[ActiveDir] Identify STATIC records in AD DNS
Hi there, Does anyone know of a way to programmatically identify STATIC records within an AD integrated DNS zone? The DNS manager gui can show if a record has a timestamp or not, but with 100's of thousands of records you can't check them all. I've looked for a property I can search on using ADSI or WMI, but have not found anything consistent. The closest I found is the AD property dnsIsTombstoned. It appears to have 3 values: TRUE = Already tombstoned and will be replicated FALSE = Not tombstoned yet, but can be not set = Will not be scavenged. This is not 100% though, so I think I am missing something else. Thanks, Jef Kazimer List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Show the EmployeeID field within ADUC
The request to view attributes outside of the those allowed with the standard ADUC display dll's seems to come up a lot. I am surprised in the newer MMC and tools they did not come up with an SDK that is more obtainable for the admins who are not programmers. I have never liked the idea of using custom script additions, but it's one of the better options if you do not have the programming resources for a custom DLL. I suppose this has always been the arena of 3rd parties to supply their tools for custom management, but it would be nice to have a nice GUI based config for distributing a custom ADUC. We have pretty much abandoned the ADUC tool for most admins in favor a homegrown ASP.NET app because of the need to expose more attributes than the standard ADUC displays. The MMC is such a good concept, but to fully leverage it, it seems you do need programming skillset which many AD shops may not be able to leverage. just my 2c - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, July 20, 2006 8:34 AM Subject: RE: [ActiveDir] Show the EmployeeID field within ADUC The below is non-trivial, whilst exposing the data via a context menu option (i.e. right click user, select 'show emp id') is far simpler. A good example can be found here: http://www.petri.co.il/add_unlock_user_option_to_dsa.htm You'll need to write a script to go get the emp id and make changes in the Config partition. neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: 20 July 2006 14:13To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Show the EmployeeID field within ADUC One of our admins has populated the EmployeeID field within AD. We would now like this field to be visible to all of our admins but are unsure how to make it appear on any of the tabs within the user's account in ADUC.Any suggestions on how to make this field appear on a user's account information? BONNIE POHLSCHNEIDERCOPELAND HELP DESK937-493-2333 or Ext. 2333 PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
Re: [ActiveDir] Using non-standard TLDs within Active Directory
Title: Using non-standard TLDs within Active Directory neil, In a re-design we are moving away from using our existing COM TLD, and moving to a CORP TLD. IE - COMPANY.COM is now COMPANY.CORP for the internal Forest name and DNS zone. There are issues with having COMPANY.COM internal and external from a DNS routing perspective, so we want to remove any possibly assumption that they are the same thing. Thanks, Jef - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, July 21, 2006 4:19 AM Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory Thanks Peter. Are we referring to same thing? I refer to the suffix at the end of the DNS name - e.g. I refer to 'blob' in 'neil.blob'. I am not referring to the 'neil' part. Does your response still hold? neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter JohnsonSent: 21 July 2006 09:56To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Using non-standard TLDs within Active Directory Ive always gone the opposite way. I like the idea of using a completely non-standard TLD for my forest root so that if the company name changes etc it has no effect on the forest. It also enables you to split the internal DNS from the external DNS structure. If the internal DNS structure is ever published to the Internet it will simply be dropped. I always set mine up with non-standard TLDs and have never had any issues. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: 21 July 2006 10:20To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Using non-standard TLDs within Active Directory Does anyone have experience or comments regarding the use of non-standard TLDs within a production AD forest? E.g. x.nom The name will be used within a production environment - a separate forest will exist for testing and QA. I've always preferred to use standard TLDs in prod [so the name can be registered etc] and permit the non-standard TLD in test forests only. Any comments? Thanks, neil PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer
Re: [ActiveDir] DNS suffix resolution..
just as an FYI: If you specify suffix search list it will override the searching of appending the parent suffix of primary DNS suffix. So if you just specify: domain2.domain1.com domain3.domain1.com and not domain1.com it will not search domain1.com since it is not specified in the Suffix Search List. So if you want to still search the parent suffix, be sure to include it in the SSL. Jef - Original Message - From: Matheesha Weerasinghe To: ActiveDir@mail.activedir.org Sent: Monday, July 31, 2006 4:13 AM Subject: Re: [ActiveDir] DNS suffix resolution.. I assume you are using WINS and the DCs of child and parent domainsare registered there. Therefore the netbios names are resolving. What happens when you try to ping the FQDN of the child domain server? Does that work? I think your issue is you want the child domain suffix to be appended automatically. My understanding is that it doesnt happen by default. However the reverse is true. If you are in a child domain and ping or attempt to resolve a name, it tries its own domain suffix before attempting to append the parent domain suffixes. This is true as long as you havent disabled the default behaviour, havent modified this through GPOs etc... You can also specify a list of search suffixes to go through in a certain order if you wish. M@ On 7/30/06, HBooGz [EMAIL PROTECTED] wrote: I have a Forrest with one forest root and one child domain.The child domain is running windows 2000 SP4 and the HQ sites are running windows 2003 R2 standard.I have the the child domain controller setup as an AD-integrated zone and i have the 2003 DNS servers setup to receive that zone as a secondary zone. if i don't include the suffix search order on the nic cards' dns entry page, i just resolve the netbios names of the hosts at the remote site. for example.hq = company.comchild domain = sales.company.comwhen i initiate a ping from any host at HQ to a host in the child domain i only resolve the netbios name. how can i resolve this ?I've tried setting up dns name delegation in the past when i was running a full 2000 domain, but that name resolution never worked right and it wasn't timely.thanks,-- HBooGz:\
Re: [ActiveDir] Single Space in LDAP query dropped: Why?
Joe, Yup, escaping the character worked like a charm. Joe mentioned that the query appears to be trimmed, so that seems to be what is happening. Thanks, Jef - Original Message - From: Joe Kaplan [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, August 18, 2006 8:33 AM Subject: Re: [ActiveDir] Single Space in LDAP query dropped: Why? I'm pretty sure that's part of the RFC spec. A space at the beginning or end of a query value will be ignored. Your space in this example would be both. Did you try escaping it to see if that works? Joe Kaplan - Original Message - From: Jef Kazimer To: ActiveDir@mail.activedir.org Sent: Friday, August 18, 2006 12:15 AM Subject: [ActiveDir] Single Space in LDAP query dropped: Why? I had posted this today, and I was curious if anyone knew why an LDAP filter drops the query when searching for a single space value? Though I was using Joe's ADfind, I did have the same results in ADSIedit, and thought someone better than I, may know why. It's not really a problem, just a curiousity. Thanks, Jef http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!642.entry LDAP queries are spaced out... I was looking at a metaverse object in MIIS today noticed some admin had set the mail attribute to a single SPACE ( ) character. The Metaverse is stored in a SQL server, so naturally the query structure is different than any constraints of LDAP. I wanted to discover how many other user objects had the same issue, so I decided to pull out ADfind and issue this command: ADFIND -H MYSERVER -DEFAULT -F ((objectCategory=person)(mail= )) -C 0 found ok, so I thought it was my lack of quoting and tried: ADFIND -H MYSERVER -DEFAULT -F ((objectCategory=person)(mail=' ')) -C 0 found Since it's command line I was sure that the quoting would encapsulate it correctly, so I figure it is being stripped out by the LDAP query (I made this same Query ins ADSIedit and LDP with no luck) so perhaps there is an escape character for such a thing. I have done many queries with filters like description=The Man, and the space was interpreted correctly. Yet it seems, a single space, by itself is not passed to the query correctly. So I check out the uber friendly RFCs and find escape characters for types such as * and NUL, but really no mention of a single space as anything special. I checked the LDAP V3 RFC as well for any real mention of when and when a single space is dropped from the query, finding nothing related. Fortunately, using the escaped sequence in the query (mail=\20) to represent a space worked just fine and returned the object I was looking for. ADFIND -H MYSERVER -DEFAULT -F ((objectCategory=person)(mail=\20)) -C 48 found So LDAP filters can container spaces as the value being queried for, but cannot be a single space without using an escape sequence to represent the value. I suppose it's kind of silly, but I had never really looked for such an occurrence before, so it was an interesting learning experience. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Single Space in LDAP query dropped: Why?
It's .NET - Get it right! ;) - Original Message - From: joe [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, August 18, 2006 10:15 PM Subject: RE: [ActiveDir] Single Space in LDAP query dropped: Why? You NET programmers ;o) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan Sent: Friday, August 18, 2006 11:07 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Single Space in LDAP query dropped: Why? Me too. I was that lazy. :) Joe Kaplan - Original Message - From: joe [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Friday, August 18, 2006 5:46 PM Subject: RE: [ActiveDir] Single Space in LDAP query dropped: Why? I have it bookmarked. :) LDAP V3 - http://www.faqs.org/rfcs/rfc2251.html LDAP Attribute Syntax - http://www.faqs.org/rfcs/rfc2252.html LDAP DN representation - http://www.faqs.org/rfcs/rfc2253.html LDAP Search Filters - http://www.faqs.org/rfcs/rfc2254.html LDAP URL Format - http://www.faqs.org/rfcs/rfc2255.html LDAP V3 X500 User Schema - http://www.faqs.org/rfcs/rfc2256.html List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Secure LDAP queries from the outside
This might be already tried, but did you try running pkiview.msc from the machine? This checks the availability of the CRL from the current client against the CRL locations of http and/or AD. I had an issue awhile back when trying to read a http based CRL, that it could not connect due to an issue in the internal PAC script, which was not directing the client correctly. Jef - Original Message - From: steve patrick To: ActiveDir@mail.activedir.org Sent: Tuesday, August 22, 2006 11:53 AM Subject: Re: [ActiveDir] Secure LDAP queries from the outside You cannot remove a CDP extension from a specific template - it is configured for all certs issued from the issuing CA. If he plans to have clients from outside his network access the DC's of LDAPS - he should reconfigure the CA to include a CDP which is available outside of his network. my .02 steve - Original Message - From: Bernier, Brandon (.) To: ActiveDir@mail.activedir.org Sent: Tuesday, August 22, 2006 9:14 AM Subject: RE: [ActiveDir] Secure LDAP queries from the outside Areyou publishing a CRL? If so then it must use the path to theCRL that's specified in the certificate or it bombs out (latency to the hosting CRL serverwill kill it too..forgot the exact value). Why do you need CRL checking on your DC's? Doesn't that make you question who is on your DC's that would make you revoke a cert among other things? I would modify the template (ifyour using a Enterprise CA) andreissue the certs without a CRL and make sure the clients have the public key to your Root CA in their trusted root store. Something to ponder. -Brandon From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.Sent: Tuesday, August 22, 2006 10:36 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Secure LDAP queries from the outside Hi Robert, Yes, the command is *exactly* the same. We are thinking that our CRL location is not available outside of the firewall. We generate our own certificates; we dont use a well known provider. Mike Thommes From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, RobertSent: Tuesday, August 22, 2006 9:16 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Secure LDAP queries from the outside Hey Mike, When you say It works fine behind our firewall, are you meaning that the *exact same* command line works and you get the object returned? I tried using adfind to connect to my test DC using port 636 and got the exact same error but I dont have a cert installed on my DC so Id expect mine not to work. Robert Williams From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.Sent: Tuesday, August 22, 2006 6:19 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Secure LDAP queries from the outside Hi, We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue. Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using adfind: adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2 AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005 LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down Terminating program. (extensionAttribute2 is used for email address) Portqry shows that the DC is listening on port 636. Using ldp, the bind operation seems to want to default to port 389 (which is not open). It works fine behind our firewall. Is there some other port that needs to be open (besides 389)? Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way? Any help is appreciated! TIA, Mike Thommes 2006-08-22, 10:35:32The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.
