RE: [ActiveDir] OT Exchange question.

2005-04-15 Thread Mulnick, Al
Or the reverse of that ;)

Welcome back Joe.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 8:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT Exchange question.

 (Gotta love how many Exchange questions get fielded to this list, 
 isn't it?)

A lot of us poor schmoes were handling AD so well someone started throwing
Exchange at us to handle as well. 





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Friday, April 08, 2005 7:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT Exchange question.

(Gotta love how many Exchange questions get fielded to this list, isn't
it?)

Rebuilding an Exchange 2000 server, and received the following error trying
to install the post-SP3 roll-up:

Setup has detected that the version of the service pack installed on your
system is lower that what is necessary to apply this hotfix.  

At minimum you must have Service Pack 3 installed.

(And yes, I have SP 3 installed.  :-)  Even reinstalled it once or twice for
good measure.)

Google is being uninformative.  Has anyone run into this?

- Laura
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Files missing from sysvol folder

2005-04-15 Thread Mulnick, Al
You may additionally want to check the software running on the DCs in
question if the files are copied and then deleted.  Until replication, I
wouldn't expect the files to change on a newly promoted DC.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Files missing from sysvol folder

Is Sysvol properly replicating amongst your other DCs?
 
The fact that your 2 DCs never got sysvol/netlogon means they never truly
became DCs, this is something you should check every time you promote new
DCs. It used to be a horrible pain back in early 2K days but is much better
now. 
 
  joe



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, April 13, 2005 1:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Files missing from sysvol folder


While attempting to complete an Exchange 2003 install on a W2K3 Server (not
a DC), we have discovered that we have some AD problems with our W2K AD.  It
appears that 2 of our DC servers are missing the shared SYSVOL and Netlogon
folders.  I have read numerous KB articles, but have found no solutions, as
restoring is not a solution at this point.   After looking at the actual
Sysvol folder on these particular servers, I noticed that several of the
files/folders that should be present are not.  
 
I have tried all of the following:
-Demoting the server and then re-running dcpromo.  This was successfully run,
but didn't help.
-Copying the contents of the sysvol folder from a good DC to the bad DC.
The files were then automatically deleted, by the OS (I am assuming).
-Re-applying SP4 on the bad DC, which is running W2K Server.
-After running DCdiag, the only error that is reported is that the domain
membership test failed: [Warning] the system volume has not been completely
replicated to the local machine.  This machine is not working properly as a
dc.
-I am also getting Event ID 13552 in the Event Viewer:
The file replication service is unable to add this computer to the
following replica set:  Domain system volume (sysvol share)
 
Any additional insight would be greatly appreciated!
 
Thanks,
Brenda Casey
 


RE: [ActiveDir] Recover exchange database file

2005-04-15 Thread Mulnick, Al
Have you read the disaster recovery whitepaper about Exchange on Microsoft's
site yet?  

My guess is that you don't have enough of the relevant information, but it's
possible you can salvage some of it.  There are also utilities out there
that might be helpful if you really want that data. 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Kolvik
Sent: Thursday, April 14, 2005 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recover exchange database file

Hi,


Anyone with experience on how to import edb files?

I had a crash and the only thing I could get out was the edb and stm files.


Regards,
Daniel




RE: [ActiveDir] DNS queries and actual trace

2005-04-13 Thread Mulnick, Al
I don't believe I've seen something that will show that it performed the
name resolution with local information other than a debug trace (OS debugger
attached to winsock I would guess).  Would be cool to have a tool that
showed all of that though.  Something that shows:

SuperDupernamelookup.exe: looking for RR = name
Checking local cache = not found
Checking local hosts = not found
Checking local lmhosts = not found (could be both) (may be fancy
here and check the length of the query first; if more than 15 chars, skip
this and wins since it won't be there anyway)
Checking name server (wins) = not found
Checking name server (dns) = found RR :: blah blah blah

Something like that contained in one tool would be pretty cool.  Today you
can do some of that with several steps and deduction, but not in one tool.
I'd love to hear differently.

Al



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Murray Wall
Sent: Tuesday, April 12, 2005 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS queries and actual trace

I was wondering what tools/options are required to get an actual dns lookup
trace, including internal machine cached/hosts file lookups and external
requests to the dns server.  Does such a beast exist?

 

Murray Wall, MCSE, B.Ed CCNA/DA Master ASE Messaging

 [EMAIL PROTECTED]

 

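The SuperDupernamelookup.exe that Al sketches above doesn't exist, but the walk it describes can be reconstructed from the stock tools. The script below is an added example (not Al's code and not a real product): it checks the resolver cache (ipconfig /displaydns), the hosts file, then lmhosts and WINS/NetBIOS only when the name is a legal NetBIOS name (15 characters or fewer, no dots), and finally DNS via nslookup, printing a line per step in the format of the post. It reconstructs the order rather than tracing what the resolver actually did, and the file paths and the output strings it matches ("Record Name", "Host not found", "Name:", "Address:") are assumptions about how those tools print.

```vbscript
' namewalk.vbs  -  added example, not an existing tool: walk the places a
' Windows client can answer a name from, in the order Al's post lists.
' Usage:  cscript namewalk.vbs <hostname>
Option Explicit

Dim strName, strEtc, objShell
If WScript.Arguments.Count = 0 Then
    WScript.Echo "usage: cscript namewalk.vbs <hostname>"
    WScript.Quit 1
End If
strName = WScript.Arguments(0)
Set objShell = CreateObject("WScript.Shell")
strEtc = objShell.ExpandEnvironmentStrings("%SystemRoot%") & "\system32\drivers\etc\"

WScript.Echo "namewalk: looking for RR = " & strName
WScript.Echo "Checking local cache   = " & YesNo(CacheHas(strName))
WScript.Echo "Checking local hosts   = " & FileLookup(strEtc & "hosts", strName)

' NetBIOS names are at most 15 characters and carry no dots, so a longer or
' dotted name cannot come from lmhosts or WINS; those two steps are skipped
If Len(strName) > 15 Or InStr(strName, ".") > 0 Then
    WScript.Echo "Checking local lmhosts = skipped (not a NetBIOS name)"
    WScript.Echo "Checking WINS/NetBIOS  = skipped (not a NetBIOS name)"
Else
    WScript.Echo "Checking local lmhosts = " & FileLookup(strEtc & "lmhosts", strName)
    WScript.Echo "Checking WINS/NetBIOS  = " & _
        YesNo(InStr(1, RunCmd("nbtstat -a " & strName), "Host not found", vbTextCompare) = 0)
End If
WScript.Echo "Checking DNS           = " & DnsLookup(strName)

Function YesNo(blnFound)
    If blnFound Then YesNo = "found" Else YesNo = "not found"
End Function

' Run a command line and return everything it wrote to stdout/stderr
Function RunCmd(strCmd)
    RunCmd = objShell.Exec("cmd /c " & strCmd & " 2>&1").StdOut.ReadAll
End Function

' Is the name in the local resolver cache?  ipconfig /displaydns prints one
' "Record Name . . . : <name>" line per cached entry (assumed format)
Function CacheHas(strWanted)
    Dim re
    Set re = New RegExp
    re.Pattern = "Record Name[ .]*:\s*" & Replace(strWanted, ".", "\.") & "\s*$"
    re.IgnoreCase = True : re.Multiline = True
    CacheHas = re.Test(RunCmd("ipconfig /displaydns"))
End Function

' Look a name up in a hosts-style file: "<address> <name> [<name> ...]  # comment"
Function FileLookup(strPath, strWanted)
    Dim fso, ts, strLine, arrTok, i
    FileLookup = "not found"
    Set fso = CreateObject("Scripting.FileSystemObject")
    If Not fso.FileExists(strPath) Then Exit Function
    Set ts = fso.OpenTextFile(strPath, 1)
    Do Until ts.AtEndOfStream
        strLine = ts.ReadLine
        If InStr(strLine, "#") > 0 Then strLine = Left(strLine, InStr(strLine, "#") - 1)
        arrTok = Split(Trim(Replace(strLine, vbTab, " ")), " ")
        For i = 1 To UBound(arrTok)
            If StrComp(arrTok(i), strWanted, vbTextCompare) = 0 Then
                FileLookup = "found " & arrTok(0) & " (in " & strPath & ")"
                Exit Do
            End If
        Next
    Loop
    ts.Close
End Function

' Ask the configured DNS server via nslookup; its answer section starts at the
' "Name:" line, and the "Address:"/"Addresses:" lines after it hold the data
Function DnsLookup(strWanted)
    Dim strLine, blnAnswer, strAddrs
    blnAnswer = False : strAddrs = ""
    For Each strLine In Split(RunCmd("nslookup " & strWanted), vbCrLf)
        If Left(strLine, 5) = "Name:" Then blnAnswer = True
        If blnAnswer And (Left(strLine, 8) = "Address:" Or Left(strLine, 10) = "Addresses:") Then
            strAddrs = strAddrs & " " & Trim(Mid(strLine, InStr(strLine, ":") + 1))
        End If
    Next
    If blnAnswer Then DnsLookup = "found RR ::" & strAddrs Else DnsLookup = "not found"
End Function
```

Because every step is run regardless of whether an earlier one found the name, the output also shows the disagreements that cause the "works on one box, not on another" class of problem: a stale hosts entry next to a correct DNS answer, or a cached record that differs from what the server now returns.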


RE: [ActiveDir] Using net time

2005-04-13 Thread Mulnick, Al
Wouldn't it make more sense to have the PDCe use the workstation as your
reliable time source and let the rest of AD do its thing?  It has that
built into the product because of how important time sync is to AD
functionality. 

Just curious.

Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Wednesday, April 13, 2005 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Using net time

Following on from my earlier question about time synchronisation, can anyone
please tell me, when you type in the command net time, just how exactly does
the client determine where to pull this information from? I ask because I
assumed it would be querying its logon server by default; however, in my case
it is querying a DC from a sub-domain ?!?! Why on Earth is that? The DC in
question is not configured as a reliable time source (the AnnounceFlags value
is 10 and not 4).

I am confused and bewildered.

Thanks again for any help.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Wednesday, April 13, 2005 4:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Time synchronisation in a W2K domain


I was recently handed a new hardware clock to install into our domain. As
the device needs to be placed in an area with good radio reception I decided
to install it onto a PC. Our server farm is located in a secure bunker with
no reception at all.

I know the usual time sync model is for DC's to get the time from the PDC
role holder and then the time filters down from there to members servers and
workstations. However, my PC is running Windows XP. 

So the question is, is it possible to set the XP workstation (with hardware
connected) as the reliable primary source for time in the domain? Should
the Windows Time service be disabled on the PC? What changes need to be
made to the PDC role holder and other DCs in the domain to make sure they
are forced to sync with the XP workstation? Or is it just not possible to
use an XP workstation?

I have noticed that some of my machines are synching with the PC but others
are not, and I have not as yet determined why there is this erratic behaviour.
If I use the w32tm /resync command then on some machines it works and on
others it doesn't.

Do I need to manually configure all DCs to point to the XP machine? Do
member servers need special configuration? Why are general user
workstations not showing the same time as the Time PC?

Any advice greatly appreciated.


RE: [ActiveDir] SLOWWWWWW Logons

2005-04-12 Thread Mulnick, Al
That's very interesting.  Like I said, it's most interesting that the
symptoms didn't occur for all users on that machine.  


Either way, glad you're making progress and thanks for posting the findings.


-ajm 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, April 12, 2005 9:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

No just these for now and should it occur on another machine then we know
what the fix is.  I believe that this is occurring because they have gigabit
cards and are trying to find DC's across a VPN DSL Line and the computer is
just trying to damn fast.

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, April 11, 2005 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

I find that fix fascinating mostly because the problem description mentions
that other users that used these machines worked fine and because the
problem followed the users.

Does this mean that you applied this to the other machines as well?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Monday, April 11, 2005 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

http://support.microsoft.com/default.aspx?scid=kb;en-us;326152

http://support.microsoft.com/default.aspx?scid=kb;en-us;840669

Following these articles and updating the drivers for the NIC cards worked.
Thanks to everyone who helped.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, April 11, 2005 12:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

 

Justin, I posted to this thread on 4/6 with some steps. If you follow those
steps and provide me with the data, it is likely I can at least provide some
insight in to the problem if not a solution altogether.

~Eric

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, April 08, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

 

I actually deleted the account and set up a new one and the same problem
occurred.  I need to enable logging on userenv to see what is happening; when
I do I will report back.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 08, 2005 11:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

 

I agree it is most likely anything else but a DNS problem. If you are able to,
copy one of those accounts and log in with the new copy. Does the problem
follow the new account? Could you post back with your findings?

 

Sincerely,

 

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I

Microsoft MVP - Dir. Services / Security

www.readymaids.com - we know IT

www.akomolafe.com

Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Friday, April 08, 2005 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SLOWW Logons

 

On Apr 8, 2005 10:38 AM, Dave A. Marquis [EMAIL PROTECTED] wrote:

 That's not right. I would look at the dns configuration. I had the
 same issue as a tech kept fat fingering the configs.

If other users can log in to the same workstation with no delay then I
would say that this is likely not a DNS config issue on the
workstation. Definitely follow ~Eric's advice on how to troubleshoot
the issue and if you're still stuck after looking through the userenv
log and the network trace then report back on your progress :)

Actually, report back on the progress either way

Phil



RE: [ActiveDir] 1000 groups

2005-04-12 Thread Mulnick, Al
This is probably what you're referring to: 

(1023 SIDs) http://support.microsoft.com/default.aspx?scid=kb;en-us;322970
and this: http://support.microsoft.com/kb/280830/ (much lower number)

IIRC, 2003 domains can handle more, but I think ~Eric was the one that
posted something about that.  Maybe he or Dean will chime in?

However, I can't think it would be very manageable to have users in that
many groups in most organizations.  Even with distribution groups, local
groups, etc.  It would seem to me that being a part of that many groups
would set off all kinds of security and management issues as well as
performance issues for the user. 

Al

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Fischer
Sent: Tuesday, April 12, 2005 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 1000 groups

Hi All:

Can an AD user be a member of more than 1000 groups?  Someone told me that
1000 was an AD limitation.   Is that true?

Thanks,

--Brian

 

 

 

 

Brian Fischer
Microsoft Systems Consultant 

Quest Software
4320 Winfield Rd
Suite 500
Warrenville, IL 60555
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]  

tel: 630-836-3160
fax: 949-754-8999
mobile: 630-567-2825

 




RE: [ActiveDir] VB Script and Group policy

2005-04-12 Thread Mulnick, Al
I'm not a great vbscripter, but I play one on the internet sometimes :)

Your script looks like this:

Set objWSHNetwork = CreateObject("WScript.Network") 'create network object 
strConnectString = "\\servername\Boston_IT2"
strConnectString = "\\servername\Boston_IT"
strResult = objWSHNetwork.AddWindowsPrinterConnection(strConnectString)

Since vbscript runs in serial (that is, it executes top to bottom) you're
setting the variable strConnectString first to \\Servername\Boston_IT2 and
then overwriting it to \\Servername\Boston_IT.  The result is that you are
creating the printer last specified before the execution: strResult
=objWSHNetwork.AddWindowsPrinterConnection(strConnectString)

To do what you want, you need either a list to pull from (are you reading
these printers in?) else you'll need to run it multiple times within the
script.

I'm assuming you already know what the printers are, so something like this
would work:

Set objWSHNetwork = CreateObject("WScript.Network") 'create network object 

'Create First Printer
strConnectString = "\\servername\Boston_IT2"
strResult = objWSHNetwork.AddWindowsPrinterConnection(strConnectString)

'Create Second Printer
strConnectString = "\\servername\Boston_IT"
strResult2 = objWSHNetwork.AddWindowsPrinterConnection(strConnectString)

And so on...

Not sure what value strResult and StrResult2 provide in this script exactly,
but I left them as unique values so you could check that value later if you
wanted to. Here's a reference to it on MSDN:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/wsmthaddwindowsprinterconnection.asp


Al



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Tuesday, April 12, 2005 4:19 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] VB Script and Group policy

Running Windows 2000 AD
 
I'm looking to automate the installation of printers using a vb script and
group policy.  I found the script referenced below which works great for
adding the printer and works great with GP.  However, I can only add one
printer.  Every time I modify it to add additional printers it only adds
one.
 
Set objWSHNetwork = CreateObject("WScript.Network") 'create network object 
strConnectString = "\\servername\Boston_IT2"
strConnectString = "\\servername\Boston_IT"
strResult = objWSHNetwork.AddWindowsPrinterConnection(strConnectString)
 
Does anyone out there know a way of adding multiple printers with this
script?  I should mention I am not a VB person.
 
Thanks
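Al's version repeats the two lines per printer; the same thing driven from a list is shorter and easier to maintain in a logon script. The script below is an added example (not Christine's script, not Al's, and not taken from the linked MSDN page): it calls AddWindowsPrinterConnection once per entry in an array and checks each call separately. The share names are placeholders. Note that the method raises a runtime error when a mapping fails instead of returning a status, which is why strResult in the original carries nothing useful; the error check here is what gives you a result to act on.

```vbscript
' Added example: map several printers from one list, one
' AddWindowsPrinterConnection call per printer, and report each result.
' The UNC paths are placeholders for the real shares.
Option Explicit

Dim objWSHNetwork, arrPrinters, strPrinter, intFailed
Set objWSHNetwork = CreateObject("WScript.Network") 'create network object

' Constructed list of printer shares to map (placeholders)
arrPrinters = Array("\\servername\Boston_IT2", _
                    "\\servername\Boston_IT")

intFailed = 0
For Each strPrinter In arrPrinters
    If AddPrinter(objWSHNetwork, strPrinter) Then
        WScript.Echo "Mapped   " & strPrinter
    Else
        WScript.Echo "FAILED   " & strPrinter
        intFailed = intFailed + 1
    End If
Next

' Uncomment to make the last printer in the list the default:
' objWSHNetwork.SetDefaultPrinter arrPrinters(UBound(arrPrinters))

' Exit code = number of printers that could not be mapped
WScript.Quit intFailed

' Adds one printer connection.  Returns True on success, False on any error;
' the method raises a runtime error on failure rather than returning a code,
' so the error is caught here and reported with its number and description.
Function AddPrinter(objNet, strPath)
    On Error Resume Next
    objNet.AddWindowsPrinterConnection strPath
    If Err.Number <> 0 Then
        WScript.Echo "  error 0x" & Hex(Err.Number) & ": " & Err.Description
        Err.Clear
        AddPrinter = False
    Else
        AddPrinter = True
    End If
    On Error GoTo 0
End Function
```

When this runs as a Group Policy logon script under wscript.exe, every WScript.Echo becomes a message box; run it with cscript, or swap the Echo calls for writes to a log file, before deploying it through GP.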


RE: [ActiveDir] systemFlags

2005-04-11 Thread Mulnick, Al
You're just trying to understand it then?   Sanity is not my strong point
anyway :)

To change that, IIRC some can be set directly, while others need to be set
on the class etc. 


Looks like I munged the last post, so
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_systemflags.asp 


Enjoy.


-ajm

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Mayes
Sent: Saturday, April 09, 2005 12:21 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags

 

Suspend all sanity for a moment. I'm not wandering down the route of trusted
and untrusted administrators, that's just how I arrived at this point.
Simply, I'm just curious about the possibility of modifying systemFlags. If
you try through ldp or adsiedit you get errors generally around the point that
it's a system attribute and you can't modify it. Now again, make sure that
your sanity switch is set to 0 for this, as people are now going to start
asking the question why, and careful because you'll screw your AD. Well, I'm
wearing asbestos underpants at this point and I quite like the idea of
breaking things in development. So trudging on... For the permissions I
can see that I have permissions to write the systemFlags attribute, but
nothing is letting me, which I agree is quite sensible as I could be any old
muppet. But what's getting in my way: the tools, the AD itself, or
something special which is hidden under the bonnet? And how do you then get
around that, as I can buy a tool off the shelf that'll do it?

I've not yet attempted to write code to fiddle, that'll be when I'm bored
over the next few days.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, April 08, 2005 9:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags

How'd you try to edit it?  And why do you let admins have rights if you
can't trust them?

 

http://msdn.microsoft.com/library/default.asp?url=;
http://msdn.microsoft.com/library/default.asp?url= 

 



RE: [ActiveDir] OT Exchange question.

2005-04-11 Thread Mulnick, Al
Sounds familiar.  Wasn't there something in the readme about that (post sp
readme? )

You may also want to post which version of the post-sp3-roll-up you're
trying to install (isn't it time to call it a service pack already???)

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Friday, April 08, 2005 7:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT Exchange question.

(Gotta love how many Exchange questions get fielded to this list, isn't
it?)

Rebuilding an Exchange 2000 server, and received the following error trying
to install the post-SP3 roll-up:

Setup has detected that the version of the service pack installed on your
system is lower that what is necessary to apply this hotfix.  

At minimum you must have Service Pack 3 installed.

(And yes, I have SP 3 installed.  :-)  Even reinstalled it once or twice for
good measure.)

Google is being uninformative.  Has anyone run into this?

- Laura


RE: [ActiveDir] SLOWWWWWW Logons

2005-04-11 Thread Mulnick, Al
I find that fix fascinating mostly because the problem description mentions
that other users that used these machines worked fine and because the
problem followed the users.

Does this mean that you applied this to the other machines as well?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Monday, April 11, 2005 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

http://support.microsoft.com/default.aspx?scid=kb;en-us;326152

http://support.microsoft.com/default.aspx?scid=kb;en-us;840669

Following these articles and updating the drivers for the NIC cards worked.
Thanks to everyone who helped.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, April 11, 2005 12:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

 

Justin, I posted to this thread on 4/6 with some steps. If you follow those
steps and provide me with the data, it is likely I can at least provide some
insight in to the problem if not a solution altogether.

~Eric

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, April 08, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

 

I actually deleted the account and set up a new one and the same problem
occurred.  I need to enable logging on userenv to see what is happening; when
I do I will report back.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 08, 2005 11:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

 

I agree it is most likely anything else but a DNS problem. If you are able to,
copy one of those accounts and log in with the new copy. Does the problem
follow the new account? Could you post back with your findings?

 

Sincerely,

 

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I

Microsoft MVP - Dir. Services / Security

www.readymaids.com - we know IT

www.akomolafe.com

Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Friday, April 08, 2005 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SLOWW Logons

 

On Apr 8, 2005 10:38 AM, Dave A. Marquis [EMAIL PROTECTED] wrote:

 That's not right. I would look at the dns configuration. I had the
 same issue as a tech kept fat fingering the configs.

If other users can log in to the same workstation with no delay then I
would say that this is likely not a DNS config issue on the
workstation. Definitely follow ~Eric's advice on how to troubleshoot
the issue and if you're still stuck after looking through the userenv
log and the network trace then report back on your progress :)

Actually, report back on the progress either way

Phil



RE: [ActiveDir] Export Security Mailbox Rights members

2005-04-11 Thread Mulnick, Al
IIRC, that's information that's contained in the store and not in the
directory.  Have you checked the exchange tools to see what you can do with
that? 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, April 11, 2005 4:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Export Security & Mailbox Rights members

Has anyone figured out how to do this?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, April 07, 2005 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Export Security & Mailbox Rights members

Is there an option for this in adfind?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, April 07, 2005 10:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Export Security & Mailbox Rights members

I have an account that has a few unknown SIDs under the Security Tab &
Mailbox Rights.  I can use psgetsid to get the names of these unknown SIDs,
but I want to output these so I can copy and paste the SIDs.  Is there any
way to do this?

-Devon

__
This message and any attachments are solely for the intended recipient and
may contain confidential or privileged information. If you are not the
intended recipient, any disclosure, copying, use or distribution of the
information included in the message and any attachments is prohibited. If
you have received this communication in error, please notify us by reply
e-mail and immediately and permanently delete this message and any
attachments. Thank You. 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] systemFlags

2005-04-08 Thread Mulnick, Al



How'd you try to edit it? And why do you let admins
have rights if you can't trust them?

http://msdn.microsoft.com/library/default.asp?url=


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of PAUL MAYES
Sent: Friday, April 08, 2005 10:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] systemFlags


I want to prevent a collection of administrative users from deleting 
certain objects/containers etc now I could set up some more acl's on these 
objects or I suppose that I could wander off and buy a product off the shelf to 
offer that protection. But looking at it some of these products do some simple 
things within the directory.

So I had a quick dig and found that in theory I could modify the 
systemFlags on an object to protect it from deletion. Like the flags that are 
sat on the builtin container

1 systemFlags: 0x8C00 = ( FLAG_DISALLOW_DELETE | 
FLAG_DOMAIN_DISALLOW_RENAME | FLAG_DOMAIN_DISALLOW_MOVE ); 

Ahh but theory and practice become two different things. If you try and 
edit this attribute then pretty much every utility throws a wobbly. So now I'm 
curious... possibly a bad thing is there a way to actually modify the 
attribute?
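The three flags Paul quotes for the Builtin container OR together to 0x8C000000 (the 0x8C00 in the post is that value with its trailing zeros dropped), which ADSI hands back as the signed Long -1946157056, and the same bits are what you would check before relying on an object being delete-protected. The decoder below is an added example, not part of the thread: it names the ADS_SYSTEMFLAG_* bits that apply to ordinary directory objects (the low bits mean something else on schema and crossRef objects and are left alone), decodes the value quoted in the post, and, when run on a domain member with directory access, reads and decodes the live CN=Builtin value. It only reads; nothing here writes the attribute.

```vbscript
' Added example: decode systemFlags into ADS_SYSTEMFLAG_* names and read the
' Builtin container's live value.  Constants are the documented
' ADS_SYSTEMFLAG_ENUM values for non-schema objects.
Option Explicit

Const ADS_SYSTEMFLAG_DISALLOW_DELETE           = &H80000000
Const ADS_SYSTEMFLAG_CONFIG_ALLOW_RENAME       = &H40000000
Const ADS_SYSTEMFLAG_CONFIG_ALLOW_MOVE         = &H20000000
Const ADS_SYSTEMFLAG_CONFIG_ALLOW_LIMITED_MOVE = &H10000000
Const ADS_SYSTEMFLAG_DOMAIN_DISALLOW_RENAME    = &H8000000
Const ADS_SYSTEMFLAG_DOMAIN_DISALLOW_MOVE      = &H4000000

' The value quoted in the post for CN=Builtin, written out in full
WScript.Echo "Sample (CN=Builtin as posted): " & DecodeSystemFlags(&H8C000000)

Dim vLive
vLive = ReadBuiltinFlags()
If IsEmpty(vLive) Then
    WScript.Echo "Live read skipped (not a domain member, or no directory access)"
Else
    WScript.Echo "Live CN=Builtin systemFlags:   " & DecodeSystemFlags(vLive)
End If

' Turn a signed 32-bit systemFlags value into "0xHHHHHHHH = NAME NAME ..."
' Hex() of a negative Long yields the 8-digit two's-complement form, so the
' -1946157056 that ADSI returns prints as 0x8C000000.
Function DecodeSystemFlags(lngFlags)
    Dim s
    s = ""
    If (lngFlags And ADS_SYSTEMFLAG_DISALLOW_DELETE) <> 0 Then s = s & " DISALLOW_DELETE"
    If (lngFlags And ADS_SYSTEMFLAG_CONFIG_ALLOW_RENAME) <> 0 Then s = s & " CONFIG_ALLOW_RENAME"
    If (lngFlags And ADS_SYSTEMFLAG_CONFIG_ALLOW_MOVE) <> 0 Then s = s & " CONFIG_ALLOW_MOVE"
    If (lngFlags And ADS_SYSTEMFLAG_CONFIG_ALLOW_LIMITED_MOVE) <> 0 Then s = s & " CONFIG_ALLOW_LIMITED_MOVE"
    If (lngFlags And ADS_SYSTEMFLAG_DOMAIN_DISALLOW_RENAME) <> 0 Then s = s & " DOMAIN_DISALLOW_RENAME"
    If (lngFlags And ADS_SYSTEMFLAG_DOMAIN_DISALLOW_MOVE) <> 0 Then s = s & " DOMAIN_DISALLOW_MOVE"
    If s = "" Then s = " (no protection flags set)"
    DecodeSystemFlags = "0x" & Right("00000000" & Hex(lngFlags), 8) & " =" & s
End Function

' Read systemFlags from CN=Builtin in the default naming context via ADSI.
' Returns Empty when the directory cannot be reached.
Function ReadBuiltinFlags()
    Dim objRoot, objBuiltin
    On Error Resume Next
    Set objRoot = GetObject("LDAP://RootDSE")
    Set objBuiltin = GetObject("LDAP://CN=Builtin," & objRoot.Get("defaultNamingContext"))
    ReadBuiltinFlags = objBuiltin.Get("systemFlags")
    If Err.Number <> 0 Then
        ReadBuiltinFlags = Empty
        Err.Clear
    End If
End Function
```

A detail worth knowing when you script against this attribute: a short hex literal such as &H8C00 is a 16-bit Integer in VBScript (it evaluates to -29696), so always spell the full eight digits, as the constants above do, or the mask comparison silently tests the wrong bits.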



RE: [ActiveDir] SLOWWWWWW Logons

2005-04-07 Thread Mulnick, Al
Certainly good advice ~Eric.  

:) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, April 06, 2005 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

Starting a new thread from the original post, as I am going to address this
from a troubleshooting methodology perspective, not a take a swing and
perhaps one hit out of the park perspective.

My approach to slow logon:
1) I always start with a userenv log (logging set to 10002). I then take the
log, and begin looking for gaps of time in the log, to perhaps understand
components that are being slow during user init.
2) If I don't immediately see an answer in the userenv, or at least a
starting point (can go either way depending upon the case) I go with two
pieces of data: userenv + network trace.
Network trace can be tricky, given that you can't take it on the
client...the client hasn't logged on yet. :) Typically, I take the client
machine and throw it on a silly little hub, and on that hub also place
another machine which I take a trace from. Start the trace (some larger
buffer, say 50MB or so), then boot the client + log on to the client, and I
don't usually stop the trace until the logon is complete.

From there, you can line up gaps of time in the userenv log to what was
going over the wire. I find this approach more fruitful than just taking a
trace and trying to guess where the problem is.

~Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 06, 2005 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SLOWW Logons

I have two users amongst 50 in a remote site that no matter what PC they
log in to, it takes forever, but if someone else logs into that PC, they log
on quickly with no problems.

I have already run netdiag and everything passed, I have deleted the local
profile on the computer, disjoined and rejoined the domain, changed the
network card, provided a different IP address, verified I can access
\\domainname\sysvol\domainname and rebooted the PC as well as all the domain
controllers and the routers in between the sites.  No ports are being blocked
by anything, no changes to policies have been done, no new servers have been
made domain controllers and none have been demoted.  There are two Global
Catalogs in that AD Site, replication is working and I have not thrown the
PC out the window yet.

What else could be happening here?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

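Added example (editor's, not part of the thread): Eric's first step relies on the
userenv log. On Windows 2000/2003 it is enabled by creating the REG_DWORD value
UserEnvDebugLevel = 0x10002 under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,
and the log is written to %SystemRoot%\Debug\UserMode\userenv.log. The script below
does the "look for gaps of time" step mechanically: it parses the
USERENV(pid.tid) HH:MM:SS:mmm prefix of each line and reports any pair of
consecutive lines from the same thread that are more than a threshold apart, so
the gap can be lined up against the network trace. The log lines it is fed are
constructed for the example (the 31-second pause after "Starting user Group
Policy" is deliberate); the threshold and the function names are the editor's.

```python
import re

# Constructed sample of userenv.log lines in the Windows 2000/2003 format
# "USERENV(pid.tid) HH:MM:SS:mmm message". The messages imitate real ones;
# the 31-second pause after "Starting user Group Policy" is deliberate, and
# the svchost line shows a second process writing to the same file.
SAMPLE_USERENV_LOG = """\
USERENV(1f4.2b8) 08:15:02:109 LoadUserProfile: Entering, hToken = <0x2a4>, lpProfileInfo = 0x6ff8c
USERENV(1f4.2b8) 08:15:02:140 GetUserDNSDomainName: Domain name is <corp.example.com>
USERENV(1f4.2b8) 08:15:02:187 CheckForSlowLink: Link speed is ok
USERENV(1f4.2b8) 08:15:02:218 ProcessGPOs: Starting user Group Policy (Background) processing...
USERENV(3a0.3a4) 08:15:02:250 LibMain: Process Name: C:\\WINDOWS\\system32\\svchost.exe
USERENV(1f4.2b8) 08:15:33:406 ProcessGPOs: Processing extension Folder Redirection
USERENV(1f4.2b8) 08:15:33:437 ProcessGPOs: User Group Policy has been applied.
USERENV(1f4.2b8) 08:15:33:468 LoadUserProfile: Leaving with a value of 1
"""

LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)\)\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+(?P<msg>.*)$"
)
MS_PER_DAY = 24 * 60 * 60 * 1000


def parse_userenv(text):
    """Return (thread, millis_since_midnight, message) for each well-formed line.
    Lines without the USERENV prefix (continuations, blanks) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        millis = ((int(m["h"]) * 60 + int(m["m"])) * 60 + int(m["s"])) * 1000 + int(m["ms"])
        entries.append((m["pid"] + "." + m["tid"], millis, m["msg"]))
    return entries


def find_gaps(text, threshold_ms=5000):
    """Return (gap_ms, line_before, line_after) for consecutive lines of the same
    pid.tid whose timestamps are at least threshold_ms apart. The gap is the time
    the component named in line_before spent before anything else was logged.
    Timestamps carry no date, so a negative delta is treated as a midnight wrap."""
    last_seen = {}
    gaps = []
    for thread, millis, msg in parse_userenv(text):
        if thread in last_seen:
            prev_millis, prev_msg = last_seen[thread]
            delta = millis - prev_millis
            if delta < 0:
                delta += MS_PER_DAY
            if delta >= threshold_ms:
                gaps.append((delta, prev_msg, msg))
        last_seen[thread] = (millis, msg)
    return gaps


if __name__ == "__main__":
    for delta, before, after in find_gaps(SAMPLE_USERENV_LOG):
        print("%6.1f s between: %s\n%21s %s" % (delta / 1000.0, before, "->", after))
```

Against a real log, call find_gaps(open(path).read(), 5000) and raise the threshold
until only a handful of gaps remain; the per-thread bookkeeping matters because
more than one process writes interleaved lines into the same file.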

RE: [ActiveDir] AD logging

2005-04-07 Thread Mulnick, Al
Did you notice ~Eric's post?  

I have to ask again: Why not just use the GPO?  What drove you to the NTDS
registry settings? That bit is still not clear to me.

Al   

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Given the severity of the situation I set them all to 2 and have been
watching the logs



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 1:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Under diagnostics, there are many keys.  Which one did you set? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

The default GPO also has auditing set for the domain right now to audit
success and failure for all objects. 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 1:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Which registry setting did you set? And why there?  Why not via GPO around
account auditing? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD logging

Question, 

 

Hopefully this won't sound too newbie! 

Domain is 2003 native mode 6 domain controllers in 3 sites. 

I've turned up logging in the registry to a value of 2 on the server that
holds the PDC Emulator role. 

I have also set success and failure auditing in the default domain GP on all
objects. 

 

I created an account for testing, then I deleted that account, but I can't see
a reference to the deletion anywhere.

Where will I see a reference to the deletion? Wouldn't I find that in the
Security log? 

 

Like I said sorry for the newbie question... 

 

Thanks in advance 

 

Mike 



RE: [ActiveDir] LAN Manger v2.1 Authentication

2005-04-07 Thread Mulnick, Al
Internosis?  Sounds familiar...

Here's a starting point for that information:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/b4001049-4dec-4f5b-a249-0f4dfd22c732.mspx

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Schmieder, Marc
Sent: Thursday, April 07, 2005 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LAN Manger v2.1 Authentication

Can anyone tell me what security template(s) I should use if I only wanted
NTLMv2 and Kerberos authentication on in my environment? We have NT4, 2000,
2003 machines. Also, do I need to configure workstations, servers and dc's
or just dc's?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, April 06, 2005 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LAN Manger v2.1 Authentication

Yes, I have seen this document... Thank you so much for the suggestion, this
may be a bug from doing an in-place upgrade of an NT 4 domain. I'll try
applying 2003 Server SP1 and see if it fixes this. It's probably best to not
use a LAN Manager boot disk and just go to a WinPE boot disk that supports
NTLMv2 and SMB signing.

Jose :-)

---



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 6:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LAN Manger v2.1 Authentication


I assume you've seen this: http://support.microsoft.com/kb/325379

And since you've already disabled SMB signing the next step would be turn on
auditing and check for and correct the errors you see.


Al  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, April 05, 2005 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LAN Manger v2.1 Authentication

Greetings, 
 
We just upgraded our NT 4 servers to Windows 2003 Server and the migration
went as well as can be expected, however I am now trying to image several
servers using PowerQuest's Drive Image Pro with a boot disk that uses LAN
Manager and I can no longer authenticate against AD. 

I changed the domain controller and domain security policy to allow LAN
Manager authentication and I disabled SMB signing.  The server I am using
for imaging is a 2000 member server in the AD 2003 domain, and the AD
controllers are in native mode. Would anyone happen to know what else I need
to disable in the domain controller security policy to allow a DOS boot disk
to authenticate?
 
Also, I found that If I remove the imaging server from the domain
authentication works with the boot disk. Any suggestions would be greatly
appreciated.

  
Sincerely, 
 
Jose Medeiros
408-449-6621 Cell
MCP+I, MCSE, MCT
NT Engineering Association & SFNTUG
www.ntea.net
www.sfntug.org





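Added example for Marc's question (editor's, not from the thread): a security
template fragment in the format secedit and Security Configuration and Analysis
consume, showing the LSA values that restrict a Windows 2000/2003 host to NTLMv2
and Kerberos. The "refuse" half of LmCompatibilityLevel is enforced by whichever
machine authenticates the request, so it has to reach the DCs (domain accounts)
and the member servers (their local accounts); the "send NTLMv2 only" half is a
client-side setting, so workstations need it too. NT4 machines cannot take a
template; on NT4 SP4 or later the same LmCompatibilityLevel value is set directly
in the registry, and NoLMHash does not exist there. This is the opposite trade
from the one Jose made above: once the DCs refuse LM, an LM-only DOS boot disk
cannot authenticate, which is why a WinPE disk that speaks NTLMv2 is the way
around it. The file names in the secedit command are the editor's.

```ini
; Added example (editor's, not from the thread): security template fragment that
; restricts a Windows 2000/2003 host to NTLMv2 and Kerberos. Apply with
;   secedit /configure /db ntlmv2.sdb /cfg ntlmv2.inf
; LmCompatibilityLevel meanings:
;   0 = send LM and NTLM                      3 = send NTLMv2 only
;   1 = send LM and NTLM, use NTLMv2 session  4 = send NTLMv2 only, refuse LM
;       security if negotiated                5 = send NTLMv2 only, refuse LM and NTLM
;   2 = send NTLM only
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
; What this host sends, and what it refuses from others (on DCs: for all domain
; logons; on members: for their local accounts). The weak setting an LM-only
; imaging boot disk needs is level 0 or 1; 5 is what keeps LM and NTLM out.
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
; Stop storing the LM hash of passwords at their next change (2000 SP2+, XP, 2003).
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
; Require NTLMv2 session security plus 128-bit keys (0x20080000 = 537395200)
; for NTLM SSP clients and servers on this host.
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinClientSec=4,537395200
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinServerSec=4,537395200
```

Roll it out with auditing of logon failures turned on first and stage the level
(3 everywhere, then 5) so that any remaining LM/NTLM-only client shows up in the
DC security logs before it is locked out.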

RE: [ActiveDir] AD logging

2005-04-07 Thread Mulnick, Al
It gets logged in the security log of the domain controller.  Once you turn
on this logging, it's a lot of events for every action, so be careful to
ensure that your event logs can handle it.  

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/5658fae8-985f-48cc-b1bf-bd47dc210916.mspx

Event ID 624 = Create Success Audit Entry
Event ID 630 = Delete Success Audit Entry


It would be a good idea to undo any changes you've made up until now to be
sure you're not confusing anything.  Also, remember that this is a GPO
setting so you'll want to be sure it applied to the domain controllers.

Eventtriggers.exe might be useful for tracking this if you don't have
something moving your log files over to another format. 

al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, April 07, 2005 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Yes I saw Eric's post, which does make sense; my real problem is I have
accounts once a week for the past 2 months that literally disappear from
AD... I have removed everyone but myself from all privileged groups; I've
had all my admins reset passwords, I've made sure no scripts are running
that would cause this to happen. I've even removed all logon scripts. I've
never seen user accounts just disappear like this...

So I set up a few test accounts, then deleted them. I want to see where this
gets logged to help me troubleshoot why other accounts seem to just
vanish?!?!




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, April 07, 2005 6:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Did you notice ~Eric's post?  

I have to ask again: Why not just use the GPO?  What drove you to the NTDS
registry settings? That bit is still not clear to me.

Al   

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Given the severity of the situation I set them all to 2 and have been
watching the logs



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 1:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Under diagnostics, there are many keys.  Which one did you set? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

The default GPO also has auditing set for the domain right now to audit
success and failure for all objects. 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 1:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Which registry setting did you set? And why there?  Why not via GPO around
account auditing? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD logging

Question, 

 

Hopefully this won't sound too newbie! 

Domain is 2003 native mode 6 domain controllers in 3 sites. 

I've turned up logging in the registry to a value of 2 on the server that
holds the PDC Emulator role. 

I have also set success and failure auditing in the default domain GP on all
objects. 

 

I created an account for testing, then I deleted that account, but I can't see
a reference to the deletion anywhere.

Where will I see a reference to the deletion? Wouldn't I find that in the
Security log? 

 

Like I said sorry for the newbie question... 

 

Thanks in advance 

 

Mike 


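Added example (editor's, not from the thread): the events Al names, 624 (User
Account Created) and 630 (User Account Deleted), are written to the Security log
of the DC that performed the change, so with six DCs in three sites all six logs
have to be checked, not just the PDC emulator's; the NTDS\Diagnostics values only
make the Directory Service log more verbose and never produce audit events. The
Audit Account Management policy also has to be in force on the DCs: the Default
Domain Controllers Policy is linked to the Domain Controllers OU and wins over
the Default Domain Policy there. (On Windows Server 2008 and later the same two
events are 4720 and 4726.) The script parses a text export of those records,
pulls the target account, the caller and the caller's logon ID out of the
description, and flags deletions made under logon ID 0x3E7, the LocalSystem
session, which points at a service or scheduled task on that DC rather than an
admin at a console. The export header format and the three records are
constructed for the example; the field names inside the descriptions are the
real ones for 624/630.

```python
import re
from collections import defaultdict

# Constructed sample: a text export of three account-management records in the
# shape of Windows Server 2003 security events 624 (User Account Created) and
# 630 (User Account Deleted). The "Event ID: ... Computer: ..." header line is
# this example's own format; the field names inside each description are the
# real ones for 624 and 630. Hosts, names and SIDs are made up.
SAMPLE_EXPORT = """\
Event ID: 624  Source: Security  Computer: DC1  Time: 04/07/2005 09:02:11
User Account Created:
    New Account Name: testuser1
    New Domain: CORP
    New Account ID: S-1-5-21-1111-2222-3333-1201
    Caller User Name: mhogenauer
    Caller Domain: CORP
    Caller Logon ID: (0x0,0x4E1F2)

Event ID: 630  Source: Security  Computer: DC3  Time: 04/07/2005 09:40:55
User Account Deleted:
    Target Account Name: testuser1
    Target Domain: CORP
    Target Account ID: S-1-5-21-1111-2222-3333-1201
    Caller User Name: mhogenauer
    Caller Domain: CORP
    Caller Logon ID: (0x0,0x7A310)

Event ID: 630  Source: Security  Computer: DC5  Time: 04/07/2005 11:15:03
User Account Deleted:
    Target Account Name: jsmith
    Target Domain: CORP
    Target Account ID: S-1-5-21-1111-2222-3333-1043
    Caller User Name: svc-provision
    Caller Domain: CORP
    Caller Logon ID: (0x0,0x3E7)
"""

HEADER_RE = re.compile(
    r"^Event ID:\s*(?P<id>\d+)\s+Source:\s*(?P<src>\S+)\s+"
    r"Computer:\s*(?P<dc>\S+)\s+Time:\s*(?P<time>.+?)\s*$"
)
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")

# Windows 2000/2003 IDs; on Windows Server 2008 and later these are 4720 / 4726.
ACCOUNT_EVENTS = {624: "created", 630: "deleted"}
SYSTEM_LOGON_ID = "0X3E7"   # low part of the LocalSystem logon session ID


def parse_export(text):
    """Split the export into records: {id, dc, time, fields}."""
    records, current = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = {"id": int(h["id"]), "dc": h["dc"], "time": h["time"], "fields": {}}
            records.append(current)
            continue
        f = FIELD_RE.match(line)
        if f and current is not None:
            current["fields"][f["key"]] = f["val"]
    return records


def account_changes(text, event_ids=(630,)):
    """One dict per selected 624/630 record with the pieces worth looking at."""
    changes = []
    for rec in parse_export(text):
        if rec["id"] not in event_ids or rec["id"] not in ACCOUNT_EVENTS:
            continue
        f = rec["fields"]
        prefix = "New" if rec["id"] == 624 else "Target"   # 624 says "New ...", 630 "Target ..."
        logon_id = f.get("Caller Logon ID", "")
        changes.append({
            "action": ACCOUNT_EVENTS[rec["id"]],
            "account": f.get(prefix + " Domain", "") + "\\" + f.get(prefix + " Account Name", ""),
            "sid": f.get(prefix + " Account ID", ""),
            "caller": f.get("Caller Domain", "") + "\\" + f.get("Caller User Name", ""),
            "logon_id": logon_id,
            # A change under the LocalSystem session came from a service or
            # scheduled task running on that DC, not from an admin at a console.
            "system_session": logon_id.upper().endswith(SYSTEM_LOGON_ID + ")"),
            "dc": rec["dc"],
            "time": rec["time"],
        })
    return changes


def deletions_by_caller(text):
    """Group deleted accounts by who deleted them; the first thing to look at."""
    grouped = defaultdict(list)
    for c in account_changes(text, (630,)):
        grouped[c["caller"]].append(c["account"])
    return dict(grouped)


if __name__ == "__main__":
    for c in account_changes(SAMPLE_EXPORT, (624, 630)):
        flag = "  <- LocalSystem session on " + c["dc"] if c["system_session"] else ""
        print("%s %s %s by %s on %s%s" % (c["time"], c["account"], c["action"], c["caller"], c["dc"], flag))
```

Because the Security log on a busy DC wraps quickly once Account Management
auditing is on, the export step has to run on every DC before the log rolls, or
the logs have to be forwarded somewhere central first; the caller's logon ID can
then be matched back to a 528/540 logon event on the same DC to find the session.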
RE: [ActiveDir] LAN Manger v2.1 Authentication

2005-04-06 Thread Mulnick, Al
I assume you've seen this: http://support.microsoft.com/kb/325379

And since you've already disabled SMB signing the next step would be turn on
auditing and check for and correct the errors you see.


Al  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, April 05, 2005 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LAN Manger v2.1 Authentication

Greetings, 
 
We just upgraded our NT 4 servers to Windows 2003 Server and the migration
went as well as can be expected, however I am now trying to image several
servers using PowerQuest's Drive Image Pro with a boot disk that uses LAN
Manager and I can no longer authenticate against AD. 

I changed the domain controller and domain security policy to allow LAN
Manager authentication and I disabled SMB signing.  The server I am using
for imaging is a 2000 member server in the AD 2003 domain, and the AD
controllers are in native mode. Would anyone happen to know what else I need
to disable in the domain controller security policy to allow a DOS boot disk
to authenticate?
 
Also, I found that If I remove the imaging server from the domain
authentication works with the boot disk. Any suggestions would be greatly
appreciated.

  
Sincerely, 
 
Jose Medeiros
408-449-6621 Cell
MCP+I, MCSE, MCT
NT Engineering Association & SFNTUG
www.ntea.net
www.sfntug.org






RE: [ActiveDir] GroupBy type queries in LDAP

2005-04-06 Thread Mulnick, Al
I see what you're saying now.  Might be interesting, although seems a chatty
way to do it.  

Should we mock it up?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, April 05, 2005 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

LOL.

The first pass through AD finds all possible values of attribute1 and stores
them in the hash. The second pass goes through and requeries based on that
hash that was built from the first pass.  

To put it another way.

1. Run a query against AD of attribute1=*
2. Parse the result set and populate the hash table with keys being the values
of attribute1 and the values of the hash being the count of DNs with that
specific key value as the value of attribute1.
3. Loop through the hash and generate a list of all attribute1 values that
have multiple objects using that value.
4. Loop through the list from 3 and requery AD for each multiply used value
with attribute1=somevalue

This method would return each record with a duplicated attribute1 twice.
However it has a much greater chance of being able to sit in memory while
running when it is scaled up. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, April 05, 2005 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

Maybe I'm missing something.  How do you already know that attribute1 has a
value of vala ?  I mean, if you knew what the duplicate values were,
couldn't you just query for them and return all the users that have that
exact value specified and just fix it that way?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, April 05, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

Goal is to find users (by DN) with dupe values for attribute1 as I
understand it.

Basically what I described is a two pass setup. You first find which
attribute values are duplicated, then go back and get the duped DNs. 

E.G.

AD has 

Rdn             attribute1
Cn=someuser1    vala
Cn=someuser2    vala
Cn=someuser3    valc
Cn=someuser4    valf
Cn=someuser5    valc
Cn=someuser6    vala
Cn=someuser7    vald
Cn=someuser8    valz

You would have a resulting hash of 

vala    3
valc    2
vald    1
valf    1
valz    1

You then go back and do a query of attribute1=3 and return DNs. Etc etc.
That is where the additional network traffic and time come in

Not sure where samaccountname came in, but I wouldn't use it as a unique
key, I have seen it duped within a single domain and it can definitely be
duped if this gets expanded to be forest wide[1].

Of course, if you know the scale and know it fits, pull all of the DNs and
store them in one shot. This can be done by having the server sorting the
result set or by using some associative array magic either in memory or on
disk (I think this is done with perl tie but I haven't tried it). 

   joe



[1] Though that is a bad idea, don't dupe samaccountname's in a forest. Make
samaccountname's unique within a forest, if not, it will bite you later.
Even better, make samaccountname's unique in an org. Have one single
authority granting them and keep them unique forever.



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, April 05, 2005 11:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

...that value and insert into the hash using it as the key...

I think that would not work Joe.  The reason being is that the original
query was to ascertain which objects had duplicate values in attribute1.  If
your key were to have duplicates, that could be a problem. 

As for the SQL table, why go back and get the DN's (now that I reread it
again?)  Why not populate the table with attribute1 and DN's vs.
samaccountname in the first place? Admittedly, it should be a much smaller
subset of the population that you're reading that time through, but is it
necessary?  Just thinking of efficiency.

Al

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, April 05, 2005 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

I thought of a way last night that would do this ok[1] with hash objects
unless the attribute was rather large though number of objects shouldn't be
as big a factor. 

Basically it is more scaleable but not infinitely scaleable which can be
said for anything. You would substitute speed and network traffic for
reduced memory footprint. Basically you would dump all objects with
attribute1=*, then simply pull off that value and insert into the hash using

RE: [ActiveDir] FW: Netlogon Event ID 5781

2005-04-06 Thread Mulnick, Al
*Looks* like one of the hosts on the network is trying to use this server to
register for the t. domain.  You may want to look into which of the hosts
would be doing that. 

'- DNS server(s) primary for the records to be registered is not running'
would be applicable.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jared Taylor
Sent: Wednesday, April 06, 2005 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FW: Netlogon Event ID 5781

I have been searching Google and newsgroups for the following error but I
can't seem to find anyone with a similar problem.

I have 2 Server 2003 DC's, one is a GC and PDC emulator and the other has
DNS and Exchange 2003.

The server running DNS is showing Event 5781 Netlogon Warnings under the
System Event Log. The warning is:

===
Event Type:     Warning
Event Source:   NETLOGON
Event Category: None
Event ID:       5781
Date:           4/6/2005
Time:           5:58:32 AM
User:           N/A
Computer:       NJMAIL1
Description:
Dynamic registration or deletion of one or more DNS records associated with
DNS domain 't.' failed.  These records are used by other computers to locate
this server as a domain controller (if the specified domain is an Active
Directory domain) or as an LDAP server (if the specified domain is an
application partition).

Possible causes of failure include:
- TCP/IP properties of the network connections of this computer contain
wrong IP address(es) of the preferred and alternate DNS servers
- Specified preferred and alternate DNS servers are not running
- DNS server(s) primary for the records to be registered is not running
- Preferred or alternate DNS servers are configured with wrong root hints
- Parent DNS zone contains incorrect delegation to the child zone
authoritative for the DNS records that failed registration

USER ACTION
Fix possible misconfiguration(s) specified above and initiate registration
or deletion of the DNS records by running 'nltest.exe /dsregdns' from the
command prompt or by restarting Net Logon service. Nltest.exe is available
in the Microsoft Windows Server Resource Kit CD.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Data: 2a 23 00 00   *#..
===

My problem is that I don't understand where it's getting t. from. I have
searched DNS and can't find anything similar.

The warning happens every 24 hours.

An ipconfig/all from the DNS server is provided below:

===
Windows IP Configuration
   Host Name . . . . . . . . . . . . : njmail1
   Primary Dns Suffix  . . . . . . . : accutest.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : accutest.com

Ethernet adapter 100Mb NIC:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO
   Physical Address. . . . . . . . . : 00-0C-F1-80-
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.81.95.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.81.95.2
   DNS Servers . . . . . . . . . . . : 192.81.95.1
   Primary WINS Server . . . . . . . : 192.81.95.2
===

Thanks

Jared T



RE: [ActiveDir] GroupBy type queries in LDAP

2005-04-06 Thread Mulnick, Al
Me?  It was your idea G

Besides, I'm having a hard time feeling sorry for you if you'll be on the
beach drinking frosty beverages lying in the sun.  Good thing you're dark to
begin with ;) 

Have fun!

-ajm

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, April 06, 2005 10:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

Yeah that is what I was saying, it would be chatty and slow compared to
sucking the data into another store. 

Another implementation again would be to use a disk based hash (again I
believe this is called a tie). 


I thought of another mechanism to do this last night that is a hybrid of the
disk based hash

This would be to write a serial text file of the data being returned (DNs
and values) and maintain the hash in memory (as long as it fit and maybe go
to a disk hash if needed). When done writing the file, sort by attribute1
values, and then cycle through the text file pulling the lines off as
indicated by the dupe hash. 

This problem firmly fits into the TIMTOWTDI (Tim Toady) rule both in terms
of using some SQL Server (My, MS, etc) or not using a real database.


Anyway, you can mock up. I am going to a spot about an hour south of Cancun
tomorrow morning for a week to lay on a beach drinking various good tasting
beverages with some friends and visit Mayan Ruins. :o) The most technical
thing I intend to do is read O'Reilly Active Directory 2e to figure out if
there needs to be a 3e and if so, what it should say. In fact, if anyone has
any ideas on things missing from that book or things that need to be
corrected in it, send them to me and I will see what can be done. 

  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

I see what you're saying now.  Might be interesting, although seems a chatty
way to do it.  

Should we mock it up?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, April 05, 2005 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

LOL.

The first pass through AD finds all possible values of attribute1 and stores
them in the hash. The second pass goes through and requeries based on that
hash that was built from the first pass.  

To put it another way.

1. Run a query against AD of attribute1=*
2. Parse the result set and populate the hash table with keys being the values
of attribute1 and the values of the hash being the count of DNs with that
specific key value as the value of attribute1.
3. Loop through the hash and generate a list of all attribute1 values that
have multiple objects using that value.
4. Loop through the list from 3 and requery AD for each multiply used value
with attribute1=somevalue

This method would return each record with a duplicated attribute1 twice.
However it has a much greater chance of being able to sit in memory while
running when it is scaled up. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, April 05, 2005 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

Maybe I'm missing something.  How do you already know that attribute1 has a
value of vala ?  I mean, if you knew what the duplicate values were,
couldn't you just query for them and return all the users that have that
exact value specified and just fix it that way?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, April 05, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

Goal is to find users (by DN) with dupe values for attribute1 as I
understand it.

Basically what I described is a two pass setup. You first find which
attribute values are duplicated, then go back and get the duped DNs. 

E.G.

AD has 

Rdn             attribute1
Cn=someuser1    vala
Cn=someuser2    vala
Cn=someuser3    valc
Cn=someuser4    valf
Cn=someuser5    valc
Cn=someuser6    vala
Cn=someuser7    vald
Cn=someuser8    valz

You would have a resulting hash of 

vala    3
valc    2
vald    1
valf    1
valz    1

You then go back and do a query of attribute1=3 and return DNs. Etc etc.
That is where the additional network traffic and time come in

Not sure where samaccountname came in, but I wouldn't use it as a unique
key, I have seen it duped within a single domain and it can definitely be
duped if this gets expanded to be forest wide[1].

Of course, if you know the scale and know it fits, pull all of the DNs and
store them in one shot. This can be done by having

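Added example (editor's, not joe's code) for the two-pass method discussed in
this thread: pass one asks only for attribute1 and counts each value in a hash;
pass two re-queries the directory with an equality filter on each value that was
counted more than once and collects the DNs. The single-pass variant that keeps
every DN in memory is beside it for comparison, and both return the same result.
One thing the prose glosses over: a value read out of the directory is
attacker-influenced data once it is fed back into a search filter, so it is
escaped per RFC 4515 before it goes into (attribute1=...); otherwise a value
containing * or ( ) turns the equality match into a substring or malformed
filter. The directory is an in-memory stand-in (joe's eight entries plus three
extra ones) and ldap_search is a hypothetical helper that understands only
presence and equality filters; against a real DC the same two functions would
wrap an LDAP search with the same filters.

```python
import re
from collections import Counter, defaultdict

# Constructed stand-in for the directory: the eight entries from joe's table,
# one entry with attribute1 unset, and two that share a value containing LDAP
# filter metacharacters. Each item is (distinguishedName, attribute1).
SAMPLE_DIRECTORY = [
    ("CN=someuser1,OU=People,DC=example,DC=com", "vala"),
    ("CN=someuser2,OU=People,DC=example,DC=com", "vala"),
    ("CN=someuser3,OU=People,DC=example,DC=com", "valc"),
    ("CN=someuser4,OU=People,DC=example,DC=com", "valf"),
    ("CN=someuser5,OU=People,DC=example,DC=com", "valc"),
    ("CN=someuser6,OU=People,DC=example,DC=com", "vala"),
    ("CN=someuser7,OU=People,DC=example,DC=com", "vald"),
    ("CN=someuser8,OU=People,DC=example,DC=com", "valz"),
    ("CN=someuser9,OU=People,DC=example,DC=com", None),
    ("CN=someuser10,OU=People,DC=example,DC=com", "a*b(c)"),
    ("CN=someuser11,OU=People,DC=example,DC=com", "a*b(c)"),
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter: backslash,
    asterisk, parentheses and NUL become \\XX hex escapes. Without this a value
    such as "a*b(c)" is parsed as a substring filter instead of matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")
_SIMPLE_FILTER = re.compile(r"^\((?P<attr>[A-Za-z0-9-]+)=(?P<val>.*)\)$")


def ldap_search(directory, filter_str):
    """Hypothetical in-memory LDAP search: understands only (attribute1=*) presence
    and (attribute1=value) equality filters, and returns (dn, attribute1) pairs."""
    m = _SIMPLE_FILTER.match(filter_str)
    if not m or m["attr"].lower() != "attribute1":
        raise ValueError("unsupported filter: " + filter_str)
    if m["val"] == "*":
        return [(dn, v) for dn, v in directory if v is not None]
    wanted = _HEX_ESCAPE.sub(lambda h: chr(int(h.group(1), 16)), m["val"])
    return [(dn, v) for dn, v in directory if v == wanted]


def find_duplicates_two_pass(directory):
    """joe's method. Pass 1 needs only the attribute value per object, so the hash
    holds one counter per distinct value rather than one entry per object. Pass 2
    issues one equality search per value seen more than once and collects the DNs."""
    counts = Counter(value for _, value in ldap_search(directory, "(attribute1=*)"))
    duplicates = {}
    for value, n in counts.items():
        if n > 1:
            flt = "(attribute1=%s)" % escape_filter_value(value)
            duplicates[value] = sorted(dn for dn, _ in ldap_search(directory, flt))
    return duplicates


def find_duplicates_one_pass(directory):
    """The all-in-memory alternative: one search, every DN kept, keyed by value.
    Faster and quieter on the wire, but memory grows with the object count."""
    by_value = defaultdict(list)
    for dn, value in ldap_search(directory, "(attribute1=*)"):
        by_value[value].append(dn)
    return {v: sorted(dns) for v, dns in by_value.items() if len(dns) > 1}


if __name__ == "__main__":
    for value, dns in sorted(find_duplicates_two_pass(SAMPLE_DIRECTORY).items()):
        print("%-8s used %d times:" % (value, len(dns)))
        for dn in dns:
            print("    " + dn)
```

The second pass makes one round trip per duplicated value, which is the
chattiness the thread refers to; if the count of duplicated values is large it
is usually cheaper to fall back to the one-pass version with paged results than
to issue thousands of small searches.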
RE: [ActiveDir] OT: Exchange 5.5 to 2003 Migration Plan

2005-04-06 Thread Mulnick, Al
http://www.microsoft.com/technet/prodtechnol/exchange/2000/deploy/upgrademigrate/series/planningguide/p_01_tt1.mspx#ENAA

Might be of interest to you.  Would need a few tweaks, but it's mostly what
you need I would imagine.

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W
(Ken)
Sent: Wednesday, April 06, 2005 10:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 5.5 to 2003 Migration Plan

Have you looked on the Microsoft web for this type of project plan?  I think
they have some of these already, but I've not looked for any (don't need
them at this time).

Ken Adams


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, April 06, 2005 10:02 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] OT: Exchange 5.5 to 2003 Migration Plan


I looked through those and they are great information.  My problem is that I
need to turn that into a project document to give to my boss, review group
and risk management.

I was hoping someone else already did this so I could save some time in
duplicating everything myself.

Thanks.

-Original Message-
From: Stelley, Douglas [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 06, 2005 8:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange 5.5 to 2003 Migration Plan


I get a lot of nice info from msexchange.org. A quick search in there
brought up this one...
http://msexchange.org/tutorials/Exchange-Migration-Wizard.html 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, April 06, 2005 9:51 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] OT: Exchange 5.5 to 2003 Migration Plan

Group,

Off topic.

My organization is about to start an Exchange migration and I was wondering
if anyone knows where I can get a migration plan that I can use as a shell
for planning this upgrade.  I know I can download all of the whitepapers and
instructions for different methods, but I was wondering if there is a place
I can grab a project plan from so I can save some time in drafting one from
scratch.  I think I have seen about three different ways of going about this
and I believe I'm going to take the path of using the ADC but I have not
seen this written up in any form other than white papers or notes on message
boards.

A bit of background, we will be conducting our migration in a parallel
domain structure (we are just about done moving all of our other resources,
machines and users out of our 5.5 domain).  When we are done with this
migration our 5.5 domain will go away.  

Thanks.

Charlie


RE: [ActiveDir] SLOWWWWWW Logons

2005-04-06 Thread Mulnick, Al
How much data are those two users pulling down from the domain controllers
(network trace?)  What's different about them? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 06, 2005 3:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SLOWW Logons

I have two users amongst 50 in a remote site that no matter what PC they
login to it takes forever, but if someone else logs into that PC, they log
on quickly with no problems.

I have already run netdiag and everything passed, I have deleted the local
profile on the computer, disjoined and rejoined the domain, changed the
network card, provided a different IP address, verified I can access
\\domainname\sysvol\domainname and rebooted the PC as well as all the domain
controllers and the routers in between the sites.  No ports are being blocked
by anything, no changes to policies have been done, no new servers have been
made domain controllers and none have been demoted.  There are two Global
Catalogs in that AD Site, replication is working and I have not thrown the
PC out the window yet.

What else could be happening here?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] AD logging

2005-04-06 Thread Mulnick, Al
Which registry setting did you set? And why there?  Why not via GPO around
account auditing? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD logging

Question, 

Hopefully this won't sound too newbie! 

Domain is 2003 native mode 6 domain controllers in 3 sites. 

I've turned up logging in the registry to a value of 2 on the server that
holds the PDC Emulator role. 

I have also set success and failure auditing in the default domain GP on all
objects. 

I created an account for testing then I deleted that account but I can't see
a reference to the deletion anywhere? 

Where will I see a reference to the deletion? Wouldn't I find that in the
Security log? 

Like I said sorry for the newbie question... 

Thanks in advance 

Mike 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] SLOWWWWWW Logons

2005-04-06 Thread Mulnick, Al
It might be worth your time to check with a network trace and compare one
slow user to one regular speed.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 06, 2005 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

I don't info but they only have three small policies applied to them

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

How much data are those two users pulling down from the domain controllers
(network trace?)  What's different about them? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Wednesday, April 06, 2005 3:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SLOWW Logons

I have two users amongst 50 in a remote site that no matter what PC they
login to it takes forever, but if someone else logs into that PC, they log
on quickly with no problems.

I have already run netdiag and everything passed, I have deleted the local
profile on the computer, disjoined and rejoined the domain, changed the
network card, provided a different IP address, verified I can access
\\domainname\sysvol\domainname and rebooted the PC as well as all the domain
controllers and the routers in between the sites.  No ports are being blocked
by anything, no changes to policies have been done, no new servers have been
made domain controllers and none have been demoted.  There are two Global
Catalogs in that AD Site, replication is working and I have not thrown the
PC out the window yet.

What else could be happening here?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] AD logging

2005-04-06 Thread Mulnick, Al
Under diagnostics, there are many keys.  Which one did you set? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

The default GPO also has auditing set for the domain right now to audit
success and failure for all objects. 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, April 06, 2005 1:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD logging

Which registry setting did you set? And why there?  Why not via GPO around
account auditing? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Wednesday, April 06, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD logging

Question, 

Hopefully this won't sound too newbie! 

Domain is 2003 native mode 6 domain controllers in 3 sites. 

I've turned up logging in the registry to a value of 2 on the server that
holds the PDC Emulator role. 

I have also set success and failure auditing in the default domain GP on all
objects. 

I created an account for testing then I deleted that account but I can't see
a reference to the deletion anywhere? 

Where will I see a reference to the deletion? Wouldn't I find that in the
Security log? 

Like I said sorry for the newbie question... 

Thanks in advance 

Mike 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] GroupBy type queries in LDAP

2005-04-05 Thread Mulnick, Al
For millions of records? Easier? Appropriate?

Please note that the directory contains millions of objects and iterating
through them will be painful. 

I wouldn't (could, but I wouldn't.)  Why? I'd likely need this information
on a repeatable basis maybe as some sort of grooming process for the
accounts I manage.  I suspect the right tool for the job would be a
synchronization tool that syncs, or at least replicates the data to SQL from
AD at a regular interval.  Some stored query then spits out the report I'm
looking for and I could take some sort of action based on that either
automated or other.  

DB's do this type of query very well and I see nothing that would indicate
to me that this would be a different kind of app.  Like joe (or Joe in this
case) I don't like putting things into SQL very often, if for no other
reason than the added cost of licensing a SQL server for an application.
That licensing needs to be fixed if you buy an app that requires SQL (think
MIIS, SMS, MOM, etc), but in the end it comes down to the right tool for the
job.  A DB is the right tool for the problem stated in my humble opinion. 


That's me though.  I can't script like Deji and joe(Joe).  :)
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, April 04, 2005 6:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

Would putting the output into a dictionary set and then sorting and writing
them out not be feasible? Would this not be easier (and on-the-flyish) than
dumping it into SQL?

 

 

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, April 04, 2005 2:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

 

Can't do that in LDAP... About the best you can do is use the LDAP sort
control to get a list of entries sorted by Attribute1, but that only
gets you halfway to what you want.

I suspect Al's strategy is the best way to go.

-gil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, April 04, 2005 2:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

Is it just user objects?  

(&(objectClass=User)(objectCategory=Person)(Attribute1=*)) Would return
all user objects that have a value for Attribute1.  

If you only wanted all user objects where Attribute1 was a duplicate, I
would *think* you have to query based on what's filled in there. i.e.
Attribute1=someduplicatevalue or something similar.  

Might be more productive to bring all of the needed data into a SQL
table and then do your query. LDAP isn't going to do that type of logic
that I'm aware of. 

I'd love to hear differently though :)

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Palenchar
Sent: Monday, April 04, 2005 5:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GroupBy type queries in LDAP

OK, LDAP evangelists,

I need to query our customer-facing AD for a list of all the users who
share a particular attribute. Let's call that attribute Attribute1.

So, if two people have the same value in Attribute1, I need their DN.

The trick is, that I want the results for all possible values of
Attribute1.

In SQL, I would use group by Attribute1 having count(Attribute1) > 1 to
get a list of all Attribute1 values where more than one object had the same
value. I would then join that back to the table to get a list of all the
DN's with those values of Attribute1.

Is there a way to do this with an LDAP query.

Please note that the directory contains millions of objects and
iterating through them will be painful.

-Jeremy

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] GroupBy type queries in LDAP

2005-04-05 Thread Mulnick, Al
...that value and insert into the hash using it as the key...

I think that would not work Joe.  The reason being is that the original
query was to ascertain which objects had duplicate values in attribute1.  If
your key were to have duplicates, that could be a problem. 

As for the SQL table, why go back and get the DN's (now that I reread it
again?)  Why not populate the table with attribute1 and DN's vs.
samaccountname in the first place? Admittedly, it should be a much smaller
subset of the population that you're reading that time through, but is it
necessary?  Just thinking of efficiency.

Al

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, April 05, 2005 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

I thought of a way last night that would do this ok[1] with hash objects
unless the attribute was rather large though number of objects shouldn't be
as big a factor. 

Basically it is more scalable but not infinitely scalable which can be
said for anything. You would substitute speed and network traffic for
reduced memory footprint. Basically you would dump all objects with
attribute1=*, then simply pull off that value and insert into the hash using
it as the key with the count as the value of that entry. 

Once you build that, you cycle through looking for any entries that have a
count  0 and reissue a query for that exact attribute value and output
those results directly.  

You could have it watching the amount of data it is holding and once you
surpass a specific level, have it use a simple little text file DB that perl
does as well. Heck if you don't mind the disk i/o hit you could do that from
the start and maintain the DNs as well. 

Obviously these solutions are stretching so you don't have to buy, and worse
yet, set up and maintain, a SQL Server which is just one more security risk.
If you already have a SQL Server laying around being maintained, the easiest
solution as Al mentions is to use it. 

Hmm another off the wall solution would be to spin up AD/AM. Set up an
object for every new value of attribute1 and then set up a link (FL/BL)
relationship with the attribute objects and the user objects. Then when you
want to know what users are using what attribute, you just dump the link
values. Still not an LDAP query only solution but kept up to date in real
time if you are constantly syncing with no additional query time needed. 

  joe



[1] Ok being entirely relative.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, April 05, 2005 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

For millions of records? Easier? Appropriate?

Please note that the directory contains millions of objects and iterating
through them will be painful. 

I wouldn't (could, but I wouldn't.)  Why? I'd likely need this information
on a repeatable basis maybe as some sort of grooming process for the
accounts I manage.  I suspect the right tool for the job would be a
synchronization tool that syncs, or at least replicates the data to SQL from
AD at a regular interval.  Some stored query then spits out the report I'm
looking for and I could take some sort of action based on that either
automated or other.  

DB's do this type of query very well and I see nothing that would indicate
to me that this would be a different kind of app.  Like joe (or Joe in this
case) I don't like putting things into SQL very often, if for no other
reason than the added cost of licensing a SQL server for an application.
That licensing needs to be fixed if you buy an app that requires SQL (think
MIIS, SMS, MOM, etc), but in the end it comes down to the right tool for the
job.  A DB is the right tool for the problem stated in my humble opinion. 


That's me though.  I can't script like Deji and joe(Joe).  :)
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, April 04, 2005 6:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

Would putting the output into a dictionary set and then sorting and writing
them out not be feasible? Would this not be easier (and on-the-flyish) than
dumping it into SQL?

 

 

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, April 04, 2005 2:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

 

Can't do that in LDAP... About the best you can do is use the LDAP sort
control to get a list of entries sorted by Attribute1, but that only
gets

RE: [ActiveDir] SSL on OWA to change password

2005-04-05 Thread Mulnick, Al
Why would you not want to use it on the entire site (for the sake of
argument?)

I'm not sure I get it.  Wouldn't you want it for all of owa?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, April 05, 2005 12:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SSL on OWA to change password

Guys, I sent this to a different list but also wanted to bounce it off of
you.

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 05, 2005 11:10 AM
To: [EMAIL PROTECTED]
Subject: [Exchange2000] SSL on OWA to change password


Please check my logic here.  To enable SSL on only the IISADMPWD virtual
Directory I do the following steps

Create the IISADMPWD Virtual Directory
Ensure proper rights and authenticated access are set on that directory
Apply the hotfixes described in the KB Articles for Windows 2003
Run adsutil.vbs script to set the PasswordChangeFlag to 0
Generate the SSL Certificate
Apply the SSL Certificate
Set the IISADMPWD Virtual Directory to require SSL
Modify the Registry to show the Change Password button

http://support.microsoft.com/default.aspx?scid=kb;en-us;297121
http://support.microsoft.com/kb/833734/EN-US/
http://support.microsoft.com/kb/327134/

I only want to use HTTPS on the change password screen, not the entire
OWA Site.

Thanks

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] GroupBy type queries in LDAP

2005-04-05 Thread Mulnick, Al
Maybe I'm missing something.  How do you already know that attribute1 has a
value of vala ?  I mean, if you knew what the duplicate values were,
couldn't you just query for them and return all the users that have that
exact value specified and just fix it that way?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, April 05, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

Goal is to find users (by DN) with dupe values for attribute1 as I
understand it.

Basically what I described is a two pass setup. You first find which
attribute values are duplicated, then go back and get the duped DNs. 

E.G.

AD has 

Rdn             attribute1
Cn=someuser1    vala
Cn=someuser2    vala
Cn=someuser3    valc
Cn=someuser4    valf
Cn=someuser5    valc
Cn=someuser6    vala
Cn=someuser7    vald
Cn=someuser8    valz

You would have a resulting hash of 

vala    3
valc    2
vald    1
valf    1
Valz    1

You then go back and do a query of attribute1=3 and return DNs. Etc etc.
That is where the additional network traffic and time come in

Not sure where samaccountname came in, but I wouldn't use it as a unique
key, I have seen it duped within a single domain and it can definitely be
duped if this gets expanded to be forest wide[1].

Of course, if you know the scale and know it fits, pull all of the DNs and
store them in one shot. This can be done by having the server sorting the
result set or by using some associative array magic either in memory or on
disk (I think this is done with perl tie but I haven't tried it). 

   joe



[1] Though that is a bad idea, don't dupe samaccountname's in a forest. Make
samaccountname's unique within a forest, if not, it will bite you later.
Even better, make samaccountname's unique in an org. Have one single
authority granting them and keep them unique forever.



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, April 05, 2005 11:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

...that value and insert into the hash using it as the key...

I think that would not work Joe.  The reason being is that the original
query was to ascertain which objects had duplicate values in attribute1.  If
your key were to have duplicates, that could be a problem. 

As for the SQL table, why go back and get the DN's (now that I reread it
again?)  Why not populate the table with attribute1 and DN's vs.
samaccountname in the first place? Admittedly, it should be a much smaller
subset of the population that you're reading that time through, but is it
necessary?  Just thinking of efficiency.

Al

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, April 05, 2005 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GroupBy type queries in LDAP

I thought of a way last night that would do this ok[1] with hash objects
unless the attribute was rather large though number of objects shouldn't be
as big a factor. 

Basically it is more scalable but not infinitely scalable which can be
said for anything. You would substitute speed and network traffic for
reduced memory footprint. Basically you would dump all objects with
attribute1=*, then simply pull off that value and insert into the hash using
it as the key with the count as the value of that entry. 

Once you build that, you cycle through looking for any entries that have a
count  0 and reissue a query for that exact attribute value and output
those results directly.  

You could have it watching the amount of data it is holding and once you
surpass a specific level, have it use a simple little text file DB that perl
does as well. Heck if you don't mind the disk i/o hit you could do that from
the start and maintain the DNs as well. 

Obviously these solutions are stretching so you don't have to buy, and worse
yet, set up and maintain, a SQL Server which is just one more security risk.
If you already have a SQL Server laying around being maintained, the easiest
solution as Al mentions is to use it. 

Hmm another off the wall solution would be to spin up AD/AM. Set up an
object for every new value of attribute1 and then set up a link (FL/BL)
relationship with the attribute objects and the user objects. Then when you
want to know what users are using what attribute, you just dump the link
values. Still not an LDAP query only solution but kept up to date in real
time if you are constantly syncing with no additional query time needed. 

  joe



[1] Ok being entirely relative.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, April 05, 2005 9:28 AM
To: ActiveDir@mail.activedir.org

RE: [ActiveDir] Branch Office Guide

2005-04-04 Thread Mulnick, Al
 
http://www.microsoft.com/downloads/details.aspx?FamilyId=9353A4F6-A8A8-40BB-9FA7-3A95C9540112&displaylang=en

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, March 31, 2005 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Branch Office Guide 

Thank you much. That link did not work yesterday when I tried it. 
 
-- nme
 


From: Michael Wassell [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 31, 2005 11:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Branch Office Guide 

http://tinyurl.com/2qr55


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, March 31, 2005 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Branch Office Guide

Hi -

Am I correct that the most recent AD Branch Office Guide from Microsoft is
the Windows 2000 version? I could not find a 2003-specific guide.

Thanks.

-- nme

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Orphaned SIDs

2005-04-01 Thread Mulnick, Al



I'm trying to figure out why you wouldn't want to 
assume that the account is either gone or tombstoned? Why the verification 
step of looking for tombstoned items?

In any event, it takes different rights and settings to 
see those tombstoned objects. I wouldn't guess that Zeffy would care about 
those since they're tombstoned. 

Also, if the object is listed incorrectly or referenced 
by something other than the proper dir object, then what would be the point of 
keeping it in the ACLs? There's obviously something wrong at that point 
right? 


Help me understand the logic/business drivers for 
this...


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Beelders, Ivor
Sent: Friday, April 01, 2005 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Orphaned SIDs


I've seen quite a bit of info on this subject but would like to get a firm
grip on the situation. I recently deleted a bunch of disabled users from my
directory. However, I'm left with quite a few orphaned SIDs in the ACLs and
User Rights policies, etc. I would like to clean these up with VERIFICATION,
i.e. I would like to know which user SID I'm deleting before ripping the SID
out of the ACL.

I encountered a few tools on the web but they don't really help in this
situation.

http://www.petri.co.il/obj_sid.htm - This is a cool applet that allows you
to do a SID lookup or a reverse SID lookup. If the object doesn't exist in
the directory, it doesn't access the tombstone information for a match.

Then there's tombstone-user.exe. This util will dump all the tombstone
objects from a particular DC. I dumped the tombstones from a DC (it displays
SIDs only) and did a find on a couple of the SIDs I see tombstoned in the
directory but it doesn't find the SIDs? Yes, it's still within 60 days of
the objects being deleted. 

Any help on this issue will be 
appreciated.


Ivor 


  
  


RE: [ActiveDir] Orphaned SIDs

2005-04-01 Thread Mulnick, Al



I understand that very well. I'm looking to find the 
meaning and perspective behind the request. 

Even a transient error could be problematic if you *could* 
match it to the tombstoned object because the same issue could still exist. 


To prevent the transient errors from occurring, one approach 
would be to build the userid to sid mapping table in a separate store outside of 
the AD and local to the application. Another would be to run the app on 
the DC. 

With the off-line version you would be able to input logic 
that ensures you either have all relevant information or you don't have 
anything. 

But again, what is the value of matching a SID to a 
tombstoned object? 

Al


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Beelders, Ivor
Sent: Friday, April 01, 2005 2:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Orphaned SIDs


Agreed. It would be 
great to be able to confirm which user the SID belonged to before deleting the 
SID.


Ivor 






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 01, 2005 1:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Orphaned SIDs

Al, you know that a 
resolution problem will sometimes prevent SID translations. So, the mere fact 
that you see SIDs (rather than names) listed in your ACL does not necessarily 
indicate that those accounts are dead. So, verification is in order here, 
IMO.

Deji





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, April 01, 2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Orphaned SIDs

I'm trying to figure 
out why you wouldn't want to assume that the account is either gone or 
tombstoned? Why the verification step of looking for tombstoned 
items?

In any event, it takes 
different rights and settings to see those tombstoned objects. I wouldn't 
guess that Zeffy would care about those since they're tombstoned. 


Also, if the object is 
listed incorrectly or referenced by something other than the proper dir object, 
then what would be the point of keeping it in the ACLs? There's obviously 
something wrong at that point right? 


Help me understand the 
logic/business drivers for this...




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Beelders, Ivor
Sent: Friday, April 01, 2005 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Orphaned SIDs
I've seen quite a bit of info on this subject but would like to get a firm
grip on the situation. I recently deleted a bunch of disabled users from my
directory. However, I'm left with quite a few orphaned SIDs in the ACLs and
User Rights policies, etc. I would like to clean these up with VERIFICATION,
i.e. I would like to know which user SID I'm deleting before ripping the SID
out of the ACL.

I encountered a few tools on the web but they don't really help in this
situation.

http://www.petri.co.il/obj_sid.htm - This is a cool applet that allows you to
do a SID lookup or a reverse SID lookup. If the object doesn't exist in the
directory, it doesn't access the tombstone information for a match.

Then there's tombstone-user.exe. This util will dump all the tombstone objects
from a particular DC. I dumped the tombstones from a DC (it displays SIDs
only) and did a find on a couple of the SIDs I see tombstoned in the directory
but it doesn't find the SIDs? Yes, it's still within 60 days of the objects
being deleted.

Any help on this issue will be appreciated.


Ivor 


  
  

  This communication (including any 
  attachments) contains information which is confidential and may also be 
  privileged. It is for the exclusive use of the intended recipient(s). 
  If you are not the intended recipient(s), please do not distribute, 
  copy or use this communication or the information. Instead, if you 
  have received this communication in error, please notify the sender 
  immediately and then destroy any copies of it.Due to the nature of 
  the Internet, the sender is unable to ensure the integrity of this message 
  and does not accept any liability or responsibility for any errors or 
  omissions (whether as the result of this message having been intercepted 
  or otherwise) in the contents of this message.Any views expressed 
  in this communication are those of the individual sender, except where the 
  sender specifically states them to be the views of the 
  company.


  
  
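The verification step this thread argues about starts with knowing what an unresolved SID actually is. As an added example (not code from the thread), the Python below converts between the binary SID form found in objectSid and in ACEs and the S-1-... string, then triages a SID as well-known, a built-in RID of a domain you can resolve, an ordinary account of such a domain (deleted, or simply not resolving right now, as Deji notes), or a domain no current trust can resolve. The domain SIDs and the well-known table are constructed for the demo.

```python
import struct

# Well-known SIDs (a subset, for the demo) that no domain lookup ever resolves
# to an account object and that must not be mistaken for deleted accounts.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}


def sid_bytes_to_string(blob):
    """Binary SID (as in objectSid or an ACE) -> 'S-1-...' string.
    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then count little-endian 32-bit sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported SID revision or sub-authority count")
    if len(blob) != 8 + 4 * count:
        raise ValueError("blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid):
    """'S-1-...' string -> binary SID, validating every field on the way."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S" or parts[1] != "1":
        raise ValueError("malformed SID string %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("sub-authority out of range")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def classify_sid(sid, known_domains):
    """Triage an unresolved SID. known_domains maps the domain SID
    (S-1-5-21-x-y-z, the domain's own objectSid) of every domain you can
    resolve, trusts included, to its name. Returns (kind, detail). It cannot
    tell a deleted account from a transient lookup failure, only where to look."""
    if sid in WELL_KNOWN:
        return ("well-known", WELL_KNOWN[sid])
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        domain, rid = "-".join(parts[:7]), int(parts[7])
        name = known_domains.get(domain)
        if name is None:
            return ("unknown domain", domain)     # e.g. a trust that no longer exists
        if rid < 1000:
            return ("built-in principal", "%s RID %d" % (name, rid))
        return ("account in known domain", name)  # deleted, or not resolving right now
    return ("other", sid)


if __name__ == "__main__":
    # Constructed domain SID and RID; not real directory data.
    dom = "S-1-5-21-1111111111-2222222222-3333333333"
    ace_sid = sid_string_to_bytes(dom + "-1105")
    print(sid_bytes_to_string(ace_sid), classify_sid(dom + "-1105", {dom: "CORP"}))
```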

RE: [ActiveDir] WINS topic

2005-03-30 Thread Mulnick, Al
I see no particular reason that WINS should care what domain it's in.  WINS
job is to do name resolution similar to the function of DNS.  Neither really
cares where it lives as long as it lives. 



Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Wednesday, March 30, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WINS topic

I know there has been some debate in this group recently about WINS in AD
but I wanted to get your feedback regarding an empty root domain:

 

Do you need a WINS server in an empty root domain?  If so, would pointing
WINS back to the child domain WINS server be a bad idea?  Other than AD
traffic nothing should be happening at the root level (other than DNS
forwarding) so I'm not sure I understand why WINS would be needed...  We
have Exchange 2003 running (which I realize has somewhat of a dependency on
WINS) but the Exchange server(s) are in the child domain where we have WINS
already running.

 

Any insight would be greatly appreciated! 

 

Thanks! 

 

Joe Pelle

Senior Infrastructure Architect

Information Technology

Valassis / IT

19975 Victor Parkway Livonia, MI 48152

Tel 734.591.7324  Fax 734.632.6151

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 

http://www.valassis.com/ http://www.valassis.com/ 

 

This message may include proprietary or protected information. If you are
not the intended recipient, please notify me, delete this message, and do
not further communicate the information contained herein without my express
written consent.

 



RE: [ActiveDir] Compelling arguments?

2005-03-30 Thread Mulnick, Al
They make perfect sense, Joe. 

Cheers,
-ajm


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 30, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

Ah not really for hire. Well unless someone wants to hire me away from my
current employer which I am sure they wouldn't be happy about. I am not
saying it can't be done, I will do all sorts of things for good money and a
fun position. My main requirements are being very well paid, very little
travel, work from home, you get a hold of me via email - not pager, not
cell. I am in a pretty comfy spot right now for all of that. 

I actually had a headhunter who claimed he represented Dell emailing me a
month or three ago. I asked to hear the ball park number and the headhunter
just kept saying call me I was being asked for by name. I don't like phones,
ask anyone who knows me. Phones are archaic sync'ed communications devices
that do not scale well globally (you think otherwise, try getting US East
Coast, US West Coast, England, Germany, Singapore, Australia, and New
Zealand easily onto a single con call). I spend enough time on con calls, I
try to avoid it all the rest of the times. My home phone has the ringer off,
my personal cell phone usually isn't anywhere near me, my work cell phone is
only near me during business hours and someone has to have the number given
to them or they need to open the full properties of my GAL entry. 

Anyway, Al, let me know if the reasons given for regional in the previous
email make sense or not. I agree, company goals would be paramount. 
 
  joe 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 29, 2005 1:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

Phil, you know he's for hire right?  He has a p*mp and everything last I
heard. :)


That said, it is interesting to see a regional specific approach to name
resolution.  Some like it, some don't.  I'd be interested to hear why, Joe
because I think it would depend on the company goals whether or not that
would make sense. 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Tuesday, March 29, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Compelling arguments?

Agreed. I'd love to get more info on your view on that though; get some more
details of how you would set it up in that type of environment given the
chance ;) The issue of geographic DNS isn't something I'd thought of unless
it was also attached to a multi domain geographic type forest (NA, Asia,
Europe etc.)

Phil

On Tue, 29 Mar 2005 12:20:06 -0500, Brent Westmoreland
[EMAIL PROTECTED] wrote:
 As always, thanks for the thorough reply, mate...




RE: [ActiveDir] WINS topic

2005-03-30 Thread Mulnick, Al
I would argue that WINS is required when setting up some applications.  SMS
and Exchange come to mind.  

Using the child WINS servers is more than enough for what you're talking
about. I wouldn't take them away completely, but rather just use the
existing. I do that now and don't usually recommend deploying WINS into an
empty root domain.  Too much unneeded overhead in my opinion.  At 1:1
objects for a WINS server, it doesn't make a lot of sense unless I sell
hardware :)

I wouldn't get rid of it in your environment Joe.  

-ajm 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Wednesday, March 30, 2005 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WINS topic

Your assumptions are correct... thanks to all who posted.  I am going to try
and stop the WINS service and see if that breaks anything.  Otherwise I can
just point it back to the child WINS server. 

 

Joe Pelle


 



From: Beelders, Ivor [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 30, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WINS topic

 

Joe,

 

Your initial posting stated that your root domain is empty. I assume that
there are no applications or users in the domain beside the admin users,
i.e. service administrators. I also assume that you're using W2K or later to
administer this domain. If this is the case, use DNS for name resolution
only. WINS is not required.

 

Ivor 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Wednesday, March 30, 2005 10:01 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] WINS topic

 

WINS like DNS, is domain agnostic. 

 

You may host a DNS zone abc.com (corresponding to AD domain abc.com) on a
UNIX server, which exists in some Kerberos realm, perhaps. Similarly, WINS
may be hosted on a Windows NT server which is not part of any Windows
domain.

 

In answer to your question therefore, simply use your existing WINS servers.


 

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: 30 March 2005 14:09
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WINS topic

I know there has been some debate in this group recently about WINS
in AD but I wanted to get your feedback regarding an empty root domain:

 

Do you need a WINS server in an empty root domain?  If so, would
pointing WINS back to the child domain WINS server be a bad idea?  Other
than AD traffic nothing should be happening at the root level (other than
DNS forwarding) so I'm not sure I understand why WINS would be needed...  We
have Exchange 2003 running (which I realize has somewhat of a dependency on
WINS) but the Exchange server(s) are in the child domain where we have WINS
already running.

 

Any insight would be greatly appreciated! 

 

Thanks! 

 

Joe Pelle


 


==
This message is for the sole use of the intended recipient. If you received
this message in error please delete it and notify us. If this message was
misdirected, CSFB does not waive any confidentiality or privilege. CSFB
retains and monitors electronic communications sent through its network.
Instructions transmitted over this system are not binding on CSFB until they
are confirmed by us. Message transmission is not guaranteed to be secure.

==



RE: [ActiveDir] AD Site Confusion

2005-03-30 Thread Mulnick, Al
Always good advice.  You can read some details and the registry keys about
it here (for 2000 in this case):
http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/adplan/adpch02.mspx

I would have to say to the original poster's question that the likely
failure results more from lack of DNS resolution than lack of a DC/GC since
one exists in site B or C most likely (that should be checked of course).  

Which leads to an interesting design issue that often gets missed.  If you
configured your clients to only use the local AD integrated DNS thinking you
were saving bandwidth, then you would fail if the DC were down.  That would
be self-defeating although you would technically be saving bandwidth.

I think as David points out, it's best to configure some controls in there
and cause it to use a known path vs. using something in a different site
that may be across a slow link, if possible.   

My $0.04 worth anyway.

-ajm



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Wednesday, March 30, 2005 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion

A common thing to do in a 'hub and spoke' network is to configure the DCs in
'spoke' sites to NOT register domain-wide SRV records.  That way, if the DC
in a spoke site goes down, the client will discover domain-wide SRV records
for only DCs in the hub site.  This prevents the client from authenticating
to a DC in some other spoke site.  If the hub-to-spoke links are relatively
slow, this can make a big difference, as it has to traverse only one slow
link instead of two.
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 29, 2005 11:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion


Jorge keeps saying it in different ways and I think people are missing the
point...

The coverage of neighboring sites occurs when there is no DC in the site, it
doesn't occur when a site's DCs are down. This is all keyed off of the site
containers in the configuration. I have seen DCs being promoed into a Domain
in a site and the DCs from other sites unregistering their records in that
site before the DC is even promoed up, all because the server object in the
site already replicated around.


So as Jorge has said

Look up local site DCs by DNS queries to Site based entries for the domain.
If none of those DCs are cool, ask for the global list of all DCs for the
domain and use one of those. It isn't the most efficient and you will find
odd things like clients in Florida hitting DCs in Seattle when there is
another DC in another city in Florida that would be better to use. The idea
seems to be if you can't use a DC in your site, screw it, use any DC that
responds. This is one of the reasons why Exchange doesn't really use the
standard mechanism for DC/GC service location.
They walk the metrics of the site connections trying to find the closest.

  joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Tuesday, March 29, 2005 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion

Hi Neil,

Presuming the clients somehow have access to DNS (preferred or
alternate) they will first try to reach the DCs in their own site (site A).
As all DCs are down in site A the clients then will ask for all DCs in the
domain that have registered the domain specific DNS records.

For more info on this see:
* http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=37935
Authentication Topology by Gil Kirkpatrick
* http://www.windowsitpro.com/Windows/Article/ArticleID/40718/40718.html
Designing for DC Failover by Sean Deuby 

Autositecoverage only works for DC-less sites. So yes, it behaves
differently for situation 1 (autositecoverage will occur) and 2 (no
autositecoverage will occur)

Cheers
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Tuesday, 29 March 2005 11:56
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD Site Confusion

Thanks Jorge.

Are you implying that the answer to the original question is therefore 'no'?
This has huge ramifications in the branch office. Or did I simply explain
how the answer is 'yes', but for the wrong reasons??

Are you also saying that DCs (and sitecoverage) handle the following 2
scenarios in different ways: 1. No DCs installed in some site 2. DCs
installed in some site but non available

Can you expand on your previous post please?

Thanks,
neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: 29 March 2005 10:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion


I think that's incorrect if you're talking about autositecoverage.

RE: [ActiveDir] Accounts disappearing from AD

2005-03-29 Thread Mulnick, Al



Is it possible that the accounts were deleted during the 
replication issues and are now being propagated? 

Have you checked the deleted objects container to see if it 
exists there on any of the DC's (since replication was indicated, it might not 
hurt to check multiple DC's)? 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, March 29, 2005 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Accounts disappearing from AD


I only know because people come tell me that they lose connection to e-mail or
they can't login.

Example: yesterday a user logged in the AM then by mid-morning couldn't access
his exchange account, having seen a few accounts disappear I did a search in
AD and his account didn't come up but his exchange account obviously still
existed.

Recreated the account and re-attached the Mailbox and he's off and running
again.

If this were exchange I'd look at the SA and the Mailbox management tool and
the times they run to see if they were related but it's not related to
Exchange

Mike 






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 29, 2005 7:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Accounts disappearing from AD

How do you know when the accounts went missing?

Generally it would be a 
very bad thing for an account to go missing without a trace. I mean, at a 
minimum if it were deleted it would be stripped of attribute information and 
sent to the deleted objects graveyard. You would be able to look there and 
see the tombstoned items if that were the case using this method http://support.microsoft.com/?kbid=840001#6.

I was thinking that 
some of Joe's tools would let you look at this as well, but can't remember at 
the moment. 

Al





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, March 29, 2005 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Accounts disappearing from AD
In the past 2 months I've had 4 accounts that have just disappeared without a
trace from AD. I've turned up auditing on all my Domain controllers but I
haven't been able to find anything relevant.

I have 4 offices in WA, CA, NC, and NY. I did have some replication errors but
they have been fixed and none of the errors went past 60 days.
I also don't have a lot of group policies running or scripts that run (I just
recently inherited this environment); also I've made sure only a select few
people have rights to the Directory.

Has anyone seen this or had accounts 
that just seem to vanish? 

Thanks in advance. 


Mike 




RE: [ActiveDir] Compelling arguments?

2005-03-29 Thread Mulnick, Al
Phil, you know he's for hire right?  He has a p*mp and everything last I
heard. :)


That said, it is interesting to see a regional specific approach to name
resolution.  Some like it, some don't.  I'd be interested to hear why, Joe
because I think it would depend on the company goals whether or not that
would make sense. 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Tuesday, March 29, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Compelling arguments?

Agreed. I'd love to get more info on your view on that though; get some more
details of how you would set it up in that type of environment given the
chance ;) The issue of geographic DNS isn't something I'd thought of unless
it was also attached to a multi domain geographic type forest (NA, Asia,
Europe etc.)

Phil

On Tue, 29 Mar 2005 12:20:06 -0500, Brent Westmoreland
[EMAIL PROTECTED] wrote:
 As always, thanks for the thorough reply, mate...



RE: [ActiveDir] LDAP search filter

2005-03-29 Thread Mulnick, Al
Yes.  When you create the query, choose the OU you want.  Then use a custom
query and use an LDAP filter search filter on the advanced tab. 

Make sense? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
Sent: Tuesday, March 29, 2005 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP search filter

Does anyone know how to create an LDAP search filter I can use within a
Saved Query of ADUC that will list the users in an OU?  I can do this with
VBScript, but I am looking for a way to do this within ADUC.

Thanks,
Shawn



RE: [ActiveDir] LDAP search filter

2005-03-29 Thread Mulnick, Al
The filter I used was 

(&(objectClass=User)(objectCategory=Person)) and I set the filter to the OU
I wanted (it's on the first panel of the query editing).  The query was
entered into the custom search | advanced tab section.

That returns all the user objects at the level in the tree specified. In
your case from the OU level down. 

I get one that looks like this:



Better?  If not, create the Query and then export it and send it offline if
you're able.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
Sent: Tuesday, March 29, 2005 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP search filter

I end up with something like this but get no information 

(((ou=)(name=Comit*))(objectClass=user)(name=*))

This is not a filter from what I can tell

 Mulnick, Al [EMAIL PROTECTED] 03/29/05 03:46PM 
Yes.  When you create the query, choose the OU you want.  Then use a custom
query and use an LDAP filter search filter on the advanced tab. 

Make sense? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
Sent: Tuesday, March 29, 2005 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP search filter

Does anyone know how to create an LDAP search filter I can use within a
Saved Query of ADUC that will list the users in an OU?  I can do this with
VBScript, but I am looking for a way to do this within ADUC.

Thanks,
Shawn


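Why the objectCategory term in Al's filter matters, as an added example that is not code from the thread: the Python below parses RFC 4515 filters like the one above and evaluates them against a constructed sample directory, showing that (objectClass=user) on its own also returns computer accounts, that an empty value such as (ou=) matches nothing, and how picking an OU scopes the query. objectCategory is stored here by its short class name, standing in for AD's expansion of that name to the schema DN.

```python
import re

# Constructed sample directory (not real data). In AD objectClass is multi-valued
# and a computer account's class chain includes "user", which is why
# (objectClass=user) alone also returns machine accounts. objectCategory is
# single-valued; AD lets a filter give the short class name and expands it to
# the schema DN, modelled here by simply storing the short name.
SAMPLE_OBJECTS = [
    {"dn": "CN=Alice,OU=Staff,DC=example,DC=com", "name": "Alice",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": "person"},
    {"dn": "CN=Bob,OU=Contractors,DC=example,DC=com", "name": "Bob",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": "person"},
    {"dn": "CN=WS01,OU=Staff,DC=example,DC=com", "name": "WS01",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "objectCategory": "computer"},
    {"dn": "CN=Comit Team,OU=Staff,DC=example,DC=com", "name": "Comit Team",
     "objectClass": ["top", "group"], "objectCategory": "group"},
]


def parse_filter(text):
    """Parse an RFC 4515 filter into ('&'|'|', [children]), ('!', [child]) or
    ('=', attr, value). Equality, substring and presence items only."""
    def item(i):
        if i + 1 >= len(text) or text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        op = text[i + 1]
        if op in "&|!":
            i += 2
            children = []
            while i < len(text) and text[i] == "(":
                child, i = item(i)
                children.append(child)
            if i >= len(text) or text[i] != ")" or not children:
                raise ValueError("unterminated %r expression" % op)
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children), i + 1
        end = text.find(")", i)
        if end < 0:
            raise ValueError("missing ')'")
        attr, sep, value = text[i + 1:end].partition("=")
        if not sep or not attr:
            raise ValueError("unsupported filter item %r" % text[i:end + 1])
        return ("=", attr.strip(), value), end + 1

    node, pos = item(0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _values(obj, attr):
    """Attribute lookup, case-insensitive on the name, always a list of values."""
    for key, val in obj.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(node, obj):
    op = node[0]
    if op == "&":
        return all(matches(c, obj) for c in node[1])
    if op == "|":
        return any(matches(c, obj) for c in node[1])
    if op == "!":
        return not matches(node[1][0], obj)
    _, attr, pattern = node
    values = _values(obj, attr)
    if pattern == "*":                       # presence filter, e.g. (name=*)
        return bool(values)
    # '*' inside a value is a substring wildcard; everything else is literal.
    # An empty value, as in (ou=), can only match an empty attribute value.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def search(filter_text, objects=SAMPLE_OBJECTS, base_dn=None):
    """DNs matching filter_text, optionally restricted to the subtree under
    base_dn, which is what choosing an OU on the saved query's first page does."""
    node = parse_filter(filter_text)
    hits = []
    for obj in objects:
        if base_dn and not obj["dn"].lower().endswith("," + base_dn.lower()):
            continue
        if matches(node, obj):
            hits.append(obj["dn"])
    return hits


if __name__ == "__main__":
    for f in ["(objectClass=user)", "(&(objectClass=user)(objectCategory=person))"]:
        print(f, "->", search(f))
```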


RE: [ActiveDir] Storing dates in AD

2005-03-29 Thread Mulnick, Al



I think it still depends on how you intend to use the data.

For example, if you're going to pull other information of 
similar type (maybe pwdLastSet?) it would make sense to use the same 
format.

Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

We are going to be modifying the field programmatically so 
from what Gil said it sounds like the large integer method is appropriate. 
As a follow-up question, do you think I should use nanoseconds from the Jan 2, 
1970 (UNIX style) or January 1, 1601 (The date used by 
pwdLastSet)?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Bingo, how is the data going to be used? I definitely 
agree, don't come up with your own format unless you have some amazing scheme 
that blows all of the other formats out of the water that makes it the best 
thing to do. Not saying you aren't going to come up with something amazing but I 
would guess the odds are against you. Anything you put into the directory, keep 
it in UTC. Less confusion that way.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 28, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Depends on the domain of the date values, and how they are 
used. If the dates will be passed along to other X.500/LDAP type directories, 
you probably should use the Generalized Time syntax (2.5.5.11). If the dates are 
manipulated programmatically, use the long integer representation. It's pretty 
trivial to manipulate it as a date in your code. I'd avoid using a string 
representation unless your code requires a funny string format or unless it 
requires unusual date values like "today", "yesterday", or "when hell freezes 
over" (we use the latter for setting development dates for certain silly feature 
requests in our products :)

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, March 28, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Storing dates in AD

I'm looking for some opinions on a schema extension. I need to store a date
type in AD. I figure I have several options:

1. Store it as a long integer. To determine the date the consumer will need to
   count the nanoseconds from a certain date (the way that pwdLastSet works).
2. Store it as a date type (which I've never used, and looking at the current
   schema it appears that most people do not choose this option).
3. Store it as a unicode string and come up with a format like: MMDD[ss][ss]

Does anyone have an opinion on how this should be done?
Thanks
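As an added example that is not code from the thread: the large-integer representation Gil recommends is the one pwdLastSet uses, a count of 100-nanosecond ticks since 1601-01-01 00:00:00 UTC (the Windows FILETIME epoch). The Python below converts between that, POSIX seconds since 1970, and the Generalized Time syntax, and rejects naive datetimes so that only UTC ever reaches the directory, as joe advises. The sample timestamp is constructed.

```python
from datetime import datetime, timedelta, timezone

# AD large-integer timestamps (pwdLastSet, lastLogonTimestamp, accountExpires)
# count 100-nanosecond intervals since 1601-01-01 00:00:00 UTC, the Windows
# FILETIME epoch: 10,000,000 ticks per second, not whole nanoseconds.
TICKS_PER_SECOND = 10_000_000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Seconds between the two epochs (11644473600), computed rather than typed.
EPOCH_OFFSET_SECONDS = int((UNIX_EPOCH - FILETIME_EPOCH).total_seconds())
# accountExpires uses both 0 and 0x7FFFFFFFFFFFFFFF to mean "never".
NEVER = 0x7FFF_FFFF_FFFF_FFFF


def filetime_to_datetime(ticks):
    """AD large integer -> timezone-aware UTC datetime (None for 'never')."""
    if ticks in (0, NEVER):
        return None
    # timedelta has microsecond resolution, so 100 ns ticks become microseconds.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> AD large integer. Naive values are refused so a
    local-time reading can never be written into the directory by mistake."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware; store UTC only")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
            + delta.microseconds * 10)


def filetime_to_unix(ticks):
    """AD large integer -> POSIX seconds (the 1970 epoch asked about above)."""
    return ticks // TICKS_PER_SECOND - EPOCH_OFFSET_SECONDS


def unix_to_filetime(seconds):
    """POSIX seconds -> AD large integer."""
    return (seconds + EPOCH_OFFSET_SECONDS) * TICKS_PER_SECOND


def to_generalized_time(dt):
    """Generalized Time in the form AD itself writes for whenCreated and friends."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")


def from_generalized_time(text):
    """Parse a UTC Generalized Time value such as 20050328154400.0Z."""
    if not text.endswith("Z"):
        raise ValueError("only UTC ('Z') Generalized Time values are accepted")
    base = text[:-1].split(".")[0]            # drop the optional fraction
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    sample = datetime(2005, 3, 28, 15, 44, tzinfo=timezone.utc)  # constructed
    ticks = datetime_to_filetime(sample)
    print(ticks, filetime_to_unix(ticks), to_generalized_time(sample))
```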


RE: [ActiveDir] Kerberos and proxy servers

2005-03-29 Thread Mulnick, Al



Are you trying to auth to the proxy server itself with 
IE?



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 3:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos and proxy servers

Hello, 
I was wondering if anyone knows why Microsoft removed 
kerb auth to a proxy from Internet Explorer. I believe that they did 
support it with the early versions of IE5.
Here's the MS explanation (which really isn't an 
explanation) http://support.microsoft.com/kb/321728/EN-US/ 
What possible reason could exist for them to remove 
this feature? Does anyone know if there's a way to make it work? 

Thanks 


RE: [ActiveDir] Recover DL membership

2005-03-28 Thread Mulnick, Al
Help me remember: Why is it that we wouldn't be able to move a user across
an AG? I can understand not being able to move a server across an AG
boundary, but a user doesn't make sense to me in a native org. 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, March 28, 2005 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Sure you can _move_ the mail-enabled _user_ account from one domain across
to another, which should be your preferred method (using ADMT works fine for
this task). This will ensure least impact on the user as most of his
group-memberships (usually all DLs, as these should be UGs) will stay
intact.

You're correct in thinking that you can't move the mailbox itself to a
different Admin Group in E2k, but you'll just have to follow a different
process for this part of the user's move (e.g. via exmerge) - this will have
no influence on the DLs.  Once you've upgraded to E2k3, you can then also
move the mailbox to a different admin group (yet the user account still
needs to be moved separately).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, 23 March 2005 23:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

This was a Windows 2000 domain with Exchange 2000, and I don't think you can
move mailbox accounts across Admin Groups (which is what we have for each
domain). Correct me if I'm wrong, but wouldn't we have to upgrade to
Exchange 2003 to accomplish this?

-Devon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, March 23, 2005 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recover DL membership

If the user was deleted from the old domain and recreated in the new one
then I would say no.

Why was this process followed and not a Move or a Migration?

Phil


On Wed, 23 Mar 2005 12:53:30 -0500, Harding, Devon
[EMAIL PROTECTED] wrote:
 
 
 I had a user that was moved from one child domain to another.  The user was
 deleted and added.  Is there any way to recover the group membership of that
 user in the old domain?
 
 -Devon


RE: [ActiveDir] Recover DL membership

2005-03-28 Thread Mulnick, Al
There are some new migration tools that are aimed at moving users between
sites (5.5 term) which is the lowest common denominator in a mixed mode org.
They're better than exmerge or admt, but not a lot different under the
covers (it takes care of a lot of the other housekeeping that would
otherwise be needed if you used one of the other non-specific tools such as
public folders and so on).



Thanks Guido, I was about to have to rewrite a lot of migration information
relating to strategies :) 


Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, March 28, 2005 4:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Oops - sorry guys - of course everything changes with Exchange in native mode
- I'm still so much used to global-never-ending Exchange Migrations (i.e.
mixed mode Orgs), where you can only move the mailboxes around within the
same AG/site - correct me if I'm wrong, but I believe even this has changed
with E2k3 SP1 (I think you're now even able to move single mailboxes across
AGs/Sites in mixed mode...). 

But Devon's Org is E2k anyways and who knows, maybe it's still running in
mixed mode as well.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Montag, 28. März 2005 16:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Yeah I believe in Native mode there should be no issues in cross-AG mailbox
moves. I am sure I have done this at least in test and probably in
production. 

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 28, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Help me remember: Why is it that we wouldn't be able to move a user across
an AG? I can understand not being able to move a server across an AG
boundary, but a user doesn't make sense to me in a native org. 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, March 28, 2005 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Sure you can _move_ the mail-enabled _user_ account from one domain across
to another, which should be your preferred method (using ADMT works fine for
this task). This will ensure least impact on the user as most of his
group-memberships (usually all DLs, as these should be UGs) will stay
intact.

You're correct in thinking that you can't move the mailbox itself to a
different Admin Group in E2k, but you'll just have to follow a different
process for this part of the user's move (e.g. via exmerge) - this will have
no influence on the DLs.  Once you've upgraded to E2k3, you can then also
move the mailbox to a different admin group (yet the user account still
needs to be moved separately).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Mittwoch, 23. März 2005 23:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

This was a Windows 2000 domain with Exchange 2000, and I don't think you can
move mailbox accounts across Admin Groups (which is what we have for each
domain). Correct me if I'm wrong, but wouldn't we have to upgrade to
Exchange 2003 to accomplish this?

-Devon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, March 23, 2005 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recover DL membership

If the user was deleted from the old domain and recreated in the new one
then I would say no.

Why was this process followed and not a Move or a Migration?

Phil


On Wed, 23 Mar 2005 12:53:30 -0500, Harding, Devon
[EMAIL PROTECTED] wrote:
 
 
 I had a user that was moved from one child domain to another.  The
user was
 deleted and added.  Is there any way to recover the group membership
of that
 user in the old domain?
 
  
 
 -Devon
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Track Network Logins

2005-03-28 Thread Mulnick, Al
Can you give some more background about what they want to see?  When you say
logon duration, what does that mean to the managers and is there some other
reason they want to see that information other than for reporting? 

I ask that because some users don't log out, but rather lock the
workstations.  That might throw the reporting off. 
If they don't do that, you may get away with doing this in logon and logoff
scripts easier than any other method.  Some of that logon information is
collected in the audit log settings, but that could be a pain to get to.
It's also kept in the lastlogon attribute for logon.  Logoff is not
currently implemented last I checked (haven't checked in a while, but..) but
could still be used I would imagine depending on the environment. 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Monday, March 28, 2005 4:03 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Track Network Logins

AD 2000,
 
I've had a request from management to log how long someone is logged into
the domain.  Can this be done without a third party utility?
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
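Added example, not part of the thread and not a script either poster mentioned: a Python sketch of the logon/logoff accounting Al describes, done from the security log rather than from logon scripts. Windows 2000 writes event 528 (successful logon, carrying a logon type) and 538 (logoff) to the security log of the machine where the logon happened, so this data has to be collected from the workstations, not from the DC; the lastLogon attribute Al mentions is updated only on the DC that serviced the logon and is not replicated, so it would have to be read from every DC. The code pairs events by Logon ID and, as Al warns, shows the gap left by a user who locks the workstation instead of logging off. The sample events are constructed.

```python
"""Added example, not code from the thread: pair Windows 2000 security-log
logon/logoff events by Logon ID to compute interactive session duration.
Events are constructed inline to stand in for a parsed security log."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Windows 2000 / 2003 security event IDs (pre-Vista numbering)
LOGON_OK, NETWORK_LOGON, LOGOFF = 528, 540, 538
INTERACTIVE, NETWORK, UNLOCK = 2, 3, 7          # logon types


@dataclass
class Event:
    when: datetime
    event_id: int
    user: str
    logon_type: int
    logon_id: str        # unique per logon session on that machine, e.g. "(0x0,0x3E7A1)"


@dataclass
class Session:
    user: str
    start: datetime
    end: Optional[datetime]    # None: no 538 seen (still logged on, locked, or log wrapped)

    def duration(self) -> Optional[timedelta]:
        return None if self.end is None else self.end - self.start


def build_sessions(events):
    """Open a session on an interactive 528, close it on the 538 carrying the
    same Logon ID.  Type-3 network logons (share access) and type-7 unlocks get
    their own Logon IDs and are deliberately not counted as sessions."""
    open_sessions, closed = {}, []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.event_id == LOGON_OK and ev.logon_type == INTERACTIVE:
            open_sessions[ev.logon_id] = Session(ev.user, ev.when, None)
        elif ev.event_id == LOGOFF and ev.logon_id in open_sessions:
            s = open_sessions.pop(ev.logon_id)
            s.end = ev.when
            closed.append(s)
    return closed + list(open_sessions.values())


def duration_report(events):
    """Return ({user: seconds of closed sessions}, {user: sessions with no logoff}).
    A user who locks the workstation instead of logging off lands in the second
    dict, which is the reporting gap the thread warns about."""
    totals, still_open = {}, {}
    for s in build_sessions(events):
        if s.end is None:
            still_open[s.user] = still_open.get(s.user, 0) + 1
        else:
            totals[s.user] = totals.get(s.user, 0) + int(s.duration().total_seconds())
    return totals, still_open


def sample_events():
    """Constructed log excerpt for one workstation, not real data."""
    t = datetime(2005, 3, 28, 8, 0)
    return [
        Event(t, LOGON_OK, "alice", INTERACTIVE, "(0x0,0x3E7A1)"),
        Event(t + timedelta(minutes=5), NETWORK_LOGON, "alice", NETWORK, "(0x0,0x3F000)"),
        Event(t + timedelta(hours=1), LOGON_OK, "alice", UNLOCK, "(0x0,0x40123)"),
        Event(t + timedelta(hours=1), LOGOFF, "alice", UNLOCK, "(0x0,0x40123)"),
        Event(t + timedelta(hours=8, minutes=30), LOGOFF, "alice", INTERACTIVE, "(0x0,0x3E7A1)"),
        Event(t, LOGON_OK, "bob", INTERACTIVE, "(0x0,0x3E9B2)"),   # bob locks and goes home
    ]


if __name__ == "__main__":
    print(duration_report(sample_events()))   # ({'alice': 30600}, {'bob': 1})
```

Anything still open at report time is ambiguous: the user may be working, may have locked the machine for the night, or the log may have wrapped before the 538 was written, which is why a logoff script (or a forced logoff policy) gives cleaner numbers than the audit log alone.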


RE: [ActiveDir] OT (sort of) ADC entry in Active Directory

2005-03-25 Thread Mulnick, Al
There's no point in deleting it either.  You could, but why mess with it? In
native mode, it won't matter. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 25, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT (sort of) ADC entry in Active Directory

Not sure if you can delete it or not, however a raw forest with Exchange
loaded without ever using ADC will have the Active Directory Connections
container.
 
   joe



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Friday, March 25, 2005 8:22 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT (sort of) ADC entry in Active Directory



Everyone, 
We recently switched over to Exchange 2000 Native mode
(successfully) making sure to remove config_ca, srs databases, and then
uninstalling the Active Directory Connector from all the servers within our
organization.  Switched to Exchange 2000 Native mode and waited for
replication and all of the features of Exchange 2000 Native mode are present
ie everything is running smoothly.  I was using ADSI Edit to check some
things in the configuration container and noticed we still have a container
called Active Directory Connections under Services\Microsoft Exchange.  In
the container there is one object called Default ADC Policy.  I figured when
we switched over it would be removed, nope.  Anyone have any ideas as to
what I should do?  Delete it? Leave it?  It does not seem to be bother
anything within our Exchange organization just bother me :^)

Jeremy 

-
Jeremy Burkes
Strategic Systems Program
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270 

All that is necessary for the forces of evil to win in the world is for
enough good men to do nothing. - Edmund Burke 

It is not how many times you get knocked down, it is how many times you get
back up. - Vince Lombardi 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] LDAPS part 2

2005-03-23 Thread Mulnick, Al
Which LDAP traffic are you thinking of? 

Typically LDAP traffic is passed by an application/client for the purpose of
either white pages type lookup or for identification and authentication.
LDAP authentication, by its nature, is insecure.  It passes credentials in
the clear on the wire.  

Did you have some other communication in mind?

Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, March 22, 2005 11:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAPS part 2

I am feeling lost right now. 

 

Without LDAP over SSL enabled, does AD pass LDAP traffic around in plain
text? If so, exactly what information would that be (that is being passed in
clear text)?

 

I have been wondering if I should implement a CA and LDAP over SSL, but I
guess I don't know all the implications. 

 

If anyone knows of a good document, that should suffice.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
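Added example, not from the thread: what "credentials in the clear" means at the byte level. The Python below encodes an LDAPv3 BindRequest in the RFC 4511 BER layout and then reads it back the way a passive sniffer on port 389 would, recovering the bind DN and password from a simple bind. A SASL bind (what Windows clients use against AD by default, carrying a Kerberos or NTLM token instead of the password) gives the same parser nothing reusable, which is the distinction to keep in mind when deciding whether LDAPS is needed for a given application. Nothing is sent on the network; the DN and password are made up.

```python
"""Added example, not code from the thread: encode an LDAPv3 BindRequest
(RFC 4511, BER) and 'sniff' it back, to show what a simple bind exposes on a
port-389 connection without TLS.  All inputs are constructed; nothing is sent."""


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER, non-negative values only (enough for messageID and version)."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }"""
    bind = (ber_int(3)
            + tlv(0x04, dn.encode())            # name: LDAPDN as OCTET STRING
            + tlv(0x80, password.encode()))     # authentication: simple [0] OCTET STRING
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, bind))   # 0x60 = [APPLICATION 0] SEQUENCE


def sasl_bind_request(msg_id: int, mechanism: str, token: bytes) -> bytes:
    """Same message with authentication: sasl [3] { mechanism, credentials }.
    With GSSAPI (Kerberos) the credentials are a ticket-based token, not the password."""
    sasl = tlv(0xA3, tlv(0x04, mechanism.encode()) + tlv(0x04, token))
    bind = ber_int(3) + tlv(0x04, b"") + sasl
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, bind))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def sniff_simple_bind(packet: bytes):
    """What a passive observer recovers from one cleartext LDAP PDU:
    (bind DN, password) for a simple bind, None for anything else."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        return None
    _, _, pos = read_tlv(msg, 0)           # messageID
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:                        # not a BindRequest (search, modify, ...)
        return None
    _, _, pos = read_tlv(bind, 0)          # version
    _, dn, pos = read_tlv(bind, pos)
    tag, cred, _ = read_tlv(bind, pos)
    if tag != 0x80:                        # [3] sasl: no reusable secret here
        return None
    return dn.decode(), cred.decode()


if __name__ == "__main__":
    pkt = simple_bind_request(1, "CN=svc-ldap,OU=Service,DC=example,DC=com", "Winter2005!")
    print(pkt.hex())                       # the password is plainly visible in the hex
    print(sniff_simple_bind(pkt))
    print(sniff_simple_bind(sasl_bind_request(2, "GSSAPI", b"\x60\x00")))
```

The practical check is to capture a few minutes of port 389 traffic from the application in question and look for tag 0x60 PDUs with a context-0 (0x80) credential: those are the simple binds that LDAPS (or a switch to a SASL mechanism) would protect. Search results are also cleartext on 389, so LDAPS matters for anything sensitive the application reads, not only for the bind.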


RE: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration

2005-03-23 Thread Mulnick, Al
And when you say duplicates names, are they representing different users or
the same users from different forests?   

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, March 23, 2005 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [Active Dir] Handling Duplicate Accounts During
domain Migration





Yes, all of these domain are in the same forest. We have an empty root
domain, MSROOT.domain and one tree in the forest, DOMAIN.com and 3 child
domains, FM.domain.com, MI.domain.com and RA.domain.com.  The forest
functional level is Windows 2000 while the domain functional level of
MSROOT.domain and DOMAIN.com is Windows 2003. I raised it from Windows 2000
Native after the upgrade.

The accounts all follow the same naming standard across all domains.




   
From: Phil Renouf [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Date: 03/23/2005 10:21 AM
Subject: Re: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration
Reply-To: ActiveDir@mail.activedir.org




Are they all in the same forest? You mentioned child domains so I assume
they are, but I just wanted to check. Do the accounts follow the same naming
standard across all the domains? You mention the target domain is Windows
2003 Native, I assume this means Windows 2003 in Win2k Native mode?

Phil


On Wed, 23 Mar 2005 10:00:06 -0500, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:


  We are currently trying to migrate all of our child domains into 
 one single domain. There are 3 child domains, 2 of which are Windows 
 2000 native and 1 is Windows 2000 Mixed. The target domain is Windows 
 2003 Native. We plan to use ADMT v2 for the planned migrations.
   There were many different project teams, each with a hand in AD, 
 before I arrived. When an account was needed in a particular domain it
was
 just created, even though there were obviously trusts in place.  Now I
have
 1,000's of duplicate user ID's in the target domain. How would I go 
 about merging the accounts in the child domains with the accounts in 
 the target domain?

 Thanks,
  Chris




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration

2005-03-23 Thread Mulnick, Al
So merge is the correct term then?  

It's been a while, but I was thinking that ADMT could handle that.  Have you
checked the help files for merging source to target? 

al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, March 23, 2005 12:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration





These are the same users in the same forest, but in different domains.




   
From: Mulnick, Al [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Date: 03/23/2005 12:06 PM
Subject: RE: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration
Reply-To: ActiveDir@mail.activedir.org




And when you say duplicates names, are they representing different users or
the same users from different forests?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, March 23, 2005 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [Active Dir] Handling Duplicate Accounts During
domain Migration





Yes, all of these domain are in the same forest. We have an empty root
domain, MSROOT.domain and one tree in the forest, DOMAIN.com and 3 child
domains, FM.domain.com, MI.domain.com and RA.domain.com.  The forest
functional level is Windows 2000 while the domain functional level of
MSROOT.domain and DOMAIN.com is Windows 2003. I raised it from Windows 2000
Native after the upgrade.

The accounts all follow the same naming standard across all domains.





From: Phil Renouf [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Date: 03/23/2005 10:21 AM
Subject: Re: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration
Reply-To: ActiveDir@mail.activedir.org






Are they all in the same forest? You mentioned child domains so I assume
they are, but I just wanted to check. Do the accounts follow the same naming
standard across all the domains? You mention the target domain is Windows
2003 Native, I assume this means Windows 2003 in Win2k Native mode?

Phil


On Wed, 23 Mar 2005 10:00:06 -0500, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:


  We are currently trying to migrate all of our child domains into 
 one single domain. There are 3 child domains, 2 of which are Windows 
 2000 native and 1 is Windows 2000 Mixed. The target domain is Windows
 2003 Native. We plan to use ADMT v2 for the planned migrations.
   There were many different project teams, each with a hand in AD, 
 before I arrived. When an account was needed in a particular domain it
was
 just created, even though there were obviously trusts in place.  Now I
have
 1,000's of duplicate user ID's in the target domain. How would I go 
 about merging the accounts in the child domains with the accounts in 
 the target domain?

 Thanks,
  Chris

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] [Active Dir] Handling Duplicate Accounts During domain Migration

2005-03-23 Thread Mulnick, Al
According to the docs they do work for intraforest as well.  It's just been
so long since I've used it I can't remember exactly which path you want in
this situation.  

ADMT is a valid tool for domain consolidation (which is essentially what
you're doing).  The naming conflicts settings are possibly what you're
looking for.  Rings a bell.  But it's been a while. 

What you really really want is something that can look at the
samaccountnames and merge the settings together in a smart way (vs clubbing
it right?) 

It's possible you should check with management and the consultant to make
sure you're all seeing the same things.  :)

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, March 23, 2005 4:23 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [Active Dir] Handling Duplicate Accounts During d
omain Migration

As does ADMT and NetIQ, but does that apply for Intraforest migrations as
well?

Phil


On Wed, 23 Mar 2005 12:59:48 -0800, Nathan Casey [EMAIL PROTECTED]
wrote:
 Quest's Domain Migration Wizard has options to handle duplicate 
 accounts.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] SYSVOL Question

2005-03-22 Thread Mulnick, Al
That's an awesome explanation, but I think there is still the bit about how
to tell what sysvol the client ended up using. Funny thing is, outside of a
trace, I don't see that as information that's accessible. At least not
easily.  

I'm still curious however. 

Al   

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Monday, March 21, 2005 7:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SYSVOL Question

Domain controllers generate SYSVOL and NETLOGON referrals each time a client
requests a referral. By default, the list of domain controllers listed in a
SYSVOL or NETLOGON referral are sorted as follows:

All domain controllers in the client's site are grouped in random order at
the top of the list. 
Domain controllers outside of the client's site are listed in random order. 
It is possible to configure DFS to sort the domain controllers outside of
the client's site in order of lowest cost. You can enable this feature by
adding the SiteCostedReferrals registry entry on each domain controller and
then restarting the DFS service on each domain controller. The DFS service
then obtains site cost information for all domain controllers and stores
this information in its site cost cache.

SiteCostedReferrals
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dfs\Parameters\

Version   Domain controllers running Windows Server 2003.

When set to 0 (the default), SYSVOL and NETLOGON referrals contain domain
controllers in the client's site listed first in random order, followed by a
random list of domain controllers. When set to 1, SYSVOL and NETLOGON
referrals sort domain controllers in order of lowest cost. Domain
controllers in the client's site are at the top of the referral list,
followed by domain controllers sorted by lowest cost. 
 
Cheers
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: Tuesday, March 15, 2005 21:31
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SYSVOL Question

I have a question...

When a user is authenticating to AD, what mechanism directs him to a
particular instance of SYSVOL?  And is there some way to actually see which
DC the client will be preferring?

I ask this because Microsoft has recently told me that in certain
circumstances, clients will always choose a different DC for SYSVOL than the
one they choose for authentication.  But I don't know how to actually see
that list so I'll know which ones are being preferred.

Thanks in advance,

Scott
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
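Added example, not from the thread or from Microsoft's documentation: a small Python model of the referral ordering Jorge quotes, so the effect of SiteCostedReferrals can be seen side by side. Sites, DCs and site-link costs are constructed; the site_cost helper stands in for reading the site-link objects out of the configuration partition.

```python
"""Added example, not code from the thread: model how the DFS service orders
domain controllers in a SYSVOL/NETLOGON referral, with and without
SiteCostedReferrals.  Sites, costs and DC names are constructed."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class DC:
    name: str
    site: str


# Constructed, symmetric site-link costs (assumption; a real implementation would
# read the siteLink objects under CN=Sites,CN=Configuration).
SITE_COST = {
    frozenset({"HQ", "Branch"}): 100,
    frozenset({"HQ", "DR"}): 500,
    frozenset({"Branch", "DR"}): 600,
}


def site_cost(a: str, b: str) -> int:
    return 0 if a == b else SITE_COST[frozenset({a, b})]


def referral_order(dcs, client_site, site_costed_referrals=0, rng=None):
    """Return the referral list a client in `client_site` would receive.
    0 (default): in-site DCs in random order, then the rest in random order.
    1:           in-site DCs first, then the rest sorted by lowest site cost."""
    rng = rng or random.Random()
    local = [d for d in dcs if d.site == client_site]
    remote = [d for d in dcs if d.site != client_site]
    rng.shuffle(local)
    rng.shuffle(remote)
    if site_costed_referrals:
        # sort is stable, so DCs in equally expensive sites keep their random order
        remote.sort(key=lambda d: site_cost(client_site, d.site))
    return local + remote


DCS = [DC("DC1", "HQ"), DC("DC2", "HQ"), DC("DC3", "Branch"), DC("DC4", "DR")]


def first_hop_site(client_site, site_costed_referrals, trials=200, seed=1):
    """Set of sites seen at the head of the referral across many referrals; the
    head is the target a client uses as long as it can reach it."""
    rng = random.Random(seed)
    return {referral_order(DCS, client_site, site_costed_referrals, rng)[0].site
            for _ in range(trials)}


def remote_sites(client_site, site_costed_referrals, seed=1):
    """Order in which out-of-site DCs appear, i.e. where a client goes once its
    own site's DCs are unreachable: random with 0, nearest first with 1."""
    rng = random.Random(seed)
    return [d.site for d in referral_order(DCS, client_site, site_costed_referrals, rng)
            if d.site != client_site]


if __name__ == "__main__":
    print("Branch client, default:", remote_sites("Branch", 0, seed=7))
    print("Branch client, costed: ", remote_sites("Branch", 1))
```

Either way, a client with a reachable in-site DC never leaves its site for SYSVOL; the setting only changes where it goes when none of them answers. As for the open question of which target a client actually ended up with, dfsutil /pktinfo from the Support Tools dumps the client's referral cache, including the \\domain\SYSVOL entry and which of its targets is marked active.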


RE: [ActiveDir] Password Expiration Prompt

2005-03-22 Thread Mulnick, Al
I've used this in that situation.  You can change it from the three days on
there to whatever you like and since it uses subtree search, you can use
either a specific OU or the entire domain directory if you want.  It is per
domain. 

The script will email a notification with a link to the web page vs. doing a
popup (so email is important right?) You would also have to turn off the
notification in the domain to prevent the confusion.  

I use this script for users in a different forest than the one their
workstation is in.  

http://www.houseofqueues.com/CodeSamples/PassCheck.txt

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, March 22, 2005 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password Expiration Prompt





  In our environment we use a product called Passport to synchronize
password changes across multiple accounts. Our users are aware of this
product and the procedures required for making a password change, however,
the Default Domain GPO specifies that the user will be notified to change
their password 5 days before expiration. When a user logs in and sees this
message they become confused and frustrated because they think this change
will apply to all accounts and passwords, which it does not. Is there a
script or setting I can change that will notify the user it is time for a
password change and take them directly to the Passport website to change
their password?

Thanks,
  Chris

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
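Added example, not the PassCheck script Al links to: the core calculation any such script has to get right, written in Python with constructed users in place of the LDAP subtree search. pwdLastSet is a FILETIME (100-ns ticks since 1601-01-01 UTC), maxPwdAge on the domain object is a negative interval in the same units, and three userAccountControl cases change the answer: disabled accounts, DONT_EXPIRE_PASSWD, and pwdLastSet of 0 (must change at next logon). The 42-day policy, the three-day window and the accounts are assumptions.

```python
"""Added example, not the PassCheck script from the thread: compute when an AD
password expires from pwdLastSet, the domain's maxPwdAge and userAccountControl,
and filter a subtree search result down to the accounts to e-mail.  Users below
are constructed; in practice they come from an LDAP query."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002            # userAccountControl bits
UF_DONT_EXPIRE_PASSWD = 0x10000
NEVER_EXPIRES = -(2 ** 63)            # maxPwdAge sentinel for "passwords never expire"


def filetime_to_datetime(ft: int) -> datetime:
    """AD stores timestamps as 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    td = dt - FILETIME_EPOCH          # integer arithmetic: floats lose ticks at this magnitude
    return ((td.days * 86400 + td.seconds) * 10 ** 6 + td.microseconds) * 10


def password_expires_at(pwd_last_set: int, max_pwd_age: int, uac: int):
    """Return the expiry instant, or None if the password never expires.
    maxPwdAge is a negative interval (100-ns ticks), so subtracting it adds."""
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age == NEVER_EXPIRES:
        return None
    if pwd_last_set == 0:             # "must change password at next logon"
        return FILETIME_EPOCH
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


def users_to_notify(users, max_pwd_age: int, now: datetime, within_days: int = 3):
    """From a subtree search result, pick enabled accounts whose password
    expires within `within_days` (the thread's script defaults to three).
    Returns (sAMAccountName, mail, days left) tuples."""
    horizon = now + timedelta(days=within_days)
    out = []
    for u in users:
        if u["userAccountControl"] & UF_ACCOUNTDISABLE:
            continue
        exp = password_expires_at(u["pwdLastSet"], max_pwd_age, u["userAccountControl"])
        if exp is not None and now <= exp <= horizon:
            out.append((u["sAMAccountName"], u["mail"], (exp - now).days))
    return out


NOW = datetime(2005, 3, 22, 9, 30, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * 24 * 3600 * 10 ** 7          # assumed 42-day policy, as AD stores it


def sample_users():
    """Constructed stand-ins for LDAP results (not real accounts)."""
    def set_days_ago(d):
        return datetime_to_filetime(NOW - timedelta(days=d))
    normal = 0x200                                # UF_NORMAL_ACCOUNT
    return [
        {"sAMAccountName": "alice", "mail": "alice@example.com",
         "pwdLastSet": set_days_ago(40), "userAccountControl": normal},
        {"sAMAccountName": "bob", "mail": "bob@example.com",
         "pwdLastSet": set_days_ago(20), "userAccountControl": normal},
        {"sAMAccountName": "svc", "mail": "svc@example.com",
         "pwdLastSet": set_days_ago(400), "userAccountControl": normal | UF_DONT_EXPIRE_PASSWD},
        {"sAMAccountName": "carol", "mail": "carol@example.com",
         "pwdLastSet": set_days_ago(41), "userAccountControl": normal | UF_ACCOUNTDISABLE},
        {"sAMAccountName": "dave", "mail": "dave@example.com",
         "pwdLastSet": 0, "userAccountControl": normal},
    ]


if __name__ == "__main__":
    for name, mail, days in users_to_notify(sample_users(), MAX_PWD_AGE, NOW):
        print(f"mail {mail}: password for {name} expires in {days} day(s)")
```

Two things worth keeping when adapting this to a real query: read maxPwdAge from the domain head of the domain the users live in (it is per domain, as Al notes), and treat a blank mail attribute as a reason to fall back to the helpdesk list rather than silently skipping the user, since the whole scheme depends on the e-mail arriving.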


RE: [ActiveDir] Password Expiration Prompt

2005-03-22 Thread Mulnick, Al
Probably the only other way to manage that would be to change the GINA
(write a custom GINA) which is usually not manageable.  In this case, I
would have guessed that the lengthy leave of absence cases would be
manageable or at least acceptable.  

To recap what you have:
1) you've disabled the native notification
2) you send a message to the user letting them know their password is about
to expire in x days
3) you have a central password management tool product
4) exceptions such as lengthy absence are directed the helpdesk for further
action

It also seems that the user *could* change their password natively and then
have to change it at the central password tool.  That would be to grant them
access to the other non-AD controlled systems. That password change would
then flow back to AD, so they would have to log out and back in with the new
credentials but have the downside of changing the password twice. 

Outside of a different architecture for that type of solution (integration
with a single, most commonly used directory for example) or rewriting the
GINA on the desktops (what a PITA to manage), I would say process is the
only thing left to use that might help to better manage. 

Playing the odds, you would want to have a long password expiration time
with strong passwords and enough retry attempts to keep that number to a
manageable/acceptable level of helpdesk calls.  You may also want to
consider allowing the changes to process and policy to get the desired
result. 

My $0.04 anyway.   

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Olegario, Alan
Sent: Tuesday, March 22, 2005 10:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password Expiration Prompt

We're running a similar product and are looking at what options are
available to us.  An email script is good, but hypothetically, a user could
come back from vacation or from maternity leave, not check their email and
still get the pop up box to change their password when they come back.

In our testing we found that you set the password to never expire, but
actually expire the account, they will get a prompt that their account has
expired when they try to log in, but need to contact their SA for
assistance, or something to that effect.  At that point, there is an escape
sequence that the user can do to get to the password management system,
answer some challenge questions, and then change their password.
This will also unexpire their account.  Or they would contact our help desk
for instructions.  We're still using a script to email notifications to the
user, but actually using the same script to expire the account instead of
the native GINA.

I know it sounds like a hassle, and probably a whole bunch of calls to the
help desk, but that appears to be the only way we can get them to use a
single point for their password management.

If anyone can think of a better way to do this, definitely let me know.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 22, 2005 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password Expiration Prompt

I've used this in that situation.  You can change it from the three days on
there to whatever you like and since it uses subtree search, you can use
either a specific OU or the entire domain directory if you want.  It is per
domain. 

The script will email a notification with a link to the web page vs.
doing a
popup (so email is important right?) You would also have to turn off the
notification in the domain to prevent the confusion.  

I use this script for users in a different forest than the one their
workstation is in.  

http://www.houseofqueues.com/CodeSamples/PassCheck.txt

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, March 22, 2005 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password Expiration Prompt





  In our environment we use a product called Passport to synchronize
password changes across multiple accounts. Our users are aware of this
product and the procedures required for making a password change, however,
the Default Domain GPO specifies that the user will be notified to change
their password 5 days before expiration. When a user logs in and sees this
message they become confused and frustrated because they think this change
will apply to all accounts and passwords, which it does not. Is there a
script or setting I can change that will notify the user it is time for a
password change and take them directly to the Passport website to change
their password?

Thanks,
  Chris

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] DHCP Authorization Issue

2005-03-22 Thread Mulnick, Al
Start by looking at the event log on the machine.  From there, can you
remote to the machine?  If so, try looking at the MMC from that machine's
perspective.  

You may also want to look at replication and make sure that it's consistent
(AD repl).

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Tuesday, March 22, 2005 11:50 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] DHCP Authorization Issue

I am trying to authorize a DHCP server at one of our remote locations (256K
connection) after having completed an AD 2003 migration last night however I
keep receiving the error that the server is not authorized.  However, it is
in the list of my authorized DHCP servers (if you use the DHCP MMC to add an
authorized server it does appear in that list) however I still get the red
arrow when I look at the MMC.

I have verified all of my network settings and I was using an Enterprise
account to add the server.  

Does anyone have any suggestions on what I might look for to get this
service running?

Thanks,

Charlie
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT:RPC over HTTP vs OWA

2005-03-22 Thread Mulnick, Al
I wouldn't say either was more secure than the other.  I haven't used it in
a while, but last I checked the client didn't support two-factor
authentication unlike putting some other authentication in front of the OWA
server.  Other than that, I would view the two as being equal in terms of
security risk to the infrastructure since they both use HTTP/SSL to
communicate.  One just encapsulates RPC in the HTTP stream while the other
is HTTP. 

I think the RPC/HTTP is more usable to the end user and certainly more
feature rich. 

I won't lie to you, I wasn't a big fan of it when it first came out.  But
I've since been persuaded that RPC/HTTP offers some tangible benefits. ;)


In either case, I'd still want to use a layer-7 device in front of it to
terminate the SSL and to check the intent of the requests/responses and to
control the traffic. Something like ISAServer 2004 would come to mind.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Tuesday, March 22, 2005 2:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:RPC over HTTP vs OWA

Hey all - I was wondering what everyone's thoughts were about using RPC over
HTTP vs Outlook Web Access...?  Is one more secure than the other?  What
were the reasons you implemented one and not the other?

 

Any insight is always much appreciated! 

 

Thanks! 

 

Joe Pelle

Senior Infrastructure Architect

Information Technology

Valassis / IT

19975 Victor Parkway Livonia, MI 48152

Tel 734.591.7324  Fax 734.632.6151

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 

http://www.valassis.com/ http://www.valassis.com/ 

 


 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Scripting DC cleanup?

2005-03-18 Thread Mulnick, Al
Can't imagine why that wouldn't be possible.  NTDSUTIL is similar to NETSH
in that you can run the commands from a single call.

i.e. ntdsutil command command command command. Etc
http://www.jsifaq.com/SUBJ/tip4600/rh4675.htm

And 
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ntdsutil_using.asp

Will give some information about what that looks like.   You can even
abbreviate it. 

My advice for this though?  Practice it several times before actually
relying on it.  

As for Scripting it, I suppose you could, but it would likely be less effort
to write it manually once.  I mean, you don't build your infrastructure on
roller-skates anyway right? :)

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Friday, March 18, 2005 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Scripting DC cleanup?

It's getting close to time for our annual off-site disaster recovery test,
and I'd like to automate a dreaded chore that this testing entails. Our main
domain has about two dozen DCs. We only recover one of those during the
test. This means I have to perform the ntdsutil dance outlined in KB216498
23 times to remove the phantom DCs.
 
Is there any way I can script this, or at least script creation of a text
file that would be piped into ntdsutil?
 
I stumbled across a script called metacleaner.vbs written by a gentleman
at microsoft, but it did not appear to work. 


RE: [ActiveDir] Continuity planning and AD

2005-03-18 Thread Mulnick, Al
You can pull the disaster docs at Microsoft (should be off of
http://www.microsoft.com/ad ) and re-use a lot of that.  There are KB
articles as well.

As for the original poster's question, 

The plan is this at the moment: when our server catches fire, is flooded or
stolen, we take a recent tape from off site with all our data and another
tape with our 'system' and restore. Well that was easy!!

That is great for things such as physical site issues but doesn't cover any
issues with logical corruption.  You may want to include that in your
scenario.

Another thought is one that has been kicked around a lot.  Since you need
system state to get your DC back up and running, and since system state
restores almost require you to use duplicate hardware, have you considered
what a virtual instance can do for you?  You could introduce a second DC
running in a virtual instance and then your hardware issues are abstracted.
So when you do the restore, you would have two choices: put back the entire
virtual machine (the binary blob that you backed up: shut down the VM
instance, back up the blob, restart, that sort of thing) and restore the blob
in your DR site.  Perform metadata cleanup, seize the roles, and move ahead.
Or you could restore the data via tape to a VM instance.  Either way, your
duplicate hardware requirement goes away because virtual server technology
abstracts the hardware from the physical hardware you use.  Can be much
faster, more reliable, and easier under pressure.


Just wanted to throw that out there.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Friday, March 18, 2005 8:46 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Continuity planning and AD

My organization just moved to a W2K3 AD and we have one of our offsite DR
tests coming up.  I was wondering if someone wouldn't mind sharing any step
by step documentation that you have generated to perform this restore
(basically so I don't have to go and draft one from scratch)?

If not, is there any other interesting tid-bits that we need to know.  (I
will probably end up restoring two Domain Controllers, one for the Forest
and one for my domain during this test plan) so any and all help will be
nice.

Thanks.

-Original Message-
From: Hunter, Laura E. [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 6:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Continuity planning and AD


I run into this a lot; we go to Sungard twice a year to do DR testing and we
never -ever- get identical hardware. It becomes a voodoo dance of running a
repair, occasionally doing an in-place upgrade, and getting rid of
now-extinct metadata and replication entries with ntdsutil and repadmin.

FWIW, it works better on 2003 than 2000, since sometimes the TCP/IP stack
gets hosed and it's easier to delete/recreate in 2003 than 2000 - it's a
3-step KB article instead of a 3 -page- one.

Laura

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Friday, March 18, 2005 5:37 AM
 To: ActiveDir@mail.activedir.org
 Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Continuity planning and AD
 
 Hi Johnny
 
 In theory, you should be able to do your restore to the different 
 hardware, and then boot to the CD, choose setup, and choose repair 
 existing version of Windows to redetect all hardware.  I am not sure 
 this is supported but we were able to do it in our forest recovery 
 test with no real problems besides time time time and more time.
 
 Make sure you test the solution well before deciding that an identical 
 box is not the answer.
 
 Regards;
 
 James R. Day
 Active Directory Core Team
 Office of the Chief Information Officer National Park Service
 (202) 354-1464 (direct)
 (202) 371-1549 (fax)
 [EMAIL PROTECTED]
 
 
   
   
  
 From: jonny [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 cc: (bcc: James Day/Contractor/NPS)
 Subject: [ActiveDir] Continuity planning and AD
 

RE: [ActiveDir] Continuity planning and AD

2005-03-18 Thread Mulnick, Al
Wouldn't it just be easier to expect them to put that ESX functionality in
virtual server? ;) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 18, 2005 11:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Continuity planning and AD

I am 150% behind this mechanism. Your up and functioning again time is
drastically reduced as you can recover to any machine that has your
virtualization software up and running. This is technology that I have been
recommending to the list for probably a couple of years now along with many
others. Basically you spin up a little site with virtuals of all of your
domains, you script their daily (or more often) shutdown and backup. If you
get really cute you have multiple DCs of each domain and stagger their
shutdown and backup times and maybe even their replication schedules. This
also helps with establishing lab forests or safe harbor (aka Life Boat)
forests to do real data tests for things like schema updates and such. 

If MS would get off their butt and support VMWARE ESX officially as a
hardware platform this would open up even more possibilities such as near
immediate full forest recovery even with X domains where X is some crazy
number like 20+. In fact, now that I have heard of Server Foundation
Architecture at DEC[1] from Stuart Kwan, my battle with IE on DCs is pretty
much wrapped up (unless I hear the idea dying) and I appear to have won so I
am going to see if I can take on getting MS to support ESX since they have
no competing product. I believe the idea is as solid and just as the idea to
get IE/GUI off of servers if you want to run that way. 

So anyway, if this is something you are interested in as well, getting ESX
server supported as a hardware platform, feel free to ping me offline about
it and let me know the kind of business you represent (size, how much MS,
etc) so when I start my email campaign and start making a nuisance of myself
in the various forums and face to face times with MS Execs I have some
numbers and company names behind me. Virtualization is truly where we are
going and MS and Virtual Server is nowhere near the capability of ESX and I
haven't heard anything that would lead me to believe MS is anywhere near to
announcing anything like that. This seems to be good for everyone from what
I can see, good for the customer as their life will probably become easier
and more secure, good for MS because people will buy more product licenses
because they can fit more in the data center, good for hardware vendors
because they sell better higher end hardware instead of a bunch of the lower
end small margin stuff. 

Some very large orgs (no names please) I talked to at DEC are all moving
forward with ESX solutions even though MS doesn't officially support the
platform. They have looked at it and determined that the solution justifies
going outside the realm of guaranteed MS Support. That doesn't look good for
MS, it is an inability to admit to reality. Sure don't support vmware
workstation or GSX, we understand, it competes with your own product lines,
but you don't have a product like ESX... period. And larger customers are
going to want to go ESX versus GSX or Virtual Server. Heck if you really
look at it, you could come up with some pretty good cookie cutter Small
Business ESX solutions as well. 

  joe


[1] When Stuart announced having a DC up and running in the lab on this
platform with no GUI/IE there was big time applause from the audience and a
tear came to my eye. People were buzzing about it the whole rest of the
week. Rick tried to get me in trouble by indicating I could now drop death
threats I had out against various MS people which was completely untrue and
of course he was only joking. Luckily he only embarrassed me as I got a shout
out from Stuart from the podium, I don't think many people really knew who
he was referring to though because most people don't know my full name.
Anyway, I have been exceedingly vocal about this issue to every level of MS
Management I have come into contact with for some time now. I mentioned it a
little here occasionally but that wasn't even the tip of the iceberg because
I didn't think this list had much power to invoke that change. I was sending
notes to folks like Allchin and Nash about it and posting heavily on an MS
and MSMVP Security DL about it and was a broken record at the MVP Security
Summit last fall and tended to bring it up in nearly every session for
several days. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, March 18, 2005 10:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Continuity planning and AD

You can pull the disaster docs at Microsoft (should be off of
http://www.microsoft.com/ad ) and re-use a lot of that.  There are KB
articles as well.

As for the original poster's question, 

The plan is this at the moment: when our

RE: [ActiveDir] User Migration...twice

2005-03-18 Thread Mulnick, Al
To answer both questions:

Yes, sidHistory is supposed to be temporary but for some that's the
lifetime of the product.  It's all temporary in the scheme of things right?

As for can you hold more than one sid in the sidHistory attribute, yes you
can. 

Additional sIDHistory Information
The sIDHistory is a multivalued attribute of security principals in the
Active Directory that may hold up to 850 values  (I believe it's gone up
hasn't it?)

http://support.microsoft.com/default.aspx?scid=kb;en-us;322970&Product=winsvr2003

Next logical question to ask:  Is it a good idea?  I don't think so. Makes
troubleshooting a nightmare to say the least.   


Al


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Friday, March 18, 2005 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Migration...twice

Raymond, I apologize in advance for...
 
a) not answering your question
b) selfishly replying with another question for my own benefit
 
Along these lines, is the premise behind  sidHistory  that it should be
somewhat temporary in nature?  Shouldn't the organization go back and redo
all ACLs (if possible!) and then clean out  sidHistory  afterwards?  Or have
I got the concept all wrong and the notion of fixing up so many ACLs absurd?
 
Thanks!
 
-DaveC
Reuters CIO Infrastructure
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User Migration...twice



Has anyone successfully migrated user accounts twice, while maintaining SID
history both times?   

We had a group of users migrated from an NT domain to a W2K domain (with SID
history, Quest Migrator).  We now need to migrate them again from the (now)
W2K3 domain to another W2K3 domain.  Can we keep both SIDs as SID History? 

Thanks,
rb 




-
Visit our Internet site at http://www.reuters.com

To find out more about Reuters Products and Services visit
http://www.reuters.com/productinfo 

Any views expressed in this message are those of the individual
sender, except where the sender specifically states them to be
the views of Reuters Ltd.



RE: [ActiveDir] Can you expire a computer account in AD

2005-03-17 Thread Mulnick, Al
I suppose the limitations should be pointed out, so here goes.

The reason you wouldn't want just lastlogontimestamp is something that was
discussed here a little while back.  Basically, it's that as a datapoint,
it's not enough information to accurately figure out which objects are not
being used. To make it worse, LLTStamp is a replicated and latent attribute.
Put another way, its accuracy is only within 7 days which is the
replication schedule for that attribute.  Comp accounts are 30 day
intervals, but you run the risk of disabling/removing something that is a
valid account if you rely on this solely.  Using this in conjunction with
password last set should reduce the error rate exponentially as it's yet
another indicator of activity.  Keep in mind that a valid computer account
neither has to log on nor change its password on that schedule to be
valid.  Consider laptops as an example, especially laptops that stay off the
network for long periods of time (year at a time?).

I can honestly say that I think it's ridiculous to have a corporate resource
that stays off the network for extended periods, but they do exist and have
to be accounted for in some fashion.  I believe that's why the requirement
to disable vs. remove entirely came into the picture. 

Just something to be aware of when using this information.  

Al
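As an added illustration of Al's point (example code, not from the thread): a stale computer-account triage that only flags a machine when lastLogonTimestamp and pwdLastSet both say it has been idle, treats the logon stamp as accurate only to within the replication latency the post gives (7 days), and produces a disable rather than a delete. The FILETIME conversion is the standard one for AD large-integer timestamps; the computer names, dates and thresholds are constructed.

```python
"""Stale computer-account triage using lastLogonTimestamp AND pwdLastSet.

Added example, not code from the list thread. Both attributes are Windows
FILETIME values: 100-nanosecond ticks since 1601-01-01 UTC, 0 meaning "never".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x0002             # userAccountControl: account is disabled
WORKSTATION_TRUST_ACCOUNT = 0x1000  # userAccountControl: computer account


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert an AD large-integer timestamp to an aware datetime (None for 0)."""
    if ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used here only to build the constructed sample records."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


@dataclass
class Computer:
    name: str
    user_account_control: int
    last_logon_timestamp: int  # FILETIME; replicated lazily, so latent
    pwd_last_set: int          # FILETIME; the machine rotates it about every 30 days


def is_stale(c: Computer, now: datetime, stale_days: int = 90,
             llt_latency_days: int = 7) -> Tuple[bool, List[str]]:
    """Flag a computer only when BOTH indicators say it has been inactive.

    lastLogonTimestamp is widened by llt_latency_days (the post's 7-day figure)
    because the replicated copy lags the real last logon. pwdLastSet is an
    independent sign of life, so a recent password change keeps the account.
    """
    reasons = []
    llt = filetime_to_datetime(c.last_logon_timestamp)
    if llt is None or llt < now - timedelta(days=stale_days + llt_latency_days):
        reasons.append("lastLogonTimestamp old or never set")
    pls = filetime_to_datetime(c.pwd_last_set)
    if pls is None or pls < now - timedelta(days=stale_days):
        reasons.append("pwdLastSet old or never set")
    return len(reasons) == 2, reasons


def disabled_uac(uac: int) -> int:
    """userAccountControl with ACCOUNTDISABLE set: disable, do not delete."""
    return uac | ACCOUNTDISABLE


def triage(computers: List[Computer], now: datetime) -> Dict[str, str]:
    """Map each computer name to 'disable', 'keep' or 'already-disabled'."""
    actions = {}
    for c in computers:
        if c.user_account_control & ACCOUNTDISABLE:
            actions[c.name] = "already-disabled"
            continue
        stale, _ = is_stale(c, now)
        actions[c.name] = "disable" if stale else "keep"
    return actions


# Constructed sample data; the evaluation date is the date of the thread.
NOW = datetime(2005, 3, 17, tzinfo=timezone.utc)


def _days_ago(n: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=n))


SAMPLE = [
    # Logged on last week and rotated its password last month: in use.
    Computer("WS-ACTIVE", WORKSTATION_TRUST_ACCOUNT, _days_ago(6), _days_ago(20)),
    # No logon and no password change for over a year: candidate for disabling.
    Computer("WS-STALE", WORKSTATION_TRUST_ACCOUNT, _days_ago(400), _days_ago(410)),
    # Logon stamp looks old but the password was rotated recently: the logon
    # stamp may simply not have replicated yet, so the machine is kept.
    Computer("LAPTOP-FIELD", WORKSTATION_TRUST_ACCOUNT, _days_ago(120), _days_ago(15)),
    # Never logged on, password never set: pre-staged or orphaned object.
    Computer("WS-NEVER", WORKSTATION_TRUST_ACCOUNT, 0, 0),
]

if __name__ == "__main__":
    for c in SAMPLE:
        stale, why = is_stale(c, NOW)
        print(f"{c.name:14} {triage([c], NOW)[c.name]:8} {'; '.join(why)}")
```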

  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Thursday, March 17, 2005 9:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Can you expire a computer account in AD

it is in oldcmp:

oldcmp -llts

[EMAIL PROTECTED] wrote:
 I read this somewhere and had to confirm.  Looks like if you're 2003 
 domain functional - lastLogonTimestamp works for computers as well.
 Unfortunately, it's not exposed in tools like DSGET.  Maybe joe will 
 add this as a switch to oldcmp - as well as user accounts.
 
 -m
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of P West
 Sent: Tuesday, March 15, 2005 3:24 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Can you expire a computer account in AD
 
 That's exactly what i intend to do. Disable those suckers.
 
 
 thanks all
 - Original Message -
 From: Mulnick, Al [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Tuesday, March 15, 2005 2:44 PM
 Subject: RE: [ActiveDir] Can you expire a computer account in AD
 
 
 
Because it derives from the User class, I can't think of a reason why you
couldn't set that value.  I'm not sure (and have no way to test at the
moment) if that value would be valid for what you're doing however.

You could just disable the computer accounts vs. expire them.  That's 
available from the GUI if you want to access it that way else it's 
scriptable.

al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of P West
Sent: Tuesday, March 15, 2005 2:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Can you expire a computer account in AD

thanks AL
thanks Tom



Ok i used oldcmp. among others and the pwdlastset (oldcmp works great) came
back feb 2000 even though the password expiration says march 20 2005.

i don't think there's an issue with locating old accounts with pwdlastset; the
thing is what's up with a password expiration date of march 20 2005 if the
pwdlastset is feb 2000. this password for pc account should get reset every
30 days.

The ping was a great idea, we were planning on doing it.  But our dns
records are not so clean so u can ping a pc and get a response but its a
different pc name when you ping -a ip address.  DNS scavenging is getting
turned on, but i think the issue may still exist.

One last point.  Can u or can't you expire a computer account in ad? i don't
think you can, i tried to google it, next im callin ms to ask, but wanted
to know what u folks' opinion on it was.
- Original Message -
From: Mulnick, Al [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, March 15, 2005 2:10 PM
Subject: RE: [ActiveDir] Can you expire a computer account in AD



He beat me to it ;0)

You may also want to couple that with a simple ping method to validate if
the machine actually exists or not.  Might cross reference it with DHCP/DNS
if ping is too much overhead.

Just some thoughts.

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Tuesday, March 15, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Can you expire a computer account in AD

P West wrote:

We are trying to clean up old AD pc accounts.  Have used every tool
under the sun to come up with the pwdlastset to show old accounts.

example
One pc says the pwdlast set is feb 2000 when our ad guy looks at 
password expiration the dates are say march 20 2005.  but the 
pwdlastset date is feb 2000.

For some

RE: [ActiveDir] Event Log

2005-03-15 Thread Mulnick, Al
So something like MOM is not being used?

WMI scripts would be another avenue to pursue that may solve your problem.
Something that listens for trigger of the event and if it matches sends the
email via SMTP. 

Is that what you had in mind? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Tuesday, March 15, 2005 12:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Event Log

I want the windows to send me warning when special events are logged to the
event viewer, I have Servers Alive now to monitor some servers and services,
I am planning to get a traffic analyzer and I need an alert when something
wrong goes in the Event Viewer, I have many servers and can't login to each
server daily to check the event log, or should I?

thanks,
rc

On Mon, 14 Mar 2005 09:00:49 -0500, Mulnick, Al [EMAIL PROTECTED]
wrote:
 What'd you have in mind?  What's the solution you're looking to 
 accomplish, because I can think of several ways to achieve such a 
 thing.  Some easy and some more involved.
 
 al
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
 Sent: Monday, March 14, 2005 5:08 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Event Log
 
 Please is there any way to make the event viewer trigger an email?
 Thanks
 r.c.



RE: [ActiveDir] OT: vbs help

2005-03-15 Thread Mulnick, Al
I don't have 10.0 installed, but if it's like 9.0 there is no value there
and the error would be expected.  The value is in the registration key below
that.  

If you really want to know what is installed, you may want to look at the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\PlayerUpgrade\PlayerVersion
value and compare it against what you are installing similar to how it
does so internal to the application. 


Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Tuesday, March 15, 2005 9:07 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] OT: vbs help

That is what I have been trying to do, but there is no value set for
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\10.0

So I get the error

This is the code I'm trying

Set WSHShell = WScript.CreateObject("WScript.Shell")
WScript.Echo WSHShell.RegRead("HKLM\SOFTWARE\Microsoft\MediaPlayer\10.0")

And I get the error:

install_media_10.vbs(49, 1) WshShell.RegRead: Unable to open registry key
HKLM\SOFTWARE\Microsoft\MediaPlayer\10.0 for reading.


Thanks,jb

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 14, 2005 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: vbs help


I believe this is what you're looking for:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/wsmthregread.asp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Monday, March 14, 2005 3:05 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: vbs help

I'm trying to check the registry if windows media player 10 is installed, if
not I'm going to install it. I found command line install options for WMP,
but I want to check the registry so I don't re-install it. The key I want to
look for is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\10.0

If that key exist it's a pretty good chance version 10 is installed.

Thanks,jb


RE: [ActiveDir] OT: vbs help

2005-03-15 Thread Mulnick, Al
 
http://www.jansfreeware.com/articles/asp-string-literals.html
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Tuesday, March 15, 2005 10:42 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] OT: vbs help

Thank you the playerupgrade\playerversion will work great Here's what I have
so far

' Create the WScript Shell Object, which contains the Registry methods
Set WSHShell = WScript.CreateObject("WScript.Shell")
Set inshell = WScript.CreateObject("WScript.Shell")

sValue = WSHShell.RegRead("HKLM\SOFTWARE\Microsoft\MediaPlayer\PlayerUpgrade\PlayerVersion")

If Left(sValue, 2) <> "10" Then
    ' A double quote inside a VBScript string literal is written as two double quotes
    inshell.Run "\\ghris\install$\WMP10MP10Setup.exe /q:A /c:""setup_wm.exe /Q /R:N /P:#e""", 2, True
End If

But I think the double quotes within the run string are causing me issues.
But WMP10MP10Setup.exe /q:A /c:"setup_wm.exe /Q /R:N /P:#e" is what I found
on microsoft's site.

Thanks,jb

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 15, 2005 9:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: vbs help


I don't have 10.0 installed, but if it's like 9.0 there is no value there
and the error would be expected.  The value is in the registration key below
that.  

If you really want to know what is installed, you may want to look at the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\PlayerUpgrade\PlayerVersion
value and compare it against what you are installing similar to how it
does so internal to the application. 


Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Tuesday, March 15, 2005 9:07 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] OT: vbs help

That is what I have been trying to do, but there is no value set for
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\10.0

So I get the error

This is the code I'm trying

Set WSHShell = WScript.CreateObject("WScript.Shell")
WScript.Echo WSHShell.RegRead("HKLM\SOFTWARE\Microsoft\MediaPlayer\10.0")

And I get the error:

install_media_10.vbs(49, 1) WshShell.RegRead: Unable to open registry key
HKLM\SOFTWARE\Microsoft\MediaPlayer\10.0 for reading.


Thanks,jb

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 14, 2005 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: vbs help


I believe this is what you're looking for:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/wsmthregread.asp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Monday, March 14, 2005 3:05 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: vbs help

I'm trying to check the registry if windows media player 10 is installed, if
not I'm going to install it. I found command line install options for WMP,
but I want to check the registry so I don't re-install it. The key I want to
look for is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\10.0

If that key exist it's a pretty good chance version 10 is installed.

Thanks,jb


RE: [ActiveDir] Retrieving changes using the uSNChanged property

2005-03-15 Thread Mulnick, Al
I take it you have already seen this doc, correct?
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/example_code_to_retrieve_changes_using_usnchanged.asp

One reason I can think of that would explain why no results is that there
are no changes that meet that criteria. Have you checked to see that the
uSNChanged Value of some test user object is greater than your
highestcommittedusn value??

Al
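The polling cycle Mikael and Al are discussing, run against an in-memory stand-in for a DC so it can be tried offline (added example; not code from the thread or from the MSDN page Al links). FakeDC, Cookie and their methods are constructed for the demo; the check that a saved watermark is only reused against the DC that issued it is an added caveat, since every DC numbers its own USNs.

```python
"""Incremental change tracking with uSNChanged and highestCommittedUSN.

Added example. FakeDC is a constructed stand-in for one domain controller so
the cycle (baseline, poll, poll) can be exercised without a directory.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class FakeDC:
    """One DC: its own USN counter plus objects stamped with uSNChanged."""
    invocation_id: str                 # identifies this DC's USN sequence
    highest_committed_usn: int = 1000  # what RootDSE highestCommittedUSN reports
    objects: Dict[str, dict] = field(default_factory=dict)

    def write(self, dn: str, **attrs) -> None:
        # Every write this DC commits advances its USN and stamps the object's
        # uSNChanged with the new value.
        self.highest_committed_usn += 1
        obj = self.objects.setdefault(dn, {"objectClass": "user", "objectCategory": "person"})
        obj.update(attrs)
        obj["uSNChanged"] = self.highest_committed_usn

    def search(self, min_usn: int) -> List[str]:
        """Evaluate the thread's filter with a >= bound on uSNChanged."""
        return sorted(dn for dn, o in self.objects.items()
                      if o["objectClass"] == "user" and o["objectCategory"] == "person"
                      and o["uSNChanged"] >= min_usn)


def build_filter(min_usn: int) -> str:
    """The LDAP filter as it must be sent: '&' for AND and '>=' for the USN bound."""
    return f"(&(objectClass=user)(objectCategory=person)(uSNChanged>={min_usn}))"


@dataclass
class Cookie:
    """State kept between polls. USNs are local to a DC, so the watermark is
    only meaningful against the DC that issued it."""
    invocation_id: str
    last_usn: int


def poll(dc: FakeDC, cookie: Optional[Cookie]) -> Tuple[List[str], Cookie]:
    """One cycle: return DNs changed since the cookie, and the new cookie."""
    if cookie is not None and cookie.invocation_id != dc.invocation_id:
        raise ValueError("cookie came from a different DC; re-baseline against this one")
    # Read highestCommittedUSN BEFORE searching, so a write that lands during
    # the search is reported by the next cycle instead of being skipped.
    new_high = dc.highest_committed_usn
    if cookie is None:
        # First run: record the watermark only; nothing is reported yet.
        return [], Cookie(dc.invocation_id, new_high)
    # Anything committed at or before last_usn was already visible last time.
    changed = dc.search(cookie.last_usn + 1)
    return changed, Cookie(dc.invocation_id, new_high)


def demo() -> Dict[str, List[str]]:
    """Replay the scenario from the thread; return what each poll reported."""
    dc1 = FakeDC("dc1-invocation-id")
    dc1.write("CN=Alice,CN=Users,DC=example,DC=test", sn="A")
    dc1.write("CN=Bob,CN=Users,DC=example,DC=test", sn="B")
    out: Dict[str, List[str]] = {}
    out["first_run"], cookie = poll(dc1, None)      # baseline: nothing reported
    out["no_changes"], cookie = poll(dc1, cookie)   # nothing changed since
    dc1.write("CN=Alice,CN=Users,DC=example,DC=test", description="edited")
    out["after_edit"], cookie = poll(dc1, cookie)   # only Alice comes back
    return out


if __name__ == "__main__":
    for step, dns in demo().items():
        print(f"{step:11} -> {dns}")
```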

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mikael Håkansson
Sent: Tuesday, March 15, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Retrieving changes using the uSNChanged property

Hi

I'm trying to retrieve only changes from active directory by using the
uSNChanged property in my query.

However, even if I manually change an object and verify that the uSNChanged
is changed, I still don't get any results back from my query.

Sample query:

(&(objectClass=user)(objectCategory=person)(uSNChanged>=value))
where value is taken from the highestCommittedUSN property of the RootDSE
object the first time the application runs.

Does anyone know why I'm not getting any results back?
Maybe this cannot be done using the .NET directoryservices??

//Mikael


RE: [ActiveDir] Can you expire a computer account in AD

2005-03-15 Thread Mulnick, Al
I'm just curious why you would want to expire a computer account?  I would
guess you could if you really set your mind to it, but not sure what
advantage that would provide.

?? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Tuesday, March 15, 2005 1:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Can you expire a computer account in AD

P West wrote:
 Hey people
  
 I know you can expire a user account.
  
 Is there anything like expire a computer account in AD.
  
There is no expiration date, but an unused computer account will expire
after some time period because it will get out of sync with its domain
account password

--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl


RE: [ActiveDir] Can you expire a computer account in AD

2005-03-15 Thread Mulnick, Al
He beat me to it ;0)

You may also want to couple that with a simple ping method to validate if
the machine actually exists or not.  Might cross reference it with DHCP/DNS
if ping is too much overhead.

Just some thoughts.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Tuesday, March 15, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Can you expire a computer account in AD

P West wrote:
 We are trying to clean up old AD pc accounts.  Have used every tool 
 under the sun to come up with the pwdlastset to show old accounts.
 
 example
 One pc says the pwdlast set is feb 2000 when our ad guy looks at 
 password expiration the dates are say march 20 2005.  but the 
 pwdlastset date is feb 2000.
 
 For some reason the pwdlastset is not updating or at least thats what 
 im thinking.

try to use Joe's oldcmp tool:
http://www.joeware.net/win/free/tools/oldcmp.htm


--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl


RE: [ActiveDir] Hard setting Global Catlogs

2005-03-15 Thread Mulnick, Al
Sounds like your site settings are not working as expected.  Have you
verified your AD sites are correct?


Al

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, March 15, 2005 2:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Hard setting Global Catalogs

We recently integrated with another company, now I'm seeing issues like my
Exchange server is looking to GCs in the other sites, as are users for
authentication, instead of locally.

Can I hard set the GC list for all users in my site to use the GC here and
users in the other site to use the GC there? I know you can hard set the GC
in Exchange but it's not recommended.

Can I set this via Group Policy or would this need to be scripted and with a
logon script? 

As always any help, pointers are greatly appreciated

Thanks 

Mike



RE: [ActiveDir] Hard setting Global Catalogs

2005-03-15 Thread Mulnick, Al
You would want to make sure that your sites are properly defined and that
your DNS is properly configured. 

Netdiag and dcdiag can be useful here as well.

As for making it one large site, that's something you'll have to decide
based on your requirements.  But if that's an option, does it matter what
site the workstations and servers use? 

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, March 15, 2005 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hard setting Global Catalogs

Correct meaning, does each site have a subnet associated with it and have
automatically generated connection objects? I've run replmon against it to
force replication and removed the auto-generated connections then let AD
recreate them, what else should I be looking for? Or better yet since we are
connected with a high speed connection should I remove the sites and let
everything fall under one site?

Thx

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 15, 2005 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Hard setting Global Catalogs

Sounds like your site settings are not working as expected.  Have you
verified your AD sites are correct?


Al

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, March 15, 2005 2:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Hard setting Global Catalogs

We recently integrated with another company, now I'm seeing issues like my
Exchange server is looking to GCs in the other sites, as are users for
authentication, instead of locally.

Can I hard set the GC list for all users in my site to use the GC here and
users in the other site to use the GC there? I know you can hard set the GC
in Exchange but it's not recommended.

Can I set this via Group Policy or would this need to be scripted and with a
logon script? 

As always any help, pointers are greatly appreciated

Thanks 

Mike



RE: [ActiveDir] OT: vbs help

2005-03-14 Thread Mulnick, Al
I believe this is what you're looking for:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/wsmthregread.asp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Monday, March 14, 2005 3:05 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OT: vbs help

I'm trying to check the registry to see if Windows Media Player 10 is
installed; if not, I'm going to install it. I found command line install
options for WMP, but I want to check the registry so I don't re-install it.
The key I want to look for is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\10.0

If that key exists, there's a pretty good chance version 10 is installed.

Thanks, jb


RE: [ActiveDir] VERY OT -WAS Binding to ldap process..- NOW is De ji Rants

2005-03-11 Thread Mulnick, Al



You could add FUD to that list for many orgs. There was also a time where
MBA/MGMT wanted to outsource for best in class focus (think Brightmail).

Those days are behind us with the concept of black-box implementations and
such, but that doesn't change the mindset.

FWIW, I don't buy the lowered bandwidth concept that comes across unless they
can guarantee that I won't lose VALID mail.

Not having a tech involved would be intriguing; I'd want to see the level of
service they actually get vs. what they perceive that they get.

Al


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, March 11, 2005 2:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY OT -WAS Binding to ldap process..- NOW is Deji Rants

Hi Deji,

I've been on both sides of the fence in the past year. 

Ultimately the main reason for this was the time required by the admins to
implement this solution which was minimal.
They (the powers that be) found that outsourcing the tech was way cheaper
than paying for an appliance etc...
They thought that they could save some bandwidth this way and put some
stress out of our mail servers

So, cost and administration overhead were probably the major factors behind
this.

Francis


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 11 March 2005 13:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY OT -WAS Binding to ldap process..- NOW is Deji Rants


Something tells me I shouldn't be asking this, but the phrase outsource
Anti-SPAM and the recent news about McDonald OUTSOURCE drive-through order
processing just make the question irresistible.

Why would anyone outsource Anti-SPAM? If your mail service is outsourced,
too, that would be somewhat understandable, although not justifiable, IMO. If
you host and manage your mail infrastructure, what is the logic behind
outsourcing Anti-SPAM? I realize that you guys may not be responsible for
making the calls on this, but I am also interested in knowing the reasoning
that drove the final decision maker into making that decision. Is it the
administration overhead? Is it the cost? Is it the effectiveness?

For the record, I am an Anti-SPAM solution provider, and it bothers me that
people would give control of their mail-infrastructure out to an external
party for such a simple task as SPAM protection. Could this be because most
of the solutions out there suck in one form or another? What is it?

Deji [getting off his soap-box now]





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Friday, March 11, 2005 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Binding to ldap process..

While we haven't outsourced our anti-spam stuff, we're in the same boat with
the AD address validation. We're likely going to spin up an ADAM instance and
have the queries run against that, so that 1) we can control what information
the anti-spam software has access to and 2) it's not directly touching our
DCs/GCs. It also lets you keep your DCs out of the DMZ. Something you may
want to consider...

Hunter




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, March 11, 2005 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Binding to ldap process..
Thanks for the reply Joe! The url provided was extremely helpful. The reason
I'm asking all of this is because the management has decided to outsource
anti-spam technology to a 3rd party that uses our AD to validate e-mail
addresses. Unfortunately their "security through obscurity" methods are
scaring the crap out of me. They won't disclose the type of bind they are
doing against one of our GCs in the DMZ. I guess I could sniff the incoming
traffic and figure out what type of bind they are doing?

Thanks,
Francis




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 11 March 2005 12:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Binding to ldap process..
Depends on the auth options chosen. By default, ldp will use kerberos as will
my adfind. The auth option is called LDAP_AUTH_NEGOTIATE which is a generic
security services (GSS - SPNEGO) provider and will try different mechanisms
starting out with kerberos but NTLM is also an option there. You can force it
to bind with a simple bind though which is clear text passwords. 

See http://msdn.microsoft.com/library/default.asp?url= and look in the
remarks section. 

 
joe








From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, March 11, 2005 11:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Binding to ldap process..
Thanks for the reply joe, however one last question remains:

Is the process of binding to the GC (in the case I'm connecting to port 3268)
different from say: A user authentication to AD when logging on 
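
An added example (not ldp, adfind or anything posted in the thread) of the check Francis asks about: telling from a captured BindRequest whether the third party used a simple bind or a SASL/GSS-SPNEGO negotiate bind, which is the difference joe describes. It decodes the BER of RFC 4511 directly and runs on constructed sample messages; the DN, password and GSS tokens in them are placeholders.

```python
"""Classify captured LDAP BindRequests by authentication method.

Added example for the bind discussion above; not ldp, adfind or the thread's
own code. It decodes the BER of RFC 4511 LDAPMessage/BindRequest directly and
runs on constructed sample messages standing in for packets captured on the
way to a GC (port 3268, or 3269 for LDAPS).
"""

# ASN.1 tags (RFC 4511): universal types, [APPLICATION 0/3], AuthenticationChoice [0]/[3].
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST, SEARCH_REQUEST = 0x60, 0x63
AUTH_SIMPLE, AUTH_SASL = 0x80, 0xA3


def tlv(tag, value):
    """BER-encode one element with a short- or long-form definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def read_tlv(buf, pos=0):
    """Decode the element at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(message):
    """Describe a BindRequest as a dict; return None for any other operation."""
    tag, body, _ = read_tlv(message)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(body)  # messageID INTEGER
    op_tag, bind, _ = read_tlv(body, pos)
    if op_tag != BIND_REQUEST:
        return None
    pos = read_tlv(bind)[2]  # skip the protocol version INTEGER
    _, name, pos = read_tlv(bind, pos)
    auth_tag, auth, _ = read_tlv(bind, pos)
    info = {"message_id": int.from_bytes(msg_id, "big"),
            "name": name.decode("utf-8", "replace")}
    if auth_tag == AUTH_SIMPLE:  # simple: the password travels as-is
        info.update(method="simple", has_password=len(auth) > 0)
    elif auth_tag == AUTH_SASL:  # sasl: SEQUENCE { mechanism, credentials }
        _, mechanism, pos = read_tlv(auth)
        creds = read_tlv(auth, pos)[1] if pos < len(auth) else b""
        # Heuristic: an NTLMSSP signature inside the SPNEGO token means the
        # negotiation settled on NTLM rather than Kerberos.
        info.update(method="sasl", mechanism=mechanism.decode("ascii", "replace"),
                    ntlm=b"NTLMSSP\x00" in creds)
    else:
        raise ValueError("unrecognised AuthenticationChoice tag %#x" % auth_tag)
    return info


def assess(messages, over_tls=False):
    """Return (message_id, verdict) per BindRequest; other operations are skipped."""
    verdicts = []
    for message in messages:
        info = parse_bind_request(message)
        if info is None:
            continue
        if info["method"] == "sasl":
            chosen = "NTLM" if info["ntlm"] else "no NTLM marker (likely Kerberos)"
            verdict = f"SASL {info['mechanism']}, {chosen}"
        elif not info["name"] and not info["has_password"]:
            verdict = "anonymous simple bind"
        elif over_tls:
            verdict = "simple bind, credentials protected by TLS"
        else:
            verdict = "simple bind without TLS: DN and password sent in cleartext"
        verdicts.append((info["message_id"], verdict))
    return verdicts


def bind_message(message_id, name, auth):
    """Assemble LDAPMessage { messageID, BindRequest { version 3, name, auth } }."""
    bind = tlv(BIND_REQUEST, tlv(INTEGER, b"\x03") + tlv(OCTET_STRING, name) + auth)
    return tlv(SEQUENCE, tlv(INTEGER, bytes([message_id])) + bind)


# Constructed samples: placeholder DN and password; the SPNEGO tokens are
# truncated stand-ins (SPNEGO OID plus a marker), not valid GSS tokens.
SIMPLE_BIND = bind_message(1, b"cn=spamfilter,ou=svc,dc=example,dc=com",
                           tlv(AUTH_SIMPLE, b"placeholder-pw"))
ANONYMOUS_BIND = bind_message(2, b"", tlv(AUTH_SIMPLE, b""))
SPNEGO_NTLM_BIND = bind_message(3, b"", tlv(AUTH_SASL, tlv(OCTET_STRING, b"GSS-SPNEGO")
    + tlv(OCTET_STRING, b"\x60\x12\x06\x06\x2b\x06\x01\x05\x05\x02NTLMSSP\x00\x01")))
SPNEGO_KRB_BIND = bind_message(4, b"", tlv(AUTH_SASL, tlv(OCTET_STRING, b"GSS-SPNEGO")
    + tlv(OCTET_STRING, b"\x60\x0a\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x00")))
SEARCH_MSG = tlv(SEQUENCE, tlv(INTEGER, b"\x05")
                 + tlv(SEARCH_REQUEST, tlv(OCTET_STRING, b"dc=example,dc=com")))
```

Feed it the BindRequest payloads pulled from a capture of the DMZ GC's port 3268 (or 3269 with over_tls=True) to see which method the vendor's connector actually uses.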

RE: [ActiveDir] OT: Command shell under RUNAS

2005-03-09 Thread Mulnick, Al
I do this, but I hadn't noticed that behavior.  What situation are you seeing
this with?  Any particular app?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, March 09, 2005 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Command shell under RUNAS

For those that run command shells under different security contexts with
RUNAS...(XP SP2)
 
...do you notice that interrupt handling does not work as expected
(CTRL-C/BREAK)?
 
-DaveC
Reuters Infrastructure
 


-
Visit our Internet site at http://www.reuters.com

To find out more about Reuters Products and Services visit
http://www.reuters.com/productinfo 

Any views expressed in this message are those of the individual sender,
except where the sender specifically states them to be the views of Reuters
Ltd.



RE: [ActiveDir] OT: Command shell under RUNAS

2005-03-09 Thread Mulnick, Al
I hadn't noticed this before but I can confirm that with the ping test.  Not
an XP SP2 issue though, that was on a W2K workstation. 

Likely a runas issue. 

al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, March 09, 2005 5:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Command shell under RUNAS

To give two examples...I started a continuous ping within one of them and a
w32tm -stripchart in the other.

Since I didn't specify a finite count in either, they ran forever, and
CTRL-C or CTRL-BREAK had no effect.

-DaveC
Reuters AITS Infrastructure

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, March 09, 2005 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Command shell under RUNAS

I do this, but I hadn't noticed that behavior.  What situation are you seeing
this with?  Any particular app?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, March 09, 2005 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Command shell under RUNAS

For those that run command shells under different security contexts with
RUNAS...(XP SP2)
 
...do you notice that interrupt handling does not work as expected
(CTRL-C/BREAK)?
 
-DaveC
Reuters Infrastructure
 




RE: [ActiveDir] LDAP dir sync product to AD

2005-03-08 Thread Mulnick, Al
I think Murray brings up some good points.  What are your requirements
exactly?  

To differentiate between the products (or others) you'll need to understand
what the ultimate goal is and what you have to work with.  For example, is
this a RACF sync?  Or LDAP or ??  What exactly needs to sync?  Passwords?
Accounts? 

Questions like that should help to differentiate.

Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Murray Wall
Sent: Tuesday, March 08, 2005 6:45 AM
To: ActiveDir@mail.activedir.org; Nicolas Blank
Subject: RE: [ActiveDir] LDAP dir sync product to AD


Nic, we have implemented Simple Sync, for roughly about 12 connectors and
are pleased with the tool.  It is syncing roughly 3 LDAP entries between
exchange 5.5, 2000 and 2003 organizations with the exchange 5.5 organization
being the root forest.  In my mind, it would depend on your needs, and if
you require a more advanced 'meta' directory.  Simple Sync is a FIFO sync
utility not a download all the updates to a meta dir, process them, then
resync out (sounds like a description for msmail t1,
t2 sync processes!) We are very pleased with the product and the support
we get from them.   I have no experience with the Imanami product.  If
you are looking for a LDAP in, LDAP out with transposing, or what have you,
I would definitely recommend the Simple Sync.

Murray Wall
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: Tuesday, March 08, 2005 1:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP dir sync product to AD

Hi all
Anyone ever have to choose between Simple Sync and  Imanami Directory
Transformation Manager ?
I'm talking to a mainframe via LDAP going to AD and on paper Imanami looks
the better choice.
Anyone have any recommendations either way?
I've seen simple sync mentioned at least once on this list and also know
it's maybe not the best product out there, even though it does the job and
am keen to get any feedback on anything else?

Thanks in advance for any feedback

Nic



:: Horribly OT :: RE: [ActiveDir] Active Directory and LDAP

2005-03-08 Thread Mulnick, Al
1,000,000.00 - 3.00 = the first step taken and a down payment on a
Starbuck's coffee :) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, March 08, 2005 9:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

Joe - 

Write. A. Book.

Your own.

I'll buy it, if no one else will :p

Rich


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform
Development Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819

---
I am always doing that which I can not do, in order that I may learn how to
do it. - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 07, 2005 9:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

What can I say... I didn't win the Lotto. :) 

It seems more and more like I am going to have to actually earn my first
million.

   joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, March 07, 2005 10:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

 The Cat Book rocks. Actually I should get royalties for that one too, I
have made a bunch of people buy it


Here we go again

-rtk

P.S  :p


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 07, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

Hey now... Don't forget about Alistair. He did that first edition himself
and did it well. :)

The Cat Book rocks. Actually I should get royalties for that one too, I have
made a bunch of people buy it and have bought and given away multiple copies
myself. I still have my first copy though it is quite dog-eared and I put
laminating plastic on the covers so they wouldn't get too torn up. 

Here is the actual AD Org Books link -
http://www.activedir.org/Books.aspx ,
actually it would be kind of cool if we could rate them. How about it Tony?
Have a couple of fields for each, number of people who have the book, number
of people who recommend it, number of people who don't recommend it. 

I am surprised AD Developers Reference Library by Iseminger is on the list.
That is a great book but wouldn't expect a lot of the list users to have
read it. I recall reading it back in like 2001 or so and getting a bit
scared at what a really pissed off AD programmer could pull off. 


  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 07, 2005 11:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

Personally?  I like to think of AD as a GUI to Microsoft's implementation of
LDAP.  That simplifies a lot of things for me.  However, there is more to it
than that and the books you ordered should help in clarifying that.  

You don't need to know LDAP to make AD work, but it helps.  It's a great
help to me to understand the differences between Microsoft's AD and Sun's
implementation of LDAP or IBM's implementation or any of the others for the
basics.  

When you start getting into managing the directory and the objects in the
directory, Microsoft really differentiates itself with GPO's and the
multi-master replication and the tools to support the infrastructure.  

As you're looking at this, remember that name resolution is one of the most
important things you can deal with when making AD a solid enterprise app. 

The book from O'Reilly sounds like Robbie's book.  I haven't read it, but
have heard good things about it (what can I say Robbie, I don't have a
budget for it :)  If it's not Robbie's book for AD, then it would be a good
idea to grab that one as well.
http://www.amazon.com/exec/obidos/ASIN/0596004664/103-8355416-0173405

Sakari Kouti also has written a good book, called, Inside Active Directory
that would be worth picking up. http://www.kouti.com/

You should be able to find some other information about books at
http://www.activedir.org 


Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kenny Mann
Sent: Monday, March 07, 2005 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory and LDAP

I don't understand LDAP and Active Directory as much as I should.
So, I've ordered 2 LDAP books (O'Reilly and another) to learn.
I'm curious as to how much LDAP and Active Directory have in common. Is AD
just a GUI for LDAP?
Perhaps there is a book everyone here recommends or will my LDAP books
hopefully cover enough so I could be able to feel my way around Active
Directory well enough?

Doing

RE: [ActiveDir] LDAP dir sync product to AD

2005-03-08 Thread Mulnick, Al
I agree with Phil about cleaning up prior if possible.  The less confusion
you have during a migration scene the better.  I've done many both ways (at
customer's insistence and after a fight most often) and I can honestly say
that the clearer the playing field the better. If nothing else, you can
resolve issues that much faster during migration.

As for the sync, I wish I wasn't as familiar with mainframe ldap as I am;
ignorance can truly be a happy place :)  

Knowing the type and how it's configured (is it just a gateway to a
different authentication system or a fully populated LDAP instance?  Both?
If not RACF, what is the mainframe auth system then?? (that's just
curiosity on my part but might make a difference when it comes to how you
want to deploy a solution)) is going to greatly enhance your ability to get
the right solution. 
As an example I could have several mainframe based LDAP stores.  Some would
be populated with user accounts while others are a gateway to a different
authentication store.  Weird to say the least, but I see why IBM did that. 

Drop me a note offline if you want to know more about what I've seen so far
with mainframe implementations of LDAP.  I don't see a reason to bore the
socks off the rest of the folks with the petty b.s. that mainframe ldap can
introduce.

NOTE: If it's already online, you can connect to the mf ldap and find out
what it is by looking at the rootdse information as long as you can get to
it (you may need credentials etc depending on configuration). 


Al 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Tuesday, March 08, 2005 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP dir sync product to AD

I am a much bigger fan of either cleaning up the NT domains prior to
migration, or getting a list of current active users from the mainframe and
only migrating those users from the NT domains. In both those situations you
end up and only the active users in AD which I prefer to do since I don't
want to migrate junk from old domains into my newly created and clean AD
environment.

Not much help on your dirsync issues, but I haven't worked with either so I
won't bother to comment on that part.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: Tuesday, March 08, 2005 10:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP dir sync product to AD

Good question. At this stage this is what I've been made aware of:
No RACF (phew)
LDAP Connector to mainframe - I haven't been told what version yet.
User and Attribute sync to AD from the mainframe is the primary goal. The
business centres around mainframe existence. If you don't exist on the
mainframe - you don't exist. This means that user provisioning AND identity
currently happens there as a start. At this point there's a TON of NT4
domains (around 600) that will be switched off. Users used to be created
automagically via a process from mainframe to NT 4 domains, however users
were never killed off the NT domains when they died on the mainframe.

Going forward, this means that users will be synced from the mainframe via
LDAP - ergo the sync tool requirement to AD to a dump container.
Users from the NT domains will be merge migrated to a separate container,
and whatever is left behind will be investigated and killed.
Migration tools are in place to do this, that's the easy bit. The unknown
entity is talking to a mainframe via LDAP with no knowledge at this point of
what flavour of LDAP it's talking.

The Imanami product looks really fine on paper - generic ldap
connectivity, attribute transformation, supports schema extensions, etc,
however I've never met anyone who's used it in anger. I'm trying to stay
away from a scripted solution, since object collision resolution, attribute
transformation, object matching, delta syncing, etc are pretty standard in
the tool world, without having to re-script the wheel.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: 08 March 2005 04:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP dir sync product to AD

I think Murray brings up some good points.  What are your requirements
exactly?  

To differentiate between the products (or others) you'll need to understand
what the ultimate goal is and what you have to work with.
For example, is this a RACF sync?  Or LDAP or ??  What exactly needs to
sync?  Passwords?
Accounts? 

Questions like that should help to differentiate.

Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Murray Wall
Sent: Tuesday, March 08, 2005 6:45 AM
To: ActiveDir@mail.activedir.org; Nicolas Blank
Subject: RE: [ActiveDir] LDAP dir sync product to AD


Nic, we have implemented Simple Sync, for roughly about 12 connectors and
are pleased with the tool.  It is syncing roughly 3 LDAP

RE: [ActiveDir] Users leaving

2005-03-07 Thread Mulnick, Al
Why are you changing the password for the account and then later deleting
it?  Isn't that redundant?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton
Sent: Monday, March 07, 2005 7:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Users leaving

Hey all! 

Over the next few weeks we've got quite a few users leaving but as we're
only a small office we don't have a set procedure for what happens to their
account, PCs and mail etc etc ... I think I've just volunteered myself
to write one! Has anyone got any good suggestions / links that could help me
out a bit?

So far I'm going with: 
1)  remove user from all groups other than domain users and change
password 
2)  take an image of their pc then reissue the standard one back on 
3)  exmerge a copy of their mailbox to CD, move all job related emails
to relevant public folders 
4)  copy docs to CD and alert their superior of what's been left 
5)  delete user account, redirect their email to a different user 

Have I missed anything? 

Cheers, folks. :) 



For Troup Bywaters + Anders 

Tim Sutton  

T: +44 (0) 113 243 2241 
F: +44 (0) 113 242 4024 
E: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]   
W: www.TBandA.com http://www.TBandA.com

Eastgate House 
10 Eastgate 
Leeds
LS2 7JL 
Office Location Map



Groupshield 6.0 - Troup Bywaters  Anders Privilege and Confidentiality
Notice This email and any attachments to it are intended only for the party
to whom they are addressed. They may contain privileged and / or
confidential information. If you have received this transmission in error
please notify the sender immediately and delete any digital copies and
destroy any paper copies. Thank you.




RE: [ActiveDir] WINS

2005-03-07 Thread Mulnick, Al
To be fair, Exchange setup requires WINS.  Without it, setup fails.
Outside of that, Exchange requires shortname resolution, but the only answer
to verify that you have shortname resolution is to use WINS/Netbios
resolution. 

Can you run without it?  Yep.  Is it supported?  Not currently.  

Older versions of Outlook require it, but 2003 can use FQDN (which is needed
for remote access situations).  

Short version?  You really should maintain WINS in your Microsoft
environment especially for cases not covered by Exchange.  SQL, SMS, MOM etc
will need it. Legacy apps will depend on it as well.   If you know you only
need shortname resolution and can get away with it, you *could* run
Exchange/AD in a non-WINS environment, but just don't run into any problems
where you need to get support. :)

-ajm

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Sunday, March 06, 2005 10:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WINS

Both Outlook and Exchange are users of NetBIOS name resolution - to wit, in
the general case, WINS.
 
Outlook uses it to determine where to find its Exchange server to connect to
and sometimes for what DC to use (GC information comes from DNS unless
overridden by a registry item). Outlook will normally fall back to DNS
except in some pathological conditions. Documented, but not public I don't
think (my copy is dated during OL 2003 beta testing and it could've changed
since then - I haven't run a network trace like joe probably has).
 
The easiest thing to note about Exchange is that Exchange servers (take a
look at them in your CN=Servers,CN=Administrative Group,CN=Administrative
Groups,CN=Organization Name,CN=Microsoft
Exchange,CN=Services,CN=Configuration,domain) aren't known by a FQDN or DN
or GUID back into the A/D. Do some searching with ADSIedit for yourself on
that topic. :-P Since Exchange is a forest-wide entity, hostnames could be
duplicated in the DNS (note: I didn't say FQDN's - I said hostnames), but
they can't be duplicated in WINS.
  
-Original Message-
From: [EMAIL PROTECTED]
[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
ActiveDir@mail.activedir.org
Sent: Sun Mar 06 12:55:30 2005
Subject: [ActiveDir] WINS
  
Is WINS still needed for exchange 2003? Some have said
outlook still needs
WINS.
  


RE: [ActiveDir] Users leaving

2005-03-07 Thread Mulnick, Al
Just curious.  Seems that you're changing the password and then deleting the
account.  If you need to access that information using that account, I can
understand.  Just figured I'd check.

Other than that, it seems like when you're done, you'll have an archive of
the users mail and desktop configuration/data and will have removed that
user account.  That sounds like the goals are being met to me. 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton
Sent: Monday, March 07, 2005 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Users leaving

Not if it's a user assigned one. I'm changing them to a password I know and
it also means that any of his / her friends won't be tempted to use that
account for things. 




For Troup Bywaters + Anders 

Tim Sutton  

T: +44 (0) 113 243 2241
F: +44 (0) 113 242 4024 
E: [EMAIL PROTECTED]
W: www.TBandA.com   

Eastgate House
10 Eastgate 
Leeds
LS2 7JL
Office Location Map 

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: 07 March 2005 14:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Users leaving

Why are you changing the password for the account and then later deleting
it?  Isn't that redundant?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton
Sent: Monday, March 07, 2005 7:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Users leaving

Hey all! 

Over the next few weeks we've got quite a few users leaving but as we're
only a small office we don't have a set procedure for what happens to their
account, PCs and mail etc etc ... I think I've just volunteered myself
to write one! Has anyone got any good suggestions / links that could help me
out a bit?

So far I'm going with: 
1)  remove user from all groups other than domain users and change
    password 
2)  take an image of their pc then reissue the standard one back on 
3)  exmerge a copy of their mailbox to CD, move all job related emails
    to relevant public folders 
4)  copy docs to CD and alert their superior of what's been left 
5)  delete user account, redirect their email to a different user 

Have I missed anything? 

Cheers, folks. :) 



For Troup Bywaters + Anders 

Tim Sutton  

T: +44 (0) 113 243 2241 
F: +44 (0) 113 242 4024 
E: [EMAIL PROTECTED]
W: www.TBandA.com


Eastgate House 
10 Eastgate 
Leeds
LS2 7JL
Office Location Map



Groupshield 6.0 - Troup Bywaters  Anders Privilege and Confidentiality
Notice This email and any attachments to it are intended only for the party
to whom they are addressed. They may contain privileged and / or
confidential information. If you have received this transmission in error
please notify the sender immediately and delete any digital copies and
destroy any paper copies. Thank you.








RE: [ActiveDir] OU's listed

2005-03-07 Thread Mulnick, Al
I haven't done it lately, but I would assume you can bind to the root and
iterate the children looking for OU objects.  You could also create a query
that searches the domain for objectClass of organizationalUnit and then add
each of the ones you find to the application nodes. 

An example ldap query that would do it would be:
(&(objectClass=organizationalUnit)(objectCategory=CN=Organizational-Unit,CN=
Schema,CN=Configuration,DC=root_domain,DC=com))
Ask for just the names or the DN's to be returned.

LDAP dialect is more familiar to me than SQL, but I would imagine either
could be done.

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Stelley, Douglas
Sent: Monday, March 07, 2005 11:07 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OU's listed

Is there a way to query Active Directory and return all OU's?
perhaps a SQL query?
 
I can use dsquery ou I suppose, but I'm writing a .net that can be a front
end for our help desk in easing simple user management tasks.
I have a hard coded version, but I'd like to have a query that will return
all available OU's in a drop down select box for user moves within this
domain.
Thanks
Doug Stelley
 
This time, like all time, is a very good one if we but know what to do with
it. - Ralph Waldo Emerson
 

Confidentiality Notice: The information contained in this message may be
legally privileged and confidential information intended only for the use of
the individual or entity named above. If the reader of this message is not
the intended recipient, or the employee or agent responsible to deliver it
to the intended recipient, you are hereby notified that any release,
dissemination, distribution, or copying of this communication is strictly
prohibited. If you have received this communication in error please notify
the author immediately by replying to this message and deleting the original
message. Thank you.


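As an added example (not code from the list post or from Doug's help-desk application), here is the OU query from Al's reply assembled in Python, together with the two pieces a front end needs around it: escaping of any operator-typed value that gets spliced into a filter, and turning the returned OU DNs into a tree for the drop-down. The domain name, the sample DNs and all function names are constructed for illustration; nothing here talks to a live directory, so the DNs stand in for what the search would return.

```python
"""Building the OU query from the reply and shaping its results for a
drop-down.  Added example; not code from the list post or from the
help-desk application it describes.  The domain name, the DNs and the
function names are constructed for illustration: nothing here talks to
a live directory, so the DNs stand in for what a search would return."""

# Filter from the reply.  The objectCategory DN is spelled out with a
# placeholder domain; AD also accepts the short form
# (objectCategory=organizationalUnit), which it expands to this DN itself.
SCHEMA_NC = "CN=Schema,CN=Configuration,DC=root_domain,DC=com"  # placeholder
OU_FILTER = ("(&(objectClass=organizationalUnit)"
             f"(objectCategory=CN=Organizational-Unit,{SCHEMA_NC}))")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a search filter.

    A help-desk front end that builds a filter from a text box needs this:
    without it, '*', '(' or ')' typed by the operator become filter syntax
    and the query no longer matches what was intended."""
    special = "\\*()\0"
    return "".join("\\%02x" % ord(c) if c in special else c for c in value)


def user_move_filter(sam_account_name: str) -> str:
    """Filter to find the one user the help desk wants to move into an OU."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(sAMAccountName={escape_filter_value(sam_account_name)}))")


def split_dn(dn: str) -> list:
    """Split a DN into RDNs on commas that are not backslash-escaped,
    so an OU named 'Sales, EMEA' (stored as 'OU=Sales\\, EMEA') stays whole."""
    parts, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair together
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(dn[i])
        i += 1
    parts.append("".join(current).strip())
    return parts


def parent_dn(dn: str) -> str:
    return ",".join(split_dn(dn)[1:])


def rdn_value(dn: str) -> str:
    """Display name for the drop-down: the leading RDN's value, unescaped."""
    return split_dn(dn)[0].split("=", 1)[1].replace("\\,", ",")


def ou_dropdown(ou_dns):
    """Return [(depth, label, dn), ...] in tree order for a select box.

    An OU whose parent is not itself in the list (its parent is the domain
    head, or a container the query did not return) starts a top-level
    branch; siblings are sorted case-insensitively by name."""
    known = set(ou_dns)
    children, roots = {}, []
    for dn in ou_dns:
        parent = parent_dn(dn)
        if parent in known:
            children.setdefault(parent, []).append(dn)
        else:
            roots.append(dn)

    def by_name(dn):
        return rdn_value(dn).lower()

    def walk(dn, depth, out):
        out.append((depth, rdn_value(dn), dn))
        for child in sorted(children.get(dn, []), key=by_name):
            walk(child, depth + 1, out)

    rows = []
    for root in sorted(roots, key=by_name):
        walk(root, 0, rows)
    return rows


# Constructed sample: the DNs an OU search against DC=example,DC=com might
# return, deliberately out of order and with one comma-bearing OU name.
SAMPLE_OU_DNS = [
    "OU=Users,OU=Leeds,DC=example,DC=com",
    "OU=Leeds,DC=example,DC=com",
    "OU=Sales\\, EMEA,OU=Leeds,DC=example,DC=com",
    "OU=Accounts,DC=example,DC=com",
    "OU=Disabled Accounts,OU=Accounts,DC=example,DC=com",
]

if __name__ == "__main__":
    print(OU_FILTER)
    print(user_move_filter("o'brien (contractor)"))  # parentheses escaped
    for depth, label, dn in ou_dropdown(SAMPLE_OU_DNS):
        print("  " * depth + label, "->", dn)
```

With a live directory, the DN list would come from dsquery ou (as Doug mentions) or from an LDAP search with OU_FILTER; the tree and escaping logic are the same either way.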

RE: [ActiveDir] Active Directory and LDAP

2005-03-07 Thread Mulnick, Al
Personally?  I like to think of AD as a GUI to Microsoft's implementation of
LDAP.  That simplifies a lot of things for me.  However, there is more to it
than that and the books you ordered should help in clarifying that.  

You don't need to know LDAP to make AD work, but it helps.  It's a great
help to me to understand the differences between Microsoft's AD and Sun's
implementation of LDAP or IBM's implementation or any of the others for the
basics.  

When you start getting into managing the directory and the objects in the
directory, Microsoft really differentiates itself with GPO's and the
multi-master replication and the tools to support the infrastructure.  

As you're looking at this, remember that name resolution is one of the most
important things you can deal with when making AD a solid enterprise app. 

The book from O'Reilly sounds like Robbie's book.  I haven't read it, but
have heard good things about it (what can I say Robbie, I don't have a
budget for it :)  If it's not Robbie's book for AD, then it would be a good
idea to grab that one as well.
http://www.amazon.com/exec/obidos/ASIN/0596004664/103-8355416-0173405

Sakari Kouti also has written a good book, called, Inside Active Directory
that would be worth picking up. http://www.kouti.com/

You should be able to find some other information about books at
http://www.activedir.org 


Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kenny Mann
Sent: Monday, March 07, 2005 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory and LDAP

I don't understand LDAP and Active Directory as much as I should.
So, I've ordered 2 LDAP books (O'Reilly and another) to learn.
I'm curious as to how much LDAP and Active Directory have in common. Is AD
just a GUI for LDAP?
Perhaps there is a book everyone here recommends or will my LDAP books
hopefully cover enough so I could be able to feel my way around Active
Directory good enough?

Doing a search with the word 'book' gives a ton of irrelevant searches in the
archives. 
I saw one book but it's out of print.

Kenny Mann


RE: [ActiveDir] Active Directory and LDAP

2005-03-07 Thread Mulnick, Al
Didn't forget, just haven't heard of it.  I will remember now though :) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 07, 2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

Hey now... Don't forget about Alistair. He did that first edition himself
and did it well. :)

The Cat Book rocks. Actually I should get royalties for that one too, I have
made a bunch of people buy it and have bought and given away multiple copies
myself. I still have my first copy though it is quite dog-eared and I put
laminating plastic on the covers so they wouldn't get too torn up. 

Here is the actual AD Org Books link - http://www.activedir.org/Books.aspx ,
actually it would be kind of cool if we could rate them. How about it Tony?
Have a couple of fields for each, number of people who have the book, number
of people who recommend it, number of people who don't recommend it. 

I am surprised AD Developers Reference Library by Iseminger is on the list.
That is a great book but wouldn't expect a lot of the list users to have
read it. I recall reading it back in like 2001 or so and getting a bit
scared at what a really pissed off AD programmer could pull off. 


  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 07, 2005 11:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

Personally?  I like to think of AD as a GUI to Microsoft's implementation of
LDAP.  That simplifies a lot of things for me.  However, there is more to it
than that and the books you ordered should help in clarifying that.  

You don't need to know LDAP to make AD work, but it helps.  It's a great
help to me to understand the differences between Microsoft's AD and Sun's
implementation of LDAP or IBM's implementation or any of the others for the
basics.  

When you start getting into managing the directory and the objects in the
directory, Microsoft really differentiates itself with GPO's and the
multi-master replication and the tools to support the infrastructure.  

As you're looking at this, remember that name resolution is one of the most
important things you can deal with when making AD a solid enterprise app. 

The book from O'Reilly sounds like Robbie's book.  I haven't read it, but
have heard good things about it (what can I say Robbie, I don't have a
budget for it :)  If it's not Robbie's book for AD, then it would be a good
idea to grab that one as well.
http://www.amazon.com/exec/obidos/ASIN/0596004664/103-8355416-0173405

Sakari Kouti also has written a good book, called, Inside Active Directory
that would be worth picking up. http://www.kouti.com/

You should be able to find some other information about books at
http://www.activedir.org 


Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kenny Mann
Sent: Monday, March 07, 2005 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory and LDAP

I don't understand LDAP and Active Directory as much as I should.
So, I've ordered 2 LDAP books (O'Reilly and another) to learn.
I'm curious as to how much LDAP and Active Directory have in common. Is AD
just a GUI for LDAP?
Perhaps there is a book everyone here recommends or will my LDAP books
hopefully cover enough so I could be able to feel my way around Active
Directory good enough?

Doing a search with the word 'book' gives a ton of irrelevant searches in the
archives. 
I saw one book but it's out of print.

Kenny Mann


RE: [ActiveDir] Renaming Accounts

2005-03-07 Thread Mulnick, Al


I assume you're talking about this?
http://support.microsoft.com/?kbid=248793

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Mezzone
Sent: Monday, March 07, 2005 11:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Renaming Accounts

Last week there was a thread about renaming accounts. I did this over the
weekend for an assistant that was replaced. Everything is fine except for
the following. When you go into Outlook the top level folder (if you want to
call it a folder) for the users mailbox has the old person's name. When you
right click it and select properties the field where this name appears is
read only. Does anyone know where this information is stored and can it be
modified? Windows Server 2003 with Exchange 2003. I don't see anything in
ADUC or Exchange Manager. I'm not really sure where this would be found so
I'm having a hard time finding info on Google or Technet.
 
Thanks.


RE: [ActiveDir] Active Directory and LDAP

2005-03-07 Thread Mulnick, Al
The one that's out of print?
http://www.amazon.com/gp/product/product-description/0672315874/103-8355416-0173405?_encoding=UTF8&n=283155

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 07, 2005 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

Aww, man... How come my book isn't up there?

-gil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 07, 2005 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

Hey now... Don't forget about Alistair. He did that first edition himself
and did it well. :)

The Cat Book rocks. Actually I should get royalties for that one too, I have
made a bunch of people buy it and have bought and given away multiple copies
myself. I still have my first copy though it is quite dog-eared and I put
laminating plastic on the covers so they wouldn't get too torn up. 

Here is the actual AD Org Books link -
http://www.activedir.org/Books.aspx ,
actually it would be kind of cool if we could rate them. How about it Tony?
Have a couple of fields for each, number of people who have the book, number
of people who recommend it, number of people who don't recommend it. 

I am surprised AD Developers Reference Library by Iseminger is on the list.
That is a great book but wouldn't expect a lot of the list users to have
read it. I recall reading it back in like 2001 or so and getting a bit
scared at what a really pissed off AD programmer could pull off. 


  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 07, 2005 11:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

Personally?  I like to think of AD as a GUI to Microsoft's implementation of
LDAP.  That simplifies a lot of things for me.  However, there is more to it
than that and the books you ordered should help in clarifying that.  

You don't need to know LDAP to make AD work, but it helps.  It's a great
help to me to understand the differences between Microsoft's AD and Sun's
implementation of LDAP or IBM's implementation or any of the others for the
basics.  

When you start getting into managing the directory and the objects in the
directory, Microsoft really differentiates itself with GPO's and the
multi-master replication and the tools to support the infrastructure.  

As you're looking at this, remember that name resolution is one of the most
important things you can deal with when making AD a solid enterprise app. 

The book from O'Reilly sounds like Robbie's book.  I haven't read it, but
have heard good things about it (what can I say Robbie, I don't have a
budget for it :)  If it's not Robbie's book for AD, then it would be a good
idea to grab that one as well.
http://www.amazon.com/exec/obidos/ASIN/0596004664/103-8355416-0173405

Sakari Kouti also has written a good book, called, Inside Active Directory
that would be worth picking up. http://www.kouti.com/

You should be able to find some other information about books at
http://www.activedir.org 


Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kenny Mann
Sent: Monday, March 07, 2005 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory and LDAP

I don't understand LDAP and Active Directory as much as I should.
So, I've ordered 2 LDAP books (O'Reilly and another) to learn.
I'm curious as to how much LDAP and Active Directory have in common. Is AD
just a GUI for LDAP?
Perhaps there is a book everyone here recommends or will my LDAP books
hopefully cover enough so I could be able to feel my way around Active
Directory good enough?

Doing a search with the word 'book' gives a ton of irrelevant searches in the
archives. 
I saw one book but it's out of print.

Kenny Mann


RE: [ActiveDir] Active Directory and LDAP

2005-03-07 Thread Mulnick, Al
Great way to do it.  

For what it's worth, anytime you're trying to decide between SQL-type DB's
and LDAP, the usual differentiator is how you intend to use it.  LDAP is
highly-optimized for read access.  SQL db's typically are more read/write
(compared) optimized since you inject data into them and then process it.
SQL db's also are useful for reporting and such.  

They're both DB's in the truest sense of the word.  Different intended uses.

Good luck,

Al  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kenny Mann
Sent: Monday, March 07, 2005 12:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

Ahh, thank you very much (both of you).
Strange. Ad.org's site seems to not be responding.
Here's the story.
As a personal hobby I run a few domains.
I used the Gentoo Virtual Hosts setup. I'm currently writing my own but
that's beside the point.
It uses MySQL as a database.
I get curious and start poking around LDAP wondering if LDAP would be better
than MySQL.
I have a Windows 2003 AD at my place of employment, so I start poking around
to see some stuff and realize that any changes I make could break things.
So, I'm going to set up a Linux and Windows 2k3 test lab at home to play with
it.
Now I know I should get books on both LDAP and AD. Since I have some LDAP,
I'll start looking at AD books.

I really don't know what career I want in life, so I'm currently poking and
stabbing things just to learn and see what I like.

I really appreciate your advice!

Kenny 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 07, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

Hey now... Don't forget about Alistair. He did that first edition himself
and did it well. :)

The Cat Book rocks. Actually I should get royalties for that one too, I have
made a bunch of people buy it and have bought and given away multiple copies
myself. I still have my first copy though it is quite dog-eared and I put
laminating plastic on the covers so they wouldn't get too torn up. 

Here is the actual AD Org Books link -
http://www.activedir.org/Books.aspx , actually it would be kind of cool if
we could rate them. How about it Tony?
Have a couple of fields for each, number of people who have the book, number
of people who recommend it, number of people who don't recommend it. 

I am surprised AD Developers Reference Library by Iseminger is on the list.
That is a great book but wouldn't expect a lot of the list users to have
read it. I recall reading it back in like 2001 or so and getting a bit
scared at what a really pissed off AD programmer could pull off. 


  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 07, 2005 11:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

Personally?  I like to think of AD as a GUI to Microsoft's implementation of
LDAP.  That simplifies a lot of things for me.
However, there is more to it than that and the books you ordered should help
in clarifying that.  

You don't need to know LDAP to make AD work, but it helps.  It's a great
help to me to understand the differences between Microsoft's AD and Sun's
implementation of LDAP or IBM's implementation or any of the others for the
basics.  

When you start getting into managing the directory and the objects in the
directory, Microsoft really differentiates itself with GPO's and the
multi-master replication and the tools to support the infrastructure.  

As you're looking at this, remember that name resolution is one of the most
important things you can deal with when making AD a solid enterprise app. 

The book from O'Reilly sounds like Robbie's book.  I haven't read it, but
have heard good things about it (what can I say Robbie, I don't have a
budget for it :)  If it's not Robbie's book for AD, then it would be a good
idea to grab that one as well.
http://www.amazon.com/exec/obidos/ASIN/0596004664/103-8355416-0173405

Sakari Kouti also has written a good book, called, Inside Active Directory
that would be worth picking up. http://www.kouti.com/

You should be able to find some other information about books at
http://www.activedir.org 


Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kenny Mann
Sent: Monday, March 07, 2005 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory and LDAP

I don't understand LDAP and Active Directory as much as I should.
So, I've ordered 2 LDAP books (O'Reilly and another) to learn.
I'm curious as to how much LDAP and Active Directory have in common. Is AD
just a GUI for LDAP?
Perhaps there is a book everyone here recommends or will my LDAP books
hopefully cover enough so I could be able to feel my way around Active
Directory good enough?

Doing

RE: [ActiveDir] Active Directory and LDAP

2005-03-07 Thread Mulnick, Al
Certainly didn't want to imply... 

Maybe it's time for the next book? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 07, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

Yeah, well there's that... 

But that doesn't mean it isn't *good* :)

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 07, 2005 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

The one that's out of print?
http://www.amazon.com/gp/product/product-description/0672315874/103-8355416-0173405?_encoding=UTF8&n=283155

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 07, 2005 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

Aww, man... How come my book isn't up there?

-gil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 07, 2005 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

Hey now... Don't forget about Alistair. He did that first edition himself
and did it well. :)

The Cat Book rocks. Actually I should get royalties for that one too, I have
made a bunch of people buy it and have bought and given away multiple copies
myself. I still have my first copy though it is quite dog-eared and I put
laminating plastic on the covers so they wouldn't get too torn up. 

Here is the actual AD Org Books link -
http://www.activedir.org/Books.aspx ,
actually it would be kind of cool if we could rate them. How about it Tony?
Have a couple of fields for each, number of people who have the book, number
of people who recommend it, number of people who don't recommend it. 

I am surprised AD Developers Reference Library by Iseminger is on the list.
That is a great book but wouldn't expect a lot of the list users to have
read it. I recall reading it back in like 2001 or so and getting a bit
scared at what a really pissed off AD programmer could pull off. 


  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 07, 2005 11:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

Personally?  I like to think of AD as a GUI to Microsoft's implementation of
LDAP.  That simplifies a lot of things for me.  However, there is more to it
than that and the books you ordered should help in clarifying that.  

You don't need to know LDAP to make AD work, but it helps.  It's a great
help to me to understand the differences between Microsoft's AD and Sun's
implementation of LDAP or IBM's implementation or any of the others for the
basics.  

When you start getting into managing the directory and the objects in the
directory, Microsoft really differentiates itself with GPO's and the
multi-master replication and the tools to support the infrastructure.  

As you're looking at this, remember that name resolution is one of the most
important things you can deal with when making AD a solid enterprise app. 

The book from O'Reilly sounds like Robbie's book.  I haven't read it, but
have heard good things about it (what can I say Robbie, I don't have a
budget for it :)  If it's not Robbie's book for AD, then it would be a good
idea to grab that one as well.
http://www.amazon.com/exec/obidos/ASIN/0596004664/103-8355416-0173405

Sakari Kouti also has written a good book, called, Inside Active Directory
that would be worth picking up. http://www.kouti.com/

You should be able to find some other information about books at
http://www.activedir.org 


Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kenny Mann
Sent: Monday, March 07, 2005 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory and LDAP

I don't understand LDAP and Active Directory as much as I should.
So, I've ordered 2 LDAP books (O'Reilly and another) to learn.
I'm curious as to how much LDAP and Active Directory have in common. Is AD
just a GUI for LDAP?
Perhaps there is a book everyone here recommends or will my LDAP books
hopefully cover enough so I could be able to feel my way around Active
Directory good enough?

Doing a search with the word 'book' gives a ton of irrelevant searches in the
archives. 
I saw one book but it's out of print.

Kenny Mann

RE: [ActiveDir] Active Directory and LDAP

2005-03-07 Thread Mulnick, Al
Potatoe/Potato sort of thing.  

It is LDAP and it is an upgrade path from legacy systems such as WINNT.  

How you use it plays a part.  If you use it as a LDAP directory, then it
*is* a LDAP directory right?  If you use it as a WINNT 5.x domain, then it
*is* a WINNT 5.x domain.  

To say it's a GUI for LDAP is one way to look at it as Gil alluded to; you
can maintain AD 95% of the time with command line (using built in tools) vs.
GUI.  It is LDAP at its core with a lot of other features added on to make
it usable for new as well as legacy apps. 


Kind of like Apple OS is a GUI for BSD ;)

Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, March 07, 2005 12:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

joe wrote:
 O'Reilly's Active Directory book is a good primer. That is the first 
 AD book I read (it was first edition back then though). Once you have 
 the basics down I would recommend moving into Active Directory 
 Cookbook also by O'Reilly and Inside Active Directory, 2e from 
 Addison-Wesley; both excellent books with very different goals.  The 
 cookbook gives you recipes for getting common tasks done. Inside AD 
 is a great book for understanding a lot of the details. It is probably 
 the only book I have tech reviewed where I was often saying... Wow, I 
 didn't know that followed quickly by, How did Mika and Sakari get 
 this info?.
 
It was my impression that AD is MS's version of an LDAP dir service with
certain proprietary schema to allow for MS specific objects/attributes and
Kerberos realms in place of domains to allow for transitive trusts and
mutual auth with support for external domain trusts and NTLM only for
backwards compatibility.
And aside from the schema additions and a different replication topology and
the way the dir is sliced and diced (config naming context, domain naming
context, etc), it's a true LDAP server no different from NDS or OpenLDAP.
Esp since win2k3 and the inetOrgPerson.
Am I totally off base here?
It's def not a GUI for LDAP but just an LDAP server with those changes/mods




 Active Directory is the implementation of the Windows Domain 
 environment. It incorporates Kerberos and LDAP and other technologies 
 to provide domain and directory services.
 
 I guess I can see where people could come to the same conclusion that 
 AD is simply a GUI, but it is much more than that and in fact, you 
 don't even have to use GUI tools to work on it, though for many it is 
 much easier to do so. I spend most of my AD time not in the GUI, 
 though others spend all of their AD time in the GUI. Depends on the 
 person and what they have to accomplish and what tools they have in 
 their toolbox to accomplish it.
 
   joe
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Kenny Mann
 Sent: Monday, March 07, 2005 11:41 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Active Directory and LDAP
 
 I don't understand LDAP and Active Directory as much as I should.
 So, I've ordered 2 LDAP books (O'Reilly and another) to learn.
 I'm curious as to how much LDAP and Active Directory have in common.
 Is AD just a GUI for LDAP?
 Perhaps there is a book everyone here recommends or will my LDAP books 
 hopefully cover enough so I could be able to feel my way around Active 
 Directory good enough?
 
 Doing a search with the word 'book' gives a ton of irrelevant searches 
 in the archives.
 I saw one book but it's out of print.
 
 Kenny Mann
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/
 



RE: [ActiveDir] Active Directory and LDAP

2005-03-07 Thread Mulnick, Al
 is on the list.
That is a great book but wouldn't expect a lot of the list users to have
read it. I recall reading it back in like 2001 or so and getting a bit
scared at what a really pissed off AD programmer could pull off. 


  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 07, 2005 11:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

Personally?  I like to think of AD as a GUI to Microsoft's implementation of
LDAP.  That simplifies a lot of things for me.
However, there is more to it than that and the books you ordered should help
in clarifying that.  

You don't need to know LDAP to make AD work, but it helps.  It's a great
help to me to understand the differences between Microsoft's AD and Sun's
implementation of LDAP or IBM's implementation or any of the others for the
basics.  

When you start getting into managing the directory and the objects in the
directory, Microsoft really differentiates itself with GPO's and the
multi-master replication and the tools to support the infrastructure.  

As you're looking at this, remember that name resolution is one of the most
important things you can deal with when making AD a solid enterprise app. 

The book from O'Reilly sounds like Robbie's book.  I haven't read it, but
have heard good things about it (what can I say Robbie, I don't have a
budget for it :)  If it's not Robbie's book for AD, then it would be a good
idea to grab that one as well.
http://www.amazon.com/exec/obidos/ASIN/0596004664/103-8355416-0173405

Sakari Kouti also has written a good book, called, Inside Active Directory
that would be worth picking up. http://www.kouti.com/

You should be able to find some other information about books at
http://www.activedir.org 


Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kenny Mann
Sent: Monday, March 07, 2005 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory and LDAP

I don't understand LDAP and Active Directory as much as I should.
So, I've ordered 2 LDAP books (O'Reilly and another) to learn.
I'm curious as to how much LDAP and Active Directory have in common. Is AD
just a GUI for LDAP?
Perhaps there is a book everyone here recommends or will my LDAP books
hopefully cover enough so I could be able to feel my way around Active
Directory good enough?

Doing a search with the word 'book' gives a ton of irrelevant searches in the
archives. 
I saw one book but it's out of print.

Kenny Mann


RE: [ActiveDir] Changing Prompt user to change password before expiration notification

2005-03-07 Thread Mulnick, Al
Wouldn't it make more sense to just turn that off and send them a
notification via the third-party app?  What's their recommendation?  

al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Olegario, Alan
Sent: Monday, March 07, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing Prompt user to change password before
expiration notification

Is it possible to change the text for the security setting Interactive
logon: Prompt user to change password before expiration

 

The reason we're looking to do this is that we have a 3rd party password
management application, and we still want to use the windows notification
for password aging, but instead of having them changing their password
within the pop-up box that comes up, we want them to send them to a link, or
give them step by step instruction on what to do.

 

Alan Olegario

Lead Analyst, Systems Engineering

Tiffany & Co.

973-254-7253

[EMAIL PROTECTED]

 



The information contained in this email message may be privileged,
confidential, and protected from disclosure. Any unauthorized use, printing,
copying, disclosure, dissemination of or reliance upon this communication by
persons other than the intended recipient may be subject to legal
restriction or sanction. If you think that you have received this E-mail
message in error, please reply to the sender and delete this email promptly.


RE: [ActiveDir] Changing Prompt user to change password before expiration notification

2005-03-07 Thread Mulnick, Al
You might take a look at the platform SDK and see if there is anything in
there about it.  Be aware that if you have multiple desktops, there may be
multiple places to make changes.  I'd be more of a fan of writing a script
to notify users of password expiration than I would of re-writing,
deploying, and supporting custom code to the desktops. 

IIRC, the information for that notification is received by the workstation
with parameters but the text and facility to change the text lives on the
workstation not on the servers.


One example of a script that uses email to notify (there are many) can be
found here http://www.houseofqueues.com/CodeSamples.html
 
There is plenty of room for improvement in that script as well ;)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Olegario, Alan
Sent: Monday, March 07, 2005 4:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Prompt user to change password before expiration notification

What I'm told (InfoSec is checking on this) is that the application does not
handle notification.  I was thinking about just writing a script to check
when the user's passwords will expire and then shoot them over an email but
figured I'd try to see if there's any easy way to change the text first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 07, 2005 4:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Changing Prompt user to change password before expiration notification

Wouldn't it make more sense to just turn that off and send them a
notification via the third-party app?  What's their recommendation?  

al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Olegario, Alan
Sent: Monday, March 07, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing Prompt user to change password before
expiration notification

Is it possible to change the text for the security setting Interactive
logon: Prompt user to change password before expiration

 

The reason we're looking to do this is that we have a 3rd party password
management application, and we still want to use the windows notification
for password aging, but instead of having them changing their password
within the pop-up box that comes up, we want them to send them to a link, or
give them step by step instruction on what to do.

 

Alan Olegario

Lead Analyst, Systems Engineering

Tiffany & Co.

973-254-7253

[EMAIL PROTECTED]

 



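A script of the kind Al describes, working out who is due for a password-expiry notice, as an added example that is not code from the thread or from the linked site. It assumes the relevant attributes (pwdLastSet, userAccountControl, the domain's maxPwdAge) have already been pulled from AD; the sample users, the 90-day policy and the account names are constructed.

```python
"""Password-expiry notification helper.

Added example, not from the list thread. It works from attributes exported
from AD: each user's pwdLastSet and userAccountControl, plus the domain's
maxPwdAge. pwdLastSet is a Windows FILETIME (100-ns intervals since
1601-01-01 UTC); maxPwdAge is a negative interval in the same unit. The
sample users and the 90-day policy below are constructed.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ADS_UF_ACCOUNTDISABLE = 0x0002        # userAccountControl bits
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
MAXPWDAGE_NEVER = -(2 ** 63)          # maxPwdAge when the domain policy is "never"


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used here to build sample data)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def expiry_status(pwd_last_set, uac, max_pwd_age, now):
    """Classify one account. Returns (status, days_left).

    status is one of: disabled, never, must_change, expiring. days_left is
    only set for expiring and goes negative once the password has expired.
    """
    if uac & ADS_UF_ACCOUNTDISABLE:
        return "disabled", None
    if uac & ADS_UF_DONT_EXPIRE_PASSWD or max_pwd_age == MAXPWDAGE_NEVER:
        return "never", None
    if pwd_last_set == 0:
        # pwdLastSet of 0 means "user must change password at next logon"
        return "must_change", None
    lifetime = timedelta(microseconds=(-max_pwd_age) // 10)
    expires_at = filetime_to_datetime(pwd_last_set) + lifetime
    return "expiring", (expires_at - now).days


def users_to_notify(users, max_pwd_age, now, warn_days=14):
    """Return {sAMAccountName: days_left} for accounts whose password expires
    within warn_days, including ones already past expiry (negative days)."""
    due = {}
    for name, pwd_last_set, uac in users:
        status, days_left = expiry_status(pwd_last_set, uac, max_pwd_age, now)
        if status == "expiring" and days_left <= warn_days:
            due[name] = days_left
    return due


def sample_filetime(year, month, day):
    """FILETIME for midnight UTC on the given date (sample-data helper)."""
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


# Constructed sample: 90-day policy, evaluated on the day of the thread.
NOW = datetime(2005, 3, 7, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE_90_DAYS = -90 * 24 * 3600 * 10_000_000

SAMPLE_USERS = [
    # (sAMAccountName, pwdLastSet, userAccountControl); 0x200 = NORMAL_ACCOUNT
    ("alice", sample_filetime(2005, 2, 25), 0x200),                           # 79 days left
    ("bob",   sample_filetime(2004, 12, 10), 0x200),                          # 2 days left
    ("carol", sample_filetime(2004, 11, 1), 0x200 | ADS_UF_DONT_EXPIRE_PASSWD),
    ("dave",  0, 0x200),                                                      # must change
    ("erin",  sample_filetime(2004, 11, 1), 0x200),                           # expired 37 days ago
    ("frank", sample_filetime(2004, 12, 10), 0x200 | ADS_UF_ACCOUNTDISABLE),
]

if __name__ == "__main__":
    for name, days in sorted(users_to_notify(SAMPLE_USERS, MAX_PWD_AGE_90_DAYS, NOW).items()):
        print(f"{name}: password expires in {days} day(s)")
```

The dictionary it returns is the input for whatever delivery you choose (mail, help-desk ticket, the third-party app), which keeps the desktop prompt text untouched.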


RE: [ActiveDir] ADAM - Clarification

2005-03-06 Thread Mulnick, Al
I wouldn't use SASL for this myself.  I don't believe I'd want my customer
data in the windows SAM as that could run into scalability issues (that's
why we went with AD in a distributed fashion vs. local SAM right?)

From your description, a simple bind is the way to go.  You'll want to
secure the transmission of course and lock down which machines can gain
access to the server/port hosting the ADAM instance.  

For what it's worth, this would be the same as in the case of using SunLDAP
or OpenLDAP because they are just doing a bind to an identity store and then
possibly looking at the group membership for authorization purposes. 

My $0.04 anyway,

al

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, March 05, 2005 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM - Clarification

All - 

We have a Web Portal solution that has the option to use LDAP v3 for AuthN
calls.  Obviously, we want to use AD for our internal customers, and
implement user objects that would not reside in AD for our external
customers.

In my mind, this screams ADAM.  I can create the user objects in ADAM for
the external customers.  And, I've read thoroughly the Tech Refs and some
other words from Joe Kaplan on the subject.  I also took a look at ~Eric's
blog for a post or two, which were helpful.

The problem - to the point - is this.  The Portal web server, where the LDAP
AuthN calls come from is in the external perimeter.  There are four options
that are indicated in the docs:

# Anonymous bind (no password)
# Simple LDAP bind (ADAM security principal with password)
# SASL binding (Windows security principal in local computer or AD)
# Bind redirection (security principal is in ADAM, but has a reference to an AD security principal)

Bind redirection (userProxy) has a domain membership requirement for the
machine on which ADAM resides.  Given that the security requirements won't
allow this, this one is out.

However, I can't seem to find anything that indicates the requirements for
SASL bind.  Is this an option?

The bottom line is that I want to use ADAM, but have run into this brick
wall.  What options do I have, as I've exhausted the resources that I have
at my disposal, at this point in time at least :)

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food




RE: [ActiveDir] ADAM - Clarification

2005-03-06 Thread Mulnick, Al
Nuts!  I had to go back and read the part about the internal users also
gaining access with internal credentials. 

So to me this screams multiple instances of a directory 1 for internal and
one for external users.  The internal users DB would use SASL bind
techniques and would have to be able to talk to the AD for authentication.
The external users would only use simple bind techniques.  

Saying that, I haven't tried it, but I'm wondering if you could mix and
match: some that are AD proxy objects (I know you said it's out, but..) and
some that are not.  What would the messy code look like then?

Another option is to use password synchronization.  The downside is that you
would be putting passwords for internal resources into the DMZ under the
current concept.   

The identity store is not the important factor here; the solution
requirements and your security policy are what will likely drive this to
some sort of unique solution.  ADAM is just a lot easier and more integrated
to work with than the other identity stores. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Sunday, March 06, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM - Clarification

I wouldn't use SASL for this myself.  I don't believe I'd want my customer
data in the windows SAM as that could run into scalability issues (that's
why we went with AD in a distributed fashion vs. local SAM right?)

From your description, a simple bind is the way to go.  You'll want to
secure the transmission of course and lock down which machines can gain
access to the server/port hosting the ADAM instance.  

For what it's worth, this would be the same as in the case of using SunLDAP
or OpenLDAP because they are just doing a bind to an identity store and then
possibly looking at the group membership for authorization purposes. 

My $0.04 anyway,

al

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, March 05, 2005 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM - Clarification

All - 

We have a Web Portal solution that has the option to use LDAP v3 for AuthN
calls.  Obviously, we want to use AD for our internal customers, and
implement user objects that would not reside in AD for our external
customers.

In my mind, this screams ADAM.  I can create the user objects in ADAM for
the external customers.  And, I've read thoroughly the Tech Refs and some
other words from Joe Kaplan on the subject.  I also took a look at ~Eric's
blog for a post or two, which were helpful.

The problem - to the point - is this.  The Portal web server, where the LDAP
AuthN calls come from is in the external perimeter.  There are four options
that are indicated in the docs:

# Anonymous bind (no password)
# Simple LDAP bind (ADAM security principal with password)
# SASL binding (Windows security principal in local computer or AD)
# Bind redirection (security principal is in ADAM, but has a reference to an AD security principal)

Bind redirection (userProxy) has a domain membership requirement for the
machine on which ADAM resides.  Given that the security requirements won't
allow this, this one is out.

However, I can't seem to find anything that indicates the requirements for
SASL bind.  Is this an option?

The bottom line is that I want to use ADAM, but have run into this brick
wall.  What options do I have, as I've exhausted the resources that I have
at my disposal, at this point in time at least :)

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food




RE: [ActiveDir] LDAP and related Exchange question

2005-03-05 Thread Mulnick, Al
Cool.  Didn't mean to imply that you were slacking in your reading duties :)

Some thoughts that come to mind with this: 

Some methods I've seen or considered using to deal with a multiple identity
store infrastructure (AD or other) that are used in the same organization
where unique identification is a good idea.  I see this is as a requirement
in environments where people move around and where you would need to track
this identity at a later time either for historical or compliance reasons or
possibly some other reason.  


1) Using a pseudo-random-generated-unique id and maintain that db for the
life of the systems in place
Pros: All systems that use this will have unique ids, and there will be an
easier time of deploying simplified sign-on later
Cons: Could become a large db and application itself. It's difficult to
maintain an id that works across all systems.  I.e. some authentication
systems have character limitations for legacy reasons etc.

2) Using AD's ObjectGUID.  Put another way, using one directory as the
authoritative source for a unique identifier and letting that information
flow to the rest of the identity stores
Pros: let's you maintain uniqueness to identify users across identity
boundaries
Cons: With just this as a solution, you lose historical data if the user
leaves.  If you base your solution on this attribute, because it is system
generated, if the user leaves and returns, or just changes id's in any way,
then you lose that as your key.  You could shove it into another attribute,
but now your logic becomes much more complex as you try to determine which
attribute uniquely identifies that user AND you have to maintain that GUID
somewhere in a second location to be able to persist over time.  Some
systems won't be able to handle the size and type of data (128-bit size is
not going to fit in all identity stores by default). For a lot of people AD
came later.  They already have a directory service that's authoritative for
their environment before AD showed up. 

3) Using mail address as the unique identifier across identity stores
Pros: This is expected to be unique globally (literally) with no two being
identical for functioning mail domains.  
Cons: Still needs to be recorded somewhere as in #1 and #2.  Not all
identity and authentication systems can handle storing the mail addresses;
modification to existing systems may have to occur.  It's possible to have
duplicate mail addresses, although they won't function in a mail system the
way you intend them to.  (There can't be two [EMAIL PROTECTED] 's if we
expect for the mail to make it to the intended destination.) Not all users
do nor should receive an email address.  Email addresses are sometimes
reused in some domains, so this would require a change in the process,
behavior and expectations.


With all the fuss about compliance issues in the US, Canada, and EuroUnion,
why is it that companies don't make an id manufacturing program that's
vendor-agnostic, unique across its defined realm (the organization), stores
100 years of id's, and ties in with leading HR and ERP packages?  Is it
because such things are considered in place already?  Too difficult? 

I'm sure a metadirectory eco-system could be used to help smooth this out,
but the unique seed is still left to be built for some reason.

My thoughts anyway.  I'd appreciate it if somebody would blow holes in those
thoughts :)

  


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 04, 2005 9:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

You guys make it sound like I pop in and out of this list.  I read
religiously.  :)  Thanks again... 

I do have multiple identity stores, most of which is kept in sync by MIIS
and force-fed to AD.  However, in this unique instance, we're keeping
a few attributes of each user object in sync between directories.  Problem
is their directory is flat and doesn't work very well in multiple domain
scenarios so really the whole problem is their directory can't handle the
duplication of samAccountName.  This is problematic if they present a logon
dialog to the user (directory handles permissions for other applications).
Since they want to try to maintain that one logon type of goal (lofty in
this case) they were hoping that samAccountName was unique even though I
told them many, many, many times that it was not.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, March 04, 2005 4:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

I think you interpreted it better than I did.  He wrote back and said he was
going to investigate the objectGUID path. 

I read it that he had multiple identity stores and need a global solution.
He'll still need a way to record user habits i.e. a user leaves and returns
and gets
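Carrying objectGUID into other identity stores, as option 2 above suggests, runs into its 128-bit binary form; here is an added example (not code from the thread) of converting it to the canonical string the Windows tools display, back again for a sync write, and into an escaped LDAP search filter. The GUID bytes are constructed.

```python
"""objectGUID conversions for use as a cross-store identifier.

Added example, not from the list thread. AD returns objectGUID as 16 raw
bytes in the mixed-endian layout Windows uses for GUIDs; the canonical text
form swaps the byte order of the first three fields, so a plain hex dump of
the attribute does not match what the Windows tools show. The sample GUID
bytes are constructed.
"""
import uuid


def objectguid_to_string(raw):
    """Canonical text form (the value you would store in a non-binary field)."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def string_to_objectguid(text):
    """Inverse: the 16 raw bytes AD stores, e.g. for a sync write or compare."""
    return uuid.UUID(text).bytes_le


def objectguid_filter(raw):
    """LDAP search filter for the object, each byte escaped per RFC 4515,
    so a stored string identifier can be resolved back to the AD object."""
    escaped = "".join(f"\\{b:02x}" for b in raw)
    return f"(objectGUID={escaped})"


# Constructed sample value
SAMPLE_RAW = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    print(objectguid_to_string(SAMPLE_RAW))   # 33221100-5544-7766-8899-aabbccddeeff
    print(objectguid_filter(SAMPLE_RAW))
```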

RE: [ActiveDir] OT: VBScript Question

2005-03-04 Thread Mulnick, Al
Thank you for the explanation!  That is one reason I hadn't seen before,
that's for sure. 


Did you get a chance to look at the link that Marcus sent and decide if that
would do what you want or not?  Or do you need something different? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Friday, March 04, 2005 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: VBScript Question

The issues that I am referring to are security violations which are
instances where someone has violated the proper handling of data.  The Navy,
Department of Defense requires that we defrag the exchange information
store.  Moving user mailboxes is not an option.  The reason I am creating
this script is I have been all the departments in separate information
stores.  I am hoping that when one of these violations occur I can just
dismount that departments store, defrag, then mount again.  This will allow
me to keep every other department up and running.  Currently we stop all
Exchange services, defrag the one store, then start the Exchange services
effectively bringing everyone on that server down.
 
Jeremy



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, March 03, 2005 10:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: VBScript Question


Figured the Navy was still part of the government :)
 
I asked the question because the only time I would *ever* want to defrag a
db in Exchange 200x is because I was forced to.  Otherwise, I would prefer
to move the user mailstores to an alternate db on the same server instead.
It would be a) safer and b) faster and c) just generally a better idea than
defragging a db in place and taking those kinds of chances.  It's not like
5.5 when you had only one store instance.  You can move the user mail stores
around almost at will (as long as they're not logged on of course) and
clients don't even have to update at this point.  They'll get the new (by
default defragged) db, and you'll have made the problem that drove you there
go away. 
 
I'm interested in issues that would cause you to want to defrag as I just
plain don't understand at this point and hate to offer advice without full
understanding of the possible ramifications and issues that may be present. 
 
I think Marcus posted some useful coding techniques that should help you
recapture the command line information.  From there you should be able to
push it to a log file, which I think is what you were after in the first
place (vs. piping it from the command line to the text file). 
 
Al



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Thursday, March 03, 2005 6:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: VBScript Question


I work for the government and we have to run offline defrags after hours for
issues that arise.  In the past we just had a batch file that stopped all
exchange services on a machine and then ran the offline defrag then
restarted the services.  We want to streamline the process.
 
Jeremy



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, March 03, 2005 5:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: VBScript Question


Before getting to a better idea to automate, I have to ask is this something
to automate? 
 
What drives you to want to automate the off-line defragmentation in Exchange
2000 and what makes you want to do that in the first place?  
 
Al



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Thursday, March 03, 2005 5:43 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: VBScript Question



Everyone, 
I am creating a VB script that is dismounting, defragging, then
mounting exchange information stores on an exchange server.  My script is
complete but I want to improve it.  The problem I am having is that I build
a command line to run eseutil and call it using WshShell Object Run Method
which is appended to a file using the  sign(s) with the bWaitOnReturn set
to True  (see link for more info).  Unfortunately, this causes my script to
wait as it should but I have no idea what is going on since the log file is
not written to until eseutil completes its pass.  So the commandline just
sits there while my script and eseutil run in the background.  Is there
anyway to output to both the command line and the output file the progress
of eseutil?  Better ideas for providing more information on the script
running to the user?  TIA.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/wsmthrun.asp

Jeremy

RE: [ActiveDir] LDAP and related Exchange question

2005-03-04 Thread Mulnick, Al
GUID is likely NOT an option in a multiple forest scenario or multiple
identity stores.  But the concept can be applied to the sphere of identity
stores you have responsibility for.  It's just that the system won't do it
for you out of the box.

So one thought that comes to mind is to inject a Cox-specific GUID into each
identity store from the authoritative source(s) and then use that to find
what you need programmatically.  That's a bigger undertaking than you may be
able to go after, but it ultimately solves the issues that are so
troublesome.  Some where, you have to have a unique identifier that
identifies consumers of your systems. Even if it's pay codes and PO numbers
(non-employees), something will need to exist at some point in the lifecycle
to identify the objects uniquely.  

That make sense or am I way off base in understanding your problem?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 04, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

Thanks for the responses guys.  I wonder if using GUID is an option.  :/

 

marcus c. oh

\\.\core technologies\cox communications, inc.

\\.\mvp\windows server systems\management

[v] 404.847.6117 [c] 404.391.7097

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, March 03, 2005 10:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

 

LOL.

 

Yeah this is my life lately. :oP

 

I actually just submitted a couple of bugs over legacyExchangeDN uniqueness
possible issues with ADUC and a bug with one of the major tool makers as
well which has a similar issue. The issues are unlikely but if you have
enough mailboxes, the chances are you will hit issues that are simply
improbable. One customer of mine did in fact hit a dupe from something
that is simply improbable. It is kind of silly because the value was never
tested for uniqueness, it was just assumed because it was an unusual value.

 

Mailbox enable a user in ADUC and set your mailNickname (alias) to something
with a $ in it or any of the following chars - $^#\;/= -, you will notice
that the legacyExchangeDN will have a value of blahblah/cn=user. The
 is a random number, user is the word user. ADUC never checks that
value for uniqueness. There is another case where this occurs as well and
involved when it does do a ledn uniqueness check and fails and generates a
new ledn.

 

  joe

 

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, March 03, 2005 10:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

Right, and although it's possible that cdoexm has some of this built in,
it's not likely (and not something I've seen in there before, although I
could have missed it).  

 

As for uniqueness, the only value that's guaranteed to be unique in a forest
is the GUID.  If you're stepping outside of the forest boundaries, there is
nothing that is guaranteed to be unique unless you made it that way via
process and code. 

 

SMTP address should be unique, but it's not guaranteed that it will be when
you try to sync, just that you'll know because you'll have a non-functioning
SMTP recipient if it is non-unique.  If you need to find something to use to
sync with, you'll have to analyze all of the directory data in your scope
and either pick something or modify some of the directories and processes to
uniquely identify the wetware.

 

Joe's up on all of this Exchange directory stuff, he should be weighing in
shortly I would imagine ;)

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 03, 2005 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

I haven't read the blog yet - I will - but uniqueness is enforced by ADUC
(or any other provisioning mechanism that has the intelligence built into
it). You can certainly shove colliding values into this attribute by other
means.

 

Deji

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 03, 2005 5:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP and related Exchange question

 

I was going through the You Had Me At Ehlo blog and ran across the most
recent post which describes in some detail about how uniqueness is
maintained in the proxyAddresses attribute.  I'm curious though... does this
only apply for changes made through ADUC or does it apply to changes made
through any mechanism (e.g. scripts, ldp, etc)?

Here's the link:
http://blogs.msdn.com/exchange/archive/2005/01/10/350132.aspx
http://blogs.msdn.com/exchange

RE: [ActiveDir] LDAP and related Exchange question

2005-03-04 Thread Mulnick, Al
Good catch :)

In a multiple forest scenario it would likely work.  In a multiple identity
store scenario (i.e. not all AD technology), likely not.  It won't
necessarily exist in those other stores driving you to need another unique
identifier. 

Unless you had something else in mind that might help him?  

-ajm 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, March 04, 2005 1:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

Why wouldn't objectGuid be appropriate? AD generates the objectGuid
attribute using UuidCreate() (or some variation) that is guaranteed with
reasonable certainty to generate values that are unique across all machines,
not just DCs in the forest. If you need a globally unique, immutable
identifier, the objectGuid attribute should do the trick.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, March 04, 2005 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

GUID is likely NOT an option in a multiple forest scenario or multiple
identity stores.  But the concept can be applied to the sphere of identity
stores you have responsibility for.  It's just that the system won't do it
for you out of the box.

So one thought that comes to mind is to inject a Cox-specific GUID into each
identity store from the authoritative source(s) and then use that to find
what you need programmatically.  That's a bigger undertaking than you may be
able to go after, but it ultimately solves the issues that are so
troublesome.  Somewhere, you have to have a unique identifier that
identifies consumers of your systems. Even if it's pay codes and PO numbers
(non-employees), something will need to exist at some point in the lifecycle
to identify the objects uniquely.  

That make sense or am I way off base in understanding your problem?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 04, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

Thanks for the responses guys.  I wonder if using GUID is an option.  :/

 

marcus c. oh

\\.\core technologies\cox communications, inc.

\\.\mvp\windows server systems\management

[v] 404.847.6117 [c] 404.391.7097

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, March 03, 2005 10:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

 

LOL.

 

Yeah this is my life lately. :oP

 

I actually just submitted a couple of bugs over legacyExchangeDN uniqueness
possible issues with ADUC and a bug with one of the major tool makers as
well which has a similar issue. The issues are unlikely but if you have
enough mailboxes, the chances are you will hit issues that are simply
improbable. One customer of mine did in fact hit a dupe from something
that is simply improbable. It is kind of silly because the value was never
tested for uniqueness, it was just assumed because it was an unusual value.

 

Mailbox-enable a user in ADUC and set your mailNickname (alias) to something
with a $ in it or any of the following chars - $^#\;/= -, you will notice
that the legacyExchangeDN will have a value of blahblah/cn=user. The
 is a random number, user is the word user. ADUC never checks that
value for uniqueness. There is another case where this occurs as well and
involved when it does do a ledn uniqueness check and fails and generates a
new ledn.

 

  joe

 

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, March 03, 2005 10:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

Right, and although it's possible that cdoexm has some of this built in,
it's not likely (and not something I've seen in there before, although I
could have missed it).  

 

As for uniqueness, the only value that's guaranteed to be unique in a forest
is the GUID.  If you're stepping outside of the forest boundaries, there is
nothing that is guaranteed to be unique unless you made it that way via
process and code. 

 

SMTP address should be unique, but it's not guaranteed that it will be when
you try to sync, just that you'll know because you'll have a non-functioning
SMTP recipient if it is non-unique.  If you need to find something to use to
sync with, you'll have to analyze all of the directory data in your scope
and either pick something or modify some of the directories and processes to
uniquely identify the wetware.

 

Joe's up on all of this Exchange directory stuff, he should be weighing in
shortly I would imagine ;)

 



From: [EMAIL
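
The check a directory admin would want after this exchange, as an added example (not code from the thread or from any of the posters): a small script that parses an LDIF export and reports proxyAddresses and legacyExchangeDN values carried by more than one object. As Deji and joe point out, only the provisioning client enforces uniqueness, so values written by scripts or LDP can collide silently. The LDIF records and the example.com names below are constructed for the demonstration.

```python
"""Find colliding Exchange recipient identifiers in a directory export.

Added example, not code from the mailing-list thread. The directory does
not enforce uniqueness of proxyAddresses or legacyExchangeDN; ADUC does.
Values written by other means can collide, so scan an export for them.
"""
from collections import defaultdict

# Constructed sample export (assumed format: plain LDIF as produced by an
# export tool). Three mailbox-enabled users; two pairs collide.
SAMPLE_LDIF = """\
dn: CN=Alice Adams,OU=Users,DC=example,DC=com
sAMAccountName: aadams
legacyExchangeDN: /o=Example/ou=First Administrative Group/cn=Recipients/cn=aadams
proxyAddresses: SMTP:alice.adams@example.com
proxyAddresses: smtp:aadams@example.com
proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Adams;g=Alice;

dn: CN=Bob Brown,OU=Users,DC=example,DC=com
sAMAccountName: bbrown
legacyExchangeDN: /o=Example/ou=First Administrative Group/cn=Recipients/cn=bbrown
proxyAddresses: SMTP:bob.brown@example.com
proxyAddresses: smtp:Alice.Adams@example.com

dn: CN=Bob Brown (contractor),OU=Contractors,DC=example,DC=com
sAMAccountName: bbrown2
legacyExchangeDN: /o=Example/ou=First Administrative Group/cn=Recipients/cn=BBROWN
proxyAddresses: SMTP:bob.brown2@example.com
"""

# LDIF attribute names are case-insensitive; normalise the ones we care about.
CANON = {a.lower(): a for a in ("dn", "sAMAccountName", "legacyExchangeDN", "proxyAddresses")}


def parse_ldif(text):
    """Minimal LDIF parser: list of {attribute: [values]} dicts.

    Handles blank-line record separators, '#' comments and folded
    continuation lines (leading space). Base64 ('::') values are not
    decoded; they are kept as-is, which is fine for the attributes here.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of previous line
        else:
            unfolded.append(line)

    records, current = [], None
    for line in unfolded:
        if not line.strip():                  # record separator
            if current:
                records.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")  # first ':' only; values may contain ':'
        attr = CANON.get(attr.strip().lower(), attr.strip())
        if current is None:
            current = defaultdict(list)
        current[attr].append(value.strip())
    if current:
        records.append(current)
    return records


def find_collisions(records):
    """Map each colliding value to the sorted list of DNs carrying it.

    Matching is case-insensitive: Exchange resolves SMTP addresses and
    X.500-style legacyExchangeDN values that way, and the 'SMTP:' vs
    'smtp:' prefix only marks primary vs secondary, not a different address.
    """
    index = {"proxyAddresses": defaultdict(set), "legacyExchangeDN": defaultdict(set)}
    for rec in records:
        dn = rec["dn"][0]
        for attr in index:
            for value in rec.get(attr, []):
                index[attr][value.lower()].add(dn)
    return {attr: {v: sorted(dns) for v, dns in idx.items() if len(dns) > 1}
            for attr, idx in index.items()}


if __name__ == "__main__":
    for attr, dupes in find_collisions(parse_ldif(SAMPLE_LDIF)).items():
        for value, dns in dupes.items():
            print(f"{attr} {value!r} is carried by {len(dns)} objects: {dns}")
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents; anything it prints is a recipient that will fail to resolve or route correctly until one of the objects is corrected.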

RE: [ActiveDir] LDAP and related Exchange question

2005-03-04 Thread Mulnick, Al
How did they handle people changing their names?  

I see the ID, but does that ID make sense when the user changes their name
from Joe to 'They' or something along those lines? 


That goes back to the idea of coming up with a unique identifier that
expands the horizon beyond the AD forest(s) and into the rest of the realm.
I maintain that at some point in just about every country and every company,
there is a unique identifier that ensures that person gets their proper
compensation.  Not that it couldn't be messed up, but you'd know quickly if
your paycheck were lower than expected or paid to you in Yuan vs. Rubles if
that's what you expected. 


This needs to stretch beyond AD from what I can tell.  Is that an incorrect
assumption Marcus?  




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 04, 2005 1:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

I would tend to agree, I think objectGUID would be fine though it is a pain
to deal with since it is binary.

Another thing to consider is to stop the random wanton creation of
samaccountnames. When someone gets hired, they get assigned from one source
their ID for use within the company. That ID is used everywhere and forever
identifies that person and is never reused anywhere else in that company.
Some other company gets merged in, everyone gets new SAM IDs from the same
source.  

One company I worked for I am the only and will always be the only jricha34
to ever be there. If I somehow for some reason go work on that network again
I will get spun up a jricha34 ID for use. This is a company with hundreds of
thousands of users and huge turnover every year and they still maintain all
of those unique identifiers even if the actual NT or mainframe IDs are
deleted so I know it is feasible for smaller companies. There was another
single source for UIDS if you needed them and if you lost and got access to
UNIX again, it would be with the same UID.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, March 04, 2005 1:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

Why wouldn't objectGuid be appropriate? AD generates the objectGuid
attribute using UuidCreate() (or some variation) that is guaranteed with
reasonable certainty to generate values that are unique across all machines,
not just DCs in the forest. If you need a globally unique, immutable
identifier, the objectGuid attribute should do the trick.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, March 04, 2005 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

GUID is likely NOT an option in a multiple forest scenario or multiple
identity stores.  But the concept can be applied to the sphere of identity
stores you have responsibility for.  It's just that the system won't do it
for you out of the box.

So one thought that comes to mind is to inject a Cox-specific GUID into each
identity store from the authoritative source(s) and then use that to find
what you need programmatically.  That's a bigger undertaking than you may be
able to go after, but it ultimately solves the issues that are so
troublesome.  Somewhere, you have to have a unique identifier that
identifies consumers of your systems. Even if it's pay codes and PO numbers
(non-employees), something will need to exist at some point in the lifecycle
to identify the objects uniquely.  

That make sense or am I way off base in understanding your problem?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 04, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

Thanks for the responses guys.  I wonder if using GUID is an option.  :/

 

marcus c. oh

\\.\core technologies\cox communications, inc.

\\.\mvp\windows server systems\management

[v] 404.847.6117 [c] 404.391.7097

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, March 03, 2005 10:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

 

LOL.

 

Yeah this is my life lately. :oP

 

I actually just submitted a couple of bugs over legacyExchangeDN uniqueness
possible issues with ADUC and a bug with one of the major tool makers as
well which has a similar issue. The issues are unlikely but if you have
enough mailboxes, the chances are you will hit issues that are simply
improbable. One customer of mine did in fact hit a dupe from something
that is simply improbable. It is kind of silly because the value was never
tested for uniqueness, it was just assumed because

RE: [ActiveDir] LDAP and related Exchange question

2005-03-04 Thread Mulnick, Al
Understood. 
I'm just asking questions actually.  I've worked for some companies that had
a unique db, similar to what Joe is talking about for linking ID's etc.
Worked fine for 100K + users, but could easily become an animal in its own
right.  I've also worked in some companies where there were far fewer
consumers, but many systems that had a much harder time dealing with the
situation.  Not technical, but more of a layer-8 issue.  

In Marcus' case, it still boils down to a unique and authoritative
identifier, which it sounds like he doesn't have.  It also has to flow back
up to the MAD process (mergers, acquisitions, and divestitures) to make sure
that those processes can absorb the process.  I would expect that it would
be more for the mergers/acquisitions, and divestitures would cause the
unique id's to be archived permanently.  This allows for searches etc at a
later time as well as users coming back onto the mother ship. 


It boils down to a unique identifier to represent wetware whether FTE,
contract, or other cases not covered that persists and transcends name
changes, job changes, and so on.  In a mixed environment, AD GUID won't
always work in some cases (field's too long for some systems oddly enough
and may require a lot of reworking of code to make it work.)

Tougher to deal with if that process infrastructure is not in place and you
already have many identity stores. Doesn't help if your process is whacked
as well, trust me :|

Interesting thread... -ajm

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Friday, March 04, 2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

One of the companies that I worked at in the not too distant past keyed all
of that off the Employee number. When they created accounts in AD the
EmployeeID was included somewhere in the user setup so that it was viewable
in the ADUC GUI and was queryable using management tools. It didn't matter
what the user changed their name to everything went back to the HR database
which held the employee number.

This also let them update the information in various repositories based on
the UserID (including AD), but it meant that the provisioning process
required a valid EmployeeID in order for an account to be set up. That also
meant that an EmployeeID scheme for Contractors and other non-permanent
employees had to be devised.

Not a bad approach, it worked fairly well and like Joe's company this was a
fairly large employee base (60k) so it should work ok in other companies.

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, March 04, 2005 1:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

How did they handle people changing their names?  

I see the ID, but does that ID make sense when the user changes their name
from Joe to 'They' or something along those lines? 


That goes back to the idea of coming up with a unique identifier that
expands the horizon beyond the AD forest(s) and into the rest of the realm.
I maintain that at some point in just about every country and every company,
there is a unique identifier that ensures that person gets their proper
compensation.  Not that it couldn't be messed up, but you'd know quickly if
your paycheck were lower than expected or paid to you in Yuan vs. Rubles if
that's what you expected. 


This needs to stretch beyond AD from what I can tell.  Is that an incorrect
assumption Marcus?  




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 04, 2005 1:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

I would tend to agree, I think objectGUID would be fine though it is a pain
to deal with since it is binary.

Another thing to consider is to stop the random wanton creation of
samaccountnames. When someone gets hired, they get assigned from one source
their ID for use within the company. That ID is used everywhere and forever
identifies that person and is never reused anywhere else in that company.
Some other company gets merged in, everyone gets new SAM IDs from the same
source.  

One company I worked for I am the only and will always be the only
jricha34 to ever be there. If I somehow for some reason go work on that
network again I will get spun up a jricha34 ID for use. This is a company
with hundreds of thousands of users and huge turnover every year and they
still maintain all of those unique identifiers even if the actual NT or
mainframe IDs are deleted so I know it is feasible for smaller companies.
There was another single source for UIDS if you needed them and if you lost
and got access to UNIX again, it would be with the same UID.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil

RE: [ActiveDir] LDAP and related Exchange question

2005-03-04 Thread Mulnick, Al
Depends on the country and the local culture.  Some countries, men do change
their names based on marital events.  In the US for example, I've seen it. 

The bigger question would be why Joe would want to marry family what would
that do to the whole unique naming thing when Eliza found out and, er
changed him?  :) 


This might make a good soap opera though.  We'll just have to make sure that
Joe stays unique so we can identify when he comes back from the corrective
actions applied.  





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 04, 2005 2:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

Let's say after a few years I marry Denise Richards...

While you are still married to Eliza Dushku ???. That would cause a lot of
complications. For example, it would be UNIQUE across the North American
Realm, but not in, say, African Realm. It will create illegal GUIDs in a lot
of Realms, while it will be VALID in a lot of other Realms. That would lead
to more collision. We don't want that now, do we?

 

 Then I go back to jricha34

Last time I saw you, you WERE male? I didn't think males last names change
based on their marital statuses. You are not implying a surgical operation,
here, are you? See, this is indeed causing a lot of collisions.

 

ROFLM(F-ing)AO

 

Deji

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 04, 2005 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

 

Assign a new unique name and link it to the old name and the old name is
still never reused except in the case that the person's name changes back
which has happened. Say if I got married to Eliza Dushku, my new ID would be
something like jdushku3 or something. Let's say after a few years I marry
Denise Richards... Then I go back to jricha34. However jdushku3 would always
still only reference me. Their biggest issue is that they are currently
limited to 3-8 characters. At some point they will have to expand that
range. 

I think it depends on what systems it has to go onto, what the flexibility
is of those systems, and what you want to be the master of the whole thing.
If you can make AD the master source and the other directories/stores/etc
can accept a guid then it would work. Otherwise, you are correct, you need
to come up with some other unique mechanism.

Basically look at the least flexible piece that has to stay long term and
build from there. 

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, March 04, 2005 1:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

How did they handle people changing their names?  

I see the ID, but does that ID make sense when the user changes their name
from Joe to 'They' or something along those lines? 

That goes back to the idea of coming up with a unique identifier that
expands the horizon beyond the AD forest(s) and into the rest of the realm.
I maintain that at some point in just about every country and every company,
there is a unique identifier that ensures that person gets their proper
compensation.  Not that it couldn't be messed up, but you'd know quickly if
your paycheck were lower than expected or paid to you in Yuan vs. Rubles if
that's what you expected. 

This needs to stretch beyond AD from what I can tell.  Is that an incorrect
assumption Marcus?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 04, 2005 1:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP and related Exchange question

I would tend to agree, I think objectGUID would be fine though it is a pain
to deal with since it is binary.

Another thing to consider is to stop the random wanton creation of
samaccountnames. When someone gets hired, they get assigned from one source
their ID for use within the company. That ID is used everywhere and forever
identifies that person and is never reused anywhere else in that company.
Some other company gets merged in, everyone gets new SAM IDs from the same
source.  

One company I worked for I am the only and will always be the only jricha34
to ever be there. If I somehow for some reason go work on that network again
I will get spun up a jricha34 ID for use. This is a company with hundreds of
thousands of users and huge turnover every year and they still maintain all
of those unique identifiers even if the actual NT or mainframe IDs are
deleted so I know it is feasible for smaller companies. There was another
single source for UIDS if you needed them and if you lost and got access to
UNIX again, it would be with the same UID

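The single-source, never-reused login ID scheme joe describes (and the name-change case in this thread, where jdushku3 stays linked to the same person and jricha34 comes back unchanged), as an added example that is not code from the thread or from any poster's employer. The employee number as the person key, the 8-character cap taken from the "3-8 characters" remark, and the initial-plus-surname stem are assumptions made for the sample.

```python
"""Single-source login name registry that never reuses a name.

Added example, not from the thread. Models the scheme described on the
list: one source issues every login name; each name maps to exactly one
person forever; a name change issues a new name while the old one stays
reserved and still resolves to the same person; a returning person gets
their existing name back. Person key, length cap and stem rule are
assumptions for the demonstration.
"""
import re

MAX_LEN = 8          # assumed cap, after the "3-8 characters" limit in the thread
COUNTER_DIGITS = 2   # assumed: leave room for up to 99 people sharing a stem


class LoginRegistry:
    """Append-only source of truth for login names. Deleting an account in
    AD, NT or a mainframe elsewhere never frees a name here."""

    def __init__(self):
        self._owner = {}   # login name -> person id; entries are never removed
        self._names = {}   # person id -> names issued to them, current one last

    @staticmethod
    def _stem(first, last):
        # first initial + surname, lowercase letters only, cut so a counter fits
        stem = re.sub(r"[^a-z]", "", (first[:1] + last).lower())
        return stem[:MAX_LEN - COUNTER_DIGITS] or "u"

    def _allocate(self, pid, stem):
        """Issue the first stem+n (n = 1, 2, ...) never issued to anyone."""
        n = 1
        while True:
            name = f"{stem}{n}"
            if len(name) > MAX_LEN:
                raise ValueError(f"stem {stem!r} exhausted within {MAX_LEN} chars")
            if name not in self._owner:
                self._owner[name] = pid
                self._names.setdefault(pid, []).append(name)
                return name
            n += 1

    def hire(self, pid, first, last):
        """New or returning person. A returning person gets their most recent
        name back rather than a fresh one, so old references stay valid."""
        if pid in self._names:
            return self._names[pid][-1]
        return self._allocate(pid, self._stem(first, last))

    def rename(self, pid, first, last):
        """Name change: issue a new name, keep the old one reserved and
        resolvable. If the person already held a name with the new stem
        (name changed back), that name is reactivated; it was only ever theirs."""
        if pid not in self._names:
            raise KeyError(pid)
        stem = self._stem(first, last)
        for name in self._names[pid]:
            if name.startswith(stem) and name[len(stem):].isdigit():
                self._names[pid].remove(name)
                self._names[pid].append(name)   # becomes the current name again
                return name
        return self._allocate(pid, stem)

    def resolve(self, name):
        """Which person does this login name identify, now or ever? None if never issued."""
        return self._owner.get(name)

    def current(self, pid):
        return self._names[pid][-1]

    def history(self, pid):
        return list(self._names[pid])


if __name__ == "__main__":
    reg = LoginRegistry()
    print(reg.hire("E1001", "Joe", "Richards"))    # jricha1
    print(reg.rename("E1001", "Joe", "Dushku"))    # jdushk1; jricha1 still resolves to E1001
    print(reg.rename("E1001", "Joe", "Richards"))  # jricha1 again, not jricha2
    print(reg.hire("E2002", "Jane", "Richards"))   # jricha2: jricha1 is taken for good
```

The point worth taking from the design is that the registry, not the account store, owns the namespace: an account can be deleted from any system and its name still resolves to the same person in the registry, which is what lets later audits and re-hires link back correctly.
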
RE: [ActiveDir] User moves in a large environment

2005-03-04 Thread Mulnick, Al
15000 users on the move at any given time?  

Anyway, for the move between OU's, have you considered a self-serv app or
something that's (semi)automated inside of the move process?  I haven't been
in that large environment in a while, but seems that might make sense for
between OU movement at the least.  That would take the process rights from
the OU owners up to another level for workflow etc.  I would guess that
something that had an approval process would work (i.e. Request to move
user1 from OU1 to OU2 - ask OU2 owners for approval first) and so on.
Might be controlled by your move coordinators or however that fits in your
process.  

Domain moves: I could see using an automated or semi-automated process vs.
the current hand-off process if your structure is stable enough to do so.
It might be that it removes the account object and moves it to the staging
OU in the target domain and sends a task, email or whatever if that's what
you need.  Workflow checks and balances for this as well.

You will want to capture mail data and attributes I would guess but that
depends on the move criteria and depth I would imagine. 

Automating it would make much more sense and you could orchestrate a series
of events that are automated and checked to gather the appropriate
information (files, attributes you intend to keep, etc) and move it where it
belongs.  

Some of this would depend on the current provisioning processes you keep as
to how you integrate it.  

These are the fun types of problems to solve :)


My $0.04 anyway,

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Friday, March 04, 2005 2:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User moves in a large environment

To All:

(Sorry for the long post)

I was wondering what everyone uses to facilitate user moves in a large
environment?

Scenario: Root domain with six (6) child domains.  Each child domain has
between thirty (30) to sixty (60) OUs.  These OUs are geographic locations
spread around a region.  Each OU is managed by an IT Team that only has
rights to their OU, IT Teams do not cross manage to other OUs.

I need to develop or discover a way to facilitate user moves from one
(1) OU to another in the same domain and to another domain.  Our environment
should have about 300,000 users and about five (5) percent is on the move
from one (1) OU to another or from one (1) domain to another.

In the old days, pre-2000, the process was to delete the user when they
departed and recreate the user when they arrived. 

We do not yet have Exchange 2003 deployed but I can see it happening very
very soon.

Using a whiteboard (allows lots of erasing) I devised an OU structure that
allowed the departing IT Team to place the user into an OutProcessing OU
once the departing user fully outprocessed their current home.  (I figure
the departing user is removed from every domain security group except the
Domain Users group).

ATAMO

The user is moved from the OutProcessing OU in one domain to the
InProcessing OU of another domain.  The user arrives at their new location,
the local IT Team retrieves the user from the Inprocessing OU and places
them in their new Home OU.

Now, my PHBs have freaked out because we are not staffed for this kind of
mission but, the customers are screaming at us to provide this service.  I
know I can permission the OUs to allow SOMEONE the rights to move users from
one OU to another, even if the OU resides in a different domain.  But the
PHBs are screaming they do not want to take on this kind of mission, their
thought is to continue to do things like we did in the past.

I guess my main question is this: is anyone else required to move users
around in a large environment and if so, how are they doing it? 

TIA

Daniel

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/