RE: [ActiveDir] Remote Exchange Access and Timing

2006-12-12 Thread Robert Rutherford
What element are you remotely accessing? 

I take it you mean a client at a remote site? 

Which version of Exchange?

 

I'm taking it that you mean an outlook client accessing an Exch2003 svr,
if so then an outlook over SSL connection will be fine, especially if
you cache locally... I've got clients out on lines 500ms +

 

Cheers,

 

Rob 

Robert Rutherford 
QuoStar Solutions Limited 

T:+44 (0) 8456 440 331   
F:+44 (0) 8456 440 332   
M:+44 (0) 7974 249 494   
E:[EMAIL PROTECTED] 
W:www.quostar.com   

  



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 12 December 2006 17:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remote Exchange Access and Timing

 


All; 

This may be slightly off topic. 

Does anyone remember how fast Exchange needs the line speed to be for
remote access? I am working with a client that is having time out issues
with a 248ms (average) packet time. With some static routing I might be
able to get this number down to say 125ms but my fear is that will
likewise be too slow. From a networking (routing) side of things I can
see some peering loss in Europe so there is no really easy answer save
building special static routes or PPP connections, etc. 

Thanks! 



Brent Eads
Employee Technology Solutions, Inc.

Office: (312) 762-9224
Fax: (312) 762-9275



RE: [ActiveDir] can not browse the internet after dcpromo

2006-12-11 Thread Robert Rutherford
Is this for the whole network or just the dc?

Are the clients looking to this DC for DNS resolution?

Can you resolve DNS names using nslookup?

Can you telnet out to a known external IP serving HTTP (80)?

 

It sounds like DNS.

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John
Sent: 11 December 2006 16:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] can not browse the internet after dcpromo

 

Hi,

 

The internet is not working after a successful DCPROMO. This is a
secondary DNS server. What are the things I need to check to
troubleshoot the problem?

Any suggestion is highly appreciated.

 

Thanks.

John





[ActiveDir] OT: Benefits of SBS2003 R2 over SBS2000

2006-12-11 Thread Robert Rutherford
Hi Guys,

Has anyone got a decent list of the benefits of SBS2003 R2 over SBS2000?
I can't find anything detailing the improvements/benefits.

Thanks,

Rob


 


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] AD with mixed DC

2006-12-06 Thread Robert Rutherford
Very straightforward... you need to do a domain and forest prep...
search the internet for loads of info... i.e. -

 

http://searchwinit.techtarget.com/tip/0,289483,sid1_gci990371,00.html

 

 

Rob 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: 06 December 2006 21:12
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD with mixed DC

 

I have an AD domain with 2 2k domain controllers.  I want to add a
third domain controller that has a 2k3 os.  I know there is something
that needs to be enabled or disabled before having an AD with mixed DC.
What do I need to do before adding the third DC?

 

Thanks

 

Antonio Aranda

Network Analyst

UT-Permian Basin

432-552-2413 

 



RE: [ActiveDir] Missing Computer Account

2006-11-24 Thread Robert Rutherford
Drop it into a workgroup then try to add to the domain again... I'd
also just delete the computer account for good measure.

 

Rob 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Todd Hofert
Sent: 24 November 2006 13:36
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Missing Computer Account

 

I shot myself in the foot and as a result need a little help. I have a
Win2003 Domain. I was setting up a new PC for a user and I thought I had
inadvertently given it the same computer name as the user's existing
computer. I found it strange that it allowed me to do that, but I
changed the name of the computer and all seemed well. That is until the
user logged off of his computer. What actually happened was I named it
properly to begin with, then when I renamed it I gave it the same name.
DOH!

Now I cannot get the user's computer to log back into the domain. I have
removed the new PC from the domain, and have renamed the user PC a
couple of times but when logging on I get "Windows cannot connect to the
domain either because the domain controller is down or otherwise
unavailable, or because your computer account was not found."

 

The computer account does appear in AD and the PC does have connectivity
and is able to see the domain controller.

 

Can anyone provide instructions how to get around this and get the
computer back in the domain?

 

Thanks

Todd


RE: [ActiveDir] OT: M$

2006-11-13 Thread Robert Rutherford
Can we kill this thread now, please?

Rob


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 13 November 2006 11:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

Clearly there are differing opinions about
whether it's merely slang or whether it's an inappropriate slur.
Simpler just not to use it, don't you think? I mean, I don't refer to the USAF
as the useless air farce and expect its members to think that's
funny.

I don't take offense when people refer to
Microsoft as borg or talk about drinking the Kool-Aid;
in fact, I have been known to reference both myself. However, I remember the
origin of M$ (unlike, I suspect, some of those who use the phrase
and think it's funny), and I think it's ignorant and inappropriate for people
to use it on a Microsoft-centric list.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Monday, November 13, 2006 5:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

You have to be able to laugh at
yourself. M$ is a tongue in cheek expression and certainly a corporation
like Microsoft can laugh at itself when M$ is used as slang in its
reference. That's why we nickname really big guys tiny.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Albert Duro
Sent: Sunday, November 12, 2006 10:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: M$

being conciliatory is laudable, but I think you're missing the
point. It's not whether anybody is offended or not -- the question is why
does someone come into a peaceful gathering casting offense. Especially
when it's not necessary. If someone deliberately spits on the dinner
table, do you say 'oh, well, he didn't hit any plate, let's just forget it'?
or even worse, 'he hit someone else's plate -- no worries.'

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, November 10, 2006 9:08 AM
Subject: RE: [ActiveDir] OT: M$

I highly doubt
that any MS employee takes offence at what is surely a tongue in cheek
expression.

Let's not get
_too_ PC please :/

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 09, 2006 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: M$

Just out of curiosity, what makes
people think it's appropriate to refer to Microsoft as M$ on
an MS-focused mailing list whose participants include Microsoft employees,
Microsoft contractors, Microsoft MVPs and various other people who may have a
relatively positive view of Microsoft?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, November 09, 2006 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Beginner's Book on Scripting - WSH or VBScript?

This is the link to M$ to start with...very good info

http://msdn.microsoft.com/library/default.asp?url=

-- 
Sincerely,
J

On 11/9/06, Stu Packett [EMAIL PROTECTED] wrote:

Hello everyone. After reading through a lot of the posts on this mailing
list, I realize I could make my job easier if I knew how to script. I
have no experience in scripting, but would like to know what books do you
recommend as a beginner's book on scripting? Also, I don't really know
the difference between WSH and VBScript, so if anyone could explain that, I'd
appreciate that. After browsing through Amazon, I saw several books on
WSH and VBScript, but don't know where I should focus on. I'm also open
to computer based training (CBT) videos if any exist. Thanks in advance.


RE: [ActiveDir] OT: M$

2006-11-13 Thread Robert Rutherford
;oP

Rob


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 13 November 2006 12:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

There's a reason for the OT
portion of the subject line, you know. ;-)

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Monday, November 13, 2006 6:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

Can we kill this thread now, please?

Rob


RE: [ActiveDir] how to access blocked site.

2006-11-13 Thread Robert Rutherford
Hi Ajay,

This isn't the right forum for such a
request, I suggest you go onto google and type proxy avoidance

Cheers,

Rob


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ajay Kumar
Sent: 13 November 2006 13:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] how to access blocked site.

Hi all,

It could be wrong question but I want to know
about how to access the restricted or blocked
site, which is access denied from office.

I know some tools work like K-PROXY, but it works on
some internet site.

So please suggest me how to access blocked site.

which can work well.

Thanks & Regards,

Ajay pardeshi

RE: [ActiveDir]AD SECURITY.Run As command used - to impersonate Administrators

2006-11-13 Thread Robert Rutherford
Could be a backup system or something like
that kicking off a run as... looks like it. I don't know
the product though.

Rob


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: 13 November 2006 14:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]AD SECURITY.Run As command used - to impersonate Administrators

Hi,

So I decided to try out GFI event monitor, I am loving it so
far, but I am not a security expert so I am easy to impress.

Anyway, I got a bunch of emails like the one below. Have you
guys seen something similar in your logs? Is this someone trying to hack
or a service trying to run something?

Thanks

Subject: 11/12/2006 12:28:38 PM Run As command used - to impersonate Administrators - outside work hours - Critical - servername - 552

Logon attempt using explicit credentials:

Logged on user:
User Name: administrator
Domain: domain
Logon ID: (0x2,0x9D018B17)
Logon GUID: {ec9c7758-8375-8064-3e03-8e860a568322}

User whose credentials were used:
Target User Name: administrator
Target Domain: domain.com
Target Logon GUID: {13d439ef-0597-c23e-aa24-8ca92f9e7730}

Target Server Name: server.domain.com
Target Server Info: cifs/server.domain.com
Caller Process ID: 1620
Source Network Address: -
Source Port: -
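
One way to triage a batch of alerts like the one quoted above, as an added example that is not part of the original thread: it parses each event 552 description and groups the alerts, so that a job recurring at a fixed time under one account (the backup-style explanation suggested in the reply) stands apart from one-off use of another account's credentials. The sample alerts, the user jsmith, the address 10.0.0.50 and the thresholds are constructed for the illustration, and the verdicts are heuristics, not a ruling on any real alert.

```python
from collections import defaultdict
from datetime import datetime

# Field layout follows the alert quoted above, one field per line; every value
# filled in below is constructed for this example.
TEMPLATE = """Subject: {when} Run As command used - to impersonate Administrators - outside work hours - Critical - servername - 552
Logon attempt using explicit credentials:
Logged on user:
User Name: {user}
Domain: domain
User whose credentials were used:
Target User Name: {target}
Target Domain: domain.com
Target Server Name: server.domain.com
Target Server Info: cifs/server.domain.com
Caller Process ID: {pid}
Source Network Address: {src}
Source Port: -
"""


def make_alert(when, user, target, pid, src="-"):
    return TEMPLATE.format(when=when, user=user, target=target, pid=pid, src=src)


SAMPLE_ALERTS = [  # constructed: four midday runs plus one odd night-time event
    make_alert("11/09/2006 12:28:02 PM", "administrator", "administrator", 1432),
    make_alert("11/10/2006 12:28:11 PM", "administrator", "administrator", 1588),
    make_alert("11/11/2006 12:27:55 PM", "administrator", "administrator", 1712),
    make_alert("11/12/2006 12:28:38 PM", "administrator", "administrator", 1620),
    make_alert("11/12/2006 02:13:40 AM", "jsmith", "administrator", 2240, src="10.0.0.50"),
]


def account(user, domain):
    """Normalise to netbios\\user so 'domain' and 'domain.com' compare equal.
    Assumption: the NetBIOS name is the first label of the DNS domain name."""
    return f"{domain.split('.')[0]}\\{user}".lower()


def parse_alert(text):
    """Turn one alert body into the fields used for triage."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    # The subject starts with the event time: "11/12/2006 12:28:38 PM Run As ..."
    stamp = " ".join(fields["Subject"].split()[:3])
    return {
        "when": datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p"),
        "logged_on": account(fields["User Name"], fields["Domain"]),
        "target": account(fields["Target User Name"], fields["Target Domain"]),
        "server_info": fields["Target Server Info"],
        "pid": int(fields["Caller Process ID"]),
        # "-" means the event recorded no remote source address
        "no_remote_source": fields["Source Network Address"] == "-",
    }


def triage(alert_texts, window_minutes=5, min_days=3):
    """Group alerts by (logged-on account, target account, target service)."""
    groups = defaultdict(list)
    for text in alert_texts:
        a = parse_alert(text)
        groups[(a["logged_on"], a["target"], a["server_info"])].append(a)

    findings = []
    for (logged_on, target, server_info), items in sorted(groups.items()):
        minutes = [a["when"].hour * 60 + a["when"].minute for a in items]
        days = {a["when"].date() for a in items}
        # Same time of day on several days suggests a scheduled task.
        # (Runs that straddle midnight are not handled in this sketch.)
        scheduled = (len(days) >= min_days
                     and max(minutes) - min(minutes) <= window_minutes)
        benign_shape = (logged_on == target
                        and all(a["no_remote_source"] for a in items)
                        and scheduled)
        findings.append({
            "logged_on": logged_on,
            "target": target,
            "server_info": server_info,
            "count": len(items),
            "pids": sorted(a["pid"] for a in items),
            "verdict": "likely scheduled job" if benign_shape else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ALERTS):
        print(finding)
```

A "likely scheduled job" group still needs confirming on the server itself, by finding which scheduled task or service owns the Caller Process ID at that time of day.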

RE: [ActiveDir] Restrict CD rom, floppy and USB via group policy?

2006-11-10 Thread Robert Rutherford
Depends on your exact requirements as the
standard settings aren't too flexible... you'll probably find
out you need a 3rd party tool, such as :- http://www.gfi.com/endpointsecurity/

Rob


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ryan Conrad
Sent: 10 November 2006 14:40
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict CD rom, floppy and USB via group policy?

HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers

http://support.microsoft.com/kb/555324

Ryan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Group, Russ
Sent: Friday, November 10, 2006 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restrict CD rom, floppy and USB via group policy?

Hi everyone

Is there a way to use group policy to disable the CD rom, floppy and USB
drives?

Thanks

Russ

RE: [ActiveDir] Decommissioning a DC

2006-11-07 Thread Robert Rutherford
No worries. Demote her, remember
the good times, shed a tear, crack on.

Rob


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: 07 November 2006 21:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Decommissioning a DC

We have several DCs in our environment all of
which are 2003 SP1 servers except for one. I am preparing to demote this
one through DCPromo this weekend. All of our DCs are also
GCs, including this last remaining 2000 server. It does not own
any FSMO roles. The Exchange RUS services are not using this DC. We
are a single site and domain.

Is there anything unique about demoting the last 2000
DC, given there are plenty of other 2003 DC/GCs available?

Bryan Lucas
Server Administrator
Texas Christian University

RE: [ActiveDir] Why we go for exchange 2003 server

2006-10-30 Thread Robert Rutherford
Hi,

I suggest you google this type of request
before posting... loads of resource around

http://support.microsoft.com/kb/816888

Thanks,

Rob


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ajay Kumar
Sent: 30 October 2006 13:36
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Why we go for exchange 2003 server

Hi,

Can any one pls tell me why I should implement exchange 2003 enterprise server instead of 2000 enterprise server In my
organization.

Because Exchange 2000 having Messaging
services but 2003 doesn't have.

Actually My main intention is why I go for 2003 exchange server.

Pls suggest me.

Regards,

Ajay pardeshi

RE: [ActiveDir] A few things [List Admin]

2006-10-27 Thread Robert Rutherford
Tony,

I've moved
in and out of the group since 2000, and just wanted to thank you for all your
effort keeping this beast going over the years. The list made a real difference
to my career over the years, and I still can't pull myself away from
keeping up-to-date (to a degree) with AD.

This community is
now second to none... I don't get the time I'd like to contribute,
but thanks are due to all the guys that do.

Rob


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 27 October 2006 22:51
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] A few things [List Admin]

Hi all

Just a couple of things.

I will be out of the country for three weeks
from tomorrow, with only intermittent access to email. While I am
away Matty Holland will be looking after the list. If you see any
problems or need help with unsubscribing, etc. then Matty is your man ([EMAIL PROTECTED]). Please
play nicely while I'm away or I won't bring you a present. ;-)

I am aware of the ongoing list latency problems
and am awaiting a response from my ISP. Hopefully it will be
resolved shortly. I suspect it might be related to volume as the
number of subscribed users has grown quite sharply over the past few
months.

You may have noticed the recent time-out issues
with the archive hosted at ActiveDir.org. The experiment we had with
using Mhonarc for archiving largely
failed due to the poor performance. We are working on a new archive
using a different method and this should be available shortly. In
the meantime, please use the off-site archive at http://www.mail-archive.com/activedir@mail.activedir.org/

Finally, a reminder that you can subscribe to
the list with the No mail (aka post-only) option, which
is useful if you have a public folder subscribed to the list but also want
to be able to post (but not receive mail) using your own address. If
you want me to set you up for this, just let me know (but bear in mind
that I may not get around to it immediately, because I'll be on the beach
- ha ha ha).

Tony

ActiveDir.org general dogsbody.

RE: [ActiveDir] Latency in List

2006-10-17 Thread Robert Rutherford
Yeah, I get an average of 20 mins delay... it does mess with the flow of
threads.

Rob


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 17 October 2006 22:09
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Latency in List

I initially sent a reply with to this thread (below) at 19:43 BST yet I only
receive it back at 21:37 BST nearly two hours later, is anyone else
experiencing latency or is just me?

Let's see what this message does!

Mark

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 17 October 2006 19:43
To: ActiveDir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Test Lab Naming Conventions

2006-10-03 Thread Robert Rutherford
I'd say that if you are looking to
fully mirror your production environment and it will not be connected to the
production network - then use the same convention.

It will probably make it marginally easier
in the test and documentation process.

Cheers

Rob


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Patton
Sent: 03 October 2006 16:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Test Lab Naming Conventions

I'm trying to complete a plan for a fully
isolated, permanent test lab. I intend to fully mirror our current production
environment. The primary purpose will be to test disaster recovery and other
procedures before production implementation. I don't intend to establish
any domain trusts or other connections between the lab and production.

The one question I have regards server and domain
naming conventions. For those of you that have setup labs that mirror your
production environments, did you use the same domain and server names in your
test lab?

Thanks

RE: [ActiveDir] RPC Over HTTPS Problem....

2006-09-15 Thread Robert Rutherford
The usual issue with that is that the url u r connecting to matches the
name on the cert. 

This must match on internal and external, i.e. u must use split brain or
you must config ur firewall to accept that connection on the WAN
interface.

Rob


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: 16 September 2006 00:00
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RPC Over HTTPS Problem

Hi,

I am facing a weird problem here is some required information.

Frontend - Backend Structure.
Exchange with SP2 on Win2k3 SP1 on all Servers.
FE1 and BE1 is on a different site,
BE2 is on my Site.
Configured RPC Over Https on Frontend Server. OWA (SSL) is working fine.

Now here is the situation:-
I have configured my client for RPC over Https. When client machine
tries to establish connection with my Exchange Server it prompts me
for User Name and Password.

When i am providing my credentials it is not accepting and keeps me
prompting for same.

Also while doing this when i use Ctrl + Right click on Outlook icon on
rightside of taskbar and then selecting connection it never shows me
established. It remains on Connecting and tries to connect my BE2
server where my mailbox resides.

What could be the possible reason for this? If any other information
is required please let me know.


-- 
Ravi Dogra


RE: [ActiveDir] RPC Over HTTPS Problem....

2006-09-15 Thread Robert Rutherford
Hi Ravi,

The certificate does need to match the name of the site... i.e.
mail.comp.com. If it doesn't then it won't work. There are numerous
reasons why it fails but that is the first.

Rob


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: 16 September 2006 01:36
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] RPC Over HTTPS Problem

Hi Bob,

Can you please explain how it should be. because i think i have
something wrong here related to certificate.

Thanks
Ravi Dogra


On 9/16/06, Robert Rutherford [EMAIL PROTECTED] wrote:
 The usual issue with that is that the url u r connecting to matches
the
 name on the cert.

 This must match on internal and external, i.e. u must use split brain
or
 you must config ur firewall to accept that connection on the WAN
 interface.

 Rob


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
 Sent: 16 September 2006 00:00
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] RPC Over HTTPS Problem

 Hi,

 I am facing a weird problem here is some required information.

 Frontend - Backend Structure.
 Exchange with SP2 on Win2k3 SP1 on all Servers.
 FE1 and BE1 is on a different site,
 BE2 is on my Site.
 Configured RPC Over Https on Frontend Server. OWA (SSL) is working
fine.

 Now here is the situation:-
 I have configured my client for RPC over Https. When client machine
 tries to establish connection with my Exchange Server it prompts me
 for User Name and Password.

 When i am providing my credentials it is not accepting and keeps me
 prompting for same.

 Also while doing this when i use Ctrl + Right click on Outlook icon on
 rightside of taskbar and then selecting connection it never shows me
 established. It remains on Connecting and tries to connect my BE2
 server where my mailbox resides.

 What could be the possible reason for this? If any other information
 is required please let me know.


 --
 Ravi Dogra
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx



-- 
Ravi Dogra
9899647200
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
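
The name check Rob describes in the quoted reply above, as an added example that is not part of the thread: the host name in the Outlook profile has to be covered by the certificate and has to resolve both inside and outside, which is what split-brain DNS provides. All host names, addresses and function names here are constructed for illustration.

```python
"""Audit the name clients use for the RPC-over-HTTPS proxy against the
names on its certificate, in both DNS views (all data below is constructed)."""


def _labels(name):
    # Compare case-insensitively and ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def name_matches(cert_name, host):
    """True if cert_name covers host: exact match, or '*' as the whole
    left-most label standing in for exactly one label."""
    c, h = _labels(cert_name), _labels(host)
    if len(c) != len(h):
        return False
    if c[0] == "*":
        # '*.example.com' covers 'mail.example.com' but not
        # 'example.com' or 'a.b.example.com'; '*.com' is refused.
        return len(c) > 2 and c[1:] == h[1:]
    return c == h


def check_proxy_name(proxy_name, cert_names, dns_views):
    """Return a list of problems for one proxy name.

    proxy_name -- host name typed into the Outlook profile
    cert_names -- subject CN plus any subjectAltName DNS entries
    dns_views  -- {"internal": {host: ip}, "external": {host: ip}}
    """
    problems = []
    if not any(name_matches(c, proxy_name) for c in cert_names):
        problems.append("certificate does not cover %s" % proxy_name)
    for view, zone in sorted(dns_views.items()):
        known = {h.rstrip(".").lower() for h in zone}
        if proxy_name.rstrip(".").lower() not in known:
            problems.append("%s does not resolve in the %s view"
                            % (proxy_name, view))
    return problems


# Constructed sample: certificate issued for the public name only.
CERT_NAMES = ["mail.example.com"]

# Before: internal clients point at the server's own name, which is
# neither on the certificate nor published externally.
VIEWS_BEFORE = {
    "internal": {"fe1.corp.example.com": "10.0.0.10"},
    "external": {"mail.example.com": "203.0.113.10"},
}

# After (split-brain DNS): the same public name exists in both views and
# resolves to a different address inside.
VIEWS_AFTER = {
    "internal": {"fe1.corp.example.com": "10.0.0.10",
                 "mail.example.com": "10.0.0.10"},
    "external": {"mail.example.com": "203.0.113.10"},
}


def report():
    """Run the three cases and return {case: [problems]}."""
    return {
        "fe1 before": check_proxy_name("fe1.corp.example.com",
                                       CERT_NAMES, VIEWS_BEFORE),
        "mail before": check_proxy_name("mail.example.com",
                                        CERT_NAMES, VIEWS_BEFORE),
        "mail after": check_proxy_name("mail.example.com",
                                       CERT_NAMES, VIEWS_AFTER),
    }


if __name__ == "__main__":
    for case, problems in report().items():
        print(case, "->", problems or "OK")
```

The example models only the split-brain option; the other option named in the reply, accepting the connection on the firewall's WAN interface, leaves DNS unchanged and is not modelled here.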


RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread Robert Rutherford
Controlled user access, i.e. no admin rights, and use a good class
firewall with spyware/av protection on the gateway... no issues.

Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331   
F:+44 (0) 8456 440 332   
M:+44 (0) 7974 249 494   
E:[EMAIL PROTECTED] 
W:www.quostar.com   

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: 14 September 2006 20:11
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware

Nonadmin

I personally have had way less issues when users that don't need admin 
rights don't have them.

Chinnery, Paul wrote:
 We're using CounterSpy Enterprise from Sunbelt Software.  Like you, we
 have seen a performance hit* on computers with just 128 meg of memory
 but that goes away when we add more memory.  The only issue I ran
 into, other than performance, was it blocked a cookie that was
 necessary for our payroll department.  However, once I okayed that
 cookie, it was fine.

 *According to Sunbelt, the next version is supposed to reduce the
 performance impact.

 -Original Message-
 *From:* [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of *Chris
 Pohlschneider
 *Sent:* Thursday, September 14, 2006 10:44 AM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* [ActiveDir] OT: Protecting against Spyware/Adware

 Just curious what other people are using for protecting against
 adware/spyware? We are using Webroot Spysweeper right now, but I
 see some performance hits on computers running this software and
 it does work, but it causes headaches while installing some apps
 that we approve. Any suggestions are appreciated.

  

 Chris Pohlschneider

 Holloway Sportswear IT

 937-494-2559

 937-497-7300 (Fax)

 [EMAIL PROTECTED]

  

  


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] DNS Entries --Laptop Users--

2006-09-08 Thread Robert Rutherford
Confusing...

Please keep the thread going when you reply so we can look back
through...

1) If your VPN device is giving the windows client machines connecting a
DNS server setting of your internal DNS server, then the client will
update its records with the IP address allocated by the VPN device.

2) You can see 2 records for the same host name within the DNS manager?

Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331   
F:+44 (0) 8456 440 332   
M:+44 (0) 7974 249 494   
E:[EMAIL PROTECTED] 
W:www.quostar.com   

 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: 08 September 2006 01:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Entries --Laptop Users--

Jolly,

I was not sure abt how VPN Box was configured and as I had a word with
Prashant boss, it is not configured for updating records to our DNS.

I will talk to Prashant boss abt this.

But the thing is I can see 2 DNS records for one host. One is for VPN
and the other one is for Wireless IP Address for the Host.

Al,

It is letting the device update their own record to DNS.

Thanks
Ravi Dogra
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] DNS Entries --Laptop Users--

2006-09-06 Thread Robert Rutherford
What is the VPN device?

Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331   
F:+44 (0) 8456 440 332   
M:+44 (0) 7974 249 494   
E:[EMAIL PROTECTED] 
W:www.quostar.com   

 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: 06 September 2006 00:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Entries --Laptop Users--

Hi,

Problem is I have 2 different records of each laptop (using VPN
connection) in my DNS. I have secure updates configured in my DNS
conf.

We are using DHCP. Laptop users are getting a specific VLAN IP address for
their wireless connection, which is getting registered in my DNS. This
is good.

But the problem is that when these laptop users log in from home using
VPN, they get a new IP address from my VPN box which is also getting
registered in my DNS.

I have no clue why this is happening.

I'm suspecting the DNS conf on the local machine under Advanced TCP/IP
settings. I am not sure whether I am heading the right way or not. Here is the
snapshot attached for same.

-- 
RD
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] [OT]The last departmental picnic [list owner]

2006-09-06 Thread Robert Rutherford
Heheh. I'll be there.. You'll know who I am as I'll be the first to be manhandled
out of the door for trying to touch the living legend

Rob Hoff it's me ..
Hoff  Who are you?
Rob Your number 1 fan... come here you big hunk 'o' love

I know we are going to be reprimanded for this outburst... OK joking's over :) 
I'm sorry but I couldn’t resist a follow up.

Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331   
F:+44 (0) 8456 440 332   
M:+44 (0) 7974 249 494   
E:[EMAIL PROTECTED] 
W:www.quostar.com   

 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 06 September 2006 14:47
To: ActiveDir.org
Subject: Re: [ActiveDir] [OT]The last departmental picnic [list owner]

David Hasselhoff - will be at Borders Books on Oxford Street, London on Monday at 12,

Wear Leather and lots of it.



-Original Message-
From: Laura A. Robinson [EMAIL PROTECTED]
Date: Wed, 06 Sep 2006 09:36:20 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner]

Given that the culprit hasn't received any of the backlash, my guess is that 
it was still an accident. Can't anybody just cut the guy some slack? Yeesh.
 
 

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Wednesday, September 06, 2006 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner]

 
 
 
My guess – the second was on purpose after all the backlash 
 
 
 
 
 

 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, September 05, 2006 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT]The last departmental picnic [list owner]
 
 
 
Yeah, I just let him know he messed up on this one.  Can't argue with banning 
him after 2 messups. :(


 
 
On 9/5/06, Tony Murray [EMAIL PROTECTED] wrote:
 
Not sure what's going on so I have temporarily suspended his subscription. 

Tony
List owner and humourless [EMAIL PROTECTED]





Sent via the WebMail system at mail.activedir.org

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] Sharepoint access after user AD migration

2006-09-06 Thread Robert Rutherford

Hmm wasn't that then

Quite a bit on Google grabbed this
http://www.sharepointblogs.com/dustin/archive/2004/09/10/756.aspx

Cheers

Rob

Robert Rutherford
QuoStar Solutions Limited

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
Sent: 06 September 2006 17:04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Sharepoint access after user AD migration

Hi Rob,

I've been told that the Sharepoint install is SP2. Not aware of
which hotfixes are on it yet. I've got a conference call scheduled
in an hour to discuss it.

Thanks,

Mike

On 9/5/06, Robert Rutherford [EMAIL PROTECTED] wrote:

What Sharepoint servicepack are you running? You need at
least one and a hotfix.. can't remember which. I'll look through my old KB to
see if I can find the hotfix.

Cheers

Rob

Robert Rutherford
QuoStar Solutions Limited

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Mike Baudino
Sent: 05 September 2006 21:58
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sharepoint access after user AD migration

Apologies if this is not the most appropriate forum for this question.

The situation is an NT4.0 domain with 18,000 users. Migrating to AD
Win2k. Two-way trust and sIDHistory filtering is disabled. There's
a Sharepoint server in the legacy NT4.0 domain. The NT4.0 users can
access the Sharepoint just fine. The users, after being migrated, are not
able to access the Sharepoint using their new AD accounts until after the
Sharepoint admins add their new AD account to the Sharepoint security.
Isn't Sharepoint supposed to be able to take advantage of sIDHistory and, if
so, is there some setting we need to change?

Thanks,
Mike

RE: [ActiveDir] Rid Master recovery

2006-09-05 Thread Robert Rutherford

Hi,

Use NTDSUTIL

http://support.microsoft.com/kb/255504/

Cheers

Rob

Robert Rutherford
QuoStar Solutions Limited

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 05 September 2006 13:03
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Rid Master recovery

Guys, another question

One of my RID masters crashed before transferring the FSMO role to another DC on the
network. Is there any possibility to make another domain the RID
master (the backup failed, so I cannot restore the failed RID master DC now)?

Thanks in advance

Almeida Pinto, Jorge de [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/04/2006 11:18 AM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Rid Master

also see:
RID Master FSMO explained
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/25/1040.aspx

cheers, jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, September 04, 2006 18:11
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Rid Master

Guys, explain to me the functions of RID master, how do I display RID of
object created in AD

Thanks in advance

joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/04/2006 08:36 AM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: OT - RE: [ActiveDir] W. in hell

While I wouldn't want this to become a humour list, I saw the email and laughed
and figured the same thing Laura figured, that Outlook autofill bit the guy
(which is funny all by itself because we have all seen it happen if not had it
happen to ourselves) and then I moved on. I find all of the additional
attention even more humorous including the value judgements of the quality of
the joke and analysis of words. 

I classify the message as OT with the droves of other messages that come
through the list that are OT[1] and being sent here because of a tenuous
relationship of being about technologies that utilize AD[2] though the
question itself has nothing to do with AD or simply folks forgoing it all and
just saying WTF, I'll give it a shot and ask you guys because you seem helpful.
If you get a whole day of many of those coming through it is a bit annoying.
More annoying, at least to me, are questions that are ON TOPIC but someone
didn't take time to look at the archives or google and asking like it was the
first time it was asked versus maybe revisiting the previous discussion in new
light. However, unless the list goes moderated which no one wants or at least a
vast majority of the someone's don't want, the list is just the way it is and
will be and you read the messages if you want and blow by them otherwise. 

Overall I would hate to lose the jocularity and casualness of the list. It is
one of the things that make it worth reading. :) There have been quite a
few times subjects have drifted off topic only to expose something in the
monkeying around or what not based on something not everyone understood or knew
that we wouldn't have otherwise found out that immediately snaps it all back on
topic and of great use. 

 joe 


[1] Though this was funnier than most OT stuff. There is my value judgment on
the quality. :) 

[2] Versus actually being AD Technology. Examples of tech that utilize AD include
but are not limited to GPOs, DNS, Exchange, print queues, clustering, file
server manipulations (copying files, home drives, management, etc), etc. Not
saying questions about all of those are automatically OT, but we tend to get
quite a few questions in those areas that aren't about AD or the interaction
with AD but about the non-AD aspects of the tech. Examples being a question
about how to do something in a GPO versus say OU strategies for applying GPOs
or the permissions on the GPO objects and how AD interprets them. Or a general
question about DNS like what is returned in a query or how it is managed versus
what records need to be in DNS for AD to work or how its app NC replicates. 

-- 
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Monday, September 04, 2006 10:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: OT - RE: [ActiveDir] W. in hell

I have

RE: [ActiveDir] Rid Master recovery

2006-09-05 Thread Robert Rutherford

To seize the role.

Rob

Robert Rutherford
QuoStar Solutions Limited

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: 05 September 2006 13:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Rid Master recovery

Hi,

Use NTDSUTIL

http://support.microsoft.com/kb/255504/

Cheers

Rob

Robert Rutherford
QuoStar Solutions Limited

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 05 September 2006 13:03
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Rid Master recovery

Guys, another question

One of my RID masters crashed before transferring the FSMO role to another DC on the
network. Is there any possibility to make another domain the RID
master (the backup failed, so I cannot restore the failed RID master DC now)?

Thanks in advance

Almeida Pinto, Jorge de [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/04/2006 11:18 AM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Rid Master

also see:
RID Master FSMO explained
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/25/1040.aspx

cheers, jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, September 04, 2006 18:11
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Rid Master

Guys, explain to me the functions of RID master, how do I display RID of
object created in AD

Thanks in advance

joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/04/2006 08:36 AM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: OT - RE: [ActiveDir] W. in hell

While I wouldn't want this to become a humour list, I saw the email and laughed
and figured the same thing Laura figured, that Outlook autofill bit the guy
(which is funny all by itself because we have all seen it happen if not had it
happen to ourselves) and then I moved on. I find all of the additional
attention even more humorous including the value judgements of the quality of
the joke and analysis of words. 

I classify the message as OT with the droves of other messages that come
through the list that are OT[1] and being sent here because of a tenuous
relationship of being about technologies that utilize AD[2] though the
question itself has nothing to do with AD or simply folks forgoing it all and
just saying WTF, I'll give it a shot and ask you guys because you seem helpful.
If you get a whole day of many of those coming through it is a bit annoying.
More annoying, at least to me, are questions that are ON TOPIC but someone
didn't take time to look at the archives or google and asking like it was the
first time it was asked versus maybe revisiting the previous discussion in new light.
However, unless the list goes moderated which no one wants or at least a vast
majority of the someone's don't want, the list is just the way it is and will
be and you read the messages if you want and blow by them otherwise. 

Overall I would hate to lose the jocularity and casualness of the list. It is
one of the things that make it worth reading. :) There have been quite a
few times subjects have drifted off topic only to expose something in the
monkeying around or what not based on something not everyone understood or knew
that we wouldn't have otherwise found out that immediately snaps it all back on
topic and of great use. 

 joe 


[1] Though this was funnier than most OT stuff. There is my value judgment on
the quality. :) 

[2] Versus actually being AD Technology. Examples of tech that utilize AD
include but are not limited to GPOs, DNS, Exchange, print queues, clustering,
file server manipulations (copying files, home drives, management, etc), etc.
Not saying questions about all of those are automatically OT, but we tend to
get quite a few questions in those areas that aren't about AD or the
interaction with AD but about the non-AD aspects of the tech. Examples being a
question about how to do something in a GPO versus say OU strategies for
applying GPOs or the permissions on the GPO objects and how AD interprets them.
Or a general question about DNS like what is returned in a query or how

RE: [ActiveDir] Distribution list Maintenance. Policy dilemma

2006-09-05 Thread Robert Rutherford

This is more of an internal policy/procedure
thing than anything else.. in my view.

I have seen packages which Brian mentioned
but cannot remember a name of a single one.

Useful am I not? :)

Rob

Robert Rutherford
QuoStar Solutions Limited

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: 05 September 2006 21:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Distribution list Maintenance. Policy dilemma

That's an idea
although I am not very concerned about getting the request for adding a new
account/contact to a DL.

My concern is to maintain
the DL, in most of the cases the DL would have contacts not AD users, and you can't
put expiration on contacts.

So, how do I force/remind
the managers to notify me whenever a contact should no longer be in the DL?

Rezuma

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, September 05, 2006 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Distribution list Maintenance. Policy dilemma

You've got to use an automated system (web based
usually) where an employee requests the contractor account/contact and puts an
expiration on it.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, September 05, 2006 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Distribution list Maintenance. Policy dilemma

Hi,

I have Department
managers asking me to create DL in Exchange of people who don't work in
the company

There is no technical
problem to do that, but I am finding out that the previous guy was doing that
via contacts in AD. The problem is that in this business, a consultant will
work one day for you and next for your competitor.

My question is, what is
the common practice in terms of DL. Does anyone know a good way of maintaining
them? Most of the time, I don't get notified when we no longer work with
a consultant.

How do you guys deal with
DL maintenance? Any suggestion?

RE: [ActiveDir] Sharepoint access after user AD migration

2006-09-05 Thread Robert Rutherford

What Sharepoint servicepack are you
running? You need at least one and a hotfix.. can't remember which. I'll
look through my old KB to see if I can find the hotfix.

Cheers

Rob

Robert Rutherford
QuoStar Solutions Limited

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
Sent: 05 September 2006 21:58
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sharepoint access after user AD migration

Apologies if this is not the most appropriate forum for this question.

The situation is an NT4.0 domain with 18,000 users. Migrating to
AD Win2k. Two-way trust and sIDHistory filtering is disabled.
There's a Sharepoint server in the legacy NT4.0 domain. The NT4.0 users
can access the Sharepoint just fine. The users, after being migrated, are
not able to access the Sharepoint using their new AD accounts until after the
Sharepoint admins add their new AD account to the Sharepoint security.
Isn't Sharepoint supposed to be able to take advantage of sIDHistory and, if
so, is there some setting we need to change?

Thanks,
Mike

RE: [ActiveDir] Completely OT: Maroons

2006-09-04 Thread Robert Rutherford
Come through fine on mine Laura.

Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331   
F:+44 (0) 8456 440 332   
M:+44 (0) 7974 249 494   
E:[EMAIL PROTECTED] 
W:www.quostar.com   

 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: 04 September 2006 15:06
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Completely OT: Maroons

Has anybody figured out what's causing the blank posts, or is it just me
who got blank replies from Mark and Neil?

Thanks,

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
 Sent: Monday, September 04, 2006 4:15 AM
 To: ActiveDir.org
 Subject: Re: [ActiveDir] Completely OT: Maroons
 
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Rid Master

2006-09-04 Thread Robert Rutherford

as the tumbleweed blows on through the
group, Rob peers over to Joe, tilts his hat, and gives a knowing nod ;)

Rob

Robert Rutherford
QuoStar Solutions Limited

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 04 September 2006 17:11
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Rid Master

Guys, explain to me the functions of RID master, how
do I display RID of object created in AD

Thanks in advance

joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/04/2006 08:36 AM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: OT - RE: [ActiveDir] W. in hell

While I wouldn't want this to become a humour
list, I saw the email and laughed and figured the same thing Laura figured,
that Outlook autofill bit the guy (which is funny all by itself because we have
all seen it happen if not had it happen to ourselves) and then I moved on. I
find all of the additional attention even more humorous including the value judgements
of the quality of the joke and analysis of words. 
 
I classify the message as OT with the droves of other
messages that come through the list that are OT[1] and being sent here because
of a tenuous relationship of being about technologies that utilize AD[2] though
the question itself has nothing to do with AD or simply folks forgoing it all
and just saying WTF, I'll give it a shot and ask you guys because you seem
helpful. If you get a whole day of many of those coming through it is a bit
annoying. More annoying, at least to me, are questions that are ON TOPIC but
someone didn't take time to look at the archives or google and asking like it
was the first time it was asked versus maybe revisiting the previous discussion
in new light. However, unless the list goes moderated which no one wants or at
least a vast majority of the someone's don't want, the list is just the way it
is and will be and you read the messages if you want and blow by them
otherwise. 
 
Overall I would hate to lose the jocularity and casualness of
the list. It is one of the things that make it worth reading. :) There
have been quite a few times subjects have drifted off topic only to expose
something in the monkeying around or what not based on something not everyone
understood or knew that we wouldn't have otherwise found out that immediately
snaps it all back on topic and of great use. 
 
 joe 
 
 
[1] Though this was funnier than most OT stuff. There is my
value judgment on the quality. :) 
 
[2] Versus actually being AD Technology. Examples of tech
that utilize AD include but are not limited to GPOs, DNS, Exchange, print
queues, clustering, file server manipulations (copying files, home drives,
management, etc), etc. Not saying questions about all of those are automatically
OT, but we tend to get quite a few questions in those areas that aren't about
AD or the interaction with AD but about the non-AD aspects of the tech.
Examples being a question about how to do something in a GPO versus say OU
strategies for applying GPOs or the permissions on the GPO objects and how AD
interprets them. Or a general question about DNS like what is returned in a
query or how it is managed versus what records need to be in DNS for AD to work
or how its app NC replicates. 
 
-- 
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Monday, September 04, 2006 10:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: OT - RE: [ActiveDir] W. in hell

I have a hell of a sense of humor (as I'm sure a lot of geeks
here do) this just isn't the place for it when people come here for help.

/just sayin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Sunday, September 03, 2006 10:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: OT - RE: [ActiveDir] W. in hell

Nah... it looks more like the sender mistook this list for some other lists. On other
lists, this would have engendered a more rapid-fire flame war to the
sender's satisfaction, even though the joke itself is very old and has outlived
its useful shelf life.

I'm sure he's disappointed that this list is so geeky and full of maroons with no
sense of humors.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize

RE: [ActiveDir] OT: Servers rebooting, etrust antivirus

2006-09-01 Thread Robert Rutherford
Absolutely Shocking!

Rob

Robert Rutherford
QuoStar Solutions Limited

T:+44 (0) 8456 440 331   
F:+44 (0) 8456 440 332   
M:+44 (0) 7974 249 494   
E:[EMAIL PROTECTED] 
W:www.quostar.com   

 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: 01 September 2006 17:46
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Servers rebooting, etrust antivirus


CA eTrust Antivirus flagging lsass.e x e
http://isc.sans.org/diary.php?nstoryid=1665
Unsubscribe: http://isc.sans.org/notify.php


Yup

Kevin Brunson wrote:

 Anyone else out there dealing with the Computer Associates eTrust 
 Antivirus signature thing this morning?

 Symptoms: The system process C:\Windows\System32\lsass.exe 
 terminated unexpectedly with status code 0. The system will now shut 
 down and restart.

 After the reboot, it once again gives the same message, over and over.

 Resolution: Update to the latest eTrust Antivirus signatures. The 
 version ending in .3056 is known stable.

 Details: Apparently the signatures are detecting lsass.exe as a virus 
 and trying to rename or delete it. Windows File Protection kicks in 
 and says no. They then argue for a bit and neither wins so the server 
 gives up and reboots.

 Hopefully no one else has experienced this, but if you are running ca,
 this should solve your problem. Almost all of my customers are running
 eTrust Antivirus, so it has been a very long morning.

 Kevin


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Site down for 36 hours so far - anything proactive to do?

2006-08-29 Thread Robert Rutherford

No, it will sort itself out.. if it's a big operation then you may want to
shape the IP traffic to give the AD some priority on reconnect.

Rob

Robert Rutherford
QuoStar Solutions Limited

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: 29 August 2006 15:50
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site down for 36 hours so far - anything proactive to do?

One of our sites has been without power for over 36 hours now. Is there
anything that I should do in AD if the site could potentially be down for
another day or more? DC's are mixed between 2000 SP4, 2003 SP1, and 2003R2.

Thanks,

...D

-- 
CPDE - Certified Petroleum Distribution Engineer
CCBC - Certified Canadian Beer Consumer

RE: [ActiveDir] OU tareq

2006-08-24 Thread Robert Rutherford

Create a group in AD and add the users to it. Then use restricted groups
(via group policy) to add that group into local admin on the PCs.

Cheers

Rob

Robert Rutherford
QuoStar Solutions Limited

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of tareq ttt
Sent: 24 August 2006 15:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OU tareq

Dears,

How can I build a group policy that permits a normal account in
the Active Directory to log in as Local Admin on any computer in one OU?

tareq

RE: [ActiveDir] Restoring RID

2006-08-14 Thread Robert Rutherford

Hi Lucia,

You can seize the roles via NTDSUTIL.

http://www.petri.co.il/seizing_fsmo_roles.htm

Robert Rutherford
QuoStar Solutions Limited

The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucia Washaya
Sent: 14 August 2006 09:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Restoring RID

How do I move the RID role when that server is already
crashed? I want to recover from the loss of the RID master, so I cannot move it
since it is not available. Or is there a way to do it?

Lucia Washaya
CITS UNIOSIL
Tel.: 022-295-526 xtn. 5497
Int'l Tel.: Via Italy + (39) 083123-5497
Via USA +1(212) 963-9588 (after audio response dial 174-5497)

==

The cobra will bite whether you call it Cobra or Dear Mr. Cobra.

==

Matt Hargraves [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
14/08/2006 03:43
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: Re: [ActiveDir] Restoring RID

I always recommend transferring FSMO roles from a box before upgrading it, then
moving it back after the upgrade is completed successfully.

If you've got enough DCs to justify splitting FSMO roles, you've got enough to
move it to another box for a week to upgrade the box. 


On 8/13/06, Chong Ai Chung [EMAIL PROTECTED] wrote: 
When the RID flexible single-master operations DC is restored, it may use old
RID pool values, and it can cause the restored RID flexible single-master
operations DC to begin issuing duplicate SIDs. 
 
The best way is: 
 
- to use another DC to seize the RID master role. 
- Rebuild the OS on crashed DC and promote it back as Domain Controller 
- transfer the RID master role back to the rebuilt DC. 
 
Regards, 
 
Ai Chung 


On 8/14/06, Lucia Washaya [EMAIL PROTECTED] wrote: 

Colleagues, 

We have a server which crashed during upgrade (2000 to 2003). Now we want
to restore it. 
Problem is this server is the RID holder and the documentation on the technet
says

Restoring the RID Master can result in Active Directory data corruption, so
it is not recommended. So what is the best way to restore this server?

Thank you in advance for your assistance

Regards,




Lucia Washaya
CITS UNIOSIL
Tel.: 022-295-526 xtn. 5497 
Int'l Tel.: Via Italy
+ (39) 083123-5497
Via USA
+1(212) 963-9588 (after audio response dial 174-5497)



==

The cobra will bite whether you call it Cobra or Dear Mr. Cobra. 

== 
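
The seize-and-verify sequence discussed in this thread, as an added example that is not part of the original messages: a cmd batch file run on the surviving DC that is to take the role. The name DC02 is a placeholder, and netdom, repadmin and dcdiag are assumed to be installed from the Windows Support Tools.

```batch
@echo off
rem Added example: seize the RID master role with NTDSUTIL after the old
rem role holder has crashed and the role can no longer be transferred.
rem NEWHOLDER is a placeholder name, not a value taken from the thread.
setlocal
set NEWHOLDER=DC02

rem 1. Record which DC the directory currently lists for each FSMO role.
netdom query fsmo
if errorlevel 1 (
    echo netdom failed; fix connectivity before touching any role.
    exit /b 1
)

rem 2. Check that the target DC is replicating cleanly, so it knows the
rem    most recent RID allocations before it starts handing out pools.
repadmin /showrepl %NEWHOLDER%

rem 3. A seizure is for a holder that is gone for good. Restoring the old
rem    RID master afterwards can reuse old RID pool values and issue
rem    duplicate SIDs, so make the operator confirm before going on.
set /p ANSWER=Old RID master is permanently offline and will be rebuilt (yes/no)? 
if /i not "%ANSWER%"=="yes" (
    echo Aborted: transfer the role instead while the old holder is reachable.
    exit /b 1
)

rem 4. Seize. ntdsutil first attempts a normal transfer and only seizes
rem    when the current holder cannot be contacted; it asks for confirmation.
ntdsutil roles connections "connect to server %NEWHOLDER%" quit "seize RID master" quit quit

rem 5. Verify the new holder and that its RID manager is healthy.
netdom query fsmo
dcdiag /s:%NEWHOLDER% /test:ridmanager /v

endlocal
```

Once the crashed server has been rebuilt and promoted again, the same ntdsutil roles menu with "transfer RID master" moves the role back, as the steps quoted above describe.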










RE: [ActiveDir] Password resets

2006-08-11 Thread Robert Rutherford
Heheh... had this come in on Silicon's round-up of the week :)


snip
And finally, Microsoft - everybody's favourite love-hate tech titan -
has been up to its old tricks of late with a botched live demo of new
voice recognition software, which will be included in its Vista launch,
in front of media and analysts at its Redmond headquarters.

A Microsoft employee bravely took to the stage, no doubt with the same
kind of trepidation felt by the world's first parachute jumper or the
person who discovered 'yes, you can eat snails'.

Dear mom comma, he began speaking purposefully into a headset
microphone positioned just a few millimetres from his lips with all the
pace and clarity of an English tourist trying to order Two... pints...
of... lager... please...  in a foreign country.

At which point Dear aunt, appeared on the big screen for all to see,
followed by some much-to-be-expected chortling from the audience who no
doubt fear the day a Microsoft demo runs smoothly.

Fix aunt, said the slightly embarrassed Microsoft man.

Dear aunt, let's set, read the screen.

Delete that, delete that, delete that... he said.

Dear aunt, let's set so, said the big screen.

I think it's picking up a bit of an echo, he told the guffawing
audience.

Delete, select all, he added.

Dear aunt, let's set so double the killer delete select all,
came the response on the screen.

By which point the audience was laughing so hard the Round-Up suspected
an accident of a toilet nature may befall at least a few of its members.

I'm glad you're enjoying this, offered the Microsoft man, realising he
may have seen his demonstration go horrendously wrong but he'd at least
made them laugh and doubtless left them eager for more.

The comedy could only have been heightened if at that point Mr Clippy
announced his return by popping up and saying: It looks like you're
writing a letter.

Or perhaps even: It looks like you're making a right old balls up of
this my friend.

However, it seems the problem may have been down to some background
noise at the demonstration and not - the Round-Up repeats 'not', you
understand - any crappy software.

snip-

BR

Rob

Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 11 August 2006 03:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password resets

Well all I can say is that we have several partners that have built
password and pin reset capabilities on top of Microsoft Speech Server
2004 and have customers that are very satisfied with them:
http://www.microsoft.com/speech/solutions/password/default.mspx .  It is
something that I get asked about a lot and was a requested feature for
the password reset capabilities that are being planned for Active
Directory.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, August 10, 2006 7:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password resets

Love that movie.

(Sneakers with Robert Redford)

I'd like world peace   We're the government, we don't do that 
kind of thing!

As an off topic... if you get the Director's edition you get the info
about how the code speech done by the character Gunther was actually
augmented and reviewed by the guy who is the A in RSA.

(okay okay I need a life, I know...)

Passwords are one of the most challenging aspects of security and
networks because they impact so closely with the human element.  There
are studies on how brains process numbers and how much we can remember.

Amazon.com: Perfect Passwords: Selection, Protection, Authentication: 
Books: Mark Burnett,Dave Kleiman:
http://www.amazon.com/gp/product/1597490415/sr=8-2/qid=1155257055/ref=pd_bbs_2/103-7791739-9887065?ie=UTF8

This one has a chapter on passwords:
Amazon.com: Protect Your Windows Network: From Perimeter to Data
(Microsoft Technology): Books: Jesper M. Johansson,Steve Riley:
http://www.amazon.com/gp/product/0321336437/sr=1-1/qid=1155257102/ref=pd_bbs_1/103-7791739-9887065?ie=UTF8s=books


The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3: Security 
Management - October 2004:
http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx

The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3:
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint100504.mspx

The Great Debates: Pass Phrases vs. Passwords. Part 3 of 3 -- TechNet 
Column - Security Management - December 2004:
http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx


David Adner wrote:
 Wait, I've seen this one before.  My voice is my

RE: [ActiveDir] Password resets

2006-08-11 Thread Robert Rutherford
I understand that... just thought it was a funny read.

Being a techie... I'm sure we have all been in these red-face situations
:)



Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 11 August 2006 14:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password resets

The two products are actually quite different especially since one
relies on the sampling frequency of a phone versus any microphone an end
user may have.  Anyway the story you reference below actually has a much
more interesting background and the developer responsible for the issue
blogged about it here:
http://blogs.msdn.com/larryosterman/archive/2006/07/31/684327.aspx. It
is always interesting to see how software bugs manifest themselves in
real life. 

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert
Rutherford
Sent: Friday, August 11, 2006 7:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password resets

Heheh... had this come in on Silicon's round-up of the week :)


snip
And finally, Microsoft - everybody's favourite love-hate tech titan -
has been up to its old tricks of late with a botched live demo of new
voice recognition software, which will be included in its Vista launch,
in front of media and analysts at its Redmond headquarters.

A Microsoft employee bravely took to the stage, no doubt with the same
kind of trepidation felt by the world's first parachute jumper or the
person who discovered 'yes, you can eat snails'.

Dear mom comma, he began speaking purposefully into a headset
microphone positioned just a few millimetres from his lips with all the
pace and clarity of an English tourist trying to order Two... pints...
of... lager... please...  in a foreign country.

At which point Dear aunt, appeared on the big screen for all to see,
followed by some much-to-be-expected chortling from the audience who no
doubt fear the day a Microsoft demo runs smoothly.

Fix aunt, said the slightly embarrassed Microsoft man.

Dear aunt, let's set, read the screen.

Delete that, delete that, delete that... he said.

Dear aunt, let's set so, said the big screen.

I think it's picking up a bit of an echo, he told the guffawing
audience.

Delete, select all, he added.

Dear aunt, let's set so double the killer delete select all,
came the response on the screen.

By which point the audience was laughing so hard the Round-Up suspected
an accident of a toilet nature may befall at least a few of its members.

I'm glad you're enjoying this, offered the Microsoft man, realising he
may have seen his demonstration go horrendously wrong but he'd at least
made them laugh and doubtless left them eager for more.

The comedy could only have been heightened if at that point Mr Clippy
announced his return by popping up and saying: It looks like you're
writing a letter.

Or perhaps even: It looks like you're making a right old balls up of
this my friend.

However, it seems the problem may have been down to some background
noise at the demonstration and not - the Round-Up repeats 'not', you
understand - any crappy software.

snip-

BR

Rob

Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 11 August 2006 03:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password resets

Well all I can say is that we have several partners that have built
password and pin reset capabilities on top of Microsoft Speech Server
2004 and have customers that are very satisfied with them:
http://www.microsoft.com/speech/solutions/password/default.mspx .  It is
something that I get asked about a lot and was a requested feature for
the password reset capabilities that are being planned for Active
Directory.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, August 10, 2006 7:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password resets

Love that movie.

(Sneakers with Robert Redford)

I'd like world peace   We're the government, we don't do that 
kind of thing!

As an off topic... if you get the Director's edition you get the info
about how the code speech done by the character Gunther was actually
augmented and reviewed by the guy who

RE: [ActiveDir] Password resets

2006-08-10 Thread Robert Rutherford

I can almost hear a tumbleweed blow through...

I've never seen an effective voice recognition system work in the real
world but would love to if anyone has?

Would it not be easier to go for a simpler auth method, i.e. RSA, mobile
(cell phone), finger, token, etc? You shouldn't have to worry about
lockout issues.

Robert Rutherford
QuoStar Solutions Limited

The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: 10 August 2006 22:55
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password resets

There is talk about using a home grown speech recognition
system to reset a user's password. You would need to enroll, the system would
record your voice and if you ever wanted to reset your password, it would
ask you to repeat a word of its choice.

The system would use a service account with the ability to
reset passwords and turn on the option to force the user to reset the password
at logon.

I am just sending this out to get some feedback.
I would have a challenge trying to exclude certain groups from being
able to do this, like IT folks with elevated credentials. Unfortunately those
IT folks are in the same OU as the users that want this functionality.

Thoughts on any part of this?

Thanks

Johnny Figueroa
Supervisor Network Operations  Support
Network Services
Banner Health
Voice (602) 747-4195
Fax (602) 747-4406

RE: [ActiveDir] machine GP load

2006-08-09 Thread Robert Rutherford

Have you performed the usual gpresult, modelling, etc?

Anything in the event logs?

Is this a new policy or new machines (to the domain), or both in fact?

Cheers

Rob

Robert Rutherford
QuoStar Solutions Limited

The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: 09 August 2006 21:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] machine GP load

I have a few machines that will not load the machine GP. I'm pretty sure
that it's an issue with the workstations but just to cover butt, is there
anything on the GP or AD that would prevent the GP from loading?

Antonio

RE: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Robert Rutherford

http://support.microsoft.com/?kbid=842162

Robert Rutherford
QuoStar Solutions Limited

The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: 08 August 2006 13:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Moving Sysvol .

Hello :)

I have my ADw2k3sp1 hard disk configured as this:

hdd1: AD logs.

hdd2: ntds.dit + sysvol.

I would like to change my hdd2, so I move the ntds.dit in hdd1 and
that's ok. But how to move the sysvol folder in hdd1? Is there a way to do
this?

Thanks for your replies.

Yann

RE: [ActiveDir] OT: SBS question

2006-08-03 Thread Robert Rutherford

You should only have one SBS per domain, and also per subnet. You should
be able to get round this by disabling DHCP on the new server... or
putting it on a different subnet, etc. 

SBS is by its nature a DC. You can go around hacking bits out of the
registry but you will end up violating the EULA.

The migration method entirely depends on the size and complexity of the
install. You might be better off with a scratch build and build it back,
again it depends on the state of play in the domain as it stands, i.e.
is it clean?

Also, if it's a dev box and they develop for external customers on MS
products, then he may be eligible for the Microsoft Action Pack
subscription. You can then get a cleaner setup with a 2003 member server
loaded with SQL... for a small annual fee.


Cheers

Rob

Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 03 August 2006 10:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: SBS question

I've never seen SBS, but my younger brother has just started a new job
(first one since leaving Uni) and bought a new server and it came with SBS.
When he built it it appeared he had no choice but to make it a DC, even
though he only wanted it as a member server - there's already an SBS box
there.

Anyway, we didn't know at the time (this was a phone conversation) so I told
him to go ahead with the promotion (thinking it was just a stupid Dell
wizard) and demote it later.  He did this and now it reboots every day.

So, I think I know the answer to this from the tidbits of info. I've seen in
the groups and forums, etc. but can the 2nd SBS box be added to the domain
with the first SBS or does he need to get a k3 Std. license instead?  All he
wants at this point in time is a SQL and file server.

(As you can guess, this is a small company, he's one of three dev guys
there).

And, if they wanted to replace the existing SBS box with this new one, how
do they go about that if you can't have more than one SBS box?  I doubt they
want to migrate...

Thanks,


--Paul

- Original Message - 
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 3:45 AM
Subject: Re: [ActiveDir] Information about lingering objects in a Windows
2000-based forest or in a Windows Server 2003-based forest:


 You know us blondes

 With barely a twig, let alone a tree in our forest...and I'll have you
 know this twig is clean installed 2k3 domain (I strongly believe in no
 inplace even in our twig domains down here).

 (and for the record for everyone's trivia tonight... while I choose to have
 a single DC (at this time) ... SBS can support additional DCs in our
 domain hey.. I've even used ntdsutil and ADSIedit even down here ;-)

 Brett Shirley wrote:
 Susan, how on earth could _you_ get a lingering object?  Seems impossible
 with only one DC, oh wait did you just forget to delete it?

 From The Love,
 -B

 On Wed, 2 Aug 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

 Information about lingering objects in a Windows 2000-based forest or in
 a Windows Server 2003-based forest:
 http://support.microsoft.com/?kbid=910205

 -- 
 Letting your vendors set your risk analysis these days? 
 http://www.threatcode.com

 If you are a SBSer and you don't subscribe to the SBS Blog... man
... I 
 will hunt you down...
 http://blogs.technet.com/sbs



RE: [ActiveDir] Remove Defunct domains..

2006-08-02 Thread Robert Rutherford

If you use WINS check for them in there and delete if required.

Cheers,

Rob

Robert Rutherford
QuoStar Solutions Limited

The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: 02 August 2006 22:46
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove Defunct domains..

Whenever I browse Network Neighborhood or view the list of available
networks, there are a few domains that appear that shouldn't. Is there a way to
remove these domain/domain entries manually?

ADSI edit?

-- 
HBooGz:\ 







RE: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-02 Thread Robert Rutherford
Loads of tools as Susan says, but just to note the GFI one no longer
works - one of my engineers tried it a couple of months ago.

Rob

Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
 T:  +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: 02 August 2006 22:21
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

RedEarth Software policypatrol.com

Wizard and GUI

The SBS way

There are instructions at www.smallbizserver.net (I think they are still
in the free docs) ...but I'm blonde and GUI and policy patrol works.

If you are cheap GFI's mail scanner ...install the trial version and 
when it expires the disclaimer stays (or last I heard)

Bart Van den Wyngaert wrote:
 Hi guys,

 I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box.
 I'm using the EventSink with a .vbs to add the disclaimer. The box is
 configured with a default SMTP server and a SMTP connector which
 forwards all external email to the SMTP of the ISP.

 Anybody who has done the trick already? If so, can you please tell me
 the little secret for this? *g*

 Many thanks to all,
 Bart


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs



RE: [ActiveDir] DC Can't Handle DNS Pointed to Self

2006-07-28 Thread Robert Rutherford

Sounds like it's not replicating. When you say non-domain firewall, what do
you mean? You don't want any firewall on it unless you have a specific need.

If you strip the firewall off, where does that leave you?

If you use dcdiag and netdiag they should also give you an idea about what's
going on. If you like, feel free to mail them to me.

Cheers,

Rob

Robert Rutherford
QuoStar Solutions Limited

The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: 28 July 2006 07:20
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Can't Handle DNS Pointed to Self

Hello:

This is sort of a follow up to two recent postings.
Any thoughts are welcome as I have now been trying to figure this one out for
about a week.

I have DC running as a virtual machine under (host
W2k3 SP1 w/ VS 2005 R2; guest: W2k3 ENT R2). This machine was recently
promoted. When its local DNS points to itself, the machine does not logon to
the domain. It appears to not even know about itself. No one can get to it
because it loads the non-domain firewall GPO (enabling the full firewall).

When I point DNS across the WAN, it loads, though
interestingly it does not become visible on the network until I log into it
(via the VS management tools). I can then log out and it stays visible. It then
appears to function correctly.

Any thoughts greatly appreciated.

-- nme

RE: [ActiveDir] DC Can't Handle DNS Pointed to Self

2006-07-28 Thread Robert Rutherford

Also, what's your DNS setup?

Robert Rutherford
QuoStar Solutions Limited

The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH

T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: 28 July 2006 07:20
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Can't Handle DNS Pointed to Self

Hello:

This is sort of a follow up to two recent postings.
Any thoughts are welcome as I have now been trying to figure this one out for
about a week.

I have DC running as a virtual machine under (host
W2k3 SP1 w/ VS 2005 R2; guest: W2k3 ENT R2). This machine was recently
promoted. When its local DNS points to itself, the machine does not logon to
the domain. It appears to not even know about itself. No one can get to it
because it loads the non-domain firewall GPO (enabling the full firewall).

When I point DNS across the WAN, it loads, though
interestingly it does not become visible on the network until I log into it
(via the VS management tools). I can then log out and it stays visible. It then
appears to function correctly.

Any thoughts greatly appreciated.

-- nme

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Robert Rutherford
Jeff,

If you back them up over the client-facing LAN conn or over your Gb
back-end I wouldn't have any concerns. If you want to just standardise
your setup then just go for it.

Cheers.

Rob

Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 13 July 2006 12:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

 
Well, I don't think the driving factor is the size of the IT operation
in terms of # DC's necessarily.

In my small environment (3 x DC, 1 x Exchange, 2 x Fileserver, 1 x
Sharepoint), the factors are

- My client facing network is 100 Mbs Ethernet
- Major vendor's servers have come with inbuilt dual GbE NICs for
  the last 3+ years
- GbE switches are now ridiculously cheap
- Backup software supports this configuration (some vendors
  recommend this config, as noted by other replies)
- Uniform configuration, I backup Exchange, file servers, etc
  using this configuration.

So I guess you could look at it as a poor man's SAN.

From my perspective it seems a reasonable thing to do.
 
---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228 f: +44 (0)1895 463098

I dream of hover cars and old transistor radios ... she dreams of
flowers in a field of sunny bungalows


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kurt Falde
Sent: 12 July 2006 16:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

So how many DC's do you have? What is your DIT size like to warrant
going through all this trouble? Are there other applications that you
need to backup on the DC's that are requiring full backups of all your
DC's?  With most environments getting the system state from a DC/GC in
each domain should be enough to allow you to do whatever authoritative
restores that you need. Now if you have other apps that you need to do
large data backups of then this may be required.  Yes you can do
multiple nic's on DC's and quite a few organizations do however it
definitely would not fall under best practices for Domain Controllers.

Kurt Falde
Premier Field Engineer
Northeast Region
Microsoft Corporation

[deleted]

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Robert Rutherford
No issues, if you...

Go to the TCP/IP settings of the backup network card, click
advanced, go to the DNS tab and untick register the connection in
DNS.

Cheers,

Rob





  
  



Robert Rutherford
QuoStar Solutions Limited

The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi,

First posting to this list but I've lurked quite a while and I've been
very impressed by the quality of replies by the gurus.

My question is regarding the advisability of having multihomed DCs.
Basically I want to run backups over a separate GbE and as my servers
have dual inbuilt NICs this seems an obvious route to take. I know
there are some issues with DNS (I have a DNS integrated AD).

Would this cause replication problems, etc ?

Any other "gotchas" ?

Many Thanks,

---
Jeff Green
Network Support Manager
SAPIENS (UK) Ltd
t: +44 (0)1895 464228 f: +44 (0)1895 463098

"I dream of hover cars and old transistor radios ...
She dreams of flowers in a field of sunny bungalows"



RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Robert Rutherford
I've used the same configuration in a number of relatively sizeable
sites (2000+ user base) with no issues as the guys state.. just trial it.

Cheers

Rob





  
  



Robert Rutherford
QuoStar Solutions Limited

The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 13:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Hi Guys,

Many thanks to all that have responded (and so quickly !)

Points / clarifications / additional Qs

a) DNS multihomed issues

   Yes, found that in the MS KB about not "registering this connection
   in DNS" on the second NIC.

   Also leave the gateway / DNS TCP/IP settings blank on the second NIC.

b) Browser Issues

   Several things in MS KB about this and fixes (including hacking a
   registry if I remember correctly)

   But would Browser issues affect AD operations - I'm talking about
   replication issues here ?

c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3.

   Sorry should have stated this.

d) Backup

   Using BackupExec, which allows binding of remote agents to specific
   NICs

Have I got everything covered - I can't believe this is an unusual
configuration ?

Many Thanks
 




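The backup-NIC settings named in this thread (DNS registration unticked, no gateway and no DNS servers on the second NIC) can be checked with a read-only script. This is an added example, not part of any list member's post; it assumes Windows Server 2012 or later with the DnsClient and NetTCPIP PowerShell modules (not available on the W2K/W2K3 systems discussed) and a hypothetical interface alias `Backup`.

```powershell
# Audit the backup NIC of a multihomed domain controller against the
# settings named in the thread. Added example; makes no changes.
# Assumptions: Windows Server 2012+ (DnsClient / NetTCPIP modules) and a
# hypothetical interface alias 'Backup' for the dedicated backup NIC.
[CmdletBinding()]
param(
    [string]$BackupAlias = 'Backup'   # hypothetical alias, adjust to your NIC
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. "Register this connection's addresses in DNS" should be unticked,
#    otherwise the DC publishes its backup-network address to clients.
$dnsClient = Get-DnsClient -InterfaceAlias $BackupAlias -ErrorAction Stop
if ($dnsClient.RegisterThisConnectionsAddress) {
    $findings.Add("DNS registration is enabled on '$BackupAlias'")
}

# 2. The backup NIC should have no default gateway.
$ipConfig = Get-NetIPConfiguration -InterfaceAlias $BackupAlias
if ($ipConfig.IPv4DefaultGateway) {
    $gw = ($ipConfig.IPv4DefaultGateway | ForEach-Object { $_.NextHop }) -join ', '
    $findings.Add("Default gateway set on '$BackupAlias': $gw")
}

# 3. The backup NIC should have no DNS servers configured.
$dnsServers = (Get-DnsClientServerAddress -InterfaceAlias $BackupAlias `
                   -AddressFamily IPv4).ServerAddresses
if ($dnsServers) {
    $findings.Add("DNS servers set on '$BackupAlias': $($dnsServers -join ', ')")
}

# 4. The DC's host (A) records in DNS should not include a backup-NIC
#    address, for example one left behind from before step 1 was applied.
$backupIps = @(Get-NetIPAddress -InterfaceAlias $BackupAlias -AddressFamily IPv4 |
                   Select-Object -ExpandProperty IPAddress)
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$fqdn = '{0}.{1}' -f $cs.DNSHostName, $cs.Domain
$registered = @(Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'A' } |
                    Select-Object -ExpandProperty IPAddress)
foreach ($ip in $backupIps) {
    if ($registered -contains $ip) {
        $findings.Add("$fqdn resolves to backup address $ip")
    }
}

if ($findings.Count -eq 0) {
    "OK: '$BackupAlias' matches the multihomed DC settings from the thread."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}

# To correct finding 1, an administrator would run (deliberately, not as
# part of this audit):
#   Set-DnsClient -InterfaceAlias $BackupAlias -RegisterThisConnectionsAddress $false
```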



RE: [ActiveDir] Multihomed Domain Controllers

2006-07-12 Thread Robert Rutherford



I guess that is very true... on reflection I was using the
separate connection situation on satellite sites, where the DC did have backup
exec loaded.. I hear you *gasp*

Cheers





  
  



Robert Rutherford
QuoStar Solutions Limited

The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 12 July 2006 14:36
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Multihomed Domain Controllers

Personally, I've never used that configuration for a DC. Since being
bit in the nt4.0 days (before that really, but hate to show the age :) I've had
architectural reasons to not do that. Since AD is made up of a
multi-master fabric, I have had no reason at all to require an isolated network
dedicated to backups. I get the feeling in your case it's just a nice to
have vs. a requirement since you have the hardware and figure why not put it to
use. You'd be a rare exception if the size of the dit is large enough to
require such a configuration. Saying that, is it possible? Most
likely. Will it be difficult when/if you call for support for some other
issue to explain to the engineer that you have a multi-homed DC? Most
likely. Does it break the "keep it as simple as possible while meeting the
requirements?" rule? Most likely.

When you test this, as the others have mentioned, be sure to test the
recoverability and the gotchas that come along with bringing up a recovered DC
on a multi-homed machine. You'll want to have that documented and
thoroughly tested so as not to have to deal with that when under
pressure. You may also want to consider an alternative backup method that
doesn't require a dedicated network to the DC's.

Just some random thoughts and my $.04 (USD) worth.

Al

RE: [ActiveDir] OT: My Docuent not Redirecting

2006-06-28 Thread Robert Rutherford








It was re-directed, but now not?

Does the profile appear on the c:\?

What is the behavior when the user logs onto another machine?

Rob

Robert Rutherford
QuoStar Solutions Limited

The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: 28 June 2006 21:33
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: My Docuent not Redirecting





I have a user on a Windows 2000 Pro SP 4 box that
used to have his My Documents auto redirected to his user drive, however all of
a sudden the computer won't re-direct it.



The GPO is fine, he is the owner of his user drive,
security is correct on the folder, there are zero errors on the box.



Does anyone have any ideas of what else I can try?



Justin A. Salandra

MCSE Windows 2000  2003

Network and Technology Services Manager

Catholic Healthcare System

646.505.3681 - office

917.455.0110 - cell

[EMAIL PROTECTED]










RE: [ActiveDir] A quick(?) NTP question

2006-06-21 Thread Robert Rutherford
I remember from an AD trouble-shooting
course many years ago that it simply checks first one in the list and moves
down on fail. I'm sorry but don't have any supporting documentation
to confirm.



Rob








 
  
  
  
  
  
  
  
Robert Rutherford
QuoStar Solutions Limited

The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 21 June 2006 11:05
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] A quick(?) NTP question





Here's a simple one for anyone who understands the internals of NTP:

Scenario:
PDCe in root domain is configured to use 2 NTP servers

Question:
Will the PDCe always sync with the same NTP server unless it's not available and
then sync with the other NTP server?

Or

Will the PDCe talk to both NTP servers and adjust its clock according to the various
NTP algorithms used to determine which NTP server is 'more accurate'?

If the latter, does anyone have a doc which explains that algorithm?

Many thanks,
neil














RE: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server

2006-06-20 Thread Robert Rutherford
Hi David,

Just restore and resume as it's a single DC.

Cheers

Rob


Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
 T:  +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: 20 June 2006 10:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ghost Backup or Image for Active Directory
Server and Exchange Server


To all single DC folks - when you perform a restore of your single DC
from an image, as part of your procedure do you increase the value of
the RID pool or just restore and resume working?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP] 
Sent: 20 Jun 2006 1:03
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ghost Backup or Image for Active Directory
Server and Exchange Server


And you didn't go to Jeff Middleton's TechEd session on DR for Small 
business did you?

We're a single DC folks.. hello... it works.

We're not enterprise and that means best practices for you are not best 
practices for us.

Acronis works.

Big boys can't image DCs.. we can.  We're little..we're agile and we can
do it.

Big server land can't ...and that's fine...but the rules of big server 
land stop at the gates of SBSland... it's a whole diff ball game for us.

(Fenway was cool btw)


Paul Glenn wrote:

 I attended a Disaster Recovery of AD class at TechEd this past week.
 One thing they said was to NEVER EVER rely on a ghost image for DR.  
 Their reasoning was the whole SID situation.
  
 Paul

  
 On 6/17/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]*
 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:

 And us SBSers will say that sometimes that single DC with a DR
 strategy in place can be less issue than multiple domain controllers.
 (please note the DR strategy phrase there.. this is planned ahead of
 time)

 What is the size of the firm and what is the tolerance of downtime.
 Start from there.  Plan your DR process.

 Almeida Pinto, Jorge de wrote:

  Only in an AD environment with ONE DC in the AD FOREST, there would
  not be much of an issue. Although I still recommend to use a
  supported method.
  No matter how many DCs, using a supported method/tool/procedure, you
  will always be ready for it.
  As soon as you get a second DC, the image thing won't work that good
  anymore.

  For more info also see:
  http://blogs.dirteam.com/blogs/jorge/archive/2006/03/08/597.aspx

  I also recommend to have AT LEAST 2 DC in each AD domain (and backup
  at least 2, preferably more if you have more DCs) for if something
  goes wrong with one DC. In that case while one DC is still running you
  can repair the other or promote another DC into the AD domain. If you
  only have one DC, AD will be available again as soon as that single DC
  is up and running again.

  Met vriendelijke groeten / Kind regards,
  Ing. Jorge de Almeida Pinto
  /Senior Infrastructure Consultant/
  /MVP Windows Server - Directory Services/
  *LogicaCMG Nederland B.V. (BU RTINC Eindhoven)*
  Tel : +31-(0)40-29.57.777
  Mobile : +31-(0)6-26.26.62.80
  E-mail : see sender address

  *From:* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] on behalf of Jose Medeiros
  *Sent:* Sat 2006-06-17 08:01
  *To:* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
  *Cc:* Medeiros, Jose; ActiveDir@mail.activedir.org
  *Subject:* [ActiveDir] Ghost Backup or Image for Active Directory
  Server and Exchange Server

  Hi Amit,

  Well first you'll need to buy Symantec Ghost Corporate Edition so you
  have the 32 bit version. Then if you have a server such as a HP
  Proliant DL-580 with a 6400 Smart Raid Controller you'll need to add
  the Raid controller driver to your bootable CD Rom that you'll have to
  create so it can access the Raid Disk Array.

  If you Want to create your own Bootable CD, I would recommend you use
  Microsoft WinPE or Bart's PE http://www.nu2.nu/pebuilder/.

  Barts also allows you to use Acronis http://www.acronis.com/ which may
  be less expensive than Ghost Corporate, however I have only used Ghost
  Version 8, 32Bit and can attest that it works ( I've imaged several
  hundred servers with it at ADP Payroll Systems ).

  Hope this helps, the rest

RE: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server

2006-06-20 Thread Robert Rutherford

Note that you will of course need to restore the changes taken between
images, i.e. system state et al

Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
 T:  +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  


RE: [ActiveDir] Win2k Sites Login Servers

2006-06-20 Thread Robert Rutherford








Does all look good with your DNS SRV records per site?

Are there any errors in the client event logs?

Does the behavior occur from any site?

If you reboot and log on to the other site is all ok?

Robert Rutherford
QuoStar Solutions Limited

The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 20 June 2006 11:08
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Win2k Sites Login Servers





Windows 2000 Domain in Native Mode (Test Environment)

1 Domain
3 Sites each with its subnets defined
3 servers each with an IP address relating to a particular site.
Each server is hosting DNS and DHCP.
Each server is a GC.

When I plug a laptop in and log on as a user for the 1st time it will log onto the
DC that is in its relevant site, but when I log off and login to another site
it will still connect to the previous GC as its login server unless we perform
a flushdns before logging off. The laptop will pick up the correct DHCP address
depending on what site it is at.

I am using 'echo %logonserver%' to determine which login server it is using.

I have tried shortening the DHCP lease time but still the same issue occurs.

Chris.








RE: [ActiveDir] Servers or Workstations

2006-06-20 Thread Robert Rutherford
Hi John,

I would 'generally' opt for servers first as you can then take advantage
of the 2K, 2K3 goodies, i.e. AD straight away when you migrate the
workstations. 

Rob

Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: 20 June 2006 18:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Servers or Workstations

 
Hey all,

  I thought I had our Ad Migration plan as we were going to do
workstations first but I'm having second thoughts. I think we should do
servers first then workstations. Could I have your thoughts on this.

Thanks

john


RE: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

2006-06-19 Thread Robert Rutherford
Hi,

It does sound like our old pal DNS. 

If you run a dcdiag and netdiag, do they both run clean? If not then
please post the results.

If all is clean and it's a test environment then pull it and clean it up
with ntdsutil et al. 

If it's a new situation then just replicate and see if you still have
the issue. I have always found a couple of hours helps many ills.

BR

Rob

Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
 T:  +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: 19 June 2006 20:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

I'm in the process of upgrading my test domain (empty root and 1 child)
to w2k3 R2 based DCs and (thanks to help from the friendly folks here)
am just about done. I have one last w2k dc left to remove. It doesn't
want to go peacefully.

I moved the FSMO roles off and the next day tried to dcpromo it down to 
a simple server. I get

Managing the network session with FBDC1.fnal.gov failed

Access is denied. 
dcpromoui t:0x848 00479  Exit  State::GetFailureMessage The 
operation failed because:

Managing the network session with FBDC1.fnal.gov failed

A quick check shows that I can't get to the admin shares of my new w2k3 
dc/FSMO role holder from the w2k dc. I can get to the admin shares of 
the other simple servers but not either of the 2 DCs. Other systems can 
access the admin shares via the domain admin account I'm using on the 
w2k DC.

I've been searching and have found people having a similar problem when
promoting a w2k machine to be a DC but not when demoting. I've tried a
number of the things that were suggested in those articles and they have
had no effect.

There is no firewall in the way. AD replication and FRS work.

Any ideas before I rip it out?

al

-- 

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]


RE: [ActiveDir] Acitve Directory Internet Cafe Software

2006-06-19 Thread Robert Rutherford
Hello,

I looked some time ago but didn't find anything which truly fits, but I did use
http://www.antamedia.com/caffe/ in one environment and it was fine.

If you have a suitable firewall and/or a suitable content filter then we could
work something... what are you using?

Cheers

Rob


Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
 T:  +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lloyd Williams
Sent: 19 June 2006 21:47
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Acitve Directory Internet Cafe Software


Hi
Is there anyone out there aware of internet Café software that utilizes
active directory accounts? Basically I have a bunch of computers I have users
log into, and I need to monitor their time logged in and create reports on
computer usage by active directory accounts. The sort of software that does
this is typically the same software that runs internet cafés but it seems they
all use a proprietary account setup.

Lloyd Williams 


RE: [ActiveDir] Group Policy not working?!

2006-06-16 Thread Robert Rutherford








Will need to be the user object. Not security groups. You can use sec
groups to filter.

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 16 June 2006 11:40
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Policy not working?!

Windows 2000 Domain in Native Mode (Test Environment)

1 Domain
3 OU's (FactoryOU, RaceTeamOU, TestTeamOU)
In each of the OU's is a Security Group - Global
In each of the groups we have placed the users & computers relevant to
that group.

The default domain policy takes effect with no problems but we are unable
to get the Factory, RaceTeam or TestTeam policies to work unless we take
them out of the security group and place them directly into the OU.

Do GPO's work with groups or is it only users?

Chris.

RE: [ActiveDir] Group Policy not working?!

2006-06-16 Thread Robert Rutherford








I didn't exactly make that clear, did I?

The group policy will apply to the user object located within their site,
domain and OU. You can however stop or allow specific policies from taking
effect by using the ACL on each policy.

Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: 16 June 2006 12:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Group Policy not working?!

Will need to be the user object. Not security groups. You can use sec
groups to filter.

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 16 June 2006 11:40
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Policy not working?!

Windows 2000 Domain in Native Mode (Test Environment)

1 Domain
3 OU's (FactoryOU, RaceTeamOU, TestTeamOU)
In each of the OU's is a Security Group - Global
In each of the groups we have placed the users & computers relevant to
that group.

The default domain policy takes effect with no problems but we are unable
to get the Factory, RaceTeam or TestTeam policies to work unless we take
them out of the security group and place them directly into the OU.

Do GPO's work with groups or is it only users?

Chris.
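
The scoping rule discussed in this thread, as an added example that is not part of the original messages: a simplified Python model in which a GPO reaches an account only through the containers the account object itself sits in, and group membership can only filter a GPO that is already in scope. The domain DC=test,DC=example, the account and group names and all function names are constructed for illustration; site links, Block Inheritance, Enforced and loopback processing are left out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GPO:
    name: str
    # Security filtering: trustees granted Read + Apply Group Policy on the GPO.
    apply_to: frozenset = frozenset({"Authenticated Users"})


@dataclass(frozen=True)
class Account:
    name: str
    dn: str                       # where the account object itself lives
    groups: frozenset = frozenset()


def scope_chain(dn):
    """Containers above the object, domain first, that can carry GPO links.

    Naive split on ',' is enough for the constructed DNs below (no escaped commas).
    CN= containers such as CN=Users are skipped: GPOs cannot be linked to them.
    """
    rdns = dn.split(",")[1:]                       # drop the object's own RDN
    chain = [",".join(rdns[i:]) for i in range(len(rdns))]
    chain.reverse()                                # domain -> parent OU -> child OU
    return [c for c in chain if c.upper().startswith(("OU=", "DC="))]


def applied_gpos(account, links):
    """Names of the GPOs that apply to the account, in processing order."""
    token = {account.name, "Authenticated Users"} | set(account.groups)
    result = []
    for container in scope_chain(account.dn):
        for gpo in links.get(container, []):
            # In scope by location; the GPO's ACL then decides whether it applies.
            if token & gpo.apply_to:
                result.append(gpo.name)
    return result


# Constructed scenario modelled on the question in the thread.
DOMAIN = "DC=test,DC=example"
FACTORY_OU = "OU=FactoryOU," + DOMAIN

LINKS = {
    DOMAIN: [GPO("Default Domain Policy")],
    FACTORY_OU: [GPO("Factory Policy")],
}
# Same links, but Factory Policy is security-filtered to one group.
FILTERED_LINKS = {
    DOMAIN: [GPO("Default Domain Policy")],
    FACTORY_OU: [GPO("Factory Policy", frozenset({"FactoryGroup"}))],
}

# The group object lives in FactoryOU, but this member's user object does not.
ALICE_VIA_GROUP = Account("alice", "CN=alice,CN=Users," + DOMAIN,
                          frozenset({"FactoryGroup"}))
# Same user after the user object is moved into the OU.
ALICE_IN_OU = Account("alice", "CN=alice," + FACTORY_OU,
                      frozenset({"FactoryGroup"}))
# In the OU, but not in the group used for security filtering.
BOB_IN_OU = Account("bob", "CN=bob," + FACTORY_OU)

if __name__ == "__main__":
    for label, acct, links in [
        ("member of group in OU, object elsewhere", ALICE_VIA_GROUP, LINKS),
        ("object moved into OU", ALICE_IN_OU, LINKS),
        ("in OU, filtered out by ACL", BOB_IN_OU, FILTERED_LINKS),
        ("in OU, allowed by ACL", ALICE_IN_OU, FILTERED_LINKS),
    ]:
        print(f"{label}: {applied_gpos(acct, links)}")
```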








RE: [ActiveDir] How to get rid of from blacklisted

2006-06-15 Thread Robert Rutherford








This isn't AD - should be posted in Exch groups.

http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ajay Kumar
Sent: 15 June 2006 14:12
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to get rid of from blacklisted

Hi all,

Can you help me on this prob. Problem is that my exchange 2003 which
installed on win 2003 dc gets blacklisted (Means my static ip is
blacklisted). I searched how to stop this and on net I found solutions
pointing towards open relay and spam protection. They are saying that your
exchange is spamming so tell me how to control and stop spamming.

Sam.

RE: [ActiveDir] Domain Controller - Location Move

2006-06-08 Thread Robert Rutherford








You shouldn't have any issues, except the subnet/site.

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Contreras, Robert
Sent: 08 June 2006 13:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller - Location Move

Hello everyone,

Simple question - just want to verify:

Single forest\single domain comprised of 2 domain controllers physically
in one location. We would like to physically move one of the domain
controllers (the 2nd one promoted) to a new location (eventually both -
during the complete data center relocation). The DC will most likely change
IP's after the move - so configuring a site in the new location and
assigning the appropriate subnets for the new location is important -
anything else other than shutting it down and bringing it over?

Thx!

RC

RE: [ActiveDir] Domain Controller - Location Move

2006-06-08 Thread Robert Rutherford








Of course, just note that you'll need to ensure DNS records are correct
for the servers to find each other for repl.

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Contreras, Robert
Sent: 08 June 2006 13:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller - Location Move

Hello everyone,

Simple question - just want to verify:

Single forest\single domain comprised of 2 domain controllers physically
in one location. We would like to physically move one of the domain
controllers (the 2nd one promoted) to a new location (eventually both -
during the complete data center relocation). The DC will most likely change
IP's after the move - so configuring a site in the new location and
assigning the appropriate subnets for the new location is important -
anything else other than shutting it down and bringing it over?

Thx!

RC

RE: [ActiveDir] Domain Controller - Location Move

2006-06-08 Thread Robert Rutherford








If you can then yes.

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Contreras, Robert
Sent: 08 June 2006 15:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller - Location Move

Thanks for the responses - I wonder if it would just be easier to create
a new DC at the new location (within the new AD site).

From: Laura E. Hunter
Sent: Thu 6/8/2006 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller - Location Move

A good place to start is the following checklist that Jorge posted awhile
back:

How to move a DC to another site?:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/25/165.aspx

There have also been a number of discussions that you can find in the
list archives: http://www.activedir.org/ml/threads.aspx

HTH

Laura

On 6/8/06, Contreras, Robert [EMAIL PROTECTED] wrote:
> Hello everyone,
>
> Simple question - just want to verify:
>
> Single forest\single domain comprised of 2 domain controllers physically
> in one location. We would like to physically move one of the domain
> controllers (the 2nd one promoted) to a new location (eventually both -
> during the complete data center relocation). The DC will most likely
> change IP's after the move - so configuring a site in the new location
> and assigning the appropriate subnets for the new location is important -
> anything else other than shutting it down and bringing it over?
>
> Thx!
>
> RC

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)

RE: [ActiveDir] Virtual DCs

2006-06-06 Thread Robert Rutherford
I'm a great advocate of VMWare and use it for many services. If the
hardware supports the load, happy days!

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rivera, Ada
Sent: 06 June 2006 12:51
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual DCs

We have a single domain forest with about 7,000 users. Currently we have
8 AD regional sites and one HQ AD site. The regional sites each have a DC
serving their local regional area and there are multiple DCs in our HQ
site. The environment is currently running Windows 2000 SP4 and we are
looking to upgrade our DCs to W2K3. The direction from management is that
we will put all of our domain controllers on VM Ware when we upgrade the
DCs to W2K3. Does anyone have any thoughts on this? Good or Bad idea?

RE: [ActiveDir] Slow Boot Up

2006-05-25 Thread Robert Rutherford
Sounds like DNS... check your srv records are correct in DNS.

Anything showing in the client event logs?

Robert Rutherford
QuoStar Solutions Limited
 
The Enterprise Pavilion
Fern Barrow
Wallisdown
Poole
Dorset
BH12 5HH
T:   +44 (0) 8456 440 331
F:   +44 (0) 8456 440 332
M:   +44 (0) 7974 249 494
E:  [EMAIL PROTECTED]
W:  www.quostar.com  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernier,
Brandon (.)
Sent: 25 May 2006 16:02
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Slow Boot Up

I would use ethereal to grab a trace of opening up ADUC and take a peek
at what it's trying to do. Maybe it's a DNS issue. Also, are your clients
logging event ID 1030's in the app log?

-Brandon

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, May 25, 2006 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Slow Boot Up

Morning everyone,
Recently all my wkstns are taking up to 5 minutes to log in after a
restart. Stuck at Applying Computer Settings and Applying Security
Settings.  Only change to GPO is offline files options are all
disabled.  While from the desktop it takes up to 30 seconds to load and
open up AD snap-in to add a user to a group. Doesn't matter if firewall
is turned on or off. No weird logs on DC.  DCDIAG and NetDiag showed no
errors.

My FSMO roles are spread between two DC in two separate subnets. Schema
Master, Domain Naming Master, and GC are on the same DC. RID, Infras,
and PDC is on the other DC. I  thought about promoting another server to
a DC.

Any thought or idea where to check and look?

-Z.V.



RE: [ActiveDir] GPO Software Deployment

2006-05-17 Thread Robert Rutherford








Thanks Darren, that worked. I should have figured that out for myself
from the error message. It's been a tough week :)

Much appreciated

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 16 May 2006 16:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment

So, I suspect what is happening here, based on that error, is the popup
you're seeing is Windows Installer trying to repair the application but not
finding the right files to do it. The Feature name, WIFEAT0001, tells me
the package was created using WinInstall--not very interesting. I suspect
that the registry still contains references to the package. I would search
the registry by the Product GUID, below, and get rid of all instances of
it. Alternatively, you could try downloading and running the Installer
Cleanup tool, found at http://support.microsoft.com/kb/290301/

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Tuesday, May 16, 2006 3:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment

Hi Guys,

Thanks for the input but still no joy, nothing is showing in the logs and
I don't have the original package. The below is popping up in the event
log though :-

Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1001
Date: 16/05/2006
Time: 11:20:21
User: domain\username
Computer: compname
Description:
Detection of product '{5C3FD7C5-92BD-47A1-B5EE-52E71A1C2B82}', feature
'WIFEAT0001' failed during request for component
'{500ED4E4-1352-4AF6-8FE3-21EFFBC7B34D}'

Does this jog any memories for anyone? I think I'm just going to have to
get the whole lot rebuilt. Woe is me.

Cheers

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 15 May 2006 23:43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment

Rob

Do you have access to the original MSI (it could be repackaged as an EXE)?

msiexec /i file.msi /L*vx c:\path\to\logfile.txt

That will dump out as much possible info about what is happening. If you
need help debugging the output, let me know.

Cheers

Jon Austin

[EMAIL PROTECTED] wrote on 16/05/2006 12:11:41 AM:
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Robert Rutherford
> Sent: Wednesday, May 10, 2006 3:05 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] GPO Software Deployment
>
> HI All,
>
> Strange one..
>
> I have taken over the support of an organisation where the last
> organisation has made a bit of a pig's ear of the AD deployment. It
> appears upon discussion with staff that a software deployment of
> Acrobat reader has been put in at some point and then removed. I
> also found an old machine with a self built msi package on.
>
> Now, while the users are working away an msi installer window just
> flickers up on the screen and vanishes regularly. This is
> infuriating for the user base but I can't seem to nail it down as
> any reference has been removed from the registry.

This e-mail has been scanned for viruses by MessageLabs.
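
Darren's suggestion in the message above is to search the registry by the Product GUID from the MsiInstaller event. As an added example (not part of the original thread): Windows Installer stores product and component codes under its own registry keys in a "packed" form, so a literal search for the braced GUID finds only some of the references. This Python sketch parses the event text quoted in the thread, computes the packed forms and lists the standard Windows Installer key locations to inspect; the function names are mine and `<SID>` is a placeholder for the per-user or S-1-5-18 subkey.

```python
import re

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
EVENT_1001 = re.compile(
    r"Detection of product\s+'(?P<product>" + GUID + r")',\s+"
    r"feature\s+'(?P<feature>[^']+)'\s+failed\s+during\s+request\s+for\s+"
    r"component\s+'(?P<component>" + GUID + r")'"
)

# Description text of the MsiInstaller event 1001 quoted in the thread.
SAMPLE_EVENT = """Detection of product
'{5C3FD7C5-92BD-47A1-B5EE-52E71A1C2B82}', feature 'WIFEAT0001' failed
during request for component '{500ED4E4-1352-4AF6-8FE3-21EFFBC7B34D}'"""


def parse_event(description):
    """Return product, feature and component from an event 1001 description."""
    match = EVENT_1001.search(description)
    return match.groupdict() if match else None


def pack_guid(guid):
    """Convert {8-4-4-4-12} to the 32-character form used in Installer keys.

    The first three groups are reversed character by character; in the last
    two groups each pair of hex digits is swapped.
    """
    hex32 = guid.strip("{}").replace("-", "").upper()
    if not re.fullmatch(r"[0-9A-F]{32}", hex32):
        raise ValueError(f"not a GUID: {guid!r}")
    head = hex32[0:8][::-1] + hex32[8:12][::-1] + hex32[12:16][::-1]
    tail = "".join(hex32[i + 1] + hex32[i] for i in range(16, 32, 2))
    return head + tail


def _key(*parts):
    return "\\".join(parts)


def registry_candidates(product, component=None):
    """Registry keys where references to the product are normally recorded."""
    packed = pack_guid(product)
    installer = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer"
    keys = [
        # Add/Remove Programs entry: braced GUID, findable by a literal search.
        _key(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
             "{" + product.strip("{}").upper() + "}"),
        # Advertisement and feature data: packed form only.
        _key(r"HKLM\SOFTWARE\Classes\Installer\Products", packed),
        _key(r"HKLM\SOFTWARE\Classes\Installer\Features", packed),
        _key(r"HKCU\Software\Microsoft\Installer\Products", packed),
        _key(r"HKCU\Software\Microsoft\Installer\Features", packed),
        _key(installer, "UserData", "<SID>", "Products", packed),
        # Per-user managed installs, e.g. user-assigned GPO deployments.
        _key(installer, "Managed", "<SID>", "Installer", "Products", packed),
    ]
    if component:
        # Component keys list their owning products as packed value names.
        keys.append(_key(installer, "UserData", "<SID>", "Components",
                         pack_guid(component)))
    return keys


if __name__ == "__main__":
    event = parse_event(SAMPLE_EVENT)
    print("feature:", event["feature"])
    print("packed product code:", pack_guid(event["product"]))
    for key in registry_candidates(event["product"], event["component"]):
        print(key)
```

The output is a read-only checklist; export any key before changing it.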








RE: [ActiveDir] GPO Software Deployment

2006-05-16 Thread Robert Rutherford








Hi Guys,

Thanks for the input but still no joy, nothing is showing in the logs and
I don't have the original package. The below is popping up in the event
log though :-

Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1001
Date: 16/05/2006
Time: 11:20:21
User: domain\username
Computer: compname
Description:
Detection of product '{5C3FD7C5-92BD-47A1-B5EE-52E71A1C2B82}', feature
'WIFEAT0001' failed during request for component
'{500ED4E4-1352-4AF6-8FE3-21EFFBC7B34D}'

Does this jog any memories for anyone? I think I'm just going to have to
get the whole lot rebuilt. Woe is me.

Cheers

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 15 May 2006 23:43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment

Rob

Do you have access to the original MSI (it could be repackaged as an EXE)?

msiexec /i file.msi /L*vx c:\path\to\logfile.txt

That will dump out as much possible info about what is happening. If you
need help debugging the output, let me know.

Cheers

Jon Austin

[EMAIL PROTECTED] wrote on 16/05/2006 12:11:41 AM:
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Robert Rutherford
> Sent: Wednesday, May 10, 2006 3:05 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] GPO Software Deployment
>
> HI All,
>
> Strange one..
>
> I have taken over the support of an organisation where the last
> organisation has made a bit of a pig's ear of the AD deployment. It
> appears upon discussion with staff that a software deployment of
> Acrobat reader has been put in at some point and then removed. I
> also found an old machine with a self built msi package on.
>
> Now, while the users are working away an msi installer window just
> flickers up on the screen and vanishes regularly. This is
> infuriating for the user base but I can't seem to nail it down as
> any reference has been removed from the registry.

RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-16 Thread Robert Rutherford
No, and I always find it a relief to have a local admin account in a
failure situation.

 
 
Robert Rutherford
QuoStar Solutions Limited

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: 16 May 2006 16:26
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to
domain?

On 16/05/06, Olivarez, Sergio J Mr CTNOSC/GD-NS [EMAIL PROTECTED] wrote:
> Yeah, disregard what I said about just leaving Admins on the allow logon
> locally setting, that's my bad.  I guess best thing to do would be delete
> all existing local user accounts.

Can you actually delete localhost\administrator on NT4/2K/XP
workstations?

-- 
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




RE: [ActiveDir] GPO Software Deployment

2006-05-15 Thread Robert Rutherford








Hi Darren,

Thanks for the reply.

Unfortunately there are no logs being dumped at all. The Windows installer
screen literally just flashes for a second and then vanishes, more or less
each time they open a new window or app.

Any other ideas?

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: 08456 440 331
F: 08456 440 332
M: 07974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 10 May 2006 15:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment

Robert-

If Installer is really doing something, it should generate an MSI*.log
file in %temp% (or in %windir%\temp for per machine installs). I would look
in there for a recent one that shows what's going on.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Wednesday, May 10, 2006 3:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO Software Deployment

HI All,

Strange one..

I have taken over the support of an organisation where the last
organisation has made a bit of a pig's ear of the AD deployment. It appears
upon discussion with staff that a software deployment of Acrobat reader has
been put in at some point and then removed. I also found an old machine
with a self built msi package on.

Now, while the users are working away an msi installer window just
flickers up on the screen and vanishes regularly. This is infuriating for
the user base but I can't seem to nail it down as any reference has been
removed from the registry.

Any ideas?

Cheers,

Rob

RE: [ActiveDir] Is there a way to force users to logon to domain?

2006-05-15 Thread Robert Rutherford








Be restrictive on the use of local accounts and don't give them passwords
is the cleanest way.

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: +44 (0) 8456 440 331
F: +44 (0) 8456 440 332
M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Lagreca
Sent: 15 May 2006 16:57
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is there a way to force users to logon to domain?

Is there a way to force users to logon to domain, or to disable logging
into local computer accounts via GPO?

Thanks.

RE: [ActiveDir] Can i give Enterprise admin rights to a child domain admin account.

2006-05-02 Thread Robert Rutherford










I've been out in the wilderness for a while. Surprising what one forgets.

Create domain global groups in the child domain, place the users in those
groups, in the root domain place the global groups in the Enterprise Admin
and Schema Admin groups.

Oh yeah, and make sure you are at least in W2K native mode.

Cheers,

Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: 08456 440 331
F: 08456 440 332
M: 07974 249 494
E: [EMAIL PROTECTED]
W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
Sent: 02 May 2006 08:48
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Can i give Enterprise admin rights to a child domain admin account.

Can I add one of my child domain users in Enterprise admin group?

Or in other word how to add users from other domain to EA groups.

Thanks,

Manjeet

RE: [ActiveDir] exporting list of members of a security group

2006-05-02 Thread Robert Rutherford
net group "group name" /domain > c:\whatever.txt

Robert Rutherford 

QuoStar Solutions Limited 
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12
5HH 
T: 08456 440 331 
F: 08456 440 332 
M: 07974 249 494 
E:  [EMAIL PROTECTED] 
W: www.quostar.com 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: 02 May 2006 21:02
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] exporting list of members of a security group

Is there a way to export to text file a list of the members of a security
group?

Thanks

Antonio




RE: [ActiveDir] how to get rid of an obsolete DC?

2006-05-02 Thread Robert Rutherford
It's been a while, but if I remember the old NT server manager will do
it... then check it's gone with ntdsutil.

Robert Rutherford 

QuoStar Solutions Limited 
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12
5HH 
T: 08456 440 331 
F: 08456 440 332 
M: 07974 249 494 
E:  [EMAIL PROTECTED] 
W: www.quostar.com 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: 02 May 2006 20:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] how to get rid of an obsolete DC?

In a child domain I have what I believe is the remnants of an old NT4
DC.  Using ADUC, it shows up in the child domain's Domain Controllers
OU.  When I try to delete it, I get "The DSA object cannot be deleted."
When I use ADSIEdit and go to the domain, it only shows me the two
functioning DCs and not the one I'm looking for.

What other tools are available for this type of house cleaning?

Thanks!

Mike Thommes


RE: [ActiveDir] Buitlin Administrators Group not taking effect

2005-03-03 Thread Robert Rutherford








If you log them off and then in again does it work?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben D. Kusa
Sent: 03 March 2005 14:13
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Buitlin Administrators Group not taking effect

When I add users to the Built-in Administrators group they don't always
have local administrator rights, I'll try and do an install and it will
tell me I don't have administrator rights or if I try and change the name
of the computer it will be grayed out. If I then use the Network ID option
to add the user to the administrators group they will then have local
rights.

Is there something I am doing wrong, or is there a way to refresh the
rights a user account should have from AD.


===
Scanned for virus infection by Messagelabs
===





===
Email security provided by Modrus using MessageLabs Email Security
www.modrus.com
===





[ActiveDir] OT: Exch2003 POP Connector

2005-02-16 Thread Robert Rutherford








Hi All,



Quick 1.



Does anyone know if it is possible to config the POP3 connector to leave
mail on the server it's pulling from for x number of days?



Many thanks,



Rob












RE: [ActiveDir] Time server in windows 2003 !!

2005-02-16 Thread Robert Rutherford








Windows2003 is automatically a time server.. when any 2000/XP client is a
member of a domain it should automatically pull the time from the DC.

Is this not happening?

Rob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Senthil Kumar
Sent: 16 February 2005 12:39
To: Active directory group
Subject: [ActiveDir] Time server in windows 2003 !!

Hi all,

We are having one windows 2003 DC and one windows 2003 ADC and 2000
clients of win 2000 prof and win xp prof. Now I want when the clients logs
on to the domain their computer should update the time of it with the
windows 2003 server. Is windows 2003 has any inbuilt feature to setup it as
a time server. Is there any third party programs which converts win 2003
server in to a time server? If yes what is the name of the products.

Is there any opensource programs for setting up time server in windows
2003 or linux?

Can we configure this in GPO?

Thanks and Regards,

K.SENTHIL KUMAR

RE: [ActiveDir] AD startup scripts problem

2005-01-28 Thread Robert Rutherford
the local computer's system account does process the script but here it looks
like it doesn't have permissions to read the script on the 'servers' share


From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Fri 28/01/2005 16:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem



Correct me if I'm wrong, but doesn't the Local System account have full
control of the entire boot operation?  And isn't it responsible to process
the complete range of operations including network authentication and domain
based GPO processing?  And if not who is?  And if so, doesn't that mean it
should be processing this script?

Rocky
___



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Paul Wilkinson
Sent: Friday, January 28, 2005 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD startup scripts problem


I *think* that you do actually have network access at the point that
computer startup scripts run.  However, you'll have a security issue
because the local system account doesn't have access to your server
share.  You could add each machine account to that share.  If one of
your computers is named Bob, add Bob$  to the ACL's of the share.  You
have to click on the object types button and select computers in the
window where you add the computer account.  You could also add Domain
Computers if you want all computers to be able to access the share with
the local system account.

I've never tried this myself, so I'm not sure if this will work.


Paul Wilkinson
865-974-0649
2422 Dunford Hall
OIT Lab Services
University of TN, Knoxville



Mark Abbiss wrote:

 I think this is it in a nutshell. When I put everything locally on the
 machine the script ran and created the report.

 As you say, I have no network connectivity when in the startup phase.

 Or is there a workaround ?

 Thanks for all the input


 Original Message Follows
 From: [EMAIL PROTECTED]
 Reply-To: ActiveDir@mail.activedir.org
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] AD startup scripts problem
 Date: Fri, 28 Jan 2005 08:05:12 -0600

 Hi Mark...

 I believe it's running at system level on startup, and i believe system
 has no network rights.

 John

 From: Mark Abbiss [EMAIL PROTECTED]
 Sent by: [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Date: 01/28/2005 07:07 AM
 Subject: [ActiveDir] AD startup scripts problem
 Please respond to [EMAIL PROTECTED]

 I have tried everything I know but I just cannot make a script run at
 computer start up. I have successfully got it working on a user basis at
 logon but assigning it to a computer is just not working.

 Here is what I have done, please can someone let me know if I have
 missed something completely obvious ?!

 1. Wrote a very simple batch file. Contents of batch is :
  \\server01\analysepc.exe /output \\server01\output

 2. Created the necessary share on SERVER01
 3. Created a new domain security group and added the PC object into that
 group
 4. Made sure that the new group had full rights on the new share and
 output directory
 5. Created the GPO to run the batch file from the Computer Config section
 of the GPO. Also disabled the User Config processing section.
 6. Linked the GPO to the OU where my PC object is held
 7. Set the filtering to apply the GPO only to the new security group.

 Made sure everything was replicated and then started the computer. But
 the script does not work ! I have checked with gpresult that the policy
 is being applied and it is. If I try the command from the batch when I
 have logged on, it works !

 What might I be missing ?

 Many thanks


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
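
The point made in this thread, that a startup script runs as Local System and reaches the share as the machine account, can be checked on the file server. The following is an added example, not code from any poster; it assumes a current Windows Server with the SmbShare PowerShell module, and the share name `scripts` and domain name `EXAMPLE` are placeholders (the machine name Bob is the one used in Paul's message).

```powershell
# Added example: does a computer account have read access to a startup-script share?
# Assumptions (not from the thread): run on the file server, SmbShare module present
# (Windows Server 2012 or later); 'scripts' and 'EXAMPLE' are placeholder names.
param(
    [string]$ShareName = 'scripts',
    [string]$Domain    = 'EXAMPLE',
    [string]$Computer  = 'Bob'
)

# A startup script runs as Local System; on the network that is the machine
# account DOMAIN\NAME$. Any of these principals in an ACL covers that account.
$principals = @(
    "$Domain\$Computer`$",
    "$Domain\Domain Computers",
    'NT AUTHORITY\Authenticated Users',
    'Everyone'
)

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# Layer 1: share permissions.
$shareAllow = @(Get-SmbShareAccess -Name $ShareName | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $principals -contains $_.AccountName
})

# Layer 2: NTFS permissions on the shared folder (read and execute needed).
$need = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$ntfsAllow = @((Get-Acl -Path $share.Path).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $principals -contains $_.IdentityReference.Value -and
    ($_.FileSystemRights -band $need) -eq $need
})

# Both layers must allow the read; the effective access is the more restrictive.
# Deny entries, ACEs expressed as generic rights, and membership of other groups
# are not evaluated here.
[pscustomobject]@{
    Share        = $share.Name
    Path         = $share.Path
    ShareGrants  = ($shareAllow.AccountName -join ', ')
    NtfsGrants   = ($ntfsAllow.IdentityReference.Value -join ', ')
    MachineReads = ($shareAllow.Count -gt 0 -and $ntfsAllow.Count -gt 0)
}

if ($shareAllow.Count -eq 0) {
    # Least-privilege fix for the share layer: Read only, never Full.
    Write-Output "Missing share permission. To grant: Grant-SmbShareAccess -Name $ShareName -AccountName '$Domain\Domain Computers' -AccessRight Read -Force"
}
```

A script that also writes output to a share, as the batch file in this thread does, needs the same two-layer check for write access on the output folder.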





RE: [ActiveDir] IIS 6-Access denied

2005-01-13 Thread Robert Rutherford
Hmmm ... can't say for sure as I haven't got an IIS box to hand.

You don't want to use integrated windows auth as it will just supply
your domain credentials. ... I think.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: 13 January 2005 14:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] IIS 6-Access denied

What could be wrong??

To access a site I want the users to authenticate with a local user
account and password on the web server. Anonymous is enabled on all other
sites.

Environment: Windows 2000 AD
IIS 6.0 Server: Windows 2003

For authentication I checked Integrated Windows authentication but the
particular account cannot log in. I am getting a 401.1- Unauthorized:
access is denied due to invalid credentials. Anonymous Access is not
checked. The account has READ/Execute access to the parent folder down.

Thanks,
Z.V.


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] IIS 6-Access denied

2005-01-13 Thread Robert Rutherford
Then again ... it should prompt if the credentials are wrong in
integrated.

Have you given them read under the website properties - home directory
tab?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: 13 January 2005 14:42
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IIS 6-Access denied

I have tried Digest Authentication from Windows domain servers but I am
still getting the same deny error.

Yes the account exists locally on the web server and in AD.

Thanks,
Z.V.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Thursday, January 13, 2005 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IIS 6-Access denied

Hmmm ... can't say for sure as I haven't got an IIS box to hand.

You don't want to use integrated windows auth as it will just supply
your domain credentials. ... I think.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: 13 January 2005 14:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] IIS 6-Access denied

What could be wrong??

To access a site I want the users to authenticate with a local user
account and password on the web server. Anonymous is enabled on all other
sites.

Environment: Windows 2000 AD
IIS 6.0 Server: Windows 2003

For authentication I checked Integrated Windows authentication but the
particular account cannot log in. I am getting a 401.1- Unauthorized:
access is denied due to invalid credentials. Anonymous Access is not
checked. The account has READ/Execute access to the parent folder down.

Thanks,
Z.V.



RE: [ActiveDir] IIS 6-Access denied

2005-01-13 Thread Robert Rutherford
If you go to basic does it work?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert
Rutherford
Sent: 13 January 2005 14:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IIS 6-Access denied

Then again ... it should prompt if the credentials are wrong in
integrated.

Have you given them read under the website properties - home directory
tab?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: 13 January 2005 14:42
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IIS 6-Access denied

I have tried Digest Authentication from Windows domain servers but I am
still getting the same deny error.

Yes the account exists locally on the web server and in AD.

Thanks,
Z.V.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Thursday, January 13, 2005 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IIS 6-Access denied

Hmmm ... can't say for sure as I haven't got an IIS box to hand.

You don't want to use integrated windows auth as it will just supply
your domain credentials. ... I think.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: 13 January 2005 14:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] IIS 6-Access denied

What could be wrong??

To access a site I want the users to authenticate with a local user
account and password on the web server. Anonymous is enabled on all other
sites.

Environment: Windows 2000 AD
IIS 6.0 Server: Windows 2003

For authentication I checked Integrated Windows authentication but the
particular account cannot log in. I am getting a 401.1- Unauthorized:
access is denied due to invalid credentials. Anonymous Access is not
checked. The account has READ/Execute access to the parent folder down.

Thanks,
Z.V.


RE: [ActiveDir] Book recommendations please

2005-01-11 Thread Robert Rutherford

I would say that the MS site has all the info you need for both tasks.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: 11 January 2005 10:41
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Book recommendations please

Hi

I'm looking for some recommendations for books to buy regarding moving
from AD 2000 to AD 2003 and Exchange 2000 to Exchange 2003.

Cheers

Danny

RE: [ActiveDir] OT:winsock

2005-01-10 Thread Robert Rutherford
Have you got something else interfacing with the stack on the box, i.e.
f/w software?

Also... uninstall the wlan card and see if you still get the same issue
on the internal nic.

BR

Rob


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 10 January 2005 15:39
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:winsock

I keep getting an error on a win2k pro sp4 laptop when renewing an ip
address-an operation was attempted on something that is not a socket

also when i try to start my linksys wlan adapter, i get
10093:Successful WSAStartup not yet performed
I've uninstalled and reinstalled tcp/ip but no go.

I know this is not a server issue, so I apologize for the OT.

thanks


RE: [ActiveDir] OT:winsock

2005-01-10 Thread Robert Rutherford
hmmm ... could be a virus trying to send the mail through outlook.
 
Can you see any other protocols, services, etc bound to the adapter?



From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Mon 1/10/2005 4:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:winsock



it's uninstalled.
this user has no firewall sw that i can tell. though i get a pop up saying
outlook express is trying to send an email. do you want to let it send it?
i have no idea what's making that pop up. it's made to look like it's coming
from OE. the email is just the welcome message OE sends on first use.

thanks

-Original Message-
From: Robert Rutherford [mailto:[EMAIL PROTECTED]
Sent: Monday, January 10, 2005 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:winsock


Have you got something else interfacing with the stack on the box, i.e.
f/w software?

Also... uninstall the wlan card and see if you still get the same issue
on the internal nic.

BR

Rob


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 10 January 2005 15:39
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:winsock

I keep getting an error on a win2k pro sp4 laptop when renewing an ip
address-an operation was attempted on something that is not a socket

also when i try to start my linksys wlan adapter, i get
10093:Successful WSAStartup not yet performed
I've uninstalled and reinstalled tcp/ip but no go.

I know this is not a server issue, so I apologize for the OT.

thanks

RE: [ActiveDir] Software License Management

2005-01-05 Thread Robert Rutherford

http://www.expressmetrix.com/ will do it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 05 January 2005 01:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Software License Management

That went away with SMS 2.0. It ran on a FoxPro db hahaha :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT
Sent: Monday, January 03, 2005 5:15 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Software License Management

I can do that in SMS 2k3 natively. When that X+1 user tries to run the
app, I want them to be denied.

Dave

//SIGNED//

David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gonzalez, Thomas, ISD
Sent: Monday, January 03, 2005 14:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Software License Management

In SMS 2K3 you can create a software metering usage and you can get the
plugin called SAM (http://www.extendedtools.com/) for SMS 2K3.

Cheers:

Thomas

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT
Sent: Monday, January 03, 2005 3:55 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Software License Management

I need to do some real software metering. X number of users using this
piece of software at once on the network.

SMS 2k3 doesn't provide this. Can anyone point me to a system that does?

Thanks,

Dave

//SIGNED//

David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597

RE: [ActiveDir] wireless DC

2005-01-05 Thread Robert Rutherford

OK...

So if you use a standard Ethernet LAN adapter roaming profiles work?

Do you have a link light on the Wireless NIC before login? If so, is it
picking up a DHCP or static address? Can you ping it b4 logon?

What model WLAN NIC are you using?

What Access Point are you using?

Are you tunneling in a VPN?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info
Sent: 05 January 2005 14:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] wireless DC

Not really..

I have a few laptops that connect to a SBS server... it's separate from
corporate network.

SBS has AD installed, but when a laptop connects to it through wireless
option the roaming profile isn't loaded... what happens is that the
wireless network pcmcia connects to network after the login and not before

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday 5 January 2005 14:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] wireless DC

If I understand the need correctly, you want to come up with a way to
pre-authenticate wireless workstations possibly with domain credentials
but not limited to. Or put another way, you want a way to prevent
unauthorized workstations from wirelessly connecting to your network.
Presumably, you'd like to make sure that anyone that does connect is up
to date with their virus scanners, patches, etc. but possibly not connect
to your 'fully-trusted' network, but rather have limited resources
available. An example would be a sales person or consultant on site
temporarily that just needs web access or print ability.

Is that correct?

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info
Sent: Wednesday, January 05, 2005 4:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] wireless DC

No didn't solve it... if u have more suggestions i would appreciate it

J

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday 4 January 2005 15:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] wireless DC

Does that solve the original problem? I read that post differently.

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 03, 2005 7:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] wireless DC

Ok. That is a different problem. Check out this article, which could be
related to this problem:
http://support.microsoft.com/default.aspx?scid=kb;en-us;840669

Also, I have had luck disabling DHCP media sense when I've had this
problem, but that is not always the best solution. In any case, that is
described here: http://support.microsoft.com/kb/239924

If neither works, then I would turn on verbose userenv logging and see
what messages are being thrown on the profile failure. It could be
something like slow link detection, which can alter the way roaming
profiles are treated.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info
Sent: Monday, January 03, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] wireless DC

The first one... 802.11x on corporate network... all laptops with
wireless option do not load roaming profile at logon

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday 4 January 2005 1:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] wireless DC

What do you mean by wireless? Do you mean you have 802.11x on a
corporate network and your roaming profiles aren't being loaded at logon
or do you mean remote mobile machines VPN'ing into a corporate network
over a wireless connection? The former calls for a different solution to
the latter.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info
Sent: Monday, January 03, 2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] wireless DC

Hi,

Does anyone have a solution to authenticate wireless networking
workstations on a DC?

So the domain becomes available before logon...and the roaming profile
can be loaded

Would appreciate some help/suggestions.

Grtz J

RE: [ActiveDir] Outlook (OT)

2005-01-05 Thread Robert Rutherford
Don't think it's possible... it depends what you want to do.

You can put the /recycle switch after outlook.exe to use the same
instance.

Rob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 05 January 2005 14:59
To: ActiveDir (E-mail)
Subject: [ActiveDir] Outlook (OT)

Hi. Is there any way to prevent Outlook 2000 from opening up multiple
instances? If I already have it open and double click on it again, I
want to prevent it from opening twice or more times.
is there any reg hack to do this?

thanks a lot


RE: [ActiveDir] wireless DC

2005-01-05 Thread Robert Rutherford

Are your internal DNS servers correct on the WLAN segment? i.e. you login
and can do an nslookup and resolve internal addresses?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info
Sent: 05 January 2005 15:11
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] wireless DC

-standard nic all is fine
-on XP are linked... on WIN2K not... it's DHCP
-accesspoint: belkin... wlan nic differs from Link sys and robotics PCMCIA
 and internal DELL, Toshiba wlan nics
-no VPN etc

But all use cached profile

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Wednesday 5 January 2005 15:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] wireless DC

OK...

So if you use a standard Ethernet LAN adapter roaming profiles work?

Do you have a link light on the Wireless NIC before login? If so, is it
picking up a DHCP or static address? Can you ping it b4 logon?

What model WLAN NIC are you using?

What Access Point are you using?

Are you tunneling in a VPN?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info
Sent: 05 January 2005 14:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] wireless DC

Not really..

I have a few laptops that connect to a SBS server... it's separate from
corporate network.

SBS has AD installed, but when a laptop connects to it through wireless
option the roaming profile isn't loaded... what happens is that the
wireless network pcmcia connects to network after the login and not before

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday 5 January 2005 14:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] wireless DC

If I understand the need correctly, you want to come up with a way to
pre-authenticate wireless workstations possibly with domain credentials
but not limited to. Or put another way, you want a way to prevent
unauthorized workstations from wirelessly connecting to your network.
Presumably, you'd like to make sure that anyone that does connect is up
to date with their virus scanners, patches, etc. but possibly not connect
to your 'fully-trusted' network, but rather have limited resources
available. An example would be a sales person or consultant on site
temporarily that just needs web access or print ability.

Is that correct?

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info
Sent: Wednesday, January 05, 2005 4:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] wireless DC

No didn't solve it... if u have more suggestions i would appreciate it

J

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday 4 January 2005 15:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] wireless DC

Does that solve the original problem? I read that post differently.

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 03, 2005 7:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] wireless DC

Ok. That is a different problem. Check out this article, which could be
related to this problem:
http://support.microsoft.com/default.aspx?scid=kb;en-us;840669

Also, I have had luck disabling DHCP media sense when I've had this
problem, but that is not always the best solution. In any case, that is
described here: http://support.microsoft.com/kb/239924

If neither works, then I would turn on verbose userenv logging and see
what messages are being thrown on the profile failure. It could be
something like slow link detection, which can alter the way roaming
profiles are treated.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info
Sent: Monday, January 03, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] wireless DC

The first one... 802.11x on corporate network... all laptops with
wireless option do not load roaming profile at logon

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday 4 January 2005 1:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] wireless DC

What do you mean by wireless? Do you mean you have 802.11x on a
corporate network and your roaming profiles aren't being loaded at logon
or do you mean remote mobile machines VPN'ing into a corporate network
over a wireless connection? The former calls for a different solution to
the latter.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info
Sent: Monday, January 03, 2005 4:01 PM
To: ActiveDir

RE: [ActiveDir] AD and ISP deployment

2004-12-27 Thread Robert Rutherford
Hi Steve,
 
AD aside 
 
What do u want to achieve? It's like saying I have a spanner... what can I do 
with it? You can do many different things but it all depends on what your 
requirements are?
 
Let us know what your problems and desires are from an ISP perspective. The 
guys here have a wealth of experience and can advise on the biggest of 
requirements/issues.
 
BR
 
Rob



From: [EMAIL PROTECTED] on behalf of Steve Schofield
Sent: Mon 27/12/2004 20:17
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD and ISP deployment



Hi todd,

Looking for best practices, tips/tricks at this point.  i've been reading
the docs on technet about general AD requirements, DNS etc.. just looking
for more information and particularly in an ISP environment.  A few things
off-hand include central user authentication, using GPO's, sms 2k3
integration, exchange 2k3 are a few things for starters but not sure how
different planning an AD for an ISP world vs a corporate environment. Thanks
again.

steve


- Original Message -
From: Myrick, Todd (NIH/CIT) [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, December 27, 2004 7:15 AM
Subject: RE: [ActiveDir] AD and ISP deployment


 MCIS was MS's platform for hosting Exchange and Web, but they have since
 retired that initiative.

 I would start here in your search.  I would also look at the AD planning
 site.

 http://www.microsoft.com/serviceproviders/

 What objectives are you trying to accomplish?

 Todd Myrick


 -Original Message-
 From: Steve Schofield [mailto:[EMAIL PROTECTED]
 Sent: Monday, December 27, 2004 6:51 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] AD and ISP deployment

 I'm searching for best practices, tip/tricks for deploying AD in an
 Internet Service Provider environment.  Any advice would be appreciated.

 *  - *
 *  Steve Schofield - MCP, CCA
 *  [EMAIL PROTECTED]
 *
 *  Microsoft MVP - ASP.NET
 *  http://www.deviq.com
 *  - *

 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

===
  Scanned for virus infection by Messagelabs
===



RE: [ActiveDir] User profile and Terminal Services

2004-12-23 Thread Robert Rutherford

http://www.brianmadden.com/

www.tokeshi.com



Rob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: 23 December 2004 10:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User profile and Terminal Services

Please could someone recommend a good list where I can post
a user profile/terminal services related question. I have been hunting
around for a while for the answer without success.

Many thanks

RE: [ActiveDir] worm (very very OT)

2004-12-23 Thread Robert Rutherford
You could resolve the mac and then search for it on your switches to tie
it down to a port... depending on your switches of course.

Which worm is it?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 23 December 2004 16:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] worm (very very OT)

we're a switched network. i'd have to go to every pc(500) and run it.
i'm trying to avoid that. might as well run netstat -an on all pc's.

ethereal won't tell me the real address.

thanks

-Original Message-
From: Candee Vaglica [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 23, 2004 11:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] worm (very very OT)


Use a network scanner, like Ethereal to monitor the traffic.


On Thu, 23 Dec 2004 11:11:43 -0500, Kern, Tom [EMAIL PROTECTED] wrote:
 this is way off and i apologize but you guys are really knowledgeable
 and such a great help, i thought i'd try here.
 
 i have a number of pc's infected with some worm that goes out on port
 1 tcp and tries to attempt a DOS attack.
 
 I don't know the worm and a google search didn't really turn
 anything up.
 
 here's the thing. the worm uses a spoofed source address. my question
 is, is there anyway to track down a spoofed address internally to the
 real address?
 
 I don't know how to find the infected pc's.
 
 thanks


RE: [ActiveDir] Command Line Utility

2004-12-23 Thread Robert Rutherford

I know you said command line but I always find treesize pro useful and
cheap. I'm not sure if you can operate it from a command line maybe able to.

http://www.treesizepro.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: 23 December 2004 16:46
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Command Line Utility

One of my Senior VPs wants to see a list of all files and folders within
their legal directory. I don't know why but they do.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Thursday, December 23, 2004 11:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Command Line Utility

It's still there but it draws the tree markers - I don't know what Justin's
trying to do but if it involves processing the output of the command in any
way then dir /s /b is good because you just get raw text to play with

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Bobel
Sent: 23 December 2004 15:30
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Command Line Utility

What happened to TREE?

Bob

From: [EMAIL PROTECTED] on behalf of Steve Rochford
Sent: Thu 12/23/2004 6:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Command Line Utility

dir /s

dir /s /b

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: 22 December 2004 20:31
To: ActiveDir (E-mail)
Subject: [ActiveDir] Command Line Utility

Everyone,

Do any of you know of a command line utility that would display all file
names in a folder and all subfolders of the root folder?

TIA

Justin

RE: [ActiveDir] worm (very very OT)

2004-12-23 Thread Robert Rutherford
Does it reply to a ping on its spoofed address then??

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 23 December 2004 17:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] worm (very very OT)

For port spanning, I would have to do that on a port by port basis for
500 pc's!

we use cisco 3550 cat.

the virus is in Albany and i'm in NYC. they have no network support.
I'm it.

maybe i can get someone to change their ip to the same subnet of the
spoofed address and ping it and then do an arp -a?

thanks

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 23, 2004 12:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] worm (very very OT)


Your switches, if serious business types, should have mirror ports that
allow you to plug into to see all traffic going across the switch.

Correct if the worm is spoofing Ethereal won't have the real address but it
should have the real MAC. You can then tell your network people to dump some
data from the switches/routers that will tell you what the real IP is of the
MAC addresses.

In general, probably worth grabbing your network person and asking them what
other options they have from the network side. They may even be able to look
at something and tell you directly which IPs/MACs are trying to connect to
whatever port it is they are going after without ever breaking out a
sniffer.

  joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, December 23, 2004 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] worm (very very OT)

we're a switched network. i'd have to go to every pc(500) and run it. i'm
trying to avoid that. might as well run netstat -an on all pc's.

ethereal won't tell me the real address.

thanks

-Original Message-
From: Candee Vaglica [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 23, 2004 11:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] worm (very very OT)


Use a network scanner, like Ethereal to monitor the traffic.


On Thu, 23 Dec 2004 11:11:43 -0500, Kern, Tom [EMAIL PROTECTED] wrote:
 this is way off and i apologize but you guys are really knowledgeable and
 such a great help, i thought i'd try here.
 
 i have a number of pc's infected with some worm that goes out on port 1
 tcp and tries to attempt a DOS attack.
 
 I don't know the worm and a google search didn't really turn anything up.
 
 here's the thing. the worm uses a spoofed source address. my question is,
 is there anyway to track down a spoofed address internally to the real
 address?
 
 I don't know how to find the infected pc's.
 
 thanks



List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
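
The approach suggested in this thread (a frame with a spoofed source IP still carries the sender's real MAC, and the switch's address table ties that MAC to a port) is sketched below as an added example; it is not code from any poster. The capture records, the address-table text and the DHCP/ARP bindings are constructed, and the IOS-style table layout is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: frames seen on a mirror port as (src MAC, src IP, dst port).
CAPTURED_FRAMES = [
    ("00:11:22:33:44:55", "10.9.8.7", 445),
    ("00:11:22:33:44:55", "172.31.200.14", 445),
    ("00:11:22:33:44:55", "192.168.10.57", 139),   # its genuine address also appears
    ("00:aa:bb:cc:dd:01", "192.168.10.21", 80),    # ordinary host
    ("00:aa:bb:cc:dd:02", "203.0.113.9", 445),
    ("00:aa:bb:cc:dd:02", "198.51.100.77", 445),
]

# Constructed switch output; the column layout is an assumption (IOS style).
MAC_TABLE_TEXT = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/7
  10    00aa.bbcc.dd01    DYNAMIC     Fa0/12
  10    00aa.bbcc.dd02    DYNAMIC     Gi0/1
  10    00aa.bbcc.dd03    DYNAMIC     Gi0/1
"""

# Constructed DHCP lease / ARP snapshot: MAC -> address the host was really given.
KNOWN_BINDINGS = {
    "00-11-22-33-44-55": "192.168.10.57",
    "00-AA-BB-CC-DD-01": "192.168.10.21",
    "00-AA-BB-CC-DD-02": "192.168.10.88",
}

ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.]{14})\s+\S+\s+(\S+)\s*$")


def normalize_mac(mac):
    """Reduce aa:bb:.., aa-bb-.. or aabb.ccdd.eeff notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_mac_table(text):
    """Return {mac: (vlan, port)}; header and separator lines do not match ROW."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[normalize_mac(m.group(2))] = (int(m.group(1)), m.group(3))
    return table


def spoofed_sources(frames, known):
    """Group source IPs by MAC and keep the ones that differ from the MAC's binding."""
    seen = defaultdict(set)
    for mac, ip, _dport in frames:
        seen[normalize_mac(mac)].add(ip)
    suspects = {}
    for mac, ips in seen.items():
        bogus = ips - {known.get(mac)}
        # A MAC with no binding and a single source IP is not evidence of spoofing.
        if bogus and (mac in known or len(ips) > 1):
            suspects[mac] = sorted(bogus)
    return suspects


def locate(frames, table_text, bindings):
    """Tie each MAC that sources foreign IPs to its switch port."""
    known = {normalize_mac(m): ip for m, ip in bindings.items()}
    table = parse_mac_table(table_text)
    macs_per_port = defaultdict(set)
    for mac, (_vlan, port) in table.items():
        macs_per_port[port].add(mac)
    report = []
    for mac, ips in sorted(spoofed_sources(frames, known).items()):
        vlan, port = table.get(mac, (None, None))
        report.append({
            "mac": mac,
            "real_ip": known.get(mac),
            "spoofed_ips": ips,
            "vlan": vlan,
            "port": port,  # None: entry aged out, query again while the host is sending
            # Several MACs behind one port usually means an uplink: repeat on the next switch.
            "uplink": port is not None and len(macs_per_port[port]) > 1,
        })
    return report


if __name__ == "__main__":
    for row in locate(CAPTURED_FRAMES, MAC_TABLE_TEXT, KNOWN_BINDINGS):
        print(row)
```

A port flagged as an uplink is not the host's own port; the same lookup has to be repeated on the switch at the other end of that link.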


RE: [ActiveDir] Change Control Systems

2004-12-20 Thread Robert Rutherford
$200,000!
 
You'd have to be blonde, wear a short skirt, and call me sir!



From: [EMAIL PROTECTED] on behalf of Myrick, Todd (NIH/CIT)
Sent: Mon 20/12/2004 19:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Control Systems



While we are at it,

I will audit your changes personally for $200,000.00 a year.. personally.
No software to buy or upgrade.  I just need two bathroom breaks a day, 1 30
minute lunch, and 8 hours of sleep (6 if you really are pushing.)

;

Happy Holiday's

Toddler
 

-Original Message-
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]
Sent: Monday, December 20, 2004 12:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Control Systems

While we're at it :-)

http://wm.quest.com/products/GroupPolicyManager/

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Monday, December 20, 2004 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Control Systems

That second link should be:

http://www.netiq.com/products/gpg/default.asp

;)

ChangeAuditor is a great tool by the way. I don't know that it would
function as a very great Change Management tool (for workflow type
change management), especially in an environment with more than just AD.
But it is a great tool for keeping tabs on AD. I'd definitely recommend
taking a look at it.

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, December 20, 2004 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change Control Systems

ChangeAuditor for AD from NetPro -
http://www.netpro.com/products/changemanager/index.cfm. Monitors and
logs all changes to AD configuration, including relevant files, registry
settings, AD objects, etc.

Group Policy Guardian from NetIQ -
http://www.netpro.com/products/changemanager/index.cfm. Logs changes to
group policy settings.

-gil



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Robert
Rutherford
Sent: Saturday, December 18, 2004 5:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Change Control Systems


Many thanks Gil.

I have forwarded the CVS info to a number of developer friends.

I'm looking for something more along the lines of general systems change
control though, i.e. John wants to add a new GPO and provides the
description and detail. The senior staff and management can then approve
or deny. All info is logged in a DB.

It would be fairly easy to whip up I guess but it would be useful if
there is a system already around?

BR

Rob



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Sat 18/12/2004 03:07
To: ActiveDir@mail.activedir.org
Subject: RE: Change Control Systems


CVS is pretty much the industry standard open source source code control
server. CVSNT is the best version for Windows that I'm aware of; see
http://www.cvsnt.com/. There are a couple of Windows clients available;
WinCVS is the one I use. It's on SourceForge at
http://sourceforge.net/project/showfiles.php?group_id=10072package_id=12664.

-gil



From: [EMAIL PROTECTED] on behalf of Robert Rutherford
Sent: Fri 12/17/2004 6:19 PM
To: ActiveDir@mail.activedir.org
Subject: OT: Change Control Systems


Hi All,

I'm on the hunt for an open source or free change management system...

I've worked for many companies who have an in-house system and I haven't
got the time to build my own. Does anyone know of any free or cheap
change management systems? I will build my own if necessary but would
rather cheat :O)

It's just a shot but the diversity of this group is like gold dust.

Merry Christmas to every user of this group. I hope the years ahead are
good to all the prolific posters. Your input is invaluable.

Rob

RE: [ActiveDir] Change Control Systems

2004-12-18 Thread Robert Rutherford
Many thanks Gil.
 
I have forwarded the CVS info to a number of developer friends.
 
I'm looking for something more along the lines of general systems change 
control though, i.e. John wants to add a new GPO and provides the description 
and detail. The senior staff and management can then approve or deny. All info 
is logged in a DB.
 
It would be fairly easy to whip up I guess but it would be useful if there is a 
system already around?
 
BR
 
Rob



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Sat 18/12/2004 03:07
To: [EMAIL PROTECTED]
Subject: RE: Change Control Systems


CVS is pretty much the industry standard open source source code control server.
CVSNT is the best version for Windows that I'm aware of; see
http://www.cvsnt.com/. There are a couple of Windows clients available; WinCVS
is the one I use. It's on SourceForge at
http://sourceforge.net/project/showfiles.php?group_id=10072package_id=12664.
 
-gil



From: [EMAIL PROTECTED] on behalf of Robert Rutherford
Sent: Fri 12/17/2004 6:19 PM
To: [EMAIL PROTECTED]
Subject: OT: Change Control Systems


Hi All,
 
I'm on the hunt for an open source or free change management system...
 
I've worked for many companies who have an in-house system and I haven't got 
the time to build my own. Does anyone know of any free or cheap change 
management systems? I will build my own if necessary but would rather cheat :O)
 
It's just a shot but the diversity of this group is like gold dust.
 
Merry Christmas to every user of this group. I hope the years ahead are good to 
all the prolific posters. Your input is invaluable.
 
Rob

RE: [ActiveDir] Computer Display

2004-12-17 Thread Robert Rutherford
Hmm... I've never noticed it.

If you do a reverse lookup on the IPs, can you resolve the IP's?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: 17 December 2004 13:17
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Computer Display

 
When you look at the open sessions on a DC, some machines are reported by
computer names and others by IP addresses. I thought it may be because of
the mixed environment of W2k and XP machines, but this is not the case.
Anyone notice this too?

THX,
Z.V.




[ActiveDir] OT: Change Control Systems

2004-12-17 Thread Robert Rutherford
Hi All,
 
I'm on the hunt for an open source or free change management system...
 
I've worked for many companies who have an in-house system and I haven't got 
the time to build my own. Does anyone know of any free or cheap change 
management systems? I will build my own if necessary but would rather cheat :O)
 
It's just a shot but the diversity of this group is like gold dust.
 
Merry Christmas to every user of this group. I hope the years ahead are good to 
all the prolific posters. Your input is invaluable.
 
Rob

RE: [ActiveDir] Making a user a Domain Administrator

2004-12-13 Thread Robert Rutherford
I'd suggest using Restricted Groups through group policy. If you go on
the MS site you will get a ton of explanations and examples.

BR

Rob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi
Owoeye
Sent: 13 December 2004 10:19
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Making a user a Domain Administrator

I have a domain with over 1000 computers and can't possibly go round the
machines doing this.

Do you have a sample script that can achieve this?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, December 13, 2004 11:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Making a user a Domain Administrator

Add the user to the local administrator group on each machine in the
domain. This can be done via script for example. Does anyone know if
this can be done by GPO?

Regards
Peter Johnson

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi
Owoeye
Sent: 13 December 2004 12:10
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Making a user a Domain Administrator

Hi Guys,

By Default the Domain Admin is an administrator on every client system
in the domain. Suppose I want to extend this functionality, i.e. having
a particular user who is not a domain administrator but has
administrator rights on every client machine in the domain.

How can I achieve this?

Cheers

Seyi



RE: [ActiveDir] The server is not operational

2004-12-08 Thread Robert Rutherford

Can you run a dcdiag and post as a first port of call?

Cheers

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: 08 December 2004 16:44
To: [EMAIL PROTECTED]
Subject: [ActiveDir] The server is not operational

Hi All:

Imagine my surprise when I tried to fire up the dsa.msc and was greeted with
the error in the subject line. Specifically: Naming information cannot be
located for the following reason: The server is not operational. In fact, I
could not access any domain-related tools.

The server sure seemed operational since I was logged into it on console as
an administrator. But sure enough, it soon started to literally die: users
started dropping off and, eventually, I lost my remote connection and was
unable to get back in. Someone had to reboot the server on-site. I might have
written this off to just a weird occurrence, but it happened again a short
while later while I was checking the disturbingly happy Event Logs - almost
no errors or warnings.

What I found in List archives and on the Web did not seem to apply. The
config is:

- Stand-alone W2k3 Standard, DC
- DNS runs locally and forwards to ISP and is AD-integrated, allowing only
  secure updates
- Local Ethernet interface points to self for DNS
- WINS is running locally (though the Ethernet interface did not point to
  itself - or anywhere - initially)
- RRAS is running (only for me to make a PPTP connection over which I run RD)

A few things stand out:

- Event Logs showed a bunch of Userenv 1053 errors (related to GPOs not
  getting applied) just prior to the first crash.
- Due to RRAS, the server registers another A record and SRV record in DNS
  (for the VPN interface). DNS also shows that it is servicing requests on
  that address.
- Netdiag shows several warnings about these two records: the DC knows only
  one address; DNS knows two (see below).

The Record is correct on DNS server '192.168.0.30'.

The Record is different on DNS server '192.168.0.30'.
DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain.
Your DC entry is one of them on DNS server '192.168.0.30', no need to re-register.

+--+
The record on your DC is:
DNS NAME = abc.private.
DNS DATA =
A 192.168.0.116

The record on DNS server 192.168.0.30 is:
DNS NAME = abc.private
DNS DATA =
A 192.168.0.116
A 192.168.0.30
+--+

Sorry for the long winded post. Any thoughts on what might have caused this?
Is there some configuration (perhaps in RRAS or DNS) that I might look at?

TIA.

-- nme

RE: [ActiveDir] OT: Full vs Diff

2004-12-05 Thread Robert Rutherford
Ok...
 
Yes it is out of the ordinary for backups to take longer on Diffs.
I don't expect you should be running incrementals instead of Diffs, especially
as you state that your fulls are only taking 4 hrs.
 
What backup software are u using?
Has it been working OK?
Have you checked the backup jobs to ensure they are similar, in terms of 
selections?
Are any other processes running during your diff's which aren't running when you
do a full?
Are you pulling over the network?
 
Rob
 
 

RE: [ActiveDir] Offline Files

2004-12-01 Thread Robert Rutherford
Hi Lucia,

Any chance you can turn off your receipts for this group?

Thanks,

Rob
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lucia Washaya
Sent: 01 December 2004 10:05
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Offline Files


Return Receipt

Your document:   RE: [ActiveDir] Offline Files
was received by: Lucia Washaya/UNAMSIL
at:              01/12/2004 10:03:47 GMT








RE: [ActiveDir] Snort

2004-12-01 Thread Robert Rutherford

IDS isn't going to protect you from these worms... let's initially focus on
that:-

I'm just going to ramble and we can then home in on a solution

It's hard to believe patched machines are being re-infected.. but it does
happen. I suspect you have a rogue machine which isn't managed in your domain
environment and you aren't aware of, i.e. a 98 machine, workgroup, user home
laptop, etc.

It does sound like your Watchguard box isn't really up to the job especially
as you are specifically blocking ports. It shouldn't be processing blocked
packets, thus shouldn't be under that high stress, unless you are logging
everything. I'm not a Watchguard expert so maybe it deals with packets
differently. This is all an if scenario. I guess we need to ascertain:-

What size is your network, i.e. Nodes?
Which Watchguard model do you have?
Lan switches?
WAN Links.

(Send a reply to me direct if you don't want to broadcast your details)

It depends on your environment, but if you are sizeable, i.e. over 200+ users
then I would shoot for something like Checkpoint with the SmartDefense
subscription. This will do deep inspection and cut out worms at the gateway,
i.e. stopping them entering the secured LAN. They are way ahead of the game
compared to Cisco (hearing Cisco fans smacking out angered replies).

BR

Rob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 01 December 2004 15:42
To: ActiveDir (E-mail)
Subject: [ActiveDir] Snort

Anyone had good experiences with snort and can you recommend it as a
IDS and intrusion prevention?

I'm really getting hit hard with bots like W32.spybot.worm and
W32.Randex.BTB. I get these worms even being fully patched and my Symantec defs
are up to date. I'm looking for something cheap(read: free) to help me stop
these things or at least contain them.

My managers are looking into Cisco Self defending networks solution but
that's big $$ and might be a whole other management headache.

I was looking on some combination of our current AV(Symantec corporate
9.0) and GPO and snort as some sort of solution.

These bots are really annoying because they seem to infect even patched
and up to date systems and then they go out on ports 445 or 54321 or  and
even though our firewall(watchguard) blocks these ports, enough of these
infected systems can DOS my firewall or bring network traffic to a crawl.

Any recommendations?

thanks a lot

RE: [ActiveDir] Snort

2004-12-01 Thread Robert Rutherford

If you watch your firewall logs. You will more than likely see the offender,
i.e. you will see it trying to talk on specific ports and likely to be
scanning up class C reserved ranges. I just tend to filter the firewall logs
and setup alerts for suspicious activity.

I think Watchguard do some deep packet inspection techs as options? I'm not
100% sure as I haven't used them to any great level.

Snort is fine, but if you have a good firewall setup and configured correctly
then you don't really need it. I know many large companies who spent so much
time setting it up but never look at it.

From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: 01 December 2004 16:23
To: Robert Rutherford
Subject: RE: [ActiveDir] Snort

We have 500 nodes, mostly XP/WIn2k, but a few win98 clients. the Winxp boxes
have system restore disabled.

..snip

Sys details

.snip

I don't suppose there is any real way to find out where a worm really
originated from on your network?

I thought snort might at least help with this. Also there is a feature called
inline snort where it supposedly can do intrusion prevention, but I have no
experience with this.

thanks

-Original Message-
From: Robert Rutherford [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 01, 2004 11:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Snort

IDS isn't going to protect you from these worms... let's initially focus on
that:-

I'm just going to ramble and we can then home in on a solution

It's hard to believe patched machines are being re-infected.. but it does
happen. I suspect you have a rogue machine which isn't managed in your domain
environment and you aren't aware of, i.e. a 98 machine, workgroup, user home
laptop, etc.

It does sound like your Watchguard box isn't really up to the job especially
as you are specifically blocking ports. It shouldn't be processing blocked
packets, thus shouldn't be under that high stress, unless you are logging
everything. I'm not a Watchguard expert so maybe it deals with packets
differently. This is all an if scenario. I guess we need to ascertain:-

What size is your network, i.e. Nodes?
Which Watchguard model do you have?
Lan switches?
WAN Links.

(Send a reply to me direct if you don't want to broadcast your details)

It depends on your environment, but if you are sizeable, i.e. over 200+ users
then I would shoot for something like Checkpoint with the SmartDefense
subscription. This will do deep inspection and cut out worms at the gateway,
i.e. stopping them entering the secured LAN. They are way ahead of the game
compared to Cisco (hearing Cisco fans smacking out angered replies).

BR

Rob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 01 December 2004 15:42
To: ActiveDir (E-mail)
Subject: [ActiveDir] Snort

Anyone had good experiences with snort and can you recommend it as a
IDS and intrusion prevention?

I'm really getting hit hard with bots like W32.spybot.worm and
W32.Randex.BTB. I get these worms even being fully patched and my Symantec defs
are up to date. I'm looking for something cheap(read: free) to help me stop
these things or at least contain them.

My managers are looking into Cisco Self defending networks solution but
that's big $$ and might be a whole other management headache.

I was looking on some combination of our current AV(Symantec corporate
9.0) and GPO and snort as some sort of solution.

These bots are really annoying because they seem to infect even patched
and up to date systems and then they go out on ports 445 or 54321 or  and
even though our firewall(watchguard) blocks these ports, enough of these
infected systems can DOS my firewall or bring network traffic to a crawl.

Any recommendations?

thanks a lot

RE: [ActiveDir] Snort

2004-12-01 Thread Robert Rutherford








Id block the non-critical ports over
the frame. You can also watch the routers to see whats hitting them or put a
sniffer in the gap between the frame router and LAN to hunt the offender.



Rob











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 01 December 2004 16:42
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Snort







I see the offender. What I want to know is
where the offender got it from.





I know its not from the internet because
we block all those ports incoming.





We have a sister corp that has ther own
independent IT staff and is connected to use via frame relay. We are all in the
same forest.





We also have mobile laptop users.





So it can only get in those 2 ways as far
as I know. I wish there was some way to tell for sure.











The Watchguard will block port and address
space probes and IP options and address spoofing. It also blocks syn flood
attacks(but Watchguard recommends you turn that off as it creates high stress
on the box).





It also comes with some prebuilt proxies
for http,ftp,smtp,dns. The rest is stateful packet inspection.





thats it for deep packet inspection.











-Original Message-
From: Robert Rutherford
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 01, 2004
11:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Snort

If you watch your firewall logs.
You will more than likely see the offender, i.e. you will see it trying to talk
on specific ports and likely to be scanning up class C reserved
ranges. I just tend to filter the firewall logs and setup alerts for suspicious
activity. 



I think Watchguard do some deep packet
inspection techs as options? Im not 100% sure as I havent used
them to any great level.



Snort is fine, but if you have a good
firewall setup and configured correctly then you dont really need it. I
know many large companies who spent so much time setting it up but never look
at it. 











From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: 01 December 2004 16:23
To: Robert Rutherford
Subject: RE: [ActiveDir] Snort

We have 500 nodes, mostly XP/Win2k, but a
few Win98 clients. The WinXP boxes have system restore disabled.

..snip

Sys details

.snip

I don't suppose there is any real way to
find out where a worm really originated from on your network?

I thought snort might at least help with
this. Also there is a feature called inline snort where it supposedly can do
intrusion prevention, but I have no experience with this.

thanks

-Original Message-
From: Robert Rutherford [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 01, 2004 11:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Snort

IDS isn't going to protect you from these worms;
let's initially focus on that:-

I'm just going to ramble and we can then home in on a
solution.

It's hard to believe patched machines are being re-infected.. but
it does happen. I suspect you have a rogue machine which isn't managed in
your domain environment and you aren't aware of, i.e. a 98 machine,
workgroup, user home laptop, etc.

It does sound like your Watchguard box isn't really up to the
job, especially as you are specifically blocking ports. It
shouldn't be processing blocked packets, thus shouldn't be under
that high stress, unless you are logging everything. I'm not a Watchguard
expert so maybe it deals with packets differently. This is all an
if scenario. I guess we need to ascertain:-

What size is your network, i.e. Nodes?

Which Watchguard model do you have?

LAN switches?

WAN Links.

(Send a reply to me direct if you don't want to broadcast your
details)

It depends on your environment, but if you are sizeable, i.e. over 200+
users then I would shoot for something like Checkpoint with the SmartDefense
subscription. This will do deep inspection and cut out worms at the gateway,
i.e. stopping them entering the secured LAN. They are way ahead
of the game compared to Cisco (hearing Cisco fans smacking out angered
replies).

BR

Rob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 01 December 2004 15:42
To: ActiveDir (E-mail)
Subject: [ActiveDir] Snort

Anyone had good experiences with snort and can you recommend it as an
IDS and intrusion prevention?

I'm really getting hit hard with bots like W32.spybot.worm and
W32.Randex.BTB. I get these worms even being fully patched and my Symantec defs
are up to date. I'm looking for something cheap (read: free) to help me stop
these things or at least contain them.

My managers are looking into Cisco Self defending networks solution but
that's big $$ and might be a whole other management headache.

I was looking on some combination of our current AV (Symantec corporate
9.0) and GPO and snort as some sort of solution.

These bots are really annoying because they seem to infect even patched
and up to date systems and then they go out on ports