Re: [ActiveDir] ADAM bind Redirection with a NULL password
Tony, I have to wonder what is classified as a special circumstances, since I suppose they are all sort of special. I have used Bind Redirection with MIIS/IIFP for quite a few scenarios: Corportate Spinoff: We needed to split off a portion of our users into a new company, and an entirely new forest. To solve the issue of apps only binding to a single NC, we used MIIS to populate an ADAM instance that contained active users from both forests during the TSA. Corporate Acquisitions: Similar situation, where we needed to combine users into a single NC. Having more than 1 user domain, and an app that can ONLY bind to a single Domain/NC. Custom Schema extensions for an application that is not an enterprise class application. You may not want to extend AD for a small subset of users. Extend the ADAM schema for the application, but proxy the user authentication back to the main AD. It also helps with audit and compliance, where you are really only managing a single user principle, but proxying apps to it. Unfortunately, LDAP seems to be the defacto standard for applications. With that, simple bind seems to be the way of choice. I would say, many are Java apps where I think someone wrote a howto many years ago, and I keep seeing the same thing come in as Authentication. Some big name apps from Lotus/IBM, Documentum all have/had issues with only pointing to a single NC, so I don't want to say it's only smaller developers. Many of the companies I've worked at, have had more than a single domain, so I am surprised that so many enterprise apps assume a single NC for authentication. I can't solve the problems at the app level, but I try to solve it at the centralized directory level. Thanks, Jef - Original Message - From: Tony Murray [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, September 28, 2006 9:27 PM Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password My impression from reading the on-line documentation is that the use of ADAM Proxy Objects and bind redirection is frowned upon anyway. Proxy users are designed for special circumstances and should only be used as a last resort, when Windows principals cannot be used directly. and ADAM bind redirection should be used only in special cases where an application can perform a simple LDAP bind to ADAM but the application still needs to associate the user with a security principal in Active Directory. From http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx?mfr=true Is there no way for the application to use the recommended alternative, i.e. where ADAM receives a SASL bind request and forwards the request to Active Directory? Tony -- Original Message -- From: Jef Kazimer [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org Date: Thu, 28 Sep 2006 21:17:39 -0500 Eric, The problem stems from lack of ability to modify the application to correct the behavior. If I had the ability to force this, I would simply require null/blank not to be passed to the ADAM server from the application. I've been at odds about the DCR myself, for all the reasons you mentioned. Yet, without the ability to control the applications, the only thing I can control is the directory itself. Without a mechanism to disable such behavior, I am without recourse unfortunately. So far, I've been able to avoid this problem, because the 2 apps I had this happen with, the developer was able to modify the authentication dialog. I have had other apps with other issuers, where modification was not possible. These did not suffer this poor design issue, but I wonder if I will get such an app eventually. I suppose I am just trying to solve a problem, I have not been forced to solve by this method, which means it cane wait. I could go into how it would be nice to have enterprise application minimum standards, and application owners involve infrastructure staff BEFORE an app is purchased, instead of after when it doesn't work, but I won't :) Jef - Original Message - From: Eric Fleischman [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, September 28, 2006 8:48 PM Subject: RE: [ActiveDir] ADAM bind Redirection with a NULL password One solution would be to ACL all objects such that SELF can read them, then have the app, after it has authenticated as the user, try and read something on the user itself. This way you know you are in fact that user (or someone else that has read access, which presumably won't work as anonymous). In terms of your DCR...could such a bit be put in? I guess. But DCRs that are filed with the intentional intent of going again an RFC typically have a rough time getting through even with a very strong business impact. And you have a workaround already in the app, and another solution I mentioned above. Just setting expectations... ~Eric
Re: [ActiveDir] ADAM bind Redirection with a NULL password
Joe, FCB works with simple binds, and BR ONLY works with simple binds, so I suppose it's possible. I've never coded to try however, but I could check it out. Jef - Original Message - From: Joe Kaplan [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, September 28, 2006 10:12 PM Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password The problem is that this happens a lot. There are simply tons of applications out there that don't use Windows SASL binds. It would be nice if it wasn't this way, but that's the reality of LDAP auth, especially with vendors that don't use Microsoft's LDAP libraries. I've got at least 6 of these at work right now. The other thing that is hard to deal with is scenarios where you have a mix of ADAM and AD principals. Since it isn't easy to tell apart ADAM from AD principals except for possibly by naming convention, so it can be hard to know whether an app should do a simple or SASL bind for a given user in this use case. So, the advice from MS is good, but not easy to follow. Also, the feature is there to be used. Another thing is that to use features like Fast Concurrent Bind, you have to do simple bind. It isn't supported with SASL. BTW, does FCB work with bind proxies? I've never tried. Joe K. - Original Message - From: Tony Murray [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, September 28, 2006 9:27 PM Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password My impression from reading the on-line documentation is that the use of ADAM Proxy Objects and bind redirection is frowned upon anyway. Proxy users are designed for special circumstances and should only be used as a last resort, when Windows principals cannot be used directly. and ADAM bind redirection should be used only in special cases where an application can perform a simple LDAP bind to ADAM but the application still needs to associate the user with a security principal in Active Directory. From http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx?mfr=true Is there no way for the application to use the recommended alternative, i.e. where ADAM receives a SASL bind request and forwards the request to Active Directory? Tony -- Original Message -- From: Jef Kazimer [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org Date: Thu, 28 Sep 2006 21:17:39 -0500 Eric, The problem stems from lack of ability to modify the application to correct the behavior. If I had the ability to force this, I would simply require null/blank not to be passed to the ADAM server from the application. I've been at odds about the DCR myself, for all the reasons you mentioned. Yet, without the ability to control the applications, the only thing I can control is the directory itself. Without a mechanism to disable such behavior, I am without recourse unfortunately. So far, I've been able to avoid this problem, because the 2 apps I had this happen with, the developer was able to modify the authentication dialog. I have had other apps with other issuers, where modification was not possible. These did not suffer this poor design issue, but I wonder if I will get such an app eventually. I suppose I am just trying to solve a problem, I have not been forced to solve by this method, which means it cane wait. I could go into how it would be nice to have enterprise application minimum standards, and application owners involve infrastructure staff BEFORE an app is purchased, instead of after when it doesn't work, but I won't :) Jef - Original Message - From: Eric Fleischman [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, September 28, 2006 8:48 PM Subject: RE: [ActiveDir] ADAM bind Redirection with a NULL password One solution would be to ACL all objects such that SELF can read them, then have the app, after it has authenticated as the user, try and read something on the user itself. This way you know you are in fact that user (or someone else that has read access, which presumably won't work as anonymous). In terms of your DCR...could such a bit be put in? I guess. But DCRs that are filed with the intentional intent of going again an RFC typically have a rough time getting through even with a very strong business impact. And you have a workaround already in the app, and another solution I mentioned above. Just setting expectations... ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer Sent: Thursday, September 28, 2006 5:53 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] ADAM bind Redirection with a NULL password Since there has been talk of LDAP Authentication as of late, I figured I'd post my issue of poorly developed applications allowing a null password to an ADAM instance using Bind Redirection. http
Re: [ActiveDir] ADAM bind Redirection with a NULL password
Tony, I have a workshop next week with a vendor to discuss an extranet solution. Unfortunately, LDAP auth is not going to be possible, since there will be no communication across the firewall. I am steering them toward an ADFS solution, which I think will fit the bill better. The issue will be, that it will require a 3rd party middleware to make work, which I am not sure they will be thrilled about. Thanks for the thoughts on this. Glad to know I'm not the only one struggling with bad apps! ;) Jef - Original Message - From: Tony Murray [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, September 28, 2006 10:57 PM Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password Yes, I can see that Windows SASL binds might not be universally available ;-) Thinking about it, another problem with the SASL binds is that presumably the ADAM instance must be running on a server that is a member of the authenticating AD domain (or at least one that has a trust back to the authenticating domain). This would limit it's usefulness in extranet scenarios because of the ports that would have to be opened between ADAM and AD (assuming they are on opposite sides of a firewall). Tony -- Original Message -- From: Joe Kaplan [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org Date: Thu, 28 Sep 2006 22:12:34 -0500 The problem is that this happens a lot. There are simply tons of applications out there that don't use Windows SASL binds. It would be nice if it wasn't this way, but that's the reality of LDAP auth, especially with vendors that don't use Microsoft's LDAP libraries. I've got at least 6 of these at work right now. The other thing that is hard to deal with is scenarios where you have a mix of ADAM and AD principals. Since it isn't easy to tell apart ADAM from AD principals except for possibly by naming convention, so it can be hard to know whether an app should do a simple or SASL bind for a given user in this use case. So, the advice from MS is good, but not easy to follow. Also, the feature is there to be used. Another thing is that to use features like Fast Concurrent Bind, you have to do simple bind. It isn't supported with SASL. BTW, does FCB work with bind proxies? I've never tried. Joe K. - Original Message - From: Tony Murray [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, September 28, 2006 9:27 PM Subject: Re: [ActiveDir] ADAM bind Redirection with a NULL password My impression from reading the on-line documentation is that the use of ADAM Proxy Objects and bind redirection is frowned upon anyway. Proxy users are designed for special circumstances and should only be used as a last resort, when Windows principals cannot be used directly. and ADAM bind redirection should be used only in special cases where an application can perform a simple LDAP bind to ADAM but the application still needs to associate the user with a security principal in Active Directory. From http://technet2.microsoft.com/WindowsServer/en/library/7cfc8997-bab2-4770-aff2-be424fd03cda1033.mspx?mfr=true Is there no way for the application to use the recommended alternative, i.e. where ADAM receives a SASL bind request and forwards the request to Active Directory? Tony -- Original Message -- From: Jef Kazimer [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org Date: Thu, 28 Sep 2006 21:17:39 -0500 Eric, The problem stems from lack of ability to modify the application to correct the behavior. If I had the ability to force this, I would simply require null/blank not to be passed to the ADAM server from the application. I've been at odds about the DCR myself, for all the reasons you mentioned. Yet, without the ability to control the applications, the only thing I can control is the directory itself. Without a mechanism to disable such behavior, I am without recourse unfortunately. So far, I've been able to avoid this problem, because the 2 apps I had this happen with, the developer was able to modify the authentication dialog. I have had other apps with other issuers, where modification was not possible. These did not suffer this poor design issue, but I wonder if I will get such an app eventually. I suppose I am just trying to solve a problem, I have not been forced to solve by this method, which means it cane wait. I could go into how it would be nice to have enterprise application minimum standards, and application owners involve infrastructure staff BEFORE an app is purchased, instead of after when it doesn't work, but I won't :) Jef - Original Message - From: Eric Fleischman [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, September 28, 2006 8:48 PM Subject: RE: [ActiveDir] ADAM bind Redirection with a NULL password One solution would be to ACL all objects such that SELF can read them
RE: [ActiveDir] Password Change for 100% Remote User Workstations
Title: Message Gene, Take a look at your VPN connection. Are you logging into the workstation, opening a tunnel, and doing their work. OR Are you logging into the workstation, opening the tunnel, logging out, and logging back into the now connected workstation? If notthe user will not be flagged that their password is about to expire, and will end up being locked out. We had the same issue, and have solved it. Jef -Original Message-From: Molloy, Gene S. [mailto:[EMAIL PROTECTED]] Sent: Wednesday, July 17, 2002 10:37 PMTo: [EMAIL PROTECTED]Subject: Password Change for 100% Remote User Workstations We are having problems with users being able to change their passwords when they expire. The users having the problem are 100% remote. Very rarely do they connect to our private network. Most of the time they use VPN over a dial up connection. I am wondering how other people are dealing with this problem. I really do not want to set passwords to never expire. Any help would be greatly appreciated. Thanks, Gene Molloy
Re: [ActiveDir] Active Directory Mapping tool
Title: RE: [ActiveDir] Active Directory Mapping tool Mike, This was a wonderful Tool that was included in the Visio Network Pack for Visio 2000. I think they changed this for the latest version. I remember installing it and scratching my head where that import function was. Check the Visio website for more info before you do the same. :) Jef - Original Message - From: Celone, Mike To: '[EMAIL PROTECTED]' Sent: Thursday, February 13, 2003 1:20 PM Subject: RE: [ActiveDir] Active Directory Mapping tool I think you can do this with Visio. I know Microsoft had a small program that will do this for Exchange and import it all into a Visio file for you. Mike -Original Message- From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 13, 2003 1:02 PM To: '[EMAIL PROTECTED]' Greetings All, I am looking for a tool that would be able to query an AD forest and map out domain constructs, site constructs, DC's and DNS servers. Do any of you know of such a utility. Thanks in advanced Todd Myrick List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AD Upgrade with bad NetBIOS name
Title: Message Sorry I didnt realize you were doing an inplace upgrade of the domain. I was suggesting using a separate name space (thus a separate netbios name) for migration. Here is a Q article that suggest you might have to any way: Cannot Use Same NetBIOS Name When You Upgrade a Windows NT 4.0 Domain to a Windows 2000 Domain (288443) The information in this article applies to: Microsoft Windows 2000 Server SP1 Microsoft Windows 2000 Server SP2 Microsoft Windows 2000 Advanced Server SP1 Microsoft Windows 2000 Advanced Server SP2 Microsoft Windows NT Server 4.0 SP4 Microsoft Windows NT Server 4.0 SP5 Microsoft Windows NT Server 4.0 SP6 Microsoft Windows NT Server 4.0 SP6a This article was previously published under Q288443 SYMPTOMS When you upgrade a Windows NT 4.0 primary domain controller (PDC) to a Windows 2000 domain controller (DC) by using the same NetBIOS and DNS name, the Active Directory Wizard generates the following error message: The name domain name.com is already in use on this network. Type a name that is not in use. For example, this could occur if your Windows NT 4.0 domain name was testdomain.com and your Windows 2000 domain name was also testdomain.com. RESOLUTION Before you upgrade, change the NetBIOS name so that it is not the same as the Windows 2000 domain name. Also look at this article too: Cannot Alter Down-Level Domain Name During Upgrade from Windows NT 4.0 to Windows 2000 (240156) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: Thursday, June 26, 2003 3:26 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD Upgrade with bad NetBIOS name I think you misunderstand. The company's netbios name is company.com -- that's the NT4 domain is company.com. I'm concerned about doing an AD upgrade with a period in the netbios name. -Original Message- From: Jef Kazimer [mailto:[EMAIL PROTECTED] Sent: Thursday, June 26, 2003 3:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD Upgrade with bad NetBIOS name Why not just use an internal namespace? Ive done it at a few companies use corp.com publicly, and corp.net internally. The only issue is if you dont own corp.net and may in the future have to get to the external net. Company.int is available. J You can use company.com externally and company.int for your internal network. This would provide you a migration path and a separation of internal and external namespaces. Jef From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: Thursday, June 26, 2003 1:53 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD Upgrade with bad NetBIOS name Actually, that IS their real name. They are a dot com that has succeeded and is still around. -Original Message- From: Raymond McClinnis [mailto:[EMAIL PROTECTED] Sent: Thursday, June 26, 2003 2:34 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD Upgrade with bad NetBIOS name I dont know that its such a bad thing Most or all of the TechNet examples will be personalized for their environmentJ But Seriously, Id consider migrating to a domain that has their real name in it, if not entirely for esthetic reasons. But thats just me Thanks, Raymond McClinnis Network Administrator Provident Credit Union -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: Thursday, June 26, 2003 11:05 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] AD Upgrade with bad NetBIOS name I've just retained a client whose NT4 domain name is company.com -- yes, their netbios domain name. I'm seriously concerned about upgrading them to AD. Do I have any worries? I've never seen this one before, and it isn't covered in any of the whitepapers I've quickly perused. Thanks.
RE: [ActiveDir] Manual Replication - Any suggestions?
Thanks for the advice everyone! Unfortunately I just started at this company, and it seems this deicision was made before I got here. I'm trying to get background research done as to why this direction was chosen. I did come from a bigger environment where we made changes to the ISTG timing to avoid some of the issues which worked fine until we were able to consider 2003. Here, I'd rather push forward with the 2003 deployment instead of going manual. Jef No likey da Evil! Original Message: Return-Path: [EMAIL PROTECTED] Thu Sep 04 17:25:29 2003 Received: from mail.activedir.org [64.245.160.7] by mail16.crystaltech.com with SMTP; Thu, 04 Sep 2003 17:25:29 -0700 Received: from mallard.mail.pas.earthlink.net [207.217.120.48] by mail.activedir.org with ESMTP (SMTPD32-7.07) id A3F3EDE010C; Thu, 04 Sep 2003 19:00:03 -0400 Received: from dialup-67.72.217.187.dial1.detroit1.level3.net ([67.72.217.187] helo=mainpro) by mallard.mail.pas.earthlink.net with esmtp (Exim 3.33 #1) id 19v357-0001zi-00 for [EMAIL PROTECTED]; Thu, 04 Sep 2003 16:00:02 -0700 From: Joe [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Manual Replication - Any suggestions? Date: Thu, 4 Sep 2003 18:59:59 -0400 Message-ID: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4024 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 In-Reply-To: [EMAIL PROTECTED] Importance: Normal Precedence: bulk Sender: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Hmm that seems kind of small to turn off the KCC. I wouldn't do it myself. In fact we have about 500 sites defined, 375 DC's spread across them, and nine domains. Most of the sites have a DC from one of the five main domains though. If you have a hub and spoke topology and the site links are configured properly and you have site transitivity turned off you shouldn't have an issue. Manually generating your topology is an evil evil thing. Also where did the MS advice come from? Not trying to smash MS but there are only a few people from MS that I will listen to about AD right off. Mostly I make the person I am talking to prove what they are saying. Haven't found anyone in MCS yet with a really strong grasp, only decent. One main person in PSS - JD. Then of course you have the folks like Stuart Kwan and Dave Trulli. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer Sent: Thursday, September 04, 2003 10:51 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Manual Replication - Any suggestions? I'm currently working at a company where we have 115 international sites, and 3 domains. The KCC and ISTG are working sub-optimal, and it seems on MS's advice we are going to calculate a manual replication connection model. Anyone have any experience this, and have any gotcha's we should be expecting? Thanks, Jef List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Secedit Errors
Hello all, I am getting repeated secedit errors which seem to be due to a corrupted secedit.sdb file on the DCs. After using ESENTUTL to repair the DB, and group policy applies correctly. A day or so later, those that were repaired now have the same errors. Anyone have any idea where to halt this cycle? What am I missing? Source: Userenv Name: Unexpected Error applying group policy to machine account Description: The Group Policy client-side extension Security was passed flags (145) and returned a failure status code of (1208). There were originally some group policy errors, which were fixed. Policy applies correct as per the winlogon.log after it is fixed, but the problem returns. any help would be appreciated. Jef Kazimer
Re: [ActiveDir] Secedit Errors
Title: Message Darren, Ahhh...that is what 145 meant! I couldn't find a lookup on that one anywhere. I am seeing these come from maybe 30+ servers in a domain. I see a mix of error code #5 which was access denied (this was due to a mistake in a policy setting and is fixed) and then I see the 1208 errors which leads me to find the secedit.sdb file is corrupt and needs to be rebuilt.The "cannot write shadowed header" error would be seen, andan errorcode of "3" made me think this was the case. AV virus scan for I/O is set on the C:\winnt\security directory so I think the secedit.sdb file is being held open when GPO is applied and corrupting the DB. I confirmed with MS that this might be the case, and have informed our security group they need to change this. Yet even if I exclude that directory manually, this corruption and secedit/userenv errors keep coming back. Yes, after cleaning up group policy I had noticed they were not being applied on the boxes where I get these errors. After I fix the SDB they apply, but I will see the errors come back. Looking at the extendedDebugLevel winlogon.log GPO processing dies when the DB is said that it can't be open, and GPO never gets applied unless I fix the DB on that database. I am wondering if there is a central corruption in the template file somewhere..but I don't know how to "verify" a GPO for integrity. Thanks! Jef - Original Message - From: Darren Mar-Elia To: [EMAIL PROTECTED] Sent: Thursday, October 02, 2003 1:54 PM Subject: RE: [ActiveDir] Secedit Errors Jef- I don't know if it helps but the flags (145) thing means the following: Machine Policy is being applied as opposed to user policy This policy is being applied as a background refresh (rather than foreground) No changes were detected to the GPO during this processing cycle (so nothing was applied) The failure status code is just a Win32 error code, which in this case means, "An extended error has occurred."-- Not very helpful. Are you seeing other problems in terms of policy application other than these errors? How often do these errors occur? Darren -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Thursday, October 02, 2003 10:41 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Secedit ErrorsHello all, I am getting repeated secedit errors which seem to be due to a corrupted secedit.sdb file on the DCs. After using ESENTUTL to repair the DB, and group policy applies correctly. A day or so later, those that were repaired now have the same errors. Anyone have any idea where to halt this cycle? What am I missing? Source: UserenvName: Unexpected Error applying group policy to machine accountDescription: The Group Policy client-side extension Security was passed flags (145) and returned a failure status code of (1208). There were originally some group policy errors, which were fixed. Policy applies correct as per the winlogon.log after it is fixed, but the problem returns. any help would be appreciated. Jef Kazimer
[ActiveDir] FRS 2k - What is the Latest version?
