RE: [ActiveDir] Remote Exchange Access and Timing
What element are you remotely accessing? I take it you mean a client at a remote site? Which version of Exchange?

I'm taking it that you mean an Outlook client accessing an Exch2003 svr; if so then an Outlook over SSL connection will be fine, especially if you cache locally... I've got clients out on lines 500ms +

Cheers,
Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 12 December 2006 17:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remote Exchange Access and Timing

All;

This may be slightly off topic. Does anyone remember how fast Exchange needs the line speed to be for remote access? I am working with a client that is having time out issues with a 248ms (average) packet time. With some static routing I might be able to get this number down to say 125ms but my fear is that will likewise be too slow. From a networking (routing) side of things I can see some peering loss in Europe so there is no really easy answer save building special static routes or PPP connections, etc.

Thanks!

Brent Eads
Employee Technology Solutions, Inc.
Office: (312) 762-9224 Fax: (312) 762-9275
RE: [ActiveDir] can not browse the internet after dcpromo
Is this for the whole network or just the DC? Are the clients looking to this DC for DNS resolution? Can you resolve DNS names using nslookup? Can you telnet out to a known external IP serving HTTP (80)? It sounds like DNS.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John
Sent: 11 December 2006 16:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] can not browse the internet after dcpromo

Hi,

The internet is not working after a successful DCPROMO. This is a secondary DNS server. What are the things I need to check to troubleshoot the problem? Any suggestion is highly appreciated.

Thanks.
John
[ActiveDir] OT: Benefits of SBS2003 R2 over SBS2000
Hi Guys,

Has anyone got a decent list of the benefits of SBS2003 R2 over SBS2000? I can't find anything detailing the improvements/benefits.

Thanks,
Rob
RE: [ActiveDir] AD with mixed DC
Very straightforward... you need to do a domain and forest prep... search the internet for loads of info... i.e. - http://searchwinit.techtarget.com/tip/0,289483,sid1_gci990371,00.html

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: 06 December 2006 21:12
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD with mixed DC

I have an AD domain with 2 2k domain controllers. I want to add a third domain controller that has a 2k3 OS. I know there is something that needs to be enabled or disabled before having an AD with mixed DC. What do I need to do before adding the third DC?

Thanks

Antonio Aranda
Network Analyst
UT-Permian Basin
432-552-2413
RE: [ActiveDir] Missing Computer Account
Drop it into a workgroup then try to add to the domain again. I'd also just delete the computer account for good measure.

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Hofert
Sent: 24 November 2006 13:36
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Missing Computer Account

I shot myself in the foot and as a result need a little help. I have a Win2003 Domain. I was setting up a new PC for a user and I thought I had inadvertently given it the same computer name as the user's existing computer. I found it strange that it allowed me to do that, but I changed the name of the computer and all seemed well. That is, until the user logged off of his computer. What actually happened was I named it properly to begin with, then when I renamed it I gave it the same name. DOH!

Now I cannot get the user's computer to log back into the domain. I have removed the new PC from the domain, and have renamed the user PC a couple of times, but when logging on I get "Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable, or because your computer account was not found." The computer account does appear in AD and the PC does have connectivity and is able to see the domain controller.

Can anyone provide instructions on how to get around this and get the computer back in the domain?

Thanks
Todd
RE: [ActiveDir] OT: M$
Can we kill this thread now, please?

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 13 November 2006 11:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

Clearly there are differing opinions about whether it's merely slang or whether it's an inappropriate slur. Simpler just not to use it, don't you think? I mean, I don't refer to the USAF as the useless air farce and expect its members to think that's funny. I don't take offense when people refer to Microsoft as borg or talk about drinking the Kool-Aid; in fact, I have been known to reference both myself. However, I remember the origin of M$ (unlike, I suspect, some of those who use the phrase and think it's funny), and I think it's ignorant and inappropriate for people to use it on a Microsoft-centric list.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Monday, November 13, 2006 5:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

You have to be able to laugh at yourself. M$ is a tongue in cheek expression and certainly a corporation like Microsoft can laugh at itself when M$ is used as slang in its reference. That's why we nickname really big guys tiny.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Albert Duro
Sent: Sunday, November 12, 2006 10:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: M$

Being conciliatory is laudable, but I think you're missing the point. It's not whether anybody is offended or not -- the question is why does someone come into a peaceful gathering casting offense. Especially when it's not necessary. If someone deliberately spits on the dinner table, do you say 'oh, well, he didn't hit any plate, let's just forget it'? Or even worse, 'he hit someone else's plate -- no worries.'

----- Original Message -----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, November 10, 2006 9:08 AM
Subject: RE: [ActiveDir] OT: M$

I highly doubt that any MS employee takes offence at what is surely a tongue in cheek expression. Let's not get _too_ PC please :/

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Laura A. Robinson
Sent: Thursday, November 09, 2006 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: M$

Just out of curiosity, what makes people think it's appropriate to refer to Microsoft as M$ on an MS-focused mailing list whose participants include Microsoft employees, Microsoft contractors, Microsoft MVPs and various other people who may have a relatively positive view of Microsoft?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, November 09, 2006 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Beginner's Book on Scripting - WSH or vbscript?

This is the link to M$ to start with...very good info
http://msdn.microsoft.com/library/default.asp?url=

--
Sincerely,
J

On 11/9/06, Stu Packett [EMAIL PROTECTED] wrote:

Hello everyone. After reading through a lot of the posts on this mailing list, I realize I could make my job easier if I knew how to script. I have no experience in scripting, but would like to know what books do you recommend as a beginner's book on scripting? Also, I don't really know the difference between WSH and vbscript, so if anyone could explain that, I'd appreciate that. After browsing through Amazon, I saw several books on WSH and vbscript, but don't know where I should focus. I'm also open to computer based training (CBT) videos if any exist. Thanks in advance.
RE: [ActiveDir] OT: M$
;oP

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 13 November 2006 12:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

There's a reason for the OT portion of the subject line, you know. ;-)

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Monday, November 13, 2006 6:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

Can we kill this thread now, please?

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 13 November 2006 11:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

Clearly there are differing opinions about whether it's merely slang or whether it's an inappropriate slur. Simpler just not to use it, don't you think? I mean, I don't refer to the USAF as the useless air farce and expect its members to think that's funny. I don't take offense when people refer to Microsoft as borg or talk about drinking the Kool-Aid; in fact, I have been known to reference both myself. However, I remember the origin of M$ (unlike, I suspect, some of those who use the phrase and think it's funny), and I think it's ignorant and inappropriate for people to use it on a Microsoft-centric list.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Monday, November 13, 2006 5:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

You have to be able to laugh at yourself. M$ is a tongue in cheek expression and certainly a corporation like Microsoft can laugh at itself when M$ is used as slang in its reference. That's why we nickname really big guys tiny.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Albert Duro
Sent: Sunday, November 12, 2006 10:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: M$

Being conciliatory is laudable, but I think you're missing the point. It's not whether anybody is offended or not -- the question is why does someone come into a peaceful gathering casting offense. Especially when it's not necessary. If someone deliberately spits on the dinner table, do you say 'oh, well, he didn't hit any plate, let's just forget it'? Or even worse, 'he hit someone else's plate -- no worries.'

----- Original Message -----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, November 10, 2006 9:08 AM
Subject: RE: [ActiveDir] OT: M$

I highly doubt that any MS employee takes offence at what is surely a tongue in cheek expression. Let's not get _too_ PC please :/

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Laura A. Robinson
Sent: Thursday, November 09, 2006 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: M$

Just out of curiosity, what makes people think it's appropriate to refer to Microsoft as M$ on an MS-focused mailing list whose participants include Microsoft employees, Microsoft contractors, Microsoft MVPs and various other people who may have a relatively positive view of Microsoft?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jitendra Kalyankar
Sent: Thursday, November 09, 2006 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Beginner's Book on Scripting - WSH or vbscript?

This is the link to M$ to start with...very good info
http://msdn.microsoft.com/library/default.asp?url=

--
Sincerely,
J

On 11/9/06, Stu Packett [EMAIL PROTECTED] wrote:

Hello everyone. After reading through a lot of the posts on this mailing list, I realize I could make my job easier if I knew how to script. I have no experience in scripting, but would like to know what books do you recommend as a beginner's book on scripting? Also, I don't really know the difference between WSH and vbscript, so if anyone could explain that, I'd appreciate that. After browsing through Amazon, I saw several books on WSH and vbscript, but don't know where I should focus. I'm also open to computer based training (CBT) videos if any exist. Thanks in advance.
RE: [ActiveDir] how to access blocked site.
Hi Ajay,

This isn't the right forum for such a request, I suggest you go onto google and type proxy avoidance

Cheers,
Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ajay Kumar
Sent: 13 November 2006 13:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] how to access blocked site.

Hi all,

It could be a wrong question, but I want to know how to access a restricted or blocked site, which is access denied from the office. I know some tools like K-PROXY work, but it works on only some internet sites. So please suggest to me how to access a blocked site in a way that works well.

Thanks
Regards,
Ajay pardeshi
RE: [ActiveDir]AD SECURITY.Run As command used - to impersonate Administrators
Could be a backup system or something like that kicking off a run as, looks like it. I don't know the product though.

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: 13 November 2006 14:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]AD SECURITY.Run As command used - to impersonate Administrators

Hi,

So I decided to try out GFI event monitor. I am loving it so far, but I am not a security expert so I am easy to impress. Anyway, I got a bunch of emails like the one below. Have you guys seen something similar in your logs? Is this someone trying to hack or a service trying to run something?

Thanks

Subject: 11/12/2006 12:28:38 PM Run As command used - to impersonate Administrators - outside work hours - Critical - servername - 552

Logon attempt using explicit credentials:
Logged on user:
  User Name: administrator
  Domain: domain
  Logon ID: (0x2,0x9D018B17)
  Logon GUID: {ec9c7758-8375-8064-3e03-8e860a568322}
User whose credentials were used:
  Target User Name: administrator
  Target Domain: domain.com
  Target Logon GUID: {13d439ef-0597-c23e-aa24-8ca92f9e7730}
Target Server Name: server.domain.com
Target Server Info: cifs/server.domain.com
Caller Process ID: 1620
Source Network Address: -
Source Port: -
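
The alert quoted in the message above, parsed field by field so the caller process, the account whose credentials were used and the target service can be compared across the "bunch of emails"; this is an added example, not part of the thread. Function names are hypothetical, the subject date is assumed to be month/day/year, and the second alert is constructed to show the grouping.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field labels of the event 552 body, as they appear in the alert in the post.
LABELS = [
    "User Name", "Domain", "Logon ID", "Logon GUID",
    "Target User Name", "Target Domain", "Target Logon GUID",
    "Target Server Name", "Target Server Info",
    "Caller Process ID", "Source Network Address", "Source Port",
]
# Section headings that carry no value of their own.
HEADINGS = ("Logged on user:", "User whose credentials were used:")
# Longest labels first, so "Target User Name" is never read as "User Name".
LABEL_RE = re.compile(
    "(" + "|".join(re.escape(l) for l in sorted(LABELS, key=len, reverse=True)) + "):"
)
DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]

# Subject and body copied from the post (the mail flattened the body to one line).
ALERT_SUBJECT = ("11/12/2006 12:28:38 PM Run As command used - to impersonate "
                 "Administrators - outside work hours - Critical - servername - 552")
ALERT_BODY = (
    "Logon attempt using explicit credentials: Logged on user: "
    "User Name: administrator Domain: domain Logon ID: (0x2,0x9D018B17) "
    "Logon GUID: {ec9c7758-8375-8064-3e03-8e860a568322} "
    "User whose credentials were used: Target User Name: administrator "
    "Target Domain: domain.com "
    "Target Logon GUID: {13d439ef-0597-c23e-aa24-8ca92f9e7730} "
    "Target Server Name: server.domain.com "
    "Target Server Info: cifs/server.domain.com Caller Process ID: 1620 "
    "Source Network Address: - Source Port: -"
)
# Constructed second alert: same body, one day later, to illustrate grouping.
CONSTRUCTED_SUBJECT = ALERT_SUBJECT.replace("11/12/2006", "11/13/2006")


def parse_552_body(body):
    """Split an event 552 description (one line or many) into a field dict."""
    for heading in HEADINGS:
        body = body.replace(heading, " ")
    hits = list(LABEL_RE.finditer(body))
    fields = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        fields[hit.group(1)] = " ".join(body[hit.end():end].split())
    return fields


def parse_subject(subject):
    """Pull timestamp, reporting server and event ID out of the alert subject."""
    parts = [p.strip() for p in subject.split(" - ")]
    stamp = re.match(r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M", parts[0])
    when = datetime.strptime(stamp.group(0), "%m/%d/%Y %I:%M:%S %p")
    return {"when": when, "server": parts[-2], "event_id": int(parts[-1])}


def summarize(subject, body):
    """Reduce one alert to the facts needed to identify what raised it."""
    meta, f = parse_subject(subject), parse_552_body(body)
    service, _, host = f["Target Server Info"].partition("/")
    source = f["Source Network Address"]
    return {
        "event_id": meta["event_id"],
        "reporting_server": meta["server"],
        "when": meta["when"],
        "weekday": DAYS[meta["when"].weekday()],
        "caller": f["Domain"] + "\\" + f["User Name"],
        "credentials_used": f["Target Domain"] + "\\" + f["Target User Name"],
        "same_account_name": f["User Name"].lower() == f["Target User Name"].lower(),
        "service_class": service,      # "cifs" here: a file-share connection
        "target_host": host,
        "caller_pid": int(f["Caller Process ID"]),  # look this PID up on the server
        "source_address": None if source == "-" else source,
    }


def group_alerts(alerts):
    """Group (subject, body) alerts by server, caller PID, account and target."""
    groups = defaultdict(list)
    for subject, body in alerts:
        s = summarize(subject, body)
        key = (s["reporting_server"], s["caller_pid"],
               s["credentials_used"], s["service_class"] + "/" + s["target_host"])
        groups[key].append(s["when"])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for key, times in group_alerts([(ALERT_SUBJECT, ALERT_BODY),
                                    (CONSTRUCTED_SUBJECT, ALERT_BODY)]).items():
        print(key, [t.isoformat() for t in times])
```

Alerts that fall into one group at regular times point at a scheduled job; the caller PID on the reporting server identifies which one.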
RE: [ActiveDir] Restrict CD rom, floppy and USB via group policy?
Depends on your exact requirements, as the standard settings aren't too flexible - you'll probably find out you need a 3rd party tool, such as: http://www.gfi.com/endpointsecurity/

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ryan Conrad
Sent: 10 November 2006 14:40
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict CD rom, floppy and USB via group policy?

HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers
http://support.microsoft.com/kb/555324

Ryan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Group, Russ
Sent: Friday, November 10, 2006 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restrict CD rom, floppy and USB via group policy?

Hi everyone

Is there a way to use group policy to disable the CD rom, floppy and USB drives?

Thanks
Russ
RE: [ActiveDir] Decommissioning a DC
No worries. Demote her, remember the good times, shed a tear, crack on.

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: 07 November 2006 21:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Decommissioning a DC

We have several DCs in our environment all of which are 2003 SP1 servers except for one. I am preparing to demote this one through DCPromo this weekend.

All of our DCs are also GCs, including this last remaining 2000 server. It does not own any FSMO roles. The Exchange RUS services are not using this DC. We are a single site and domain.

Is there anything unique about demoting the last 2000 DC, given there are plenty of other 2003 DC/GCs available?

Bryan Lucas
Server Administrator
Texas Christian University
RE: [ActiveDir] Why we go for exchange 2003 server
Hi,

I suggest you google this type of request before posting; loads of resource around
http://support.microsoft.com/kb/816888

Thanks,
Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ajay Kumar
Sent: 30 October 2006 13:36
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Why we go for exchange 2003 server

Hi,

Can anyone pls tell me why I should implement Exchange 2003 enterprise server instead of 2000 enterprise server in my organization? Becoz Exchange 2000 has Messaging services but 2003 doesn't. Actually my main question is why I should go for 2003 Exchange server. Pls suggest.

Regards,
Ajay pardeshi
RE: [ActiveDir] A few things [List Admin]
Tony,

I've moved in and out of the group since 2000, and just wanted to thank you for all your effort keeping this beast going over the years. The list made a real difference to my career over the years, and I still can't pull myself away from keeping up-to-date (to a degree) with AD.

This community is now second to none. I don't get the time I'd like to contribute, but thanks are due to all the guys that do.

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 27 October 2006 22:51
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] A few things [List Admin]

Hi all

Just a couple of things.

I will be out of the country for three weeks from tomorrow, with only intermittent access to email. While I am away Matty Holland will be looking after the list. If you see any problems or need help with unsubscribing, etc. then Matty is your man ([EMAIL PROTECTED]). Please play nicely while I'm away or I won't bring you a present. ;-)

I am aware of the ongoing list latency problems and am awaiting a response from my ISP. Hopefully it will be resolved shortly. I suspect it might be related to volume as the number of subscribed users has grown quite sharply over the past few months.

You may have noticed the recent time-out issues with the archive hosted at ActiveDir.org. The experiment we had with using Mhonarc for archiving largely failed due to the poor performance. We are working on a new archive using a different method and this should be available shortly. In the meantime, please use the off-site archive at http://www.mail-archive.com/activedir@mail.activedir.org/

Finally, a reminder that you can subscribe to the list with the No mail (aka post-only) option, which is useful if you have a public folder subscribed to the list but also want to be able to post (but not receive mail) using your own address. If you want me to set you up for this, just let me know (but bear in mind that I may not get around to it immediately, because I'll be on the beach - ha ha ha).

Tony
ActiveDir.org general dogsbody.
RE: [ActiveDir] Latency in List
Yeah, I get an average of 20 mins delay... it does mess with the flow of threads.

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 17 October 2006 22:09
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Latency in List

I initially sent a reply to this thread (below) at 19:43 BST yet I only received it back at 21:37 BST, nearly two hours later. Is anyone else experiencing latency or is it just me? Let's see what this message does!

Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 17 October 2006 19:43
To: ActiveDir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.
RE: [ActiveDir] Test Lab Naming Conventions
I'd say that if you are looking to fully mirror your production environment and it will not be connected to the production network - then use the same convention. It will probably make it marginally easier in the test and documentation process.

Cheers
Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Patton
Sent: 03 October 2006 16:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Test Lab Naming Conventions

I'm trying to complete a plan for a fully isolated, permanent test lab. I intend to fully mirror our current production environment. The primary purpose will be to test disaster recovery and other procedures before production implementation. I don't intend to establish any domain trusts or other connections between the lab and production.

The one question I have regards server and domain naming conventions. For those of you that have set up labs that mirror your production environments, did you use the same domain and server names in your test lab?

Thanks
RE: [ActiveDir] RPC Over HTTPS Problem....
The usual issue with that is that the url u r connecting to matches the name on the cert. This must match on internal and external, i.e. u must use split brain or you must config ur firewall to accept that connection on the WAN interface.

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: 16 September 2006 00:00
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RPC Over HTTPS Problem

Hi,

I am facing a weird problem. Here is some required information.

Frontend - Backend Structure. Exchange with SP2 on Win2k3 SP1 on all Servers. FE1 and BE1 is on a different site, BE2 is on my Site. Configured RPC Over Https on Frontend Server. OWA (SSL) is working fine.

Now here is the situation:-

I have configured my client for RPC over Https. When client machine tries to establish connection with my Exchange Server it prompts me for User Name and Password. When I am providing my credentials it is not accepting and keeps prompting me for same.

Also while doing this when I use Ctrl + Right click on Outlook icon on rightside of taskbar and then selecting connection it never shows me established. It remains on Connecting and tries to connect my BE2 server where my mailbox resides.

What could be the possible reason for this? If any other information is required please let me know.

--
Ravi Dogra
RE: [ActiveDir] RPC Over HTTPS Problem....
Hi Ravi,

The certificate does need to match the name of the site... i.e. mail.comp.com. If it doesn't then it won't work. There are numerous reasons why it fails but that is the first.

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: 16 September 2006 01:36
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] RPC Over HTTPS Problem

Hi Bob,

Can you please explain how it should be? Because I think I have something wrong here related to certificate.

Thanks
Ravi Dogra

On 9/16/06, Robert Rutherford [EMAIL PROTECTED] wrote:

The usual issue with that is that the url u r connecting to matches the name on the cert. This must match on internal and external, i.e. u must use split brain or you must config ur firewall to accept that connection on the WAN interface.

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: 16 September 2006 00:00
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] RPC Over HTTPS Problem

Hi,

I am facing a weird problem. Here is some required information.

Frontend - Backend Structure. Exchange with SP2 on Win2k3 SP1 on all Servers. FE1 and BE1 is on a different site, BE2 is on my Site. Configured RPC Over Https on Frontend Server. OWA (SSL) is working fine.

Now here is the situation:-

I have configured my client for RPC over Https. When client machine tries to establish connection with my Exchange Server it prompts me for User Name and Password. When I am providing my credentials it is not accepting and keeps prompting me for same.

Also while doing this when I use Ctrl + Right click on Outlook icon on rightside of taskbar and then selecting connection it never shows me established. It remains on Connecting and tries to connect my BE2 server where my mailbox resides.

What could be the possible reason for this? If any other information is required please let me know.

--
Ravi Dogra

--
Ravi Dogra
9899647200
RE: [ActiveDir] OT: Protecting against Spyware/Adware
Controlled user access, i.e. no admin rights, and use a good class firewall with spyware/av protection on the gateway... no issues.

Rob

Robert Rutherford
QuoStar Solutions Limited
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: 14 September 2006 20:11
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Protecting against Spyware/Adware

Nonadmin

I personally have had way less issues when users that don't need admin rights don't have them.

Chinnery, Paul wrote:

We're using CounterSpy Enterprise from Sunbelt Software. Like you, we have seen a performance hit* on computers with just 128 meg of memory but that goes away when we add more memory. The only issue I ran into, other than performance, was it blocked a cookie that was necessary for our payroll department. However, once I okayed that cookie, it was fine.

*According to Sunbelt, the next version is supposed to reduce the performance impact.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Chris Pohlschneider
Sent: Thursday, September 14, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Protecting against Spyware/Adware

Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated.

Chris Pohlschneider
Holloway Sportswear IT
937-494-2559
937-497-7300 (Fax)
[EMAIL PROTECTED]

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] DNS Entries --Laptop Users--
Confusing... Please keep the thread going when you reply so we can look back through...

1) If your VPN device is giving the Windows client machines connecting a DNS server setting of your internal DNS server, then the client will update its records with the IP address allocated by the VPN device.

2) You can see 2 records for the same host name within the DNS manager?

Rob

Robert Rutherford QuoStar Solutions Limited T:+44 (0) 8456 440 331 F:+44 (0) 8456 440 332 M:+44 (0) 7974 249 494 E:[EMAIL PROTECTED] W:www.quostar.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: 08 September 2006 01:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Entries --Laptop Users--

Jolly, I was not sure about how the VPN Box was configured and as I had a word with Prashant boss, it is not configured for updating records to our DNS. I will talk to Prashant boss about this. But the thing is I can see 2 DNS records for one host. One is for VPN and the other one is for the Wireless IP Address for the Host.

Al, it is letting the devices update their own record to DNS.

Thanks
Ravi Dogra
RE: [ActiveDir] DNS Entries --Laptop Users--
What is the VPN device?

Rob

Robert Rutherford QuoStar Solutions Limited T:+44 (0) 8456 440 331 F:+44 (0) 8456 440 332 M:+44 (0) 7974 249 494 E:[EMAIL PROTECTED] W:www.quostar.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: 06 September 2006 00:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Entries --Laptop Users--

Hi,

The problem is I have 2 different records for each laptop (using VPN connection) in my DNS. I have secure updates configured in my DNS conf. We are using DHCP. Laptop users are getting a specific VLAN IP address for their wireless connection, which is getting registered in my DNS. This is good. But the problem is that when these laptop users log in from home using VPN, they get a new IP address from my VPN box which is also getting registered in my DNS. I have no clue why this is happening. I am suspecting the DNS conf on the local machine under Advanced TCP/IP settings. I am not sure whether I am heading the right way or not. Here is the snapshot attached for same.

-- RD
RE: [ActiveDir] [OT]The last departmental picnic [list owner]
Heheh. I'll be there.. You'll know who I am as I'll be the first to be man handled out of the door for trying to touch the living legend Rob Hoff it's me .. Hoff Who are you? Rob Your number 1 fan... come here you big hunk 'o' love I know we are going to be reprimanded for this outburst... OK joking's over :) I'm sorry but I couldn’t resist a follow up. Rob Robert Rutherford QuoStar Solutions Limited T:+44 (0) 8456 440 331 F:+44 (0) 8456 440 332 M:+44 (0) 7974 249 494 E:[EMAIL PROTECTED] W:www.quostar.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: 06 September 2006 14:47 To: ActiveDir.org Subject: Re: [ActiveDir] [OT]The last departmental picnic [list owner] David Hasselhoff - will be at Borders Books on Oxford Street, London on Monday at 12, Wear Leather and lots of it. -Original Message- From: Laura A. Robinson [EMAIL PROTECTED] Date: Wed, 06 Sep 2006 09:36:20 To:ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner] Given that the culprit hasn't received any of the backlash, my guess is that it was still an accident. Can't anybody just cut the guy some slack? Yeesh. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino Sent: Wednesday, September 06, 2006 9:20 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] [OT]The last departmental picnic [list owner] My guess – the second was on purpose after all the backlash From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves Sent: Tuesday, September 05, 2006 5:54 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] [OT]The last departmental picnic [list owner] Yeah, I just let him know he messed up on this one. Can't argue with banning him after 2 messups. :( On 9/5/06, Tony Murray [EMAIL PROTECTED]: mailto:[EMAIL PROTECTED] wrote: Not sure what's going on so I have temporarily suspended his subscription. 
Tony List owner and humourless [EMAIL PROTECTED] Sent via the WebMail system at mail.activedir.org : http://mail.activedir.org
RE: [ActiveDir] Sharepoint access after user AD migration
Hmm, wasn't that then. Quite a bit on Google, grabbed this: http://www.sharepointblogs.com/dustin/archive/2004/09/10/756.aspx

Cheers
Rob

Robert Rutherford QuoStar Solutions Limited T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
Sent: 06 September 2006 17:04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Sharepoint access after user AD migration

Hi Rob,

I've been told that the Sharepoint install is SP2. Not aware of which hotfixes are on it yet. I've got a conference call scheduled in an hour to discuss it.

Thanks,
Mike

On 9/5/06, Robert Rutherford [EMAIL PROTECTED] wrote:

What Sharepoint servicepack are you running? You need at least one and a hotfix.. can't remember which. I'll look through my old KB to see if I can find the hotfix.

Cheers
Rob

Robert Rutherford QuoStar Solutions Limited T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Mike Baudino
Sent: 05 September 2006 21:58
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sharepoint access after user AD migration

Apologies if this is not the most appropriate forum for this question. The situation is an NT4.0 domain with 18,000 users. Migrating to AD Win2k. Two-way trust and sIDHistory filtering is disabled. There's a Sharepoint server in the legacy NT4.0 domain. The NT4.0 users can access the Sharepoint just fine. The users, after being migrated, are not able to access the Sharepoint using their new AD accounts until after the Sharepoint admins add their new AD account to the Sharepoint security. Isn't Sharepoint supposed to be able to take advantage of sIDHistory and, if so, is there some setting we need to change?

Thanks,
Mike
RE: [ActiveDir] Rid Master recovery
Hi, Use NTDSUTIL http://support.microsoft.com/kb/255504/ Cheers Rob Robert Rutherford QuoStar Solutions Limited T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: 05 September 2006 13:03 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Rid Master recovery Guys , another question One of My RID master is crashed before transfering of FSMO role to other DC on the network , is that any possiblities to make an another domain as RID master ( backup is failed so i can not restore the failed RID master DC now) Thanks in advance Almeida Pinto, Jorge de [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 09/04/2006 11:18 AM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: [ActiveDir] Rid Master also see: RID Master FSMO explained http://blogs.dirteam.com/blogs/jorge/archive/2006/05/25/1040.aspx cheers,jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, September 04, 2006 18:11 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Rid Master Guys explain me , The functions of RID master , how does i display RID of object created in AD Thanks in advance joe [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 09/04/2006 08:36 AM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: OT - RE: [ActiveDir] W. in hell While I wouldn't want this to become a humour list, I saw the email and laughed and figured the same thing Laura figured, that Outlook autofill bit the guy (which is funny all by itself because we have all seen it happen if not had it happen to ourselves) and then I moved on. I find all of the additional attention even more humourous including the value judgements of the quality of the joke and analysis of words. 
I classify the message as OT with the droves of other messages that come through the list that are OT[1] and being sent here because of a tenous relationship of being about technologies that utlitize AD[2] though the question itself has nothing to do with AD or simply folks forgoing it all and just saying WTF, I'll give it a shot and ask you guys because you seem helpful. If you get a whole day of many of those coming through it is a bit annoying. More annoying, at least to me, are questions that are ON TOPIC but someone didn't take time to look at the archives or google and asking like it was the first time it was asked versus maybe revisitng the previous discussion in new light. However, unless the list goes moderated which no one wants or at least a vast majority of the someone's don't want, the list is just the way it is and will be and you read the messages if you want and blow by them otherwise. Overall I would hate to lose the jocularity and casualness of the list. It is one of the things that make it worth reading. :) There have been quite a few times subjects have drifted off topic only to expose something in the monkeying around or what not based on something not everyone understood or knew that we wouldn't have otherwise found out that immediately snaps it all back on topic and of great use. joe [1] Though this was funnier than most OT stuff.There is my value judgment on the quality. :) [2] Versus actually being AD Technology. Examples of tech that utilize AD include but are not limited to GPOs, DNS, Exchange, print queues, clustering, file server manipulations (copying files, home drives, management, etc), etc. Not saying questions about all of those are automatically OT, but we tend to get quite a few questions in those areas that aren't about AD or the interaction with AD but about the non-AD aspects of the tech. 
Examples being a question about how to do something in a GPO versus say OU strategies for applying GPOs or the permissions on the GPO objects and how AD interprets them. Or a general question about DNS like what is returned in a query or how it is managed versus what records need to be in DNS for AD to work or how its app NC replicates. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino Sent: Monday, September 04, 2006 10:46 AM To: ActiveDir@mail.activedir.org Subject: RE: OT - RE: [ActiveDir] W. in hell I have
RE: [ActiveDir] Rid Master recovery
To seize the role. Rob Robert Rutherford QuoStar Solutions Limited T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: 05 September 2006 13:19 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Rid Master recovery Hi, Use NTDSUTIL http://support.microsoft.com/kb/255504/ Cheers Rob Robert Rutherford QuoStar Solutions Limited T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: 05 September 2006 13:03 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Rid Master recovery Guys , another question One of My RID master is crashed before transfering of FSMO role to other DC on the network , is that any possiblities to make an another domain as RID master ( backup is failed so i can not restore the failed RID master DC now) Thanks in advance Almeida Pinto, Jorge de [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 09/04/2006 11:18 AM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: [ActiveDir] Rid Master also see: RID Master FSMO explained http://blogs.dirteam.com/blogs/jorge/archive/2006/05/25/1040.aspx cheers,jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, September 04, 2006 18:11 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Rid Master Guys explain me , The functions of RID master , how does i display RID of object created in AD Thanks in advance joe [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 09/04/2006 08:36 AM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: OT - RE: [ActiveDir] W. 
in hell While I wouldn't want this to become a humour list, I saw the email and laughed and figured the same thing Laura figured, that Outlook autofill bit the guy (which is funny all by itself because we have all seen it happen if not had it happen to ourselves) and then I moved on. I find all of the additional attention even more humourous including the value judgements of the quality of the joke and analysis of words. I classify the message as OT with the droves of other messages that come through the list that are OT[1] and being sent here because of a tenous relationship of being about technologies that utlitize AD[2] though the question itself has nothing to do with AD or simply folks forgoing it all and just saying WTF, I'll give it a shot and ask you guys because you seem helpful. If you get a whole day of many of those coming through it is a bit annoying. More annoying, at least to me, are questions that are ON TOPIC but someone didn't take time to look at the archives or google and asking like it was the first time it was asked versus maybe revisitng the previous discussion in new light. However, unless the list goes moderated which no one wants or at least a vast majority of the someone's don't want, the list is just the way it is and will be and you read the messages if you want and blow by them otherwise. Overall I would hate to lose the jocularity and casualness of the list. It is one of the things that make it worth reading. :) There have been quite a few times subjects have drifted off topic only to expose something in the monkeying around or what not based on something not everyone understood or knew that we wouldn't have otherwise found out that immediately snaps it all back on topic and of great use. joe [1] Though this was funnier than most OT stuff.There is my value judgment on the quality. :) [2] Versus actually being AD Technology. 
Examples of tech that utilize AD include but are not limited to GPOs, DNS, Exchange, print queues, clustering, file server manipulations (copying files, home drives, management, etc), etc. Not saying questions about all of those are automatically OT, but we tend to get quite a few questions in those areas that aren't about AD or the interaction with AD but about the non-AD aspects of the tech. Examples being a question about how to do something in a GPO versus say OU strategies for applying GPOs or the permissions on the GPO objects and how AD interprets them. Or a general question about DNS like what is returned in a query or how
RE: [ActiveDir] Distribution list Maintenance. Policy dilemma
This is more of an internal policy/procedure thing than anything else.. in my view. I have seen packages which Brian mentioned but cannot remember a name of a single one. Useful am I not? :)

Rob

Robert Rutherford QuoStar Solutions Limited T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: 05 September 2006 21:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Distribution list Maintenance. Policy dilemma

That's an idea, although I am not very concerned about getting the request for adding a new account/contact to a DL. My concern is to maintain the DL; in most of the cases the DL would have contacts, not AD users, and you can't put expiration on contacts. So, how do I force/remind the managers to notify me whenever a contact should no longer be in the DL?

Rezuma

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, September 05, 2006 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Distribution list Maintenance. Policy dilemma

You've got to use an automated system (web based usually) where an employee requests the contractor account/contact and puts an expiration on it.

Thanks,
Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, September 05, 2006 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Distribution list Maintenance. Policy dilemma

Hi,

I have Department managers asking me to create DLs in Exchange of people who don't work in the company. There is no technical problem to do that, but I am finding out that the previous guy was doing that via contacts in AD. The problem is that in this business, a consultant will work one day for you and the next for your competitor. My question is, what is the common practice in terms of DLs? Does anyone know a good way of maintaining them? Most of the time, I don't get notified when we no longer work with a consultant. How do you guys deal with DL maintenance? Any suggestion?
RE: [ActiveDir] Sharepoint access after user AD migration
What Sharepoint servicepack are you running? You need at least one and a hotfix.. can't remember which. I'll look through my old KB to see if I can find the hotfix.

Cheers
Rob

Robert Rutherford QuoStar Solutions Limited T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
Sent: 05 September 2006 21:58
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sharepoint access after user AD migration

Apologies if this is not the most appropriate forum for this question. The situation is an NT4.0 domain with 18,000 users. Migrating to AD Win2k. Two-way trust and sIDHistory filtering is disabled. There's a Sharepoint server in the legacy NT4.0 domain. The NT4.0 users can access the Sharepoint just fine. The users, after being migrated, are not able to access the Sharepoint using their new AD accounts until after the Sharepoint admins add their new AD account to the Sharepoint security. Isn't Sharepoint supposed to be able to take advantage of sIDHistory and, if so, is there some setting we need to change?

Thanks,
Mike
RE: [ActiveDir] Completely OT: Maroons
Come through fine on mine Laura.

Rob

Robert Rutherford QuoStar Solutions Limited T:+44 (0) 8456 440 331 F:+44 (0) 8456 440 332 M:+44 (0) 7974 249 494 E:[EMAIL PROTECTED] W:www.quostar.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 04 September 2006 15:06
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Completely OT: Maroons

Has anybody figured out what's causing the blank posts, or is it just me who got blank replies from Mark and Neil?

Thanks,
Laura

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Monday, September 04, 2006 4:15 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] Completely OT: Maroons
RE: [ActiveDir] Rid Master
as the tumbleweed blows on through the group, Rob peers over to Joe, tilts his hat, and gives a knowing nod ;) Rob Robert Rutherford QuoStar Solutions Limited T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: 04 September 2006 17:11 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Rid Master Guys explain me , The functions of RID master , how does i display RID of object created in AD Thanks in advance joe [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 09/04/2006 08:36 AM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: OT - RE: [ActiveDir] W. in hell While I wouldn't want this to become a humour list, I saw the email and laughed and figured the same thing Laura figured, that Outlook autofill bit the guy (which is funny all by itself because we have all seen it happen if not had it happen to ourselves) and then I moved on. I find all of the additional attention even more humourous including the value judgements of the quality of the joke and analysis of words. I classify the message as OT with the droves of other messages that come through the list that are OT[1] and being sent here because of a tenous relationship of being about technologies that utlitize AD[2] though the question itself has nothing to do with AD or simply folks forgoing it all and just saying WTF, I'll give it a shot and ask you guys because you seem helpful. If you get a whole day of many of those coming through it is a bit annoying. More annoying, at least to me, are questions that are ON TOPIC but someone didn't take time to look at the archives or google and asking like it was the first time it was asked versus maybe revisitng the previous discussion in new light. 
However, unless the list goes moderated which no one wants or at least a vast majority of the someone's don't want, the list is just the way it is and will be and you read the messages if you want and blow by them otherwise. Overall I would hate to lose the jocularity and casualness of the list. It is one of the things that make it worth reading. :) There have been quite a few times subjects have drifted off topic only to expose something in the monkeying around or what not based on something not everyone understood or knew that we wouldn't have otherwise found out that immediately snaps it all back on topic and of great use. joe [1] Though this was funnier than most OT stuff.There is my value judgment on the quality. :) [2] Versus actually being AD Technology. Examples of tech that utilize AD include but are not limited to GPOs, DNS, Exchange, print queues, clustering, file server manipulations (copying files, home drives, management, etc), etc. Not saying questions about all of those are automatically OT, but we tend to get quite a few questions in those areas that aren't about AD or the interaction with AD but about the non-AD aspects of the tech. Examples being a question about how to do something in a GPO versus say OU strategies for applying GPOs or the permissions on the GPO objects and how AD interprets them. Or a general question about DNS like what is returned in a query or how it is managed versus what records need to be in DNS for AD to work or how its app NC replicates. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino Sent: Monday, September 04, 2006 10:46 AM To: ActiveDir@mail.activedir.org Subject: RE: OT - RE: [ActiveDir] W. in hell I have a hell of a sense of humor (as Im sure a lot of geeks here do) this just isnt the place for it when people come here for help. 
/just sayin From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Sunday, September 03, 2006 10:58 PM To: ActiveDir@mail.activedir.org Subject: RE: OT - RE: [ActiveDir] W. in hell Nah.it looks more like the sender mistook this list for some other lists. On other lists, this would have been a engendered more rapid-fire flame war to the sender's satisfaction, even though the joke itself is very old and has outlived its useful shelf life. I'm sure he's disappointed that this list is so geeky and full of maroons with no sense of humors. Sincerely, _ (, / | /)/) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/ /) (/ Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize
RE: [ActiveDir] OT: Servers rebooting, etrust antivirus
Absolutely Shocking!

Rob

Robert Rutherford QuoStar Solutions Limited T:+44 (0) 8456 440 331 F:+44 (0) 8456 440 332 M:+44 (0) 7974 249 494 E:[EMAIL PROTECTED] W:www.quostar.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: 01 September 2006 17:46
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Servers rebooting, etrust antivirus

CA eTrust Antivirus flagging lsass.e x e
http://isc.sans.org/diary.php?nstoryid=1665
Unsubscribe: http://isc.sans.org/notify.php

Yup

Kevin Brunson wrote:

Anyone else out there dealing with the Computer Associates eTrust Antivirus signature thing this morning?

Symptoms: The system process C:\Windows\System32\lsass.exe terminated unexpectedly with status code 0. The system will now shut down and restart. After the reboot, it once again gives the same message, over and over.

Resolution: Update to the latest eTrust Antivirus signatures. The version ending in .3056 is known stable.

Details: Apparently the signatures are detecting lsass.exe as a virus and trying to rename or delete it. Windows File Protection kicks in and says no. They then argue for a bit and neither wins so the server gives up and reboots.

Hopefully no one else has experienced this, but if you are running ca, this should solve your problem. Almost all of my customers are running eTrust Antivirus, so it has been a very long morning.

Kevin

-- Letting your vendors set your risk analysis these days? http://www.threatcode.com If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] Site down for 36 hours so far - anything proactive to do?
No, it will sort itself out.. if it's a big operation then you may want to shape the IP traffic to give the AD some priority on reconnect.

Rob

Robert Rutherford QuoStar Solutions Limited T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: 29 August 2006 15:50
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site down for 36 hours so far - anything proactive to do?

One of our sites has been without power for over 36 hours now. Is there anything that I should do in AD if the site could potentially be down for another day or more? DCs are mixed between 2000 SP4, 2003 SP1, and 2003R2.

Thanks,
...D

-- CPDE - Certified Petroleum Distribution Engineer CCBC - Certified Canadian Beer Consumer
RE: [ActiveDir] OU tareq
Create a group in AD and add the users to it. Then use restricted groups (via group policy) to add that group into local admin on the PCs.

Cheers
Rob

Robert Rutherford QuoStar Solutions Limited T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of tareq ttt
Sent: 24 August 2006 15:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OU tareq

Dears,

How can I build a group policy that permits a normal account in the Active Directory to log in as Local Admin on any computer in one OU?

tareq
RE: [ActiveDir] Restoring RID
Hi Lucia,

You can seize the roles via NTDSUTIL. http://www.petri.co.il/seizing_fsmo_roles.htm

Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucia Washaya
Sent: 14 August 2006 09:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Restoring RID

How do I move the RID role when that server is already crashed? I want to recover from the loss of the RID master, so I cannot move it since it is not available. Or is there a way to do it?

Lucia Washaya CITS UNIOSIL Tel.: 022-295-526 xtn. 5497 Int'l Tel.: Via Italy + (39) 083123-5497 Via USA +1(212) 963-9588 (after audio response dial 174-5497)
== The cobra will bite whether you call it Cobra or Dear Mr. Cobra. ==

Matt Hargraves [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 14/08/2006 03:43
Please respond to ActiveDir@mail.activedir.org
To ActiveDir@mail.activedir.org cc
Subject Re: [ActiveDir] Restoring RID

I always recommend transferring FSMO roles from a box before upgrading it, then moving it back after the upgrade is completed successfully. If you've got enough DCs to justify splitting FSMO roles, you've got enough to move it to another box for a week to upgrade the box.

On 8/13/06, Chong Ai Chung [EMAIL PROTECTED] wrote:

When the RID flexible single-master operations DC is restored, it may use old RID pool values, and it can cause the restored RID flexible single-master operations DC to begin issuing duplicate SIDs. The best way is:
- to use another DC to seize the RID master role.
- Rebuild the OS on the crashed DC and promote it back as Domain Controller
- transfer the RID master role back to the rebuilt DC.

Regards,
Ai Chung

On 8/14/06, Lucia Washaya [EMAIL PROTECTED] wrote:

Colleagues,

We have a server which crashed during upgrade (2000 to 2003). Now we want to restore it. Problem is this server is the RID holder and the documentation on the technet says Restoring the RID Master can result in Active Directory data corruption, so it is not recommended. So what is the best way to restore this server? Thank you in advance for your assistance

Regards,
Lucia Washaya CITS UNIOSIL Tel.: 022-295-526 xtn. 5497 Int'l Tel.: Via Italy + (39) 083123-5497 Via USA +1(212) 963-9588 (after audio response dial 174-5497)
== The cobra will bite whether you call it Cobra or Dear Mr. Cobra. ==
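The duplicate-SID risk raised in the thread above, shown as a simplified model added to this archive (it is not code from any poster or from Microsoft). The domain SID, DC names, starting RID, the pool size of 500 and the premise that the seizing DC holds a current replicated copy of the allocation state are all assumptions of the example.

```python
"""Simplified model of RID pool allocation (constructed example).

Shows why restoring a crashed RID master from an old backup can lead to
duplicate SIDs, while seizing the role on a DC with current state does not.
"""
import copy
from dataclasses import dataclass

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed value
POOL_SIZE = 500  # pool size assumed for this model


@dataclass
class RidMaster:
    """Tracks the start of the not-yet-allocated RID space for the domain."""
    next_free: int = 1100  # assumed starting point

    def allocate_pool(self) -> range:
        pool = range(self.next_free, self.next_free + POOL_SIZE)
        self.next_free += POOL_SIZE
        return pool


@dataclass
class DomainController:
    """A DC that consumes RIDs from the pool it was handed."""
    name: str
    pool: range = range(0)
    used: int = 0

    def create_principal(self, master: RidMaster) -> str:
        # Ask the RID master for a new pool once the local one is exhausted.
        if self.used >= len(self.pool):
            self.pool = master.allocate_pool()
            self.used = 0
        rid = self.pool[self.used]
        self.used += 1
        return f"{DOMAIN_SID}-{rid}"


def create_many(dc, master, count, issued):
    """Create `count` principals on `dc` and record which DC issued each SID."""
    for _ in range(count):
        issued.setdefault(dc.create_principal(master), []).append(dc.name)


def simulate(recovery: str) -> dict:
    """Return {sid: [issuing DCs]} for every SID issued more than once.

    recovery = "restore": role holder brought back from a stale backup.
    recovery = "seize":   role seized on a DC holding current state.
    """
    if recovery not in ("restore", "seize"):
        raise ValueError("recovery must be 'restore' or 'seize'")

    issued = {}
    master = RidMaster()
    dc1 = DomainController("DC1")  # original RID master role holder
    dc2 = DomainController("DC2")

    create_many(dc1, master, 10, issued)
    backup = copy.deepcopy(master)      # backup taken at this point

    create_many(dc2, master, 10, issued)  # DC2 gets its pool AFTER the backup
    replicated = copy.deepcopy(master)    # state as replicated to other DCs

    # DC1 crashes here. Choose how the RID master comes back.
    master = backup if recovery == "restore" else replicated

    dc3 = DomainController("DC3")  # any DC that needs a fresh pool afterwards
    create_many(dc3, master, 10, issued)

    return {sid: dcs for sid, dcs in issued.items() if len(dcs) > 1}


if __name__ == "__main__":
    for mode in ("restore", "seize"):
        dupes = simulate(mode)
        print(f"{mode}: {len(dupes)} duplicate SIDs")
        for sid, dcs in list(dupes.items())[:3]:
            print(f"  {sid} issued by {dcs}")
```

In the "restore" run the stale allocation pointer hands DC3 the same pool DC2 already consumed, so both issue the same SIDs; in the "seize" run the pointer is current and the pools do not overlap.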
RE: [ActiveDir] Password resets
Heheh... had this come in on Silicon's round-up of the week :) snip And finally, Microsoft - everybody's favourite love-hate tech titan - has been up to its old tricks of late with a botched live demo of new voice recognition software, which will be included in its Vista launch, in front of media and analysts at its Redmond headquarters. A Microsoft employee bravely took to the stage, no doubt with the same kind of trepidation felt by the world's first parachute jumper or the person who discovered 'yes, you can eat snails'. Dear mom comma, he began speaking purposefully into a headset microphone positioned just a few millimetres from his lips with all the pace and clarity of an English tourist trying to order Two... pints... of... lager... please... in a foreign country. At which point Dear aunt, appeared on the big screen for all to see, followed by some much-to-be-expected chortling from the audience who no doubt fear the day a Microsoft demo runs smoothly. Fix aunt, said the slightly embarrassed Microsoft man. Dear aunt, let's set, read the screen. Delete that, delete that, delete that... he said. Dear aunt, let's set so, said the big screen. I think it's picking up a bit of an echo, he told the guffawing audience. Delete, select all, he added. Dear aunt, let's set so double the killer delete select all, came the response on the screen. By which point the audience was laughing so hard the Round-Up suspected an accident of a toilet nature may befall at least a few of its members. I'm glad you're enjoying this, offered the Microsoft man, realising he may have seen his demonstration go horrendously wrong but he'd at least made them laugh and doubtless left them eager for more. The comedy could only have been heightened if at that point Mr Clippy announced his return by popping up and saying: It looks like you're writing a letter. Or perhaps even: It looks like you're making a right old balls up of this my friend. 
However, it seems the problem may have been down to some background noise at the demonstration and not - the Round-Up repeats 'not', you understand - any crappy software. snip-

BR Rob

Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 11 August 2006 03:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password resets

Well all I can say is that we have several partners that have built password and pin reset capabilities on top of Microsoft Speech Server 2004 and have customers that are very satisfied with them: http://www.microsoft.com/speech/solutions/password/default.mspx . It is something that I get asked about a lot and was a requested feature for the password reset capabilities that are being planned for Active Directory.

Thanks, -Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, August 10, 2006 7:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password resets

Love that movie. (Sneakers with Robert Redford) I'd like world peace We're the government, we don't do that kind of thing! As an off topic, if you get the Director's edition you get the info about how the code speech done by the character Gunther was actually augmented and reviewed by the guy who is the A in RSA. (okay okay I need a life, I know...)

Passwords are one of the most challenging aspects of security and networks because they impact so closely with the human element. There are studies on how brains process numbers and how much we can remember.

Amazon.com: Perfect Passwords: Selection, Protection, Authentication: Books: Mark Burnett, Dave Kleiman: http://www.amazon.com/gp/product/1597490415/sr=8-2/qid=1155257055/ref=pd_bbs_2/103-7791739-9887065?ie=UTF8

This one has a chapter on passwords: Amazon.com: Protect Your Windows Network: From Perimeter to Data (Microsoft Technology): Books: Jesper M. Johansson, Steve Riley: http://www.amazon.com/gp/product/0321336437/sr=1-1/qid=1155257102/ref=pd_bbs_1/103-7791739-9887065?ie=UTF8s=books

The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3: Security Management - October 2004: http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx

The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3: http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint100504.mspx

The Great Debates: Pass Phrases vs. Passwords. Part 3 of 3 -- TechNet Column - Security Management - December 2004: http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx

David Adner wrote: Wait, I've seen this one before. My voice is my
RE: [ActiveDir] Password resets
I understand that... just thought it was a funny read. Being a techie... I'm sure we have all been in these red-face situations :) Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan Sent: 11 August 2006 14:54 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Password resets The two products are actually quite different especially since one relies on the sampling frequency of a phone versus any microphone an end user may have. Anyway the story you reference below actually has a much more interesting background and the developer responsible for the issue blogged about it here: http://blogs.msdn.com/larryosterman/archive/2006/07/31/684327.aspx. It is always interesting to see how software bugs manifest themselves in real life. Thanks, -Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: Friday, August 11, 2006 7:42 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Password resets Heheh... had this come in on Silicon's round-up of the week :) snip And finally, Microsoft - everybody's favourite love-hate tech titan - has been up to its old tricks of late with a botched live demo of new voice recognition software, which will be included in its Vista launch, in front of media and analysts at its Redmond headquarters. A Microsoft employee bravely took to the stage, no doubt with the same kind of trepidation felt by the world's first parachute jumper or the person who discovered 'yes, you can eat snails'. Dear mom comma, he began speaking purposefully into a headset microphone positioned just a few millimetres from his lips with all the pace and clarity of an English tourist trying to order Two... pints... of... lager... please... 
in a foreign country. At which point Dear aunt, appeared on the big screen for all to see, followed by some much-to-be-expected chortling from the audience who no doubt fear the day a Microsoft demo runs smoothly. Fix aunt, said the slightly embarrassed Microsoft man. Dear aunt, let's set, read the screen. Delete that, delete that, delete that... he said. Dear aunt, let's set so, said the big screen. I think it's picking up a bit of an echo, he told the guffawing audience. Delete, select all, he added. Dear aunt, let's set so double the killer delete select all, came the response on the screen. By which point the audience was laughing so hard the Round-Up suspected an accident of a toilet nature may befall at least a few of its members. I'm glad you're enjoying this, offered the Microsoft man, realising he may have seen his demonstration go horrendously wrong but he'd at least made them laugh and doubtless left them eager for more. The comedy could only have been heightened if at that point Mr Clippy announced his return by popping up and saying: It looks like you're writing a letter. Or perhaps even: It looks like you're making a right old balls up of this my friend. However, it seems the problem may have been down to some background noise at the demonstration and not - the Round-Up repeats 'not', you understand - any crappy software. 
snip-

BR Rob

Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 11 August 2006 03:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password resets

Well all I can say is that we have several partners that have built password and pin reset capabilities on top of Microsoft Speech Server 2004 and have customers that are very satisfied with them: http://www.microsoft.com/speech/solutions/password/default.mspx . It is something that I get asked about a lot and was a requested feature for the password reset capabilities that are being planned for Active Directory.

Thanks, -Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, August 10, 2006 7:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password resets

Love that movie. (Sneakers with Robert Redford) I'd like world peace We're the government, we don't do that kind of thing! As an off topic, if you get the Director's edition you get the info about how the code speech done by the character Gunther was actually augmented and reviewed by the guy who
RE: [ActiveDir] Password resets
I can almost hear a tumbleweed blow through. I've never seen an effective voice recognition system work in the real world but would love to if anyone has? Would it not be easier to go for a simpler auth method, i.e. RSA, mobile (cell phone), finger, token, etc? You shouldn't have to worry about lockout issues.

Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: 10 August 2006 22:55
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password resets

There is talk about using a home grown speech recognition system to reset a user's password. You would need to enroll, the system would record your voice and if you ever wanted to reset your password, it would ask you to repeat a word of its choice. The system would use a service account with the ability to reset passwords and turn on the option to force the user to reset the password at logon.

I am just sending this out to get some feedback. I would have a challenge trying to exclude certain groups from being able to do this, like IT folks with elevated credentials. Unfortunately those IT folks are in the same OU as the users that want this functionality. Thoughts on any part of this?

Thanks

Johnny Figueroa Supervisor Network Operations Support Network Services Banner Health Voice (602) 747-4195 Fax (602) 747-4406

WARNING: This message, and any attachments, are intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law.
If the reader of this message is not the intended recipient or employee/agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of the communication is strictly prohibited. If you receive this communication in error, please notify us immediately
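
The exclusion problem raised in the original post (privileged IT accounts sitting in the same OU as ordinary users) can be handled by gating the reset on group membership and `adminCount` rather than on OU placement. The following is an added sketch, not code from the thread or from any product; every DN, group name and attribute value in it is constructed sample data, and `reset_decision` is a hypothetical helper name.

```python
# Added illustration: decide whether a self-service reset may proceed for an
# account, based on (nested) group membership and adminCount, not on its OU.
# All DNs, group names and attribute values below are constructed sample data.


def norm(dn):
    """DNs compare case-insensitively in AD; normalise before matching."""
    return dn.strip().lower()


# Constructed directory snapshot. A real service would read memberOf and
# adminCount over LDAP; note that AD's memberOf omits the primary group.
SAMPLE_DIRECTORY = {norm(k): v for k, v in {
    "CN=Alice,OU=Staff,DC=example,DC=test": {
        "kind": "user", "adminCount": 0,
        "memberOf": ["CN=Ward Staff,OU=Groups,DC=example,DC=test"]},
    "CN=Bob,OU=Staff,DC=example,DC=test": {      # IT user in the same OU
        "kind": "user", "adminCount": 0,
        "memberOf": ["CN=Helpdesk Tier2,OU=Groups,DC=example,DC=test"]},
    "CN=Carol,OU=Staff,DC=example,DC=test": {    # flagged as protected
        "kind": "user", "adminCount": 1, "memberOf": []},
    "CN=Ward Staff,OU=Groups,DC=example,DC=test": {
        "kind": "group", "memberOf": []},
    "CN=Helpdesk Tier2,OU=Groups,DC=example,DC=test": {
        "kind": "group",
        "memberOf": ["CN=IT Elevated,OU=Groups,DC=example,DC=test"]},
    "CN=IT Elevated,OU=Groups,DC=example,DC=test": {
        "kind": "group",
        # Circular nesting on purpose: the walk below must still terminate.
        "memberOf": ["CN=Helpdesk Tier2,OU=Groups,DC=example,DC=test"]},
}.items()}

# Groups whose members (direct or nested) must never use self-service reset.
DENIED_GROUPS = {norm("CN=IT Elevated,OU=Groups,DC=example,DC=test")}


def transitive_groups(dn, directory):
    """Return every group the object belongs to, following nested groups."""
    seen = set()
    pending = [norm(g) for g in directory.get(norm(dn), {}).get("memberOf", [])]
    while pending:
        group = pending.pop()
        if group in seen:          # already visited: breaks nesting loops
            continue
        seen.add(group)
        parents = directory.get(group, {}).get("memberOf", [])
        pending.extend(norm(g) for g in parents)
    return seen


def reset_decision(user_dn, directory=SAMPLE_DIRECTORY, denied=DENIED_GROUPS):
    """Return (allowed, reason). Anything not positively eligible is refused."""
    entry = directory.get(norm(user_dn))
    if entry is None or entry.get("kind") != "user":
        return (False, "not a known user account")
    if entry.get("adminCount", 0) == 1:
        return (False, "adminCount=1: protected account, route to help desk")
    blocked = sorted(transitive_groups(user_dn, directory) & denied)
    if blocked:
        return (False, "member of excluded group: " + blocked[0])
    return (True, "eligible; set must-change-at-next-logon after reset")


if __name__ == "__main__":
    for name in ("Alice", "Bob", "Carol", "Mallory"):
        print(name, reset_decision("CN=%s,OU=Staff,DC=example,DC=test" % name))
```

The same deny list can be enforced a second time in the directory itself, by denying the reset service account the reset-password right on those accounts, so that a bug in the gate does not become a privilege escalation path.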
RE: [ActiveDir] machine GP load
Have you performed the usual gpresult, modelling, etc? Anything in the event logs? Is this a new policy or new machines (to the domain), or both in fact?

Cheers Rob

Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: 09 August 2006 21:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] machine GP load

I have a few machines that will not load the machine GP. I'm pretty sure that it's an issue with the workstations but just to cover butt, is there anything on the GP or AD that would prevent the GP from loading?

Antonio

Confidentiality Notice: The information contained in this message may be legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error please notify the author immediately by replying to this message and deleting the original message. Thank you.
RE: [ActiveDir] Moving Sysvol .
http://support.microsoft.com/?kbid=842162

Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: 08 August 2006 13:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Moving Sysvol .

Hello :) I have my ADw2k3sp1 hard disk configured as this: hdd1: AD logs. hdd2: ntds.dit + sysvol. I would like to change my hdd2, so I move the ntds.dit in hdd1 and that's ok. But how to move the sysvol folder in hdd1 ? Is there a way to do this ? Thanks for your replies.

Yann
RE: [ActiveDir] OT: SBS question
You should only have one SBS per domain, and also per subnet. You should be able to get round this by disabling DHCP on the new server... or putting it on a different subnet, etc. SBS is by its nature a DC. You can go around hacking bits out of the registry but you will end up violating the EULA. The migration method entirely depends on the size and complexity of the install. You might be better off with a scratch build and build it back, again it depends on the state of play in the domain as it stands, i.e. is it clean? Also, if it's a dev box and they develop for external customers on MS products, then he may be eligible for the Microsoft Action Pack subscription. You can then get a cleaner setup with a 2003 member server loaded with SQL... for a small annual fee.

Cheers Rob

Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 03 August 2006 10:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: SBS question

I've never seen SBS, but my younger brother has just started a new job (first one since leaving Uni) and bought a new server and it came with SBS. When he built it it appeared he had no choice but to make it a DC, even though he only wanted it as a member server - there's already an SBS box there. Anyway, we didn't know at the time (this was a phone conversation) so I told him to go ahead with the promotion (thinking it was just a stupid Dell wizard) and demote it later. He did this and now it reboots every day. So, I think I know the answer to this from the tidbits of info. I've seen in the groups and forums, etc. but can the 2nd SBS box be added to the domain with the first SBS or does he need to get a k3 Std. license instead?

All he wants at this point in time is a SQL and file server. (As you can guess, this is a small company, he's one of three dev guys there). And, if they wanted to replace the existing SBS box with this new one, how do they go about that if you can't have more than one SBS box? I doubt they want to migrate...

Thanks, --Paul

- Original Message -
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 3:45 AM
Subject: Re: [ActiveDir] Information about lingering objects in a Windows 2000-based forest or in a Windows Server 2003-based forest:

You know us blondes With barely a twig, let alone a tree in our forest...and I'll have you know this twig is clean installed 2k3 domain (I strongly believe in no inplace even in our twig domains down here). (and for the record for everyone's trivia tonight, while I choose to have a single DC (at this time) ... SBS can support additional DCs in our domain hey.. I've even used ntdsutil and ADSIedit even down here ;-)

Brett Shirley wrote: Susan, how on earth could _you_ get a lingering object? Seems impossible with only one DC, oh wait did you just forget to delete it? From The Love, -B

On Wed, 2 Aug 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: Information about lingering objects in a Windows 2000-based forest or in a Windows Server 2003-based forest: http://support.microsoft.com/?kbid=910205

-- Letting your vendors set your risk analysis these days? http://www.threatcode.com If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Remove Defunct domains..
If you use WINS check for them in there and delete if required.

Cheers, Rob

Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: 02 August 2006 22:46
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove Defunct domains..

Whenever I browse Network Neighborhood or view the list of available networks, there are a few domains that appear that shouldn't. Is there a way to remove these domain/domain entries manually ? ADSI edit ?

-- HBooGz:\
RE: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box
Loads of tools as Susan says, but just to note the GFI one no longer works - one of my engineers tried it a couple of months ago.

Rob

Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: 02 August 2006 22:21
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

RedEarth Software policypatrol.com Wizard and GUI The SBS way There are instructions at www.smallbizserver.net (I think they are still in the free docs) ...but I'm blonde and GUI and policy patrol works. If you are cheap GFI's mail scanner ...install the trial version and when it expires the disclaimer stays (or last I heard)

Bart Van den Wyngaert wrote: Hi guys, I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box. I'm using the EventSink with a .vbs to add the disclaimer. The box is configured with a default SMTP server and a SMTP connector which forwards all external email to the SMTP of the ISP. Anybody who has done the trick already? If so, can you please tell me the little secret for this? *g* Many thanks to all, Bart

-- Letting your vendors set your risk analysis these days? http://www.threatcode.com If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] DC Can't Handle DNS Pointed to Self
Sounds like it's not replicating. When you say non-domain firewall, what do you mean? You don't want any firewall on it unless you have a specific need. If you strip the firewall off, where does that leave you? If you use dcdiag and netdiag they should also give you an idea about what's going on. If you like, feel free to mail them to me.

Cheers, Rob

Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: 28 July 2006 07:20
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Can't Handle DNS Pointed to Self

Hello: This is sort of a follow up to two recent postings. Any thoughts are welcome as I have now been trying to figure this one out for about a week. I have DC running as a virtual machine under (host W2k3 SP1 w/ VS 2005 R2; guest: W2k3 ENT R2). This machine was recently promoted. When its local DNS points to itself, the machine does not logon to the domain. It appears to not even know about itself. No one can get to it because it loads the non-domain firewall GPO (enabling the full firewall). When I point DNS across the WAN, it loads though interestingly it does not become visible on the network until I log into it (via the VS management tools). I can then log out and it stays visible. It then appears to function correctly. Any thoughts greatly appreciated.

-- nme

-- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.394 / Virus Database: 268.10.4/399 - Release Date: 7/25/2006
RE: [ActiveDir] DC Can't Handle DNS Pointed to Self
Also, what's your DNS setup?

Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: 28 July 2006 07:20
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Can't Handle DNS Pointed to Self

Hello: This is sort of a follow up to two recent postings. Any thoughts are welcome as I have now been trying to figure this one out for about a week. I have DC running as a virtual machine under (host W2k3 SP1 w/ VS 2005 R2; guest: W2k3 ENT R2). This machine was recently promoted. When its local DNS points to itself, the machine does not logon to the domain. It appears to not even know about itself. No one can get to it because it loads the non-domain firewall GPO (enabling the full firewall). When I point DNS across the WAN, it loads though interestingly it does not become visible on the network until I log into it (via the VS management tools). I can then log out and it stays visible. It then appears to function correctly. Any thoughts greatly appreciated.

-- nme
RE: [ActiveDir] Multihomed Domain Controllers
Jeff, If you back them up over the client-facing LAN conn or over your Gb back-end I wouldn't have any concerns. If you want to just standardise your setup then just go for it.

Cheers. Rob

Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 13 July 2006 12:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Well, I don't think the driving factor is the size of the IT operation in terms of # DC's necessarily. In my small environment (3 x DC, 1 x Exchange, 2 x Fileserver, 1 x Sharepoint), the factors are

- My client facing network is 100 Mbs Ethernet
- Major vendor's servers have come with inbuilt dual GbE NICs for the last 3+ years
- GbE switches are now ridiculously cheap
- Backup software supports this configuration (some vendors recommend this config, as noted by other replies)
- Uniform configuration, I backup Exchange, file servers, etc using this configuration.

So I guess you could look at as a poor man's SAN. From my perspective it seems a reasonable thing to do.

--- Jeff Green Network Support Manager SAPIENS (UK) Ltd t: +44 (0)1895 464228 f: +44 (0)1895 463098 I dream of hover cars and old transistor radios ... she dreams of flowers in a field of sunny bungalows

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kurt Falde
Sent: 12 July 2006 16:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

So how many DC's do you have? What is your DIT size like to warrant going through all this trouble? Are there other applications that you need to backup on the DC's that are requiring full backups of all your DC's. With most environments getting the system state from a DC/GC in each domain should be enough to allow you to do whatever authoritative restores that you need. Now if you have other apps that you need to do a large data backups of then this may be required. Yes you can do multiple nic's on DC's and quite a few organizations do however it definitely would not fall under best practices for Domain Controllers.

Kurt Falde Premier Field Engineer Northeast Region Microsoft Corporation [deleted]

Confidentiality Note: The information contained in this email and document(s) attached are for the exclusive use of the addressee and may contain confidential, privileged and non-disclosable information. If the recipient of this email is not the addressee, such recipient is strictly prohibited from reading, photocopying, distribution or otherwise using this email or its contents in any way. Please notify the Sapiens (UK) Ltd. Systems Administrator via e-mail immediately at [EMAIL PROTECTED], if you have received this email in error. Disclaimer: The views, opinions and guidelines contained in this confidential e-mail are those of the originating author and may not be representative of Sapiens (UK) Ltd.
RE: [ActiveDir] Multihomed Domain Controllers
No issues, if you... Go to the TCP/IP settings of the backup network card, click advanced, go to the DNS tab and untick register the connection in DNS.

Cheers, Rob

Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi, First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc ? Any other "gotchas" ?

Many Thanks,

--- Jeff Green Network Support Manager SAPIENS (UK) Ltd t: +44 (0)1895 464228 f: +44 (0)1895 463098 "I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"
RE: [ActiveDir] Multihomed Domain Controllers
I've used the same configuration in a number of relatively sizeable sites (2000+ user base) with no issues as the guys state.. just trial it.

Cheers Rob

Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 13:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multihomed Domain Controllers

Hi Guys, Many thanks to all that have responded (and so quickly !) Points / clarifications / additional Qs

a) DNS multihomed issues: Yes, found that in the MS KB about not "registering this connection in DNS" on the second NIC. Also leave the gateway / DNS TCP/IP settings blank on the second NIC.

b) Browser Issues: Several things in MS KB about this and fixes (including hacking a registry if I remember correctly) But would Browser issues affect AD operations - I'm talking about replication issues here ?

c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3. Sorry should have stated this.

d) Backup: Using BackupExec, which allows binding of remote agents to specific NICs

Have I got everything covered - I can't believe this is an unusual configuration ?

Many Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Green
Sent: 12 July 2006 11:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multihomed Domain Controllers

Hi, First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc ? Any other "gotchas" ?

Many Thanks,

--- Jeff Green Network Support Manager SAPIENS (UK) Ltd t: +44 (0)1895 464228 f: +44 (0)1895 463098 "I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"
RE: [ActiveDir] Multihomed Domain Controllers
I guess that is very true... on reflection I was using the separate connection situation on satellite sites, where the DC did have backup exec loaded.. I hear you *gasp* Cheers Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: 12 July 2006 14:36 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Multihomed Domain Controllers Personally, I've never used that configuration for a DC. Since being bit in the nt4.0 days (before that really, but hate to show the age :) I've had architectural reasons to not do that. Since AD is made up of a multi-master fabric, I have had no reason at all to require an isolated network dedicated to backups. I get the feeling in your case it's just a nice to have vs. a requirement since you have the hardware and figure why not put it to use. You'd be a rare exception if the size of the dit is large enough to require such a configuration. Saying that, is it possible? Most likely. Will it be difficult when/if you call for support for some other issue to explain to the engineer that you have a multi-homed DC? Most likely. Does it break the "keep it as simple as possible while meeting the requirements?" rule? Most likely. When you test this, as the others have mentioned, be sure to test the recoverability and the gotchas that come along with bringing up a recovered DC on a multi-homed machine. You'll want to have that documented and thoroughly tested so as not to have to deal with that when under pressure. You may also want to consider an alternative backup method that doesn't require a dedicated network to the DC's. Just some random thoughts and my $.04 (USD) worth. Al On 7/12/06, Jeff Green [EMAIL PROTECTED] wrote: Hi Guys, Many thanks to all that have responded (and so quickly !) 
Points / clarifications / additional Qs a) DNS multihomed issues Yes, found that in the MS KB about not "registering this connection in DNS" on the second NIC. Also leave the gateway / DNS TCP/IP settings blank on the second NIC. b) Browser Issues Several things in MS KB about this and fixes (including hacking a registry if I remember correctly) But would Browser issues affect AD operations - I'm talking about replication issues here ? c) Currently running W2K SP4 + rollups on all DCs - but moving to W2K3. Sorry should have stated this. d) Backup Using BackupExec, which allows binding of remote agents to specific NICs Have I got everything covered - I can't believe this is an unusual configuration ? Many Thanks From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Jeff Green Sent: 12 July 2006 11:43 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Multihomed Domain Controllers Hi, First posting to this list but I've lurked quite a while and I've been very impressed by the quality of replies by the gurus. My question is regarding the advisability of having multihomed DCs. Basically I want to run backups over a separate GbE and as my servers have dual inbuilt NICs this seems an obvious route to take. I know there are some issues with DNS (I have a DNS integrated AD). Would this cause replication problems, etc ? Any other "gotchas" ? Many Thanks, --- Jeff Green Network Support Manager SAPIENS (UK) Ltd t: +44 (0)1895 464228 f: +44 (0)1895 463098 "I dream of hover cars and old transistor radios ... She dreams of flowers in a field of sunny bungalows"
RE: [ActiveDir] OT: My Docuent not Redirecting
It was re-directed, but now not? Does the profile appear on the c:\? What is the behavior when the user logs onto another machine? Rob Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: 28 June 2006 21:33 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: My Docuent not Redirecting I have a user on a Windows 2000 Pro SP 4 box that used to have his My Documents auto redirected to his user drive, however all of a sudden the computer won't re-direct it. The GPO is fine, he is the owner of his user drive, security is correct on the folder, there are zero errors on the box. Does anyone have any ideas of what else I can try? Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell [EMAIL PROTECTED]
RE: [ActiveDir] A quick(?) NTP question
I remember from an AD trouble-shooting course many years ago that it simply checks first one in the list and moves down on fail. I'm sorry but don't have any supporting documentation to confirm. Rob Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: 21 June 2006 11:05 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] A quick(?) NTP question Here's a simple one for anyone who understands the internals of NTP: Scenario: PDCe in root domain is configured to use 2 NTP servers Question: Will the PDCe always sync with the same NTP server unless it's not available and then sync with the other NTP server? Or Will the PDCe talk to both NTP servers and adjust its clock according to the various NTP algorithms used to determine which NTP server is 'more accurate'? If the latter, does anyone have a doc which explains that algorithm? Many thanks, neil PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. 
Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
RE: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server
Hi David, Just restore and resume as it's a single DC. Cheers Rob Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David Sent: 20 June 2006 10:38 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server To all single DC folks - when you perform a restore of your single DC from an image, as part of your procedure do you increase the value of the RID pool or just restore and resume working? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 20 Jun 2006 1:03 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server And you didn't go to Jeff Middleton's TechEd session on DR for Small business did you? We're a single DC folks.. hello... it works. We're not enterprise and that means best practices for you are not best practices for us. Acronis works. Big boys can't image DCs.. we can. We're little..we're agile and we can do it. Big server land can't ...and that's fine...but the rules of big server land stop at the gates of SBSland... it's a whole diff ball game for us. (Fenway was cool btw) Paul Glenn wrote: I attended a Disaster Recovery of AD class at TechEd this past week. One thing they said was to NEVER EVER rely on a ghost image for DR. Their reasoning was the whole SID situation. Paul On 6/17/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: And us SBSers will say that sometimes that single DC with a DR strategy in place can be less issue than multiple domain controllers. (please note the DR strategy phrase there.. 
this is planned ahead of time) What is the size of the firm and what is the tolerance of downtime. Start from there. Plan your DR process. Almeida Pinto, Jorge de wrote: Only in an AD environment with ONE DC in the AD FOREST, there would not be much of an issue. Although I still recommend to use a supported method. No matter how many DCs, using a supported method/tool/procedure, you will always be ready for it. As soon as you get a second DC, the image thing won't work that good anymore. For more info also see: http://blogs.dirteam.com/blogs/jorge/archive/2006/03/08/597.aspx I also recommend to have AT LEAST 2 DC in each AD domain (and backup at least 2, preferably more if you have more DCs) for if something goes wrong with one DC. In that case while one DC is still running you can repair the other or promote another DC into the AD domain. If you only have one DC, AD will be available again as soon as that single DC is up and running again. Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto /Senior Infrastructure Consultant/ /MVP Windows Server - Directory Services/ // *LogicaCMG Nederland B.V. (BU RTINC Eindhoven)* ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address *From:* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] on behalf of Jose Medeiros *Sent:* Sat 2006-06-17 08:01 *To:* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] *Cc:* Medeiros, Jose; ActiveDir@mail.activedir.org *Subject:* [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server Hi Amit, Well first you'll need to buy Symantec Ghost Corporate Edition so you have the 32 bit version. Then if you have a server such as a HP Proliant DL-580 with a 6400 Smart Raid Controller you'll need to add the Raid controller driver to your bootable CD Rom that you'll have to create so it can access the Raid Disk Array. 
If you want to create your own Bootable CD, I would recommend you use Microsoft WinPE or Bart's PE http://www.nu2.nu/pebuilder/. Barts also allows you to use Acronis http://www.acronis.com/ which may be less expensive than Ghost Corporate, however I have only used Ghost Version 8, 32Bit and can attest that it works ( I've imaged several hundred servers with it at ADP Payroll Systems ). Hope this helps, the rest
RE: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server
Note that you will of course need to restore the changes taken between images, i.e. system state et al Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: 20 June 2006 11:00 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server Hi David, Just restore and resume as it's a single DC. Cheers Rob Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David Sent: 20 June 2006 10:38 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server To all single DC folks - when you perform a restore of your single DC from an image, as part of your procedure do you increase the value of the RID pool or just restore and resume working? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 20 Jun 2006 1:03 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server And you didn't go to Jeff Middleton's TechEd session on DR for Small business did you? We're a single DC folks.. hello... it works. We're not enterprise and that means best practices for you are not best practices for us. Acronis works. Big boys can't image DCs.. we can. We're little..we're agile and we can do it. 
Big server land can't ...and that's fine...but the rules of big server land stop at the gates of SBSland... it's a whole diff ball game for us. (Fenway was cool btw) Paul Glenn wrote: I attended a Disaster Recovery of AD class at TechEd this past week. One thing they said was to NEVER EVER rely on a ghost image for DR. Their reasoning was the whole SID situation. Paul On 6/17/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: And us SBSers will say that sometimes that single DC with a DR strategy in place can be less issue than multiple domain controllers. (please note the DR strategy phrase there.. this is planned ahead of time) What is the size of the firm and what is the tolerance of downtime. Start from there. Plan your DR process. Almeida Pinto, Jorge de wrote: Only in an AD environment with ONE DC in the AD FOREST, there would not be much of an issue. Although I still recommend to use a supported method. No matter how many DCs, using a supported method/tool/procedure, you will always be ready for it. As soon as you get a second DC, the image thing won't work that good anymore. For more info also see: http://blogs.dirteam.com/blogs/jorge/archive/2006/03/08/597.aspx I also recommend to have AT LEAST 2 DC in each AD domain (and backup at least 2, preferably more if you have more DCs) for if something goes wrong with one DC. In that case while one DC is still running you can repair the other or promote another DC into the AD domain. If you only have one DC, AD will be available again as soon as that single DC is up and running again. Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto /Senior Infrastructure Consultant/ /MVP Windows Server - Directory Services/ // *LogicaCMG Nederland B.V. 
(BU RTINC Eindhoven)* ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address *From:* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] on behalf of Jose Medeiros *Sent:* Sat 2006-06-17 08:01 *To:* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] *Cc:* Medeiros, Jose; ActiveDir@mail.activedir.org *Subject:* [ActiveDir] Ghost Backup or Image for Active Directory Server and Exchange Server Hi Amit, Well first you'll need to buy Symantec Ghost Corporate Edition so you have the 32 bit version. Then if you have a server such as a HP Proliant DL-580 with a 6400 Smart Raid Controller
RE: [ActiveDir] Win2k Sites Login Servers
Does all look good with your DNS SRV records per site? Are there any errors in the client event logs? Does the behavior occur from any site? If you reboot and log on to the other site is all ok? Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: 20 June 2006 11:08 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Win2k Sites Login Servers Windows 2000 Domain in Native Mode (Test Environment) 1 Domain 3 Sites each with its subnets defined 3 servers each with an IP address relating to a particular site. Each server is hosting DNS and DHCP. Each server is a GC. When I plug a laptop in and log on as a user for the 1st time it will log onto the DC that is in its relevant site, but when I log off and login to another site it will still connect to the previous GC as its login server unless we perform a flushdns before logging off. The laptop will pick up the correct DHCP address depending on what site it is at. I am using 'echo %logonserver%' to determine which login server it is using. I have tried shortening the DHCP lease time but still the same issue occurs. Chris.
RE: [ActiveDir] Servers or Workstations
Hi John, I would 'generally' opt for servers first as you can then take advantage of the 2K, 2K3 goodies, i.e. AD straight away when you migrate the workstations. Rob Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky Sent: 20 June 2006 18:37 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Servers or Workstations Hey all, I thought I had our AD Migration plan as we were going to do workstations first but I'm having second thoughts. I think we should do servers first then workstations. Could I have your thoughts on this? Thanks john List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
Hi, It does sound like our old pal DNS. If you run a dcdiag and netdiag, do they both run clean? If not then please post the results. If all is clean and it's a test environment then pull it and clean it up with ntdsutil et al. If it's a new situation then just replicate and see if you still have the issue. I have always found a couple of hours helps many ills. BR Rob Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: 19 June 2006 20:52 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem removing last w2k DC from a w2k3 domain I'm in the process of upgrading my test domain (empty root and 1 child) to w2k3 R2 based DCs and (thanks to help from the friendly folks here) am just about done. I have one last w2k dc left to remove. It doesn't want to go peacefully. I moved the FSMO roles off and the next day tried to dcpromo it down to a simple server. I get Managing the network session with FBDC1.fnal.gov failed Access is denied. dcpromoui t:0x848 00479 Exit State::GetFailureMessage The operation failed because: Managing the network session with FBDC1.fnal.gov failed A quick check shows that I can't get to the admin shares of my new w2k3 dc/FSMO role holder from the w2k dc. I can get to the admin shares of the other simple servers but not either of the 2 DCs. Other systems can access the admin shares via the domain admin account I'm using on the w2k DC. I've been searching and have found people having a similar problem when promoting a w2k machine to be a DC but not when demoting. I've tried a number of the things that were suggested in those articles and they have had no effect. There is no firewall in the way. AD replication and FRS work. Any ideas before I rip it out? 
al -- Al Lilianstrom CD/CSS/CSI [EMAIL PROTECTED] List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Acitve Directory Internet Cafe Software
Hello, I looked some time ago but didn't find anything which truly fits, but I did use http://www.antamedia.com/caffe/ in one environment and it was fine. If you have a suitable firewall and/or a suitable content filter then we could work something... what are u using? Cheers Rob Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lloyd Williams Sent: 19 June 2006 21:47 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Acitve Directory Internet Cafe Software Hi Is there anyone out there aware of internet Café software that utilizes active directory accounts? Basically I have a bunch of computers I have users log into, and I need to monitor their time logged in and create reports on computer usage by active directory accounts. The sort of software that does this is typically the same software that runs internet cafés but it seems they all use a proprietary account setup. Lloyd Williams List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Group Policy not working?!
Will need to be the user object. Not security groups. You can use sec groups to filter. Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: 16 June 2006 11:40 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Group Policy not working?! Windows 2000 Domain in Native Mode (Test Environment) 1 Domain 3 OU's (FactoryOU, RaceTeamOU, TestTeamOU) In each of the OU's is a Security Group - Global In each of the groups we have placed the users computers relevant to that group. The default domain policy takes effect with no problems but we are unable to get the Factory, RaceTeam or TestTeam policies to work unless we take them out of the security group and place them directly into the OU. Do GPO's work with groups or is it only users? Chris.
RE: [ActiveDir] Group Policy not working?!
I didn't exactly make that clear, did I? The group policy will apply to the user object located within their site, domain and OU. You can however stop or allow specific policies from taking effect by using the ACL on each policy. Rob Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: 16 June 2006 12:04 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Group Policy not working?! Will need to be the user object. Not security groups. You can use sec groups to filter. Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: 16 June 2006 11:40 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Group Policy not working?! Windows 2000 Domain in Native Mode (Test Environment) 1 Domain 3 OU's (FactoryOU, RaceTeamOU, TestTeamOU) In each of the OU's is a Security Group - Global In each of the groups we have placed the users computers relevant to that group. The default domain policy takes effect with no problems but we are unable to get the Factory, RaceTeam or TestTeam policies to work unless we take them out of the security group and place them directly into the OU. Do GPO's work with groups or is it only users? Chris.
RE: [ActiveDir] How to get rid of from blacklisted
This isn't AD, should be posted in Exch groups. http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ajay Kumar Sent: 15 June 2006 14:12 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] How to get rid of from blacklisted Hi all, Can u help me on this prob. Problem is that my exchange 2003 which installed on win 2003 dc gets blacklisted (Means my static ip is blacklisted). I searched how to stop this and on net i found solutions pointing towards open relay and spam protection. They r saying that ur exchange is spaming so tell me how to control and stop spamming. Sam.
RE: [ActiveDir] Domain Controller - Location Move
You shouldn't have any issues, except the subnet/site. Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Contreras, Robert Sent: 08 June 2006 13:52 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Domain Controller - Location Move Hello everyone, Simple question - just want to verify: Single forest\single domain comprised on 2 domain controllers physically in one location. We would like to physically move one of the domain controllers (the 2nd one promoted) to a new location (eventually both - during the complete data center relocation). The DC will most likely change IP's after the move - so configuring a site in the new location and assigning the appropriate subnets for the new location is important - anything else other than shutting it down and bringing it over? Thx! RC
RE: [ActiveDir] Domain Controller - Location Move
Of course, just note that you'll need to ensure DNS records are correct for the servers to find each other for repl. Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Contreras, Robert Sent: 08 June 2006 13:52 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Domain Controller - Location Move Hello everyone, Simple question - just want to verify: Single forest\single domain comprised on 2 domain controllers physically in one location. We would like to physically move one of the domain controllers (the 2nd one promoted) to a new location (eventually both - during the complete data center relocation). The DC will most likely change IP's after the move - so configuring a site in the new location and assigning the appropriate subnets for the new location is important - anything else other than shutting it down and bringing it over? Thx! RC
RE: [ActiveDir] Domain Controller - Location Move
If you can then yes. Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Contreras, Robert Sent: 08 June 2006 15:49 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain Controller - Location Move Thanks for the responses - I wonder if it would just be easier to create a new DC at the new location (within the new AD site). From: Laura E. Hunter Sent: Thu 6/8/2006 9:38 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Domain Controller - Location Move A good place to start is the following checklist that Jorge posted awhile back: How to move a DC to another site?: http://blogs.dirteam.com/blogs/jorge/archive/2005/11/25/165.aspx There have also been a number of discussions that you can find in the list archives: http://www.activedir.org/ml/threads.aspx HTH Laura On 6/8/06, Contreras, Robert [EMAIL PROTECTED] wrote: Hello everyone, Simple question - just want to verify: Single forest\single domain comprised on 2 domain controllers physically in one location. We would like to physically move one of the domain controllers (the 2nd one promoted) to a new location (eventually both - during the complete data center relocation). The DC will most likely change IP's after the move - so configuring a site in the new location and assigning the appropriate subnets for the new location is important - anything else other than shutting it down and bringing it over? Thx! RC -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Virtual DCs
I'm a great advocate of VMWare and use it for many services. If the hardware supports the load happy days! Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rivera, Ada Sent: 06 June 2006 12:51 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Virtual DCs We have a single domain forest with about 7,000 users. Currently we have 8 AD regional sites and one HQ AD site. The regional sites each have a DC serving their local regional area and there are multiple DCs in our HQ site. The environment is currently running Windows 2000 SP4 and we are looking to upgrade our DCs to W2K3. The direction from management is that we will put all of our domain controllers on VM Ware when we upgrade the DCs to W2K3. Does anyone have any thoughts on this? Good or Bad idea?
RE: [ActiveDir] Slow Boot Up
Sounds like DNS... check your SRV records are correct in DNS. Anything showing in the client event logs?

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: 25 May 2006 16:02
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Slow Boot Up

I would use ethereal to grab a trace of opening up ADUC and take a peek at what it's trying to do. Maybe it's a DNS issue. Also, are your clients logging event ID 1030's in the app log?

-Brandon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, May 25, 2006 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Slow Boot Up

Morning everyone,

Recently all my wkstns are taking up to 5 minutes to log in after a restart. Stuck at Applying Computer Settings and Applying Security Settings. Only change to GPO is offline files options are all disabled. While from the desktop it takes up to 30 seconds to load and open up AD snap-in to add a user to a group. Doesn't matter if firewall is turned on or off. No weird logs on DC. DCDIAG and NetDiag showed no errors.

My FSMO roles are spread between two DC in two separate subnets. Schema Master, Domain Naming Master, and GC are on the same DC. RID, Infras, and PDC is on the other DC. I thought about promoting another server to a DC. Any thought or idea where to check and look?

-Z.V.
RE: [ActiveDir] GPO Software Deployment
Thanks Darren, that worked. I should have figured that out for myself from the error message. It's been a tough week :)

Much appreciated

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 16 May 2006 16:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment

So, I suspect what is happening here, based on that error, is the popup you're seeing is Windows Installer trying to repair the application but not finding the right files to do it. The Feature name, WIFEAT0001, tells me the package was created using WinInstall--not very interesting. I suspect that the registry still contains references to the package. I would search the registry by the Product GUID, below, and get rid of all instances of it. Alternatively, you could try downloading and running the Installer Cleanup tool, found at http://support.microsoft.com/kb/290301/

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Tuesday, May 16, 2006 3:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment

Hi Guys,

Thanks for the input but still no joy, nothing is showing in the logs and I don't have the original package. The below is popping up in the event log though :-

Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1001
Date: 16/05/2006
Time: 11:20:21
User: domain\username
Computer: compname
Description: Detection of product '{5C3FD7C5-92BD-47A1-B5EE-52E71A1C2B82}', feature 'WIFEAT0001' failed during request for component '{500ED4E4-1352-4AF6-8FE3-21EFFBC7B34D}'

Does this jog any memories for anyone? I think I'm just going to have to get the whole lot rebuilt. Woe is me.

Cheers

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 15 May 2006 23:43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment

Rob

Do you have access to the original MSI (it could be repackaged as an EXE)?

msiexec /i file.msi /L*vx c:\path\to\logfile.txt

That will dump out as much possible info about what is happening. If you need help debugging the output, let me know.

Cheers
Jon Austin

[EMAIL PROTECTED] wrote on 16/05/2006 12:11:41 AM:

From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Wednesday, May 10, 2006 3:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO Software Deployment

Hi All,

Strange one.. I have taken over the support of an organisation where the last organisation has made a bit of a pig's ear of the AD deployment. It appears upon discussion with staff that a software deployment of Acrobat reader has been put in at some point and then removed. I also found an old machine with a self built msi package on. Now, while the users are working away an msi installer window just flickers up on the screen and vanishes regularly. This is infuriating for the user base but I can't seem to nail it down as any reference has been removed from the registry.

This e-mail has been scanned for viruses by MessageLabs.
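The registry search suggested in this thread, as an added example that is not part of the original messages. It goes one step beyond the thread: Windows Installer also registers a product under a "packed" form of its product code, so a search for the GUID as printed in the event misses those keys. The function names are hypothetical, the key list is the set of standard Windows Installer registration locations assumed here, and the script only reports what it finds.

```powershell
# Added example: parse an MsiInstaller 1001 description and list where the
# product code may still be registered. Read-only; nothing is deleted.

# Constructed sample input: the description text quoted in the thread.
$description = "Detection of product '{5C3FD7C5-92BD-47A1-B5EE-52E71A1C2B82}', " +
               "feature 'WIFEAT0001' failed during request for component " +
               "'{500ED4E4-1352-4AF6-8FE3-21EFFBC7B34D}'"

function Get-MsiEventIds {
    # Pull product code, feature name and component code out of the message.
    param([Parameter(Mandatory)][string]$Description)
    $pattern = "product '(?<product>\{[0-9A-Fa-f-]{36}\})', feature '(?<feature>[^']+)' " +
               "failed during request for component '(?<component>\{[0-9A-Fa-f-]{36}\})'"
    if ($Description -notmatch $pattern) {
        throw 'Not an MsiInstaller detection-failure message'
    }
    [pscustomobject]@{
        Product   = $Matches['product']
        Feature   = $Matches['feature']
        Component = $Matches['component']
    }
}

function ConvertTo-PackedGuid {
    # Packed form used under ...\Installer\Products: the first three GUID
    # groups are reversed character by character, and every remaining byte
    # has its two hex digits swapped. Braces and dashes are dropped.
    param([Parameter(Mandatory)][string]$Guid)
    $hex = $Guid.Trim('{', '}').Replace('-', '').ToUpperInvariant()
    if ($hex -notmatch '^[0-9A-F]{32}$') { throw "Not a GUID: $Guid" }

    $packed = ''
    foreach ($group in @($hex.Substring(0, 8), $hex.Substring(8, 4), $hex.Substring(12, 4))) {
        $chars = $group.ToCharArray()
        [array]::Reverse($chars)
        $packed += (-join $chars)
    }
    for ($i = 16; $i -lt 32; $i += 2) {
        $packed += [string]$hex[$i + 1] + [string]$hex[$i]
    }
    return $packed
}

function Find-MsiProductRemnant {
    # Report which registration keys for this product code still exist.
    param([Parameter(Mandatory)][string]$ProductCode)
    $packed = ConvertTo-PackedGuid $ProductCode
    $candidates = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode",
        "HKLM:\SOFTWARE\Classes\Installer\Products\$packed",
        "HKLM:\SOFTWARE\Classes\Installer\Features\$packed",
        "HKCU:\Software\Microsoft\Installer\Products\$packed",
        "HKCU:\Software\Microsoft\Installer\Features\$packed"
    )
    # Installer data is also kept per SID, then per packed product code.
    $userData = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'
    if (Test-Path -LiteralPath $userData) {
        foreach ($sid in Get-ChildItem -LiteralPath $userData -ErrorAction SilentlyContinue) {
            $candidates += "$userData\$($sid.PSChildName)\Products\$packed"
        }
    }
    foreach ($path in $candidates) {
        [pscustomobject]@{ Path = $path; Present = (Test-Path -LiteralPath $path) }
    }
}

$ids = Get-MsiEventIds $description
"Product {0} (packed {1}), feature {2}" -f $ids.Product, (ConvertTo-PackedGuid $ids.Product), $ids.Feature
Find-MsiProductRemnant $ids.Product | Format-Table -AutoSize
```

HKCU is the hive of whoever runs the script, so run it in the affected user's session to see per-user registrations.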
RE: [ActiveDir] GPO Software Deployment
Hi Guys,

Thanks for the input but still no joy, nothing is showing in the logs and I don't have the original package. The below is popping up in the event log though :-

Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1001
Date: 16/05/2006
Time: 11:20:21
User: domain\username
Computer: compname
Description: Detection of product '{5C3FD7C5-92BD-47A1-B5EE-52E71A1C2B82}', feature 'WIFEAT0001' failed during request for component '{500ED4E4-1352-4AF6-8FE3-21EFFBC7B34D}'

Does this jog any memories for anyone? I think I'm just going to have to get the whole lot rebuilt. Woe is me.

Cheers

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 15 May 2006 23:43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment

Rob

Do you have access to the original MSI (it could be repackaged as an EXE)?

msiexec /i file.msi /L*vx c:\path\to\logfile.txt

That will dump out as much possible info about what is happening. If you need help debugging the output, let me know.

Cheers
Jon Austin

[EMAIL PROTECTED] wrote on 16/05/2006 12:11:41 AM:

From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Wednesday, May 10, 2006 3:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO Software Deployment

Hi All,

Strange one.. I have taken over the support of an organisation where the last organisation has made a bit of a pig's ear of the AD deployment. It appears upon discussion with staff that a software deployment of Acrobat reader has been put in at some point and then removed. I also found an old machine with a self built msi package on. Now, while the users are working away an msi installer window just flickers up on the screen and vanishes regularly. This is infuriating for the user base but I can't seem to nail it down as any reference has been removed from the registry.
RE: [ActiveDir] Is there a way to force users to logon to domain?
No, and I always find it a relief to have a local admin account in a failure situation.

Robert Rutherford
QuoStar Solutions Limited

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: 16 May 2006 16:26
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is there a way to force users to logon to domain?

On 16/05/06, Olivarez, Sergio J Mr CTNOSC/GD-NS [EMAIL PROTECTED] wrote:

Yeah, disregard what I said about just leaving Admins on the allow logon locally setting, that's my bad. I guess best thing to do would be delete all existing local user accounts.

Can you actually delete localhost\administrator on NT4/2K/XP workstations?

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not prove anything. - Nietzsche

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GPO Software Deployment
Hi Darren,

Thanks for the reply. Unfortunately there are no logs being dumped at all. The Windows installer screen literally just flashes for a second and then vanishes, more or less each time they open a new window or app. Any other ideas?

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: 08456 440 331 F: 08456 440 332 M: 07974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 10 May 2006 15:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Software Deployment

Robert-

If Installer is really doing something, it should generate an MSI*.log file in %temp% (or in %windir%\temp for per machine installs). I would look in there for a recent one that shows what's going on.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Wednesday, May 10, 2006 3:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO Software Deployment

Hi All,

Strange one.. I have taken over the support of an organisation where the last organisation has made a bit of a pig's ear of the AD deployment. It appears upon discussion with staff that a software deployment of Acrobat reader has been put in at some point and then removed. I also found an old machine with a self built msi package on. Now, while the users are working away an msi installer window just flickers up on the screen and vanishes regularly. This is infuriating for the user base but I can't seem to nail it down as any reference has been removed from the registry.

Any ideas?

Cheers, Rob
RE: [ActiveDir] Is there a way to force users to logon to domain?
Be restrictive on the use of local accounts and don't give them passwords is the cleanest way.

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Lagreca
Sent: 15 May 2006 16:57
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is there a way to force users to logon to domain?

Is there a way to force users to logon to domain, or to disable logging into local computer accounts via GPO? Thanks.
RE: [ActiveDir] Can i give Enterprise admin rights to a child domain admin account.
I've been out in the wilderness for a while. Surprising what one forgets.

Create domain global groups in the child domain, place the users in those groups, in the root domain place the global groups in the Enterprise Admin and Schema Admin groups. Oh yeah, and make sure you are at least in W2K native mode.

Cheers, Rob

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: 08456 440 331 F: 08456 440 332 M: 07974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
Sent: 02 May 2006 08:48
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Can i give Enterprise admin rights to a child domain admin account.

Can I add one of my child domain users in Enterprise admin group? Or in other words, how to add users from other domain to EA groups.

Thanks, Manjeet
RE: [ActiveDir] exporting list of members of a security group
net group "group name" /domain > c:\whatever.txt

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: 08456 440 331 F: 08456 440 332 M: 07974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: 02 May 2006 21:02
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] exporting list of members of a security group

Is there a way to export to text file a list of the members of a security group?

Thanks
Antonio
RE: [ActiveDir] how to get rid of an obsolete DC?
It's been a while, but if I remember the old NT server manager will do it... then check it's gone with ntdsutil.

Robert Rutherford
QuoStar Solutions Limited
The Enterprise Pavilion, Fern Barrow, Wallisdown, Poole, Dorset, BH12 5HH
T: 08456 440 331 F: 08456 440 332 M: 07974 249 494
E: [EMAIL PROTECTED] W: www.quostar.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: 02 May 2006 20:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] how to get rid of an obsolete DC?

In a child domain I have what I believe is the remnants of an old NT4 DC. Using ADUC, it shows up in the child domain's Domain Controllers OU. When I try to delete it, I get "The DSA object cannot be deleted." When I use ADSIEdit and go to the domain, it only shows me the two functioning DCs and not the one I'm looking for. What other tools are available for this type of house cleaning?

Thanks!
Mike Thommes
RE: [ActiveDir] Buitlin Administrators Group not taking effect
If you log them off and then in again does it work?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben D. Kusa
Sent: 03 March 2005 14:13
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Buitlin Administrators Group not taking effect

When I add users to the Built-in Administrators group they don't always have local administrator rights. I'll try and do an install and it will tell me I don't have administrator rights, or if I try and change the name of the computer it will be grayed out. If I then use the Network ID option to add the user to the administrators group they will then have local rights. Is there something I am doing wrong, or is there a way to refresh the rights a user account should have from AD.

=== Scanned for virus infection by Messagelabs ===
=== Email security provided by Modrus using MessageLabs Email Security www.modrus.com ===
[ActiveDir] OT: Exch2003 POP Connector
Hi All,

Quick 1. Does anyone know if it is possible to config the POP3 connector to leave mail on the server it's pulling from for x number of days?

Many thanks, Rob
RE: [ActiveDir] Time server in windows 2003 !!
Windows 2003 is automatically a time server.. when any 2000/XP client is a member of a domain it should automatically pull the time from the DC. Is this not happening?

Rob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Senthil Kumar
Sent: 16 February 2005 12:39
To: Active directory group
Subject: [ActiveDir] Time server in windows 2003 !!

Hi all,

We are having one windows 2003 DC and one windows 2003 ADC and 2000 clients of win 2000 prof and win xp prof. Now I want when the clients log on to the domain their computer should update the time of it with the windows 2003 server. Does windows 2003 have any inbuilt feature to set it up as a time server? Are there any third party programs which convert win 2003 server into a time server? If yes what is the name of the products. Are there any opensource programs for setting up time server in windows 2003 or linux? Can we configure this in GPO?

Thanks and Regards,
K.SENTHIL KUMAR
RE: [ActiveDir] AD startup scripts problem
The local computer's system account does process the script but here it looks like it doesn't have permissions to read the script on the 'servers' share.

From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Fri 28/01/2005 16:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

Correct me if I'm wrong, but doesn't the Local System account have full control of the entire boot operation? And isn't it responsible to process the complete range of operations including network authentication and domain based GPO processing? And if not who is? And if so, doesn't that mean it should be processing this script?

Rocky

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Paul Wilkinson
Sent: Friday, January 28, 2005 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD startup scripts problem

I *think* that you do actually have network access at the point that computer startup scripts run. However, you'll have a security issue because the local system account doesn't have access to your server share. You could add each machine account to that share. If one of your computers is named Bob, add Bob$ to the ACL's of the share. You have to click on the object types button and select computers in the window where you add the computer account. You could also add Domain Computers if you want all computers to be able to access the share with the local system account. I've never tried this myself, so I'm not sure if this will work.

Paul Wilkinson
865-974-0649
2422 Dunford Hall
OIT Lab Services
University of TN, Knoxville

Mark Abbiss wrote:

I think this is it in a nutshell. When I put everything locally on the machine the script ran and created the report. As you say, I have no network connectivity when in the startup phase. Or is there a workaround?

Thanks for all the input

Original Message Follows
From: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD startup scripts problem
Date: Fri, 28 Jan 2005 08:05:12 -0600

Hi Mark... I believe it's running at system level on startup, and i believe system has no network rights.

John

Mark Abbiss [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/28/2005 07:07 AM
Please respond to [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] AD startup scripts problem

I have tried everything I know but I just cannot make a script run at computer start up. I have successfully got it working on a user basis at logon but assigning it to a computer is just not working. Here is what I have done, please can someone let me know if I have missed something completely obvious?!

1. Wrote a very simple batch file. Contents of batch is: \\server01\analysepc.exe /output \\server01\output
2. Created the necessary share on SERVER01
3. Created a new domain security group and added the PC object into that group
4. Made sure that the new group had full rights on the new share and output directory
5. Created the GPO to run the batch file from the Computer Config section of the GPO. Also disabled the User Config processing section.
6. Linked the GPO to the OU where my PC object is held
7. Set the filtering to apply the GPO only to the new security group.

Made sure everything was replicated and then started the computer. But the script does not work! I have checked with gpresult that the policy is being applied and it is. If I try the command from the batch when I have logged on, it works! What might I be missing?

Many thanks
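One way to test the permissions question raised in this thread, as an added example that is not part of the original messages. It assumes a file server with the SmbShare module and uses hypothetical names throughout: the domain `EXAMPLE`, the group `Startup-Report-PCs`, the folder `D:\output` behind the `output` share, and both function names. The first function grants a dedicated computer group access at the share and NTFS layers; the second is run as the computer startup script and records which identity the script runs under and whether it can write to the share.

```powershell
# Added example. All names below (EXAMPLE, Startup-Report-PCs, D:\output and
# the function names) are assumptions, not taken from the thread.

function Grant-StartupShareAccess {
    # Run once on the file server from an elevated prompt.
    param(
        [string]$ShareName  = 'output',
        [string]$FolderPath = 'D:\output',
        # A dedicated group of the computer accounts that must write here.
        # Narrower than granting Domain Computers write access to the share.
        [string]$Group      = 'EXAMPLE\Startup-Report-PCs'
    )
    # Share permissions and NTFS permissions are evaluated separately, so the
    # computer accounts need a grant at both layers.
    Grant-SmbShareAccess -Name $ShareName -AccountName $Group -AccessRight Change -Force |
        Out-Null
    & icacls.exe $FolderPath /grant "${Group}:(OI)(CI)M" | Out-Null

    # Return the resulting share ACL for review.
    Get-SmbShareAccess -Name $ShareName
}

function Test-StartupShareAccess {
    # Assign as the computer startup script on the client. The result is
    # written to a local log because nothing is visible at boot time.
    param(
        [string]$SharePath = '\\server01\output',
        [string]$LogFile   = (Join-Path $env:SystemRoot 'Temp\startup-share-test.log')
    )
    $result = [ordered]@{
        Time            = (Get-Date).ToString('s')
        # Locally the script runs as Local System ...
        LocalIdentity   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        # ... but a domain member presents its computer account on the network.
        ComputerAccount = "$env:COMPUTERNAME`$"
        Domain          = (Get-CimInstance Win32_ComputerSystem).Domain
        SharePath       = $SharePath
        CanWrite        = $false
        Error           = ''
    }

    # Write and remove a small probe file to prove write access end to end.
    $probe = Join-Path $SharePath "$env:COMPUTERNAME-probe.tmp"
    try {
        Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -LiteralPath $probe -ErrorAction Stop
        $result.CanWrite = $true
    } catch {
        # Keep the exact error text: access denied and path not found point
        # at different causes (permissions versus network not ready).
        $result.Error = $_.Exception.Message
    }

    $line = ($result.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
    Add-Content -LiteralPath $LogFile -Value $line
    [pscustomobject]$result
}
```

A computer account picks up a new group membership only when it obtains fresh Kerberos tickets, which in practice means after a restart, so reboot the client before reading the log.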
RE: [ActiveDir] IIS 6-Access denied
Hmmm ... can't say for sure as I haven't got an IIS box to hand. You don't want to use integrated windows auth as it will just supply your domain credentials. ... I think.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: 13 January 2005 14:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] IIS 6-Access denied

What could be wrong?? To access a site I want the users to authenticate with a local user account and password on the web server. Anonymous is enabled on all other sites.

Environment: Windows 2000 AD IIS 6.0 Server: Windows 2003

For authentication I checked Integrated Windows authentication but the particular account cannot log in. I am getting a 401.1 - Unauthorized: access is denied due to invalid credentials. Anonymous Access is not checked. The account has READ/Execute access to the parent folder down.

Thanks, Z.V.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] IIS 6-Access denied
Then again ... it should prompt if the credentials are wrong in integrated. Have you given them read under the website properties - home directory tab?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: 13 January 2005 14:42
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IIS 6-Access denied

I have tried Digest Authentication from Windows domain servers but I am still getting the same deny error. Yes the account exists locally on the web server and in AD.

Thanks, Z.V.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Thursday, January 13, 2005 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IIS 6-Access denied

Hmmm ... can't say for sure as I haven't got an IIS box to hand. You don't want to use integrated windows auth as it will just supply your domain credentials. ... I think.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: 13 January 2005 14:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] IIS 6-Access denied

What could be wrong?? To access a site I want the users to authenticate with a local user account and password on the web server. Anonymous is enabled on all other sites.

Environment: Windows 2000 AD IIS 6.0 Server: Windows 2003

For authentication I checked Integrated Windows authentication but the particular account cannot log in. I am getting a 401.1 - Unauthorized: access is denied due to invalid credentials. Anonymous Access is not checked. The account has READ/Execute access to the parent folder down.

Thanks, Z.V.
RE: [ActiveDir] IIS 6-Access denied
If you go to basic does it work?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: 13 January 2005 14:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IIS 6-Access denied

Then again ... it should prompt if the credentials are wrong in integrated. Have you given them read under the website properties - home directory tab?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: 13 January 2005 14:42
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IIS 6-Access denied

I have tried Digest Authentication from Windows domain servers but I am still getting the same deny error. Yes the account exists locally on the web server and in AD.

Thanks, Z.V.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Thursday, January 13, 2005 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] IIS 6-Access denied

Hmmm ... can't say for sure as I haven't got an IIS box to hand. You don't want to use integrated windows auth as it will just supply your domain credentials. ... I think.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: 13 January 2005 14:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] IIS 6-Access denied

What could be wrong?? To access a site I want the users to authenticate with a local user account and password on the web server. Anonymous is enabled on all other sites.

Environment: Windows 2000 AD IIS 6.0 Server: Windows 2003

For authentication I checked Integrated Windows authentication but the particular account cannot log in. I am getting a 401.1 - Unauthorized: access is denied due to invalid credentials. Anonymous Access is not checked. The account has READ/Execute access to the parent folder down.

Thanks, Z.V.
RE: [ActiveDir] Book recommendations please
I would say that the MS site has all the info you need for both tasks.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: 11 January 2005 10:41
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Book recommendations please

Hi

I'm looking for some recommendations for books to buy regarding moving from AD 2000 to AD 2003 and Exchange 2000 to Exchange 2003.

Cheers
Danny
RE: [ActiveDir] OT:winsock
Have you got something else interfacing with the stack on the box, i.e. f/w software? Also... uninstall the wlan card and see if you still get the same issue on the internal nic.

BR Rob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 10 January 2005 15:39
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:winsock

I keep getting an error on a win2k pro sp4 laptop when renewing an ip address: "an operation was attempted on something that is not a socket". Also when i try to start my linksys wlan adapter, i get "10093: Successful WSAStartup not yet performed".

I've uninstalled and reinstalled tcp/ip but no go. I know this is not a server issue, so I apologize for the OT.

thanks
RE: [ActiveDir] OT:winsock
hmmm ... could be a virus trying to send the mail through outlook. Can you see any other protocols, services, etc bound to the adapter?

From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Mon 1/10/2005 4:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:winsock

it's uninstalled. this user has no firewall sw that i can tell. though i get a pop up saying "outlook express is trying to send a email. do you want to let it send it?" i have no idea what's making that pop up. it's made to look like it's coming from OE. the email is just the welcome message OE sends on first use.

thanks

-----Original Message-----
From: Robert Rutherford [mailto:[EMAIL PROTECTED]
Sent: Monday, January 10, 2005 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:winsock

Have you got something else interfacing with the stack on the box, i.e. f/w software? Also... uninstall the wlan card and see if you still get the same issue on the internal nic.

BR Rob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 10 January 2005 15:39
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:winsock

I keep getting an error on a win2k pro sp4 laptop when renewing an ip address: "an operation was attempted on something that is not a socket". Also when i try to start my linksys wlan adapter, i get "10093: Successful WSAStartup not yet performed".

I've uninstalled and reinstalled tcp/ip but no go. I know this is not a server issue, so I apologize for the OT.

thanks
RE: [ActiveDir] Software License Management
http://www.expressmetrix.com/ will do it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: 05 January 2005 01:28 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Software License Management

That went away with SMS 2.0. It ran on a FoxPro db hahaha J

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT Sent: Monday, January 03, 2005 5:15 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Software License Management

I can do that in SMS 2k3 natively. When that X+1 user tries to run the app, I want them to be denied. Dave //SIGNED// David J. Perdue Network Security Engineer, InDyne Inc Comm: (805) 606-4597 DSN: 276-4597

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gonzalez, Thomas, ISD Sent: Monday, January 03, 2005 14:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Software License Management

In SMS 2K3 you can create a software metering usage and you can get the plugin called SAM (http://www.extendedtools.com/) for SMS 2K3. Cheers: Thomas

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT Sent: Monday, January 03, 2005 3:55 PM To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] Software License Management

I need to do some real software metering. X number of users using this piece of software at once on the network. SMS 2k3 doesn't provide this. Can anyone point me to a system that does? Thanks, Dave //SIGNED// David J. Perdue Network Security Engineer, InDyne Inc Comm: (805) 606-4597 DSN: 276-4597

* If you are not the intended recipient of this e-mail, please notify the sender immediately. The contents of this e-mail do not amend any existing disclosures or agreements unless expressly stated. *
RE: [ActiveDir] wireless DC
OK... So if you use a standard Ethernet LAN adapter roaming profiles work? Do you have a link light on the Wireless NIC before login? If so, is it picking up a DHCP or static address? Can you ping it b4 logon? What model WLAN NIC are you using? What Access Point are you using? Are you tunneling in a VPN?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info Sent: 05 January 2005 14:50 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] wireless DC

Not really.. I have a few laptops that connect to a SBS server... it's separate from corporate network. SBS has AD installed, but when a laptop connects to it through wireless option the roaming profile isn't loaded... what happens is that the wireless network pcmcia connects to network after the login and not before

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday 5 January 2005 14:57 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] wireless DC

If I understand the need correctly, you want to come up with a way to pre-authenticate wireless workstations possibly with domain credentials but not limited to. Or put another way, you want a way to prevent unauthorized workstations from wirelessly connecting to your network. Presumably, you'd like to make sure that anyone that does connect is up to date with their virus scanners, patches, etc. but possibly not connect to your 'fully-trusted' network, but rather have limited resources available. An example would be a sales person or consultant on site temporarily that just needs web access or print ability. Is that correct? Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info Sent: Wednesday, January 05, 2005 4:20 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] wireless DC

No, didn't solve it... if u have more suggestions i would appreciate it J

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday 4 January 2005 15:19 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] wireless DC

Does that solve the original problem? I read that post differently. Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, January 03, 2005 7:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] wireless DC

Ok. That is a different problem. Check out this article, which could be related to this problem: http://support.microsoft.com/default.aspx?scid=kb;en-us;840669 Also, I have had luck disabling DHCP media sense when I've had this problem, but that is not always the best solution. In any case, that is described here: http://support.microsoft.com/kb/239924 If neither works, then I would turn on verbose userenv logging and see what messages are being thrown on the profile failure. It could be something like slow link detection, which can alter the way roaming profiles are treated.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info Sent: Monday, January 03, 2005 4:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] wireless DC

The first one... 802.11x on corporate network... all laptops with wireless option do not load roaming profile at logon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Tuesday 4 January 2005 1:31 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] wireless DC

What do you mean by wireless? Do you mean you have 802.11x on a corporate network and your roaming profiles aren't being loaded at logon or do you mean remote mobile machines VPN'ing into a corporate network over a wireless connection? The former calls for a different solution to the latter.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info Sent: Monday, January 03, 2005 4:01 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] wireless DC

Hi, Does anyone have a solution to authenticate wireless networking workstations on a DC? So the domain becomes available before logon...and the roaming profile can be loaded Would appreciate some help/suggestions. Grtz J
RE: [ActiveDir] Outlook (OT)
Don't think it's possible... it depends what you want to do. You can put the /recycle switch after outlook.exe to use the same instance. Rob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: 05 January 2005 14:59 To: ActiveDir (E-mail) Subject: [ActiveDir] Outlook (OT)

Hi. Is there any way to prevent Outlook 2000 from opening up multiple instances? If I already have it open and double click on it again, I want to prevent it from opening twice or more times. is there any reg hack to do this? thanks a lot
RE: [ActiveDir] wireless DC
Are your internal DNS servers correct on the WLAN segment? i.e. you login and can do an nslookup and resolve internal addresses?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info Sent: 05 January 2005 15:11 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] wireless DC

- standard nic all is fine
- on XP are linked... on WIN2K not... it's DHCP
- accesspoint: belkin... wlan nic differs from Linksys and robotics PCMCIA and internal DELL, Toshiba wlan nics
- no VPN etc
But all use cached profile

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: Wednesday 5 January 2005 15:55 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] wireless DC

OK... So if you use a standard Ethernet LAN adapter roaming profiles work? Do you have a link light on the Wireless NIC before login? If so, is it picking up a DHCP or static address? Can you ping it b4 logon? What model WLAN NIC are you using? What Access Point are you using? Are you tunneling in a VPN?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info Sent: 05 January 2005 14:50 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] wireless DC

Not really.. I have a few laptops that connect to a SBS server... it's separate from corporate network. SBS has AD installed, but when a laptop connects to it through wireless option the roaming profile isn't loaded... what happens is that the wireless network pcmcia connects to network after the login and not before

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday 5 January 2005 14:57 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] wireless DC

If I understand the need correctly, you want to come up with a way to pre-authenticate wireless workstations possibly with domain credentials but not limited to. Or put another way, you want a way to prevent unauthorized workstations from wirelessly connecting to your network. Presumably, you'd like to make sure that anyone that does connect is up to date with their virus scanners, patches, etc. but possibly not connect to your 'fully-trusted' network, but rather have limited resources available. An example would be a sales person or consultant on site temporarily that just needs web access or print ability. Is that correct? Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info Sent: Wednesday, January 05, 2005 4:20 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] wireless DC

No, didn't solve it... if u have more suggestions i would appreciate it J

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday 4 January 2005 15:19 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] wireless DC

Does that solve the original problem? I read that post differently. Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Monday, January 03, 2005 7:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] wireless DC

Ok. That is a different problem. Check out this article, which could be related to this problem: http://support.microsoft.com/default.aspx?scid=kb;en-us;840669 Also, I have had luck disabling DHCP media sense when I've had this problem, but that is not always the best solution. In any case, that is described here: http://support.microsoft.com/kb/239924 If neither works, then I would turn on verbose userenv logging and see what messages are being thrown on the profile failure. It could be something like slow link detection, which can alter the way roaming profiles are treated.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info Sent: Monday, January 03, 2005 4:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] wireless DC

The first one... 802.11x on corporate network... all laptops with wireless option do not load roaming profile at logon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Tuesday 4 January 2005 1:31 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] wireless DC

What do you mean by wireless? Do you mean you have 802.11x on a corporate network and your roaming profiles aren't being loaded at logon or do you mean remote mobile machines VPN'ing into a corporate network over a wireless connection? The former calls for a different solution to the latter.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Quatro Info Sent: Monday, January 03, 2005 4:01 PM To: ActiveDir
RE: [ActiveDir] AD and ISP deployment
Hi Steve, AD aside... What do u want to achieve? It's like saying I have a spanner... what can I do with it? You can do many different things but it all depends on what your requirements are? Let us know what your problems and desires are from an ISP perspective. The guys here have a wealth of experience and can advise on the biggest of requirements/issues. BR Rob

From: [EMAIL PROTECTED] on behalf of Steve Schofield Sent: Mon 27/12/2004 20:17 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] AD and ISP deployment

Hi todd, Looking for best practices, tips/tricks at this point. i've been reading the docs on technet about general AD requirements, DNS etc.. just looking for more information and particularly in an ISP environment. A few things off-hand include central user authentication, using GPO's, sms 2k3 integration, exchange 2k3 are a few things for starters but not sure how different planning an AD for an ISP world vs a corporate environment. Thanks again. steve

----- Original Message -----
From: Myrick, Todd (NIH/CIT) [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Monday, December 27, 2004 7:15 AM Subject: RE: [ActiveDir] AD and ISP deployment

MCIS was MS's platform for hosting Exchange and Web, but they have since retired that initiative. I would start here in your search. I would also look at the AD planning site. http://www.microsoft.com/serviceproviders/ What objectives are you trying to accomplish? Todd Myrick

-----Original Message-----
From: Steve Schofield [mailto:[EMAIL PROTECTED] Sent: Monday, December 27, 2004 6:51 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD and ISP deployment

I'm searching for best practices, tip/tricks for deploying AD in an Internet Service Provider environment. Any advice would be appreciated.

Steve Schofield - MCP, CCA
[EMAIL PROTECTED]
Microsoft MVP - ASP.NET
http://www.deviq.com
RE: [ActiveDir] User profile and Terminal Services
http://www.brianmadden.com/ www.tokeshi.com Rob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark Sent: 23 December 2004 10:10 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] User profile and Terminal Services

Please could someone recommend a good list where I can post a user profile/terminal services related question. I have been hunting around for a while for the answer without success. Many thanks
RE: [ActiveDir] worm (very very OT)
You could resolve the mac and then search for it on your switches to tie it down to a port... depending on your switches of course. Which worm is it?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: 23 December 2004 16:30 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] worm (very very OT)

we're a switched network. i'd have to go to every pc(500) and run it. i'm trying to avoid that. might as well run netstat -an on all pc's. ethereal won't tell me the real address. thanks

-----Original Message-----
From: Candee Vaglica [mailto:[EMAIL PROTECTED] Sent: Thursday, December 23, 2004 11:16 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] worm (very very OT)

Use a network scanner, like Ethereal to monitor the traffic.

On Thu, 23 Dec 2004 11:11:43 -0500, Kern, Tom [EMAIL PROTECTED] wrote:

this is way off and i apologize but you guys are really knowledgeable and such a great help, i thought i'd try here. i have a number of pc's infected with some worm that goes out on port 1 tcp and tries to attempt a DOS attack. I don't know the worm and a google search didn't really turn anything up. here's the thing. the worm uses a spoofed source address. my question is, is there any way to track down a spoofed address internally to the real address? I don't know how to find the infected pc's. thanks
RE: [ActiveDir] Command Line Utility
I know you said command line but I always find treesize pro useful and cheap. I'm not sure if you can operate it from a command line... may be able to. http://www.treesizepro.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: 23 December 2004 16:46 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Command Line Utility

One of my Senior VPs wants to see a list of all files and folders within their legal directory. I don't know why but they do.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford Sent: Thursday, December 23, 2004 11:21 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Command Line Utility

It's still there but it draws the tree markers - I don't know what Justin's trying to do but if it involves processing the output of the command in any way then dir /s /b is good because you just get raw text to play with. Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Bobel Sent: 23 December 2004 15:30 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Command Line Utility

What happened to TREE? Bob

From: [EMAIL PROTECTED] on behalf of Steve Rochford Sent: Thu 12/23/2004 6:00 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Command Line Utility

dir /s
dir /s /b
Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: 22 December 2004 20:31 To: ActiveDir (E-mail) Subject: [ActiveDir] Command Line Utility

Everyone, Do any of you know of a command line utility that would display all file names in a folder and all subfolders of the root folder? TIA Justin
RE: [ActiveDir] worm (very very OT)
Does it reply to a ping on its spoofed address then??

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: 23 December 2004 17:16 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] worm (very very OT)

For port spanning, I would have to do that on a port by port basis for 500 pc's! we use cisco 3550 cat. the virus is in Albany and i'm in NYC. they have no network support. I'm it. maybe i can get someone to change their ip to the same subnet of the spoofed address and ping it and then do an arp -a? thanks

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED] Sent: Thursday, December 23, 2004 12:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] worm (very very OT)

Your switches, if serious business types, should have mirror ports that allow you to plug into to see all traffic going across the switch. Correct, if the worm is spoofing, Ethereal won't have the real address but it should have the real MAC. You can then tell your network people to dump some data from the switches/routers that will tell you what the real IP is of the MAC addresses. In general, probably worth grabbing your network person and asking them what other options they have from the network side. They may even be able to look at something and tell you directly which IPs/MACs are trying to connect to whatever port it is they are going after without ever breaking out a sniffer. joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, December 23, 2004 11:30 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] worm (very very OT)

we're a switched network. i'd have to go to every pc(500) and run it. i'm trying to avoid that. might as well run netstat -an on all pc's. ethereal won't tell me the real address. thanks

-----Original Message-----
From: Candee Vaglica [mailto:[EMAIL PROTECTED] Sent: Thursday, December 23, 2004 11:16 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] worm (very very OT)

Use a network scanner, like Ethereal to monitor the traffic.

On Thu, 23 Dec 2004 11:11:43 -0500, Kern, Tom [EMAIL PROTECTED] wrote:

this is way off and i apologize but you guys are really knowledgeable and such a great help, i thought i'd try here. i have a number of pc's infected with some worm that goes out on port 1 tcp and tries to attempt a DOS attack. I don't know the worm and a google search didn't really turn anything up. here's the thing. the worm uses a spoofed source address. my question is, is there any way to track down a spoofed address internally to the real address? I don't know how to find the infected pc's. thanks
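The tracing approach discussed in this thread (capture on a mirror port, take the real source MAC of the spoofed traffic, then look that MAC up on the switch), as an added Python example that is not part of the original posts. The capture rows and the MAC table are constructed sample data; the table uses the usual Cisco IOS `show mac address-table` layout, the CSV column names and both thresholds are assumptions, and the destination port is the one given in the post.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample: frame summaries exported from a sniffer on a mirror port
# of the affected site's switch (column names are an assumption of this example).
CAPTURE_CSV = """src_mac,src_ip,dst_ip,proto,dst_port
00:0d:56:aa:10:01,10.20.1.15,10.20.1.5,tcp,445
00:0d:56:aa:10:02,192.0.2.10,198.51.100.7,tcp,1
00:0d:56:aa:10:02,192.0.2.77,198.51.100.7,tcp,1
00:0d:56:aa:10:02,203.0.113.4,198.51.100.7,tcp,1
00:0d:56:aa:10:02,203.0.113.9,198.51.100.7,tcp,1
00:0b:db:11:22:33,192.0.2.31,198.51.100.7,tcp,1
00:0b:db:11:22:33,192.0.2.32,198.51.100.7,tcp,1
00:0b:db:11:22:33,203.0.113.50,198.51.100.7,tcp,1
00:0d:56:aa:10:04,10.20.1.44,10.20.1.5,tcp,1
00:10:a4:99:88:77,192.0.2.200,198.51.100.7,tcp,1
00:10:a4:99:88:77,192.0.2.201,198.51.100.7,tcp,1
00:10:a4:99:88:77,192.0.2.202,198.51.100.7,tcp,1
"""

# Constructed sample in the Cisco IOS "show mac address-table" layout.
MAC_TABLE = """          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000d.56aa.1001    DYNAMIC     Fa0/3
   1    000d.56aa.1002    DYNAMIC     Fa0/7
   1    000d.56aa.1004    DYNAMIC     Fa0/9
   1    000b.db11.2233    DYNAMIC     Gi0/1
   1    000b.db11.2244    DYNAMIC     Gi0/1
   1    000b.db11.2255    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 6
"""

ROW = re.compile(
    r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)


def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_mac_table(text):
    """Return {mac: (vlan, port)} from the switch output, skipping headers."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[norm_mac(m.group(2))] = (int(m.group(1)), m.group(4))
    return table


def suspect_macs(capture_csv, dst_port, min_distinct_ips=3):
    """MACs sending TCP to dst_port under several different source IPs.

    A spoofed IP header does not change the Ethernet source address, so one
    MAC appearing with many source IPs is the real sender. This only holds
    for a capture taken on the sender's own layer-2 segment; behind a router
    every frame carries the router's MAC.
    """
    ips, frames = defaultdict(set), Counter()
    for row in csv.DictReader(io.StringIO(capture_csv)):
        if row["proto"].lower() != "tcp" or int(row["dst_port"]) != dst_port:
            continue
        mac = norm_mac(row["src_mac"])
        ips[mac].add(row["src_ip"])
        frames[mac] += 1
    return {m: (frames[m], sorted(s)) for m, s in ips.items()
            if len(s) >= min_distinct_ips}


def locate(capture_csv, mac_table_text, dst_port, uplink_macs=3):
    """Map each suspect MAC to a switch port and say what kind of port it is."""
    table = parse_mac_table(mac_table_text)
    macs_per_port = Counter(port for _, port in table.values())
    found = []
    suspects = suspect_macs(capture_csv, dst_port)
    for mac, (count, src_ips) in sorted(suspects.items()):
        vlan, port = table.get(mac, (None, None))
        if port is None:
            kind = "unknown"  # aged out or on another switch: re-check while it sends
        elif macs_per_port[port] >= uplink_macs:
            kind = "uplink"   # several MACs behind this port: repeat the lookup downstream
        else:
            kind = "access"   # one host on the port: this is the machine to pull
        found.append({"mac": f"{mac[0:4]}.{mac[4:8]}.{mac[8:12]}", "vlan": vlan,
                      "port": port, "kind": kind, "frames": count,
                      "distinct_src_ips": len(src_ips)})
    return found


if __name__ == "__main__":
    for hit in locate(CAPTURE_CSV, MAC_TABLE, dst_port=1):
        print(hit)
```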
RE: [ActiveDir] Change Control Systems
$200,000! You'd have to be blonde, wear a short skirt, and call me sir!

From: [EMAIL PROTECTED] on behalf of Myrick, Todd (NIH/CIT) Sent: Mon 20/12/2004 19:16 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Change Control Systems

While we are at it, I will audit your changes personally for $200,000.00 a year.. personally. No software to buy or upgrade. I just need two bathroom breaks a day, 1 30 minute lunch, and 8 hours of sleep (6 if you really are pushing.) ; Happy Holidays Toddler

-----Original Message-----
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] Sent: Monday, December 20, 2004 12:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Change Control Systems

While we're at it :-) http://wm.quest.com/products/GroupPolicyManager/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil Sent: Monday, December 20, 2004 9:31 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Change Control Systems

That second link should be: http://www.netiq.com/products/gpg/default.asp ;) ChangeAuditor is a great tool by the way. I don't know that it would function as a very great Change Management tool (for workflow type change management), especially in an environment with more than just AD. But it is a great tool for keeping tabs on AD. I'd definitely recommend taking a look at it. Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Monday, December 20, 2004 12:19 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Change Control Systems

ChangeAuditor for AD from NetPro - http://www.netpro.com/products/changemanager/index.cfm. Monitors and logs all changes to AD configuration, including relevant files, registry settings, AD objects, etc. Group Policy Guardian from NetIQ - http://www.netpro.com/products/changemanager/index.cfm. Logs changes to group policy settings. -gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: Saturday, December 18, 2004 5:07 PM To: ActiveDir@mail.activedir.org Subject: RE: Change Control Systems

Many thanks Gil. I have forwarded the CVS info to a number of developer friends. I'm looking for something more along the lines of general systems change control though, i.e. John wants to add a new GPO and provides the description and detail. The senior staff and management can then approve or deny. All info is logged in a DB. It would be fairly easy to whip up I guess but it would be useful if there is a system already around? BR Rob

From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick Sent: Sat 18/12/2004 03:07 To: ActiveDir@mail.activedir.org Subject: RE: Change Control Systems

CVS is pretty much the industry standard open source source code control server. CVSNT is the best version for Windows that I'm aware of; see http://www.cvsnt.com/. There are a couple of Windows clients available; WinCVS is the one I use. It's on SourceForge at http://sourceforge.net/project/showfiles.php?group_id=10072package_id=12664. -gil

From: [EMAIL PROTECTED] on behalf of Robert Rutherford Sent: Fri 12/17/2004 6:19 PM To: ActiveDir@mail.activedir.org Subject: OT: Change Control Systems

Hi All, I'm on the hunt for an open source or free change management system... I've worked for many companies who have an in-house system and I haven't got the time to build my own. Does anyone know of any free or cheap change management systems? I will build my own if necessary but would rather cheat :O) It's just a shot but the diversity of this group is like gold dust. Merry Christmas to every user of this group. I hope the years ahead are good to all the prolific posters. Your input is invaluable. Rob
RE: [ActiveDir] Change Control Systems
Many thanks Gil. I have forwarded the CVS info to a number of developer friends. I'm looking for something more along the lines of general systems change control though, i.e. John wants to add a new GPO and provides the description and detail. The senior staff and management can then approve or deny. All info is logged in a DB. It would be fairly easy to whip up I guess but it would be useful if there is a system already around? BR Rob

From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick Sent: Sat 18/12/2004 03:07 To: [EMAIL PROTECTED] Subject: RE: Change Control Systems

CVS is pretty much the industry standard open source source code control server. CVSNT is the best version for Windows that I'm aware of; see http://www.cvsnt.com/. There are a couple of Windows clients available; WinCVS is the one I use. It's on SourceForge at http://sourceforge.net/project/showfiles.php?group_id=10072package_id=12664. -gil

From: [EMAIL PROTECTED] on behalf of Robert Rutherford Sent: Fri 12/17/2004 6:19 PM To: [EMAIL PROTECTED] Subject: OT: Change Control Systems

Hi All, I'm on the hunt for an open source or free change management system... I've worked for many companies who have an in-house system and I haven't got the time to build my own. Does anyone know of any free or cheap change management systems? I will build my own if necessary but would rather cheat :O) It's just a shot but the diversity of this group is like gold dust. Merry Christmas to every user of this group. I hope the years ahead are good to all the prolific posters. Your input is invaluable. Rob
RE: [ActiveDir] Computer Display
Hmm... I've never noticed it. If you do a reverse lookup on the IPs, can you resolve the IP's?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue Sent: 17 December 2004 13:17 To: [EMAIL PROTECTED] Subject: [ActiveDir] Computer Display

When you look at the open sessions on a DC, some machines are reported by computer names and others by IP addresses. I thought it may be because of the mixed environment of W2k and XP machines, but this is not the case. Anyone notice this too? THX, Z.V.
[ActiveDir] OT: Change Control Systems
Hi All, I'm on the hunt for an open source or free change management system... I've worked for many companies who have an in-house system and I haven't got the time to build my own. Does anyone know of any free or cheap change management systems? I will build my own if necessary but would rather cheat :O) It's just a shot but the diversity of this group is like gold dust. Merry Christmas to every user of this group. I hope the years ahead are good to all the prolific posters. Your input is invaluable. Rob
RE: [ActiveDir] Making a user a Domain Administrator
I'd suggest using Restricted Groups through group policy. If you go on the MS site you will get a ton of explanations and examples. BR Rob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye Sent: 13 December 2004 10:19 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Making a user a Domain Administrator

I have a domain with over 1000 computers and can't possibly go round the machines doing this. Do you have a sample script that can achieve this?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson Sent: Monday, December 13, 2004 11:10 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Making a user a Domain Administrator

Add the user to the local administrator group on each machine in the domain. This can be done via script for example. Does anyone know if this can be done by GPO? Regards Peter Johnson

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye Sent: 13 December 2004 12:10 To: [EMAIL PROTECTED] Subject: [ActiveDir] Making a user a Domain Administrator

Hi Guys, By Default the Domain Admin is an administrator on every client system in the domain. Suppose I want to extend this functionality, i.e. having a particular user who is not a domain administrator but has administrator rights on every client machine in the domain. How can I achieve this? Cheers Seyi
RE: [ActiveDir] The server is not operational
Can you run a dcdiag and post as a first port of call?

Cheers

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: 08 December 2004 16:44
To: [EMAIL PROTECTED]
Subject: [ActiveDir] The server is not operational

Hi All:

Imagine my surprise when I tried to fire up the dsa.msc and was greeted with the error in the subject line. Specifically:

Naming information cannot be located for the following reason: The server is not operational.

In fact, I could not access any domain-related tools. The server sure seemed operational since I was logged into it on console as an administrator. But sure enough, it soon started to literally die: users started dropping off and, eventually, I lost my remote connection and was unable to get back in. Someone had to reboot the server on-site.

I might have written this off to just a weird occurrence, but it happened again a short while later while I was checking the disturbingly happy Event Logs - almost no errors or warnings. What I found in List archives and on the Web did not seem to apply.

The config is:
- Stand-alone W2k3 Standard, DC
- DNS runs locally and forwards to ISP and is AD-integrated, allowing only secure updates
- Local Ethernet interface points to self for DNS
- WINS is running locally (though the Ethernet interface did not point to itself or anywhere initially)
- RRAS is running (only for me to make a PPTP connection over which I run RD)

A few things stand out:
- Event Logs showed a bunch of Userenv 1053 errors (related to GPOs not getting applied) just prior to the first crash.
- Due to RRAS, the server registers another A record and SRV record in DNS (for the VPN interface). DNS also shows that it is servicing requests on that address.
- Netdiag shows several warnings about these two records: the DC knows only one address; DNS knows two (see below).

The Record is correct on DNS server '192.168.0.30'.
The Record is different on DNS server '192.168.0.30'.
DNS server has more than one entries for this name, usually this means there are multiple DCs for this domain. Your DC entry is one of them on DNS server '192.168.0.30', no need to re-register.
+--+
The record on your DC is:
DNS NAME = abc.private.
DNS DATA =
    A 192.168.0.116
The record on DNS server 192.168.0.30 is:
DNS NAME = abc.private
DNS DATA =
    A 192.168.0.116
    A 192.168.0.30
+--+

Sorry for the long winded post. Any thoughts on what might have caused this? Is there some configuration (perhaps in RRAS or DNS) that I might look at?

TIA.

-- nme
RE: [ActiveDir] OT: Full vs Diff
Ok... Yes it is out of the ordinary for backups to take longer on Diffs. I don't expect you should be running incrementals instead of Diffs, especially as you state that your fulls are only taking 4 hrs.

What backup software are u using? Has it been working OK? Have you checked the backup jobs to ensure they are similar, in terms of selections? Are any other processes running during your diffs which aren't running when you do a full? Are you pulling over the network?

Rob
RE: [ActiveDir] Offline Files
Hi Lucia,

Any chance you can turn off your receipts for this group?

Thanks,
Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucia Washaya
Sent: 01 December 2004 10:05
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Offline Files

Return Receipt
Your document: RE: [ActiveDir] Offline Files
was received by: Lucia Washaya/UNAMSIL
at: 01/12/2004 10:03:47 GMT
RE: [ActiveDir] Snort
IDS isn't going to protect you from these worms; let's initially focus on that:-

I'm just going to ramble and we can then home in on a solution.

It's hard to believe patched machines are being re-infected.. but it does happen. I suspect you have a rogue machine which isn't managed in your domain environment and you aren't aware of, i.e. a 98 machine, workgroup, user home laptop, etc.

It does sound like your Watchguard box isn't really up to the job, especially as you are specifically blocking ports. It shouldn't be processing blocked packets, thus shouldn't be under that high stress, unless you are logging everything. I'm not a Watchguard expert so maybe it deals with packets differently.

This is all an if scenario. I guess we need to ascertain:-
What size is your network, i.e. Nodes?
Which Watchguard model do you have?
Lan switches?
WAN Links.
(Send a reply to me direct if you don't want to broadcast your details)

It depends on your environment, but if you are sizeable, i.e. over 200+ users, then I would shoot for something like Checkpoint with the SmartDefense subscription. This will do deep inspection and cut out worms at the gateway, i.e. stopping them entering the secured LAN. They are way ahead of the game compared to Cisco (hearing Cisco fans smacking out angered replies).

BR
Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 01 December 2004 15:42
To: ActiveDir (E-mail)
Subject: [ActiveDir] Snort

Anyone had good experiences with snort and can you recommend it as an IDS and intrusion prevention? I'm really getting hit hard with bots like W32.spybot.worm and W32.Randex.BTB. I get these worms even being fully patched and my Symantec defs are up to date. I'm looking for something cheap (read: free) to help me stop these things or at least contain them. My managers are looking into Cisco Self defending networks solution but that's big $$ and might be a whole other management headache.
I was looking on some combination of our current AV (Symantec corporate 9.0) and GPO and snort as some sort of solution. These bots are really annoying because they seem to infect even patched and up to date systems and then they go out on ports 445 or 54321 or and even though our firewall (watchguard) blocks these ports, enough of these infected systems can DOS my firewall or bring network traffic to a crawl.

Any recommendations?

thanks a lot
RE: [ActiveDir] Snort
If you watch your firewall logs, you will more than likely see the offender, i.e. you will see it trying to talk on specific ports and likely to be scanning up class C reserved ranges. I just tend to filter the firewall logs and set up alerts for suspicious activity.

I think Watchguard do some deep packet inspection techs as options? I'm not 100% sure as I haven't used them to any great level.

Snort is fine, but if you have a good firewall set up and configured correctly then you don't really need it. I know many large companies who spent so much time setting it up but never look at it.

From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: 01 December 2004 16:23
To: Robert Rutherford
Subject: RE: [ActiveDir] Snort

We have 500 nodes, mostly XP/Win2k, but a few win98 clients. The Winxp boxes have system restore disabled.

..snip Sys details .snip

I don't suppose there is any real way to find out where a worm really originated from on your network? I thought snort might at least help with this. Also there is a feature called inline snort where it supposedly can do intrusion prevention, but I have no experience with this.

thanks

-Original Message-
From: Robert Rutherford [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 01, 2004 11:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Snort

IDS isn't going to protect you from these worms; let's initially focus on that:-

I'm just going to ramble and we can then home in on a solution.

It's hard to believe patched machines are being re-infected.. but it does happen. I suspect you have a rogue machine which isn't managed in your domain environment and you aren't aware of, i.e. a 98 machine, workgroup, user home laptop, etc.

It does sound like your Watchguard box isn't really up to the job, especially as you are specifically blocking ports. It shouldn't be processing blocked packets, thus shouldn't be under that high stress, unless you are logging everything. I'm not a Watchguard expert so maybe it deals with packets differently.
This is all an if scenario. I guess we need to ascertain:-
What size is your network, i.e. Nodes?
Which Watchguard model do you have?
Lan switches?
WAN Links.
(Send a reply to me direct if you don't want to broadcast your details)

It depends on your environment, but if you are sizeable, i.e. over 200+ users, then I would shoot for something like Checkpoint with the SmartDefense subscription. This will do deep inspection and cut out worms at the gateway, i.e. stopping them entering the secured LAN. They are way ahead of the game compared to Cisco (hearing Cisco fans smacking out angered replies).

BR
Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 01 December 2004 15:42
To: ActiveDir (E-mail)
Subject: [ActiveDir] Snort

Anyone had good experiences with snort and can you recommend it as an IDS and intrusion prevention? I'm really getting hit hard with bots like W32.spybot.worm and W32.Randex.BTB. I get these worms even being fully patched and my Symantec defs are up to date. I'm looking for something cheap (read: free) to help me stop these things or at least contain them. My managers are looking into Cisco Self defending networks solution but that's big $$ and might be a whole other management headache. I was looking on some combination of our current AV (Symantec corporate 9.0) and GPO and snort as some sort of solution. These bots are really annoying because they seem to infect even patched and up to date systems and then they go out on ports 445 or 54321 or and even though our firewall (watchguard) blocks these ports, enough of these infected systems can DOS my firewall or bring network traffic to a crawl.

Any recommendations?

thanks a lot
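The firewall-log filtering described in the message above, sketched as an added example that is not part of the original thread: it flags internal hosts that were denied on the ports named in the thread (445, 54321) towards many distinct destinations. The log line layout, the internal address range, the threshold and all sample lines are assumptions constructed for illustration, not WatchGuard's real format.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Generic "deny" line layout assumed for this example; adapt the regex
# to whatever your firewall actually writes.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) deny (?:tcp|udp) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
WATCH_PORTS = {445, 54321}               # ports named in the thread
INTERNAL = ip_network("192.168.0.0/16")  # assumed internal address space
THRESHOLD = 20                           # assumed: distinct targets per source


def find_scanners(lines, threshold=THRESHOLD):
    """Return (source, distinct_targets, first_seen) for internal hosts that
    were denied on a watched port towards many different destinations."""
    targets = defaultdict(set)
    first_seen = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) not in WATCH_PORTS:
            continue  # not a deny line in the assumed layout, or other port
        try:
            if ip_address(m["src"]) not in INTERNAL:
                continue
        except ValueError:
            continue  # malformed address
        targets[m["src"]].add(m["dst"])
        first_seen.setdefault(m["src"], m["ts"])
    hits = [(s, len(d), first_seen[s])
            for s, d in targets.items() if len(d) >= threshold]
    # Earliest first: a starting point for tracing, not proof of origin.
    return sorted(hits, key=lambda h: h[2])


def build_sample():
    """Constructed log lines: two sweeping hosts and one ordinary host."""
    day = "2004-12-01"
    lines = [f"{day} 16:01:{i:02d} deny tcp 192.168.0.57:{1030 + i} -> 192.168.1.{i}:445"
             for i in range(1, 41)]
    lines += [f"{day} 16:05:{i:02d} deny tcp 192.168.0.88:{2000 + i} -> 10.0.0.{i}:54321"
              for i in range(1, 26)]
    # Repeated denies to a single server stay below the threshold.
    lines += [f"{day} 16:02:{i:02d} deny tcp 192.168.0.12:{3000 + i} -> 192.168.1.5:445"
              for i in range(5)]
    lines.append(f"{day} 16:03:00 allow tcp 192.168.0.12:3100 -> 192.168.1.5:80")
    return lines


if __name__ == "__main__":
    for src, count, ts in find_scanners(build_sample()):
        print(f"ALERT {src}: {count} distinct targets, first seen {ts}")
```

Counting distinct destinations rather than raw deny lines keeps a single misconfigured client that retries one server from being reported as a scanner.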
RE: [ActiveDir] Snort
I'd block the non-critical ports over the frame. You can also watch the routers to see what's hitting them or put a sniffer in the gap between the frame router and LAN to hunt the offender.

Rob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 01 December 2004 16:42
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Snort

I see the offender. What I want to know is where the offender got it from. I know it's not from the internet because we block all those ports incoming. We have a sister corp that has their own independent IT staff and is connected to us via frame relay. We are all in the same forest. We also have mobile laptop users. So it can only get in those 2 ways as far as I know. I wish there was some way to tell for sure.

The Watchguard will block port and address space probes and IP options and address spoofing. It also blocks syn flood attacks (but Watchguard recommends you turn that off as it creates high stress on the box). It also comes with some prebuilt proxies for http, ftp, smtp, dns. The rest is stateful packet inspection. That's it for deep packet inspection.

-Original Message-
From: Robert Rutherford [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 01, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Snort

If you watch your firewall logs, you will more than likely see the offender, i.e. you will see it trying to talk on specific ports and likely to be scanning up class C reserved ranges. I just tend to filter the firewall logs and set up alerts for suspicious activity.

I think Watchguard do some deep packet inspection techs as options? I'm not 100% sure as I haven't used them to any great level.

Snort is fine, but if you have a good firewall set up and configured correctly then you don't really need it. I know many large companies who spent so much time setting it up but never look at it.
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: 01 December 2004 16:23
To: Robert Rutherford
Subject: RE: [ActiveDir] Snort

We have 500 nodes, mostly XP/Win2k, but a few win98 clients. The Winxp boxes have system restore disabled.

..snip Sys details .snip

I don't suppose there is any real way to find out where a worm really originated from on your network? I thought snort might at least help with this. Also there is a feature called inline snort where it supposedly can do intrusion prevention, but I have no experience with this.

thanks

-Original Message-
From: Robert Rutherford [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 01, 2004 11:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Snort

IDS isn't going to protect you from these worms; let's initially focus on that:-

I'm just going to ramble and we can then home in on a solution.

It's hard to believe patched machines are being re-infected.. but it does happen. I suspect you have a rogue machine which isn't managed in your domain environment and you aren't aware of, i.e. a 98 machine, workgroup, user home laptop, etc.

It does sound like your Watchguard box isn't really up to the job, especially as you are specifically blocking ports. It shouldn't be processing blocked packets, thus shouldn't be under that high stress, unless you are logging everything. I'm not a Watchguard expert so maybe it deals with packets differently.

This is all an if scenario. I guess we need to ascertain:-
What size is your network, i.e. Nodes?
Which Watchguard model do you have?
Lan switches?
WAN Links.
(Send a reply to me direct if you don't want to broadcast your details)

It depends on your environment, but if you are sizeable, i.e. over 200+ users, then I would shoot for something like Checkpoint with the SmartDefense subscription. This will do deep inspection and cut out worms at the gateway, i.e. stopping them entering the secured LAN. They are way ahead of the game compared to Cisco (hearing Cisco fans smacking out angered replies).
BR
Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 01 December 2004 15:42
To: ActiveDir (E-mail)
Subject: [ActiveDir] Snort

Anyone had good experiences with snort and can you recommend it as an IDS and intrusion prevention? I'm really getting hit hard with bots like W32.spybot.worm and W32.Randex.BTB. I get these worms even being fully patched and my Symantec defs are up to date. I'm looking for something cheap (read: free) to help me stop these things or at least contain them. My managers are looking into Cisco Self defending networks solution but that's big $$ and might be a whole other management headache. I was looking on some combination of our current AV (Symantec corporate 9.0) and GPO and snort as some sort of solution. These bots are really annoying because they seem to infect even patched and up to date systems and then they go out on ports