RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

2003-06-12 Thread Gil Kirkpatrick



Been here. Busy. Vacation. Back soon.

-gil

  
  -Original Message-
  From: Rick Kingslan [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 8:05 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain
  Sadly, Gil has not been spending as much time here as he has in the 
  past. Not sure why. He does post now and then - especially when 
  the replication or lower level programming talk gets deep.
  
  Robbie Allen and Richard Puckett have been fairly visible - Richard, I 
  can't say why he hasn't been here. Robbie, though - I can speak 
  for. I KNOW what he's doing :-) He'll be free(er) 
  shortly..
  
  -rtk
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
  Sent: Wednesday, June 11, 2003 9:59 PM
  To: [EMAIL PROTECTED]

  It will definitely be fun. I personally am waiting for a
  Gil Kirkpatrick sighting, I hear he wanders these halls. ADFIND (and
  every other LDAP joeware tool) wouldn't exist except for Gil and his
  book and that would be a sad thing for me because I love those
  tools.
  
   joe
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 10:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain
Yeah! LOL! That's waay too good.

Glad you could make it. You will certainly be a worthy addition 
to the characters that wander in here.

-rtk



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Wednesday, June 11, 2003 9:37 PM
To: [EMAIL PROTECTED]

Everyone kept saying, join activedir join activedir, so
I stumbled in fashionably late and three sheets to the wind... The only way
to make an entrance. ;o)

So where were we, I believe we were discussing slapping MIT Kerberos and
OpenLDAP on a Linux box and calling it OverActive Directory?




  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, June 11, 2003 10:28 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Installing Windows 2003 servers to Windows 2000 Domain
  Mr. Richards. welcome to the party. ;-)


  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
  Sent: Wednesday, June 11, 2003 8:54 PM
  To: [EMAIL PROTECTED]

  I agree with Rick completely. I work for a very large
  organization and policy is policy. Not only will we not let you put them
  into our Active Directory, I have a script that will find them and throw
  the machine objects into an Enterprise Admin Access only OU and disable
  and smack the ACL of the offending object if you somehow sneak one in. So
  not only do they not get to use the server anymore, they can't even use
  that server name again. We catch more than a couple of occurrences of this
  and we take away their ability to add anything and let their managers know
  that we did it and why.

  While I understand why people want to put them in (I in fact want
  to as well), we want a centralized controlled IT structure and the best
  way to maintain or reduce costs is to have a handle on what is in
  production. We do not have an official company load for W2K3 yet with all
  of the certified drivers and antivirus software so we don't want anyone
  deploying anything on it because anything they deploy we know will have to
  be revisited and is a possible breeding ground of viri, worms, and
  support issues with no escalation paths.
  
  Tough love I guess. 
  
   joe
  
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 7:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installing Windows 2003 servers to Windows 2000 Domain
Justifying it technically is going to be a problem, as there are 
no real 'downfalls'.

However - if they don't want them - stick to your guns. 
Policy says NO. If there are any questions, refer to latter 
statement.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf

RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

2003-06-12 Thread Robbie Allen



Yeah, I like those joeware tools too :-) He even does Perl!


Robbie Allen
http://www.rallenhome.com/


  
  -Original Message-
  From: Joe [mailto:[EMAIL PROTECTED]
  Sent: Thursday, June 12, 2003 1:30 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain
  LOL, no problem, glad you like the tools, that is why I put them out
  there.

  So many things lacking that need to be done... so little time, especially when it
  is for free. ;oP~ I really have some serious updates coming for ADFIND
  or at least I want them to be coming, I want to restructure and go to V2 and
  add Security Descriptor stuff and decoding of more values like
  useraccountcontrols, et al and also allowing reencoding of nice names into
  blobs for searching if possible. However I expect that I will be gearing a
  little towards E2K right now as that is what my paying job is throwing me into
  now.

  Note that if you hadn't heard joeware has been getting shut down at the end of the
  month or so every month lately so I moved it to a new provider so that
  shouldn't happen for a bit now. Man I got some serious flames when that
  would happen too, made me laugh pretty hard. I also finally killed the midi's
  that everyone bitched about. I started seeing how much bandwidth those little
  things were taking up and decided I didn't like them that much either.
  eg
  
  Anyway, thanks for the welcome. Hopefully I can contribute my share. 
  :o)
  
   joe
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, June 12, 2003 12:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain
glad you are here, joeware rocks!

Don't think I have ever taken the time to thank you for the tools you 
make available, not because I'm not appreciative, just fundamentally 
lazy.

So, thanks for all past joeware and looking forward to more 
:-]



From: Joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 7:37 PM
To: [EMAIL PROTECTED]

Everyone kept saying, join activedir join activedir, so
I stumbled in fashionably late and three sheets to the wind... The only way
to make an entrance. ;o)

So where were we, I believe we were discussing slapping MIT Kerberos and
OpenLDAP on a Linux box and calling it OverActive Directory?




  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, June 11, 2003 10:28 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Installing Windows 2003 servers to Windows 2000 Domain
  Mr. Richards. welcome to the party. ;-)


  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
  Sent: Wednesday, June 11, 2003 8:54 PM
  To: [EMAIL PROTECTED]

  I agree with Rick completely. I work for a very large
  organization and policy is policy. Not only will we not let you put them
  into our Active Directory, I have a script that will find them and throw
  the machine objects into an Enterprise Admin Access only OU and disable
  and smack the ACL of the offending object if you somehow sneak one in. So
  not only do they not get to use the server anymore, they can't even use
  that server name again. We catch more than a couple of occurrences of this
  and we take away their ability to add anything and let their managers know
  that we did it and why.

  While I understand why people want to put them in (I in fact want
  to as well), we want a centralized controlled IT structure and the best
  way to maintain or reduce costs is to have a handle on what is in
  production. We do not have an official company load for W2K3 yet with all
  of the certified drivers and antivirus software so we don't want anyone
  deploying anything on it because anything they deploy we know will have to
  be revisited and is a possible breeding ground of viri, worms, and
  support issues with no escalation paths.
  
  Tough love I guess. 
  
   joe
  
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 7:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installing Windows 2003 servers to Windows 2000 Domain
Justifying it technically is going to be a problem

RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

2003-06-12 Thread Puckett, Richard



*ding!* *ding!* *ding!*...

my 'joeware' filter alarm just went off (it's set
to alert me when it detects +1.0 blood/alcohol level on a
thread). :-)

Sorry folks, I've been super busy answering to "the
master... yes preciou..." and haven't had lots of time to participate
(though I've been enjoying some of the threads). I'll try to be a more
responsible netizen and chime in when and where I can with code and what
not. As for Robbie - well *hmpfh* - he's
moved into a cushy architecture job where he gets caviar and champagne all the
time (or so I hear). :-p



  
  
  
  From: Joe [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 11:46 PM
  To: [EMAIL PROTECTED]

  Well that sucks about Gil, I'll have to see if I can
  start some down and dirty threads to pull him out of the
  corner.

  I owe Richard a note, don't let him know I am here... s... peers
  about

  I read like 6 last night, 2 more tonight and my part will be done and Robbie
  should be cool. Now I get to focus full time on trying to dress
  that E2K pig up and making it dance and pretend to be a scaleable
  properly manageable mail system. I just learned the dirty secret about
  msExchSecurityDescriptor this afternoon and stomped out of the lab in disgust,
  not even sure why they used the attribute at all. Either do it in the store or
  do it in the directory, one or the other, JUMP! Reminds me of the parable of
  the grape who couldn't figure out which side of the road was better and
  squish. Because of that and I think for fun and to egg on the Premier guys
  this week I am going to turn on inefficient query logging on the Exchange lab
  DC's to see how funny it is. ;oP

  We have indexed objectclass now so that should help it out quite a bit.
  Definitely helped out with some of the other poorly written apps running
  around that were experiencing time outs. We were told we could probably
  expect a 25-30%+ DIT size growth doing that, it was a tiny growth, indexed a
  whole bunch of other attributes as well and our GC DIT only grew by like
  100-150MB which is a drop in the bucket to the 6GB GC DIT.


  Ah, I need to get back into Word. Though before I go does Laura hang out here as
  well? How about Dean/Roger/Ace/Jimmy/Thomas and the rest of the
  troublemakers?
  
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 11:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain
Sadly, Gil has not been spending as much time here as he has in the 
past. Not sure why. He does post now and then - especially when 
the replication or lower level programming talk gets 
deep.

Robbie Allen and Richard Puckett have been fairly visible - Richard, 
I can't say why he hasn't been here. Robbie, though - I can speak 
for. I KNOW what he's doing :-) He'll be free(er) 
shortly..

-rtk



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Wednesday, June 11, 2003 9:59 PM
To: [EMAIL PROTECTED]

It will definitely be fun. I personally am waiting for
a Gil Kirkpatrick sighting, I hear he wanders these halls. ADFIND
(and every other LDAP joeware tool) wouldn't exist except for Gil and
his book and that would be a sad thing for me because I love those
tools.

 joe


  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, June 11, 2003 10:41 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain
  Yeah! LOL! That's waay too good.
  
  Glad you could make it. You will certainly be a worthy 
  addition to the characters that wander in here.
  
  -rtk
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
  Sent: Wednesday, June 11, 2003 9:37 PM
  To: [EMAIL PROTECTED]
  
  Everyone kept saying, join activedir join activedir, 
  so I stumbled in fashionably late and three sheets to the wind... The only 
  way to make an entrance. ;o) 
  
  So where were we, I believe we were discussing slapping MIT 
  Kerberos and OpenLDAP on a Linux box and calling it OverActive Directory? 
  
  
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 10:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installing Windows 2003 servers to Windows 2000 Domain
Mr. Richards. welcome to the party. ;-)


  

RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

2003-06-11 Thread Joe



Everyone kept saying, join activedir join activedir, so I stumbled in 
fashionably late and three sheets to the wind... The only way to make an 
entrance. ;o) 

So where were we, I believe we were discussing slapping MIT Kerberos and OpenLDAP
on a Linux box and calling it OverActive Directory?



  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, June 11, 2003 10:28 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Installing Windows 2003 servers to Windows 2000 Domain
  Mr. Richards. welcome to the party. ;-)


  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
  Sent: Wednesday, June 11, 2003 8:54 PM
  To: [EMAIL PROTECTED]

  I agree with Rick completely. I work for a very large
  organization and policy is policy. Not only will we not let you put them into
  our Active Directory, I have a script that will find them and throw the
  machine objects into an Enterprise Admin Access only OU and disable and smack
  the ACL of the offending object if you somehow sneak one in. So not only do
  they not get to use the server anymore, they can't even use that server name
  again. We catch more than a couple of occurrences of this and we take away
  their ability to add anything and let their managers know that we did it and
  why.

  While I understand why people want to put them in (I in fact want to as
  well), we want a centralized controlled IT structure and the best way to
  maintain or reduce costs is to have a handle on what is in production. We do
  not have an official company load for W2K3 yet with all of the certified
  drivers and antivirus software so we don't want anyone deploying anything on
  it because anything they deploy we know will have to be revisited and is a
  possible breeding ground of viri, worms, and support issues with no
  escalation paths.
  
  Tough love I guess. 
  
   joe
  
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 7:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installing Windows 2003 servers to Windows 2000 Domain
Justifying it technically is going to be a problem, as there are no 
real 'downfalls'.

However - if they don't want them - stick to your guns. Policy 
says NO. If there are any questions, refer to latter 
statement.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pennell, Ronald B.
Sent: Wednesday, June 11, 2003 2:48 PM
To: [EMAIL PROTECTED]


Has anyone come across any problems with installing the new windows 2003 servers
to the Windows 2000 site?
Running W2K with SP3 and Exchange 2000 all in native modes. Our company is having a storm of
interns coming in and wanting to run projects on a W2k3 server. Other than it is against
company policy not to allow users to install servers, or even their own
systems. Management is trying to come up with
some negatives to this, other than just saying it is against company
policy.

Ron Pennell
[EMAIL PROTECTED]
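
Added example (not part of the thread, and not Joe's script): one way to implement the quarantine policy described in the quoted message above. It reads an LDIF export of computer objects, flags any whose operatingSystem is not on an approved list, and writes RFC 2849 change records that move the object into a restricted OU and set the ACCOUNTDISABLE bit; the ACL rewrite is left out. The OU name, the approved-OS list and the sample export are constructed assumptions.

```python
import base64

APPROVED_OS = ("Windows 2000",)                      # assumption: only W2K loads are approved
QUARANTINE_OU = "OU=Quarantine,DC=corp,DC=example"   # hypothetical restricted OU
UF_ACCOUNTDISABLE = 0x0002                           # userAccountControl bit: account disabled

# Constructed sample export of computer objects (not real data).
SAMPLE_LDIF = """\
dn: CN=MAIL01,OU=Servers,DC=corp,DC=example
objectClass: computer
operatingSystem: Windows 2000 Server
userAccountControl: 4096

dn: CN=INTERN-LAB7,CN=Computers,DC=corp,DC=example
objectClass: computer
operatingSystem: Windows Server 2003
userAccountControl: 4096

dn: CN=OLDBOX,OU=Quarantine,DC=corp,DC=example
objectClass: computer
operatingSystem: Windows Server 2003
userAccountControl: 4098

dn: CN=PRINTER9,CN=Computers,DC=corp,DC=example
objectClass: computer
userAccountControl: 4096
"""


def parse_ldif(text):
    """Parse LDIF content records into dicts of lower-cased attribute -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:        # folded line: continuation of the previous one
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):            # skip comments
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                    # trailing "" flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def split_dn(dn):
    """Return (rdn, parent), splitting at the first comma that is not backslash-escaped."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2
            continue
        if dn[i] == ",":
            return dn[:i], dn[i + 1:]
        i += 1
    return dn, ""


def classify(entries):
    """Split computer objects into (offenders, needs_review)."""
    offenders, review = [], []
    for entry in entries:
        if "computer" not in [c.lower() for c in entry.get("objectclass", [])]:
            continue
        os_name = (entry.get("operatingsystem") or [""])[0]
        if not os_name:
            review.append(entry)                 # OS not populated yet: a human should look
        elif not os_name.startswith(APPROVED_OS):
            offenders.append(entry)
    return offenders, review


def quarantine_ldif(entry):
    """Build change records for one offender; returns "" when nothing is left to do."""
    dn = entry["dn"][0]
    rdn, parent = split_dn(dn)
    uac = int(entry.get("useraccountcontrol", ["0"])[0])
    out = []
    if parent.lower() != QUARANTINE_OU.lower():  # not yet in the restricted OU: move it
        out += [f"dn: {dn}", "changetype: modrdn", f"newrdn: {rdn}",
                "deleteoldrdn: 1", f"newsuperior: {QUARANTINE_OU}", ""]
        dn = f"{rdn},{QUARANTINE_OU}"
    if not uac & UF_ACCOUNTDISABLE:              # still enabled: set the disable bit
        out += [f"dn: {dn}", "changetype: modify", "replace: userAccountControl",
                f"userAccountControl: {uac | UF_ACCOUNTDISABLE}", "-", ""]
    return "\n".join(out)


if __name__ == "__main__":
    bad, unknown = classify(parse_ldif(SAMPLE_LDIF))
    print("\n".join(filter(None, (quarantine_ldif(e) for e in bad))))
    print("# review manually:", [e["dn"][0] for e in unknown])
```

Leaving the disabled object in place under the restricted OU, rather than deleting it, is what keeps the name from being reused, as the message describes.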


RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

2003-06-11 Thread Joe



Well that sucks about Gil, I'll have to see if I can start some down and dirty
threads to pull him out of the corner.

I owe Richard a note, don't let him know I am here... s... peers
about

I read like 6 last night, 2 more tonight and my part will be done and Robbie should be
cool. Now I get to focus full time on trying to dress that E2K pig up
and making it dance and pretend to be a scaleable properly manageable mail
system. I just learned the dirty secret about msExchSecurityDescriptor this
afternoon and stomped out of the lab in disgust, not even sure why they used the
attribute at all. Either do it in the store or do it in the directory, one or
the other, JUMP! Reminds me of the parable of the grape who couldn't figure out
which side of the road was better and squish. Because of that and I think
for fun and to egg on the Premier guys this week I am going to turn on
inefficient query logging on the Exchange lab DC's to see how funny it is.
;oP

We have indexed objectclass now so that should help it out quite a bit. Definitely
helped out with some of the other poorly written apps running around that were
experiencing time outs. We were told we could probably expect a 25-30%+ DIT
size growth doing that, it was a tiny growth, indexed a whole bunch of other
attributes as well and our GC DIT only grew by like 100-150MB which is a
drop in the bucket to the 6GB GC DIT.

Ah, I need to get back into Word. Though before I go does Laura hang out here as well?
How about Dean/Roger/Ace/Jimmy/Thomas and the rest of the
troublemakers?



  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, June 11, 2003 11:05 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain
  Sadly, Gil has not been spending as much time here as he has in the 
  past. Not sure why. He does post now and then - especially when 
  the replication or lower level programming talk gets deep.
  
  Robbie Allen and Richard Puckett have been fairly visible - Richard, I 
  can't say why he hasn't been here. Robbie, though - I can speak 
  for. I KNOW what he's doing :-) He'll be free(er) 
  shortly..
  
  -rtk
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
  Sent: Wednesday, June 11, 2003 9:59 PM
  To: [EMAIL PROTECTED]

  It will definitely be fun. I personally am waiting for a
  Gil Kirkpatrick sighting, I hear he wanders these halls. ADFIND (and
  every other LDAP joeware tool) wouldn't exist except for Gil and his
  book and that would be a sad thing for me because I love those
  tools.
  
   joe
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 10:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain
Yeah! LOL! That's waay too good.

Glad you could make it. You will certainly be a worthy addition 
to the characters that wander in here.

-rtk



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Wednesday, June 11, 2003 9:37 PM
To: [EMAIL PROTECTED]

Everyone kept saying, join activedir join activedir, so
I stumbled in fashionably late and three sheets to the wind... The only way
to make an entrance. ;o)

So where were we, I believe we were discussing slapping MIT Kerberos and
OpenLDAP on a Linux box and calling it OverActive Directory?




  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, June 11, 2003 10:28 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Installing Windows 2003 servers to Windows 2000 Domain
  Mr. Richards. welcome to the party. ;-)


  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
  Sent: Wednesday, June 11, 2003 8:54 PM
  To: [EMAIL PROTECTED]

  I agree with Rick completely. I work for a very large
  organization and policy is policy. Not only will we not let you put them
  into our Active Directory, I have a script that will find them and throw
  the machine objects into an Enterprise Admin Access only OU and disable
  and smack the ACL of the offending object if you somehow sneak one in. So
  not only do they not get to use the server anymore, they can't even use
  that server name again. We catch more than a couple of occurrences of this
  and we take away their ability to add anything and let

RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

2003-06-11 Thread Free, Bob



glad you are here, joeware rocks!

Don't think I have ever taken the time to thank you for the tools you make available,
not because I'm not appreciative, just fundamentally lazy.

So, thanks for all past joeware and looking forward to more :-]



From: Joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 7:37 PM
To: [EMAIL PROTECTED]

Everyone kept saying, join activedir join activedir, so I
stumbled in fashionably late and three sheets to the wind... The only way to
make an entrance. ;o)

So where were we, I believe we were discussing slapping MIT Kerberos and OpenLDAP
on a Linux box and calling it OverActive Directory?



  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, June 11, 2003 10:28 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Installing Windows 2003 servers to Windows 2000 Domain
  Mr. Richards. welcome to the party. ;-)


  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
  Sent: Wednesday, June 11, 2003 8:54 PM
  To: [EMAIL PROTECTED]

  I agree with Rick completely. I work for a very large
  organization and policy is policy. Not only will we not let you put them into
  our Active Directory, I have a script that will find them and throw the
  machine objects into an Enterprise Admin Access only OU and disable and smack
  the ACL of the offending object if you somehow sneak one in. So not only do
  they not get to use the server anymore, they can't even use that server name
  again. We catch more than a couple of occurrences of this and we take away
  their ability to add anything and let their managers know that we did it and
  why.

  While I understand why people want to put them in (I in fact want to as
  well), we want a centralized controlled IT structure and the best way to
  maintain or reduce costs is to have a handle on what is in production. We do
  not have an official company load for W2K3 yet with all of the certified
  drivers and antivirus software so we don't want anyone deploying anything on
  it because anything they deploy we know will have to be revisited and is a
  possible breeding ground of viri, worms, and support issues with no
  escalation paths.
  
  Tough love I guess. 
  
   joe
  
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 7:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installing Windows 2003 servers to Windows 2000 Domain
Justifying it technically is going to be a problem, as there are no 
real 'downfalls'.

However - if they don't want them - stick to your guns. Policy 
says NO. If there are any questions, refer to latter 
statement.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pennell, Ronald B.
Sent: Wednesday, June 11, 2003 2:48 PM
To: [EMAIL PROTECTED]


Has anyone come across any problems with installing the new windows 2003 servers
to the Windows 2000 site?
Running W2K with SP3 and Exchange 2000 all in native modes. Our company is having a storm of
interns coming in and wanting to run projects on a W2k3 server. Other than it is against
company policy not to allow users to install servers, or even their own
systems. Management is trying to come up with
some negatives to this, other than just saying it is against company
policy.

Ron Pennell
[EMAIL PROTECTED]


RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

2003-06-11 Thread Rick Kingslan



I've got about 5 more to go (including the Appendix) but I just got Chp 14 today -
and it's right in my Wheelhouse. Sec and Auth - so I've got to spend a bit
of extra time there and add some value. Got a bit sidetracked by an MS
Security Guide. I'll have to tell you the whole story on this one
sometime. I may not be doing review work on MS documents any time
soon. Waste of 5 days for nothing at all. I'm sure that the paper
will be fine, but quite a bit of a disappointment for the work that I put into
it.

E2K goodness, here we go again. Now I'm intrigued. "the
dirty secret about msExchSecurityDescriptor". What did you learn that
caused this kind of turmoil in Blue Oval-ville? I do like the inefficient
query logging thing. I'm looking for a reason to piss off my Exchange
admins - I just have to wait for it to happen. I now have the
punishment. :-

Oh, how I wish Laura - and all of her vicious 'don't like it my way? Tough -
eat $%)@!' would hang around here now and again. Yeah, she'd spice things
up! Hehe. Finally met her face to face in San Francisco at the
Launch. She's more fun in person!

Thomas I haven't seen here. Dean, for a while, but he's doing the whole "Teach
PSS Windows 2K3", and is constantly on the road. Abell I can't get
involved in anything. He's quite the character, and very set in his
ways. Ace, sadly - no. Jimmy shows up when he's not busy. He's
doing much the same as Dean, but in the EU.

-rtk



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Wednesday, June 11, 2003 10:46 PM
To: [EMAIL PROTECTED]

Well that sucks about Gil, I'll have to see if I can start
some down and dirty threads to pull him out of the corner.

I owe Richard a note, don't let him know I am here... s... peers
about

I read like 6 last night, 2 more tonight and my part will be done and Robbie should be
cool. Now I get to focus full time on trying to dress that E2K pig up
and making it dance and pretend to be a scaleable properly manageable mail
system. I just learned the dirty secret about msExchSecurityDescriptor this
afternoon and stomped out of the lab in disgust, not even sure why they used the
attribute at all. Either do it in the store or do it in the directory, one or
the other, JUMP! Reminds me of the parable of the grape who couldn't figure out
which side of the road was better and squish. Because of that and I think
for fun and to egg on the Premier guys this week I am going to turn on
inefficient query logging on the Exchange lab DC's to see how funny it is.
;oP

We have indexed objectclass now so that should help it out quite a bit. Definitely
helped out with some of the other poorly written apps running around that were
experiencing time outs. We were told we could probably expect a 25-30%+ DIT
size growth doing that, it was a tiny growth, indexed a whole bunch of other
attributes as well and our GC DIT only grew by like 100-150MB which is a
drop in the bucket to the 6GB GC DIT.

Ah, I need to get back into Word. Though before I go does Laura hang out here as well?
How about Dean/Roger/Ace/Jimmy/Thomas and the rest of the
troublemakers?



  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, June 11, 2003 11:05 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain
  Sadly, Gil has not been spending as much time here as he has in the 
  past. Not sure why. He does post now and then - especially when 
  the replication or lower level programming talk gets deep.
  
  Robbie Allen and Richard Puckett have been fairly visible - Richard, I 
  can't say why he hasn't been here. Robbie, though - I can speak 
  for. I KNOW what he's doing :-) He'll be free(er) 
  shortly..
  
  -rtk
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
  Sent: Wednesday, June 11, 2003 9:59 PM
  To: [EMAIL PROTECTED]

  It will definitely be fun. I personally am waiting for a
  Gil Kirkpatrick sighting, I hear he wanders these halls. ADFIND (and
  every other LDAP joeware tool) wouldn't exist except for Gil and his
  book and that would be a sad thing for me because I love those
  tools.
  
   joe
  
  

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 10:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain
Yeah! LOL! That's waay too good.

Glad you could make it. You will certainly be a worthy addition 
to the characters that wander in here.

-rtk



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Wednesday, June 11, 2003 9:37 PM
To: [EMAIL PROTECTED]

Everyo

RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

2003-06-11 Thread Joe



I am 
in 14 right now actually. Last one thank the lord, it has been a long couple of 
weeks lately. We got smacked by the stupid MUMU worm and it was kind of a pain 
in the ass. I put in a good 30-40 hours Sat 2AM-Mon 4AM all by itself. The 
weekend before we had a schema update which had me in nursing the replication 
for the whole weekend, didn't think Singapore would ever come back to the light. 


LOL on 
the security guide and the reviewing. Hey on another MS topic have you seen an 
AD FAQ out on MS site at all yet? I was working with Levon et al on it and 
haven't heard anything for a while and when I went and peeked around I didn't 
see anything but I admit to probably looking in the wrong spots. 


msExchSecurityDescriptor is nothing really. Basically it is only really 
used prior to a mailbox being created. What I mean by that is that if you ever 
set that value and the store has already allocated for the user (they opened the 
mailbox or got mail) the value you set will get smacked when the store realizes 
it. If you set it prior to the store allocating the user the perms will go onto 
the user, but won't necessarily be the only perms depending on inheritance set 
up on the store. Also you can read that descriptor and be sure that the perms it 
lists are what are in the store, again because of inheritance. So basically it 
is a waste of space for setting security and a waste of space for reading it. 
Only real way is through cdoexm calls layered on the normal ADSI stuff. I think 
it was called the mailboxrights attrib. That will figure out where to go change 
the perms, either in AD prior to the allocation or to the store afterward. 


Also 
fighting with the whole disconnected mailbox thing, if MCS can't get an answer 
out of the Dev group pretty soon I am just going to escalate full tilt like you 
guys were recommending. Our main security manager got called out to Redmond for 
a one day committee meeting, we asked that he mention it to the guys sitting in 
the room with him to get them to ask their subordinates to give it a little 
attention but not sure if he did. Some of our email dev folks were at teched 
last week and they kept getting the response of upgrade to 2k3 which is a stupid 
response, it isn't out yet, fix your shit. This is supposed to be enterprise 
class, expose the api's so we can handle what you didn't think 
to.

I love 
Laura, she totally rocks. I had a few small tiffs with her in the newsgroups way 
back when but once I met her and listened to her for 5 minutes decided right 
away she is my kind of people and quite fun to look at, especially when she is 
asked a question she isn't quite sure on as she screws up her face to 
answer, and then starts to talk then screws up her face again. I hope to cross 
paths with her again somewhere but for a longer period. I finally met her when I 
was out in Redmond for the 2k3 RAP last September. You just want to say to her, 
let's go grab a case of beer and start arguing opinions because you know there is 
going to be some seriously good fighting. :o)

 
joe



  
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Thursday, June 12, 2003 1:02 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

  I've got about 5 more to go (including the Appendix) but I just got Chp 14 today - 
  and it's right in my Wheelhouse. Sec and Auth - so I've got to spend a 
  bit of extra time there and add some value... Got a bit sidetracked by 
  an MS Security Guide... I'll have to tell you the whole story on this one 
  sometime. I may not be doing review work on MS documents any time 
  soon. Waste of 5 days for nothing at all. I'm sure that the paper 
  will be fine, but quite a bit of a disappointment for the work that I put into 
  it.
  
  E2K... goodness, here we go again. Now I'm intrigued. "the 
  dirty secret about msExchSecurityDescriptor". What did you learn that 
  caused this kind of turmoil in Blue Oval-ville? I do like the 
  inefficient query logging thing. I'm looking for a reason to piss off my 
  Exchange admins - I just have to wait for it to happen. I now have the 
  punishment. :-
  
  Oh, 
  how I wish Laura - and all of her vicious 'don't like it my way? Tough - 
  eat $%)@!' would hang around here now and again. Yeah, she'd spice 
  things up! Hehe. Finally met her face to face in San Francisco 
  at the Launch. She's more fun in person!
  
  Thomas I haven't seen here. Dean, for a while, but he's doing the 
  whole "Teach PSS Windows 2K3", and is constantly on the road. Abell I 
  can't get involved in anything. He's quite the character, and very set 
  in his ways, Ace, sadly - no. Jimmy shows up when he's not 
  busy. He's doing much the same as Dean, but in the 
  EU.
  
  -rtk
  
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On 

RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

2003-06-11 Thread Joe



LOL, 
no problem, glad you like the tools, that is why I put them out 
there.

So 
many things lacking that need to be done... so little time, especially when it 
is for free. ;oP~ I really have some serious updates coming for ADFIND or 
at least I want them to be coming, I want to restructure and go to V2 and add 
Security Descriptor stuff and decoding of more values like useraccountcontrols, 
et al and also allowing reencoding of nice names into blobs for searching if 
possible. However I expect that I will be gearing a little towards E2K right now 
as that is what my paying job is throwing me into now. 

Note 
that if you hadn't heard joeware has been getting shut down at the end of the 
month or so every month lately so I moved it to a new provider so that shouldn't 
happen for a bit now. Man I got some serious flames when that would happen 
too, made me laugh pretty hard. I also finally killed the midi's that everyone 
bitched about. I started seeing how much bandwidth those little things were 
taking up and decided I didn't like them that much either. 
eg

Anyway, thanks for the welcome. Hopefully I can contribute my share. 
:o)

 
joe

  
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
  Sent: Thursday, June 12, 2003 12:12 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] [OT] Installing Windows 2003 servers to Windows 2000 Domain

  glad 
  you are here, joeware rocks!
  
  Don't think I have ever taken the time to thank you for the tools you 
  make available, not because I'm not appreciative, just fundamentally 
  lazy.
  
  So, 
  thanks for all past joeware and looking forward to more 
:-]
  
  
  
  From: Joe [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, June 11, 2003 7:37 PM
  To: [EMAIL PROTECTED]
  
  Everyone kept saying, join activedir join activedir, so I 
  stumbled in fashionably late and three sheets to the wind... The only way to 
  make an entrance. ;o) 
  
  So 
  where were we, I believe we were discussing slapping MIT Kerberos and OpenLDAP 
  on a Linux box and calling it OverActive Directory? 
  
  
  

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 11, 2003 10:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installing Windows 2003 servers to Windows 2000 Domain

Mr. Richards. welcome to the party. 
;-)


Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Wednesday, June 11, 2003 8:54 PM
To: [EMAIL PROTECTED]

I agree with Rick completely. I work for a very large 
organization and policy is policy. Not only will we not let you put them 
into our Active Directory, I have a script that will find them and throw the 
machine objects into an Enterprise Admin Access only OU and disable and 
smack the ACL of the offending object if you somehow sneak one in. So not 
only do they not get to use the server anymore, they can't even use that 
server name again. We catch more than a couple of occurrences of this and we 
take away their ability to add anything and let their managers know that we 
did it and why. 

While I understand why people want to put them in (I in fact want to 
as well), we want a centralized controlled IT structure and the best way to 
maintain or reduce costs is to have a handle on what is in production. We do 
not have an official company load for W2K3 yet with all of the certified 
drivers and antivirus software so we don't want anyone deploying anything on 
it because anything they deploy we know will have to be revisited and is a 
possible breeding ground of viri, worms, and support issues with no 
escalation paths. 

Tough love I guess. 

 joe



  
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, June 11, 2003 7:24 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Installing Windows 2003 servers to Windows 2000 Domain

  Justifying it technically is going to be a problem, as there are no 
  real 'downfalls'.
  
  However - if they don't want them - stick to your guns. 
  Policy says NO. If there are any questions, refer to latter 
  statement.
  
  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pennell, Ronald B.
  Sent: Wednesday, June 11, 2003 2:48 PM
  To: [EMAIL PROTECTED]
  
  
  Has 
  anyone come