Hi all, I'm using Ultrasound to diagnose some Replication problems. One thing I am trying to do is bring FRS up to date on all the DCs. What is the msot current release version of FRS? The latest I am reporting is May-07-2003, but I know where is newer. If I am going to upgrade them, I want to make sure I have the latest. Thank you, Jef List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] FRS 2k - What is the Latest version?
The RPC connection errors of the UPSTREAM partner not replication to Sysvol. If on a rebuild or D2, the new DC (downstream) sits there. We know the May 07's fixes this, but if I am going to move forward with an upgrade, I want to fix other issues as well. We've seen the Sharing violation issue as well, and the incomplete Sysvol. It's showing up on our international infrastructure more, and it maybe related to slow links in remote sites as well. J Original Message: From: Travis Riddle [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FRS 2k - What is the Latest version? Date: Mon, 3 Nov 2003 11:08:15 -0700 From what I have read, 07-May-03 is the latest FRS release, its included with SP4 ( http://support.microsoft.com/?id=811370 ) I don't think you can upgrade FRS beyond this without contacting MS with a need to do so (if they even have anything newer at all) What kind of replication problems are you experiencing? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer Sent: Monday, November 03, 2003 10:12 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] FRS 2k - What is the Latest version? Hi all, I'm using Ultrasound to diagnose some Replication problems. One thing I am trying to do is bring FRS up to date on all the DCs. What is the msot current release version of FRS? The latest I am reporting is May-07-2003, but I know where is newer. If I am going to upgrade them, I want to make sure I have the latest. Thank you, Jef List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
re: [ActiveDir] vbscript output to html
Rich, I just create a file object, and output Text with HTML code to it to format the HTM file for making web based report. Since HTML is just text anyway you can programatically format it. Here is just a snippet for example: '[Create ASP log file] Set WshShell = WScript.CreateObject(WScript.Shell) Set fso = WScript.CreateObject(Scripting.FileSystemObject) set asplog = fso.OpenTextFile(log\autounlock.asp,8,true) asplog.Writeline(HR) asplog.writeline(centertable border='1' padding='2' align='center') asplog.writeline(tr) asplog.Writeline(td align='center' colspan=4Font color=Blue size=3[ /fontFont color=Red size=3NOW/fontFont color=Blue size=3 ]/Font/td) asplog.writeline(/tr) asplog.writeline(tr) asplog.Writeline(td colspan='4' align='center'HR/td) asplog.writeline(/tr) '[End Create ASP Log File] Original Message: From: Rich Milburn [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [ActiveDir] vbscript output to html Date: Mon, 3 Nov 2003 13:28:11 -0600 While scripting seems to be a good topic today, perhaps I'll throw this one out there: Does anyone know a q'n'd way to output vbscript results to html? We're trying to get users to change passwords till the average age comes down, and while I have some good tools (courtesy of joeware.net) that will show me the info I need, it would be nice if I could keep this running and put a page up for managers to see how the progress is going Hmm I might this to a csv file or something for graphs... any ideas? (PS yes I am doing research on my own, but my first exposure to vbscript was last Thursday - I managed to avoid it for 10+ years of Windows but I guess it's finally caught up with me! :-) ) Rich ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
re: [ActiveDir] Forcing Replication from a Source DC
Well, this is more of a blanket suggestion, than a solution to your problem. After coming to find many tasks that remote admins should be able to do, but that I don't want to give them rights to do, I tend to try and centralize tools. I've created ASP driven admin portal which is nothing more than VB scripts to do the processes. The Remote admins are given access permission to the portal for their specific tasks, but the actual processing of the tasks is done with a service account with the privs, and not the user. So they can kick off the tasks, see the results, but not ever have the permissions themselves. I built in a logging interface, so I can tell when an admin did such a thing, which is much easier than parsing other logs. Replicate the site/DB around the world, and it's proven to be a very good source. I can fix add tools as needed, and not worry about older versions still floating around. I know that's not really going to help you, but with a little scripting experience, you might be able to create a front end utilizing replmon for the same thing. Jef Original Message: From: FDiskThePC [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [ActiveDir] Forcing Replication from a Source DC Date: Tue, 4 Nov 2003 09:36:02 -0800 (PST) Okay, guys, I've done quite a bit of research here, but I need some help. I don't know about you guys, but I find it frustrating that AD has been out for over three years and so much of this stuff is still undocumented! Argh! First problem was delegating the right for remote admins to synchronize the domain. For those out there that may still be searching, you need to delegate the Replication Synchronization right to your Domain Naming Context (NC) and any other NC's (Schema, Config, etc.) that you may have. Note that if you do not delegate this right to every NC, AD Sites Services will still fail because a Replicate Now tries to sync every NC behind the scenes - there is no way with this tool to sync a particular NC. Note that ADSIEdit will probably be needed to make the delegation. Okay, second problem that I still need an answer to. I need a way to force replication from one source DC to all my other DC's. Ah! Use replmon you say choosing Push Mode and Cross Site Boundaries. That works great, actually, but not for my remote admins. Come to find out, replmon doesn't work unless the remote admin is also given the Replicating Directory Changes and Manage Replication Topology permission. And I am not about to do that. I've also looked at repadmin. It appears that some changes have been made to this command in W2K3, but I'd like to do this in a W2K setting. Unfortunately, the W2K tool requires that you use actual GUIDS, but the more important thing is that I can't figure out how to push changes rather than pull! I did come across one undocumented switch with repadmin. Using repadmin /p /e /d server1.company.com forces server1 to pull any and all changes from every other server (transitively). Any advice on how to best take one DC's changes and push them out to all other DC's would be GREATLY appreciated. Sounds like a script to me. Thanks. -Rick Dayton __ Do you Yahoo!? Protect your identity with Yahoo! Mail AddressGuard http://antispam.yahoo.com/whatsnewfree List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] DHCP - DNS - DnsUpdateProxy Group
When specifying DHCP servers in the DnsUpdateProxy, should the ACL For the record show the machine account (DHCPSERV1$) or should it show (DNSUPDATEPROXY)? I'm looking at some Zones, and I see that the DHCP server as having FullControl, and the owner as SYSTEM. Would a 2nd DHCP server in the DNSUPDATEPROXY group be able to update the record? Also, I am in the middle of scripting converting Reverse zones from a Class B to a more granular Class C scheme. We need to turn on scavenging on only specific zones, and not other to avoid missing records. If I export and re-import these records, my account shows up on the ACL, and the owner of SYSTEM. I am going to assume that the DHCP nor a w2k client can not update these records. Is there a way to import records and retain the DNSUpdateProxy ACL even though it is a system group? Any suggestions? I fear these PTR records would not be able to the refreshed until after they are scavenged Jef List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group
Guido, Thanks for the Response. Since DNS is running AD integrated on the DCS, and runs under the System context, they don't need to be added to this group,correct? I think you meant that Stand alone DNS servers would need to be added to this group to facilitate updates,correct? Since coming to this site, I'm wondering why they have the DCs in the DnsUpdateProxy Group, as well as the the DHCP servers. Apparently it was an MS recommendation, but I can't find a reason in my head why this would be required. This would cause that insecurity issue, I'd imagine. Am I missing something? Also, I see the records have Authenticated Users on the ACL as SPECIAL, but no properties/rights are checked. This is the result that the Proxygroup creates, correct? So if I need to re-acl those records, this is the correct ACL? THanks, I appreciate the help. I've setup the proxy group before, but never went into great detail trying to figure out someone elses design choices, so I'm learning more about it as I go. This is 2k, and not 2k3 yet, as I would like to use the service account for DHCP when we can for these reasons. Jef Original Message: From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group Date: Wed, 5 Nov 2003 19:13:07 +0100 When you add servers to the DNSUpdateProxy group, it basically REMOVES any security of the objects by granting Authenticated Users Full Control to the DNS record = this is what allows other DNS servers (or whoever is added to the DnsUpdateProxy group) to overwrite these records. As such you should NEVER add DCs to this group (even when hosting your DHCP service on a DC) - otherwise you'll compromise security in your domain. If you want this same insecurity for your imported records, you could also grant these permissions or simply add your user account to the DnsUpdateProxy group. Instead - if you are running 2003 - you should configure you DHCP service to register records with a specific account. This way the records are still secured against changes from all Authenticated Users - only DHCP servers configured to use the same account can update the records. It's not as simple as running the service under an account, but it's some option of the DHCP service - I'd have to look it up, but I'm sure others will fill in the details. /Guido -Original Message- From: Jef Kazimer [mailto:[EMAIL PROTECTED] Sent: Mittwoch, 5. November 2003 17:29 To: [EMAIL PROTECTED] Subject: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group When specifying DHCP servers in the DnsUpdateProxy, should the ACL For the record show the machine account (DHCPSERV1$) or should it show (DNSUPDATEPROXY)? I'm looking at some Zones, and I see that the DHCP server as having FullControl, and the owner as SYSTEM. Would a 2nd DHCP server in the DNSUPDATEPROXY group be able to update the record? Also, I am in the middle of scripting converting Reverse zones from a Class B to a more granular Class C scheme. We need to turn on scavenging on only specific zones, and not other to avoid missing records. If I export and re-import these records, my account shows up on the ACL, and the owner of SYSTEM. I am going to assume that the DHCP nor a w2k client can not update these records. Is there a way to import records and retain the DNSUpdateProxy ACL even though it is a system group? Any suggestions? I fear these PTR records would not be able to the refreshed until after they are scavenged Jef List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group
Guido, I know my description is not doiong justice to what I am seeing. :) The ACL has an ACE for Everyone, Authenticated users, DnsADmins, etc it lists Authenticated Users as Special and when you look at the properties, it shows the Read All Properties and Write AlL properties, but NONE of the Allow/Deny boxes are checked. So I'm curious what access this actually means. I hope that makes more sense, but I can give you a screen shot. :) J Original Message: From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group Date: Wed, 5 Nov 2003 22:15:07 +0100 look at the ACL with ADSIedit - it should not be empty. Is there an Everyone ACL? -Original Message- From: Jef Kazimer [mailto:[EMAIL PROTECTED] Sent: Mittwoch, 5. November 2003 22:07 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group Guido, Thanks. I would agree with you, but being a new person on this site, I'm looking to get my facts straight before I bring it up. The Records show the Authenticated users, with NOTHING set, which is kind of odd to me. I am glad you understand what I am getting at here, as I thought I was misunderstanding how this should work. Jef Original Message: From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group Date: Wed, 5 Nov 2003 21:48:13 +0100 Yes, you DON'T want your DCs to be added to the DNSupdateProxy group, even if they run DHCP services. Only Stand alone (i.e. normal member servers) should be added to the group. I would sincerely suggest that you remove your DCs from the group as you're currently rather unprotected = you could just as well have configured dynamic DNS without the allow only secure updates option... as any client/user can easily erase or hijack the DC host-records potentially causing a full outage of your domain/forest. It might have been an MS recommendation 4 years ago, when they didn't know the product themselves - but you'll not hear that recommedation today. Have a look what permissions Authenticated Users have in Advanced View - may not be Full Control afterall, but at least write access to most of the attributes of the record. -Original Message- From: Jef Kazimer [mailto:[EMAIL PROTECTED] Sent: Mittwoch, 5. November 2003 20:15 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group Guido, Thanks for the Response. Since DNS is running AD integrated on the DCS, and runs under the System context, they don't need to be added to this group,correct? I think you meant that Stand alone DNS servers would need to be added to this group to facilitate updates,correct? Since coming to this site, I'm wondering why they have the DCs in the DnsUpdateProxy Group, as well as the the DHCP servers. Apparently it was an MS recommendation, but I can't find a reason in my head why this would be required. This would cause that insecurity issue, I'd imagine. Am I missing something? Also, I see the records have Authenticated Users on the ACL as SPECIAL, but no properties/rights are checked. This is the result that the Proxygroup creates, correct? So if I need to re-acl those records, this is the correct ACL? THanks, I appreciate the help. I've setup the proxy group before, but never went into great detail trying to figure out someone elses design choices, so I'm learning more about it as I go. This is 2k, and not 2k3 yet, as I would like to use the service account for DHCP when we can for these reasons. Jef Original Message: From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group Date: Wed, 5 Nov 2003 19:13:07 +0100 When you add servers to the DNSUpdateProxy group, it basically REMOVES any security of the objects by granting Authenticated Users Full Control to the DNS record = this is what allows other DNS servers (or whoever is added to the DnsUpdateProxy group) to overwrite these records. As such you should NEVER add DCs to this group (even when hosting your DHCP service on a DC) - otherwise you'll compromise security in your domain. If you want this same insecurity for your imported records, you could also grant these permissions or simply add your user account to the DnsUpdateProxy group. Instead - if you are running 2003 - you should configure you DHCP service to register records with a specific account. This way the records are still secured against changes from all Authenticated Users - only DHCP servers configured to use the same account can update the records. It's not as simple as running the service under an account, but it's some option of the DHCP service - I'd have to look it up, but I'm sure others will fill in the details. /Guido -Original Message- From: Jef Kazimer [mailto:[EMAIL PROTECTED] Sent: Mittwoch, 5
RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group
I did look at it with both the DNS MMC, and then went into ADSI Edit as you suggested. They have the same empty boxes. Weirdness I tell you! Weirdness!!! Original Message: From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group Date: Wed, 5 Nov 2003 22:38:17 +0100 it does makes sense, as you've probably got a permission set that's filtered from the UI (via the dssec.dat file in you sytems32 folder...) - that's why you should look at it via ADSIedit, which doesn't filter any permissions in the UI. I don't have anything to test around here right now so I can't compare what the ACL should be. -Original Message- From: Jef Kazimer [mailto:[EMAIL PROTECTED] Sent: Mittwoch, 5. November 2003 22:29 To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group Guido, I know my description is not doiong justice to what I am seeing. :) The ACL has an ACE for Everyone, Authenticated users, DnsADmins, etc it lists Authenticated Users as Special and when you look at the properties, it shows the Read All Properties and Write AlL properties, but NONE of the Allow/Deny boxes are checked. So I'm curious what access this actually means. I hope that makes more sense, but I can give you a screen shot. :) J Original Message: From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group Date: Wed, 5 Nov 2003 22:15:07 +0100 look at the ACL with ADSIedit - it should not be empty. Is there an Everyone ACL? -Original Message- From: Jef Kazimer [mailto:[EMAIL PROTECTED] Sent: Mittwoch, 5. November 2003 22:07 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group Guido, Thanks. I would agree with you, but being a new person on this site, I'm looking to get my facts straight before I bring it up. The Records show the Authenticated users, with NOTHING set, which is kind of odd to me. I am glad you understand what I am getting at here, as I thought I was misunderstanding how this should work. Jef Original Message: From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group Date: Wed, 5 Nov 2003 21:48:13 +0100 Yes, you DON'T want your DCs to be added to the DNSupdateProxy group, even if they run DHCP services. Only Stand alone (i.e. normal member servers) should be added to the group. I would sincerely suggest that you remove your DCs from the group as you're currently rather unprotected = you could just as well have configured dynamic DNS without the allow only secure updates option... as any client/user can easily erase or hijack the DC host-records potentially causing a full outage of your domain/forest. It might have been an MS recommendation 4 years ago, when they didn't know the product themselves - but you'll not hear that recommedation today. Have a look what permissions Authenticated Users have in Advanced View - may not be Full Control afterall, but at least write access to most of the attributes of the record. -Original Message- From: Jef Kazimer [mailto:[EMAIL PROTECTED] Sent: Mittwoch, 5. November 2003 20:15 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group Guido, Thanks for the Response. Since DNS is running AD integrated on the DCS, and runs under the System context, they don't need to be added to this group,correct? I think you meant that Stand alone DNS servers would need to be added to this group to facilitate updates,correct? Since coming to this site, I'm wondering why they have the DCs in the DnsUpdateProxy Group, as well as the the DHCP servers. Apparently it was an MS recommendation, but I can't find a reason in my head why this would be required. This would cause that insecurity issue, I'd imagine. Am I missing something? Also, I see the records have Authenticated Users on the ACL as SPECIAL, but no properties/rights are checked. This is the result that the Proxygroup creates, correct? So if I need to re-acl those records, this is the correct ACL? THanks, I appreciate the help. I've setup the proxy group before, but never went into great detail trying to figure out someone elses design choices, so I'm learning more about it as I go. This is 2k, and not 2k3 yet, as I would like to use the service account for DHCP when we can for these reasons. Jef Original Message: From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP - DNS - DnsUpdateProxy Group Date: Wed, 5 Nov 2003 19:13:07 +0100 When you add servers to the DNSUpdateProxy group, it basically REMOVES any security of the objects by granting Authenticated Users Full Control to the DNS record = this is what allows other DNS servers (or whoever is added to the DnsUpdateProxy group
