RE: [ActiveDir] inactive computers
Wow John...according to the combination of times on our computers, you look to be clairvoyant, as you answered the question prior to it being asked... That's really not that big of a deal, but the part that impressed me is that you not only knew what he was going to ask, but also worded it exactly the same...now that's a neat trick!! It's really neat sometimes when you get a mail that, according to the time for sent, arrived before it was sent... Ok, I'm done with my dull humor...time to go visit DC

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Thursday, August 18, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] inactive computers

OldCmp
joeware

john

Tom Kern wrote:
I know win2k AD has no lastlogontimestamp attrib, but is there any way to find inactive computers in a 2000 domain?

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
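The thread only names OldCmp. The script below is an added example, not from the thread and not joeware's code, showing what a stale-computer query has to do when lastLogonTimestamp does not exist: use the replicated pwdLastSet value (a member rotates its machine password every 30 days by default) and, because lastLogon is not replicated, collect lastLogon from every DC and keep the newest value. It assumes the ActiveDirectory PowerShell module (which postdates the thread), read access to each DC, and a placeholder 90-day threshold.

```powershell
# Added example (not from the thread, not OldCmp): flag stale computer accounts
# in a domain with no lastLogonTimestamp, using two signals that DO exist there.
# Assumptions: ActiveDirectory module, rights to query every DC, 90-day cutoff.
param(
    [int]$InactiveDays = 90,
    [string]$SearchBase = ''      # empty = whole domain
)
Import-Module ActiveDirectory
if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# Signal 1: pwdLastSet is replicated. A healthy member rotates its machine
# password every 30 days by default, so an old value is a strong stale hint.
$computers = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties pwdLastSet, operatingSystem

# Signal 2: lastLogon is NOT replicated. Ask every DC and keep the newest value
# per computer. An unreachable DC is reported, not silently skipped, because a
# missing DC would make every machine that only logs on there look inactive.
$latestLogon = @{}
foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-ADComputer -Filter * -SearchBase $SearchBase -Server $dc.HostName -Properties lastLogon |
            ForEach-Object {
                $dn = $_.DistinguishedName
                if ($_.lastLogon -and ($_.lastLogon -gt $latestLogon[$dn])) {
                    $latestLogon[$dn] = $_.lastLogon
                }
            }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
}

$stale = foreach ($c in $computers) {
    $dn     = $c.DistinguishedName
    $pwdSet = if ($c.pwdLastSet)      { [DateTime]::FromFileTime($c.pwdLastSet) }
    $logon  = if ($latestLogon[$dn])  { [DateTime]::FromFileTime($latestLogon[$dn]) }
    # Call it inactive only when BOTH signals are old or missing: a machine whose
    # password rotation is disabled by policy still shows a recent lastLogon, and
    # a machine with no logon recorded on any DC still shows a recent pwdLastSet.
    $pwdOld   = (-not $pwdSet) -or ($pwdSet -lt $cutoff)
    $logonOld = (-not $logon)  -or ($logon  -lt $cutoff)
    if ($pwdOld -and $logonOld) {
        [pscustomobject]@{
            Name       = $c.Name
            OS         = $c.operatingSystem
            PwdLastSet = $pwdSet
            LastLogon  = $logon
            DN         = $dn
        }
    }
}

# Report only. Review the list, then disable (not delete) in a separate step so
# a false positive can be reverted, and keep the report with the change record.
$stale | Sort-Object PwdLastSet | Format-Table Name, OS, PwdLastSet, LastLogon -AutoSize
```

The per-DC loop is the part that is easy to get wrong: querying lastLogon from a single DC gives the logon history of that DC only, so a box that always authenticates against a branch DC looks idle from headquarters.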
RE: [ActiveDir] Question on Replication Topology
Actually, if it's a Single Domain Forest then the Infrastructure Master has no phantoms to keep track of and thus can be sent anywhere or left alone as a paperweight. So while I agree with Jose that it is perfectly fine to move it, doing so won't really matter until you have phantoms for the infrastructure master to keep an eye on.

Just my $0.02

Have a great day!
Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

You are correct. However, if you have two DCs it doesn't hurt to offload the infrastructure master role to the DC that does not have the other 4 roles, even if it's in a single domain forest.

Jose :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Am I missing something, or is having the Infrastructure Master running on a GC an issue in a multi-domain forest?

Guy

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, August 15, 2005 9:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Question on Replication Topology

Dear List Members (whom I have a hard time figuring out how you all have so much time to help us not-quite-up-to-speed but severely overtasked Administrators);

After a power failure took a Forest Root DC offline over the weekend (for 26 hours), I came in today to find my replication in question. Repadmin /Showreps does not show any errors; however, it shows inconsistent Replication partners.

Here is my question; We have:

Forest Root Domain (Empty)
  DC1 (Holds all 5 roles) (the DC offline for 26 hours)
  DC2

One Domain in the Forest
  DC4
  DC5 (Holds all 5 Roles)
  DC6

Everyone is W2K3 (no Service Packs), everyone is a GC and everyone is a DNS server.

I was positive that I had the Forest Root and Domain at Windows Server 2003 Forest Functional Level, but now when I go to AD Domains and Trusts, click the Forest Root Domain and right-click Properties I get:

  Domain Functional Level = Windows 2000 mixed
  Forest Functional Level = Windows 2000

When I go to AD Domains and Trusts, click the Domain and right-click Properties I get:

  Domain Functional Level = Windows Server 2003
  Forest Functional Level = Windows 2000

I must have miscalculated, but that's not my question.

In my AD Sites and Services, I have connection objects that have automatically been generated for each DC, but they are inconsistent, i.e.:

  DC1 goes to DC2 and DC6
  DC2 goes to DC1 and DC5
  DC4 goes to DC5 and DC6
  DC5 goes to DC4 and DC6
  DC6 goes to DC1 and DC4 and DC5

The question is: shouldn't they all have automatically generated connection objects to everybody else, and if they don't, is it just a matter of me adding the manual new connection object? Or am I seeing a properly configured Sites and Services? If not, is part of my problem that I have not got the Forest Root at FFL?

Thanks in advance people for any assistance. This list is so valuable, it's not funny. (Seriously!)
__
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
136 Center Street
Old Town, Maine 04468
207.827.4456
[EMAIL PROTECTED]
www.jws.com
__
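Rocky's list of "DC1 goes to DC2 and DC6" was read off the Sites and Services GUI. The following is an added example, not from the thread, that pulls the same information from the directory itself: every nTDSConnection object in the Configuration partition, who it replicates from, and whether the KCC generated it (bit 0x1 of the options attribute, NTDSCONN_OPT_IS_GENERATED) or someone created it by hand. It assumes the ActiveDirectory module and a domain-joined admin workstation; the DC names it prints are whatever the forest contains.

```powershell
# Added example (not from the thread): enumerate inbound connection objects per
# DC and flag KCC-generated versus manual ones. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext

function Get-ServerFromDN([string]$dn, [int]$index) {
    # Split on unescaped commas and return the RDN value at $index without 'CN='.
    (($dn -split '(?<!\\),')[$index]) -replace '^CN=', ''
}

# Connection objects live under CN=NTDS Settings,CN=<DestDC>,CN=Servers,CN=<Site>,...
# so the destination DC is the third RDN of the connection's own DN, and
# fromServer points at the *source* DC's NTDS Settings object (second RDN).
$conns = Get-ADObject -LDAPFilter '(objectClass=nTDSConnection)' -SearchBase $configNC `
            -Properties fromServer, options, whenCreated, enabledConnection

$rows = foreach ($c in $conns) {
    [pscustomobject]@{
        Destination  = Get-ServerFromDN $c.DistinguishedName 2
        Source       = Get-ServerFromDN $c.fromServer 1
        KccGenerated = (([int]$c.options) -band 0x1) -ne 0   # NTDSCONN_OPT_IS_GENERATED
        Enabled      = $c.enabledConnection -ne $false       # absent attribute = enabled
        Created      = $c.whenCreated
    }
}
$rows | Sort-Object Destination, Source | Format-Table -AutoSize

# Sanity check: every server object under CN=Sites should be the destination of
# at least one connection. The KCC does not build a full mesh; a ring with a few
# extra edges is the normal shape, so "not connected to everybody" is not a fault.
$allDCs  = Get-ADObject -LDAPFilter '(objectClass=server)' -SearchBase "CN=Sites,$configNC" |
           ForEach-Object { $_.Name }
$missing = $allDCs | Where-Object { $_ -notin $rows.Destination }
if ($missing) { Write-Warning "No inbound connection object for: $($missing -join ', ')" }
```

A server object that shows up in the warning but no longer exists as a DC is usually a leftover from an incomplete demotion and deserves a metadata cleanup rather than a manual connection object. For the actual replication state, as opposed to the topology, `repadmin /replsummary` and `repadmin /showrepl` are still the tools to read.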
RE: [ActiveDir] Question on Replication Topology
I wasn't answering with any specific setup in mind...the previous poster asked about the single-domain part. I don't know where it came from and it wasn't really important to my answer...but yes, if you have more than one domain then you will still have the same requirements (meaning separate the IM from the GC or make *all DCs* GCs).

Rob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Rob,

My understanding is that he has two domains in the forest: empty root and a production child domain. Though the forest root domain is empty, it still has 2 domains.

quote
We have:
Forest Root Domain (Empty)
  DC1 (Holds all 5 roles) (the DC offline for 26 hours)
  DC2
One Domain in the Forest
  DC4
  DC5 (Holds all 5 Roles)
  DC6
/quote

Now looking again at this layout makes me a bit confused, as child domains can hold only 3 FSMOs. Rocky, can you explain what you actually have there? Single-domain forest or empty root domain + child domain?

Guy
RE: [ActiveDir] Question on Replication Topology
Exactly...same conclusion...whew! Glad we got that out of the way...hehe.

Have a great afternoon!
Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

I read it to be that he has 2 domains. He fat-fingered the number of FSMO roles in the child. But the conclusion is still the same - when all DCs are GCs in a given domain, IM and GC can co-exist.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
RE: [ActiveDir] Question on Replication Topology
Correct...it can, unless all DCs are GCs

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Tuesday, August 16, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

In that case I believe that running the IM on GCs can cause issues. The IM in the child domain has almost no phantoms to track, but the IM in the forest root would try talking to itself and would fail to update phantoms for all the user/group/computer/etc objects in the child domain.

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, August 16, 2005 6:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

We have a Forest root domain (technically empty: no accounts and groups other than default) (win.jws.com.)

We have a single production domain under the forest root. (ot.win.jws.com.)

Rocky
__
RE: [ActiveDir] Question on Replication Topology
The part that is throwing me for a loop is that they both seem to be saying the same thing...if all DCs in a multi-domain forest are GCs then it doesn't matter where the IM goes, since there aren't any phantoms created and thus there aren't any phantoms to keep track of.

Phantoms are created (Dean, Brett, Eric...correct me if I'm mistaken) when we (we are DCs) don't have knowledge of the object. I don't know about an object since it's not in my database, but in the database of another DC somewhere. So when you ask me to reference those objects on the other DCs (i.e. adding users from other domains to groups in yours) I need some way to reference them. I will create phantoms to reference these objects since they don't really exist in my database.

Well, the problem with having the GC on the IM is that if I'm a GC then I will have a copy of the object (read-only, but still a copy), so there will be no need for me to create a phantom, thus the problem where my references to your objects get all outta whack.

If you have only one domain, again we will have no reason to create these freaking phantoms (phantom sounds evil anyway) so the IM will be sitting there doing nothing all day (how lazy!).

If everyone is a GC regardless of the # of domains then I again won't create a phantom (unless it's for a FSP or something along those lines not really relating to this discussion) since I have the object handy locally.

Please chime in if there is something to add / correct...imagine if the KB article was as jumbled up as the above paragraph. I can almost hear the phone ringing now...

Have a good one guys!
Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 16, 2005 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

I love this particular discussion. I can never quite follow the reasoning why about the IM/GC issue... but learn a little more about it each time.

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Tuesday, August 16, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

Deji,

Thank you for pointing out my mistake. You are correct. DC5 holds all 3 roles, not all 5 roles. It's the details, I know. I can just hear joe now, SEE, SEE, This is what I'm always talking about!

Rocky
RE: [ActiveDir] Question on Replication Topology
I'm kinda confused as to what the confusion is about... What is he saying that is different than what you're saying? Hehe

Cheers!
rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 1:15 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

For my own purposes, I am interested to know why it is you interpret the whitepaper you posted a link to as supporting your case; it clearly states -

Multidomain forest where every domain controller in a domain holds the global catalog: If every domain controller in a domain that is part of a multidomain forest also hosts the global catalog, there are no phantoms or work for the infrastructure master to do. The infrastructure master may be put on any domain controller in that domain.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

I am afraid not...

One of the common replies and misunderstood rumors is that the Infrastructure Master (IM) is only allowed to run on a Global Catalog Server (GC) if every Domain Controller (DC) in the Forest is a Global Catalog Server. That rumor is just based on misleading wording.

The infrastructure master's job is to compare objects of the local domain against objects in other domains of the same forest. If the server holding the infrastructure master is also a global catalog it won't ever see any differences, since the global catalog holds a partial copy of every object in the forest itself. Therefore the infrastructure master won't do anything in its domain. However, if every DC in the Domain is also a global catalog server there's no job for the IM, since the GC already knows about the objects of other domains.

So if you look at the job the IM has to do, it's pretty clear that it may reside on a GC if it's a single domain forest (no need to pull updates from other domains). It's also pretty clear that it may reside on a GC if it's in a multiple domain forest but every DC in the domain where the IM runs on the GC is also a GC (no need to pull updates since the GC knows everything). So the following infrastructure is a valid configuration:

One domain:
  R-DC1 (GC + IM)
  R-DC2 (GC)
  R-DC3-x (must be GC)

Other domain:
  O-DC1 (GC)
  O-DC2 (IM)
  O-DC3-x (might or might not be GC, does not matter)

The first domain does not need to pull updates since the GCs know everything; the other domain has the IM running on a non-GC so it pulls the updates and replicates them to other DCs.

The following KB states that correctly: http://support.microsoft.com/kb/223346/EN-US/

So to be short:

The Infrastructure Master is not allowed to run on a Global Catalog Server if either
  there are multiple Domains in the Forest
  there are Domain Controllers in the same Domain which are not Global Catalog Servers

The Infrastructure Master is allowed to run on a Global Catalog Server in a Domain if either
  there's only one Domain in the Forest
  every Domain Controller in the Domain in question is a Global Catalog Server
---

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 8:26 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

I'm afraid it's not correct; when all DCs are GCs (within a single domain), the IM can happily co-reside with a GC. I'd also mention that the impact the IM imposes on a DC is typically negligible (forest design can impact that statement to some extent, but I've not personally seen a forest designed or utilized that badly).

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
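The rule the thread converges on (IM on a GC is fine in a single-domain forest, or in any domain where every DC is a GC; otherwise it is misplaced) is easy to check mechanically. The script below is an added example, not from the thread or the KB article, that evaluates it for every domain in the forest. It assumes the ActiveDirectory module and an account that can query each domain's DCs; `netdom query fsmo` or `dcdiag /test:knowsofroleholders` give the role holders by hand if you prefer.

```powershell
# Added example (not from the thread): report, per domain, whether the
# Infrastructure Master sits on a GC and whether that matters under the rule
# discussed above. Assumes the ActiveDirectory module and forest-wide read access.
Import-Module ActiveDirectory
$forest = Get-ADForest
$singleDomainForest = ($forest.Domains.Count -eq 1)

$result = foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
    $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    if (-not $im) {
        # Role holder not found among the domain's DCs: stale FSMO reference or
        # the DC is unreachable. Either way the row below cannot be trusted.
        Write-Warning "$domainName : IM '$($domain.InfrastructureMaster)' not found among its DCs"
    }
    $imIsGC = [bool]($im.IsGlobalCatalog)
    $allGC  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

    # IM on a GC is harmless when the forest has one domain, or when every DC in
    # this domain is a GC (nothing is a phantom, so the IM has nothing to fix).
    $misplaced = (-not $singleDomainForest) -and $imIsGC -and (-not $allGC)

    [pscustomobject]@{
        Domain               = $domainName
        InfrastructureMaster = $domain.InfrastructureMaster
        IMIsGC               = $imIsGC
        AllDCsAreGC          = $allGC
        DCCount              = $dcs.Count
        Misplaced            = $misplaced
    }
}
$result | Format-Table -AutoSize
```

Re-run it after any DC is promoted without the GC flag: a domain where "all DCs are GCs" today stops satisfying the rule the moment one non-GC DC is added, and nothing in AD warns you when that happens.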
RE: [ActiveDir] lost and found
It's really hard to tell based on that, but a few guesses are:

Someone deleted an OU, then fixed a replication problem after tombstone lifetime had passed...this OU had many child OUs which might be the ones you see...maybe the attribute for parent is a back-link or something like that, where it will be blank if the object it references doesn't exist (that is a complete guess...I don't know that this works that way...it was used as an example).

All other explanations are variations of tombstone lifetime, replication problems, etc...

Can you give us more detail about these objects? Whether you should be concerned may depend solely on whether the person you inherited the forest from is concerned :-0

It's hard to say right now...

Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 16, 2005 2:27 PM
To: activedirectory
Subject: [ActiveDir] lost and found

I'm inheriting this forest (which we are migrating away from) which has a ton of objects in the lost and found container in the domain NC (users, OUs with about 2000 objects in them, etc). None of them have the lastKnownParent attrib set.

Is this something to be concerned with? Is there a reason there would be so many objects in here?

Thanks
RE: [ActiveDir] lost and found
I think that maybe the stray users / computers were just direct children of the OU which was deleted...it's virtually impossible to know without digging a bit more...maybe they decommissioned a DC and then brought it back later. If you're not currently experiencing any replication problems and all the DCs are valid, working, sharing sysvol, bla, bla, bla...then it's really a judgement call if you wanna just delete those objects or dig some more to find out their origin. I would be certain that they aren't being used, if they were real user / computer accounts then you may have some users / computers who are mysteriously not getting the right GPO's or who's scripts are failing because the DN of the object is different... May the force be with you! Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Tuesday, August 16, 2005 3:10 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] lost and found Some OU's are acutally named old-ou or deleted-ou, so they knew they were getting rid of them. I jusy wondered why they would end you there. The ou's are nested at least3 deep. there are also some stray parent-less user and computer accounts. I guess it's just a result of serious on going replication issues or a movetree gone bad? Unfortunately the persons responsible are long gone for not the best of reasons... thanks On 8/16/05, Robert Williams (RRE) [EMAIL PROTECTED] wrote: It's really hard to tell based on that but a few guesses are: Someone deleted an OU, then fixed a replication problem after tombstone lifetime has passed...this OU had many child OU's which might be the ones you see...maybe the attribute for parent is a back-link or something like that where it will be blank if the object it references doesn't exist (that is a complete guess...I don't know that this works that way...it was used as an example). All other explanations are variations of tombstone lifetime, replication problems, etc... 
Can you give us more detail about these objects? Whether you should be concerned may depend solely on whether the person you inherited the forest from is concerned :-0 It's hard to say right now... Rob

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Tuesday, August 16, 2005 2:27 PM To: activedirectory Subject: [ActiveDir] lost and found

I'm inheriting this forest (which we are migrating away from) which has a ton of objects in the lost and found container in the domain NC (users, OUs with about 2000 objects in them, etc). None of them have the lastKnownParent attrib set. Is this something to be concerned with? Is there a reason there would be so many objects in here? Thanks
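As an added example (not something posted in the thread), a PowerShell report over the domain's LostAndFound container that shows each object's lastKnownParent, whether that parent still exists, and whether a stranded user or computer account is still enabled, so the objects can be triaged instead of deleted blindly. It assumes the RSAT ActiveDirectory module and read access to the domain NC; the CSV path is a placeholder.

```powershell
# Added example, not code from the thread. Requires the RSAT ActiveDirectory
# module (Get-ADDomain / Get-ADObject) and read access to the domain NC.
Import-Module ActiveDirectory

function Get-LostAndFoundReport {
    param([string]$Server)

    $domain = if ($Server) { Get-ADDomain -Server $Server } else { Get-ADDomain }
    $laf    = $domain.LostAndFoundContainer        # CN=LostAndFound,<domain DN>
    $lookup = @{}
    if ($Server) { $lookup['Server'] = $Server }

    Get-ADObject -SearchBase $laf -SearchScope Subtree -Filter * `
        -Properties lastKnownParent, whenChanged, userAccountControl @lookup |
        Where-Object { $_.DistinguishedName -ne $laf } |
        ForEach-Object {
            # lastKnownParent is the DN the object lived under before it was
            # orphaned; if that container still exists the object can simply
            # be moved back, otherwise someone has to decide where it belongs.
            $parentExists = $false
            if ($_.lastKnownParent) {
                try {
                    $null = Get-ADObject -Identity $_.lastKnownParent @lookup -ErrorAction Stop
                    $parentExists = $true
                } catch { }
            }

            # ADS_UF_ACCOUNTDISABLE = 0x2; only meaningful for user/computer objects.
            $enabled = $null
            if ((@('user', 'computer') -contains $_.ObjectClass) -and ($null -ne $_.userAccountControl)) {
                $enabled = -not ($_.userAccountControl -band 0x2)
            }

            [pscustomobject]@{
                Name            = $_.Name
                ObjectClass     = $_.ObjectClass
                LastKnownParent = $_.lastKnownParent
                ParentExists    = $parentExists
                Enabled         = $enabled
                WhenChanged     = $_.whenChanged
                DN              = $_.DistinguishedName
            }
        }
}

# Enabled user/computer accounts stranded here are the ones to look at first:
# they still authenticate, but no longer receive the GPOs of the OU they came from.
$report = Get-LostAndFoundReport
$report | Sort-Object ObjectClass, Name | Format-Table -AutoSize
$report | Where-Object { $_.Enabled -eq $true } |
    Export-Csv -Path '.\lostandfound-enabled.csv' -NoTypeInformation   # placeholder path
```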
RE: [ActiveDir] ok, last one really
I'm certain this can be done Tom...I'm in a hurry at the moment so I can't do the research...but you may want to use your favorite search engine (for instance, MSN Search) and look for the following: text file input and vbs That may give you enough to go on and find what you wish to do. I'm 100% certain this can work though as I've done it before. I just don't have that script handy at the moment (reference 'the hurry'). If you can't find it, please repost (or reply to me) and I'll find something. Look and Ye shall find!! Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Saturday, August 13, 2005 7:41 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] ok, last one really

What I really want to do is modify that script to read all my servers with static IPs from a text file and change their DNS IPs to point to 2 new DNS servers and get rid of the old ones. We have about 500 servers and they all have static IPs and we're changing over our DNS to 2 new servers. I'd like to script pointing them to the new servers, either remotely or from a login script. The script I sent will do that but you have to enter the server names/IPs in the script and it prints info to stdout. I'd rather it read from a text file and only log errors or info to a separate file. Is this doable? thanks a lot!

On 8/12/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: How about

    While Not ts.AtEndOfStream      ' loop until the whole file has been read
        strComputer = ts.ReadLine   ' one computer name per line
    Wend
    ts.Close

James R.
Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]

From: Tom Kern [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 08/12/2005 04:32 PM AST Please respond to ActiveDir To: ActiveDir@mail.activedir.org cc: (bcc: James Day/Contractor/NPS) Subject: Re: [ActiveDir] ok, last one really

how would you write that to loop thru every line in a file? thanks

On 8/12/05, Alain Lissoir [EMAIL PROTECTED] wrote: On MSDN, you can find some sample scripts to read from a file. See at http://msdn.microsoft.com/library/en-us/script56/html/sgWorkingWithFiles.asp For instance,

    Dim fso, ts
    Const ForReading = 1
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set ts = fso.OpenTextFile("c:\test.txt", ForReading, True)
    strComputer = ts.ReadLine()
    ts.Close()

Depending on the format of your file, you can read a single line and split the comma separated computer names, or you can loop and read lines one-by-one if you have a computer name per line. Your call ... For a book on scripting and WMI, you can always have a look at my web site ;) http://www.lissware.net

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Friday, August 12, 2005 7:46 AM To: activedirectory Subject: [ActiveDir] ok, last one really

How can I change this script so I can just feed it a file of computer names so I can automate the changing of DNS servers in the client properties?

SCRIPT-

    On Error Resume Next
    strComputer = "."
    arrNewDNSServerSearchOrder = Array("192.168.0.1", "192.168.0.2")
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colNicConfigs = objWMIService.ExecQuery _
        ("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")
    WScript.Echo VbCrLf & "Computer: " & strComputer
    For Each objNicConfig In colNicConfigs
      WScript.Echo VbCrLf & "Network Adapter " & objNicConfig.Index
      WScript.Echo "  DNS Server Search Order - Before:"
      If Not IsNull(objNicConfig.DNSServerSearchOrder) Then
        For Each strDNSServer In objNicConfig.DNSServerSearchOrder
          WScript.Echo "    " & strDNSServer
        Next
      End If
      intSetDNSServers = _
          objNicConfig.SetDNSServerSearchOrder(arrNewDNSServerSearchOrder)
      If intSetDNSServers = 0 Then
        WScript.Echo "  Replaced DNS server search order list."
      Else
        WScript.Echo "  Unable to replace DNS server"   ' message text is cut off in the archive
      End If
    Next
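As an added example (not the script from the thread), a PowerShell version of what Tom asks for: read server names from a text file, set the DNS search order on each static-IP adapter through the same Win32_NetworkAdapterConfiguration class and SetDNSServerSearchOrder method the VBScript uses, and write only to a log file instead of stdout. The file paths and the two DNS addresses are placeholders, and the script is assumed to run under an account with WMI (administrator) rights on the target servers.

```powershell
# Added example, not code from the thread. Paths and DNS addresses below are
# placeholders; the account running this needs WMI/admin rights on each target.
param(
    [string]$ComputerList  = 'C:\scripts\servers.txt',            # one name per line
    [string[]]$NewDnsServers = @('192.168.0.1', '192.168.0.2'),   # new search order
    [string]$LogFile       = 'C:\scripts\dns-change.log',
    [switch]$WhatIf                                                # report only, change nothing
)

function Write-Log {
    param([string]$Level, [string]$Message)
    $line = '{0} [{1}] {2}' -f (Get-Date -Format 's'), $Level, $Message
    Add-Content -Path $LogFile -Value $line
}

if (-not (Test-Path $ComputerList)) {
    throw "Computer list not found: $ComputerList"
}

# Skip blank lines and '#' comments so a stray line cannot target the wrong host.
$computers = @(Get-Content $ComputerList |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') })

Write-Log 'INFO' ('Starting DNS change for {0} hosts -> {1}' -f $computers.Count, ($NewDnsServers -join ','))

foreach ($computer in $computers) {
    try {
        # Only IP-enabled adapters with a static configuration are touched;
        # DHCP-assigned adapters keep the DNS servers the DHCP server hands out.
        $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                    -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.IPEnabled -and -not $_.DHCPEnabled }

        if (-not $nics) {
            Write-Log 'WARN' "$computer : no static IP-enabled adapters found"
            continue
        }

        foreach ($nic in $nics) {
            $before = if ($nic.DNSServerSearchOrder) { $nic.DNSServerSearchOrder -join ',' } else { '(none)' }
            $after  = $NewDnsServers -join ','

            if ($before -eq $after) {
                Write-Log 'INFO' "$computer adapter $($nic.Index): already set, skipping"
                continue
            }
            if ($WhatIf) {
                Write-Log 'INFO' "$computer adapter $($nic.Index): would change $before -> $after"
                continue
            }

            # SetDNSServerSearchOrder returns 0 on success; anything else is a
            # WMI/IP configuration error code, logged with the untouched old list.
            $rc = $nic.SetDNSServerSearchOrder($NewDnsServers).ReturnValue
            if ($rc -eq 0) {
                Write-Log 'INFO' "$computer adapter $($nic.Index): changed $before -> $after"
            } else {
                Write-Log 'ERROR' "$computer adapter $($nic.Index): SetDNSServerSearchOrder returned $rc (search order left as $before)"
            }
        }
    } catch {
        # Unreachable host, RPC/WMI access denied, name resolution failure, etc.
        Write-Log 'ERROR' "$computer : $($_.Exception.Message)"
    }
}

Write-Log 'INFO' 'Finished'
```

Run it once with -WhatIf to get a per-adapter before/after list in the log before changing anything.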
RE: [ActiveDir] Advice
My own opinion is that the organization should demand from the consulting firm the administrator password or an equal account immediately (as in, while they are on the phone with the person before even hanging up). Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Friday, July 29, 2005 6:22 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Advice

I'm starting a new job in a week as an AD/Exchange engineer (I posted about my anxieties before on the list). This company used to outsource all their AD/Exchange infrastructure and now they want to take control of it. As it stands, their relationship with the outsourcing firm is rocky. While the DC's and Exchange server are physically in the company, no one has Domain or Enterprise admin rights. And no one, including me, is about to attempt elevation of privileges with all the numerous ways to hack a DC when you have physical access. That would be in poor taste. My questions to the list are, if you were coming into such an environment, what are the first things you would do and look for? How much as a regular user can you glean of the AD/Exchange environment and what would be your first steps? Thanks very much. -- Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
RE: [ActiveDir] OT: new job
Thank you Tom!!! It's good to see your openness...I wish more were as honest as that... That's good stuff Rick! Often people don't bring up these fears due to the misconception that it will make them seem weak. My opinion is quite the opposite. Being afraid isn't a bad thing at all in my mind and if I were to be completely honest I would say that I was quite nervous / scared when I started my position as an RRE (Rapid Response Engineer) here at Microsoft, and I loved that fear because it makes me push myself to learn / grow. I don't mean to get all psychological / philosophical but fear is one of the biggest, if not the biggest, motivations in life. Fear of losing something you have or not getting something you want drives us to do some of the strangest things. This fear can drive you over the edge or you can rise to the occasion and try to learn from every situation. I choose the latter. Sure there are times when I think "Am I worthy" or similar fears that there's just too much to learn and not enough lifetime to learn it all in. Some of us try to pretend that we know everything and are never wrong technically and when I come across these people I'm usually chuckling inside because everyone has to know that they cannot possibly know everything and it's rather comical that this simple fact escapes notice by some of these guys / gals. There's always more to learn so just keep on trying and you will be just fine. I actually want to NEVER know everything because there's no point to being alive if I won't be learning from the people, things, situations that surround me. Please don't misunderstand me...I don't ever claim to have everything figured out. I'm on a constant quest for knowledge that I'm hoping will not end until the last breath leaves my body.
One simple thing that I tell myself from time to time when faced with something that is extremely difficult or that stretches my technical skills: "Do the best that you can do." As long as you are always trying, you can never fail. Nobody can realistically expect you to do better than trying your best since that's just not possible, and if you're doing your best, then you have no excuses to make for yourself since you're giving everything an honest effort. Sometimes you will not succeed in your efforts. I can't tell you how many times some person or another on the Microsoft team or some mailing list has got me out of jams. That's why we're all here anyway, right? We're network administrators because we want to be there when people have a problem with their computer so we can figure it out. That's been a driving force since I was a child...just to figure it out. I love that stuff!! Integrity is another attribute that is often overlooked but could not be more important. Never say anything that you know is not true...bla...bla...bla...you know what I'm saying (Never, ever lie about anything...even non-technical stuff). So that's my $0.02 anyway. You know what they say about opinions...everyone has one and they all stink ;-) OK...enough of the non-technical, bleeding-heart stuff...GET THAT SERVER WORKING NOW!!! Have a great night / morning (depending on your time zone)!! Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Saturday, July 23, 2005 11:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: new job

Tom, Make no mistake - you are experiencing many of the same 'fears' that I am. I have a BIG responsibility as I take on assignments here for Microsoft. The first question that I asked myself is "Am I REALLY good enough?"
The first thing that I was told by my boss was "You have some couple hundred to a few thousand folks to call on directly. If that's not good enough - I have a Company of 60,000 that are interested in your success. We aren't going to let you fail." Though that makes me FEEL better, it's still a lot to take in given that I was _THE_ source of knowledge and architecture at my last company. Now, I'm a minnow in a big pond. And, it's really OK. You may not directly have the resources that I have to call on, but WE are still going to be here for you. Good luck - now go get it! :O) Rick

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Saturday, July 23, 2005 1:40 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: new job

Thanks for all your replies. This really helps. As I told Al offlist, I'm gonna start asking you guys for relationship advice. Also as Al pointed out, I'm most def a generalist. I'm the only engineer at my current job with 400 users. I do the DNS (Win and BIND) as well as the routers/switches, firewall, AV, DR, wan links, Blackberry server! on top of AD/Exchange. Pretty much everything but help desk.
RE: [ActiveDir] OT: new job
That's interesting...I think I got an e-mail from a recruiter about that position. :-) Good luck man!!! Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Saturday, July 23, 2005 10:09 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: new job

I just got offered a position with a consulting company where I would be consulting full time for a major financial corp in NYC as their AD/Exchange guy. I'm a little nervous and I was wondering if anyone here had experience with big financial corps and IT. Is it very different from doing IT for a normal company? Their situation is that they outsourced all their Exchange/AD infrastructure and now they want to take it back and have someone support it full time. As it stands, their relationship is not so hot with the outsourcing firm, which is reluctant to give them too much info. In fact I don't think anyone there has Domain or Enterprise Admin access as it stands. Finally, the other thing that makes me nervous is, I'd be working fulltime for the consulting firm (until after 3 months; if the financial corp would want me to join them fulltime, I'd work for them). In the consulting company handbook, which it clearly states is not legally binding, they state in bold letters that they reserve the right to let you go for any reason. That kinda scares me. Is that normal? Are they just covering their butt? Thanks. My apologies for the way OT.
-- Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
RE: [ActiveDir] OT: new job
P.S. I live in NYC as well...do you shoot pool?? Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Saturday, July 23, 2005 10:09 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: new job
RE: [ActiveDir] OT: new job
Sorry to spam you man... Yes, most states have a right to hire law which MUST (by LAW) appear somewhere at the place of employment. They are just reminding you of this in your handbook. Also, the fact that it's a consulting firm I figure they would say that anyway so that if things aren't working out they can just say "Thanks, bye!". Keep on trying and you'll be fine...never give up!!! Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Saturday, July 23, 2005 10:09 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: new job
-- Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
RE: [ActiveDir] Modify multiple users
I was going to suggest that deleting the OU or running DCPromo would modify the attributes pretty quickly but somehow I don't think that's what he is looking for. Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center Mobile Phone: (917) 572-9973

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Thursday, June 30, 2005 5:05 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Modify multiple users

First, how do you define 'multiple users' ... a query of some kind, perhaps based upon a common value or group membership? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Thursday, June 30, 2005 5:01 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Modify multiple users

How can I quickly change the 'extensionAttribute' of multiple users in a domain? VBScript? ADMod? Devon Harding Windows Systems Engineer Southern Wine Spirits - BSG 954-602-2469
Recall: [ActiveDir] Modify multiple users
Robert Williams (RRE) would like to recall the message, [ActiveDir] Modify multiple users.
RE: [ActiveDir] Modify multiple users
Sorry...hit send too soon :-) It really depends on whatever you're most comfortable with. Myself, I haven't used admod so I would probably write a VBS script and take some of the sample scripts located here: http://www.microsoft.com/technet/scriptcenter/default.mspx Then fiddle with them until I got what I wanted...it just takes some time to read and get comfortable with scripting. Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center

-Original Message- From: Robert Williams (RRE) Sent: Thursday, June 30, 2005 5:16 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Modify multiple users
RE: [ActiveDir] Dns start up
And if you want a handy-dandy way to do it via a script (command-line): 842561 How to install the Microsoft Loopback Adapter in Microsoft Windows http://support.microsoft.com/?id=842561 I like having the loopback adapter around especially if you're messing with virtual server / vmware...I guess with regard to it being enabled by default, the functionality is there...meaning: The route table on any NT or better (probably on older ones too but I really don't care about those :-)) sends anything destined for 127.x.x.x to 127.0.0.1 and the traffic makes it to my network card, so the driver defaults to accept for the loopback address. I can't explain the reasons it's not there by default but it seems easy enough to get it there if you want it there. If it were there by default then people would probably be upset that we assumed they wanted it there :-) Catch-22 I guess...lol Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, June 30, 2005 8:31 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Dns start up

That worked. Thanks. I never understood why MS didn't just enable this as a given like most *nixes do? Thanks a lot guys!! -- Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
I guess with regard to how long it will take the logs to wrap...it depends on too many things to even try and predict...for instance, you can log different severities of info (by modifying reg settings)...or you can also set in the registry how many log files you wish to keep. Maybe even more relevant is how much data you're replicating and the rate of change for files...too much stuff to predict. :-) You can however just stop your ntfrs service and delete all the ntfrs_000x.log files. Then you would see if that same error came back. FRSDiag will keep reporting it as an error because part of its job is to scan all the log files and look for errors...so it will keep reporting those same errors as long as they are in the log files. I hope it doesn't come back...it would be rather strange to me that you get that error and are able to replicate in both directions. Did you by any chance have any other DCs in this domain in the past...did you maybe rebuild this DC with the same name and not do a metadata cleanup first to remove the old DC's data...I'm reaching here for various things that might produce that error...since you're replicating fine in both directions what my next suspicion would be is that you have some left over connection objects from another server. Check something real quick while you're there... Open up adsiedit.msc (from the support tools I believe). Go to the following location:

    Domain [yourdomain.com]
      DC=yourdomain,DC=com
        CN=System
          CN=File Replication Service
            CN=Domain System Volume (SYSVOL share)

How many nTFRSMember objects do you see in there on the right pane (should be 2 for you)? Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N.
Leali Sent: Wednesday, June 29, 2005 9:22 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

It appears as if it's a recurring error. I agree with your logic about not fixing what isn't broken. I waited a week before I posted here to see if the error cleared. No luck. How long does it take the FRS logs to wrap? Can they be cleared manually? R-

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick Sent: Tuesday, June 28, 2005 2:07 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

So even though you are replicating fine both ways and you don't see any real problem - you want to open a PSS case for this error in a debug log? Is this a consistent error in your FRS logs or was it a one time error? I dunno - just seems kinda silly to me to tshoot something which may have been a passing network hiccup or is simply not occurring any more. FRSdiag is simply parsing out your FRS logs for keywords - as long as those entries are in your logs (until the logs wrap) you will get the alert. The real deal is to see if your latest log entries have the same error. my .02 steve

- Original Message - From: Robert N. Leali [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, June 28, 2005 11:38 AM Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

Tried your suggestion and the file does replicate in both directions in the sysvol folder. Firewalls are off on both DC's and I successfully did portqry on the ports shown in the KB article (NtFRS Service, MS NT Directory DRS). My ports were slightly different but I was guessing that was expected behavior. (DC1 used 1071,1025,1030 and DC2 used 1053,1026,1027) Guess I'll take your other advice and open a case with PSS. Thanks!
Robert -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE) Sent: Tuesday, June 28, 2005 11:19 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED Hey Robert...you mentioned I can put a txt file in my sysvol share on one DC and see it replicate to the other DC. Which DC did you put the file on? My point is that maybe replication is broken in only one direction. Try putting a file on each DC named DCNAME.txt and see if you see that file replicate in *both* directions. Usually that error would indicate that there are RPC communication problems or that the FRS service is stopped but you said it was running. Maybe FRS is broken in one direction due to the firewall running on the other side (just a stab in the dark without knowing if FRS is replicating in both directions yet). FRS is pretty sticky sometimes and the detailed documentation is rather difficult to come across...it may be a good idea to open a case with PSS if you really wanna get to the bottom of things. Or you can feel free to keep posting here but it may take weeks to get all the details out so that any progress would be made (FRS is hard
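As an added example (not something posted in the thread), a PowerShell check for the nTFRSMember count Rob asks about: it lists the member objects under the SYSVOL replica set at the ADSI path above and flags any whose frsComputerReference no longer points at a current domain controller, which is what a DC rebuilt under the same name without a metadata cleanup would leave behind. It assumes the RSAT ActiveDirectory module and that frsComputerReference is populated, as it is on nTFRSMember objects.

```powershell
# Added example, not code from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-SysvolFrsMembers {
    $domainDN   = (Get-ADDomain).DistinguishedName
    # Same container Rob walks to in adsiedit.msc.
    $replicaSet = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDN"
    # Computer-object DNs of the DCs the domain currently knows about.
    $dcComputers = @(Get-ADDomainController -Filter * | ForEach-Object { $_.ComputerObjectDN })

    Get-ADObject -SearchBase $replicaSet -SearchScope OneLevel `
        -LDAPFilter '(objectClass=nTFRSMember)' -Properties frsComputerReference |
        ForEach-Object {
            # frsComputerReference links the member to its DC's computer object;
            # a dangling or non-DC reference means a stale member from an old DC.
            $ref       = $_.frsComputerReference
            $refExists = $false
            if ($ref) {
                try { $null = Get-ADObject -Identity $ref -ErrorAction Stop; $refExists = $true } catch { }
            }
            [pscustomobject]@{
                Member            = $_.Name
                ComputerReference = $ref
                ComputerExists    = $refExists
                IsCurrentDC       = [bool]($ref -and ($dcComputers -contains $ref))
            }
        }
}

$members = @(Get-SysvolFrsMembers)
$members | Format-Table -AutoSize
$current = @($members | Where-Object { $_.IsCurrentDC })
$stale   = @($members | Where-Object { -not $_.IsCurrentDC })
'{0} nTFRSMember object(s): {1} belong to current DCs, {2} look stale' -f $members.Count, $current.Count, $stale.Count
```

With two DCs and a clean replica set the first count is 2 and the last is 0; a stale entry is the thing to investigate before deleting anything.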
RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
Hey Robert...you mentioned "I can put a txt file in my sysvol share on one DC and see it replicate to the other DC." Which DC did you put the file on? My point is that maybe replication is broken in only one direction. Try putting a file on each DC named DCNAME.txt and see if you see that file replicate in *both* directions. Usually that error would indicate that there are RPC communication problems or that the FRS service is stopped but you said it was running. Maybe FRS is broken in one direction due to the firewall running on the other side (just a stab in the dark without knowing if FRS is replicating in both directions yet). FRS is pretty sticky sometimes and the detailed documentation is rather difficult to come across...it may be a good idea to open a case with PSS if you really wanna get to the bottom of things. Or you can feel free to keep posting here but it may take weeks to get all the details out so that any progress would be made (FRS is hard enough to troubleshoot in person sometimes...hehe) I hope that was helpful; have a great afternoon! Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali Sent: Tuesday, June 28, 2005 10:15 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

I'm getting the following error when I run the FRSDIAG utility.

    FRSDiag v1.7 on 6/28/2005 8:08:25 AM
    .\jao-dc1 on 2005-06-28 at 8.08.25 AM
    Checking for errors in Directory Service Event Log passed
    Checking for minimum FRS version requirement ... passed
    Checking for errors/warnings in ntfrsutl ds ... passed
    Checking for Replica Set configuration triggers... passed
    Checking for suspicious file Backlog size... passed
    Checking Overall Disk Space and SYSVOL structure (note: integrity is not checked)... passed
    Checking for suspicious inlog entries ... passed
    Checking for suspicious outlog entries ... passed
    Checking for appropriate staging area size ... passed
    Checking for errors in debug logs ...
    ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 883: S0: 18:16:33 ++ ERROR - EXCEPTION (06d9) : WStatus: EPT_S_NOT_REGISTERED
    ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 884: S0: 18:16:33 :SR: Cmd 01225c78, CxtG a0cc0d78, WS EPT_S_NOT_REGISTERED, To jao-ad.lajao.org Len: (366) [SndFail - rpc exception]
    ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 904: S0: 18:16:33 :SR: Cmd 01225c78, CxtG a0cc0d78, WS EPT_S_NOT_REGISTERED, To jao-ad.lajao.org Len: (366) [SndFail - Send Penalty]
    Found 3 EPT_S_NOT_REGISTERED error(s)! Latest ones (up to 3) listed above . failed with 3 error entries
    Checking NtFrs Service (and dependent services) state...passed
    Checking NtFrs related Registry Keys for possible problems...passed
    Checking Repadmin Showreps for errors...passed

I have 2 domain controllers in a Windows 2003 Domain both running AD Integrated DNS. I followed the KB Article 839880 How to troubleshoot RPC Endpoint Mapper errors in Windows Server 2003 and was not able to produce an error following all of the tests mentioned in the article that I ran.
(DCDIAG, NETDIAG, Repadmin, Ntdsutil, Gpotool, Portqry) I did not run ADMT or DCPROMO. I also ran nslookup and verified my DNS was returning the proper IP address. I checked to see if the FRS service was running on both computers and it is indeed started. I can put a txt file in my sysvol share on one DC and see it replicate to the other DC. Everything seems to be working properly. Can I safely ignore this error? Does anyone know of a KB article that can help me correct this error or shed some light on what might be causing the error? Robert The information contained in this e-mail transmittal, including any attached document(s) is confidential. The information is intended only for the use of the named recipient. If you are not the
RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
Robert...hold on a sec, before you open a case. Are those your only two DC's? Their names are DC1 and DC2?? In your FRS debug log, you see that the EPT_S_NOT_REGISTERED is referring to jao-ad.lajao.org. Was jao-ad at some point a domain controller, or does that name have any other significance to you? If that used to be a DC, then I'd recommend going through this article to remove all the metadata junk: 216498 How to remove data in Active Directory after an unsuccessful domain http://support.microsoft.com/?id=216498 You didn't mention any other problems, but if you once had this jao-ad server as a DC then the KCC on your other DC's would be complaining in the event log because they can't replicate with jao-ad. If I just saved you $245, a big THANK YOU will do :-) Come to think of it, if I just saved YOU $245 dollars then I just cost myself $245 dollars (I own part of the company of course). Please disregard everything above...LOL :-) Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali Sent: Tuesday, June 28, 2005 2:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED Tried your suggestion and the file does replicate in both directions in the sysvol folder. Firewalls are off on both DC's and I successfully did portqry on the ports shown in the KB article (NtFRS Service MS NT Directory DRS). My ports were slightly different but I was guessing that was expected behavior. (DC1 used 1071,1025,1030 and DC2 used 1053,1026,1027) Guess I'll take your other advice and open a case with PSS. Thanks! 
Robert -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE) Sent: Tuesday, June 28, 2005 11:19 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED Hey Robert...you mentioned I can put a txt file in my sysvol share on one DC and see it replicate to the other DC. Which DC did you put the file on? My point is that maybe replication is broken in only one direction. Try putting a file on each DC named DCNAME.txt and see if you see that file replicate in *both* directions. Usually that error would indicate that there are RPC communication problems or that the FRS service is stopped but you said it was running. Maybe FRS is broken in one direction due to the firewall running on the other side (just a stab in the dark without knowing if FRS is replicating in both directions yet). FRS is pretty sticky sometimes and the detailed documentation is rather difficult to come across...it may be a good idea to open a case with PSS if you really wanna get to the bottom of things. Or you can feel free to keep posting here but it may take weeks to get all the details out so that any progress would be made (FRS is hard enough to troubleshoot in person sometimes...hehe) I hope that was helpful; have a great afternoon! Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali Sent: Tuesday, June 28, 2005 10:15 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED I'm getting the following error when I run the FRSDIAG utility. FRSDiag v1.7 on 6/28/2005 8:08:25 AM .\jao-dc1 on 2005-06-28 at 8.08.25 AM Checking for errors in Directory Service Event Log passed Checking for minimum FRS version requirement ... passed Checking for errors/warnings in ntfrsutl ds ... 
passed Checking for Replica Set configuration triggers... passed Checking for suspicious file Backlog size... passed Checking Overall Disk Space and SYSVOL structure (note: integrity is not checked)... passed Checking for suspicious inlog entries ... passed Checking for suspicious outlog entries ... passed Checking for appropriate staging area size ... passed Checking for errors in debug logs ... ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 883: S0: 18:16:33 ++ ERROR - EXCEPTION (06d9) : WStatus: EPT_S_NOT_REGISTERED ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End
RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
I completely agree with Steve here...if you don't see a problem, don't call. But if it's bugging the hell out of you and is worth the dime (a few dimes, actually) then do what you need to do :-) Are there any other items in your FRSDiag that are alarming, or is this one the only one? If you don't see other indications of a problem currently happening, then they won't have much to troubleshoot if you called anyway :-) Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick Sent: Tuesday, June 28, 2005 3:07 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED So even though you are replicating fine both ways and you don't see any real problem - you want to open a PSS case for this error in a debug log? Is this a consistent error in your FRS logs or was it a one-time error? I dunno - just seems kinda silly to me to troubleshoot something which may have been a passing network hiccup or is simply not occurring any more. FRSdiag is simply parsing out your FRS logs for keywords - as long as those entries are in your logs (until the logs wrap) you will get the alert. The real deal is to see if your latest log entries have the same error. my .02 steve - Original Message - From: Robert N. Leali [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, June 28, 2005 11:38 AM Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED Tried your suggestion and the file does replicate in both directions in the sysvol folder. Firewalls are off on both DC's and I successfully did portqry on the ports shown in the KB article (NtFRS Service MS NT Directory DRS). My ports were slightly different but I was guessing that was expected behavior. (DC1 used 1071,1025,1030 and DC2 used 1053,1026,1027) Guess I'll take your other advice and open a case with PSS. 
Thanks! Robert -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE) Sent: Tuesday, June 28, 2005 11:19 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED Hey Robert...you mentioned I can put a txt file in my sysvol share on one DC and see it replicate to the other DC. Which DC did you put the file on? My point is that maybe replication is broken in only one direction. Try putting a file on each DC named DCNAME.txt and see if you see that file replicate in *both* directions. Usually that error would indicate that there are RPC communication problems or that the FRS service is stopped but you said it was running. Maybe FRS is broken in one direction due to the firewall running on the other side (just a stab in the dark without knowing if FRS is replicating in both directions yet). FRS is pretty sticky sometimes and the detailed documentation is rather difficult to come across...it may be a good idea to open a case with PSS if you really wanna get to the bottom of things. Or you can feel free to keep posting here but it may take weeks to get all the details out so that any progress would be made (FRS is hard enough to troubleshoot in person sometimes...hehe) I hope that was helpful; have a great afternoon! Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali Sent: Tuesday, June 28, 2005 10:15 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED I'm getting the following error when I run the FRSDIAG utility. FRSDiag v1.7 on 6/28/2005 8:08:25 AM .\jao-dc1 on 2005-06-28 at 8.08.25 AM Checking for errors in Directory Service Event Log passed Checking for minimum FRS version requirement ... passed Checking for errors/warnings in ntfrsutl ds ... 
passed Checking for Replica Set configuration triggers... passed Checking for suspicious file Backlog size... passed Checking Overall Disk Space and SYSVOL structure (note: integrity is not checked)... passed Checking for suspicious inlog entries ... passed Checking for suspicious outlog entries ... passed Checking for appropriate staging area size ... passed Checking for errors in debug logs ... ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 883: S0: 18:16:33 ++ ERROR - EXCEPTION (06d9) : WStatus: EPT_S_NOT_REGISTERED ERROR
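The thread leaves two open questions: is jao-ad.lajao.org still registered anywhere as a DC (the stale-metadata case), and do the three checks named in the FRSDiag message (DNS, endpoint mapper, FRS running) actually pass right now? The script below is an added example, not part of the original thread, that answers both for a name taken from the debug log. It assumes Windows PowerShell 5.1 on a domain-joined box with the RSAT ActiveDirectory module and Test-NetConnection available; the target name defaults to the one in the log.

```powershell
# Added example (not from the thread). Checks whether a name seen in an FRS
# debug log is still a registered DC, and whether DNS, the RPC endpoint mapper
# (TCP 135) and the FRS service on that name are reachable right now.
# Assumes: Windows PowerShell 5.1, RSAT ActiveDirectory module, Test-NetConnection.
param(
    [string]$Target = 'jao-ad.lajao.org'   # name from the NtFrs debug log
)
Import-Module ActiveDirectory

$shortName = ($Target -split '\.')[0]
$result = [ordered]@{ Target = $Target }

# 1. Directory view: every DC has a server object under CN=Sites in the
#    configuration partition with an "NTDS Settings" (nTDSDSA) child. A server
#    object without a live DC behind it is leftover metadata (KB 216498 territory).
$configNC = (Get-ADRootDSE).configurationNamingContext
$server = Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter "(&(objectClass=server)(cn=$shortName))"
$result['ServerObjectInSites'] = [bool]$server
$result['NtdsSettingsObject']  = $false
if ($server) {
    $ntds = Get-ADObject -SearchBase $server.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=nTDSDSA)'
    $result['NtdsSettingsObject'] = [bool]$ntds
}
$result['KnownLiveDC'] = [bool](Get-ADDomainController -Filter "Name -eq '$shortName'")

# 2. DNS: what the name resolves to, and whether the PTR record agrees with it.
#    A forward record pointing at some other machine is the "wrong computer" case.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($Target) | ForEach-Object IPAddressToString
    $result['ResolvedIPs'] = $addrs -join ','
    $result['ReverseName'] = ($addrs | ForEach-Object {
        try { [System.Net.Dns]::GetHostEntry($_).HostName } catch { 'no PTR' }
    }) -join ','
} catch {
    $result['ResolvedIPs'] = 'unresolvable'
    $result['ReverseName'] = ''
}

# 3. RPC endpoint mapper: FRS registers its dynamic port there, so TCP 135 must answer.
$result['Epm135Reachable'] = (Test-NetConnection -ComputerName $Target -Port 135 `
    -WarningAction SilentlyContinue).TcpTestSucceeded

# 4. FRS service state on the target. Get-Service -ComputerName talks to the remote
#    service control manager over RPC, so this fails too when step 3 fails.
try {
    $result['NtFrsService'] = (Get-Service -ComputerName $Target -Name NtFrs -ErrorAction Stop).Status
} catch {
    $result['NtFrsService'] = 'unreachable'
}

[pscustomobject]$result | Format-List
```

Reading the output: ServerObjectInSites or NtdsSettingsObject true with KnownLiveDC false and the name unresolvable is the stale-DC case Robert raises, and the fix is the metadata cleanup in KB 216498 rather than a network change. All four checks passing while the errors only appear in an older NtFrs_000N.log is Steve's case: the log has not wrapped yet, and there is nothing current to troubleshoot.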
RE: [ActiveDir] Account Policies
You see in his mail below the following: "Definition of account policies at OU level apply to all user accounts local to the servers in that particular OU". When you are logging in using a domain account, the domain account policies are applied; when you log on using a local machine account on the machine in the OU, then the account policy applied to the OU is applied. I hope that makes sense. Have a great day! Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Monday, June 27, 2005 3:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Account Policies Hi Jorge :) Just a note about what you said. When you set an account policy at the domain level, doesn't it override all other account policies that were set in child OUs? I thought that only account policies at the domain level apply to all domain + OU levels.. Cheers, Yann From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de Date: Mon. 
27/06/2005 21:24 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Account Policies With the setup you show us, the following applies:
Domain OU - 14 Days - applies to all user accounts in the domain and to all user accounts local to each server/client except for the servers/clients in the sales OU and the finance OU
Sales OU - 30 Days - applies to all user accounts local to each server/client located in the sales OU
Finance OU - 35 Days - applies to all user accounts local to each server/client located in the finance OU
Definition of account policies at domain level apply to all user accounts in the domain. Definition of account policies at OU level apply to all user accounts local to the servers in that particular OU. Cheers #JORGE# From: Yusuf Mayet [mailto:[EMAIL PROTECTED]] Sent: Mon 6/27/2005 9:14 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Account Policies Hi all, As far as I remember, and with best practices, you can only have the one account policy take effect in a domain, but I have a client that has changed this option.
Domain OU - 14 Days
Sales OU - 30 Days
Finance OU - 35 Days
Now I would like some clarification around this implementation of password policy? TIA -Yusuf This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
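The split Jorge and Robert describe is easy to verify rather than argue about: read the policy the domain head hands to domain accounts, then read what a member server in the Sales OU actually enforces for its local SAM accounts. The script below is an added example, not from the thread, that does that side by side. It assumes the RSAT ActiveDirectory module, PowerShell Remoting to the member server, and a placeholder server name; with the thread's numbers a server in the Sales OU should report 30 days while the domain reports 14. (Different policies for different domain user accounts only became possible with fine-grained password policy at the Windows Server 2008 domain functional level, which this script does not cover.)

```powershell
# Added example (not from the thread). Compares the domain-level account policy,
# which governs domain user accounts, with the policy a member server enforces
# for its local accounts, which is where an OU-linked account policy lands.
# Assumes: RSAT ActiveDirectory module, PowerShell Remoting; $Server is a placeholder.
param(
    [string]$Server = 'SALES-SRV01'
)
Import-Module ActiveDirectory

# Domain accounts: the password settings read from the domain head.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy

# Local accounts on the member server: 'net accounts' reports the policy in
# effect on the machine it runs on, so run it there.
$lines = Invoke-Command -ComputerName $Server -ScriptBlock { net accounts }

function Get-NetAccountsValue {
    param([string[]]$Lines, [string]$Label)
    # Lines look like "Maximum password age (days):                 42"
    $line = $Lines | Where-Object { $_ -like "$Label*" } | Select-Object -First 1
    if (-not $line) { return $null }
    ($line -replace '^[^:]*:\s*', '').Trim()
}

$localMaxAge = Get-NetAccountsValue -Lines $lines -Label 'Maximum password age (days)'
$localMinLen = Get-NetAccountsValue -Lines $lines -Label 'Minimum password length'

# MaxPasswordAge is a TimeSpan on the domain side; 'net accounts' prints days
# (or the word Unlimited), so compare by days.
[pscustomobject]@{
    Scope              = 'Domain user accounts (policy linked at the domain)'
    MaxPasswordAgeDays = $domainPolicy.MaxPasswordAge.Days
    MinPasswordLength  = $domainPolicy.MinPasswordLength
}
[pscustomobject]@{
    Scope              = "Local accounts on $Server (policy linked to its OU)"
    MaxPasswordAgeDays = $localMaxAge
    MinPasswordLength  = $localMinLen
}
```

If the second row matches the first even though an account policy is linked to the server's OU, check that the OU link is enabled and that the server actually sits in that OU; if the first row does not match what the Default Domain Policy GPO says, something else (a second GPO linked at the domain with higher precedence, or a direct edit of the domain head attributes) is winning.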
RE: [ActiveDir] Recursive serach on Root domain failed.
Try disabling VLV in Outlook; you can do that here: 820864 You Experience Performance Problems in Outlook 2003 When You Browse an http://support.microsoft.com/?id=820864 If that solves your problem then you might be hitting a known bug...contact PSS for the hotfix (or install SP1 which I believe has the fix). Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Saturday, June 25, 2005 9:01 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Recursive search on Root domain failed. Hello, When I do an LDAP recursive search (with Outlook 2003 in Exchange 2003 MAPI or php scripts) through my root Domain AD2003 (dc=domain,dc=fr), the search fails with the corresponding error: Unavailable Critical Extension. But when I put the complete DN of an OU (ou=test,dc=domain,dc=fr) then the search works. When I used Outlook Express configured in LDAP, the recursive search ... worked. My environment: Forest ad2003 raised to windows server 2003 functional level. I did an in-place upgrade from AD 2000 native mode to AD 2003. Curious thing is when I installed a fresh domain AD2003 test (without upgrade from ad2000) any recursive search (with php, outlook 2003, etc..) 
works. So I suspect that it is the migration that causes the problem but, I didn't know if such a request worked before migration :( My network trace between my workstation and any DCs confirmed the error: LDAP: ProtocolOp = SearchResponse (simple) LDAP: Result Code = Unavailable Critical Extension LDAP: Error Message = 20EF: SvcErr: DSID-031402D0, problem 5010 (UNAVAIL_EXTENSION) LDAP: Controls LDAP: Sort Response Control LDAP: Criticality = 0 (0x0) LDAP: Sort Result Code = Unwilling to Perform I contacted MS French support and they gave me the patch concerning http://support.microsoft.com/kb/841461/en-us, without success :( I found this http://support.microsoft.com/kb/842637/en-us that seems to correspond to my problem, but how do I put the script in my outlook 2003? This is in the workaround section. Any ideas? Cheers, Yann
RE: [ActiveDir] FW: Batch Script Fun
Hey Dean...I haven't tried it yet and since I'm inherently lazy I'll ask and try if I don't get a response :-) Will this work against a 2003 DC as long as setpwd.exe from 2000 is available (in the same directory the script is run from or in the %PATH%)?? Thanks man; Cheers!! Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Sunday, June 19, 2005 2:21 PM To: Send - AD mailing list Subject: RE: [ActiveDir] FW: Batch Script Fun Enclosed as a text file ... rename to a .CMD ... -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Sunday, June 19, 2005 2:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FW: Batch Script Fun Hmmm. Let me think.. YES! ;o) Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Sunday, June 19, 2005 12:57 PM To: Send - AD mailing list Subject: RE: [ActiveDir] FW: Batch Script Fun I appreciate the compliment Rick ... nothing interesting this time I'm afraid ... Anybody interested in a script that resets every DC's DSRM password to the same value? ;-) -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Sunday, June 19, 2005 1:23 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FW: Batch Script Fun Heh. I see that Dean has already answered this, so I'm most interested to see what the Wizard of the Shell Script has come up with. Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Saturday, June 18, 2005 6:00 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FW: Batch Script Fun Maybe this didn't go through this morning? 
From: Brian Desmond [mailto:[EMAIL PROTECTED] Sent: Saturday, June 18, 2005 2:34 PM To: 'ActiveDir@mail.activedir.org' Subject: Batch Script Fun Ok, here's what I need to do from within a .cmd file (this is the only hook I have into a process that runs on every workstation once an hour; no, I can't use a VBScript or any of that):
Check device's domain
If Domain MyDomain, Run netdom and remove
Reboot
Otherwise Quit
Now I figured out a way to use wmic to get the domain, but it returns multiple lines of text, and I don't have a clue how I would parse that in a batch file. The output of wmic computersystem get domain looks like this:
Z:\Files\PsTools>wmic computersystem get domain
Domain
WORKGROUP
Z:\Files\PsTools>
I just need that WORKGROUP. Ideally my script needs to work on NT and newer. I'll settle for 2000 and newer and the field guys can do the NT ones by hand if need be. The NT inventory purportedly has WMI installed, which I presume means wmic would work. I'm all up for a different way of doing this; I don't know of an environment variable or similar holding the machine's domain. Anyone got a way I can make this work? --brian
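Dean's script went out as an attachment and is not on this page, so the following is an added example written from scratch for the problem Brian states: read the machine's domain from wmic inside a .cmd file, compare it with a target domain and, on a match, remove the machine with netdom and reboot. The comparison operator in Brian's "If Domain MyDomain" line was lost by the archive; the example assumes equality (remove machines that are still in the named domain). MYDOMAIN, the netdom account, the REMOVEPW environment variable and the reboot delay are placeholders; wmic ships with XP/2003 and later, not Windows 2000, and netdom is a Support Tools binary.

```batch
@echo off
setlocal EnableExtensions
rem Added example, not Dean's attached script. Reads the machine's domain from
rem wmic, compares it with TARGET and, on a match, removes the machine with
rem netdom and reboots. Placeholders: TARGET, RemoveAcct, REMOVEPW, reboot delay.

set "TARGET=MYDOMAIN"
set "DOMAIN="

rem wmic prints a header line, then the value padded with spaces, then an empty
rem line, and ends every line with an extra CR. skip=1 drops the header; the
rem inner FOR re-parses the first token of the line, which throws away both the
rem padding and the stray CR. "if not defined" is evaluated at run time, so only
rem the first data line is kept and no delayed expansion is needed.
for /f "skip=1 delims=" %%L in ('wmic computersystem get domain') do (
    if not defined DOMAIN (
        for /f "tokens=1" %%V in ("%%L") do set "DOMAIN=%%V"
    )
)

if not defined DOMAIN (
    echo Could not read the domain from wmic. 1>&2
    exit /b 1
)
echo Machine domain: [%DOMAIN%]

rem WORKGROUP means the machine is not domain-joined; netdom remove would fail.
if /i "%DOMAIN%"=="WORKGROUP" (
    echo %COMPUTERNAME% is in a workgroup; nothing to do.
    exit /b 0
)
rem /i makes the comparison case-insensitive, as domain names are.
if /i not "%DOMAIN%"=="%TARGET%" (
    echo %COMPUTERNAME% is in %DOMAIN%, not %TARGET%; nothing to do.
    exit /b 0
)

echo Removing %COMPUTERNAME% from %TARGET% ...
rem RemoveAcct only needs rights to disable/delete computer objects, nothing more.
rem The password comes from the environment (REMOVEPW), not from this file.
netdom remove %COMPUTERNAME% /Domain:%TARGET% /UserD:%TARGET%\RemoveAcct /PasswordD:%REMOVEPW%
if errorlevel 1 goto :fail

shutdown /r /t 60 /c "Domain membership changed; rebooting in 60 seconds."
exit /b 0

:fail
rem Outside a parenthesised block, so %ERRORLEVEL% is expanded after netdom ran.
echo netdom remove failed with exit code %ERRORLEVEL%; not rebooting. 1>&2
exit /b 1
```

Two cautions for a script that runs hourly on every workstation: whatever credential netdom uses is readable by anyone who can read the script or the process environment, so give that account the minimum rights and rotate it when the job is done; and the domain check runs before anything destructive, so a machine that has already been removed (it now reports WORKGROUP) exits cleanly instead of looping through netdom and a reboot every hour.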
RE: [ActiveDir] how to allow a specific user to access the domain from one pc disallow the others
Can you please be more specific? You are seeking to allow only one specific user to log on INTERACTIVELY on your kiosk machine?? I think one way would be to give only that user account (and local Admin, of course) the Allow Logon Locally user right. This would restrict Interactive logon to only the users specified in this group policy (or local policy): Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ Allow log on locally On XP or 2003, you can log on through Remote Desktop if you have the following User Right (same path as above): \Allow Logon through Terminal Services I believe that Remote Desktop Users has the above right by default. You could take more drastic steps as well if you're afraid that the above techniques won't do the trick (e.g. permissions on C drive, Documents and Settings, HKU, etc). I hope that helped! Have a great day! Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharif Naser Sent: Sunday, June 12, 2005 3:46 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] how to allow a specific user to access the domain from one pc disallow the others Hello experts, I'm setting up a kiosk machine. My question is how do I allow a specific user to login to my domain from only one machine and disallow other users from logging in from the same machine. Regards, DISCLAIMER: This electronic message transmission contains information from Qatar Steel Company (QASCO) which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. Be aware that any disclosure, copying, distribution or use of the contents of this information, including attachments, is prohibited without the written consent of Qatar Steel Company (QASCO).
RE: [ActiveDir] how to allow a specific user to access the domain from one pc disallow the others
I meant to have this in my last post... You could put the User Right Deny Logon Locally on all machines OTHER than your kiosk machine to accomplish the other part of your scenario (logging onto ONLY one machine). The method mentioned below by Mike would suffice also for that purpose. Sorry for the extra junk in your mailbox ;-) Have a good day! Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline Sent: Sunday, June 12, 2005 5:21 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] how to allow a specific user to access the domain from one pc disallow the others To allow the user to only logon on to that machine go into their Account Tab and use the Log On To feature and only allow access to that particular machine. You could deny everyone else the right to log on locally using a policy. This is the setting in the GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment Go into Log on Locally remove Users, Power Users, and Backup Operators then add this particular user. I would not remove the administrators but you can do that and just add your account in case you ever need to access the machine interactively. Thanks Mike On 6/12/05, Sharif Naser [EMAIL PROTECTED] wrote: Hello experts, I'm setting a kiosk machine, my question is how do I allow a specific user to login to my domain from only one machine disallow other users from logging from the same machine. Regards, DISCLAIMER: This electronic message transmission contains information from Qatar Steel Company (QASCO) which may be confidential or privileged. The information is intended to be for the use of the individual or entity named above. 
Be aware that any disclosure, copying, distribution or use of the contents of this information, including attachments, is prohibited without the written consent of Qatar Steel Company (QASCO).
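Mike's "Log On To" setting and Robert's user-rights change are the two halves of the kiosk answer: the first makes the domain refuse the account from any other machine, the second makes the kiosk refuse every other account. The script below is an added example, not from the thread, that applies both and then reads back what is in effect. Part 1 runs from any machine with the RSAT ActiveDirectory module; part 2 must run elevated on the kiosk itself, since it rewrites local user rights with secedit. The user and computer names are placeholders.

```powershell
# Added example (not from the thread). (1) Restricts the account to the kiosk
# via the userWorkstations attribute (ADUC "Log On To"); (2) on the kiosk, sets
# "Allow log on locally" to Administrators plus that account only, and
# "Allow log on through Terminal Services" to Administrators only.
# Assumes: RSAT ActiveDirectory module; part 2 run elevated on the kiosk.
param(
    [string]$KioskUser     = 'kioskuser',   # placeholder sAMAccountName
    [string]$KioskComputer = 'KIOSK01'      # placeholder NetBIOS computer name
)
Import-Module ActiveDirectory

# --- Part 1: the account may only log on from the kiosk ----------------------
# LogonWorkstations takes a comma-separated list of NetBIOS names if needed.
Set-ADUser -Identity $KioskUser -LogonWorkstations $KioskComputer
$user = Get-ADUser -Identity $KioskUser -Properties LogonWorkstations
"{0} may log on to: {1}" -f $user.SamAccountName, $user.LogonWorkstations

# --- Part 2: the kiosk accepts only that account (and Administrators) ---------
# secedit wants SIDs prefixed with '*'. S-1-5-32-544 is BUILTIN\Administrators.
# The lists below REPLACE the current holders, so Users, Backup Operators etc.
# lose the interactive right, and Remote Desktop Users lose the RDP right.
$userSid   = $user.SID.Value
$adminsSid = 'S-1-5-32-544'
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *{0},*{1}
SeRemoteInteractiveLogonRight = *{0}
'@ -f $adminsSid, $userSid

$infPath = Join-Path $env:TEMP 'kiosk-rights.inf'
$dbPath  = Join-Path $env:TEMP 'kiosk-rights.sdb'
Set-Content -Path $infPath -Value $inf -Encoding Unicode   # secedit expects UTF-16
# Only the USER_RIGHTS area is written; other local policy areas are untouched.
secedit /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet

# --- Verify what is now in effect on the kiosk ------------------------------
$exportPath = Join-Path $env:TEMP 'kiosk-rights-export.inf'
secedit /export /cfg $exportPath /areas USER_RIGHTS | Out-Null
Get-Content $exportPath |
    Where-Object { $_ -match '^Se(Interactive|RemoteInteractive)LogonRight' }
```

Two caveats. A local secedit change is overwritten at the next policy refresh by any GPO linked to the kiosk's OU that also defines those rights, so for anything beyond a one-off, put the same two settings in a GPO scoped to the kiosk. And "Log On To" only restricts where the account may log on interactively as a domain account; it does not stop the same person using a different account on the kiosk, which is exactly why the user-rights half is needed.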
RE: [ActiveDir] Security permissions on user object
Also keep in mind that if you were ever a member of one of these protected groups, your inheritance will not be turned on again, nor will the adminCount attribute be reset to 0...so you can change those back when you know the user isn't a member of one of the protected groups (changing those values before ensuring this will result in the values being reset, as you are well aware by this point). AdminCount is just a bookkeeping method to know that the ACL has been stamped by AdminSDHolder. I hope that helps. Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Wednesday, June 08, 2005 4:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Security permissions on user object It sounds like it's the adminSDHolder behavior that's getting you. Are the users members of any of the other protected groups? It varies across versions; IIRC 2003 added more groups. The articles below should help point in the right direction. http://support.microsoft.com/default.aspx?scid=kb;en-us;318180 http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Wednesday, June 08, 2005 12:26 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Security permissions on user object We migrated all our users from an NT4 domain to our AD domain. Anyone who was in Domain Admins on our NT4 domain got migrated into Domain Admins on our AD domain. We took them out of Domain Admins on our AD domain, but their accounts are inheriting the permissions like a normal user inherits. Whenever someone who is NOT a domain admin tries to reset a password or modify any properties of these migrated Domain Admins who are no longer Domain Admins, they are denied access. 
If I open up one of these users, they are not inheriting the permissions on their user object like every other normal user does. If I open their account and go to the object security, the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here." box is not checked like every other user. If I check the box, others are temporarily able to modify that former domain admin's account, but eventually the box is unchecked again and they inherit their old security on their user object and it's broken again. I know that I once read that this is by design, but how the heck do I fix these users once and for all? ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE: [ActiveDir] Security permissions on user object
Well...I guess you can reset it for all of them and count on the AdminSDHolder thread to reset them to 1 in about an hour or so...other than that, the logic needed in a script to differentiate between users who are / are not currently in one of the protected groups would be astounding. You shouldn't have a problem trusting the fact that it will happen to the accounts still in the protected groups since that's what got you there in the first place :-) Hopefully that was helpful...have a great night! Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center From: Rimmerman, Russ [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 08, 2005 8:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Security permissions on user object OK, looks like y'all are on the right track. I found the script in the KB article to reset all the admincounts to 0, but that sounds scary. Can't I selectively set admincounts to 0 on a user-by-user basis somehow? Or is it safe to reset all users' admincounts to 0? I see Administrator in there, so that VBScript in http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 scares me. From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE) Sent: Wed 6/8/2005 6:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Security permissions on user object Also keep in mind that if you were ever a member of one of these protected groups, your inheritance will not be turned on again, nor will the adminCount attribute be reset to 0...so you can change those back when you know the user isn't a member of one of the protected groups (changing those values before ensuring this will result in the values being reset, as you are well aware by this point). AdminCount is just a bookkeeping method to know that the ACL has been stamped by AdminSDHolder. I hope that helps. 
Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Wednesday, June 08, 2005 4:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Security permissions on user object It sounds like it's the adminSDHolder behavior that's getting you. Are the users members of any of the other protected groups? It varies across versions; IIRC 2003 added more groups. The articles below should help point in the right direction. http://support.microsoft.com/default.aspx?scid=kb;en-us;318180 http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Wednesday, June 08, 2005 12:26 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Security permissions on user object We migrated all our users from an NT4 domain to our AD domain. Anyone who was in Domain Admins on our NT4 domain got migrated into Domain Admins on our AD domain. We took them out of Domain Admins on our AD domain, but their accounts are inheriting the permissions like a normal user inherits. Whenever someone who is NOT a domain admin tries to reset a password or modify any properties of these migrated Domain Admins who are no longer Domain Admins, they are denied access. If I open up one of these users, they are not inheriting the permissions on their user object like every other normal user does. If I open their account and go to the object security, the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here." box is not checked like every other user. If I check the box, others are temporarily able to modify that former domain admin's account, but eventually the box is unchecked again and they inherit their old security on their user object and it's broken again. 
I know that I once read that this is by design, but how the heck do I fix these users once and for all? ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE: [ActiveDir] Security permissions on user object
Oh certainly...that would work quite well. Joe, how much should he charge for that ;-)

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 08, 2005 10:52 PM
To: Robert Williams (RRE); ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

Can I just use ADSIEDIT and go to individual users and set the admincount to 0? Will that stick? If that works, I could write a winbatch that will prompt for a username, and set their admincount to 0 automatically.

From: Robert Williams (RRE) [mailto:[EMAIL PROTECTED]
Sent: Wed 6/8/2005 8:34 PM
To: Rimmerman, Russ; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

Well...I guess you can reset it for all of them and count on the AdminSDHolder thread to reset them to 1 in about an hour or so...other than that, the logic needed in a script to differentiate between users who are / are not currently in one of the 'protected groups' would be astounding. You shouldn't have a problem trusting the fact that it will happen to the accounts still in the protected groups since that's what got you there in the first place :-)

Hopefully that was helpful...have a great night!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 08, 2005 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

OK, looks like y'all are on the right track. I found the script in the KB article to reset all the admincounts to 0, but that sounds scary. Can't I selectively set admincounts to 0 on a user-by-user basis somehow? Or is it safe to reset all users' admincounts to 0? I see Administrator in there, so that vbscript in http://support.microsoft.com/default.aspx?scid=kb;en-us;817433 scares me.

From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE)
Sent: Wed 6/8/2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

Also keep in mind that if you were ever a member of one of these 'protected groups' that your inheritance will not be turned on again, nor will the admincount attribute be reset to 0...so you can change those back when you know the user isn't a member of one of the 'protected groups' (changing those values before ensuring this will result in the values being reset...as you are well aware by this point). AdminCount is just a 'book keeping' method to know that the ACL has been stamped by AdminSDHolder. I hope that helps.

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, June 08, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security permissions on user object

It sounds like it's the adminSDHolder behavior that's getting you. Are the users members of any of the other protected groups? It varies across versions, IIRC 2003 added more groups. The articles below should help point in the right direction.

http://support.microsoft.com/default.aspx?scid=kb;en-us;318180
http://support.microsoft.com/default.aspx?scid=kb;en-us;817433

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, June 08, 2005 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security permissions on user object

We migrated all our users from an NT4 domain to our AD domain. Anyone who was in Domain Admins on our NT4 domain got migrated into Domain Admins on our AD domain. We took them out of Domain Admins on our AD domain, but their accounts are inheriting the permissions like a normal user inherits. Whenever someone who is NOT a domain admin tries to reset a password or modify any properties of these migrated Domain Admins who are no longer Domain Admins, they are denied access. If I open up one of these users, they are not inheriting the permissions on their user object like every other normal user does. If I open their account and go to the object security, the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here." box is not checked like every other user. If I check the box, others are temporarily able to modify that former domain admin's account, but eventually, the box is unchecked again and they inherit
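For the question Russ asks (can adminCount be cleared per user, and will it stick), here is an added PowerShell audit that is not code from the thread or from KB 817433: it lists the adminCount=1 users who are no longer direct or nested members of any protected group and, only for those, clears adminCount and re-enables ACL inheritance, so there is nothing for the AdminSDHolder thread to undo. The protected-group list, the RSAT ActiveDirectory module and the `-Fix` switch are assumptions of this example; adjust the list to the OS version of your DCs.

```powershell
# Added example, not from the thread or KB 817433. Assumes the RSAT
# ActiveDirectory module and rights to modify the user objects.
param([switch] $Fix)   # without -Fix the script only reports
Import-Module ActiveDirectory

# Assumed list of protected groups: the exact set depends on the OS version
# of the DCs (2003 added several), so adjust it to match your forest.
$ProtectedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Replicator', 'Domain Controllers', 'Cert Publishers'
)

function Get-ProtectedMemberSids {
    # SIDs of every direct or nested member of the protected groups.
    # SIDs rather than names: migrated accounts may have been renamed.
    $sids = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($name in $ProtectedGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }          # group does not exist at this OS level
        foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
            [void] $sids.Add($m.SID.Value)
        }
    }
    return $sids
}

function Get-OrphanedAdminCountUsers {
    # Users still stamped adminCount=1 that are no longer protected. Only
    # these are safe to fix: AdminSDHolder re-stamps current members about
    # hourly, so clearing a current member would simply be undone.
    $protected = Get-ProtectedMemberSids
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
        Where-Object { -not $protected.Contains($_.SID.Value) }
}

function Repair-OrphanedAdminCountUser {
    param([Parameter(Mandatory)] $User)
    $path = "AD:\$($User.DistinguishedName)"
    # 1. Clear the bookkeeping flag (the ADSIEDIT equivalent is deleting adminCount).
    Set-ADUser -Identity $User -Clear adminCount
    # 2. Re-enable inheritance on the object's ACL; the second argument keeps
    #    the explicitly defined ACEs that are already on the object.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

$orphans = @(Get-OrphanedAdminCountUsers)
"{0} adminCount=1 user(s) are not in any protected group:" -f $orphans.Count
$orphans | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
if ($Fix) {
    foreach ($u in $orphans) {
        Repair-OrphanedAdminCountUser -User $u
        "fixed $($u.SamAccountName)"
    }
}
```

Run it once without `-Fix` and compare the list against what you expect before applying it; anyone still in the report after an hour or so was re-stamped because a nested membership was missed.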
RE: [ActiveDir] Error in PDC Operations Master
When you are complete with the /forceremoval of this errant DC and have performed the metadata cleanup on one of the other DC's, you should be able to seize the PDC Emulator role using the GUI or NTDSUtil. After that's all done, just ensure that the changes have replicated around...then you can put the PDC on another server if you like (via a transfer of the role).

I hope that helps! Have a great night / weekend!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Because I believe my errant DC to be my PDC, will that be a problem demoting it and then re-introducing it to the domain? Here is a screen shot of my Operations Masters... http://www.mjbdesignz.com/temp/OM.htm

Thanks,
--
Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 12:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

That's what I expected.

Choice 1 - Mod. the registry and permit the errant DC to re-enter the replication topology (not recommended)
Choice 2 - Forcibly demote the errant DC, cleanup its metadata and reintroduce it through DCpromo

Caveats -
Choice 1: lingering objects may exist
Choice 2: you'll lose any changes locally introduced to the errant DC that occurred after its last successful replication attempt

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

1. Number of DCs/Domain/Sites
3 Sites - Site A has DC1 DC2 - Site B DC3 - Site C DC4
2. OS version of DCs
- All DCs are running Windows 2003 Server Standard
3. Are the remaining DCs replicating successfully?
- According to DCdiag they all passed replications
- They do all show in the DCdiag the following:
DC=domain,DC=ewu,DC=edu
Last replication received from DC2 at 2005-03-23 02:00:40.
WARNING: This latency is over the Tombstone Lifetime of 60 days!

Thanks,
--
Matt Brown [ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, May 27, 2005 11:16 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Error in PDC Operations Master

It seems the FSMO errors you're receiving are merely symptoms of another more significant problem; my guess is that your DCs have been ignoring one another for quite some time, i.e. - not replicating. Before proceeding, can you give me some more info. -

1. Number of DCs/Domain/Sites
2. OS version of DCs
3. Are the remaining DCs replicating successfully?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, May 27, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Error in PDC Operations Master

Well, I have quite a few weird things going on.

Roles: (both DCs in same site)
DC2 = PDC role, RID pool manager
DC1 = Infrastructure owner, schema owner, domain role owner

When I look at the Operations Masters...
- from DC1 it shows ERROR for RID & PDC, shows DC1 in Infrastructure
- from DC2 it shows ERROR for PDC, shows DC2 for RID & DC1 for Infrastructure

So neither DC1 or DC2 know who the PDC is. (It should be DC2)

When I use the netdom query fsmo:
- from DC1 it shows the roles as it should like above
- from DC2 it shows the PDC role as DC1 rather than itself

1. When I try to manually replicate from DC2 to DC1 I get an error about Target Principal Name Incorrect. After completing Article ID 288167 about resetting password (netdom resetpwd) and trying to replicate, I get a tombstone error between the 2 domains saying it has exceeded tombstone lifetime and cannot continue.
2. When I try to manually replicate from DC1 to DC2 I get the same error about Target Principal Name Incorrect but this is where I've stopped because DC2 is supposed to be the PDC and the KB article makes it sound like the PW should only be reset on the non PDC machines.

All in all, my PDC seems to have amnesia and doesn't seem to remember that it's the PDC

Thanks,
--
Matt Brown [ SELECT * FROM IT WHERE
RE: [ActiveDir] removing a DC from AD
Also, unless you have a hankering for FRS headaches, you should make sure that the FRS objects in AD are deleted as well. The safest way is to use the methods built in (ntdsutil as per the articles mentioned).

Good Luck!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, May 20, 2005 11:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] removing a DC from AD

Hi Antonio,

In theory you should just be able to go into sites and services and delete the server object. You will also have to delete the existing KCC connections to each DC that still has a connection to the deleted server and you will have to go into DNS and delete the SERVER SRV records that point to the old server and tombstone the Wins entry if you're using a Wins server.

Sincerely,
Jose Medeiros

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Antonio Aranda
Sent: Friday, May 20, 2005 8:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] removing a DC from AD

Could anyone tell me how to remove a Domain Controller that does not exist anymore from AD? I had three controllers and one had a catastrophic hardware failure. So now I need to remove a nonexistent DC from the AD.

Antonio

== This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, Credit Suisse, its subsidiaries and affiliates (CS) do not waive any confidentiality or privilege. CS retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CS until they are confirmed by us. Message transmission is not guaranteed to be secure. ==
RE: [ActiveDir] removing a DC from AD
What specific MOC Course(s) are you referring to?

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, May 20, 2005 12:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] removing a DC from AD

Hi Robert,

Thank you for pointing that out. I hope that the MOC courseware was also changed to reflect Microsoft's support recommendations on this subject.

Thanks again,
Jose Medeiros
www.ntea.net
www.sfntug.org
www.tvnug.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Williams (RRE)
Sent: Friday, May 20, 2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] removing a DC from AD

Also, unless you have a hankering for FRS headaches, you should make sure that the FRS objects in AD are deleted as well. The safest way is to use the methods built in (ntdsutil as per the articles mentioned).

Good Luck!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, May 20, 2005 11:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] removing a DC from AD

Hi Antonio,

In theory you should just be able to go into sites and services and delete the server object. You will also have to delete the existing KCC connections to each DC that still has a connection to the deleted server and you will have to go into DNS and delete the SERVER SRV records that point to the old server and tombstone the Wins entry if you're using a Wins server.

Sincerely,
Jose Medeiros

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Antonio Aranda
Sent: Friday, May 20, 2005 8:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] removing a DC from AD

Could anyone tell me how to remove a Domain Controller that does not exist anymore from AD? I had three controllers and one had a catastrophic hardware failure. So now I need to remove a nonexistent DC from the AD.

Antonio
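The leftovers of a DC that died without being demoted are spread over the places this thread and the PDC thread above mention: the server and NTDS Settings objects in Sites and Services, KCC connection objects on the survivors, the FRS member object, the computer account, FSMO roles still recorded on it, and DC locator SRV records. The following PowerShell audit is an added example, not code from the thread, that checks every one of those for a named DC so you can confirm the ntdsutil metadata cleanup really finished before seizing roles. The DC name is a placeholder; the RSAT ActiveDirectory module and the DnsClient module's Resolve-DnsName are assumed.

```powershell
# Added example, not from the thread. $DeadDc is a placeholder NetBIOS name.
param([string] $DeadDc = 'DEADDC-PLACEHOLDER')
Import-Module ActiveDirectory

$root    = Get-ADRootDSE
$config  = $root.configurationNamingContext
$domain  = $root.defaultNamingContext
$dnsRoot = (Get-ADDomain).DNSRoot
$sites   = "CN=Sites,$config"

function Get-DeadDcLeftovers {
    param([string] $Name)
    $findings = @()

    # 1. Server object in Sites and Services; NTDS Settings beneath it means
    #    the metadata cleanup step has not been done at all.
    $server = Get-ADObject -SearchBase $sites -LDAPFilter "(&(objectClass=server)(cn=$Name))"
    if ($server) {
        $findings += "server object still present: $($server.DistinguishedName)"
        $ntds = Get-ADObject -SearchBase $server.DistinguishedName -LDAPFilter '(objectClass=nTDSDSA)'
        if ($ntds) { $findings += "NTDS Settings still present (metadata not cleaned): $($ntds.DistinguishedName)" }
    }

    # 2. KCC connection objects on surviving DCs that still pull from it
    $conns = Get-ADObject -SearchBase $sites -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer
    foreach ($c in $conns) {
        if ($c.fromServer -like "*CN=$Name,CN=Servers,*") {
            $findings += "connection object still references it: $($c.DistinguishedName)"
        }
    }

    # 3. FRS member object for the SYSVOL replica set (the "FRS headaches")
    $frs = Get-ADObject -SearchBase "CN=File Replication Service,CN=System,$domain" `
                        -LDAPFilter "(&(objectClass=nTFRSMember)(cn=$Name))"
    if ($frs) { $findings += "FRS member object still present: $($frs.DistinguishedName)" }

    # 4. Computer account in the Domain Controllers OU
    $comp = Get-ADComputer -SearchBase "OU=Domain Controllers,$domain" -LDAPFilter "(cn=$Name)"
    if ($comp) { $findings += "computer account still present: $($comp.DistinguishedName)" }

    # 5. FSMO roles still recorded on it (seize them after the cleanup)
    $d = Get-ADDomain
    $f = Get-ADForest
    $roles = @{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
    foreach ($r in $roles.GetEnumerator()) {
        if ($r.Value -like "$Name.*") { $findings += "FSMO role $($r.Key) still held by it: $($r.Value)" }
    }

    # 6. DC locator SRV records in DNS that still advertise it
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$dnsRoot" -Type SRV -ErrorAction SilentlyContinue
    foreach ($rec in $srv) {
        if ($rec.NameTarget -like "$Name.*") {
            $findings += "SRV record still points at it: $($rec.Name) -> $($rec.NameTarget)"
        }
    }

    return $findings
}

$result = @(Get-DeadDcLeftovers -Name $DeadDc)
if ($result.Count -eq 0) { "No leftovers found for $DeadDc" } else { $result }
```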
RE: [ActiveDir] LDAP Operations Error when running LDAP / GC Searches
Maybe Eric or Brett will come in here with one of their really well informed explanations, but since I do not have nearly the same level of knowledge as to the inner workings of databases, here is my explanation: The search is too broad. If you remove the objectcategory part from the filter, that may work. It appears that this was fixed in SP1 for 2003 so that is another avenue you can attempt.

Good Luck.

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Wright
Sent: Wednesday, May 18, 2005 12:05 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] LDAP Operations Error when running LDAP / GC Searches

Hi,

We are experiencing strange errors from AD when we are doing a couple of searches. We are searching against the GC with the following filter:

(&(ANR=james)(objectclass=user)(objectcategory=person))

When we run this in LDP we get the following error:

---
***Searching...
ldap_search_ext_s(ld, (null), 2, (&(ANR=james)(objectclass=user)(objectcategory=person)), attrList, 0, svrCtrls, ClntCtrls, 100, 0, msg)
Error: Search: Operations Error. 1
Server error: 20EF: SvcErr: DSID-020A09B3, problem 5012 (DIR_ERROR), data -1603
Result 1: 20EF: SvcErr: DSID-020A09B3, problem 5012 (DIR_ERROR), data -1603
Matched DNs:
Getting 0 entries:
---

This search should return around 80 entries. If we run the same search with the following filter

(&(ANR=david)(objectclass=user)(objectcategory=person))

no error is returned and we get the results, returning around 30 entries. There would appear to be a cut off value of about 70 entries before this fails. If we remove the objectcategory=person search criteria both searches run successfully.

We are running AD with 2003 Domain functional level.

Any ideas?

Cheers
Dave
--
David Wright
Microsoft Solutions Engineer, 3
+44 (0) 1628 767922
+44 (0) 7782 324557
www.three.co.uk

This e-mail message (including any attachment) is intended only for the personal use of the recipient(s) named above. This message is confidential and may be legally privileged. If you are not an intended recipient, you may not review, copy or distribute this message. If you have received this communication in error, please notify us immediately by e-mail and delete the original message. Any views or opinions expressed in this message are those of the author only. Furthermore, this message (including any attachment) does not create any legally binding rights or obligations whatsoever, which may only be created by the exchange of hard copy documents signed by a duly authorised representative of Hutchison 3G UK Limited.
RE: [ActiveDir] Citrix
I just want to be sure that everyone has the right information...I'm sorry for correcting so much lately.

If the Terminal Services Licensing Server is installed on Windows 2000, it MUST be on a Domain Controller (if you think there is a way to alter this that IS SUPPORTED by Microsoft Dev, please reply to me offline as I'd be interested in hearing your opinion). Yes, you can bypass the discovery process by modifying the registry value mentioned in the following article:

http://support.microsoft.com/kb/q239107

Here's a little snippet from that article:

To select a specific license server, locate the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters
Add the following value:
Name: DefaultLicenseServer
Data type: REG_SZ
Data value: ServerName
Substitute the NetBIOS name of the appropriate license server for ServerName. If the license server is located on a remote subnet, make sure the Terminal Services-based computer can resolve the NetBIOS name.

If the Terminal Services Licensing Server is installed on Windows Server 2003, then it CAN be on a member server. Again, you can override the discovery process by modifying the registry as mentioned in the following article (pay attention to the difference as you are adding keys here instead of values):

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/46844a6e-386f-4ce3-98e5-d5377b5d6ba9.mspx

Here is a snippet from that article:

Using the registry
1. Click Start, click Run, type regedit, and then click OK.
2. Locate, and then click, the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters
3. On the Edit menu, point to New, click Key, and then type LicenseServers to name the new key.
4. Locate, and then click, the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers
5. On the Edit menu, point to New, click Key, and then type ServerName where ServerName is the NetBIOS name of the license server that you want to use, and then press ENTER. The new key name can be any of the following designations that represent the license server:
* The NetBIOS name of the server
* The fully-qualified domain name (FQDN) of the server
* The IP address of the server
6. Restart your computer

So to sum it up...if the Terminal Services Licensing Server is 2000, it must be on a DC. If it's on 2003, it can be a member server.

Have a great day!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Tuesday, May 17, 2005 9:35 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Citrix

ahhh, thanks!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 17, 2005 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Citrix

No, it does not have to be on a DC if you change a registry setting on the Citrix servers to point to the TS Licensing server on a member server. If this entry is changed the server will no longer use the discovery process to find the TS licensing server and go directly to the hard coded server.

Chris Ryan
The Kroger Company
[EMAIL PROTECTED]
Office (513) 698-1935
Cell (513) 623-5362

From: Christine Allen <christine.easton @bmchp.org>
Sent by: [EMAIL PROTECTED]
Sent: 05/17/2005 09:20 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Citrix
Please respond to [EMAIL PROTECTED]

Thanks. Am I correct that in a 2000 environment it has to be on a DC?

-----Original Message-----
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Monday, May 16, 2005 6:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Citrix

Christine,

Your TS Licensing Server doesn't need to be on a DC (although that's what most people do). Currently have a Windows 2000 Licensing Server running on a DC and a 2003 one running on a member server in a 2k domain, works fine.

G.

Christine Allen wrote:
Yes you do and if it's a 2000 or 2003 domain it needs to be on a DC. Once you install the TS licensing service, you need to call the MS clearing house to activate them.

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Monday, May 16, 2005 5:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Citrix

If I have citrix installed on a Windows 2000 Server, do I have to also have installed and functioning a Terminal Server License Server? People in my environment that are connecting to citrix from workstations
RE: [ActiveDir] Telnet Service Disappears after installing Win2k3 SP1
Hello,

I know this may sound like a strange question, but what is the computer name of the machine experiencing the problem? If your computer name is greater than 15 characters then I suggest you contact Microsoft support for assistance. I see one case with similar results as you and it might be a bug (this has not been decided as of yet though), but without knowing specific details of what you are seeing that determination can't be made. This is not my area of specialty so please save yourself some time and just call into support...someone will be glad to help you. If it is a bug, there will be no charge for your call. You calling and reporting the issue will help with a fix being developed if it is indeed found out to be a bug.

http://www.microsoft.com/services/microsoftservices/supp.mspx

Good Luck!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi Owoeye
Sent: Monday, May 16, 2005 5:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Telnet Service Disappears after installing Win2k3 SP1

Hello all,

I have a win2k3 box and I need to make use of the telnet service, so after installing the box I enable the telnet service and make it automatic because the service is disabled by default. I then install Windows 2003 SP1 and then I notice that the telnet service disappears from the services window without any trace. If I try to utilize the service I can't.

Does anyone have any sort of work around on this issue?
RE: [ActiveDir] Citrix
Justin,

Sorry...slight correction to a previous posting. The Terminal Services Licensing Server does *not* have to be on a domain controller for 2003. Check out these links, they help explain things a bit:

301932 Terminal Services Licensing service discovery
http://support.microsoft.com/?id=301932

279561 How to override the license server discovery process in Windows Server
http://support.microsoft.com/?id=279561

239107 Establishing Preferred Windows 2000 Terminal Services License Server
http://support.microsoft.com/?id=239107

232520 Description of Terminal Services License Server discovery
http://support.microsoft.com/?id=232520

Have a great night!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Monday, May 16, 2005 5:32 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Citrix

Yes you do and if it's a 2000 or 2003 domain it needs to be on a DC. Once you install the TS licensing service, you need to call the MS clearing house to activate them.

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Monday, May 16, 2005 5:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Citrix

If I have citrix installed on a Windows 2000 Server, do I have to also have installed and functioning a Terminal Server License Server? People in my environment that are connecting to citrix from workstations that are in the domain are unable to open up a session, but those outside my org who have an account are able to open up the session. What could be the issue?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]
RE: [ActiveDir] Clients Not Authenticating with Site DC
Actually, if it were hard coded, it would be in the SiteName entry. The DynamicSiteName entry is for the dynamically discovered site as discovered by netlogon...check these links out:

DynamicSiteName
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/55957.asp

SiteName
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/55957.asp

Rob

From: [EMAIL PROTECTED] on behalf of Jeff Smith
Sent: Mon 1/24/2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Clients Not Authenticating with Site DC

Usually the problem is missing SRV Records or Sites and Services is misconfigured. Check the following registry location and see if that site is hard coded. You can write a script to reset this if needed.

HKLM\SYSTEM\CCS\SERVICES\NETLOGON\PARAMETERS\DYNAMICSITENAME

Also, check the NETLOGON.LOG on both the Client and the Server. You should be able to see what is going on there.

On Thu, 20 Jan 2005 11:20:18 -0800, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

I think your problem is that you probably upgraded the DC at that site last and, before the upgrade, your XP and 2K clients had discovered the new 2K3 DCs at the remote site. Once XP and 2K clients discover and authenticate against a 2K or 2K3 DC, they usually don't go back. This may be what you are seeing now. Have you tried disjoining and rejoining one or two of those clients? This should help them rediscover their local DC.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Jacob Walker
Sent: Thu 1/20/2005 5:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Clients Not Authenticating with Site DC

We are at the end of our migration from NT to AD 2003 and completing the PC moves. However, we are now receiving many reports that some PC's are authenticating against remote DC's. While many PC's in a location will respect the site configuration and authenticate against the local DC, some PC's are authenticating against DC's outside of the site. These are 2000 and XP machines, so we thought they should understand Active Directory sites. We do not have any network traces from any of these machines at this time, but we were wondering if they might be using WINS rather than DNS to locate a DC. But, why would this be happening? These newer OS clients should look for a DC using DNS, shouldn't they? We checked DNS, and it is correct. Any ideas?
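Two checks for a client that keeps authenticating to a DC outside its site, as an added PowerShell example that is not code from the thread. The first reads the two Netlogon registry values Rob distinguishes (SiteName is a hard-coded override, DynamicSiteName is what discovery found) and compares them with the site of the DC the client actually logged on to. The second parses a DC's NETLOGON.LOG for NO_CLIENT_SITE lines, which netlogon writes when a client's IP is not covered by any subnet in Sites and Services, and groups them by /24 so the missing subnet objects can be added. The log lines and host names are constructed sample data; the /24 grouping and the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not from the thread. Sample log lines below are constructed.
Import-Module ActiveDirectory

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-ClientSiteState {
    # Snapshot of how this client decided on a site and which DC it used.
    $p = Get-ItemProperty -Path $NetlogonParams
    $logonDc = $env:LOGONSERVER -replace '^\\\\', ''
    [pscustomobject]@{
        HardCodedSite  = $p.SiteName         # normally absent
        DiscoveredSite = $p.DynamicSiteName  # written by netlogon at discovery
        LogonDc        = $logonDc
        LogonDcSite    = (Get-ADDomainController -Identity $logonDc).Site
    }
}

function Test-ClientSiteState {
    # Returns a list of findings; an empty list means the client is where it should be.
    param([Parameter(Mandatory)] $State)
    $findings = @()
    if ($State.HardCodedSite) {
        $findings += "SiteName is hard coded to '$($State.HardCodedSite)'; delete the value unless this is intentional"
    }
    $effective = if ($State.HardCodedSite) { $State.HardCodedSite } else { $State.DiscoveredSite }
    if (-not $effective) {
        $findings += 'No site discovered: the client IP is probably not covered by any AD subnet'
    } elseif ($State.LogonDcSite -ne $effective) {
        $findings += "Logged on to $($State.LogonDc) (site '$($State.LogonDcSite)') although the client site is '$effective'"
    }
    return $findings
}

function Get-UnmappedClientSubnets {
    # Groups NO_CLIENT_SITE entries from a DC's NETLOGON.LOG by /24 (an
    # assumption; adjust to your addressing) so the missing subnet objects
    # can be created in Sites and Services.
    param([Parameter(Mandatory)] [string[]] $LogLines)
    $hits = foreach ($line in $LogLines) {
        if ($line -match 'NO_CLIENT_SITE:\s+(?<host>\S+)\s+(?<ip>\d+\.\d+\.\d+\.\d+)') {
            [pscustomobject]@{
                Host   = $Matches.host
                Subnet = ($Matches.ip -replace '\.\d+$', '.0/24')
            }
        }
    }
    $hits | Group-Object Subnet | ForEach-Object {
        [pscustomobject]@{
            Subnet  = $_.Name
            Count   = $_.Count
            Clients = ($_.Group.Host | Sort-Object -Unique) -join ', '
        }
    }
}

# Constructed sample of the lines a DC writes (not a real log).
$SampleLog = @(
    '01/20 11:20:18 [MISC] NO_CLIENT_SITE: WKS-0412 10.50.7.21',
    '01/20 11:20:19 [MISC] DsGetDcName function called: client PID=1234, Dom:EXAMPLE Acct:(null) Flags: DS',
    '01/20 11:21:02 [MISC] NO_CLIENT_SITE: WKS-0415 10.50.7.88',
    '01/20 11:22:40 [MISC] NO_CLIENT_SITE: LAPTOP-77 10.60.1.5'
)

Get-UnmappedClientSubnets -LogLines $SampleLog | Format-Table -AutoSize
# On a domain-joined client with RSAT, run the first check with:
# $state = Get-ClientSiteState; Test-ClientSiteState -State $state
```

Replace `$SampleLog` with `Get-Content C:\Windows\debug\netlogon.log` on a DC to run it against the real log; a subnet that shows up there is one that no DC in the site will ever be preferred for, whatever the client's SRV records say.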
RE: [ActiveDir] JRNL_WRAP_ERROR with Single DC
Noah,

Is it possible that there were more DC(s) which existed in the past and weren't properly DCPromo'd down (like an old DC which was just turned off)? Also, is SYSVOL sharing out on this DC? You can look for an Event 13516 in the FRS event log or just go to a command prompt and type net share and look for SYSVOL. If there were more DCs in the past, then there are a few things to do to clean up. Let us know if you see other computer objects in the Domain Controllers OU or in Active Directory Sites and Services.

Good Luck...Merry Merry, Happy Happy right back at ya :-)

Rob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Monday, December 27, 2004 1:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] JRNL_WRAP_ERROR with Single DC

Hi

Merry merry, happy happy everyone.

I have inherited a single DC network (W2k SP4) that is spitting out NTFRS errors (ID 13568) every time the server (or service) restarts. Several online sources give instructions for, what appears to be, forcing synchronization. However, in this case, there is nothing with which to synchronize. My questions are: with a single DC, how could I be getting this error? And, is there anything I need to do about this error? Does it really indicate corruption in the SYSVOL?

Thanks.

-- nme
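Rob's three checks for a journal wrap on a supposedly lone DC, gathered into one added PowerShell script that is not code from the thread: the recent FRS events (13568 is the JRNL_WRAP_ERROR, 13516 means FRS is healthy and SYSVOL is shared), whether SYSVOL is actually shared, and whether AD still knows about other DCs that were switched off rather than demoted, by comparing four views that should agree (server objects in Sites and Services, NTDS Settings, the Domain Controllers OU, and the FRS member list for the SYSVOL replica set). It assumes an FRS-era DC, before any DFSR migration, with the RSAT ActiveDirectory module installed.

```powershell
# Added example, not from the thread. Assumes an FRS-era DC with the RSAT
# ActiveDirectory module present; run it on the DC itself.
Import-Module ActiveDirectory

function Get-FrsHealthEvents {
    # 13568 = JRNL_WRAP_ERROR, 13508 = cannot replicate with a partner,
    # 13516 = FRS healthy and SYSVOL shared. Newest first.
    param([int] $Newest = 200)
    Get-EventLog -LogName 'File Replication Service' -Newest $Newest -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -in 13568, 13508, 13516 } |
        Select-Object TimeGenerated, EventID, @{ n = 'FirstLine'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Test-SysvolShared {
    # The same check as typing 'net share' and looking for SYSVOL.
    [bool] ((net share) -match '^SYSVOL\s')
}

function Get-FrsReplicaMembers {
    # Members FRS believes are in the SYSVOL replica set. On a true single-DC
    # domain this is exactly one name; more means FRS still expects partners,
    # which is how a "single" DC ends up waiting to synchronize with nothing.
    $domain = (Get-ADRootDSE).defaultNamingContext
    $base = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domain"
    @(Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=nTFRSMember)' |
        Select-Object -ExpandProperty Name)
}

function Get-DcObjectViews {
    # Four places that should agree on which DCs exist. A name missing from
    # some views is the ghost of a DC that was powered off, not demoted.
    $root  = Get-ADRootDSE
    $sites = "CN=Sites,$($root.configurationNamingContext)"
    $servers  = @(Get-ADObject -SearchBase $sites -LDAPFilter '(objectClass=server)' |
                  Select-Object -ExpandProperty Name)
    # NTDS Settings DN is "CN=NTDS Settings,CN=<server>,CN=Servers,..."; take the server RDN
    $withNtds = @(Get-ADObject -SearchBase $sites -LDAPFilter '(objectClass=nTDSDSA)' |
                  ForEach-Object { (($_.DistinguishedName -split ',')[1]) -replace '^CN=', '' })
    $dcOu     = @(Get-ADComputer -SearchBase "OU=Domain Controllers,$($root.defaultNamingContext)" -Filter * |
                  Select-Object -ExpandProperty Name)
    $frs      = Get-FrsReplicaMembers
    foreach ($name in ($servers + $dcOu + $frs | Sort-Object -Unique)) {
        [pscustomobject]@{
            Name         = $name
            ServerObject = $servers  -contains $name
            NtdsSettings = $withNtds -contains $name
            InDcOu       = $dcOu     -contains $name
            FrsMember    = $frs      -contains $name
        }
    }
}

'FRS events:'
Get-FrsHealthEvents | Format-Table -AutoSize
'SYSVOL shared: ' + (Test-SysvolShared)
'DCs as seen by AD:'
Get-DcObjectViews | Format-Table -AutoSize
```

A row with FrsMember true but NtdsSettings false is the leftover to clean up first: FRS will keep trying to reach that partner, and the journal wrap will come back after every restart until the stale member object is gone.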