RE: [ActiveDir] [OT] Perc 5i and WinPE
Title: [OT] Perc 5i and WinPE

Hi Neil,

We had the same problem previously while loading drivers for Backup Exec System Recovery (WinPE based), but we uploaded the drivers found in Dell downloads. Also note that the Broadcom drivers need to be downloaded as well (not detectable via PE). Not sure if that's of any help.

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Infrastructure Services Engineer
International SOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 08, 2006 12:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] Perc 5i and WinPE

Has anyone managed to locate drivers for the PERC 5i (used by Dell PE servers) which can be used with WinPE? The build guys here are struggling to get WinPE working with this controller.

Many thanks,
neil

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy.
Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
[ActiveDir] Certificate Authority unable to publish certs in AD
Title: Certificate Authority unable to publish certs in AD

Hi guys,

For some weird reason I'm getting the below errors on the certificate authority. The CA is a one-level issuing enterprise CA, running on Win2003 Enterprise Edition, with autoenrollment enabled for a few usernames. GPO has been enabled for autoenrollment for both the user and computer portion. Cert templates have been given the rights and are issuing the User Certificate type successfully to the local machines, but NOT publishing it to the userCertificate attribute...

Event log 80 on the CA server:

  Certificate Services could not publish a Certificate for request 264 to the following location on server SINDC01.intlsos.com: CN=Oliva O.CUNTAPAY,OU=Users,OU=SIN,DC=intlsos,DC=com. Insufficient access rights to perform the operation. 0x80072098 (WIN32: 8344).
  ldap: 0x32: 2098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Event log on the domain controller:

  Event Type: Failure Audit
  Event Source: Security
  Event Category: Directory Service Access
  Event ID: 566
  Accesses: Write Self
  Properties: ---
    Personal Information
      userCertificate
    user
  Additional Info:
  Additional Info2:
  Access Mask: 0x8

Things I've verified so far:
1) The CA computer account is listed in the Cert Publishers group.
2) Have modified the Cert Publishers group to be a domain local group (it's an upgrade from a 2000 domain).
3) Verified that Cert Publishers has Read/Write on the userCertificate attribute.

Any suggestions?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Infrastructure Services Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
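An added check for the symptom above (example code written for this page, not part of the original post or of Certificate Services). Event 80 with INSUFF_ACCESS_RIGHTS on one user while the group membership looks right usually means the ACE granting Cert Publishers write access to userCertificate is missing from that particular user object, most often because the user is protected by AdminSDHolder (adminCount=1, inherited ACEs stripped) or inheritance is blocked on the object or its OU. The script verifies the CA account's effective membership in Cert Publishers, looks for the relevant ACE on the user from the original event, and reports adminCount and the inheritance flag. It assumes the ActiveDirectory PowerShell module (RSAT) against a 2008 R2 or later DC; the CA computer name is a placeholder, the user DN is the one from the event.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$UserDN = 'CN=Oliva O.CUNTAPAY,OU=Users,OU=SIN,DC=intlsos,DC=com'   # from the Event 80 text
$CaHost = 'SINCA01'   # assumed CA computer name; the thread does not name it

# 1. Is the CA computer account (directly or through nesting) in Cert Publishers?
$certPub    = Get-ADGroup 'Cert Publishers'
$caComputer = Get-ADComputer $CaHost
$isMember   = @(Get-ADGroupMember $certPub -Recursive |
                Where-Object { $_.distinguishedName -eq $caComputer.DistinguishedName }).Count -gt 0
"CA computer in Cert Publishers (recursive): $isMember"

# 2. Does this user's ACL contain an Allow WriteProperty ACE for userCertificate
#    (or for all properties) granted to Cert Publishers? Resolve the attribute's
#    schemaIDGUID from the schema instead of hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$ucObj    = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=userCertificate)' -Properties schemaIDGUID
$ucGuid   = New-Object System.Guid -ArgumentList (,[byte[]]$ucObj.schemaIDGUID)
$writeProp = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$acl = Get-Acl -Path "AD:\$UserDN"
$ace = $acl.Access | Where-Object {
    $_.IdentityReference -like '*\Cert Publishers' -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
    ($_.ObjectType -eq $ucGuid -or $_.ObjectType -eq [guid]::Empty)
}
"Cert Publishers has WriteProperty on userCertificate for this user: $(@($ace).Count -gt 0)"

# 3. The usual reason the ACE is missing on one user: AdminSDHolder protection
#    (adminCount=1 strips inherited ACEs) or blocked inheritance.
$u = Get-ADUser -Identity $UserDN -Properties adminCount
"adminCount: $($u.adminCount)   inheritance blocked on object: $($acl.AreAccessRulesProtected)"
```

If step 2 reports false and adminCount is 1, the user is in a protected group (or was once; adminCount is not cleared automatically), and the CA will keep failing for that user until the account is removed from protection or the certificate is published by another means.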
RE: [ActiveDir] OT: Enterprise Terminal Server Licensing Server question
Title: OT: Enterprise Terminal Server Licensing Server question

Hi Mike,

I had the same problem, which I actually logged a PSS call on. Try using the Windows 2000 Resource Kit version of lsview.exe and it works fine. Basically, if I remember this correctly, using the Win2003 lsview.exe it will only detect it if your machine is in the same site as the TSLS server; if you are running lsview on a machine that is outside the site, it wouldn't detect it. No solution; fed up with the answers I was getting, I closed the ticket (as I thought this only occurred in my ex-company; apparently now I'm getting the same result as well).

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Saturday, August 05, 2006 5:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Enterprise Terminal Server Licensing Server question

Hi,

This is not causing any issues that I am aware of, but something does not seem right. We set up two Enterprise Terminal Server Licensing Servers, both DCs. They are both identified in CN=TS-Enterprise-License-Server,CN=site-name,CN=Sites,CN=Configuration,DC=something,DC=com under the attribute siteServer. When I run the GUI LSVIEW.EXE from the W2K3 ResKit, nothing populates, but the spotlight icon shows green (i.e., everything is hunky-dory). Some more research shows that the AD group Terminal Server License Servers has *no* members! Would it make sense to populate this group with the appropriate servers? Any idea why it wouldn't have been populated in the first place?

TIA,
Mike Thommes
RE: [ActiveDir] Multihomed Domain Controllers
Hi Jorge,

Aha, does that happen to be a link somewhere on the net that I can reference? Personally, for DCs I never find a need for adapter teaming; if the NIC dies and I get an alert from the monitoring server, that's all good for me - clients should fail over elsewhere anyway... So any bullets against teaming would be excellent!

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, July 13, 2006 9:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

In the Windows Server System Reference Architecture (WSSRA) Microsoft states: "At this time, Microsoft does not support load balanced network teams on domain controllers due to potential data corruption issues" (taken from the Directory Services Blueprint, page 29).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, July 13, 2006 13:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

We team everything. It seems stupid not to. Use fault tolerance only (as opposed to load balancing) and you've got additional resiliency. FT works fine with different paths, e.g. different switches.

--Paul

----- Original Message -----
From: Freddy HARTONO [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, July 13, 2006 2:02 AM
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Don't mean to hijack this thread, but on a similar note - what's the downside of installing DCs with adapter teaming? All I know is that when adapter teaming is enabled, setting up the WINS service will pop up an error message (which can be ignored)... but anything else? I've always been a firm believer in one NIC and no teaming... Any comments?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006... I hope we are still not making hosts file entries on servers and workstations :-)

Peter Johnson wrote:

You might want to then create entries in the hosts file on the backup server so that you guarantee that the backup server always uses the right network connection.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: 12 July 2006 12:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you... go to the TCP/IP settings of the backup network card, click Advanced, go to the DNS tab and untick "register the connection in DNS".

Cheers,
Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list, but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and, as my servers have dual inbuilt NICs, this seems an obvious route to take. I know there are some issues with DNS (I have DNS-integrated AD). Would this cause replication problems, etc.? Any other gotchas?

Many thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098
I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows

Confidentiality Note: The information contained in this email and document(s) attached are for the exclusive use of the addressee and may contain confidential, privileged and non-disclosable information. If the recipient of this email is not the addressee, such recipient is strictly prohibited
RE: [ActiveDir] Kerberos MaxTokenSize and too many groups issues
Thanks guys, really helpful. Didn't know how bad things can be with those huge groups... like paged pool memory issues.

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Wednesday, July 12, 2006 4:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos MaxTokenSize and too many groups issues

Just noticed that we both referred to the same token limitation article. It's easy to find when you know what to look for. If you do a search in Google for "Token limitation" it's the first item that pops up.
RE: [ActiveDir] Multihomed Domain Controllers
Don't mean to hijack this thread, but on a similar note - what's the downside of installing DCs with adapter teaming? All I know is that when adapter teaming is enabled, setting up the WINS service will pop up an error message (which can be ignored)... but anything else? I've always been a firm believer in one NIC and no teaming... Any comments?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, July 12, 2006 11:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

In the year 2006... I hope we are still not making hosts file entries on servers and workstations :-)

Peter Johnson wrote:

You might want to then create entries in the hosts file on the backup server so that you guarantee that the backup server always uses the right network connection.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: 12 July 2006 12:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

No issues, if you... go to the TCP/IP settings of the backup network card, click Advanced, go to the DNS tab and untick "register the connection in DNS".

Cheers,
Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list, but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and, as my servers have dual inbuilt NICs, this seems an obvious route to take. I know there are some issues with DNS (I have DNS-integrated AD). Would this cause replication problems, etc.? Any other gotchas?

Many thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228
f: +44 (0)1895 463098
I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows

Confidentiality Note: The information contained in this email and document(s) attached are for the exclusive use of the addressee and may contain confidential, privileged and non-disclosable information. If the recipient of this email is not the addressee, such recipient is strictly prohibited from reading, photocopying, distribution or otherwise using this email or its contents in any way. Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail immediately at [EMAIL PROTECTED], if you have received this email in error. Disclaimer: The views, opinions and guidelines contained in this confidential e-mail are those of the originating author and may not be representative of Sapiens (UK) Ltd.

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
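Rob's advice for the backup NIC, carried through and then verified, as an added example (written for this page; not code from anyone in the thread). The verification step matters on a DC: unticking "register this connection" only controls the DNS client, while Netlogon registers the DC locator records, including the domain's own A record (the LdapIpAddress mnemonic), for the DC's addresses independently and is governed by its DnsAvoidRegisterRecords setting, so the backup address can still leak into DNS and send clients and replication partners down the backup network. The script also disables NetBIOS over TCP/IP on that adapter so WINS and browsing do not advertise it either. It assumes Windows Server 2012 or later (DnsClient and NetAdapter modules); the interface alias, DC name and backup subnet are placeholders.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012+ cmdlets.
$BackupNic = 'Backup'            # assumed interface alias of the backup-network adapter
$DcFqdn    = 'dc01.example.com'  # assumed; the thread names no host
$BackupNet = '10.99.'            # assumed backup-network prefix

# 1. Stop the DNS client registering the backup adapter's address.
Set-DnsClient -InterfaceAlias $BackupNic -RegisterThisConnectionsAddress $false

# 2. Disable NetBIOS over TCP/IP on that adapter (TcpipNetbiosOptions 2 = disabled).
$ifIndex = (Get-NetAdapter -Name $BackupNic).InterfaceIndex
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Where-Object { $_.InterfaceIndex -eq $ifIndex } |
    ForEach-Object {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
    } | Out-Null

# 3. Re-register host and DC locator records so stale entries get replaced.
ipconfig /registerdns | Out-Null
nltest /dsregdns      | Out-Null

# 4. Verify: neither the DC's own A record nor the domain's A record should
#    point into the backup subnet. If the domain record still does, Netlogon
#    registered it; fix that with the Netlogon DnsAvoidRegisterRecords setting.
$domain = $DcFqdn.Split('.', 2)[1]
$stale  = @(Resolve-DnsName $DcFqdn -Type A) + @(Resolve-DnsName $domain -Type A) |
          Where-Object { $_.IPAddress -like "$BackupNet*" }

if ($stale) {
    'Backup-network addresses still registered in DNS:'
    $stale | Format-Table Name, IPAddress -AutoSize
} else {
    'No backup-network addresses registered for the DC or the domain.'
}
```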
[ActiveDir] Kerberos MaxTokenSize and too many groups issues
Title: Kerberos MaxTokenSize and too many groups issues

Hi all,

Have a badly designed application which is tapping on AD memberships for its grouping rights and user memberships to define their roles and permissions, and today found out that one of the users is unable to access the application, but standard logon access to the Exchange mailbox etc. is working fine. Digging further I'm seeing quite a few errors in the event log (details below) - then did a registry key of MaxTokenSize as below and everything seems to work fine. Also, prior to this, running gpresult on the machine doesn't give any result at all.

Question - I was under the assumption that this applies to Win 2000 only, not XP or 2003, but apparently it does? Also, if I remember correctly there's a command or tool to calculate the token size of a user; anybody has that tool again please?

MaxTokenSize regkey: http://support.microsoft.com/?id=263693

  Event Type: Error
  Event Source: Userenv
  Event Category: None
  Event ID: 1000
  Date: 7/7/2006
  Time: 5:07:09 AM
  User: NT AUTHORITY\SYSTEM
  Computer: XX
  Description: Windows cannot determine the user or computer name. Return value (14).

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
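An added example (written for this page, not code from the thread) that does what the question asks for: estimate a user's Kerberos token size before it hits the limit. Microsoft's sizing formula (KB 327825) is TokenSize = 1200 + 40d + 8s, where d counts the domain local groups, universal groups from outside the user's account domain and SID history entries (each carried as a full 40-byte SID), and s counts global groups and universal groups from the user's own domain (carried as 8-byte RIDs); the pre-Windows 2012 default MaxTokenSize that the registry key in the post raises is 12000 bytes (KB 263693). The script expands nested membership through the constructed tokenGroups attribute, classifies each group by scope and domain, and flags users whose estimate exceeds the default. It assumes the ActiveDirectory module and a reachable DC; the sAMAccountName is a placeholder, and well-known and BUILTIN SIDs are skipped as a simplification.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-EstimatedTokenSize {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user          = Get-ADUser $SamAccountName -Properties sIDHistory
    $userDomainSid = $user.SID.AccountDomainSid

    # tokenGroups is a constructed attribute holding the fully expanded (nested)
    # set of security group SIDs; it must be read from the object itself.
    $entry = [ADSI]"LDAP://$($user.DistinguishedName)"
    $entry.RefreshCache(@('tokenGroups'))
    $sids = foreach ($raw in $entry.Properties['tokenGroups']) {
        New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    }

    $d = 0; $s = 0
    foreach ($sid in $sids) {
        if ($null -eq $sid.AccountDomainSid) { continue }   # well-known / BUILTIN: skipped (simplification)
        $g = Get-ADGroup -Identity $sid.Value -ErrorAction SilentlyContinue
        if (-not $g) { continue }                           # foreign SID with no resolvable group here
        $sameDomain = ($sid.AccountDomainSid -eq $userDomainSid)
        switch ("$($g.GroupScope)") {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($sameDomain) { $s++ } else { $d++ } }
        }
    }
    $d += @($user.sIDHistory).Count   # SID history entries are full SIDs: 40 bytes each

    $estimate = 1200 + 40 * $d + 8 * $s
    [pscustomobject]@{
        User                  = $SamAccountName
        FullSidEntries_d      = $d
        RidEntries_s          = $s
        EstimatedTokenBytes   = $estimate
        ExceedsDefault12000   = ($estimate -gt 12000)
    }
}

# Usage: estimate one user, or sweep an OU and list the heaviest tokens first.
Get-EstimatedTokenSize -SamAccountName 'jdoe'   # 'jdoe' is a placeholder
# Get-ADUser -Filter * -SearchBase 'OU=SIN,DC=intlsos,DC=com' |
#     ForEach-Object { Get-EstimatedTokenSize $_.SamAccountName } |
#     Sort-Object EstimatedTokenBytes -Descending | Select-Object -First 20
```

On the affected machine itself, `whoami /groups` (and the Tokensz tool from Microsoft) gives the live group count for comparison; the estimate above is useful because it can be run for any user from an admin workstation before they hit the Userenv 1000 / gpresult failure described in the post.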
[ActiveDir] OT: Global Catalog languages Exchange 2003
Title: OT: Global Catalog languages Exchange 2003

Hi,

Apart from installing the language options in Regional Settings, do I still need to input the registry keys on the GC to reflect the languages?

HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Ntds/Language

Can't find the document for Exchange 2003, but the 2000 one is below:
http://support.microsoft.com/kb/325622/en-us

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
RE: [ActiveDir] Time Server for Forest Root PDC
Time lag can be a painful thing in certain applications. Had an incident before where the payroll system, which is linked to the access card system, was getting out of sync; some factory production workers were getting free overtime pay due to a few minutes out of sync with the real world's time...

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Tuesday, June 13, 2006 6:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time Server for Forest Root PDC

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Teo De Las Heras
Sent: 12 June 2006 18:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Time Server for Forest Root PDC

How have people on this list configured their Forest Root PDC to synchronize the time service? Is it O.K. to use an internal time server on a firewall? Is it best to point to tick.usno.navy.mil or time.windows.com?

I'm coming late to this party, but that hasn't stopped me throwing in my two pennies' worth before...

We have our own atomic / radio clock here, physically attached to a DC. The DC it is connected to syncs to this hardware and all our other servers sync to this DC.

My feeling is that while having the correct time is obviously a very good thing, what is more important is that all your nodes are consistent with each other; in other words, I think that what source you pick is less important than picking just one source and making damn sure every node uses time that is based off this source.

--
Robert Moir
Microsoft MVP for Windows Servers Security
Senior IT Systems Engineer
Luton Sixth Form College
Right vs. Wrong | Good vs. Evil
God vs. the devil | What side you on?
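Rob's "one source, every node follows it" model, as it is actually configured with w32tm (an added example written for this page, not from anyone in the thread). The forest root PDC emulator is the only machine given a manual peer; everything else stays on the domain hierarchy (NT5DS) so it chases the PDC through the normal DC-to-PDC chain. The reason the consistency matters more than absolute accuracy, beyond the payroll case above, is Kerberos: the default maximum tolerance for clock skew is five minutes, and a node outside that window stops authenticating. The commands assume w32tm.exe as shipped with Windows Server 2003 or later; the peer name is a placeholder for the appliance, radio clock or external NTP server you choose.

```powershell
# Added example, not from the thread. Run on the forest root PDC emulator only.
$TimeSource = 'ntp.example.com'   # assumed: your single chosen source (appliance, radio clock, external NTP)

# Point the PDC emulator at the one source (0x8 = client mode) and mark it reliable
# so the rest of the forest hierarchy will trust it.
w32tm /config /manualpeerlist:"$TimeSource,0x8" /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time
w32tm /resync /rediscover

# Every other DC and member keeps the default domain-hierarchy setting; if one was
# ever pointed elsewhere by hand, put it back with:
#   w32tm /config /syncfromflags:domhier /update ; w32tm /resync

# Checks. /monitor lists each DC's offset from the PDC; anything approaching
# the 5-minute Kerberos skew limit shows up here long before logons fail.
w32tm /monitor /domain:$env:USERDNSDOMAIN

# Sample a host's offset from the source a few times to see drift rather than a one-off value.
w32tm /stripchart /computer:$TimeSource /samples:5 /dataonly
```

If the PDC emulator role is later moved, repeat the first block on the new holder and reset the old one to domhier; otherwise the forest silently ends up with two sources.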
RE: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server
The only comment on the WMI below is that it will dump every network card that you have. Is there a way that you could do it for the primary network card only (the one on top of the binding list)? As for the registry key, it will be the NameServerList value, but it is still bound to the transport ID (which is different for all servers).

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Kline
Sent: Tuesday, June 13, 2006 6:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS - How to tell the static DNS IP-addresses per server

This came from MSDN's Scriptomatic 2.0. It dumps everything! Remove the many, many lines which you don't need. Edit the constant SERVERNAME to the machine in question. I've not tried it, but I think that you can put in multiple names separated by commas.

Rich

  On Error Resume Next

  Const wbemFlagReturnImmediately = &h10
  Const wbemFlagForwardOnly = &h20

  arrComputers = Array("SERVERNAME")
  For Each strComputer In arrComputers
     WScript.Echo
     WScript.Echo "=="
     WScript.Echo "Computer: " & strComputer
     WScript.Echo "=="

     Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
     Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration", "WQL", _
                                            wbemFlagReturnImmediately + wbemFlagForwardOnly)

     For Each objItem In colItems
        WScript.Echo "ArpAlwaysSourceRoute: " & objItem.ArpAlwaysSourceRoute
        WScript.Echo "ArpUseEtherSNAP: " & objItem.ArpUseEtherSNAP
        WScript.Echo "Caption: " & objItem.Caption
        WScript.Echo "DatabasePath: " & objItem.DatabasePath
        WScript.Echo "DeadGWDetectEnabled: " & objItem.DeadGWDetectEnabled
        strDefaultIPGateway = Join(objItem.DefaultIPGateway, ",")
        WScript.Echo "DefaultIPGateway: " & strDefaultIPGateway
        WScript.Echo "DefaultTOS: " & objItem.DefaultTOS
        WScript.Echo "DefaultTTL: " & objItem.DefaultTTL
        WScript.Echo "Description: " & objItem.Description
        WScript.Echo "DHCPEnabled: " & objItem.DHCPEnabled
        WScript.Echo "DHCPLeaseExpires: " & WMIDateStringToDate(objItem.DHCPLeaseExpires)
        WScript.Echo "DHCPLeaseObtained: " & WMIDateStringToDate(objItem.DHCPLeaseObtained)
        WScript.Echo "DHCPServer: " & objItem.DHCPServer
        WScript.Echo "DNSDomain: " & objItem.DNSDomain
        strDNSDomainSuffixSearchOrder = Join(objItem.DNSDomainSuffixSearchOrder, ",")
        WScript.Echo "DNSDomainSuffixSearchOrder: " & strDNSDomainSuffixSearchOrder
        WScript.Echo "DNSEnabledForWINSResolution: " & objItem.DNSEnabledForWINSResolution
        WScript.Echo "DNSHostName: " & objItem.DNSHostName
        strDNSServerSearchOrder = Join(objItem.DNSServerSearchOrder, ",")
        WScript.Echo "DNSServerSearchOrder: " & strDNSServerSearchOrder
        WScript.Echo "DomainDNSRegistrationEnabled: " & objItem.DomainDNSRegistrationEnabled
        WScript.Echo "ForwardBufferMemory: " & objItem.ForwardBufferMemory
        WScript.Echo "FullDNSRegistrationEnabled: " & objItem.FullDNSRegistrationEnabled
        strGatewayCostMetric = Join(objItem.GatewayCostMetric, ",")
        WScript.Echo "GatewayCostMetric: " & strGatewayCostMetric
        WScript.Echo "IGMPLevel: " & objItem.IGMPLevel
        WScript.Echo "Index: " & objItem.Index
        strIPAddress = Join(objItem.IPAddress, ",")
        WScript.Echo "IPAddress: " & strIPAddress
        WScript.Echo "IPConnectionMetric: " & objItem.IPConnectionMetric
        WScript.Echo "IPEnabled: " & objItem.IPEnabled
        WScript.Echo "IPFilterSecurityEnabled: " & objItem.IPFilterSecurityEnabled
        WScript.Echo "IPPortSecurityEnabled: " & objItem.IPPortSecurityEnabled
        strIPSecPermitIPProtocols = Join(objItem.IPSecPermitIPProtocols, ",")
        WScript.Echo "IPSecPermitIPProtocols: " & strIPSecPermitIPProtocols
        strIPSecPermitTCPPorts = Join(objItem.IPSecPermitTCPPorts, ",")
        WScript.Echo "IPSecPermitTCPPorts: " & strIPSecPermitTCPPorts
        strIPSecPermitUDPPorts = Join(objItem.IPSecPermitUDPPorts, ",")
        WScript.Echo "IPSecPermitUDPPorts: " & strIPSecPermitUDPPorts
        strIPSubnet = Join(objItem.IPSubnet, ",")
        WScript.Echo "IPSubnet: " & strIPSubnet
        WScript.Echo "IPUseZeroBroadcast: " & objItem.IPUseZeroBroadcast
        WScript.Echo "IPXAddress: " & objItem.IPXAddress
        WScript.Echo "IPXEnabled: " & objItem.IPXEnabled
        strIPXFrameType = Join(objItem.IPXFrameType, ",")
        WScript.Echo "IPXFrameType: " & strIPXFrameType
        ' the rest of the posted property list is cut off in the archive
     Next
  Next

  ' Scriptomatic helper used by the DHCP lease lines above: converts a WMI datetime string to a Date.
  Function WMIDateStringToDate(dtmDate)
     WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _
        Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) & " " & Mid(dtmDate, 9, 2) & ":" & _
        Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate, 13, 2))
  End Function
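Freddy's follow-up, answered as an added example (written for this page; not Richard's Scriptomatic dump or anything else from the thread): report the DNS servers of only the adapter at the top of the TCP/IP binding order, for a list of servers. The binding order is stored as the multi-string value Bind under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage, one \Device\{GUID} entry per adapter with the first entry at the top of the list, and that {GUID} is the same value Win32_NetworkAdapterConfiguration exposes as SettingID, so the two can be joined without knowing the per-server transport ID. DHCPEnabled is reported alongside so static and DHCP-assigned DNS settings are told apart. It assumes WMI access and the Remote Registry service on each target; SERVERNAME is the placeholder from Richard's script.

```powershell
# Added example, not from the thread. Assumes WMI + Remote Registry access to each server.
function Get-PrimaryAdapterDnsServers {
    param([string[]]$ComputerName = @('SERVERNAME'))

    foreach ($computer in $ComputerName) {
        # Binding order: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage\Bind (REG_MULTI_SZ),
        # entries like \Device\{GUID}; index 0 is the top of the "Adapters and Bindings" list.
        $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
        $bind  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').GetValue('Bind')
        $order = @($bind | ForEach-Object { ($_ -replace '^\\Device\\', '').ToUpper() })
        $rank  = @{}
        for ($i = 0; $i -lt $order.Count; $i++) { $rank[$order[$i]] = $i }

        # SettingID on the WMI configuration object is that same {GUID}.
        $configs = Get-WmiObject -ComputerName $computer -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
        $primary = $configs |
            Sort-Object { $k = $_.SettingID.ToUpper(); if ($rank.ContainsKey($k)) { $rank[$k] } else { [int]::MaxValue } } |
            Select-Object -First 1

        [pscustomobject]@{
            Computer    = $computer
            Adapter     = $primary.Description
            IPAddress   = ($primary.IPAddress -join ',')
            DHCPEnabled = $primary.DHCPEnabled              # $false = the DNS list below is static
            DnsServers  = ($primary.DNSServerSearchOrder -join ',')
        }
    }
}

# Usage: one server, or a list pulled from AD.
Get-PrimaryAdapterDnsServers -ComputerName 'SERVERNAME'
# Get-PrimaryAdapterDnsServers -ComputerName (Get-ADComputer -Filter 'OperatingSystem -like "*Server*"').Name |
#     Export-Csv .\primary-dns.csv -NoTypeInformation
```

Adapters that are IP-enabled but absent from the Bind list (rare, but seen with some teaming drivers) sort last rather than first, so a missing entry cannot be mistaken for the primary.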
RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?
I think now I have around 3500+ groups that have way-long CNs and display names, mostly created by ADC, so in the sAMAccountName it's only taking the first 20 characters... Personally I prefer short names, as Exchange only uses displayName for the address book, so it doesn't matter what the sAMAccountName or the CN for the group is. I'm thinking of writing a script that renames the long CN and sAMAccountName of the groups created by ADC to incremental groups, such as singroup1, singroup2, singroup3 (sin = Singapore). Any comments on whether it will break any functionality... or is this a bad idea?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, June 08, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?

I have a customer with tens of thousands of what I would call long group names (>=50 chars because of a bug in the app that owns them) and I haven't seen any group-name-related issue. I also haven't fully followed this thread, so I may not be understanding the issue.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, June 07, 2006 11:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?

Well, for normal AD there is no reason to handle them unless for some reason you don't want them anymore. As for the ADC... it is a temporary POS... I am not sure how much changing of the environment I would do to support it. I would start looking at telling it to stop dorking with things.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Wednesday, June 07, 2006 10:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?

Interesting read... So since I have thousands of groups with pretty long names - any suggestions on how you handle long group names? Do you create a short group name and put the long description on it...?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 08, 2006 9:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?

Here is the most recent...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 23, 2006 11:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Net localgroup limitation?

According to the schema the sAMAccountName must be 0-256; however, this is one of the famous SAM attributes, and the rules of the schema are not necessarily the rules that apply to the SAM attributes; see http://blog.joeware.net/2006/01/21/222/ - which is a blog article titled "But the schema says description is multivalued."

The sAMAccountName is fun because it depends on the object type it is applied to. For instance a user object peaks out at 20 even with LDAP. Local group names I believe could go to 256 characters if you knew how. You can definitely go that high on the local SAM on workstations. Even with NET.EXE you can create and manipulate domain local groups with greater than 20 characters. In fact I just double-checked and it easily handled creating, populating, and deleting a group with 100 characters. The pinch, though, is when you are trying to add that group to another group. NET.EXE screws that up and throws the usage screen. However, that doesn't mean it can't be done and that the API doesn't handle it. If you grab my LG tool from the website (http://www.joeware.net/win/free/tools/lg.htm) it will do it, and I can guarantee it uses the LEGACY NET API. I wrote the main code used in that tool initially back in about 1997 or 1998 or so.

I do recall in the early days of W2K some kind of an issue with group names, though, while importing them into AD from NT4 domains. If the group was too long it would instead get a random sAMAccountName, which I thought was quite fun. I ended up having to put in a check script after every migration to make sure that CNs and SAM names matched up.

Interestingly enough, MS has put an attribute into AD to hint at some point upcoming support for turning off the LANMAN support which artificially limits, say, a userid SAM name to 20 characters, called uASCompat. However, currently that attribute seems to be entirely re
RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?
Interesting read... So since I have thousands of groups with pretty long names - any suggestions on how you handle long group names? Do you create a short group name and put the long description on it...?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 08, 2006 9:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?

Here is the most recent...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 23, 2006 11:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Net localgroup limitation?

According to the schema the sAMAccountName must be 0-256; however, this is one of the famous SAM attributes, and the rules of the schema are not necessarily the rules that apply to the SAM attributes; see http://blog.joeware.net/2006/01/21/222/ - which is a blog article titled "But the schema says description is multivalued."

The sAMAccountName is fun because it depends on the object type it is applied to. For instance a user object peaks out at 20 even with LDAP. Local group names I believe could go to 256 characters if you knew how. You can definitely go that high on the local SAM on workstations. Even with NET.EXE you can create and manipulate domain local groups with greater than 20 characters. In fact I just double-checked and it easily handled creating, populating, and deleting a group with 100 characters. The pinch, though, is when you are trying to add that group to another group. NET.EXE screws that up and throws the usage screen. However, that doesn't mean it can't be done and that the API doesn't handle it. If you grab my LG tool from the website (http://www.joeware.net/win/free/tools/lg.htm) it will do it, and I can guarantee it uses the LEGACY NET API. I wrote the main code used in that tool initially back in about 1997 or 1998 or so.

I do recall in the early days of W2K some kind of an issue with group names, though, while importing them into AD from NT4 domains. If the group was too long it would instead get a random sAMAccountName, which I thought was quite fun. I ended up having to put in a check script after every migration to make sure that CNs and SAM names matched up.

Interestingly enough, MS has put an attribute into AD to hint at some point upcoming support for turning off the LANMAN support which artificially limits, say, a userid SAM name to 20 characters, called uASCompat. However, currently that attribute seems to be entirely read-only. I have not been able to find a way to change it the various times I have poked through the source code.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, June 07, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?

Look for the "Net localgroup limitation?" thread in January of this year, particularly joe's message of 1/23/2006 8:35 PM. Also his message of 2/20/2005 8:37 AM in thread "samAccountName attribute length". Finally his listing from the lmcons.h header file in "character limit for sAMAccountNames" from 3/8/2004 7:09 PM. Sorry I don't have the links handy; those are from a search of my personal archives.

HTH

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, June 06, 2006 6:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?

Jorge, if you happen to find that in the archives, please post the link.

A quick search of the net brings back some items that seem to indicate that greater than 20 could result in a problem with some directory sync tools. samaccountname is listed as being expected to be 20 chars. It doesn't differentiate between groups and users that use the samaccountname. That just "seems" like a recipe for issues, but if you say it can be 256 without issue, then... (I know, Joe, you're using 64 and so did Jorge, but it looks like it was done for convenience vs. going with more chars.) Interesting.

On 6/6/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

About a year and a half ago I tested this as I was doing a migration from NDS to AD. Worked like a charm! (I even did tests for legacy clients like W9x as those were my biggest concern; did not find anything.) The NDS groups were 64 chars and accepted all kinds of funny chars. I had to cut them down to 64 chars. Although the samaccountname accepts 256 chars, the full name (common name) accepts o
RE: [ActiveDir] Resizing issue
Diskpart.exe

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Boris Demirov
Sent: Monday, June 05, 2006 8:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Resizing issue

Hello everybody,

I got this problem: I am trying to resize a partition on a fileserver running Windows 2003 Enterprise. I got 1TB in RAID 5, and my system partition is 40GB and I have 500 GB for storage. So is there a way to resize this 500 GB partition and extend it with the rest of the unallocated free space without formatting or losing any information?

greetings
db

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?
How do I test that? I'd love to change all of these to match the samaccountname to the object cn - as it's showing half complete on the samaccountname for those ADC created objects and is not neat...

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, June 05, 2006 10:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

I wonder if they do work? Or if some of them don't because only the first 20 chars are being looked at/returned by the APIs that consume them? Interesting. That variable is a 20 char variable so I don't see why a loophole of 64 is allowed? Any thoughts?

On 6/4/06, Joe Kaplan [EMAIL PROTECTED] wrote:
My understanding is that the DS enforces a limit of 64 char for sAMAccountName for groups, but 20 for users. I know we have thousands of groups with sAMAccountName longer than 20. They still work and the DS doesn't balk. :) These are all created programmatically through tools though and are not created or modified with ADUC. There might be some behavior difference there.

Joe K.

----- Original Message -----
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Sunday, June 04, 2006 11:58 AM
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

That's on the target? Or that's in the source?

On 6/4/06, Freddy HARTONO [EMAIL PROTECTED] wrote:
Hi Al

I have one of these groups with a way more than 20 char samaccountname:
AKL.AST.Assistance Management.Assistant GM- Assistance Services

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
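One way to answer the "how do I test that" question above, as an added example that is not code from the thread: walk the group objects, flag the ones whose sAMAccountName is exactly the cn cut off at 20 characters (the ADC behaviour described in this thread), and propose the full cn as the new sAMAccountName, holding back any proposal that exceeds the group limit or collides with an existing name. The sample records are constructed stand-ins for what an LDAP search for groups would return; the 64-character limit is the figure Joe Kaplan gives here, not a verified schema value.

```python
"""Audit group sAMAccountNames that ADC left truncated at 20 characters.

Added example, not code from the thread.  The records below are constructed
stand-ins for what an LDAP search for (objectClass=group) would return.
GROUP_SAM_MAX is the 64-character figure Joe Kaplan quotes in the thread;
the schema itself allows 256, so adjust it if you verify otherwise.
"""
from dataclasses import dataclass

ADC_TRUNCATION = 20   # ADC copies only the first 20 characters of the name
GROUP_SAM_MAX = 64    # conservative limit for groups (Joe Kaplan, this thread)


@dataclass(frozen=True)
class Group:
    dn: str
    cn: str
    sam: str   # sAMAccountName


def is_adc_truncated(g: Group) -> bool:
    """True when sAMAccountName is exactly the cn cut off at 20 characters."""
    return len(g.cn) > ADC_TRUNCATION and g.sam == g.cn[:ADC_TRUNCATION]


def plan_renames(groups):
    """Propose the full cn as the new sAMAccountName for every truncated group.

    Returns (renames, conflicts): renames maps dn -> proposed name; conflicts
    maps dn -> reason when the cn is over GROUP_SAM_MAX or would collide with
    any sAMAccountName already in the domain (sAMAccountName must be unique,
    and SAM compares it case-insensitively).
    """
    in_use = {g.sam.lower() for g in groups}
    renames, conflicts = {}, {}
    for g in groups:
        if not is_adc_truncated(g):
            continue
        proposed = g.cn
        if len(proposed) > GROUP_SAM_MAX:
            conflicts[g.dn] = f"cn is {len(proposed)} chars, over {GROUP_SAM_MAX}"
        elif proposed.lower() in in_use:
            conflicts[g.dn] = f"sAMAccountName {proposed!r} is already taken"
        else:
            renames[g.dn] = proposed
            in_use.add(proposed.lower())
    return renames, conflicts


# Constructed sample: the thread's own 63-character group name, a group whose
# cn is too long for a 64-char sAMAccountName, a truncated group whose full
# name is already used by another group, and an untouched built-in group.
LONG_CN = "AKL.AST.Assistance Management.Assistant GM- Assistance Services"
OVER_CN = "SIN.HR.Human Resources.Regional Benefits Administration.Asia Pacific Team"
DUP_CN = "Finance Team Singapore Office"
SAMPLE_GROUPS = [
    Group(f"CN={LONG_CN},OU=ADC,DC=example,DC=com", LONG_CN, LONG_CN[:20]),
    Group(f"CN={OVER_CN},OU=ADC,DC=example,DC=com", OVER_CN, OVER_CN[:20]),
    Group(f"CN={DUP_CN},OU=ADC,DC=example,DC=com", DUP_CN, DUP_CN[:20]),
    Group("CN=Finance SG,OU=Groups,DC=example,DC=com", "Finance SG", DUP_CN),
    Group("CN=Domain Admins,CN=Users,DC=example,DC=com", "Domain Admins",
          "Domain Admins"),
]


def audit():
    """Run the plan over the sample and return (renames, conflicts)."""
    return plan_renames(SAMPLE_GROUPS)


if __name__ == "__main__":
    renames, conflicts = audit()
    for dn, new in renames.items():
        print(f"RENAME  {dn}\n    -> sAMAccountName = {new!r}")
    for dn, why in conflicts.items():
        print(f"REVIEW  {dn}\n    {why}")
```

Before applying any rename, remember Al's caveat in the same thread: tools that only read the first 20 characters may behave differently once the names are longer.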
[ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?
Hi all

Just wondering, ADC was just installed in the environment and now I am seeing quite a bit of naming hoohas - such that ADC creates groups with the samaccountname chopped off to only 20 characters, but apparently the samaccountname for groups can hold way more than 20. Is the 20 char limit for user objects not applicable to group objects? If so what is the limit for groups?

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
[ActiveDir] OT: Changing OEM to VLK productID - really really impossible?
Hi guys,

Just realised some of the DCs in my environment are built with the OEM version and now I am having problems upgrading them to R2 using VLK keys... is there any way at all to change it to VLK, an unsupported way maybe? Any help at all would be nice, otherwise I'd have to wipe out and rebuild 12 DCs because of this :(

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?
Hi Al

I have one of these groups with a way more than 20 char samaccountname:
AKL.AST.Assistance Management.Assistant GM- Assistance Services

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, June 04, 2006 10:23 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Sam-account-name is a mandatory attribute of the Group class. Sam-account-name is limited to 20 characters. What makes you say that samaccountname for a group can hold more than 20 chars?

On 6/4/06, Freddy HARTONO [EMAIL PROTECTED] wrote:
Hi all

Just wondering, ADC was just installed in the environment and now I am seeing quite a bit of naming hoohas - such that ADC creates groups with the samaccountname chopped off to only 20 characters, but apparently the samaccountname for groups can hold way more than 20. Is the 20 char limit for user objects not applicable to group objects? If so what is the limit for groups?

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?
Hi Al,

The below is the AD attribute for one of the groups I'm having, is it normal? Apparently ADC only populates the first 20 chars of the group name, while actually it is allowing for longer than 20 characters even.

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, June 05, 2006 12:59 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

That's on the target? Or that's in the source?

On 6/4/06, Freddy HARTONO [EMAIL PROTECTED] wrote:
Hi Al

I have one of these groups with a way more than 20 char samaccountname:
AKL.AST.Assistance Management.Assistant GM- Assistance Services

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, June 04, 2006 10:23 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Sam-account-name is a mandatory attribute of the Group class. Sam-account-name is limited to 20 characters. What makes you say that samaccountname for a group can hold more than 20 chars?

On 6/4/06, Freddy HARTONO [EMAIL PROTECTED] wrote:
Hi all

Just wondering, ADC was just installed in the environment and now I am seeing quite a bit of naming hoohas - such that ADC creates groups with the samaccountname chopped off to only 20 characters, but apparently the samaccountname for groups can hold way more than 20. Is the 20 char limit for user objects not applicable to group objects? If so what is the limit for groups?

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?
Hi Joe

Thanks for the reply, just tested this myself and ADUC even allows creating more than 20 chars of samaccountname for groups... Does anyone know how to make ADC put in more than 20 chars? As obviously for groups 20 is not the limit.

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Monday, June 05, 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

My understanding is that the DS enforces a limit of 64 char for sAMAccountName for groups, but 20 for users. I know we have thousands of groups with sAMAccountName longer than 20. They still work and the DS doesn't balk. :) These are all created programmatically through tools though and are not created or modified with ADUC. There might be some behavior difference there.

Joe K.

----- Original Message -----
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Sunday, June 04, 2006 11:58 AM
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

That's on the target? Or that's in the source?

On 6/4/06, Freddy HARTONO [EMAIL PROTECTED] wrote:
Hi Al

I have one of these groups with a way more than 20 char samaccountname:
AKL.AST.Assistance Management.Assistant GM- Assistance Services

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
RE: [ActiveDir] Slow Boot Up
How long is the processing? 5 mins? - try gptime

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, May 25, 2006 10:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Slow Boot Up

Morning everyone,

Recently all my wkstns are taking up to 5 minutes to log in after a restart. Stuck at Applying Computer Settings and Applying Security Settings. The only change to GPO is that the offline files options are all disabled. While from the desktop it takes up to 30 seconds to load and open up the AD snap-in to add a user to a group. Doesn't matter if the firewall is turned on or off. No weird logs on the DC. DCDIAG and NetDiag showed no errors. My FSMO roles are spread between two DCs in two separate subnets. Schema Master, Domain Naming Master, and GC are on the same DC. RID, Infras, and PDC are on the other DC. I thought about promoting another server to a DC. Any thought or idea where to check and look?

-Z.V.
RE: [ActiveDir] AD DNS along with Bind
Hi Mike,

Thanks but personally I don't see why it's not delegated to all DNS DCs, it kind of limits the load spreading and redundancy for the name resolution portion. Unless you are only running one DNS on the DC, in which case again same as above. I'm guessing if your DC is down (the one running the DNS) clients are somehow using the cache TTL of it - otherwise I'm pretty sure there'll be lots of complaints :)

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, May 25, 2006 3:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind

Hi Freddy,

(From my DNS Admin)

When any client (or server) machine wants to locate an SRV record, it asks the BIND slave servers, as the Windows 2003 DNS Server is not in any TCP/IP configuration as a DNS server to be queried. In fact, we recently moved the DNS Service from one DC to another when we upgraded the original DC to new hardware. The only machines we had to change were the BIND slave servers, which had the IP address of the old master in the BIND configuration file. The BIND servers are slaves for all of the AD zones, so those BIND servers give answers to the queries.

We have three DCs for the forest, and if the one on which the DNS Service is running is down, then the only problems are 1) the rare DDNS update from a DC, updating an SRV or CNAME record 2) the more frequent DDNS updates for one forward subdomain zone and its five reverse zones, all under the control of a Windows DHCP server. I do not know if the DHCP code retries its DDNS. The DC on which DNS runs is not down that often, and we have not received complaints when it was down.

Interesting article mentioned below, does it apply to 2003 as well?

I assume you are referencing 282826 (previously known as Q282826). It does apply to 2003. When I first read it, I could not understand it. I made a flowchart from the text, and after a MS employee explained it, I understood it.

Assume that there is an AD-integrated zone, xxx.example.com, and there are two DCs running the DNS Service. Assume that all of the behind-the-scenes AD synchronization has taken place, and both DCs have exactly the same zone information; the zone serial number is, say, 100. Some machine, pc1.xxx.example.com, sends a DDNS update to DC1. After the update is complete, the zone serial number on DC1 is now 101. At the same time, another machine, pc2.xxx.example.com, sends a DDNS update to DC2. After that update is complete, the zone serial number on DC2 is 101. We now have two copies of the zone, each with serial number 101, and each has an update that the other does not have. Which DC has the correct zone information? Neither.

I have no idea how long it takes the behind-the-scenes AD synchronization to occur. When it has occurred, the resulting zone has both updates. But what is the serial number? It can't be 101, as serial number 101 was associated with a copy of the zone that did not have both of the updates. Can it be 102? No, as there could have been another DDNS update to DC1 before the synchronization occurred. In this case, DC1 would have serial number 102, and DC2 serial number 101. I contend that there is no value that can be used as the serial number for the combined-update zone. What 282826 is saying is that the zone serial number is meaningless unless that DNS Server is a master server feeding a BIND (or other vendor) slave server.

--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory
9700 South Cass Avenue
Building 222, Room D209
Argonne, IL 60439-4828
Phone: +1 (630) 252-7277
Facsimile: +1 (630) 252-4601
Internet: [EMAIL PROTECTED]
IBMMAIL: I1004994

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Tuesday, May 23, 2006 8:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind

Hi Mike,

If you are delegating those 6 zones to only 1 DNS server, if that DNS server is going through a quick reboot or downtime - then none of your clients can find the NS delegation and hence causing a no domain controller found scenario, isn't it?

Interesting article mentioned below, does it apply to 2003 as well?

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, May 24, 2006 4:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS
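The serial-number argument quoted above (and the reason the delegation steps elsewhere in this thread use only one Windows DNS server as the hidden master) played out in code, as an added example that is not from the thread. Two DCs each accept a DDNS update before AD replication has run; a BIND secondary decides whether to transfer by comparing SOA serials the RFC 1982 way, and ends up missing an update. The merge rule (keep the higher serial) is an assumption standing in for whatever the real servers do; the zone contents are constructed.

```python
"""Model of the AD-integrated zone serial problem from KB 282826.

Added example, not from the thread.  It plays out the scenario in the
message above: two DCs each accept a dynamic update before AD replication
has run, and a BIND secondary that decides whether to transfer by comparing
SOA serials (RFC 1982 arithmetic) can miss one of the updates.  The merge
rule used here (keep the higher serial) is an assumption that stands in for
whatever the real servers do; the point is that no rule can be right.
"""
from dataclasses import dataclass, field

SERIAL_BITS = 32


@dataclass
class ZoneCopy:
    """One DC's copy of the AD-integrated zone."""
    name: str
    serial: int
    records: dict = field(default_factory=dict)   # owner name -> address

    def ddns_update(self, host: str, ip: str) -> None:
        """A DDNS update applied locally bumps this copy's serial by one."""
        self.records[host] = ip
        self.serial = (self.serial + 1) % 2**SERIAL_BITS


def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 serial comparison: True if a is newer than b (wraps mod 2^32)."""
    return a != b and (a - b) % 2**SERIAL_BITS < 2**(SERIAL_BITS - 1)


def ad_replicate(dc1: ZoneCopy, dc2: ZoneCopy) -> None:
    """AD replication merges the record sets; both DCs end up with the union.

    The serial is where the trouble lies: 101 already named a copy without
    both updates, and any larger fixed value could equally have been used
    by DC1 for yet another update before replication ran.  Assumed rule
    here: keep the higher of the two.
    """
    merged = {**dc1.records, **dc2.records}
    dc1.records, dc2.records = dict(merged), dict(merged)
    dc1.serial = dc2.serial = max(dc1.serial, dc2.serial)


@dataclass
class BindSecondary:
    """A slave that refreshes only when the master's SOA serial is newer."""
    serial: int
    records: dict

    def refresh(self, master: ZoneCopy) -> bool:
        if serial_newer(master.serial, self.serial):
            self.records = dict(master.records)
            self.serial = master.serial
            return True
        return False


BASE = {"dc1.xxx.example.com": "10.0.0.1"}   # constructed starting zone content


def _report(master: ZoneCopy, slave: BindSecondary, transferred: bool) -> dict:
    return {"master_serial": master.serial, "slave_serial": slave.serial,
            "transferred": transferred,
            "missing_on_slave": sorted(set(master.records) - set(slave.records))}


def run_multi_master() -> dict:
    """Two DCs take DDNS updates concurrently; the slave ends up stale."""
    dc1, dc2 = ZoneCopy("DC1", 100, dict(BASE)), ZoneCopy("DC2", 100, dict(BASE))
    slave = BindSecondary(100, dict(BASE))              # in step with DC1 at 100
    dc1.ddns_update("pc1.xxx.example.com", "10.0.1.1")  # DC1: serial 101
    dc2.ddns_update("pc2.xxx.example.com", "10.0.1.2")  # DC2: serial 101
    slave.refresh(dc1)                                   # slave at 101, has pc1 only
    ad_replicate(dc1, dc2)                               # both have pc1+pc2, serial 101
    transferred = slave.refresh(dc1)                     # 101 is not newer than 101
    return _report(dc1, slave, transferred)


def run_single_master() -> dict:
    """Only one Windows DNS server takes updates (the hidden-master setup)."""
    dc1 = ZoneCopy("DC1", 100, dict(BASE))
    slave = BindSecondary(100, dict(BASE))
    dc1.ddns_update("pc1.xxx.example.com", "10.0.1.1")  # serial 101
    dc1.ddns_update("pc2.xxx.example.com", "10.0.1.2")  # serial 102
    transferred = slave.refresh(dc1)                     # 102 > 100, full copy
    return _report(dc1, slave, transferred)


if __name__ == "__main__":
    print("multi-master :", run_multi_master())
    print("single master:", run_single_master())
```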
RE: [ActiveDir] AD DNS along with Bind
Mike,

Just read it properly now, the BIND DNS are secondary DNS of your _msdcs.domain.com? That's interesting..

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Thursday, May 25, 2006 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind
Importance: Low

Hi Mike,

Thanks but personally I don't see why it's not delegated to all DNS DCs, it kind of limits the load spreading and redundancy for the name resolution portion. Unless you are only running one DNS on the DC, in which case again same as above. I'm guessing if your DC is down (the one running the DNS) clients are somehow using the cache TTL of it - otherwise I'm pretty sure there'll be lots of complaints :)

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, May 25, 2006 3:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind

Hi Freddy,

(From my DNS Admin)

When any client (or server) machine wants to locate an SRV record, it asks the BIND slave servers, as the Windows 2003 DNS Server is not in any TCP/IP configuration as a DNS server to be queried. In fact, we recently moved the DNS Service from one DC to another when we upgraded the original DC to new hardware. The only machines we had to change were the BIND slave servers, which had the IP address of the old master in the BIND configuration file. The BIND servers are slaves for all of the AD zones, so those BIND servers give answers to the queries.

We have three DCs for the forest, and if the one on which the DNS Service is running is down, then the only problems are 1) the rare DDNS update from a DC, updating an SRV or CNAME record 2) the more frequent DDNS updates for one forward subdomain zone and its five reverse zones, all under the control of a Windows DHCP server. I do not know if the DHCP code retries its DDNS. The DC on which DNS runs is not down that often, and we have not received complaints when it was down.

Interesting article mentioned below, does it apply to 2003 as well?

I assume you are referencing 282826 (previously known as Q282826). It does apply to 2003. When I first read it, I could not understand it. I made a flowchart from the text, and after a MS employee explained it, I understood it.

Assume that there is an AD-integrated zone, xxx.example.com, and there are two DCs running the DNS Service. Assume that all of the behind-the-scenes AD synchronization has taken place, and both DCs have exactly the same zone information; the zone serial number is, say, 100. Some machine, pc1.xxx.example.com, sends a DDNS update to DC1. After the update is complete, the zone serial number on DC1 is now 101. At the same time, another machine, pc2.xxx.example.com, sends a DDNS update to DC2. After that update is complete, the zone serial number on DC2 is 101. We now have two copies of the zone, each with serial number 101, and each has an update that the other does not have. Which DC has the correct zone information? Neither.

I have no idea how long it takes the behind-the-scenes AD synchronization to occur. When it has occurred, the resulting zone has both updates. But what is the serial number? It can't be 101, as serial number 101 was associated with a copy of the zone that did not have both of the updates. Can it be 102? No, as there could have been another DDNS update to DC1 before the synchronization occurred. In this case, DC1 would have serial number 102, and DC2 serial number 101. I contend that there is no value that can be used as the serial number for the combined-update zone. What 282826 is saying is that the zone serial number is meaningless unless that DNS Server is a master server feeding a BIND (or other vendor) slave server.

--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory
9700 South Cass Avenue
Building 222, Room D209
Argonne, IL 60439-4828
Phone: +1 (630) 252-7277
Facsimile: +1 (630) 252-4601
Internet: [EMAIL PROTECTED]
IBMMAIL: I1004994

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Tuesday, May 23, 2006 8:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind

Hi Mike,

If you are delegating those 6 zones to only 1 DNS server, if that DNS server is going through a quick reboot or downtime - then none of your clients can find the NS delegation
RE: [ActiveDir] Naming conventions (quasi-OT)
I'm assuming with this every person has their own workstation? Or how would it be named for a shared workstation..

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, May 25, 2006 2:10 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Naming conventions (quasi-OT)

All workstations are named according to building, room, and staff's initials. Chemistry Building Room 5 and user John Doe - CB-005JD

-Z.V.

Brian Desmond wrote:
{I,A}Unit#{W, L, M}#

I/A is specific to us, it differentiates subnet and function
Unit # is the location (four digit number)
W = Workstation
L = Laptop
M = Macintosh
# = 9 digit asset tag

If I need to figure out a user's PC name I just ask for the asset tag number and I can figure the rest out. This works for 95K machines in 750 facilities.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Cline
Sent: Wednesday, May 24, 2006 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Naming conventions (quasi-OT)

I'm curious to see how some of you (especially at the larger corporations) name your domain-joined computers. At my company we've got about 110 computers in roughly , and for the longest time they've been named after the logon name of the user who primarily operates the PC. (Not a fan of that method myself.) However, when naming or renaming a PC there are cases (such as preparing a replacement PC for a user) where there's already one with the desired name. Our network admin has a horrible habit of putting random numbers at the end when he runs into this problem, rather than using ADUC to remove a ghost computer object (or renaming the existing one when a new one is being prepared for said user).

Of course this constantly frustrates me as I can never correctly guess a user's PC name when trying to remote control it during a support call. I've had several ideas in the past, the most favorable being naming them by location then department, then numbering them (for example, CHS-DISP-01 would represent the first dispatcher PC at our Charleston terminal), and automagically renaming the "My Computer" icon on the user's desktop at startup time to reflect the computer name. This way we'd never have to worry about renaming a computer when an employee is terminated, and when I've got a user on the phone I can simply ask them to read the computer name to me.

But I was curious to see how you guys go about naming your PCs and how you deal with problems similar to this.

--
Brian A. Cline
Internet Applications Developer
GP Trucking Company, Inc.
Direct: 803.936.8595
Toll Free: 800.922.1147 x8595
RE: [ActiveDir] AD DNS along with Bind
Hi Mike,

If you are delegating those 6 zones to only 1 DNS server, if that DNS server is going through a quick reboot or downtime - then none of your clients can find the NS delegation and hence causing a no domain controller found scenario, isn't it?

Interesting article mentioned below, does it apply to 2003 as well?

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, May 24, 2006 4:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind

Adeel,

Here is a response from our DNS guy. I hope it helps you.

Mike Thommes

=

Here are the steps I took for delegating the AD zones for example.com:

1) In the example.com zone on the BIND server I added these NS records to delegate the zones to the Windows 2003 DNS Server:

_msdcs IN NS windnsserver.example.com.
_sites IN NS windnsserver.example.com.
_tcp IN NS windnsserver.example.com.
_udp IN NS windnsserver.example.com.
ForestDNSZones IN NS windnsserver.example.com.
DomainDNSZones IN NS windnsserver.example.com.

2) Define these six zones on the Windows 2003 DNS Server. I use ONLY ONE Windows DNS Server due to serial number problems that can/will occur with the MS multi-master setup. See Q282826. Ensure that the zones are AD-integrated with secure DDNS only. Change the zone properties: In the SOA ensure that the Responsible person field has the correct e-mail address (with the @ replaced with .). In the Name Servers tab add the BIND slaves (that are the registered nameservers for the example.com domain). Allow zone transfers to the servers in the Name Servers tab. Notify servers in the Name Servers tab. These changes will have to be done for each zone, as MS has not implemented global zone properties.

3) Define these six zones on the BIND slave DNS servers that are registered for the example.com zone. The master server is obviously the Windows 2003 DNS Server.

4) In my case, the parent example.com zone is still on a BIND server, so I have manually entered the domain A records on that master server.

Note that there are three types of DDNS from a Windows machine:
a) A machine (desktop, server, or DC) self-registering
b) A DC (netlogon) registering its SRV and CNAME records
c) A DC (netlogon) registering the domain A record.

There are different registry keys controlling each of these, and since they have been implemented at different times and since some of them have been reused (from former, still current usage), the interaction among these registry keys is complicated. I count 162 different cases, and I have not had time to test all of them. If you do not care about DDNS requests being sent to the BIND master for the example.com zone, where (I would hope) the DDNS would be refused, then you do not have to worry about some of these registry keys.

With this setup, the MS Windows DNS Server is a hidden master. It is known only via the MNAME (master server name) field in the SOA (Start of Authority) record in each zone. If your clients (be they Unix, Windows, or Mac desktops) have the BIND servers in their TCP/IP configurations, then these clients will continue to use the BIND servers for DNS resolution. This will work for the AD zones, as all of the AD zones are slaved on the BIND servers. Any machine that needs to update the zone (DCs updating CNAME and SRV records), or Windows clients (self-registration via DHCP) will use secure DDNS, and these machines will locate the master via a standard SOA query. There is NO NEED for ANY machine to have the Windows DNS Server in its TCP/IP configuration as a DNS server. The nice thing about this is that you do not have to go and change any client TCP/IP configuration.

On my one MS W2003 DNS Server I have the six AD zones for anl.gov and fifteen sets of AD zones for subdomains of anl.gov.

There is documentation in the DNS Bible - DNS and BIND 4th edition (with a fifth edition due out any minute, I am told). There is also documentation in DNS on Windows Server 2003. Both are O'Reilly books.

--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory
9700 South Cass Avenue
Building 222, Room D209
Argonne, IL 60439-4828
Phone: +1 (630) 252-7277
Facsimile: +1 (630) 252-4601
Internet: [EMAIL PROTECTED]
IBMMAIL: I1004994

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED
RE: [ActiveDir] OT: Self grown AD webtool sample output - any takers in joint dev ?
Hi Carlos

Cool, are you guys building ADST similar clones? :)

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, May 17, 2006 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Self grown AD webtool sample output - any takers in joint dev ?

Hello Freddy,

Interesting post. I am (with a few others) building the same type of tool: http://blogs.dirteam.com/blogs/carlos/archive/2006/04/26/891.aspx - this tool is built in .net though. One of the outputs we were going to do was HTML (I like what you have done), maybe you want to integrate: we can get the data via .net 2.0 and expose it via HTML. What you think, let me know.

Carlos

Freddy HARTONO wrote:
Hi guys

*Sample web output*
Output as attached in MHT - mostly are mouseovers as well as can be clicked for more info to open a new page. (not attached here) Domain Controller Status.zip

*Background*
Started up as a for fun thing - a year and a half back on my prev job, which then became a personal hobby and sort of a good to have tool for viewing all DC tools results in one page (can be published on intranet). Haven't had time to develop this anymore since a few months back (too darn busy now), anybody interested in joint dev or at least help out in improving the code?

*Yes it is in batch files*
Around 1000 lines of BATCH scripts so far (sorry dudes, I'm too dumb to understand other scripting languages), using tools such as support tools, resource kit, psexec/rcmd, logparser, joeware etc etc. I'm hoping to keep most of it still in batch otherwise I wouldn't understand any of it. Please note some of these are very site specific, such as I'm using SAV all along, so it wouldn't work in a Trend/McAfee environment for example. And some require changing the variables manually - such as DN etc etc (too difficult for me to make it very generic), also comments are minimal. Agentless, query over the network (requires rcmdsvc.exe from the resource kit to be installed though), runs on a scheduled basis (depending on network speed), on a server (must be 2003).

*Bugs?*
Yeah of course! LOTS of minor bugs (fair warning) and those of you that are experts in code will definitely laugh at my lines :)

Contact me offline if you are interested in a joint effort or reviewing - [EMAIL PROTECTED]

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Self grown AD webtool sample output - any takers in joint dev ?
Thanks Dean, I've sent it to you guys via my other mail account. Let me know offline if you have problems with it, cheers.

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Wednesday, May 17, 2006 6:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] OT: Self grown AD webtool sample output - any takers in joint dev ?

I'd be happy to take a look Freddy, I'm permanently on-site now so my joint dev. efforts would be sporadic at best but I would hope I'll have something of value to contribute.

Nice work!

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddy HARTONO
Sent: Wednesday, May 17, 2006 4:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Self grown AD webtool sample output - any takers in joint dev ?

Hi guys

Sample web output
Output as attached in MHT - mostly are mouseovers as well as can be clicked for more info to open a new page. (not attached here)
Domain Controller Status.zip

Background
Started up as a for fun thing - a year and a half back on my prev job, which then became a personal hobby and sort of a good to have tool for viewing all DC tools results in one page (can be published on intranet). Haven't had time to develop this anymore since a few months back (too darn busy now), anybody interested in joint dev or at least help out in improving the code?

Yes it is in batch files
Around 1000 lines of BATCH scripts so far (sorry dudes, I'm too dumb to understand other scripting languages), using tools such as support tools, resource kit, psexec/rcmd, logparser, joeware etc etc. I'm hoping to keep most of it still in batch otherwise I wouldn't understand any of it. Please note some of these are very site specific, such as I'm using SAV all along, so wouldn't work in a Trend/McAfee environment for example. And some require changing the variables manually - such as DN etc etc (too difficult for me to make it very generic); also comments are minimal. Agentless, query over the network (requires rcmdsvc.exe from the resource kit to be installed though), runs on a scheduled basis (depending on network speed), on a server (must be 2003).

Bugs?
Yeah of course! LOTS of minor bugs (fair warning) and those of you that are experts in code will definitely laugh at my lines :)

Contact me offline if you are interested in joint effort or reviewing - [EMAIL PROTECTED]

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
RE: [ActiveDir] OT: Overriding local computer logon scripts - any way to do it?
Hi guys

Just wondering, is there a techie solution to this, for example putting on a logon script for the domain admins or any other priv accounts that pauses any logon scripts or overrides local scripts. Logon scripts are still performed in the LSDO (local site domain ou) model, isn't it? So local logon scripts will be performed first nevertheless?...

Or another simpler workaround would be to query remote servers for logon scripts before TS'ing to them...

Of course, like mentioned below, if you don't trust the machines don't login with DA accounts - it's always the safest.

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, May 18, 2006 8:22 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Overriding local computer logon scripts - anyway to do it?

Wasn't one of the infamous Dr. J stories about how they had attempted to gain access to one of the msn servers by having a boobie trap script like that? If a person had logged in with certain creds it was indeed set to fire off a script? Pen test proof of concept story?

joe wrote:

Absolutely concur. In fact, one of my recommendations to Microsoft for the RODCs that get admin delegation is to disallow domain admin interactive logons to them once the administrator delegation is enabled. Anyone who allows non-DAs onto a DC and then still logs on with their DA ID is asking to be burned at some point. Even if MSFT does that, there is still a possible chance the simple attempt at logging on will give the bad guy all the info they need to become Enterprise gods which is the whole point of protecting against with RODCs.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Crawford, Scott
Sent: Tuesday, May 16, 2006 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Overriding local computer logon scripts - anyway to do it?

> what is stopping some server admins to put in some logon scripts that adds a certain account as enterprise admin (boobietrap).

The same thing that prevents them from installing a keylogger or modifying any code on the system to do their nefarious deeds when a high level account runs them - absolutely nothing. Login scripts are just one of many possible attack vectors. The point is, if you don't trust the code on a box or the admins that can put code on a box, then you should NEVER use your high-level accounts for accessing that box.

From: [EMAIL PROTECTED] on behalf of Freddy HARTONO
Sent: Tue 5/16/2006 3:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Overriding local computer logon scripts - anyway to do it?

Hi all,

I had just logged in to one of the print servers in my remote site, out of my usual scope - but the point is that the server has some logon scripts (local) associated with it. Just concerned about the security aspect of it - what is stopping some server admins from putting in some logon scripts that add a certain account as enterprise admin (boobietrap). I know the usual rule was to not login to untrusted boxes... but is there a way to overcome such?

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
[ActiveDir] OT: Overriding local computer logon scripts - anyway to do it?
Hi all,

I had just logged in to one of the print servers in my remote site, out of my usual scope - but the point is that the server has some logon scripts (local) associated with it. Just concerned about the security aspect of it - what is stopping some server admins from putting in some logon scripts that add a certain account as enterprise admin (boobietrap). I know the usual rule was to not login to untrusted boxes... but is there a way to overcome such?

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
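One concrete form of the workaround Freddy floats in this thread (look at what a server's local logon scripts would run before connecting to it with a privileged account) is to read the local Group Policy script list and review it. The script below is an added example, not code from this thread or from any of the posters. It assumes the scripts.ini layout that local GPO keeps under %SystemRoot%\System32\GroupPolicy\User\Scripts\ (sections [Logon] and [Logoff], keys 0CmdLine/0Parameters, 1CmdLine/1Parameters and so on; the Machine\Scripts copy uses [Startup]/[Shutdown] in the same layout). The file content, server and path names are constructed for the example, and the "needs review" flag is only a heuristic (command not stored inside the GPO folder), not a check of who can write to that location; the AD user object's scriptPath and the Run keys are separate channels it does not cover.

```python
"""Review the local Group Policy logon/logoff script list of a server.

Added example for the logon-script thread above; it is not code from the
list. Assumes the scripts.ini layout used by local GPO
(%SystemRoot%\\System32\\GroupPolicy\\User\\Scripts\\scripts.ini): sections
[Logon] / [Logoff], keys NCmdLine / NParameters with N = 0, 1, 2, ...
The sample content and paths are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, modelled on the scripts.ini layout (not a real server).
SAMPLE_SCRIPTS_INI = r"""
[Logon]
0CmdLine=logon.vbs
0Parameters=
1CmdLine=\\fileserver\netlogon$\mapdrives.cmd
1Parameters=/quiet
2CmdLine=C:\Temp\update.bat
2Parameters=
[Logoff]
0CmdLine=cleanup.cmd
0Parameters=
"""


@dataclass
class ScriptEntry:
    phase: str        # Logon / Logoff (Startup / Shutdown in the Machine file)
    order: int        # the N prefix; Windows runs the scripts in this order
    cmdline: str
    parameters: str


_KEY = re.compile(r"^(\d+)(CmdLine|Parameters)$", re.IGNORECASE)


def parse_scripts_ini(text: str) -> List[ScriptEntry]:
    """Return the script entries, per section, in execution order."""
    slots = {}          # (section, N) -> {"cmdline": ..., "parameters": ...}
    sections = []       # section names in file order
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")   # the file is often UTF-16 with a BOM
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section not in sections:
                sections.append(section)
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = _KEY.match(key.strip())
        if not m:
            continue
        slots.setdefault((section, int(m.group(1))), {})[m.group(2).lower()] = value.strip()
    entries = []
    for sec in sections:
        for (s, n) in sorted(k for k in slots if k[0] == sec):
            d = slots[(s, n)]
            if d.get("cmdline"):
                entries.append(ScriptEntry(sec, n, d["cmdline"], d.get("parameters", "")))
    return entries


def runs_outside_gpo_folder(entry: ScriptEntry) -> bool:
    """True when the command is not a bare file name.

    A bare name resolves to ...\\Scripts\\<phase>\\ inside the local GPO folder;
    a UNC path, drive path or relative path points at code kept somewhere else,
    which deserves a look before a high-privilege logon runs it. This is a
    review heuristic, not a check of who can write to the location.
    """
    return any(ch in entry.cmdline for ch in "\\/:")


def review(text: str) -> List[Tuple[str, str, bool]]:
    """(phase, command line, needs review) for each script in the file."""
    return [(e.phase, e.cmdline, runs_outside_gpo_folder(e)) for e in parse_scripts_ini(text)]


if __name__ == "__main__":
    for phase, cmd, flag in review(SAMPLE_SCRIPTS_INI):
        print(f"{phase:<7} {'REVIEW' if flag else 'ok    '} {cmd}")
```

Run it against the file copied from the target server's admin share (the Machine\Scripts\scripts.ini as well, since startup scripts run as SYSTEM); anything flagged is worth reading before an account with domain-wide rights logs on.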
RE: [ActiveDir] DHCP migration(OT)
It will migrate the leases as well, but not sure if it will merge or overwrite though.

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Tuesday, May 16, 2006 9:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DHCP migration(OT)

Will netsh overwrite the scopes already existing on the target? Also, does netsh migrate leases or just the scope and scope options?

Thanks

On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

look into netsh. might be of use.

On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote:

I want to migrate DHCP (scopes, scope options, leases) from one win2k box to another. My issue is, the target server is running DHCP with scopes, etc. already configured. Is there any way to migrate the source DHCP server to the target without overwriting the target's settings? I just want to merge the 2 - move the source info over while keeping the target DHCP info intact as well. Is this possible?

Thanks
RE: [ActiveDir] Is there a way to force users to logon to domain?
Even if that is possible by any means - what are you going to do if the computer falls out of the domain?

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of AdamT
Sent: Tuesday, May 16, 2006 11:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

On 16/05/06, Olivarez, Sergio J Mr CTNOSC/GD-NS [EMAIL PROTECTED] wrote:

Yeah, disregard what I said about just leaving Admins on the allow logon locally setting, that's my bad. I guess the best thing to do would be to delete all existing local user accounts.

Can you actually delete localhost\administrator on NT4/2K/XP workstations?

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not prove anything. - Nietzsche
RE: Re : [ActiveDir] Lag site- disabling auth on Lag DC.
That will trigger most tools/scripts for replication errors, wouldn't it?

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: Wednesday, May 17, 2006 4:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re : [ActiveDir] Lag site- disabling auth on Lag DC.

hi Iain,

Unfortunately, I have no way to avoid this but enabling my NIC card *ONLY* during the scheduled replication windows. The other time, my NIC card will be disabled. I don't know right now how to do this. I was thinking about scheduling (AT) a script (via netsh ??) that will enable my NIC when my replication window starts and then will disable my NIC when the replication stops.

Yann

[EMAIL PROTECTED] wrote:

Yann,

How are you planning on protecting your lag site DCs from a forced replication?

Regards,
Iain | IT Services | Infrastructure

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: 15 May 2006 21:49
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] Lag site- disabling auth on Lag DC.

Understood! We will follow your advice.

Cheers,
Yann

----- Original message -----
From: "Almeida Pinto, Jorge de" [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, 15 May 2006, 10:21:54
Subject: RE: [ActiveDir] Lag site- disabling auth on Lag DC.

SRV records
* make sure the DC only registers the CNAME SRV record which is used for replication
* don't assign the lag site DCs WINS servers, otherwise these will register the 1Ch record in WINS
* make sure the site link cost between the main site and the lag are higher than any other site links that also link to the main site

For the lag to work properly make sure you have at least one DC from each domain, because of eventual cross domain links (e.g. group memberships)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Yann
Sent: Mon 2006-05-15 21:36
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lag site- disabling auth on Lag DC.

hello all,

We are about to build a lag site for our AD recovery strategy. We schedule replication Prod Sites - Lag Sites one time a week. We have one forest with a Root and Child domain. The lag site will contain only one DC. We would like to disable client auth on this DC. So I found 2 ways to do this:
1) Configuring the "DC Locator DNS Records" via a gpo.
or
2) Stop and disable the netlogon service.
What will be the best choice? 1) or 2)?
Shall I also disable the server service to avoid replication of sysvol too?
Thanks for input.
RE: [ActiveDir] Is it important to keep correct timezone settings on DC?
Hi Susan

Do you happen to know if it's a known problem? I'm getting reports of a similar problem; basically I set up one of the remote DCs with about 20 ppl on site, and they have reported the time sync issues in which in the end ticking that (daylight savings) box somehow fixes the issue. Unfortunately I didn't go to see the workstation end to see the before and after... but it is interesting if that is the case.

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, May 11, 2006 10:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is it important to keep correct timezone settings on DC?

This is an issue that has nailed me to the point where I'm gp'ing that setting ... you can get yourself in a situation where the workstations get an hour off because they don't recognize that tickbox.

Freddy HARTONO wrote:

Hi all,

Does the client take timezone and daylight savings changes from the DC? I was under the impression that timezones and daylight savings changes are local to the PC and the DC NTP server runs on a Zulu timezone? Just curious as I had an issue with a remote site today due to the daylight savings tickbox.

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
RE: [ActiveDir] Is it important to keep correct timezone settings on DC?
Hi Ulf

Exactly my point - it doesn't make sense, but it does happen apparently; still trying to get some answers on what OSes those are and what broke during that time.

As for the below, which specific GPO settings can adjust automatic timezone - am curious in finding this out? What happens in the case of undefined subnets, which timezone would it automatically adjust to?

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, May 15, 2006 1:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it important to keep correct timezone settings on DC?

Hi Freddy,

it doesn't make any sense to retrieve the timezone settings from the DC, since the clients may be in other timezones than the DC they are authenticating against. And speaking about traveling users, they may want to adjust the timezone to their current location, which would keep international invitations and appointments happy.

The time and timezone need to be set correctly, so that all machines in the domain are at about the same time with respect to the timezone.

Speaking about GPOs - for international or cross-timezone organisations you may want to set those based on the site (considering the best practices when it comes to GPOs linked to sites), however to enable traveling users to adjust their timezone I'd recommend setting the time correctly automatically and disabling the users from changing the time, but allowing them to adjust the timezone.

Gruesse - Sincerely,

Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddy HARTONO
Sent: Thursday, May 11, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it important to keep correct timezone settings on DC?

Hi all,

Does the client take timezone and daylight savings changes from the DC? I was under the impression that timezones and daylight savings changes are local to the PC and the DC NTP server runs on a Zulu timezone? Just curious as I had an issue with a remote site today due to the daylight savings tickbox.

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
[ActiveDir] Is it important to keep correct timezone settings on DC?
Hi all,

Does the client take timezone and daylight savings changes from the DC? I was under the impression that timezones and daylight savings changes are local to the PC and the DC NTP server runs on a Zulu timezone? Just curious as I had an issue with a remote site today due to the daylight savings tickbox.

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?
Thanks guys, pretty much a GUI to most of the tools, but nevertheless gave me some additional ideas for modding my own script.

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tomasz Onyszko
Sent: Tuesday, May 09, 2006 5:11 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?

Jef Kazimer wrote:

Hmm. Reading the PDF at:
http://download.microsoft.com/download/5/8/e/58ededaf-4de0-4fd3-b500-8a8f6bbfe1f4/ADRAP_Datasheet_v1.0t_English.pdf

Is this something to have running where MOM is not running? It seems a lot of this can be done via MOM, though not as slick of a consolidated interface. Sort of like an all in one package?

Believe me or not - not everybody runs MOM :)

ADST was built for a different purpose - to provide a way to gather data from the current state of AD (snapshot) to perform further (maybe offline) analysis and build a report. Of course it may be used as an ad-hoc monitoring tool.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
[ActiveDir] AD Snapshot Tool (ADST) - how useful is it?
Is it useful at all? We are doing the AD risk assessment from Microsoft (ADRAP) - anyone has experiences or is using them extensively? Seems to be GUI mode only?

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?
http://download.microsoft.com/download/5/8/e/58ededaf-4de0-4fd3-b500-8a8f6bbfe1f4/ADRAP_Datasheet_v1.0t_English.pdf
or
http://download.microsoft.com/download/5/8/e/58ededaf-4de0-4fd3-b500-8a8f6bbfe1f4/Active%20Directory%20Health%20Check%20Program.pdf

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, May 08, 2006 5:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?

What is this tool and risk assessment, to which you refer? I'm intrigued ... :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddy HARTONO
Sent: 08 May 2006 09:42
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?
Importance: Low

Is it useful at all? We are doing the AD risk assessment from Microsoft (ADRAP) - anyone has experiences or is using them extensively? Seems to be GUI mode only?

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?
The one provided to you if you have some spare PSS hours for a MSFT engineer to be onsite and do a healthcheck on your AD..

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, May 08, 2006 5:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?

What is this tool and risk assessment, to which you refer? I'm intrigued ... :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddy HARTONO
Sent: 08 May 2006 09:42
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?
Importance: Low

Is it useful at all? We are doing the AD risk assessment from Microsoft (ADRAP) - anyone has experiences or is using them extensively? Seems to be GUI mode only?

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
RE: [ActiveDir] R2 Upgrade or install?
There are quite a few behaviours that are different when SP1 is slipstreamed and when it isn't; found out a few things on IIS behaviour with Integrated Authentication for example.
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true

Does anyone have a complete list of differences? Been wanting to have it for quite some time..

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Monday, May 01, 2006 5:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Upgrade or install?

Is there any reason for your preference to use R2 disk 1 for a fresh install, rather than installing from a 2003 CD and then loading the Service pack? If I understand correctly the R2 disk 1 is just 2003 with SP1 slipstreamed into it, am I correct?

Thanks,
Nate Bahta

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Friday, April 28, 2006 7:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Upgrade or install?

I do option 2 for existing installs that need it and option 3 for anything that needs a rebuild excuse or is fresh.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Friday, April 28, 2006 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 Upgrade or install?

Hey all,

I am having a debate and wondering if the following is true:
1) You must upgrade your 2003 servers to SP1 before going to R2.
2) You can upgrade an existing 2003 server to SP1 and then load the components from R2 onto it from R2 disk 2.
Or
3) Must you load the R2 disk 1 2003 Operating System disk with SP1 embedded and then load R2 disk 2 onto it.

Just trying to figure out if we need to upgrade to SP1 and then we can load the components of R2 onto our existing 2003 servers, or if we need to load the R2 disk 1 operating system, which contains SP1 already, and then R2 disk 2. Does anyone have any ideas?

Thanks,
Nate Bahta
RE: [ActiveDir] Speaking of Adminsdholder...
I usually reset via GUI (Default button under Advanced) or I believe dsacls /s should do it as well.

Thank you and have a splendid day!
Kind Regards, Freddy Hartono
Group Support Engineer, InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED] phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Tuesday, April 25, 2006 3:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Speaking of Adminsdholder...

That's what I thought. But I have an admin who is an Account Operator and in a group which has Exchange Full Admin rights on the Org who gets an access denied error when trying to delete an exchange mailbox. The user he is trying to delete used to be an Account Op but I took him out of the group days ago and set perms to inherit on his account. This admin can delete the mailbox of any Domain User account but not this one. This account is a member of 2 other groups which are just regular global groups and are not nested into any of the protected groups. In fact the groups are not nested in any groups. What could be preventing him from deleting his mailbox? This admin is not a member of any groups which have denies (explicit or inherited) that I can see.

Thanks

On 4/24/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

The behavior is not due to their being in a group given "Exchange Full Admin" rights. The behavior is due to those accounts belonging to groups that are protected by adminsdholder. The default protected groups (in 2K3, 2K-SP4, and 2K-with-KB327835 AD environments) are:
* Administrators
* Account Operators
* Server Operators
* Print Operators
* Backup Operators
* Domain Admins
* Schema Admins
* Enterprise Admins
* Cert Publishers

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 4/24/2006 10:15 AM
To: activedirectory
Subject: [ActiveDir] Speaking of Adminsdholder...

Does this affect users who have been delegated Exchange Full Admin access? I have an admin who can only delete mail attributes of regular users but not users who are in the group given Exchange Full Admin rights. Is this the adminSDHolder? The admin in question is an Account Operator. The users he can't delete mail attribs from are just members of Domain Users and the Exchange Full Admin group.

Thanks
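The thread turns on two facts about AdminSDHolder: SDProp protects every member of the protected groups listed above, nested membership included, and it does not undo that protection when an account later leaves such a group (the account keeps adminCount=1 and the non-inheriting DACL until somebody resets it, which is what the Default button or dsacls mentioned upthread do). The following is an added illustration, not code from the list or from any poster: it works out, from a constructed set of groups and account attributes, which accounts SDProp will stamp on its next pass and which ones are "orphaned" and still need a manual reset. The group names other than the default protected set, the account names and their attribute values are all made up for the example; against a real domain the same two functions would be fed the output of an LDAP query for member/memberOf and adminCount.

```python
"""Which accounts AdminSDHolder protects, and which ones it left behind.

Added illustration for the AdminSDHolder thread above; not code from the
list. The protected-group list is the default set quoted in the thread.
SDProp stamps every (transitively nested) member of those groups with
adminCount=1 and a non-inheriting copy of the AdminSDHolder DACL, but it
does not undo that when an account later leaves the group: the account
stays "protected" until an admin resets the ACL (Default button / dsacls,
as mentioned above) and clears adminCount. Directory data below is
constructed for the example.
"""
from typing import Dict, List, Set

# Default protected groups listed in the thread.
PROTECTED_GROUPS = {
    "Administrators", "Account Operators", "Server Operators",
    "Print Operators", "Backup Operators", "Domain Admins",
    "Schema Admins", "Enterprise Admins", "Cert Publishers",
}

# Constructed directory: group -> direct members (users or other groups).
GROUPS: Dict[str, Set[str]] = {
    "Domain Admins": {"alice", "Tier0 Ops"},          # contains a nested group
    "Tier0 Ops": {"carol"},
    "Account Operators": {"helpdesk-admin"},
    "Exchange Full Admin": {"tom", "jane"},           # NOT a protected group
    "Marketing": {"bob", "jane"},
}

# Constructed per-account state as the DC holds it right now.
ACCOUNTS = {
    "alice":          {"adminCount": 1, "inherits_acl": False},
    "carol":          {"adminCount": 1, "inherits_acl": False},
    "helpdesk-admin": {"adminCount": 1, "inherits_acl": False},
    # tom left Account Operators; inheritance was re-enabled by hand but
    # adminCount is still 1, the situation Tom Kern describes above
    "tom":            {"adminCount": 1, "inherits_acl": True},
    "jane":           {"adminCount": 0, "inherits_acl": True},
    "bob":            {"adminCount": 0, "inherits_acl": True},
    # nobody touched this one since it left a protected group
    "oldadmin":       {"adminCount": 1, "inherits_acl": False},
}


def transitive_members(group: str, groups: Dict[str, Set[str]], seen=None) -> Set[str]:
    """All non-group principals reachable from `group` through nesting (cycle-safe)."""
    seen = set() if seen is None else seen
    result: Set[str] = set()
    for member in groups.get(group, set()):
        if member in groups:                 # the member is itself a group
            if member not in seen:
                seen.add(member)
                result |= transitive_members(member, groups, seen)
        else:
            result.add(member)
    return result


def protected_accounts(groups: Dict[str, Set[str]], protected=PROTECTED_GROUPS) -> Set[str]:
    """Accounts SDProp will stamp on its next pass: nested members of protected groups."""
    acc: Set[str] = set()
    for g in protected:
        acc |= transitive_members(g, groups)
    return acc


def orphaned_protection(accounts, groups, protected=PROTECTED_GROUPS) -> List[str]:
    """Accounts still carrying adminCount=1 or a non-inheriting DACL although no
    protected group contains them any more. SDProp never cleans these up; an
    admin has to reset the ACL and clear adminCount by hand."""
    current = protected_accounts(groups, protected)
    return sorted(
        name for name, st in accounts.items()
        if name not in current and (st["adminCount"] == 1 or not st["inherits_acl"])
    )


if __name__ == "__main__":
    print("protected now :", sorted(protected_accounts(GROUPS)))
    print("needs reset   :", orphaned_protection(ACCOUNTS, GROUPS))
```

Running the orphan check periodically is a cheap way to catch accounts that silently kept elevated ACL protection (and the delegated-admin breakage that comes with it) long after they stopped being administrators.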
RE: [ActiveDir] Time Service Errors
Stupid question, is the NTP port open between them? Since these are the only two servers in the site, are there any IPsec rules etc.?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Feigin, Andrew
Sent: Saturday, April 15, 2006 1:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Time Service Errors

I'm having a problem with time services in a particular root domain on 2003 SP1. Initially, all 4 DCs were not advertising as time servers; I was able to fix that issue. The 3 DCs will not do a resync with the PDC emulator when I run w32tm /resync:

C:\>w32tm /resync
Sending resync command to local computer...
The computer did not resync because no time data was available.

When I do the below monitor command, I get:

C:\>w32tm /monitor /domain:r2
LIVP3R2RDOM01.r2.xxx.net [172.20.225.239]:
    ICMP: 0ms delay.
    NTP: -6.5469435s offset from FTWP3R2RDOM02.r2.xxx.net
        RefID: 'LOCL' [76.79.67.76]
LIVP3R2RDOM02.r2.xxx.net [172.20.225.240]:
    ICMP: 0ms delay.
    NTP: -5.9396763s offset from FTWP3R2RDOM02.r2.xxx.net
        RefID: 'LOCL' [76.79.67.76]
FTWP3R2RDOM01.r2.xxx.net [10.175.36.11]:
    ICMP: 39ms delay.
    NTP: -0.685s offset from FTWP3R2RDOM02.r2.xxx.net
        RefID: 'LOCL' [76.79.67.76]
FTWP3R2RDOM02.r2.xxx.net *** PDC *** [10.175.36.17]:
    ICMP: 39ms delay.
    NTP: +0.000s offset from FTWP3R2RDOM02.r2.xxx.net
        RefID: FTWP3R2RDOM01.r2.aig.net [10.175.36.11]

The PDC is in sync with the other server in its site; the 2 not in its site will not sync, all get the error on a resync. I have a case open with MS, however they can't find a way to fix it.

Help,
Andrew
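Two things in Andrew's output are worth decoding, and the helper below is an added example (not from the thread) for doing so. First, the RefID shown as 76.79.67.76 is not an address: at stratum 0 or 1 the NTP reference identifier is a four-character ASCII tag, and bytes 76,79,67,76 spell LOCL, meaning that DC is serving its own CMOS clock rather than a sync source. Second, Freddy's port question can be answered without a sniffer by sending one SNTP client request to UDP/123 and seeing whether anything comes back. The code assumes only .NET's UdpClient; the server name passed at the bottom is taken from the thread and the timeout is arbitrary.

```powershell
# Added example (not from the thread): decode w32tm's RefID and probe UDP/123 directly.
function ConvertFrom-NtpRefId {
    param([Parameter(Mandatory)][string]$RefId, [int]$Stratum = 1)
    # Above stratum 1 the RefID really is the upstream server's IPv4 address: leave it alone.
    if ($Stratum -gt 1) { return $RefId }
    # At stratum 0/1 the four bytes are an ASCII tag: 'LOCL' (local clock), 'GPS', 'RATE' (kiss-o'-death) ...
    $chars = $RefId.Split('.') | ForEach-Object { [char][byte]$_ }
    return (-join $chars).Trim()
}

function Test-NtpServer {
    param([Parameter(Mandatory)][string]$Server, [int]$TimeoutMs = 3000)
    $request    = New-Object byte[] 48
    $request[0] = 0x1B                       # LI=0, VN=3, Mode=3 (client)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, 123)
        [void]$udp.Send($request, $request.Length)
        $remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $reply  = $udp.Receive([ref]$remote)
    } catch {
        # A timeout here means the port is filtered (IPsec, firewall) or w32time is not listening
        return [pscustomobject]@{ Server = $Server; Reachable = $false; Error = $_.Exception.Message }
    } finally {
        $udp.Close()
    }

    $stratum = [int]$reply[1]
    $refId   = ($reply[12..15] | ForEach-Object { [int]$_ }) -join '.'
    # Transmit timestamp, seconds field: bytes 40..43, big-endian, seconds since 1900-01-01 UTC
    $secBytes = $reply[40..43]
    [Array]::Reverse($secBytes)
    $epoch      = New-Object DateTime -ArgumentList 1900, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    $serverTime = $epoch.AddSeconds([BitConverter]::ToUInt32($secBytes, 0))
    [pscustomobject]@{
        Server     = $Server
        Reachable  = $true
        Stratum    = $stratum
        RefId      = ConvertFrom-NtpRefId -RefId $refId -Stratum $stratum
        ServerTime = $serverTime
        OffsetSec  = [math]::Round(($serverTime - [DateTime]::UtcNow).TotalSeconds, 3)
    }
}

ConvertFrom-NtpRefId -RefId '76.79.67.76'           # the value from the /monitor output above
Test-NtpServer -Server 'FTWP3R2RDOM02.r2.xxx.net'   # run this from one of the DCs that will not resync
```

If Test-NtpServer times out from the remote DCs but works from the PDC's own site, the problem is the path (IPsec rule, firewall, or w32time not bound), not the time configuration. If it answers, look at Stratum and RefId: a PDC emulator showing stratum 1 with RefId LOCL has no external source configured, and w32tm /query /source on each DC will then show where each one thinks its time comes from.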
RE: [ActiveDir] Deleting default-first-site-name site
Woozzah.. stupid laggy Exchange server.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 13, 2006 11:26 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Deleting "default-first-site-name" site

I think you must have missed the answer in the follow-up reply ... that response contained -

<paste>
No, IIRC it defaults to the site of the DC from which the directory was sourced.
</paste>

... let me know if that doesn't cover your question. Hope it's helpful!

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Wednesday, April 12, 2006 10:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Deleting "default-first-site-name" site

Just curious, if this is deleted - where would a new DC with no subnet mapping be dropped to?

From: Steve Rochford [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Wednesday, April 12, 2006 10:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Deleting "default-first-site-name" site

Thanks; that's what I expected but I wanted to check before I deleted something crucial :-)

Steve

From: [EMAIL PROTECTED] on behalf of Dean Wells
Sent: Wed 12/04/2006 14:27
To: Send - AD mailing list
Subject: RE: [ActiveDir] Deleting "default-first-site-name" site

Since replication takes place between DCs which logically exist in logical sites, no, ... not at all -- there's nothing to replicate with.

Regarding the deletion question; I've deleted it more times than I can count, sometimes I rename it if I need a new site ... there's nothing "special" about that object outside of its name (and that _should_ also prove a moot point. This of course depends upon the developer, good coding vs. bad coding ... deleting it may break some joeware tools though -- haha, just teasing :0)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Rochford
Sent: Wednesday, April 12, 2006 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Deleting "default-first-site-name" site

We no longer have any servers in the "default-first-site-name" site; should I delete that site? I hadn't really thought it mattered until I was looking at the latency figures with repadmin (shown below for one server). Does it matter that no replication has taken place to a site without servers?

Steve

Replication Latency for site willesden (wstud3.student.cnwl.ac.uk):

Originating Site         Ver    Time Local Update    Time Orig. Update    Latency      Since Last
=======================  =====  ===================  ===================  ===========  ===========
Default-First-Site-Name  50     2004-04-07 08:25:58  2001-07-26 15:39:10  23656:46:48  17644:21:27
wembley                  58498  2006-04-12 12:25:57  2006-04-12 12:25:55  00:00:02     00:21:28
kilburn                  5      2006-04-12 12:10:56  2006-04-12 12:06:52  00:04:04     00:36:29
willesden                59228  2006-04-12 12:09:50  2006-04-12 12:09:50  00:00:00     00:37:35
Madhouse                 13173  2006-04-12 12:25:57  2006-04-12 12:22:40  00:03:17     00:21:28
RE: [ActiveDir] No Terminal License Server available
Hi James

If I remember correctly you'd have to set up a new one, reactivate the server (call the clearinghouse), reactivate the CALs, then deactivate the other ones.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Thursday, April 13, 2006 4:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] "No Terminal License Server available"

Thanks for your response. I think if I keep the old DC as a member server, it will be a pain to have to manually configure every workstation server to discover the existing license server. Having the TS licensing server on a DC appears to make the discovery a lot more automated. So if I want to move the TS licensing server to a new domain controller, does anyone know what the procedure is for this? I was thinking about backing up the LServer folder on the old DC and then restoring it onto the new DC.

Sorry, this appears to be going off topic.

[EMAIL PROTECTED] wrote:
FYI: The landscape changed somewhat with w2k3 TS. Excerpt from http://download.microsoft.com/download/2/f/2/2f2dc861-d567-4492-ae88-81afafa2d08d/Terminal%20Server%20Licensing.doc

"Although it is possible for non-domain controllers to be license servers in Windows Server 2003, it is important to note that domain license servers are not automatically discovered. You must configure a preferred license server on all terminal servers that need to communicate with non-Domain controller license servers configured as domain license servers. Enterprise domain license servers deployed on non-domain controllers are automatically discovered."

Hth,
neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 13 April 2006 07:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] "No Terminal License Server available"

Let me guess, because the DC you demoted is your Terminal Service License server in the domain? It's been a while since I last baby-sat a TS issue, but I believe that if the Site license service is not installed on a DC, then you will have to manually tell EACH TS in your environment how to locate the site license server. You do this through the registry. I don't have a TS server/environment handy to tell you exactly where the key is located. You can, however, search the registry for "DomainLicenseServer" (I think) and this should be where you specify the name of the TS License server.

HTH

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of James Carter
Sent: Wed 4/12/2006 11:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] "No Terminal License Server available"

Hi,

Single Windows 2003 domain. I demoted our DC to a member server and now we have an issue whereby when I open Terminal Server Licensing manager, I get a message "No Terminal Server License Server is available in the current domain or workgroup". Anyone know why I receive this from demoting a DC and how to fix this!?
RE: [ActiveDir] Deleting default-first-site-name site
Just curious, if this is deleted - where would a new DC with no subnet mapping be dropped to?

From: Steve Rochford [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Wednesday, April 12, 2006 10:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Deleting "default-first-site-name" site

Thanks; that's what I expected but I wanted to check before I deleted something crucial :-)

Steve

From: [EMAIL PROTECTED] on behalf of Dean Wells
Sent: Wed 12/04/2006 14:27
To: Send - AD mailing list
Subject: RE: [ActiveDir] Deleting "default-first-site-name" site

Since replication takes place between DCs which logically exist in logical sites, no, ... not at all -- there's nothing to replicate with.

Regarding the deletion question; I've deleted it more times than I can count, sometimes I rename it if I need a new site ... there's nothing "special" about that object outside of its name (and that _should_ also prove a moot point. This of course depends upon the developer, good coding vs. bad coding ... deleting it may break some joeware tools though -- haha, just teasing :0)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Rochford
Sent: Wednesday, April 12, 2006 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Deleting "default-first-site-name" site

We no longer have any servers in the "default-first-site-name" site; should I delete that site? I hadn't really thought it mattered until I was looking at the latency figures with repadmin (shown below for one server). Does it matter that no replication has taken place to a site without servers?

Steve

Replication Latency for site willesden (wstud3.student.cnwl.ac.uk):

Originating Site         Ver    Time Local Update    Time Orig. Update    Latency      Since Last
=======================  =====  ===================  ===================  ===========  ===========
Default-First-Site-Name  50     2004-04-07 08:25:58  2001-07-26 15:39:10  23656:46:48  17644:21:27
wembley                  58498  2006-04-12 12:25:57  2006-04-12 12:25:55  00:00:02     00:21:28
kilburn                  5      2006-04-12 12:10:56  2006-04-12 12:06:52  00:04:04     00:36:29
willesden                59228  2006-04-12 12:09:50  2006-04-12 12:09:50  00:00:00     00:37:35
Madhouse                 13173  2006-04-12 12:25:57  2006-04-12 12:22:40  00:03:17     00:21:28
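Both "Deleting default-first-site-name" messages in this archive ask the same two things: is the site safe to delete, and where does a DC whose address matches no subnet end up. The script below is an added example (not from the thread or from any poster). Test-SiteDeletable lists what still hangs off a site: server objects, subnets mapped to it, and site links that would be left with a single member. Find-SiteForAddress does the same longest-prefix match the DC locator does over the subnet objects and reports the site an address would land in, or that nothing matches, which is the case Dean answers (the DC then stays in the site of the DC it sourced the directory from). It assumes the RSAT ActiveDirectory module and handles IPv4 subnets only; the address at the bottom is a placeholder.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module; IPv4 subnets only.
Import-Module ActiveDirectory

function Test-SiteDeletable {
    param([Parameter(Mandatory)][string]$SiteName)
    $site    = Get-ADReplicationSite -Identity $SiteName
    $servers = Get-ADObject -SearchBase "CN=Servers,$($site.DistinguishedName)" `
                            -SearchScope OneLevel -LDAPFilter '(objectClass=server)'
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site |
               Where-Object { $_.Site -eq $site.DistinguishedName }
    $links   = Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded |
               Where-Object { $_.SitesIncluded -contains $site.DistinguishedName }
    [pscustomobject]@{
        Site             = $site.Name
        Servers          = @($servers | ForEach-Object Name)
        Subnets          = @($subnets | ForEach-Object Name)
        SiteLinks        = @($links   | ForEach-Object Name)
        # a link with two members loses its purpose once this site is removed from it
        LinksLeftWithOne = @($links | Where-Object { @($_.SitesIncluded).Count -le 2 } | ForEach-Object Name)
        SafeToDelete     = (@($servers).Count -eq 0 -and @($subnets).Count -eq 0)
    }
}

function Find-SiteForAddress {
    param([Parameter(Mandatory)][ipaddress]$Address)
    $ipBytes = $Address.GetAddressBytes(); [Array]::Reverse($ipBytes)
    $ip   = [BitConverter]::ToUInt32($ipBytes, 0)
    $best = $null
    foreach ($s in Get-ADReplicationSubnet -Filter * -Properties Site) {
        $parts = $s.Name.Split('/')                    # subnet objects are named "network/prefixlen"
        if ($parts.Count -ne 2) { continue }
        $net = [ipaddress]$parts[0]
        if ($net.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { continue }
        $bits = [int]$parts[1]
        $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits))
        $nb = $net.GetAddressBytes(); [Array]::Reverse($nb)
        $netAddr = [BitConverter]::ToUInt32($nb, 0)
        # longest matching prefix wins, as in the locator's own lookup
        if ((($ip -band $mask) -eq ($netAddr -band $mask)) -and ($null -eq $best -or $bits -gt $best.Bits)) {
            $best = [pscustomobject]@{ Subnet = $s.Name; Bits = $bits; Site = $s.Site }
        }
    }
    if ($best) { return $best }
    [pscustomobject]@{ Subnet = '(no matching subnet)'; Bits = -1; Site = '(stays in the site of the source DC)' }
}

Test-SiteDeletable -SiteName 'Default-First-Site-Name'
Find-SiteForAddress -Address '10.175.36.200'     # placeholder address
```

A site that reports Servers empty and Subnets empty is the case Dean describes: nothing replicates with it and deleting or renaming it changes nothing for the KCC. Run Find-SiteForAddress for the address of any DC you are about to promote; if it comes back with no matching subnet, add the subnet first rather than relying on the fallback.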
RE: [ActiveDir] Renaming DCs via netdom - a no no or painless?
Thanks Bob! Am in the midst of testing this out on my test lab, the link definitely helps out.

Cheers

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Saturday, April 08, 2006 3:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Renaming DCs via netdom - a no no or painless?

I asked a similar question back in 05/2005 which should be in the archives. In hindsight, it was quite painless though I was rather nervous at the time. I didn't have any problems at all; however, the issue below that Jorge pointed out at the time did apply in my particular case.

You Must Rename the SYSVOL Member Object to Rename a Windows Server 2003 Domain Controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;316826

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Thursday, April 06, 2006 5:14 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Renaming DCs via netdom - a no no or painless?

Hi

Any downside of renaming DCs via netdom (below) instead of demoting one by one (ouch!)?
http://technet2.microsoft.com/WindowsServer/en/Library/aad1169a-f0d2-47d5-b0ea-989081ce62be1033.mspx

Any side effects to those remote slow-link sites when I'm doing this, or will it be transparent to them... comments please.
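The netdom rename Freddy links to and the KB 316826 follow-up Bob mentions go together, so here is both as one added example (not code from the thread or from Microsoft's article). The first part is the netdom computername sequence for renaming a Windows Server 2003 DC in place; the second is a check for the thing KB 316826 warns about: the FRS member object under "Domain System Volume (SYSVOL share)" keeps the old computer name after the rename, and until it is renamed to match, SYSVOL replication for that DC is broken. Host names and the domain are placeholders; it assumes netdom.exe from the Support Tools and the RSAT ActiveDirectory module, and the rename itself is left as -WhatIf.

```powershell
# Added example (not from the thread). Names are placeholders.
$oldFqdn = 'DC01.corp.example'
$newFqdn = 'DC02.corp.example'

netdom computername $oldFqdn "/add:$newFqdn"          # 1. register the new name as an alternate
netdom computername $oldFqdn "/makeprimary:$newFqdn"  # 2. make it primary
# 3. reboot the DC and give the new name (SPNs, DNS, msDS-AdditionalDnsHostName) time to replicate
netdom computername $newFqdn "/remove:$oldFqdn"       # 4. drop the old name
netdom computername $newFqdn /enumerate               # 5. confirm only the new name is left

function Get-StaleSysvolMembers {
    # Lists FRS member objects whose name no longer matches the computer they reference (KB 316826).
    Import-Module ActiveDirectory
    $domainDn = (Get-ADDomain).DistinguishedName
    $frsBase  = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDn"
    Get-ADObject -SearchBase $frsBase -SearchScope OneLevel `
                 -LDAPFilter '(objectClass=nTFRSMember)' -Properties frsComputerReference |
        ForEach-Object {
            # frsComputerReference is the DN of the DC's computer object; its name is the authoritative one
            $computer = Get-ADObject -Identity $_.frsComputerReference -Properties name
            [pscustomobject]@{
                MemberObject = $_.DistinguishedName
                MemberName   = $_.Name
                ComputerName = $computer.Name
                Stale        = ($_.Name -ne $computer.Name)
            }
        } | Where-Object Stale
}

# Report the stale member object(s), then rename each to match its DC again:
Get-StaleSysvolMembers | ForEach-Object {
    Rename-ADObject -Identity $_.MemberObject -NewName $_.ComputerName -WhatIf   # drop -WhatIf to apply
}
```

Run Get-StaleSysvolMembers after step 5 has replicated; an empty result means the rename is complete from FRS's point of view. Remote slow-link sites see the change as ordinary replication of the computer, server and DNS objects, so the usual replication latency applies before clients there resolve the DC under its new name.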
RE: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain
If getsid doesn't work (if I remember correctly this is only for user accounts, not computers), try psgetsid or newsid.exe.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of matheesha weerasinghe
Sent: Tuesday, April 04, 2006 10:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain

Use getsid.exe of the support tools. How come you are using regmon? I thought sysinternals was a no no :0)

M@

On 02/04/06, Rodrigo Blanco [EMAIL PROTECTED] wrote:
Freddy,
is there any standard way (tools included in the W2K3 OS) to verify the SID of a machine? I am not allowed to install or use any external software, such as sysinternals, for instance.

Joe,
I believe that the application is using the WINSOCK API too. TCP/IP is working fine and the settings are just as they should be... :-/ So I will do a regmon on a good machine and extract the differences with mine.

Thank you very much,
Best regards,
Rodrigo.

On 02/04/06, joe [EMAIL PROTECTED] wrote:
I believe that tool is using the gethostname WINSOCK API call; I expect you are hitting an error and it isn't handling it gracefully. Is TCP/IP working properly on that machine? Are all of the TCP/IP settings correct? If everything looks ok, I would recommend running regmon on a known good machine and then doing the same on the troublesome machine and seeing what the differences are in the requests; you might get a hint there.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rodrigo Blanco
Sent: Tuesday, March 28, 2006 6:54 AM
To: ActiveDir@m ail.activedir.org
Subject: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain

Hello list,

I am currently having a problem with a Windows 2003 server inside a Windows 2003 server-based Active Directory domain. The problem is that when I run the "hostname" command, it is empty:

C:\>hostname

C:\>

I suspect this happened after doing a clone of the VM machine and, by error, starting it and changing its name in the same network as the original one (this should have happened in an off-line network). I have tried to take it out of the domain and register it again, but this will not help. There is no conflict between the DNS and the local hosts file on the server. The server is registered in both the direct and inverse DNS lookup zones. If I look in System Properties > Computer Name, everything looks fine: hostname and domain are correctly configured.

Any help will be more than welcome.

Thanks in advance and best regards,
Rodrigo.
RE: [ActiveDir] Quiet? DEC? Related?
Any group photos with activedir nick labelling around? :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, March 30, 2006 7:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Just wrapped up Day 3. 530 people. General consensus is that it was the best DEC ever. More to follow when I can type on something bigger than a credit card.

-gil

-----Original Message-----
From: Ayers, Diane [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 3/29/06 1:23 PM
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Maybe we should ask a question on the merits of doubling down on an 11 when the dealer has a face card showing... :-)

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, March 29, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Don't worry, we're still here.. ;-)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Moon, Brendan
Sent: Wed 2006-03-29 19:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Quiet? DEC? Related?

Hmm.. everyone must be having fun at DEC... this list has been very quiet this week!

- Brendan Moon
RE: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain
Since you mention it's a VM clone - is the computer SID duplicated?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodrigo Blanco
Sent: Tuesday, March 28, 2006 7:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain

Hello list,

I am currently having a problem with a Windows 2003 server inside a Windows 2003 server-based Active Directory domain. The problem is that when I run the hostname command, it is empty:

C:\>hostname

C:\>

I suspect this happened after doing a clone of the VM machine and, by error, starting it and changing its name in the same network as the original one (this should have happened in an off-line network). I have tried to take it out of the domain and register it again, but this will not help. There is no conflict between the DNS and the local hosts file on the server. The server is registered in both the direct and inverse DNS lookup zones. If I look in System Properties > Computer Name, everything looks fine: hostname and domain are correctly configured.

Any help will be more than welcome.

Thanks in advance and best regards,
Rodrigo.
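Freddy's "is the computer SID duplicated?" and Rodrigo's request (in the other "Empty hostname" message above) for a way to check it with tools shipped in the OS have one answer, given here as an added example that is not from the thread or any of its posters. The machine SID is the SID of any local account with its last sub-authority (the RID) removed, so it can be read through WMI on the local or a remote machine without getsid, psgetsid or newsid; Compare-MachineSid runs the same lookup against several hosts and flags duplicates. Host names at the bottom are placeholders.

```powershell
# Added example (not from the thread): read the machine SID with built-in tooling and compare hosts.
function Get-MachineSid {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Filter on LocalAccount so WMI does not start enumerating the whole domain.
    # The built-in Administrator (RID 500) exists even when renamed or disabled.
    $acct = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
                          -Filter 'LocalAccount = True' |
            Where-Object { $_.SID -like '*-500' } | Select-Object -First 1
    if (-not $acct) { throw "No local RID-500 account found on $ComputerName" }
    $sid = New-Object System.Security.Principal.SecurityIdentifier $acct.SID
    return $sid.AccountDomainSid.Value          # S-1-5-21-x-y-z, i.e. the account SID minus the RID
}

function Compare-MachineSid {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $byHost = @{}
    foreach ($c in $ComputerName) { $byHost[$c] = Get-MachineSid -ComputerName $c }
    foreach ($dup in ($byHost.GetEnumerator() | Group-Object Value | Where-Object Count -gt 1)) {
        $hosts = ($dup.Group | ForEach-Object Key) -join ', '
        Write-Warning "Duplicate machine SID $($dup.Name) on: $hosts"
    }
    return $byHost
}

Compare-MachineSid -ComputerName 'SRV-ORIGINAL', 'SRV-CLONE'   # placeholder host names
```

A matching SID on the clone and the original tells you the clone was copied without being generalised (sysprep). Note that domain membership keys off the computer account's SID in the domain, not the machine SID, so a duplicate is evidence of how the clone was made rather than, by itself, a cause of the empty hostname.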
RE: [ActiveDir] New DC with old DC name...
Usually this happens when your demotion takes place within a remote site and the computer account is still registered in your PDCe? When this happens, joining the computer to the domain usually gives lots of errors - one of them is a "User already exists" error during joining, or it could be the dropout issues you mentioned. It is in my environment at least..

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of RM
Sent: Saturday, February 25, 2006 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] New DC with old DC name...

Got some weirdness here. We decided to nuke-n-pave a 2000 DC and bring it back up as 2003. I DCPROMO'd it down to a member server and shut it down. I deleted its computer account and DNS records. I checked the dc_msdcs, gc, tcp, blah blah DNS records to verify that there was no trace of this old DC and that the appropriate DCs were providing site coverage in the interim (they were). I then formatted it, installed 2003, named it with the old DC name, and joined it to the domain. That's when the trouble started. First the computer account was spontaneously deleted. I joined it again and saw dnsapi, netlogon, and userenv errors in the event log. %LOGONSERVER% was the wrong DC and gpresult was giving the wrong site name. I then lost the computer account again. I finally gave up and selected a new name for the machine and all was well. I had thought that after a successful downward DCPROMO, all traces of the old system would be gone from AD. What step did I miss?

RM
[ActiveDir] Replication traffic monitoring accounting
Hi all,

Our network guys posted some interesting stats today: one of the DCs in the remote site was using 40 MByte of bandwidth over 3 hours in total. The DCs are plain DCs with the WINS service installed (but WINS isn't replicating to that particular DC) - the only thing is that one of the DCs is running MSMQ with public queues on it. Since the two DCs are rather standard, I'm wondering how I do accounting on my end, if possible, to find out what could possibly be wrong - 40 MByte of data over 3 hours is rather huge and is choking up one of our slow 128k lines (sucky I know).

Without doing sniffing on the network end etc., is there a way I could count replication traffic over to a particular DC (perfmon maybe?) - not sure if the inbound DRA etc. counters are related...

Anyone went down a similar track before?
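The DRA counters Freddy mentions are the right place to look: the NTDS performance object exposes inbound and outbound replication bytes per second, split into compressed (between sites) and not compressed (within site). The function below is an added example (not from the thread) that samples them with Get-Counter and totals them over the sampling window, which puts a number on replication traffic without a sniffer and shows whether the 40 MB is replication at all or something else (MSMQ, WINS, DNS). Each sample is a bytes-per-second rate averaged over the interval, so rate times interval summed over the run gives bytes moved. The DC name is a placeholder; the counter names are the standard NTDS ones, and Get-Counter fails as a whole if any one of them is not present on the target OS.

```powershell
# Added example (not from the thread). DC name is a placeholder.
function Measure-ReplicationBytes {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$IntervalSeconds = 15,
        [int]$Samples = 20                  # 20 x 15 s = a 5 minute window
    )
    $counters = @(
        '\NTDS\DRA Inbound Bytes Total/sec',
        '\NTDS\DRA Inbound Bytes Compressed (Between Sites, After Compression)/sec',
        '\NTDS\DRA Inbound Bytes Not Compressed (Within Site)/sec',
        '\NTDS\DRA Outbound Bytes Total/sec',
        '\NTDS\DRA Outbound Bytes Compressed (Between Sites, After Compression)/sec',
        '\NTDS\DRA Outbound Bytes Not Compressed (Within Site)/sec'
    )
    $sets = Get-Counter -ComputerName $DomainController -Counter $counters `
                        -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $totals = @{}
    foreach ($set in $sets) {
        foreach ($s in $set.CounterSamples) {
            $name = ($s.Path -split '\\')[-1]                 # drop the \\host\ntds\ prefix
            # CookedValue is bytes/sec averaged over the interval; integrate it over the interval
            $totals[$name] = [double]$totals[$name] + ($s.CookedValue * $IntervalSeconds)
        }
    }
    $totals.GetEnumerator() | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{
            Counter = $_.Name
            Bytes   = [long]$_.Value
            MB      = [math]::Round($_.Value / 1MB, 2)
        }
    }
}

Measure-ReplicationBytes -DomainController 'DC-REMOTE01'
# To see which partner and partition the bytes belong to, pair the numbers with:
#   repadmin /showrepl DC-REMOTE01
#   repadmin /showutdvec DC-REMOTE01 "DC=corp,DC=example"
```

Compare the "Between Sites, After Compression" figure with what the network team measured for the link: if it is a small fraction of the 40 MB, replication is not the consumer and the remaining traffic is worth attributing to MSMQ or WINS with the same technique (their own performance objects) before reaching for a capture.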
RE: [ActiveDir] Poweruser addition
If you put that into the computer startup script that would work, as it will be run under the system context.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Senthil Kumar
Sent: Sunday, February 12, 2006 4:03 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Poweruser addition

Hi,

I want to add a particular user to the Power Users group of all the computers in the domain. I have tried the command

net localgroup "power users" helpdesk /add

But this command cannot be used when the logging-on user has restricted access. I have also seen the usrtogroup utility. Is there any option in Group Policy so that I can do that in an efficient way?

Regards,
Senthil
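Freddy's suggestion works because a computer startup script runs as SYSTEM before anyone logs on, so the logged-on user's rights are irrelevant. The script below is an added example (not from the thread) of that startup script done carefully: it checks membership by SID first so it does not fail on every reboot once the account is already a member, and it uses the WinNT ADSI provider, which is available on Windows 2000 and later. Link it under Computer Configuration > Windows Settings > Scripts (Startup). The domain and account names are placeholders.

```powershell
# Added example (not from the thread): idempotent startup script adding a domain account
# to a local group. Domain, account and group names are placeholders / parameters.
param(
    [string]$Domain  = 'CORP',
    [string]$Account = 'helpdesk',
    [string]$Group   = 'Power Users'
)

$localGroup = [ADSI]"WinNT://./$Group,group"

# Resolve the target to a SID and compare SIDs rather than names, so a renamed account or a
# different display form ("CORP\helpdesk" vs "helpdesk@corp.example") is still recognised.
$ntAccount = New-Object System.Security.Principal.NTAccount($Domain, $Account)
$targetSid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

$memberSids = @($localGroup.psbase.Invoke('Members')) | ForEach-Object {
    $raw = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
}

if ($memberSids -contains $targetSid) {
    Write-Output "$Domain\$Account is already a member of $Group"
} else {
    $localGroup.Add("WinNT://$Domain/$Account,user")
    Write-Output "Added $Domain\$Account to $Group"
}
```

The pure-GPO route Senthil asks about also exists: Restricted Groups under Computer Configuration > Windows Settings > Security Settings, adding the domain group to the local group's "Member of" list, adds it without replacing the existing members; the script is the way to go when the target machines must stay on a policy that cannot be touched.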
RE: [ActiveDir] Delegating attribute in property Set (Personal In formation set)
Thanks Jorge, Joe, Dean!

From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, February 07, 2006 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegating attribute in property Set (Personal Information set)

If for some reason you want to delegate the use of some attribute and that attribute is not listed in the property/attribute specific list, then that attribute is hidden from being viewed. To be able to use that attribute in the Delegation of Control wizard on THAT SPECIFIC DC, open DSSEC.DAT in %WINDIR%\SYSTEM32, search for the attribute you want to use (make sure you are making changes under the correct [OBJECT]) and change the value 7 to a value 0 (zero). Save DSSEC.DAT and RE-OPEN Active Directory Users and Computers.

Before doing this make a copy of the original DSSEC.DAT (e.g. DSSEC.DAT.ORG) and after doing this make a copy of the changed DSSEC.DAT (e.g. DSSEC.DAT.CUST) (if for some reason a hotfix or SP replaces the file you have lost your changes).

In your case look for physicalDeliveryOfficeName=7 under [user]; after setting this to 0 you will see it in the delegation wizard.

jorge

From: [EMAIL PROTECTED] on behalf of Freddy HARTONO
Sent: Tue 2006-02-07 02:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegating attribute in property Set (Personal Information set)

Hi all,

I'm trying to delegate the "Office" field shown in ADUC - which actually maps to the "physicalDeliveryOfficeName" field in AD. However via the GUI this option seems to be hidden and seems like it's part of a Personal Information property set. Would dsacls do delegation for this particular attribute only? Been trying it but getting errors :) Some light to shed perhaps?

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] AD Web Interface
Someone pointed me to this earlier on - http://www.namescape.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Wednesday, February 08, 2006 5:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Web Interface

AD Gurus,

Anyone know of a web interface for some basic AD administration, preferably a cheap or free solution? Basically, this web interface will be provided to the helpdesk to perform tasks like unlock account, move account, check group membership etc. By googling around I found the PHP based adLDAP (http://adldap.sourceforge.net) and I am able to make a web interface with it (that website designing hobby finally paid off); however, I found it to be very slow in the production environment. Just wondering if anyone out there has had need for such a tool.

-Adeel
[ActiveDir] Delegating attribute in property Set (Personal Information set)
Hi all,

I'm trying to delegate the Office field shown in ADUC - which actually maps to the physicalDeliveryOfficeName field in AD. However via the GUI this option seems to be hidden and seems like it's part of a Personal Information property set. Would dsacls do delegation for this particular attribute only? Been trying it but getting errors :) Some light to shed perhaps?
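The dsacls question asked here (and answered with the DSSEC.DAT trick in the reply earlier on this page) has a direct answer: dsacls can grant write on a single attribute without the wizard, because the ACE syntax takes an attribute name and an inherited object class. The snippet below is an added example, not code from the thread or from any poster. It grants write on physicalDeliveryOfficeName to user objects under an OU, then reads the ACL back through the AD: drive to confirm the ACE is scoped to that one attribute and not to the whole Personal Information property set. The OU and group names are placeholders; it assumes the RSAT ActiveDirectory module and dsacls.exe.

```powershell
# Added example (not from the thread). OU and group are placeholders; assumes RSAT AD module + dsacls.exe.
Import-Module ActiveDirectory
$ou    = 'OU=Staff,DC=corp,DC=example'
$group = 'CORP\Office-Editors'

# /I:S  apply to sub-objects only (not to the OU itself)
# WP    write property; "<attribute>;<class>" restricts it to that attribute on objects of that class
dsacls $ou /I:S /G "${group}:WP;physicalDeliveryOfficeName;user"

function Get-AttributeDelegation {
    # Lists Allow/Deny ACEs on $Path that grant WriteProperty on exactly $Attribute.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Attribute)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attrObj  = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$Attribute)" -Properties schemaIDGUID
    $attrGuid = New-Object Guid (,$attrObj.schemaIDGUID)          # ObjectType in the ACE is this GUID
    $write    = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    (Get-Acl -Path "AD:\$Path").Access |
        Where-Object { $_.ObjectType -eq $attrGuid -and (($_.ActiveDirectoryRights -band $write) -ne 0) } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      InheritanceType, InheritedObjectType
}

Get-AttributeDelegation -Path $ou -Attribute physicalDeliveryOfficeName
```

A property-set grant (what the wizard offers for "Personal Information") would show up with a different ObjectType GUID, that of the property set, so an empty result from Get-AttributeDelegation together with a visible Personal Information ACE means the delegation is wider than intended. The usual cause of the errors dsacls gives for this kind of grant is a missing trailing class name or the ACE not being quoted, since the semicolons are otherwise taken as command separators by the shell.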
RE: [ActiveDir] OT: SP1 and VMware
Interesting read, but it doesn't really state under what circumstances it fails... Obviously it doesn't fail on all..

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, February 07, 2006 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SP1 and VMware

The operating system stops responding when you run Windows Server 2003 SP1 in a VMware environment:
http://support.microsoft.com/?kbid=910048

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
[ActiveDir] Delegating Netlogon share files
Hi

Just curious how you guys delegate netlogon shares as part of an OU_Administrator role; what's a good way of doing so? Basically even if I grant them rights to a certain folder or scripts, they wouldn't be able to edit it via the \\domain.tld\netlogon\ path and only via %windir%\sysvol\sysvol\scripts (share vs. NTFS rights thingy).

Any suggestions?
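The behaviour described (edits work through the local SYSVOL path but not through \\domain\NETLOGON) is what you get when the delegates have NTFS write on the scripts folder but only Read on the NETLOGON share: access over the UNC path is the intersection of share and NTFS permissions, and the local path is subject to NTFS alone. The function below is an added example, not from the thread, that lists the NETLOGON share ACL next to the NTFS ACEs carrying write bits so the gap is visible, followed by the one-liner that closes it. The group name is a placeholder; it assumes the SmbShare module (Windows Server 2012 or later) and admin rights on the DC.

```powershell
# Added example (not from the thread). Assumes the SmbShare module (2012+) and admin rights on the DC.
function Compare-NetlogonAccess {
    param([string]$DomainController = $env:COMPUTERNAME)
    $cim      = New-CimSession -ComputerName $DomainController
    $share    = Get-SmbShare       -Name NETLOGON -CimSession $cim
    $shareAcl = Get-SmbShareAccess -Name NETLOGON -CimSession $cim
    Remove-CimSession $cim
    # Local path on the DC -> admin share path, e.g. C:\Windows\SYSVOL\sysvol\corp.example\scripts -> \\dc\C$\Windows\...
    $uncPath = "\\$DomainController\" + ($share.Path -replace '^([A-Za-z]):', '$1$$')
    $ntfsAcl = Get-Acl -Path $uncPath

    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
    $ntfsWriters = $ntfsAcl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ((([int]$_.FileSystemRights) -band $writeBits) -ne 0)
    }
    [pscustomobject]@{
        SharePath   = $share.Path
        ShareAcl    = @($shareAcl    | ForEach-Object { "$($_.AccountName): $($_.AccessControlType) $($_.AccessRight)" })
        NtfsWriters = @($ntfsWriters | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
    }
}

Compare-NetlogonAccess -DomainController 'DC01'      # placeholder DC name

# Give the OU admins Change on the share as well; NTFS on the scripts folder still decides which
# files they can actually touch, so the delegation stays as narrow as the NTFS grant:
# Grant-SmbShareAccess -Name NETLOGON -AccountName 'CORP\OU-Admins' -AccessRight Change -Force
```

Two caveats for the delegation design: NTFS ACLs on the scripts folder replicate with SYSVOL, but share permissions are per-DC, so the Grant-SmbShareAccess step has to be repeated on every DC the delegates might hit (the DFS referral for \\domain\NETLOGON picks one by site); and Change on the share plus NTFS write on one subfolder is the least-privilege combination, since widening the share ACL alone grants nothing NTFS does not already allow.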
[ActiveDir] OT: AD Search via web
Title: OT: AD Search via web Hi guys, just trying to generate some basic searches of AD for extranet users to access via a webpage, say for example phone or email directories. Found this software below, but are there any better ones out there which don't cost a bomb :) http://www.extsoft.com/products/extview/index.asp Simply for a view-only directory, not for adding or removing objects, such as what Quest ActiveRoles does.. Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
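An added example, not from the thread and not any of the products mentioned: the part of a web directory lookup that matters from a security standpoint is that the search term typed by an extranet user is escaped before it goes into the LDAP filter (RFC 4515), and that the page binds with a read-only account so the web tier holds no write rights. Server, base DN, the lookup account and its password are placeholders.

```powershell
# Added example (not from the original thread). A read-only phone/email lookup
# with the user-supplied term escaped so it cannot change the LDAP filter.
# Server, base DN and credentials are assumptions; the password would come
# from a secret store, not a script, in practice.

# RFC 4515 escaping of a filter value: \ * ( ) and NUL become \xx hex escapes.
function ConvertTo-LdapFilterLiteral([string]$Value) {
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'       { [void]$sb.Append('\5c') }
            '*'       { [void]$sb.Append('\2a') }
            '('       { [void]$sb.Append('\28') }
            ')'       { [void]$sb.Append('\29') }
            ([char]0) { [void]$sb.Append('\00') }
            default   { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Find-DirectoryEntry([string]$Term) {
    $safe = ConvertTo-LdapFilterLiteral $Term
    # Only people, only the attributes the page displays.
    $filter = "(&(objectCategory=person)(objectClass=user)(|(displayName=*$safe*)(mail=*$safe*)))"
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        'LDAP://dc01.corp.example/DC=corp,DC=example',   # assumed DC and base DN
        'CORP\svc-dirlookup', 'assumed-password',        # assumed read-only account
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    $s = New-Object System.DirectoryServices.DirectorySearcher(
        $root, $filter, @('displayName', 'mail', 'telephoneNumber'))
    $s.SizeLimit = 50     # cap what an anonymous-ish web user can enumerate
    $s.FindAll() | ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            Name  = ($p['displayname']     | Select-Object -First 1)
            Mail  = ($p['mail']            | Select-Object -First 1)
            Phone = ($p['telephonenumber'] | Select-Object -First 1)
        }
    }
}

# The constructed input below is what an injection attempt looks like; after
# escaping it is just a literal, and the filter's structure is unchanged.
ConvertTo-LdapFilterLiteral 'smith)(objectClass=*'     # -> smith\29\28objectClass=\2a
Find-DirectoryEntry 'smith'
```

Without the escaping step, a term such as `*)(userAccountControl=*` widens the search past the displayName/mail attributes the page intended to expose, which is why the filter value is treated as data rather than concatenated raw.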
RE: [ActiveDir] OT: AD Search via web
Title: OT: AD Search via web Ah splendid :) Thanks Jerry! Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jerry Welch Sent: Wednesday, February 01, 2006 7:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: AD Search via web Try Namescape ( www.namescape.com ) https://www.iowaonline.state.ia.us/rdirectory/rDirectory.aspx is a good example of the product in action. The FREE version provides basic web lookup, as you describe. The Co$t version provides for editing, with group policies. Jerry Jerry Welch CPS Systems US/Canada: 888-666-0277 International: +1 703 827 0919 (-4 GMT) IP Phone (Skype): Jerry_Welch ( www.skype.net ) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO Sent: Wednesday, February 01, 2006 6:18 AM To: activedir@mail.activedir.org Subject: [ActiveDir] OT: AD Search via web Hi guys, just trying to generate some basic searches of AD for extranet users to access via a webpage, say for example phone or email directories. Found this software below, but are there any better ones out there which don't cost a bomb :) http://www.extsoft.com/products/extview/index.asp Simply for a view-only directory, not for adding or removing objects, such as what Quest ActiveRoles does.. Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
RE: [SPAM?] RE: [SPAM?] RE: [ActiveDir] Net localgroup limitation ?
Title: Net localgroup limitation? Hi Joe, in terms of net localgroup it's no good of course, had to rename the long group name to a shorter one in the end. :) Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, January 25, 2006 3:10 PM To: ActiveDir@mail.activedir.org Subject: [SPAM?] RE: [SPAM?] RE: [ActiveDir] Net localgroup limitation? So I am confused, are you good now? The 57 characters sounds familiar to me, that might be the limit I hit when migrating Domain Local groups into 2K several years ago. I would have to look at some standards docs I wrote for that company to be sure. I ended up just saying, ok from now on, max length of a group is X, where X was the length of the user-definable part of the group name plus the part we required for it to be in AD (basically a building suffix and a dash for a prefix). From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO Sent: Tuesday, January 24, 2006 5:31 AM To: ActiveDir@mail.activedir.org Subject: RE: [SPAM?] RE: [ActiveDir] Net localgroup limitation? Hi Joe, Yeah thanks for that, I was scratching my head trying to add a new admin group 57 characters long. Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, January 24, 2006 12:35 PM To: ActiveDir@mail.activedir.org Subject: [SPAM?] RE: [ActiveDir] Net localgroup limitation?
According to the schema the sAMAccountName must be 0-256, however, this is one of the famous SAM attributes; the rules of the schema are not necessarily the rules that apply to the SAM attributes, see http://blog.joeware.net/2006/01/21/222/ - which is a blog article titled "But the schema says description is multivalued." The sAMAccountName is fun because it depends on the object type it is applied to. For instance a user object peaks out at 20 even with LDAP. Local group names I believe could go to 256 characters if you knew how. You can definitely go that high on the local SAM on workstations. Even with NET.EXE you can create and manipulate domain local groups with greater than 20 characters. In fact I just double-checked and it easily handled creating, populating, and deleting a group with 100 characters. The pinch though is when you are trying to add that group to another group. NET.EXE screws that up and throws the usage screen. However, that doesn't mean it can't be done and that the API doesn't handle it. If you grab my LG tool from the website (http://www.joeware.net/win/free/tools/lg.htm) it will do it and I can guarantee it uses the LEGACY NET API. I wrote the main code used in that tool initially back in about 1997 or 1998 or so. I do recall in the early days of W2K some kind of an issue with group names though while importing them into AD from NT4 domains. If the group was too long it would instead get a random sAMAccountName, which I thought was quite fun. I ended up having to put in a check script after every migration to make sure that CNs and SAM names matched up. Interestingly enough, MS has put an attribute into AD, called uASCompat, to hint at some point at upcoming support for turning off the LANMAN support which artificially limits say a userid SAM name to 20 characters. However, currently that attribute seems to be entirely read-only. I have not been able to find a way to change it the various times I have poked through the source code.
joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Friday, January 20, 2006 12:14 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Net localgroup limitation? Hi, In AD: the sAMAccountName must be between 0 and 256 characters long; the cn must be between 1 and 64 characters long. I guess the NET commands are still using legacy methods. When creating a group in NT4 the limit was 20 chars when you used User Manager for Domains. However, using other methods (scripting or third-party tooling) it was possible to pass the limit of User Manager for Domains. Don't remember what the real limit was/is. Jorge From: [EMAIL PROTECTED] on behalf of Freddy HARTONO Sent: Fri 2006-01-20 08:48 To: activedir@mail.activedir.org Subject: [ActiveDir] Net localgroup limitation? Hi, just curious is there a 19 character limit for net localgroup commands? Just realised after trying to script a couple of things that adding this doesn't work. This works: Net localgroup Administrators "domain\12345678910123456789" /ADD This doesn't work: Net localgroup Administrators "domain\123456789101234567890123456" /ADD Anyone else come up wit
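An added example, not from the thread and not joe's LG tool: since the failure is NET.EXE's command-line parsing rather than the underlying API, the same add can be done from PowerShell through the WinNT ADSI provider (which sits on the legacy NET API) for the local group, and through LDAP for creating and nesting the long domain group. The domain, group and OU names are placeholders; the long name is a constructed 61-character string.

```powershell
# Added example (not from the original thread). Adds a long domain group to
# the local Administrators group without NET.EXE, then verifies by reading
# the membership back. Names are assumptions.
$Domain    = 'CORP'
$LongGroup = 'Workstation-Administrators-Singapore-Infrastructure-Services'  # 61 chars, constructed
$Computer  = $env:COMPUTERNAME

# --- AD side (LDAP, not NET.EXE): create the long group and nest it ---
Import-Module ActiveDirectory
New-ADGroup -Name $LongGroup -SamAccountName $LongGroup -GroupScope DomainLocal `
    -Path 'OU=Groups,DC=corp,DC=example'                        # assumed OU
Add-ADGroupMember -Identity 'Server-Operators-SG' -Members $LongGroup   # assumed parent group

# --- Local SAM side (WinNT provider over the legacy NET API) ---
$localAdmins = [ADSI]"WinNT://$Computer/Administrators,group"
$localAdmins.Add("WinNT://$Domain/$LongGroup,group")

# Verify by enumerating members rather than trusting the call's silence.
$members = @($localAdmins.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
if ($members -notcontains $LongGroup) { throw "$LongGroup was not added to Administrators on $Computer" }
$members

# Sanity check on what the schema allows versus what the tool accepted:
# the SAM name should have come back exactly as requested, not truncated
# or replaced, which is the migration symptom joe describes.
(Get-ADGroup -Identity $LongGroup).SamAccountName.Length        # -> 61
```

On Windows 10 / Server 2016 and later the same local add is `Add-LocalGroupMember -Group Administrators -Member "$Domain\$LongGroup"`; the ADSI form above also works on the 2003-era systems in the thread.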
RE: [SPAM?] RE: [ActiveDir] Net localgroup limitation?
Title: Net localgroup limitation? Hi Joe, Yeah thanks for that, I was scratching my head trying to add a new admin group 57 characters long. Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, January 24, 2006 12:35 PM To: ActiveDir@mail.activedir.org Subject: [SPAM?] RE: [ActiveDir] Net localgroup limitation? According to the schema the sAMAccountName must be 0-256, however, this is one of the famous SAM attributes; the rules of the schema are not necessarily the rules that apply to the SAM attributes, see http://blog.joeware.net/2006/01/21/222/ - which is a blog article titled "But the schema says description is multivalued." The sAMAccountName is fun because it depends on the object type it is applied to. For instance a user object peaks out at 20 even with LDAP. Local group names I believe could go to 256 characters if you knew how. You can definitely go that high on the local SAM on workstations. Even with NET.EXE you can create and manipulate domain local groups with greater than 20 characters. In fact I just double-checked and it easily handled creating, populating, and deleting a group with 100 characters. The pinch though is when you are trying to add that group to another group. NET.EXE screws that up and throws the usage screen. However, that doesn't mean it can't be done and that the API doesn't handle it. If you grab my LG tool from the website (http://www.joeware.net/win/free/tools/lg.htm) it will do it and I can guarantee it uses the LEGACY NET API. I wrote the main code used in that tool initially back in about 1997 or 1998 or so. I do recall in the early days of W2K some kind of an issue with group names though while importing them into AD from NT4 domains. If the group was too long it would instead get a random sAMAccountName, which I thought was quite fun.
I ended up having to put in a check script after every migration to make sure that CNs and SAM names matched up. Interestingly enough, MS has put an attribute into AD, called uASCompat, to hint at some point at upcoming support for turning off the LANMAN support which artificially limits say a userid SAM name to 20 characters. However, currently that attribute seems to be entirely read-only. I have not been able to find a way to change it the various times I have poked through the source code. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Friday, January 20, 2006 12:14 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Net localgroup limitation? Hi, In AD: the sAMAccountName must be between 0 and 256 characters long; the cn must be between 1 and 64 characters long. I guess the NET commands are still using legacy methods. When creating a group in NT4 the limit was 20 chars when you used User Manager for Domains. However, using other methods (scripting or third-party tooling) it was possible to pass the limit of User Manager for Domains. Don't remember what the real limit was/is. Jorge From: [EMAIL PROTECTED] on behalf of Freddy HARTONO Sent: Fri 2006-01-20 08:48 To: activedir@mail.activedir.org Subject: [ActiveDir] Net localgroup limitation? Hi, just curious is there a 19 character limit for net localgroup commands? Just realised after trying to script a couple of things that adding this doesn't work. This works: Net localgroup Administrators "domain\12345678910123456789" /ADD This doesn't work: Net localgroup Administrators "domain\123456789101234567890123456" /ADD Anyone else come up with this limitation? Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
[ActiveDir] Net localgroup limitation?
Title: Net localgroup limitation? Hi, just curious is there a 19 character limit for net localgroup commands? Just realised after trying to script a couple of things that adding this doesn't work. This works: Net localgroup Administrators domain\12345678910123456789 /ADD This doesn't work: Net localgroup Administrators domain\123456789101234567890123456 /ADD Anyone else come up with this limitation? Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
RE: [ActiveDir] Way OT: DC Server monitoring tools
Title: Way OT: DC & Server monitoring tools Hi Neil, just standard system availability checks and alerting, simple SMS or email would do. Monitor things like 1) Availability - ping test (packet latency) etc., port availability, LDAP binding tests (how long it takes to make an LDAP object query) 2) Eventlog - eventlog searches and triggers (no need for consolidation, such as what InTrust is doing) 3) Reporting - monthly or management type of reporting or trending, say disk space utilization trends over the past few months 4) Performance counters - perfmon counters to monitor other things such as Exchange queue length etc. 5) Email round trip test - sends SMTP or MAPI mails to a destination, opens them with POP3 or MAPI and checks if the emails are received within x amount of minutes. Things like that; am using Argent currently (costs a bomb), was evaluating SiteScope (quite user friendly) but the pricing model of per-point monitoring may be a disadvantage... Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, January 05, 2006 4:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Way OT: DC Server monitoring tools What do you mean by "monitoring"? I normally split this into several sub categories: 1. System 2. Security and Vulnerability 3. Audit and Compliance 4. Archival A few suggestions below: MOM (MS) [cat 1]; App Manager [cat 1], Vulnerability Manager [cat 2] and Security Manager [cat 2] (NetIQ); InTrust [cat 3, 4] and Reporter [cat 3] (Quest); SecurityManager [cat 2, 3] (NetPro) neil ___ Neil Ruston Global Technology Infrastructure Nomura International plc From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO Sent: 05 January 2006 02:55 To: activedir@mail.activedir.org Subject: [ActiveDir] Way OT: DC Server monitoring tools Hi all, just looking for some advice on server monitoring tools, for DC monitoring as well as Exchange monitoring. I'm currently using Argent but found it much of a hassle to set up, the predefined rules out of the box are very standard and it is much more expensive than others as well. Tried installing MOM but the GUI isn't easy (haven't had time to play around much)... Any suggestions or experience with good monitoring products, preferably agentless.. Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
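An added example, not from the thread and not any of the products named: the first two items on the list above (port availability and a timed LDAP bind) are small enough to do agentlessly from a scheduled task on a management host. The probe below discovers the DCs from the domain, tests the ports a client needs, times a RootDSE bind and returns objects a scheduler can turn into an SMS or email alert. The slow-bind threshold is an assumption; Test-NetConnection needs Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original thread). Agentless DC availability
# probe: port reachability plus a timed LDAP bind per DC. The 500 ms
# threshold is an assumption; tune it to the observed baseline.
Import-Module ActiveDirectory

function Test-DcHealth {
    param([int]$SlowBindMs = 500)
    $dcs = (Get-ADDomainController -Filter *).HostName
    foreach ($dc in $dcs) {
        # Kerberos, LDAP, LDAPS, SMB: the ports a domain member actually needs.
        $ports = foreach ($p in 88, 389, 636, 445) {
            $ok = Test-NetConnection -ComputerName $dc -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
            "$p=$(if ($ok) { 'open' } else { 'closed' })"
        }
        # Time a real bind, not just a TCP connect: reading RootDSE forces it.
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        $bindErr = $null
        try {
            $de = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/RootDSE")
            $null = $de.Properties['defaultNamingContext'].Value
        } catch { $bindErr = $_.Exception.Message }
        $sw.Stop()
        [pscustomobject]@{
            DC     = $dc
            Ports  = $ports -join ' '
            BindOk = (-not $bindErr)
            BindMs = $sw.ElapsedMilliseconds
            Slow   = ($sw.ElapsedMilliseconds -gt $SlowBindMs)
            Error  = $bindErr
        }
    }
}

$results = Test-DcHealth
$results | Format-Table -AutoSize
# Alert condition a scheduler would act on: any failed bind, closed port or slow bind.
$bad = $results | Where-Object { -not $_.BindOk -or $_.Slow -or $_.Ports -match 'closed' }
if ($bad) { Write-Warning ("DC check failed for: " + (($bad.DC) -join ', ')) }
```

The event-log item on the list is a separate check; what this probe adds over a ping is that a DC whose LDAP service is hung still answers ICMP and TCP connects, so only the timed bind catches it.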
[ActiveDir] Way OT: DC Server monitoring tools
Title: Way OT: DC Server monitoring tools Hi all, just looking for some advice on server monitoring tools, for DC monitoring as well as Exchange monitoring. I'm currently using Argent but found it much of a hassle to set up, the predefined rules out of the box are very standard and it is much more expensive than others as well. Tried installing MOM but the GUI isn't easy (haven't had time to play around much)... Any suggestions or experience with good monitoring products, preferably agentless.. Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
RE: [ActiveDir] Event 2069 - AD Quota tracking table?
Ah what excellent info, thanks Steve! Will try semantic on the server and monitor for that event, next week that is..:) Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Thursday, December 29, 2005 10:12 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Event 2069 - AD Quota tracking table? Personally, I don't think I'd trust a DC that I inherited if on the first day I got it, it exhibits issues and I don't have a known state for it. Maybe I'm superstitious or maybe I've been bit a few too many times in similar situations. Thanks for the explanation though, that helps a great deal. -ajm On 12/28/05, Steve Linehan [EMAIL PROTECTED] wrote: This error is benign as long as you are not enforcing quotas for Active Directory objects, and if you are, the only downside is that a user may be able to create more or fewer objects than they should. The issue can occur on a DC or a GC and one of the ways it occurs is when SDProp fixes up missing or corrupt security descriptors on objects. To correct the problem you can boot the machine into Directory Services Restore Mode and then run the following commands from ntdsutil: semantic database analysis, rebuild quota. Once done, reboot back to DS and check for 2065, which signals a successful rebuild of the table. Thanks, -Steve From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Al Mulnick Sent: Wednesday, December 28, 2005 9:29 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Event 2069 - AD Quota tracking table? Hard to say how much of a problem that is. I've seen references to it being a problem with the GC which is why I asked. It would be something where you'd want to remove the GC role, and then re-add it/rebuild it based on what I've seen.
I wouldn't have expected it to go away completely unless it only occurs at specific times such as during backup (not that it would be triggered that way in this case). Given the timing, it might be a good idea to schedule it for rebuild at some point in the future post holiday season, if for nothing else to ensure it is in a known good state and has no legacy issues. Al On 12/28/05, Freddy HARTONO [EMAIL PROTECTED] wrote: Hi Al, yup this is a GC. Frankly I'm not sure what has been done to this DC as I just started to take over the DC yesterday. One of the things that was done most probably was to standardize antivirus to SAV 9, that's pretty much it. Seems like after another reboot this error doesn't appear yet (only 1 event in the log). Should this be a major alarm, is it recommended to demote and re-promote? (I hate to do this at holiday season :) Thanks Al! Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Al Mulnick Sent: Wednesday, December 28, 2005 10:08 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Event 2069 - AD Quota tracking table? Freddy, is this also a global catalog server? It is a concern as this should not be something you see on normal servers. Also, can you describe what changed in the environment recently and what else is running on that server? Al On 12/28/05, Freddy HARTONO [EMAIL PROTECTED] wrote: Hi all, found an interesting event, haven't been able to find any additional info on this yet, but from the look of it it's only happening on this domain controller and it seems to be responding well. Is this much of a concern?
Event Type: Error Event Source: NTDS General Event Category: (9) Event ID: 2069 Date: 12/28/2005 Time: 12:58:28 PM User: NT AUTHORITY\ANONYMOUS LOGON Computer: SELSOS01 Description: Active Directory detected corrupt counts in the quota-tracking table. Quota enforcement may not behave correctly until the quota-tracking table is rebuilt. Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
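An added example, not from the thread: Steve's answer makes event 2069 a quota-enforcement problem (object-creation quotas stop being reliable) and names 2065 as the signal that the rebuild worked. The check below pulls both events from every DC's Directory Service log so the "monitor for that event" step can be done from one place, and flags a DC whose latest 2069 is not followed by a 2065. DC discovery uses the ActiveDirectory module; the 30-day window is an assumption.

```powershell
# Added example (not from the original thread). Finds DCs that logged
# NTDS event 2069 (corrupt quota-tracking counts) without a later 2065
# (table rebuilt). Window length is an assumption.
Import-Module ActiveDirectory

function Get-QuotaTableEvents {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($dcObj in Get-ADDomainController -Filter *) {
        $dc = $dcObj.HostName
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Directory Service'; Id = 2069, 2065; StartTime = $since
        }
        $last2069 = $events | Where-Object Id -eq 2069 | Sort-Object TimeCreated -Descending | Select-Object -First 1
        $last2065 = $events | Where-Object Id -eq 2065 | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            DC           = $dc
            IsGC         = $dcObj.IsGlobalCatalog
            Last2069     = $last2069.TimeCreated
            Last2065     = $last2065.TimeCreated
            # A 2069 with no 2065 after it means the table is still suspect.
            NeedsRebuild = [bool]($last2069 -and (-not $last2065 -or $last2065.TimeCreated -lt $last2069.TimeCreated))
        }
    }
}

$report = Get-QuotaTableEvents
$report | Format-Table -AutoSize
$report | Where-Object NeedsRebuild | ForEach-Object {
    Write-Warning "$($_.DC): event 2069 on $($_.Last2069) with no later 2065; schedule the DSRM rebuild"
}
```

Whether the event matters at all depends on whether quotas are configured, so it is worth reading the domain's quota container (`CN=NTDS Quotas,<domain DN>`) alongside this report: with no quota specifications defined, Steve's "benign" case applies.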
[ActiveDir] Event 2069 - AD Quota tracking table?
Title: Event 2069 - AD Quota tracking table? Hi all, found an interesting event, haven't been able to find any additional info on this yet, but from the look of it it's only happening on this domain controller and it seems to be responding well. Is this much of a concern? Event Type: Error Event Source: NTDS General Event Category: (9) Event ID: 2069 Date: 12/28/2005 Time: 12:58:28 PM User: NT AUTHORITY\ANONYMOUS LOGON Computer: SELSOS01 Description: Active Directory detected corrupt counts in the quota-tracking table. Quota enforcement may not behave correctly until the quota-tracking table is rebuilt. Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
RE: [ActiveDir] Event 2069 - AD Quota tracking table?
Hi Al, yup this is a GC. Frankly I'm not sure what has been done to this DC as I just started to take over the DC yesterday. One of the things that was done most probably was to standardize antivirus to SAV 9, that's pretty much it. Seems like after another reboot this error doesn't appear yet (only 1 event in the log). Should this be a major alarm, is it recommended to demote and re-promote? (I hate to do this at holiday season :) Thanks Al! Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Wednesday, December 28, 2005 10:08 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Event 2069 - AD Quota tracking table? Freddy, is this also a global catalog server? It is a concern as this should not be something you see on normal servers. Also, can you describe what changed in the environment recently and what else is running on that server? Al On 12/28/05, Freddy HARTONO [EMAIL PROTECTED] wrote: Hi all, found an interesting event, haven't been able to find any additional info on this yet, but from the look of it it's only happening on this domain controller and it seems to be responding well. Is this much of a concern? Event Type: Error Event Source: NTDS General Event Category: (9) Event ID: 2069 Date: 12/28/2005 Time: 12:58:28 PM User: NT AUTHORITY\ANONYMOUS LOGON Computer: SELSOS01 Description: Active Directory detected corrupt counts in the quota-tracking table. Quota enforcement may not behave correctly until the quota-tracking table is rebuilt. Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785
RE: [ActiveDir] ID Locket Out when Accessing DC
Could be due to a difference in NTLM or NTLMv2 policy. Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric Sent: Wednesday, December 28, 2005 8:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ID Locket Out when Accessing DC With my consulting hat on, I have the following questions: Do you only have problems with this one user account? What is your account lockout policy set to? What are the Domain and Forest functional levels? Are you having any replication problems with the DC you are connecting to? Is the machine you are using to connect to the DC joined to the domain? Have you reviewed the security logs on the DC after this has happened? Have you performed a network trace to understand what transactions are taking place between the client system and the DC? Answers to these will help in diagnosing your issue. Regards, Aric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra Sent: Tuesday, December 27, 2005 3:53 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] ID Locket Out when Accessing DC I have a situation where I am using my enterprise admin ID to access my DC through a UNC path. But every time I try to do so this enterprise admin ID gets locked out. What could be the possible reason for this? I have a Win2k3 environment.
-- RD
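An added example, not from the thread: Aric's checklist (lockout policy, the security log on the DC, which client is involved) can be worked through in one query because every lockout is forwarded to the PDC emulator, and the lockout event there records the calling computer name. The function below reads policy, the account's current state as seen by the PDC, and the lockout events for that account; the account name and time window are placeholders. Event 4740 is the Windows Server 2008 and later ID; on the 2003 DCs in the thread the equivalent is event 644 in the classic Security log.

```powershell
# Added example (not from the original thread). Finds where an account's
# lockouts are coming from by reading the PDC emulator's Security log.
# Account name and window are assumptions.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Hours = 24)
    $pdc    = (Get-ADDomain).PDCEmulator
    $policy = Get-ADDefaultDomainPasswordPolicy
    # Ask the PDC directly: it sees every bad password, other DCs only their own.
    $user = Get-ADUser -Identity $SamAccountName -Server $pdc `
        -Properties LockedOut, badPwdCount, LastBadPasswordAttempt

    # 4740 = "A user account was locked out". Properties[0] is the target
    # account, Properties[1] the caller computer name (the client that sent
    # the failing credentials), which is the machine to look at next.
    $lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } | Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; CallerComputer = $_.Properties[1].Value } }

    [pscustomobject]@{
        Account            = $SamAccountName
        LockedOut          = $user.LockedOut
        BadPwdCount        = $user.badPwdCount
        LastBadPassword    = $user.LastBadPasswordAttempt
        LockoutThreshold   = $policy.LockoutThreshold
        ObservationWindow  = $policy.LockoutObservationWindow
        Lockouts           = $lockouts
    }
}

$r = Get-LockoutSource -SamAccountName 'entadmin'      # assumed account
$r | Format-List
$r.Lockouts | Group-Object CallerComputer | Sort-Object Count -Descending | Format-Table Count, Name
```

A UNC connection that locks the account on every attempt, as in the original question, usually means a cached credential on the client (mapped drive, scheduled task, saved credential) is being replayed with an old password, and the CallerComputer column is what identifies that client. A privileged account being locked out repeatedly is also exactly the pattern a password-spraying attempt produces, so the caller should be checked rather than the account simply unlocked.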
RE: [ActiveDir] last dhcp question
Is this a 2000 DHCP server or 2003? In 2000 Server you can use dhcpexim (GUI, not sure if you can script it); in 2003 you can use "netsh dhcp server export filename.txt all". Links: http://support.microsoft.com/default.aspx?scid=kb;en-us;325473 Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Tuesday, December 20, 2005 4:01 AM To: activedirectory Subject: [ActiveDir] last dhcp question Is there a way to back up the DHCP db from the command line while the DHCP service is running? I know ntbackup can't do it as the db is locked when in use. Also, I know DHCP makes a backup of the mdb and trans logs and other files every 60 mins to the backup folder, but is there a way via the command line to get the most up to date backup without stopping the service? Thanks guys
RE: [ActiveDir] Active Dir web based management
Still prefer the look of Quest AR compared to the dotnetfactory one, but thanks for the link! Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Sunday, December 18, 2005 2:26 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Dir web based management Hey now, careful... Jason, depending upon what you're after, you might want to check out these guys for a simple web-based AD management product: www.thedotnetfactory.com. No idea on relative cost however. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO Sent: Saturday, December 17, 2005 9:07 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Dir web based management I think usually the word cheap doesn't tie along with Quest tools :) Pretty much what Jason was trying to say perhaps..right? Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, December 17, 2005 9:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Dir web based management You probably should define your definition of relatively cheap. To some of the folks on this list, $100,000-$500,000 would be considered relatively cheap. I expect your definition may vary. If you mean in the $1000 or less range I would have to say I can't think of anything, but possibly there are some open source projects available you could glom onto.
Building a web system specific to a single company tends to be considerably easier than building a generic product that would work well for anyone trying to use it to capture any possible eventuality/configuration/work stream. That extra work is usually why people start charging coin for something. Possibly though, you should look at the official commercial products; there might be more there that you need that you aren't thinking about at the moment. Usually anytime someone mentions a need for something in this area I say build it yourself or look at something like ActiveRoles Server from Quest. That has wrapped in the capability of the former Enterprise Directory Manager tool. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Yaremchuk Sent: Friday, December 16, 2005 5:28 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Active Dir web based management I am currently looking at creating a web page that allows onsite tech admins to create and alter user/group info in Active Directory. I want to have delegated control of an OU but I am looking at a web form so I can apply some sort of input masks to ensure data consistency when new users are added. Our onsite techs have little knowledge of Active Directory so I want to have a lot of control over how and what they can enter. Before I start developing all this I was wondering if anyone has seen free or relatively cheap products already on the market. Any ideas or comments appreciated.
Thanks, Jason
RE: [ActiveDir] Active Dir web based management
I think usually the word cheap doesn't tie along with Quest tools :) Pretty much what Jason was trying to say perhaps..right? Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, December 17, 2005 9:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Dir web based management You probably should define your definition of relatively cheap. To some of the folks on this list, $100,000-$500,000 would be considered relatively cheap. I expect your definition may vary. If you mean in the $1000 or less range I would have to say I can't think of anything, but possibly there are some open source projects available you could glom onto. Building a web system specific to a single company tends to be considerably easier than building a generic product that would work well for anyone trying to use it to capture any possible eventuality/configuration/work stream. That extra work is usually why people start charging coin for something. Possibly though, you should look at the official commercial products; there might be more there that you need that you aren't thinking about at the moment. Usually anytime someone mentions a need for something in this area I say build it yourself or look at something like ActiveRoles Server from Quest. That has wrapped in the capability of the former Enterprise Directory Manager tool. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Yaremchuk Sent: Friday, December 16, 2005 5:28 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Active Dir web based management I am currently looking at creating a web page that allows onsite tech admins to create and alter user/group info in Active Directory.
I want to have delegated control of an OU but I am looking at a web form so I can apply some sort of input masks to ensure data consistency when new users are added. Our onsite techs have little knowledge of Active directory so I want to have a lot of control on how and what they can enter. Before I start developing all this I was wondering if anyone has seen free or relatively cheap products already on the market. Any ideas or comments appreciated.

Thanks,
Jason

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Failed DC
Can I also have the info pls :)

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, December 17, 2005 4:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Failed DC

you could still use another workaround method to boot the server into normal mode without starting AD and then remove AD. But since it's no longer the preferred method and PSS stopped handing out the information on how to achieve this (now that you have support to forcedemote a DC ... when it's running), I'll send you the infos offline.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Friday, 16 December 2005 09:47
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Failed DC

Had a problem with a DC (2K3; SP1) earlier this week which wouldn't boot - came up with an error message about AD being unable to start and suggesting restart in directory services restore mode. This DC doesn't desperately matter; it holds no FSMO roles; there's no data on it so I can live without it for a while so I've been trying to fix it and failing miserably! My initial idea was to just run dcpromo to remove AD and then put it back cleanly but I can't do this in DS restore mode - I get an error that I'm running in safe mode and can't use DCPromo. I found a KB article about using ntdsutil and esentutl to perform a lossy repair of the database; I disconnected the server from the main network (didn't want any losses propagating!) and tried repairing but this also failed to give me a working server. I tried doing a repair install - I hoped that that would take me back to a server without AD but it doesn't - it leaves AD installed and not functioning.
I've now used ntdsutil on a working DC to remove all traces of this (so that I don't get error messages about replication with a dead server). I can just format the disc and start again but I'm in a stubborn mood :-) Is there any way I can remove AD from a server like this? (one last thing - I don't have a good system state backup for this machine otherwise I'd have used that...)

Steve

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] [Way OT] DNS MX load balancing questions...
Ah another one of those I wish I had F5 or foundry..nope sadly no have to rely on the fake load balancing of MX in my case... :)

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Tuesday, December 13, 2005 3:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Way OT] DNS MX load balancing questions...

Are both (all) of your mailservers at the same location? If so, you can do a better job of load balancing or failover using a router. Cisco IOS lets you fine-tune it pretty well.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, December 11, 2005 9:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Way OT] DNS MX load balancing questions...

In the first scenario, all 3 servers CAN be used at any time. In the second scenario, mail3 will be used ONLY if mail1 and mail2 stop responding. Scenario 1 balances the load (not evenly, mind you) across the 3 servers. Keep in mind that the balancing act only means that IF 3 external servers ask for your MX, they will see that all 3 are of equal weight and MAY choose any one of the 3 to send to. In an ideal world, externalserver1 will choose mail1, externalserver2 will choose mail2 and externalserver3 will choose mail3 and the load will be truly balanced. Well, we are not there yet. In reality, nothing stops all 3 external servers from sending to mail1 or mail2 all at the same time. Also, bear in mind that, although you have 3 equally-weighted MX, an external server will choose one of the 3 and continue to send to that chosen one until that one stops responding. The fact that you have 3 equally-weighted servers does not mean that the external server will use each of them equally or sequentially.
Wrt the issue I mention, it is NOT an Exchange problem per se. It is an MS SMTP issue. Here's a reference: http://support.microsoft.com/default.aspx?scid=kb;en-us;837993. Can't find a more detailed discussion of it at this time.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Freddy HARTONO
Sent: Sat 12/10/2005 5:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Way OT] DNS MX load balancing questions...

Hi Deji

Thanks for the replies. That means it makes no sense to invest in having 1 backup MX of lower priorities? So basically what I need is as below?

Mydomain MX 10 mail1.mydomain.com
MX 10 mail2.mydomain.com
MX 10 mail3.mydomain.com

Instead of

Mydomain MX 10 mail1.mydomain.com
MX 10 mail2.mydomain.com
MX 100 mail3.mydomain.com?

Since with all 3 of the same priorities, if any of the mail is down (mail2) for example, it will retry to mail1 and mail3 automatically according to RFC? Do you happen to have the KB of the exchange issue mentioned below, just wanted to read up on that bug somehow :) Basically we're trying to purchase spam/virus gateways in front of exchange, and I had the idea that it needs to be 3 appliances (2 for load balancing, 1 for backup).

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, December 11, 2005 12:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Way OT] DNS MX load balancing questions...
RFC 2821 requires a mail server to choose MX records randomly when the records are the same priority, but to try all if the initial one chosen doesn't work (until it finds one that does work or the pool is exhausted).

Correct. There was, however, an issue early this year (or was it late last year?) where 2K3 SMTP servers were failing to fail over to the next available SMTP servers on the list they receive from a target DNS server. I think this was corrected with a hotfix, but the issue will still exist in a gold, un-hotfixed version.

The above means it will try MX of other priorities right (not the other of the same priorities correct?) - sorry just not having a clear word by word answer in the RFC document itself.

It will continue to use the highest one, until that one stops responding. As long as the highest-prioritized one continues to accept emails, the originating server will have no need to try another one.

HTH

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP
RE: [ActiveDir] [Way OT] DNS MX load balancing questions...
Hi Michael

Thanks for the quick reply.

RFC 2821 requires a mail server to choose MX records randomly when the records are the same priority, but to try all if the initial one chosen doesn't work (until it finds one that does work or the pool is exhausted).

The above means it will try MX of other priorities right (not the other of the same priorities correct?) - sorry just not having a clear word by word answer in the RFC document itself. One of my vendors is giving me a whitepaper from barracuda appliance that explains how it's done, but mentioned that with MX listing below it will provide load balancing AND redundancy (crap to me but now I'm getting confused myself) http://www.barracudanetworks.com/ns/downloads/Barracuda_WP_MX_Load_Balancing.pdf

Is it recommended that the TTL for the domain be set to 0 when using this MX load balancing method?

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, December 09, 2005 8:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Way OT] DNS MX load balancing questions...

You should have two separate MX records

@ IN MX 10 mail1.mydomain.com.
@ IN MX 10 mail2.mydomain.com.
Mail1 IN A 10.1.1.1
Mail2 IN A 10.2.2.2

RFC 2821 requires a mail server to choose MX records randomly when the records are the same priority, but to try all if the initial one chosen doesn't work (until it finds one that does work or the pool is exhausted). Your proposal below has the problem you describe.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Friday, December 09, 2005 7:43 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] [Way OT] DNS MX load balancing questions...

Hi All

Was just trying to understand something and am getting conflicting results..
If I set the following (or 2 MX of the same priority with 2 different A records)

Mydomain.com MX 10 mail.mydomain.com
Mail.mydomain.com A 10.1.1.1
Mail.mydomain.com A 10.2.2.2

I understand that will provide DNS round robin but what happens if I shut down 10.2.2.2, will I lose (logically) 50% of my mail as I do not have another fallback MX?? My understanding is that it does so as the sender mail server will cache the MX record and A record and will only send to there, am I right or am I getting this wrong? If I'm shutting down 10.2.2.2, will the sender mail server retry to 10.1.1.1? (let's assume there's no TTL reconfig to zero)

Thanks lots

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
RE: [ActiveDir] [Way OT] DNS MX load balancing questions...
Hi Deji

Thanks for the replies. That means it makes no sense to invest in having 1 backup MX of lower priorities? So basically what I need is as below?

Mydomain MX 10 mail1.mydomain.com
MX 10 mail2.mydomain.com
MX 10 mail3.mydomain.com

Instead of

Mydomain MX 10 mail1.mydomain.com
MX 10 mail2.mydomain.com
MX 100 mail3.mydomain.com?

Since with all 3 of the same priorities, if any of the mail is down (mail2) for example, it will retry to mail1 and mail3 automatically according to RFC? Do you happen to have the KB of the exchange issue mentioned below, just wanted to read up on that bug somehow :) Basically we're trying to purchase spam/virus gateways in front of exchange, and I had the idea that it needs to be 3 appliances (2 for load balancing, 1 for backup).

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, December 11, 2005 12:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Way OT] DNS MX load balancing questions...

RFC 2821 requires a mail server to choose MX records randomly when the records are the same priority, but to try all if the initial one chosen doesn't work (until it finds one that does work or the pool is exhausted).

Correct. There was, however, an issue early this year (or was it late last year?) where 2K3 SMTP servers were failing to fail over to the next available SMTP servers on the list they receive from a target DNS server. I think this was corrected with a hotfix, but the issue will still exist in a gold, un-hotfixed version.

The above means it will try MX of other priorities right (not the other of the same priorities correct?) - sorry just not having a clear word by word answer in the RFC document itself.

It will continue to use the highest one, until that one stops responding.
As long as the highest-prioritized one continues to accept emails, the originating server will have no need to try another one.

HTH

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Freddy HARTONO
Sent: Sat 12/10/2005 7:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Way OT] DNS MX load balancing questions...

Hi Michael

Thanks for the quick reply.

RFC 2821 requires a mail server to choose MX records randomly when the records are the same priority, but to try all if the initial one chosen doesn't work (until it finds one that does work or the pool is exhausted).

The above means it will try MX of other priorities right (not the other of the same priorities correct?) - sorry just not having a clear word by word answer in the RFC document itself. One of my vendors is giving me a whitepaper from barracuda appliance that explains how it's done, but mentioned that with MX listing below it will provide load balancing AND redundancy (crap to me but now I'm getting confused myself) http://www.barracudanetworks.com/ns/downloads/Barracuda_WP_MX_Load_Balancing.pdf

Is it recommended that the TTL for the domain be set to 0 when using this MX load balancing method?

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, December 09, 2005 8:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Way OT] DNS MX load balancing questions...

You should have two separate MX records

@ IN MX 10 mail1.mydomain.com.
@ IN MX 10 mail2.mydomain.com.
Mail1 IN A 10.1.1.1
Mail2 IN A 10.2.2.2

RFC 2821 requires a mail server to choose MX records randomly when the records are the same priority, but to try all if the initial one chosen doesn't work (until it finds one that does work or the pool is exhausted). Your proposal below has the problem you describe.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Friday, December 09, 2005 7:43 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] [Way OT] DNS MX load balancing questions...

Hi All

Was just trying to understand something and am getting conflicting results.. If I set the following (or 2 MX of the same priority with 2 different A records)

Mydomain.com
[ActiveDir] [Way OT] DNS MX load balancing questions...
Hi All

Was just trying to understand something and am getting conflicting results.. If I set the following (or 2 MX of the same priority with 2 different A records)

Mydomain.com MX 10 mail.mydomain.com
Mail.mydomain.com A 10.1.1.1
Mail.mydomain.com A 10.2.2.2

I understand that will provide DNS round robin but what happens if I shut down 10.2.2.2, will I lose (logically) 50% of my mail as I do not have another fallback MX?? My understanding is that it does so as the sender mail server will cache the MX record and A record and will only send to there, am I right or am I getting this wrong? If I'm shutting down 10.2.2.2, will the sender mail server retry to 10.1.1.1? (let's assume there's no TTL reconfig to zero)

Thanks lots

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
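The RFC 2821 selection rules that the whole MX thread turns on, worked through as a small Python simulator. This is an added example, not code from any of the posts; the three zone layouts mirror the ones discussed (three equal-preference MX records, two plus a preference-100 backup, and the original single MX name with two A records), while the 10.x addresses, outage sets and the 1000-sender tally are constructed for the demonstration.

```python
"""RFC 2821 MX selection, modelled for the three record layouts in the thread.
Added example, not code from the list posts. Hosts, addresses and which
hosts are down are constructed inputs."""
import random
from collections import Counter, namedtuple

MX = namedtuple("MX", "preference host")

# Layout 1: three MX records of equal preference (load sharing + redundancy).
SAME_PRIORITY = [MX(10, "mail1.mydomain.com"),
                 MX(10, "mail2.mydomain.com"),
                 MX(10, "mail3.mydomain.com")]
# Layout 2: two equal-preference records plus a lower-priority backup.
BACKUP_MX = [MX(10, "mail1.mydomain.com"),
             MX(10, "mail2.mydomain.com"),
             MX(100, "mail3.mydomain.com")]
# Layout 3 (the original question): one MX host with two A records.
SINGLE_MX = [MX(10, "mail.mydomain.com")]

# Constructed A records (private addresses, as in the thread).
A_RECORDS = {
    "mail1.mydomain.com": ["10.1.1.1"],
    "mail2.mydomain.com": ["10.2.2.2"],
    "mail3.mydomain.com": ["10.3.3.3"],
    "mail.mydomain.com": ["10.1.1.1", "10.2.2.2"],
}


def candidate_addresses(mx_records, a_records, rng=random):
    """Expand MX records into the ordered address list an RFC 2821 client
    works through: ascending preference value, random order among records
    of equal preference, and every A record of each host (section 5 requires
    the client to be able to try each address in the resulting list)."""
    ordered = []
    for pref in sorted({r.preference for r in mx_records}):
        group = [r.host for r in mx_records if r.preference == pref]
        rng.shuffle(group)
        for host in group:
            addrs = list(a_records.get(host, []))
            rng.shuffle(addrs)  # round-robin DNS also varies the A order
            ordered.extend((host, addr) for addr in addrs)
    return ordered


def deliver(mx_records, a_records, down, rng=random):
    """Simulate one sending MTA. `down` is the set of addresses that refuse
    connections. Returns (address that accepted, addresses tried in order);
    the address is None only if the whole pool was exhausted."""
    tried = []
    for _host, addr in candidate_addresses(mx_records, a_records, rng):
        tried.append(addr)
        if addr not in down:
            return addr, tried
    return None, tried


def simulate(mx_records, a_records, down, senders=1000, seed=1):
    """Count where mail from many independent senders ends up. A fixed seed
    keeps the run reproducible; the spread is random, not evenly balanced."""
    rng = random.Random(seed)
    tally = Counter()
    for _ in range(senders):
        accepted, _tried = deliver(mx_records, a_records, down, rng)
        tally[accepted] += 1
    return tally


if __name__ == "__main__":
    print("equal priority, all up:  ", simulate(SAME_PRIORITY, A_RECORDS, set()))
    print("with backup MX, all up:  ", simulate(BACKUP_MX, A_RECORDS, set()))
    print("backup MX, mail1+2 down: ",
          simulate(BACKUP_MX, A_RECORDS, {"10.1.1.1", "10.2.2.2"}))
    print("single MX, 10.2.2.2 down:", simulate(SINGLE_MX, A_RECORDS, {"10.2.2.2"}))
```

The run shows the preference-100 host receiving nothing while either preference-10 host answers, the equal-preference hosts sharing load unevenly, and no mail lost in the single-MX case because a compliant sender moves on to the other A record; the un-hotfixed Windows 2003 SMTP failover issue mentioned in the thread is deliberately not modelled.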
RE: [ActiveDir] Getting computer name from a username
Hi Mike

Interested in your method as well, appreciate if you have something on this :)

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike O'Sullivan
Sent: Friday, December 02, 2005 9:22 PM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting computer name from a username

Since we don't use the webpage in the user account properties, we have a startup script that puts the username into the webpage properties. Wherever the user has logged in from, it will enter the computer name in the webpage box. It changes with each login. Let me know if you/anyone else is interested

Mike O'Sullivan
IT Expert
College of Veterinary Medicine
352.392.4700x4343
[EMAIL PROTECTED]

12/1/2005 4:49:39 AM

Hi,

Is there a way you can tell which computer a user has logged onto just from his username?

--
Shane De Jager
Technical Developer
INTERGAGE
High-performance, updateable Web sites
Switchboard +44 (0)845 456 1022
== www.intergage.co.uk
[EMAIL PROTECTED]

Are you aware of our referral scheme? Learn how you could profit personally from passing us leads. Click here to pass a referral: www.intergage.co.uk/referrals

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Getting computer name from a username
reg query "\\pcname\HKLM\software\microsoft\windows nt\currentversion\winlogon" /v defaultusername
reg query "\\pcname\HKLM\software\microsoft\windows nt\currentversion\winlogon" /v altdefaultusername

Provided the lastloggedon key is not removed by gpo

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shane De Jager
Sent: Thursday, December 01, 2005 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Getting computer name from a username

Hi,

Is there a way you can tell which computer a user has logged onto just from his username?

--
Shane De Jager
Technical Developer
INTERGAGE
High-performance, updateable Web sites
Switchboard +44 (0)845 456 1022
== www.intergage.co.uk
[EMAIL PROTECTED]

Are you aware of our referral scheme? Learn how you could profit personally from passing us leads. Click here to pass a referral: www.intergage.co.uk/referrals

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GC list
To find all DCs in forest: dsquery server -forest -o rdn

that wouldn't work if you have biztalk msmq services (sadly I do)... so it's faster via netdom if it's all DCs within the domain only

netdom query dc

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Wednesday, November 30, 2005 9:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GC list

Since no one has mentioned, I will put extra one...I am a fan of DS* commands...so

To find all DCs in forest: dsquery server -forest -o rdn
To find all GC in forest: dsquery server -forest -isgc -o rdn

--
Kamlesh

On 11/30/05, Tomasz Onyszko [EMAIL PROTECTED] wrote:

Harding, Devon wrote:

What's the easiest way to get a list of ALL my DC's and GC's in my forest along with IP address?

Quickest way will be to use nslookup:

nslookup -q=SRV _ldap._tcp.dc._msdcs.domain - for DCs
nslookup -q=SRV _ldap._tcp.gc._msdcs.domain - for GCs

--
Tomasz Onyszko
http://www.w2k.pl

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

--
~~~"Fortune and Love befriend the bold"~~~
RE: re[2]: [ActiveDir] Getting computer name from a username
Hi Shane

Ah you are looking the other way round, sorry not aware of anything is stored in the ad on this info. You could though on a stupid workaround method, create a simple batch file - attach it to all users via gpo logonscript - things like below

@echo off
Echo [%date% %time%]: [EMAIL PROTECTED] logged on >> \\yourdomain.com\netlogon\pclist.txt

Run it in a week and you have that list of users..again this isn't something fun to be done..

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shane De Jager
Sent: Thursday, December 01, 2005 12:08 PM
To: ActiveDir@mail.activedir.org
Subject: re[2]: [ActiveDir] Getting computer name from a username

nt\currentversion\winlogon /v defaultusername

That's not exactly what I was looking for. I have no idea what the computer name the user has logged onto. Can you get this from his username?

--
Shane De Jager
Technical Developer
INTERGAGE
High-performance, updateable Web sites
Switchboard +44 (0)845 456 1022
== www.intergage.co.uk
[EMAIL PROTECTED]

Are you aware of our referral scheme? Learn how you could profit personally from passing us leads. Click here to pass a referral: www.intergage.co.uk/referrals

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
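A parser for the pclist.txt file that the logon-script workaround above would build up over a week, answering the question the thread asks: which computer did a given user last log on from. Added example, not code from the post; because the archive masked the echoed token, the line layout is assumed to be "[date time]: user@computer logged on", and the sample lines, user names and computer names are constructed.

```python
"""Parse the append-only logon log that the batch logon script would produce
and look up a user's most recent computer. Added example, not code from the
post. Line layout assumed: [%date% %time%]: user@computer logged on"""
import re
from collections import defaultdict

# One entry per line; %date% is locale dependent, so the stamp is kept as an
# opaque string rather than parsed.
LINE_RE = re.compile(
    r"^\[(?P<stamp>[^\]]+)\]:\s+(?P<user>[^@\s]+)@(?P<host>[^\s]+)\s+logged on\s*$"
)

# Constructed sample of what several clients might append over a few days;
# the fourth line stands in for two clients writing at the same moment.
SAMPLE_LOG = """\
[Thu 12/01/2005 08:02:11.32]: sdejager@WS-042 logged on
[Thu 12/01/2005 08:05:47.10]: jsmith@WS-017 logged on
[Thu 12/01/2005 13:40:02.90]: SDeJager@LAPTOP-09 logged on
this line was corrupted by two clients writing at once
[Fri 12/02/2005 09:11:30.05]: jsmith@WS-017 logged on
[Fri 12/02/2005 09:12:01.77]: jsmith@WS-021 logged on
"""


def parse_logon_log(text):
    """Return ({user: [(stamp, host), ...] in file order}, malformed_count).
    Windows user and computer names are case-insensitive, so both are folded
    to lower case; ordering relies on append order, not on the timestamp."""
    sessions = defaultdict(list)
    malformed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            malformed += 1  # count, but never trust, lines that don't parse
            continue
        sessions[m["user"].lower()].append((m["stamp"], m["host"].lower()))
    return dict(sessions), malformed


def last_logon(sessions, user):
    """Most recent (stamp, host) for a user, or None if never seen."""
    entries = sessions.get(user.lower())
    return entries[-1] if entries else None


def computers_used(sessions, user):
    """Every computer a user has logged on to, in first-seen order."""
    seen = []
    for _stamp, host in sessions.get(user.lower(), []):
        if host not in seen:
            seen.append(host)
    return seen


if __name__ == "__main__":
    sessions, bad = parse_logon_log(SAMPLE_LOG)
    print("unparseable lines:", bad)
    for user in sessions:
        print(user, "last seen on", last_logon(sessions, user)[1],
              "all:", computers_used(sessions, user))
```

A file that every logging-on user can append to can also be appended to by hand, so treat the result as a convenience lookup rather than an audit record.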
RE: [ActiveDir] Exchange now supported on virtual hardware
What about virtualizing DCs - say ESX farm with DCs - what's the downside and things to watch out for? Basically I've taken over support of DC for a company, but hardware specs are in a mess - dell,compaqs,hp,ibm and now seems like some of them are even on ESX farm. Just like to know if I should get rid of these remote domain controllers and buy a real server or leave things as it is and kill myself with the different hardware bundles altogether :)

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
Sent: Monday, October 31, 2005 11:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange now supported on virtual hardware

Oh I agree...I'd be the first person to say that my position was a negative view of virtualization based on historical experiences. The problem really comes down to comfort in dealing with the technology and whether it's supported or not. I think it's obvious that I work for a company that is quite comfortable with the technology, but I personally (as things are now) am not comfortable in using virtualized hosts for database servers. For expendable services like FE servers or bridgehead servers...now that it is proven to work quite well after some tweaking I am more than willing to put them in that spot. I am not, however, ready to commit to putting any one of my 650gb clustered mail servers on a virtualized host just yet. It's based less on a technological reason and more on comfort reasons. Would it work with the current state of virtualization technology? Probably, but I am not ready to make that leap yet. Sometimes what we have to go off is our experience until something motivates us to look at it again.
When I looked at virtualizing my bridgehead servers at first it did not work well at all and I personally got VERY frustrated with it and was calling it a failure (which is what I expected due to past experience). But I was convinced by the folks who manage our VMWare stuff that they could get it to work and so we looked at it further and did some tweaks and now it's working just right. I would not say that it's a no-no by default, but I have to understand the technology, be comfortable with it if I am going to put my many terabytes of mail stores on it, and it HAS to be supported. When we put our BR and FE servers on VM it was still a grey area when it came to support and I suspect officially it still may be, but we have not had any problems so far when it comes to support. If we had a support case and Microsoft would state that they could not help because it's a VM...if it's a bridgehead or FE server we can just turn it off or remove it with no harm done and then troubleshoot the problem (part of what makes these easy to virtualize is that they are expendable). This is not the same situation with a clustered mail store server. I think this is my main stumbling block with even considering a virtualized mail host the more I think of it. I am not comfortable, as things are today, with the level of support being offered for this type of setup.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, October 30, 2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange now supported on virtual hardware

Perhaps some day I'll have time to run JetStress on a clustered Exchange server on ESX attached to a SAN to see how it performs.

Which is a good thing to do before concluding that virtualizing exchange is a no-no. I'm jetstressing, and doing the old, trusted loadsim (albeit without access to a SAN) and I can't see a diff in performance.
It's easy to base our conclusions on prior (bad) experiences and start telling people not to virtualize exc. But, until we can see any conclusive study of a performance lag, such advice is technically unsound and indefensible. Virtualization has evolved.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Presley, Steven
Sent: Sun 10/30/2005 8:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange now supported on virtual hardware

We are quite a large ESX shop (number of guest OS's are in the 1000's I believe) and while I fought it for quite some time we have ended up using ESX for our 5 front-end servers and our 3 bridgehead servers. Most ESX guest OS's don't require much tweaking, but Exchange certainly does (at least the bridgehead servers). Once we got the settings right
RE: [ActiveDir] OT: Technet movie (fun!) ;-)
haha, let me write a script to do multi-jab...:)

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED]
Sent: Friday, October 21, 2005 8:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Technet movie (fun!) ;-)
Importance: Low

For those interested

Goto: http://www.microsoft.com/netherlands/technet/itsshowtime/sessionh.aspx?videoid=
Sign in with your passport if needed
Click on the text "Bekijk de hele voorstelling" (top-right)
(MOVIE IS IN ENGLISH HOWEVER!)

New feature for vista / longhorn? ;-))

Met vriendelijke groet / Kind regards,
Jorge de Almeida Pinto
Infrastructure Consultant
LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (IDT)
Kennedyplein 248, 5611 ZT, Eindhoven
Postbus 7089, 5605 JB Eindhoven
Tel: +31-(0)40-29.57.777
Fax: +31-(0)40-29.57.709
Mobile: +31-(0)6-26.26.62.80
E-mail: [EMAIL PROTECTED]
http://www.logicacmg.com/ - Solutions that matter -

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] Veritas and DC backup
Hi Charlie

Thanks for that, yeah basically it works under DA/EA but that's an overkill as I only want to delegate basic stuff to site admins (yeah problem with distributed control :( Any suggestions...of course other than buying quest adrestore (wishlist)..otherwise I'll most probably backup to a remote disk and get veritas to backup that as a file (two step troublesome)...

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

-Original Message-
From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 18, 2005 9:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Veritas and DC backup

One of my peeves with BE; it requires domain admin rights to completely back up a DC. You can't get system state without it. http://seer.support.veritas.com/docs/243033.htm

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Tuesday, October 18, 2005 3:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Veritas and DC backup

Hi all,

Just a quick question, is anyone using Backupexec to backup domain controllers - remotely perhaps? Basically we have a distributed model here and we are trying to let the site admins manage the domain controllers (in terms of restarting the server) - yeah I know this is bad - and do backup but without the ability of Domain Admins. The only problem that we have is that we are unable to backup using Backup Operators rights via Veritas 9 - for some reason. And even if we come to that part - Backup Operators will have logon rights to all machines in the domain (on default)... which is bad. Any ideas please? Sort of bad as we do not have a 24/7 domain admins on rotates..

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] rebooting a patched, but stubborn DC
Patched another one of my production DCs yesterday via Windows Update instead of UpdateExpert and - same issues with the Dell server (strangely). Had to do shutdown /r /f via rcmd to get it back online. However the other domain controller with UpdateExpert is rebooting fine.. Will be doing mass patching soon, hopefully this isn't going to be recurring :(

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Monday, October 17, 2005 10:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] rebooting a patched, but stubborn DC

Hi Steven/Freddy/Douglas,

This time the server is a Compaq, running with an Intel(R) PRO/1000 XF Server Adapter, no DRAC-type cards, RAID controller is built in. Some Googling did bring up some hits regarding Exchange and I wonder what kind of communication breakdown happens between a GC that wants to shut down and an Exchange client (i.e., Outlook) that is currently using this GC for GAL information. Maybe our AD/Exchange experts can throw some light on this.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
Sent: Sunday, October 16, 2005 11:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] rebooting a patched, but stubborn DC

Well you are definitely not alone. Something like this just happened to me while patching my Exchange clusters (only happened to 1 out of 18, so it's pretty rare). After patching and telling the passive node to reboot it was completely inaccessible even after 15 minutes (normally it does not take this long to reboot). I could not ping or TS into the box. iLO was my life saver though. Connected with iLO and no hung services, nothing funny in the event log... just was not network accessible (even on the private network with its partner node). Had to reboot it via iLO (using the standard start\shutdown procedure.. no cold boot required) and it eventually went down and came back up happy. I hope there is not some gremlin in the recent round of patches that is going to stick its head out when the clock strikes midnight.

Best regards,
Steven

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Sunday, October 16, 2005 7:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] rebooting a patched, but stubborn DC

Hi Susan,

Thanks for the response. No UPS issues. Checked the services remotely and didn't find anything unusual. The DC did finally reboot on its own shortly after I sent out my first message - about 2 hours after the original patching and message saying it wanted to reboot and I clicked OK. The event logs showed nothing of any consequence, just a big (2 hour) gap in the system event log entries (between the entry saying it initiated shutdown and the entry saying the system was coming back up). The security log showed no gaps at all. Am I the only one that sees this kind of behavior on W2K3/SP1 servers? I normally don't use the /console switch when I TS in (e.g., mstsc.exe /console). I wonder if that could speed the process up.

Mike Thommes

From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sat 10/15/2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] rebooting a patched, but stubborn DC

APC UPS's and you don't have the latest ver on there? HP with a UPS? Can you get into services and see if something is 'stopping'? Got any ILO ability there [or suitable other remote techniques]?

Thommes, Michael M. wrote:
So I have remotely (TS connection) applied the latest Windows patches to one of my DCs. Patches went on fine. Said it needed to reboot. I clicked Restart. And two hours later, it still has not rebooted, but it did terminate the TS session. I have tried to kick it via a shutdown /f /r command from another DC. Still no luck. Issue same command remotely with the big Kahuna account, and it says a shutdown is in progress. It appears to still be serving up clients, e.g., no discernible ill effects. I have seen this periodically in the past with other servers. Anyone have any comments/thoughts on this irritating, weekend sigh activity? TIA!

Mike Thommes

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
RE: [ActiveDir] rebooting a patched, but stubborn DC
Hi Mike,

I had the same issue when patching this month's patch on my Dell test DC using 3rd party patch software (St. Bernard's UpdateExpert) - it just doesn't reboot! (one whole day) Upon going into Dell DRAC - it reboots without actually pressing anything... weird but true.. Do you happen to be on Dell?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]
Sent: Sunday, October 16, 2005 7:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] rebooting a patched, but stubborn DC

Hi Susan,

Thanks for the response. No UPS issues. Checked the services remotely and didn't find anything unusual. The DC did finally reboot on its own shortly after I sent out my first message - about 2 hours after the original patching and message saying it wanted to reboot and I clicked OK. The event logs showed nothing of any consequence, just a big (2 hour) gap in the system event log entries (between the entry saying it initiated shutdown and the entry saying the system was coming back up). The security log showed no gaps at all. Am I the only one that sees this kind of behavior on W2K3/SP1 servers? I normally don't use the /console switch when I TS in (e.g., mstsc.exe /console). I wonder if that could speed the process up.

Mike Thommes

From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sat 10/15/2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] rebooting a patched, but stubborn DC

APC UPS's and you don't have the latest ver on there? HP with a UPS? Can you get into services and see if something is 'stopping'? Got any ILO ability there [or suitable other remote techniques]?

Thommes, Michael M. wrote:
So I have remotely (TS connection) applied the latest Windows patches to one of my DCs. Patches went on fine. Said it needed to reboot. I clicked Restart. And two hours later, it still has not rebooted, but it did terminate the TS session. I have tried to kick it via a shutdown /f /r command from another DC. Still no luck. Issue same command remotely with the big Kahuna account, and it says a shutdown is in progress. It appears to still be serving up clients, e.g., no discernible ill effects. I have seen this periodically in the past with other servers. Anyone have any comments/thoughts on this irritating, weekend sigh activity? TIA!

Mike Thommes

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
RE: [ActiveDir] Knowing when users were deleted.
Hi Yann,

You can find at the deletedobject folder via adfind -showdel and see the Last modified date - that would be when the object is deleted. But as for who deleted - I don't think you can find it without the auditing.

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

From: Yann [mailto:[EMAIL PROTECTED]
Sent: Friday, October 14, 2005 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD other than using security audit, because at the time of the deletion, I forgot to activate the audit :( So my boss urges me to find the guilty user AND the time of deletion. I looked for attributes in ADSI and found that there is the whencreated, whenmodified attribute but not a whendeletedtimestamp one.

Any idea?
RE: [ActiveDir] Knowing when users were deleted.
*raises hand* SID of the last modifier would be just nice for me. Usually we just want to know which admin is the culprit without analyzing 30gig of DC security log (one day log)

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, October 14, 2005 11:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Correct, you can currently only get the when and the where (DC Where not Client Where). Which raises the question. How many people would like a metadata stamp with the GUID or SID of the userid that made the modification for a given attribute (or value if appropriate)? Or would it be ok to just have who made the last change to the object? Either way, none of the "administrators group" nonsense, it points to a specific security principal.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Friday, October 14, 2005 3:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Hi Yann,

You can find at the deletedobject folder via adfind -showdel and see the Last modified date - that would be when the object is deleted. But as for who deleted - I don't think you can find it without the auditing.

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

From: Yann [mailto:[EMAIL PROTECTED]
Sent: Friday, October 14, 2005 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD other than using security audit, because at the time of the deletion, I forgot to activate the audit :( So my boss urges me to find the guilty user AND the time of deletion. I looked for attributes in ADSI and found that there is the whencreated, whenmodified attribute but not a whendeletedtimestamp one.

Any idea?
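The "when and where" joe describes can be read from the tombstone's replication metadata rather than only from its last-modified time: the isDeleted attribute's originating change carries the timestamp and the NTDS Settings DN of the DC on which the deletion was written. The script below is an added example (not from the thread, and not adfind) that uses System.DirectoryServices.Protocols with the Show Deleted Objects control to find a deleted user and parse msDS-ReplAttributeMetaData for that entry. It assumes a Windows Server 2003 or later DC, that the caller may read the Deleted Objects container, and that dc01.example.com and jdoe are placeholders.

```powershell
# Added example, not from the thread. Reports when a deleted user was deleted and
# on which DC the deletion originated, from the isDeleted replication metadata.
# Assumptions: Windows Server 2003+ DC; caller can read Deleted Objects;
# $Dc and $SamAccountName are placeholders.
param(
    [string]$Dc             = 'dc01.example.com',   # placeholder DC to query
    [string]$SamAccountName = 'jdoe'                # placeholder deleted account
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# Each value of msDS-ReplAttributeMetaData is a small XML document; return the
# originating change for one attribute (default: isDeleted).
function Get-OriginatingChange {
    param([string[]]$MetaDataXml, [string]$Attr = 'isDeleted')
    foreach ($xmlText in $MetaDataXml) {
        $m = ([xml]$xmlText).DS_REPL_ATTR_META_DATA
        if ($m.pszAttributeName -eq $Attr) {
            # DSA DN looks like CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
            $server = (($m.pszLastOriginatingDsaDN -split ',')[1]) -replace '^CN=', ''
            return [pscustomobject]@{
                Attribute = $Attr
                Version   = [int]$m.dwVersion
                When      = [datetime]$m.ftimeLastOriginatingChange
                OriginDc  = $server
                OriginUsn = [long]$m.usnOriginatingChange
            }
        }
    }
}

# Safe attribute read: tombstones keep only a subset of attributes
function Get-AttrValue {
    param($Entry, [string]$Name)
    if ($Entry.Attributes.Contains($Name)) { $Entry.Attributes[$Name][0] } else { $null }
}

$conn = New-Object System.DirectoryServices.Protocols.LdapConnection $Dc
$conn.SessionOptions.Sealing = $true   # Kerberos sign/seal so the query is encrypted
$conn.Bind()

# Default naming context from RootDSE
$rootReq = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', @('defaultNamingContext'))
$baseDn  = $conn.SendRequest($rootReq).Entries[0].Attributes['defaultNamingContext'][0]

$search = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $baseDn,
    "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$SamAccountName))",
    'Subtree',
    @('whenChanged', 'lastKnownParent', 'msDS-ReplAttributeMetaData'))
# Tombstones are invisible unless the Show Deleted Objects control is attached
[void]$search.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl))

foreach ($entry in $conn.SendRequest($search).Entries) {
    $meta = $entry.Attributes['msDS-ReplAttributeMetaData'].GetValues([string])
    $del  = Get-OriginatingChange -MetaDataXml $meta -Attr 'isDeleted'
    [pscustomobject]@{
        DN              = $entry.DistinguishedName
        LastKnownParent = Get-AttrValue $entry 'lastKnownParent'
        WhenChanged     = Get-AttrValue $entry 'whenChanged'
        DeletedAt       = $del.When
        DeletedOnDc     = $del.OriginDc
    }
}
```

DeletedOnDc narrows the investigation to one DC's security log, which is the log worth pulling even when the 30 GB per-day volume rules out reading them all; who performed the deletion still requires the audit to have been enabled, as Freddy says.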
RE: [ActiveDir] Adding local admin rights to non english native o s?
Thanks for the replies guys

Joe, converting the administrator well-known SID to user seems like a great idea - but then involves copying the .exe into the local machines first and executing it? Haven't worked out how to do it without copying the SID converter program... if so would have to copy it from the netlogon? For some reason I've done like below but just ain't working out :( perhaps some variables like set L is not avail yet on startup?

    rem take the value of the LOGONSERVER variable (tokens=2 is the part after "=")
    for /F "tokens=2 delims==" %%i IN ('set l') do set gpodcname=%%i
    rem fetch sid2user.exe from NETLOGON if the machine does not have it yet
    if not exist %systemroot%\system32\sid2user.exe copy \\%gpodcname%\netlogon\sid2user.exe %systemroot%\system32\sid2user.exe
    rem resolve the well-known SID S-1-5-32-544 to the local (possibly localized) Administrators group name
    for /F "tokens=3" %%i IN ('sid2user 5 32 544 ^|qgrep Name') do set gpoadminvar=%%i
    rem add the OU admins group to that local group
    net localgroup %gpoadminvar% /add domain\OUAdmins

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

-Original Message-
From: Brian Desmond [mailto:[EMAIL PROTECTED]
Sent: Saturday, October 08, 2005 9:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

In 9 years of Spanish, I didn't learn Administrator in Spanish.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 07, 2005 9:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

Better make that Powerum Tripum Maximum or else Laura might get on you about only representing the masculine gender. :o)

I knew 3 years of Latin would eventually come in useful. ;o)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, October 07, 2005 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

Powerus Tripus Maximus ?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Friday, October 07, 2005 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

What is Administrators in Latin?

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!(tm)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

This is when your high school language classes come in handy. You will need to know what administrators translates to in the target language. For example, in German, it's administratoren, so your code will look like this:

    net localgroup administratoren blah blah blah

HTH

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Freddy HARTONO
Sent: Fri 10/7/2005 8:51 AM
To: 'activedir@mail.activedir.org'
Subject: [ActiveDir] Adding local admin rights to non english native os?

Hi all,

Usually net localgroup administrators xxx /add would work fine on computer startup GPO - but how about on non english native OSes? Would this work as well?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp
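The well-known-SID approach joe suggests can be done with the .NET security classes that ship with PowerShell, so nothing has to be copied from NETLOGON and nothing depends on LOGONSERVER being set when the startup script runs. The script below is an added example (not the poster's batch file and not a resource-kit tool) that resolves S-1-5-32-544 to whatever the local Administrators group is called on that OS language, then adds a domain group and checks existing membership by SID rather than by name. It assumes it runs as SYSTEM from a computer startup GPO, that a DC is reachable to translate the domain group's SID, and that DOMAIN\OUAdmins is a placeholder.

```powershell
# Added example, not the poster's script. Adds a domain group to the local
# Administrators group on any OS language by resolving the well-known SID
# S-1-5-32-544 locally instead of hard-coding the English name "administrators".
# Assumptions: runs as SYSTEM from a computer startup GPO; a DC is reachable;
# DOMAIN\OUAdmins is a placeholder for the group to add.
param(
    [string]$DomainGroup = 'DOMAIN\OUAdmins'   # placeholder, adjust per OU
)

# 1. Localized name of BUILTIN\Administrators (Administratoren, Administrateurs, ...)
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$adminName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# 2. SID of the domain group to add; membership is compared by SID, not by display name,
#    so a local account that happens to share the name cannot mask a missing grant
$domain, $account = $DomainGroup.Split('\')
$targetSid = (New-Object System.Security.Principal.NTAccount($domain, $account)).Translate(
                 [System.Security.Principal.SecurityIdentifier])

# 3. Current members of the local group as SIDs (WinNT provider gives objectSid as bytes)
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$adminName,group"
$memberSids = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $raw = [byte[]]$_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
}

# 4. Idempotent add, so the startup script can run on every boot without errors
if ($memberSids -contains $targetSid) {
    Write-Output "$DomainGroup is already a member of $adminName on $env:COMPUTERNAME"
} else {
    $group.Add("WinNT://$domain/$account,group")
    Write-Output "Added $DomainGroup to $adminName on $env:COMPUTERNAME"
}
```

Because the group is addressed by SID, the same script is correct on German, French or Spanish installations without knowing the translation, which is the point of the thread; the only name that is ever typed is the domain group's.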
RE: [ActiveDir] report on permissions of files and folder
cacls.exe?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

From: Senthil Kumar [mailto:[EMAIL PROTECTED]
Sent: Monday, October 10, 2005 6:24 PM
To: Active directory group
Subject: [ActiveDir] report on permissions of files and folder

Hi,

Basically I want to take a report on the permissions given to the users in the file and printer server. Does Windows 2000 Server have the inbuilt tools or does any third-party tool satisfy my requirement?

Regards,
Senthil
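As an added example of the kind of report Senthil asks for (not from the thread, and using Get-Acl rather than cacls.exe, so it needs PowerShell 3.0 or later rather than a stock Windows 2000 box): it walks a share, writes one CSV row per explicit ACE, and flags allow entries that give write access to Everyone, Authenticated Users or Users, which is what a reviewer of a file server usually wants to see first. D:\Shares\Finance and C:\Temp\acl-report.csv are placeholders.

```powershell
# Added example, not from the thread: permissions report for a file server tree
# with Get-Acl. One row per explicit (non-inherited) ACE; broad write grants flagged.
# Assumptions: PowerShell 3.0+ (for -Directory); the two paths are placeholders.
param(
    [string]$Root   = 'D:\Shares\Finance',        # placeholder
    [string]$Report = 'C:\Temp\acl-report.csv'    # placeholder
)

# Identities that should rarely hold write rights on user data
$broad     = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-ExplicitAces {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }   # inherited ACEs are reported where they are set
        $grantsWrite = (($ace.FileSystemRights -band $writeMask) -ne 0)
        $flag = ''
        if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and
            ($broad -contains $ace.IdentityReference.Value)) {
            $flag = 'BROAD-WRITE'
        }
        [pscustomobject]@{
            Path        = $Path
            Owner       = $acl.Owner
            Identity    = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.FileSystemRights
            Inheritance = $ace.InheritanceFlags
            Flag        = $flag
        }
    }
}

# Root first, then every subfolder; files inherit unless someone broke inheritance,
# and those explicit file ACEs would show up by adding -File to the enumeration.
$rows = @(Get-ExplicitAces -Path $Root)
Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { $rows += Get-ExplicitAces -Path $_.FullName }

$rows | Export-Csv -LiteralPath $Report -NoTypeInformation
$rows | Where-Object { $_.Flag } | Format-Table Path, Identity, Rights -AutoSize
```

Reporting only explicit ACEs keeps the output readable on a large tree; each row shows where a permission was actually granted, which is what a reviewer needs in order to decide whether it belongs there.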
[ActiveDir] Adding local admin rights to non english native os?
Hi all,

Usually net localgroup administrators xxx /add would work fine on computer startup GPO - but how about on non english native OSes? Would this work as well?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp
[ActiveDir] dcgpofix and default GPO
Hi all,

Seems like my Default Domain GPO has gone through tons of changes (historical reason). If I were to rename Default Domain GPO to say for example Modified Domain GPO and run dcgpofix - will it overwrite my renamed Modified Domain GPO or will it just recreate the Default Domain GPO?

Appreciate your replies in advance.

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp
[ActiveDir] Dcdiag errors help needed
Hi guys,

I'm having these strange errors - have tried troubleshooting the norm way but haven't managed to find a cure yet. DC=2003, domain=2003, forest=2000

    Starting test: MachineAccount
       * SHASOS01 is not a server trust account
       * SHASOS01 is not trusted for account delegation
       . SHASOS01 failed test MachineAccount
    Starting test: Services
       RPCLOCATOR Service is stopped on [SHASOS01]   --- why does it need to be started?
       TrkWks Service is stopped on [SHASOS01]       --- so does DLT Tracking?
       TrkSvr Service is stopped on [SHASOS01]       --- so does DLT Tracking?

user account control shows that it's a normal standard DC value

    userAccountControl: 532480 [DC(8192);TRUST_DELEG(524288)]

Also in this strange DC - I'm having an event logging on EventID 11 KDC errors (the usual duplicate servicePrincipalName issue). However searching high and low for the duplicate names via LDP.exe for serviceprincipalname=cifs/SHASOS01 returns one value only. So does serviceprincipalname=host/SHASOS01* - one value only. Setspn.exe -L SHASOS01 also does not list any cifs value. dcdiag /fix /fixcomputeraccount wasn't much of a help

    There are multiple accounts with name cifs/SHASOS01 of type DS_SERVICE_PRINCIPAL_NAME.
    Source: KDC
    EventID: 11
    Computer: SHASOS01

Something weird... any suggestions other than demoting? Firewall service is disabled.

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp
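One reason a single-domain LDP search and setspn -L can both look clean while the KDC still logs Event ID 11 is scope: SPNs must be unique across the whole forest, and cifs/ is served by the host/ service class through the forest's sPNMappings, so a second object anywhere in the forest with host/SHASOS01 collides with the DC's own. The script below is an added example (not from the thread) that queries the global catalog for every object holding a cifs/ or host/ SPN for the host, short or fully qualified, and warns when more than one is found. It assumes a GC is reachable from where it runs and that example.com is a placeholder DNS suffix; SHASOS01 is the host from the message.

```powershell
# Added example, not from the thread. Lists every forest object holding a cifs/
# or host/ SPN for one host by querying the global catalog, then flags duplicates
# (the condition behind KDC Event ID 11). Assumptions: a GC is reachable;
# $DnsSuffix is a placeholder.
param(
    [string]$HostName  = 'SHASOS01',
    [string]$DnsSuffix = 'example.com'   # placeholder
)

function Find-SpnHolders {
    param([string]$Name, [string]$Suffix)

    # GC: has exactly one child, the forest root naming context, searched over port 3268
    $gcRoot = [ADSI]'GC:'
    $forestRoot = $gcRoot.psbase.Children | Select-Object -First 1

    # Both the short and the FQDN forms, for the explicit cifs/ SPN and for host/,
    # which covers cifs through sPNMappings
    $filter = "(|(servicePrincipalName=cifs/$Name)(servicePrincipalName=cifs/$Name.$Suffix)" +
              "(servicePrincipalName=host/$Name)(servicePrincipalName=host/$Name.$Suffix))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        $forestRoot, $filter,
        @('distinguishedName', 'objectClass', 'servicePrincipalName'),
        'Subtree')
    $searcher.PageSize = 500   # paged results, so large forests do not hit the size limit

    $pattern = '^(cifs|host)/' + [regex]::Escape($Name) + '(\.|$)'
    foreach ($r in $searcher.FindAll()) {
        $matching = @($r.Properties['serviceprincipalname']) | Where-Object { $_ -match $pattern }
        [pscustomobject]@{
            DN    = $r.Properties['distinguishedname'][0]
            Class = @($r.Properties['objectclass'])[-1]   # most-derived class is listed last
            Spns  = ($matching -join '; ')
        }
    }
}

$holders = @(Find-SpnHolders -Name $HostName -Suffix $DnsSuffix)
$holders | Format-Table -AutoSize

if ($holders.Count -gt 1) {
    Write-Warning ("{0} objects hold a cifs/ or host/ SPN for {1}; the KDC requires exactly one. " +
                   "Check each DN above for a stale computer or service account.") -f $holders.Count, $HostName
} elseif ($holders.Count -eq 1) {
    Write-Output "Only one SPN holder for $HostName in the GC: $($holders[0].DN)"
} else {
    Write-Output "No object in the GC holds a cifs/ or host/ SPN for $HostName"
}
```

The objectClass column matters when reading the result: a second holder that is a user object usually means a service account was given host/ SPNs it should not have, while a second computer object is typically a stale or re-joined machine account.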