RE: [ActiveDir] Bindview and ADMT
I would second that about making sure the users are logged off. The earlier betas of 2.0 really flaked out on that, so make sure you did use the 2.0 release. We've had issues with RPC timeouts and not finding PCs on the net, but we think it's related to a global networking layout. When migrating stations, we have pre-test which verifies their on the network, wakes any machines or laptops out of sleep mode, and does a Force Logoff and Reboot of the boxes we want. Since doing that, our migration % haave increased greatly. jef Original Message: From: Coleman, Hunter [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject: RE: [ActiveDir] Bindview and ADMT Date: Fri, 7 Nov 2003 11:11:31 -0700 Can't speak to Bindview, but for your listed problems: 1-All migrated accounts, accessing all resources in the source domain show the problem? Can you verify with ADSIEdit that the SIDHistory attribute is populated on the migrated accounts? 2-We occasionally ran into profile migration problems, but it was a low percentage. You definitely want the user to be logged off, and you will increase your chances of success if you reboot the macine prior to the migration and don't login until after it automatically reboots post-migration. This insures that the ntuser.dat files aren't held by processes preventing the migration agent from acting. _ From: Ellis, Debbie [mailto:[EMAIL PROTECTED] Sent: Friday, November 07, 2003 10:19 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Bindview and ADMT Have any of your guys used the Bindview Migration tool? We have been testing the newest ADMT but have run into several problems that are listed below. Have any of you had similar problems? 1. If a member of the domain admin or domain user group is migrated, there are problems with accessing the resources in the source domain. SIDhistory was migrated and instructions from ADMT were followed. 2. There are problems migrating the local profiles on the user's desktops. It shows they were migrated over and no error message in the log files, but they were not migrated. We have tried with the user logged off and logged on. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Bindview and ADMT
Ted, Sure, I'll clean it up and post it here. Do you want it as a Text, or as an attachment. It's nothing crazy.but it certainly helped. It takes a list of Computers and then Does an NBTSTAT check Does a Ping Test If Online then Checks to see if the RPC service is running Uses RPC ping to verify it's accepting RPC calls And connects to the box using WMI, and pulls the Machine name and verifies it the name expect (in case the WINS/DNS entries were old and another box is responding to PING) Then spits out a CSV of all the tests, and a list of GOOD and BAD PCs. You need RPCPING and the script. RPCping came from the Win2k3 resource kit. Jef Original Message: From: Strand, Ted [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject: RE: [ActiveDir] Bindview and ADMT Date: Fri, 7 Nov 2003 14:11:31 -0500 Jef, Can you share the pre-test code? -Ted- -Original Message- From: Jef Kazimer [mailto:[EMAIL PROTECTED] Sent: Friday, November 07, 2003 1:50 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [ActiveDir] Bindview and ADMT I would second that about making sure the users are logged off. The earlier betas of 2.0 really flaked out on that, so make sure you did use the 2.0 release. We've had issues with RPC timeouts and not finding PCs on the net, but we think it's related to a global networking layout. When migrating stations, we have pre-test which verifies their on the network, wakes any machines or laptops out of sleep mode, and does a Force Logoff and Reboot of the boxes we want. Since doing that, our migration % haave increased greatly. jef Original Message: From: Coleman, Hunter [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject: RE: [ActiveDir] Bindview and ADMT Date: Fri, 7 Nov 2003 11:11:31 -0700 Can't speak to Bindview, but for your listed problems: 1-All migrated accounts, accessing all resources in the source domain show the problem? Can you verify with ADSIEdit that the SIDHistory attribute is populated on the migrated accounts? 2-We occasionally ran into profile migration problems, but it was a low percentage. You definitely want the user to be logged off, and you will increase your chances of success if you reboot the macine prior to the migration and don't login until after it automatically reboots post-migration. This insures that the ntuser.dat files aren't held by processes preventing the migration agent from acting. _ From: Ellis, Debbie [mailto:[EMAIL PROTECTED] Sent: Friday, November 07, 2003 10:19 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Bindview and ADMT Have any of your guys used the Bindview Migration tool? We have been testing the newest ADMT but have run into several problems that are listed below. Have any of you had similar problems? 1.If a member of the domain admin or domain user group is migrated, there are problems with accessing the resources in the source domain. SIDhistory was migrated and instructions from ADMT were followed. 2.There are problems migrating the local profiles on the user's desktops. It shows they were migrated over and no error message in the log files, but they were not migrated. We have tried with the user logged off and logged on. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
re: [ActiveDir] User Profile
It's that Mysterious error they talk about in the ADMT 2.0 docs, that they say is unknown cause of it. Do a shutdown and reboot of your workstations before you migrate them, and it solves this problem. I meant to send out verification and reboot scripts this week since someone asked this earlier, but I forgot I am in training this week. Send me a noten ext week, and maybe it can be of help. J Original Message: From: Ellis, Debbie [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject: [ActiveDir] User Profile Date: Wed, 12 Nov 2003 14:30:39 -0500 Does anyone know of a process or service that locks a user profile even when logged off? We are trying to migrate local profiles using ADMT and are receiving an error message that the profile is in use. We have even tried rebooting the pc and not logging on and still receive the same error message. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
re: [ActiveDir] dns aging with 01/7/1601
Have you done the Age All Records (DNSCMD /AgeAllrecords command) Records with TS before Scavenging was turned on at the server/domain level will not be scavenged, so you need to AgeAllRecords after enabling scavenging. It will inherit the scavengeing attributes from the zone itself. your new timestamp will be that of when you ran the command, and if it is not refreshed between then and scavenging date, it will be cleaned up. Make sure you remove the Age this record check box thingy (I forgot the syntax) on the record for any static records you don't want to disapear. Jef Original Message: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [ActiveDir] dns aging with 01/7/1601 Date: Wed, 12 Nov 2003 14:35:22 -0600 Hi, I am tryign to resolve the dns aging timestamp 01/7/1601 --. Can any one explain why I am still seeing the 01/7/1601 timestamp at the aging property after I have already enabled the aging/scavenging feature at our dns server , forward zones and some selective ( want to see the impact first before the full implementations) reverse lookup zones? This is a win2k sp4 active directory domain but the dns server is not integrated with active directory . Would this even matter? The dns server is win2k with sp4 and it allows dynamic udpates from win2k clients. I need to clean up the PTR because many stale ptr records exist at many zones. Any help is welcome. Thank you. Sandy Email:[EMAIL PROTECTED] List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
re: [ActiveDir] dns aging with 01/7/1601
Sandy, Sorry for no Reply... The Scavenge date will be on the Zone properties. The TS on the record tells the zone that the record is availiable to be scavenged. So if the Scavenge date on the record is greater than the date for the zone, it will be scavenged. So If the Scavenge date on the zone is 11-14-2003, it will be availiable to be scavenged on that date/time. Then when scavenging is done, it looks at the records, and it's time stamps. If your TTL is 7 days, and it finds a record that has not been updated/refreshed in GREATER than 7 days, it will be scavenged. For scavenging to take place, The Server, Zone, and Record must have scavenging turned on. Records without a Timestamp will be ignored during scavenging. And scavenging will NOT scavenge records with Timestamps older than when Scavenging was turned on for the zone. This is why you need to age all records after turning it on. So the Scavenge date for the zone is 11-14-2003. your scavenging date is 7/7. you run the age all records for the zone command, and it adds the timestamp of 11-13-2003. On 11-14-2003 no records will be scavenged since the records timestamp is only 1 day old. But when it scavenges in 7 days from now on the 11-21-2003, If a record has not been refreshed with a newer timestamp than 11-13-2003, all those records will be scavenged on 11-21 since the 7/7 period is set. If a record has a newer timestamp (11-17-2003..) it will remain, or if it has no timestamp it will remain. You can use DNSCMD to export all the records if you need too. Or use the DNSRESOURCE.VBS to export it as well. If you reload the records make sure you are part of the DNSUPDATEPROXY group so that DHCP/users can update (refresh the timestamp) the records otherwise they will be scavenged during the next period. J Original Message: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: re: [ActiveDir] dns aging with 01/7/1601 Date: Thu, 13 Nov 2003 11:03:18 -0600 Ok, I have now run the dnscmd /ageallrecords in one reverse lookup zone. With this command , I see the time stamp on each record under this zone has been changed to today's date. But my question is still not answered. The Timestamp for the zone ( at zone aging/scavengign property page) is till 01/7/1601. According to MS, I am supposed to see the next scavenging date from this page so I can have an idea about when to happen. Anyone out there has done this dns aging/scavenging before ? I would really appreciate your thoughts. Thanks. Sandy +-+ Sandy Wu/section13/lado td/us To [EMAIL PROTECTED] 11/13/2003 07:18 cc AM Subject re: [ActiveDir] dns aging with 01/7/1601(Document link: Sandy Wu) Jef, Thank you very much for your reply. Your thought is really pointing me to a closer track now. Nope, I have not done ageallrecords. If I am reading you right, it sounds like in addition to turn on the aging/scavenging at dns level, zone level , I also need to do ageallrecords to take care the pre-existing records. Also the timestamp ( at zone aging/scavengign property page) will not reflect the current date if ageallrecords step is missing. Is this correct ? I will need to back up my DNS first , before making any changes. Please advise if I am mis-interpreting anything. Thanks Sandy +-+ Jef Kazimer [EMAIL PROTECTED] Sent by: To [EMAIL PROTECTED] [EMAIL PROTECTED], ail.activedir.org [EMAIL PROTECTED
re: [ActiveDir] dns aging with 01/7/1601
Sandy, I just re-read thatit's the ZONE that doesn't have a TS on it,eh? Hmmyou could try changing the Server scavenging period, then changing it back. This is an Integrated zone or a stand-a-lone? I'm curious about it's details. would you mind posting a ZoneInfo output for that zone? C:\classdnscmd tunis /zoneinfo 2.168.192.in-addr.arpa Zone query result: Zone info: ptr = 00083050 zone name = 2.168.192.in-addr.arpa zone type = 1 update= 2 DS integrated = 1 data file = (null) using WINS= 0 using Nbstat = 0 aging = 1 refresh interval= 168 no refresh = 168 scavenge available = 3531621 Zone Masters NULL IP Array. Zone Secondaries NULL IP Array. secure secs = 3 directory partition = AD-Legacy flags 0012 zone DN = DC=2.168.192.in-addr.arpa,cn=MicrosoftDNS,cn=Sys tem,DC=nwtraders,DC=msft Command completed successfully. Original Message: From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: re: [ActiveDir] dns aging with 01/7/1601 Date: Thu, 13 Nov 2003 11:03:18 -0600 Ok, I have now run the dnscmd /ageallrecords in one reverse lookup zone. With this command , I see the time stamp on each record under this zone has been changed to today's date. But my question is still not answered. The Timestamp for the zone ( at zone aging/scavengign property page) is till 01/7/1601. According to MS, I am supposed to see the next scavenging date from this page so I can have an idea about when to happen. Anyone out there has done this dns aging/scavenging before ? I would really appreciate your thoughts. Thanks. Sandy +-+ Sandy Wu/section13/lado td/us To [EMAIL PROTECTED] 11/13/2003 07:18 cc AM Subject re: [ActiveDir] dns aging with 01/7/1601(Document link: Sandy Wu) Jef, Thank you very much for your reply. Your thought is really pointing me to a closer track now. Nope, I have not done ageallrecords. If I am reading you right, it sounds like in addition to turn on the aging/scavenging at dns level, zone level , I also need to do ageallrecords to take care the pre-existing records. Also the timestamp ( at zone aging/scavengign property page) will not reflect the current date if ageallrecords step is missing. Is this correct ? I will need to back up my DNS first , before making any changes. Please advise if I am mis-interpreting anything. Thanks Sandy +-+ Jef Kazimer [EMAIL PROTECTED] Sent by: To [EMAIL PROTECTED] [EMAIL PROTECTED], ail.activedir.org [EMAIL PROTECTED] cc 11/12/2003 03:18 Subject PMre: [ActiveDir] dns aging with 01/7/1601 Please respond to [EMAIL PROTECTED] tivedir.org
re: [ActiveDir] cleanup AD connections after move server to different site
Cindy, Verify the Subnet data is replicated, and then trigger the KCC (repadmin /kcc server or in Replmon) you can just delete the connection that was created by the KCC, and whe nti rusn again it will add them if needed. If you moved it to a new site, and you created the proper site-link, it wll need a connection to the other site BTw. Jef Original Message: From: Rittenhouse, Cindy [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [ActiveDir] cleanup AD connections after move server to different site Date: Thu, 13 Nov 2003 15:50:01 -0500 A computer consultant in a remote dept decided to promote his member server to a DC without telling anyone in advance. Since the dept was part of the default first site, that is where the DC was placed. Not good. Users started authenticating across the WAN. I created a site for that dept, linked the subnet, and moved the server. All seems to be well, but the original Active Directory RPC connections to the other servers in the first site are still listed under the server NTDS settings. I'm having difficulty finding documentation on how to clean up or remove these settings. Can someone point me in the right direction. Thanks Cynthia Rittenhouse MCSE,CCNA LAN Administrator County of Lancaster Lancaster, PA 17602 Phone: (717)293-7274 List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
re: [ActiveDir] Directory Services Restore Password
HmmI think the setpwd was a hack they threw together to address the issue quickly. You'll now found this ability to reset the password in the ntdsutil command on win2003. the setpwd doesn't exist in 2003 either. I am not running SP4, but if you are, you might want to check ntdsutil to see if that option was added to it. It was on the main menu, and I believe it was reset DSRM password was the command. just a thought... Jef Original Message: From: Rocky Habeeb [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [ActiveDir] Directory Services Restore Password Date: Fri, 14 Nov 2003 11:47:48 -0500 Good People Of The List, Please consider answering the following question if you have the time and inclination: You've lost control of your Directory Services Restore Password, however, not to worry, because everything is up and healthy. So you go to the DC and log on, switch to %SystemRoot%\System32 and run setpwd. The system says Put in the new password. However, unlike most other password entry procedures, the system does not echo anything, even asterisks and it does not ask you to confirm the password. Is there a method, or tool that you can run to query the DC after the fact to confirm the password, where it says OK, what is it? Yes that's correct. Thanx in advance for anything you can offer. - Rocky Habeeb Microsoft Systems Administrator - James W. Sewall Company Old Town, Maine - 207.827.4456 habr @ jws.com www.jws.com - List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Directory Services Restore Password
Rocky, That was my question too. :) I know it does not work with W2k SP3, but since I don't have an SP4 box handy, I can't check if this option is now in NTDSUTIL. Does anyone here who has an SP4 box handy mind checking out if you can reset the DSRM password in NTDSUTIL, or if it's only in W2k3. Jef Original Message: From: Rocky Habeeb [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Directory Services Restore Password Date: Fri, 14 Nov 2003 12:46:43 -0500 Yikes. I forgot to mention, I'm talking W2K not W2K3. Do you know if that will work in W2K? Thanks for responding. RH _ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jef Kazimer Sent: Friday, November 14, 2003 12:11 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: re: [ActiveDir] Directory Services Restore Password HmmI think the setpwd was a hack they threw together to address the issue quickly. You'll now found this ability to reset the password in the ntdsutil command on win2003. the setpwd doesn't exist in 2003 either. I am not running SP4, but if you are, you might want to check ntdsutil to see if that option was added to it. It was on the main menu, and I believe it was reset DSRM password was the command. just a thought... Jef Original Message: From: Rocky Habeeb [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [ActiveDir] Directory Services Restore Password Date: Fri, 14 Nov 2003 11:47:48 -0500 Good People Of The List, Please consider answering the following question if you have the time and inclination: You've lost control of your Directory Services Restore Password, however, not to worry, because everything is up and healthy. So you go to the DC and log on, switch to %SystemRoot%\System32 and run setpwd. The system says Put in the new password. However, unlike most other password entry procedures, the system does not echo anything, even asterisks and it does not ask you to confirm the password. Is there a method, or tool that you can run to query the DC after the fact to confirm the password, where it says OK, what is it? Yes that's correct. Thanx in advance for anything you can offer. - Rocky Habeeb Microsoft Systems Administrator - James W. Sewall Company Old Town, Maine - 207.827.4456 habr @ jws.com www.jws.com - List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
re: [ActiveDir] Sun Formatted Zone Files: Can DNSDump Help?
