now I'll try not
to build too many centrally required applications on that technology unless
I can put a lot of abstraction in front of it (large pools that aren't
bothered by the loss of several components at a time.)

 From: Rob MOIR [EMAIL PROTECTED]
 Reply-To: ActiveDir@mail.activedir.org
 To: ActiveDir@mail.activedir.org,ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Hardware Suggestions
 Date: Mon, 7 Nov 2005 18:36:10 -
 
 I've deployed SATA for storage of large files in Apple XRaid units in a
 Raid 5+1 config, and so far so good. Ask me in 3 years if I'm still just as
 happy ;-) but it was the only way to give the user what they wanted inside
 the budget we had.
 
 One advantage of the XRaid is that it's fitted out from the get go to use
 SATA disks and the only reason you'd ever have to do anything to it is to
 replace a drive that you already know has gone bad.
 
 
 -Original Message-
 From: [EMAIL PROTECTED] on behalf of Al Mulnick
 Sent: Mon 07/11/2005 17:34
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Hardware Suggestions
 
 silly no-hair-color alert
 SATA == Desktop drives.
 
 They weren't originally concepted to be enterprise class storage.  I see
 them as being back-engineered to be used this way, but most of what I've
 seen has been to deploy them as a JBOD in situations where you can absorb
 the continuous loss of hardware and not impact performance and
 availability.
Typically in pools of disk and hsm solutions (what is it that hsm is
 called now? ILM? :)
 
 If you plan to deploy DAS solutions (internal or external), SATA is not
 likely the way to go right now.  You may want to wait a bit longer if the
 data is important.
 
 
 For large pools of inexpensive disks, SATA might be worthwhile to
 investigate if you have a large loading bay, a good support agreement, and
 close access to the highway.
 
 -ajm
 
 
 
  From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
  [EMAIL PROTECTED]
  Reply-To: ActiveDir@mail.activedir.org
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Hardware Suggestions
  Date: Mon, 07 Nov 2005 09:13:19 -0800
  
  Stupid blonde alert
  
  I personally have SATA experience in the tower/desktop world but none in
  the rack units.  Are the physical connections any stronger in the rack
  world?
  
  I like SCSI and IDE not only for their proven track record [server and
  desktop respectively] but because the dang cables don't get knocked off
  each time I reach into the case.  Those cable connections on the back of
  the SATA drives are a little worrying.  I've

RE: [ActiveDir] Limiting User Logon to Specific Machines

2005-11-04 Thread Edwin

Hello Everyone:



Why not make them stand alone machines?
These are in fact learning play toys for the inexperienced
user therefore a domain is not necessarily required.



If it is possible, I would suggest
isolating that room from your existing network and building an ADS machine.
I would make sure that the workstations support PXE before doing so. The
machines in the classroom would all then be configured to listen to PXE
requests and have images pushed to them as needed. Using this method
would do a couple of things.




1. 100% isolation from the existing domain leaving no possible risk to the rest of
   your network infrastructure.
2. If the user were to somehow break something because you thought something was
   configured that should have denied access, you can simply push a new image
   at the machine with minimal effort. You can also update your image so that
   you can update any new security changes you would like to implement.
3. You will not have to waste the time and resources in your current environment
   managing workstations that are not a critical aspect of the entire network.




Another thing that I think is the most
important is the fact that you have isolated the communal user from doing anything
outside of the classroom.



If I were a student of the class taking entry
level computer training sessions and had years of computer experience under my
belt including several personally written viruses I would be very upset and
bored. I would be finding a way to break something. Add to that the
fact that I know everyone is using a global user, therefore if I did anything
malicious I could probably get away with it because it is not tied to my unique
account ID. I could do anything I wanted to with minimal risk to myself
of getting caught.



If it were me and I were in this situation
this is what I would do. You could also expand upon this and create a new
domain that has a specific purpose for this classroom environment. The
domain would have nothing to do with the rest of the network. Then you
can eliminate the communal user, still manage all workstations within the
isolated domain and provide the highest level of security to the rest of the
network. You would also be under the protection of the ADS server should
anything go bad to where you had to push out new images to the workstations.



My two cents,

Edwin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of David Aragon
Sent: Thursday, November 03, 2005
8:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Limiting
User Logon to Specific Machines





Joe,



I agree, it would be impossible to block
all avenues, but I don't think that would be necessary. The users we are
concerned with are inexperienced students (hence the need for the class) who,
as students will often do, find it easier to logon with a communal account than
with their own (the latter requires they remember their password, which is a
new experience for many of them - we get between 450 and 600 requests a week to
reset passwords because a lot of students can't remember what password
they set the previous day). We are trying to prevent them from using the
communal user everywhere except on the 250 lab computers, especially because
they are not authorized to use any other system on campus until they complete
the class.



I like the idea of using a logon
script. That might be doable, as all the machines in the lab have the
same prefix. And while I can't speak for others, I for one would be very
interested to get a copy of the tool/script you described.

Thank you for the assistance.



David Aragon 

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, November 03, 2005
3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Limiting
User Logon to Specific Machines

Use a logon script. 

Nothing you do can prevent all mechanisms that
could be used to use the ID (i.e. runas or look-a-likes, net use /user, etc)
and the fact that you are targeting one single ID says to me logon script
for that one ID. Have it look for something on the machine or the machine name
itself and if it doesn't find it, it immediately logs back off. 

I actually wrote a Quick Logoff tool back in
like 2001 (called qlogoff) that is specifically for getting people logged off
of a machine quickly if they shouldn't be there. I used it for logon scripts
used by domain admin IDs, anytime they tried to log onto workstations
interactively they got booted right back off. Obviously it could be overridden
since they were DAs but it served as a gentle reminder of proper use of the ID.
I wanted to expand it to trying to interactively log onto any machine that
wasn't a DC. If I ran an environment in the future with the RODCs and had
delegated the ability to administrate one of the RODCs to a local admin I
certainly would make sure domain admins couldn't log into those machines

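The logon-script approach joe describes above, as an added example that is not part of the thread and is not his qlogoff tool (which is not on this page). It is editor-supplied PowerShell and assumes a communal account called labuser, lab workstations named with the prefix LAB, a marker file that the lab image drops on disk, and an audit share the account can append to; all of those names and paths are placeholders. It is meant to be assigned as the logon script of that one account only, so nobody else ever runs it.

```powershell
# Added example (editor's, not from the thread). Assumes: communal account 'labuser',
# lab machines named LAB*, a marker file placed by the lab image, and an audit share.
# Assign it as the logon script of the communal account only.

$AllowedPrefix = 'LAB'                                  # assumed lab naming convention
$MarkerFile    = 'C:\ProgramData\LabRoom.marker'        # assumed, created by the lab image
$AuditLog      = '\\fileserver\labaudit$\logons.csv'    # assumed share the account can append to

function Test-LabWorkstation {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Marker       = $MarkerFile
    )
    # Require both: the name prefix (cheap to check, but trivially faked by renaming a PC)
    # and the marker file (only present on machines built from the lab image).
    return ($ComputerName -like "$AllowedPrefix*") -and (Test-Path -LiteralPath $Marker)
}

function Invoke-LabLogonCheck {
    if (Test-LabWorkstation) { return $true }

    # Record the attempt first; an unreachable share must not stop the logoff.
    try {
        '{0},{1},{2},{3}' -f (Get-Date -Format o), $env:USERDOMAIN, $env:USERNAME, $env:COMPUTERNAME |
            Add-Content -LiteralPath $AuditLog -ErrorAction Stop
    } catch { }

    # /l logs off the current session, /f closes applications without prompting,
    # so the user is out before the desktop has finished loading.
    Start-Process -FilePath "$env:SystemRoot\System32\shutdown.exe" -ArgumentList '/l', '/f'
    return $false
}

Invoke-LabLogonCheck | Out-Null
```

Logon scripts only run at interactive logon, so, as joe says, this does nothing against runas or net use /user:; treat it as a nudge plus an audit trail rather than an access control. The built-in control for the same goal is the account's "Log On To" list (the userWorkstations attribute), which the domain controller enforces however the logon is attempted; it is a single comma-separated string with a length limit, which is what makes a long list of lab machines awkward there.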
[ActiveDir] DNS Forwarding

2005-10-27 Thread Edwin

Is it possible within MSFT DNS to only accept DNS forwards
from internal requests?



Please consider the fact that a domain may not always be
configured to look at internal DNS servers only. Also, it is not required
for a domain to be used when DNS services are required. DNS may be
configured on a machine that is for either internal or external use or both.



If this is possible, this will help with DNS Smurfing
attacks that could affect a network.



If you haven't read it already, you may find the
information in the URL http://www.measurement-factory.com/press/20051024.html
useful. This article brings me to my question about preventing external
DNS forwards.

Thanks,

Edwin 

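Edwin's question above is about refusing recursion to anyone who is not an internal client. The following is an added example, not part of the thread, showing how that is done with the DNS policy cmdlets in current Windows Server (2016 and later). It assumes placeholder internal ranges and an upstream forwarder, and that it runs elevated on the DNS server itself.

```powershell
# Added example (editor's, not from the thread). Assumes Windows Server 2016 or later
# (DnsServer module with DNS policies); ranges and forwarder below are placeholders.

$InternalRanges = @('10.0.0.0/8', '192.168.0.0/16')   # assumed internal client ranges
$Forwarder      = '203.0.113.53'                      # assumed upstream resolver

# 1. Name the set of addresses that count as "internal".
Add-DnsServerClientSubnet -Name 'InternalClients' -IPv4Subnet $InternalRanges

# 2. A recursion scope that does recurse (and forwards) for those clients.
Add-DnsServerRecursionScope -Name 'InternalRecursion' -EnableRecursion $true -Forwarder $Forwarder

# 3. Policy: queries arriving from the internal subnet are served from that scope.
Add-DnsServerQueryResolutionPolicy -Name 'RecurseForInternalOnly' `
    -Action ALLOW -ApplyOnRecursion -RecursionScope 'InternalRecursion' `
    -ClientSubnet 'EQ,InternalClients'

# 4. Only now turn recursion off in the default scope ('.'), which everyone else gets.
#    The server still answers authoritatively for the zones it hosts (AD, any public
#    zone), it just will not chase third-party names for strangers, which is what
#    makes an open resolver useful as an amplifier.
Set-DnsServerRecursionScope -Name '.' -EnableRecursion $false

# 5. Review what is now in force.
Get-DnsServerRecursionScope
Get-DnsServerQueryResolutionPolicy
```

On the Windows 2003 servers the thread is about there is no per-client switch: the only knob is "Disable recursion (also disables forwarders)" on the server's Advanced tab (dnscmd /Config /NoRecursion 1), which stops the server resolving anything outside its own zones for everybody, internal clients included. That is why the usual arrangement was two servers, an internal recursive one and an Internet-facing authoritative one with recursion off.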







[ActiveDir] Geographic Domain Setup

2005-10-24 Thread Edwin

Hello Everyone.



The company that I work for has been divided into two isolated
parts. As a result the corporate domain that is used will also need to be
divided. The employees of the old domain will remain in their place while
others will be put into a new domain. One domain will have nothing to do
with the other. I have been tasked with heading the creation of a new
domain that will be used in different geographic locations;




 Atlanta, Georgia
 Miami, Florida
 Orlando, Florida
 Houston, Texas
 Fremont, California
 Vancouver, Canada




I have built a domain before but this was for one office of
less than 100 employees. This domain is of a much larger scale and more
complex. I have read a few MSFT articles and have a little bit of information
as to what I am getting myself into. I was hoping that I would be able to
get more information from the community in hopes of getting real life
experience knowledge rather than a document that outlines best practices.



When I built the single site domain I had the below
configuration that worked very well for me. I think that I am going to
create a similar if not exact root domain. I think that I am having
more problems considering the geographic issues that I will be facing.



2 Domain Controllers
 Both DNS Servers
 FSMO roles divided
 Both Global Catalogs
1 File Server
 Roaming Profiles
 Centralized Storage for User Files
1 Anti-Virus Server
1 WSUS Server
1 Exchange Server



Thank you all for your replies,

Edwin

RE: [ActiveDir] OT: Server With Hyperthreading/Multicore Licensing

2005-10-24 Thread Edwin

Microsoft Windows does not distinguish between
physical and logical processors.  Windows simply fills out the license limit using
the first processors counted by the BIOS.

http://www.microsoft.com/windows2000/server/evaluation/performance/reports/hyperthread.asp



SQL Server does not have this luxury.  SQL
Server counts each logical processor as an individual processor.  But you do not
need to obtain a separate license to be in compliance when using HTT.

http://www.microsoft.com/sql/howtobuy/SQLonHTT.doc



Edwin

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc A. Mapplebeck
Sent: Monday, October 24, 2005
10:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Server
With Hyperthreading/Multicore Licensing





Sorry for the OT post, I have a quick
question that one of my students asked and I am not sure myself of the correct
answer. How does a multithreaded processor affect licensing and server
abilities. What would happen if you had a quad CPU server, but the CPUs were
also hyperthreaded, effectively making it an 8 CPU system, could you use Server
2003 Standard, or would you need to get Enterprise?
How would this affect other server products with per-cpu licensing such as SQL.
And how about a CPU that is multi-core, 8 separate processes, 4 chips but with
8 CPU cores. Any help would be appreciated. - Marc

_-_-_-_-_-_-_-_-_-
-During times of universal deceit, telling the truth becomes a
revolutionary act. - George Orwell, 1984
_-_-_-_-_-_-_-_-_-
Marc A. Mapplebeck, MCP/MCDST/N+/A+/CNA
IT Manager, City Animal Hospital Ltd.
MCP#: 3146827
CompTIA#: COMP001002835054
[EMAIL PROTECTED]
[EMAIL PROTECTED]
_-_-_-_-_-_-_-_-_-
P: 506-471-7044
ICQ: 26743793
Yahoo!: mmapplebeck
MSN: [EMAIL PROTECTED]
_-_-_-_-_-_-_-_-_-
This e-mail communication (including any or all attachments) is intended only
for the use of the person or entity to which it is addressed and may contain
confidential and/or privileged material. If you are not the intended recipient
of this e-mail, any use, review, retransmission, distribution, dissemination,
copying, printing, or other use of, or taking of any action in reliance upon
this e-mail, is strictly prohibited. If you have received this e-mail in error,
please contact the sender and delete the original and any copy of this e-mail
and any printout thereof, immediately. Your co-operation is appreciated.


[ActiveDir] OT Maybe: Import GPO without Domain

2005-04-15 Thread Edwin

I am using VB.NET to create an application
that will configure the server from beginning to end without manual SysAdmin
intervention. Basically, once a server is installed, it must be
configured to our specifications.



I am aware of ADS and RIS and I am already
using these options. But in this particular case, it is not an option.



What I would like to do is import a GPO but
without the use of a domain. These machines need to be stand alone.
I can only import the Security Settings section of the GPO by
using secedit.exe



How can I import/export the Computer
Configuration and User Configuration sections?



Thanks,

Edwin

[ActiveDir] DHCP Conflicts

2005-04-11 Thread Edwin
Hello everyone.

There are about 50 machines in the office that I am in and occasionally I get 
complaints about IP Address conflicts where a machine tries to grab the IP Address 
of another machine.  This also happens for a computer that has a reservation 
assigned to it.

As for the reserved IP Address, when looking at the DHCP tables, it is modified 
to say
BAD_ADDRESS for its Reservation Name and This IP Address is already in use 
for its description.

In an attempt to try and correct the problem, I have deleted the leases on the 
DHCP server as well
as did a Reconcile.

Anyone experience this before?  How can I resolve this problem?

Thanks,
Edwin



RE: [ActiveDir] DHCP Conflicts

2005-04-11 Thread Edwin
There is only 1 DHCP server which also acts as a DC.

The reserved IP Address is NOT excluded from the scope.  That will hopefully
correct that problem once I update the settings.  How about the other
occasional conflicts with other IP's?  What could be a cause for those IP's?

Thanks,
Edwin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Monday, April 11, 2005 8:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DHCP Conflicts

You could implement Conflict Detection (right click server name in DHCP
MMC -- properties -- advanced TAB). This should however only be used when
two or more DHCP servers can assign the same set of available IP addresses.
Before the IP address is assigned the DHCP server checks if it already has been
assigned.

Is the reservation excluded from the scope? If you have reservations exclude
the reservations from the scope!

Jorge



This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] Push GPO's to become Local Policies

2005-01-19 Thread Edwin

On our domain we have 2 Win2K3 Standard Edition Domain
Controllers and around 30 Win2K Pro Domain Members. All of the member
machines have a default configuration of Services, Security Settings
and other related areas. These areas are then updated by GPOs
defined by the Domain.



For a while now, I have been paying attention to how long it
takes for a machine to reboot and become ready for use. The time it takes
is not something to cause great concern, but I would like to do something about
it.



If I could get the configurations defined within the
GPOs to become local policies then I am sure that the machine would
become ready for use much faster. This is because the server would
already have the configuration needed, as defined by GPO, which should return a
simple check versus a check and modify of settings.



So here is my question. How can I make those settings
become local policies on each workstation without visiting each machine?



Thank you all for your replies.



Edwin

[ActiveDir] How do I push Domain Policies as Local Policies?

2005-01-18 Thread Edwin

Hello Everyone!



On our domain we have 2 Win2K3 Standard Edition Domain
Controllers and around 30 Win2K Pro Domain Members. All of the member machines
have a default configuration of Services, Security Settings and other
related areas. These areas are then updated by GPOs defined by the
Domain.



For a while now, I have been paying attention to how long it
takes for a machine to reboot and become ready for use. The time it takes is
not something to cause great concern, but I would like to do something about
it.



If I could get the configurations defined within the GPOs
to become local policies then I am sure that the machine would become ready for
use much faster. This is because the server would already have the
configuration needed, as defined by GPO, which should return a simple check versus
a check and modify of settings.



So here is my question. How can I make those settings
become local policies on each workstation without visiting each machine?



Thank you all for your replies.



Edwin

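Edwin's three posts above (importing a GPO on a stand-alone machine, and pushing the domain policies into local policy on the workstations) stop at the same point: secedit covers only the Security Settings part. This added example, not from the thread, shows one way to carry the Computer and User Configuration halves across as well, using Microsoft's LGPO.exe (from the Security Compliance Toolkit) to import a GPO backup into Local Group Policy. Assumed, and all placeholders: the Group Policy cmdlets on the admin box, LGPO.exe at C:\Tools, a GPO named 'Workstation Baseline', and a target named ws01 reachable over PowerShell remoting and its admin share (a stand-alone box needs TrustedHosts or an HTTPS listener set up first).

```powershell
# Added example (editor's, not from the thread). Assumes: Group Policy cmdlets (GPMC/RSAT)
# locally, LGPO.exe from Microsoft's Security Compliance Toolkit at C:\Tools, a GPO named
# 'Workstation Baseline', and PowerShell remoting to the target 'ws01'.

$GpoName     = 'Workstation Baseline'      # assumed source GPO
$ExportRoot  = 'C:\GpoExport'              # local staging folder
$Target      = 'ws01'                      # assumed target computer
$TargetStage = "\\$Target\C$\Staging"      # assumed admin share on the target

# 1. Export the domain GPO. The backup holds both halves: Computer and User
#    Configuration (registry.pol), the security template (GptTmpl.inf) and scripts.
New-Item -ItemType Directory -Path $ExportRoot -Force | Out-Null
Backup-GPO -Name $GpoName -Path $ExportRoot | Out-Null

# 2. Stage the backup and the tool on the target.
New-Item -ItemType Directory -Path $TargetStage -Force | Out-Null
Copy-Item -Path $ExportRoot -Destination $TargetStage -Recurse -Force
Copy-Item -Path 'C:\Tools\LGPO.exe' -Destination $TargetStage -Force

# 3. Apply on the target. LGPO /g imports every GPO backup found under the path
#    into Local Group Policy, including the .inf (it runs secedit for that part).
Invoke-Command -ComputerName $Target -ScriptBlock {
    Set-Location -Path 'C:\Staging'
    & '.\LGPO.exe' /g '.\GpoExport' /v     # /v = verbose
    gpupdate.exe /force
    # Export the resulting local policy so it can be compared with the original backup.
    & '.\LGPO.exe' /b 'C:\Staging\LocalAfter'
}
```

On a domain member the domain GPOs are still processed on top of the local policy and take precedence where they conflict, so the local copy is a baseline for stand-alone machines rather than a replacement for the domain policies. The LGPO /b export at the end gives a second backup to diff against the original so you can confirm nothing was dropped on import.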







RE: [ActiveDir] Domain Name and DNS Problems

2004-12-16 Thread Edwin




It looks like I am just going to have to deal with the DNS problem as it is. I can perform the upgrade as easy as it sounds but I have never done one before. I don't mind jumping in and doing the work but I don't think my superiors will let me. I know that I can set up a test environment to at least get me familiar with the process for the first time but I am sure that it will be deemed too risky by those who will make the ultimate decision of moving on with this or not.

Aside from that there are licensing issues with the latest version of Exchange. I don't think that the money will be invested in the upgrade.

One lesson definitely learned is NEVER to use your already in use domain again for Active Directory. I guess next time management should have sent me to training instead of me having to come up with a solution on my own.

Thank you all for your assistance.

Edwin


On Thu, 2004-12-16 at 14:58 +0100, Jorge de Almeida Pinto wrote:

and be sure to have recovery procedure im place (up-to-date and tested) for your AD forest if something goes wrong!
regards
jorge




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, December 14, 2004 20:01
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Name and DNS Problems



Edwin,



You could theoretically upgrade your Exchange server to E2K3 followed by an upgrade of the OS to W2K3. At this point, even with the W2K Pro systems, you could perform a domain rename assuming your forest has a functional level of (2) Windows Server 2003 as a fix now exists for E2K3. Keep in mind that the domain rename process is not for the faint of heart and you should dedicate an entire weekend to it for your relatively small environment, just in case. Also be sure and read through the approx. 90 page white paper regarding the rename process.



Aside from that, you are doing what many other organizations do when a split-brain DNS is implemented.



Regards,



Aric







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Tuesday, December 14, 2004 10:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Name and DNS Problems




That is why I mentioned the Perl script that is used. That is exactly what it does. But this is not what I would like to see. I would like for our internal AD DNS to only host records for our internal systems and forward any other unresolved requests.


On Tue, 2004-12-14 at 09:29 -0500, Salandra, Justin A. wrote:



Why don't you just duplicate the records in the public DNS zone to the private zone. That is what I do since both my internal and external namespaces are the same.



RE: [ActiveDir] Domain Name and DNS Problems

2004-12-14 Thread Edwin




That is why I mentioned the Perl script that is used. That is exactly what it does. But this is not what I would like to see. I would like for our internal AD DNS to only host records for our internal systems and forward any other unresolved requests.


On Tue, 2004-12-14 at 09:29 -0500, Salandra, Justin A. wrote:

Why don't you just duplicate the records in the public DNS zone to the private zone. That is what I do since both my internal and external namespaces are the same.



[ActiveDir] Domain Name and DNS Problems

2004-12-13 Thread Edwin




Hello Everyone. I have an ongoing problem and would like to get some assistance please.

The domain that I am currently responsible for is the first domain that I have ever configured. As a result there was a lot of trial and error and most things were resolved but there remains this one problem that still lingers. I will try to explain as best as I can the scenario.

I work for a company (mycompany.net) and we host many web servers out on the public Internet. Our servers follow a naming scheme that is dependent on the type of OS or special purpose for that server. i.e. w39322.mycompany.net for Windows Web Servers and l23841.mycompany.net for Linux servers. There are other naming conventions that are not important for this topic.

Throughout the every day work environment we are constantly accessing these servers for trouble shooting, investigations or other general use. The web servers are authoritative to public name servers ns1.mycompany.net and ns2.mycompany.net

When the domain was put online within our internal network, I used mycompany.net as the domain name. I also have DNS services for the domain on one of the DCs. Since I have named our internal domain the same as our public domain, we ran into problems where we were no longer able to connect to our web servers on the Internet. As a workaround solution we wrote a Perl script that goes out to our public name servers and reads the mycompany.net zone and grabs any information that it does not have. The data is then written to a text file that then runs DNSCMD to import the data into the DC's DNS zone for mycompany.net

This is okay but still problematic and ultimately not the solution that I would like to have.

Our domain consists of:

1. 2 Win2K3 Standard DC's
2. 1 Win2K3 Standard File Server
3. 1 Win2K Exchange Server with Exchange 2000
4. Win2K Professional Workstations

From what I understand Win2K3 has a new feature that will allow for you to change the domain name of an already configured network. But this will not apply to me since I have Win2K Pro Clients and an Exchange 2K Server.

We do have an internal name server but it is a caching name server for the authoritative public name server. It is my understanding that AD requires for the nameserver to be authoritative for the domain and support SRV records. SRV records are not a problem but the authoritative part is since our public name server holds that role and it is not able to be changed. Also, to make the server authoritative would mean that our internal systems could be known by the public Internet.

Can anyone offer any suggestions to overcome this problem? Ultimately, what I would like to have done is for the mycompany.net zone on the AD DNS Server only to contain entries for our internal network. Any requests not resolved by the AD DNS server then get forwarded to the public name server. This would allow me to then clean up the zone for the AD DNS server and still have the functionality that we require.

Is this possible?

Thank you all for your replies.

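The reconciliation the Perl script above performs, as an added Python example that is not the poster's script: it parses a BIND-style dump of the public mycompany.net zone and of the AD zone (constructed sample records below, using documentation addresses), lists the public records the AD zone lacks, and emits the equivalent `dnscmd /RecordAdd` lines. It deliberately skips NS and SOA records and any name the AD zone already defines, so an internal host such as the Exchange server keeps its internal address; the dump format and the helper names are assumptions of this example.

```python
"""
Reconcile the public mycompany.net zone into the AD-integrated copy.

Added example, not the poster's Perl script. It assumes the public zone was
dumped (for instance by a zone transfer from ns1.mycompany.net) into
BIND-style 'name ttl IN type data' lines; the records below are constructed
samples using documentation addresses.
"""
from typing import List, Set, Tuple

ZONE = "mycompany.net"
Record = Tuple[str, str, str]  # (name relative to the zone, RR type, RR data)

# Only the record types a public web server needs to be reachable by.
# NS and SOA are never mirrored: importing them into the AD zone would
# point internal clients back at the public servers.
MIRRORED_TYPES = {"A", "AAAA", "CNAME", "MX"}


def relative_name(fqdn: str) -> str:
    """'w39322.mycompany.net.' -> 'w39322'; the zone apex becomes '@'."""
    fqdn = fqdn.rstrip(".").lower()
    if fqdn == ZONE:
        return "@"
    suffix = "." + ZONE
    return fqdn[: -len(suffix)] if fqdn.endswith(suffix) else fqdn


def parse_zone_dump(text: str) -> Set[Record]:
    """Parse 'name [ttl] [IN] type data' lines; ';' starts a comment."""
    records: Set[Record] = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        name, *rest = line.split()
        if rest and rest[0].isdigit():        # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        if len(rest) < 2:                     # malformed line, skip it
            continue
        rtype, data = rest[0].upper(), " ".join(rest[1:])
        records.add((relative_name(name), rtype, data))
    return records


def missing_records(public: Set[Record], internal: Set[Record]) -> List[Record]:
    """Public records the AD zone lacks.

    A name the AD zone already defines for the same type is left alone:
    the internal 'mail' A record must not gain the public address as a
    second answer, or internal clients would start talking to the
    Internet-facing host. Existing names are retired by hand, never here.
    """
    defined = {(name, rtype) for name, rtype, _ in internal}
    return sorted(
        rec for rec in public
        if rec[1] in MIRRORED_TYPES and (rec[0], rec[1]) not in defined
    )


def dnscmd_commands(records: List[Record], server: str = "") -> List[str]:
    """One 'dnscmd /RecordAdd' line per record, ready for a batch file."""
    prefix = f"dnscmd {server} /RecordAdd" if server else "dnscmd /RecordAdd"
    return [f"{prefix} {ZONE} {name} {rtype} {data}" for name, rtype, data in records]


# Constructed dump of the public zone (203.0.113.0/24 is documentation space).
PUBLIC_ZONE_DUMP = """
mycompany.net.        3600 IN SOA   ns1.mycompany.net. hostmaster.mycompany.net. 2004120201 3600 900 604800 300
mycompany.net.        3600 IN NS    ns1.mycompany.net.
mycompany.net.        3600 IN NS    ns2.mycompany.net.
mycompany.net.        3600 IN MX    10 mail.mycompany.net.
w39322.mycompany.net. 3600 IN A     203.0.113.10
l23841.mycompany.net. 3600 IN A     203.0.113.11
www.mycompany.net.    3600 IN CNAME w39322.mycompany.net.
mail.mycompany.net.   3600 IN A     203.0.113.20
"""

# Constructed dump of what the AD DNS zone already holds.
INTERNAL_ZONE_DUMP = """
dc1.mycompany.net.    600 IN A 10.0.0.1
mail.mycompany.net.   600 IN A 10.0.0.5      ; internal Exchange address, keep it
l23841.mycompany.net. 600 IN A 203.0.113.11  ; imported on an earlier run
"""


def build_import(server: str = "") -> List[str]:
    """The dnscmd batch the poster's script would write for the samples."""
    public = parse_zone_dump(PUBLIC_ZONE_DUMP)
    internal = parse_zone_dump(INTERNAL_ZONE_DUMP)
    return dnscmd_commands(missing_records(public, internal), server)


if __name__ == "__main__":
    print("\n".join(build_import()))
```
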
[ActiveDir] Recycle Bin not being used.

2004-12-02 Thread Edwin

Is it possible to have the Recycle Bin used when roaming
profiles are used? I am assuming that files are being deleted just as they
would when you delete a file across the network via a UNC, which is basically what
a roaming profile path is.

How can I get use of the Recycle Bin?

[ActiveDir] Roaming Profiles and DFS

2004-11-24 Thread Edwin

Last week I sent the below question to this thread. I
apologize for having to resend it but my mail server experienced problems and I
am not sure if there were any replies to my question. If there were any posts
to my question, would someone please resubmit it to the list so that I can read
it? Below is what I previously wrote.

Thank you.

Edwin

Currently I am working in a test environment with 2 Win2K3 DCs and 1 Win2K3 member
server (all Standard Edition). The member server is intended to be a file
server where users' roaming profiles are stored. Our production
environment has this same exact setup.

The reason why I want to use DFS is because the user profiles are stored on a single IDE
drive. The company did not want to spend more money on RAID. Before
you ask, yes, the OS is RAIDed. It is just the IDE drive I
am immediately concerned about.

In the test environment I set up DFS and all appears to be good. Now I create a user
and set up the profile to point to the path \\ad.testdomain.com\sharedfiles$\%username%
where \\ad.testdomain.com\sharedfiles$\
is the DFS root that I established.

When I attempt to log in, I am presented with an error message stating that the default profile
will be used and any changes made to the profile will be lost because
permission is denied.

My question is whether this is the way that DFS is intended to be. From what I gather, I am only
able to write to the DFS root of the file server if I call the machine
directly, i.e. \\testserver\sharedfiles$, and have replication take over from
there. Shouldn't I be able to write to the DFS root directly?

Thank you all for your responses.

Edwin

RE: [ActiveDir] Roaming Profiles and DFS

2004-11-24 Thread Edwin

Thank you guys for your quick responses.
This list rocks!

I have noticed problems with DFS and
roaming profiles on the test domain that I have but I wasn't sure if it
was because of my lack of knowledge.

As of now, I am beginning to use RoboCopy
to where I will have the job run every 3 hours or maybe 6 hours. On the test
domain, it looks good so far and I am about to begin using it on the production
domain if I do not hear any objections.

I was possibly thinking of having it run
as part of a log off script.

Would there be any objections to using
RoboCopy?

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, November 24, 2004
8:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Roaming
Profiles and DFS

Hi,

See also

http://www.microsoft.com/windowsserver2003/techinfo/overview/dfsfaq.mspx

Here they also
advise against using roaming profiles with DFS. It is also not supported.

Regards,

Jorge

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: woensdag 24 november 2004
14:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Roaming
Profiles and DFS

All I can add is putting our roaming
profiles on DFS was a nightmare and I have gone back to not having it on
DFS. I now use %variables% instead.


RE: [ActiveDir] Roaming Profiles and DFS

2004-11-24 Thread Edwin

Todd, I want to have Robocopy copy the
files from the single IDE drive found on the file server to the single IDE drive
found on each of the domain controllers.

Lara, I have never really had a use for
Robocopy until now. I tested it and it worked great! The fact that it copies
over ACLs is great! I have a scheduled job set to run every 3 hours on
both of the DCs to connect to a UNC path, which is where the file server
is.

Now in the event that the file server
goes down where the users' roaming profiles are stored, I can just highlight a
bunch of users and update their paths all at once to the new location. I wasn't
aware of DFS and user profile problems except for the problems that I was
having with them. I think using Robocopy is my best solution so far.

Thank you everyone for your replies.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lara, Greg
Sent: Wednesday, November 24, 2004
9:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Roaming
Profiles and DFS

Robocopy is excellent, I've used it in
many circumstances. The only problem you might find with running it from a
logoff script is the extra time it will take the PC to shut down or log off.
I'd run it regularly on the server, making sure you're only mirroring newer
documents.

Greg

RE: [ActiveDir] Netlogon won't start

2004-11-16 Thread Edwin

I had a similar problem in the past.
Have you tried logging into the local administrator account? Then you
could set the Net Logon service to Automatic within the Services Snap-In and
then attempt to log into the domain after a server reboot. I did this in
the past and everything was good after.

Of course you do not have physical access
to the machine so you will have to ask your buddy again for assistance.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, November 16, 2004
8:03 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Netlogon
won't start

I have a box
which is god knows where - not even mine - doing some work for
somebody - thus don't have access to it physically. I was
dcpromoing it down to a member server over a VPN when I lost my DSL line
for a few. When the connection came back up I couldn't log back in b/c
dcpromo had of course stopped netlogon. I had someone bounce the box, but,
netlogon still hasn't started so I still can't get into it.

Computer
Manager won't connect b/c of netlogon so I can't look at eventvwr. Any
ideas on how to get this thing so I can log into it?

Thanks.

--Brian
Desmond

[EMAIL PROTECTED]

Payton on the
web! www.wpcp.org

v - 773.534.0034 x135

f - 773.534.8101

RE: [ActiveDir] Netlogon won't start

2004-11-16 Thread Edwin
VNC'ing to a machine is no different than connecting to the machine via
pcAnywhere, RDP or the local desktop except to say that it allows a remote
connection.  During login, you must differentiate between a domain account
login and the local system login regardless of what method is used to
connect to the machine.

If you do not have your domain listed in the drop down menu, I would think
that maybe there is a DNS problem.  The Net Logon service relies on DNS to
authenticate to the domain.

If you can connect to the local system account, then I would probably check
which name server the NIC was looking at and verify its setting with the
domain controller's configured DNS server.  I would also double check that
the Net Logon service was set to automatic.  In my opinion, you already have
a messed up machine.  This may cause problems in the future. You may want to
have your buddy try another dcpromo but this time to uninstall the
configuring of a domain, reboot and then start over.

You shouldn’t have a problem logging in with the local system account of the
machine.  If so, I would probably consider F8 during startup and using the
last known configuration.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, November 16, 2004 10:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Netlogon won't start

I just VNC'ed the box - equivalent to local logon. It has a log on to
dropdown - the dropdown is empty though, no local machine name or domain -
when you click the down arrow it just sorta sits there. Still whines about
netlogon not being started.

Thanks.
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: Tuesday, November 16, 2004 9:33 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Netlogon won't start
 
 Yes. Local logon should still work.
 
 
 Sincerely,
 
 Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
 Microsoft MVP - Directory Services
 www.readymaids.com - we know IT
 www.akomolafe.com
 Do you now realize that Today is the Tomorrow you were worried about
 Yesterday?  -anon
 
 
 
 From: [EMAIL PROTECTED] on behalf of Brian Desmond
 Sent: Tue 11/16/2004 6:51 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] Netlogon won't start
 
 
 
 Well it's a member server in a workgroup so the only account is the local
 admin account. Are you saying that this error will not be an issue if someone
 tries to log on at the console rather than via TS?

 Thanks.

 --Brian Desmond

 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

 Payton on the web! www.wpcp.org http://www.wpcp.org

 v - 773.534.0034 x135

 f - 773.534.8101

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



[ActiveDir] DFS and Existing FileShare

2004-11-10 Thread Edwin

In our domain we have users with roaming
profiles. I would like to use DFS for redundancy and performance.

I know that when DFS is initially
configured, it creates a share pointing to the DFS root. Does anyone see
any problem with configuring a DFS root to an existing share? The
sharename is hidden with a $.

Does anyone know what will happen if I
decide to remove the DFS root should I make a mistake and decide to start
over? Will roaming profiles be broken, or will there be any other problems, since I am
using an existing share?

I set up DFS once and it was a bit
confusing to set up last time. I hope not to have problems again but I of
course want to cover all of my bases.

Thank you for your replies.

[ActiveDir] Prohibiting Java Applets

2004-10-11 Thread Edwin

Is it possible to block all Java Applets from running on a
domain except for those applets that are approved? If so, how?

Thank you for your replies,

Edwin

[ActiveDir] Unauthorized Java Applets

2004-10-05 Thread Edwin

Is there a way via GPO to disable only certain Java
Applets? Or better yet, only approve specific ones? I know that I can disable
Java within IE but certain everyday tasks depend on Java Applets, specifically the
time clock.

We have several people here that are using, for example, the
Java based version of AOL Instant Messenger. Of course management shouldn't
have to tell them this but as we all know, some people learn things the hard
way.

Thank you for your replies,

Edwin

RE: [ActiveDir] Exchange Authentication and WinXP Workstations

2004-09-22 Thread Edwin

No. XP SP2 is not installed on these
machines. This has been a long standing issue even before XP SP2 was
officially released.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Tuesday, September 21, 2004
8:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange
Authentication and WinXP Workstations

Do the XP clients have SP2 on them?
If so perhaps there is something in the Windows Firewall that is blocking the
connection when connecting thru a public network?

Just a thought.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Edwin
Sent: Tuesday, September 21, 2004
3:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange
Authentication and WinXP Workstations

Why would this only affect XP
clients? I do not have the same problem when using Win2K Pro clients from
the outside network.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, September 21, 2004
2:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange
Authentication and WinXP Workstations

The problem is you are using two totally
separate DNS, not to mention you probably have a firewall between you
and the Exchange server when on the public network... unless I got totally
lost reading this :)

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Tuesday, September 21, 2004
2:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange
Authentication and WinXP Workstations

I created this thread a while ago but
something came up that took priority over this question. I would
appreciate it if I could continue to get help on this topic.

"For the first user, I assume then that you realize the answer
right?"

No, I do not know the answer to this. Could you share this
information with me?

I do have Audit Logging enabled, but assuming that I am not overlooking
anything, I do not see anything of relevance in the messages. Is there
something in specific that I should be looking for?

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, September 09, 2004
11:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange
Authentication and WinXP Workstations

For the first user, I assume then that you
realize the answer right?

For the other users, see below for
questions relating to the scope and steps so far taken. Add software in
use to find out what's different about those 2K workstations that have a
problem.

Al

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Thursday, September 09, 2004
11:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange
Authentication and WinXP Workstations

I was informed of this problem today and
it is with a certain individual who uses their laptop on the public
network. When he uses that same laptop from within the network all is
buttery!

In a totally separate event that I was
looking into, I noticed that some people were getting the same error.
These workstations have Win2K Pro installed and are on a Win2K3 domain.
If the user within the domain hits the RETRY button, it works.

I myself am operating under the same GPOs
and other related settings as the person who is getting the RETRY prompt from
within the network but I do not get that error from my workstation.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Mulnick, Al
Sent: Thursday, September 09, 2004
9:16 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange
Authentication and WinXP Workstations

That depends.

What's the entire scope of the
problem? One machine? Three machines? All machines? That
makes a big difference for the solution that needs to be used.

What gets logged on the domain controller
when you attempt this (assuming you have audit logging enabled)?

What happens on the wire during the
attempts? Network trace?

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Thursday, September 09, 2004
8:57 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exchange
Authentication and WinXP Workstations

Recently I was informed that users attempting to connect to
our Exchange server when using WinXP are experiencing troubles. The error
is that it cannot connect to the Exchange server.

I do not see any errors on the client XP machine or on the
Exchange server itself.

For some reason I am able to open the Mail application
within the Control Panel and successfully connect and authenticate to the
Exchange server. But when you do a Check Name the error is
returned that it could not connect.

I found an article on Microsoft's site but it seems a bit
extreme.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;255843

Has anyone else encountered this? Was there an
alternate solution?

Thank you all for your replies.

Edwin

RE: [ActiveDir] Exchange Authentication and WinXP Workstations

2004-09-21 Thread Edwin

I created this thread a while ago but
something came up that took priority over this question. I would appreciate it
if I could continue to get help on this topic.

"For the first user, I assume then that you realize the answer
right?"

No, I do not know the answer to this. Could you share this information
with me?

I do have Audit Logging enabled, but assuming that I am not overlooking
anything, I do not see anything of relevance in the messages. Is there
something in specific that I should be looking for?


RE: [ActiveDir] Exchange Authentication and WinXP Workstations

2004-09-21 Thread Edwin

Why would this only affect XP clients?
I do not have the same problem when using Win2K Pro clients from the outside
network.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, September 21, 2004
2:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange
Authentication and WinXP Workstations





The problem is you are using two totally
separate DNS , not to mention you probably have a firewall between you
and the Exchange server when on the public networkunless I got totally
lost reading thisJ













From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Tuesday, September 21, 2004
2:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange
Authentication and WinXP Workstations





I created this thread a while ago but
something came up that took priority over this question. I would
appreciate it if I could continue to get help on this topic.



For the first user, I assume then that you realize the answer
right?

No, I do not know the answer to this. Could you share this
information with me?



I do have Audit Logging enabled, but assuming that I am not overlooking
anything, I do not see anything of relevance in the messages. Is there
something in specific that I should be looking for?











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, September 09, 2004
11:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange
Authentication and WinXP Workstations





For the first user, I assume then that you
realize the answer right?



For the other users, see below for
questions relating to the scope and steps so far taken. Add software in
use to find out what's different about those 2K workstations that have a
problem.



Al













From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Thursday, September 09, 2004
11:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange
Authentication and WinXP Workstations

I was informed of this problem today and
it is with a certain individual who uses their laptop on the public
network. When he uses that same laptop from within the network all is
buttery!



In a totally separate event that I was
looking into, I noticed that some people were getting the same error.
These workstations have Win2K Pro installed and are on a Win2K3 domain.
If the user within the domain hit the RETRY button, it works.



I myself am operating under the same GPO's
and other related settings as the person who is getting the RETRY prompt from
within the network but I do not get that error from my workstation.











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Mulnick, Al
Sent: Thursday, September 09, 2004
9:16 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange
Authentication and WinXP Workstations





That depends. 

What's the entire scope of the
problem? One machine? Three machines? All machines? That
makes a big difference for the solution that needs to be used.



What gets logged on the domain controller
when you attempt this (assuming you have audit logging enabled)? 



What happens on the wire during the
attempts? Network trace?









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Thursday, September 09, 2004
8:57 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exchange
Authentication and WinXP Workstations

Recently I was informed that users attempting to connect to
our Exchange server when using WinXP are experiencing troubles. The error
is that it cannot connect to the exchange server.



I do not see any errors on the client XP machine or on the
Exchange server itself.



For some reason I am able to open the MAIL application
within the control panel and successfully connect and authenticate to the
Exchange server. But when you do a Check Name the error is
returned that it could not connect.



I found an article on Microsoft's site but it seems a bit
extreme.



http://support.microsoft.com/default.aspx?scid=kb;EN-US;255843



Has anyone else encountered this? Was there an
alternate solution?



Thank you all for your replies.



Edwin


[ActiveDir] Unauthorized DHCP Requests

2004-09-09 Thread Edwin


Our domain is using a Win2K3 server which is also a domain
controller as its DHCP solution. Often I look at the DHCP tables and notice
that there are unauthorized machines that connect to our network. This seems
to occur from employees who bring in their laptop during the weekend when the
workload is light and management does not have as much a presence.



The workstations within the domain all follow a naming
scheme. For example, ORL-RM3-204-2, which means the server is located in Orlando, physically
located in Room 3, desk number 204, and the number of times that particular
workstation has been replaced.



So if I see a workstation in the DHCP tables that does not
follow that naming scheme, then I know that something else has managed to get
an IP Address from the network.



Is there a way to prevent unauthorized machines from
retrieving an IP address? If so, is there also a way to make an exception to
the rule should a non-standard naming convention machine require authorized
access to the network?



Thank you all for your replies.



Edwin
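A check of the kind described above, written as an added example rather than anything from the thread: it scans constructed lease rows for hostnames outside the ORL-RM<room>-<desk>-<count> scheme and grants exceptions by MAC address, since the hostname in a lease is whatever the client chose to send. The three-letter site code, the sample rows and the exception list are assumptions made for the example.

```python
"""Flag DHCP leases whose hostname falls outside the site naming scheme.

Added example, not a script from the thread.  It reads constructed lease
rows (hostname, IP, MAC) of the kind shown in the DHCP console and assumes
the scheme SITE-RM<room>-<desk>-<replacement count> from the post
(ORL-RM3-204-2).  Exceptions are keyed by MAC address rather than by
name, because a lease's hostname is simply what the client sent in DHCP
option 12 and proves nothing by itself.
"""

import re
from dataclasses import dataclass
from typing import List, Tuple

# Three-letter site code, room, desk, replacement count.  The post only shows
# the ORL site; accepting any three-letter code is an assumption so the check
# generalises to other offices.
NAMING_SCHEME = re.compile(r"^[A-Z]{3}-RM\d+-\d+-\d+$", re.IGNORECASE)

# Constructed exception list: machines authorised despite a non-standard
# name, keyed by MAC address (upper-case, dash separated).
AUTHORISED_MACS = {
    "00-11-22-33-44-55": "vendor demo laptop, approved by management",
}

# Constructed lease rows in 'hostname ip mac' form.
SAMPLE_LEASES = """
# hostname        ip            mac
ORL-RM3-204-2     10.1.3.20     00-0c-29-aa-bb-01
ORL-RM3-205-1     10.1.3.21     00-0c-29-aa-bb-02
orl-rm1-12-3      10.1.1.12     00-0c-29-aa-bb-03
DEMOBOX           10.1.3.50     00-11-22-33-44-55
JOHNS-LAPTOP      10.1.3.77     00-16-41-de-ad-01
"""


@dataclass(frozen=True)
class Lease:
    hostname: str
    ip: str
    mac: str


def parse_lease_table(text: str) -> List[Lease]:
    """Parse whitespace-separated rows; blank lines and '#' comments are skipped."""
    leases = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"unexpected lease row: {line!r}")
        hostname, ip, mac = parts
        leases.append(Lease(hostname, ip, mac.upper()))
    return leases


def conforms(hostname: str) -> bool:
    """True when the hostname follows the SITE-RM<room>-<desk>-<count> scheme."""
    return NAMING_SCHEME.match(hostname) is not None


def find_unauthorised(leases: List[Lease]) -> List[Tuple[Lease, str]]:
    """Return (lease, reason) for leases that neither follow the naming scheme
    nor belong to a MAC on the exception list.  A conforming name is accepted
    at face value; the check sorts leases for review, it does not block them."""
    findings = []
    for lease in leases:
        if conforms(lease.hostname):
            continue
        if lease.mac in AUTHORISED_MACS:
            continue
        findings.append((lease, "name outside scheme and MAC not on exception list"))
    return findings


def report(text: str = SAMPLE_LEASES) -> List[str]:
    """One line per finding, ready to hand to whoever follows up."""
    return [f"{lease.hostname} {lease.ip} {lease.mac}: {why}"
            for lease, why in find_unauthorised(parse_lease_table(text))]


if __name__ == "__main__":
    for line in report():
        print(line)
```

A name that matches the scheme is not proof of an authorised machine, and the check only sorts leases for review; it does not stop the DHCP server handing out an address.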


RE: [ActiveDir] Exchange Authentication and WinXP Workstations

2004-09-09 Thread Edwin


I was informed of this problem today and
it is with a certain individual who uses their laptop on the public network.
When he uses that same laptop from within the network all is buttery!



In a totally separate event that I was
looking into, I noticed that some people were getting the same error. These
workstations have Win2K Pro installed and are on a Win2K3 domain. If the user
within the domain hit the RETRY button, it works.



I myself am operating under the same GPOs
and other related settings as the person who is getting the RETRY prompt from
within the network but I do not get that error from my workstation.


From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, September 09, 2004
9:16 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange
Authentication and WinXP Workstations


That depends. 

What's the entire scope of the
problem? One machine? Three machines? All machines? That
makes a big difference for the solution that needs to be used.



What gets logged on the domain controller
when you attempt this (assuming you have audit logging enabled)? 



What happens on the wire during the
attempts? Network trace?


From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Thursday, September 09, 2004
8:57 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exchange
Authentication and WinXP Workstations

Recently I was informed that users attempting to connect to
our Exchange server when using WinXP are experiencing troubles. The error
is that it cannot connect to the exchange server.



I do not see any errors on the client XP machine or on the
Exchange server itself.



For some reason I am able to open the MAIL application
within the control panel and successfully connect and authenticate to the
Exchange server. But when you do a Check Name the error is
returned that it could not connect.



I found an article on Microsoft's site but it seems a bit
extreme.



http://support.microsoft.com/default.aspx?scid=kb;EN-US;255843



Has anyone else encountered this? Was there an
alternate solution?



Thank you all for your replies.



Edwin


RE: [ActiveDir] IIS and Scripting Question

2004-09-02 Thread Edwin


Hunter,

Thanks for your reply. I must say
that in the many times I have asked this question, you have probably given me
the best answer. I have always received something like, "we just do
it because it is easy", "I don't know", "no one
said that it wasn't okay so why not do it?" or something else that
in my opinion may not be as professional a reply as it should be.



I think that you are right. I don't
think that a definite answer is out there.



I am sure that there is a Microsoft reader
on this list that will have an answer or maybe be able to direct us to that
answer if one does exist. If there is a person, I would like to request
that they start another thread with this topic.



I am sure that I am not the only one with
this as a question when it comes to bastion hosts and a domain.



Edwin


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Coleman, Hunter
Sent: Wednesday, September 01,
2004 10:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] IIS and
Scripting Question


Edwin-



I don't think you're going to find a
simple yes or no on the question of whether to put public facing servers in a
(separate) domain. Assume for a minute that one of your public servers gets
compromised. If it's a standalone server, then the attacker is somewhat
constrained in her ability to leverage that server against your other servers.
If it's in a domain, then the attacker has a somewhat easier task of expanding
the attack to other servers in the domain. Of course, you may find it easier to
lock down your public servers via group policy, SUS, and other things if you
are able to use domain-based management tools. And you may find that having
your users and developers using a single domain account cuts down on the number
of passwords taped to monitors and under keyboards.



As is often the case, the closest you'll
come to a definitive answer is It depends...



Hunter


From: Edwin
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 01,
2004 5:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IIS and
Scripting Question

Michael,



If I may, I would like to ask you a
question based off of your last reply to this thread.



You said, "It can't be a part of the domain (our policy is that shared hosting
servers (excepting our Exchange hosting servers, which have their own domain)
are standalone)."



I share this same opinion while others in
the organization I work for insist on having a domain for ease of management
and other features. I believe that there are other ways to
easily manage servers and use whatever features you want without
the use of a domain.



My question to you is if your last
statement is based on a preference of your organization or because of a
document that gives good arguments as to why a domain should not be used on
public servers? If based on a document, would you be able to share this
information?



I have found many documents that say
having a domain on a public server is no problem, but that the domain should be
isolated from other domains. But none of the documents give a
recommendation as to whether or not it should or should not be used. I am
basically looking for a definite yes or no answer and not something like,
"sure, it's okay to do."



I don't know if such a document exists,
but if there is an official statement from Microsoft about it, I would love to
begin an argument with my co-workers about it.



Thank you,

Edwin


From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, September 01,
2004 2:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IIS and
Scripting Question


No, the provisioning application needs to
be able to create a folder and a file within that folder and assign rights.



It can't be a part of the domain (our
policy is that shared hosting servers (excepting our Exchange hosting servers,
which have their own domain) are standalone).



Thanks for the thought.




From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, September 01,
2004 1:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IIS and
Scripting Question

So really the rights you need are the
ability to open a file on a file share you have rights to? Is it possible
to make it part of the domain? You could use the machine account or the IIS
account then. If not, then the trick here is to allow file system access
to the application (the user-context of the application really). 



Would that work?




From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, September 01,
2004 1:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IIS and
Scripting Question

I have a provisioning application that
runs on a domain member that needs administrative access to a standalone
server.


From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, September 01,
2004 1:27 PM
To: '[EMAIL

RE: [ActiveDir] IIS and Scripting Question

2004-09-01 Thread Edwin


Michael,



If I may, I would like to ask you a
question based off of your last reply to this thread.



You said, "It can't be a part of the domain (our policy is that shared hosting
servers (excepting our Exchange hosting servers, which have their own domain)
are standalone)."



I share this same opinion while others in
the organization I work for insist on having a domain for ease of management
and other features. I believe that there are other ways to easily
manage servers and use whatever features you want without the use of a domain.



My question to you is if your last
statement is based on a preference of your organization or because of a
document that gives good arguments as to why a domain should not be used on
public servers? If based on a document, would you be able to share this
information?



I have found many documents that say
having a domain on a public server is no problem, but that the domain should be
isolated from other domains. But none of the documents give a recommendation
as to whether or not it should or should not be used. I am basically
looking for a definite yes or no answer and not something like, "sure,
it's okay to do."



I don't know if such a document
exists, but if there is an official statement from Microsoft about it, I would
love to begin an argument with my co-workers about it.



Thank you,

Edwin


From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, September 01,
2004 2:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IIS and
Scripting Question


No, the provisioning application needs to
be able to create a folder and a file within that folder and assign rights.



It can't be a part of the domain (our
policy is that shared hosting servers (excepting our Exchange hosting servers,
which have their own domain) are standalone).



Thanks for the thought.




From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, September 01,
2004 1:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IIS and
Scripting Question

So really the rights you need are the
ability to open a file on a file share you have rights to? Is it possible
to make it part of the domain? You could use the machine account or the IIS
account then. If not, then the trick here is to allow file system access
to the application (the user-context of the application really). 



Would that work?




From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, September 01,
2004 1:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] IIS and
Scripting Question

I have a provisioning application that
runs on a domain member that needs administrative access to a standalone
server.


From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, September 01,
2004 1:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] IIS and
Scripting Question

Credentials other than the ones that IIS
is running under?



Personally, I haven't seen a way to do
that and wonder why you would want to do it that way?




From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, September 01,
2004 9:33 AM
Subject: [ActiveDir] IIS and
Scripting Question



Is there any way to create a FileSystemObject with
alternate credentials, similar to what I can do with OpenDSObject for an ASP
web page?


Thanks,





M


[ActiveDir] Joining Computers to a Domain

2004-08-24 Thread Edwin


I believe that I have read something like this before but
now that I need it, I can't find the answer.



I would like to be able to have a non-admin user with
permissions of nothing more than being able to add a computer to a domain. Is
this possible?



Thank you for your responses.



Edwin


[ActiveDir] Remote Installation Headaches

2004-08-24 Thread Edwin


I am attempting to use RIS and am getting problem after
problem.



I posted a question about PXE and the NIC being used and was
informed that I would have to download and use RIS specific drivers for the
network card I am using.



http://downloadfinder.intel.com/scripts-df/Detail_Desc.asp?agr=NProductID=407DwnldID=6760



This worked great! It did what I
needed.



Now, the install runs through with no
problem but when it has completed, I see that the NIC is not being recognized
nor the Audio card. I don't really care for the Audio right now.



Also, I am updating the ristndrd.sif file
to try and add the machine to the domain and have added the values as displayed
below:



[Identification]
JoinDomain = mydomain
DomainAdmin = User
DomainAdminPassword = password



The computer is being added to the OU that
I want (I assume when in Text Mode) but the machine doesn't appear to be
a part of the domain once the new OS install is completed. And if it was,
I would still need to resolve the NIC problem.



I have created and modified the same above
file to look for 3rd party drivers. The driver files are
located in the specified locations. The updated section of the file is
also below:



[Unattended]
OemPreinstall = no
NoWaitAfterTextMode = 0
FileSystem = LeaveAlone
ExtendOEMPartition = 0
ConfirmHardware = no
NtUpgrade = no
Win31Upgrade = no
TargetPath = \WINNT
OverwriteOemFilesOnUpgrade = no
OemSkipEula = yes
InstallFilesPath = \\%SERVERNAME%\RemInst\%INSTALLPATH%\%MACHINETYPE%
OemPreinstall = yes
OemPnpDriversPath = Drivers\Audio;Drivers\NIC



Why doesn't the machine become a
part of the domain and how come the NIC isn't being installed?


[ActiveDir] RIS Headaches

2004-08-22 Thread Edwin


I am attempting to perform a RIS installation on a machine
that continues to fail. The error that I am getting and other related
information can be found via the URL http://support.microsoft.com/?kbid=315074


The operating system image
you selected does not contain the necessary drivers for your network adapter.
Try selecting a different operating system image. If the problem persists,
contact your system administrator.

Setup cannot continue. Press any key to exit.


The network card that I have within the machine is supported
by RIS (Intel(R) PRO/100 Desktop Adapter) and is successfully initialized,
receives an IP Address and allows for domain authentication. As part of
the resolution in the above URL, I am asked to download the latest service pack
for Windows 2000. I am not sure how I am supposed to download and install
that since I have yet to install the new image.



Under the notes section, it does mention that I can receive
this error if I am running RIS on a Win2003 machine. This is exactly what
I am doing. I am trying to use RIS on Win2K3 to deploy Win2K Pro.



I have read and followed the instructions from the below URLs
but the status still has not changed.



http://support.microsoft.com/default.aspx?scid=kb;EN-US;246184

http://support.microsoft.com/default.aspx?scid=kb;EN-US;254078

http://support.microsoft.com/default.aspx?scid=kb;en-us;325862


I have also reviewed and downloaded the latest available
version of the drivers from the Microsoft Windows Catalog from within Windows
Update.



I am at a loss here. Can anyone please help?



Thank you in advance,

Edwin


RE: [ActiveDir] RIS Headaches

2004-08-22 Thread Edwin


I did add the drivers. I did that
according to the article at URL http://support.microsoft.com/default.aspx?scid=kb;EN-US;315279
and http://support.microsoft.com/default.aspx?scid=kb;EN-US;246184



Are you talking about adding the drivers a
different way? If so, how? I thought by me adding the \$oem$\$1\Drivers\NIC
and updating the *.sif file I would be defining an alternate driver
installation location.


From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe L. Casale
Sent: Sunday, August 22, 2004 2:19
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] RIS
Headaches


You need to add the drivers, then download
the updated inf on the same page, then purge all the oem?.inf/pnf files, then
restart the services



jlc


From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Sunday, August 22, 2004
11:32 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] RIS Headaches


I am attempting to perform a RIS installation on a machine
that continues to fail. The error that I am getting and other related
information can be found via the URL http://support.microsoft.com/?kbid=315074


The operating system image
you selected does not contain the necessary drivers for your network adapter. Try
selecting a different operating system image. If the problem persists, contact
your system administrator.

Setup cannot continue. Press any key to exit.


The network card that I have within the machine is supported
by RIS (Intel(R) PRO/100 Desktop Adapter) and is successfully initialized,
receives an IP Address and allows for domain authentication. As part of
the resolution in the above URL, I am asked to download the latest service pack
for Windows 2000. I am not sure how I am supposed to download and install
that since I have yet to install the new image.



Under the notes section, it does mention that I can receive
this error if I am running RIS on a Win2003 machine. This is exactly what
I am doing. I am trying to use RIS on Win2K3 to deploy Win2K Pro.



I have read and followed the instructions from the below
URLs but the status still has not changed.



http://support.microsoft.com/default.aspx?scid=kb;EN-US;246184

http://support.microsoft.com/default.aspx?scid=kb;EN-US;254078

http://support.microsoft.com/default.aspx?scid=kb;en-us;325862


I have also reviewed and downloaded the latest available
version of the drivers from the Microsoft Windows Catalog from within Windows
Update.



I am at a loss here. Can anyone please help?



Thank you in advance,

Edwin


[ActiveDir] GPO's, RIS and Software Deployment

2004-08-18 Thread Edwin


Can anyone provide me with good documentation on RIS and
software deployment through GPO?



We currently use MS ADS and I don't like it and I
believe it to be the cause of problems. Aside from that, I think that I
can benefit more from RIS if my plan goes through well. I am not
interested in using RipRep since it acts similarly to MS ADS and documentation of
the product is similar in its requirements to successfully use.



I have two Win2K3 Enterprise Domains, a Win2K3 Standard
File server and Win2K Pro workstations.



The main pieces of software that I would like to push out
would be MSSQL 2000 (client tools only), MS Office 2000, Symantec AV Corporate
Edition.



I have read some documentation on this but would like to
know if any of you have other good known sources. My information comes
from a book and the help files that are found within the DEPLOY.CAB file in the
/support/tools/ folder of the Win2K3 CD.



Thank you all for your replies.



Edwin


[ActiveDir] Fileserver and Self-Executing Programs

2004-08-04 Thread Edwin


Within our domain, roaming profiles are used. The roaming
profiles are limited to 10MB by means of a GPO. The user is also given a
networked drive (K:\) that gives them an additional 40MB which gives them a
grand total of 50MB of usable space when on their workstations. The 50MB
limit is then enforced by Disk Quotas. The roaming profile data and the
networked drive are both on the same machine.



The user logging into their workstation is not able to
install applications unless first approved. What I have noticed however
is that users within the domain are still managing to run unauthorized pieces
of software. They are doing this by copying the files to K:\. The
application that they want to use is a self-executing program that does not
need to write data to the registry or modify the system in any way.



In one case, I noticed that a user is using FireFox. I
installed the software under the same user privileges and was able to do
so but with a warning that the application may not install correctly without
Admin rights. The application did install to the K:\ and worked correctly when
it was opened. The good thing about this was that anything that was written
to the registry was access denied.



So here is the question. How can I prevent users from
installing these types of applications to the K:\? When they do this, they
are using resources on the remote machine that shouldn't be. I
could care less that they are using more drive space since it will only affect
them and their ability to write more files to the remote machine or will
prevent them from logging off of their desktop until the space is cleared.



I don't have a problem putting fear into those who are
doing this, but I would rather just cut them off and keep my mouth shut if a
solution is available.



Any thoughts?



Thanks everyone for your replies,

Edwin


RE: [ActiveDir] Fileserver and Self-Executing Programs

2004-08-04 Thread Edwin


What I have noticed, in the couple of tests
I have done, is that if the installer is a MSI package, it will immediately be
denied any further access. If it is a *.exe then there may be progress on
the installation and it is up to the *.exe on how to proceed. If a *.exe
is used, the system itself appears never to be modified except within the users'
own profile allotted space.



I am not sure how to restrict file
extensions on a folder. Do you have more information on this?



I know that I can remove execute
permissions but this will take some work to do and resolve my issue.  I am not
complaining about the work. Just that it will take some time.



I guess if there is a way to filter out
certain executables I would want to filter them all out. So I guess
removing execute access will be the best way. But this would also mean I
would have to remove this type of permission to their desktop or My Documents since
they could also install such a program there providing it was under their 10MB
limit. But to go that far would be nasty and I don't think it would
be recommended.


From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell
Sent: Wednesday, August 04, 2004
9:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
Fileserver and Self-Executing Programs


The first thing that comes to mind is
disabling Windows Installer for non-managed apps via GPO, considering you are
already doing something similar as you had mentioned that may be the most
viable solution.



Otherwise, I'm not sure if its possible or
how difficult it would be to implement but you could restrict the use of
certain file extensions in the user folder tree which would prevent users from
running executables for instance.



Just two ideas... I'm sure there will be
more



From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Wednesday, August 04, 2004
8:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Fileserver
and Self-Executing Programs

Within our domain, roaming profiles are used. The roaming
profiles are limited to 10MB by means of a GPO. The user is also given a
networked drive (K:\) that gives them an additional 40MB which gives them a
grand total of 50MB of usable space when on their workstations. The 50MB
limit is then enforced by Disk Quotas. The roaming profile data and the
networked drive are both on the same machine.



The user logging into their workstation is not able to
install applications unless first approved. What I have noticed however
is that users within the domain are still managing to run unauthorized pieces
of software. They are doing this by copying the files to K:\. The
application that they want to use is a self-executing program that does not need
to write data to the registry or modify the system in any way.



In one case, I noticed that a user is using FireFox. I
installed the software under the same user privileges and was able to do
so but with a warning that the application may not install correctly without
Admin rights. The application did install to the K:\ and worked correctly when
it was opened. The good thing about this was that anything that was written
to the registry was access denied.



So here is the question. How can I prevent users from installing
these types of applications to the K:\? When they do this, they are using
resources on the remote machine that shouldn't be. I could care
less that they are using more drive space since it will only affect them and
their ability to write more files to the remote machine or will prevent them
from logging off of their desktop until the space is cleared.



I don't have a problem putting fear into those who are
doing this, but I would rather just cut them off and keep my mouth shut if a
solution is available.



Any thoughts?



Thanks everyone for your replies,

Edwin


[ActiveDir] Domain Controller Backups

2004-07-29 Thread Edwin


I have a nightly backup performed on the domain controllers
during the overnight hours. This backup only consists of the System State
which is run on both DCs and is copied to a different server.



Is the System State enough to consider
backing up? Will this be enough information to recover from a disaster?


[ActiveDir] Renaming the Administrator account

2004-07-21 Thread Edwin


I have always renamed the default Administrator account on
every system build I have performed for security reasons.



I did the same on the domain but was then scolded by a more
experienced AD Administrator. The reason given to me was because there are
parts of AD that authenticate or use the SID of the administrator account while
other areas may use the Administrator username explicitly. If I
were to rename the default Administrator account then those references that
call the username explicitly may fail.



I am still new to AD so I took the above warning with
caution and therefore renamed the default user back to its original settings.



I would appreciate anyone's input on the above. I
would like to rename the Administrator account as part of best practices but if
it may cause problems then of course this would not be an option. However, I
have a hard time understanding why renaming the account could cause potential
problems. I would think that any reference to the Administrator account would
be made by the SID and if any call to the username itself was made, it would
access a database that was populated with the correct information as it was
changed.



The only information I have about renaming the account is
above.



Thank you all for your responses.



Edwin


RE: [ActiveDir] Renaming the Administrator account

2004-07-21 Thread Edwin


Excellent! Thank you everyone for your
replies. I was concerned about the information that I got but I wasn't
in a position to question it since I honestly was not 100% sure.



Now, I believe I have some good ammunition
for a good argument.



Thank you Tony for that URL.



This list rocks!

Edwin


From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, July 21, 2004
7:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming
the Administrator account


there's no issue renaming it - in 2003
you can actually disable it to make the environment more secure (but caution -
this is the only account that doesn't get locked when you have configured a
lockout threshold in your PW policy)



/Guido


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Edwin
Sent: Wednesday, 21 July 2004
13:38
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Renaming the
Administrator account

I have always renamed the default Administrator account on
every system build I have performed for security reasons.



I did the same on the domain but was then scolded by a more
experienced AD Administrator. The reason given to me was because there
are parts of AD that authenticate or use the SID of the administrator account
while other areas may use the Administrator username
explicitly. If I were to rename the default Administrator account then
those references that call the username explicitly may fail.



I am still new to AD so I took the above warning with
caution and therefore renamed the default user back to its original settings.



I would appreciate anyone's input on the above.
I would like to rename the Administrator account as part of best practices but
if it may cause problems then of course this would not be an option.
However, I have a hard time understanding why renaming the account could cause
potential problems. I would think that any reference to the Administrator
account would be made by the SID and if any call to the username itself was
made, it would access a database that was populated with the correct
information as it was changed.



The only information I have about renaming the account is
above.



Thank you all for your responses.



Edwin


RE: [ActiveDir] home directory modifications

2004-07-21 Thread Edwin
This is my first attempt at answering a question here on the list, but I
believe that I have an accurate answer to the question in this thread.  If I
am incorrect, I apologize for any confusion that I may have caused.

200 or so members would be a lot to perform updates on individually but I
would assume that those users are within different OUs.  Since they are in
OUs you would only have to make an update for each OU that you have your
200 or so members in.

Why not select all the users in the OU and update their properties all at
once?  The Profile tab should be available to where you can update the path
as needed.  Now you can then update your \\goofy\home\ to \\mickey\home\ as
you like.

I had to do the same thing when I took over a domain that uses roaming
profiles.  I moved around a lot of files and folders for performance and
best practice reasons which forced me to update everyone's roaming profile
path using the method above.  The only exception was that I added their
username to the path such as \\mickey\home\%username%

If you can find a programming solution then I say go for it!  I myself need
to learn how to automate stuff when managing Active Directory.  I have found
that not to be so easy.  But if you need a quick solution, then the above
might work for you.

Edwin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 5:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] home directory modifications

Do so - at your peril, Sir!
 
and, while you are at it, don't tell Joe :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Mulnick, Al
Sent: Wed 7/21/2004 2:31 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] home directory modifications



If option two doesn't do it, this might be a good starting point (Deji's
option 2)
http://tinyurl.com/5jne3

The code here assumes you already have the userdn.  That's easy enough to
get if they're all in the same ou.  If not, modify Deji's script -- it'll be
faster.
Once you bind to the user object, read the homedrive attribute, parse it
(split is a pretty good function for this) and then read it back into the
variable you want and update the user object with the vars you want.

Cool scripts Deji!!  I'm going to have to start crawling that site a bit
more :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 5:14 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] home directory modifications

Depending on how brave you are, one of these MAY help you.

http://www.akomolafe.com/DesktopModules/ViewDocument.aspx?DocumentID=35
http://www.akomolafe.com/DesktopModules/ViewDocument.aspx?DocumentID=26


Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of James Payne
Sent: Wed 7/21/2004 12:30 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] home directory modifications







I have about 200 users setup to connect h: to \\goofy\home\username.  I am
moving the data on \\goofy\home\ to \\mickey\home\.  Is there a script
laying around somewhere that would allow me to change this path in
everyone's profile at once?  It sure would beat doing this manually for
every user.

Thanks again for any help you guys can provide.

James

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
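As an added example (not code from the thread or from Deji's scripts), here is the "bind, read homeDirectory, split, update" approach Al describes done as a dry run that parses the UNC path instead of blindly string-replacing, so users whose home directory sits on a different server or share are left untouched. The host names goofy/mickey come from the thread; the user records, share name and function names are constructed.

```python
"""Plan a homeDirectory rewrite for a file-server move (added example).

The directory records below are constructed; pushing the result back via
LDAP is left to whatever tool you use for the modify."""

OLD_HOST = "goofy"   # server the data is moving from (from the thread)
NEW_HOST = "mickey"  # server the data is moving to (from the thread)
SHARE = "home"       # only this share is moving (assumption)

# Constructed sample of what a search for homeDirectory might return.
SAMPLE_USERS = [
    {"sAMAccountName": "jpayne", "homeDirectory": r"\\goofy\home\jpayne"},
    {"sAMAccountName": "edwin", "homeDirectory": r"\\GOOFY\home\edwin"},
    {"sAMAccountName": "svc_backup", "homeDirectory": r"\\pluto\home\svc_backup"},
    {"sAMAccountName": "nohome", "homeDirectory": ""},
    {"sAMAccountName": "odd", "homeDirectory": r"\\goofy\share\odd"},
    {"sAMAccountName": "local", "homeDirectory": r"C:\Users\local"},
]


def split_unc(path):
    """Split a UNC path (two leading backslashes, server, share, rest)
    into (server, share, rest). Returns None if it is not a UNC path."""
    if not path.startswith("\\\\"):
        return None
    parts = path[2:].split("\\", 2)
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return None
    rest = parts[2] if len(parts) == 3 else ""
    return parts[0], parts[1], rest


def new_home_path(path, old_host=OLD_HOST, new_host=NEW_HOST, share=SHARE):
    """Return the rewritten path, or None when this value must be left
    alone (different server, different share, not UNC, or empty)."""
    parsed = split_unc(path)
    if parsed is None:
        return None
    server, shr, rest = parsed
    # Host and share names are case-insensitive on Windows; compare that way.
    if server.lower() != old_host.lower() or shr.lower() != share.lower():
        return None
    new = "\\\\" + new_host + "\\" + shr
    return new + "\\" + rest if rest else new


def plan_changes(users):
    """Dry run: list (sAMAccountName, old, new) for every user whose
    homeDirectory must change; everything else is skipped."""
    changes = []
    for user in users:
        old = user.get("homeDirectory", "")
        new = new_home_path(old)
        if new is not None and new != old:
            changes.append((user["sAMAccountName"], old, new))
    return changes


if __name__ == "__main__":
    for sam, old, new in plan_changes(SAMPLE_USERS):
        print("%-12s %s -> %s" % (sam, old, new))
```

Review the planned list before applying it; the skipped entries are exactly the ones a plain find-and-replace on the whole attribute would have clobbered.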




[ActiveDir] Install MS Outlook Express

2004-07-20 Thread Edwin
I am aware that with AD and GPO's I can create MSI packages and distribute
software.  But I am not sure where to begin on installing a built-in program
such as Outlook Express.

Initially I disabled the use of Outlook Express by not installing it on the
client machines.  Now I want to install it.  Why?  Because everyone in the
network is on Exchange and sometimes they help clients troubleshoot their
email.  Sometimes in order to troubleshoot they set up the client's email
account on their local machine.  What then happens is that all of the
client's email ends up on the Exchange server vs a local PST file.

I know that this can be changed within the options of MS Outlook to change
the storage location of email messages, but this is not something that the
support staff will do or change every time they need to test a remote server
email account.

So how can I install Outlook Express on every client machine without
visiting each one individually?  If there is documentation on the steps
necessary to do this, I would greatly appreciate that information.

Is there another, maybe better alternative?

Thanks for your replies,
Edwin




RE: [ActiveDir] Install MS Outlook Express

2004-07-20 Thread Edwin
David,

I did this at home but it looks like it will work.  I don't see why it
wouldn't.  But I was able to download IEAK SP1 and specify OE just like you
said.  The MSI package has been created and all looks good.

I am going to test this on a workstation where it needs to be installed
tomorrow when I get to work.

Thank you.

Edwin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J
Contr InDyne/Enterprise IT
Sent: Tuesday, July 20, 2004 10:55 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Install MS Outlook Express

Edwin,

You can use the Internet Explorer Admin Pack to create a custom install.
Then just choose the OE components.  It will generate everything you need.
Then just assign the MSI.

Dave 


-- 
David J. Perdue
MCSE 2000, MCSE NT, MCSA, MCP+I 
Network Security Engineer, InDyne Inc 
Comm: (805) 606-4597DSN: 276-4597 
[EMAIL PROTECTED]
-- 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Tuesday, July 20, 2004 6:04 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Install MS Outlook Express

I am aware that with AD and GPO's I can create MSI packages and distribute
software.  But I am not sure where to begin on installing a built-in program
such as Outlook Express.

Initially I disabled the use of Outlook Express by not installing it on the
client machines.  Now I want to install it.  Why?  Because everyone in the
network is on Exchange and sometimes they help clients troubleshoot their
email.  Sometimes in order to troubleshoot they set up the client's email
account on their local machine.  What then happens is that all of the
client's email ends up on the Exchange server vs a local PST file.

I know that this can be changed within the options of MS Outlook to change
the storage location of email messages, but this is not something that the
support staff will do or change every time they need to test a remote server
email account.

So how can I install Outlook Express on every client machine without
visiting each one individually?  If there is documentation on the steps
necessary to do this, I would greatly appreciate that information.

Is there another, maybe better alternative?

Thanks for your replies,
Edwin




[ActiveDir] OT: Active Directory Browser History Files

2004-07-15 Thread Edwin








In our domain we use roaming profiles. What I would like to
know is if there is an easy way to monitor the web sites that end users are
looking at while at their workstations. We have users that are going to sites
that may offend others and this needs to be addressed.



I am aware of reviewing the Firewall logs but I was hoping
that there would be an easier way since all the machines are connected to the
domain.



Thank you all for your replies.



Edwin 








RE: [ActiveDir] OT: Active Directory Browser History Files

2004-07-15 Thread Edwin








Well, it looks like SurfControl is the
application that I am going to start looking into.



I appreciate all of your responses.



Thank you.



Edwin











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
Sent: Thursday, July 15, 2004 2:20
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:
Active Directory Browser History Files





I have no idea what version of Websense
you looked at but our installation of Websense Enterprise 5.2 IS on SQL.
Since our database grows at least 40MB a day we didn't go with the
option for MSDE.



I positively love the reporting tools. Their
Explorer is the main reason why I chose it over Surf Control after I did the
evaluation of both products. It allows you to rapidly look at an overview of
your data and then drill down on the subcategory of your choice (then to a
subcategory of that subcategory...). Their Reporter gives you the granular
reports similar to what you get from Crystal.











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Thursday, July 15, 2004
10:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:
Active Directory Browser History Files





The issue I had with Websense and
Webtrends (and the like) is just that - the time it takes to load
firewall logs to do reporting and so forth.

Surf Control uses SQL (or MSDE if you
prefer) info is loaded almost instantly and the result sets are nearly as
quick.



I can't say enough (positive) about
Surf Control.



The canned reporting is pretty good - -
and if you're running Crystal
you can really get some granular result sets.











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Thursday, July 15, 2004 1:06
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:
Active Directory Browser History Files







Websense is also a good product which I
have used for many years. It will work with Checkpoint firewalls directly or
you can hook it into a proxy, i.e. ISA, Squid, etc. I personally prefer it to
SurfControl, but that is just my opinion.











Try them out.





-Original Message-
From: Creamer, Mark
[mailto:[EMAIL PROTECTED] 
Sent: 15 July 2004 17:49
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:
Active Directory Browser History Files

In my
opinion, you need an acceptable use policy, and you need to have all the users
agree to it. You then need a product like surfCONTROL. They have versions for
various proxy servers as well as firewalls





mc











From: Edwin
[mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 15, 2004 10:44
AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Active
Directory Browser History Files





In our domain we use roaming profiles. What I would
like to know is if there is an easy way to monitor the web sites that end users
are looking at while at their workstations. We have users that are going
to sites that may offend others and this needs to be addressed.



I am aware of reviewing the Firewall logs but I was hoping that
there would be an easier way since all the machines are connected to the
domain.



Thank you all for your replies.



Edwin 




This e-mail and the information it contains are confidential and may be
privileged. If you have received this e-mail in error please notify the sender
immediately and delete the material from any computer. Unless you are the
intended recipient, you should not copy this e-mail for any purpose, or
disclose its contents to any other person. 
The MCPS-PRS Alliance is not responsible for the completeness or accuracy of
this communication as it has been transmitted over a public network. Whilst the
MCPS-PRS Alliance monitors all communications for potential viruses, we accept
no responsibility for any loss or damage caused by this e-mail and the
information it contains.
It is the recipient's responsibility to scan this e-mail and any attachments
for viruses. Any 
e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for
quality control and other purposes.

The MCPS-PRS Alliance Limited is a limited company registered in England
under company number 03444246 whose registered office is at c/o 29-33 Berners Street, London, W1T 3AB.








[ActiveDir] Disk Defragmenting

2004-07-08 Thread Edwin








Would someone please be able to verify if defragmenting a
disk is safe on a domain controller?



I want to install and use Diskkeeper but would like to get
some assurance of its use before its implementation.



Thank you in advance for your replies.



Edwin








RE: [ActiveDir] Disk Defragmenting

2004-07-08 Thread Edwin








OK... Thanks.



I have it scheduled for 2:00am - 4:00am every day. There are only 2 people
here at that time and they would have already logged into the domain hours
before.



Thank you!











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Thursday, July 08, 2004 8:59
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Disk Defragmenting







It's safe... I'd just recommend doing it in
a quiet period.











BR











Rob





-Original Message-
From: Edwin
[mailto:[EMAIL PROTECTED] 
Sent: 08 July 2004 13:51
To: Active Directory
Subject: [ActiveDir] Disk
Defragmenting

Would someone please be able to verify if defragmenting a
disk is safe on a domain controller?



I want to install and use Diskkeeper but would like to get
some assurance of its use before its implementation.



Thank you in advance for your replies.



Edwin












RE: [ActiveDir] GPO question concerning LOCAL GPO

2004-07-02 Thread Edwin








I just wanted to say that this is an
awesome reply!



Thank you Darren.











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, July 01, 2004 7:38
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO
question concerning LOCAL GPO





A user-driven script is not likely to
work. These policies are set in HKCU but the keys involved are
permissioned away from normal users by default--to prevent a normal user from
undoing a policy. There are a couple of ways you could skin this. If you want
to pay money, Full Armor has a tool called GPAnywhere that lets you do mass
manipulation of the local GPO. If you want to do it on the cheap then there is
another way, but it is a bit tricky. Essentially, all Admin. Template
policy for the local GPO is stored in two files on the local drive. Any
machine-specific Admin. Template policy is stored in
%windir%\system32\grouppolicy\machine\registry.pol and any user-specific policy
is stored in %windir%\system32\grouppolicy\user\registry.pol. For the screensaver
policies you talk about below, these are user-specific and so would be stored
in the user-specific registry.pol file. If you are reasonably sure that all of
the affected machines have roughly the same local GPO, then you could pick one
of them, edit it to include your new screen saver settings, and then just copy
over that user registry.pol file on all the desired machines. Then, you have to
increment the version number of the local GPO, so that when the user logs on,
it knows there are new policy settings and it processes them. The version
number is stored in a file called GPT.ini, found in
%windir%\system32\grouppolicy. GPT.ini typically looks something like this:



[General]
gPCFunctionalityVersion=2
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-F87571E3}]

Version=917538
gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}] 



You'll need to increment the Version= key
and, if there were no Admin Template policies formerly found in the local GPO,
you need to be sure the GUID {35378EAC-683F-11D2-A89A-00C04FBBCFA2} is found in
the value gPCUserExtensionNames key, as it is above. The version number should
be incremented according to how many policy changes you make. If you want to
stick to Microsoft's byzantine versioning scheme for GPOs, then for each
user-specific change you make (which is what you'll be doing in this case), the
version number is increased by 65536. So three changes to user policy would
result in a version number increase of 65536 x 3 or 196608, which gets added to
the existing version number (so in the example above, 917538+196608=new version
number). So what you can do is copy the registry.pol file and an updated
gpt.ini (again this assumes that all machines have the same
starting gpt.ini version number) to each of the target machines and
then the next time the user logs on, they should get the correct screen saver
policy. Like I said, tricky, but not impossible. 



Darren









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 01, 2004 3:57
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO
question concerning LOCAL GPO



If the machine is standalone, you could
e-mail them a script that makes the proposed registry changes. How else are you
going to touch a machine that doesn't login regularly to have a GPO applied ?











Kevin Gent





Pearson Digital Learning





-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Cothern Jeff D. Team EITC
Sent: Thursday, July 01, 2004 6:49
PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO question
concerning LOCAL GPO

We have identified an issue with a security policy (the
paper kind) that conflicts with how our current build is set on our
workstations. The workstations are running Windows 2000. I need to
see if there is a way to change the LOCAL GPO on say 2000+ machines on the
domain without having to remotely or sneaker login. Anyone know if a script
could be written that say changes the GPO so the screen saver activates in 600
seconds, password protected and the user doesn't see the screen saver
tab. I have already worked out the GPOs for users with these settings but
the question was posed to me what about if the machine is operating in a
standalone mode temporarily, IE laptop. 



Any ideas or suggestions would be appreciated.



Jeff 
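Darren's GPT.ini version arithmetic, as an added example that is not code from the thread: the packed Version= value carries the user version in the high 16 bits and the machine version in the low 16 bits, so each user-side change adds 65536, and the Admin Templates CSE GUID must be listed under gPCUserExtensionNames or the new user registry.pol is never processed. The GPT.ini text is constructed from the sample he quoted; the function names are my own.

```python
"""Bump the user half of a local GPO's GPT.ini version (added example).

The GPT.ini text below is constructed from the sample quoted in the thread;
the functions are not part of any Microsoft tooling."""

# Administrative Templates (registry) client-side extension GUID from the thread.
ADMIN_TEMPLATES_CSE = "{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"
# User version lives in the high 16 bits, machine version in the low 16 bits,
# so one user-side policy change adds 65536 to the packed value.
USER_INCREMENT = 1 << 16

# Constructed from the GPT.ini sample in the thread (Version=917538).
SAMPLE_GPT_INI = """[General]
gPCFunctionalityVersion=2
gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-F87571E3}]
Version=917538
gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-F87571E3}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
"""


def read_general(text):
    """Return the key=value pairs of GPT.ini (it has a single [General] section)."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def split_version(version):
    """Split a packed GPO version into (user_version, machine_version)."""
    return version >> 16, version & 0xFFFF


def user_cse_registered(text):
    """True if the Admin Templates CSE is listed in gPCUserExtensionNames."""
    names = read_general(text).get("gPCUserExtensionNames", "")
    return ADMIN_TEMPLATES_CSE.lower() in names.lower()


def bump_user_version(text, user_changes):
    """Return GPT.ini text with Version raised by 65536 per user-side change.

    Refuses to write a file the client would not act on: without the CSE
    GUID on the user side the copied user registry.pol is not read."""
    if user_changes < 1:
        raise ValueError("user_changes must be at least 1")
    if not user_cse_registered(text):
        raise ValueError("gPCUserExtensionNames does not list the Admin Templates CSE")
    out = []
    bumped = False
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if sep and key.strip() == "Version":
            old = int(value.strip())
            raw = "Version=%d" % (old + user_changes * USER_INCREMENT)
            bumped = True
        out.append(raw)
    if not bumped:
        raise ValueError("no Version= entry found")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = int(read_general(SAMPLE_GPT_INI)["Version"])
    after = int(read_general(bump_user_version(SAMPLE_GPT_INI, 3))["Version"])
    print("before", before, split_version(before))  # 917538 (14, 34)
    print("after ", after, split_version(after))    # 1114146 (17, 34)
```

The decomposition is also a quick sanity check before mass-copying: if the source machine's GPT.ini decodes to a user version lower than the targets already have, the new policy will be treated as stale and skipped.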












[ActiveDir] Folder Redirection Errors

2004-07-01 Thread Edwin








Error 1:

The Group Policy
client-side extension Folder Redirection was passed flags (0) and returned a
failure status code of (1307).



For more information, see
Help and Support Center at
http://go.microsoft.com/fwlink/events.asp. 



Error 2:

Failed to perform
redirection of folder Application Data. The new directories for the redirected
folder could not be created. The folder is configured to be redirected to \\mydomainname.com\sharedfiles$\User
Profiles, the final expanded path was \\ mydomainname.com \sharedfiles$\User
Profiles. The following error occurred: 

This security ID may not
be assigned as the owner of this object. 



For more information, see Help and Support Center
at http://go.microsoft.com/fwlink/events.asp.







I have a Win2K3 DC with Win2K Pro clients. I have roaming
profiles setup with the Application Data, Desktop and My Documents forwarded to
a UNC path.



Every time a user logs in, they receive the above errors. For Error 2 an error is generated for each
forwarded folder. I have read and applied KB #274443 but no changes in
the Event Logs occurred.



As far as I can tell, I do not see any problems when saving data to the
Roaming Profile or Forwarded folders so I am not sure why the error is being
generated.



I would appreciate any suggestions as to how to correct these errors.



Thank you in advance for your replies.



Edwin








RE: [ActiveDir] Folder Redirection Errors

2004-07-01 Thread Edwin








Option #1 I will hold off on trying because
as you mentioned, it is not an acceptable solution.



Unfortunately, KB #274443
was of no use in this case since the errors did not change.



I am not sure if it makes a difference but the errors mentioned are
being recorded on the Win2K Pro client and not on the DC itself.



Thank you for your reply.



Edwin











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seyboldt, Volker
Sent: Thursday, July 01, 2004
10:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Folder
Redirection Errors





Hi Edwin,



we had a similar problem. We found two
solutions:

1. If you set the redirection to the
network share manually on the client it works and after doing that one time the
policy will also work perfectly. But this is not acceptable in a large
environment. So one customer sets the path for redirection manually by script
(it's just one registry entry) and then it works fine and the user cannot
change it in future because now the policy works as it should do.

2. If you add the User as Owner on NTFS
level to the share it will work also... But I think this is mentioned in the KB
you refer to



Volker









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Thursday, July 01, 2004 4:45
PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Folder
Redirection Errors

Error 1:

The Group Policy client-side extension Folder
Redirection was passed flags (0) and returned a failure status code of (1307).



For more information, see Help and Support Center
at http://go.microsoft.com/fwlink/events.asp. 



Error 2:

Failed to perform redirection of folder Application
Data. The new directories for the redirected folder could not be created. The
folder is configured to be redirected to \\mydomainname.com\sharedfiles$\User
Profiles, the final expanded path was \\ mydomainname.com \sharedfiles$\User
Profiles. The following error occurred: 

This security ID may not be assigned as the owner of
this object. 



For more information, see Help and Support Center
at http://go.microsoft.com/fwlink/events.asp.







I have a Win2K3 DC with Win2K Pro clients. I have roaming
profiles setup with the Application Data, Desktop and My Documents forwarded to
a UNC path.



Every time a user logs in, they receive the above errors. For Error 2 an error is generated for each
forwarded folder. I have read and applied KB #274443 but no changes in
the Event Logs occurred.



As far as I can tell, I do not see any problems when saving data to the
Roaming Profile or Forwarded folders so I am not sure why the error is being
generated.



I would appreciate any suggestions as to how to correct these errors.



Thank you in advance for your replies.



Edwin








RE: [ActiveDir] Folder Redirection Errors

2004-07-01 Thread Edwin








Each folder has ownership under their
respective user. I have deleted and then recreated my profile, both the
local cached copy and roaming. My profile directory gets recreated with me
as the owner but the errors are still generated in the event logs.



Within the GPO I have it set to:

 Basic Redirection

 Redirect to the following location















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruce Clingaman
Sent: Thursday, July 01, 2004
12:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Folder
Redirection Errors





I had a problem with redirecting My Docs.
The user was not the owner of the folder. Deleting the folder and allowing the
folder to be created at login corrected it for me. 

For XP clients at least, there is a Group
Policy to disable the folder ownership requirement.









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Thursday, July 01, 2004
10:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Folder
Redirection Errors

Option #1 I will hold off on trying
because as you mentioned, it is not an acceptable solution.



Unfortunately, KB #274443
was of no use in this case since the errors did not change.



I am not sure if it makes a difference but the errors mentioned are
being recorded on the Win2K Pro client and not on the DC itself.



Thank you for your reply.



Edwin











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seyboldt, Volker
Sent: Thursday, July 01, 2004
10:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Folder
Redirection Errors





Hi Edwin,



we had a similar problem. We found two
solutions:

1. If you set the redirection to the
network share manually on the client it works and after doing that one time the
policy will also work perfectly. But this is not acceptable in a large
environment. So one customer sets the path for redirection manually by script
(it's just one registry entry) and then it works fine and the user cannot
change it in future because now the policy works as it should do.

2. If you add the User as Owner on NTFS
level to the share it will work also... But I think this is mentioned in the KB
you refer to



Volker









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Thursday, July 01, 2004 4:45
PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Folder
Redirection Errors

Error 1:

The Group Policy client-side extension Folder
Redirection was passed flags (0) and returned a failure status code of (1307).



For more information, see Help and Support Center
at http://go.microsoft.com/fwlink/events.asp. 



Error 2:

Failed to perform redirection of folder Application
Data. The new directories for the redirected folder could not be created. The
folder is configured to be redirected to \\mydomainname.com\sharedfiles$\User
Profiles, the final expanded path was \\ mydomainname.com \sharedfiles$\User Profiles.
The following error occurred: 

This security ID may not be assigned as the owner of
this object. 



For more information, see Help and Support Center
at http://go.microsoft.com/fwlink/events.asp.







I have a Win2K3 DC with Win2K Pro clients. I have roaming
profiles setup with the Application Data, Desktop and My Documents forwarded to
a UNC path.



Every time a user logs in, they receive the above errors. For Error 2 an error is generated for each
forwarded folder. I have read and applied KB #274443 but no changes in
the Event Logs occurred.



As far as I can tell, I do not see any problems when saving data to the
Roaming Profile or Forwarded folders so I am not sure why the error is being
generated.



I would appreciate any suggestions as to how to correct these errors.



Thank you in advance for your replies.



Edwin








RE: [ActiveDir] Application Log Event Errors

2004-06-25 Thread Edwin








Thanks for the reply.



I am only getting the error on the DC. I have two DCs
with the FSMO roles divided. The DC that I am getting the errors on is
the one configured to be the RID Master and PDC Emulator.



The DCs are both Win2K3. All workstations in
the building are Win2K Pro with the exception of one WinXP Pro machine that I am
testing for potential upgrades to the existing Win2K Pro machines.



I thought that it was because of the test WinXP Machine with
reference to KB #810907, but I powered it down, cleared the
event logs and waited. The error returned again. So I feel that it
should be safe to rule this out.



But the article does reference MS Office. I asked a
separate question in a different thread about *.pst files and roaming
profiles. Could the use of *.pst files and the error below be related?



I did read an article (I can't remember which one) on the
dfsutil /purgemapcache but I was confused by it because I did not see the
switch as an available option when running dfsutil /?. I
tried to run it anyways and received an error:



Unrecognized option purgemapcache

System error 87 has occurred.

The parameter is incorrect.



Edwin.















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, June 24, 2004 2:40
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
Application Log Event Errors





Edwin-

Where exactly are those errors appearing?
On the DC or the clients that are processing GPO? Also, what version of DC are
you running and what version of client?



The dfsutil /purgemupcache will work on
Server 2003 DCs only.









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Edwin
Sent: Thursday, June 24, 2004 9:42
AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Application
Log Event Errors

I am getting numerous errors in the
Application Event logs that are provided below.



Windows cannot query for the list of Group
Policy objects. Check the event log for possible messages previously logged by
the policy engine that describes the reason for this.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



Windows cannot access the file gpt.ini for
GPO
cn={4A2B990D-CE94-4AF6-BB85-5521AAEEE954},cn=policies,cn=system,DC=mydomain,DC=com.
The file must be present at the location \\mydomain.com\SysVol\mydomain.com\Policies\{4A2B990D-CE94-4AF6-BB85-5521AAEEE954}\gpt.ini.
(Access is denied. ). Group Policy processing aborted.



According to the error the system cannot
find the gpt.ini file in the path \\mydomain.com\SysVol\mydomain.com\Policies\{4A2B990D-CE94-4AF6-BB85-5521AAEEE954
because permission is denied.



NTFS permissions on the directory have not
been modified. The permissions defined on the directory mentioned above
are:

Authenticated Users: Read & Execute, List Folder Contents, Read

Creator Owner: Special Permissions

Domain Admins: Full Control

Enterprise Admins: Full Control

Enterprise Domain Controllers: Read & Execute, List Folder Contents, Read

System: Full Control

Primary DC: Read & Execute, List Folder Contents, Read

Secondary DC: Read & Execute, List Folder Contents, Read


I have read KB Article #810907 but I would rather not install a Hotfix
if not absolutely necessary. Has anyone else experienced this? If
so, were you able to remedy the error without the Hotfix? If so, how.



Thank you.








[ActiveDir] Application Log Event Errors

2004-06-24 Thread Edwin








I am getting numerous errors in the
Application Event logs that are provided below.



Windows cannot query for the
list of Group Policy objects. Check the event log for possible messages
previously logged by the policy engine that describes the reason for this.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



Windows cannot access the file gpt.ini for
GPO
cn={4A2B990D-CE94-4AF6-BB85-5521AAEEE954},cn=policies,cn=system,DC=mydomain,DC=com.
The file must be present at the location
\\mydomain.com\SysVol\mydomain.com\Policies\{4A2B990D-CE94-4AF6-BB85-5521AAEEE954}\gpt.ini.
(Access is denied. ). Group Policy processing aborted.



According to the error the system cannot
find the gpt.ini file in the path \\mydomain.com\SysVol\mydomain.com\Policies\{4A2B990D-CE94-4AF6-BB85-5521AAEEE954
because permission is denied.



NTFS permissions on the directory have not
been modified. The permissions defined on the directory mentioned above
are:

Authenticated Users: Read & Execute, List Folder Contents, Read

Creator Owner: Special Permissions

Domain Admins: Full Control

Enterprise Admins: Full Control

Enterprise Domain Controllers: Read & Execute, List Folder Contents, Read

System: Full Control

Primary DC: Read & Execute, List Folder Contents, Read

Secondary DC: Read & Execute, List Folder Contents, Read


I have read KB Article #810907 but I would rather not install a Hotfix
if not absolutely necessary. Has anyone else experienced this? If
so, were you able to remedy the error without the Hotfix? If so, how.



Thank you.








[ActiveDir] Roaming Profiles and Exchange

2004-06-23 Thread Edwin










According to MS documentation, it is not a
good idea to put Outlook *.pst files in a remote location such as a UNC
path. So what is the alternative if you are using roaming profiles?
The *.pst file does not seem to get copied over into the user's Application Data
folder when logging off or when moving to another computer.



At one point, I had the GPO set to delete
locally cached copies of profiles but because of the above mentioned had to
disable this option.





Thanks in advance for your responses,

Edwin

RE: [ActiveDir] Roaming Profiles and Exchange

2004-06-23 Thread Edwin

Well, I definitely do not want to have the
PST file cause a slower logon time. I am aware of the consequences of
using a PST file in a remote location which is why I question it. By that
same token, I guess that is why it is not carried over into the user's roaming
profile. I got the opinion of the list I was looking for.



Thank you for your responses.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, June 23, 2004
9:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Roaming Profiles and Exchange

Jack-

You have a perfectly valid point and yet,
millions of people live and die by PSTs, even in large corporations that
should know better. The reasons vary from inadequate central
storage for Exchange to just plain old user preference. Hell, even I keep
emails forever in PSTs--yea they're bad but it beats the heck out of having to
groom my info store every week or month, and I have a wonderful history of my
life in email that I can refer to at any time :-).



In any case Edwin, to answer your
question--yes you should try avoiding PSTs altogether. Failing that, try to
avoid having to roam them--it's just messy. Finally, if you have to make them
available from anywhere then I have used mapped drives to store PSTs before
(e.g. the user's home directory). It isn't the greatest idea, especially when
they get very large, but it is do-able--just be prepared for the occasional
corrupted PST and you get issues with being able to back those PSTs up on
the server if the user has them open (i.e. they've left Outlook open). You
probably don't want to do anything to make them roam with the profile because
any reasonably sized PST will cause the logon and logoff process to take
forever--esp. when the user is remote to their server.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, June 23, 2004
6:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Roaming Profiles and Exchange

Hmmm... how about... DON'T USE PST's!!
THEY ARE BAD!!



Does that cover it? If you have an
Exchange Server, and judging by your subject I'm ass-u-me-ing that you do,
then use the Information Store - it's what it's designed for: Centralised
Backups, Single Instance Storage, etc.



If you're in any doubt about how bad PST's
are, sign up to the Exchange list that Sunbelt
software hosts and post something along the lines of "I like PST's, what
does the rest of the group think?" (remember to put on a flame retardant
jacket and duck before you hit send :-)



You can find the list here: http://www.sunbelt-software.com/community.cfm



Or try reading this: http://snipurl.com/7a0f

Full link is here: http://www.swinc.com/resources/exchange/faq_db.asp?status=questionsfaqID=1000faqname=Exchange%205.5sectionID=1013sectionName=Why%20PST%20=%20BAD(watch
for wrapping)



HTH

Jack

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: 23 June 2004 14:07
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Roaming Profiles and Exchange

According to MS documentation, it is not a
good idea to put Outlook *.pst files in a remote location such as a UNC
path. So what is the alternative if you are using roaming profiles?
The *.pst file does not seem to get copied over into the user's Application Data
folder when logging off or when moving to another computer.



At one point, I had the GPO set to delete
locally cached copies of profiles but because of the above mentioned had to
disable this option.





Thanks in advance for your responses,

Edwin

RE: [ActiveDir] Quick Launch Bar

2004-06-18 Thread Edwin
Ha ha!!

I think that I may have figured out my problem.  In the GPO I am forwarding
My Documents, Application Data and Desktop.  We all know that the Quick
Launch bar is located in the Application Data folder.

When configuring the GPO, I set the forwarding option to be for all of the
above to Create a folder for each user in the root path.  As a value, I
provided a UNC path to the server in which I would like the data to be
stored.

After only having too much time wasted on the stupid Quick Launch Bar, I
then reviewed the GPO again today with a fresh pair of eyes and a rested
brain.

I changed the forwarding option to be from what it was above to, Redirect
to the following location using the same UNC path.  This seems to have
worked for me so far and now this sort of makes sense.

I take the above to mean that with the first option, the UNC path is used but a
copy of the file is made on the remote server, sort of like FTP'ing the
file.

With the second option, I am using a Virtual Directory type file storage
which is why I believe that I am no longer being prompted to download items
from the Quick Launch Bar.

At least at the very beginning, the options within the Folder Redirection
were a bit confusing.

If I am correct, I may have solved my dilemma.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, June 17, 2004 12:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quick Launch Bar

Hey Edwin...

If you don't roam it, it will still use the local one, not go away.  From
the way I understand it.

This is from the GPO...




Lets you add to the list of folders excluded from the user's roaming
profile.

This setting lets you exclude folders that are normally included in the
user's profile. As a result, these folders do not need to be stored by the
network server on which the profile resides and do not follow users to
other computers.

By default, the History, Local Settings, Temp, and Temporary Internet Files
folders are excluded from the user's roaming profile.

If you enable this setting, you can exclude additional folders.

If you disable this setting or do not configure it, only the default
folders are excluded.

Note: You cannot use this setting to include the default folders in a
roaming user profile.


John

From: Edwin [EMAIL PROTECTED] (sent by [EMAIL PROTECTED])
Sent: 06/17/2004 10:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quick Launch Bar

Hi... in addition to my previous question about the Quick Launch bar, I
am not able to delete any shortcuts that I place there.  It is weird how I
can add a new shortcut to the Quick Launch bar but I cannot remove it.

Also, the new shortcuts ask me to DL the file just like the default icons.
When checking the properties of the shortcut on the Quick Launch, the path
shows the UNC path to the roaming profile directory which is the exact same
as when checking the properties for the shortcut on the start menu.

Okay.  So now I see where John was going with the buggy Quick Launch bar,
but I don't believe that the end users will appreciate it going away as was
suggested.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, June 17, 2004 8:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quick Launch Bar

Hey Edwin...

Without looking at it, and I can't really test here...I have to assume it's
the path somehow.  Would be odd for them to lose the file association, but
not impossible...heheheheh

Perhaps it's looking to the server for the program, which doesn't exist
there?

John

From: Edwin [EMAIL PROTECTED] (sent by [EMAIL PROTECTED])
Sent: 06/17/2004 06:41 AM

[ActiveDir] Software Restriction Policy

2004-06-18 Thread Edwin
I have a GPO to prevent all types of MMCs from being opened by anyone other than
an administrator.

This works well except that we have Enterprise Manager installed on
workstations to communicate with live SQL Servers.

MSSQL uses an MMC to open Enterprise Manager.  How can I allow the technical
support department to open EM on their workstations without removing the
snap-in policy or prohibiting each snap-in individually within the policy?

It seems like I would have to install EM on the DC in order for it to
recognize the EM MMC Snap-in so that I could exclusively allow it.  I would
think that there is another way.

I have removed the GPO policy for the snap-ins since I don't believe that a
non-privileged user will be able to do anything except view information.

Am I right in saying that the software has to be installed on the DC in
order to recognize the MMC filename?  If so, is there no other alternative?

Thank you.

Edwin

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Quick Launch Bar

2004-06-17 Thread Edwin
Hi... in addition to my previous question about the Quick Launch bar, I
am not able to delete any shortcuts that I place there.  It is weird how I
can add a new shortcut to the Quick Launch bar but I cannot remove it.

Also, the new shortcuts ask me to DL the file just like the default icons.
When checking the properties of the shortcut on the Quick Launch, the path
shows the UNC path to the roaming profile directory which is the exact same
as when checking the properties for the shortcut on the start menu.

Okay.  So now I see where John was going with the buggy Quick Launch bar,
but I don't believe that the end users will appreciate it going away as was
suggested.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, June 17, 2004 8:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quick Launch Bar

Hey Edwin...

Without looking at it, and I can't really test here...I have to assume it's
the path somehow.  Would be odd for them to lose the file association, but
not impossible...heheheheh

Perhaps it's looking to the server for the program, which doesn't exist
there?

John

From: Edwin [EMAIL PROTECTED] (sent by [EMAIL PROTECTED])
Sent: 06/17/2004 06:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quick Launch Bar

John, I will take your response with great consideration.  I appreciate
your response.

But I would still like to know why it is that the Quick Launch bar will
prompt you to open a default standard shortcut such as the IE or Windows
Media Icon.  Also, now that I have installed MS Office, I get the same
prompt now that the Outlook shortcut was added.

What can I do to prevent this from happening when using a roaming profile?

Thanks,
Edwin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, June 16, 2004 3:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Quick Launch Bar

Hey Edwin... We haven't been using roaming profiles here, but what I can
tell you is that the quick launch is in the Application Data directory.  We
experimented with redirecting it here so the quicklaunch would follow
users around, but ran into many problems with it.  Lots of slowness in
office as it wanted to write temp files up to the server, etc.

You can exclude directories from roaming with a GPO, and this is one i
would strongly suggest you consider.

John

From: Edwin [EMAIL PROTECTED] (sent by [EMAIL PROTECTED])
Sent: 06/16/2004 01:46 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Quick Launch Bar

I am trying to use roaming profiles on a Win2K3 domain with XP Professional
as client.  Roaming profiles seem to be working great except that when you
click on the Windows Media Player or Internet Explorer icon, you get a
prompt asking if you want to open this file.  This is similar to trying to
download an executable via a web site when you get a warning about its
potential contents.

What can I do to get rid of this?

Thank you in advance for your replies.

Edwin

[ActiveDir] Quick Launch Bar

2004-06-16 Thread Edwin

I am trying to use roaming profiles on a
Win2K3 domain with XP Professional as client. Roaming profiles seem to be
working great except that when you click on the Windows Media Player or
Internet Explorer icon, you get a prompt asking if you want to open this
file. This is similar to trying to download an executable via a web site
when you get a warning about its potential contents.



What can I do to get rid of this?



Thank you in advance for your replies.



Edwin

[ActiveDir] Remove Exchange Store

2004-06-16 Thread Edwin
I will try to explain this as best as I can.

We were in the process of migrating an Exchange server from one domain to
another.  We put up a temporary Exchange server where we could make some
required changes without affecting the original Exchange server. This would
also be our back out plan in the event of some type of failure.

Once our work was done on this temporary server we began migrating the
data again to a new Exchange Server. For internal configuration reasons, the
name of the Exchange server was preserved when moving to the new domain
which is why the temporary server could not be used. (Explaining this part
of the story would be too difficult and only add to the confusion.)

Now that everything is all said and done, the temporary Exchange server is
no longer needed.  Everything went well during the migration and we are all
pleased with the results.

So what is the problem?  After the migration was complete we decided to use
the temporary Exchange server for another purpose. The problem is that we
forgot to remove the temporary exchange server from the new domain.
Therefore we have two Exchange servers configured in Active Directory, but
one of them is not valid.

My question is, how can I remove the temporary Exchange Server within the
new domain that is no longer in existence without affecting any of our
current settings?

Thank you all in advance for your replies.

Edwin

[ActiveDir] Roaming Profile Permissions

2004-06-11 Thread Edwin

I would like to be able to view the files contained within a
user's roaming profile but keep getting a permission denied
error. I have a Windows 2003 DC and am testing on a Windows XP machine.



I have enabled

Computer Configuration\Administrative Templates\System\User Profiles\Add
the Administrators Security Group to the roaming user profiles

but that only allows me to go into the root directory of the
user profile but not into other directories such as the Desktop or My
Documents.



I know that I can update the NTFS permissions to the sub
directories but I am not sure if this is wise to where it may affect the
user. I am sure that there have been required investigations in the past
by an Administrator. What is the recommended solution for this without
affecting the user?



Thank you all for your responses in advance.



Edwin

RE: [ActiveDir] MS Exchange Tools on Domain Controller

2004-05-21 Thread Edwin

That's it? Cool.



Okay..I will give it a try.



Thank you again for the reply.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, May 21, 2004 1:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS Exchange Tools on Domain Controller

Yes, just install the ESM on the DC



-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Friday, May 21, 2004 1:54 PM
To: Active
 Directory List
Subject: [ActiveDir] MS Exchange Tools on Domain Controller



I have an Exchange server and would
like to know if it would be possible to have the properties menus available
when logged into the domain controller? The domain and the exchange
server are two separate machines.



Is this possible? 



Thank you all for your replies in advance.

RE: [ActiveDir] Active Directory and Bastion Hosts

2004-04-23 Thread Edwin

Well, the problem is that our network may
be integrated with another network. The other network has Active
Directory and we do not. We have other methods in place of managing the
servers as needed. They use Active Directory for whatever reasons that
they do previous to our relationship with each other. Now, I fear that
the higher ups will want to use their network model and integrate our existing
servers into their AD Structure.



The relationship between the two networks
is because of a company acquisition. I am part of that company that does
not have the say so in how things are handled ( I was part of the acquired
company).



This is why I was hoping to find a strong, clear,
to-the-point article as to why AD should not be used on bastion hosts. I
feel that if I can make a strong enough argument with supporting documentation,
I can at least convince the higher ups to leave good enough alone and
maybe consider our method of managing the servers.



The systems in which we may be integrated
with, currently has over 1000 servers. Our network has around 250
servers.



With response to what Roger mentioned, I
do not know completely if their internal domain is separate or integrated with
the bastion hosts. My opinion to that however, would still remain the
same. If the domain, separated or integrated with the internal domain,
were to be compromised I believe that all servers within that domain are at
risk.

-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, April 23, 2004 12:45
PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active
Directory and Bastion Hosts



I agree with Roger on
that. Active Directory *can* be used, hardened etc. (see the nsa docs for
hardening guides as well as the Microsoft stuff on the subject). But why? Why
do you need the overhead of Active Directory as a bastion host? Answer
that question and you can decide if it fits. Couple that with the
questions at the bottom of Roger's email and you can see a decision pattern.





My preference is to not
use it in that environment unless I need something from it I can't get
elsewhere. I can get the directory service in ADAM but there are other
pieces of Active Directory I may also need for some applications.



Al

From: Roger Seielstad
[mailto:[EMAIL PROTECTED] 
Sent: Friday, April 23, 2004 12:22
PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory and Bastion Hosts

It's quite possible to use AD on bastion and DMZ hosts. It just shouldn't be the
same forest as your production internal systems. It strikes me that using the
Federated Forests concepts in ADv2 (i.e. Win2k3) you can deploy a bastion AD that
trusts your internal forest using a one way cross forest trust. There still is
an inherent security risk there, but it's then hacking two forests instead of
one.



I
really, REALLY don't think this is worth it unless there are sufficient numbers
of systems for which a unified authentication domain makes sense. For instance,
if you ran a 50 server webfarm, it might make sense, but for 2-3 boxes, local
accounts tend to make more sense.



If
what the bastion hosts need to access in AD is a set of attributes (via LDAP),
it makes more sense to turn up an instance of ADAM and use MIIS to one way
replicate data to it, at which point you're only exposing exactly the data
that's required.

Can you describe the goal/business need that's trying to be addressed here?

Roger

--

Roger D. Seielstad - MTS MCSE MS-MVP 
Sr. Systems Administrator 
Inovis Inc.

From: Edwin
[mailto:[EMAIL PROTECTED] 
Sent: Friday, April 23, 2004 11:17
AM
To: Active Directory List
Subject: [ActiveDir] Active
Directory and Bastion Hosts

Active Directory is a great tool for
managing systems, I am sure that we can all agree. However a topic of
discussion has come up raising the question, should AD be used on Bastion
Hosts?



My opinion is no, it should
not. AD is perfect for a secured internal network environment but not for
servers that are constantly being accessed by the anonymous user. Aside
from the anonymous user, you have those users that have configured web sites on
the server that have a foot in the door towards direct access to
the machine.



With AD, in my opinion, if one
machine were to be compromised or some other vulnerability discovered, the
potential for all machines connected to the domain to be affected is much
greater. In a network without AD, the compromise of one machine will
generally suggest an isolated machine because it is not connected to other
machines by some means of a trusted connection.



One DLL installed that was not
properly reviewed before install, a security update that was overlooked or not
known about, or any other compromise to the machine could potentially affect
the entire domain.



The above reflects my general opinion
about

[ActiveDir] Authoritative Domain Problem

2004-03-10 Thread Edwin

I have my DC setup as a DHCP Server as well as a DNS
Server. I work for a company that has public DNS records (mycompany.net)
that are used to reference servers that are accessed daily. I setup the
DC to use mycompany.net as the domain name and now I am having troubles
resolving DNS for these daily accessed servers. So for example, if I
needed to access a server I would normally reference it by calling servername.mycompany.net.
I should have used a 3rd level domain for the DC but that is too
late to argue about or change now.



Since I have Win2K3 as my DC I tried to do a domain
rename. As I started reading the documentation, I quickly learned that I
could not do this because the client machines already on the DC are running
Win2K Professional ( easy fix ), but more importantly the MS Exchange Server we
have online would not support the domain name change. Therefore, because
of the Exchange server I could not risk performing this task a second time
since the Exchange Server was just recently moved to this new domain in
question and I received a lot of grief because of the migration process.



So here is my question. Is it possible to have the DNS
server of the DC forward an authoritative request to a public nameserver?
I have tried doing this by configuring the Forwarders tab under
the DNS properties without success. The workaround being used right now
is to change the DHCP server order by having the public nameservers listed
first and then the DC DNS server listed last. This of course doesn't
sound like a good solution.



If forwarding is not an option, then is it possible for the
internal DC DNS server to query the external public nameserver and then pull
the data that it does not currently have? If so, can you please lead me
in the right direction?



I hope that I have made my question clear. If anyone
is able to help, I will be more than happy to answer any and all questions that
I can.

RE: [ActiveDir] Authoritative Domain Problem

2004-03-10 Thread Edwin

Our public nameserver is running Linux and
we could enable it for use on the DC but that would mean we would have to punch
a hole in the firewall. But putting a hole in the firewall is not
something that will be approved.



Doing something with ADSI programming
seems to be the only logical solution at this point but my experience just doesn't
take me there yet. I am doing a lot of reading now but need a quicker
solution. I would think that M$FT had some kind of tool already that
would query a remote nameserver and import those settings for a domain.
Would I be correct? If not M$FT, does anyone know of another tool maybe
from a 3rd party developer?



-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Wednesday, March 10, 2004
9:47 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Authoritative Domain Problem

Since your DC (rightly)
believes it is authoritative for mycompany.net, it won't matter what you have
set up for forwarding. Any request coming to your DC for resolving
*.mycompany.net is going to get answered by the DC. It will either return the
requested information or say that the information doesn't exist.



What you'll need to do is
manually add in the records for the daily accessed servers. Or, if those
servers are joined to your Win2k3 domain and you have dynamic DNS enabled, the
servers can register themselves.



As a sidenote, take a
look at http://support.microsoft.com/default.aspx?scid=kb;en-us;255134.
Not sure if this has changed for Win2k3, but definitely worth following up.

From: Edwin
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 10, 2004
7:00 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Authoritative
Domain Problem

I have my DC setup as a DHCP Server
as well as a DNS Server. I work for a company that has public DNS records
(mycompany.net) that are used to reference servers that are accessed
daily. I setup the DC to use mycompany.net as the domain name and now I
am having troubles resolving DNS for these daily accessed servers. So for
example, if I needed to access a server I would normally reference it by
calling servername.mycompany.net. I should have used a 3rd
level domain for the DC but that is too late to argue about or change now.



Since I have Win2K3 as my DC I tried
to do a domain rename. As I started reading the documentation, I quickly
learned that I could not do this because the client machines already on the DC
are running Win2K Professional ( easy fix ), but more importantly the MS
Exchange Server we have online would not support the domain name change.
Therefore, because of the Exchange server I could not risk performing this task
a second time since the Exchange Server was just recently moved to this new
domain in question and I received a lot of grief because of the migration
process.



So here is my question. Is it
possible to have the DNS server of the DC forward an authoritative request to a
public nameserver? I have tried doing this by configuring the
Forwarders tab under the DNS properties without success. The
workaround being used right now is to change the DHCP server order by having
the public nameservers listed first and then the DC DNS server listed last.
This of course doesn't sound like a good solution.



If forwarding is not an option, then
is it possible for the internal DC DNS server to query the external public
nameserver and then pull the data that it does not currently have? If so,
can you please lead me in the right direction?



I hope that I have made my question
clear. If anyone is able to help, I will be more than happy to answer any
and all questions that I can.

RE: [ActiveDir] Authoritative Domain Problem

2004-03-10 Thread Edwin

If the zone had minimal changes, that
would definitely be an option. But this zone can be edited a number of times a
day as more servers are added to our network. But a way is needed to have one
update done for both servers or have the DC poll the Linux server and get the
information that it does not have.



-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, March 10, 2004
1:31 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Authoritative Domain Problem

Why not open the port between DC and the outside server long enough to pull a
single secondary transfer, then close it and change the zone in AD to AD
integrated?

--

Roger D. Seielstad - MTS MCSE MS-MVP 
Sr. Systems Administrator 
Inovis Inc. 



-Original
Message-
From: Coleman, Hunter
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 10, 2004
12:02 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Authoritative Domain Problem

<vague recollection>Programmatically managing DNS in Win2000 was/is klunky. The WMI
DNS provider in Win2k3 is much better, and may offer a good path for you. I
seem to recall Robbie posting on this a while back, but I could be wrong.</vague recollection>



Short term, you can
probably build a duct tape and baling wire solution using a combination of
nslookup to dump the information from your Linux DNS server, vbscript or perl
to modify the dumped DNS information if necessary, and a batch file with
dnscmd.exe (Windows Support Tools) to add the records in your Win2k3 DNS.



Hunter

From: Edwin
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 10, 2004
9:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
Authoritative Domain Problem

Our public nameserver is
running Linux and we could enable it for use on the DC but that would mean we
would have to punch a hole in the firewall. But putting a hole in the
firewall is not something that will be approved.



Doing something with ADSI
programming seems to be the only logical solution at this point but my
experience just doesn't take me there yet. I am doing a lot of reading
now but need a quicker solution. I would think that M$FT had some kind of
tool already that would query a remote nameserver and import those settings for
a domain. Would I be correct? If not M$FT, does anyone know of
another tool maybe from a 3rd party developer?



-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Wednesday, March 10, 2004
9:47 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Authoritative Domain Problem

Since
your DC (rightly) believes it is authoritative for mycompany.net, it won't matter
what you have set up for forwarding. Any request coming to your DC for
resolving *.mycompany.net is going to get answered by the DC. It will either
return the requested information or say that the information doesn't exist.



What
you'll need to do is manually add in the records for the daily accessed
servers. Or, if those servers are joined to your Win2k3 domain and you have
dynamic DNS enabled, the servers can register themselves.



As a
sidenote, take a look at http://support.microsoft.com/default.aspx?scid=kb;en-us;255134.
Not sure if this has changed for Win2k3, but definitely worth following up.

From: Edwin
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 10, 2004
7:00 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Authoritative
Domain Problem

I have my DC setup as a DHCP Server
as well as a DNS Server. I work for a company that has public DNS records
(mycompany.net) that are used to reference servers that are accessed
daily. I setup the DC to use mycompany.net as the domain name and now I
am having troubles resolving DNS for these daily accessed servers. So for
example, if I needed to access a server I would normally reference it by
calling servername.mycompany.net. I should have used a 3rd
level domain for the DC but that is too late to argue about or change now.



Since I have Win2K3 as my DC I tried
to do a domain rename. As I started reading the documentation, I quickly
learned that I could not do this because the client machines already on the DC
are running Win2K Professional ( easy fix ), but more importantly the MS
Exchange Server we have online would not support the domain name change.
Therefore, because of the Exchange server I could not risk performing this task
a second time since the Exchange Server was just recently moved to this new
domain in question and I received a lot of grief because of the migration
process.



So here is my question. Is it
possible to have the DNS server of the DC forward an authoritative request to a
public nameserver? I have tried doing this by configuring the
Forwarders tab under the DNS properties without success. The
workaround being used right now is to change the DHCP server order
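An added example, not posted by anyone in this thread, of the "import those settings" tool asked for above: a script that asks the public authoritative nameserver for a fixed list of hostnames and copies their A records into the DC's internal mycompany.net zone, which is the only place the DC will ever look for them. It assumes the DnsClient and DnsServer PowerShell modules (Windows Server 2012 or later; the Windows Server 2003 box in the thread would need dnscmd.exe /RecordAdd for the same job). The public nameserver name, the DC name and the host list are assumptions, not values from the thread.

```powershell
# Added example (not from the thread). Seed an internal, authoritative
# mycompany.net zone with the public A records of a fixed list of hosts.
# Assumptions: DnsClient + DnsServer modules (Windows Server 2012 or later),
# run by an account that may write to the zone on the DC.

param(
    [string]$Zone      = 'mycompany.net',
    [string]$PublicNs  = 'ns1.example-registrar.net',   # assumption: the public authoritative NS for the zone
    [string]$DnsServer = 'dc1.mycompany.net',           # assumption: the DC running the internal DNS
    [string[]]$Hosts   = @('www', 'mail', 'portal'),    # constructed list of the "daily accessed" names
    [switch]$DryRun
)

foreach ($h in $Hosts) {
    $fqdn = "$h.$Zone"

    # Query the public authoritative server directly. Asking the DC would just
    # return NXDOMAIN from its own zone, and an open resolver is not a source
    # you want to copy records from into an authoritative zone.
    $public = Resolve-DnsName -Name $fqdn -Type A -Server $PublicNs -DnsOnly -ErrorAction SilentlyContinue |
              Where-Object { $_.QueryType -eq 'A' }
    if (-not $public) { Write-Warning "$fqdn : no public A record, skipping"; continue }

    $wanted = @($public.IPAddress | Sort-Object -Unique)
    $have   = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Name $h -RRType A -ErrorAction SilentlyContinue |
                ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString } | Sort-Object -Unique)

    # Only add what is missing. Internal records that the public side no longer
    # has are reported, never deleted, so a wrong answer from outside cannot
    # remove a working entry.
    foreach ($ip in $wanted) {
        if ($have -contains $ip) { continue }
        if ($DryRun) { "WOULD ADD $fqdn -> $ip"; continue }
        Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $Zone -Name $h `
            -IPv4Address $ip -TimeToLive (New-TimeSpan -Hours 1)
        "ADDED $fqdn -> $ip"
    }
    foreach ($ip in ($have | Where-Object { $wanted -notcontains $_ })) {
        Write-Warning "$fqdn : internal record $ip is not in public DNS, review by hand"
    }
}
```

The records it creates are plain copies, so they go stale the moment the public ones change; run it on a schedule (with -DryRun first) and keep the host list short and explicit rather than walking the whole public zone. It is a patch over the split-brain naming problem the original message describes, not a replacement for using a separate internal zone name.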

[ActiveDir] Roaming Profile Synchronization

2004-03-09 Thread Edwin








I recently setup Active Directory for the first time
and decided to use roaming profiles. I have two Domain Controllers setup
at the present moment using Windows 2003 Enterprise Edition. All client
machines are using Windows 2000 Professional. What I am noticing is that
at random times, if not most of the time, within the systray an icon appears
that allows the user to synchronize their files. It seems to me that
their workstation is not always making the connection to the network share
where their files are stored. Right now, Application Data, My Documents
and Desktop are being forwarded to a UNC path on the DC. I have my
machine on the domain controller using Windows 2003 Standard Edition and I do
not seem to have this problem.



Is this a version difference? I have checked
the GPO that I set up and it appears to be correct to not allow the user to
control synchronization but that only applies from what I understand if the
user makes a successful connection to the network location in which their files
are stored. Otherwise it uses the temporary profile.



I would appreciate any guidance that can be offered.



Thank you in advance.



[EMAIL PROTECTED]