[ActiveDir] Identify STATIC records in AD DNS

2004-06-07 Thread Jef
Hi there,

Does anyone know of a way to programmatically identify STATIC records within
an AD integrated DNS zone?

The DNS manager gui can show if a record has a timestamp or not, but with
100's of thousands of records you can't check them all.

I've looked for a property I can search on using ADSI or WMI, but have not
found anything consistent.

The closest I found is the AD property dnsIsTombstoned.  It appears to have
3 values:

TRUE = Already tombstoned and will be replicated
FALSE = Not tombstoned yet, but can be
not set = Will not be scavenged.

This is not 100% though, so I think I am missing something else.

Thanks,

Jef Kazimer



List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
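The question above asks for a programmatic way to tell static from dynamic records. The following is an added example, not code from the thread or from Microsoft: it decodes the binary dnsRecord attribute stored on each AD-integrated DNS node. The field layout is the DnsRecord structure from the MS-DNSP protocol specification (section 2.3.2.2) as I read it: a 24-byte header followed by type-specific data, where TimeStamp is the number of hours since 1601-01-01 UTC at which the record was last refreshed and a value of 0 marks a static record. The sample blobs are constructed by build_a_record rather than read from a domain controller.

```python
# Added example (not code from the thread or from Microsoft): decode the binary
# dnsRecord attribute of an AD-integrated DNS node so static records can be
# identified programmatically instead of by eye in the DNS console.
# Layout assumed here is the DnsRecord structure of MS-DNSP section 2.3.2.2:
# a 24-byte header (DataLength, Type, Version, Rank, Flags, Serial, TtlSeconds,
# Reserved, TimeStamp) followed by the type-specific data. TimeStamp is hours
# since 1601-01-01 UTC; 0 means static (never aged or scavenged).
import struct
from datetime import datetime, timedelta, timezone

DNS_TYPE_A = 0x0001
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_dns_record(blob: bytes) -> dict:
    """Decode one dnsRecord value into a dictionary of header fields."""
    if len(blob) < 24:
        raise ValueError("dnsRecord value shorter than the 24-byte header")
    # Little-endian fields: DataLength, Type, Version, Rank, Flags, Serial.
    data_len, rtype, version, rank, flags, serial = struct.unpack_from("<HHBBHL", blob, 0)
    # TtlSeconds is the one big-endian (network order) field in the header.
    (ttl,) = struct.unpack_from(">L", blob, 12)
    # Reserved and TimeStamp are little-endian again.
    reserved, timestamp = struct.unpack_from("<LL", blob, 16)
    data = blob[24:24 + data_len]
    if len(data) != data_len:
        raise ValueError("DataLength exceeds the bytes actually present")
    record = {
        "type": rtype, "version": version, "rank": rank, "flags": flags,
        "serial": serial, "ttl": ttl, "timestamp": timestamp, "data": data,
    }
    if rtype == DNS_TYPE_A and data_len == 4:
        record["address"] = ".".join(str(b) for b in data)
    return record


def is_static(record: dict) -> bool:
    """A zero TimeStamp marks a static record; any other value means dynamic."""
    return record["timestamp"] == 0


def timestamp_to_datetime(hours: int):
    """Convert TimeStamp (hours since 1601-01-01 UTC) to a datetime; None for static."""
    if hours == 0:
        return None
    return FILETIME_EPOCH + timedelta(hours=hours)


def summarise(blobs) -> dict:
    """Count static versus dynamic records across an iterable of dnsRecord values."""
    counts = {"static": 0, "dynamic": 0}
    for blob in blobs:
        counts["static" if is_static(parse_dns_record(blob)) else "dynamic"] += 1
    return counts


def build_a_record(address: str, ttl: int, timestamp: int, serial: int = 1) -> bytes:
    """Constructed test data: encode an A record in the same layout (not read from AD)."""
    data = bytes(int(octet) for octet in address.split("."))
    header = struct.pack("<HHBBHL", len(data), DNS_TYPE_A, 5, 0xF0, 0, serial)
    header += struct.pack(">L", ttl) + struct.pack("<LL", 0, timestamp)
    return header + data


if __name__ == "__main__":
    # Two constructed records: one static, one refreshed by dynamic update.
    sample = [build_a_record("10.0.0.5", 3600, 0), build_a_record("10.0.0.6", 1200, 3550152)]
    for blob in sample:
        rec = parse_dns_record(blob)
        print(rec["address"], "static" if is_static(rec) else "dynamic",
              timestamp_to_datetime(rec["timestamp"]))
    print(summarise(sample))
```

In practice the blobs come from the multi-valued dnsRecord attribute of each dnsNode object under the zone container (read with ADSI or an LDAP search), so the same parser can walk a zone of any size and report which records scavenging will never touch.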


Re: [ActiveDir] Show the EmployeeID field within ADUC

2006-07-20 Thread jef



The request to view attributes outside of those allowed with the standard ADUC display DLLs seems to come up a lot. I am surprised that in the newer MMC and tools they did not come up with an SDK that is more obtainable for the admins who are not programmers. I have never liked the idea of using custom script additions, but it's one of the better options if you do not have the programming resources for a custom DLL.

I suppose this has always been the arena of 3rd parties to supply their tools for custom management, but it would be nice to have a nice GUI based config for distributing a custom ADUC.

We have pretty much abandoned the ADUC tool for most admins in favor of a homegrown ASP.NET app because of the need to expose more attributes than the standard ADUC displays.

The MMC is such a good concept, but to fully leverage it, it seems you do need a programming skillset which many AD shops may not be able to leverage.

just my 2c 


  - Original Message -
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, July 20, 2006 8:34 AM
  Subject: RE: [ActiveDir] Show the EmployeeID field within ADUC
  
  The below is non-trivial, whilst exposing the data via a 
  context menu option (i.e. right click user, select 'show emp id') is far 
  simpler.
  
  A good example can be found here:
  http://www.petri.co.il/add_unlock_user_option_to_dsa.htm
  
  You'll need to write a script to go get the emp id and 
  make changes in the Config partition.
  
  
  neil
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: 20 July 2006 14:13
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Show the EmployeeID field within ADUC
  
  One of our admins has populated the EmployeeID field within AD. We would now like this field to be visible to all of our admins but are unsure how to make it appear on any of the tabs within the user's account in ADUC. Any suggestions on how to make this field appear on a user's account information?

  BONNIE POHLSCHNEIDER
  COPELAND HELP DESK
  937-493-2333 or Ext. 2333
  
  PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.



Re: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread jef



neil,

In a re-design we are moving away from using our existing COM TLD, and moving to a CORP TLD.

I.e. COMPANY.COM is now COMPANY.CORP for the internal Forest name and DNS zone.

There are issues with having COMPANY.COM internal and external from a DNS routing perspective, so we want to remove any possible assumption that they are the same thing.

Thanks,

Jef

  - Original Message -
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Friday, July 21, 2006 4:19 AM
  Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory
  
  Thanks Peter.
  
  Are we referring to same thing?
  
  I refer to the suffix at the end of the DNS name - e.g. I refer to 'blob' in 'neil.blob'.

  I am not referring to the 'neil' part.
  
  Does your response still hold?
  
  
  neil
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
  Sent: 21 July 2006 09:56
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory
  
  
  I've always gone the opposite way. I like the idea of using a completely non-standard TLD for my forest root so that if the company name changes etc it has no effect on the forest. It also enables you to split the internal DNS from the external DNS structure. If the internal DNS structure is ever published to the Internet it will simply be dropped.

  I always set mine up with non-standard TLDs and have never had any issues.
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: 21 July 2006 10:20
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Using non-standard TLDs within Active Directory
  
  Does anyone have experience or comments regarding the use of non-standard TLDs within a production AD forest?
  E.g. x.nom
  The name will be used within a production environment - a separate forest will exist for testing and QA.
  I've always preferred to use standard TLDs in prod [so the name can be registered etc] and permit the non-standard TLD in test forests only.
  Any comments?

  Thanks, neil
  

Re: [ActiveDir] DNS suffix resolution..

2006-07-31 Thread jef



just as an FYI:

If you specify a suffix search list, it will override the search that appends the parent suffixes of the primary DNS suffix.

So if you just specify:
domain2.domain1.com
domain3.domain1.com

and not

domain1.com

it will not search domain1.com since it is not specified in the Suffix Search List.

So if you want to still search the parent suffix, be sure to include it in the SSL.

Jef

  - Original Message -
  From: Matheesha Weerasinghe
  To: ActiveDir@mail.activedir.org
  Sent: Monday, July 31, 2006 4:13 AM
  Subject: Re: [ActiveDir] DNS suffix resolution..
  
  I assume you are using WINS and the DCs of child and parent domains are registered there. Therefore the netbios names are resolving.

  What happens when you try to ping the FQDN of the child domain server? Does that work? I think your issue is you want the child domain suffix to be appended automatically. My understanding is that it doesn't happen by default. However the reverse is true. If you are in a child domain and ping or attempt to resolve a name, it tries its own domain suffix before attempting to append the parent domain suffixes. This is true as long as you haven't disabled the default behaviour, haven't modified this through GPOs etc...

  You can also specify a list of search suffixes to go through in a certain order if you wish.
  M@
  On 7/30/06, HBooGz [EMAIL PROTECTED] wrote:

I have a forest with one forest root and one child domain. The child domain is running windows 2000 SP4 and the HQ sites are running windows 2003 R2 standard. I have the child domain controller setup as an AD-integrated zone and i have the 2003 DNS servers setup to receive that zone as a secondary zone. if i don't include the suffix search order on the nic cards' dns entry page, i just resolve the netbios names of the hosts at the remote site. for example:

hq = company.com
child domain = sales.company.com

when i initiate a ping from any host at HQ to a host in the child domain i only resolve the netbios name. how can i resolve this? I've tried setting up dns name delegation in the past when i was running a full 2000 domain, but that name resolution never worked right and it wasn't timely.

thanks,
--
HBooGz:\
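To make the suffix-list behaviour in this thread concrete, here is an added example (not code from the thread or from Windows) that models which FQDNs a Windows DNS client will try for a single-label name. It assumes the documented resolver rules: with no Suffix Search List the client appends the primary DNS suffix and then devolves it, dropping the leftmost label until the second-level domain is reached; once a Suffix Search List is configured, only the suffixes in that list are appended, in order, and devolution is not used. The helper parents_missing_from_search_list is the check an admin would run on a proposed list to catch the exact omission Jef warns about.

```python
# Added example (not code from the thread or from Windows): model the FQDNs a
# Windows DNS client tries for an unqualified single-label name.
# Assumed rules: no Suffix Search List -> primary suffix, then devolved parents
# down to the second-level domain; a Suffix Search List -> only the listed
# suffixes, in order, with no devolution of the primary suffix at all.


def devolved_suffixes(primary_suffix: str) -> list:
    """Primary suffix followed by each parent suffix down to the second-level domain."""
    labels = [label for label in primary_suffix.strip(".").lower().split(".") if label]
    suffixes = []
    while len(labels) >= 2:           # stop before devolving to a bare TLD such as "com"
        suffixes.append(".".join(labels))
        labels = labels[1:]
    return suffixes


def candidate_fqdns(name: str, primary_suffix: str, search_list=(), devolution=True) -> list:
    """Names the resolver will try, in order, for a single-label name."""
    if "." in name.strip("."):
        raise ValueError("this model only covers single-label names")
    if search_list:
        # A configured list replaces both the primary suffix and its devolution.
        suffixes = [s.strip(".").lower() for s in search_list]
    elif devolution:
        suffixes = devolved_suffixes(primary_suffix)
    else:
        suffixes = [primary_suffix.strip(".").lower()]
    return [f"{name.strip('.')}.{suffix}" for suffix in suffixes]


def parents_missing_from_search_list(primary_suffix: str, search_list) -> list:
    """Suffixes devolution would have tried that the configured list leaves out."""
    configured = {s.strip(".").lower() for s in search_list}
    return [s for s in devolved_suffixes(primary_suffix) if s not in configured]


if __name__ == "__main__":
    primary = "domain2.domain1.com"                       # constructed, as in the thread
    proposed = ["domain2.domain1.com", "domain3.domain1.com"]
    print("no search list:", candidate_fqdns("host", primary))
    print("with search list:", candidate_fqdns("host", primary, proposed))
    print("parents the list drops:", parents_missing_from_search_list(primary, proposed))
```

Running it shows that host.domain1.com is a candidate only in the first case; adding domain1.com to the list is what restores the parent lookup.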



Re: [ActiveDir] Single Space in LDAP query dropped: Why?

2006-08-18 Thread jef

Joe,

Yup, escaping the character worked like a charm.

Joe mentioned that the query appears to be trimmed, so that seems to be what 
is happening.


Thanks,

Jef

- Original Message -
From: Joe Kaplan [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, August 18, 2006 8:33 AM
Subject: Re: [ActiveDir] Single Space in LDAP query dropped: Why?

I'm pretty sure that's part of the RFC spec.  A space at the beginning or 
end of a query value will be ignored.  Your space in this example would be 
both.  Did you try escaping it to see if that works?


Joe Kaplan
- Original Message - 
From: Jef Kazimer

To: ActiveDir@mail.activedir.org
Sent: Friday, August 18, 2006 12:15 AM
Subject: [ActiveDir] Single Space in LDAP query dropped: Why?


I had posted this today, and I was curious if anyone knew why an LDAP filter drops the query when searching for a single space value?  Though I was using Joe's ADfind, I did have the same results in ADSIedit, and thought someone better than I may know why.  It's not really a problem, just a curiosity.


Thanks,

Jef


http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!642.entry

LDAP queries are spaced out...
I was looking at a metaverse object in MIIS today and noticed some admin had set the mail attribute to a single SPACE ( ) character.  The Metaverse is stored in a SQL server, so naturally the query structure is different than any constraints of LDAP.
I wanted to discover how many other user objects had the same issue, so I decided to pull out ADfind and issue this command:

ADFIND -H MYSERVER -DEFAULT -F (&(objectCategory=person)(mail= )) -C
0 found
ok, so I thought it was my lack of quoting and tried:
ADFIND -H MYSERVER -DEFAULT -F (&(objectCategory=person)(mail=' ')) -C
0 found
Since it's command line I was sure that the quoting would encapsulate it correctly, so I figure it is being stripped out by the LDAP query (I made this same Query in ADSIedit and LDP with no luck) so perhaps there is an escape character for such a thing.  I have done many queries with filters like description=The Man, and the space was interpreted correctly.  Yet it seems, a single space, by itself is not passed to the query correctly.
So I check out the uber friendly RFCs and find escape characters for types such as * and NUL, but really no mention of a single space as anything special.  I checked the LDAP V3 RFC as well for any real mention of if and when a single space is dropped from the query, finding nothing related.
Fortunately, using the escaped sequence in the query (mail=\20) to represent a space worked just fine and returned the object I was looking for.

ADFIND -H MYSERVER -DEFAULT -F (&(objectCategory=person)(mail=\20)) -C
48 found
So LDAP filters can contain spaces as the value being queried for, but cannot be a single space without using an escape sequence to represent the value.
I suppose it's kind of silly, but I had never really looked for such an occurrence before, so it was an interesting learning experience.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


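The escape sequence that solved the problem above generalises into a helper worth having in any tool that builds LDAP filters from data. The following is an added example, not code from the thread or from AdFind: it encodes a value as an RFC 4515 assertion value (RFC 4515 supersedes the RFC 2254 the thread cites), escaping the five mandatory characters (*, (, ), \ and NUL), control and non-ASCII bytes, and a leading or trailing space as \20 so a server that trims whitespace still sees it. The same escaping is what stops user-supplied input from changing the structure of a filter, so the second call in the main block shows a metacharacter-laden value being neutralised.

```python
# Added example (not code from the thread or from AdFind): escape a value
# before placing it in an LDAP search filter, per RFC 4515 (successor of
# RFC 2254). Leading/trailing spaces are escaped as \20 to survive trimming,
# which is the case the thread ran into.

_MUST_ESCAPE = {0x2A, 0x28, 0x29, 0x5C, 0x00}   # * ( ) \ NUL


def escape_filter_value(value: str) -> str:
    """Return value encoded as an RFC 4515 assertion value."""
    data = value.encode("utf-8")
    last = len(data) - 1
    out = []
    for i, byte in enumerate(data):
        if byte in _MUST_ESCAPE or byte < 0x20 or byte >= 0x80:
            out.append("\\%02x" % byte)          # mandatory, control and non-ASCII bytes
        elif byte == 0x20 and (i == 0 or i == last):
            out.append("\\20")                   # a leading/trailing space must not be trimmed
        else:
            out.append(chr(byte))
    return "".join(out)


def build_and_filter(**assertions) -> str:
    """Build an AND filter, e.g. (&(objectCategory=person)(mail=\\20)), from attribute=value pairs."""
    terms = "".join(f"({attr}={escape_filter_value(str(val))})" for attr, val in assertions.items())
    return f"(&{terms})"


if __name__ == "__main__":
    # The thread's query, with the single-space value escaped automatically.
    print(build_and_filter(objectCategory="person", mail=" "))
    # Untrusted input containing filter metacharacters is escaped, not interpreted
    # (constructed sample; the value is deliberately hostile-looking).
    print(build_and_filter(sAMAccountName="*)(objectClass=*"))
```

Values with an interior space, such as description=The Man, pass through unchanged, matching the observation in the thread that only an isolated space needs the escape.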


Re: [ActiveDir] Single Space in LDAP query dropped: Why?

2006-08-18 Thread jef

It's .NET - Get it right! ;)



- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, August 18, 2006 10:15 PM
Subject: RE: [ActiveDir] Single Space in LDAP query dropped: Why?

You NET programmers ;o) 



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Friday, August 18, 2006 11:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Single Space in LDAP query dropped: Why?

Me too.  I was that lazy. :)

Joe Kaplan
- Original Message - 
From: joe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, August 18, 2006 5:46 PM
Subject: RE: [ActiveDir] Single Space in LDAP query dropped: Why?



I have it bookmarked. :)

LDAP V3 - http://www.faqs.org/rfcs/rfc2251.html
LDAP Attribute Syntax - http://www.faqs.org/rfcs/rfc2252.html
LDAP DN representation - http://www.faqs.org/rfcs/rfc2253.html
LDAP Search Filters - http://www.faqs.org/rfcs/rfc2254.html
LDAP URL Format - http://www.faqs.org/rfcs/rfc2255.html
LDAP V3 X500 User Schema - http://www.faqs.org/rfcs/rfc2256.html





Re: [ActiveDir] Secure LDAP queries from the outside

2006-08-22 Thread jef



This might be already tried, but did you try running pkiview.msc from the machine? This checks the availability of the CRL from the current client against the CRL locations of http and/or AD.

I had an issue awhile back when trying to read a http based CRL, that it could not connect due to an issue in the internal PAC script, which was not directing the client correctly.

Jef


  - Original Message -
  From: steve patrick
  To: ActiveDir@mail.activedir.org
  Sent: Tuesday, August 22, 2006 11:53 AM
  Subject: Re: [ActiveDir] Secure LDAP queries from the outside
  
  You cannot remove a CDP extension from a specific template - it is configured for all certs issued from the issuing CA.
  If he plans to have clients from outside his network access the DC's over LDAPS - he should reconfigure the CA to include a CDP which is available outside of his network.
  
  my .02
  
  steve
  
  
- Original Message -
From: Bernier, Brandon (.)
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 22, 2006 9:14 AM
Subject: RE: [ActiveDir] Secure LDAP queries from the outside


Are you publishing a CRL? If so then it must use the path to the CRL that's specified in the certificate or it bombs out (latency to the hosting CRL server will kill it too..forgot the exact value). Why do you need CRL checking on your DC's? Doesn't that make you question who is on your DC's that would make you revoke a cert among other things? I would modify the template (if you're using an Enterprise CA) and reissue the certs without a CRL and make sure the clients have the public key to your Root CA in their trusted root store. Something to ponder.

-Brandon


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside


Hi Robert,

Yes, the command is *exactly* the same. We are thinking that our CRL location is not available outside of the firewall. We generate our own certificates; we don’t use a “well known” provider.

Mike Thommes





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Tuesday, August 22, 2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Hey Mike,

When you say “It works fine behind our firewall”, are you meaning that the *exact same* command line works and you get the object returned?

I tried using adfind to connect to my test DC using port 636 and got the exact same error…but I don’t have a cert installed on my DC so I’d expect mine not to work.

Robert Williams



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure LDAP queries from the outside

Hi,
We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue. Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using “adfind”:

adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
Terminating program.

(extensionAttribute2 is used for email address)

Portqry shows that the DC is listening on port 636. Using “ldp”, the bind operation seems to want to default to port 389 (which is not open).

It works fine behind our firewall. Is there some other port that needs to be open (besides 389)? Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way? Any help is appreciated!

TIA,
Mike Thommes



2006-08-22, 10:35:32
The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.


Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread jef

Tony,

I have to wonder what is classified as a special circumstance, since I suppose they are all sort of special.

I have used Bind Redirection with MIIS/IIFP for quite a few scenarios:

Corporate Spinoff:

We needed to split off a portion of our users into a new company, and an entirely new forest.  To solve the issue of apps only binding to a single NC, we used MIIS to populate an ADAM instance that contained active users from both forests during the TSA.

Corporate Acquisitions:
Similar situation, where we needed to combine users into a single NC.

Having more than 1 user domain, and an app that can ONLY bind to a single Domain/NC.

Custom Schema extensions for an application that is not an enterprise class application. You may not want to extend AD for a small subset of users. Extend the ADAM schema for the application, but proxy the user authentication back to the main AD.

It also helps with audit and compliance, where you are really only managing a single user principal, but proxying apps to it.

Unfortunately, LDAP seems to be the de facto standard for applications.  With that, simple bind seems to be the way of choice.  I would say many are Java apps where I think someone wrote a howto many years ago, and I keep seeing the same thing come in as Authentication.

Some big name apps from Lotus/IBM, Documentum all have/had issues with only pointing to a single NC, so I don't want to say it's only smaller developers.  Many of the companies I've worked at have had more than a single domain, so I am surprised that so many enterprise apps assume a single NC for authentication.

I can't solve the problems at the app level, but I try to solve it at the centralized directory level.


Thanks,

Jef


- Original Message -
From: Tony Murray [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 9:27 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password

My impression from reading the on-line documentation is that the use of 
ADAM Proxy Objects and bind redirection is frowned upon anyway.


Proxy users are designed for special circumstances and should only be 
used as a last resort, when Windows principals cannot be used directly.


and

ADAM bind redirection should be used only in special cases where an 
application can perform a simple LDAP bind to ADAM but the application 
still needs to associate the user with a security principal in Active 
Directory.


From 
http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx?mfr=true


Is there no way for the application to use the recommended alternative, 
i.e. where ADAM receives a SASL bind request and forwards the request to 
Active Directory?


Tony

-- Original Message --
From: Jef Kazimer [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 28 Sep 2006 21:17:39 -0500

Eric,

The problem stems from lack of ability to modify the application to correct the behavior.  If I had the ability to force this, I would simply require null/blank not to be passed to the ADAM server from the application.

I've been at odds about the DCR myself, for all the reasons you mentioned. Yet, without the ability to control the applications, the only thing I can control is the directory itself.  Without a mechanism to disable such behavior, I am without recourse unfortunately.

So far, I've been able to avoid this problem, because for the 2 apps I had this happen with, the developer was able to modify the authentication dialog. I have had other apps with other issuers, where modification was not possible. These did not suffer this poor design issue, but I wonder if I will get such an app eventually.  I suppose I am just trying to solve a problem I have not been forced to solve by this method, which means it can wait.

I could go into how it would be nice to have enterprise application minimum standards, and application owners involve infrastructure staff BEFORE an app is purchased, instead of after when it doesn't work, but I won't :)

Jef


- Original Message -
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 8:48 PM
Subject: RE: [ActiveDir] ADAM bind Redirection with a NULL password

One solution would be to ACL all objects such that SELF can read them, then have the app, after it has authenticated as the user, try and read something on the user itself. This way you know you are in fact that user (or someone else that has read access, which presumably won't work as anonymous).

In terms of your DCR...could such a bit be put in? I guess. But DCRs that are filed with the intentional intent of going against an RFC typically have a rough time getting through even with a very strong business impact. And you have a workaround already in the app, and another solution I mentioned above. Just setting expectations...

~Eric
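The null-password problem this thread is about, and Eric's post-bind read check, can be shown end to end without a directory server. The following is an added example, not code from the thread or from ADAM: a simple bind that sends a DN with an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), and a server that accepts it answers success while granting only anonymous rights, so an application that equates "bind succeeded" with "password correct" admits anyone who leaves the password blank. SimulatedDirectory is a constructed stand-in that reproduces that behaviour; the DN, password and employeeID value are made up. naive_login shows the defect, guarded_login the two mitigations discussed above: refuse an empty password before any bind is sent, and prove the identity afterwards by reading an attribute that only SELF is permitted to read.

```python
# Added example (not code from the thread or from ADAM): the LDAP simple-bind
# pitfall the thread discusses, runnable offline. SimulatedDirectory is a
# constructed model of a server that accepts unauthenticated binds (DN plus
# empty password -> success, anonymous session), as RFC 4513 section 5.1.2
# describes. The user DN, password and attribute values are made up.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BindResult:
    success: bool
    identity: Optional[str]     # DN the session is authenticated as; None = anonymous


class SimulatedDirectory:
    """Constructed model of an LDAP endpoint that accepts unauthenticated binds."""

    def __init__(self, users: dict):
        # users: {dn: {"password": str, "attrs": {name: value}}}
        self._users = users

    def simple_bind(self, dn: str, password: str) -> BindResult:
        if password == "":
            # Unauthenticated bind: the server says success but the session is anonymous.
            return BindResult(success=True, identity=None)
        user = self._users.get(dn)
        if user is None or user["password"] != password:
            return BindResult(success=False, identity=None)
        return BindResult(success=True, identity=dn)

    def read_attribute(self, session: BindResult, dn: str, attr: str):
        # ACL as in Eric's suggestion: only SELF may read these attributes,
        # so an anonymous session gets nothing back.
        if session.identity != dn:
            return None
        return self._users[dn]["attrs"].get(attr)


def naive_login(directory: SimulatedDirectory, dn: str, password: str) -> bool:
    """The flawed pattern: any successful bind is taken as proof of the password."""
    return directory.simple_bind(dn, password).success


def guarded_login(directory: SimulatedDirectory, dn: str, password: str) -> bool:
    """Refuse empty passwords before binding, then verify the session really is the user."""
    if not password:
        return False                        # never send an unauthenticated bind
    session = directory.simple_bind(dn, password)
    if not session.success:
        return False
    # Post-bind proof: an anonymous session cannot read a SELF-only attribute.
    return directory.read_attribute(session, dn, "employeeID") is not None


def build_sample_directory() -> SimulatedDirectory:
    """Constructed sample data for the demo."""
    return SimulatedDirectory({
        "CN=alice,OU=Users,DC=example,DC=corp": {
            "password": "correct horse battery staple",
            "attrs": {"employeeID": "E1001"},
        }
    })


if __name__ == "__main__":
    d = build_sample_directory()
    alice = "CN=alice,OU=Users,DC=example,DC=corp"
    print("naive, blank password:  ", naive_login(d, alice, ""))     # True: the defect
    print("guarded, blank password:", guarded_login(d, alice, ""))   # False
    print("guarded, right password:", guarded_login(d, alice, "correct horse battery staple"))  # True
```

The client-side check is the cheap fix when the application can be changed; the post-bind read is the one that still works when it cannot, because it depends only on the directory's ACLs, which the directory owner controls.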

Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread jef

Joe,

FCB works with simple binds, and BR ONLY works with simple binds, so I 
suppose it's possible.


I've never coded to try however, but I could check it out.

Jef

- Original Message -
From: Joe Kaplan [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 10:12 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password

The problem is that this happens a lot.  There are simply tons of 
applications out there that don't use Windows SASL binds.  It would be 
nice if it wasn't this way, but that's the reality of LDAP auth, 
especially with vendors that don't use Microsoft's LDAP libraries.  I've 
got at least 6 of these at work right now.


The other thing that is hard to deal with is scenarios where you have a 
mix of ADAM and AD principals.  Since it isn't easy to tell apart ADAM 
from AD principals except for possibly by naming convention, it can be 
hard to know whether an app should do a simple or SASL bind for a given 
user in this use case.


So, the advice from MS is good, but not easy to follow.  Also, the feature 
is there to be used.


Another thing is that to use features like Fast Concurrent Bind, you have 
to do simple bind.  It isn't supported with SASL.


BTW, does FCB work with bind proxies?  I've never tried.

Joe K.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Thursday, September 28, 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM bind Redirection with a NULL password

Since there has been talk of LDAP Authentication as of late, I figured I'd post my issue of poorly developed applications allowing a null password to an ADAM instance using Bind Redirection.

http

Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread jef

Tony,


I have a workshop next week with a vendor to discuss an extranet solution. 
Unfortunately, LDAP auth is not going to be possible, since there will be no 
communication across the firewall.


I am steering them toward an ADFS solution, which I think will fit the bill 
better.  The issue will be, that it will require a 3rd party middleware to 
make work, which I am not sure they will be thrilled about.


Thanks for the thoughts on this.  Glad to know I'm not the only one 
struggling with bad apps! ;)


Jef



- Original Message -
From: Tony Murray [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 10:57 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password

Yes, I can see that Windows SASL binds might not be universally available 
;-)


Thinking about it, another problem with the SASL binds is that presumably 
the ADAM instance must be running on a server that is a member of the 
authenticating AD domain (or at least one that has a trust back to the 
authenticating domain).  This would limit its usefulness in extranet 
scenarios because of the ports that would have to be opened between ADAM 
and AD (assuming they are on opposite sides of a firewall).


Tony
-- Original Message --
From: Joe Kaplan [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 28 Sep 2006 22:12:34 -0500

The problem is that this happens a lot.  There are simply tons of
applications out there that don't use Windows SASL binds.  It would be nice
if it wasn't this way, but that's the reality of LDAP auth, especially with
vendors that don't use Microsoft's LDAP libraries.  I've got at least 6 of
these at work right now.

The other thing that is hard to deal with is scenarios where you have a mix
of ADAM and AD principals.  Since it isn't easy to tell apart ADAM from AD
principals except possibly by naming convention, it can be hard to
know whether an app should do a simple or SASL bind for a given user in this
use case.

So, the advice from MS is good, but not easy to follow.  Also, the feature
is there to be used.

Another thing is that to use features like Fast Concurrent Bind, you have to
do simple bind.  It isn't supported with SASL.

BTW, does FCB work with bind proxies?  I've never tried.

Joe K.

- Original Message - 
From: Tony Murray [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 9:27 PM
Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password



My impression from reading the on-line documentation is that the use of
ADAM Proxy Objects and bind redirection is frowned upon anyway.

Proxy users are designed for special circumstances and should only be
used as a last resort, when Windows principals cannot be used directly.

and

ADAM bind redirection should be used only in special cases where an
application can perform a simple LDAP bind to ADAM but the application
still needs to associate the user with a security principal in Active
Directory.

From
http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx?mfr=true

Is there no way for the application to use the recommended alternative,
i.e. where ADAM receives a SASL bind request and forwards the request to
Active Directory?

Tony

-- Original Message --
From: Jef Kazimer [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 28 Sep 2006 21:17:39 -0500

Eric,

The problem stems from lack of ability to modify the application to correct
the behavior.  If I had the ability to force this, I would simply require
null/blank not to be passed to the ADAM server from the application.

I've been at odds about the DCR myself, for all the reasons you mentioned.
Yet, without the ability to control the applications, the only thing I can
control is the directory itself.  Without a mechanism to disable such
behavior, I am without recourse unfortunately.

So far, I've been able to avoid this problem, because the 2 apps I had this
happen with, the developer was able to modify the authentication dialog.  I
have had other apps with other issues, where modification was not possible.
These did not suffer this poor design issue, but I wonder if I will get such
an app eventually.  I suppose I am just trying to solve a problem I have
not been forced to solve by this method, which means it can wait.

I could go into how it would be nice to have enterprise application minimum
standards, and application owners involve infrastructure staff BEFORE an app
is purchased, instead of after when it doesn't work, but I won't :)

Jef


- Original Message -
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 8:48 PM
Subject: RE: [ActiveDir] ADAM bind Redirection with a NULL password

One solution would be to ACL all objects such that SELF can read them
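
An added example, not part of this thread and not code from Microsoft or any
of the products named above, to make the null-password case concrete: the
Python below builds LDAP BindRequest PDUs (RFC 4511) and classifies each one,
so that a simple bind carrying a DN but an empty password (what RFC 4513
section 5.1.2 calls an unauthenticated bind, and what the badly written apps
above send to the ADAM proxy object) can be picked out of captured traffic,
or refused by a front-end before it ever reaches the directory, which is the
"never let null/blank reach the server" fix Jef describes.  The DNs, the
SASL mechanism string and the credentials are constructed sample values.

```python
"""
Added example (not from the thread): a minimal BER encoder/decoder for
LDAP BindRequest messages (RFC 4511) plus a classifier that separates
anonymous, unauthenticated (DN + empty password, RFC 4513 5.1.2), simple
and SASL binds.  The DNs and credentials below are constructed samples.
"""
from dataclasses import dataclass
from typing import Tuple

# BER tags used by BindRequest.
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60        # [APPLICATION 0] constructed
AUTH_SIMPLE = 0x80         # [0] OCTET STRING (primitive)
AUTH_SASL = 0xA3           # [3] SaslCredentials (constructed)


def _encode_len(n: int) -> bytes:
    """Definite BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(content)) + content


def _int(n: int) -> bytes:
    # Two's-complement INTEGER: a leading zero byte is added when the top bit is set.
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported BER length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    end = start + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[start:end], end


def encode_simple_bind(msg_id: int, dn: str, password: bytes) -> bytes:
    """LDAPMessage { msg_id, BindRequest { version 3, dn, simple password } }."""
    bind = _tlv(INTEGER, _int(3)) + _tlv(OCTET_STRING, dn.encode()) + _tlv(AUTH_SIMPLE, password)
    return _tlv(SEQUENCE, _tlv(INTEGER, _int(msg_id)) + _tlv(BIND_REQUEST, bind))


def encode_sasl_bind(msg_id: int, dn: str, mechanism: str, creds: bytes) -> bytes:
    """LDAPMessage { msg_id, BindRequest { version 3, dn, sasl { mechanism, creds } } }."""
    sasl = _tlv(OCTET_STRING, mechanism.encode()) + _tlv(OCTET_STRING, creds)
    bind = _tlv(INTEGER, _int(3)) + _tlv(OCTET_STRING, dn.encode()) + _tlv(AUTH_SASL, sasl)
    return _tlv(SEQUENCE, _tlv(INTEGER, _int(msg_id)) + _tlv(BIND_REQUEST, bind))


@dataclass
class BindInfo:
    message_id: int
    dn: str
    kind: str          # "anonymous" | "unauthenticated" | "simple" | "sasl"
    mechanism: str = ""


def parse_bind(pdu: bytes) -> BindInfo:
    """Decode one LDAPMessage holding a BindRequest and classify it."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    _, _version, pos = _read_tlv(bind, 0)
    _, dn, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    name = dn.decode("utf-8", "replace")
    message_id = int.from_bytes(mid, "big")
    if tag == AUTH_SIMPLE:
        if not name and not auth:
            kind = "anonymous"           # RFC 4513 5.1.1: no identity asserted
        elif not auth:
            kind = "unauthenticated"     # RFC 4513 5.1.2: DN asserted, nothing proven
        else:
            kind = "simple"
        return BindInfo(message_id, name, kind)
    if tag == AUTH_SASL:
        _, mech, _ = _read_tlv(auth, 0)
        return BindInfo(message_id, name, "sasl", mech.decode())
    raise ValueError("unknown AuthenticationChoice tag 0x%02x" % tag)


def should_forward(pdu: bytes) -> bool:
    """Front-end policy: only let binds through that can actually prove an identity."""
    return parse_bind(pdu).kind in ("simple", "sasl")
```

The point of the classifier is that "anonymous" and "unauthenticated" are
distinct on the wire: the second one names a real DN, so an application that
treats any bind success as a login has just let someone in as that user
without a password.  Logging the "unauthenticated" count per source address
is a cheap detection for the applications Jef is describing.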

RE: [ActiveDir] Password Change for 100% Remote User Workstations

2002-07-18 Thread Kazimer Jef

Gene,

Take a look at your VPN connection. Are you logging into the
workstation, opening a tunnel, and doing their work.

OR

Are you logging into the workstation, opening the tunnel,
logging out, and logging back into the now connected
workstation?

If not, the user will not be flagged that their password is about to
expire, and will end up being locked out.

We had the same issue, and have solved it.

Jef

  -Original Message-
  From: Molloy, Gene S. [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, July 17, 2002 10:37 PM
  To: [EMAIL PROTECTED]
  Subject: Password Change for 100% Remote User Workstations
  We are having problems with users being able to change their passwords when 
  they expire. The users having the problem are 100% remote. Very 
  rarely do they connect to our private network.
  Most of the time they use VPN over a dial up connection. 
  I am wondering how other people are dealing with this problem. I 
  really do not want to set passwords to never expire.
  Any help would be greatly appreciated.
  Thanks,
  Gene Molloy


Re: [ActiveDir] Active Directory Mapping tool

2003-02-14 Thread Jef K

Mike,

This was a wonderful Tool that was included in the Visio
Network Pack for Visio 2000. I think they changed this for the latest
version. I remember installing it and scratching my head where that
import function was.

Check the Visio website for more info before you do the same.
:)

Jef

  - Original Message -
  From: Celone, Mike
  To: '[EMAIL PROTECTED]'
  Sent: Thursday, February 13, 2003 1:20 PM
  Subject: RE: [ActiveDir] Active Directory Mapping tool

  I think you can do this with Visio. I know Microsoft had
  a small program that will do this for Exchange and import it all into a Visio
  file for you.

  Mike

  -Original Message-
  From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, February 13, 2003 1:02 PM
  To: '[EMAIL PROTECTED]'

  Greetings All,

  I am looking for a tool that would be able to query an AD
  forest and map out domain constructs, site constructs, DC's and DNS
  servers. Do any of you know of such a utility.

  Thanks in advanced

  Todd Myrick

  List info   : http://www.activedir.org/mail_list.htm
  List FAQ: http://www.activedir.org/list_faq.htm
  List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] AD Upgrade with bad NetBIOS name

2003-06-26 Thread Jef Kazimer

Sorry I didn't realize you were doing an in-place upgrade of the domain.

I was suggesting using a separate name space (thus a separate netbios name)
for migration.

Here is a Q article that suggests you might have to anyway:

Cannot Use Same NetBIOS Name When You Upgrade a Windows NT 4.0 Domain to a
Windows 2000 Domain (288443)

The information in this article applies to:

Microsoft Windows 2000 Server SP1
Microsoft Windows 2000 Server SP2
Microsoft Windows 2000 Advanced Server SP1
Microsoft Windows 2000 Advanced Server SP2
Microsoft Windows NT Server 4.0 SP4
Microsoft Windows NT Server 4.0 SP5
Microsoft Windows NT Server 4.0 SP6
Microsoft Windows NT Server 4.0 SP6a

This article was previously published under Q288443

SYMPTOMS

When you upgrade a Windows NT 4.0 primary domain controller (PDC) to a
Windows 2000 domain controller (DC) by using the same NetBIOS and DNS name, the
Active Directory Wizard generates the following error message:

The name domain name.com is already in use on this network. Type a name that
is not in use.

For example, this could occur if your Windows NT 4.0 domain name was
testdomain.com and your Windows 2000 domain name was also testdomain.com.

RESOLUTION

Before you upgrade, change the NetBIOS name so that it is not the same
as the Windows 2000 domain name.

Also look at this article too:

Cannot Alter Down-Level Domain Name During Upgrade from Windows NT 4.0 to
Windows 2000 (240156)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, June 26, 2003 3:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Upgrade with bad NetBIOS name

I think you misunderstand.

The company's netbios name is company.com -- that is, the NT4 domain is
company.com. I'm concerned about doing an AD upgrade with a period in the
netbios name.

-Original Message-
From: Jef Kazimer [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 3:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Upgrade with bad NetBIOS name

Why not just use an internal namespace?

I've done it at a few companies: use corp.com publicly, and corp.net
internally. The only issue is if you don't own corp.net and may in the
future have to get to the external net.

Company.int is available. :) You can use company.com externally and
company.int for your internal network.

This would provide you a migration path and a separation of internal and
external namespaces.

Jef


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, June 26, 2003 1:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Upgrade with bad NetBIOS name

Actually, that IS their real name. They are a dot com that has succeeded and
is still around.

-Original Message-
From: Raymond McClinnis [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 26, 2003 2:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Upgrade with bad NetBIOS name

I don't know that it's such a bad thing. Most or all of the TechNet examples
will be personalized for their environment :)

But seriously, I'd consider migrating to a domain that has their real name
in it, if not entirely for esthetic reasons.

But that's just me.

Thanks,

Raymond McClinnis
Network Administrator
Provident Credit Union

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, June 26, 2003 11:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD Upgrade with bad NetBIOS name

I've just retained a client whose NT4 domain name is company.com -- yes,
their netbios domain name.

I'm seriously concerned about upgrading them to AD. Do I have any worries?
I've never seen this one before, and it isn't covered in any of the
whitepapers I've quickly perused.

Thanks.

RE: [ActiveDir] Manual Replication - Any suggestions?

2003-09-05 Thread Jef Kazimer
Thanks for the advice everyone!

Unfortunately I just started at this company, and it seems this decision was made 
before I got here.  I'm trying to get background research done as to why this 
direction was chosen.

I did come from a bigger environment where we made changes to the ISTG timing to avoid 
some of the issues which worked fine until we were able to consider 2003.

Here, I'd rather push forward with the 2003 deployment instead of going manual.

Jef
No likey da Evil!

Original Message:
From: Joe [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Manual Replication - Any suggestions?
Date: Thu, 4 Sep 2003 18:59:59 -0400


Hmm that seems kind of small to turn off the KCC. I wouldn't do it
myself. In fact we have about 500 sites defined, 375 DC's spread across
them, and nine domains. Most of the sites have a DC from one of the five
main domains though. If you have a hub and spoke topology and the site
links are configured properly and you have site transitivity turned off
you shouldn't have an issue.

Manually generating your topology is an evil evil thing. 

Also where did the MS advice come from? Not trying to smash MS but there
are only a few people from MS that I will listen to about AD right off.
Mostly I make the person I am talking to prove what they are saying.
Haven't found anyone in MCS yet with a really strong grasp, only decent.
One main person in PSS - JD. Then of course you have the folks like
Stuart Kwan and Dave Trulli. 


  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Thursday, September 04, 2003 10:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Manual Replication - Any suggestions?


I'm currently working at a company where we have 115 international
sites, and 3 domains.   The KCC and ISTG are working sub-optimally, and it
seems on MS's advice we are going to calculate a manual replication
connection model.

Anyone have any experience with this, and have any gotcha's we should be
expecting?   

Thanks,

Jef




[ActiveDir] Secedit Errors

2003-10-02 Thread jef . kazimer

Hello all,

I am getting repeated secedit errors which seem to be due to a corrupted secedit.sdb file on the DCs. After using ESENTUTL to repair the DB, group policy applies correctly.

A day or so later, those that were repaired now have the same errors.  Anyone have any idea where to halt this cycle? What am I missing?

Source: Userenv
Name: Unexpected Error applying group policy to machine account
Description: The Group Policy client-side extension Security was passed flags (145) and returned a failure status code of (1208).


There were originally some group policy errors, which were fixed. Policy applies correctly as per the winlogon.log after it is fixed, but the problem returns.

any help would be appreciated.

Jef Kazimer

Re: [ActiveDir] Secedit Errors

2003-10-03 Thread Jef Kazimer

Darren,

Ahhh...that is what 145 meant!  I couldn't find a lookup on that one
anywhere.  I am seeing these come from maybe 30+ servers in a domain.  I see
a mix of error code #5 which was access denied (this was due to a mistake in
a policy setting and is fixed) and then I see the 1208 errors which leads me
to find the secedit.sdb file is corrupt and needs to be rebuilt.  The "cannot
write shadowed header" error would be seen, and an error code of "3" made me
think this was the case.

AV virus scan for I/O is set on the C:\winnt\security directory so I think
the secedit.sdb file is being held open when GPO is applied and corrupting
the DB.  I confirmed with MS that this might be the case, and have informed
our security group they need to change this.

Yet even if I exclude that directory manually, this corruption and
secedit/userenv errors keep coming back.

Yes, after cleaning up group policy I had noticed they were not being
applied on the boxes where I get these errors.  After I fix the SDB they
apply, but I will see the errors come back.

Looking at the extendedDebugLevel winlogon.log, GPO processing dies when it
is said that the DB can't be opened, and GPO never gets applied unless I fix
the DB on that database.

I am wondering if there is a central corruption in the template file
somewhere..but I don't know how to "verify" a GPO for integrity.

Thanks!

Jef


  - Original Message -
  From: Darren Mar-Elia
  To: [EMAIL PROTECTED]
  Sent: Thursday, October 02, 2003 1:54 PM
  Subject: RE: [ActiveDir] Secedit Errors

  Jef-
  I don't know if it helps but the flags (145) thing means the following:

  Machine Policy is being applied as opposed to user policy
  This policy is being applied as a background refresh (rather than
  foreground)
  No changes were detected to the GPO during this processing cycle (so
  nothing was applied)

  The failure status code is just a Win32 error code, which in this case
  means, "An extended error has occurred."-- Not very helpful.

  Are you seeing other problems in terms of policy application other than
  these errors? How often do these errors occur?

  Darren


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 02, 2003 10:41 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Secedit Errors

Hello all,

I am getting repeated secedit errors which seem to be due to a corrupted
secedit.sdb file on the DCs.  After using ESENTUTL to repair the DB, group
policy applies correctly.

A day or so later, those that were repaired now have the same errors.
Anyone have any idea where to halt this cycle? What am I missing?

Source: Userenv
Name: Unexpected Error applying group policy to machine account
Description: The Group Policy client-side extension Security was passed
flags (145) and returned a failure status code of (1208).

There were originally some group policy errors, which were fixed.  Policy
applies correctly as per the winlogon.log after it is fixed, but the problem
returns.

any help would be appreciated.

Jef Kazimer


[ActiveDir] FRS 2k - What is the Latest version?

2003-11-03 Thread Jef Kazimer
Hi all,

I'm using Ultrasound to diagnose some Replication problems.  One thing I am trying to 
do is bring FRS up to date on all the DCs.

What is the most current release version of FRS?

The latest I am reporting is May-07-2003, but I know there is newer.  If I am going to 
upgrade them,  I want to make sure I have the latest.

Thank you,

Jef




RE: [ActiveDir] FRS 2k - What is the Latest version?

2003-11-03 Thread Jef Kazimer
The RPC connection errors of the UPSTREAM partner not replicating to Sysvol.   If on a 
rebuild or D2,  the new DC (downstream) sits there.  We know the May 07 release fixes this,  
but if I am going to move forward with an upgrade, I want to fix other issues as well. 
 We've seen the Sharing violation issue as well, and the incomplete Sysvol.

It's showing up on our international infrastructure more, and it maybe related to slow 
links in remote sites as well.

J

Original Message:
From: Travis Riddle [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FRS 2k - What is the Latest version?
Date: Mon, 3 Nov 2003 11:08:15 -0700

From what I have read, 07-May-03 is the latest FRS release, its included
with SP4 ( http://support.microsoft.com/?id=811370 ) I don't think you
can upgrade FRS beyond this without contacting MS with a need to do so
(if they even have anything newer at all)

What kind of replication problems are you experiencing?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Monday, November 03, 2003 10:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FRS 2k - What is the Latest version?

Hi all,

I'm using Ultrasound to diagnose some Replication problems.  One thing I
am trying to do is bring FRS up to date on all the DCs.

What is the most current release version of FRS?

The latest I am reporting is May-07-2003, but I know there is newer.  If
I am going to upgrade them,  I want to make sure I have the latest.

Thank you,

Jef








re: [ActiveDir] vbscript output to html

2003-11-03 Thread Jef Kazimer
Rich,

I just create a file object, and output Text with HTML code to it to format the HTM 
file for making a web based report.  Since HTML is just text anyway you can 
programmatically format it.

Here is just a snippet for example:

'[Create ASP log file]
' Opens (or creates) the report file for appending and writes the HTML
' fragments that make up the table header.  OpenTextFile mode 8 = ForAppending,
' True = create the file if it does not exist.

Set WshShell = WScript.CreateObject("WScript.Shell")
Set fso = WScript.CreateObject("Scripting.FileSystemObject")

Set asplog = fso.OpenTextFile("log\autounlock.asp", 8, True)
asplog.WriteLine("<HR>")
asplog.WriteLine("<center><table border='1' padding='2' align='center'>")
asplog.WriteLine("<tr>")
asplog.WriteLine("<td align='center' colspan=4><Font color=Blue size=3>[ " & _
    "</font><Font color=Red size=3>NOW</font><Font color=Blue size=3> ]</Font></td>")
asplog.WriteLine("</tr>")
asplog.WriteLine("<tr>")
asplog.WriteLine("<td colspan='4' align='center'><HR></td>")
asplog.WriteLine("</tr>")

'[End Create ASP Log File]

Original Message:
From: Rich Milburn [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ActiveDir] vbscript output to html
Date: Mon, 3 Nov 2003 13:28:11 -0600

While scripting seems to be a good topic today, perhaps I'll throw this one
out there:

 

Does anyone know a q'n'd way to output vbscript results to html?  We're
trying to get users to change passwords till the average age comes down, and
while I have some good tools (courtesy of joeware.net) that will show me the
info I need, it would be nice if I could keep this running and put a page up
for managers to see how the progress is going Hmm I might  this to a
csv file or something for graphs... any ideas?

 

(PS yes I am doing research on my own, but my first exposure to vbscript was
last Thursday - I managed to avoid it for 10+ years of Windows but I guess
it's finally caught up with me! :-) )

 

Rich

 

---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE---
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or
any attachments. This information is strictly confidential and may be
subject to attorney-client privilege. This message is intended only for the
use of the named addressee. If you are not the intended recipient of this
message, unauthorized forwarding, printing, copying, distribution, or using
such information is strictly prohibited and may be unlawful. If you have
received this in error, you should kindly notify the sender by reply e-mail
and immediately destroy this message. Unauthorized interception of this
e-mail is a violation of federal criminal law. Applebee's International,
Inc. reserves the right to monitor and review the content of all messages
sent to and from this e-mail address. Messages sent to or from this e-mail
address may be stored on the Applebee's International, Inc. e-mail system.






re: [ActiveDir] Forcing Replication from a Source DC

2003-11-04 Thread Jef Kazimer
Well,  this is more of a blanket suggestion, than a solution to your problem.

After coming to find many tasks that remote admins should be able to do, but that I 
don't want to give them rights to do,  I tend to try and centralize tools.   I've 
created an ASP-driven admin portal which is nothing more than VB scripts to do the 
processes.   The Remote admins are given access permission to the portal for their 
specific tasks, but the actual processing of the tasks is done with a service 
account with the privs, and not the user.

So they can kick off the tasks, see the results, but never have the permissions 
themselves.

I built in a logging interface, so I can tell when an admin did such a thing, which is 
much easier than parsing other logs.  

Replicate the site/DB around the world, and it's proven to be a very good source.  I 
can fix and add tools as needed, and not worry about older versions still floating around.

I know that's not really going to help you, but with a little scripting experience, 
you might be able to create a front end utilizing replmon for the same thing.

Jef

Original Message:
From: FDiskThePC [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Forcing Replication from a Source DC
Date: Tue, 4 Nov 2003 09:36:02 -0800 (PST)

Okay, guys, I've done quite a bit of research here,
but I need some help.  I don't know about you guys,
but I find it frustrating that AD has been out for
over three years and so much of this stuff is still
undocumented!  Argh!

First problem was delegating the right for remote
admins to synchronize the domain.  For those out there
that may still be searching, you need to delegate the
Replication Synchronization right to your Domain
Naming Context (NC) and any other NC's (Schema,
Config, etc.) that you may have.  Note that if you do
not delegate this right to every NC, AD Sites 
Services will still fail because a Replicate Now
tries to sync every NC behind the scenes - there is no
way with this tool to sync a particular NC.  Note that
ADSIEdit will probably be needed to make the
delegation.

Okay, second problem that I still need an answer to. 
I need a way to force replication from one source DC
to all my other DC's.  Ah!  Use replmon you say
choosing Push Mode and Cross Site Boundaries. 
That works great, actually, but not for my remote
admins.  Come to find out, replmon doesn't work unless
the remote admin is also given the Replicating
Directory Changes and Manage Replication Topology
permission.  And I am not about to do that.

I've also looked at repadmin.  It appears that some
changes have been made to this command in W2K3, but
I'd like to do this in a W2K setting.  Unfortunately,
the W2K tool requires that you use actual GUIDS, but
the more important thing is that I can't figure out
how to push changes rather than pull!  I did come
across one undocumented switch with repadmin.  Using
repadmin /p /e /d server1.company.com forces server1
to pull any and all changes from every other server
(transitively).

Any advice on how to best take one DC's changes and
push them out to all other DC's would be GREATLY
appreciated.  Sounds like a script to me.  Thanks.

-Rick Dayton

__
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree






[ActiveDir] DHCP - DNS - DnsUpdateProxy Group

2003-11-05 Thread Jef Kazimer
When specifying DHCP servers in the DnsUpdateProxy,  should the ACL For the record 
show the machine account (DHCPSERV1$) or should it show (DNSUPDATEPROXY)?

I'm looking at some Zones, and I see that the DHCP server as having FullControl, and 
the owner as SYSTEM.

Would a 2nd DHCP server in the DNSUPDATEPROXY group be able to update the record?


Also, I am in the middle of scripting converting Reverse zones from a Class B to a 
more granular Class C scheme. We need to turn on scavenging on only specific zones, 
and not others, to avoid missing records. 

If I export and re-import these records,  my account shows up on the ACL,   and the 
owner of SYSTEM.  I am going to assume that neither the DHCP server nor a w2k client 
can update these records.   

Is there a way to import records and retain the DNSUpdateProxy ACL even though it is a 
system group?

Any suggestions?  I fear these PTR records would not be able to be refreshed until 
after they are scavenged
Jef




RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group

2003-11-05 Thread Jef Kazimer
Guido,

Thanks for the Response.

Since DNS is running AD integrated on the DCs, and runs under the System context, they 
don't need to be added to this group, correct?  I think you meant that stand-alone DNS 
servers would need to be added to this group to facilitate updates, correct?

Since coming to this site,  I'm wondering why they have the DCs in the DnsUpdateProxy 
Group,  as well as the DHCP servers.  Apparently it was an MS recommendation, but 
I can't find a reason in my head why this would be required.  This would cause that 
insecurity issue, I'd imagine.  Am I missing something?

Also,  I see the records have Authenticated Users on the ACL as SPECIAL, but no 
properties/rights are checked.  This is the result that the Proxygroup creates, 
correct?  

So if I need to re-acl those records, this is the correct ACL?

THanks,  I appreciate the help.  I've setup the proxy group before, but never went 
into great detail trying to figure out someone elses design choices, so I'm learning 
more about it as I go.

This is 2k, and not 2k3 yet, as I would like to use the service account for DHCP 
when we can for these reasons.

Jef



Original Message:
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP - DNS -  DnsUpdateProxy Group
Date: Wed, 5 Nov 2003 19:13:07 +0100

When you add servers to the DNSUpdateProxy group, it basically REMOVES any
security of the objects by granting Authenticated Users Full Control to
the DNS record = this is what allows other DNS servers (or whoever is added
to the DnsUpdateProxy group) to overwrite these records. 

As such you should NEVER add DCs to this group (even when hosting your DHCP
service on a DC) - otherwise you'll compromise security in your domain. If
you want this same insecurity for your imported records, you could also
grant these permissions or simply add your user account to the
DnsUpdateProxy group. 

Instead - if you are running 2003 - you should configure your DHCP service to
register records with a specific account. This way the records are still
secured against changes from all Authenticated Users - only DHCP servers
configured to use the same account can update the records.  It's not as
simple as running the service under an account, but it's some option of the
DHCP service - I'd have to look it up, but I'm sure others will fill in the
details.

/Guido

-Original Message-
From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
Sent: Mittwoch, 5. November 2003 17:29
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group

When specifying DHCP servers in the DnsUpdateProxy,  should the ACL For the
record show the machine account (DHCPSERV1$) or should it show
(DNSUPDATEPROXY)?

I'm looking at some Zones, and I see that the DHCP server as having
FullControl, and the owner as SYSTEM.

Would a 2nd DHCP server in the DNSUPDATEPROXY group be able to update the
record?


Also, I am in the middle of scripting converting Reverse zones from a Class
B to a more granular Class C scheme. We need to turn on scavenging on only
specific zones, and not other to avoid missing records. 

If I export and re-import these records,  my account shows up on the ACL,
and the owner of SYSTEM.  I am going to assume that the DHCP nor a w2k
client can not update these records.   

Is there a way to import records and retain the DNSUpdateProxy ACL even
though it is a system group?

Any suggestions?  I fear these PTR records would not be able to the
refreshed until after they are scavenged

Jef


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/






RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group

2003-11-05 Thread Jef Kazimer
Guido,

I know my description is not doing justice to what I am seeing. :)

The ACL has an ACE for Everyone, Authenticated users,  DnsADmins, etc

it lists Authenticated Users as Special and when you look at the properties,  it 
shows the Read All Properties and Write All Properties,  but NONE of the Allow/Deny 
boxes are checked.  So I'm curious what access this actually means.

I hope that makes more sense, but I can give you a screen shot. :)

J

Original Message:
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP - DNS -  DnsUpdateProxy Group
Date: Wed, 5 Nov 2003 22:15:07 +0100

look at the ACL with ADSIedit - it should not be empty.  Is there an
Everyone ACL? 

-Original Message-
From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
Sent: Mittwoch, 5. November 2003 22:07
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group

Guido,

Thanks.  I would agree with you,  but being a new person on this site, I'm
looking to get my facts straight before I bring it up.

The Records show the Authenticated users, with NOTHING set, which is kind of
odd to me.

I am glad you understand what I am getting at here, as I thought I was
misunderstanding how this should work.

Jef

Original Message:
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP - DNS -  DnsUpdateProxy Group
Date: Wed, 5 Nov 2003 21:48:13 +0100

Yes, you DON'T want your DCs to be added to the DNSupdateProxy group, even
if they run DHCP services.  Only Stand alone (i.e. normal member servers)
should be added to the group.  I would sincerely suggest that you remove
your DCs from the group as you're currently rather unprotected = you could
just as well have configured dynamic DNS without the allow only secure
updates option... as any client/user can easily erase or hijack the DC
host-records potentially causing a full outage of your domain/forest.  

It might have been an MS recommendation 4 years ago, when they didn't know
the product themselves - but you'll not hear that recommendation today.

Have a look what permissions Authenticated Users have in Advanced View - may
not be Full Control after all, but at least write access to most of the
attributes of the record.


-Original Message-
From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
Sent: Mittwoch, 5. November 2003 20:15
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group

Guido,

Thanks for the Response.

Since DNS is running AD integrated on the DCs, and runs under the System
context, they don't need to be added to this group, correct?  I think you
meant that stand-alone DNS servers would need to be added to this group to
facilitate updates, correct?

Since coming to this site,  I'm wondering why they have the DCs in the
DnsUpdateProxy Group,  as well as the DHCP servers.  Apparently it was
an MS recommendation, but I can't find a reason in my head why this would
be required.  This would cause that insecurity issue, I'd imagine.  Am I
missing something?

Also,  I see the records have Authenticated Users on the ACL as SPECIAL,
but
no properties/rights are checked.  This is the result that the Proxygroup
creates, correct?  

So if I need to re-acl those records, this is the correct ACL?

Thanks,  I appreciate the help.  I've set up the proxy group before, but
never went into great detail trying to figure out someone else's design
choices, so I'm learning more about it as I go.

This is 2k, and not 2k3 yet, as I would like to use the service account
for DHCP when we can for these reasons.

Jef




RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group

2003-11-05 Thread Jef Kazimer
I did look at it with both the DNS MMC, and then went into ADSI Edit as you suggested. 
They have the same empty boxes.

Weirdness I tell you!  Weirdness!!!

Original Message:
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP - DNS -  DnsUpdateProxy Group
Date: Wed, 5 Nov 2003 22:38:17 +0100

it does make sense, as you've probably got a permission set that's filtered
from the UI (via the dssec.dat file in your system32 folder...) - that's why
you should look at it via ADSIedit, which doesn't filter any permissions in
the UI.

I don't have anything to test around here right now so I can't compare what
the ACL should be.

-Original Message-
From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
Sent: Mittwoch, 5. November 2003 22:29
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group

Guido,

I know my description is not doing justice to what I am seeing. :)

The ACL has an ACE for Everyone, Authenticated users,  DnsADmins, etc

it lists Authenticated Users as Special and when you look at the
properties,  it shows the Read All Properties and Write All Properties,  but
NONE of the Allow/Deny boxes are checked.  So I'm curious what access this
actually means.

I hope that makes more sense, but I can give you a screen shot. :)

J


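To make the check Guido suggests concrete (look at what Authenticated Users and Everyone actually hold on the record, independent of the entries the ACL editor hides through dssec.dat), here is an added Python example; it is not code from the thread or from Microsoft. It takes the record's security descriptor in SDDL form, which on a current DC you can read with PowerShell as (Get-Acl "AD:\<DN of the dnsNode under CN=MicrosoftDNS>").Sddl, and flags Allow ACEs that give a catch-all principal rights that modify or delete the object. The two descriptors at the bottom are constructed for illustration with placeholder SIDs: the first is the shape of a record a host registered itself under secure updates, the second is modelled on Guido's description of a record created through DnsUpdateProxy. Neither is copied from a real zone.

```python
"""Flag over-broad write access in a DNS record's DACL given as SDDL.

Added example, not code from the thread. SDDL is the text form of a
security descriptor: O:owner G:group D:dacl-flags(ace)(ace)... S:sacl.
"""
import re

# Short SDDL aliases for well-known principals (subset).
WELL_KNOWN = {
    "WD": "Everyone", "AU": "Authenticated Users", "AN": "Anonymous",
    "IU": "Interactive Users", "DU": "Domain Users", "BU": "Builtin Users",
    "SY": "SYSTEM", "BA": "Builtin Administrators", "DA": "Domain Admins",
    "EA": "Enterprise Admins", "CO": "Creator Owner",
}
# Principals that amount to "any account" rather than a specific identity.
BROAD = {"WD", "AU", "AN", "IU", "DU", "BU"}
# Rights that let the holder change, re-own or remove a directory object.
WRITE_RIGHTS = {"GA", "GW", "WP", "WD", "WO", "SD", "DT", "CC", "DC", "SW"}
# Access-mask bits, for the hex form of the rights field.
HEX_BITS = {
    0x10000000: "GA", 0x40000000: "GW", 0x80000000: "GR", 0x20000000: "GX",
    0x00040000: "WD", 0x00080000: "WO", 0x00010000: "SD", 0x00020000: "RC",
    0x1: "CC", 0x2: "DC", 0x4: "LC", 0x8: "SW", 0x10: "RP", 0x20: "WP",
    0x40: "DT", 0x80: "LO", 0x100: "CR",
}
ACE_RE = re.compile(r"\(([^)]*)\)")


def split_sddl(sddl):
    """Split 'O:..G:..D:..S:..' into components. Colons only occur in the
    component markers, so each value runs up to the next marker letter."""
    comps = {}
    marks = [m.start() for m in re.finditer(":", sddl)]
    for i, pos in enumerate(marks):
        end = marks[i + 1] - 1 if i + 1 < len(marks) else len(sddl)
        comps[sddl[pos - 1]] = sddl[pos + 1:end]
    return comps


def rights_set(rights):
    """Rights field -> set of two-letter codes; accepts the 0x... form too."""
    if rights.startswith("0x"):
        mask = int(rights, 16)
        return {code for bit, code in HEX_BITS.items() if mask & bit}
    return set(re.findall(r"[A-Z]{2}", rights))


def audit_dacl(sddl):
    """Return (principal, write rights, object GUID) for every Allow ACE that
    hands a broad principal the ability to modify the object. Deny ACEs and
    read-only grants are ignored; object-specific ACEs (OA) report the GUID
    so a grant scoped to one attribute can be told from a blanket one ('*')."""
    findings = []
    for ace in ACE_RE.findall(split_sddl(sddl).get("D", "")):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, _flags, rights, obj_guid, _inh_guid, sid = fields[:6]
        if ace_type not in ("A", "OA") or sid not in BROAD:
            continue
        granted = rights_set(rights) & WRITE_RIGHTS
        if granted:
            findings.append((WELL_KNOWN.get(sid, sid), sorted(granted), obj_guid or "*"))
    return findings


# Constructed sample descriptors with placeholder SIDs, not copied from a zone.
# A record the host registered itself under secure dynamic update: the computer
# account owns it and holds the write rights; Authenticated Users/Everyone read.
SECURE_RECORD = (
    "O:S-1-5-21-1004336348-1177238915-682003330-1201"
    "G:S-1-5-21-1004336348-1177238915-682003330-513"
    "D:AI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1004336348-1177238915-682003330-1201)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
    "(A;;RPLCLORC;;;AU)(A;;RPLCLORC;;;WD)"
)
# The shape described in the thread for a record created by a DnsUpdateProxy
# member: Authenticated Users hold the same rights as SYSTEM and Domain Admins.
PROXY_RECORD = (
    "O:SYG:SY"
    "D:AI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;RPLCLORC;;;WD)"
)

if __name__ == "__main__":
    for label, sddl in (("secure", SECURE_RECORD), ("proxy", PROXY_RECORD)):
        print(label, audit_dacl(sddl) or "no broad write access")
```

Run over a whole zone, the interesting output is the set of records where a broad principal shows up with WP, WD, WO or SD: those are the ones any domain account could overwrite or take ownership of, which is the exposure Guido describes for DC host records.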
RE: [ActiveDir] Bindview and ADMT

2003-11-07 Thread Jef Kazimer
I would second that about making sure the users are logged off.   The earlier betas of 
2.0 really flaked out on that, so make sure you did use the 2.0 release.

We've had issues with RPC timeouts and not finding PCs on the net, but we think it's 
related to a global networking layout.   

When migrating stations, we have a pre-test which verifies they're on the network, wakes 
any machines or laptops out of sleep mode, and does a Force Logoff and Reboot of the 
boxes we want.  Since doing that,  our migration % have increased greatly.

jef

Original Message:
From: Coleman, Hunter [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Bindview and ADMT
Date: Fri, 7 Nov 2003 11:11:31 -0700

Can't speak to Bindview, but for your listed problems:
 
1-All migrated accounts, accessing all resources in the source domain show
the problem? Can you verify with ADSIEdit that the SIDHistory attribute is
populated on the migrated accounts?
 
2-We occasionally ran into profile migration problems, but it was a low
percentage. You definitely want the user to be logged off, and you will
increase your chances of success if you reboot the machine prior to the
migration and don't login until after it automatically reboots
post-migration. This ensures that the ntuser.dat files aren't held by
processes preventing the migration agent from acting.

  _  

From: Ellis, Debbie [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 07, 2003 10:19 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Bindview and ADMT


Have any of your guys used the Bindview Migration tool?  We have been
testing the newest ADMT but have run into several problems that are listed
below.  Have any of you had similar problems?
 
1. If a member of the domain admin or domain user group is migrated,
there are problems with accessing the resources in the source domain.
SIDhistory was migrated and instructions from ADMT were followed. 

2. There are problems migrating the local profiles on the user's
desktops.  It shows they were migrated over and no error message in the log
files, but they were not migrated.  We have tried with the user logged off
and logged on. 
 






RE: [ActiveDir] Bindview and ADMT

2003-11-07 Thread Jef Kazimer
Ted,

Sure,  I'll clean it up and post it here.  Do you want it as text, or as an 
attachment?

It's nothing crazy, but it certainly helped. 

It takes a list of Computers and then

Does an NBTSTAT check
Does a Ping Test
If Online then
Checks to see if the RPC service is running
Uses RPC ping to verify it's accepting RPC calls
And connects to the box using WMI, and pulls the machine name and verifies it's the name 
expected (in case the WINS/DNS entries were old and another box is responding to PING)

Then spits out a CSV of all the tests, and a list of GOOD and BAD PCs.

You need RPCPING and the script.  RPCping came from the Win2k3 resource kit.

Jef

Original Message:
From: Strand, Ted [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Bindview and ADMT
Date: Fri, 7 Nov 2003 14:11:31 -0500

Jef, 

Can you share the pre-test code?

-Ted-
 

-Original Message-
From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 07, 2003 1:50 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Bindview and ADMT

I would second that about making sure the users are logged off.   The
earlier betas of 2.0 really flaked out on that, so make sure you did use the
2.0 release.

We've had issues with RPC timeouts and not finding PCs on the net, but we
think it's related to a global networking layout.   

When migrating stations, we have a pre-test which verifies they're on the
network, wakes any machines or laptops out of sleep mode, and does a Force
Logoff and Reboot of the boxes we want.  Since doing that,  our migration %
have increased greatly.

jef



re: [ActiveDir] User Profile

2003-11-12 Thread Jef Kazimer
It's that mysterious error they talk about in the ADMT 2.0 docs, that they say has an 
unknown cause.

Do a shutdown and reboot of your workstations before you migrate them, and it solves 
this problem.   I meant to send out verification and reboot scripts this week since 
someone asked this earlier, but I forgot I am in training this week.   Send me a note 
next week, and maybe it can be of help.

J

Original Message:
From: Ellis, Debbie [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: [ActiveDir] User Profile
Date: Wed, 12 Nov 2003 14:30:39 -0500

Does anyone know of a process or service that locks a user profile even when
logged off? We are trying to migrate local profiles using ADMT and are
receiving an error message that the profile is in use.  We have even tried
rebooting the pc and not logging on and still receive the same error
message.






re: [ActiveDir] dns aging with 01/7/1601

2003-11-12 Thread Jef Kazimer
Have you done the Age All Records (DNSCMD /AgeAllRecords command)?

Records with TS before Scavenging was turned on at the server/domain level will not be 
scavenged, so you need to AgeAllRecords after enabling scavenging.

It will inherit the scavenging attributes from the zone itself.

Your new timestamp will be that of when you ran the command, and if it is not 
refreshed between then and the scavenging date, it will be cleaned up.

Make sure you remove the Age this record check box thingy (I forgot the syntax) on 
the record for any static records you don't want to disappear.


Jef

Original Message:
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ActiveDir] dns aging with 01/7/1601
Date: Wed, 12 Nov 2003 14:35:22 -0600





Hi,
I am trying to resolve  the  dns  aging timestamp 01/7/1601  --.
Can any one explain why I am still seeing the 01/7/1601 timestamp at the
aging property after I have already enabled the aging/scavenging feature at
our dns server , forward zones and some selective ( want to see the impact
first before the full implementations) reverse lookup zones?

This is a win2k  sp4 active directory domain but the dns server is not
integrated with active directory . Would this even matter? The dns server
is win2k with sp4 and it allows dynamic updates from win2k clients. I need
to clean up the PTR because many stale ptr records exist at  many zones.
Any help is welcome. Thank you.


Sandy
Email:[EMAIL PROTECTED]







re: [ActiveDir] dns aging with 01/7/1601

2003-11-13 Thread Jef Kazimer
Sandy,

Sorry for no Reply...

The Scavenge date will be on the Zone properties.  The TS on the record tells the zone 
that the record is available to be scavenged.  So if the Scavenge date on the record 
is greater than the date for the zone,  it will be scavenged.

So If the Scavenge date on the zone is 11-14-2003,  it will be available to be 
scavenged on that date/time.   Then when scavenging is done, it looks at the records, 
and its timestamps.  If your TTL is 7 days, and it finds a record that has not been 
updated/refreshed in GREATER than 7 days,  it will be scavenged.

For scavenging to take place,   The Server, Zone, and Record must have scavenging 
turned on. Records without a Timestamp will be ignored during scavenging.  And 
scavenging will NOT scavenge records with Timestamps older than when Scavenging was 
turned on for the zone.   This is why you need to age all records after turning it on.

So the Scavenge date for the zone is 11-14-2003. your scavenging date is 7/7.  you run 
the age all records for the zone command, and it adds the timestamp of 11-13-2003.

On 11-14-2003 no records will be scavenged since the records timestamp is only 1 day 
old.   But when it scavenges in 7 days from now on the 11-21-2003, If a record has not 
been refreshed with a newer timestamp than 11-13-2003,  all those records will be 
scavenged on 11-21 since the 7/7 period is set.  If a record has a newer timestamp 
(11-17-2003..) it will remain,  or if it has no timestamp it will remain.

You can use DNSCMD to export all the records if you need to.  Or use the 
DNSRESOURCE.VBS to export it as well.

If you reload the records make sure you are part of the DNSUPDATEPROXY group so that 
DHCP/users can update (refresh the timestamp) the records otherwise they will be 
scavenged during the next period.

J
Original Message:
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: re: [ActiveDir] dns aging with 01/7/1601
Date: Thu, 13 Nov 2003 11:03:18 -0600






Ok, I have now run the dnscmd /ageallrecords  in one reverse lookup zone.
With this command , I see the time stamp on each record  under this zone
has been changed to today's date. But my question is still not answered.
The Timestamp for the zone  ( at zone aging/scavenging property page) is
still 01/7/1601. According to MS, I am supposed to see the next scavenging
date from this page so I can have an idea about when to happen.

Anyone out there has done this  dns aging/scavenging before ? I would
really appreciate your thoughts.  Thanks.




Sandy

From: Sandy Wu
To: [EMAIL PROTECTED]
Date: 11/13/2003 07:18 AM
Subject: re: [ActiveDir] dns aging with 01/7/1601

Jef,

Thank you very much for your reply. Your thought is really  pointing me to
a  closer  track now.

 Nope,  I have not done ageallrecords.  If I am reading you right, it
sounds like in addition to turning on the aging/scavenging at dns level, zone
level , I also need to do ageallrecords  to take care of the pre-existing
records. Also the timestamp ( at zone aging/scavenging property page) will
not reflect the current date if  ageallrecords step is missing. Is this
correct ?
I will need to back up my DNS first , before  making any changes. Please
advise if I am mis-interpreting anything. Thanks




Sandy
From: Jef Kazimer [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]

re: [ActiveDir] dns aging with 01/7/1601

2003-11-13 Thread Jef Kazimer
Sandy,

I just re-read that... it's the ZONE that doesn't have a TS on it, eh?  

Hmm... you could try changing the Server scavenging period,  then changing it back.  

This is an Integrated zone or a stand-a-lone?

I'm curious about it's details.  would you mind posting a ZoneInfo output for that 
zone?

C:\class>dnscmd tunis /zoneinfo 2.168.192.in-addr.arpa
Zone query result:
Zone info:
ptr   = 00083050
zone name = 2.168.192.in-addr.arpa
zone type = 1
update= 2
DS integrated = 1
data file = (null)
using WINS= 0
using Nbstat  = 0
aging = 1
  refresh interval= 168
  no refresh  = 168
  scavenge available  = 3531621
Zone Masters
NULL IP Array.
Zone Secondaries
NULL IP Array.
secure secs   = 3
directory partition   = AD-Legacy flags 0012
zone DN   = DC=2.168.192.in-addr.arpa,cn=MicrosoftDNS,cn=Sys
tem,DC=nwtraders,DC=msft
Command completed successfully.





Original Message:
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: re: [ActiveDir] dns aging with 01/7/1601
Date: Thu, 13 Nov 2003 11:03:18 -0600






Ok, I have now run the dnscmd /ageallrecords  in one reverse lookup zone.
With this command , I see the time stamp on each record  under this zone
has been changed to today's date. But my question is still not answered.
The Timestamp for the zone  ( at zone aging/scavengign property page) is
till 01/7/1601. According to MS, I am supposed to see the next scavenging
date from this page so I can have an idea about when to happen.

Anyone out there has done this  dns aging/scavenging before ? I would
really appreciate your thoughts.  Thanks.




Sandy


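As an added example, not code from the thread or from any Microsoft tool, the following Python models the aging rules Jef walks through above (the /AgeAllRecords advice in his first reply and the 7/7 timing in his second) and decodes the "scavenge available = 3531621" value in the dnscmd /zoneinfo output. It assumes the documented behaviour of the Windows DNS server: timestamps are whole hours since 1601-01-01 UTC (so a zero timestamp displays as a 1601 date and marks a static record that scavenging skips); a record is stale once the current time exceeds its timestamp plus the no-refresh interval plus the refresh interval; a refresh with unchanged data inside the no-refresh window is not written; and enabling aging sets the zone's scavenge-available time to the enable time plus the refresh interval. The record names and dates in thread_scenario are constructed; the enable time was picked so that the zone's scavenge-available value comes out at the 3531621 shown above.

```python
"""Model of Windows DNS aging/scavenging: an added example, not code from
the thread. Timestamps are whole hours since 1601-01-01 UTC, the unit the
DNS server stores in dnsRecord and prints in dnscmd /zoneinfo."""
from datetime import datetime, timedelta

DNS_EPOCH = datetime(1601, 1, 1)


def hours_to_datetime(hours):
    """Decode a DNS hour-count such as 'scavenge available = 3531621'."""
    return DNS_EPOCH + timedelta(hours=hours)


def datetime_to_hours(when):
    """Inverse of hours_to_datetime (whole hours)."""
    return int((when - DNS_EPOCH).total_seconds() // 3600)


class Zone:
    """A zone's aging settings plus a name -> timestamp map (0 = static)."""

    def __init__(self, no_refresh=168, refresh=168):
        self.aging = False
        self.no_refresh = no_refresh      # hours: refreshes of unchanged data are dropped
        self.refresh = refresh            # hours: refreshes accepted; after that the record is stale
        self.scavenge_available = 0       # earliest hour a scavenging pass may run
        self.records = {}

    def enable_aging(self, now):
        """Turning aging on sets 'scavenge available' to now + refresh interval."""
        self.aging = True
        self.scavenge_available = now + self.refresh

    def dynamic_update(self, name, now):
        """A host or DHCP server re-registering unchanged data. Returns True if
        the timestamp was written; inside the no-refresh window it is not."""
        ts = self.records.get(name, 0)
        if ts and now < ts + self.no_refresh:
            return False
        self.records[name] = now
        return True

    def age_all_records(self, now):
        """dnscmd /AgeAllRecords stamps every record, static ones included,
        which is why static records have to be marked again afterwards."""
        for name in self.records:
            self.records[name] = now

    def mark_static(self, name):
        """Clear the timestamp; a record with no timestamp is never scavenged."""
        self.records[name] = 0

    def is_stale(self, name, now):
        ts = self.records[name]
        return ts != 0 and now > ts + self.no_refresh + self.refresh

    def scavenge(self, now):
        """One scavenging pass. Returns the names removed, if any."""
        if not self.aging or now < self.scavenge_available:
            return []
        stale = sorted(n for n in self.records if self.is_stale(n, now))
        for n in stale:
            del self.records[n]
        return stale


def thread_scenario():
    """The 7/7 case from the thread with constructed names and times: aging
    enabled and /AgeAllRecords run on 2003-11-13 21:00 UTC, ws02 refreshed
    later, printer kept static."""
    z = Zone(no_refresh=168, refresh=168)
    z.records = {"ws01": 0, "ws02": 0, "printer": 0}
    t_enable = datetime_to_hours(datetime(2003, 11, 13, 21))
    z.enable_aging(t_enable)
    z.age_all_records(t_enable)
    z.mark_static("printer")
    early = z.dynamic_update("ws02", datetime_to_hours(datetime(2003, 11, 17)))  # in no-refresh window
    late = z.dynamic_update("ws02", datetime_to_hours(datetime(2003, 11, 21)))   # accepted
    return {
        "available": hours_to_datetime(z.scavenge_available).isoformat(),
        "early_refresh_written": early,
        "late_refresh_written": late,
        "removed_11_14": z.scavenge(datetime_to_hours(datetime(2003, 11, 14))),
        "removed_11_21": z.scavenge(datetime_to_hours(datetime(2003, 11, 21, 12))),
        "removed_11_28": z.scavenge(datetime_to_hours(datetime(2003, 11, 28))),
        "remaining": sorted(z.records),
    }


if __name__ == "__main__":
    print(hours_to_datetime(3531621))     # decodes the zoneinfo value above
    for key, value in thread_scenario().items():
        print(f"{key}: {value}")
```

Decoded, 3531621 hours is 2003-11-20 21:00 UTC, exactly one refresh interval after the 13 November message date, which is what the enable-time rule predicts. Note also that with both intervals at 168 hours the model does not make a record stamped on 11-13 eligible until both intervals have elapsed: the 11-21 pass removes nothing, and the 11-28 pass removes only the record that was never refreshed, while the static record and the refreshed one survive.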
re: [ActiveDir] cleanup AD connections after move server to different site

2003-11-13 Thread Jef Kazimer
Cindy,

Verify the Subnet data is replicated,  and then trigger the KCC (repadmin /kcc 
server or in Replmon)

You can just delete the connection that was created by the KCC, and when it runs again 
it will add them if needed.

If you moved it to a new site,   and you created the proper site-link,  it will need a 
connection to the other site BTW.

Jef

Original Message:
From: Rittenhouse, Cindy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ActiveDir] cleanup AD connections after move server to different site
Date: Thu, 13 Nov 2003 15:50:01 -0500


A computer consultant in a remote dept decided to promote his member server
to a DC without telling anyone in advance. Since the dept was part of the
default first site, that is where the DC was placed. Not good. Users started
authenticating across the WAN. I created a site for that dept, linked the
subnet, and moved the server. All seems to be well, but the original Active
Directory RPC connections to the other servers in the first site are still
listed under the server NTDS settings. I'm having difficulty finding
documentation on how to clean up or remove these settings. Can someone point
me in the right direction.
Thanks

Cynthia Rittenhouse  MCSE,CCNA
LAN Administrator
County of Lancaster
Lancaster, PA 17602
Phone: (717)293-7274







re: [ActiveDir] Directory Services Restore Password

2003-11-14 Thread Jef Kazimer
Hmm... I think the setpwd was a hack they threw together to address the issue 
quickly.  You'll now find this ability to reset the password in the ntdsutil command 
on Win2003.  The setpwd doesn't exist in 2003 either.

I am not running SP4,  but if you are, you might want to check ntdsutil to see if that 
option was added to it.  It was on the main menu, and I believe "reset DSRM 
password" was the command.

just a thought...

Jef

Original Message:
From: Rocky Habeeb [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Directory Services Restore Password
Date: Fri, 14 Nov 2003 11:47:48 -0500

Good People Of The List,

Please consider answering the following question if you have the time and
inclination:

You've lost control of your Directory Services Restore Password, however,
not to worry, because everything is up and healthy.  So you go to the DC and
log on, switch to %SystemRoot%\System32 and run setpwd.  The system says
Put in the new password.  However, unlike most other password entry
procedures, the system does not echo anything, even asterisks and it does
not ask you to confirm the password.

Is there a method, or tool that you can run to query the DC after the fact
to confirm the password, where it says OK, what is it?  Yes that's
correct.

Thanx in advance for anything you can offer.

-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-







RE: [ActiveDir] Directory Services Restore Password

2003-11-14 Thread Jef Kazimer
Rocky,

That was my question too. :)   I know it does not work with W2k SP3,   but since I 
don't have an SP4 box handy, I can't check if this option is now in NTDSUTIL.

Does anyone here who has an SP4 box handy mind checking out if you can reset the DSRM 
password in NTDSUTIL,  or if it's only in W2k3.

Jef

Original Message:
From: Rocky Habeeb [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Directory Services Restore Password
Date: Fri, 14 Nov 2003 12:46:43 -0500

Yikes.

I forgot to mention, I'm talking W2K not W2K3.

Do you know if that will work in W2K?

Thanks for responding.

RH

_



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jef Kazimer
Sent: Friday, November 14, 2003 12:11 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: re: [ActiveDir] Directory Services Restore Password


Hmm... I think the setpwd was a hack they threw together to address the
issue quickly.  You'll now find this ability to reset the password in the
ntdsutil command on Win2003.  The setpwd doesn't exist in 2003 either.

I am not running SP4,  but if you are, you might want to check ntdsutil to
see if that option was added to it.  It was on the main menu, and I believe
"reset DSRM password" was the command.

just a thought...

Jef

Original Message:
From: Rocky Habeeb [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Directory Services Restore Password
Date: Fri, 14 Nov 2003 11:47:48 -0500

Good People Of The List,

Please consider answering the following question if you have the time and
inclination:

You've lost control of your Directory Services Restore Password, however,
not to worry, because everything is up and healthy.  So you go to the DC
and
log on, switch to %SystemRoot%\System32 and run setpwd.  The system says
Put in the new password.  However, unlike most other password entry
procedures, the system does not echo anything, even asterisks and it does
not ask you to confirm the password.

Is there a method, or tool that you can run to query the DC after the fact
to confirm the password, where it says OK, what is it?  Yes that's
correct.

Thanx in advance for anything you can offer.

-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-











re: [ActiveDir] Sun Formatted Zone Files: Can DNSDump Help?

2003-11-14 Thread Jef Kazimer
I'm currently using the DNSresource.vbs to dump zones to a text file,  then I use 
another VBS I wrote to parse the text file, and re-import the Reverse zones.



The syntax I am using is:

DnsResource /LIST PTR %2.%1.10.in-addr.arpa /S SERVER /O zone\%2-%1-10.dns

%1 and %2 are the B and C octets since I just run it from a command line batch file.

The output creates an entry for each record like this:

  Record Name : 101.176.251.10.in-addr.arpa
  Host Name   : gprdapm998624.northamerica.intra.company.com.
  DNS Server  : abtapdcn02.northamerica.intra.company.com
  Zone: 176.251.10.in-addr.arpa
  Domain  : 176.251.10.in-addr.arpa
  TTL : 900


If your output comes like this,  I can give you the VBS to reimport them, but I don't 
know if DnsResource.vbs works on unix.

If you can send me the output of a DIG dump I can rewrite the syntax for you too.

J

Original Message:
From: Jordan, Jason [EPM/AUS] [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: [ActiveDir] Sun Formatted Zone Files: Can DNSDump Help?
Date: Fri, 14 Nov 2003 11:49:33 -0600

I have a challenge for the group.  I'm sure that someone else out there has
seen this same issue.
 
We are migrating from an NT 4.0 domain and Sun DNS to Windows Server 2003
Active Directory and DNS.  The Sun admins gave us a text file of the DNS
zones, and we were able to successfully import the forward lookup zones to
Windows 2003.  However, the reverse lookup zone import fails with the error
0xc011d501.  My research into this error leads me to believe that the
problem is with the formatting of the text file but I have been unable to
find an example of what a properly formatted DNS zone text file should look
like.
 
So here is my question.  Will the DNSDump utility referenced in this
message, http://www.mail-archive.com/[EMAIL PROTECTED]/msg09084.html,
help us to import reverse lookup zones from the Sun formatted text files?
Is there a specification for what a properly formatted DNS zone text file
should look like, and if so, where can I find it?
 
Please let me know if I left out any pertinent information.  Thanks in
advance for all of your help.

jasonjordan MCSE, MCP+I, MCP 
Sr. SQL DBA/Windows Network Administrator 
Emerson Process Management, Process Systems Division, Austin Data Center 
(512) 832-3191 

 




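An added example, not code from the thread or from the DnsResource tool: a Python parser for the "Record Name / Host Name / Zone / TTL" blocks shown above that checks each PTR owner against its zone and renders the result as BIND-style zone-file lines, the format Jason is asking about. The sample listing is constructed; only its first block is the one quoted in the post, and the other hostnames are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout DnsResource /LIST PTR prints: one block per
# record, blank line between blocks. The first block is the one quoted in the
# post; the other hostnames are made up. The last block is deliberately
# inconsistent (owner name outside its stated zone) to exercise validation.
SAMPLE_LISTING = """\
  Record Name : 101.176.251.10.in-addr.arpa
  Host Name   : gprdapm998624.northamerica.intra.company.com.
  DNS Server  : abtapdcn02.northamerica.intra.company.com
  Zone: 176.251.10.in-addr.arpa
  Domain  : 176.251.10.in-addr.arpa
  TTL : 900

  Record Name : 7.176.251.10.in-addr.arpa
  Host Name   : printer07.northamerica.intra.company.com
  DNS Server  : abtapdcn02.northamerica.intra.company.com
  Zone: 176.251.10.in-addr.arpa
  Domain  : 176.251.10.in-addr.arpa
  TTL : 1200

  Record Name : 33.200.251.10.in-addr.arpa
  Host Name   : fileserver33.northamerica.intra.company.com.
  DNS Server  : abtapdcn02.northamerica.intra.company.com
  Zone: 200.251.10.in-addr.arpa
  Domain  : 200.251.10.in-addr.arpa
  TTL : 900

  Record Name : 5.176.251.10.in-addr.arpa
  Host Name   : stray05.northamerica.intra.company.com.
  DNS Server  : abtapdcn02.northamerica.intra.company.com
  Zone: 200.251.10.in-addr.arpa
  Domain  : 200.251.10.in-addr.arpa
  TTL : 900
"""

_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


@dataclass(frozen=True)
class PtrRecord:
    owner: str  # full owner name, lower-case, no trailing dot
    zone: str   # zone the record lives in, same normalisation
    host: str   # target name, always absolute (trailing dot)
    ttl: int


def ptr_to_ip(owner):
    """Map an in-addr.arpa owner name back to a dotted IPv4 address, or None."""
    labels = owner.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    octets = labels[3::-1]  # the four numeric labels, reversed back to address order
    if not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(octets)


def parse_listing(text):
    """Parse the record blocks. Returns (records, rejected); rejected holds
    (owner, reason) for blocks that are incomplete or inconsistent."""
    records, rejected = [], []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = _FIELD.match(line)
            if m:
                fields[m.group(1).strip().lower()] = m.group(2)
        owner = fields.get("record name", "").lower().rstrip(".")
        zone = fields.get("zone", "").lower().rstrip(".")
        host = fields.get("host name", "")
        ttl = fields.get("ttl", "900")
        if not (owner and zone and host and ttl.isdigit()):
            rejected.append((owner, "missing or malformed field"))
        elif ptr_to_ip(owner) is None:
            rejected.append((owner, "not a valid in-addr.arpa owner name"))
        elif not owner.endswith("." + zone):
            rejected.append((owner, "owner not inside zone " + zone))
        else:
            if not host.endswith("."):
                host += "."  # unqualified targets would be expanded under $ORIGIN on import
            records.append(PtrRecord(owner, zone, host, int(ttl)))
    return records, rejected


def zones(records):
    return sorted({r.zone for r in records})


def zone_file(records, zone):
    """Render one reverse zone's PTR records as zone-file lines under an $ORIGIN."""
    mine = [r for r in records if r.zone == zone]
    rel = lambda r: r.owner[: -len(zone) - 1]  # owner relative to the zone origin
    lines = ["$ORIGIN " + zone + "."]
    for r in sorted(mine, key=lambda r: [int(x) for x in reversed(rel(r).split("."))]):
        lines.append("%s\t%d\tIN\tPTR\t%s" % (rel(r), r.ttl, r.host))
    return "\n".join(lines) + "\n"
```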


[ActiveDir] FRS and Ultrasound

2003-11-19 Thread Jef Kazimer
Sooo...


I've finally deployed the latest FRS version (june 2003) and already I am seeing 
things clean up nicely!

Only problem has been with Ultrasound (I LOVE free tools like these!) that once the 
provider is deployed,  I can't get data and the provider gives these errors:

Recording NtFrs Performance Counters Failed to add FRS perfcounter 
\FileReplicaSet(_Total)\KB of Staging Space In Use (0xcbb8):  
(CWMIPerfCounterSet::GetData 468)  11/19/2003 3:03:15 PM   not set   True
00:00:4127.6 KB (28,232 bytes)


It's trying to add it to WMI providers, but fails.  I don't know how to manually 
correct this,  as de-installing and re-installing the provider fails with the same 
error.


Any thoughts?

Jef




[ActiveDir] Mirror OU structure to Test

2003-11-21 Thread Jef Kazimer
Hi all,

I have an urgent need to mirror our production OU structure to our Test Platform.   Is 
anyone aware of a script or tool where I can export and import the structure?

If so...would they share? :)

I think I can write something, but if anyone has a pointer in the right direction to 
an already existing one, that would help out a lot!

Thanks,

Jef




RE: [ActiveDir] Mirror OU structure to Test

2003-11-21 Thread Jef Kazimer
Hunter,

Awesome!  I was just looking at the syntax for LDIFDE too, but this was easy! :)

Jef

Original Message:
From: Coleman, Hunter [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Mirror OU structure to Test
Date: Fri, 21 Nov 2003 14:00:43 -0700

http://support.microsoft.com/?kbid=237677 has an example of how to do this
with LDIFDE. Very easy and fast

Hunter 

-Original Message-
From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 21, 2003 1:32 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [ActiveDir] Mirror OU structure to Test

Hi all,

I have an urgent need to mirror our production OU structure to our Test
Platform.   Is anyone aware of a script or tool where I can export and
import the structure?

If so...would they share? :)

I think I can write something, but if anyone has a pointer in the right
direction to an already existing one, that would help out a lot!

Thanks,

Jef








[ActiveDir] DNS, Reverse and Limit

2003-11-25 Thread Jef Kazimer
ok...Try to stick with me, as I explain this mess.

Having inherited DNS,  it appears that scavenging was never put on for the DHCP 
scopes, and there are over 60k of dead PTR records to clean up.  Unfortunately it 
was never turned on, since the fear of static records being wiped in the process if 
addresses had time stamps on them.

Originally they had Class B addresses,  but there is a clear designation of Dynamic 
subnets and static subnets, so we are converting the class B to class C's since the 
zone level is where we can set scavenging times, and what not.

The problem with this is,  it will create a HUGE number of reverse zones (looking at 
around 600-1000!)

My question is, is there a hard limit as to how many zones that can be handled? 

With the cleaned up zones there might be only a few records per zone (some had over 
1500!!!), so the data might not be that high.  It's just spread out amongst many zones.

Jef




RE: [ActiveDir] DNS, Reverse and Limit, and Searching for Static Records

2003-11-26 Thread Jef Kazimer
Roger,

Thanks for the Reply!

Well I can say it can handle well over a 100. :)   I'm just second guessing
this strategy, but unfortunately it's the only way I can think of cleaning
up records.

A problem was that with the Class B zones, I needed to AgeAll records to
clean up the thousands of dead records via scavenging.  This would then Age
even the Static records, and then I'd be hosed once it scavenged. :(   I'm
talking 115,000 PTR records and 33,000 A records, so it was a huge mess when
I came to this place.

So I've identified each of the DHCP zones, and broke them off into their own
class C subnet, and set their scavenging times to what the lease times are
for that zone.  This definitely seems to keep them clean, and tidy, which is
a huge relief.  The support folks were constantly complaining about the dead
PTR records and everyone is happy now.


I've written WMI scripts to pull the records into a SQL backend, where I can
keep count of how many records are in each zone.  This way I can identify
the problem zones and convert them.   The process of conversion is pretty
simple, just an export, and import, and an AgeAll to the records (this is my
concern here, if a static was there it would be wiped too), and let the
scavenging time expire.

So,  My next quest will be to determine just how many static records there
are in the AD zones.   WMI seems blind to this,  as I can't find any
property of the MicrosoftDNS_PTRType to tell me this.

Since they are AD zones,  each record does have a property called
dnsTombstone.   I believe this is what sets the GUI flag for the "Delete
this record after".  The Values seem to be True, False, and null.   I'm
not sure what the difference between Null or False are yet,  but I suspect
this might be the searchable value to pull a list of static entries out of
AD.   Any experience with that?

I'm wondering if and when we get these zones clean,  if it would be better
to ClassB the DHCP zones, and create classC's for the Static zones and turn
scavenging off.

Jef


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, November 26, 2003 6:01 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS, Reverse and Limit

Two things.

I've not noticed a limit to the number of zones, but I've also only tried
about 100 (but that was in production, so take that for whatever it's worth).

Second - manually entered records don't get scavenged, only those which are
dynamically registered. Therefore, you should be able to enable scavenging
then use dnscmd.exe from the reskit to force age all records.

When I've migrated DNS from Unix/BIND to Windows 2000, I've always done it
via a zone transfer from BIND to Windows, then changing the zone to AD
Integrated. In that experience, none of the records brought over via the
xfer process are marked for aging, so I see no reason to worry about it at
this point.

Personally, I'd keep the supernetted reverse zones - we use class B ranges
for our hub offices, and I just roll all the subnets (usually between 5 and
20) into a single reverse zone.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, November 25, 2003 4:17 PM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: [ActiveDir] DNS, Reverse and Limit
 
 
 ok...Try to stick with me, as I explain this mess.
 
 Having inherited DNS,  it appears that scavenging was never 
 put on for the DHCP scopes, and there are over 60k of dead 
 PTR records to clean up.  Unfortunately it was never turned 
 on, since the fear of static records being wiped in the 
 process if addresses had time stamps on them.
 
 Originally they had Class B addresses,  but there is a clear 
 designation of Dynamic subnets and static subnets, so we are 
 converting the class B to class C's since the zone level is 
 where we can set scavenging times, and what not.
 
 The problem with this is,  it will create a HUGE number of 
 reverse zones (looking at around 600-1000!)
 
 My question is, is there a hard limit as to how many 
 zones that can be handled? 
 
 With the cleaned up zones there might be only a few records 
 per zone (some had over 1500!!!), so the data might not be 
 that high.  It's just spread out amongst many zones.
 
 Jef
 
 



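An added example, not from the thread: Python that decodes the timestamp carried in an AD-integrated record's dnsRecord attribute, which is what the DNS console reads to show whether a record is static, and sorts records into static / aged / tombstoned. It assumes the DNS_RPC_RECORD layout from the MS-DNSP specification (24-byte header, TimeStamp in hours since 1601-01-01 UTC, 0 meaning no timestamp) and the node's dNSTombstoned attribute (the property the thread calls dnsTombstone); the sample blobs are constructed and no directory is queried.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DNS_TYPE_A, DNS_TYPE_PTR = 1, 12
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Windows defaults for the no-refresh and refresh intervals: 7 days each.
DEFAULT_NO_REFRESH_H = DEFAULT_REFRESH_H = 7 * 24


@dataclass(frozen=True)
class DnsRecord:
    rtype: int
    ttl: int
    serial: int
    timestamp_hours: int  # hours since 1601-01-01 UTC; 0 = no timestamp
    data: bytes

    @property
    def is_static(self) -> bool:
        # A record without a timestamp is what the console shows as static;
        # scavenging never touches it, whatever the zone settings are.
        return self.timestamp_hours == 0

    @property
    def timestamp(self) -> Optional[datetime]:
        return None if self.is_static else _EPOCH_1601 + timedelta(hours=self.timestamp_hours)


def hours_since_1601(dt: datetime) -> int:
    return (dt - _EPOCH_1601) // timedelta(hours=1)


def parse_dns_record(blob: bytes) -> DnsRecord:
    """Decode the DNS_RPC_RECORD header (assumed MS-DNSP layout) and its data."""
    if len(blob) < 24:
        raise ValueError("dnsRecord blob shorter than its 24-byte header")
    data_len, rtype, version, _rank, _flags, serial = struct.unpack_from("<HHBBHI", blob, 0)
    (ttl,) = struct.unpack_from(">I", blob, 12)  # TtlSeconds is big-endian
    _reserved, ts = struct.unpack_from("<II", blob, 16)
    data = blob[24:24 + data_len]
    if version != 5 or len(data) != data_len:
        raise ValueError("unexpected record version or truncated data")
    return DnsRecord(rtype, ttl, serial, ts, data)


def build_dns_record(rtype: int, ttl: int, serial: int, timestamp_hours: int, data: bytes) -> bytes:
    """Inverse of parse_dns_record; used here only to construct sample blobs."""
    return (struct.pack("<HHBBHI", len(data), rtype, 5, 0xF0, 0, serial)
            + struct.pack(">I", ttl) + struct.pack("<II", 0, timestamp_hours) + data)


def classify(blob: bytes, dns_tombstoned: Optional[bool], now: datetime,
             no_refresh_h: int = DEFAULT_NO_REFRESH_H, refresh_h: int = DEFAULT_REFRESH_H) -> str:
    """Sort one record into tombstoned / static / aged-fresh / aged-scavengeable.

    dns_tombstoned is the node's dNSTombstoned attribute (None when not set).
    An aged record becomes eligible once no-refresh + refresh hours have passed
    since its timestamp; /AgeAll restarts that window for every record."""
    if dns_tombstoned:
        return "tombstoned"
    rec = parse_dns_record(blob)
    if rec.is_static:
        return "static"
    if rec.timestamp + timedelta(hours=no_refresh_h + refresh_h) <= now:
        return "aged-scavengeable"
    return "aged-fresh"


def a_record_ip(rec: DnsRecord) -> Optional[str]:
    """Dotted address of an A record (the only data format decoded here)."""
    if rec.rtype != DNS_TYPE_A or len(rec.data) != 4:
        return None
    return ".".join(str(b) for b in rec.data)


def demo() -> dict:
    """Constructed sample blobs judged as of 2003-11-26 UTC (a fixed 'now')."""
    now = datetime(2003, 11, 26, tzinfo=timezone.utc)
    stamp = lambda d: hours_since_1601(datetime(2003, 11, d, tzinfo=timezone.utc))
    a_data = bytes([10, 251, 176, 101])  # constructed address
    ptr_data = b"\x00"                    # PTR data is not decoded here
    return {
        "static server A": classify(build_dns_record(DNS_TYPE_A, 3600, 1, 0, a_data), None, now),
        "dhcp PTR seen Nov 1": classify(build_dns_record(DNS_TYPE_PTR, 900, 2, stamp(1), ptr_data), False, now),
        "dhcp PTR seen Nov 20": classify(build_dns_record(DNS_TYPE_PTR, 900, 3, stamp(20), ptr_data), False, now),
        "tombstoned node": classify(build_dns_record(0, 0, 4, stamp(1), ptr_data), True, now),
    }
```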


RE: [ActiveDir] DNS, Reverse and Limit

2003-11-26 Thread Jef Kazimer
Michael,

Sheez...The Zone Transfers alone must be mind boggling :)

Do you see any performance hits with so many zones?   I'm not seeing any so
far, but I am curious if I will.   I do notice the startup time of DNS is
wretched, but that I expected on bootup.

Jef

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, November 26, 2003 7:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS, Reverse and Limit

I've got 809 zones in production, right now. Standard primaries tho (not
A/D integrated). 

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, November 26, 2003 7:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS, Reverse and Limit

Two things.

I've not noticed a limit to the number of zones, but I've also only
tried about 100 (but that was in production, so take that for whatever
it's worth).

Second - manually entered records don't get scavenged, only those which
are dynamically registered. Therefore, you should be able to enable
scavenging then use dnscmd.exe from the reskit to force age all records.

When I've migrated DNS from Unix/BIND to Windows 2000, I've always done
it via a zone transfer from BIND to Windows, then changing the zone to
AD Integrated. In that experience, none of the records brought over via
the xfer process are marked for aging, so I see no reason to worry about
it at this point.

Personally, I'd keep the supernetted reverse zones - we use class B
ranges for our hub offices, and I just roll all the subnets (usually
between 5 and
20) into a single reverse zone.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Jef Kazimer [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, November 25, 2003 4:17 PM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: [ActiveDir] DNS, Reverse and Limit
 
 
 ok...Try to stick with me, as I explain this mess.
 
 Having inherited DNS,  it appears that scavenging was never put on for
 the DHCP scopes, and there are over 60k of dead
 PTR records to clean up.  Unfortunately it was never turned on, since 
 the fear of static records being wiped in the process if addresses had
 time stamps on them.
 
 Originally they had Class B addresses,  but there is a clear 
 designation of Dynamic subnets and static subnets, so we are 
 converting the class B to class C's since the zone level is where we 
 can set scavenging times, and what not.
 
 The problem with this is,  it will create a HUGE number of reverse 
 zones (looking at around 600-1000!)
 
 My question is, is there a hard limit as to how many zones that 
 can be handled?
 
 With the cleaned up zones there might be only a few records per zone 
 (some had over 1500!!!), so the data might not be that high.  It's 
 just spread out amongst many zones.
 
 Jef
 
 





RE: [ActiveDir] DNS, Reverse and Limit, and Searching for Static Records

2003-11-26 Thread Jef Kazimer
They can't be,  unless you use the /AgeAll in DNSCMD.

It adds a timestamp to ALL records within that zone.   This makes them
ready for scavenging (if the zone and server have it on).

Since scavenging was not on originally, the PTR records have no timestamps.
Even so, the zones had it off, so I had to turn it on the zones/server, and
then /AgeAll the zones.   If I didn't the PTR records would never be
scavenged.

But, since there is no way to determine if it was a static record or one
created by DHCP/client they all would get the timestamp.

The case would be in the smaller offices, where they would have maybe 10
legacy servers, and 90 clients on one subnet.   Aging all those records
would make sure those PTRs are clean, but the server records would get
timestamps as well, and be wiped.

If after I cleaned the zone,   set scavenging on for new dynamic record,
then used DNSCMD to add in the static records, they would not be scavenged
since they would not have a timestamp, and life would be good. :)

I just need to be 100% sure that I got all the static records, and I'm not
putting faith in the DNS admins that they recorded all the records they put
in. :(


http://www.tburke.net/info/suptools/topics/dnscmd_ageallrecords.htm1



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, November 26, 2003 8:03 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS, Reverse and Limit, and Searching for Static
Records

I wasn't aware that statically entered records could be scavenged - wouldn't
that defeat the purpose of it being static?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, November 26, 2003 8:53 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] DNS, Reverse and Limit, and 
 Searching for Static Records
 
 
 Roger,
 
 Thanks for the Reply!
 
 Well I can say it can handle well over a 100. :)   I'm just second guessing
 this strategy, but unfortunately it's the only way I can think of cleaning
 up records.
 
 A problem was that with the Class B zones, I needed to AgeAll records to
 clean up the thousands of dead records via scavenging.  This would then Age
 even the Static records, and then I'd be hosed once it scavenged. :(   I'm
 talking 115,000 PTR records and 33,000 A records, so it was a huge mess when
 I came to this place.
 
 So I've identified each of the DHCP zones, and broke them off into their own
 class C subnet, and set their scavenging times to what the lease times are
 for that zone.  This definitely seems to keep them clean, and tidy, which is
 a huge relief.  The support folks were constantly complaining about the dead
 PTR records and everyone is happy now.
 
 
 I've written WMI scripts to pull the records into a SQL backend, where I can
 keep count of how many records are in each zone.  This way I can identify
 the problem zones and convert them.   The process of conversion is pretty
 simple, just an export, and import, and an AgeAll to the records (this is my
 concern here, if a static was there it would be wiped too), and let the
 scavenging time expire.
 
 So,  My next quest will be to determine just how many static records there
 are in the AD zones.   WMI seems blind to this,  as I can't find any
 property of the MicrosoftDNS_PTRType to tell me this.
 
 Since they are AD zones,  each record does have a property called
 dnsTombstone.   I believe this is what sets the GUI flag for the "Delete
 this record after".  The Values seem to be True, False, and null.   I'm
 not sure what the difference between Null or False are yet,  but I suspect
 this might be the searchable value to pull a list of static entries out of
 AD.   Any experience with that?
 
 I'm wondering if and when we get these zones clean,  if it would be better
 to ClassB the DHCP zones, and create classC's for the Static zones and turn
 scavenging off.
 
 Jef
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Roger Seielstad
 Sent: Wednesday, November 26, 2003 6:01 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] DNS, Reverse and Limit
 
 Two things.
 
 I've not noticed a limit to the number of zones, but I've also only tried
 about 100 (but that was in production, so take that for whatever it's worth).
 
 Second - manually entered records don't get scavenged, only those which are
 dynamically registered. Therefore, you should be able to enable scavenging
 then use dnscmd.exe from the reskit to force age all records.
 
 When I've migrated DNS from Unix/BIND to Windows 2000, I've always done it
 via a zone transfer from BIND to Windows, then changing the zone to AD
 Integrated. In that experience, none of the records brought over via the
 xfer process are marked

[ActiveDir] ADMap 1.6.2

2003-12-03 Thread Jef Kazimer
Actually I just used the ADmap 1.6.2 utility last night.  I believe it came out of MS 
consulting services from Germany. (it says so in the about)

It reads your Sites structure and builds it into a rather unwieldy VISIO map.  You 
will need a Plotter to print it out, and it's not perfect.   Not bad for an automap 
tool though.

It doesn't do OU structure, just your sites, connections, and server diagrams.
I don't know where I came across this utility, but it should be around.

Original Message:
From: Mark Caldwell [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Diagraming
Date: Wed, 3 Dec 2003 12:45:53 -0800

Official word on this subject from MS site-

Microsoft Office Visio(r) 2003 
 

One question we hear often about Visio 2003 is what happened to the
Autodiscovery feature?

The short answer is that it is no longer available. Visio 2003 cannot
import directory services information, such as an existing Active
Directory structure. Visio 2003 also cannot discover and diagram a
network using SNMP. 

These features were part of the Visio Enterprise Network Tools add-on to
Visio 2002 and Visio 2000 Enterprise Edition (but not Visio Professional
2002, Visio for Enterprise Architects, or Visio 2000 Professional
Edition). 

Based on customer feedback, we invested our resources in improving the
other network diagramming tools and creating new features that benefit a
broad cross-section of Visio users, like being able to track comments or
publish diagrams to a SharePoint workspace.

For Visio 2003, we did make several improvements to the network
diagramming tools, including a new rack diagramming template, a new
library of network diagramming shapes that look much better than the
earlier ones and have a consistent set of custom properties, and three
new pre-defined reports for extracting data from your network diagrams.

If you want to use Visio to map your network, you might want to check
out the various third-party products that are available, such as the
Optiview Console (formerly Network Inspector) and LAN MapShot products
from Fluke Networks. Both of these products use Visio to generate
detailed diagrams of discovered network devices.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, December 03, 2003 12:13 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD Diagraming

Understood.  For discovery, that's why I recommended something like Ecora.
Usually during discovery, you have a lot more information that's required
other than topology and OU structure.  Not everyone has that requirement I
suppose...


al 

-Original Message-
From: Rich Milburn [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 03, 2003 3:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Diagraming

I see what you mean Al, but like where I used to work, sometimes you don't
have the budget to buy yet another 3rd party add-on tool when you just need
basic functionality.  I imagine MS has to be more careful to leave room for
3rd party development in light of the fact everyone wants to sue them it
seems, but sometimes it makes it more difficult on the tech who just wants
to do his job... (the whole JavaVM issue is maybe an example of 3rd party
adding complexity at the expense of the admins?)

Visio 2000 has the ability to do AD diagramming, though I've personally
never used it for discovery, just diagramming. I liked the 2002 look and
feel but stuck with my copy of 2000 Enterprise Edition.

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 1:48 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD Diagraming

Now that's a pretty broad statement, don't you think?  They didn't break
anything by removing further development of the visio enterprise network
tools (that's what it's called).  As was said in the thread, it does a fine
job of diagramming the OU structure, but doesn't really look at the larger
picture anyway.  Hence the recommendation to look at the product I posted
the link for.  

What's really typical here, is a strategy to create and sell products that
do what the customers want, but also to leave room for third party
developers to make a living by writing products that work with Microsoft
products.  I'm not seeing the issue, but maybe I'm alone with that view?


Al 

-Original Message-
From: Steck, Herb [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 12:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Diagraming

Typical MS.  Break something that works, but don't fix what is broke.

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 03, 2003 11:50 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD Diagraming


That does suck, doesn't it?

Some tools that I've seen that work well (but aren't free) come with this
product http://www.ecora.com/ecora/products/reporter.asp

Gathers a lot of useful 

re: [ActiveDir] Userenv.log error

2003-12-12 Thread Jef Kazimer
Usually a Failure of 5 is Access Denied

turn on Winlogon Logging, and then use secedit to reapply security policies.  It will 
create the winlogon.log in the C:\winnt\security\logs directory.

Read through the log and you should see where the error is happening.

Search Technet for the keywords of winlogon.log and you should find the KB article 
with the registry key location.  Sorry I don't remember it off hand. :)

Jef

Original Message:
From: ActiveDirList-PPC [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Userenv.log error
Date: Fri, 12 Dec 2003 16:18:33 -0500

Anybody know of good resources for finding more info on the following
error

USERENV(52e8.5f2c) 15:32:55:476 RegisterGPNotification: CreateEvent
failed with 5

I've been having some GP oddities today and the userenv.log files on the
affected systems are covered up with this.  Google returns some sites,
but most seem to be msdn sites about API programming reference, and a
security paper in German which I have not been able to decipher yet.
Thanks,
KC Brown







RE: [ActiveDir] UF_MNS_LOGON_ACCOUNT userflag

2004-01-09 Thread Jef Kazimer
Thanks for the link.

I saw the reference to the Node set too, but it made no sense to me.  We haven't 
rolled 2003 out in any of production, and even so,  this userflag seems like it was 
around in 2000 and maybe before that too.   Stupid cross naming stuff! grrr

I see it referenced with a lot of SAMBA info, but it always related back to the same 
description from the MSDN win32API which is useless

Perhaps it's a userflag for backwards compat, but it's no longer really used so it's 
not in the GUI? So where did it come from.

These users were migrated from Nt4 to win2000 AD, so maybe there is a link there?!

When the Account ops go to reset these users passwords in the MMC they get "The 
procedure cannot be found" but if I do it from a DA, it works fine.  You'd think it's 
an account access problem right?   well, the ACLs are the same on all the users in 
that OU,  and the only difference I can see is that they have that flag...AND there is 
a 4 hour window on 1 day they are not permitted to logon.  I tried duplicating that 
schedule on a user to see if it caused the flag to appear, but it didn't.


I don't want to remove the flag to see if it fixes the problem, if I don't know what 
it is there for in the first place...

Thanks again though.

Original Message:
From: Rich Milburn [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] UF_MNS_LOGON_ACCOUNT userflag
Date: Fri, 9 Jan 2004 16:58:39 -0600

Search on Majority Node Set - here's an article - 
http://tinyurl.com/2knrw -
Server Clusters: Majority Node Set Quorum
It is a ... new quorum type available in Windows Server 2003 clusters -
majority node set (MNS) clusters.

I'm with you, I'm not sure where to find it in the GUI, or what exactly it's
for.  I think the references I've seen to it have been copied from others
(defining constants in VBScripts).

Do you have Windows Server 2003 clusters there?  Could it be related to
them?

Anyway, happy hunting :)

Rich


-Original Message-
From: Jef Kazimer [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 09, 2004 4:28 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [ActiveDir] UF_MNS_LOGON_ACCOUNT userflag

Does anyone know what the UF_MNS_LOGON_ACCOUNT Userflag is, and how it's
set in a GUI?   I'm seeing weird errors with some users and noticed they
have this userflag set.   I don't know what it is, and all documentation I
can find gives a description of Not an MNS user on the web.

What is an MNS user? What is MNS?   How did this get set?  and what is it
doing?

I can set the flag with an ADSI script, but other than that, I don't know
where it came from?

Thanks,

Jef


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE---
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or
any attachments. This information is strictly confidential and may be
subject to attorney-client privilege. This message is intended only for the
use of the named addressee. If you are not the intended recipient of this
message, unauthorized forwarding, printing, copying, distribution, or using
such information is strictly prohibited and may be unlawful. If you have
received this in error, you should kindly notify the sender by reply e-mail
and immediately destroy this message. Unauthorized interception of this
e-mail is a violation of federal criminal law. Applebee's International,
Inc. reserves the right to monitor and review the content of all messages
sent to and from this e-mail address. Messages sent to or from this e-mail
address may be stored on the Applebee's International, Inc. e-mail system.






RE: [ActiveDir] MNS user flag - fixed

2004-01-19 Thread Jef Kazimer
Rich,

I have to say the latest MS rep we had was absolutely excellent. :)   I
won't say his name, but he's out of the Dallas offices, and we all would
request him again in the future.

He really tried to sit there and troubleshoot, and when he couldn't he got
all the right resources together to solve most of our issues.

Jef

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, January 19, 2004 7:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MNS user flag - fixed

Nice to hear that they did look at the source code though when they felt
they needed to - I've seen other companies pass around a call for weeks
trying to figure out something like command line parameters of their own
product, and a simple query to the developers would have resolved the issue.



-Original Message-
From: joe [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 16, 2004 4:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MNS user flag - fixed

Thanks for the info, I was curious on that after seeing the initial post.

That shouldn't have required them to look at source code... That sucks. Good
example of poor documentation both publicly and internally.

   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Friday, January 16, 2004 11:54 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [ActiveDir] MNS user flag - fixed

Last week I posted here questioning what the UF_MNS_ACCOUNT user flag was
and how it got on my users.  We were getting the Procedure cannot be found
error when resetting their passwords.

After talking with MS,  they looked at the source code to determine it is
related to the Netware services from a previous domain.   There are KB
articles related to it, but it never references the User flag so I could not
find it.  Searching on NWLOGIN will bring it up in the KB.

Anyway,  the corruption we had was due to userParameters for the user object
containing values related to the Netware that the DLL no longer existed for.
Writing scripts to grab the UP's parse them to validate they only contained
NW info, and then NULLing them solved our problem.

I am going to assume MNS stands for Microsoft Netware Services. :)


I just wanted to share in case anyone here runs into this problem in the
future, and it should be googled in the archive. :)

Jef
Abbott Labs


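An added example (not Jef's script, which is not on the page) of how the same triage can be done today with the ActiveDirectory PowerShell module: enumerate users whose userAccountControl carries the ADS_UF_MNS_LOGON_ACCOUNT bit (0x20000, from the ADS_USER_FLAG_ENUM definition), show whether userParameters is populated, and only clear it behind -WhatIf. The search base and the decision to clear are assumptions. The clearing step is where care is needed: userParameters also stores Terminal Services profile and home-directory settings, which is why Jef's script validated that the blob held nothing but NetWare data before nulling it.

```powershell
# Added example: audit users carrying the UF_MNS_LOGON_ACCOUNT flag.
# Not the script from the thread; assumes the ActiveDirectory module (RSAT)
# and a search base of your choosing.
Import-Module ActiveDirectory

$UF_MNS_LOGON_ACCOUNT       = 0x20000                    # ADS_UF_MNS_LOGON_ACCOUNT
$LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'   # bitwise AND matching rule

function Get-MnsFlaggedUser {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName   # assumption: whole domain
    )
    # Only users with the 0x20000 bit set in userAccountControl come back.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:$LDAP_MATCHING_RULE_BIT_AND:=$UF_MNS_LOGON_ACCOUNT))"

    Get-ADUser -SearchBase $SearchBase -LDAPFilter $filter `
               -Properties userAccountControl, userParameters |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                DistinguishedName  = $_.DistinguishedName
                UserAccountControl = ('0x{0:X}' -f $_.userAccountControl)
                # Length of the opaque userParameters string; 0 means nothing to clean.
                UserParametersLen  = if ($_.userParameters) { $_.userParameters.Length } else { 0 }
            }
        }
}

function Clear-MnsUserParameters {
    # Nulls userParameters for the piped users. Run it only after confirming the
    # attribute holds nothing but stale NetWare data: the same attribute carries
    # Terminal Services profile/home-directory settings for the user.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(ValueFromPipeline = $true)] $User
    )
    process {
        if ($PSCmdlet.ShouldProcess($User.DistinguishedName, 'Clear userParameters')) {
            Set-ADUser -Identity $User.DistinguishedName -Clear userParameters
        }
    }
}

# Usage: report first, clear only after review (drop -WhatIf deliberately).
$flagged = Get-MnsFlaggedUser
$flagged | Format-Table -AutoSize
$flagged | Where-Object UserParametersLen -gt 0 | Clear-MnsUserParameters -WhatIf
```

The report step is safe to run anywhere; the clear step is the one to keep behind -WhatIf until the contents of userParameters on the flagged accounts have been inspected.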


RE: [ActiveDir] How to track object deletion?

2004-01-19 Thread Jef Kazimer
I've been looking at ways for tracking static DNS record changes.   So far
I've been focusing on the dnsTombstoned property which has 3 values of
NULL, TRUE, and FALSE.

Perhaps you can see if that object has a similar property?  I'm not at an AD
terminal now, so I can't check, but it might be something you can check on.

Just an Idea. :)

J

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, January 19, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How to track object deletion?

Hello, AD gurus.
I' ve been developing a DirSync program that tracks for object changes in
AD.
Everything is fine except for object deletion.
When AD object is deleted, as everybody knows here, it is tombstoned. As I
figured out that means that the object is moved to the 
hidden container called 'Deleted Objects'. So when I delete an object
DirSync returns me the following

CN=user1\DEL:5fce35d1-42dc-4d42-b4d6-fd4a5c773acd,CN=Deleted
Objects,DC=sbhbd1,DC=local

as the DN of changed object.

In the example above I deleted object with DN: CN=user1,CN=Users,
DC=sbhbd1,DC=local.
But I've lost some part of original object DN like: * ,CN=Users, *

The question is: How to track AD objects deletion? I need to know  object
original DN, but AD hides it from me.
I don't want to keep a copy of original AD or whatever similar to it.

Thanks in advance! 



--
Best regards,
   (mailto:[EMAIL PROTECTED])19.01.2004, 18:27


[ActiveDir] ntfrsutl inlog command - How to clear old files? FRS problems

2004-01-20 Thread Jef Kazimer

We have some servers with slow connections due to some political site link 
connections times.  What I believe is happening is that the replication window is not 
sufficient to propagate all the changes, and when the changes reach to the box,  the 
files it's expecting to change are no longer there.

Ultrasound reports these as Sharing Violations due to the fact they are in 
IBCO_INSTALL_RETRY.  It assumes a process is holding them open, when in fact they are 
not.

The question is how do I clear these out of the ntfrs db to ignore those changes?   
One article I found (and can't refind!) suggested  clearing the connection on the 
server,  and restarting FRS service to clear the entries.   This worked for a few 
servers, but it seems those with manual connections it will not clear the inlog.

Anyone know a better way?  Or if anything, where to find more documentation?  the 
ntfrsutl I would expect to maybe have a switch to clear entries like this, but it does 
not.

I have entries dating back to 2002... ugh...

Here is an example of 1 inlog result.  I have this on 80 some servers.  Notice the old 
dates, and 0'd out info.

Any help would be greatly appreciated, as I am having reservation on moving forward 
with a 2003 upgrade, until FRS is happy.

---

Table Type: Inbound Log Table for DOMAIN SYSTEM VOLUME (SYSVOL SHARE) (1)
SequenceNumber   : 1291
Flags: 004a Flags [VVAct Locn Retry ]
IFlags   : 0001 Flags [IFlagVVRetireExec ]
State: 000f  CO STATE:  IBCO_INSTALL_DEL_RETRY
ContentCmd   :  Flags [Flags Clear]
Lcmd : 0003  D/F 1   Delete
FileAttributes   : 0030 Flags [DIRECTORY ARCHIVE ]
FileVersionNumber: 0006
PartnerAckSeqNumber  : 0012e131
FileSize :  
FileOffset   :  
FrsVsn   : 01c3b10e 7cd46dbf
FileUsn  :  82386de8
JrnlUsn  :  9edfe1a0
JrnlFirstUsn :  9edfe1a0
OriginalReplica  : 1  [???]
NewReplica   : 1  [???]
ChangeOrderGuid  : 8bbb9663-f7ee-498b-92b10db4077d4c1b
OriginatorGuid   : 656571a6-cac6-418b-950e50a8729c476e
FileGuid : 47a88a6c-2a59-4847-99752abc6e089242
OldParentGuid: 104f9971-95ad-4edc-934e073d9f62963f
NewParentGuid: 104f9971-95ad-4edc-934e073d9f62963f
CxtionGuid   : 9a9ddaf7-96c9-4730-a897861cf726df42
Spare1Ull: Sat Nov  8, 2003 14:01:00
MD5CheckSum  : MD5:     
RetryCount   : 0
FirstTryTime : Thu Dec 18, 2003 20:05:35
EventTime: Thu Dec 18, 2003 18:31:43
FileNameLength   :   76
FileName : {74F20E4C-B574-4A73-8879-C4330F02519A}




RE: [ActiveDir] Identify STATIC records in AD DNS

2004-06-09 Thread Jef Kazimer
Ugh...Why do I get blinded by complexity?!

I didn't even think to use the /Detail switch!  This is perfect, as I can parse the 
output and identify them.

J

Original Message:
From: Deji Akomolafe [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Identify STATIC records in AD DNS
Date: Mon, 7 Jun 2004 20:22:37 -0700

Have you tried parsing the output of dnscmd DNSServerName /ZonePrint ZoneName 
/Detail ?

Records without scavenging timestamp will have the following clue: dwTimeStamp  = 0 
([ 0: 0: 0] [ 1/ 1/1601])

HTH

Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon



From: Jef
Sent: Mon 6/7/2004 6:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Identify STATIC records in AD DNS


Hi there,

Does anyone know of a way to programmatically identify STATIC records within
an AD integrated DNS zone?

The DNS manager gui can show if a record has a timestamp or not, but with
100's of thousands of records you can't check them all.

I've looked for a property I can search on using ADSI or WMI, but have not
found anything consistent.

The closest I found is the AD property dnsIsTombstoned.  It appears to have
3 values:

TRUE = Already tombstoned and will be replicated
FALSE = Not tombstoned yet, but can be
not set = Will not be scavenged.

This is not 100% though, so I think I am missing something else.

Thanks,

Jef Kazimer



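An added example, not code from the thread, showing the ADSI/LDAP route Jef was originally looking for instead of parsing dnscmd output. Each dnsNode object in an AD-integrated zone carries one dnsRecord value per resource record, laid out as the DnsRecord structure from MS-DNSP: the 32-bit TimeStamp field at byte offset 20 is the number of hours since 1601-01-01 UTC, and it is zero for a static (non-aging) record. That is the same value dnscmd /ZonePrint /Detail prints as dwTimeStamp = 0 ([ 0: 0: 0] [ 1/ 1/1601]). The zone name and the DomainDnsZones partition are assumptions; the record-type table is only a convenience for the report.

```powershell
# Added example: list static (non-aging) records in an AD-integrated zone by
# reading the dnsRecord attribute of each dnsNode object. Not from the thread.
# Assumptions: ActiveDirectory module available; zone stored in DomainDnsZones
# (change $Partition for ForestDnsZones or the legacy CN=MicrosoftDNS,CN=System).
Import-Module ActiveDirectory

# DnsRecord structure as stored in dnsRecord (MS-DNSP 2.3.2.2):
#   offset 0  DataLength (2)   offset 2  Type (2)      offset 4  Version (1)
#   offset 5  Rank (1)         offset 6  Flags (2)     offset 8  Serial (4)
#   offset 12 TtlSeconds (4)   offset 16 Reserved (4)  offset 20 TimeStamp (4)
#   offset 24 Data (DataLength bytes)
# TimeStamp is hours since 1601-01-01 00:00 UTC; 0 means the record never ages.
$TypeOffset      = 2
$TimeStampOffset = 20
$Epoch1601       = [DateTime]::new(1601, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)

$RecordTypeName = @{ 1 = 'A'; 2 = 'NS'; 5 = 'CNAME'; 6 = 'SOA'; 12 = 'PTR'; 28 = 'AAAA'; 33 = 'SRV' }

function ConvertFrom-DnsRecordBlob {
    param([Parameter(Mandatory)] [byte[]]$Blob)
    if ($Blob.Length -lt 24) { throw "dnsRecord blob too short ($($Blob.Length) bytes)" }
    $type  = [int][BitConverter]::ToUInt16($Blob, $TypeOffset)
    $hours = [BitConverter]::ToUInt32($Blob, $TimeStampOffset)
    [pscustomobject]@{
        Type      = if ($RecordTypeName.ContainsKey($type)) { $RecordTypeName[$type] } else { "TYPE$type" }
        IsStatic  = ($hours -eq 0)
        # Same value dnscmd /ZonePrint /Detail shows as dwTimeStamp; 0 prints as 1/1/1601.
        TimeStamp = if ($hours -eq 0) { $null } else { $Epoch1601.AddHours($hours) }
    }
}

function Get-StaticDnsRecord {
    param(
        [Parameter(Mandatory)] [string]$ZoneName,
        [string]$Partition = "DC=DomainDnsZones,$((Get-ADDomain).DistinguishedName)"
    )
    $zoneDn = "DC=$ZoneName,CN=MicrosoftDNS,$Partition"
    Get-ADObject -SearchBase $zoneDn -LDAPFilter '(objectClass=dnsNode)' `
                 -Properties dnsRecord, dNSTombstoned |
        ForEach-Object {
            $node = $_
            foreach ($blob in $node.dnsRecord) {            # one blob per record on the node
                $r = ConvertFrom-DnsRecordBlob -Blob $blob
                # Skip nodes already marked tombstoned; they are on their way out anyway.
                if ($r.IsStatic -and -not $node.dNSTombstoned) {
                    [pscustomobject]@{ Name = $node.Name; Type = $r.Type; Node = $node.DistinguishedName }
                }
            }
        }
}

# Usage (zone name is an assumption):
Get-StaticDnsRecord -ZoneName 'corp.example.com' | Format-Table -AutoSize
```

Because this reads the directory rather than the DNS RPC interface, it works against any DC holding the partition and scales to the "hundreds of thousands of records" case with a single paged LDAP search per zone; the dnscmd /Detail output gives the same answer one server at a time.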


[ActiveDir] Account Expiration Date Mismatch?

2004-08-06 Thread Jef Kazimer
I was brought this little problem today, which doesn't make a lot of sense to me so far.

It appears that ADUC displays the User Expiration date differently than a VBS script does. An in-house coded application is being questioned because these values do not match.

ADUC says 8/8/2004
VBS says 8/9/2004

The script is simply:

Set objUser = GetObject _
    (rs.fields("adspath"))
wscript.echo(objUser.AccountExpirationDate)

Does anyone know what the code is to return the same value as Users & Computers MMC?

I have a feeling it's an estimate based on the time offset, but I am unsure.

Jef


RE: [ActiveDir] Account Expiration Date Mismatch?

2004-08-06 Thread Jef Kazimer
Thanks :)

Shortly after I wrote the message, I noticed the naming difference in the MMC. It makes sense now, but I just have to explain it. :)

Silly me :) But thanks again

Jef

From: "Coleman, Hunter" [EMAIL PROTECTED]
Sent: Friday, August 06, 2004 8:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Account Expiration Date Mismatch?

From http://msdn.microsoft.com/library/default.asp?url=

"Note: The accountExpires attribute contains the account expire date. The Active Directory Users and Computers MMC snap-in displays the date that the account will expire at the end of. That is, the Active Directory Users and Computers MMC snap-in will display the account expiration date as one day earlier than the date contained in the accountExpires attribute."

Hunter
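An added example, not from the thread, that converts accountExpires the way both sides of this exchange see it: the raw FILETIME moment that the VBScript's AccountExpirationDate printed, and the "End of:" calendar day that ADUC shows, which is the previous day as Hunter's MSDN quote explains. It also handles the two "never expires" encodings, which a naive conversion turns into nonsense dates. The sample values are constructed; the live-object line assumes a sAMAccountName.

```powershell
# Added example: interpret accountExpires consistently with ADUC. Not from the
# thread; sample inputs are constructed here.
function ConvertFrom-AccountExpires {
    param([Parameter(Mandatory)] [Int64]$AccountExpires)

    # Both 0 and Int64.MaxValue mean "account never expires".
    if ($AccountExpires -eq 0 -or $AccountExpires -eq [Int64]::MaxValue) {
        return [pscustomobject]@{ Raw = $AccountExpires; ExpiresAt = $null; AducShows = 'Never' }
    }
    # accountExpires is a FILETIME: 100-ns intervals since 1601-01-01 UTC.
    # This instant, in local time, is what the ADSI AccountExpirationDate property
    # (and the VBScript in the thread) reports.
    $expiresAt = [DateTime]::FromFileTime($AccountExpires)
    [pscustomobject]@{
        Raw       = $AccountExpires
        ExpiresAt = $expiresAt
        # ADUC labels the field "End of:" and shows the previous calendar day,
        # i.e. the last day on which the account still works.
        AducShows = $expiresAt.AddDays(-1).ToString('d')
    }
}

# Constructed input: picking "End of: 8/8/2004" in ADUC stores midnight local
# time on 8/9/2004, which is the 8/9/2004 the script printed.
$sample = [DateTime]::new(2004, 8, 9, 0, 0, 0, [DateTimeKind]::Local).ToFileTime()
ConvertFrom-AccountExpires -AccountExpires $sample
ConvertFrom-AccountExpires -AccountExpires 0
ConvertFrom-AccountExpires -AccountExpires ([Int64]::MaxValue)

# Against a live object (assumption: the sAMAccountName jdoe exists):
# ConvertFrom-AccountExpires (Get-ADUser jdoe -Properties accountExpires).accountExpires
```

An in-house application that compares its own date against ADUC's should compare against AducShows, not ExpiresAt; the two are a day apart by design, not because of a time-zone offset.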


RE: [ActiveDir] how to report on scheduled jobs?

2006-04-17 Thread Jef Kazimer


Does SCHTASKS.EXE do what you want?

Perhaps with the /V switch:

SCHTASKS /Query [/S system [/U username [/P password]]] [/FO format] [/NH] [/V] [/?]

Description:
    Enables an administrator to display the scheduled tasks on the local or remote system.

Parameter List:
    /S  system     Specifies the remote system to connect to.
    /U  username   Specifies the user context under which the command should execute.
    /P  password   Specifies the password for the given user context.
    /FO format     Specifies the output format to be displayed. Valid values: TABLE, LIST, CSV.
    /NH            Specifies that the column header should not be displayed in the output. Valid only for TABLE and CSV formats.
    /V             Specifies additional output to be displayed.
    /?             Displays this help/usage.

Examples:
    SCHTASKS /Query
    SCHTASKS /Query /?
    SCHTASKS /Query /S system /U user /P password
    SCHTASKS /Query /FO LIST /V /S system /U user /P password
    SCHTASKS /Query /FO TABLE /NH /V



Subject: [ActiveDir] how to report on scheduled jobs?
Date: Mon, 17 Apr 2006 14:31:25 -0500
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Is there a script to output scheduled job information? Maybe something I could call in a "for" loop driven by a list of servers. Ideally, I would like to see the job and whose credentials it is running under, with maybe the schedule.

Mike Thommes
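An added example of the loop Mike asked for, built on the SCHTASKS /Query /FO CSV /V output Jef pointed at; it is not code from the thread. The server list and the pattern for "accounts worth looking at" are assumptions, and the column names assume an English Windows build. The one wrinkle a practitioner hits is that the verbose CSV output repeats its header row for every task folder, which breaks ConvertFrom-Csv unless the repeats are dropped.

```powershell
# Added example: collect scheduled tasks from a list of servers with SCHTASKS
# and report which account each runs under. Not from the thread; the server
# list and the privileged-account pattern are assumptions.
$servers           = @('server01', 'server02')      # assumption: your server list
$privilegedPattern = '(?i)admin|svc_'               # assumption: what you consider sensitive

function Get-RemoteScheduledTask {
    param([Parameter(Mandatory)] [string]$ComputerName)

    # /FO CSV /V yields one row per task, including the "Run As User" column.
    $lines = @(& schtasks.exe /Query /S $ComputerName /FO CSV /V 2>&1)
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "${ComputerName}: schtasks failed: $($lines -join ' ')"
        return
    }
    # The verbose CSV repeats the header row per task folder; keep the first
    # header and drop the repeats so ConvertFrom-Csv sees a single table.
    $header = $lines[0]
    $rows   = @($header) + @($lines | Select-Object -Skip 1 | Where-Object { $_ -ne $header })
    $rows | ConvertFrom-Csv |
        Select-Object HostName, TaskName, 'Run As User', 'Schedule Type', 'Task To Run', Status
}

$report = foreach ($s in $servers) { Get-RemoteScheduledTask -ComputerName $s }

# Everything, for the record:
$report | Export-Csv -Path .\scheduled-tasks.csv -NoTypeInformation

# What a security reviewer wants first: tasks running under accounts that look
# privileged, grouped by account, with the command line they execute.
$report | Where-Object { $_.'Run As User' -match $privilegedPattern } |
    Sort-Object 'Run As User', HostName |
    Format-Table HostName, TaskName, 'Run As User', 'Task To Run' -AutoSize
```

The query runs under the caller's own credentials over the remote Task Scheduler interface, so there is no need for /U and /P on the command line, which would otherwise leave a password in the shell history.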


RE: [ActiveDir] stupid ldap queries

2006-04-18 Thread Jef Kazimer


It seems like an obvious idea to implement. Sad we never thought about it. :)

Has anyone done any tests to reveal what performance gains this yields on queries?

Thanks,

Jef


Subject: RE: [ActiveDir] stupid ldap queries
Date: Tue, 18 Apr 2006 17:03:35 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
I did the same after I saw some of the activedir folks post about doing it… J
:m:dsm:cci:mvp| marcusoh.blogspot.com





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lee, Wook
Sent: Tuesday, April 18, 2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

I never understood why Microsoft chose not to index objectclass by default. I indexed it in our directory as soon as we got the go ahead from Microsoft that it was supported. That was years ago.

Wook





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, April 18, 2006 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

No. isMemberOfPartialAttributeSet just means that the attribute is replicated into the GC. Being in the GC does not imply that the attribute is indexed. There’s an attribute (I think “isIndexed”) which says the attribute should be indexed in the database.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, April 18, 2006 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] stupid ldap queries

bummer! I meant adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE))" ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

sorry that was meant to be adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE))" ldapdisplayname -list



On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote: 

Thanks for the reply. In that case why does adfind -schema -f "(&(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE))" ldapdisplayname -list return objectclass amongst the others? Doesn't this mean objectclass is indexed? The reason I ask is because I wanted to make sure I didn't write stupid ldap queries that load up the server. I am still learning so please be patient with this n00b. Thanks

M@

On 4/18/06, Brian Desmond [EMAIL PROTECTED] wrote:

Not sure I understand the question fully, but, no objectClass is not indexed. objectCategory is. So if you want to get all users you do:

(&(objectCategory=person)(objectClass=user))

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, April 18, 2006 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] stupid ldap queries

All

Could someone please explain how Non-indexed queries (e.g. "objectClass=user") fall in this category? I saw this mentioned in some slides by Gil and couldn't quite understand what he meant. Isn't objectclass indexed as part of the partial attribute set?

Thanks

M@
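An added example, not from the thread, that settles the two questions above by reading the schema rather than guessing: whether an attribute is indexed is the fATTINDEX bit (1) of searchFlags on its attributeSchema object, while isMemberOfPartialAttributeSet only says the attribute replicates to the GC, which is what Matheesha's adfind query was listing. The last block times the two filters Brian contrasted, which is the measurement Jef asked for. The attribute names tested are illustrations; the ActiveDirectory module and a reachable DC are assumed. On a newer schema objectClass may well come back as indexed, which is exactly why the flag is worth reading instead of assuming.

```powershell
# Added example: read index and partial-attribute-set flags from the schema,
# and time an indexed versus a non-indexed filter. Not from the thread.
# Assumptions: ActiveDirectory module; the attribute names are illustrations.
Import-Module ActiveDirectory

$schemaNc                   = (Get-ADRootDSE).schemaNamingContext
$LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'

# searchFlags bits on attributeSchema objects (only the ones used here):
$fATTINDEX     = 1      # attribute is indexed
$fPDNTATTINDEX = 2      # indexed per container (also needs fATTINDEX)

function Get-AttributeIndexInfo {
    param([Parameter(Mandatory)] [string[]]$LdapDisplayName)
    foreach ($name in $LdapDisplayName) {
        $attr = Get-ADObject -SearchBase $schemaNc `
                    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
                    -Properties lDAPDisplayName, searchFlags, isMemberOfPartialAttributeSet
        if (-not $attr) { Write-Warning "no attributeSchema named $name"; continue }
        [pscustomobject]@{
            Attribute        = $attr.lDAPDisplayName
            Indexed          = [bool]($attr.searchFlags -band $fATTINDEX)
            ContainerIndexed = [bool]($attr.searchFlags -band $fPDNTATTINDEX)
            InGlobalCatalog  = [bool]$attr.isMemberOfPartialAttributeSet   # replication, not indexing
        }
    }
}

# Every indexed attribute in the schema: the list Matheesha was really after.
function Get-IndexedAttribute {
    Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:$LDAP_MATCHING_RULE_BIT_AND:=$fATTINDEX))" `
        -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
}

Get-AttributeIndexInfo -LdapDisplayName objectClass, objectCategory, sAMAccountName, description |
    Format-Table -AutoSize

# Time the two filters Brian contrasted against the same search base. The
# objectCategory version hits an index; the bare objectClass version only does
# if Indexed came back True for objectClass above.
$base = (Get-ADDomain).DistinguishedName
foreach ($f in '(objectClass=user)', '(&(objectCategory=person)(objectClass=user))') {
    $t = Measure-Command { Get-ADObject -SearchBase $base -LDAPFilter $f | Out-Null }
    '{0,-50} {1,8:N0} ms' -f $f, $t.TotalMilliseconds
}
```

Run the timing twice and compare the second pass; the first pass includes cache warm-up and network setup, and on a small directory both filters finish fast enough that the difference only becomes visible at scale.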

 


RE: [ActiveDir] automatic account disable

2006-04-19 Thread Jef Kazimer


Myke,

You could write a script to do such a thing I suppose. Something to the effect of if lastLogonTimeStamp value is greater than 180 days, disable account kind of thing.

We utilize MIIS in house for this and for SOX deactivations, but it is certainly something you could write a script or a quick .NET exe for if you wanted.

Jef



Date: Wed, 19 Apr 2006 11:38:58 -0300
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] automatic account disable

hi guys,

it's possible to make an automatic lockout in user accounts by inactivity, or I need a third party tool?

thanks

Myke


RE: [ActiveDir] Setting Wireless Config via GPO

2006-04-19 Thread Jef Kazimer


We are using IAS, with PEAP authentication to AD. This allows them to use their logged on user credentials to the workstations to authenticate to the WLAN. The whole authentication is behind the scenes if they are in the Domain. I still have some network folks who fear being a domain, so they get prompted to relogon periodically but too bad for them :)

So far from what I hear, the response has been excellent since all the people have to do is walk into a conference room and they get access to the WLAN if their radio is on.

Jef


Subject: RE: [ActiveDir] Setting Wireless Config via GPO
Date: Wed, 19 Apr 2006 11:32:32 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

You really got that to work well? 
I've had great success setting it up as well, however, I have a problem when users roam from one access point to the next. They get dropped for a few seconds for reauthentication which is not acceptable to most users. Are you using EAP? I would love to get more specifics if you do not have the problem I did. 

Using Cisco 1220 x (27) with cisco 350 client cards x (80)
Thanks. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kennedy, Jim
Sent: Wednesday, April 19, 2006 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Setting Wireless Config via GPO

Only way to fly, imho.

Push it all via GPO, Certs for the users and IAS Radius Auth from our Cisco 1100 AP's.

User needs wireless, I just add them to the user group that allows them to install/request the Cert and I dont have to do anything else.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Wade
Sent: Wednesday, April 19, 2006 4:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Setting Wireless Config via GPO

Folks,

Is any one setting wireless configurations using the features in AD 2003? We currently use the 3-COM tool and their proprietary security. As they have stopped supporting this we need to move on. Thanks for any input on this.

Dave Wade
**This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. Thank you. http://www.stockport.gov.uk**
Confidentiality Notice: The information contained in this message may be legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error please notify the author immediately by replying to this message and deleting the original message. Thank you. 


RE: [ActiveDir] automatic account disable

2006-04-19 Thread Jef Kazimer


I'm curious, how would you show activity other than the last time the user authenticated? Since disabling the account would only affect the ability to authenticate (not including any external logic or process built on account status), I'm curious what other ways you would show account inactivity if not by lastlogon or lastlogontimestamp?

Thanks,

Jef



Subject: RE: [ActiveDir] automatic account disable
Date: Wed, 19 Apr 2006 14:25:24 -0700
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Still, there is nothing "automatic" natively in the OS to let him do this. Policy or no policy, he is looking at external intervention - third-party or a roll-your-own. Rolling his own may be burdensome because now he has to account for the number of ways an account can be active without necessarily logging in. Looking at Lastlogon or lastlogontimestamp is insufficient.

Sincerely,

Dèjì Akómöláfé
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Wed 4/19/2006 1:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] automatic account disable

LOL. You're right, it is often advisable to disable first. I got caught up in the moment ;)

Myke, there was a long conversation about such things a few months ago. You might want to search the archives to see what was said and see if you agree about what it says and suggests.

An additional point to consider: start with policy as Neil suggests. If you have a policy that says to disable accounts and then delete later, or delete based on disuse, enforcement is pretty much an easy thing to do. Without the policy first, it can be a difficult train to ride. -ajm

On 4/19/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Would you not disable the account instead of locking it?

A locked account may be unlocked in time (depends upon policy), whereas a disabled account needs admin intervention.

my 2 penneth,
neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 19 April 2006 15:52
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] automatic account disable

It's possible. What's your criteria?

DSQUERY, DSMOD are two tools that are touted as being able to do this pretty easily. Joeware tools are better (http://www.joeware.net/) for this task IMHO. Scripts, etc can also be used successfully.

Al

On 4/19/06, Myke [EMAIL PROTECTED] wrote:

hi guys,

it's possible to make an automatic lockout in user accounts by inactivity, or I need a third party tool?

thanks

Myke

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447249235. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.


RE: [ActiveDir] automatic account disable

2006-04-19 Thread Jef Kazimer


Ahhh... I thought you were alluding to some magical attribute in the 3rd dimension I did not know about in the Directory. :)

Yes, I agree, Process and policy needs to govern activity not just what the directory reports. :)

Thanks,

Jef



Subject: RE: [ActiveDir] automatic account disable
Date: Wed, 19 Apr 2006 14:56:20 -0700
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

None. This is where the policy/process element comes in. You know which of your accounts are "Service accounts" and which of your users are on vacation. You do a periodic query of your lastlogon/timestamp, you filter out your "services accounts" and your vacationing users from the list, send emails to the rest and wait for a response. If no response, you move them to a common staging area, and process them per your policy (change their passwords, disable them, lock them out, etc)

It's a process thing. I want to assume that there is a product out there with this logic built-in. That product is simply not the OS - yet.

Sincerely,

Dèjì Akómöláfé
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Jef Kazimer
Sent: Wed 4/19/2006 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] automatic account disable

I'm curious, how would you show activity other than the last time the user authenticated? Since disabling the account would only affect the ability to authenticate (not including any external logic or process built on account status), I'm curious what other ways you would show account inactivity if not by lastlogon or lastlogontimestamp?

Thanks,

Jef
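An added example, not from the thread, of the roll-your-own script Jef described, with the process points from Deji's reply built in: an explicit exemption list for service and vacationing accounts, a report stage before any change, and disabling behind -WhatIf. Two caveats a practitioner needs are handled in the code: lastLogonTimestamp only replicates when it is more than 9 to 14 days stale, so the inactivity threshold must sit well above that window, and accounts that have never logged on have no lastLogonTimestamp at all, so they are judged by creation date instead of being disabled the day they are created. The OU, group name and threshold are assumptions; the ActiveDirectory module is assumed.

```powershell
# Added example: find user accounts with no logon in N days and disable them
# behind -WhatIf, with exemptions. Not from the thread. Assumptions:
# ActiveDirectory module; service accounts live in a dedicated OU; exempt
# users (vacation, etc.) are members of a group.
Import-Module ActiveDirectory

$InactiveDays     = 180                                             # assumption: your policy
$ServiceAccountOU = 'OU=Service Accounts,DC=corp,DC=example,DC=com'  # assumption
$ExclusionGroup   = 'Inactivity-Exempt'                             # assumption

# lastLogonTimestamp is only written back when the stored value is more than
# 9-14 days old, so it can understate activity by up to two weeks.
if ($InactiveDays -le 14) { throw 'InactiveDays must exceed the 14-day lastLogonTimestamp replication window' }
$cutoff = (Get-Date).AddDays(-$InactiveDays)

function Get-InactiveUser {
    $exempt = @{}
    foreach ($m in Get-ADGroupMember -Identity $ExclusionGroup -Recursive) { $exempt[$m.DistinguishedName] = $true }

    # Enabled user accounts only (bit 2 of userAccountControl is ACCOUNTDISABLE).
    Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
               -Properties lastLogonTimestamp, whenCreated |
        Where-Object {
            -not $exempt.ContainsKey($_.DistinguishedName) -and
            $_.DistinguishedName -notlike "*,$ServiceAccountOU"
        } |
        ForEach-Object {
            # Never-logged-on accounts carry no lastLogonTimestamp; fall back to
            # whenCreated so a freshly provisioned account is not disabled.
            $lastSeen = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $_.whenCreated }
            if ($lastSeen -lt $cutoff) {
                [pscustomobject]@{
                    SamAccountName    = $_.SamAccountName
                    LastSeen          = $lastSeen
                    NeverLoggedOn     = -not $_.lastLogonTimestamp
                    DistinguishedName = $_.DistinguishedName
                }
            }
        }
}

function Disable-InactiveUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromPipeline = $true)] $User)
    process {
        if ($PSCmdlet.ShouldProcess($User.SamAccountName, "Disable (last seen $($User.LastSeen))")) {
            Disable-ADAccount -Identity $User.DistinguishedName
            # Leave a breadcrumb in the Notes field so the action is auditable and reversible.
            Set-ADUser -Identity $User.DistinguishedName -Replace @{ info = "Disabled for inactivity on $(Get-Date -Format s)" }
        }
    }
}

$inactive = Get-InactiveUser
$inactive | Sort-Object LastSeen | Format-Table -AutoSize
$inactive | Disable-InactiveUser -WhatIf        # drop -WhatIf only after the report has been reviewed
```

This is the "disable, don't lock" route Neil argued for: a disabled account needs a deliberate admin action to come back, and the note written to the object records why it was disabled, which is what the staging-and-review step in Deji's process needs later.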

RE: [ActiveDir] Setting Wireless Config via GPO

2006-04-20 Thread Jef Kazimer


Dave,

The certs can be used in different ways. If you are using EAP-TLS, which uses the certs to authenticate the user and the server, you will need a CA to issue this. This would require a PKI solution to be in place. While not hard or impossible in 2003, just something you want to be cautious about.

Using the EAP-PEAP method, the cert is only used to identify the server to the client and open a secure tunnel so the password credentials can be sent over. Once the user is authenticated, the connection is secured through the 2 choices of wireless encryption. You do not need a CA for this, and can request an IAS certificate from Verisign, I believe, still.

Yes, XP SP2 would be great, especially being able to configure GPOs in the domains.

With IAS as the middleman between the WLAN device and the directory, you can set access policies from as simple as "If user is member of domain grant access, else deny" kind of stuff, to more granular rules.

Now one thing though, where I am, we use Dell for our laptops which come standard with the built in WiFi modem (1450 card). Dell has their own client tool that can utilize PEAP as well. The one benefit is the Dell client does have a GINA addition, which allows a pre-logon WLAN authentication. Some people like this so their logon script runs, etc. So while not needed, it's a 3rd party tool some people like. It also allows us to do EAP-PEAP on Windows 2k boxes which do not support it natively.
Jef



Subject: RE: [ActiveDir] Setting Wireless Config via GPO
Date: Thu, 20 Apr 2006 10:36:06 +0100
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org



Thanks for the input so far, and sorry I left the "read receipt" on on the e-mail. I guess I will be getting those for years to come. (I did that on an internal list two years ago and still get receipts from that one...)

I don't want people on my wireless who are not on the domain. I assume I stop that happening with certificates? I was also going to make sure all the laptops were on XP SP2 so I didn't need any third party utilities...


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: 19 April 2006 17:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Setting Wireless Config via GPO

We are using IAS, with PEAP authentication to AD. This allows them to use their logged on user credentials to the workstations to authenticate to the WLAN. The whole authentication is behind the scenes if they are in the Domain. I still have some network folks who fear being a domain, so they get prompted to relogon periodically but too bad for them :)

So far from what I hear, the response has been excellent since all the people have to do is walk into a conference room and they get access to the WLAN if their radio is on.

Jef


Subject: RE: [ActiveDir] Setting Wireless Config via GPO
Date: Wed, 19 Apr 2006 11:32:32 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
You really got that to work well? 
I've had great success setting it up as well, however, I have a problem when users roam from one access point to the next. They get dropped for a few seconds for reauthentication, which is not acceptable to most users. Are you using EAP? I would love to get more specifics if you do not have the problem I did.

Using Cisco 1220 x (27) with cisco 350 client cards x (80)
Thanks. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: Wednesday, April 19, 2006 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Setting Wireless Config via GPO

Only way to fly, imho.

Push it all via GPO, Certs for the users and IAS Radius Auth from our Cisco 1100 AP's.

User needs wireless, I just add them to the user group that allows them to install/request the cert and I don't have to do anything else.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Wednesday, April 19, 2006 4:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Setting Wireless Config via GPO

Folks,

Is any one setting wireless configurations using the features in AD 2003? We currently use the 3-COM tool and their proprietary security. As they have stopped supporting this we need to move on. Thanks for any input on this.

Dave Wade

RE: [ActiveDir] stupid ldap queries

2006-04-20 Thread Jef Kazimer


My recent favorite was a rather "popular" software vendor told me I needed to increase my maxIdleConnectionTime for the directory higher than 900s (15 mins) because their connection was timing out while processing the first page of 1000 users, and having the connection dropped before they went back for the next. I basically told them if they can't process 1000 users in less than 15 minutes, then they surely could not handle my entire user population which they were trying to loop through. I think we calculated we would have to increase that time to over 32 hours so their crapplication could complete. :)

I'll let you guess what did not happen in that situation. :)

Jef






From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries
Date: Thu, 20 Apr 2006 09:07:09 -0400
Oh I love those! The app dev folks (or vendor) tell you that your AD is broken because it is so slow... Yep I have been there. 

Indexing is fine, just index things you regularly query on, no reason to suck up resources and perf for indexes that aren't used. For instance, indexing all attributes doesn't make sense but if you have a crit app or a bunch of apps using a query with no indexed attributes or having a specific attribute that could seriously help perf it is good to add. 

Wook, I think, is being a trifle facetious and plugging his creative work. :)

Schema updates are goodness when done correctly and smartly. There is no reason to be scared of doing them, just be scared of doing them wrong. <g>




--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 19, 2006 10:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries


It’s only been that one. Okay, maybe one other that was indexed, but that was because a very large network/voip vendor that required a schema extension subsequently used one of these attributes in all of their queries. In a large implementation (which they clearly had never seen) the query would take a year to complete. Of course, in their lab with 5 objects, it completed in milliseconds.


:m:dsm:cci:mvp| marcusoh.blogspot.com





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Wednesday, April 19, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

Adding indices will start you down the slippery slope that ultimately leads to custom schema extensions. Do you like new OIDs? :)

Wook





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, April 19, 2006 4:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

Exactly, you can tell your AD to do it efficiently versus trying to train everyone who writes a query that goes against AD. I mean you want to try and train everyone because there are other bad things they can do that you can't easily handle, but this is a nice quick easy thing to do to help.

I HIGHLY HIGHLY HIGHLY recommend folks use adfind or ldp to test their queries and have the STATS output generated and displayed when they are doing dev work to figure out how good their queries are, in adfind, look at the -STATS* set of switches. Seriously, they are very cool. You will learn a lot about how the queries are working whether you intend to or not.

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 19, 2006 12:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries
It's the same relative gain running a query using objectcategory versus objectclass. Most of the time, I would run into queries that people were using, utilizing objectclass instead of objectcategory. Indexing objectclass made this moot.


:m:dsm:cci:mvp| marcusoh.blogspot.com





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Tuesday, April 18, 2006 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

It seems like an obvious idea to implement. Sad we never thought about it. :)

Has anyone done any tests to reveal what performance gains this yields on queries?

Thanks,

Jef




Subject: RE: [ActiveDir] stupid ldap queries
Date: Tue, 18 Apr 2006 17:03:35 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

I did the same after I saw some of the activedir folks post about doing it… :)
:m:dsm:cci:mvp| marcusoh.blogspot.com





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Tuesday, April 18, 2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] stupid ldap queries

I never understood why Microsoft chose not to index objectclass by default. I indexed it in our directory as soon as we 
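The query hygiene joe and Marcus describe (objectCategory rather than objectClass, an indexed attribute to anchor the search, test before you deploy) as an added example that is not code from the list or from joeware: a small RFC 4515 filter parser plus a linter that flags the patterns this thread complains about. The INDEXED set is a constructed approximation of a 2003-era default schema, not read from any directory.

```python
"""Lint an LDAP search filter for the mistakes discussed in the thread.

Added example, not code from the list or from joeware.  It parses an
RFC 4515 style filter and reports: objectClass used without an
objectCategory term, leading-wildcard substring matches, and filters that
no indexed attribute can anchor.  INDEXED is a constructed approximation
of the 2003-era default schema; replace it with a real schema query.
"""
import re
from dataclasses import dataclass, field

INDEXED = {
    "objectcategory", "samaccountname", "cn", "name", "displayname", "mail",
    "objectguid", "objectsid", "userprincipalname", "member",
    "distinguishedname", "dnshostname", "serviceprincipalname",
}

# attribute description (rule OIDs such as :1.2.840.113556.1.4.803: allowed)
_ITEM = re.compile(r"([A-Za-z0-9.;:-]+)(~=|>=|<=|=)")


@dataclass
class Node:
    op: str            # '&', '|', '!', '=', '~=', '>=', '<=', 'sub', 'present'
    attr: str = ""
    value: str = ""
    kids: list = field(default_factory=list)


def parse(text: str) -> Node:
    """Recursive-descent parser for (attr=value) items and &, |, ! groups."""
    pos = 0

    def expect(ch: str) -> None:
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def filt() -> Node:
        nonlocal pos
        expect("(")
        if pos < len(text) and text[pos] in "&|!":
            node = Node(text[pos])
            pos += 1
            while pos < len(text) and text[pos] == "(":
                node.kids.append(filt())
            if node.op == "!" and len(node.kids) != 1:
                raise ValueError("NOT takes exactly one operand")
        else:
            m = _ITEM.match(text, pos)
            if not m:
                raise ValueError(f"bad filter item at offset {pos}")
            attr, op = m.group(1), m.group(2)
            pos = m.end()
            end = text.find(")", pos)        # ')' inside values must be escaped as \29
            if end < 0:
                raise ValueError("unterminated filter item")
            value = text[pos:end]
            pos = end
            if op == "=" and value == "*":
                node = Node("present", attr)
            elif op == "=" and "*" in value:
                node = Node("sub", attr, value)
            else:
                node = Node(op, attr, value)
        expect(")")
        return node

    root = filt()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return root


def _items(node: Node):
    """Yield the leaf (attribute) items of a parsed filter."""
    if node.kids:
        for k in node.kids:
            yield from _items(k)
    else:
        yield node


def anchored(node: Node, indexed=INDEXED) -> bool:
    """True if an index can drive the search: an AND needs one anchored
    child, an OR needs all of them, a NOT never anchors anything."""
    a = node.attr.lower()
    if node.op == "&":
        return any(anchored(k, indexed) for k in node.kids)
    if node.op == "|":
        return bool(node.kids) and all(anchored(k, indexed) for k in node.kids)
    if node.op == "!":
        return False
    if node.op == "sub":
        return a in indexed and not node.value.startswith("*")
    return a in indexed


def lint(filter_text: str, indexed=INDEXED) -> list:
    root = parse(filter_text)
    items = list(_items(root))
    attrs = {n.attr.lower() for n in items}
    findings = []
    if "objectclass" in attrs and "objectcategory" not in attrs:
        findings.append("objectClass without objectCategory: objectClass is "
                        "multi-valued and not indexed in this schema; add an "
                        "(objectCategory=...) term or index objectClass")
    for n in items:
        if n.op == "sub" and n.value.startswith("*"):
            findings.append(f"leading wildcard on {n.attr}: the index cannot be "
                            f"used, every candidate object is scanned")
    if not anchored(root, indexed):
        findings.append("no indexed attribute anchors this filter (or one OR "
                        "branch lacks one): expect a full scan of the scope")
    return findings
```

Run each candidate filter through `lint()` during development and compare the result with what adfind's -STATS switches report against a real DC; the linter only predicts, the DC's query optimizer decides.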

RE: [ActiveDir] Setting Wireless Config via GPO (Also update schema to 2003 level....)

2006-04-20 Thread Jef Kazimer




The thought of a complete PKI has put us off this

--- Many people tend to be in the same boat. We are looking at integrating our Badge IDs and Smart Cards so I see a a full blown PKI initiative in the works.



This seems O.K. We generated a cert internally, and this is how we intend to proceed...

Yes, XP SP2 would be great, especially being able to configure GPOs in the domains.

You still seem to need to run the GPO Editor on a W2003 Server. Is there a way to run this on an XP-SP2 Workstation? I have not found one. And since my original post I have been looking at what is needed to update the Schema to the Windows2003 Level. This seems to be really horrid. Has any one any good pointers on how-to and gotcha articles on this? The more I read the more nervous I get, and the further up the scale the risk assessment on my draft change request goes...

--- I'm not understanding this problem. Is this because you don't have the Admin Templates loaded on your XP workstation to modify the GPO settings?

With IAS as the middleman between the WLAN device and the directory, you can set access policies from as simple as "If user is member of domain grant access, else deny" kind of stuff, to more granular rules.

Does this still work for domains in 2K mode? I don't seem to get any access unless the "remote access" flag is on in AD even though I have set policies on IAS...

-- When I first started this project we were in 2K mode for the domain, but the IAS box was a Windows 2003 member server. You need to have the user's Remote Access flag set to "Determine by Policy" for IAS to work. In 2K mode users are created with the default of "Deny", while in 2K3 mode they are defaulted with "Determine by Policy".

Now one thing though, where I am, we use Dell for our laptops which come standard with the built in WiFi modem (1450 card). Dell has their own client tool that can utilize PEAP as well. The one benefit is the Dell client does have a GINA addition, which allows a pre-logon WLAN authentication. Some people like this so their logon script runs, etc. So while not needed, it's a 3rd party tool some people like. It also allows us to do EAP-PEAP on Windows 2k boxes which do not support it natively.

1. If you allow the machine to authenticate, won't policy apply and logon scripts run any way? (That is set to machine access with user re-authentication in the GPO). 

-- The old VPN scenario applies here. The user has to logon to the box with cached credentials (logon script can't run since the machine is not connected yet); once they are logged on, the WLAN connects and authenticates based on the logged on user. The GINA plugin just allows a pre-auth to open the WLAN connection before the Windows logon happens. We are using user authentication, not machine authentication, so I need user interaction.

2. I have not tried any W2k boxes, but I have not managed to get any XP boxes to authenticate with WPA/EAP-PEAP when using third party tools to config the cards. I have tried IBM, Intel & 3-COM cards but all seem to fail to authenticate. As soon as I enable the Zero Config, Windows takes over and all works fine...


-- We have used both the Dell client piece and the 3COM client piece with success, though the management of these is horrible due to the lack of good replication of configurations.

Jef
Dave,
Hoping some of this makes sense,
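The Remote Access flag state Jef describes above (2K-mode users default to "Deny", IAS needs "Control access through Remote Access Policy") as an added example that is not code from the list: it audits an LDIF export for the msNPAllowDialin attribute and emits the LDIF modify that puts a user back under policy control. The LDIF below is constructed sample data; a real export would come from ldifde.

```python
"""Audit the msNPAllowDialin flag that IAS consults before any remote access
policy is evaluated.  Added example, not code from the list.  It reads a
minimal LDIF export (constructed sample below) and emits the LDIF modify that
resets a user to "Control access through Remote Access Policy", which is
stored as the attribute being absent, not as a third value.
"""
from typing import Dict, List

# Constructed sample export; the values mirror the three dial-in tab states.
SAMPLE_LDIF = """\
dn: CN=Alice Ng,OU=Staff,DC=example,DC=test
objectClass: user
sAMAccountName: alice
msNPAllowDialin: FALSE

dn: CN=Bob Ruiz,OU=Staff,DC=example,DC=test
objectClass: user
sAMAccountName: bob

dn: CN=Carol Tan,OU=Staff,DC=example,DC=test
objectClass: user
sAMAccountName: carol
msNPAllowDialin: TRUE

dn: CN=Printer Svc,OU=Service,DC=example,DC=test
objectClass: user
sAMAccountName: svc-print
msNPAllowDialin: FALSE
"""

STATES = {
    None: "policy",   # attribute absent: IAS evaluates its remote access policies
    "TRUE": "allow",  # "Allow access": overrides the policy's grant/deny decision
    "FALSE": "deny",  # "Deny access": IAS rejects before any policy is consulted
}


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Split an LDIF export into entries; single-valued attributes only,
    a repeated attribute keeps its last value."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def dialin_state(entry: Dict[str, str]) -> str:
    value = entry.get("msNPAllowDialin")
    if value is not None:
        value = value.upper()
    return STATES.get(value, "unknown")


def audit(text: str) -> Dict[str, List[str]]:
    """Group sAMAccountNames by effective state so 'deny' users (the 2K-mode
    default) are found before they fail WLAN authentication."""
    report = {"policy": [], "allow": [], "deny": [], "unknown": []}
    for entry in parse_ldif(text):
        if "user" in entry.get("objectClass", ""):
            report[dialin_state(entry)].append(entry["sAMAccountName"])
    return report


def reset_to_policy_ldif(dns: List[str]) -> str:
    """LDIF changetype: modify records that delete the attribute, which is
    how the GUI's 'Control access through Remote Access Policy' is stored."""
    records = []
    for dn in dns:
        records.append(f"dn: {dn}\nchangetype: modify\ndelete: msNPAllowDialin\n-\n")
    return "\n".join(records)


if __name__ == "__main__":
    result = audit(SAMPLE_LDIF)
    print(result)
    print(reset_to_policy_ldif([e["dn"] for e in parse_ldif(SAMPLE_LDIF)
                                if dialin_state(e) == "deny"]))
```

Review the "allow" list as carefully as the "deny" list: an account set to "Allow access" gets past the policy's grant/deny decision even when a later policy was written to keep it off the WLAN.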


RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Jef Kazimer


Al,

If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did.

Maybe they should re-evaluate their service offerings. :) I admit I was wrong :)

Jef



Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 08:03:19 -0600
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Mark,

I'm in the same place you are: single forest, single domain, but 30 DCs in a global deployment with 45k users and 37k computers. Ran that way for 6 years.

Now we've sold off a business unit of a couple thousand users and they outsourced to a big 3rd party service provider who insisted they go with an empty root. I recommended against it, but the sourcer (whose initials are E.D.S.) claimed the configuration was supported by Microsoft and that they had run it by Microsoft for "approval."

I think what it boils down to is that this is their standard service and that's that. The guys I'm working with are quite knowledgeable and good at what they do, but they're the front line people and not the deep-thinking architects we find at DEC.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, April 26, 2006 7:37 AM
To: ActiveDir.org
Subject: [ActiveDir] Root Place Holder justification

Does anyone have any official documentation as to the justification for a root placeholder, pro's and con's?

Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DC's now in a single domain - yet the partner they have chosen is recommending a root placeholder with 5 DC's and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than schema and Ent admin separation.

I know at DEC the consensus was the desire to eliminate and I believe Guido and Wook have stated this for the past two DEC's

I have searched this list and can find no relevant articles.

Many thanks

Regards

Mark


RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Jef Kazimer


The problem I always had with the idea of a tighter security for a root domain for admins is that it doesn't always flow down correctly for all tasks in the child domains.

I.e.

You have your Admins in the ROOT domain which has a tighter security policy than your child domain. Yet you can't place these users in the Domain Admins group of the child domain since it is a global group and is not accepting users from the root domain.

you can place the users in the Administrators group, but this does not get you everything in the child domain since most things are ACL'd by Domain Admins by default and not the domain's Administrator group. 


So you can use these admins with a tighter security policy to do actions that are 90% of the job because they are Administrators, but for that extra 10% you would need a child domain account without the higher security policy in the Domain Admins group.

Of course this can all be done using different ACL's and task groups and what not, but is there a simpler way that I am missing?

Jef

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 16:03:13 +0200
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

to have an empty forest root domain or not... (things I just thought of)

POSSIBLES FOR "TO HAVE":

* Large, complex and dynamic organizations
* Organization with independent departments and decentralized IT departments (because of this one or more IT departments does not accept the other as being the forest root domain)
* Wish to have a forest root domain that is department/region/location independent (incl. its name) (better possibilities to transfer ownership and better resistant to organizational changes)
* Stronger security policies for admin accounts

POSSIBLES FOR "NOT TO HAVE":

* Organization with a centralized IT department
* Static organizations
* Additional costs and hardware

You could have a look at the Windows Server System Reference Architecture -- http://www.microsoft.com/technet/itsolutions/wssra/raguide/default.mspx
Directory Services Guide -- http://www.microsoft.com/technet/itsolutions/wssra/raguide/DirectoryServices/igdrbp.mspx?mfr=true (search for section called "Forest Root Design")

my 2 cents

cheers,
jorge

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address


RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Jef Kazimer


Guido,

My thoughts exactly. I always start my complaining with "It was designed with what we knew at the time... but if I could do it again today, blah, blah".

I think the decisions that would use this model today will most likely stem from political and administrative decisions, where as earlier the infrastructure had a larger impact on such a design.

If only there was the do over button... :)

J


Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 17:08:31 +0100
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org



 I believe many of our headaches stem from this past decision (in place before I was here) and often ponder making 
 the bold statement of considering collapsing them all into a single domain.

There is nothing wrong with a past decision that was based on the knowledge and recommendations available at the time. I've designed and implemented empty root forest-models myself and I believe most companies have implemented this model in the early days of AD. But with the knowledge we have about this infrastructure today, there's hardly a reason to stick to this model.

/Guido



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Mittwoch, 26. April 2006 17:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

I would tend to agree that a single domain is optimal with the current AD and infrastructure that is available. Other than security, legacy, and most importantly political issues, for most a single domain should be considered.

Where I am, we have 3 domains in a single forest, with one being a root domain. I believe many of our headaches stem from this past decision (in place before I was here) and often ponder making the bold statement of considering collapsing them all into a single domain. Though I suspect I would be lynched. :(

We have over 160 sites, and around 150k users within 2 domains, with the slowest link today around 256k link to departmental sites (50 users). 

The security requirements are the same throughout all domains, and I believe the 2 domains exist for political reasons that fortunately are fading away. Many bad policies and practices grew from one decision to keep things separate.

Of course your company's policies and practices for managing the domain globally go a huge way into that consideration. Issues such as account provisioning, group management, and replication convergence times could impact the business if the infrastructure impact is not understood.

If I had a magic wand I'd wish for a single domain. :)

Jef

Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 09:56:04 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Your subject is your answer. They need to justify a root domain. Is there an actual reason for it?

There are only three reasons to have one, imho (cut and pasted from a google search)

1. Security requirements are different (password, lockout, and Kerberos policies must be applied at the domain level).
2. To control/limit replication (but note the recommendations for number of objects in a domain with slow links - if the slowest link is 56kbps, the domain should have no more than 100,000 users).
3. Because you inherit a multiple domain setup.

I question number three myself. I would rather clean it up than continue with a past decision but I guess that depends upon the impact to operations and the complexity of consolidation.




RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Jef Kazimer


My brother I welcome you into RDA :)

Root Domain Anonymous :)

Though, if the business requires the separation, it still has its place today in certain environments. I would just be more adamant at evaluating those business requirements as they relate to the directory.

Jef


Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 12:49:00 -0600
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org






Jef,

We don’t have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion.
:)

AL


Al Maurer Service Manager, Naming and Authentication Services IT | Information Technology Agilent Technologies (719) 590-2639; Telnet 590-2639 http://activedirectory.it.agilent.com 










RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Jef Kazimer


RH,

It comes in the management issues. I currently deal with people creating a secondary account in the peer domain because they do not want to bother (or understand that they can) to use the existing account. I think a lot of this stems from lack of centralized policy and process that was not capable due to process.
Also a common problem is multiple partitions. I deal with many 3rd party applications that can only bind to a SINGLE directory partition and cannot chase referrals. We had to implement an MIIS system to aggregate the active users from 3 domains into a single ADAM instance so that a very popular 3 letter application could utilize them for authentication. This brings its own problems of duplicate account names since, without a secondary process, AD does not enforce uniqueness on samaccountname in a forest. So which account wins when you have a duplicate and flow it into an aggregation directory?

If we had a single domain, this would not be an issue.

I suppose I am going to give you more gripes than hard facts as to why I think it causes problems right now though. :(

Jef








From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 15:03:06 -0400





"Where's the harm?"
Don't tell me about economics or overhead or other things.
Tell me where the "harm" is.
Please.

RH
_








RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Jef Kazimer


Gil,

I think he was looking for other reasons besides the obvious ones (More hardware, license, etc.).

It would be interesting to quantify the hidden costs related to administration, data consistency, application integration, security, etc..

But that is a task for a better man than I...

Jef


Subject: RE: [ActiveDir] Root Place Holder justification
Date: Wed, 26 Apr 2006 15:26:57 -0700
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org





Hey Rocky,

Watch me pull a rabbit out of my hat!

Sorry, just had to get that out of my system. Most people on the list won't have a clue as to what I'm talking about anyway...

In any case, how do increased operational costs and overhead not qualify as "harm"? I'm confused by your question...

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, April 26, 2006 12:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

"Where's the harm?"
Don't tell me about economics or overhead or other things.
Tell me where the "harm" is.
Please.

RH
_


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 26, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Jef,

We don’t have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion.
J

AL


Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com






[ActiveDir] Internet Authentication Concepts: Pointers?

2006-04-26 Thread Jef Kazimer


Ok, here is something I'm just starting to research, and I thought maybe someone here has some pointers or a direction they can steer me in.

We are looking at a potential consolidated directory/database to contain user registrations (self registration and possible bulk load) for multiple public internet sites for products of our company.

I was wondering if there are any published scenarios that address this solution as a starting point for consideration. We are thinking of using a public AD forest as the potential repository, but I am curious if there are any lessons learned when designing such a scenario.

Thanks,

Jef




RE: Re: [ActiveDir] OT: Windows Vista - Windows Defender

2006-04-27 Thread Jef Kazimer


I have noticed it is not always in the system tray, except when it had a message for me.

I found the icon (looks like a little castle) on my main Programs Menu on the Start menu.

Jef



From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Windows Vista - Windows Defender
Date: Thu, 27 Apr 2006 15:06:16 -0400

should be part of the start menu or control panel according to the TechNet magazine article I read on the plane yesterday

-Original Message-
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, April 27, 2006 1:14 PM
Subject: Re: [ActiveDir] OT: Windows Vista - Windows Defender

Which build?

It's on mine in the corner.

Control panel.. you should see it in there.

Salandra, Justin A. wrote:

We are evaluating Windows Vista Beta and are trying to locate the Windows Defender which Microsoft claims is installed by default on Vista, however it is not installed on our beta version and downloading it from the web it says that it is not supported on Vista. Any ideas?

Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com


[ActiveDir] MIIS Workflow applications

2006-04-27 Thread Jef Kazimer



I was wondering if anyone had any suggestions for workflow applications built on top of MIIS for iDM? We have a rather robust MIIS architecture that utilizes custom coded applications as a front end. We are starting to evaluate off the shelf products, and I was wondering if anyone had any suggestions of good vendors to look at.

I am told that BMC's MIIS iDM suite is a good fit, but have only just begun reading up on it. I was hoping for other recommended apps to compare it against.

Thanks,

Jef


RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?

2006-04-27 Thread Jef Kazimer
Al,
 
I apologize, as I am going only on what little information I have. I guess I 
was trying to do some pre-meeting recon work since I had seen it mentioned here 
about 25mil internet users for some people. I had assumed there might be some 
scenario documentation for such a thing.
 
I will know more after the meeting of course, so I'll see if I can explain 
myself better.
 
I understand directory design for an enterprise, but have never done so for an 
internet instance that would have self registration. I suspect there are some 
different lessons learned from that scenario so was curious.
 
Thanks,
 
Jef



Date: Thu, 27 Apr 2006 15:31:33 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Internet Authentication Concepts: Pointers?

That's not a lot to go on, Jef. Can you give some more information? For example, these public internet sites? Are they web only? What type of authentication is needed? What were your plans for authorization? Are you planning to use something like SiteMinder or Tivoli or ?? to help you deal with authorization if using web sites?

Al

On 4/26/06, Jef Kazimer [EMAIL PROTECTED] wrote:

Ok, here is something I'm just starting to research, and I thought maybe someone here has some pointers or a direction they can steer me in.

We are looking at a potential consolidated directory/database to contain user registrations (self registration and possible bulk load) for multiple public internet sites for products of our company.

I was wondering if there are any published scenarios that address this solution as a starting point for consideration. We are thinking of using a public AD forest as the potential repository, but I am curious if there are any lessons learned when designing such a scenario.

Thanks,
Jef


RE: [ActiveDir] Exclude one account from password policy

2006-04-27 Thread Jef Kazimer


Tom,

Unfortunately No, this is a domain wide setting.

This may help: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx


look under the "Storing Password Policy Information" section.

More than just AD utilizes this password policy, as a few LDAP applications do query the policies defined in the domain for setting passwords in their apps, which is a nice thing I think. :)

Jef


Date: Thu, 27 Apr 2006 15:31:46 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exclude one account from password policy

I know account policies are domain wide but if you put a user in an OU and block GPO inheritance, can you make that user have a non-expiring password while everyone else is subject to the normal AD password policy?

I know this is bad security practice but can it be done this way?

Thanks
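The domain-wide account policy the thread is about is stored as attributes on the domain head object (the section of the linked article titled "Storing Password Policy Information"), which is why LDAP applications can read and honour it. The following is an added example, not code from the thread or from Microsoft: it converts those attributes the way an LDAP client has to (intervals are negative 100-nanosecond tick counts, `pwdLastSet` is a FILETIME) and then works out each account's expiry, including the per-account `userAccountControl` "password never expires" bit and the `pwdLastSet = 0` "must change at next logon" case. The policy values, user objects and clock are constructed for the example; in a real run they would come from an LDAP search of the domain NC.

```python
"""Domain password policy as an LDAP client sees it (added example).

Account policy lives on the domain head object, so an application that wants
to enforce the same rules reads those attributes and applies them itself.
The records below are constructed stand-ins for what an LDAP search returns
(attribute values come back as strings).
"""
from datetime import datetime, timedelta

# AD intervals and FILETIME stamps are 100-nanosecond ticks; FILETIME counts
# from 1601-01-01 UTC, and stored intervals are negative.
FILETIME_EPOCH = datetime(1601, 1, 1)
NEVER = -0x8000000000000000        # maxPwdAge value meaning "never expires"

UF_DONT_EXPIRE_PASSWD = 0x10000    # userAccountControl bit, set per account
DOMAIN_PASSWORD_COMPLEX = 0x1      # pwdProperties bit

# Constructed: policy attributes of the domain head object.
DOMAIN_POLICY = {
    "maxPwdAge": "-36288000000000",   # 42 days
    "minPwdAge": "-864000000000",     # 1 day
    "minPwdLength": "7",
    "pwdHistoryLength": "24",
    "pwdProperties": "1",
    "lockoutThreshold": "0",
}

NOW = datetime(2006, 4, 27, 12, 0, 0)   # constructed "current time" (UTC)


def interval_to_timedelta(value):
    """Convert a stored interval; None means the setting is 'never' (or 0)."""
    ticks = int(value)
    if ticks in (0, NEVER):
        return None
    return timedelta(microseconds=abs(ticks) // 10)


def filetime_to_datetime(value):
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_policy(attrs):
    """Turn the raw domain-head attributes into usable Python values."""
    return {
        "max_age": interval_to_timedelta(attrs["maxPwdAge"]),
        "min_age": interval_to_timedelta(attrs["minPwdAge"]),
        "min_length": int(attrs["minPwdLength"]),
        "history": int(attrs["pwdHistoryLength"]),
        "complexity": bool(int(attrs["pwdProperties"]) & DOMAIN_PASSWORD_COMPLEX),
        "lockout_threshold": int(attrs["lockoutThreshold"]),
    }


def password_status(user, policy, now=NOW):
    """Return 'never', 'expired', or the number of whole days until expiry."""
    uac = int(user["userAccountControl"])
    # maxPwdAge is domain wide, but the per-account flag still opts one user
    # out of expiry, so a client has to check both.
    if uac & UF_DONT_EXPIRE_PASSWD or policy["max_age"] is None:
        return "never"
    last_set = int(user["pwdLastSet"])
    if last_set == 0:
        return "expired"          # pwdLastSet=0 means "must change at next logon"
    expires = filetime_to_datetime(last_set) + policy["max_age"]
    if expires <= now:
        return "expired"
    return (expires - now).days


# Constructed user objects (pwdLastSet derived from NOW for readability).
USERS = [
    {"sAMAccountName": "alice", "userAccountControl": "512",
     "pwdLastSet": str(datetime_to_filetime(NOW - timedelta(days=10)))},
    {"sAMAccountName": "bob", "userAccountControl": "512",
     "pwdLastSet": str(datetime_to_filetime(NOW - timedelta(days=60)))},
    {"sAMAccountName": "svc-backup",
     "userAccountControl": str(512 | UF_DONT_EXPIRE_PASSWD),
     "pwdLastSet": str(datetime_to_filetime(NOW - timedelta(days=400)))},
    {"sAMAccountName": "newhire", "userAccountControl": "512", "pwdLastSet": "0"},
]


def report(users=USERS, policy_attrs=DOMAIN_POLICY, now=NOW):
    """Evaluate every user against the parsed domain policy."""
    policy = parse_policy(policy_attrs)
    return {u["sAMAccountName"]: password_status(u, policy, now) for u in users}


if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name:12} {status}")
```

With the constructed data the report shows alice with 32 days left, bob and newhire expired, and svc-backup never expiring because of its account flag rather than anything in the domain policy. A `maxPwdAge` of `-9223372036854775808` (the stored form of "0 = never") is also handled, since an application that divides by it or adds it to `pwdLastSet` will produce nonsense.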


RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?

2006-04-28 Thread Jef Kazimer


Mylo,

Thanks for the information!

I have setup ADAM utilizing a custom web UI utilizing AZMan for a small project before, but I have concerns about scalability. The issues are not with the ADAM instance at all, but the UI that is needed to manage ADAM. ADSIedit is great for someone who understands the directory, but it's not that user friendly for web application owners, helpdesk, etc. This was for a simple application of about 500 users, and it met their needs but I don't see this as a scalable solution from a global perspective.

This will be a backend data store that contains the user identity, but the applications that utilize it will be of different flavors from DMZ hosted web apps, to externally hosted apps. The flavors of web apps will range from websphere, ColdFusion, .NET and I suspect some PHP apps.

With AD, I guess I was thinking it has a well known support interface (though I am sure I would need to customize anyway...so I'm not sure that value is really there). So I was expecting to maybe find 3rd parties that do sit in front of this to manage the IDs stored. Though this could be AD or ADAM with ADAM being the most cost effective. This looks like siteMinder might be a good solution to manage all of these environments but I will need to look into that.


I suppose I am getting ahead of myself, because I do not know the requirements as of yet, and I'm making assumptions that could be totally off the mark here. I guess it's a new environment and I wanted to get some info ahead of time, before it was needed. :)

Thanks again!

Jef



Date: Fri, 28 Apr 2006 01:40:09 +0200
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Internet Authentication Concepts: Pointers?

Jef,

As Al pointed out, there are numerous products from vendors such as IBM/BEA/Oracle/RSA/Netegrity/Entrust/Baltimore Labs (RIP) etc providing web-based authentication/authorisation in front of AD. Since from a design point-of-view it's generally not a good idea to stick AD too close to the Internet, often these solutions comprise a presentation tier, e.g. with IIS (using some sort of ISAPI plugins) that then hooks into your business logic (e.g. middleware) or your data tier (e.g. LDAP/AD/SQL)... if you want to look at this from an MS purist perspective then I'd suggest having a look at n-Tier solutions within the MSDN area. Although this has a more developer emphasis than you'll probably want, it gives a good insight into how Internet authentication works, particularly .NET as well as older products such as Site Server/Commerce..

Try googling on Authorization Manager (AZMan) to give a good example of how a role-based management approach (assuming a web tier) with an AD backend would work. Also look at ADAM as an initial 'point' solution for Internet usage rather than AD alone.

You also mentioned self-registration and this kicks off an entirely different thread (in my mind anyway)...

1. What are you providing access to?
2. Whom are you registering and for what?
3. What authentication mechanism do you wish to use (username/password, certs, OTP).
4. Do you need to provide some form of authorisation once authenticated as well? What form does this need to take?

Hope this helps.

Regards,
Mylo

RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?

2006-04-28 Thread Jef Kazimer


Since it is "LDAP" I did look at some "friendlier" admin tools, but none really hit the mark for me. I believed that group looked at Softerra's tool, and there is the web based PHP LDAP manager, and also the C# LDAP manager tool. You can Live search the names or I can post the links here if you want.

In the end I wrote my own as a .NET web app since I found them lacking. Yet as I said if I want to go global, I don't know if I want to position what I wrote without some major changes. :)

J



Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
Date: Fri, 28 Apr 2006 09:44:55 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org








That’s a very good point. Does anyone know of any 3rd parties which improve the ADAM administrative UI “experience”?




J. Fitzgerald (Fitz) Stewart
Systems Architect
IRM/OPS/ENM
Worldwide Information Network Systems
USAID/DoS IT Infrastructure Collaboration Program
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
703-866-7473
703-626-5741 (cell)




RE: [ActiveDir] Root Place Holder justification

2006-04-28 Thread Jef Kazimer


Neil,

In some ways they may be even more harmful. Network outages have their own fixes, hardware failures have replacements, deleted data (should) have backups.

Solutions for bad process and policy due to architecture decisions? Not as cut and dry, and could be most costly in the long run as the problems compound. I know we just did an analysis of the cost of directory remediation due to cleaning up bad data stemming from bad processes. It is easily in the 6 digits when you factor in manpower, systems, delaying of applications due to bad data, etc.

A root domain may not be the cause of such things, but how the environment will be managed and the pitfalls should be thought of.

Jef


Subject: RE: [ActiveDir] Root Place Holder justification
Date: Fri, 28 Apr 2006 15:20:45 +0100
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org





I doubt a root domain would represent 'harm' in your terms, but then again, harm may mean different things to different people.

From an architectural stance, harm means a whole lot more. What about added admin overhead; additional hardware costs, support and maintenance; additional complexities which are the result of deploying extra domains; etc etc. These are 'harmful' to the firm in the same way as a network outage is, IMHO.



my 2 penneth,
neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: 28 April 2006 14:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

Gil,

I hear that all the time, plus "Hey Rocky, where's Bullwinkle?" Heehee hee. 

Anyway, for people like me who couldn't see Dean and joe and all the rest of youse guys even if I had the Hubble telescope, because you're so far out there, and who go to bed each night praying, "Dear God, thank you for not putting me into Disaster Recovery Mode today!" harm means the network is down. Period. Case closed. End of story. That's harm in my book. Forget the actual reason, it's not important.

In that situation, I don't care about economics or the fact that I have a couple extra servers in a root domain that technically I could have lived without.

I need concrete, specific reasons why it is detrimental to have a root domain.

Where am I gonna get hurt, in such a fashion that I won't have to worry about praying at night because I'll be spending all night at work rebuilding a Forest with a phone glued to my ear and some guy from Zimbabwe who claims to be working for PSS trying to help me?

RH

__



RE: [ActiveDir] OT: Windows Vista - Windows Defender

2006-04-28 Thread Jef Kazimer


works nice...but still no Xbox 360 support :(

I want to test that piece :) 




Subject: RE: [ActiveDir] OT: Windows Vista - Windows Defender
Date: Fri, 28 Apr 2006 12:15:52 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org






Have you tested MCE on it? 5342 MCE on a beefy box is like useless


Thanks,Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, April 28, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Windows Vista - Windows Defender

Yes. I loaded it two nights ago. Pretty cool. First build I’ve found comfortable to use (old POS box – no aero).





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, April 28, 2006 12:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Windows Vista - Windows Defender

I heard it's techbeta only 


Thanks,Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 27, 2006 9:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Windows Vista - Windows Defender

I just (like an hour ago) loaded Vista 5365 and it is in the Windows Security Center with the firewall, auto updates, and AV whiner. 

5365 became available on connect a couple of days ago. It isn't up on MSDN yet.



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm









RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?

2006-04-28 Thread Jef Kazimer


Joe,

Good question. I would assume something similar to ADUC (dsa.msc) where you can use a standardized interface to manage users and the associated attributes.
The problem I suppose is that ADAM can be utilized for many custom scenarios, that it would be hard to have a "standard" interface.

This is why we have a simple web GUI that just builds a tree view control to traverse the directory. Then selecting an object displays the templated attributes for that object type. Then we have some canned functionality (password reset, enable/disable, etc) on a toolbar for that user.

I could build the same thing in a winForms gui, but that brings other headaches related to updates of different attributes added, etc. Since the app really can only function online, web based seemed an easier management and deployment task.

I've always wanted to write custom ADUC DLLs because there is much more than I'd have liked to have done with ADUC, but alas, I only know .NET stuff.


I am a CMD line purist so most of my stuff is done that way. Yet trying to get helpdesks to understand switches versus pretty buttons isn't the easiest. :)


Though I have to say...I've been having a lot of fun with new stuff in the WinFX GUI programming :)

Jef





From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires.. WAS: Internet Authentication Concepts: Pointers?
Date: Fri, 28 Apr 2006 15:46:16 -0400



I have some curiosity in this realm... 

What would everyone consider good things and requirements for an ADAM management tool. Even assuming, cough, GUI.

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Friday, April 28, 2006 10:01 AMTo: ActiveDir@mail.activedir.orgSubject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?

Since it is "LDAP" I did look at some "friendlier" admin tools, but none really hit the mark for me. I believed that group looked at Softerra's tool, and there is the web based PHP LDAP manager, and also the C# LDAP manager tool. You can Live search the names or I can post the links here if you want.

In the end I wrote my own as a .NET web app since I found them lacking. Yet as I said if I want to go global, I don't know if I want to position what I wrote without some major changes. :)

J



Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?Date: Fri, 28 Apr 2006 09:44:55 -0400From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org







That’s a very good point. Does anyone know of any 3rd parties which improve the ADAM administrative UI “experience”?




J. Fitzgerald (Fitz) Stewart
Systems Architect
IRM/OPS/ENM
Worldwide Information Network Systems
USAID/DoS IT Infrastructure Collaboration Program
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 
703-866-7473
703-626-5741 (cell)



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Friday, April 28, 2006 9:27 AMTo: ActiveDir@mail.activedir.orgSubject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?

Mylo,

Thanks for the information!

I have set up ADAM utilizing a custom web UI utilizing AzMan for a small project before, but I have concerns about scalability. The issues are not with the ADAM instance at all, but the UI that is needed to manage ADAM. ADSIedit is great for someone who understands the directory, but it's not that user friendly for web application owners, helpdesk, etc. This was for a simple application of about 500 users, and it met their needs but I don't see this as a scalable solution from a global perspective.

This will be a backend data store that contains the user identity, but the applications that utilize it will be of different flavors from DMZ hosted web apps, to externally hosted apps. The flavors of web apps will range from websphere, ColdFusion, .NET and I suspect some PHP apps.

With AD, I guess I was thinking it has a well known support interface (though I am sure I would need to customize anyway...so I'm not sure that value is really there). So I was expecting to maybe find 3rd parties that do sit in front of this to manage the IDs stored. Though this could be AD or ADAM with ADAM being the most cost effective. This looks like siteMinder might be a good solution to manage all of these environments but I will need to look into that.


I suppose I am getting ahead of myself, because I do not know the requirements as of yet, and I'm making assumptions that could be totally off the mark here. I guess it's a new environment and wanted to get some info ahead of before it was needed. :)

Thanks again!

Jef



Date: Fri, 28 Apr 2006 01:40:09 +0200
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Internet Authentication Concepts: P

RE: [ActiveDir] Cleanup of AD accounts

2006-04-28 Thread Jef Kazimer


We use "employeeType" with values of

EMPLOYEE
CONTRACTOR
VENDOR
SERVICE
OTHER
ADMIN

Jef



Subject: RE: [ActiveDir] Cleanup of AD accounts
Date: Fri, 28 Apr 2006 16:04:42 -0500
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Is there an attribute that's generally safe to use, or are you suggesting we request an OID from Microsoft and make our own boolean "ourcompanyServiceAccount" attribute?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 28, 2006 2:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cleanup of AD accounts

And I look and see that I received it. Glad you like oldcmp btw... :)

First off, you don't need the -f option with the user filter in there, the -users will take care of that for you.

Second off, no there is no mechanism in it right now to allow you to exclude accounts based on a text file. 

I would highly recommend to you as I have recommended to countless others that if you have accounts that aren't updating their passwords because they are set to non-expiring or you don't have a password policy and they are supposed to not be getting updated that you set up an attribute in AD to note that they are special like that. Most larger companies require some sort of registration process for non-expiring Service IDs so that people can chase them down later and then you just stamp some attribute (existing or something you add) to the directory to flag them as special. Then you just use the -af switch to add the piece of the filter that lets you ignore them, alternatively put them in a special OU and either avoid that OU with the base you set in oldcmp or use the exclude DN switch which should be -excldn if I wasn't completely intoxicated when I coded it. :)

You are welcome a bunch.

 joe




--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, April 28, 2006 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cleanup of AD accounts

Joe - I sent you an e-mail, I figured maybe going to this list might get more input on this question as well:



If I wanted to run an oldcmp -report 120 -users -sort cn -f "((objectcategory=person)(objectclass=user))" -format csv -delim ,

and then send it out to our remote administrators to 'remove any accounts you don't want disabled'

and then take the final list and disable all remaining accounts that they didn't flag as still being used, how would I accomplish that?

Is there a way to have oldcmp use a modified file as an import file for the accounts to disable? Our problem is we don't want to disable any service accounts that are actively being used, but we have a LOT of cleanup to do. How does everyone else handle this?

Thanks a bunch,
Russ







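The selection logic the thread describes (password older than N days, registered service IDs skipped via an employeeType stamp, a DN exclusion list like -excldn, and non-expiring accounts that nobody registered pulled out for a human to look at), written out as an added example that is not from the thread or from joeware's oldcmp. It assumes pwdLastSet as the staleness signal, Jef's employeeType values as the registration stamp, and runs over constructed sample records with a fixed clock so it can be checked offline.

```python
"""Select stale user accounts for a cleanup run while skipping registered
service IDs. Everything here runs over constructed in-memory records;
feeding build_filter's output to a real LDAP search is left to the reader."""
from datetime import datetime, timedelta, timezone

# Windows FILETIME (pwdLastSet) counts 100-ns intervals since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x0002       # userAccountControl: account already disabled
DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl: password never expires
NORMAL_ACCOUNT = 0x0200       # userAccountControl: ordinary user account


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME integer -> aware UTC datetime (sub-microsecond bits dropped)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Aware UTC datetime -> FILETIME integer, exact integer arithmetic."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def build_filter(days: int, now: datetime, excluded_types=("SERVICE",)) -> str:
    """LDAP filter for 'password older than N days', plus an -af style
    exclusion of accounts stamped with a registered employeeType value."""
    cutoff = datetime_to_filetime(now - timedelta(days=days))
    exclusions = "".join(f"(!(employeeType={t}))" for t in excluded_types)
    return (f"(&(objectCategory=person)(objectClass=user)"
            f"(pwdLastSet<={cutoff}){exclusions})")


def select_stale(accounts, days, now, excluded_types=("SERVICE",), excluded_dns=()):
    """Return (to_disable, needs_review): DNs whose password is older than
    `days`, and DNs a human should look at before anything is disabled."""
    cutoff = now - timedelta(days=days)
    skip_dns = {dn.lower() for dn in excluded_dns}       # the -excldn list
    skip_types = {t.upper() for t in excluded_types}
    to_disable, needs_review = [], []
    for acct in accounts:
        dn = acct["distinguishedName"]
        uac = acct.get("userAccountControl", 0)
        etype = acct.get("employeeType", "").upper()
        if uac & ACCOUNTDISABLE or dn.lower() in skip_dns or etype in skip_types:
            continue
        pwd_last_set = acct.get("pwdLastSet", 0)
        # pwdLastSet == 0 means "must change at next logon" (or never set):
        # its age is undefined, so never treat it as stale automatically.
        if pwd_last_set == 0:
            needs_review.append(dn)
            continue
        if filetime_to_datetime(pwd_last_set) > cutoff:
            continue                                     # password is recent
        # Non-expiring password with no registration stamp: the case the
        # thread says should be chased down rather than silently disabled.
        if uac & DONT_EXPIRE_PASSWD and not etype:
            needs_review.append(dn)
        else:
            to_disable.append(dn)
    return to_disable, needs_review


# Constructed sample records (not real accounts); fixed clock for reproducibility.
NOW = datetime(2006, 4, 28, tzinfo=timezone.utc)
BASE = "OU=Users,DC=example,DC=com"


def _ft(y, m, d):
    return datetime_to_filetime(datetime(y, m, d, tzinfo=timezone.utc))


SAMPLE_ACCOUNTS = [
    {"distinguishedName": f"CN=alice,{BASE}", "employeeType": "EMPLOYEE",
     "userAccountControl": NORMAL_ACCOUNT, "pwdLastSet": _ft(2006, 4, 1)},
    {"distinguishedName": f"CN=bob,{BASE}", "employeeType": "EMPLOYEE",
     "userAccountControl": NORMAL_ACCOUNT, "pwdLastSet": _ft(2005, 6, 1)},
    {"distinguishedName": f"CN=svc-backup,{BASE}", "employeeType": "SERVICE",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD, "pwdLastSet": _ft(2004, 1, 1)},
    {"distinguishedName": f"CN=svc-legacy,{BASE}",   # never registered
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD, "pwdLastSet": _ft(2004, 1, 1)},
    {"distinguishedName": f"CN=carol,{BASE}", "employeeType": "CONTRACTOR",
     "userAccountControl": NORMAL_ACCOUNT, "pwdLastSet": 0},
    {"distinguishedName": f"CN=dave,{BASE}", "employeeType": "EMPLOYEE",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE, "pwdLastSet": _ft(2003, 1, 1)},
    {"distinguishedName": f"CN=erin,{BASE}", "employeeType": "EMPLOYEE",
     "userAccountControl": NORMAL_ACCOUNT, "pwdLastSet": _ft(2003, 1, 1)},
]


def run_sample(days=120):
    """Apply the 120-day rule from the command above to the sample records,
    excluding erin by DN the way an exclusion list would."""
    return select_stale(SAMPLE_ACCOUNTS, days, NOW,
                        excluded_dns=(f"CN=erin,{BASE}",))


if __name__ == "__main__":
    print(build_filter(120, NOW))
    disable, review = run_sample()
    print("disable:", disable)
    print("review :", review)
```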

RE: [ActiveDir] OT: Windows Vista - Windows Defender

2006-04-28 Thread Jef Kazimer


You have me salivating

What is the program name? I do not see it under the available programs listing.




Subject: RE: [ActiveDir] OT: Windows Vista - Windows Defender
Date: Fri, 28 Apr 2006 19:00:32 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org






Do you have access to connect? If you do you can nominate yourself to test said functionality. 


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Friday, April 28, 2006 1:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Windows Vista - Windows Defender

works nice...but still no Xbox 360 support :(

I want to test that piece :) 






Subject: RE: [ActiveDir] OT: Windows Vista - Windows Defender
Date: Fri, 28 Apr 2006 12:15:52 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Have you tested MCE on it? 5342 MCE on a beefy box is like useless


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, April 28, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Windows Vista - Windows Defender

Yes. I loaded it two nights ago. Pretty cool. First build I’ve found comfortable to use (old POS box – no aero).





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, April 28, 2006 12:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Windows Vista - Windows Defender

I heard it's techbeta only


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 27, 2006 9:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Windows Vista - Windows Defender

I just (like an hour ago) loaded Vista 5365 and it is in the Windows Security Center with the firewall, auto updates, and AV whiner. 

5365 became available on connect a couple of days ago. It isn't up on MSDN yet.



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, April 27, 2006 1:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Windows Vista - Windows Defender

We are evaluating Windows Vista Beta and are trying to locate the Windows Defender which Microsoft claims is installed by default on Vista, however it is not installed on our beta version and downloading it from the web it says that it is not supported on Vista. Any ideas?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]







RE: [ActiveDir] OT: Windows Vista - Windows Defender

2006-04-28 Thread Jef Kazimer


Just curious

Does the Vista MCE allow Divx playback for the extender?

The MCE Transcoder is a life saver to play Divx and Xvid on the Xbox 360 MCE-E.




Subject: RE: [ActiveDir] OT: Windows Vista - Windows Defender
Date: Fri, 28 Apr 2006 19:03:07 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org






What is it you’re going to put on the command prompt background anyway? A semi transparent playboy centerfold to look at while you program? 

I’m downloading 5365 now since I busted my MCE I’m either going to fix it with that or revert to SP2. 


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 28, 2006 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Windows Vista - Windows Defender

If someone would just write some XBOX 360 Admin tools for Active Directory we would have a whole giant pool of amazing AD Admins. The way my brothers and cousins master those games it would be amazing to see them go after AD that way. 

Haven't tried the MCE stuff yet but was going to play for a week and then install, now Brian has scared me. 

I just have to say again that this interface is beautiful. I am a command prompt guy and think that if you log into a server all you should see is black and white (or black and green if you are one of those green screen weird types) text but the workstation should look amazing. 

Still want my transparent command prompts with custom backgrounds though... 

With all of the RSS stuff built in I have to start thinking about what cool kind of things I can publish through RSS from AD to have it just feed in and display for me. I am visualizing object add counts, etc that would normally be in a report you have to go chase down. 


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm









RE: Re: [ActiveDir] How Secure is a Domain Controller?

2006-04-30 Thread Jef Kazimer
This has been making the rounds as of late, so I am not sure if it has been 
posted here:
 
Security Myths and Passwords by Prof. Spafford
 
and something from 2002:
 
Ten Windows Password Myths
 
 
Now...where I am,  Smart Card integration into physical building access is 
becoming a reality, so I'm really interested to see how this pans out.



Date: Sun, 30 Apr 2006 12:33:45 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How Secure is a Domain Controller?

The answer to that last isn't terribly difficult. Just ask yourself what is it that every administrator has to take to work every day? Likely, it's an id badge/card key. Very few companies issue keys any longer because it's too expensive to maintain and too difficult to change as employees leave or you move buildings. But administrators often need all-hours access so what to do? Go to card key access. So it would be a far stretch to issue administrators (possibly only administrators?) card keys that are also smart cards. You may be wondering if it's better than a Securid? Depends, but chances are good you'll need to have something added to the servers regardless of the method whether it's a piece of software or usb key reader, or... ? Anyhow, there are ways to do that for administrators, but you do have to figure out what comes to work with the admin. Nobody gets in the door without a card key in many places I've seen. If you let just anybody in the door regardless of identification or physical device (key) then what's the point of locking the applications again? I don't think I've yet bought into the longnastypasswords yet. In theory and concept it seems great. But I've seen mixed results and I've seen some of the same issues that users have when it comes to complex passwords - they find convenience in subversion. Is that right? No, but you'll have to take the 8th layer into account if you're going to come up with a good solution to this problem. Some more definition of the problem is helpful as well.

Al

P.S. Can you read this one, joe? :)

On 4/28/06, joe [EMAIL PROTECTED] wrote:

This is old, I sort of apologize. This is a topic some of us have debated in circles over on the MVP / MS Private Security List Server multiple times as well. It is always fun because the opinions are all over. I have some thoughts for it.

1. A passphrase is just like a password only you have bigger "chunks" or password building blocks, as soon as this becomes common practice or is forced across an entire environment the cracking tools just need to work towards adopting this mechanism as well, instead of looping through letters, you loop through words. This is done to a limited extent now but it could be done much more efficiently, especially if the domain policy says you need 20 characters or something.

2. You don't set 90 day password expiration to only prevent brute force attacks. You use it to lessen how far out a password reaches. People are horrible with secrets, how many of you as support techs have walked up to a desk and said, yeah what is your password and then gotten it? Or maybe looked at the sticky notes on the monitor, or if the person was really secure look in the bottom drawer. Now, assume you aren't the only person smart enough to ask for that password or look. So now the password is out there... How long do you want it to be valid for before knocking it down? For normal users I don't like policies less than 91 days (user exercise to figure out why 91 instead of 90 days, I have mentioned it before), it is just plain annoying and a 30 or 60 day normal user policy is almost guaranteeing some sort of pattern or written down password.

Now for admin accounts password changes every 30 days I don't have much trouble with. With service/application IDs I don't have a problem with password changes every day. It can be implemented, I have done it. It just isn't easy nor the default. Certainly I cringe whenever I hear about someone who has a very important very powerful service ID and are asking how to make it non-expiring... Just kills me. There was one critical application (Corporate Web Portal) whose password I accidentally saw when doing a trace on a domain controller looking at LDAP packets (LDAP simple bind in the clear) and it was a very memorable password, it was the name of an enemy of Superman; the one who didn't have any vowels in his name. I immediately approached the app owners to say bad bad bad from many angles. They said thanks. I was fired from that position... Then I got rehired 6 months later, did another network trace and guess what ID and password I saw again... Why didn't they change the password? Because the app made it difficult. That is not a good reason.

The reference to the -500 accounts is accurate. Very long nasty passwords that got locked into envelopes. Never used

RE: Re: [ActiveDir] How Secure is a Domain Controller?

2006-04-30 Thread Jef Kazimer


Hmmm... I think my links got stripped there:

Security Myths and Passwords by Prof. Spafford

http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/


Ten Windows Password Myths

http://www.securityfocus.com/infocus/1554





RE: [ActiveDir] TScmd help

2006-05-03 Thread Jef Kazimer


Mike,

Can you use ADfind and ADmod for this?

ADfind -h DC -Default -f "(TSpath=Blah)" -dsq | ADMOD tspath::NewPath

Now I don't remember if TS path (I know it's not the attribute name so you will need to look at it) is a string value or if it's contained in that blob value with the other TS settings.

just an Idea



Subject: [ActiveDir] TScmd help
Date: Wed, 3 May 2006 15:12:42 -0600
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

I need to try and find users who have a certain TS Profile path and change the server name.

It is W2K/W2K3 mixed. I have googled and have tscmd, but can tell I will be needing to do some voodoo also. Any help is appreciated.

Mike Hutchins
SysAdmin
[EMAIL PROTECTED]

List info: http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] TScmd help

2006-05-03 Thread Jef Kazimer


Mike,

Scratch that. It is not the string I was thinking about.

I'm sure Joe will know though :)




RE: [ActiveDir] TScmd help

2006-05-03 Thread Jef Kazimer


My first travesty with said blos was when an admin could not reset a user's password via the MMC. After some PSS support, it turns out it was the NWCLIENT attributes stored in the userParameters field. As it turns out these users in the NT4 days had the Netware client piece, and when they were migrated with ADMT to 2000, this nugget came with it.

The solution? Just clear the userParameters attribute for all affected users if I remember.

I think there is a KB article on it now.


From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help
Date: Wed, 3 May 2006 19:05:10 -0400



Joe? joe? me?

The TS Attributes are stored in an amazingly efficient and highly useful format called a blob. Blob as you may or may not know stands for Big Lump of a, Ok, from now on we will call what the TS attributes are stored in a Blos. So this Blos is kept in the userParameters attribute. It is a form of a name value pair setup but is entirely undocumented by MS and dorking with it is surely going to impact how PSS supports you when you encounter an issue. Instead of hearing the ubiquitous "That is By Design" or "I need you to crash the server and send us a dump" you will hear the almost as ubiquitous "That is unsupported" or "You are Unsupportable in that state". There have been some attempts in the SAMBA space to decode that information and I am not at liberty to say how they are doing on it but keep in mind, they may not have access to all different configs using that attribute because TS attributes are not the only ones that go in there. 

Yes, Microsoft had the opportunity to fix the issues with that and userAccountControl 6+ years ago with the release of AD and yes they did refuse that opportunity. On the positive side some thought is now going into userAccountControl nowadays with ADAM though it is still quite quite. quite rough. TS attributes unfortunately, are still dorked. I don't see that they are attempting to clean it up either, maybe they (MSFT) are hoping they (the attributes) will just get sick and tired of being treated like second class citizens and just go away. When people ask me about setting them with admod I tend to say, go away, don't come back until you grow up and become real attributes. You can set it with admod right now, you just need to know the actual binary chunk to send into admod to do it. 

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm






RE: [ActiveDir] TScmd help

2006-05-04 Thread Jef Kazimer


I meant that was the advice we were given from PSS on how to solve the problem. :)

Though...we did end up clearing it after finding out they were not TS users.




From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help
Date: Thu, 4 May 2006 21:17:34 -0400



Yes some Novell stuff can be found in there as well as some other things I have heard of through the years. Just clearing that attribute is a great idea... especially if you use Novell stuff as well as TS stuff. :)


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Wednesday, May 03, 2006 10:51 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] TScmd help

My first travesty with said blos, was when an admin could not reset a users password via the MMC. After some PSS support, it turns out it was the NWCLIENT attributes stored in the userParameters field. As it turns out these users in the NT4 days had the Netware client piece, and when they were migrated with ADMT to 2000, this nugget came with it.

The solution? Just clear the userParameters attribute for all affected users if I remember.

I think there is a KB article on it now.


From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] TScmd helpDate: Wed, 3 May 2006 19:05:10 -0400


Joe? joe?me?

The TS Attributes are stored in an amazingly efficient and highly useful format called a blob. Blob as you may or may not know stands for Big Lump of a, Ok, for now on we will call what the TS attributes are stored in a Blos. So this Blos is keptin the userParameters attribute. It is a form of a name value pair setup but is entirely undocumented by MS and dorking with it is surely going to impact how PSS supports you when you encounter an issue. Instead of hearing the ubiquitous "That is By Design" or "I need you to crash the server and send us a dump" you will hear the almost as ubiquitous "That is unsupported" or "You are Unsupportable in that state". There have been some attempts in the SAMBA space to decode that information and I am not at liberty to say how they are doing on it but keep in mind, they may not have access to all different configs using that attribute because TS attributes are not the only ones that go in there. 

Yes, Microsoft had the opportunity to fix the issues with that and userAccountControl 6+ years ago with the release of AD and yes they did refuse that opportunity. On the positive side some thought is now going into userAccountControl nowadays with ADAM though it is still quite quite. quite rough. TS attributes unfortunately, are still dorked. I don't see that they are attempting to clean it up either, maybe they (MSFT) are hoping they (the attributes) will just get sick and tired of being treated like second class citizens and just go away. When people ask me about setting them with admod I tend to say, go away, don't come back until you grow up and become real attributes. You can set it with admod right now, you just need to know the actual binary chunk to send into admod to do it. 

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Wednesday, May 03, 2006 5:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help

Mike,

Scratch that. It is not the string I was thinking about.

I'm sure Joe will know though :)


From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help
Date: Wed, 3 May 2006 16:38:42 -0500


Mike,

Can you use ADfind and ADmod for this?

ADfind -h DC -Default -f "(TSpath=Blah)" -dsq | ADMOD tspath::NewPath

Now I don't remember if TS path (I know it's not the attribute name so you will need to look at it) is a string value or if it's contained in that blob value with the other TS settings.

just an Idea




Subject: [ActiveDir] TScmd help
Date: Wed, 3 May 2006 15:12:42 -0600
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

I need to try and find users who have a certain TS Profile path and change the server name.

It is W2K/W2K3 mixed. I have googled and have tscmd, but can tell I will be needing to do some voodoo also. Any help is appreciated.

Mike Hutchins
SysAdmin
[EMAIL PROTECTED]



RE: [ActiveDir] TScmd help

2006-05-05 Thread Jef Kazimer


Joe,

I don't remember if they told us to check if they are TS users or not to be honest as this was almost 2 years ago. I do remember that the symptoms were quite odd in that the error message dialog box would throw out an obscure error that could not be found in any online resource. They said they had to pull it out of a source code comment reference which led them down the NWCLIENT trail. I remember writing something to identify the users in the directory that could be affected by this issue, and someone did remediate them.

Through the years of getting support ( and giving it) I've found it best to ALWAYS question the actions you are being told, because people do make mistakes. I hate the excuse "Well I was told to do this." and they didn't think it through before doing it.

This reminds me of a tech who noticed a certain service was using a lot of CPU time on our Domain Controllers. He figured it might be a problem, so he killed the exe that was eating the CPU time because the OPs guy suggested it. I guess he thought this little exe would just restart and be fine because it had an obscure name he did not recognize... LSASS.EXE :)

And then he wondered why authentication problem tickets came in at that site...
J


From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TScmd help
Date: Fri, 5 May 2006 08:24:47 -0400



Oh sorry, yes, I completely understand that advice came from PSS from your previous post, I should have put the "Thanks PSS" on there too. :)

Did PSS actually say to check if they were TS Users? I wouldn't be surprised if they hadn't. A lot of the help and direction doesn't come with much insight unless you get the "right" PSS people. Which ones are the "right" ones... the ones that are good of course, I don't believe MSFT breeds for them or even tests for them, they just sort of happen and then once you find them you don't want to let go. 

I once received an email from an old coworker still working for the former employer asking if I heard this from PSS what would I have done... Keep in mind that this employee was in the USA and there was no local support where the server was other than say a janitor and a secretary nor hardware level remote control capability "This server you have in insert name of some small almost third world European nation, you want to disable NET LOGON and then reboot it and then we can check out the results..." and then 30-60 minutes later a call back from PSS "Hold on, don't do that yet, that may not be a good idea...". Then the coworker responding to PSS, "We already did, what now???" 

My response was that I would have openly laughed at the PSS guy as soon as he said the first thing and said go get your dad, I need to talk to a grownup. Yes that is insulting but if you are paying for best in class support, you better get it, if not, you insult them until they get you someone who will give you that support. I was once told, but if you insult them, they will remember you and won't want to work with you again. My response to that... If I am at the point that I am going to insult them, I would rather they not work with me again and better they spend their time filtering themselves out from me than spending my time while I filter them out. Plus I have learned that just asking for someone else isn't going to help you as evidenced by a problem I have been working through my current employer with PSS, the problem is approaching the one year point now, I have to be nice though, those are the rules I have to follow. If I didn't have to be nice, I can pretty much guarantee I wouldn't still be waiting for responses. I would have talked to the top person and they would either correct or have said no. Instead, I am treated like any customer who doesn't know better and sitting here not knowing anything about what PSS is doing. I have accomplished great things or at least brought great visibility to things within MSFT by being an extreme pain in the tush and making engineers feel stupid and making them want to "prove me wrong". I dislike very much that I have to do things that way but have been taught, that is how I can get results with them. Ditto for the Exchange Dev folks. The DS Dev folks on the other hand, they are great, you talk to them and they listen. They may not agree with you but they will talk to you and explain why they can't do what you are asking or what is wrong with what you want changed. 
They have some bad apples of course, but in that case, the barrel is mostly good apples and you aren't trying to pick and choose who you deal with, you can take a random deal and almost always be ok.

 joe




--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Thursday, May 04, 2006 10:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir

RE: Re: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?

2006-05-08 Thread Jef Kazimer


Hmm... reading the PDF at: http://download.microsoft.com/download/5/8/e/58ededaf-4de0-4fd3-b500-8a8f6bbfe1f4/ADRAP_Datasheet_v1.0t_English.pdf


Is this something to have running where MOM is not running? It seems a lot of this can be done via MOM, though not as slick of a consolidated interface.

Sort of like an all in one package?

Jef



Date: Mon, 8 May 2006 21:35:13 +0200
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?

Freddy HARTONO wrote:
Is it useful at all? We are doing the ad risk assessment from microsoft (adrap) - anyone has experiences or is using them extensively? Seems to be gui mode only?

Thank you and have a splendid day!

I saw it in action as one of engineers used it and it is useful tool to gather data and present is - it utilizes a lot of LDAP queries as well as output from various other tools and scripts, and gives You this "on the hand" in nice look.

IMO for people who knows a little about AD this may be really nice tool to use.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)


RE: [ActiveDir] GPO

2006-05-10 Thread Jef Kazimer


John,

Just curious, were these options *ONLY* available in XP SP2? Any hope it exists in Windows Server 2003 SP1? :)

Thanks,

Jef



From: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO
To: ActiveDir@mail.activedir.org
Date: Wed, 10 May 2006 08:49:21 -0500

Hi Peter...

If the clients are SP2, you can use the bottom box, to use it additively. They finally fixed it.

You use the bottom box, kinda backwards relative to the top... So, you would say for the group Domain Users, then that it is always a member of the local power users group. You can even just browse to that, if you just pick the local machine as the location.

Hope this helps,
John

"Peter Johnson" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO
05/10/2006 08:39 AM
Please respond to [EMAIL PROTECTED]

Hi John

Is there some way to define additive versus replacement as the last time I tried this it did a hard replacement.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 10 May 2006 14:57
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GPO

Hi Christine..

You can use the restricted groups function to add say domain users to the power users group on the local machine. It's a little tricky as one function of it will replace any other members of the power users group, should there be any. As of XP SP2 though, you can do it additive, instead of replacing.

Hope this helps...

John

"Christine Allen" Christine.Allen@bmchp.org
Sent by: [EMAIL PROTECTED]
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] GPO
05/10/2006 07:46 AM
Please respond to [EMAIL PROTECTED]

Hello,

Is there a way to change local computer rights via a gpo. We would like to add our users to the Power users group to distribute software, then take away that right after the software has been deployed.

-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02116
617-748-6034
617-293-4407
[EMAIL PROTECTED]


RE: Re: [ActiveDir] DNS on a DC or NOT

2006-05-17 Thread Jef Kazimer


We have it on all of our DCs as well worldwide and have not seen an issue.

But a question about integrated zones. I had an issue recently where a system owner wanted to know if people were resolving an old CNAME for one of their systems. They wanted to remove it from the zone, but wanted to verify it was not being used. 

I thought about putting auditing on for the CNAME in question, and then just collect the logs from the DNS servers. Unfortunately it was a non integrated zone and this could not be done. :(

Does anyone use DNS Application partitions for certain zones?




Date: Wed, 17 May 2006 09:56:16 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS on a DC or NOT

Depending on how many DCs you have in your environment, this might be a non-issue overall.

We have DNS on all our DCs, and no adversity has been observed thus far...

-ASB
On 5/17/06, Krenceski, William [EMAIL PROTECTED] wrote: 



This one

http://blogs.dirteam.com/blogs/carlos/archive/2006/05/10/939.aspx 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ASB
Sent: Wednesday, May 17, 2006 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS on a DC or NOT


Which blog entry...

-ASB
On 5/17/06, Krenceski, William [EMAIL PROTECTED]  wrote: 



I was reading Carlos's blog about not running DNS on the PDC emulator. It all makes perfect sense to not have DNS running on it. In my relatively small setup we have @60 servers, 560 pc's, on 8 networks (some remote some vlans). I have 2 DC's at my main site with one at each remote site. All DC's are GC and DNS. I always thought that in order for DNS to work as AD integrated your DNS servers had to be DC's. If that is NOT true my face is red for believing so for so long.





William Krenceski
Network Administrator
[EMAIL PROTECTED]



RE: Re: [ActiveDir] DNS on a DC or NOT

2006-05-17 Thread Jef Kazimer


joe,

I had considered the cache issue, but I figured that since it would be an integrated zone, it would exist on multiple DNS servers. So if each DNS server read the record once, it would generate enough audit flags to let us know it is still being used globally. :)

As I said, it was a standard primary zone, so it was not a viable option anyway. :(

I forget that auditing applies to integrated zones, so I never think of utilizing it anyway.

thanks,

Jef


From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] DNS on a DC or NOT
Date: Wed, 17 May 2006 12:13:49 -0400



Too bad you couldn't enable request logging in DNS itself. Auditing the entry is only going to tell you at least one thing asked for it, once in the cache, who knows how many asked. Scale is everything. :)


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm






RE: [ActiveDir] [OT] DNS on a DC or NOT

2006-05-17 Thread Jef Kazimer


I think my company uses Lotus Notes just because it doesn't integrate with anything so less headaches. :(





From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] DNS on a DC or NOT
Date: Wed, 17 May 2006 15:32:15 -0400

No I save up my D strength so I CAN talk about Exchange. I talk about and troubleshoot Exchange more than any AD person who hates Exchange that I know. :o)

Dean and I just had our annual (or is it quarterly) IM debate on ADI DNS. We apparently have no influence over each other's opinions in this matter.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Wednesday, May 17, 2006 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS on a DC or NOT

On 5/17/06, joe [EMAIL PROTECTED] wrote:
But enough about DNS, I don't speak about services that start with D. You have to draw the line somewhere. DFS, DNS, DHCP, Damn SQL Server... You get the drift. ;)

Doesn't 'Exchange' start with an 'E', though? Or are we dismissing that as an "Off by 1" error?

Laura


RE: [ActiveDir][OT] DNS on a DC or NOT

2006-05-17 Thread Jef Kazimer



http://dictionary.reference.com/search?q=mucker

mucker
\Muck"er\, n. A term of reproach for a low or vulgar labor person. [Slang]


Let the Ragin' begin!

(Thought I could have sworn it was a lazy way to say "mofo" :) )




From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
Date: Wed, 17 May 2006 15:45:01 -0400

Ignore Dean. He's going to try and D.O.S. a couple of companies I specified to him. If you see Dean's name in the papers next to buildings that are burning to the ground then you can listen to the conspiracy theories that require running S-DDNS. ;o) How many times was your NT environment DOS'ed by purposeful attacks on WINS? If you had an issue with WINS being unauthenticated at any point it was one of a couple of items

1. You screwed up WINS yourself somehow by doing something stupid or through inaction allowing something stupid to happen.
2. Someone fired up a SAMBA box and had no flipping clue what they were doing on Linux OR Windows.
3. Someone tried to set up a test domain using production WINS and using the real name of the production domains.

Even with those three items I can think of 2 cases in 10 years of these things and one was cleared up in about a week and the other was cleared up in about 15 minutes. The first should have been cleared up in 15 minutes too except the people working on it didn't understand Windows nor WINS nor did the Alliance people working the issue.

In the meanwhile, if an employee of a company wants to hurt AD, there are more subtle and less trackable mechanisms to do so than going after DNS. Anyone that attacked AD by going after AD is just a script kiddie punk with no vision. Heck even the script kiddies aren't going after it.

BTW, anyone know what a mucker is? I am trying to figure out if I am supposed to be morally outraged. eg

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, May 17, 2006 2:55 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] DNS on a DC or NOT

Ignore joe... he's just an LDAP/DS purist... as a general rule of thumb, keep the AD representative DNS zones within the directory configured to accept secure updates only. Use app. NCs or don't depending upon the forest's config., too many variables and much discussion for me right now on that one I'm afraid... but suffice it to say that for me; I prefer app. NCs where possible.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 17, 2006 10:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS on a DC or NOT

SO you are concerned about overall load then. This is something that is addressed in larger orgs often by segregating the PDC off in its own logical site which is hung off the main site it would normally be part of. That means it will usually not be used for auto coverage of other WAN sites and it will not become a large site bridgehead[1] and naturally avoided by any Exchange in that site if Exchange for some reason decides to beat on it due to some bad decision by an Exchange admin during configuration. This is especially helpful if you have a large legacy client load or lots of stupid applications that are using the old NET API (or WinNT provider) primarily which already overly target PDCs.

joe

[1] I recall asking way back at the 2003 RAP/RDP conference for a switch to say use all DCs but these special ones for bridgeheads, I would rather manage exceptions than manage the ones that are the ones to be used. Best is to be able to specify either way.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Wednesday, May 17, 2006 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS on a DC or NOT

Let me put that into perspective (and from reading the post again I thought it came across), the blog entry refers to networks with a large client load. I don't mean do NOT have DNS on your server it recommends (Option 2) releasing some of the load with the two registry settings, i.e. *LdapSrvPriority* and *LdapSrvWeight*. which is explained in the entry :)

These settings I have only ever used on large networks when I have noticed a large amount of DNS traffic being routed to the PDC DNS Service. :)

Does that explain the post if not just let me know what more information you need and I will explain it :)

Carlos Magalhaes

ASB wrote:
Which blog entry...

-ASB

On 5/17/06, Krenceski, William [EMAIL PROTECTED] wrote:
I was reading Carlos's blog about not running DNS on the PDC emulator. It all makes perfect sense to not have DNS running on it. In my relatively small setup we have @60 servers, 560 pc's, on 8 networks (some remote some vlans). I have 2 DC's at my main site with one at each remote site. All DC's are GC and DNS. I always thought that in order for DNS to work as AD integrated your DNS servers had to be DC's. If that is NOT true my face is red for believing so for so long.

William Krenceski
Network Administrator
[EMAIL PROTECTED]

RE: [ActiveDir] OldCmp question

2006-05-19 Thread Jef Kazimer



hmmm

How about -onlyenabled? :)

Ya know...just because...





From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question
Date: Fri, 19 May 2006 11:41:21 -0400

Disabled accounts are marked by having bit 1 lit on userAccountControl (value 2)

To exclude them you want -af "useraccountcontrol:AND:=2" and -bit

I just realized I have an -onlydisabled switch, I should add a -onlynotdisabled I guess...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, May 19, 2006 11:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OldCmp question

Anyone know a way to easily filter out disabled accounts from the oldcmp -users report? Would one have to use some sort of bitwise filter from a translation of a useraccountcontrol 66048 value or something?

~~
This e-mail is confidential, may contain proprietary information of Cameron and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.
~~
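An added example, not from the thread and not part of joeware's tools: the LDAP bitwise matching rules that a filter like the quoted -af "useraccountcontrol:AND:=2" relies on, evaluated offline over constructed sample accounts (the account names are made up; 66048 is the value Russ asks about).

```python
"""Added example (not from the thread): decode userAccountControl and apply
the LDAP bitwise matching rules a DC uses for attr:<OID>:=mask filters, so
that "exclude disabled" is a bit test rather than an equality on 66048."""

# Well-known userAccountControl flag bits.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
ACCOUNTDISABLE = 0x0002

# Extensible matching rule OIDs used in AD LDAP filters for bit tests.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"


def decode_uac(value):
    """Names of every flag bit set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def bitwise_match(value, rule_oid, mask):
    """Evaluate (attr:<rule_oid>:=mask) as the DC does: the AND rule is true
    only when every bit of mask is set, the OR rule when any bit of mask is."""
    if rule_oid == LDAP_MATCHING_RULE_BIT_AND:
        return (value & mask) == mask
    if rule_oid == LDAP_MATCHING_RULE_BIT_OR:
        return (value & mask) != 0
    raise ValueError("unknown matching rule " + rule_oid)


def is_disabled(uac):
    """(userAccountControl:1.2.840.113556.1.4.803:=2)"""
    return bitwise_match(uac, LDAP_MATCHING_RULE_BIT_AND, ACCOUNTDISABLE)


def split_by_disabled(accounts):
    """Split {sAMAccountName: userAccountControl} into (enabled, disabled)
    sorted name lists; the first is the "not disabled" report, the second
    what an -onlydisabled style switch would return."""
    enabled = sorted(n for n, uac in accounts.items() if not is_disabled(uac))
    disabled = sorted(n for n, uac in accounts.items() if is_disabled(uac))
    return enabled, disabled


# Constructed sample data (names and values are made up for the example).
SAMPLE_ACCOUNTS = {
    "alice": 66048,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, enabled
    "bob": 514,      # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "carol": 66050,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE
    "dave": 512,     # plain NORMAL_ACCOUNT, enabled
}

if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS.items():
        print(f"{name}: {uac} = {' | '.join(decode_uac(uac))}")
    print("enabled, disabled:", split_by_disabled(SAMPLE_ACCOUNTS))
```

Note that an equality filter on 66048 would miss carol and would also miss enabled accounts whose other flags differ from alice's, which is why the bit test is the right tool.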


RE: [ActiveDir] OldCmp question

2006-05-19 Thread Jef Kazimer


Hmm...then you could add -notonlynotdisabled to return disabled users just to keep with the flow...


Subject: RE: [ActiveDir] OldCmp question
Date: Fri, 19 May 2006 17:08:03 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org






+1 for –onlynotdisabled g


Thanks,Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 19, 2006 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OldCmp question

Hmm that may work. I will have to send it into the design committee and see what they think. ;o)

TGIF.




--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm












RE: [ActiveDir] [OT] RAID 5 Best Practice

2006-05-22 Thread Jef Kazimer


Speaking of Exchange...

Any good resources for Exchange info? (IE real world lessons, etc) I just got told today that we are going to be leaving a company we just bought on Exchange instead of migrating them to lotus notes (Talk about dodging a bullet). Sadly I have not done Exchange work since E2000, since I have been working at a large Notes shop for the past few years.

My excitement is I will get back to Exchange and outlook as Lotus Notes feels like I am using Email/Calendaring circa 1998. :(

I'm going to grab the deployment guides, but I am concerned with catching up all I don't know, and how it will affect my AD environment. I'm afraid the timelines are quite aggressive so I need to get moving.

Jef
-
http://www.jeftek.com


From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] RAID 5 Best Practice
Date: Mon, 22 May 2006 23:33:09 -0400

There is quite a bit of docs out there on designing good disk subsystems for Exchange. It comes down to how many IOPS are needed. If your design isn't around that, you will probably end up with issues. 


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Thursday, May 18, 2006 6:56 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] RAID 5 Best Practice
Sorry to bounce off topic. But what would you recommend for Exchange hard drive config? Even better, where I can look for information on how to troubleshoot (what to look for) the disk subsystem on an exchange box. Thanks.
On 5/18/06, joe [EMAIL PROTECTED] wrote: 
Classic Exchange type design. ;o)

For AD, I pretty generally recommend people do a single 0+1/10[1] first and then 5 second and go with either because usually they don't have enough slots for the disk internally to break it all up into a bunch of 1's and I prefer the disk internal for AD and you want as many spindles in the set as possible.

The good thing is that 0+1 will stand up to the IO (mostly DIT read) load that you get out of even really busy DCs. I may change my thoughts after I start seeing big x64 machines cruising along, haven't seen any yet in customer sites. The log load on DCs is usually miniscule except in cases I have heard of ~Eric testing some funky stuff in EEC and actually getting log write ops into triple digits. Ditto for OS too unless you are doing a bunch of other stuff on the DC.

For file sharing, I would consider 0+1 but 5 would be more likely since you probably want/need the space more than the speed. File sharing doesn't really beat the disks up relative to a busy DC even in large multi-thousand user file servers I have seen. It is why most normal server admins really have no clue what to look for in terms of IO load on servers but any Exchange Admin worth anything is looking at that right away in a problem situation and able to quote IOPS stats off the top of their head and know what they can get from the underlying disk subsystem. Exchange disk configs are critical.

Anyway, I don't have a problem with 5 for file servers. There is definitely a hit on rebuild but you have to ask yourself how often you expect that and whether or not it is acceptable that you take a hit when you are in that mode. I consider the fault tolerance for emergencies, not something I have to deal with weekly. If there are other benefits I want from 5 (say reduced cost for the space) and having slower rebuild is acceptable then that is perfectly fine. If you need something that is entirely transparent then you look at other solutions and you start spending more money.

As for logically partitioning the underlying disk. Not sure what kind of security gains you are expecting there. Nothing I can think of off the top of my head. No perf gain except for the possible perf gains in doing a volume chkdsk or backup/restore of individual volumes maybe. The partitioning for logical separate of binaries in data can be a good thing. Kind of nice to know that you absolutely need the D drive back but the C could be a complete fresh rebuild.

joe

[1] Assuming they wouldn't consider a straight stripe set, recall DCs are all duplicates and a big stripe set is going to be the fastest...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carlos Magalhaes
Sent: Thursday, May 18, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] RAID 5 Best Practice

I know this is not exactly the RAID 5 Best practices but this is how I usually setup and recommend the customers to setup their disks (if they can afford the hardware)

RAID1 for the OS
RAID1 for the logs
RAID0+1 for the database

Carlos

Brian Desmond wrote:
I always do 12GB for C and the rest for D for 'Data'. I can format C and not worry about the Data.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

RE: [ActiveDir] UNITY SERVERS

2006-05-25 Thread Jef Kazimer


I'm not sure how you mean "Unity Server"?

Can you give more details in what context? 

I did a quick Live Search on Unity Server and Active Directory and I thought it could possibly be a Cisco product?

http://www.live.com/?q=Unity+Server#q=Unity%20Server%20Active%20Directoryoffset=1

There also seems to be a http://www.unityserver.com

Thanks,
Jef


From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Date: Thu, 25 May 2006 22:14:02 -0500
Subject: [ActiveDir] UNITY SERVERS
Hi All,

Can anyone tell me what is a unity server. I want every detail of that.

Thanks
Hitender Saxena-- 


RE: [ActiveDir] DNS suffix resolution..

2006-07-31 Thread Jef Kazimer


Another FYI - Suffix Search List GPO is only available on Windows XP and up OS's.

It was not in Win2000 versions. We had to use scripts/reg keys to manage these back in the day.

Jef Kazimer
---
http://www.jeftek.com


Date: Mon, 31 Jul 2006 10:46:38 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS suffix resolution..

Hey - from the machines, i can definitely ping the FQDN.

If you have hundreds even thousands of workstations, the easiest way to distribute dns suffix search order listing is through group policy?

if you don't have a wins server specified and don't have the dns suffix search order, then name resolution won't work by simply typing in the netbios name -- that can't be default behavior for a windows domain that purportedly doesn't "need" wins. its for this purpose i still use wins.

how are your clients tcp/ip properties set at child domains? at HQ sites?

i'm curious to know how other admins are setting up dns/tcpip properties in their network/domain.
On 7/31/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: 



just as an FYI:

If you specify suffix search list it will override the searching of appending the parent suffix of primary DNS suffix.

So if you just specify:
domain2.domain1.com
domain3.domain1.com

and not

domain1.com

it will not search domain1.com since it is not specified in the Suffix Search List.

So if you want to still search the parent suffix, be sure to include it in the SSL.

Jef


- Original Message - 
From: Matheesha Weerasinghe 
To: ActiveDir@mail.activedir.org 

Sent: Monday, July 31, 2006 4:13 AM 
Subject: Re: [ActiveDir] DNS suffix resolution..


I assume you are using WINS and the DCs of child and parent domainsare registered there. Therefore the netbios names are resolving.

What happens when you try to ping the FQDN of the child domain server? Does that work? I think your issue is you want the child domain suffix to be appended automatically. My understanding is that it doesnt happen by default. However the reverse is true. If you are in a child domain and ping or attempt to resolve a name, it tries its own domain suffix before attempting to append the parent domain suffixes. This is true as long as you havent disabled the default behaviour, havent modified this through GPOs etc... 

You can also specify a list of search suffixes to go through in a certain order if you wish.
M@
On 7/30/06, HBooGz [EMAIL PROTECTED] wrote: 

I have a forest with one forest root and one child domain. The child domain is running windows 2000 SP4 and the HQ sites are running windows 2003 R2 standard.

I have the child domain controller setup as an AD-integrated zone and i have the 2003 DNS servers setup to receive that zone as a secondary zone.

if i don't include the suffix search order on the nic cards' dns entry page, i just resolve the netbios names of the hosts at the remote site. for example.

hq = company.com
child domain = sales.company.com

when i initiate a ping from any host at HQ to a host in the child domain i only resolve the netbios name. how can i resolve this?

I've tried setting up dns name delegation in the past when i was running a full 2000 domain, but that name resolution never worked right and it wasn't timely.

thanks,
--
HBooGz:\ 
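The behaviour Jef points out in this thread (a configured Suffix Search List replaces, rather than extends, the primary DNS suffix and its devolved parent suffixes) can be modelled in a few lines. The Python below is an added illustration, not code from the thread or from Microsoft; it assumes the classic client rule (primary suffix first, then parent suffixes down to the second-level domain when devolution is on, and only the listed suffixes when a search list is set), handles single-label names only, and uses the constructed names company.com / sales.company.com / domain1.com from the thread. The audit helper at the end is the check an admin would run over a GPO-distributed list before rollout.

```python
"""Simplified model of how a Windows DNS client qualifies a single-label name.

Added illustration (not code from the thread or from Microsoft). The model
assumes the classic rule: with a Suffix Search List configured, only the listed
suffixes are appended; without one, the primary DNS suffix is appended and then
(if devolution is on) its parent suffixes down to the second-level domain."""


def devolved_suffixes(primary_suffix: str) -> list:
    """Primary suffix followed by its parents, stopping at the second-level domain.

    'sales.company.com' -> ['sales.company.com', 'company.com']  (assumed rule)
    """
    labels = [l for l in primary_suffix.lower().strip(".").split(".") if l]
    if not labels:
        return []
    return [".".join(labels[i:]) for i in range(max(1, len(labels) - 1))]


def candidate_fqdns(name: str, primary_suffix: str, search_list=None,
                    devolution: bool = True) -> list:
    """FQDNs the client would try, in order, for a single-label name.

    A non-empty search_list replaces the primary suffix and devolution entirely,
    which is the behaviour Jef warns about: a parent suffix not listed there is
    never tried.
    """
    name = name.strip(".").lower()
    if not name or "." in name:
        raise ValueError("model handles single-label names only")
    if search_list:
        suffixes = [s.strip(".").lower() for s in search_list if s.strip(".")]
    elif devolution:
        suffixes = devolved_suffixes(primary_suffix)
    else:
        suffixes = [primary_suffix.strip(".").lower()]
    candidates = []
    for suffix in suffixes:
        fqdn = f"{name}.{suffix}"
        if fqdn not in candidates:        # de-duplicate, keep first occurrence
            candidates.append(fqdn)
    return candidates


def missing_parent_suffixes(primary_suffix: str, search_list) -> list:
    """Audit helper: suffixes devolution would have tried but the search list omits.

    Run this over a proposed GPO search list before it is rolled out.
    """
    configured = {s.strip(".").lower() for s in search_list}
    return [s for s in devolved_suffixes(primary_suffix) if s not in configured]


if __name__ == "__main__":
    # Constructed scenario from the thread: HQ is company.com, child is sales.company.com.
    print(candidate_fqdns("fileserver", "company.com"))
    print(candidate_fqdns("fileserver", "company.com",
                          ["sales.company.com", "company.com"]))
    print(missing_parent_suffixes("domain1.com",
                                  ["domain2.domain1.com", "domain3.domain1.com"]))
```

The first call shows why an HQ client never reaches a host in the child domain on its own: devolution only walks upward from the primary suffix. The second shows the fix from the thread, a search list that includes both the child suffix and the parent; the third reproduces Jef's example, where domain1.com drops out of the search entirely because the list omits it.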


[ActiveDir] Single Space in LDAP query dropped: Why?

2006-08-17 Thread Jef Kazimer



I had posted this today, and I was curious if anyone knew why an LDAP filter 
drops the query when searching for a single space value? Though I was using 
Joe's ADfind, I did have the same results in ADSIedit, and thought someone 
better than I may know why. It's not really a problem, just a curiosity.

Thanks,

Jef


http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!642.entry

LDAP queries are spaced out...

I was looking at a metaverse object in MIIS today and noticed some admin had 
set the mail attribute to a single SPACE ( ) character. The Metaverse is 
stored in a SQL server, so naturally the query structure is different than 
any constraints of LDAP.

I wanted to discover how many other user objects had the same issue, so I 
decided to pull out ADfind and issue this command:

ADFIND -H MYSERVER -DEFAULT -F "(&(objectCategory=person)(mail= ))" -C
0 found

ok, so I thought it was my lack of quoting and tried:

ADFIND -H MYSERVER -DEFAULT -F "(&(objectCategory=person)(mail=' '))" -C
0 found

Since it's command line I was sure that the quoting would encapsulate it 
correctly, so I figure it is being stripped out by the LDAP query (I made this 
same query in ADSIedit and LDP with no luck) so perhaps there is an escape 
character for such a thing. I have done many queries with filters 
like "description=The Man", and the space was interpreted correctly. Yet 
it seems a single space, by itself, is not passed to the query correctly.

So I check out the uber friendly RFCs and find escape characters for types 
such as * and NUL, but really no mention of a single space as anything 
special. I checked the LDAP V3 RFC as well for any real mention of when a 
single space is dropped from the query, finding nothing related.

Fortunately, using the escaped sequence in the query ("mail=\20") to 
represent a space worked just fine and returned the object I was looking for.

ADFIND -H MYSERVER -DEFAULT -F "(&(objectCategory=person)(mail=\20))" -C
48 found

So LDAP filters can contain spaces as the value being queried for, but the 
value cannot be a single space without using an escape sequence to represent 
it.

I suppose it's kind of silly, but I had never really looked for such an 
occurrence before, so it was an interesting learning experience.
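The \20 trick Jef landed on is the general answer: RFC 4515 lets any byte of an assertion value be written as a backslash and two hex digits, and it requires that form for the handful of bytes that have filter syntax. Below is an added Python escaper (not code from the post, from ADfind or from any LDAP library) that applies that rule. Besides the mandatory set it escapes leading and trailing spaces, control bytes and non-ASCII bytes; the edge-space handling is the assumption that covers the trimming seen in the post. The second builder is the plain string-concatenation pattern, kept only so the two outputs can be compared when the value comes from user input.

```python
"""RFC 4515 escaping of assertion values for LDAP search filters.

Added illustration, not code from the post, ADfind or any LDAP library.
Escaping every special byte as \\XX (two hex digits of the UTF-8 byte) both
covers the single-space case from the post and stops user-controlled text from
altering the structure of the filter it is pasted into."""

# Bytes RFC 4515 requires to be escaped inside an assertion value.
_MUST_ESCAPE = {0x2A, 0x28, 0x29, 0x5C, 0x00}   # *  (  )  \  NUL


def escape_filter_value(value: str) -> str:
    """Encode `value` for use as the right-hand side of (attr=value).

    Beyond the mandatory set, this also escapes control bytes, non-ASCII bytes
    and leading/trailing spaces. RFC 4515 permits escaping any byte, and
    writing edge spaces as \\20 keeps them from being trimmed by tools that
    strip the filter string before sending it (the symptom seen in the post).
    """
    data = value.encode("utf-8")
    lead = len(value) - len(value.lstrip(" "))     # a space is one UTF-8 byte,
    trail = len(value) - len(value.rstrip(" "))    # so these are byte counts too
    n = len(data)
    out = []
    for i, b in enumerate(data):
        edge_space = b == 0x20 and (i < lead or i >= n - trail)
        if b in _MUST_ESCAPE or b < 0x20 or b >= 0x80 or edge_space:
            out.append(f"\\{b:02x}")
        else:
            out.append(chr(b))
    return "".join(out)


def person_with_mail(mail: str) -> str:
    """Filter for person objects whose mail attribute equals `mail` exactly."""
    return f"(&(objectCategory=person)(mail={escape_filter_value(mail)}))"


def person_with_mail_unsafe(mail: str) -> str:
    """Plain concatenation: any filter syntax inside `mail` becomes part of the
    filter's structure. Shown only for comparison with person_with_mail."""
    return f"(&(objectCategory=person)(mail={mail}))"


if __name__ == "__main__":
    print(person_with_mail(" "))          # the single-space case from the post
    print(person_with_mail("The Man"))    # interior spaces need no escaping
    print(person_with_mail_unsafe("*)(objectClass=*"))
    print(person_with_mail("*)(objectClass=*"))
```

The last two lines of the demo make the security point: with concatenation, a value containing `*)(` changes the filter's structure, while the escaped form keeps it as a literal string the server compares against the attribute.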


Re: [ActiveDir] splitting a domain into two

2006-09-19 Thread Jef Kazimer



Just to add some info here..

I am currently in the middle of an "integration" where one IT group 
suggested a split the network to clone the AD environment on both sides.

Thankfully this has been abandoned after being evaluated.

I believe Microsoft Consulting Services called this solution "Dangerous" 
and "Disaster Prone", and more importantly, unsupported in a production 
environment.

While this is a common scenario in a Prod to Isolated Lab replica, the 
dangers are too great to have those domains talk to each other, and potentially 
wipe each other out.

If you are dealing with MCS, I can get you the case # for a company 
who attempted this, and had a disaster of a time resulting in 10 days of 
downtime. In the end, they were left with a limping AD, so it would 
have to be rebuilt because it was not sure the true state of this.

Jef

  - Original Message - 
  From: Al Mulnick
  To: ActiveDir@mail.activedir.org 
  Sent: Saturday, September 16, 2006 8:34 PM
  Subject: Re: [ActiveDir] splitting a domain into two
  
  Yeah. See the problem with that "policy" concept is that in your 
  environment you've already noticed that good ideas are seldom given a chance 
  to live long enough to make it to your level :)
  
  That said, I would think it's extremely dangerous to try and break it 
  like that. Although, it could work, the risk is pretty high that your 
  networks will be connected long before you have a chance to decommission the 
  domains leaving you with a potentially difficult name resolution issue to 
  resolve. There would likely be much wailing and gnashing of teeth as well. 
  
  
  I think in this case, option 3 would be preferred: 
  3) Leave the domains alone and allow the break of network to occur. When 
  the WAN links are created to the central hub, migrate as fast as your legs 
  will carry you. Remember that at that time, your replication will likely 
  resume. Try to keep a change freeze as long as you can if the networks 
  will be able to see each other. 
  
  It might not be a bad idea to check on the tombstone time and raise that 
  if you can. WAN links are known to take longer to bring up than any 
  planning might assume. Put another way, network folks tend to be overly 
  optimistic when it comes to timing of WAN link configurations. 
  
  Be sure to communicate as much as possible about the risks and 
  tradeoffs. That way you can stick your tongue out later and sing, "I 
  told ya so!" at the top of your lungs (likely after work and out of earshot of 
  those that might take offense, but you can at least do so with a clear 
  conscience.) 
  
  
  My $0.04 (USD) anyway. 
  
  Al
  On 9/16/06, Kamlesh 
  Parmar [EMAIL PROTECTED] wrote: 
  

Well :-)
I suppose, you are looking at tiny figure of 300 users and why not 
choosing option 1 straight away.
If only every IT manager was as forceful and articulate about danger of 
short term decisions as you are.
About migrating to corporate domain, that is achievable as both sites 
are not going to get links simultaneously
so who ever gets link first, it gets migrated first with security 
translation as preferred method, and we basically have a policy to remove 
sidhistory along withdemotion of old domain. And here it will be 
serialized migration one after another rather than simultaneous. 

Assumption here being, once the trust with one domain is established, 
machines migrated, trust broken. 
I suppose creating trust again with same domain name at different site 
should not be a issue.

--

Kamlesh

On 9/16/06, joe 
[EMAIL PROTECTED] wrote: 

  
  
  First 
  impression: Yuck.
  
  The 
  main thing that caught my attention is the "migrate into a corporate 
  domain at a later time". I assume you mean both of these "separated" 
  domains would be migrated? If so, how do you plan to do the migration? You 
  won't be able to have name res for the trusts, even if you could you would 
  most likely run into SID issues if you maintained SID History. 
  
  
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
  Sent: Friday, September 15, 2006 4:57 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] splitting a domain into two
  
  Dear All,

  Scenario : Single regional domain, two sites, both sites having separate 
  links to Internet and direct WAN connectivity with each other.
  AD Integrated DNS
  site1: 300 users
  site2: 400 users

  Now, due to restructuring, they have decided to get rid of WAN link joining 
  the two sites immediately, as both sites will have separate individual

[ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread Jef Kazimer
Since there has been talk of LDAP Authentication as of late, I figured I'd 
post my issue of poorly developed applications allowing a null password to 
an ADAM instance using Bind Redirection.


http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!710.entry

I'd be curious if a bit flip to shut down this possibility could be put in 
control of the directory Admin, instead of relying on the developers.


Thanks,

Jef Kazimer 


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] ADAM bind Redirection with a NULL password

2006-09-28 Thread Jef Kazimer

Eric,

The problem stems from lack of ability to modify the application to correct 
the behavior.  If I had the ability to force this, I would simply require 
null/blank not to be passed to the ADAM server from the application.


I've been at odds about the DCR myself, for all the reasons you mentioned. 
Yet, without the ability to control the applications, the only thing I can 
control is the directory itself.  Without a mechanism to disable such 
behavior, I am without recourse unfortunately.


So far, I've been able to avoid this problem, because the 2 apps I had this 
happen with, the developer was able to modify the authentication dialog.  I 
have had other apps with other issues, where modification was not possible. 
These did not suffer this poor design issue, but I wonder if I will get such 
an app eventually.  I suppose I am just trying to solve a problem I have 
not been forced to solve by this method, which means it can wait.


I could go into how it would be nice to have enterprise application minimum 
standards, and application owners involve infrastructure staff BEFORE an app 
is purchased, instead of after when it doesn't work, but I won't :)


Jef


- Original Message -
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 28, 2006 8:48 PM
Subject: RE: [ActiveDir] ADAM bind Redirection with a NULL password

One solution would be to ACL all objects such that SELF can read them,
then have the app, after it has authenticated as the user, try and read
something on the user itself. This way you know you are in fact that
user (or someone else that has read access, which presumably won't work
as anonymous).

In terms of your DCR...could such a bit be put in? I guess. But DCRs
that are filed with the intentional intent of going against an RFC
typically have a rough time getting through even with a very strong
business impact. And you have a workaround already in the app, and
another solution I mentioned above. Just setting expectations...

~Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Thursday, September 28, 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADAM bind Redirection with a NULL password

Since there has been talk of LDAP Authentication as of late, I figured
I'd
post my issue of poorly developed applications allowing a null password
to
an ADAM instance using Bind Redirection.

http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!710.entry

I'd be curious if a bit flip to shut down this possibility could be put
in
control of the directory Admin, instead of relying on the developers.

Thanks,

Jef Kazimer



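The problem in this thread and both application-side answers to it can be modelled without a directory server. The Python below is an added illustration only: a toy in-memory directory, not ADAM, not System.DirectoryServices and not any real LDAP library. It reproduces the legacy simple-bind rule Jef runs into (a non-empty DN with an empty password is accepted as an anonymous session, with no error for the application to notice), and then shows the two guards the thread discusses: refusing to send a blank password at all, and Eric's check of reading a SELF-only attribute on the user's own entry after the bind. The ACL (mail world-readable, employeeID readable by SELF only), the DNs and the sample credentials are constructed.

```python
"""Toy model of the ADAM null-password bind problem and two client-side guards.

Added illustration only: an in-memory stand-in for a directory, not ADAM, not
System.DirectoryServices and not any real LDAP library. It reproduces the
legacy simple-bind rule in which a non-empty DN with an empty password yields
an *anonymous* session without an error, and shows (1) refusing to send a
blank password and (2) Eric's SELF-read check after the bind."""

from dataclasses import dataclass, field

ANONYMOUS = ""          # authorization identity of an unauthenticated session


@dataclass
class Entry:
    dn: str
    password: str
    attrs: dict = field(default_factory=dict)


class ToyDirectory:
    """Minimal simple-bind server with a two-rule ACL (constructed for the demo)."""

    def __init__(self, entries):
        self.entries = {e.dn.lower(): e for e in entries}

    def simple_bind(self, dn: str, password: str) -> str:
        """Return the authorization DN the session ends up with."""
        if password == "":
            return ANONYMOUS        # the trap: no error, just an anonymous session
        entry = self.entries.get(dn.lower())
        if entry is None or entry.password != password:
            raise PermissionError("invalidCredentials")
        return entry.dn

    def read_attr(self, authz_dn: str, target_dn: str, attr: str):
        """ACL: 'mail' is world-readable, 'employeeID' is readable by SELF only."""
        entry = self.entries.get(target_dn.lower())
        if entry is None:
            raise LookupError("noSuchObject")
        if attr == "employeeID" and authz_dn.lower() != entry.dn.lower():
            raise PermissionError("insufficientAccessRights")
        return entry.attrs.get(attr)


def naive_login(directory: ToyDirectory, dn: str, password: str) -> bool:
    """What the poorly written application does: the bind did not fail, so log in."""
    try:
        directory.simple_bind(dn, password)
        return True
    except PermissionError:
        return False


def hardened_login(directory: ToyDirectory, dn: str, password: str,
                   reject_blank: bool = True) -> bool:
    """Guard 1: never send an empty or whitespace-only password.
    Guard 2: after binding, read a SELF-only attribute on our own entry; an
    anonymous session (or any other identity) gets insufficientAccessRights."""
    if reject_blank and (not dn or not password.strip()):
        return False
    try:
        authz = directory.simple_bind(dn, password)
        directory.read_attr(authz, dn, "employeeID")
        return True
    except (PermissionError, LookupError):
        return False


def demo_directory() -> ToyDirectory:
    """Constructed sample data for the checks below."""
    return ToyDirectory([
        Entry("cn=alice,ou=users,o=app", "correct horse",
              {"mail": "alice@example.test", "employeeID": "1001"}),
    ])


if __name__ == "__main__":
    d = demo_directory()
    alice = "cn=alice,ou=users,o=app"
    print("naive, blank password:", naive_login(d, alice, ""))        # True: the flaw
    print("hardened, blank password:", hardened_login(d, alice, ""))  # False
    print("hardened, real password:", hardened_login(d, alice, "correct horse"))
```

Guard 2 works on its own as well (call `hardened_login` with `reject_blank=False` and an empty password and it still returns False), which is why Eric's suggestion is useful when the application's password dialog cannot be changed but its post-bind logic can. Guard 1 is the cheaper fix when the dialog is under your control, and it is the one Jef says he asked the two developers for.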