I'm currently using the DNSresource.vbs to dump zones to a text file, then I use another VBS I wrote to parse the text file, and re-import the Reverse zones. The syntax I am using is: DnsResource /LIST PTR %2.%1.10.in-addr.arpa /S SERVER /O zone\%2-%1-10.dns %1 and %2 are the B and C octets since I just run it from a command line batch file. The output creates an entry for each record like this: Record Name : 101.176.251.10.in-addr.arpa Host Name : gprdapm998624.northamerica.intra.company.com. DNS Server : abtapdcn02.northamerica.intra.company.com Zone: 176.251.10.in-addr.arpa Domain : 176.251.10.in-addr.arpa TTL : 900 If your output comes like this, I can give you the VBS to reimport them, but I don't know if DnsResource.vbs works on unix. If you can send me the output of a DIG dump I can rewrite the syntax for yout oo. J Original Message: From: Jordan, Jason [EPM/AUS] [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject: [ActiveDir] Sun Formatted Zone Files: Can DNSDump Help? Date: Fri, 14 Nov 2003 11:49:33 -0600 I have a challenge for the group. I'm sure that someone else out there has seen this same issue. We are migrating from an NT 4.0 domain and Sun DNS to Windows Server 2003 Active Directory and DNS. The Sun admins gave us a text file of the DNS zones, and we were able to successfully import the forward lookup zones to Windows 2003. However, the reverse lookup zone import fails with the error 0xc011d501. My research into this error leads me to believe that the problem is with the formatting of the text file but I have been unable to find an example of what a properly formatted DNS zone text file should look like. So here is my question. Will the DNSDump utility referenced in this message, http://www.mail-archive.com/[EMAIL PROTECTED]/msg09084.html http://www.mail-archive.com/[EMAIL PROTECTED]/msg09084.html , help us to import reverse lookup zones from the Sun formatted text files? Is there a specification for what a properly formatted DNS zone text file should look like, and if so, where can I find it? Please let me know if I left out any pertinent information. Thanks in advance for all of your help. jasonjordan MCSE, MCP+I, MCP Sr. SQL DBA/Windows Network Administrator Emerson Process Management, Process Systems Division, Austin Data Center (512) 832-3191 List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] FRS and Ultrasound
Sooo... I've finally deployed the latest FRS version (june 2003) and already I am seeing things clean up nicely! Only problem has been with Ultrasound (I LOVE free tools like these!) that once the provider is deployed, I can't get data and the provider gives these errors: Recording NtFrs Performance Counters Failed to add FRS perfcounter \FileReplicaSet(_Total)\KB of Staging Space In Use (0xcbb8): (CWMIPerfCounterSet::GetData 468) 11/19/2003 3:03:15 PM not set True 00:00:4127.6 KB (28,232 bytes) It's trying to add it to WMI providers, but fails. I don't know how to manually correct this, as de-installing and re-installing the provider fails with the same error. Any thoughts? Jef List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Mirror OU structure to Test
Hi all, I have an urgent need to mirror our production OU structure to our Test Platform. Is anyone aware of a script or tool where I can export and import the structure? If sowould they share? :) I think I can write something, but if anyone has a pointer in the right direction to an already existing one, that would help out alot! Thanks, Jef List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Mirror OU structure to Test
Hunter, Awesome! I was just looking at the syntax for LDIFDE too, but this was easy! :) Jef Original Message: From: Coleman, Hunter [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject: RE: [ActiveDir] Mirror OU structure to Test Date: Fri, 21 Nov 2003 14:00:43 -0700 http://support.microsoft.com/?kbid=237677 has an example of how to do this with LDIFDE. Very easy and fast Hunter -Original Message- From: Jef Kazimer [mailto:[EMAIL PROTECTED] Sent: Friday, November 21, 2003 1:32 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: [ActiveDir] Mirror OU structure to Test Hi all, I have an urgent need to mirror our production OU structure to our Test Platform. Is anyone aware of a script or tool where I can export and import the structure? If sowould they share? :) I think I can write something, but if anyone has a pointer in the right direction to an already existing one, that would help out alot! Thanks, Jef List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] DNS, Reverse and Limit
okTry to stick with me, as I explain this mess. Having inherited DNS, it appears that scavenging was never put on for the DHCP scopes, and there are over 60k of dead PTR records to clean up. Unfortunately it was never turned on, since the fear of static records being wiped in the process if addresses had time stamps on them. Originally they had Class B addresses, but there is a clear designation of Dynamic subnets and static subnets, so we are converting the class B to class C's since the zone level is where we can set scavenging times, and what not. The problem with this is, it will create a HUGE number of reverse zones (looking at around 600-1000!) My question is, is there are a hard limit as to how many zones that can be handled? With the cleaned up zones there might be only a few records per zone (some had over 1500!!!), so the data might not be that high. It's just spread out amongst many zones. Jef List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DNS, Reverse and Limit, and Searching for Static Records
Roger, Thanks for the Reply! Well I can say it can handle well over a 100. :) I'm just second guessing this strategy, but unfortunately it's the only way I can think of cleaning up records. A problem was, that with the Class B zones, I needed to AgeAll records to clean up the thousands of dead records via scavenging. This would then Age even the Static records, and then I'd be hosed once it scavenged. :( I'm talking 115,000 PTR records and 33,000 A records, so it was a huge mess when I came to this place. So I've identified each of the DHCP zones, and broke them off into their own class C subnet, and set their scavenging times to what the Lease teams are for that zone. This definitely seems to keep them clean, and tidy, which is a huge relief. The support folks were constantly complaining about the dead PTR records and everyone is happy now. I've written WMI scripts to pull the records into a SQL backend, where I can keep count of how many records are in each zone. This way I can identify the problem zones and convert them.The process of conversion is pretty simple, just an export, and import, and an AgeAll to the records (this is my concerns here, if a static was there it would be wiped too), and let the scavenging time expire. So, My next quest will be to determine just how many static records there are in the AD zones. WMI seems blind to this, as I can't find any property of the MicrosoftDNS_PTRType to tell me this. Since they are AD zones, each record does have a property called dnsTombstone.I believe this is what sets the GUI flag for the Delete this record after. The Values seem to be True,False, and null. I'm not sure what the difference between Null or False are yet, but I suspect this might be the searchable value to pull a list of static entries out of AD. Any experience with that? I'm wondering if and when we get these zones clean, if it would be better to ClassB the DHCP zones, and create classC's for the Static zones and turn scavenging off. Jef -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Wednesday, November 26, 2003 6:01 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] DNS, Reverse and Limit Two things. I've not noticed a limit to the number of zones, but I've also only tried about 100 (but that was in production, so take that for whatever its worth). Second - manually entered records don't get scavenged, only those which are dynamically registered. Therefore, you should be able to enable scavenging then use dnscmd.exe from the reskit to force age all records. When I've migrated DNS from Unix/BIND to Windows 2000, I've always done it via a zone transfer from BIND to Windows, then changing the zone to AD Integrated. In that experience, none of the records brought over via the xfer process are marked for aging, so I see no reason to worry about it at this point. Personally, I'd keep the supernetted reverse zones - we use class B ranges for our hub offices, and I just roll all the subnets (usually between 5 and 20) into a single reverse zone. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Jef Kazimer [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 25, 2003 4:17 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: [ActiveDir] DNS, Reverse and Limit okTry to stick with me, as I explain this mess. Having inherited DNS, it appears that scavenging was never put on for the DHCP scopes, and there are over 60k of dead PTR records to clean up. Unfortunately it was never turned on, since the fear of static records being wiped in the process if addresses had time stamps on them. Originally they had Class B addresses, but there is a clear designation of Dynamic subnets and static subnets, so we are converting the class B to class C's since the zone level is where we can set scavenging times, and what not. The problem with this is, it will create a HUGE number of reverse zones (looking at around 600-1000!) My question is, is there are a hard limit as to how many zones that can be handled? With the cleaned up zones there might be only a few records per zone (some had over 1500!!!), so the data might not be that high. It's just spread out amongst many zones. Jef List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DNS, Reverse and Limit
Michael, Sheez...The Zone Transfers alone must be mind boggling :) Do you see any performance hits with so many zones? I'm not seeing any so far, but I am curious if I will. I do notice the startup time of DNS is wretched, but that I expected on bootup. Jef -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: Wednesday, November 26, 2003 7:40 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS, Reverse and Limit I've got 809 zones in production, right now. Standard primaries tho (not A/D integrated). -Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 26, 2003 7:01 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS, Reverse and Limit Two things. I've not noticed a limit to the number of zones, but I've also only tried about 100 (but that was in production, so take that for whatever its worth). Second - manually entered records don't get scavenged, only those which are dynamically registered. Therefore, you should be able to enable scavenging then use dnscmd.exe from the reskit to force age all records. When I've migrated DNS from Unix/BIND to Windows 2000, I've always done it via a zone transfer from BIND to Windows, then changing the zone to AD Integrated. In that experience, none of the records brought over via the xfer process are marked for aging, so I see no reason to worry about it at this point. Personally, I'd keep the supernetted reverse zones - we use class B ranges for our hub offices, and I just roll all the subnets (usually between 5 and 20) into a single reverse zone. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Jef Kazimer [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 25, 2003 4:17 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: [ActiveDir] DNS, Reverse and Limit okTry to stick with me, as I explain this mess. Having inherited DNS, it appears that scavenging was never put on for the DHCP scopes, and there are over 60k of dead PTR records to clean up. Unfortunately it was never turned on, since the fear of static records being wiped in the process if addresses had time stamps on them. Originally they had Class B addresses, but there is a clear designation of Dynamic subnets and static subnets, so we are converting the class B to class C's since the zone level is where we can set scavenging times, and what not. The problem with this is, it will create a HUGE number of reverse zones (looking at around 600-1000!) My question is, is there are a hard limit as to how many zones that can be handled? With the cleaned up zones there might be only a few records per zone (some had over 1500!!!), so the data might not be that high. It's just spread out amongst many zones. Jef List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir% 40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DNS, Reverse and Limit, and Searching for Static Records
They can't be, unless you use the /AgeAll in DNSCMD. It adds a timestamp to ALL records within that zone.This makes them ready for scavenging (if the zone and server have it on). Since scavenging was not on originally, the PTR records have no timestamps. Even so, the zones had it off, so I had to turn it on the zones/server, and then /AgeAll the zones. If I didn't the PTR records would never be scavenged. But, since there is no way to determine if it was a static record or one created by DHCP/client they all would get the timestamp. The case would be in the smaller offices, where they would have maybe 10 legacy servers, and 90 clients on one subnet. Aging all those records would make sure those PTRs are clean, but the server records would get timestamps as well, and be wiped. If after I cleaned the zone, set scavenging on for new dynamic record, then used DNSCMD to add in the static records, they would no be scavenged since they would not have a timestamp, and life would be good. :) I just need to be 100% sure that I got all the static records, and I'm not putting faith in the DNS admins that they recorded all the records they put in. :( http://www.tburke.net/info/suptools/topics/dnscmd_ageallrecords.htm1 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Wednesday, November 26, 2003 8:03 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] DNS, Reverse and Limit, and Searching for Static Records I wasn't aware that staticly entered records could be scavenged - wouldn't that defeat the purpose of it being static? -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -Original Message- From: Jef Kazimer [mailto:[EMAIL PROTECTED] Sent: Wednesday, November 26, 2003 8:53 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS, Reverse and Limit, and Searching for Static Records Roger, Thanks for the Reply! Well I can say it can handle well over a 100. :) I'm just second guessing this strategy, but unfortunately it's the only way I can think of cleaning up records. A problem was, that with the Class B zones, I needed to AgeAll records to clean up the thousands of dead records via scavenging. This would then Age even the Static records, and then I'd be hosed once it scavenged. :( I'm talking 115,000 PTR records and 33,000 A records, so it was a huge mess when I came to this place. So I've identified each of the DHCP zones, and broke them off into their own class C subnet, and set their scavenging times to what the Lease teams are for that zone. This definitely seems to keep them clean, and tidy, which is a huge relief. The support folks were constantly complaining about the dead PTR records and everyone is happy now. I've written WMI scripts to pull the records into a SQL backend, where I can keep count of how many records are in each zone. This way I can identify the problem zones and convert them.The process of conversion is pretty simple, just an export, and import, and an AgeAll to the records (this is my concerns here, if a static was there it would be wiped too), and let the scavenging time expire. So, My next quest will be to determine just how many static records there are in the AD zones. WMI seems blind to this, as I can't find any property of the MicrosoftDNS_PTRType to tell me this. Since they are AD zones, each record does have a property called dnsTombstone.I believe this is what sets the GUI flag for the Delete this record after. The Values seem to be True,False, and null. I'm not sure what the difference between Null or False are yet, but I suspect this might be the searchable value to pull a list of static entries out of AD. Any experience with that? I'm wondering if and when we get these zones clean, if it would be better to ClassB the DHCP zones, and create classC's for the Static zones and turn scavenging off. Jef -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Wednesday, November 26, 2003 6:01 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] DNS, Reverse and Limit Two things. I've not noticed a limit to the number of zones, but I've also only tried about 100 (but that was in production, so take that for whatever its worth). Second - manually entered records don't get scavenged, only those which are dynamically registered. Therefore, you should be able to enable scavenging then use dnscmd.exe from the reskit to force age all records. When I've migrated DNS from Unix/BIND to Windows 2000, I've always done it via a zone transfer from BIND to Windows, then changing the zone to AD Integrated. In that experience, none of the records brought over via the xfer process are marked
[ActiveDir] ADMap 1.6.2
