RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-26 Thread Thommes, Michael M.
An AD client will try to associate itself with the site whose subnet is
the most specific match for its IP.

 

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Overlapping AD Subnet Boundaries

 

Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary
site, and another subnet as 10.10.41.0/24 and assign it to a secondary
site. Will AD treat a client address of, say, 10.10.41.104 as a client
on the secondary site, or will it default to the more general primary
subnet? The reason I ask is we now have a need for a second AD site (I
can see all the enterprise folks grinning now) and we have quite a
number of other subnets that I'd have to manually enter if this is not
the case. I don't mind doing it, but I was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax
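The most-specific-subnet rule Mike describes, as an added Python example that is not code from the thread: the subnet table and site names are constructed, Python's ipaddress module does the prefix comparison (this is the rule as described, not AD's own lookup code), and a second helper lists which subnet objects nest inside others, which is the overlap Brian asks about.

```python
"""Most-specific subnet wins: which AD site a client address maps to.

Added example, not code from the list thread. The subnet table and the
site names are constructed; Python's ipaddress module does the prefix
comparison, which is the rule Mike describes, not AD's own lookup code.
"""
from __future__ import annotations
import ipaddress

# Constructed subnet-to-site table, the way the objects would be entered
# under AD Sites and Services.  Two of the ranges nest inside the /16.
SUBNETS = {
    "10.10.0.0/16": "Primary",
    "10.10.41.0/24": "Secondary",
    "10.10.41.128/25": "Lab",       # nested one level deeper still
    "192.168.50.0/24": "Secondary",
    "2001:db8:1::/48": "Primary",   # version check below keeps v4/v6 apart
}


def site_for_ip(ip: str, subnets: dict[str, str] = SUBNETS) -> str | None:
    """Return the site of the longest-prefix subnet containing ip, or None
    when no subnet object covers the address at all."""
    addr = ipaddress.ip_address(ip)
    best_net = None
    best_site = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != addr.version or addr not in net:
            continue
        # A longer prefix is a more specific match.  Ties cannot occur:
        # two distinct subnets of equal length never share an address.
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_site = net, site
    return best_site


def overlapping_subnets(subnets: dict[str, str]) -> list[tuple[str, str]]:
    """List (outer, inner) pairs where inner lies entirely inside outer.
    Useful for reviewing a subnet table before adding a second site."""
    nets = [ipaddress.ip_network(c, strict=True) for c in subnets]
    pairs = []
    for outer in nets:
        for inner in nets:
            if (outer.version == inner.version and inner != outer
                    and inner.subnet_of(outer)):
                pairs.append((str(outer), str(inner)))
    return sorted(pairs)


if __name__ == "__main__":
    for client in ("10.10.41.104", "10.10.41.200", "10.10.5.7", "172.16.0.1"):
        print(client, "->", site_for_ip(client))
    for outer, inner in overlapping_subnets(SUBNETS):
        print(f"{inner} is inside {outer}")
```

A client that falls in no subnet object at all comes back as None, which is the case worth alerting on when reviewing the table.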



[ActiveDir] OT: maintaining creation date when copying directories?

2007-01-25 Thread Thommes, Michael M.
What move/copy tools can be used to copy directories/files to another
location and still retain the creation date value?  Robocopy seems to
keep creation date on files but directories are given the current date.
Am I missing a switch in Robocopy to do this?  A backup/restore
operation (with ntbackup.exe) retains the creation date as one would
expect.  I am just looking for other possible tools.  I should mention
that with all of the tools I've tried, the modified date is always the
current date for directories.  Any help is appreciated!

 

Mike Thommes

 



RE: [ActiveDir] OT: maintaining creation date when copying directories?

2007-01-25 Thread Thommes, Michael M.
Hi Ulf,

Thanks for the response!  I tried Robocopy (version XP010) with the
/E /B /COPYALL switches.  It does not seem to have the desired effect
(ie, both the modified date and the creation date are still the
current date).  Any other thoughts?

 

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, January 25, 2007 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying
directories?

 

Robocopy with the /B-Switch should work.

 

Ulf

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, January 25, 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining creation date when copying
directories?

 

What move/copy tools can be used to copy directories/files to another
location and still retain the creation date value?  Robocopy seems to
keep creation date on files but directories are given the current date.
Am I missing a switch in Robocopy to do this?  A backup/restore
operation (with ntbackup.exe) retains the creation date as one would
expect.  I am just looking for other possible tools.  I should mention
that with all of the tools I've tried, the modified date is always the
current date for directories.  Any help is appreciated!

 

Mike Thommes

 



RE: [ActiveDir] Kerberos Question

2007-01-25 Thread Thommes, Michael M.
I think you are seeing your Kerberos tickets start to reach their
expiration time.  The kerbtray icon will go from green to red.  I think
the last 5 or 15 minutes the default configuration will also issue an
audible (and very distinctive) sound.  The tickets will renew
automatically (and the icon will go from red back to green).  This will
happen until you reach the default renew tickets until... date.  At
that time you will need to manually renew your ticket unless you do
something like logoff and then logon to automatically get new tickets.

 

Hth,

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, January 25, 2007 1:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Question 

 

Just curious - 

 

I have the resource kit tool Kerbtray running on my taskbar - When I
double click it, it lists my tickets, etc... 

Twice during the day yesterday it turned red and said there were no
tickets available. It's already done this once today - 

 

When it was showing information it had a ticket renewal until time up to
8 days and a start and end time offset of 10 minutes 

 

Does this mean my ticket is getting renewed or that I could have a time
problem, connecting to the PDC emulator problem, etc. 

 

Thanks in advance for any insight on this.

 

Mike 

 



RE: [ActiveDir] OT: maintaining creation date when copying directories?

2007-01-25 Thread Thommes, Michael M.
Hi Ulf,

I don't have any problems with the creation date on files.  It's
the creation date on the directory folders that is not right.  Could
you try robocopy again, this time trying to copy some tree structure
that has branches (subdirectories) and see what creation date is on
the subdirectory folders?  Thanks much!

 

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, January 25, 2007 3:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying
directories?

 

Hi Thommes,

 

I've just tried this here, and both commands

Robocopy /B .\ ..\ wins.dll

Robocopy /B .\ c:\ wins.dll

 

(first one on the same drive, second one on another drive)

 

maintain the Created and Modified dates. My Robocopy version is the same
(XP010, 5.1.1.1010).

 

Weird.

 

Greetings - Sincerely, 

Ulf B. Simon-Weidner 

  Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, January 25, 2007 14:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying
directories?

 

Hi Ulf,

Thanks for the response!  I tried Robocopy (version XP010) with the
/E /B /COPYALL switches.  It does not seem to have the desired effect
(ie, both the modified date and the creation date are still the
current date).  Any other thoughts?

 

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, January 25, 2007 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying
directories?

 

Robocopy with the /B-Switch should work.

 

Ulf

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, January 25, 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining creation date when copying
directories?

 

What move/copy tools can be used to copy directories/files to another
location and still retain the creation date value?  Robocopy seems to
keep creation date on files but directories are given the current date.
Am I missing a switch in Robocopy to do this?  A backup/restore
operation (with ntbackup.exe) retains the creation date as one would
expect.  I am just looking for other possible tools.  I should mention
that with all of the tools I've tried, the modified date is always the
current date for directories.  Any help is appreciated!

 

Mike Thommes

 



RE: [ActiveDir] PHP Module for Windows

2007-01-24 Thread Thommes, Michael M.
Is this what you are looking for?  http://www.php.net/downloads.php  I
have not used it, however, and can't speak to how well it works, but it
seems to come from the right place.  ;)

 

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of EIS Lists
Sent: Wednesday, January 24, 2007 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] PHP Module for Windows

 

Hi -

 

I reviewed PlexSSO (http://www.ioplex.com/), but it
appears to only run on Linux. Does anyone know of an off-the-shelf
module that will run under Windows?

 

Thanks.

 

-- nme

 

Noah Eiger

 

 

 



[ActiveDir] moving server local groups to AD?

2007-01-24 Thread Thommes, Michael M.
(I sure hope this doesn't sound like too dumb a question!)  We have a
server where local security groups were created for local file access.
The files on this server are going to be moved to a file server cluster.
Can ADMT v3 migrate these security groups up to the AD structure with
the hopes of retaining SIDHistory and therefore access to the moved
files?

 

If ADMT wouldn't work, does anyone have suggestions for this operation?
As always, any help is appreciated!

 

Mike Thommes



[ActiveDir] OT: Apache LDAP authentication oddity

2007-01-19 Thread Thommes, Michael M.
We have an application that is using an Apache server to do LDAP
authentications against our active directory.  (Yeah, I know; if only I
were king!  LOL!)  The application developer tells me that if he tries
doing an auth against our root base (dc=yyy,dc=zzz), the auth fails.  If
he uses a search base of ou=xxx,dc=yyy,dc=zzz, the auth works.  The
user account that is being tested is some OU levels below this.  He is
coding a subtree scope and he is filtering on (objectclass=user and
objectcategory=person).

 

It's like Apache needs to start at an OU structure.  I couldn't find
much on Google about this other than someone else was having the same
issue last Fall and just gave up in frustration.   The Apache
documentation I could find seemed to indicate that a search of
dc=yyy,dc=zzz SHOULD work.

 

Any thoughts/pointers are appreciated!  Thanks!

 

Mike Thommes



RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

2007-01-19 Thread Thommes, Michael M.
You might want to test the network connection.  We have a public tester
at http://miranda.ctd.anl.gov:7123/ that might detect duplex mismatches
or faulty cables.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, January 19, 2007 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

Given the fact that it's intermittent, that it's just this one server,
that you've already replaced the NIC and that the error is "an unexpected
network error occurred", there's not much else to do I think, other than
get MS involved. Either it's something in the OS or the network switch
you're using is flaky.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Friday, January 19, 2007 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

I spoke too soon in regards to it being fixed.  Apparently it is now
intermittent and I can't make the 1054 error come up consistently.  The
logging has been set to 0x00030002 for some time but I haven't been able
to catch anything beyond the 59 error.  I did a gpupdate about 5 minutes
ago and it showed the 1054 error but then when I waited a couple of
minutes (not changing anything at all) it did not show up after doing a
gpupdate and the userenv log showed nothing out of whack (no 59 errors).

Any ideas to what could be the cause of intermittent issues?  After over
a week with this issue I'm losing my hair, and I don't have much more to
lose. 8-(

Donavon Yelton 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, January 19, 2007 1:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
Policy)

http://support.microsoft.com/kb/221833/en-us
Up the debugging. Set it to 0x00030002; what does the log say?

Donavon Yelton wrote:
 Well, I did as you and other suggested, install an Intel NIC card in 
 the system.  I purchased an NC360T Intel chipset card.  So after a 
 $300 NIC card was installed in the system I boot it up, run gpupdate 
 and bam, I get a 1054 userenv error (same one I was getting with the
Broadcom's).

 Any further suggestions before I call Microsoft?

 Donavon Yelton

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Monday, January 15, 2007 4:07 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group
 Policy)

 And if you like I'll ping you up with Les, Nick and others who ..yes 
 ...brand spanking new server... brand spanking new machines and they 
 would not/could not do what they were supposed to do.

 Put in Intels and all was well.

 If you'd like to get a similar dent in your head feel free.  All I can
 say is, these days the minute we start having weird issues and there's
 a Broadcom on the box, we're not wasting the time on them anymore.

 Donavon Yelton wrote:
 I'm not about to give up on the Broadcom NICs as this is a brand new 
 server that cost as much as a Honda Accord.  I'm not sure I can 
 believe that HP would put a defective card in such a machine.  You'd 
 think others would have the same issues in mass quantity if that were
 the case.  I'm also using Broadcoms in other HP servers here 
 (including the two DCs) and they have not had any issues.  It is all 
 too easy to chalk up a problem like this to network cards, but I don't
 think it explains why the GPO is applied successfully without issues 
 within the first 15 minutes or so after a reboot.  There are no other
 problems cropping up from these Broadcoms either.

 Now for a question, how do I disable slow link detection for all 
 terminal service users on this problem server since that seems to have
 fixed the issue?  I need to make the change in the registry on the 
 problem server apparently as making the switch in the GPO itself seems
 to not have any effect.

 Donavon

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Monday, January 15, 2007 3:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - 
 Group
 Policy)

 Dump the broadcoms and get Intel.
 http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-netw
 o
 rk
 -cards-are-evil.aspx

 We've had no end of weirdness with those suckers.
 Even the latest drivers don't work.
 Donavon Yelton wrote:
 Yes, these are Broadcom NICs.  I want to go back to the last question
 that was asked (if my network card drivers were up to date) and change

[ActiveDir] release date for W2K3/SP2?

2007-01-19 Thread Thommes, Michael M.
Has anyone heard of a release date for Windows Server 2003/SP2?  Thanks.

 

Mike Thommes



RE: [ActiveDir] Shares with Computer Account Permissions

2007-01-09 Thread Thommes, Michael M.
Hi Laura,

  That's what I thought of first but that would stop all traffic to
the server, not just a particular share.

 

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Tuesday, January 09, 2007 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Shares with Computer Account Permissions

 

Sure. IPsec.

 

Laura

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 09, 2007 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Shares with Computer Account Permissions

I was asked today whether it was possible to allow or deny
access to shares not just based on user accounts, but also upon computer
accounts.  My immediate response was that I didn't think so.

 

So I tested it by simply creating a folder up on our file
server, and added the computer account for my workstation and denying it
access completely.  This made no difference to my permissions when
trying to access it from this workstation.

 

So my question is this, is there any way to design access
permissions in such a way so you could not only allow access to a share
to a certain security group, but also to this security group only when
they are accessing it on hosts that we have explicitly defined?

 

~Ben

 





RE: [ActiveDir] Disabled user + when

2007-01-03 Thread Thommes, Michael M.
If nothing else has been done to the account, I wonder if you could use
the whenChanged attribute.

 

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Parag Nagwekar
Sent: Wednesday, January 03, 2007 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabled user + when

 

Thanks for the quick response. I don't have logs for more than 2 days on
the DCs. They get overwritten due to size. Is there any other way? In
future I will have monitoring to detect the event and send me an email
for future reference. But right now  I need information from the last
quarter. 

 

Thanks

-Parag

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ziots, Edward
Sent: Wednesday, January 03, 2007 4:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabled user + when

 

Auditing, 

 

You are looking for the following event ID. 

 

Event Type= Account Management

Event ID 629 (User account disabled)

 

Edward E. Ziots 
Network Engineer 
Lifespan Organization 
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security + 
email:[EMAIL PROTECTED] 
cell:401-639-3505 

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Parag Nagwekar
Sent: Tuesday, January 02, 2007 9:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disabled user + when

Team,

 

Is there a way to find out when a user account was disabled in AD? Our SOX
auditor would like to see the list of users whose accounts were disabled
in the last quarter, plus the date when they were disabled. They will match
this information with the HR database. We can't rely on the whenmodified
attribute because the helpdesk team takes a day or two to complete the rest
of the termination process on that account after the account is disabled.

 

-Parag

 



[ActiveDir] how to get ALL users in Domain Users

2007-01-02 Thread Thommes, Michael M.
I am trying to get a list of all of the users in the builtin group
Domain Users.  I am using the following commands, but get incomplete
results.  Can someone tell me why?  Thanks!  And Happy New Year to
everyone!

 

dsquery group -name "domain users" | dsget group -members > c:\temp\domain_users.txt

 

Mike Thommes



[ActiveDir] OT: help with running a scheduled job

2006-12-15 Thread Thommes, Michael M.
We are trying to get a particular account to run a scheduled backup job
on a server.  Our results are puzzling.  Here are the particulars:

2003 R2 standard server

Domain account, non privileged, doesn't belong to domain users

Added to local backup operators group

Trying to run a system state backup job through a scheduled batch (.bat)
file

File permissions appear to be ok in file system where batch file is
located.

 

 

Results:

When run from a remote scheduled tasks/run (without the user logged
into the server):

a scheduled job with the user's credentials specifying an ipconfig
command works.

a scheduled job with the user's credentials specifying notepad.exe
works.

a scheduled job with the user's credentials calling a batch file (.bat)
which runs ntbackup.exe FAILS with (from SchedLgU.txt):

test.job (simple.bat) 12/13/2006 5:50:08 PM ** ERROR **

Unable to start task.

The specific error is:

0x80070005: Access is denied.

Try using the Task page Browse button to locate the
application.

 

All the jobs run successfully from a remote scheduled tasks/run
environment if the user is in the local administrators group.

 

When the user is only in the local Backup Operators group, all the jobs
run successfully from a remote scheduled tasks/run environment when
this account is logged into the server/console!  They can also be run
successfully locally by the user.  Note this same user got an Access is
denied previously.

 

 

We checked through the local security policy thinking it could be
related to User Rights assignments or Security Options but did not
see anything there.  I think we're missing something really simple here,
but it's eluding us.   Any thoughts are appreciated.

 

Mike Thommes



RE: [ActiveDir] OT: help with running a scheduled job

2006-12-15 Thread Thommes, Michael M.
Mike,

 Thanks!  That worked.  I owe you a beer if we ever cross paths!
Thanks again!

 

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael A.
Barker
Sent: Friday, December 15, 2006 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: help with running a scheduled job

 

I think the default permissions of the CMD.exe file are getting you,
read the KB enclosed. As I recall permissions allow RX for the
interactive special group which is why it worked if you're signed in at
the console. On our servers where we have ordinary users executing
batch jobs I've setup a local group to grant read and execute.

 

http://support.microsoft.com/kb/867466

 

Mike

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Friday, December 15, 2006 4:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: help with running a scheduled job

 

We are trying to get a particular account to run a scheduled backup job
on a server.  Our results are puzzling.  Here are the particulars:

2003 R2 standard server

Domain account, non privileged, doesn't belong to domain users

Added to local backup operators group

Trying to run a system state backup job through a scheduled batch (.bat)
file

File permissions appear to be ok in file system where batch file is
located.

 

 

Results:

When run from a remote scheduled tasks/run (without the user logged
into the server):

a scheduled job with the user's credentials specifying an ipconfig
command works.

a scheduled job with the user's credentials specifying notepad.exe
works.

a scheduled job with the user's credentials calling a batch file (.bat)
which runs ntbackup.exe FAILS with (from SchedLgU.txt):

test.job (simple.bat) 12/13/2006 5:50:08 PM ** ERROR **

Unable to start task.

The specific error is:

0x80070005: Access is denied.

Try using the Task page Browse button to locate the
application.

 

All the jobs run successfully from a remote scheduled tasks/run
environment if the user is in the local administrators group.

 

When the user is only in the local Backup Operators group, all the jobs
run successfully from a remote scheduled tasks/run environment when
this account is logged into the server/console!  They can also be run
successfully locally by the user.  Note this same user got an Access is
denied previously.

 

 

We checked through the local security policy thinking it could be
related to User Rights assignments or Security Options but did not
see anything there.  I think we're missing something really simple here,
but it's eluding us.   Any thoughts are appreciated.

 

Mike Thommes
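Michael Barker's explanation above, as an added Python example that is not code from the thread: a simplified model of the Windows DACL walk, with constructed ACE lists and group names (the "BatchRunners" local group is hypothetical, and the ACL is a stand-in shaped by his description, not a dump of a real cmd.exe ACL), showing why the same account passes when logged on at the console but fails under the scheduler, and why granting read and execute to a local group the account belongs to fixes it.

```python
"""Why a scheduled batch job could not start cmd.exe: a simplified model of
the Windows DACL access check.

Added example, not code from the list thread. The ACE lists are constructed
to mirror the point made in the thread (RX granted to INTERACTIVE), not a
dump of a real cmd.exe ACL; the check itself is a simplification.
"""
from __future__ import annotations
from dataclasses import dataclass

READ, EXECUTE, WRITE = 0x1, 0x2, 0x4
RX = READ | EXECUTE
FULL = READ | EXECUTE | WRITE


@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    trustee: str     # group or well-known SID name the ACE applies to
    mask: int        # access bits granted or denied


def access_check(token_groups: set[str], dacl: list[Ace], desired: int) -> bool:
    """Walk the DACL in order, the way Windows does: stop as soon as every
    desired bit has been granted, and fail as soon as a matching deny ACE
    covers a bit that is still outstanding."""
    remaining = desired
    for ace in dacl:
        if remaining == 0:
            break
        if ace.trustee not in token_groups:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
    return remaining == 0


# Constructed stand-in for the default cmd.exe ACL as described in the
# thread: administrators and SYSTEM have full control, INTERACTIVE has RX.
CMD_EXE_DEFAULT = [
    Ace("allow", "Administrators", FULL),
    Ace("allow", "SYSTEM", FULL),
    Ace("allow", "INTERACTIVE", RX),
]

# The fix described in the thread: grant read and execute to a local group
# that the batch account is placed in.  "BatchRunners" is a constructed name.
CMD_EXE_FIXED = CMD_EXE_DEFAULT + [Ace("allow", "BatchRunners", RX)]


def token(*groups: str) -> set[str]:
    """Build a token as the set of group / logon-type SIDs it carries."""
    return set(groups)


# The backup account logged on at the console carries the INTERACTIVE SID.
CONSOLE_TOKEN = token("Users", "Backup Operators", "INTERACTIVE")
# The same account started by the scheduler: BATCH logon, no INTERACTIVE SID,
# so the only ACE granting RX never matches.
SCHEDULED_TOKEN = token("Users", "Backup Operators", "BATCH")
# After the account is added to the local group named in the fixed ACL.
SCHEDULED_TOKEN_FIXED = SCHEDULED_TOKEN | {"BatchRunners"}


def can_run_cmd(token_groups: set[str], dacl: list[Ace]) -> bool:
    """Starting a batch file needs read and execute on cmd.exe."""
    return access_check(token_groups, dacl, RX)


if __name__ == "__main__":
    print("console, default ACL :", can_run_cmd(CONSOLE_TOKEN, CMD_EXE_DEFAULT))
    print("scheduled, default   :", can_run_cmd(SCHEDULED_TOKEN, CMD_EXE_DEFAULT))
    print("scheduled, fixed ACL :", can_run_cmd(SCHEDULED_TOKEN_FIXED, CMD_EXE_FIXED))
```

Membership in the local Administrators group passes with the default ACL for the same reason the thread reports, so the "works as admin" observation is consistent with the model.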



RE: [ActiveDir] dynamic variables within an event log entry?

2006-12-01 Thread Thommes, Michael M.
Hi Laura,

(Brian's answer came in after I sent my email out.)  The problem
with using adfind (in my experience) is that the creator (Caller User
Name) is not part of the AD object's attributes, only the owner, which
will be Domain Admins for accounts created by members of Domain Admins
(as you pointed out).  I would like my daily report to contain the
actual name (samaccountname) that created the account.  Maybe the only
way I can create the report I am looking for (account name, DN, when
created, and creator name) is to collect eventid 624 records and filter
them on creation date.  However, I am still looking for suggestions.
Thanks.

 

Mike Thommes

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 11:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

 

Okay, the below totally cracked me up. :-) Brian gave you the ADFind
answer, but I guess I would also ask in what format you need to retrieve
this information and whether or not you're plugging it into something.
I'm not sure that last sentence even made sense, sorry. I'm sleep
deprived. 

 

Laura

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, November 30, 2006 10:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log
entry?

Tony and Laura,

   Thanks for the replies!  Actually, I am already trapping
eventid 624 and I see the Caller User Name: entry with the right
value.  Where I got confused was when I built a daily job using adfind
(with the -owner switch) to produce a list of users created during the
previous 24 hours.  Laura's #2 answer explains why I see what I do for
accounts created by members of the Domain Admins.  Her #1 answer is
going to make me rethink how we do some of the account creations.  Her
#3 answer begs the question of how would I construct a query to produce
new accounts created over a 24 hour period?  Adfind was the first (and
maybe only) tool that popped into my head to do this.  Other
suggestions?  Thanks!

 

Mike Thommes





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log
entry?

 

1. This is one of the eight gazillion reasons to discourage the
use of accounts that are Domain Admins for routine purposes that can be
achieved without that level of rights.

2. By default, when a member of the Domain Admins group creates
an object in the directory, the Domain Admins group becomes the owner of
the object. That is by design. 

3. When I create an object with an account that is a member of
Domain Admins, the creator of the object shows as that account, not as
Domain Admins. Why aren't you just looking at that value in the event
logs, rather than looking at the ownership of the object? That's why
auditing allows tracking of who creates/modifies/deletes directory
objects.

 

Laura

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, November 30, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables within an event
log entry?

I wonder if someone could explain to me (or point me at
some reference) about what mechanism is used to populate the information
in a Windows event log entry.  The reason why I ask is that I see in the
Security log when a new user account is created by an account which is a
member of the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins,
not XYZ\adminacct1.  If it is created by an account that is a member of
the Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not
XYZ\Account Operators.

 

This makes auditing somewhat less worthwhile.  Is this
design on purpose or a deficiency?  Any help is appreciated.  Thanks!

 

Mike Thommes
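Mike's fallback plan above (collect event ID 624 records and filter them on creation date), together with the event ID 629 lookup Edward suggested in the "Disabled user + when" thread, as an added Python example that is not code from the thread: the sample records are constructed, with field names mirroring the 2003-era "User Account Created" and "User Account Disabled" event bodies, and the report keys on the Caller fields rather than on object ownership, which is the distinction Laura drew.

```python
"""Account-lifecycle report from Security log events 624 (created) and
629 (disabled), filtered to a time window.

Added example, not code from the list thread. SAMPLE_EVENTS is constructed;
its field names mirror the Windows Server 2003 event bodies named in the
thread ("New Account Name", "Caller User Name", and so on).
"""
from __future__ import annotations
import re
from datetime import datetime, timedelta

# event id -> (action, field holding the account, field holding its domain)
EVENT_KINDS = {
    624: ("created", "New Account Name", "New Domain"),
    629: ("disabled", "Target Account Name", "Target Domain"),
}

# Constructed sample records: (timestamp, event id, description body).
SAMPLE_EVENTS = [
    ("2006-11-30 09:15:02", 624,
     "User Account Created:\n\tNew Account Name:\tjdoe\n\tNew Domain:\tXYZ\n"
     "\tCaller User Name:\tadminacct1\n\tCaller Domain:\tXYZ\n"
     "\tCaller Logon ID:\t(0x0,0x3E7A1)\n"),
    ("2006-11-30 14:40:10", 624,
     "User Account Created:\n\tNew Account Name:\tsvc_backup\n\tNew Domain:\tXYZ\n"
     "\tCaller User Name:\toperacct1\n\tCaller Domain:\tXYZ\n"),
    ("2006-11-29 07:59:00", 624,   # just outside a 24 hour daily window
     "User Account Created:\n\tNew Account Name:\ttemp01\n\tNew Domain:\tXYZ\n"
     "\tCaller User Name:\tadminacct1\n\tCaller Domain:\tXYZ\n"),
    ("2006-11-30 10:00:00", 629,
     "User Account Disabled:\n\tTarget Account Name:\tmsmith\n\tTarget Domain:\tXYZ\n"
     "\tCaller User Name:\thelpdesk1\n\tCaller Domain:\tXYZ\n"),
    ("2006-10-15 16:05:00", 629,
     "User Account Disabled:\n\tTarget Account Name:\tbjones\n\tTarget Domain:\tXYZ\n"
     "\tCaller User Name:\thelpdesk2\n\tCaller Domain:\tXYZ\n"),
    ("2006-08-01 11:30:00", 629,   # outside a 90 day quarterly window
     "User Account Disabled:\n\tTarget Account Name:\told01\n\tTarget Domain:\tXYZ\n"
     "\tCaller User Name:\thelpdesk1\n\tCaller Domain:\tXYZ\n"),
]

# One "Name:<tab>Value" line of an event body.  The title line
# ("User Account Created:") has no tab after the colon and is skipped.
FIELD_RE = re.compile(r"^\s*(?P<name>[^:\t]+):\t(?P<value>.*)$", re.MULTILINE)


def parse_fields(body: str) -> dict[str, str]:
    """Turn the tab-separated field lines of an event body into a dict."""
    return {m.group("name").strip(): m.group("value").strip()
            for m in FIELD_RE.finditer(body)}


def account_report(events, now: datetime, window: timedelta,
                   event_ids=(624, 629)) -> list[dict]:
    """Rows for the selected event ids whose timestamp lies in
    [now - window, now], oldest first."""
    rows = []
    for stamp, event_id, body in events:
        if event_id not in event_ids or event_id not in EVENT_KINDS:
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if not (now - window <= when <= now):
            continue
        action, acct_field, dom_field = EVENT_KINDS[event_id]
        f = parse_fields(body)
        rows.append({
            "action": action,
            "account": f"{f.get(dom_field, '?')}\\{f.get(acct_field, '?')}",
            "when": when,
            # Who did it: the Caller fields, not the object's owner, which
            # for Domain Admins members would only say "Domain Admins".
            "caller": f"{f.get('Caller Domain', '?')}\\{f.get('Caller User Name', '?')}",
        })
    rows.sort(key=lambda r: r["when"])
    return rows


def report_for(now_stamp: str, days: float, event_ids=(624, 629),
               events=SAMPLE_EVENTS) -> list[dict]:
    """Convenience wrapper: reference time as a string, window in days."""
    now = datetime.strptime(now_stamp, "%Y-%m-%d %H:%M:%S")
    return account_report(events, now, timedelta(days=days), event_ids)


if __name__ == "__main__":
    print("created in the last day:")
    for r in report_for("2006-12-01 08:00:00", 1, (624,)):
        print(f"  {r['when']}  {r['account']:<18} by {r['caller']}")
    print("disabled in the last 90 days:")
    for r in report_for("2006-12-01 08:00:00", 90, (629,)):
        print(f"  {r['when']}  {r['account']:<18} by {r['caller']}")
```

The 629-based quarter report only works if the Security log actually retains that far back, which is the gap Parag ran into with his two days of retention.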

 


RE: [ActiveDir] Split pagefile

2006-12-01 Thread Thommes, Michael M.
How about a remote shutdown like shutdown /m \\computername /r /f

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, December 01, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Split pagefile

If you can get to Computer Management, you could start the Telnet
service.  At that point, telnet to the server and do a shutdown /r.  And
I mean a standard telnet connection, not telnet to some fancy port.

I suspect you are having the dreaded "rdp doesn't work for some reason"
problem, which somehow clears itself up after a reboot most of the time.
I know this has been discussed on this board several times, but no one
has really come up with a solution from what I've seen, other than
"reboot and see if it works". 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Friday, December 01, 2006 9:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Split pagefile

Laura,

Thanks ever so much for all your help. I will be trying some of these
things soon, but for now, I'm one of the over 400,000 people in St.
Louis without power. My workplace is closed, too, so I might end up
waiting it out 

One question, if you don't mind and have a minute: How do I reboot the
server if I can't log on?

Many thanks again.

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Laura A. Robinson
 Sent: Thursday, November 30, 2006 8:32 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Split pagefile
 
 Inline... 
 
 
  
  Thanks for replying, Laura!
 
 Sure thing. 
 
  
  You wrote:
   Are you able to connect to the server via Computer Management?
  
  Yes.
 
 Then you can use that to reconfigure the pagefile, making 
 very, very sure
 you click Set. :-) After you've connected to it in CM, 
 right click the
 computer, choose Properties, go to the Advanced tab, yada yada yada.
  
  If so, can you see the service statuses and event logs on 
  the  server?
  
  Yes. I looked all through the event logs, and didn't see 
  anything relating to terminal services failures. And the 
  terminal services service is started.
 
 How about the security log? Are you seeing logon failures?
  
   Can you
   telnet to the RDP port? 
  
  If you mean, can I telnet to the server by name or by its IP 
  address, no. But yes, I can telnet to port 3389 on the 
  server, and the cursor sits there and blinks at me, but as 
  soon as I hit any key, I get back to my command prompt.
 
 Okay, port's open.
 
   Can you map a drive to a share on the server?
  
  Yes. And, in fact, I have the same 2Gb pagefile on C: that I 
  had before, and no pagefile on E: So, I'm thinking that A. I 
  forgot to hit the set button, or B. The server got confused.
 
 The snow might have made it sluggish. (That's a joke, folks.) 
 See above for
 remedy (hopefully).
 
  
   When
   you say you can't log on, do you get the logon dialog box and a 
   failure to let you log on, or do you get no remote desktop 
  UI at all?
  
  No remote desktop UI at all. I immediately get the 
  disconnected from server message.
 
Okay. Try logging on with a different account that has TS connection permissions. Check the security logs. If you're not auditing logon events, you'll need to do that. Check the terminal services permissions, etc. Maybe do a preemptive reboot (or just do it as part of that pagefile adjustment) and see if anything changes. If none of that works, there's still more stuff to check, but I'm tired of typing right now and hopefully one of the above things will determine the issue.
  
   Laura (probably a bit overcaffeinated now; can you tell?)
  
  No problem. I'm snowed in, but the server is running. 
  
  I guess what I'd like to do is see if I can reset the 
  pagefile and reboot the server, all remotely, and still 
  manage to terminal service to it and log in.
  
  Thanks for your help, Laura. You deserve many pats on the 
  back, attagirls, and stuff.
  
 No problem, and no pats necessary.
 
 Laura
 
  
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
 

[ActiveDir] dynamic variables within an event log entry?

2006-11-30 Thread Thommes, Michael M.
I wonder if someone could explain to me (or point me at some reference)
about what mechanism is used to populate the information in a Windows
event log entry.  The reason why I ask is that I see in the Security log
when a new user account is created by an account which is a member of
the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins , not
XYZ\adminacct1 .  If it is created by an account that is a member of the
Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not
XYZ\Account Operators .

 

This makes auditing somewhat less worthwhile.  Is this design on purpose
or a deficiency?  Any help is appreciated.  Thanks!

 

Mike Thommes



RE: [ActiveDir] dynamic variables within an event log entry?

2006-11-30 Thread Thommes, Michael M.
Tony and Laura,

   Thanks for the replies!  Actually, I am already trapping eventid 624
and I see the Caller User Name: entry with the right value.  Where I
got confused was when I built a daily job using adfind (with the -owner
switch) to produce a list of users created during the previous 24 hours.
Laura's #2 answer explains why I see what I do for accounts created by
members of the Domain Admins.  Her #1 answer is going to make me
rethink how we do some of the account creations.  Her #3 answer begs the
question of how would I construct a query to produce new accounts
created over a 24 hour period?  Adfind was the first (and maybe only)
tool that popped into my head to do this.  Other suggestions?  Thanks!

 

Mike Thommes



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

 

1. This is one of the eight gazillion reasons to discourage the use of
accounts that are Domain Admins for routine purposes that can be
achieved without that level of rights.

2. By default, when a member of the Domain Admins group creates an
object in the directory, the Domain Admins group becomes the owner of
the object. That is by design. 

3. When I create an object with an account that is a member of Domain
Admins, the creator of the object shows as that account, not as Domain
Admins. Why aren't you just looking at that value in the event logs,
rather than looking at the ownership of the object? That's why auditing
allows tracking of who creates/modifies/deletes directory objects.

 

Laura

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, November 30, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables within an event log
entry?

I wonder if someone could explain to me (or point me at some
reference) about what mechanism is used to populate the information in a
Windows event log entry.  The reason why I ask is that I see in the
Security log when a new user account is created by an account which is a
member of the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins ,
not XYZ\adminacct1 .  If it is created by an account that is a member of
the Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not
XYZ\Account Operators .

 

This makes auditing somewhat less worthwhile.  Is this design on
purpose or a deficiency?  Any help is appreciated.  Thanks!

 

Mike Thommes

 


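Mike's follow-up question (a query for accounts created in the last 24 hours) and Laura's point that the 624 event, not object ownership, names the creator, worked through as an added example. This is not code from the thread or from adfind: the command line only assumes the -default and -f switches the thread itself uses, and the event body is a constructed sample laid out like the Windows 2003 "User Account Created" event the thread refers to.

```python
# Added example (not from the list thread): build the LDAP filter for user
# objects created in the last N hours, and pull the "Caller User Name" out of a
# 624 event body, which records who actually created the account even when the
# object's owner shows as Domain Admins.
from datetime import datetime, timedelta, timezone
import re

# Constructed reference time (the thread's send time) so results are reproducible.
EXAMPLE_NOW = datetime(2006, 11, 30, 20, 22, tzinfo=timezone.utc)

def generalized_time(dt: datetime) -> str:
    """Render an aware datetime as LDAP GeneralizedTime, the whenCreated format."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")

def new_user_filter(now: datetime, hours: int = 24) -> str:
    """LDAP filter for user objects whose whenCreated falls in the last `hours`."""
    since = generalized_time(now - timedelta(hours=hours))
    return f"(&(objectCategory=person)(objectClass=user)(whenCreated>={since}))"

def adfind_command(now: datetime, hours: int = 24) -> str:
    # Assumes adfind's -default and -f switches as used in the thread; the
    # attribute list at the end is a choice made here, not shown in the thread.
    return f'adfind -default -f "{new_user_filter(now, hours)}" sAMAccountName whenCreated'

# Constructed sample of a Security-log 624 ("User Account Created") body.
SAMPLE_624 = """User Account Created:
    New Account Name: jsmith
    New Domain: XYZ
    New Account ID: XYZ\\jsmith
    Caller User Name: adminacct1
    Caller Domain: XYZ
    Caller Logon ID: (0x0,0x3E7A1)
"""

def caller_from_624(body: str):
    """Return (caller domain, caller user) from a 624 event body, or None."""
    user = re.search(r"Caller User Name:\s*(\S+)", body)
    dom = re.search(r"Caller Domain:\s*(\S+)", body)
    if not (user and dom):
        return None
    return dom.group(1), user.group(1)

if __name__ == "__main__":
    print(adfind_command(EXAMPLE_NOW))
    print(caller_from_624(SAMPLE_624))
```

The directory query answers "which accounts appeared", the event answers "who made them"; correlating the two (account name from the query, caller from the matching 624) is what makes the daily report worth reading.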



RE: [ActiveDir] AD Security Group Information

2006-10-31 Thread Thommes, Michael M.

adfind -default -f "(&(objectclass=group)(groupType=-2147483646))" -tdc whenChanged

hth,

Mike Thommes











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Tuesday, October 31, 2006 2:51 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] AD Security Group Information

I'm having a clear up of my domain and there are approx 8000 security groups.

Some of these are no longer required; what is the best way to determine whether the groups are still in use? Is there any way to query the groups to identify when they were last modified?

thanks

Frank

Single Domain, Windows 2003 FFL








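What Mike's adfind filter selects, and how the whenChanged values it returns can be turned into a review list, as an added example that is not code from the thread or from adfind. The group rows are a constructed sample in a "cn;groupType;whenChanged" layout chosen here, not output from a real domain.

```python
# Added example (not from the thread): decode the groupType value in the adfind
# filter (-2147483646 is 0x80000002, a security-enabled global group) and rank
# groups by how long ago they last changed. whenChanged is only a hint: it also
# moves on unrelated attribute edits, and an untouched group can still be in
# active use through ACLs, so the output is a list to review, not to delete.
from datetime import datetime, timezone

GROUP_SCOPE = {0x2: "global", 0x4: "domain local", 0x8: "universal"}
SECURITY_ENABLED = 0x80000000

# Constructed reference time (the thread's date) so ages are reproducible.
EXAMPLE_NOW = datetime(2006, 10, 31, tzinfo=timezone.utc)

def decode_group_type(value: int) -> str:
    """Turn a signed 32-bit groupType (as adfind prints it) into words."""
    bits = value & 0xFFFFFFFF
    kind = "security-enabled" if bits & SECURITY_ENABLED else "distribution"
    scope = [name for flag, name in GROUP_SCOPE.items() if bits & flag]
    return f"{kind} {scope[0] if scope else 'unknown-scope'}"

def parse_generalized_time(s: str) -> datetime:
    """Parse the raw whenChanged form (YYYYMMDDHHMMSS.0Z) into an aware datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)

# Constructed sample rows: cn;groupType;whenChanged (not real directory data).
SAMPLE_GROUPS = """FileServer-Admins;-2147483646;20061015093000.0Z
Legacy-Printers;-2147483644;20040302120000.0Z
All-Staff;2;20061030081500.0Z
Old-Project-X;-2147483640;20031120160000.0Z"""

def stale_groups(rows: str, now: datetime, min_age_days: int = 365):
    """(cn, decoded type, days since last change) for groups older than the cutoff, oldest first."""
    found = []
    for line in rows.strip().splitlines():
        cn, group_type, changed = line.split(";")
        age_days = (now - parse_generalized_time(changed)).days
        if age_days >= min_age_days:
            found.append((cn, decode_group_type(int(group_type)), age_days))
    return sorted(found, key=lambda row: -row[2])

if __name__ == "__main__":
    for cn, kind, age in stale_groups(SAMPLE_GROUPS, EXAMPLE_NOW):
        print(f"{cn:20} {kind:30} {age} days")
```

For a security-enabled group, membership and the ACLs that reference its SID are the real "in use" signal; the age report just tells you where to look first.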
RE: [ActiveDir] List Groups I'm In?

2006-10-25 Thread Thommes, Michael M.

Hi Deji,

My version of whoami shows the usage as: whoami /groups. Thanks for pointing me at this; I always just used whoami.

Mike Thommes











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Wednesday, October 25, 2006 11:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] List Groups I'm In?

whoami -group


















Sincerely,

Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon

















From: Michael B Allen
Sent: Wed 10/25/2006 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] List Groups I'm In?

What is the easiest way for a user (say on a stock XP client) to list what groups they're in? Specifically I'd like the user to be able to just type a command like 'net user list groups' or some such and get a list of NT Account names for tokenGroups. Or if there is a dialog somewhere that's good too. Ideas?

Mike
-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/








RE: [ActiveDir] The remote computer has ended the connection.

2006-10-18 Thread Thommes, Michael M.
In W2K days, I would *always* log off an admin TS session and then do a remote 
shutdown/reboot.  Executing a shutdown from within the interactive session was 
problematic, to say the least.  I think part of it was breaking down 
TS-generated printer connections.  I don't see this problem with W2K3.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, October 18, 2006 2:13 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.

Does logging off before the shutdown happens still cancel the shutdown?

It used to be a top-tip in NT, but I can never reproduce this in 2Kx.



Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596


-Original Message-
From: Brian Desmond [EMAIL PROTECTED]
Date: Tue, 17 Oct 2006 17:21:07 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

My experience has been that it never actually reboots and I have to issue a shutdown -r -f -t 3 -m \\screwedupserver remotely.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael A. Barker
Sent: Tuesday, October 17, 2006 5:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Are you really sure the system rebooted the first time? I’ve seen this twice in 
the last two months and all the machines I got to before someone rebooted them 
never actually shut down the first time. Connect and look at the logs or use 
the uptime command to check when the last reboot was. I think you’ll find it 
never really went down. You do however get the very familiar disconnect message 
which leads you to believe the machine is going down. For VIP systems I like to 
“ping –t IPAddress” and see that it goes down and comes back up. With that said 
I’ve never had a problem with patching from RDP (using WSUS) and then signing 
off to later send a reboot command over the wire.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Tuesday, October 17, 2006 12:01 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

Yes, it doesn't happen with any other servers, but I have rebooted it more than twice, with no good luck.

What do you guys suggest in this case? Did only rebooting a second time resolve the issue for you?

It worked for me when I disjoined it from my domain, but I am sure this has nothing to do with any GPO. Also, the same thing happened for me when I joined this to any other domain, other than the previous one.

Thanks!!!

Ravi


From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Tue 10/17/2006 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

I have also seen where a second reboot is necessary for RDP to work.  I have 
not determined the cause of this yet.  It does not happen on all servers.

Mike Thommes


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Tuesday, October 17, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

I have noticed that after updating to the latest security patches and rebooting that some (not all) of my servers had issues with RDP.  It cleared after rebooting a second time.  Root cause?  Unknown at this time.

-vC


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Tuesday, October 17, 2006 8:28 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] The remote computer has ended the connection.
Importance: High

Hi,

I am trying to access one of my servers using Remote Connection. I am using mstsc but it's not connecting me to the server; the error is "The remote computer has ended the connection." However, if I use mstsc /v:IP Address /console it lets me connect to it.

Problem is in this mode I can use only an admin id when connected like this. I want my engineers (who don't have administrator privileges) to access this. It's not possible in this mode.

This all happened when I rebooted my server.

Please suggest what can be done to normalize the things.

Thanks!!!

Ravi

RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Thommes, Michael M.

I have also seen where a second reboot is necessary for RDP to work. I have not determined the cause of this yet. It does not happen on all servers.

Mike Thommes


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Tuesday, October 17, 2006 10:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] The remote computer has ended the connection.

I have noticed that after updating to the latest security patches and rebooting that some (not all) of my servers had issues with RDP. It cleared after rebooting a second time. Root cause? Unknown at this time.

-vC


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support
Sent: Tuesday, October 17, 2006 8:28 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] The remote computer has ended the connection.
Importance: High

Hi,

I am trying to access one of my servers using Remote Connection. I am using mstsc but it's not connecting me to the server; the error is "The remote computer has ended the connection." However, if I use mstsc /v:IP Address /console it lets me connect to it.

Problem is in this mode I can use only an admin id when connected like this. I want my engineers (who don't have administrator privileges) to access this. It's not possible in this mode.

This all happened when I rebooted my server.

Please suggest what can be done to normalize the things.

Thanks!!!

Ravi


RE: [ActiveDir] The remote computer has ended the connection.

2006-10-17 Thread Thommes, Michael M.
Hi Susan,
I didn't mean to imply that this was just with the last set of
patches.  I think your note says that you have been seeing this for a
while.  We have too.  One of the guys in my group uses Update Expert to
patch and he sees it more often than I do.  Of course, he patches a lot
more servers than I do.  Another part of the group uses WSUS and they
have not mentioned any issues; but then again, they don't TS into
computers much.  And yes, I will bring it up with my TAM (again?).  I
think I had mentioned it to him previously but never started anything
formal on it.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 17, 2006 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.

Can you PLEASE call into Microsoft PSS or your tam or pam or whatever 
and report this?  Along with anyone else seeing this issue?

I know that calling into PSS can be a pain, but please report this
issue.

We are seeing this more and more and I need to have bodies called in.  
We seriously need to get to the bottom of this because in the SBS space 
we do a lot of remote management and if the RDP dies we have to fall 
back to ILOs and this isn't acceptable in my book for patching to do
this.

Do you rely on WSUS?


Vinnie Cardona wrote:

 I have noticed that after updating to the latest security patches and rebooting that some (not all) of my servers had issues with RDP.  It cleared after rebooting a second time.  Root cause?  Unknown at this time.

  

 -vC




 *From:* [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] *On Behalf Of *Technical 
 Support
 *Sent:* Tuesday, October 17, 2006 8:28 AM
 *To:* activedir@mail.activedir.org
 *Subject:* [ActiveDir] The remote computer has ended the connection.
 *Importance:* High

  

 Hi,

  

 I am trying to access one of my servers using Remote Connection. I am using mstsc but it's not connecting me to the server; the error is "The remote computer has ended the connection." However, if I use mstsc /v:IP Address /console it lets me connect to it.

 Problem is in this mode I can use only an admin id when connected like this. I want my engineers (who don't have administrator privileges) to access this. It's not possible in this mode.

 This all happened when I rebooted my server.

 Please suggest what can be done to normalize the things.

 Thanks!!!

 Ravi


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] Determine disabled computer accounts

2006-10-16 Thread Thommes, Michael M.
Check out oldcmp at http://www.joeware.net/win/free/tools/oldcmp.htm

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W
Mr HP
Sent: Monday, October 16, 2006 12:50 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Determine disabled computer accounts

Hello all
I'm trying to determine the number of computer accounts as well as which
are disabled for our three domains. I've tried Quest Reporter, ADUC and
Hyena but I'm not able to get the disabled computers from any of those
tools. I'm assuming at this point it will take a script but I'm not sure
of the attribute to use. From what I've gathered from web searches it
looks like I should use the userAccountControl attribute. But that
doesn't seem to give me the necessary answer either. Any help is
appreciated.

Thanks
 
Jerry

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


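The userAccountControl test Jerry is looking for, as an added example that is not code from the thread, from Mike's oldcmp pointer, or from adfind. The disabled state is a single bit in a bit-mask attribute, so a plain equality filter cannot find it; the bitwise-AND matching rule can. The adfind command lines assume its -b (base DN) and -c (count only) switches, and the computer rows are a constructed sample, not a real domain.

```python
# Added example (not from the thread): the userAccountControl test for disabled
# computer accounts. ACCOUNTDISABLE is bit 0x2, and because the attribute is a
# bit mask the LDAP_MATCHING_RULE_BIT_AND rule (OID 1.2.840.113556.1.4.803) is
# needed in the filter. The same test is applied to a constructed sample so the
# counts can be checked without a directory.
ACCOUNTDISABLE = 0x0002
WORKSTATION_TRUST_ACCOUNT = 0x1000   # ordinary member computer
SERVER_TRUST_ACCOUNT = 0x2000        # domain controller
BIT_AND = "1.2.840.113556.1.4.803"

def disabled_computers_filter() -> str:
    """LDAP filter matching computer objects whose disabled bit is set."""
    return f"(&(objectCategory=computer)(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE}))"

def adfind_commands(domain_dns):
    """One adfind count query per domain (assumes adfind's -b and -c switches)."""
    return [f'adfind -b "{dn}" -f "{disabled_computers_filter()}" -c' for dn in domain_dns]

def is_disabled(uac: int) -> bool:
    return bool(uac & ACCOUNTDISABLE)

def is_domain_controller(uac: int) -> bool:
    return bool(uac & SERVER_TRUST_ACCOUNT)

# Constructed sample of (sAMAccountName, userAccountControl): 4096 is a plain
# workstation, 4098 the same with the disabled bit set, 532480 a DC
# (SERVER_TRUST_ACCOUNT + TRUSTED_FOR_DELEGATION). Not real data.
SAMPLE_COMPUTERS = [
    ("WS001$", 4096), ("WS002$", 4098), ("DC01$", 532480),
    ("OLDSRV$", 4098), ("WS003$", 4096),
]

def summarize(entries):
    """Totals the way the report would be read: count, disabled names, DC names."""
    return {
        "total": len(entries),
        "disabled": [name for name, uac in entries if is_disabled(uac)],
        "domain_controllers": [name for name, uac in entries if is_domain_controller(uac)],
    }

if __name__ == "__main__":
    for cmd in adfind_commands(["DC=domain1,DC=example", "DC=domain2,DC=example"]):
        print(cmd)
    print(summarize(SAMPLE_COMPUTERS))
```

Running the same filter once per domain (three -b values here) gives the per-domain totals and disabled counts the question asks for, and the bit test in is_disabled is exactly what the matching rule evaluates on the DC.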

RE: [ActiveDir] Discovering LDAPS availability

2006-10-11 Thread Thommes, Michael M.
In this context, would it make sense to write/use a servicePrincipalName
value? (maybe even using admod/adfind  8-)  )

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, October 11, 2006 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Discovering LDAPS availability

The alternate solution I previously mentioned to David and his cohorts in crime was a distasteful but functional solution of writing their own service or script to register the records based on that script/service querying the DCs and getting their LDAPS capability at any given point and then being aware that there will be some level of latency there.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, October 11, 2006 3:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Discovering LDAPS availability

The project that I'm working on makes heavy use of LDAPS.  However, at the moment, we favour the latter statement - the built DCs don't leave staging until the certs are pulled.  They must be signed off, and that's one of the last items on the deployment check list.

We'll probably automate this check soon, but we're too busy with automating the builds at the moment.

Personally, I like the idea of _ldaps SRV RRs.  Although I can appreciate there's a bit more to it from MSFTs point of view than simply getting NETLOGON to register them in DNS.


--Paul

- Original Message - 
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 10, 2006 10:45 PM
Subject: RE: [ActiveDir] Discovering LDAPS availability


 Hmm doesn't look like anyone else has figured this out or just doesn't
 deploy LDAPS or alternately makes sure every DC is capable of LDAPS.


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of David Loder
 Sent: Friday, October 06, 2006 8:51 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Discovering LDAPS availability

 joe's absolutely right.  What's trying to be
 accomplished is to publish new LDAPS SRV records for a
 300+ DC environment.  But I don't want to just blindly
 assume each DC properly enrolled with the CA (we had
 problems like that at the beginning), and I'd really
 like to avoid the overhead of touching each DC.
 Unfortunately, that's about the only viable method I
 see.

 We have a DCR in with MS to change the behavior so
 that the DCs automatically publish LDAPS if it's
 available.  But what we're hearing right now is that
 it's probably not in the pipeline until LH SP1.

 --- joe [EMAIL PROTECTED] wrote:

 LDAPS records aren't published by DCs, only LDAP records. I can assure you if it were that easy, David wouldn't have had an issue. From what I have seen, if a secure LDAP connection is required, the internal routines from MSFT simply locate a DC and go to the port. If LDAPS isn't hot, the connection is dropped with server down error.


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of
 [EMAIL PROTECTED]
 Sent: Thursday, October 05, 2006 6:28 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Discovering LDAPS
 availability

 Couldn't you just query the DNS for the SRV record
 advertising it...

 Matt Duguid
 Systems Engineer for Identity Services
 Department of Internal Affairs

 Phone: +64 4 4748028 (wellington)
 Mobile: +64 21 1713290
 Fax: +64 4 4748894
 Address: Level 4, 47 Boulcott Street, Wellington CBD
 E-mail: [EMAIL PROTECTED]
 Web: http://www.dia.govt.nz/



 From: David Loder [EMAIL PROTECTED]
 Sent by: [EMAIL PROTECTED]
 Sent: 06/10/2006 08:56 a.m.
 To: ActiveDir@mail.activedir.org
 cc:
 Subject: [ActiveDir] Discovering LDAPS availability

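The kind of check joe describes (a script that asks each DC whether LDAPS actually answers and publishes _ldaps SRV records only for the ones that do), as an added example. It is not joe's, David's or Paul's code and not part of the thread; the DC and domain names are placeholders, and the probe results fed to the record builder are a constructed sample.

```python
# Added example (not from the thread): probe a DC's LDAPS port with a real TLS
# handshake and emit _ldaps._tcp SRV records only for DCs that pass. A DC that
# never enrolled a server certificate fails the handshake and is left out
# instead of being advertised, which is the gap the thread is about.
import socket
import ssl

def check_ldaps(host: str, port: int = 636, timeout: float = 3.0):
    """Return (ok, detail); ok is True only if a TLS session was negotiated."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # availability probe; chain validation is a separate step
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True) or b""
                return True, f"{tls.version()} handshake ok, certificate {len(der)} bytes"
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)

def probe_all(dcs, port: int = 636):
    """Map each DC name to its (ok, detail) probe result."""
    return {dc: check_ldaps(dc, port) for dc in dcs}

def srv_records(domain: str, results, port: int = 636, priority: int = 0, weight: int = 100):
    """SRV lines for DCs whose probe succeeded, plus the (dc, reason) pairs skipped."""
    lines, skipped = [], []
    for dc, (ok, detail) in sorted(results.items()):
        if ok:
            lines.append(f"_ldaps._tcp.{domain}. IN SRV {priority} {weight} {port} {dc}.")
        else:
            skipped.append((dc, detail))
    return lines, skipped

# Constructed sample results (placeholder names, not a real forest).
SAMPLE_RESULTS = {
    "dc1.example.local": (True, "TLSv1.2 handshake ok, certificate 1432 bytes"),
    "dc2.example.local": (False, "[Errno 111] Connection refused"),
    "dc3.example.local": (False, "[SSL] certificate missing on server"),
}

if __name__ == "__main__":
    # Replace the placeholders with real DC FQDNs to run the live probe.
    live = probe_all(["dc1.example.local"])
    lines, skipped = srv_records("example.local", live)
    print("\n".join(lines) or "no DC passed the LDAPS check")
    for dc, why in skipped:
        print(f"skipped {dc}: {why}")
```

Because the records are derived from a point-in-time probe, joe's caveat about latency applies: a DC that loses its certificate after the script ran stays advertised until the next run, so the interval should be short and the skipped list should be alerted on.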

[ActiveDir] problem changing employeeID attribute value

2006-10-10 Thread Thommes, Michael M.

For an AD user account, we normally populate the attribute employeeID with a value. Circumstances surrounding some accounts require me to unpopulate this value. In ADSIEdit, however, when I go to this Unicode String valued attribute with the Edit function, I can delete the value, but when I go to save it, I get "The parameter is incorrect." An unpopulated normal value shows "not set" (without the quotes). Is it possible I should type in "not set" instead of just trying to delete the value? It just doesn't seem right. What am I doing wrong? Any help is appreciated!

TIA!

Mike Thommes








RE: [ActiveDir] problem changing employeeID attribute value

2006-10-10 Thread Thommes, Michael M.

Hi Andrew,

I am embarrassed the answer was so simple. (I thought I tried that; obviously not!) Thanks!

-mike











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Cace
Sent: Tuesday, October 10, 2006 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] problem changing employeeID attribute value

Try clicking the 'Clear' button instead of deleting the value.

-Andrew















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, October 10, 2006 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] problem changing employeeID attribute value

For an AD user account, we normally populate the attribute employeeID with a value. Circumstances surrounding some accounts require me to unpopulate this value. In ADSIEdit, however, when I go to this Unicode String valued attribute with the Edit function, I can delete the value, but when I go to save it, I get "The parameter is incorrect." An unpopulated normal value shows "not set" (without the quotes). Is it possible I should type in "not set" instead of just trying to delete the value? It just doesn't seem right. What am I doing wrong? Any help is appreciated!

TIA!

Mike Thommes








RE: [ActiveDir] Who keeps creating this folder & files?!

2006-10-05 Thread Thommes, Michael M.

Try FileNotify freeware at http://www.xtware.com/

Mike Thommes











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kurt Falde
Sent: Thursday, October 05, 2006 1:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Who keeps creating this folder & files?!

Drop filemon on the box with a filter for mp3 and just let it stay running in a disconnected ts window would probably be one method.

Kurt Falde











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B
Sent: Thursday, October 05, 2006 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who keeps creating this folder & files?!

Argh! On one of our file servers, there is a public directory that allows any authenticated user to do anything within it (minus changing permissions). MP3 files and folders appear there every so often and are removed soon thereafter. Is there some way for me to tell who has created these folders and MP3 files?

Every time I check, no one is currently accessing the files - which would be an easy way for me to know...










RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

2006-10-03 Thread Thommes, Michael M.

Hi Rezuma,

I suspect you might run into the same issue I had when I did the R2 forestprep with SFU 3.5 (although you have the earlier SFU 3.0). If so, see the fixup from Steve Linehan posted to this newsgroup on 8/7/06 (and my comment from 8/12/06).

Mike Thommes











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 03, 2006 11:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

You get the R2 CD and do the forestprep, it will install the entire R2 schema which includes all of those Unix interop classes and attributes. You do not really want to do this manually or it could be troublesome later.

 joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, October 03, 2006 11:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

We are using windows 2003 servers. But what I need is to add those 2 classes that already exist in the AD schema to the global catalog so they replicate through the GCs in the forest. How do I add 2 whole classes with their attributes? Changing the "replicate this attribute in the global catalog" option attribute by attribute?

Thanks

Rezuma









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 03, 2006 11:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

Modifying the schema except for indexing or adding PAS attributes in a forest with Windows 2000 domain controllers is really a non-event when done properly with proper OIDs and names. Indexing can work your DCs a little as the new indexes have to be created but it depends on the attribs being indexed and what type of index is being created on how much that will hit your DC. Usually I would say it is minimal impact. With Windows 2000 GCs, you get to enjoy a full PAS refresh which generates a considerable amount of replication. Simply, if you are running Windows 2000 DCs, why in the world are you doing so, upgrade already, 2003 has been around for 3 years already and has a ton of AD enhancements. In a small network like yours, I wouldn't expect even a small burp even in the worst case unless you have few users and a ton (tens or hundreds of thousands) of other types of objects. You would mention that though I expect.

 joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, October 03, 2006 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

Thanks for the info. How do I go about adding them to the GC? And, being a small network, do you see any dramatic effect to doing that, in terms of replication I mean?

Thanks











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 02, 2006 11:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

SFU30 is pretty old. What you really should do is apply the Windows Server 2003 R2 Schema which has the aux classes:

posixAccount
posixGroup

 joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Monday, October 02, 2006 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 200 users network. Adding 2 classes to the GC

Hi,

I have a Unix application that uses LDAP queries.

The developer is telling me that 2 classes should be available in the GC (they need to query the whole forest for some information).

The classes are msSFU30PosixAccount and msSFU30PosixGroup. How do I add a whole class to the GC? I know how to add an attribute, do I have to go attribute by attribute?

We only have 200 users and not many AD objects; is there a reason why I should not add those 2 classes, in terms of replication I mean, for a small network like this?

Thanks

Rezuma










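Joe's point is that a class is not "added to the GC"; what the global catalog carries is the set of attributes flagged in the partial attribute set, and the R2 forestprep sets those flags for you. This added example (not code from the thread or from adfind) shows how to verify the result afterwards: list the attributes a class can hold and report which ones are not flagged with isMemberOfPartialAttributeSet. The schema rows are constructed samples, and the adfind line assumes its -schema base switch.

```python
# Added example (not from the thread): given a classSchema entry and the
# attributeSchema entries its attributes resolve to, report which attributes
# the global catalog will NOT carry (isMemberOfPartialAttributeSet not TRUE).
# This is a verification step after the schema update, not a way to edit it.

def class_attributes(cls):
    """All attribute names a class may or must hold, from its four *Contain lists."""
    names = []
    for key in ("mustContain", "systemMustContain", "mayContain", "systemMayContain"):
        names.extend(cls.get(key, []))
    return sorted(set(names))

def pas_gap(cls, attrs):
    """(attribute, reason) for each class attribute not in the partial attribute set."""
    missing = []
    for name in class_attributes(cls):
        entry = attrs.get(name)
        if entry is None:
            missing.append((name, "attribute not found in schema"))
        elif entry.get("isMemberOfPartialAttributeSet", "FALSE").upper() != "TRUE":
            missing.append((name, "isMemberOfPartialAttributeSet is not TRUE"))
    return missing

def schema_lookup_command(names):
    """adfind query (assumes the -schema base switch) to fetch the PAS flag for these attributes."""
    clauses = "".join(f"(lDAPDisplayName={n})" for n in names)
    return f'adfind -schema -f "(|{clauses})" lDAPDisplayName isMemberOfPartialAttributeSet'

# Constructed sample schema rows (not a dump of a real forest): a class with its
# attribute lists, and the attributeSchema entries those names resolve to.
SAMPLE_CLASS = {
    "lDAPDisplayName": "msSFU30PosixAccount",
    "mayContain": ["msSFU30UidNumber", "msSFU30GidNumber", "msSFU30HomeDirectory"],
    "systemMayContain": ["msSFU30LoginShell"],
}
SAMPLE_ATTRS = {
    "msSFU30UidNumber": {"isMemberOfPartialAttributeSet": "TRUE"},
    "msSFU30GidNumber": {"isMemberOfPartialAttributeSet": "FALSE"},
    "msSFU30HomeDirectory": {},      # flag never set: not in the PAS
    "msSFU30LoginShell": {"isMemberOfPartialAttributeSet": "TRUE"},
}

if __name__ == "__main__":
    print(schema_lookup_command(class_attributes(SAMPLE_CLASS)))
    for name, reason in pas_gap(SAMPLE_CLASS, SAMPLE_ATTRS):
        print(f"{name}: {reason}")
```

Anything the report lists is an attribute the developer's forest-wide GC query will silently get back empty, which is the symptom worth catching before the application goes live rather than after.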
RE: [ActiveDir] different version of R2 available?

2006-09-21 Thread Thommes, Michael M.

Thanks for all of the replies! I actually was able to get a hold of the Standard and Enterprise versions of R2 (aka Disk 2) to do a compare (windiff.exe) and there are differences.

Mike Thommes











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, September 20, 2006 5:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] different version of R2 available?

My officemate and I were discussing whether there are different versions of the R2 CD depending on whether you're running Server 2003 Standard or Server 2003 Enterprise. Or is there only one version of R2? TIA!

Mike Thommes








[ActiveDir] different version of R2 available?

2006-09-20 Thread Thommes, Michael M.

My officemate and I were discussing whether there are different versions of the R2 CD depending on whether you're running Server 2003 Standard or Server 2003 Enterprise. Or is there only one version of R2? TIA!

Mike Thommes








RE: [ActiveDir] OT: Protecting against Spyware/Adware

2006-09-14 Thread Thommes, Michael M.

Touche 8-)

Mike Thommes











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 14, 2006 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

I run as local admin and have zero issues with spyware? Coincidence?

;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

















From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Thursday, September 14, 2006 11:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware

Nobody runs as a local administrator. We have zero issues with spyware. Coincidence?















From:
[EMAIL PROTECTED] on behalf of Chris Pohlschneider
Sent: Thu 9/14/2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT:
Protecting against Spyware/Adware





Just curious what other people are using for protecting
against adware/spyware? We are using Webroot Spysweeper right now, but I see
some performance hits on computers running this software and it does work, but
it causes headaches will installing some apps that we approve. Any suggestions
are appreciated. 



Chris Pohlschneider

Holloway SportswearIT

937-494-2559

937-497-7300 (Fax)

[EMAIL PROTECTED]














[ActiveDir] OT: uptime.exe in a 2003/sp1 world - problem

2006-09-07 Thread Thommes, Michael M.

Hi,
 I have moved a job that employs uptime.exe (in a loop using the FOR command) from a Windows 2000/SP4 server to a Windows 2003/SP1 server. Now part way through the job, I get:

Event Type: Information
Event Source: Application Popup
Event Category: None
Event ID: 26
Date: 9/7/2006
Time: 9:29:36 AM
User: N/A
Computer: ODDJOB221
Description:
Application popup: UPTIME.EXE - Application Error : The instruction at 0x7c837cf5 referenced memory at 0xfffd. The memory could not be read.

Click on OK to terminate the program
Click on CANCEL to debug the program

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Any thoughts? TIA!

Mike Thommes

RE: [ActiveDir] Seperate Administrator password policy

2006-08-31 Thread Thommes, Michael M.

We are still testing PassFiltPro software (http://www.altusnet.com/products/) which supposedly has the ability with one of its versions (MPE) to enforce different password policies based on global groups. This is mentioned only for information, not endorsement, at this time.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: Thursday, August 31, 2006 7:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seperate Administrator password policy

Just wanted to field this to see if it makes any sense to any of you guys.

We are going to implement a mandatory 15 character password policy for all of our administrator accounts. The only way that makes sense is a subdomain with a separate password policy, since there is only one per domain. I also know that I have to edit the minPwdLength attribute and the uASCompat attribute to make this work on the subdomain. Can anyone think of another method of doing this?

Thanks,

Nate Bahta

[ActiveDir] www.activedir.org MIA?; storing pictures in AD?

2006-08-30 Thread Thommes, Michael M.

Can anyone else get to the archives? Specifically, I was looking for a thread from, I think, a couple of years ago where there was discussion about storing (not storing?) employee pictures in AD. I am concerned about how that attribute will grow our DIT. I seem to recall that maybe just a pointer could be stored that would point to maybe an Oracle or Access database. Any thoughts/recalls? Thanks!

Mike Thommes

RE: [ActiveDir] nslookup. AD beginer question

2006-08-29 Thread Thommes, Michael M.

I am guessing, based on the port number, you have a DNS A record for this computer in gc._msdcs.domain.com.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, August 29, 2006 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginer question

I did the nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com and I got

_ldap._tcp.dc._msdcs.domain.com SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = sami.domain.com

I can't find that machine anywhere, not in the AD or dns server!!!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, August 29, 2006 10:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginer question

I think the key to this question is a very simple troubleshooting step. Go into DNS and look at the (same as parent folder) records. Delete the ones that aren't currently DNS servers. If you are using AD integrated DNS, then this should be any domain controllers that you want clients to get DNS from. Give it a day or two and see if the bad ones come back. If they don't then you can assume this was an obsolete entry. If they do then you can start looking for why.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Tuesday, August 29, 2006 4:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] nslookup. AD beginer question

If you do NSLOOKUP DOMAIN-NAME.COM then you will get a list of all the DNS servers for that domain. For example, if you are using AD-Integrated DNS, you will get a list of any DCs that are also DNS servers. Basically, that command returns the (Same as parent) records for the domain.

If you want to pull all DCs in the domain, you need to run something like this:

nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com

If you run the above command and get computer accounts back, see kb825675 as referenced by Steve. I wasn't aware that that bug also registered A records for the domain name, but it might...

If you're new to NSLOOKUP, consider what information you want. There's a bunch of different types of DNS record that might be of interest (A, CNAME, PTR, SRV, MX). When troubleshooting AD, the main ones to look for are A and SRV (there's also an instance where you need to check the CNAME record too). Remember that simply pinging a DC doesn't mean that the necessary SRV records are in place. I personally always advise people to use a combination of NSLOOKUP and NLTEST to troubleshoot DNS and the locator process. Use NSLOOKUP to see if the records that you expect are there, and NLTEST to make the DsGetDC and DsGetSite calls.

--Paul

- Original Message -
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Monday, August 28, 2006 7:14 PM
Subject: [ActiveDir] nslookup. AD beginer question

Hi Everyone,

When I do an nslookup domain.com, being domain.com my AD domain, what should I see? A list of the dns servers in my domain? A list of the DCs?

The fact is that I am doing nslookup and I am getting domain controllers but also a user's computer

Thanks
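As an added example (not code from the thread), the stale-record check Kevin and Paul describe, scripted against constructed nslookup output for a placeholder domain.com: it takes the DC list from the _ldap._tcp.dc._msdcs SRV query and reports any address on the domain name's own (same as parent folder) A records that no listed DC owns, which is the kind of entry Ramon saw. The dc1/dc2 hostnames and 10.0.0.x addresses are assumptions, not real hosts.

```shell
#!/bin/sh
# Added example, not code from the thread. Both lookups below are constructed
# text standing in for real nslookup output; domain.com, dc1/dc2 and the
# 10.0.0.x addresses are placeholders.

# What `nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com` returns:
# one SRV record per domain controller (Paul's "pull all DCs" query).
SRV_OUTPUT='_ldap._tcp.dc._msdcs.domain.com  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.domain.com
_ldap._tcp.dc._msdcs.domain.com  SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc2.domain.com'

# What `nslookup domain.com` returns: the (same as parent folder) A records.
# 10.0.0.55 is the odd one out, the "user's computer" in Ramon's question.
PARENT_OUTPUT='Name:    domain.com
Addresses:  10.0.0.11, 10.0.0.12, 10.0.0.55'

# A records of the DCs themselves (what `nslookup dc1.domain.com` would give).
DC_A_RECORDS='dc1.domain.com 10.0.0.11
dc2.domain.com 10.0.0.12'

# Hostnames advertised by the SRV records, one per line, sorted.
dc_hostnames() {
    printf '%s\n' "$SRV_OUTPUT" | awk '/svr hostname/ { print $NF }' | sort -u
}

# Every address registered directly on the domain name, one per line.
parent_addresses() {
    printf '%s\n' "$PARENT_OUTPUT" \
        | awk '/^Address/ { sub(/^Address(es)?:/, ""); gsub(/,/, " "); for (i = 1; i <= NF; i++) print $i }' \
        | sort -u
}

# Addresses on the domain name that do not belong to any DC in the SRV set.
# Prints one address per line; prints nothing when the records are clean.
stale_parent_addresses() {
    dc_ips=$(for host in $(dc_hostnames); do
                 printf '%s\n' "$DC_A_RECORDS" | awk -v h="$host" '$1 == h { print $2 }'
             done)
    for ip in $(parent_addresses); do
        printf '%s\n' "$dc_ips" | grep -qxF "$ip" || echo "$ip"
    done
}

echo "DCs from SRV records:"
dc_hostnames
echo "Addresses on the domain name not owned by a DC (review these in DNS):"
stale_parent_addresses
```

Against live DNS, replace the three constructed strings with the real nslookup output and the DCs' own A records; an address that turns up here is a candidate for Kevin's delete-and-watch step.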










RE: [ActiveDir] nslookup. AD beginer question

2006-08-28 Thread Thommes, Michael M.

You should get back your domain controllers' IP addresses. Is it possible that your user's computer has gotten the IP of an old DC?

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Monday, August 28, 2006 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginer question

Thanks, but after reading all that I still was not able to find out what kind of information you get when you do lookup domain.com, being domain.com your AD domain, and why I am getting a user's computer.

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Monday, August 28, 2006 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginer question

http://www.cni.org/pub/inetroom/nslookup.html

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup.mspx?mfr=true

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup__subcommands.mspx?mfr=true

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Ramon Linan
Sent: Mon 8/28/2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] nslookup. AD beginer question

Hi Everyone,

When I do an nslookup domain.com, being domain.com my AD domain, what should I see? A list of the dns servers in my domain? A list of the DCs?

The fact is that I am doing nslookup and I am getting domain controllers but also a user's computer

Thanks

RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved

2006-08-23 Thread Thommes, Michael M.

Thanks to all who responded! The problem was solved by installing our local root CA cert on the outside computer since we are rolling our own and not using one of the well known CAs (Trusted Root Certification Authorities).

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Hi Robert,
 Yes, the command is *exactly* the same. We are thinking that our CRL location is not available outside of the firewall. We generate our own certificates; we don't use a well known provider.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Tuesday, August 22, 2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Hey Mike,

When you say "It works fine behind our firewall", are you meaning that the *exact same* command line works and you get the object returned?

I tried using adfind to connect to my test DC using port 636 and got the exact same error...but I don't have a cert installed on my DC so I'd expect mine not to work.

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure LDAP queries from the outside

Hi,
 We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue. Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using adfind:

adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
Terminating program.

(extensionAttribute2 is used for email address)

Portqry shows that the DC is listening on port 636. Using ldp, the bind operation seems to want to default to port 389 (which is not open).

It works fine behind our firewall. Is there some other port that needs to be open (besides 389)? Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way? Any help is appreciated!

TIA,
Mike Thommes

2006-08-22, 10:35:32
The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.

RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved

2006-08-23 Thread Thommes, Michael M.
Hi joe,
The CRL location is *not* available from the outside.  And since neither 
adfind, ldp or Outlook Express seemed to care, I am guessing that not many 
(any?) tools require it.  Kinda makes ya wonder why you would have it if it's 
not used.  Sorta like not using the book of bad credit card numbers when 
someone handed you a credit card!  (maybe some of you are old enough to 
remember this safeguard before there were computers everywhere!  LOL!).
 
Mike Thommes



From: [EMAIL PROTECTED] on behalf of joe
Sent: Wed 8/23/2006 7:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved


Cool, is the CRL available from the outside at all? I am really curious if that 
is truly needed from the client when using LDAPS, it doesn't seem to be needed 
but my testing has been far from perfect in that regard.
 
  joe
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael 
M.
Sent: Wednesday, August 23, 2006 8:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved



Thanks to all who responded!  The problem was solved by installing our local 
root CA cert on the outside computer since we are rolling our own and not 
using one of the well known CAs (Trusted Root Certification Authorities).

 

Mike Thommes

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael 
M.
Sent: Tuesday, August 22, 2006 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

 

Hi Robert,

Yes, the command is *exactly* the same.  We are thinking that our CRL 
location is not available outside of the firewall.  We generate our own 
certificates; we don't use a well known provider.

 

Mike Thommes

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Tuesday, August 22, 2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

 

Hey Mike,

 

When you say It works fine behind our firewall, are you meaning that the 
*exact same* command line works and you get the object returned?

 

I tried using adfind to connect to my test DC using port 636 and got the exact 
same error...but I don't have a cert installed on my DC so I'd expect mine not 
to work.

Robert Williams 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael 
M.
Sent: Tuesday, August 22, 2006 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure LDAP queries from the outside

 

Hi,

   We are trying to set up secure LDAP queries from the outside to AD for 
pulling email addresses but are running into an issue.  Port 636 has been 
opened up to our DCs but we get a 0x51 error like the one shown below in this 
example of using adfind:

 

adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up *  -default -nodn -f 
sn=thommes extensionAttribute2

 

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

 

LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down

Terminating program.

 

(extensionAttribute2 is used for email address)

 

Portqry shows that the DC is listening on port 636.  Using ldp, the bind 
operation seems to want to default to port 389 (which is not open).

 

It works fine behind our firewall.  Is there some other port that needs to be 
open (besides 389)?  Or maybe some security feature (we are running w2k3/sp1 on 
our DCs) that is getting in the way?  Any help is appreciated!

 

TIA,

Mike Thommes

 

 


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
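As an added example (not code from the thread or from any tool named in it), a throwaway lab PKI built with the openssl CLI that reproduces Mike's symptom, the outside client trusting no in-house root, then the fix he applied, handing that root to the client, and finally joe's CRL question: plain chain validation never fetches a CRL, so an unreachable CRL location only becomes fatal once the client insists on revocation checking. It assumes openssl 1.1.1 or later is on PATH; the CA name and the dc1.abc.com certificate are constructed for the lab.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway lab PKI with
# the openssl CLI (assumed on PATH, 1.1.1 or later). "Lab Root CA" and the
# dc1.abc.com certificate are constructed for this lab only.

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT

# The in-house root CA: the poster "rolled their own" instead of using a CA
# that clients already carry in Trusted Root Certification Authorities.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Lab Root CA' \
    -keyout "$LAB/ca.key" -out "$LAB/ca.pem" 2>/dev/null

# The DC's server certificate, issued by that root (what a DC presents on 636).
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=dc1.abc.com' \
    -keyout "$LAB/dc1.key" -out "$LAB/dc1.csr" 2>/dev/null
openssl x509 -req -in "$LAB/dc1.csr" -days 2 -CA "$LAB/ca.pem" -CAkey "$LAB/ca.key" \
    -CAcreateserial -out "$LAB/dc1.pem" 2>/dev/null

# Each check returns 0 when the chain validates and non-zero when it does
# not, which is the point at which an LDAPS client abandons the bind and a
# tool such as adfind reports the server as down.

# Outside the firewall, before the fix: no trust anchor for the lab root.
# -no-CAfile/-no-CApath keep the host's own public roots out of the picture,
# so only what this script supplies can vouch for the DC certificate.
verify_as_outside_client() {
    openssl verify -no-CAfile -no-CApath "$LAB/dc1.pem" >/dev/null 2>&1
}

# After the fix: the private root is installed on the client as a trust anchor.
verify_with_root_installed() {
    openssl verify -no-CAfile -no-CApath -CAfile "$LAB/ca.pem" "$LAB/dc1.pem" >/dev/null 2>&1
}

# joe's question: the validation above never asked for a CRL. Only when the
# client turns on revocation checking does a missing/unreachable CRL become
# fatal; no CRL is loaded here, so this check fails even with the root trusted.
verify_with_crl_check() {
    openssl verify -no-CAfile -no-CApath -CAfile "$LAB/ca.pem" -crl_check "$LAB/dc1.pem" >/dev/null 2>&1
}

for check in verify_as_outside_client verify_with_root_installed verify_with_crl_check; do
    if "$check"; then echo "$check: chain OK"; else echo "$check: validation failed"; fi
done
```

The third check is the caveat behind Mike's "kinda makes ya wonder": a client that does not check revocation will happily accept a revoked DC certificate, so publishing the CRL where outside clients can reach it is what makes the check possible at all.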


[ActiveDir] Secure LDAP queries from the outside

2006-08-22 Thread Thommes, Michael M.

Hi,
 We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue. Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using adfind:

adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
Terminating program.

(extensionAttribute2 is used for email address)

Portqry shows that the DC is listening on port 636. Using ldp, the bind operation seems to want to default to port 389 (which is not open).

It works fine behind our firewall. Is there some other port that needs to be open (besides 389)? Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way? Any help is appreciated!

TIA,
Mike Thommes

RE: [ActiveDir] Secure LDAP queries from the outside

2006-08-22 Thread Thommes, Michael M.

Hi Robert,
 Yes, the command is *exactly* the same. We are thinking that our CRL location is not available outside of the firewall. We generate our own certificates; we don't use a well known provider.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Tuesday, August 22, 2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Hey Mike,

When you say "It works fine behind our firewall", are you meaning that the *exact same* command line works and you get the object returned?

I tried using adfind to connect to my test DC using port 636 and got the exact same error...but I don't have a cert installed on my DC so I'd expect mine not to work.

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure LDAP queries from the outside

Hi,
 We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue. Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using adfind:

adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
Terminating program.

(extensionAttribute2 is used for email address)

Portqry shows that the DC is listening on port 636. Using ldp, the bind operation seems to want to default to port 389 (which is not open).

It works fine behind our firewall. Is there some other port that needs to be open (besides 389)? Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way? Any help is appreciated!

TIA,
Mike Thommes

















RE: [ActiveDir] User AutoEnrollment

2006-08-16 Thread Thommes, Michael M.
Maybe the CRL (Certificate Revocation List) location is not available?

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, August 16, 2006 8:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User AutoEnrollment

Event Source: AutoEnrollment
EventID: 15

Does anyone have a better definition of what this is?  Half of my 
machines cannot find the domain this morning. Lots of eventid 15 showed 
up. I went into GPO and disabled autorollment in both computer and user 
settings. BAM! Everyone can log on again.

-Z.V.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] Adding the first Win2003 R2 DC

2006-08-15 Thread Thommes, Michael M.

I fixed this issue with ldp and Steve Linehan's instructions to the list about two weeks ago. Microsoft supposedly has an unofficial patch to fix this issue. Talk to your TAM.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 15, 2006 6:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding the first Win2003 R2 DC

All of the issues I have heard of around R2 ForestPrep have been around the mangling of the SFU attributes that has been discussed here.

I am not sure why MSFT is acting surprised about it. Aric Bernard (from the list here) encountered it and told them about it in the beta groups a long long time ago.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Patton
Sent: Monday, August 14, 2006 8:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding the first Win2003 R2 DC

Did you run into any issues performing this upgrade?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, July 27, 2006 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding the first Win2003 R2 DC

Thanks to all for the responses.

Bryan Lucas
Server Administrator
Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, July 27, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding the first Win2003 R2 DC

You need to run forestprep from the R2 CD on your schema master.

Paul has a nice summary here:

http://www.msresource.net/content/view/60/47/

and more from Microsoft

http://technet2.microsoft.com/WindowsServer/en/library/5022eea0-54bc-422f-b98b-ddb836c8ee851033.mspx?mfr=true

Thanks

Mike

On 7/27/06, Lucas, Bryan [EMAIL PROTECTED] wrote:

I have 4 DC's that are Win2003 SP1 and 1 DC that is still Win2000 SP4. I'd like to add a new DC that is Win2003 R2. Is there anything special I need to do (i.e. forestprep/domainprep) or can I join it just like another Win2003 SP1 DC?

Thanks,

Bryan Lucas
Server Administrator
Texas Christian University

RE: [ActiveDir] joe - please say it isn't so!

2006-08-14 Thread Thommes, Michael M.

So here I went to take a look at Dean's article, and I find this: http://blog.joeware.net/cat/recipes/ , expecting to find more of joe's great adfind codes. At first, I thought it got misfiled and should have been filed under "humor" but I suspect this is hardly funny. Joe, are you pulling our collective legs? Please tell me this blog is a poor Michigander's joke! If not, please take me with you to New Zealand ... I need to see first hand that the Brown Trout there are bigger than they are in Michigan! ;-)

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]

joe said "pretty decent" http://blog.joeware.net/2006/06/08/400/

I think that's an understatement ;-)

However, my profuse thanks to joe too. I wasn't aware of the article until he blogged it.

M@

On 8/14/06, Dean Wells [EMAIL PROTECTED] wrote:

Why thank you ... but who said otherwise? ;0)

--
Dean Wells
MSE technology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 2:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]

http://searchwinit.techtarget.com/originalContent/0,289142,sid1_gci1192821,00.html?track=NL-463ad=554811USCAad=554808

I don't care what anyone says. That's a damn fine article.

I couldn't possibly thank Dean enough for that info.

M@

On 8/14/06, Graham Turner [EMAIL PROTECTED] wrote:

Alter ego !

my thanks are due

worked out a treat - so the GC's are not so ***'d as i thought

any info on the concept of the phantoms though ??

GT

 Hey Robert,

 In the article you posted, the registry key is incorrect in the KB content. It lists the registry key as:
 HKCU\Software\Policies\Microsoft\Windows\Directory

 However, the correct registry key is:
 HKCU\Software\Policies\Microsoft\Windows\Directory UI

 I've sent a comment to my former employer to ask for them to fix the article...next time, test it *before* you post!

 Your Alter Ego,
 Robert Williams

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Williams, Robert
 Sent: Monday, August 14, 2006 9:28 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir]

 Hey Graham,

 This may not be what you're experiencing, but it could be worth it to check to see how many members you have in the group(s) in question. By default, if the group has over 500 members in it, the user icons inside the group will turn grey. Check out this article for more information:
 http://support.microsoft.com/kb/q281923/

 Let us know if that turned out to be the cause.

 Have a great day!

 Robert Williams

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
 Sent: Monday, August 14, 2006 9:01 AM
 To: activedir@mail.activedir.org
 Subject: [ActiveDir]

 Dear all, am experiencing issues that i think attributable to the concept of Active Directory phantoms

 the symptom is that when we open certain global groups the membership list comes out with grey icons

 this is not all groups - affected ones being - Domain Users / Domain computers

 must confess to not a full understanding of the issue here - but it seems this relates in some way to GC lookup ??

 i can for sure confirm that the GC port 3268 is open on the GC's

 not sure why as the group / user members are in the same domain ?

 after the understanding of what is going on here is, of course 'HOW DO WE FIX' ??

 technet seems to reference a concept of 'phantom clean up task' - a process that runs on the server running 'INFRASTRUCTURE MASTER' fsmo role on a scheduled basis to resolve the directory issue.

 would seem not in this case ?

 as a point to note, neither netdiag nor dcdiag are coming up with anything conclusive in this respect.

 help as always gladly received

 GT

 List info : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] [OT] joe - please say it isn't so!

2006-08-14 Thread Thommes, Michael M.








look stupid And here the newsgroup
was telling me about check the date. April Fools Day
did not even dawn on me! (cant see the forest
through the trees.) Boy, joe, you must write convincingly, or
maybe I was too focused on New
  Zealand and those Brown Trout! /look
stupid :-o



Mike Thommes











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 14, 2006 4:04
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] joe
- please say it isn't so!





It ain't so. :)



Happy April Fool's day... 



Though I have to say, it felt good writing
that. Building a fountain in the middle of New Zealand so you can appreciate
it from a hammock sounds like a good gig. 









--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

















From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, August 14, 2006 3:28
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] joe -
please say it isn't so!

So here I went to take a look at
Deans article, and I find this: http://blog.joeware.net/cat/recipes/
, expecting to find more of joes great adfind codes. At first, I
thought it got misfiled and should have been filed under humor
but I suspect this is hardly funny. Joe, are you pulling our collective
legs? Please tell me this blog is a poor Michiganders joke!
If not, please take me with you to New Zealand
 I need to see first hand that the Brown Trout there are bigger than
they are in Michigan!
;-)



Mike Thommes











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 2:02
PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]







joe said pretty decent http://blog.joeware.net/2006/06/08/400/











I think thats an understatement ;-)











However, my profuse thanks to joe too. I wasnt aware of the article
until he blogged it.











M@







On 8/14/06, Dean
Wells [EMAIL PROTECTED]
wrote: 







Why thank you  but who said otherwise? ;0)











--
Dean Wells
MSE technology
* Email: [EMAIL PROTECTED]
http://msetechnology.com



















From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 2:35
PM






To: ActiveDir@mail.activedir.org





Subject: Re:
[ActiveDir] 













http://searchwinit.techtarget.com/originalContent/0,289142,sid1_gci1192821,00.html?track=NL-463ad=554811USCAad=554808












I dont
care what anyone says. Thats a damn fine article.











I couldnt
possibly thank Dean enough for that info.

M@

















On
8/14/06, Graham Turner [EMAIL PROTECTED]
wrote: 

Alter ego
!

my thanks are due

worked out a treat - so the GC's are not so ***'d as i thought 

any info on the concept of the phantoms though ??

GT

 Hey Robert,

 In the article you posted, the registry key is incorrect in the KB 
 content.It lists the registry key as: 
 HKCU\Software\Policies\Microsoft\Windows\Directory

 However, the correct registry key is:
 HKCU\Software\Policies\Microsoft\Windows\Directory UI 

 I've sent a comment to my former employer to ask for them to fix the 
 article...next time, test it *before* you post!

 Your Alter Ego,
 Robert Williams

 -Original Message- 
 From: [EMAIL PROTECTED]
 [mailto:
[EMAIL PROTECTED]] On Behalf Of Williams,
 Robert
 Sent: Monday, August 14, 2006 9:28 AM 
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir]

 Hey Graham,

 This may not be what you're experiencing, but it could be worth it to
 check to see how many members you have in the group(s) in question. By
 default, if the group has over 500 members in it, the user icons inside
 the group will turn grey. Check out this article for more information:
 http://support.microsoft.com/kb/q281923/

 Let us know if that turned out to be the cause.

 Have a great day!

 Robert Williams 


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
 Sent: Monday, August 14, 2006 9:01 AM
 To: activedir@mail.activedir.org
 Subject: [ActiveDir]

 Dear all, am experiencing issues that i think attributable to the
 concept of Active Directory phantoms

 the symptom is that when we open certain global groups the membership
 list comes out with grey icons

 this is not all groups - affected ones being - Domain Users / Domain
 computers

 must confess to not a full understanding of the issue here -but it seems
 this relates in some way to GC lookup ??

 i can for sure confirm that the GC port 3268 is open on the GC's

 not sure why as the group / user members are in the same domain ?

 after the understanding of what is going on here is, of course 'HOW DO
 WE FIX' ??

 technet seems to reference a concept of 'phantom clean up task' - a
 process that runs on the server running 'INFRASTRUCTURE MASTER' fsmo
 role on a scheduled basis to resolve

RE: [ActiveDir] OT: Enterprise Terminal Server Licensing Server question

2006-08-06 Thread Thommes, Michael M.
Title: OT: Enterprise Terminal Server Licensing Server question

Hi Freddy,

Thanks for the feedback. But I get the same result from the W2K
lsview.exe. And this is running these tools right on the license
server/domain controller! I am thinking that I need to manually populate
the AD group Terminal Server Licensing Servers. Conversely, I hate
making changes when there are no known problems.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Sunday, August 06, 2006 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Enterprise Terminal Server Licensing Server question

Hi Mike

I had the same problems in which I actually logged a pss call on, try
using the windows 2000 resource kit version of lsview.exe and it works
fine.

Basically if i remember this correctly using the win2003 lsview.exe it
will only detect it if your machine is in the same site as the tsls
server, if you are running the lsview on a machine that is outside the
site, it wouldn't detect it.

No solution, fed up with the answers I was getting - closed the ticket
(as I thought this only occurs in my ex company, apparently now I'm
getting the same result as well)

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
International SOS Pte Ltd

mail: [EMAIL PROTECTED]

phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Saturday, August 05, 2006 5:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Enterprise Terminal Server Licensing Server question

Hi,

This is not causing any issues that I am aware of, but something does
not seem right. We set up two Enterprise Terminal Server Licensing
Servers, both DCs. They are both identified in
CN=TS-Enterprise-License-Server,CN=site-name,CN=Sites,CN=Configuration,DC=something,DC=com
under the attribute siteServer. When I run the GUI LSVIEW.EXE from the
W2K3 ResKit, nothing populates but the spotlight icon shows green (ie,
everything is hunky-dory). Some more research shows that the AD group
Terminal Server License Servers has *no* members! Would it make sense
to populate this group with the appropriate servers? Any idea why it
wouldn't have been populated in the first place?

TIA,

Mike Thommes

[ActiveDir] OT: Enterprise Terminal Server Licensing Server question

2006-08-04 Thread Thommes, Michael M.
Title: OT: Enterprise Terminal Server Licensing Server question

Hi,

This is not causing any issues that I am aware of, but something does not seem right. We set up two Enterprise Terminal Server Licensing Servers, both DCs. They are both identified in CN=TS-Enterprise-License-Server,CN=site-name,CN=Sites,CN=Configuration,DC=something,DC=com under the attribute siteServer. When I run the GUI LSVIEW.EXE from the W2K3 ResKit, nothing populates but the spotlight icon shows green (ie, everything is hunky-dory). Some more research shows that the AD group Terminal Server License Servers has *no* members! Would it make sense to populate this group with the appropriate servers? Any idea why it wouldn't have been populated in the first place?

TIA,

Mike Thommes

RE: [ActiveDir] root admin account able to be locked out?

2006-07-22 Thread Thommes, Michael M.
Title: root admin account able to be locked out?

Jorge (and joe),

Thanks for your reply on this issue!

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, July 18, 2006 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] root admin account able to be locked out?

My experience with this is

the default ADMINISTRATOR can be locked out (wait before shouting!)

what I mean is that if you have a lockout threshold of let's say 5, the
lockoutTime attribute will show the lockout date and time the account
was locked. In ADUC (using another custom admin account for example)
you will see the default ADMINISTRATOR is locked; you will even see an
event ID 644 mentioning the account lockout

HOWEVER here it comes...

while the default ADMINISTRATOR is locked, it will be unlocked
automatically by the SYSTEM (DC) AS SOON AS the correct password is
used (even before it is unlocked after the unlock period)

jorge

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Tue 2006-07-18 20:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] root admin account able to be locked out?

Hi AD Gurus!

We have penetration testing going on and I saw a security event log
entry that showed our root admin account getting locked out. I was
surprised because I thought this account could never get locked out. In
addition, we had a scheduled job that runs under the credentials of this
root account that ran successfully a couple of minutes *after* the
supposed account was locked. (We have the standard 30 minute lockout
time.) I think the reason that this happened was that the penetration
testing really didn't lock out the root account but did lockout the
local SID 500 account that exists on all servers (including domain
controllers). This is my belief. My officemate says there is no such
account on a DC and that the root account could have been locked out for
a short period of time but then made active again when AD saw what the
account was or that the security log entry is just bogus. Can someone
offer a little insight into this (nope, no dinners or cash riding on
this debate!). Thanks much!

Mike Thommes
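Added example, not part of the thread above: a PowerShell check a practitioner can run to answer this kind of question from the directory itself rather than from a single event log entry. It finds the domain's built-in Administrator by its well-known RID (500), so a renamed account is still found, and asks every DC for its own copy of the lockout attributes: badPwdCount and badPasswordTime are kept per DC and never replicated, so only the DC that saw the bad passwords has them, while lockoutTime is replicated once a DC locks the account. It assumes the ActiveDirectory PowerShell module (RSAT) on Windows Server 2008 R2 or later and a caller allowed to read those attributes; neither existed for the 2006 thread. Event ID 644 is the Windows 2000/2003 "User Account Locked Out" event; on Windows Server 2008 and later the same event is 4740, so the helper below asks for both.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT)
# and a caller allowed to read lockoutTime, badPwdCount and badPasswordTime.
Import-Module ActiveDirectory

function Get-BuiltinAdminLockoutState {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom = Get-ADDomain -Identity $Domain
    # The built-in Administrator is <domain SID>-500 whatever it has been renamed to.
    $adminSid = "$($dom.DomainSID.Value)-500"

    # Ask every DC for its own copy: badPwdCount/badPasswordTime are per-DC and
    # not replicated; lockoutTime is replicated once a DC locks the account.
    foreach ($dc in (Get-ADDomainController -Filter * -Server $Domain)) {
        $u = Get-ADUser -Identity $adminSid -Server $dc.HostName `
                        -Properties lockoutTime, badPwdCount, badPasswordTime
        $lockedAt  = if ($u.lockoutTime -gt 0)     { [DateTime]::FromFileTimeUtc($u.lockoutTime) }     else { $null }
        $lastBadAt = if ($u.badPasswordTime -gt 0) { [DateTime]::FromFileTimeUtc($u.badPasswordTime) } else { $null }
        [pscustomobject]@{
            DC             = $dc.HostName
            SamAccountName = $u.SamAccountName
            LockedOut      = [bool]($u.lockoutTime -gt 0)   # 0 or absent = not locked on this DC
            LockoutTimeUtc = $lockedAt
            BadPwdCount    = $u.badPwdCount
            LastBadPwdUtc  = $lastBadAt
        }
    }
}

function Get-LockoutEvents {
    # A lockout is logged on the DC that locked the account and forwarded to the
    # PDC emulator, so the PDCe is the one place that sees all of them.
    param([string]$DC = (Get-ADDomain).PDCEmulator, [int]$Hours = 24)
    # 644 = "User Account Locked Out" on Windows 2000/2003; 4740 = the same
    # event on Windows Server 2008 and later.
    Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 644, 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } | Select-Object TimeCreated, Id, MachineName,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Usage: every DC's view of the RID-500 account, then who recorded a lockout.
Get-BuiltinAdminLockoutState | Format-Table -AutoSize
Get-LockoutEvents | Format-Table -AutoSize
```

A DC whose row shows BadPwdCount above the threshold but LockedOut false, with a 644/4740 a few minutes earlier on the PDCe, is the pattern the thread describes: the lockout was recorded and then cleared.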

[ActiveDir] OT: Microsoft Acquires Winternals Software

2006-07-21 Thread Thommes, Michael M.
Title: OT: Microsoft Acquires Winternals Software

You may find this of interest (from today's WServerNews):

Mike Thommes

=

Microsoft Acquires Winternals Software

Mark Russinovich and Bryce Cogswell have been snagged up by Redmond. And they deserve to be, as they have been making significant and very useful contributions to the Windows Market. Congrats from all of us at Sunbelt Software. Current Winternals products will be withdrawn from the market as they're integrated into existing or new Microsoft product offerings. The Sysinternals community site and tools will likely continue to be available, but that is not completely sure, so grab those tools while you can. Mark will become one of only 14 Microsoft Technical Fellows, taking his place alongside legends like Windows NT guru Dave Cutler and Jim Gray. Mark and Bryce are looking forward to making Windows an even better platform for all of us, and I'm sure they will. Official Press Release at:
http://www.wservernews.com/30R633/060724-Winternals

[ActiveDir] root admin account able to be locked out?

2006-07-18 Thread Thommes, Michael M.
Title: root admin account able to be locked out?

Hi AD Gurus!

We have penetration testing going on and I saw a security event log entry that showed our root admin account getting locked out. I was surprised because I thought this account could never get locked out. In addition, we had a scheduled job that runs under the credentials of this root account that ran successfully a couple of minutes *after* the supposed account was locked. (We have the standard 30 minute lockout time.) I think the reason that this happened was that the penetration testing really didn't lock out the root account but did lockout the local SID 500 account that exists on all servers (including domain controllers). This is my belief. My officemate says there is no such account on a DC and that the root account could have been locked out for a short period of time but then made active again when AD saw what the account was or that the security log entry is just bogus. Can someone offer a little insight into this (nope, no dinners or cash riding on this debate!). Thanks much!

Mike Thommes

RE: [ActiveDir] Account Password Expiration Tool

2006-07-11 Thread Thommes, Michael M.
joe's tools again  ( 8-) ):

adfind -b ou=Employees,dc=xyz,dc=com -bit -f
"(&(objectcategory=person)(useraccountcontrol:AND:=65536))"
samaccountname > c:\temp\pw_never_expires.txt

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Tuesday, July 11, 2006 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account Password Expiration Tool

Do you know of any tools out there that would check for and list AD
accounts whose Password Never Expires is checked and/or how old is a
user's password; e.g. it would generate a report listing all accounts
with password older than 90 days?

The closest thing I can find is JoeWare's (bowing my head!) FindExpAcc
tool with -pwd switch, but it only lists accounts with expired
passwords.

TIA
 
Alex Alborzfard
Systems Administrator
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

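Added example, not part of the thread above: the adfind one-liner answers the first half of Alex's question (the DONT_EXPIRE_PASSWORD bit, 0x10000 = 65536), but not the second half, password age. The PowerShell below does both in one pass, using the ActiveDirectory module (RSAT), which post-dates the thread and is assumed here. The OU and the 90-day threshold are the values from the thread; the LDAP matching-rule OID 1.2.840.113556.1.4.803 is the bitwise AND that adfind's -bit ":AND:" shorthand expands to. Disabled accounts are excluded by default (bit 0x2) because they are noise in this kind of report; pass -IncludeDisabled to keep them. A pwdLastSet of 0 means "must change password at next logon" and has no age to compute, so it is reported separately rather than treated as very old.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT);
# OU and threshold are the thread's values.
Import-Module ActiveDirectory

function Get-PasswordAgeReport {
    param(
        [string]$SearchBase = 'OU=Employees,DC=xyz,DC=com',
        [int]$MaxAgeDays = 90,
        [switch]$IncludeDisabled
    )
    # userAccountControl bits: 0x2 = ACCOUNTDISABLE, 0x10000 = DONT_EXPIRE_PASSWORD.
    # 1.2.840.113556.1.4.803 = LDAP_MATCHING_RULE_BIT_AND (adfind's ":AND:").
    $filter = '(&(objectCategory=person)(objectClass=user))'
    if (-not $IncludeDisabled) {
        $filter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    }
    $nowUtc = (Get-Date).ToUniversalTime()

    Get-ADUser -SearchBase $SearchBase -LDAPFilter $filter -Properties pwdLastSet, userAccountControl |
        ForEach-Object {
            $neverExpires = ($_.userAccountControl -band 0x10000) -ne 0
            # pwdLastSet is a FILETIME; 0 = "user must change password at next logon".
            $ageDays = $null
            if ($_.pwdLastSet -gt 0) {
                $set = [DateTime]::FromFileTimeUtc($_.pwdLastSet)
                $ageDays = [int][Math]::Floor(($nowUtc - $set).TotalDays)
            }
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                PasswordNeverExpires = $neverExpires
                PasswordAgeDays      = $ageDays
                OlderThanMax         = ($null -ne $ageDays -and $ageDays -gt $MaxAgeDays)
                MustChangeAtLogon    = ($_.pwdLastSet -eq 0)
            }
        } |
        Where-Object { $_.PasswordNeverExpires -or $_.OlderThanMax }
}

# Usage: the same accounts the thread's adfind query lists, plus the age column.
Get-PasswordAgeReport |
    Sort-Object PasswordAgeDays -Descending |
    Export-Csv -NoTypeInformation -Path C:\temp\pw_report.csv
```

Accounts with PasswordNeverExpires set and a large PasswordAgeDays are the ones to chase first: the domain password policy never touches them, so the age is whatever it has been since someone last set it by hand.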


[ActiveDir] importance of gc._msdcs.mycompany.com A records?

2006-06-29 Thread Thommes, Michael M.
Title: importance of gc._msdcs.mycompany.com A records?

What is the importance of the gc._msdcs.mycompany.com A records?

Environment:

1) Split DNS: Unix BIND and AD-integrated DNS

2) DCs use:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]

RegisterDnsARecords=dword:

to avoid registering the A domain record on our Unix DNS server, which will not accept them. This record is put in manually. This registry entry also prevents these failures to register from being written into the system event log.

3) Today my DNS admin noticed that the gc._msdcs.mycompany.com zone was not populated correctly, with hardly any of the current GCs listed. Some of the IPs that were listed haven't been used for years. The GC A record for our current GCs obviously is not written because of #2.

4) If I check for enterprise GCs using a tool like replmon, all of the GCs show up.

5) There are no AD issues that we are aware of.

So the question is: what are these A records used for, if anything. It would appear in our scenario this zone is unused.

Any thoughts/comments are appreciated!

TIA!

Mike Thommes
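Added example, not part of the thread above: a PowerShell check that puts numbers behind point 3. The DC locator finds a GC through the SRV records (_ldap._tcp.gc._msdcs.<forest> and the site-specific names under _sites), which is why replmon still sees every GC; the bare gc._msdcs.<forest> A records are a separate, generic "any GC" name. The script takes the forest's GC list from the configuration partition (what replmon and nltest report) and compares its resolved addresses with the A records published under gc._msdcs.<forest>, flagging stale addresses with no current GC behind them and current GCs that are not published. It assumes the ActiveDirectory module (RSAT) and that the host's resolver points at the DNS serving the _msdcs zone; the forest name defaults to the one the caller belongs to.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT)
# and a resolver that serves the _msdcs zone.
Import-Module ActiveDirectory

function Compare-GcDnsRecords {
    param([string]$Forest = (Get-ADForest).RootDomain)

    # GCs according to the directory (configuration partition), not DNS.
    $expected = @{}    # IPv4 -> GC host name
    foreach ($h in (Get-ADForest -Identity $Forest).GlobalCatalogs) {
        foreach ($ip in [System.Net.Dns]::GetHostAddresses($h) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' }) {
            $expected[$ip.IPAddressToString] = $h
        }
    }

    # A records actually published under gc._msdcs.<forest>.
    $published = @{}
    try {
        foreach ($ip in [System.Net.Dns]::GetHostAddresses("gc._msdcs.$Forest") |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' }) {
            $published[$ip.IPAddressToString] = $true
        }
    } catch [System.Net.Sockets.SocketException] {
        # name does not resolve at all: every GC will be reported as unpublished
    }

    foreach ($ip in (@($expected.Keys) + @($published.Keys) | Sort-Object -Unique)) {
        $inDir = $expected.ContainsKey($ip)
        $inDns = $published.ContainsKey($ip)
        [pscustomobject]@{
            IPAddress   = $ip
            GCHost      = $expected[$ip]      # empty = no current GC has this address
            InDirectory = $inDir
            InDns       = $inDns
            Status      = if ($inDir -and $inDns) { 'ok' }
                          elseif ($inDns)        { 'stale A record' }
                          else                   { 'GC not published' }
        }
    }
}

# Usage. The locator's own path is the SRV record set; check it separately with
#   nltest /dsgetdc:<forest> /GC
Compare-GcDnsRecords | Format-Table -AutoSize
```

With RegisterDnsARecords set to 0 as in point 2, every current GC will show as "GC not published"; the rows that matter are the "stale A record" ones, which are addresses a client could be handed for a GC that no longer exists.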

RE: [ActiveDir] Ammunition, please!

2006-06-28 Thread Thommes, Michael M.
Hi Larry,
 You might want to check this reference which was posted to this
group a few days ago:
http://iase.disa.mil/stigs/checklist/AD_Checklist_V1R11_20060607.pdf

It discusses physical security and not running other services on DCs,
among other things.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Wednesday, June 28, 2006 10:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ammunition, please!

On a lesser note, is there any problem with having a DC also be their
file server and print server? Again, we're only talking 20 people here.
Assuming I can at least get the server rack locked, and I put the file
shares on a separate partition (i.e., not on the C drive, of course).

This is all good. I think I have enough ammunition to, at least, cover
myself if management decides to go ahead and put a DC in that location.
The reason is, of course, this group of 20 folks have no money, so we'll
have to buy them a server out of our own budget, because they are one of
our supported clients and we have no choice. In my opinion, however, we
*do* have a choice as to whether we allow a DC to be in a physically
non-secure location.

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876



RE: [ActiveDir] [OT] DC Configuration

2006-06-22 Thread Thommes, Michael M.
I know, I know...how about the AD Party?  We're ethical, right?  joe's
probably the most ethical guy around.  And he gives stuff away for free.
When was the last time you saw a politician do that?  I nominate him for
President!  ;-)

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 22, 2006 8:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] DC Configuration

A party? Where? They got beer?


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Thursday, June 22, 2006 8:31 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Configuration

...whichever party that may be.

On 6/22/06, Gil Kirkpatrick [EMAIL PROTECTED] wrote:

 Ethics? Thats the stuff the guys in the other party don't have.
 

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 joe
 Sent: Thursday, June 22, 2006 3:52 PM

 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] DC Configuration


 Exactly...

 Congress: Ethics? What's that?


 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm


 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Darren Mar-Elia
 Sent: Thursday, June 22, 2006 6:25 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] DC Configuration


 Yea, it seemed an awful basic question for you joe. And, of course I
 fell for it. Agreed though that software RAID is like Congress creating
 its own ethics rules--just a bad idea all around.
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 joe
 Sent: Thursday, June 22, 2006 3:16 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] DC Configuration


 ROFL!

 That was more of a case of purposely refusing to acknowledge software
 RAID versus truly understanding what it is. I have had far more than my
 share of times trying to rebuild software raid configs.

 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm


 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Darren Mar-Elia
 Sent: Thursday, June 22, 2006 6:14 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] DC Configuration


 Software RAID is where the OS (in this case) handles the striping of
 the data rather than the hardware (usually the controller).


 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 joe
 Sent: Thursday, June 22, 2006 3:05 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] DC Configuration


 o Software RAID? What's that?

 o Yeah I am not a fan of mirrors. I like lots of spindles. But then I
 tend to work with big busy directories with Exchange beating on it.
 Being 64 bit you don't have to worry _as much_ assuming you have enough
 RAM to cache your entire DIT but you still have to load that baby in
 the first place so I would still recommend RAID 0+1, 10, or 5 or if you
 don't care about fault tolerance the fastest is RAID-0.

 o I would say if you are going 64 bit, make sure you make it a priority
 to get enough RAM to hold your entire DIT. That is the cool thing about
 getting 64 bit.



 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm


 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Al
 Mulnick
 Sent: Thursday, June 22, 2006 5:12 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] DC Configuration


 There would be a little more to gain than that but often that's the
 reason. joe might point out that a two mirror configuration is not his
 optimal configuration. I'm pretty sure he'd also point out that
 compared with software raid, that he'd take that option. :)

 I can honestly say I'd agree with him on this one. Software mirroring
 for this type of application is never a good idea.  The slower spindle
 speeds likely won't be enough of an issue to matter in your
 configuration. Unless you have a very large DIT (queue jokes here) or
 applications that pound the snot out of the individual servers spindle
 speed won't be nearly as important. Since it's 64 bit you're after,
 spend some money on the memory and take advantage of the cache as much
 as you can.

 Al


 On 6/22/06, Noah Eiger [EMAIL PROTECTED] wrote:
  What would the partitions on the first configuration gain you (over
  just a single C:)? I thought the idea behind placing NTDS, etc on
  something _besides_ C: was to get the performance benefits of extra
  spindles

[ActiveDir] can I exclude a particular user account from authenticated users?

2006-06-19 Thread Thommes, Michael M.
Title: can I exclude a particular user account from authenticated users?

This may sound like an off the wall question, but I would like to exclude a particular user account from the built-in security principal Authenticated Users. Is there any way to do this?

TIA!

Mike Thommes

RE: [ActiveDir] OT: srvinfo output incomplete -- solution!

2006-06-02 Thread Thommes, Michael M.
The solution to this problem is that the Local Service account must
have read access to the following registry key:

HKLM\System\Currentcontrolset\control\securepipeservers\winreg

There are snippets here and there on Google implicating this issue can
happen when an upgrade is done to a W2K/SP4 computer to XP or Server
2003.  It supposedly does not happen to a pre-SP4 W2K upgrade to XP or
Server 2003.

If this fix doesn't work, check MS KB313222 on how to reset security
settings back to the default.

HTH,
Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, June 01, 2006 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: srvinfo output incomplete

It's been a while but last time I checked srvinfo was predominately
registry calls so I'd look at Remote Registry Service, policy settings
like Network Access: Remotely accessible Registry paths, stuff like
that. 

\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
might be enlightening...

Regmon on the remote machine should be helpful...


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, June 01, 2006 8:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: srvinfo output incomplete

Situation: running srvinfo \\computer_name
with domain admin credentials from a remote computer.  One w2k3/sp1
server target returns the full complement of information, including CPU,
BIOS info, hotfixes, network card info, uptime.  Another w2k3sp1 server
target returns only partial information, missing CPU, BIOS info,
hotfixes, network card info, and uptime.  Also, this second computer
also returns Domain: Error 5 and PDC: Error 5.  This same domain
admin can log into the second computer target directly and run srvinfo
and get a full complement of information!  Both target computers are in
AD and have the same policies applied to them.  Security options appear
to be the same.

Does anyone have any thoughts as to what might be preventing a complete
information disclosure when running srvinfo from across the network?
TIA!

Mike Thommes

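Added example, not part of the thread above: a PowerShell check for the condition Mike's solution describes. srvinfo's "Error 5" is ERROR_ACCESS_DENIED, and the two things that gate remote registry reads are the ACL on the winreg key (which the Remote Registry service, running as Local Service, must itself be able to read) and the "Network access: Remotely accessible registry paths" list stored under winreg\AllowedPaths. The function opens HKLM on the target through the same remote registry path srvinfo uses, dumps the winreg ACL with each principal's rights, reports whether LOCAL SERVICE (S-1-5-19) has at least ReadKey, and returns the AllowedPaths\Machine list. It assumes the Remote Registry service is running on the target and that the caller can read permissions on the key; if OpenRemoteBaseKey itself throws, that is the same access failure srvinfo is hitting.

```powershell
# Added example (not from the thread). Needs the Remote Registry service on the
# target and a caller allowed to read permissions on the winreg key.
function Get-WinregAccess {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $keyPath = 'SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    # S-1-5-19 is NT AUTHORITY\LOCAL SERVICE, the account Remote Registry runs as.
    $localService = (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-19').
                        Translate([System.Security.Principal.NTAccount])

    # Same path srvinfo takes: the remote registry over the winreg named pipe.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key = $hklm.OpenSubKey($keyPath,
                   [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
                   [System.Security.AccessControl.RegistryRights]::ReadPermissions)
        if (-not $key) { throw "winreg key missing or not readable on $ComputerName" }

        $rules = $key.GetAccessControl().GetAccessRules(
                     $true, $true, [System.Security.Principal.NTAccount])

        $lsCanRead = [bool]($rules | Where-Object {
            $_.IdentityReference -eq $localService -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.RegistryRights -band $readKey) -eq $readKey)
        })

        # The policy "Network access: Remotely accessible registry paths" lives here.
        $allowed = $null
        $ap = $hklm.OpenSubKey("$keyPath\AllowedPaths")
        if ($ap) { $allowed = $ap.GetValue('Machine') }

        [pscustomobject]@{
            Computer            = $ComputerName
            LocalServiceCanRead = $lsCanRead
            AccessRules         = @($rules | ForEach-Object {
                                      '{0}: {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.RegistryRights })
            AllowedPaths        = @($allowed)
        }
    } finally {
        $hklm.Close()
    }
}

# Usage: run against the box that returns "Error 5" and the one that does not,
# and diff the two results.
Get-WinregAccess -ComputerName 'server-that-fails' | Format-List
```

A result with LocalServiceCanRead false matches the condition in the solution above; if the ACL looks identical on both servers, the AllowedPaths list is the next thing to compare, since srvinfo reads well outside the paths granted by default.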


RE: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

2006-06-02 Thread Thommes, Michael M.

This is the same issue I posted to this group on 5/25/06. We never did
figure out the cause. The local admins were rebuilding the workstation in
question yesterday since that seemed to be the most expedient thing to
do. I will be interested in future postings to this thread.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 02, 2006 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

Hopefully the attachment comes through. The interesting part, and where
most of the time delay is seen is here:

USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

I think a different thread mentioned that DNS was about 90% of the
cause of this type of behavior. It's not the only one however.

What keeps rebooting? The DC? Or the workstations? If the workstations,
not only ethereal but Darren's suggestion of logging is a good idea.

On 6/2/06, Za Vue [EMAIL PROTECTED] wrote:

Finally..someone is also experiencing this problem. My DCs are Windows
2003 SP1 also. It seems to hang every 3-4 reboots. My first thought was
DNS DNS.. but NetDiag, Repl, DCDiag, Nslookup all show no error. Nothing
is reported in logs. It is not firewall. I have played with NetBIOS,
changing Provider Order in Network Neighborhood-Advanced Settings..nada.

This week has been quiet. If someone calls again I have ethereal setup
and ready to capture. The thing about my environment is I do not manage
the switches or router. I don't know if someone is messing with
something.

-Z.V.

Clay, Justin (ITS) wrote:

Hello,

Last night we upgraded our 3 Win2K3 domain controllers to SP1. This
morning, we're getting tons and tons of calls from users who report that
their computer sits at Applying computer settings for a good 10
minutes, then another 10 or so minutes at Applying your personalized
settings

After the upgrade we did start seeing DCOM errors in the System event
log, which I've found many people online have experienced. I fixed it
(or at least the DCOM errors went away) by granting Network Service the
following rights:

Local Launch
Remote Launch
Local Activation
Remote Activation

In the Launch and Activation Permissions dialog on the Security tab of
the netman component. However, even after the DCOM errors have gone
away, we continue to see the same results on the clients.

Any ideas? I'm considering calling Premier Support, but I figured you
guys would be better help than them.

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573

ITS ENTERPRISE SERVICES EMAIL NOTICE

The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection. If
you are not the intended recipient, you are not authorized to use or disclose
this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
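Added example, not part of the thread above: the checks a practitioner would run on one of these workstations before rebuilding it, as PowerShell rather than the mix of netdiag, nltest and log reading the thread uses. The USERENV trace above fails in GetUserNameEx with 1753 (EPT_S_NOT_REGISTERED, "there are no more endpoints available from the endpoint mapper"), an RPC-level failure, and the related "stuck processing policy" thread on this page shows the same call failing with 1359 (ERROR_INTERNAL_ERROR). The function below tests the three things those point at in order: the DC locator's SRV lookup, the RPC endpoint mapper on the first DC returned, and the machine account's secure channel, then pulls the last day of Netlogon, Group Policy, DCOM and LSA errors from the System log. It assumes an elevated PowerShell 4 or later session on the affected client (Resolve-DnsName, Test-NetConnection and Test-ComputerSecureChannel post-date the thread) and takes the domain from the environment.

```powershell
# Added example (not from the thread). Run elevated on the affected workstation;
# needs PowerShell 4+ for Resolve-DnsName / Test-NetConnection.
function Test-GpClientHealth {
    param([string]$Domain = $env:USERDNSDOMAIN)

    # 1. The SRV lookup the DC locator performs; if this fails nothing else matters.
    $dcs = @()
    try {
        $dcs = @(Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" -ErrorAction Stop |
                 Where-Object { $_.QueryType -eq 'SRV' } |
                 Select-Object -ExpandProperty NameTarget)
    } catch { }

    # 2. RPC endpoint mapper on a DC. 1753 in the USERENV log means the client
    #    could not get an endpoint from it.
    $epmOk = $false
    if ($dcs.Count -gt 0) {
        $epmOk = (Test-NetConnection -ComputerName $dcs[0] -Port 135 `
                     -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # 3. Machine account secure channel; a lost trust relationship fails here.
    $secureChannelOk = $false
    try { $secureChannelOk = Test-ComputerSecureChannel -ErrorAction Stop } catch { }

    # 4. The authentication-related errors the thread suggests looking for.
    $providers = 'NETLOGON', 'Microsoft-Windows-GroupPolicy',
                 'Microsoft-Windows-DistributedCOM', 'LsaSrv'
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
                  LogName = 'System'; Level = 2; StartTime = (Get-Date).AddDays(-1)
              } |
              Where-Object { $_.ProviderName -in $providers } |
              Select-Object TimeCreated, ProviderName, Id

    [pscustomobject]@{
        Domain                  = $Domain
        DcSrvRecordsFound       = ($dcs.Count -gt 0)
        FirstDc                 = if ($dcs.Count -gt 0) { $dcs[0] } else { $null }
        EndpointMapperReachable = $epmOk
        SecureChannelOk         = $secureChannelOk
        RecentErrors            = @($events)
    }
}

# Usage: one object per run; a false in any of the three booleans is the place to start.
Test-GpClientHealth | Format-List
```

If SecureChannelOk is the only failure, Test-ComputerSecureChannel -Repair -Credential (Get-Credential) resets the machine account password against a DC and is the scripted equivalent of the remove-and-rejoin the thread ends up doing.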


[ActiveDir] OT: srvinfo output incomplete

2006-06-01 Thread Thommes, Michael M.
Title: OT: srvinfo output incomplete

Situation: running srvinfo \\computer_name with domain admin credentials from a remote computer. One w2k3/sp1 server target returns the full complement of information, including CPU, BIOS info, hotfixes, network card info, uptime. Another w2k3sp1 server target returns only partial information, missing CPU, BIOS info, hotfixes, network card info, and uptime. Also, this second computer also returns Domain: Error 5 and PDC: Error 5. This same domain admin can log into the second computer target directly and run srvinfo and get a full complement of information! Both target computers are in AD and have the same policies applied to them. Security options appear to be the same.

Does anyone have any thoughts as to what might be preventing a complete information disclosure when running srvinfo from across the network? TIA!

Mike Thommes

RE: [ActiveDir] MSC pointing at untrusted domain?

2006-05-31 Thread Thommes, Michael M.
How about:

Runas /netonly /user:target_computer\username eventvwr.exe
/auxsource=target_computer

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, May 31, 2006 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MSC pointing at untrusted domain?

Dear collective,

I was wondering if there was a way to have a .MSC file (eg to show the
event log) of a computer in another domain, which has no trust set up
with the one I'm using.

Unfortunately, setting up a trust is not an option - as the other
domain is sitting on an SBS box.

I had hoped I could create a .msc pointing at the SBS domain/server
and get prompted for credentials, but it just goes straight to an
access denied error.

Any ideas?

TIA,

-- 
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


RE: [ActiveDir] MSC pointing at untrusted domain?

2006-05-31 Thread Thommes, Michael M.
Sorry for the last incorrect answer.  Try this:

runas /netonly /user:domain_or_target_computer\username mmc.exe
eventvwr.msc /computer=target_computer

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, May 31, 2006 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MSC pointing at untrusted domain?

Dear collective,

I was wondering if there was a way to have a .MSC file (eg to show the
event log) of a computer in another domain, which has no trust set up
with the one I'm using.

Unfortunately, setting up a trust is not an option - as the other
domain is sitting on an SBS box.

I had hoped I could create a .msc pointing at the SBS domain/server
and get prompted for credentials, but it just goes straight to an
access denied error.

Any ideas?

TIA,

-- 
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


RE: [ActiveDir] OT: stuck processing policy

2006-05-26 Thread Thommes, Michael M.
Title: OT: stuck processing policy








Hi Shariff (and Darren too!),

 Yeah,
I saw some entries in WINS that I didnt like. I believe it is some
issue where the computer is not fully into the domain. Although others
can use this particular computer with no issues whatsoever, next week I am
going to work with the local admins to take it out of the domain and then put
it back in, maybe even with a brand new IP. Thanks for the responses!



Mike Thommes

 











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Navroz Shariff
Sent: Friday, May 26, 2006 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: stuck
processing policy





Mike,



Make sure you flush the local DNS cached
entries as well if you think it's a client-side DNS issue. I had encountered a
similar issue awhile back and I re-joined the box back to the domain after
noting authentication errors in the event log. Darren gives many possible
solutions and I would agree with him that it's probably that the client has
lost its trust relationship with the domain. To be sure, see the eventlog, more
specifically, the entries that deal with authentication.



-Shariff





























From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, May 25, 2006 5:38
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: stuck
processing policy

Ok. The purpose of MyGetUserName (and
GetUserNameEx) is so that GP can impersonate the user for the purposes of
applying user policy. GetUserNameEx returns the user name of the current
thread. MyGetUserName basically calls GetUserNameEx and asks for the Fully
Qualified DN of the current user. So, the fact that that is failing with an
internal error (1359) could mean almost anything. It could mean
that the user's FQDN is not available (not sure if its actually querying AD at
that point or just querying the token) or it could mean that, if it is querying
AD, that there isn't a good line to AD. Maybe the machine account has lost its
secure channel to the domain, or maybe the user logged in using cached creds or
something? I'm sorry I'm not more help here. I've seen this error a lot but
have never been able to track it down to a specific thing. I would make sure
DNS is configured correctly on the client, check the system event log on the
client to ensure there are no errors related to authentication, etc.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, May 25, 2006 2:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: stuck processing policy

Hi Darren!

Here you go. Thanks!

Mike Thommes

==

USERENV(2bc.774) 11:20:27:665 ProcessGPOs:
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: Entering with timeout 60 and flags 0x0
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: User critical section has been claimed. Handle = 0x618
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: Leaving successfully.
USERENV(2bc.774) 11:20:27:665 ProcessGPOs: Machine role is 2.
USERENV(2bc.774) 11:20:27:681 PingComputer: Adapter speed 1 bps
USERENV(2bc.774) 11:20:27:681 PingComputer: First time: 0
USERENV(2bc.774) 11:20:27:681 PingComputer: Fast link. Exiting.
USERENV(2bc.774) 11:23:28:482 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:23:28:482 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:26:29:749 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:26:29:749 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:29:31:015 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:29:31:015 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:32:32:271 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:32:32:271 ProcessGPOs: MyGetUserName failed with 1359.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: Processing failed with error 1359.
USERENV(2bc.774) 11:32:32:286 LeaveCriticalPolicySection: Critical section 0x618 has been released.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: User Group Policy has been applied.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: Leaving with 0.
USERENV(2bc.774) 11:32:32:286 ApplyGroupPolicy: Leaving successfully.
USERENV(2bc.548) 11:32:32:286 GPOThread: Next refresh will happen in 104 minutes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, May 25, 2006 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: stuck processing policy

Hi Mike. Can you post the lines of userenv right around that GetUserNameEx
error?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent

RE: [ActiveDir] OT: stuck processing policy

2006-05-26 Thread Thommes, Michael M.

Hi Al,

Yeah, I'm with you on this. I checked this workstation's settings yesterday
and its network performance and so far everything checks out. One curious
point: I can't get to the computer remotely, like to view the event logs. The
computer name had been changed a few times, but I think at this point,
everything is in synch (computer name, domain suffix, DNS, etc). The big
problem that I see with this whole current track is that the workstation works
fine for other users. All of the network parameters etc apply to ALL
users. This particular user/computer had this issue several months ago.
The local admins gave up trying to solve the issue and just rebuilt the
OS. And the problem went away. Now it's popped up again.
It may have to do with software that was installed... still to be determined.
Thanks.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, May 26, 2006 8:51 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: stuck processing policy

You might also want to check the network connection parameters. Make
sure it's connected and configured properly... without errors. Everything
described to this point could easily be related to network issues (especially
at the NIC/Router) as well.

Al

On 5/26/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:

Hi Shariff (and Darren too!),

Yeah, I saw some entries in WINS that I didn't like. I believe it is some
issue where the computer is not fully into the domain. Although others can
use this particular computer with no issues whatsoever, next week I am going
to work with the local admins to take it out of the domain and then put it
back in, maybe even with a brand new IP. Thanks for the responses!

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Navroz Shariff
Sent: Friday, May 26, 2006 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: stuck processing policy

Mike,

Make sure you flush the local DNS cached entries as well if
you think it's a client-side DNS issue. I had encountered a similar issue
awhile back and I re-joined the box back to the domain after noting
authentication errors in the event log. Darren gives many possible solutions
and I would agree with him that it's probably that the client has lost its
trust relationship with the domain. To be sure, see the eventlog, more
specifically, the entries that deal with authentication.

-Shariff

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Thursday, May 25, 2006 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: stuck processing policy

Ok. The purpose of MyGetUserName (and GetUserNameEx) is so
that GP can impersonate the user for the purposes of applying user policy.
GetUserNameEx returns the user name of the current thread. MyGetUserName
basically calls GetUserNameEx and asks for the Fully Qualified DN of the
current user. So, the fact that that is failing with an internal
error (1359) could mean almost anything. It could mean that the user's
FQDN is not available (not sure if its actually querying AD at that point or
just querying the token) or it could mean that, if it is querying AD, that
there isn't a good line to AD. Maybe the machine account has lost its secure
channel to the domain, or maybe the user logged in using cached creds or
something? I'm sorry I'm not more help here. I've seen this error a lot but
have never been able to track it down to a specific thing. I would make sure
DNS is configured correctly on the client, check the system event log on the
client to ensure there are no errors related to authentication, etc.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Thursday, May 25, 2006 2:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: stuck processing policy

Hi Darren!

Here you go. Thanks!

Mike Thommes

==

USERENV(2bc.774) 11:20:27:665 ProcessGPOs:
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: Entering with timeout 60 and flags 0x0
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: User critical section has been claimed. Handle = 0x618
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: Leaving successfully.
USERENV(2bc.774) 11:20:27:665 ProcessGPOs: Machine role is 2.
USERENV(2bc.774) 11:20:27:681 PingComputer: Adapter speed 1 bps
USERENV(2bc.774) 11:20:27:681 PingComputer: First time: 0
USERENV(2bc.774) 11:20:27:681 PingComputer: Fast link. Exiting.
USERENV(2bc.774) 11:23:28:482 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:23:28:482 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:26:29:749 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11

RE: [ActiveDir] AD DNS along with Bind

2006-05-25 Thread Thommes, Michael M.
(From my DNS admin)
If I did that, then I would have to open DNS conduits through our
firewalls for the DC, as anyone who was requesting information from any
AD zone would be querying the DNS Server on the DC.  We try to limit
contact to the DC from the Internet.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: [EMAIL PROTECTED]
Argonne, IL   60439-4828 IBMMAIL:  I1004994


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Wednesday, May 24, 2006 4:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind

Why configure the BIND servers as secondary to the zones delegated to
the Windows DNS servers?  Why not just let the Windows DNS servers
handle those queries?  By doing so you would remove the issue
surrounding the zone serial numbers while also providing redundancy for
Windows based zones and the dynamic updates they require.

Could just be a personal preference I suppose...

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Wednesday, May 24, 2006 12:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind

Hi Freddy,
(From my DNS Admin)

When any client (or server) machine wants to locate an SRV record, it
asks the BIND slave servers, as the Windows 2003 DNS Server is not in
any TCP/IP configuration as a DNS server to be queried.
In fact, we recently moved the DNS Service from one DC to another when
we upgraded the original DC to new hardware.  The only machines we had
to change were the BIND slave servers, which had the IP address of the
old master in the BIND configuration file.


The BIND servers are slaves for all of the AD zones, so those BIND
servers give answers to the queries.  We have three DCs for the forest,
and if the one on which the DNS Service is running is down, then the
only problems are

   1) the rare DDNS update from a DC, updating an SRV or CNAME
  record

   2) the more frequent DDNS updates for one forward subdomain zone
  and its five reverse zones, all under the control of a Windows
  DHCP server.

I do not know if the DHCP code retries its DDNS.  The DC on which DNS
runs is not down that often, and we have not received complaints when it
was down.

Interesting article mentioned below, does it apply to 2003 as well?

I assume you are referencing 282826 (previously known as Q282826).
It does apply to 2003.  When I first read it, I could not understand it.
I made a flowchart from the text, and after a MS employee explained it,
I understood it.  

Assume that there is an AD-integrated zone, xxx.example.com, and there
are two DCs running the DNS Service.  Assume that all of the
behind-the-scenes AD synchronization has taken place, and both DCs have
exactly the same zone information; the zone serial number is, say 100.
Some machine, pc1.xxx.example.com, sends a DDNS update to DC1.  After
the update is complete, the zone serial number on DC1 is now 101.
At the same time, another machine, pc2.xxx.example.com, sends a DDNS
update to DC2.  After that update is complete, the zone serial number on
DC2 is 101.  We now have two copies of the zone, each with serial number
101, and each has an update that the other does not have.
Which DC has the correct zone information?  Neither.  I have no idea how
long it takes the behind-the-scenes AD synchronization to occur.
When it has occurred, the resulting zone has both updates.  But what is
the serial number?  It can't be 101, as serial number 101 was associated
with a copy of the zone that did not have both of the updates.  Can it
be 102?  No, as there could have been another DDNS update to DC1 before
the synchronization occurred.  In this case,
DC1 would have serial number 102, and DC2 serial number 101.
I contend that there is no value that can be used as the serial number
for the combined-update zone.

What 282826 is saying is that the zone serial number is meaningless
unless that DNS Server is a master server feeding a BIND (or other
vendor) slave server.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: [EMAIL PROTECTED]
Argonne, IL   60439-4828 IBMMAIL:  I1004994


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Tuesday, May 23, 2006 8:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind

Hi Mike,

If you

[ActiveDir] OT: stuck processing policy

2006-05-25 Thread Thommes, Michael M.

I have a user on a computer that takes forever to log in. She can go to any
other computer and log in quickly. Anyone else can go to the computer in
question and log in quickly. It is only THIS user on THIS computer. We have
renamed her local profile to no avail. Looking at the userenv.log debugging
file, I see a big time gap marked by a "GetUserNameEx failed with 1359".
Googling didn't produce much. Does anyone (Darren?) have any thoughts on how
I can track this down? Thanks!

Mike Thommes

RE: [ActiveDir] OT: stuck processing policy

2006-05-25 Thread Thommes, Michael M.

Hi Darren!

Here you go. Thanks!

Mike Thommes

==

USERENV(2bc.774) 11:20:27:665 ProcessGPOs:
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: Entering with timeout 60 and flags 0x0
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: User critical section has been claimed. Handle = 0x618
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: Leaving successfully.
USERENV(2bc.774) 11:20:27:665 ProcessGPOs: Machine role is 2.
USERENV(2bc.774) 11:20:27:681 PingComputer: Adapter speed 1 bps
USERENV(2bc.774) 11:20:27:681 PingComputer: First time: 0
USERENV(2bc.774) 11:20:27:681 PingComputer: Fast link. Exiting.
USERENV(2bc.774) 11:23:28:482 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:23:28:482 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:26:29:749 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:26:29:749 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:29:31:015 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:29:31:015 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:32:32:271 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:32:32:271 ProcessGPOs: MyGetUserName failed with 1359.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: Processing failed with error 1359.
USERENV(2bc.774) 11:32:32:286 LeaveCriticalPolicySection: Critical section 0x618 has been released.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: User Group Policy has been applied.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: Leaving with 0.
USERENV(2bc.774) 11:32:32:286 ApplyGroupPolicy: Leaving successfully.
USERENV(2bc.548) 11:32:32:286 GPOThread: Next refresh will happen in 104 minutes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, May 25, 2006 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: stuck processing policy

Hi Mike. Can you post the lines of userenv right around that GetUserNameEx
error?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, May 25, 2006 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: stuck processing policy

I have a user on a computer that takes forever to log in. She can go to any
other computer and log in quickly. Anyone else can go to the computer in
question and log in quickly. It is only THIS user on THIS computer. We have
renamed her local profile to no avail. Looking at the userenv.log debugging
file, I see a big time gap marked by a "GetUserNameEx failed with 1359".
Googling didn't produce much. Does anyone (Darren?) have any thoughts on how
I can track this down? Thanks!

Mike Thommes
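
The userenv.log excerpt above shows the pattern to look for when a logon
"takes forever": a long silence on one thread, then a "failed with <code>"
line. What follows is an added example, not code from the thread: a small
parser that computes per-thread gaps and collects the failure codes from such
a log, run here over a constructed copy of the posted excerpt (re-joined one
entry per line, as the file is written on disk). The 60-second threshold and
the short Win32 error-name table are the example's own choices.

```python
import re

# Constructed sample: the userenv.log excerpt posted in the thread, one entry
# per line as the file is actually written (the mail client wrapped them).
SAMPLE_LOG = """\
USERENV(2bc.774) 11:20:27:665 ProcessGPOs:
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: Entering with timeout 60 and flags 0x0
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: User critical section has been claimed. Handle = 0x618
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: Leaving successfully.
USERENV(2bc.774) 11:20:27:665 ProcessGPOs: Machine role is 2.
USERENV(2bc.774) 11:20:27:681 PingComputer: Adapter speed 1 bps
USERENV(2bc.774) 11:20:27:681 PingComputer: First time: 0
USERENV(2bc.774) 11:20:27:681 PingComputer: Fast link. Exiting.
USERENV(2bc.774) 11:23:28:482 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:23:28:482 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:26:29:749 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:26:29:749 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:29:31:015 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:29:31:015 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:32:32:271 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:32:32:271 ProcessGPOs: MyGetUserName failed with 1359.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: Processing failed with error 1359.
USERENV(2bc.774) 11:32:32:286 LeaveCriticalPolicySection: Critical section 0x618 has been released.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: User Group Policy has been applied.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: Leaving with 0.
USERENV(2bc.774) 11:32:32:286 ApplyGroupPolicy: Leaving successfully.
USERENV(2bc.548) 11:32:32:286 GPOThread: Next refresh will happen in 104 minutes
"""

# USERENV(pid.tid) HH:MM:SS:mmm Function: message
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+"
    r"(?P<func>\w+):\s*(?P<msg>.*)$"
)
FAIL_RE = re.compile(r"failed with (?:error )?(\d+)")

# A few Win32 codes that turn up in userenv.log around logon (names from
# winerror.h); anything else is reported as "unknown".
WIN32_ERRORS = {
    1311: "ERROR_NO_LOGON_SERVERS",
    1326: "ERROR_LOGON_FAILURE",
    1355: "ERROR_NO_SUCH_DOMAIN",
    1359: "ERROR_INTERNAL_ERROR",
    1789: "ERROR_TRUSTED_RELATIONSHIP_FAILURE",
}


def parse_userenv(text):
    """Return [(seconds, thread, func, msg)] for each well-formed line.

    userenv.log carries no date, so timestamps are seconds since midnight;
    a backwards jump is taken to mean the log crossed midnight.
    """
    entries, day, prev = [], 0, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = (int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
             + int(m["ms"]) / 1000.0)
        if prev is not None and t < prev:
            day += 1
        prev = t
        entries.append((t + day * 86400, f'{m["pid"]}.{m["tid"]}', m["func"], m["msg"]))
    return entries


def find_gaps(entries, threshold=60.0):
    """Consecutive entries on the same thread more than `threshold` s apart.

    Returns [(gap_seconds, func_before, func_after)]: the stalls behind a
    logon that "takes forever".
    """
    gaps, last = [], {}
    for t, thread, func, _msg in entries:
        if thread in last:
            t0, func0 = last[thread]
            if t - t0 > threshold:
                gaps.append((round(t - t0, 3), func0, func))
        last[thread] = (t, func)
    return gaps


def find_failures(entries):
    """[(func, code, name)] for every 'failed with NNN' line."""
    out = []
    for _t, _thread, func, msg in entries:
        m = FAIL_RE.search(msg)
        if m:
            code = int(m.group(1))
            out.append((func, code, WIN32_ERRORS.get(code, "unknown")))
    return out


def summarize(text, threshold=60.0):
    entries = parse_userenv(text)
    span = round(entries[-1][0] - entries[0][0], 3) if entries else 0.0
    return {"entries": len(entries), "span_seconds": span,
            "gaps": find_gaps(entries, threshold),
            "failures": find_failures(entries)}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['entries']} entries over {s['span_seconds']} s")
    for gap, before, after in s["gaps"]:
        print(f"  stall {gap:8.3f} s between {before} and {after}")
    for func, code, name in s["failures"]:
        print(f"  {func}: {code} ({name})")
```

On the posted excerpt it reports four stalls of roughly 181 seconds each on
thread 2bc.774, every one ending in MyGetUserName, and six occurrences of
1359 (ERROR_INTERNAL_ERROR): the 12-minute hole Mike describes, with the
retry loop that fills it. Pointing it at a full
%SystemRoot%\Debug\UserMode\userenv.log is the same call with the file
contents in place of SAMPLE_LOG.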

RE: [ActiveDir] view only rights on ADI DNS Zone

2006-05-24 Thread Thommes, Michael M.

The Microsoft link at the bottom of an event log entry has gotten much
better.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E]
Sent: Wednesday, May 24, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] view only rights on ADI DNS Zone

I was able to get a nice list of sources from EventcombMT. So that will get
me started, but if anyone has a good source with event IDs that would be
cool.

Todd

From: Al Mulnick [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 24, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] view only rights on ADI DNS Zone

You'll need a description of the rights needed to open the tool in this
case, as everyone has read access by default. IIRC, the Windows 2000 DNS white
paper describes how to delegate rights etc. using tools such as ADSIEDIT or
DSACLS.

Curious though: why bother? Read access to a DNS zone? Has the user
ever used NSLOOKUP or DIG? You can read the zone records using these tools
quite easily and it'll tell you just about everything you want to know about
the RR. Is there a different requirement in this?

Al

On 5/24/06, Kamlesh Parmar [EMAIL PROTECTED] wrote:

Is it possible to give a normal domain account rights to view an ADI DNS
zone in the console?

I tried to give a normal account rights to READ thru ACL on the zone, but
it didn't help.

Only other way I know is to create a secondary for that zone on that
user's machine, but that's overkill :)

-- 
Kamlesh
~
Be the change you want to see in the World
~

RE: [ActiveDir] AD DNS along with Bind

2006-05-24 Thread Thommes, Michael M.
Hi Freddy,
(From my DNS Admin)

When any client (or server) machine wants to locate an SRV record, it
asks the BIND slave servers, as the Windows 2003 DNS Server is not in
any TCP/IP configuration as a DNS server to be queried.
In fact, we recently moved the DNS Service from one DC to another when
we upgraded the original DC to new hardware.  The only machines we had
to change were the BIND slave servers, which had the IP address of the
old master in the BIND configuration file.


The BIND servers are slaves for all of the AD zones, so those BIND
servers give answers to the queries.  We have three DCs for the forest,
and if the one on which the DNS Service is running is down, then the
only problems are

   1) the rare DDNS update from a DC, updating an SRV or CNAME
  record

   2) the more frequent DDNS updates for one forward subdomain zone
  and its five reverse zones, all under the control of a Windows
  DHCP server.

I do not know if the DHCP code retries its DDNS.  The DC on which DNS
runs is not down that often, and we have not received complaints when it
was down.

Interesting article mentioned below, does it apply to 2003 as well?

I assume you are referencing 282826 (previously known as Q282826).
It does apply to 2003.  When I first read it, I could not understand it.
I made a flowchart from the text, and after a MS employee explained it,
I understood it.  

Assume that there is an AD-integrated zone, xxx.example.com, and there
are two DCs running the DNS Service.  Assume that all of the
behind-the-scenes AD synchronization has taken place, and both DCs have
exactly the same zone information; the zone serial number is, say 100.
Some machine, pc1.xxx.example.com, sends a DDNS update to DC1.  After
the update is complete, the zone serial number on DC1 is now 101.
At the same time, another machine, pc2.xxx.example.com, sends a DDNS
update to DC2.  After that update is complete, the zone serial number on
DC2 is 101.  We now have two copies of the zone, each with serial number
101, and each has an update that the other does not have.
Which DC has the correct zone information?  Neither.  I have no idea how
long it takes the behind-the-scenes AD synchronization to occur.
When it has occurred, the resulting zone has both updates.  But what is
the serial number?  It can't be 101, as serial number 101 was associated
with a copy of the zone that did not have both of the updates.  Can it
be 102?  No, as there could have been another DDNS update to DC1 before
the synchronization occurred.  In this case,
DC1 would have serial number 102, and DC2 serial number 101.
I contend that there is no value that can be used as the serial number
for the combined-update zone.

What 282826 is saying is that the zone serial number is meaningless
unless that DNS Server is a master server feeding a BIND (or other
vendor) slave server.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: [EMAIL PROTECTED]
Argonne, IL   60439-4828 IBMMAIL:  I1004994


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Tuesday, May 23, 2006 8:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind

Hi Mike,

If you are delegating those 6 zones to only 1 DNS server, and that DNS
server is going through a quick reboot or downtime, then none of your
clients can find the NS delegation, hence causing a "no domain controller
found" scenario, isn't it?

Interesting article mentioned below, does it apply to 2003 as well?


Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Wednesday, May 24, 2006 4:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD DNS along with Bind

Adeel,
Here is a response from our DNS guy.  I hope it helps you.

Mike Thommes
=

Here are the steps I took for delegating the AD zones for example.com:

1) In the example.com zone on the BIND server I added these NS records
   to delegate the zone to the Windows 2003 DNS Server:

_msdcs          IN  NS  windnsserver.example.com.
_sites          IN  NS  windnsserver.example.com.
_tcp            IN  NS  windnsserver.example.com.
_udp            IN  NS  windnsserver.example.com.
ForestDNSZones  IN  NS  windnsserver.example.com.
DomainDNSZones  IN  NS  windnsserver.example.com.

2) Define these six zones on the Windows 2003 DNS Server

RE: [ActiveDir] Naming conventions (quasi-OT)

2006-05-24 Thread Thommes, Michael M.

Following this thread, I want to comment that we name workstations with
their local serial numbers. In addition, we have a process to look through
the local security log to see who is the most common user of the
workstation and put their name in the description field. That makes
computers easy to find.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, May 24, 2006 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Naming conventions (quasi-OT)

If you don't have the resources or time to change a computer name every
time it changes departments, you could go with something static like a
serial number or service tag number. It may not help you physically locate
the PC, but you would be able to track machine history to determine if
there was a trend of problems leading up to a hardware/software failure. By
documenting the computer name on each Help Desk ticket, it gives an
effective log of issues with a particular computer. One down side to this
is that it's difficult to guess the machine name if you need to remote in
and work on it.

Bonnie

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Wednesday, May 24, 2006 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Naming conventions (quasi-OT)

I'm curious to see how some of you (especially at the larger corporations)
name your domain-joined computers. At my company we've got about 110
computers in roughly , and for the longest time they've been named after
the logon name of the user who primarily operates the PC. (Not a fan of
that method myself.)

However, when naming or renaming a PC there are cases (such as preparing a
replacement PC for a user) where there's already one with the desired name.
Our network admin has a horrible habit of putting random numbers at the end
when he runs into this problem, rather than using ADUC to remove a ghost
computer object (or renaming the existing one when a new one is being
prepared for said user). Of course this constantly frustrates me as I can
never correctly guess a user's PC name when trying to remote control it
during a support call.

I've had several ideas in the past, the most favorable being naming them by
location then department, then numbering them (for example, CHS-DISP-01
would represent the first dispatcher PC at our Charleston terminal), and
automagically renaming the My Computer icon on the user's desktop at startup
time to reflect the computer name. This way we'd never have to worry about
renaming a computer when an employee is terminated, and when I've got a user
on the phone I can simply ask them to read the computer name to me. But I
was curious to see how you guys go about naming your PCs and how you deal
with problems similar to this.

--

Brian A. Cline
Internet Applications Developer
GP Trucking Company, Inc.
Direct: 803.936.8595
Toll Free: 800.922.1147 x8595

RE: [ActiveDir] AD DNS along with Bind

2006-05-23 Thread Thommes, Michael M.
Adeel,
Here is a response from our DNS guy.  I hope it helps you.

Mike Thommes
=

Here are the steps I took for delegating the AD zones for example.com:

1) In the example.com zone on the BIND server I added these NS records
   to delegate the zone to the Windows 2003 DNS Server:

_msdcs          IN  NS  windnsserver.example.com.
_sites          IN  NS  windnsserver.example.com.
_tcp            IN  NS  windnsserver.example.com.
_udp            IN  NS  windnsserver.example.com.
ForestDNSZones  IN  NS  windnsserver.example.com.
DomainDNSZones  IN  NS  windnsserver.example.com.

2) Define these six zones on the Windows 2003 DNS Server.
   I use ONLY ONE Windows DNS Server due to serial number problems
   that can/will occur with the MS multi-master setup.  See Q282826.

   Insure that the zones are AD-integrated with secure DDNS only.
   Change the zone properties:
 
In the SOA insure that the Responsible person field has 
the correct e-mail address (with the @ replaced with .).

In the Name Servers tab add the BIND slaves (that are the
registered nameservers for the example.com domain).

Allow zone transfers to the servers in the Name Servers tab.

Notify servers in the Name Servers tab.

   These changes will have to be done for each zone, as MS has not
   implemented global zone properties.

3) Define these six zones on the BIND slave DNS servers that are
   registered for the example.com zone.  The master server is
   obviously the Windows 2003 DNS Server.

4) In my case, the parent example.com zone is still on a BIND server,
   so I have manually entered the domain A records on that master
   server.  

Note that there are three types of DDNS from a Windows machine:

 a) A machine (desktop, server, or DC) self-registering
 b) A DC (netlogon) registering its SRV and CNAME records
 c) A DC (netlogon) registering the domain A record.

There are different registry keys controlling each of these, and since
they have been implemented at different times and since some of them
have been reused (from former, still current usage), the interaction
among these registry keys is complicated.  I count 162 different cases,
and I have not had time to test all of them.  If you do not care about
DDNS requests being sent to the BIND master for the example.com zone,
where (I would hope) the DDNS would be refused, then you do not have to
worry about some of these registry keys.

With this setup, the MS Windows DNS Server is a hidden master.
It is known only via the MNAME (master server name) field in the SOA
(Start of Authority) record in each zone.  If your clients (be they
Unix, Windows, or Mac desktops) have the BIND servers in their TCP/IP
configurations, then these clients will continue to use the BIND servers
for DNS resolution.  This will work for the AD zones, as all of the AD
zones are slaved on the BIND servers.  Any machine that needs to update
the zone (DCs updating CNAME and SRV records), or Windows clients
(self-registration via DHCP) will use secure DDNS, and these machines
will locate the master via a standard SOA query.

There is NO NEED for ANY machine to have the Windows DNS Server in its
TCP/IP configuration as a DNS server.  The nice thing about this is that
you do not have to go and change any client TCP/IP configuration.

On my one MS W2003 DNS Server I have the six AD zones for anl.gov and
fifteen sets of AD zones for subdomains of anl.gov.

There is documentation in the DNS Bible - DNS and BIND 4th edition
(with a fifth edition due out any minute, I am told).  There is also
documentation in DNS on Windows Server 2003.  Both are O'Reilly books.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: [EMAIL PROTECTED]
Argonne, IL   60439-4828 IBMMAIL:  I1004994


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Tuesday, May 23, 2006 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DNS along with Bind

Team,

Is it possible to have AD DCs manage all the dynamic zones, i.e. _tcp,
_udp, _msdcs etc., and have the rest of the non-AD zones managed by BIND?
Has anyone done something like this? There is a MS article (ID:255913) that
talks about it; however, it doesn't say what DNS the client should point to.

Regards,
Adeel

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
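
Barry's serial-number walk-through above, and his reason for using only one
Windows DNS server as the hidden master in step 2, can be replayed in code.
The following is an added example, not code from the thread. It models, as
stated assumptions, the behaviour KB 282826 describes (every DNS server
hosting an AD-integrated zone keeps its own serial, bumps it for each local
dynamic update and again when replication delivers changes made elsewhere)
and an ordinary secondary's refresh rule (transfer only when the master's SOA
serial is newer under RFC 1982 serial arithmetic). The DC names, the record
names and the one-bump-per-replication-batch rule are assumptions made for
illustration.

```python
"""Model of why a BIND secondary cannot safely track two AD-integrated masters.

Added example. Assumptions (from KB 282826 as summarised in the thread):
each DNS server hosting an AD-integrated zone keeps its own serial, bumps it
once per local dynamic update, and bumps it once more when AD replication
delivers a batch of records from another server. The secondary side is the
ordinary RFC 1034/1982 refresh rule.
"""

MOD = 1 << 32
HALF = 1 << 31


def serial_gt(a, b):
    """RFC 1982: True when serial a is newer than serial b, with 32-bit wrap."""
    a %= MOD
    b %= MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


class Master:
    """One DNS server hosting an AD-integrated zone, with its own local serial."""

    def __init__(self, name, serial, records=()):
        self.name = name
        self.serial = serial % MOD
        self.records = set(records)

    def ddns_update(self, rr):
        """A client's dynamic update lands here: record stored, local serial +1."""
        self.records.add(rr)
        self.serial = (self.serial + 1) % MOD

    def replicate_from(self, other):
        """AD replication delivers the other server's records.

        Assumption: one serial bump per inbound batch, however many records.
        """
        new = other.records - self.records
        if new:
            self.records |= new
            self.serial = (self.serial + 1) % MOD


class Slave:
    """A BIND-style secondary: SOA query, then AXFR only if the master is newer."""

    def __init__(self):
        self.serial = None
        self.records = set()

    def refresh(self, master):
        """Return True if a zone transfer happened."""
        if self.serial is None or serial_gt(master.serial, self.serial):
            self.records = set(master.records)
            self.serial = master.serial
            return True
        return False


def two_dc_scenario():
    """Replay the walk-through, then show what it costs a secondary.

    Returns (same_serial_different_content, refused, missing, accepted):
      same_serial_different_content: after one update on each DC, both sit at
        serial 101 while holding different zones (the point made in the thread)
      refused / missing: later, a secondary that last transferred from DC1
        declines DC2's copy because DC2's serial is lower, although DC2 is the
        only server holding a newly registered record
      accepted: the same secondary transfers from DC1 once replication has
        pushed DC1's serial past the secondary's
    """
    dc1 = Master("DC1", 100, {"base"})
    dc2 = Master("DC2", 100, {"base"})

    dc1.ddns_update("pc1.xxx.example.com A")      # DC1 -> 101
    dc2.ddns_update("pc2.xxx.example.com A")      # DC2 -> 101
    same_serial_different_content = (dc1.serial == dc2.serial == 101
                                     and dc1.records != dc2.records)

    dc1.replicate_from(dc2)                        # content converges, 102
    dc2.replicate_from(dc1)                        # content converges, 102

    # DC1 takes a burst of local updates; its counter runs ahead of DC2's.
    for i in range(3, 7):
        dc1.ddns_update(f"pc{i}.xxx.example.com A")   # DC1 -> 106
    dc2.replicate_from(dc1)                             # DC2 -> 103, same data

    slave = Slave()
    slave.refresh(dc1)                             # secondary now at 106

    dc2.ddns_update("pc7.xxx.example.com A")      # new record on DC2 -> 104
    dc1.replicate_from(dc2)                        # DC1 -> 107

    refused = not slave.refresh(dc2)               # 104 is not newer than 106
    missing = "pc7.xxx.example.com A" not in slave.records
    accepted = slave.refresh(dc1)                  # 107 > 106: transfer
    return same_serial_different_content, refused, missing, accepted


if __name__ == "__main__":
    print(two_dc_scenario())                       # (True, True, True, True)
```

The first value is Barry's case: two serials of 101 describing two different
zones. The rest is the consequence for a secondary that is allowed to talk to
both DCs: having once transferred from the DC whose counter runs higher, it
declines the other DC's copy even while that copy is the only one holding a
new record, and picks the record up only after replication has moved the
first DC's serial on. With a single master, which is what listing only the one
Windows DNS server as BIND's master achieves, the secondary always compares
against one counter that only ever moves forward, and the situation cannot
arise.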


RE: [ActiveDir] how to find DNS servers in a forest?

2006-05-17 Thread Thommes, Michael M.
Hi Deji,
I was thinking about the following but the results are wrong (and I
don't understand why!):

For /F %a IN ('dsquery server -o rdn -forest') do srvinfo \\%~a |find /i "DNS Server"

Can anyone tell me what I am doing wrong?  Thanks!

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, May 17, 2006 2:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] how to find DNS servers in a forest?

For /F %a IN ('dsquery server -o rdn') do portqry -n %a -e 53 -i|find /i "listening"
 
This will check if the server is listening on 53, but it won't tell you
whether its MS-DNS or not.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of Almeida Pinto,
Jorge de
Sent: Tue 5/16/2006 11:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] how to find DNS servers in a forest?


first thing comes to mind is using WMI and check for the DNS server
service
and that it is also started
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Manjeet Singh
Sent: Wed 2006-05-17 07:24
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] how to find DNS servers in a forest?



If I have a list of DCs in windows 2003 forest, I just want to verify if
they
have Microsoft-DNS installed on them? Where this information stored in
AD?

 

Or I want to find how many DC's have DNS Installed.

 

Thanks, Manjeet

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
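The forest-wide "which DCs are DNS servers" check discussed in this thread, as an added PowerShell example that is not from any of the posts: it combines Jorge's WMI idea (look for the DNS service) with a plain TCP/53 probe, and assumes the dsquery tooling plus WMI access to each DC. dsquery prints each RDN wrapped in double quotes, so the quotes are trimmed before the name is used as a host name.

```powershell
# Added example, not from the thread: list every DC in the forest and report
# whether the Microsoft DNS Server service is installed/running (WMI) and
# whether anything answers on TCP 53. Port 53 alone does not prove MS-DNS;
# the Win32_Service "DNS" instance only exists when the MS DNS role is installed.
$dcs = dsquery server -o rdn -forest | ForEach-Object { $_.Trim('"') }

$results = foreach ($dc in $dcs) {
    $state = 'no DNS service'      # service absent: not a Microsoft DNS server
    $tcp53 = $false
    try {
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $dc `
                             -Filter "Name='DNS'" -ErrorAction Stop
        if ($svc) { $state = $svc.State }   # Running / Stopped
    } catch {
        $state = "WMI error: $($_.Exception.Message)"
    }

    # Plain connect to TCP 53, the equivalent of the portqry check above.
    try {
        $sock = New-Object System.Net.Sockets.TcpClient
        $sock.Connect($dc, 53)
        $tcp53 = $sock.Connected
        $sock.Close()
    } catch {
        $tcp53 = $false
    }

    New-Object PSObject -Property @{
        DC         = $dc
        DnsService = $state
        Tcp53Open  = $tcp53
    }
}

# A DC with Tcp53Open = True but DnsService = 'no DNS service' is listening
# on 53 with something other than Microsoft DNS, which is worth a look.
$results | Sort-Object DC | Format-Table DC, DnsService, Tcp53Open -AutoSize
```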


RE: [ActiveDir] Test Windows 23K Firewall

2006-05-09 Thread Thommes, Michael M.
telnet or portqry?

telnet [-a][-e escape char][-f log file][-l user][-t term][host [port]]
 -a  Attempt automatic logon. Same as -l option except uses
 the currently logged on user's name.
 -e  Escape character to enter telnet client prompt.
 -f  File name for client side logging
 -l  Specifies the user name to log in with on the remote system.
 Requires that the remote system support the TELNET ENVIRON
option.
 -t  Specifies terminal type.
 Supported term types are vt100, vt52, ansi and vtnt only.
 hostSpecifies the hostname or IP address of the remote computer
 to connect to.
 portSpecifies a port number or service name.

Portqry:
http://support.microsoft.com/default.aspx?kbid=832919


Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Tuesday, May 09, 2006 5:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Test Windows 23K Firewall

What is the best and fastest way to test the Windows firewall? I want to see
if a specific port is blocked when it is supposed to be open.
-Z.V.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Schema extension

2006-05-09 Thread Thommes, Michael M.

DefaultHidingValue?

  defaultHidingValue

  A Boolean value that specifies the default setting of the
  showInAdvancedViewOnly property of new instances of this class. Many
  directory objects are not interesting to end users. To keep these objects
  from cluttering the UI, every object has a Boolean attribute called
  showInAdvancedViewOnly.

  If defaultHidingValue is set to TRUE, new object instances are hidden in the
  Administrative snap-ins and the Windows shell. A menu item for the object
  class will not appear in the New context menu of the Administrative snap-ins
  even if the appropriate creation wizard properties are set on the object
  class's displaySpecifier object.

  If defaultHidingValue is set to FALSE, new instances of the object are
  displayed in the Administrative snap-ins and the Windows shell. Set this
  property to FALSE to see instances of the class in the administrative
  snap-ins and the shell and enable a creation wizard and its menu item in the
  New menu of the administrative snap-ins.

  If the defaultHidingValue value is not set, the default is TRUE.

From: http://msdn.microsoft.com/library/default.asp?url=

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, May 09, 2006 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema extension

We received our OID from Microsoft this week, so I went ahead and added
an attribute so I could flag service accounts so we won't accidentally
'clean them up' during our account cleanup processes.

I then went to the User class and added my new attribute to it.

When I view a user's AD schema properties, however, I'm not seeing the
new property assigned to it. Is there any other step that I'm missing?

Thanks

~~
This e-mail is confidential, may contain proprietary information
of Cameron and its operating Divisions and may be confidential
or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] which GC answers?

2006-05-03 Thread Thommes, Michael M.

Hi Jorge,

I don't mean to hijack this thread but I have also been having an issue with
lingering objects.  I ran your repadmin command shown below on one of the
lingering objects I have.  For the lingering object I specified, the output
lists a GUID (Originating DC) that doesn't exist any more.  An Originating DC
is also the owner of the object, right?  The member DCs/GCs of the domain
that once hosted this Originating DC produce a different output from the
repadmin /showobjmeta command than the other GCs, namely "Directory Object
not found".  If a DC is demoted, the object would be owned by one of the
remaining DCs.  But, if the owner is no longer around, the object is
garbage.  Right?

My question is this: why are lingering objects such a bear to clean out?  It
seems to me an admin should be able to use a repadmin /removelingeringobjects
GC: "<DN of lingering object>" type of syntax to take care of all of the GCs
at the same time.  My TAM has indicated the existence of a replfix tool, but
I'm not sure how it works.  Thoughts/comments?

Mike Thommes

Ps. For any MS folks out there, it would really be helpful to include
examples within the repadmin help considering how powerful this command can
be.

Pps.  I think lingering objects are synonymous with headache.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, May 03, 2006 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] which GC answers?

a way to check this is:

REPADMIN /SHOWOBJMETA GC: "<DN of lingering object>" > OUTPUT.TXT

GC: targets ALL GCs in the forest

For each GC:

* you get the metadata of the object if it exists on the GC

OR

* you get "Directory object not found" if the object does not exist

in addition to this you can wrap a script around this that takes away some
manual stuff you must do.

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

From:
[EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 2006-05-03 14:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] which GC answers?

When I use ldp and I found a user (lingering) how can I know which GC of
many of them has that copy of the object? I use ADSIEDT, but I have many
GCs. Is there an easier way to discover in which of them it is?

Thanks

Adrião F Ramos
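As an added example (not Jorge's or Mike's code), a PowerShell wrapper around REPADMIN /SHOWOBJMETA that asks each GC individually instead of the "GC:" list, so every answer is attributed to a named server, and reports where the object is still present. The DN is a constructed placeholder, and the "missing originating DC" count assumes repadmin prints a bare GUID where it can no longer resolve the originating DC's name, as Mike describes above.

```powershell
# Added example, not from the thread: per-GC lingering object check.
param(
    [string]$ObjectDn = 'CN=Stale User,OU=Users,DC=example,DC=com'  # placeholder DN
)

# GUID pattern used to spot metadata rows whose originating DSA is shown
# only as a GUID (assumption: that is how repadmin renders a DC that no
# longer exists in the forest).
$guidRx = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'

# dsquery wraps each RDN in double quotes; strip them before use.
$gcs = dsquery server -forest -isgc -o rdn | ForEach-Object { $_.Trim('"') }

$report = foreach ($gc in $gcs) {
    $out = repadmin /showobjmeta $gc "$ObjectDn" 2>&1 | Out-String
    if ($out -match 'Directory object not found') {
        $status = 'absent'
    } elseif ($out -match 'Originating DSA') {
        # Rows look like "<Loc.USN> <Originating DSA> ..."; count the rows
        # whose Originating DSA column is a bare GUID.
        $orphaned = @($out -split "`r?`n" |
                      Where-Object { $_ -match "^\s*\d+\s+$guidRx" }).Count
        $status = if ($orphaned) {
            "present ($orphaned attribute(s) from a missing originating DC)"
        } else {
            'present'
        }
    } else {
        # Anything else is an error (GC unreachable, access denied, ...).
        $firstLine = ($out.Trim() -split "`r?`n")[0]
        $status = "error: $firstLine"
    }
    New-Object PSObject -Property @{ GC = $gc; Status = $status }
}

$report | Sort-Object GC | Format-Table GC, Status -AutoSize

# GCs that still hold a copy are the ones a cleanup has to target.
$holders = @($report | Where-Object { $_.Status -like 'present*' })
"{0} of {1} GCs still hold {2}" -f $holders.Count, @($report).Count, $ObjectDn
```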










[ActiveDir] how to get rid of an obsolete DC?

2006-05-02 Thread Thommes, Michael M.
In a child domain I have what I believe is the remnants of an old NT4
DC.  Using ADUC, it shows up in the child domain's Domain Controllers
OU.  When I try to delete it, I get "The DSA object cannot be deleted."
When I use ADSIEdit and go to the domain, it only shows me the two
functioning DCs and not the one I'm looking for.

What other tools are available for this type of house cleaning?

Thanks!

Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] how to get rid of an obsolete DC?

2006-05-02 Thread Thommes, Michael M.
Sorry, I meant to say ntdsutil, not adsiedit.  Ntdsutil only shows
me the two active DCs in that child domain.  (It must be either a long
day or from the sweat I worked up getting through ntdsutil!  LOL!)

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Tuesday, May 02, 2006 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] how to get rid of an obsolete DC?

ntdsutil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Tuesday, May 02, 2006 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] how to get rid of an obsolete DC?

In a child domain I have what I believe is the remnants of an old NT4
DC.  Using ADUC, it shows up in the child domain's Domain Controllers
OU.  When I try to delete it, I get "The DSA object cannot be deleted."
When I use ADSIEdit and go to the domain, it only shows me the two
functioning DCs and not the one I'm looking for.

What other tools are available for this type of house cleaning?

Thanks!

Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] how to get rid of an obsolete DC?

2006-05-02 Thread Thommes, Michael M.

Hmm...so *is* ADSIEdit a valid tool to use? I can see the object I
want to delete in ADSIEdit. (Would I be talking to myself if I reply to my own
post?)

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, May 02, 2006 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] how to get rid of an obsolete DC?

Sorry, I meant to say ntdsutil, not adsiedit. Ntdsutil only shows
me the two active DCs in that child domain. (It must be either a long
day or from the sweat I worked up getting through ntdsutil! LOL!)

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Tuesday, May 02, 2006 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] how to get rid of an obsolete DC?

ntdsutil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Tuesday, May 02, 2006 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] how to get rid of an obsolete DC?

In a child domain I have what I believe is the remnants of an old NT4
DC. Using ADUC, it shows up in the child domain's Domain Controllers
OU. When I try to delete it, I get "The DSA object cannot be deleted."
When I use ADSIEdit and go to the domain, it only shows me the two
functioning DCs and not the one I'm looking for.

What other tools are available for this type of house cleaning?

Thanks!

Mike Thommes
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] dealing with authentication errors after password change?

2006-05-02 Thread Thommes, Michael M.
How do other admins deal with the copious authentication errors a user
will generate after the user resets his password with a CNTL+ALT+DEL and
stays logged into the session with his old credentials?

Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] 2003/SP1 TS Licensing Server registry key confusion

2006-05-01 Thread Thommes, Michael M.
Hi,
   In trying to determine why my TS Licensing Server (located on a
W2K3/SP1 DC) is only handing out temporary licenses, although we have
successfully entered the license data, I find the registry key for the
type of license is spelled differently (an extra space) than what I find
in KB834651.

Ours:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\Licensing Core]

KB834651:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
Server\LicensingCore]


Our registry key was generated automatically; we did not enter it.  Can
anyone tell me what they have in their registry on their TS Licensing
Server for this key?  Thanks!

Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] anyone using IPV6?

2006-04-27 Thread Thommes, Michael M.
Has anyone tried IPV6 yet?  Production?  Or just testbed?  Any gotchas?
What kind of infrastructure (eg, switches) is needed to support it?  How
does AD play in this sandbox?

I am probably out of my league pretty quickly with this subject.  I've
done a little googling but it seems like a pretty big subject to get my
arms around.

Thanks for any info or pointers!

Mike Thommes

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] any experiences with PassFilt Pro software? (again)

2006-04-24 Thread Thommes, Michael M.
(I didn't get any response to my first query.  I thought I would try it
again).  This software (http://www.altusnet.com/products/pfp/)
supposedly enhances the default passflt.dll, allowing an admin to
enforce/control password complexity and, at the same time, does a
dictionary check.  The price appears to be very reasonable. 
==
Anybody out there have any experience with the PassFilt Pro software by
Altus Networks Solutions, Inc.?

TIA,
Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Lsasrv error

2006-04-24 Thread Thommes, Michael M.

Maybe this will help.  From eventid.net:

Matthew C. Miller (Last update 11/24/2005):
The error in our server (domain controller) System Event Log was: "The
Security System detected an authentication error for the server server.
The failure code from authentication protocol Kerberos was {Operation
Failed} The requested operation was unsuccessful. (0xc0000001)". This
issue occurs if the Network Service security account does not have sufficient
privileges to access the following registry subkeys when you upgrade to Windows
Server 2003:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

To resolve this issue, assign the Network Service account full control access
to the mentioned registry subkeys.

Mike Thommes

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Monday, April 24, 2006 10:01 AM
To: activedirectory
Subject: [ActiveDir] Lsasrv error

I keep getting this error logged in the system log of my PDC FSMO-

The source server causing the issue is another DC in the same
domain (Win2k3 FFL)

Event Type:     Warning
Event Source:   LSASRV
Event Category: SPNEGO (Negotiator)
Event ID:       40960
Date:           10/28/2005
Time:           11:04:18 PM
User:           N/A
Computer:       PDCFSMO
Description:
The Security System detected an authentication error for the server
cifs/myDC.mydomain.com. The failure code from authentication protocol
Kerberos was {Operation Failed}
The requested operation was unsuccessful.
(0xc0000001).

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 01 00 00 c0   ...À

This is the error logged on the offending DC-

Event Type:     Warning
Event Source:   LSASRV
Event Category: SPNEGO (Negotiator)
Event ID:       40960
Date:           4/11/2006
Time:           11:04:19 PM
User:           N/A
Computer:       MYdc
Description:
The Security System detected an authentication error for the server
cifs/PDCFSMO.mydomain.com.

The failure code from authentication protocol Kerberos was "The attempted
logon is invalid.

This is either due to a bad username or authentication information."
(0xc000006d).

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 6d 00 00 c0   m..À

I checked Eventid but nothing really applies.

Does anyone know what the issue could be?

Thanks
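As an added check (not from eventid.net or from the thread), a PowerShell script that reports whether NETWORK SERVICE holds Full Control on the two registry subkeys named in the eventid.net note, so the resolution can be verified before and after the ACL change rather than taken on faith.

```powershell
# Added example, not from the thread: verify the registry rights the
# eventid.net note says NETWORK SERVICE needs on the Dhcp and Tcpip keys.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dhcp',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip'
)
$account = 'NT AUTHORITY\NETWORK SERVICE'
$full    = [System.Security.AccessControl.RegistryRights]::FullControl

foreach ($key in $keys) {
    $acl = Get-Acl -Path $key

    # Only Allow rules granted directly to NETWORK SERVICE; rights it gets
    # through group membership (e.g. Users) are deliberately not counted here.
    $rules = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq 'Allow'
    })

    # FullControl is a mask; test that every bit of it is present.
    $hasFull = @($rules | Where-Object {
        ($_.RegistryRights -band $full) -eq $full
    }).Count -gt 0

    if ($hasFull) {
        "{0} : {1} has FullControl (inherited: {2})" -f $key, $account,
            (($rules | ForEach-Object { $_.IsInherited }) -join ',')
    } elseif ($rules.Count -gt 0) {
        "{0} : {1} has only '{2}' (expected FullControl)" -f $key, $account,
            (($rules | ForEach-Object { $_.RegistryRights }) -join ', ')
    } else {
        "{0} : no explicit Allow entry for {1}" -f $key, $account
    }
}
```

Run it elevated on the DC that logs the 40960 events; a line reporting less than FullControl is the condition the note above says causes the Kerberos {Operation Failed} error.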










[ActiveDir] any experiences with PassFilt Pro software?

2006-04-18 Thread Thommes, Michael M.
Anybody out there have any experience with the PassFilt Pro software by
Altus Networks Solutions, Inc.?

TIA,
Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] how to report on scheduled jobs?

2006-04-17 Thread Thommes, Michael M.
Is there a script to output scheduled job information?  Maybe something
I could call in a for loop driven by a list of servers.  Ideally, I
would like to see the job and whose credentials it is running under,
with maybe the schedule.

Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] how to report on scheduled jobs?

2006-04-17 Thread Thommes, Michael M.

Excellent! Just what I was looking for! Thanks, Jef!

Mike Thommes

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Monday, April 17, 2006 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] how to report on scheduled jobs?

Does the SCHTASKS.EXE do what you want?

perhaps with the /V switch

SCHTASKS /Query [/S system [/U username [/P password]]] [/FO format]
                [/NH] [/V] [/?]

Description:
    Enables an administrator to display the scheduled tasks on the
    local or remote system.

Parameter List:
    /S     system      Specifies the remote system to connect to.

    /U     username    Specifies the user context under
                       which the command should execute.

    /P     password    Specifies the password for the given
                       user context.

    /FO    format      Specifies the output format to be
                       displayed. Valid values: TABLE, LIST, CSV.

    /NH                Specifies that the column header should not
                       be displayed in the output.
                       Valid only for TABLE and CSV formats.

    /V                 Specifies additional output to be
                       displayed.

    /?                 Displays this help/usage.

Examples:
    SCHTASKS /Query
    SCHTASKS /Query /?
    SCHTASKS /Query /S system /U user /P password
    SCHTASKS /Query /FO LIST /V /S system /U user /P password
    SCHTASKS /Query /FO TABLE /NH /V

 Subject: [ActiveDir] how to report on scheduled jobs?
 Date: Mon, 17 Apr 2006 14:31:25 -0500
 From: [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org

 Is there a script to output scheduled job information?  Maybe something
 I could call in a for loop driven by a list of servers.  Ideally, I
 would like to see the job and whose credentials it is running under,
 with maybe the schedule.

 Mike Thommes
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
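A PowerShell wrapper for Mike's "for loop driven by a list of servers" idea, added here and not part of the thread: it runs SCHTASKS /Query /FO CSV /V against each host and reports task, command, run-as account and schedule, flagging tasks that run under a privileged account. It assumes a servers.txt file (one host per line) and the column names schtasks emits on XP/2003 in verbose CSV mode (TaskName, Task To Run, Run As User, Schedule Type, Start Time).

```powershell
# Added example, not from the thread: scheduled-task inventory across servers,
# with the account each task runs under (the part Mike asked about).
param(
    [string]$ServerList = '.\servers.txt',                      # assumed input file
    [string[]]$PrivilegedPatterns = @('Administrator', 'Domain Admins', 'SYSTEM')
)

function Get-RemoteScheduledTasks {
    param([string]$Server)
    # /V adds "Run As User" and the schedule columns; /FO CSV keeps it parseable.
    $raw = schtasks.exe /Query /S $Server /FO CSV /V 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("{0}: schtasks failed: {1}" -f $Server, ($raw | Out-String).Trim())
        return
    }
    # Keep only CSV rows; an "INFO: There are no scheduled tasks" message is dropped.
    $lines = @($raw | Where-Object { "$_" -like '"*' })
    if ($lines.Count -lt 2) { return }          # header only, nothing scheduled
    # schtasks may repeat the header line; use the first and discard the copies.
    $header  = $lines[0]
    $columns = ($header -replace '"', '') -split ','
    $lines | Where-Object { $_ -ne $header } | ConvertFrom-Csv -Header $columns
}

$report = foreach ($server in (Get-Content $ServerList)) {
    foreach ($task in (Get-RemoteScheduledTasks -Server $server)) {
        $runAs = $task.'Run As User'
        # Flag anything whose run-as account matches one of the privileged patterns.
        $isPriv = [bool]@($PrivilegedPatterns | Where-Object { $runAs -like "*$_*" })
        New-Object PSObject -Property @{
            Server     = $server
            Task       = $task.TaskName
            Command    = $task.'Task To Run'
            RunAs      = $runAs
            Schedule   = "{0} {1}" -f $task.'Schedule Type', $task.'Start Time'
            Privileged = $isPriv
        }
    }
}

# Privileged run-as accounts first: those are the ones to review for
# stored credentials and unnecessary rights.
$report | Sort-Object Privileged, Server -Descending |
    Format-Table Server, Task, RunAs, Schedule, Privileged, Command -AutoSize
```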


















RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

2006-04-13 Thread Thommes, Michael M.
Hi Brian,
It appears that a schema attribute rename is what's needed.  We
haven't had a chance to try this yet in our testbed where the problem
occurred.  Here's the info we got back (we did not open an official case
with MS, but I am guessing someone else did) as a workaround
until an official patch is released.

HTH,
Mike Thommes


Case Problem:
Adprep for R2 runs into problems.
Attributes in conflict:

CN=uidNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov 
CN=gidNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov 
CN=gecos,CN=Schema,CN=Configuration,DC=anl,DC=gov 
CN=loginShell,CN=Schema,CN=Configuration,DC=anl,DC=gov 
CN=shadowLastChange,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=shadowMin,CN=Schema,CN=Configuration,DC=anl,DC=gov 
CN=shadowMax,CN=Schema,CN=Configuration,DC=anl,DC=gov 
CN=shadowWarning,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=shadowInactive,CN=Schema,CN=Configuration,DC=anl,DC=gov 
CN=shadowExpire,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=shadowFlag,CN=Schema,CN=Configuration,DC=anl,DC=gov 
CN=memberUid,CN=Schema,CN=Configuration,DC=anl,DC=gov 
CN=memberNisNetgroup,CN=Schema,CN=Configuration,DC=anl,DC=gov 
CN=ipServicePort,CN=Schema,CN=Configuration,DC=anl,DC=gov 
CN=ipServiceProtocol,CN=Schema,CN=Configuration,DC=anl,DC=gov 
CN=ipProtocolNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov 
CN=oncRpcNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov 
CN=ipHostNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov 
CN=ipNetworkNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=ipNetmaskNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov 
CN=macAddress,CN=Schema,CN=Configuration,DC=anl,DC=gov 
CN=bootParameter,CN=Schema,CN=Configuration,DC=anl,DC=gov 
CN=bootFile,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=nisMapName,CN=Schema,CN=Configuration,DC=anl,DC=gov 
CN=nisMapEntry,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=nisMap,CN=Schema,CN=Configuration,DC=anl,DC=gov

Resolution:
First of all, we followed the guidelines in 
http://support.microsoft.com/?kbid=285172

Step 1 - Connect to the Schema Master using LDP, Login with Enterprise
Admin Credentials or Schema Admin Privileges.
Step 2 - What we have to change is the conflicting Schema Attributes to
a bogus or a dummy name. Like for Example: Change uidnumber to
Old-uidNumber.
Step 3 - Choose Modify, and type in the name of the attribute and value
you want
Step 4 - We have to change the below attributes of the conflicting one:
 a. adminDisplayName
 b. LDAPDisplayName
 c. DN (This will have to be done after the two upper ones.) There is a
modify DN option just for it.
We have to do this with all the conflicting attributes.
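The three-step rename above, as an added PowerShell/ADSI example (not the workaround's own tooling, nor anything from Microsoft): it renames one conflicting attribute against the schema master, display names first and the DN last, exactly in the order the steps give, and is a dry run unless -Apply is passed. The schema master host name is an assumption; the schema container DN is the one in the case text.

```powershell
# Added example, not from the thread: apply steps 4a-4c of the workaround to
# one conflicting SFU attribute with System.DirectoryServices.
param(
    [string]$SchemaMaster = 'schemamaster.anl.gov',   # assumed host name
    [string]$AttributeCn  = 'uidNumber',               # one of the conflicting attributes
    [string]$Prefix       = 'Old-',                    # "bogus or dummy name" prefix
    [switch]$Apply                                     # omit for a dry run
)

$schemaNc = 'CN=Schema,CN=Configuration,DC=anl,DC=gov'   # from the case text
$oldDn    = "CN=$AttributeCn,$schemaNc"
$newName  = "$Prefix$AttributeCn"

# Bind to the attribute on the schema master (schema writes must go there).
$attr = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SchemaMaster/$oldDn")
try {
    $attr.RefreshCache()
} catch {
    throw "Cannot read $oldDn on ${SchemaMaster}: $($_.Exception.Message)"
}

"Current : adminDisplayName={0} lDAPDisplayName={1}" -f `
    $attr.Properties['adminDisplayName'].Value, $attr.Properties['lDAPDisplayName'].Value
"Planned : adminDisplayName={0} lDAPDisplayName={0} DN=CN={0},{1}" -f $newName, $schemaNc

if (-not $Apply) {
    'Dry run only. Re-run with -Apply (Schema Admins, against the schema master) to change the schema.'
    return
}

# Steps 4a and 4b: change the display names first. Anything still resolving
# the SFU 3.5 names (NIS/LDAP clients) will stop finding them after this.
$attr.Properties['adminDisplayName'].Value = $newName
$attr.Properties['lDAPDisplayName'].Value  = $newName
$attr.CommitChanges()

# Step 4c: the "modify DN" in LDP; Rename() changes the RDN in place.
$attr.Rename("CN=$newName")

# Read the object back under its new DN to confirm all three changes.
$check = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SchemaMaster/CN=$newName,$schemaNc")
$check.RefreshCache()
"Renamed : {0} lDAPDisplayName={1}" -f `
    $check.Properties['distinguishedName'].Value, $check.Properties['lDAPDisplayName'].Value
```

Repeat per attribute in the "Attributes in conflict" list; the R2 adprep can then create its own copies of those names.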





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, April 13, 2006 12:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Mike-

Did you ever get any resolution on this or more info?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of joe
 Sent: Monday, February 20, 2006 7:14 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?
 
 Ask him/her what the article number is if this is a known issue.  If
 he/she says there isn't one then say it sure isn't known very well
 then.
 
 
 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
 Michael M.
 Sent: Friday, February 17, 2006 2:18 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?
 
 Our MS TAM has indicated this is a known bug!  I will keep the group
 posted as I learn more details.
 
 Mike Thommes
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
 Michael M.
 Sent: Friday, February 17, 2006 10:52 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?
 
 As an update to this thread, we transferred the Schema Master role
back
 to other DC that has the SFU tools installed originally thinking this
 might get the R2 schema update to work.  Wrong!  It fails with the
same
 error.  I can only imagine we do not have that unique an environment
in
 our testbed and expect others to have the same experience.  Luckily,
we
 never put SFU 3.5 on our production systems.
 
 We are going to open up a trouble ticket with Microsoft regarding this
 issue.  I would like to hear of others' experiences (success or
 failure) when trying to install R2 in an environment where SFU 3.5 had
 been installed.  Thanks!
 
 Mike Thommes
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
 Michael M.
 Sent: Thursday, February 16, 2006 9:07

[ActiveDir] how to display DC services on a single line?

2006-04-13 Thread Thommes, Michael M.
Brain freeze active... There is a command that shows on a single line
what services are running on a DC.  The output is something like
DS::GC::Time::LDAP::  Can someone help this poor, tired
brain out?  Thanks!

Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] default values for net time /querysntp on new systems?

2006-04-11 Thread Thommes, Michael M.
Hi,
   I've noticed in our Active Directory environment default settings on
Windows XP and Server 2003 computers for net time /querysntp to be one
of two values:

net time /querysntp
The current SNTP value is: time.windows.com,0x1

net time /querysntp
This computer is not currently configured to use a specific SNTP server.

The value does not seem to correspond to new vs. upgraded systems.

Our PDC emulator role holder, as recommended, is set to an outside time
source.

Does the value "time.windows.com,0x1" have some special significance
like "obtain your time through normal AD channels, but just in case
there is a problem, go to time.windows.com"?

There are no time problems in my environment that I am aware of.  Thanks
for any enlightenment!

Mike Thommes

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Server 2003 DNS Admins group permissions

2006-04-06 Thread Thommes, Michael M.
The default DNS Admins group has permission to use the DNS GUI
(dnsmgmt.msc) and to make changes in it but does not have permission to
view the DNS event log (DnsEvent.Evt).  Would this just be an oversight
on Microsoft's part?

TIA,
Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] 2003 DFS/open files

2006-04-06 Thread Thommes, Michael M.

Maybe I need to describe my environment a little more...we have 3 file
servers that have a common file structure with one server holding a master
directory structure that is copied to both itself (with xcopy) and to the
other two servers with robocopy. To ensure that a file actually does get
copied, via a daily scheduled job we need to stop the server service and
kick off each of the current user connections (net session
\\computer_name_here /delete) to make sure no one has a file open before the
xcopy/robocopy process starts. Note each of these users will only have a
particular file(s) open for read access.

With the latest DFS process using dynamic file replication (yes, I know we
can schedule the replication times), I wonder what would happen when a file
is updated and a user still has it open. Hope this explanation makes things
a little clearer.

Mike Thommes

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ion Gott
Sent: Wednesday, April 05, 2006 2:01 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 DFS/open files

The client will continue to have the file open but depends on what action
they take next...if they close the file..nothing.

If they save the file, the last write is going to win and possibly replace
the changes that were made on the file saved previously that the user may
not be aware of.

The work around for this issue really depends on the structure of your DFS
environment, I tend to use DFS-R to just replicate data and disable
referrals to that backup server so that doesn't happen.

Depends on exactly how you're using it I guess...

Ion V. Gott

From:
[EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Wed 4/5/2006 7:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 DFS/open files

Can someone tell me what happens with DFS/replication when a file is
updated on one DFS server and a client has that same file open on
another DFS server?

TIA!
Mike Thommes
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/










RE: [ActiveDir] Server 2003 DNS Admins group permissions

2006-04-06 Thread Thommes, Michael M.
Thanks, Ulf and Sergio!  I also came across this one:
http://www.mcse.ms/archive45-2004-10-1149114.html

-mike

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Olivarez,
Sergio J Mr CTNOSC/GD-NS
Sent: Thursday, April 06, 2006 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server 2003 DNS Admins group permissions

Here is a link of what Ulf is talking about:

http://support.microsoft.com/default.aspx?scid=kb;en-us;323076


Thanks,
Sergio 

-Original Message-
From: Ulf B. Simon-Weidner [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 06, 2006 12:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server 2003 DNS Admins group permissions

Might be - you know that you can delegate any eventlog by adjusting the
CustomSD Registrykey underneath the specific eventlog in the registry?

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214
C811
D   

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Thommes, Michael M.
|Sent: Thursday, April 06, 2006 5:54 PM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Server 2003 DNS Admins group permissions
|
|The default DNS Admins group has permission to use the DNS GUI
|(dnsmgmt.msc) and to make changes in it but does not have 
|permission to view the DNS event log (DnsEvent.Evt).  Would 
|this just be an oversight on Microsoft's part?
|
|TIA,
|Mike Thommes
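Ulf's CustomSD tip worked through as an added example (not code from the thread or from KB 323076): the value under the DNS Server log's EventLog key is an SDDL descriptor, and this Python appends a read-only ACE for DnsAdmins and then parses the result back to confirm what each principal actually gets, denies included, before anything is written to the registry. The DnsAdmins SID is a placeholder and the starting descriptor is constructed; the registry write itself is left to regedit or Group Policy as the KB describes.

```python
import re

# Event-log specific access bits used in CustomSD masks (KB 323076).
EVENTLOG_READ, EVENTLOG_WRITE, EVENTLOG_CLEAR = 0x1, 0x2, 0x4
EVENTLOG_ALL = EVENTLOG_READ | EVENTLOG_WRITE | EVENTLOG_CLEAR

# Where the DNS server log's descriptor lives; its EventLog key is "DNS Server".
DNS_CUSTOMSD_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\EventLog\DNS Server"

# Placeholder: DnsAdmins is a domain-local group, so its SID is domain specific.
DNSADMINS_SID = "S-1-5-21-1111111111-2222222222-3333333333-1101"

_ACE_RE = re.compile(r"\((?P<type>[AD]);(?P<flags>[^;]*);(?P<mask>[^;]*);"
                     r"(?P<og>[^;]*);(?P<ig>[^;]*);(?P<sid>[^)]*)\)")
_SID_RE = re.compile(r"^(?:[A-Z]{2}|S-1-\d+(?:-\d+)+)$")


def parse_dacl(sddl):
    """Return the DACL as a list of (ace_type, mask, sid) tuples.

    Only the hex masks that CustomSD values use are accepted; generic-rights
    letters (GA, GR, ...) are not event-log rights and are rejected."""
    if "D:" not in sddl:
        raise ValueError("descriptor has no DACL")
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # drop any SACL
    if dacl.startswith("P"):                           # protected flag, not an ACE
        dacl = dacl[1:]
    aces = []
    for m in _ACE_RE.finditer(dacl):
        if not m.group("mask").lower().startswith("0x"):
            raise ValueError("non-hex mask: " + m.group("mask"))
        aces.append((m.group("type"), int(m.group("mask"), 16), m.group("sid")))
    return aces


def grant_eventlog_read(sddl, sid):
    """Append an allow-read ACE for sid (alias or S-1-... form) unless present."""
    if not _SID_RE.match(sid):
        raise ValueError("not an SDDL SID or alias: " + sid)
    ace = "(A;;0x%x;;;%s)" % (EVENTLOG_READ, sid)
    return sddl if ace in sddl else sddl + ace


def effective_rights(sddl, principal_sids):
    """Walk the DACL in order the way the access check does: the first ACE that
    names one of the principal's SIDs decides each still-undecided bit, so a
    deny listed ahead of an allow wins.  Returns the event-log bits granted."""
    granted, decided = 0, 0
    for ace_type, mask, sid in parse_dacl(sddl):
        if sid not in principal_sids:
            continue
        bits = mask & EVENTLOG_ALL & ~decided
        if ace_type == "A":
            granted |= bits
        decided |= bits
    return granted


def describe(mask):
    """Human-readable form of an event-log access mask."""
    names = ((EVENTLOG_READ, "read"), (EVENTLOG_WRITE, "write"),
             (EVENTLOG_CLEAR, "clear"))
    return ",".join(n for bit, n in names if mask & bit) or "none"


# Constructed starting descriptor in the style of the KB's examples: SYSTEM
# gets everything, Administrators (BA) and Server Operators (SO) read/write/
# clear, Interactive users (IU) read/write, and DnsAdmins nothing at all.
SAMPLE_CUSTOMSD = ("O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)"
                   "(A;;0x3;;;IU)")

if __name__ == "__main__":
    new_sddl = grant_eventlog_read(SAMPLE_CUSTOMSD, DNSADMINS_SID)
    for label, sddl in (("before", SAMPLE_CUSTOMSD), ("after", new_sddl)):
        rights = effective_rights(sddl, {DNSADMINS_SID})
        print("DnsAdmins %s: %s" % (label, describe(rights)))
    print("CustomSD value for %s:\n%s" % (DNS_CUSTOMSD_KEY, new_sddl))
```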


[ActiveDir] 2003 DFS/open files

2006-04-05 Thread Thommes, Michael M.
Can someone tell me what happens with DFS/replication when a file is
updated on one DFS server and a client has that same file open on
another DFS server?

TIA!
Mike Thommes


RE: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain

2006-04-04 Thread Thommes, Michael M.
How about:

dsquery computer -samid computer_name_here | dsget computer sid

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of matheesha weerasinghe
Sent: Tuesday, April 04, 2006 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain

No it works fine as computer$. He wanted MS tools only remember? ;-)

M@

On 04/04/06, Freddy HARTONO [EMAIL PROTECTED] wrote:

if getsid doesn't work (if I remember correctly this is only for user
accounts not comp) - try psgetsid or newsid.exe

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of matheesha weerasinghe
Sent: Tuesday, April 04, 2006 10:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain

Use getsid.exe of the support tools.

How come you are using regmon. I thought sysinternals was a no no :0)

M@

On 02/04/06, Rodrigo Blanco [EMAIL PROTECTED] wrote:

Freddy,

is there any standard way (tools included in the W2K3 OS) to verify the
SID of a machine? I am not allowed to install or use any external
software, such as sysinternals, for instance.

Joe,

I believe that the application is using the WINSOCK API too. TCP/IP is
working fine and the settings are just as they should be... :-/ So I
will do a regmon on a good machine and extract the differences with
mine.

Thank you very much,
Best regards,
Rodrigo.

On 02/04/06, joe [EMAIL PROTECTED] wrote:

I believe that tool is using the gethostname WINSOCK API call, I expect
you are hitting an error and it isn't handling it gracefully.

Is TCP/IP working properly on that machine? Are all of the TCP/IP
settings correct?

If everything looks ok, I would recommend running regmon on a known good
machine and then do the same on the troublesome machine and see what the
differences are in the requests, you might get a hint there.

joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rodrigo Blanco
Sent: Tuesday, March 28, 2006 6:54 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain

Hello list,

I am currently having a problem with a Windows 2003 server inside a
Windows 2003 server-based Active Directory domain. The problem is that
when I run the hostname command, it is empty:

C:\>hostname

C:\>

I suspect this happened after doing a clone of the VM machine and, by
error, starting it and changing its name in the same network of the
original one (this should have happened in an off-line network).

I have tried to take it out from the domain and register it again in it,
but this will not help. There is no conflict between the DNS and the
local hosts file on the server. The server is registered in both the
direct and inverse DNS lookup zones.

If I look in System > Properties > Computer Name, everything looks
fine: hostname and domain are correctly configured.

Any help will be more than welcome.

Thanks in advance and best regards,
Rodrigo.


RE: [ActiveDir] Mass AD Full Name & Display Name Changes - Last name, first name

2006-03-01 Thread Thommes, Michael M.
These may be of interest to you:

http://support.microsoft.com/kb/277717/en-us
http://support.microsoft.com/?kbid=300427

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Wednesday, March 01, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Mass AD Full Name & Display Name Changes - Last name, first name

My goal is to automate a process to change Full Name and Display Name
from John Doe to Doe, John.  I am not yet familiar with VB et al
scripting, so assistance would be greatly appreciated if you propose a
scripting solution.

Thank you!

...D
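For Danny's bulk rename, an added example that is not code from the thread or from the KB articles Mike links: it emits LDIF an admin can review and then import with ldifde. It assumes the users were exported as (dn, givenName, sn) rows, that "Full Name" is the object's cn (its RDN, so the change is a modrdn rename rather than an attribute modify) and that the comma in the new value must be escaped inside the RDN but not in displayName; the sample rows are constructed.

```python
import base64
import re

_RDN_SPECIAL = re.compile(r'([,+"\\<>;=])')


def last_first(given, sn):
    """Build the "Last, First" form; fall back to whichever name exists."""
    given, sn = (given or "").strip(), (sn or "").strip()
    if given and sn:
        return "%s, %s" % (sn, given)
    return given or sn or None


def escape_rdn_value(value):
    """Escape a value for use inside an RDN (RFC 4514 rules): the comma this
    rename introduces would otherwise terminate the RDN."""
    out = _RDN_SPECIAL.sub(r"\\\1", value)
    if out.startswith((" ", "#")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def split_rdn(dn):
    """Split a DN into (first RDN, parent DN), honouring backslash escapes."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2
            continue
        if dn[i] == ",":
            return dn[:i], dn[i + 1:]
        i += 1
    return dn, ""


def ldif_value(attr, value):
    """One LDIF attribute line; base64 when the value is not SAFE per RFC 2849."""
    unsafe = not value.isascii() or value.startswith((" ", ":", "<")) or "\n" in value
    if unsafe:
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode())
    return "%s: %s" % (attr, value)


def ldif_for_user(dn, given, sn):
    """LDIF that renames the object (cn is the RDN, so a "Full Name" change is
    a modrdn) and then replaces displayName; None when no name is available."""
    target = last_first(given, sn)
    if target is None:
        return None
    rdn, parent = split_rdn(dn)
    attr = rdn.split("=", 1)[0]
    new_rdn = "%s=%s" % (attr, escape_rdn_value(target))
    records = []
    if new_rdn != rdn:                 # skip the rename if cn is already right
        records.append("\n".join([ldif_value("dn", dn), "changetype: modrdn",
                                  ldif_value("newrdn", new_rdn),
                                  "deleteoldrdn: 1", ""]))
    new_dn = new_rdn + ("," + parent if parent else "")
    records.append("\n".join([ldif_value("dn", new_dn), "changetype: modify",
                              "replace: displayName",
                              ldif_value("displayName", target), "-", ""]))
    return "\n".join(records)


# Constructed rows standing in for a csvde/ldifde export of the user objects.
SAMPLE_USERS = [
    ("CN=John Doe,OU=Users,DC=example,DC=com", "John", "Doe"),
    ("CN=Doe\\, John,OU=Users,DC=example,DC=com", "John", "Doe"),  # already done
    ("CN=svc-backup,OU=Service,DC=example,DC=com", "", ""),        # no names
]

if __name__ == "__main__":
    for dn, given, sn in SAMPLE_USERS:
        ldif = ldif_for_user(dn, given, sn)
        print(ldif if ldif else "# skipped %s (no givenName/sn)" % dn)
```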


RE: [ActiveDir] repadmin info oddity

2006-02-21 Thread Thommes, Michael M.
Adfind (http://www.joeware.net/win/free/tools/adfind.htm) to the rescue!
I recently had to do this and got it accomplished with the following
syntax (with a little help from joe :)  ):

adfind -default -binenc -f objectGUID={{GUID:0B3F5BC4-5713-4611-8F6A-752A3B0DE664}} dn

(adfind /??? For lots of good info!)

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of SCOTT KLASSEN
Sent: Monday, February 20, 2006 8:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] repadmin info oddity

I try to keep up on new or updated MS KB articles and often check to see
how they correlate with my environment.  I noticed that 875495, dealing
with USN rollbacks, was updated earlier this month.  As I've experienced
two AD issues, both of which needed PSS involvement (one dealing with
sysvol inconsistency and the other which wound up being the RID master
going on temporary strike) I figured that I'd do a quick check as
described in the article.  On the good side, the USNs are consistent
between controllers.  On the disconcerting side, I got a little more
information than I was expecting.  Besides my DCs, I also got USN
listings for several GUIDs.  I assume these are leftovers from DC
demotions and only remain in the form of historical data.  Do I need to
worry about these (especially the DC1 (retired) listing) and is there a
way I can resolve the GUIDs to names, find where this info is hiding,
and clear them out?

Thanks,

Scott Klassen

  repadmin /showutdvec dc1 dc=domain,dc=com
Caching GUIDs.
..
Default-First-Site-Name\DC2           @ USN    455091 @ Time 2006-02-20 20:08:20
2c92760e-e8fc-4418-947e-3b1016ab8514  @ USN   1012381 @ Time 2005-08-04 00:02:34
6e129965-56c3-469e-b70a-f1fdfb8bb2cc  @ USN    969931 @ Time 2004-07-24 11:53:16
Default-First-Site-Name\DC1           @ USN   1717571 @ Time 2006-02-20 20:10:50
Default-First-Site-Name\DC1 (retired) @ USN   1298674 @ Time 2005-08-05 06:36:16
e2199f22-f1dd-4d1c-90a6-0e8bb874f355  @ USN    744173 @ Time 2004-12-28 20:52:04
ff0d7d50-214f-4bc1-96b6-55ac6ef317f0  @ USN    852323 @ Time 2005-06-08 14:29:20




RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

2006-02-17 Thread Thommes, Michael M.
As an update to this thread, we transferred the Schema Master role back
to the other DC that has the SFU tools installed, originally thinking this
might get the R2 schema update to work.  Wrong!  It fails with the same
error.  I can only imagine we do not have that unique an environment in
our testbed and expect others to have the same experience.  Luckily, we
never put SFU 3.5 on our production systems.

We are going to open up a trouble ticket with Microsoft regarding this
issue.  I would like to hear of others' experiences (success or failure)
when trying to install R2 in an environment where SFU 3.5 had been
installed.  Thanks!

Mike Thommes

RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

2006-02-17 Thread Thommes, Michael M.
Our MS TAM has indicated this is a known bug!  I will keep the group
posted as I learn more details.

Mike Thommes


RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

2006-02-16 Thread Thommes, Michael M.
Hi Guido,
   Thanks for the response!  This server is Windows 2003/SP1 with all
but the current month's patches.  It is the current FSMO role holder.  I
did some checking this morning and found the SFU 3.5 tools on another DC
that could have been the FSMO role holder at the time the SFU schema
changes were made.  I don't see why that would make any difference, do
you?

-mike

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Thursday, February 16, 2006 3:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Mike - I see you're upgrading from Win2000 AD. Are you sure that you've
previously installed SFU 3.5 or was it maybe SFU 2.0 ?

The reason I'm asking is that there's a known schema incompatibility
with SFU 2.0:
check out http://support.microsoft.com/?id=293783 "Cannot Upgrade
Windows 2000 Server to Windows Server 2003 with Windows Services for
UNIX 2.0 Installed"

CAUSE
The upgrade may not work because the attributeSchema 'uid' that is used
by Windows 2000 Server for the NIS schema is not compatible with the one
that is used by Windows Server 2003. 

As such your error is likely independent from the changes in the R2
schema - it's actually an incompatibility in the Win2003 base schema
(not that this really matters for you; I just want to clarify that the
error should be unrelated to R2). As such it's different from Aric's
case, who was performing an upgrade from a Win2003 schema to Win2003
R2...


/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Donnerstag, 16. Februar 2006 02:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Hi Aric,
No, there were a lot more errors - all seem to be related to SFU
attributes.  I only copied a small portion to my posting to save
bandwidth.  Painful = time = headaches  8-(  I was expecting this
upgrade to be a walk in the park.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Wednesday, February 15, 2006 7:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Are these the only two errors you received?

I encountered similar errors during beta testing when I implemented R2
in an existing forest - but a lot more than just 2. :)  I created a
secondary forest and validated that it did not recur.  Note that I also
had SFU installed in the original forest and the new secondary forest.

I was able to clean up the schema in the existing forest exhibiting the
errors but it was a fairly painful process of what seemed to be a goose
chase.  The tasks included disabling object attributes in the schema
and renaming them amongst other things.

Fortunately I have not heard of this happening in production...yet.

So can these errors be ignored?  If I remember correctly ADPrep is
actually failing and therefore NO you cannot ignore these errors since
ADPREP will not occur until they are resolved.

Regards,

Aric


[ActiveDir] ability to create container objects not in ADUC

2006-02-16 Thread Thommes, Michael M.
Is there a technical reason why the ability to create a new container is
not available in the Active Directory Users and Computers (ADUC) mmc?
(Sorry if this is a dumb question.)

Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] issue with R2 upgrade; SFU confusion?

2006-02-15 Thread Thommes, Michael M.
Hi,
We did an adprep /forestprep from the W2K3/SP1 R2 Disk 2 CD today on
our testbed FSMO DC.  It gave the following errors (only a portion shown
below) because, I am guessing, we had already installed SFU 3.5 on
this forest some time ago.  Should I assume these errors can be ignored?
Has anybody else experienced this?  Thanks as always!

Mike Thommes



attributeId attribute value for objects defined in Windows 2000 schema
and extended schema do not match.

A previous schema extension has defined the attribute value as
1.2.840.113556.1.4.7000.187.70 for object
CN=uidNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov differently than
the schema extension needed for Windows 2003 server.
[Status/Consequence]
Adprep cannot extend your existing schema
[User Action]
Contact the vendor of the application that previously extended the
schema to resolve the inconsistency. Then run adprep again.

=
attributeId attribute value for objects defined in Windows 2000 schema
and extended schema do not match.

A previous schema extension has defined the attribute value as
1.2.840.113556.1.4.7000.187.71 for object
CN=gidNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov differently than
the schema extension needed for Windows 2003 server.
[Status/Consequence]
Adprep cannot extend your existing schema
[User Action]
Contact the vendor of the application that previously extended the
schema to resolve the inconsistency. Then run adprep again.


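A pre-flight check for the OID conflict adprep reported in this thread, added here as an example (not Microsoft's or the thread's code): it reads an ldifde schema export and compares the attributeID of the NIS attributes against the RFC 2307 OIDs, which is the same comparison Guido's explanation and the adprep output describe. That the R2 schema uses exactly the RFC 2307 OIDs is an assumption taken from the RFC rather than from the page; the sample LDIF is constructed around the two OIDs in the error text, with gecos included as a non-conflicting control.

```python
# RFC 2307 OIDs for the NIS attributes.  That Windows Server 2003 R2 uses
# exactly these is an assumption taken from the RFC; the two SFU 3.5 values
# quoted in adprep's error text on the page differ from them.
EXPECTED_OIDS = {
    "uidNumber": "1.3.6.1.1.1.1.0",
    "gidNumber": "1.3.6.1.1.1.1.1",
    "gecos": "1.3.6.1.1.1.1.2",
}

# Constructed ldifde-style export using the two OIDs adprep complained about
# (taken from the thread) plus a gecos attribute that already matches the RFC.
SAMPLE_SCHEMA_LDIF = """\
dn: CN=uidNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
objectClass: attributeSchema
lDAPDisplayName: uidNumber
attributeID: 1.2.840.113556.1.4.7000.187.70

dn: CN=gidNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
objectClass: attributeSchema
lDAPDisplayName: gidNumber
attributeID: 1.2.840.113556.1.4.7000.187.71

dn: CN=gecos,CN=Schema,CN=Configuration,DC=anl,DC=gov
objectClass: attributeSchema
lDAPDisplayName: gecos
attributeID: 1.3.6.1.1.1.1.2
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records, folded continuation
    lines rejoined, values kept as text (OIDs and names are plain ASCII)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip(" :"))
    return records


def schema_attributes(records):
    """Map lDAPDisplayName -> attributeID for every attributeSchema record."""
    out = {}
    for rec in records:
        if "attributeSchema" not in rec.get("objectClass", []):
            continue
        names, oids = rec.get("lDAPDisplayName", []), rec.get("attributeID", [])
        if names and oids:
            out[names[0]] = oids[0]
    return out


def find_conflicts(attrs, expected=EXPECTED_OIDS):
    """Return (attribute, found OID, expected OID, problem) tuples.

    'mismatch' is adprep's complaint on the page: the name exists under a
    different OID.  'oid-taken by X' is the reverse case: the wanted OID already
    belongs to an attribute of another name, which adprep would refuse as well."""
    problems = []
    by_oid = {oid: name for name, oid in attrs.items()}
    for name, want in expected.items():
        have = attrs.get(name)
        if have is not None and have != want:
            problems.append((name, have, want, "mismatch"))
        owner = by_oid.get(want)
        if owner is not None and owner != name:
            problems.append((name, None, want, "oid-taken by " + owner))
    return problems


if __name__ == "__main__":
    found = schema_attributes(parse_ldif(SAMPLE_SCHEMA_LDIF))
    for name, have, want, problem in find_conflicts(found):
        print("%s: %s (have %s, RFC 2307 wants %s)" % (name, problem, have, want))
```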