Actually I just used the ADmap 1.6.2 utility last night. I believe it came out of MS consulting services from Germany. (it says so in the about) It reads your Sites structure and builds it into a rather unwieldly VISIO map. You will need a Plotter to print it out, and it's not perfect. Not bad for an automap tool though. It doesn't do OU structure, just your sites, connections, and server diagrams. I don't know where I came across this utility, but it should be around. Original Message: From: Mark Caldwell [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD Diagraming Date: Wed, 3 Dec 2003 12:45:53 -0800 Official word on this subject from MS site- Microsoft Office Visio(r) 2003 One question we hear often about Visio 2003 is what happened to the Autodiscovery feature? The short answer is that it is no longer available. Visio 2003 cannot import directory services information, such as an existing Active Directory structure. Visio 2003 also cannot discover and diagram a network using SNMP. These features were part of the Visio Enterprise Network Tools add-on to Visio 2002 and Visio 2000 Enterprise Edition (but not Visio Professional 2002, Visio for Enterprise Architects, or Visio 2000 Professional Edition). Based on customer feedback, we invested our resources in improving the other network diagramming tools and creating new features that benefit a broad cross-section of Visio users, like being able to track comments or publish diagrams to a SharePoint workspace. For Visio 2003, we did make several improvements to the network diagramming tools, including a new rack diagramming template, a new library of network diagramming shapes that look much better than the earlier ones and have a consistent set of custom properties, and three new pre-defined reports for extracting data from your network diagrams. If you want to use Visio to map your network, you might want to check out the various third-party products that are available, such as the Optiview Console (formerly Network Inspector) and LAN MapShot products from Fluke Networks. Both of these products use Visio to generate detailed diagrams of discovered network devices. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday, December 03, 2003 12:13 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] AD Diagraming Understood. For discovery, that's why I recommended something like Ecora. Usually during discovery, you have a lot more information that's required other than topology and OU structure. Not everyone has that requirement I suppose... al -Original Message- From: Rich Milburn [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 3:08 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD Diagraming I see what you mean Al, but like where I used to work, sometimes you don't have the budget to buy yet another 3rd party add-on tool when you just need basic functionality. I imagine MS has to be more careful to leave room for 3rd party development in light of the fact everyone wants to sue them it seems, but sometimes it makes it more difficult on the tech who just wants to do his job... (the whole JavaVM issue is maybe an example of 3rd party adding complexity at the expense of the admins?) Visio 2000 has the ability to do AD diagramming, though I've personally never used it for discovery, just diagramming. I liked the 2002 look and feel but stuck with my copy of 2000 Enterprise Edition. -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 1:48 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] AD Diagraming Now that's a pretty broad statement, don't you think? They didn't break anything by removing further development of the visio enterprise network tools (that's what it's called). As was said in the thread, it does a fine job of diagramming the OU structure, but doesn't really look at the larger picture anyway. Hence the recommendation to look at the product I posted the link for. What's really typical here, is a strategy to create and sell products that do what the customers want, but also to leave room for third party developers to make a living by writing products that work with Microsoft products. I'm not seeing the issue, but maybe I'm alone with that view? Al -Original Message- From: Steck, Herb [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 12:56 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD Diagraming Typical MS. Break something that works, but don't fix what is broke. -Original Message- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 03, 2003 11:50 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] AD Diagraming That does suck, doesn't it? Some tools that I've seen that work well (but aren't free) come with this product http://www.ecora.com/ecora/products/reporter.asp Gathers a lot of useful
re: [ActiveDir] Userenv.log error
Usually a Failure of 5 is Access Denied turn on Winlogon Logging, and then use secedit to reapply security policies. It will create the winlogon.log in the C:\winntt\security\logs directory. Read through the log and you should see where the error is happening. Search Technet for the keywords of winlogon.log and you should find the KB article with the registry keylocation. Sorry I don't remember it off hand. :) Jef Original Message: From: ActiveDirList-PPC [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [ActiveDir] Userenv.log error Date: Fri, 12 Dec 2003 16:18:33 -0500 Anybody know of good resources for finding more info on the following error USERENV(52e8.5f2c) 15:32:55:476 RegisterGPNotification: CreateEvent failed with 5 I've been having some GP oddities today and the userenv.log files on the affected systems are covered up with this. Google returns some sites, but most seem to be msdn sites about API programming reference, and a security paper in German which I have not been able to decipher yet. Thanks, KC Brown List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] UF_MNS_LOGON_ACCOUNT userflag
Thanks for the link. I saw the reference to the Node set too, but it made no sense to me. We haven't rolled 2003 out in any of production, and even so, this userflag seems like it was around in 2000 and maybe before that too. Stupid cross naming stuff! grrr I see it referenced with alot of SAMBA info, but it always related back to the same description from the MSDN win32API which is useless Perhaps it's a userflag for backwards compat, but it's no longer really used so it's not in the GUI? So where did it come from. These users were migrated from Nt4 to win2000 AD, so maybe there is a link there?! When the Account ops go to reset these users passwords in the MMC they get the The procedure cannot be found but if I do it from a DA, it works fine. You'd think it's an account access problem right? well, the ACLs are the same on all the users in that OU, and the only difference I Can see is that they have that flag...AND there is a 4 hour window on 1 day they are not permitted to logon. I tried duplicating that schedule on a user to see if it caused the flag to appear, but it didn't. I don't want to remove the flag to see if it fixes the problem, if I don't know what it is there for in the first place... Thanks again though. Original Message: From: Rich Milburn [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] UF_MNS_LOGON_ACCOUNT userflag Date: Fri, 9 Jan 2004 16:58:39 -0600 Search on Majority Node Set - here's an article - http://tinyurl.com/2knrw - Server Clusters: Majority Node Set Quorum It is a ... new quorum type available in Windows Server 2003 clusters - majority node set (MNS) clusters. I'm with you, I'm not sure where to find it in the GUI, or what exactly it's for. I think the references I've seen to it have been copied from others (defining constants in VBScripts). Do you have Windows Server 2003 clusters there? Could it be related to them? Anyway, happy hunting :) Rich -Original Message- From: Jef Kazimer [mailto:[EMAIL PROTECTED] Sent: Friday, January 09, 2004 4:28 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: [ActiveDir] UF_MNS_LOGON_ACCOUNT userflag Does anyone know what the UF_MNS_LOGON_ACCOUNT Userflag is, and how it's set in a GUI? I'm seeing weird errors with some users and noticed they have this userflag set. I don't know what it is, and all documentation I can find gives a description of Not an MNS user on the web. What is an MNS user? What is MNS? How did this get set? and what is it doing? I can set the flag with an ADSI script, but other than that, I don't know where it came from? Thanks, Jef List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] MNS user flag - fixed
Rich, I have to say the latest MS rep we had was absolutely excellent. :) I won't say his name, but he's out of the Dallas offices, and we all would request him again in the future. He really tried to sit there and troubleshoot, and when he couldn't he got all the right resources together to solve most of our issues. Jef -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn Sent: Monday, January 19, 2004 7:41 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] MNS user flag - fixed Nice to hear that they did look at the source code though when they felt they needed to - I've seen other companies pass around a call for weeks trying to figure out something like command line parameters of their own product, and a simple query to the developers would have resolved the issue. -Original Message- From: joe [mailto:[EMAIL PROTECTED] Sent: Friday, January 16, 2004 4:55 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] MNS user flag - fixed Thanks for the info, I was curious on that after seeing the initial post. That shouldn't have required them to look at source code... That sucks. Good example of poor documentation both publicly and internally. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer Sent: Friday, January 16, 2004 11:54 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: [ActiveDir] MNS user flag - fixed Last week I posted here questioning what the UF_MNS_ACCOUNT user flag was and how it got on my users. We were getting the Procedure cannot be found error when resetting their passwords. After talking with MS, they looked at the source code to determine it is related to the Netware services from a previous domain. There are KB articles related to it, but it never references the User flag so I could not find it. Searching on NWLOGIN will bring it up in the KB. Anyway, the corruption we had was due to userparameters for the user obkect containing values related to the Netware that the DLL no longer existed for. Writing scripts to grab the UP's parse them to validate they only contained NW info, and then NULLing them solved our problem. I am going to assume MNS stands for Microsoft Netware Services. :) I just wanted to share in case anyone here runs into this problem in the future, and it should be googled in the archive. :) Jef Abbott Labs List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] How to track object deletion?
I've been looking at ways for tracking static DNS record changes. So far I've been focusing on the dnsTombestone property which has 3 values of NULL, TRUE, and FALSE. Perhaps you can see if that object has a similar property? I'm not at an AD terminal now, so I can't check, but it might be something you can check on. Just an Idea. :) J -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, January 19, 2004 9:37 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] How to track object deletion? Hello, AD gurus. I' ve been developing a DirSync program that tracks for object changes in AD. Everything is fine except for object deletion. When AD object is deleted, as everybody knows here, it is tombstoned. As I figured out that means that the object is moved to the hidden container called 'Deleted Objects'. So when I delete an object DirSync returns me the following CN=user1\DEL:5fce35d1-42dc-4d42-b4d6-fd4a5c773acd,CN=Deleted Objects,DC=sbhbd1,DC=local as the DN of changed object. In the example above I deleted object with DN: CN=user1,CN=Users, DC=sbhbd1,DC=local. But I've lost some part of original object DN like: * ,CN=Users, * The question is: How to track AD objects deletion? I need to know object original DN, but AD hides it from me. I don't want to keep a copy of original AD or whatever similar to it. Thanks in advance! -- Best regards, (mailto:[EMAIL PROTECTED])19.01.2004, 18:27 List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] ntfrsutl inlog command - How to clear old files? FRS problems
We have some servers with slow connections due to some political site link connections times. What I believe is happening is that the replication window is not sufficient to propagate all the changes, and when the changes reach to the box, the files it's expecting to change are no longer there. Ultrasound reports these as Sharing Violations due to the fact they are in IBCO_INSTALL_RETRY. It assume a process is holding them open, when in fact they are not. The question is how do I clear these out of the ntfrs db to ignore those changes? One article I found (and can't refind!) suggested clearing the connection on the server, and restarting FRS service to clear the entries. This worked for a few servers, but it seems those with manual connections it will not clear the inlog. Anyone know a better way? Or if anything, where to find more documentation? the ntfrsutl I would expect to maybe have a switch to clear entries like this, but it does not. I have entries dating back to 2002ugh... Here is an example of 1 inlog result. I have this on 80 some servers. Notice the old dates, and 0'd out info. Any help would be greatly appreciated, as I am having reservation on moving forward with a 2003 upgrade, until FRS is happy. --- able Type: Inbound Log Table for DOMAIN SYSTEM VOLUME (SYSVOL SHARE) (1) SequenceNumber : 1291 Flags: 004a Flags [VVAct Locn Retry ] IFlags : 0001 Flags [IFlagVVRetireExec ] State: 000f CO STATE: IBCO_INSTALL_DEL_RETRY ContentCmd : Flags [Flags Clear] Lcmd : 0003 D/F 1 Delete FileAttributes : 0030 Flags [DIRECTORY ARCHIVE ] FileVersionNumber: 0006 PartnerAckSeqNumber : 0012e131 FileSize : FileOffset : FrsVsn : 01c3b10e 7cd46dbf FileUsn : 82386de8 JrnlUsn : 9edfe1a0 JrnlFirstUsn : 9edfe1a0 OriginalReplica : 1 [???] NewReplica : 1 [???] ChangeOrderGuid : 8bbb9663-f7ee-498b-92b10db4077d4c1b OriginatorGuid : 656571a6-cac6-418b-950e50a8729c476e FileGuid : 47a88a6c-2a59-4847-99752abc6e089242 OldParentGuid: 104f9971-95ad-4edc-934e073d9f62963f NewParentGuid: 104f9971-95ad-4edc-934e073d9f62963f CxtionGuid : 9a9ddaf7-96c9-4730-a897861cf726df42 Spare1Ull: Sat Nov 8, 2003 14:01:00 MD5CheckSum : MD5: RetryCount : 0 FirstTryTime : Thu Dec 18, 2003 20:05:35 EventTime: Thu Dec 18, 2003 18:31:43 FileNameLength : 76 FileName : {74F20E4C-B574-4A73-8879-C4330F02519A} List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Identify STATIC records in AD DNS
Ugh...Why do I get blinded by complexity?! I didn't even think to use the /Detail switch! This is perfect, as I can parse the output and identify them J Original Message: From: Deji Akomolafe [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Identify STATIC records in AD DNS Date: Mon, 7 Jun 2004 20:22:37 -0700 Have you tried parsing the output of dnscmd DNSServerName /ZonePrint ZoneName /Detail ? Records without scavenging timestamp will have the following clue: dwTimeStamp = 0 ([ 0: 0: 0] [ 1/ 1/1601]) HTH Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Jef Sent: Mon 6/7/2004 6:44 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Identify STATIC records in AD DNS Hi there, Does anyone know of a way to programmatically identify STATIC records within an AD integrated DNS zone? The DNS manager gui can show if a record has a timestamp or not, but with 100's of thousands of records you can't check them all. I've looked for a property I can search on using ADSI or WMI, but have not found anything consistent. The closest I found is the AD property dnsIsTombstoned. It appears to have 3 values: TRUE = Already tombstoned and will be replicated FALSE = Not tombstoned yet, but can be not set = Will not be scavenged. This is not 100% though, so I think I am missing something else. Thanks, Jef Kazimer List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Account Expiration Date Mismatch?
I was brought this little problem today, which doesn't make alot of sense to me so far.It appears that ADUC displays the User Expiration date differently than a VBS script does. An in house coded application is being questioned because these values do not match.ADUC says 8/8/2004VBS says 8/9/2004The script is simply:Set objUser = GetObject _ (rs.fields("adspath"))wscript.echo(objUser.AccountExpirationDate)Does anyone know what the code is to return the same value as USers Computers MMC?I have a feeling it's an estimate based on the time offset, but I am unsure.Jef
RE: [ActiveDir] Account Expiration Date Mismatch?
Thanks :)Shortly after I wrote the message, I noticed the naming difference in the MMC. It makes sense now, but I just have to explain it. :)Silly me :) But thanks againJef From: "Coleman, Hunter" [EMAIL PROTECTED]Sent: Friday, August 06, 2004 8:39 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Account Expiration Date Mismatch? From http://msdn.microsoft.com/library/default.asp?url=""> "NoteThe accountExpires attribute contains the account expire date. The Active Directory Users and Computers MMC snap-in displays the date that the account will expire at the end of. That is, the Active Directory Users and Computers MMC snap-in will display the account expiration date as one day earlier than the date contained in the accountExpires attribute." Hunter From: Jef Kazimer [mailto:[EMAIL PROTECTED] Sent: Friday, August 06, 2004 9:19 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Account Expiration Date Mismatch? I was brought this little problem today, which doesn't make alot of sense to me so far.It appears that ADUC displays the User Expiration date differently than a VBS script does. An in house coded application is being questioned because these values do not match.ADUC says 8/8/2004VBS says 8/9/2004The script is simply:Set objUser = GetObject _ (rs.fields("adspath"))wscript.echo(objUser.AccountExpirationDate)Does anyone know what the code is to return the same value as USers Computers MMC?I have a feeling it's an estimate based on the time offset, but I am unsure.Jef
RE: [ActiveDir] how to report on scheduled jobs?
Does the SCHTASKS.EXE do what you want? perhaps with the /V switch SCHTASKS /Query [/S system [/U username [/P password]]] [/FO format] [/NH] [/V] [/?] Description: Enables an administrator to display the scheduled tasks on the local or remote system. Parameter List: /S system Specifies the remote system to connect to. /U username Specifies the user context under which the command should execute. /P password Specifies the password for the given user context. /FO format Specifies the output format to be displayed. Valid values: TABLE, LIST, CSV. /NH Specifies that the column header should not be displayed in the output. Valid only for TABLE and CSV formats. /V Specifies additional output to be displayed. /? Displays this help/usage. Examples: SCHTASKS /Query SCHTASKS /Query /? SCHTASKS /Query /S system /U user /P password SCHTASKS /Query /FO LIST /V /S system /U user /P password SCHTASKS /Query /FO TABLE /NH /V Subject: [ActiveDir] how to report on scheduled jobs? Date: Mon, 17 Apr 2006 14:31:25 -0500 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Isthereascripttooutputscheduledjobinformation?Maybesomething Icouldcallina"for"loopdrivenbyalistofservers.Ideally,I wouldliketoseethejobandwho'scredentialsitisrunningunder, withmaybetheschedule. MikeThommes Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] stupid ldap queries
It seems like an obvious idea to implement. Sad we never thought about it. :) Has anyone done any tests to reveal what performance gains this yields on queries? Thanks, Jef Subject: RE: [ActiveDir] stupid ldap queriesDate: Tue, 18 Apr 2006 17:03:35 -0400From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org I did the same after I saw some of the activedir folks post about doing it… J :m:dsm:cci:mvp| marcusoh.blogspot.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, WookSent: Tuesday, April 18, 2006 4:47 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] stupid ldap queries I never understood why Microsoft chose not to index objectclass by default. I indexed it in our directory as soon as we got the go ahead from Microsoft that it was supported. That was years ago. Wook From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian DesmondSent: Tuesday, April 18, 2006 11:50 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] stupid ldap queries No. isMemberOfPartialAttributeSet just means that the attribute is replicated into the GC. Being in the GC does not imply that the attribute is indexed. There’s an attribute (I think “isIndexed”) which says the attribute should be indexed in the database. Thanks,Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha WeerasingheSent: Tuesday, April 18, 2006 2:15 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] stupid ldap queries bummer! I meant adfind -schema -f "(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE)" ldapdisplayname -list On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote: sorry that was meant to be adfind -schema -f "(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE)" ldapdisplayname -list On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote: Thanks for the reply. In that case why does adfind -schema -f "(objectclass=attributeschema)(ismemberofpartialattributeset=T RUE)" ldapdisplayname -list returning objectclass amongs the others? Doesn't this mean objectclass is indexed? The reason I ask is because I wanted to make sure I didn't write stupid ldap queries that load up the server. I am still learning so please be patient with this n00b. Thanks M@ On 4/18/06, Brian Desmond [EMAIL PROTECTED] wrote: Not sure I understand the question fully, but, no objectClass is not indexed. objectCategory is. So if you want to get all users you do: ((objectCategory=person)(objectClass=user)) Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe Sent: Tuesday, April 18, 2006 1:00 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] stupid ldap queries All Could someone please explain how Non-indexed queries (e.g. "objectClass=user") fall in this category? I saw this mentioned in some slides by Gil and couldnt quite understand what he meant. Isn't objectclass indexed as part of the partial attribute set? Thanks M@ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail- archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] automatic account disable
Myke, You could write a script to do such a thing I suppose. Something to the effect of if lastLogonTimeStamp value is greater than 180 days, disable account kind of thing. We utilize MIIS in house for this and for SOX deactivations, but it is certainly something you could write a script or a quick .NET exe for if you wanted. Jef Date: Wed, 19 Apr 2006 11:38:58 -0300 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Subject: [ActiveDir] automatic account disable higuys, it'spossibletomakeaautomaticlockoutinuseraccountsby inactivity,orIneedathirdpartytool? thanks Myke Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/Crush! Zap! Destroy! Junk e-mail trembles before the might of Windows Live(tm) Mail beta. Windows Live(tm) Mail beta
RE: [ActiveDir] Setting Wireless Config via GPO
We are using IAS, with PEAP authentication to AD. This allows them to use their logged on user credentials to the workstations to authenticate to the WLAN. The whole authentication is behind the scenes if they are in the Domain. I still have some network folks who fear being a domain, so they get prompted to relogon periodically but too bad for them :) So far from what I hear, the response has been excellent since all the people have to do is walk into a conference room and they get access to the WLAN if their radio is on. Jef Subject: RE: [ActiveDir] Setting Wireless Config via GPODate: Wed, 19 Apr 2006 11:32:32 -0400From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org You really got that to work well? I've had great success setting it up as well, however, I have a problem when users roam from one access point to the next. they get dropped for a fewseconds for reauthentication which is not acceptable to most users. Are you using EAP? I would love to get more specifics if you do not have the problem I did. Using Cisco 1220 x (27) with cisco 350 client cards x (80) Thanks. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, JimSent: Wednesday, April 19, 2006 10:53 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Setting Wireless Config via GPO Only way to fly, imho. Push it all via GPO, Certs for the users and IAS Radius Auth from our Cisco 1100 AP's. User needs wireless, I just add them to the user group that allows them to install/request the Cert and I dont have to do anything else. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave WadeSent: Wednesday, April 19, 2006 4:29 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Setting Wireless Config via GPO Folks, Is any one setting wireless configurations using the features in AD 2003? We currently use the 3-COM tool and their proprietary security. As they have stopped supporting this we need to move on. Thanks for any input on this. Dave Wade **This email and any files transmitted with it are confidential andintended solely for the use of the individual or entity to whom theyare addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. Thank you.http://www.stockport.gov.uk** Confidentiality Notice: The information contained in this message may be legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error please notify the author immediately by replying to this message and deleting the original message. Thank you.
RE: [ActiveDir] automatic account disable
I'm curious, how would you show activitity other than the last time the user authenticated? Since disabling the account would only affect the ability to authenticate (not including any external logic or process built on account status), I'm curious what other ways you would show account inactivity if not by lastlogon or lastlogontimestamp? Thanks, Jef Subject: RE: [ActiveDir] automatic account disable Date: Wed, 19 Apr 2006 14:25:24 -0700 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Still,thereisnothing"automatic"nativelyintheOStolethimdothis. Policyornopolicy,heislookingatexternalintervention-third-partyor aroll-your-own.Rollinghisownmaybeburdensomebecausenowhehasto accountforthenumberofwaysanaccountcanbeactivewithoutnecessarily loggingin.LookingatLastlogonorlastlogontimestampisinsufficient. Sincerely, _ (,/|/)/)/) /---|(/__//_//_ )/|_/(__(_)//(_(_)(/_(_(_/(__(/_ (_//) (/ MicrosoftMVP-DirectoryServices www.readymaids.comhttp://www.readymaids.com-weknowIT www.akomolafe.comhttp://www.akomolafe.com DoyounowrealizethatTodayistheTomorrowyouwereworriedabout Yesterday?-anon From:[EMAIL PROTECTED]onbehalfofAlMulnick Sent:Wed4/19/20061:13PM To:ActiveDir@mail.activedir.org Subject:Re:[ActiveDir]automaticaccountdisable LOL.You'reright,itisoftenadvisabletodisablefirst.Igotcaughtup inthemoment;) Myke,therewasalongconversationaboutsuchthingsafewmonthsago.You mightwanttosearchthearchivestoseewhatwassaidandseeifyouagree aboutwhatitsaysandsuggests. Anadditionalpointtoconsider:startwithpolicyasNeilsuggests.Ifyou haveapolicythatsaystodisableaccountsandthendeletelater,ordelete basedondisuse,enforcementisprettymuchaneasythingtodo.Withoutthe policyfirst,itcanbeadifficulttraintoride.-ajm On4/19/06,[EMAIL PROTECTED][EMAIL PROTECTED]wrote: Wouldyounotdisabletheaccountinsteadoflockingit? Alockedaccountmaybeunlockedintime(dependsuponpolicy), whereasadisabledaccountneedsadminintervention. my2penneth, neil From:[EMAIL PROTECTED][mailto: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]]OnBehalfOfAlMulnick Sent:19April200615:52 To:ActiveDir@mail.activedir.org Subject:Re:[ActiveDir]automaticaccountdisableIt'spossible.What'syourcriteria? DSQUERY,DSMODaretwotoolsthataretoutedasbeingabletodothis prettyeasily.Joewaretoolsarebetter(http://www.joeware.net http://www.joeware.net/)forthistaskIMHO.Scripts,etccanalsobe usedsuccessfully. Al On4/19/06,Myke[EMAIL PROTECTED]mailto:[EMAIL PROTECTED] wrote: higuys, it'spossibletomakeaautomaticlockoutinuseraccountsby inactivity,orIneedathirdpartytool? thanks Myke Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive: http://www.mail-archive.com/activedir%40mail.activedir.org/PLEASEREAD:Theinformationcontainedinthisemailisconfidential and intendedforthenamedrecipient(s)only.Ifyouarenotanintended recipientofthisemailpleasenotifythesenderimmediatelyand deleteyour copyfromyoursystem.Youmustnotcopy,distributeortakeany further actioninrelianceonit.Emailisnotasecuremethodof communicationand NomuraInternationalplc('NIplc')willnot,totheextentpermitted bylaw, acceptresponsibilityorliabilityfor(a)theaccuracyor completenessof, or(b)thepresenceofanyvirus,wormorsimilarmaliciousor disabling codein,thismessageoranyattachment(s)toit.Ifverificationof this emailissoughtthenpleaserequestahardcopy.Unlessotherwise stated thisemail:(1)isnot,andshouldnotbetreatedorrelieduponas, investmentresearch;(2)containsviewsoropinionsthataresolely thoseof theauthoranddonotnecessarilyrepresentthoseofNIplc;(3)is intended forinformationalpurposesonlyandisnotarecommendation, solicitationor offertobuyorsellsecuritiesorrelatedfinancialinstruments. NIplc doesnotprovideinvestmentservicestoprivatecustomers.Authorised and regulatedbytheFinancialServicesAuthority.RegisteredinEngland no.1550505VATNo.447249235.RegisteredOffice:1St Martin's-le-Grand, London,EC1A4NP.AmemberoftheNomuragroupofcompanies. Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] automatic account disable
Ahhh...I thought you were aluding to some magical attribute in the 3rd dimension I did not know about in the Directory. :) Yes, I agree, Process and policy needs to govern activity not just what the directory reports. :) Thanks, Jef Subject: RE: [ActiveDir] automatic account disable Date: Wed, 19 Apr 2006 14:56:20 -0700 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org None.Thisiswherethepolicy/processelementcomein.Youknowwhichof youraccountsare"Serviceaccounts"andwhichofyourusersareonvacation. Youdoaperiodicqueryofyourlastlogon/timestamp,youfilteroutyour "servicesaccounts"andyourvacationingusersfromthelist,sendemailsto therestandwaitforaresponse.Ifnoresponse,youmovethemtoacommon stagingarea,andprocessthemperyourpolicy(changetheirpasswords, disablethem,lockthemout,etc) It'saprocessthing.Iwanttoassumethatthereisaproductouttherewith thislogicbuilt-in.ThatproductissimplynottheOS-yet. Sincerely, _ (,/|/)/)/) /---|(/__//_//_ )/|_/(__(_)//(_(_)(/_(_(_/(__(/_ (_//) (/ MicrosoftMVP-DirectoryServices www.readymaids.comhttp://www.readymaids.com-weknowIT www.akomolafe.comhttp://www.akomolafe.com DoyounowrealizethatTodayistheTomorrowyouwereworriedabout Yesterday?-anon From:[EMAIL PROTECTED]onbehalfofJefKazimer Sent:Wed4/19/20062:37PM To:ActiveDir@mail.activedir.org Subject:RE:[ActiveDir]automaticaccountdisableI'mcurious,howwouldyoushowactivitityotherthanthelasttimetheuser authenticated?Sincedisablingtheaccountwouldonlyaffecttheabilityto authenticate(notincludinganyexternallogicorprocessbuiltonaccount status),I'mcuriouswhatotherwaysyouwouldshowaccountinactivityifnot bylastlogonorlastlogontimestamp?Thanks,Jef Subject:RE:[ActiveDir]automaticaccountdisable Date:Wed,19Apr200614:25:24-0700 From:[EMAIL PROTECTED] To:ActiveDir@mail.activedir.org Still,thereisnothing"automatic"nativelyintheOStolethimdothis. Policyornopolicy,heislookingatexternalintervention-third-party or aroll-your-own.Rollinghisownmaybeburdensomebecausenowhehasto accountforthenumberofwaysanaccountcanbeactivewithoutnecessarily loggingin.LookingatLastlogonorlastlogontimestampisinsufficient. Sincerely, _ (,/|/)/)/) /---|(/__//_//_ )/|_/(__(_)//(_(_)(/_(_(_/(__(/_ (_//) (/ MicrosoftMVP-DirectoryServices www.readymaids.comhttp://www.readymaids.com-weknowIT www.akomolafe.comhttp://www.akomolafe.com DoyounowrealizethatTodayistheTomorrowyouwereworriedabout Yesterday?-anon From:[EMAIL PROTECTED]onbehalfofAlMulnick Sent:Wed4/19/20061:13PM To:ActiveDir@mail.activedir.org Subject:Re:[ActiveDir]automaticaccountdisable LOL.You'reright,itisoftenadvisabletodisablefirst.Igotcaught up inthemoment;) Myke,therewasalongconversationaboutsuchthingsafewmonthsago. You mightwanttosearchthearchivestoseewhatwassaidandseeifyouagree aboutwhatitsaysandsuggests. Anadditionalpointtoconsider:startwithpolicyasNeilsuggests.If you haveapolicythatsaystodisableaccountsandthendeletelater,or delete basedondisuse,enforcementisprettymuchaneasythingtodo.Without the policyfirst,itcanbeadifficulttraintoride.-ajm On4/19/06,[EMAIL PROTECTED][EMAIL PROTECTED]wrote: Wouldyounotdisabletheaccountinsteadoflockingit? Alockedaccountmaybeunlockedintime(dependsuponpolicy), whereasadisabledaccountneedsadminintervention. my2penneth, neil From:[EMAIL PROTECTED][mailto: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]]OnBehalfOfAlMulnick Sent:19April200615:52 To:ActiveDir@mail.activedir.org Subject:Re:[ActiveDir]automaticaccountdisableIt'spossible.What'syourcriteria? DSQUERY,DSMODaretwotoolsthataretoutedasbeingabletodothis prettyeasily.Joewaretoolsarebetter(http://www.joeware.net http://www.joeware.net/)forthistaskIMHO.Scripts,etccanalsobe usedsuccessfully. Al On4/19/06,Myke[EMAIL PROTECTED]mailto:[EMAIL PROTECTED] wrote: higuys, it'spossibletomakeaautomaticlockoutinuseraccountsby inactivity,orIneedathirdpartytool? thanks Myke Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive: http://www.mail-archive.com/activedir%40mail.activedir.org/PLEASEREAD:Theinformationcontainedinthisemailisconfidential and intendedforthenamedrecipient(s)only.Ifyouarenotanintended recipientofthisemailpleasenotifythesenderimmediatelyand deleteyour copyfromyoursystem.Youmustnotcopy,distributeortakeany further actioninrelianceonit.Emailisnotasecuremethodof communicationand NomuraInternationalplc('NIplc')willnot,totheextentpermitted bylaw, acceptresponsibilityorliabilityfor(a)theaccuracyor completenessof, or(b)thepresenceofanyvirus,wormorsimilarmaliciousor disabling codein,thismessageoranyattachment(s)toit.Ifverificationof this emailissoughtthenpleaserequestahardcopy.Unlessotherwise stated thisemail:(1)isnot,andshouldnotbetreatedorrelieduponas, investmentresearch;(2)containsviewsoropinionsthataresolely thoseof theauthoranddonotneces
RE: [ActiveDir] Setting Wireless Config via GPO
Dave, The certs can be used in fifferent ways. If you are using EAP-TLS which uses the Certs to authenticate the user and the server, you will need a CA to issue this. This would require a PKI solution to be in place. While not hard or impossible in 2003, just something you want to be cautious about. using EAP-PEAP method, the Cert is only used to identify the server to the client, and open a secure tunnel so the password credentials can be sent over. Once the user is authenticated, then the connection is secured through the 2 choices of wireless encryption. You do not need a CA For this, and can request an IAS certificate from Verisign I believe still. Yes, XP SP2 would be great, especially being able to configure GPOs in the domains. With IAS as the middleman between the WLAN device and the directory, you can set Access policies from as simple as "If useri s member of domain grant access, else deny" kind of stuff, to more granular rules. Now one thing though, where I am, we use Dell for our laptops which come standard with the built in WiFi Modem (1450 card). Dell has their own client tool that can utilize PEAP as well. The one benefit is the Dell cllient does have a GINA addition, which allows a pre-logon WLAN authentication. Some people like this so their logon script runs, etc. So while not needed, it's a 3rd party tool some people like. It also allows us to do EAP-PEAP on WIndows 2k boxes which do not support it natively. Jef Subject: RE: [ActiveDir] Setting Wireless Config via GPODate: Thu, 20 Apr 2006 10:36:06 +0100From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org Thanks for the input so far, and sorry I left the "read receipt" on on the e-mail. I guess I will be getting those for years to come. (I did that on an internal list two years ago and still get receipts from that one...) I don't want people on my Wireless who are not on the domain. I assumeI stop that happening with certificates? I was also going to make sure all the laptops were on XP SP2 so I didn't need any third party utilities... From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: 19 April 2006 17:07To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Setting Wireless Config via GPO We are using IAS, with PEAP authentication to AD. This allows them to use their logged on user credentials to the workstations to authenticate to the WLAN. The whole authentication is behind the scenes if they are in the Domain. I still have some network folks who fear being a domain, so they get prompted to relogon periodically but too bad for them :) So far from what I hear, the response has been excellent since all the people have to do is walk into a conference room and they get access to the WLAN if their radio is on. Jef Subject: RE: [ActiveDir] Setting Wireless Config via GPODate: Wed, 19 Apr 2006 11:32:32 -0400From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org You really got that to work well? I've had great success setting it up as well, however, I have a problem when users roam from one access point to the next. they get dropped for a fewseconds for reauthentication which is not acceptable to most users. Are you using EAP? I would love to get more specifics if you do not have the problem I did. Using Cisco 1220 x (27) with cisco 350 client cards x (80) Thanks. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, JimSent: Wednesday, April 19, 2006 10:53 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Setting Wireless Config via GPO Only way to fly, imho. Push it all via GPO, Certs for the users and IAS Radius Auth from our Cisco 1100 AP's. User needs wireless, I just add them to the user group that allows them to install/request the Cert and I dont have to do anything else. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave WadeSent: Wednesday, April 19, 2006 4:29 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Setting Wireless Config via GPO Folks, Is any one setting wireless configurations using the features in AD 2003? We currently use the 3-COM tool and their proprietary security. As they have stopped supporting this we need to move on. Thanks for any input on this. Dave Wade **This email and any files transmitted with it are confidential andintended solely for the use of the individual or entity to whom theyare addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. Thank you.http://www.stockport.gov.uk** Confidentiality Notice: The information contained
RE: [ActiveDir] stupid ldap queries
My recent favorite was a rather "popular" software vendor told me I needed to increase my maxIdleConnectionTime for the Directory higher than 900s (15 mins)because their connection was timing out while processing the first page of 1000 users, and having the connection dropped before they went back for the next. I basically told them if they can't process 1000 users in less than 15 minutes, then they surely could not handle my entire user population which they were trying to loop through. I think we calculated we would have to increase that time to to over 32 hours so their crapplication could complete. :) I'll let you guess what did not happen in that situation. :) Jef From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] stupid ldap queriesDate: Thu, 20 Apr 2006 09:07:09 -0400 Oh I love those! The app dev folks (or vendor) tell you that your AD is broken because it is so slow... Yep I have been there. Indexing is fine, just index things you regularly query on, no reason to suck up resources and perf for indexes that aren't used. For instance, indexing all attributes doesn't make sense but if you have a crit app or a bunch of apps using a query with no indexed attributes or having a specific attribute that could seriously help perf it is good to add. Wook, I think, is being a trifle facetious and plugging his creative work. :) Schema updates are goodness when done correctly and smartly. There is no reason to be scared of doing them, just be scared of doing them wrong. g -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Wednesday, April 19, 2006 10:32 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] stupid ldap queries It’s only been that one. Okay, maybe one other that was indexed, but that was because a very large network/voip vendor that required a schema extension subsequently used one of these attributes in all of their queries. In a large implementation (which they clearly had never seen) the query would take a year to complete. Of course, in their lab with 5 objects, it completed in milliseconds. :m:dsm:cci:mvp| marcusoh.blogspot.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, WookSent: Wednesday, April 19, 2006 11:48 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] stupid ldap queries Adding indices will start you down the slippery slope that ultimately leads to custom schema extensions. Do you like new OIDs? J Wook From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Wednesday, April 19, 2006 4:19 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] stupid ldap queries Exactly, you can tell you AD to do it efficiently versus trying to train everyone who writes a query that goes against AD. I mean you want to try and train everyone because there are other bad things they can do that you can't easily handle but this is a nice quick easy thing to do to help. I HIGHLY HIGHLY HIGHLY recommend folks use adfind or ldp to test their queries and have the STATS output generated and displayed when they are doing dev work to figure out how good their queries are, in adfind, look at the -STATS* set of switches. Seriously, they are very cool. You will learn a lot about how the queries are working whether you intend to or not. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Wednesday, April 19, 2006 12:34 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] stupid ldap queries It’d the same relative gain running a query using objectcategory versus objectclass. Most of the time, I would run into queries that people were using, utilizing objectclass instead of objectcategory. Indexing objectclass made this moot. :m:dsm:cci:mvp| marcusoh.blogspot.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Tuesday, April 18, 2006 5:55 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] stupid ldap queries It seems like an obvious idea to implement. Sad we never thought about it. :) Has anyone done any tests to reveal what performance gains this yields on queries? Thanks, Jef Subject: RE: [ActiveDir] stupid ldap queriesDate: Tue, 18 Apr 2006 17:03:35 -0400From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org I did the same after I saw some of the activedir folks post about doing it… J :m:dsm:cci:mvp| marcusoh.blogspot.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, WookSent: Tuesday, April 18, 2006 4:47 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] stupid ldap queries I never understood why Microsoft chose not to index objectclass by default. I indexed it in our directory as soon as we
RE: [ActiveDir] Setting Wireless Config via GPO (Also update schema to 2003 level....)
The thought of a complete PKI has put us off this --- Many people tend to be in the same boat. We are looking at integrating our Badge IDs and Smart Cards so I see a a full blown PKI initiative in the works. This seems O.K.We generateda cert internally, andthis is how we intend to proceed... Yes, XP SP2 would be great, especially being able to configure GPOs in the domains. You still seem to need to run the GPO Editor on a W2003 Server. Is there a way to run this on an XP-SP2 Workstation? I have not found one. And since my original post I have been looking at what is needed to update the Schema to the Windows2003 Level. This seems to be really horrid. Has any one any good pointers on how-to and gotcha articles on this? The more I read the more nervous I get, and the further up the scale the risk assessment on my draft change request goes... --- I'm not understanding this problem. Is this because you don't have the Admin Templates loaded on your XP workstation to modify the GPO settings? With IAS as the middleman between the WLAN device and the directory, you can set Access policies from as simple as "If useri s member of domain grant access, else deny" kind of stuff, to more granular rules. Does this still workfor domains in 2K mode. I don't seem to get any access unless the "remote access" flag is on in AD even though I have set policies on IAS... when I first started this project we were in 2K mode for the domain, but the IAS box was a windows 2003 Member Server. You need to have the users Remote Access Flag set to "Determine by Policy" for IAS to work. In 2K mode user's are created with the defaiult of "Deny", while in 2K3 mode they are defaulted with "Determine by Policy". Now one thing though, where I am, we use Dell for our laptops which come standard with the built in WiFi Modem (1450 card). Dell has their own client tool that can utilize PEAP as well. The one benefit is the Dell cllient does have a GINA addition, which allows a pre-logon WLAN authentication. Some people like this so their logon script runs, etc. So while not needed, it's a 3rd party tool some people like. It also allows us to do EAP-PEAP on WIndows 2k boxes which do not support it natively. 1. If you allow the machine to authenticate, won't policy apply and logon scripts run any way? (That is set to machine access with user re-authentication in the GPO). -- The old VPN scenario applies here. The user has to logon to the box with cache'd credentials (logon Script can't run since the machine is not connected yet), once they are logged on the WLAN connects and authenticates based on the logged on user. The GINA plugin just allows a pre-auth to open the WLAN connection before the Windows Logon happens. We are using user authentication, not Machine authentication so I need user interaction. 2. I have not tried any W2k boxes, but I have not managed to get any XP boxes to authenticate with WPA/EAP-PEAP when using third party tools to config the cards. I have tried IBM, Intel 3-COM cards but all seem to fail to authenticate. As soon as I enable the Zero Config windows takes over and all works fine... -- We have used both the DELL client piece, and the 3COM client piece with success. though the management of these is horrible due to the lack of good replication of configurations. Jef Dave, Hoping some of this makes sense,**This email and any files transmitted with it are confidential andintended solely for the use of the individual or entity to whom theyare addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act. If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system. Thank you.http://www.stockport.gov.uk**
RE: [ActiveDir] Root Place Holder justification
Al, If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did. Maybe they should re-evaluate their service offerings. :) I admit I was wrong :) Jef Subject: RE: [ActiveDir] Root Place Holder justification Date: Wed, 26 Apr 2006 08:03:19 -0600 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Mark, I'minthesameplaceyouare:singleforest,singledomain,but30DCsinaglobaldeploymentwith45kusersand37kcomputers.Ranthatwayfor6years. Nowwe'vesoldoffabusinessunitofacouplethousandusersandtheyoutsourcedtoabig3rdpartyserviceproviderwhoinsistedtheygowithanemptyroot.Irecommendedagainstit,butthesourcer(whoseinitialsareE.D.S.)claimedtheconfigurationwassupportedbyMicrosoftandtheythathadrunitbyMicrosoftfor"approval." Ithinkwhatitboilsdowntoisthatthisistheirstandardserviceandthat'sthat.TheguysI'mworkingwitharequiteknowledgeableandgoodatwhattheydo,butthey'rethefrontlinepeopleandnotthedeep-thinkingarchitectswefindatDEC. AL AlMaurer ServiceManager,NamingandAuthenticationServices IT|InformationTechnology AgilentTechnologies (719)590-2639;Telnet590-2639 http://activedirectory.it.agilent.com -OriginalMessage- From:[EMAIL PROTECTED][mailto:[EMAIL PROTECTED]OnBehalfOfMarkParris Sent:Wednesday,April26,20067:37AM To:ActiveDir.org Subject:[ActiveDir]RootPlaceHolderjustification Doesanyonehaveanyofficialdocumentationastothejustificationforarootplaceholder,pro'sandcon's? WhereIam-Ihavestartedatonedomainandcanseenoreasontoexpandonthat-theyonlyhave6DC'snowinasingledomain-yetthepartnertheyhavechosenisrecomendingarootplaceholderwith5DC'sandthen8inthechilddomain(theyareNOTevensupplyingthetin)andIwantedsomedecentamo-alittlebitstrongerthanschemaandEntadminseparation. IknowatDECtheconcensuswasthedesiretoeliminateandIbelieveGuidoandWookhavestatedthisforthepasttwoDEC's Ihavesearchedthislistandcanfindnorelevantarticles. Manythanks Regards Mark Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/ Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/Join the next generation of Hotmail and you could win the adventure of a lifetime Learn More.
RE: [ActiveDir] Root Place Holder justification
The problem I always had with the idea of a tighter security for a root domain for admins is that it doesn't always flow down correctly for all tasks in the child domains. IE You have your Admins in the ROOT domain which has a tighter security policy than your child domain. Yet you can't place these users in the Domain Admins group of the child domain since it is a global group and is not accepting users from the root domain. you can place the users in the Administrators group, but this does not get you everything in the child domain since most things are ACL'd by Domain Admins by default and not the domain's Administrator group. So you can use these Admins with a tighter security policy to do actions that are 90% of the job because they are Administrators, but for that extra 10% you would need a child domain account without thehigher security policy in the Domain Admins group. Of course this can all be done using different ACL's and task groups and what not, but is there a a simpler way that I am missing? Jef Subject: RE: [ActiveDir] Root Place Holder justification Date: Wed, 26 Apr 2006 16:03:13 +0200 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org tohaveanemptyforestrootdomainornot...(thingsIjustthoughtof) POSSIBLESFOR"TOHAVE": * Large,complexanddynamicorganizations * OrganizationwithindependentdepartmentsanddecentralizedITdepartments(becauseofthisoneormoreITdepartmentsdoesnotaccepttheotherasbeingtheforestrootdomain) * Wishtohaveaforestrootdomainthatisdepartment/region/locationindependent(incl.itsname)(betterpossibilitiestotransferownershipandbetterresistenttoorganizationalchanges) * Strongersecuritypoliciesforadminaccounts POSSIBLESFOR"NOTTOHAVE": * OrganizationwithacentralizedITdepartment * Staticorganizations * Additionalcostsandhardware YoucouldhavealookattheWindowsServerSystemReferenceArchitecture--http://www.microsoft.com/technet/itsolutions/wssra/raguide/default.mspx DirectoryServicesGuide--http://www.microsoft.com/technet/itsolutions/wssra/raguide/DirectoryServices/igdrbp.mspx?mfr=true(searchforsectioncalled"ForestRootDesign") my2cents cheers, jorge Metvriendelijkegroeten/Kindregards, Ing.JorgedeAlmeidaPinto SeniorInfrastructureConsultant MVPWindowsServer-DirectoryServices LogicaCMGNederlandB.V.(BURTINCEindhoven) (Tel:+31-(0)40-29.57.777 (Mobile:+31-(0)6-26.26.62.80 *E-mail:seesenderaddress From:[EMAIL PROTECTED]onbehalfofMarkParris Sent:Wed2006-04-2615:36 To:ActiveDir.org Subject:[ActiveDir]RootPlaceHolderjustificationDoesanyonehaveanyofficialdocumentationastothejustificationforarootplaceholder,pro'sandcon's? WhereIam-Ihavestartedatonedomainandcanseenoreasontoexpandonthat-theyonlyhave6DC'snowinasingledomain-yetthepartnertheyhavechosenisrecomendingarootplaceholderwith5DC'sandthen8inthechilddomain(theyareNOTevensupplyingthetin)andIwantedsomedecentamo-alittlebitstrongerthanschemaandEntadminseparation. IknowatDECtheconcensuswasthedesiretoeliminateandIbelieveGuidoandWookhavestatedthisforthepasttwoDEC's Ihavesearchedthislistandcanfindnorelevantarticles. Manythanks Regards Mark Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/ Thise-mailandanyattachmentisforauthorisedusebytheintendedrecipient(s)only.Itmaycontainproprietarymaterial,confidentialinformationand/orbesubjecttolegalprivilege.Itshouldnotbecopied,disclosedto,retainedorusedby,anyotherparty.Ifyouarenotanintendedrecipientthenpleasepromptlydeletethise-mailandanyattachmentandallcopiesandinformthesender.Thankyou.Enter the Windows Live Mail beta sweepstakes Upgrade today
RE: [ActiveDir] Root Place Holder justification
Guido, My thoughts exactly. I always start my complaining with "It was designed with what we knew at the time.butif I could it again today, blah, blah". I think the decisions that would use this model today will most likely stem from political and administrative decisions, where as earlier the infrastructure had a larger impact on such a design. If only there was the do over button..:) J Subject: RE: [ActiveDir] Root Place Holder justificationDate: Wed, 26 Apr 2006 17:08:31 +0100From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org I believe many of our headaches stem from this past decision (in place before I was here) and often ponder making the bold statement of considering collapsing them all into a single domain. There is nothing wrong with a past decision that was based on the knowledge and recommendations available at the time. I've designed and implemented empty root forest-models myself and I believe most companies have implemented this model in the early days of AD. But with the knowledge we have about this infrastructure today, there's hardly a reason to stick to this model. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Mittwoch, 26. April 2006 17:48To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Root Place Holder justification I would tend to agree that a single domain is optimal with the current AD and infrastructure that is available. Other than security, legacy, and most importantly political issues, for most a single domain should be considered. Where I am, we have 3 domains in a single forest, with one being a root domain. I believe many of our headaches stem from this past decision (in place before I was here) and often ponder making the bold statement of considering collapsing them all into a single domain. Though I suspect I would be lynched. :( We have over 160 sites, and around 150k users within 2 domains, with the slowest link today around 256k link to departmental sites (50 users). The security requirements are the same throughout all domains, and I believe the 2 domains exist for political reasons that fortunately are fading away. Many bad policies and practices grew from one decision to keep things seperate. Of course your companies policies and practices for managing the domain globally go a huge way into that consideration. Issues such as account provisioning, group management, and replication convergence times could impact the business if the infrastructure impact is not understood. If I had a magic wandI'd wish for a single domain. :) Jef Subject: RE: [ActiveDir] Root Place Holder justification Date: Wed, 26 Apr 2006 09:56:04 -0400 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Yoursubjectisyouranswer.Theyneedtojustifyarootdomain.Is thereanactualreasonforit? Thereareonlythreereasonstohaveone,imho(cutandpastedfroma googlesearch) 1.Securityrequirementsaredifferent(password,lockout,andKerberos policiesmustbeappliedatthedomainlevel). 2.Tocontrol/limitreplication(butnotetherecommendationsfornumber of objectsinadomainwithslowlinks-iftheslowestlinkis56kbps, the domainshouldhavenomorethan100,000users). 3.Becauseyouinheritamultipledomainsetup. Iquestionnumberthreemyself.Iwouldrathercleanitupthancontinue withapastdecisionbutIguessthatdependsupontheimpactto operationsandthecomplexityofconsolidation.-OriginalMessage- From:[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]OnBehalfOfMarkParris Sent:Wednesday,April26,20069:37AM To:ActiveDir.org Subject:[ActiveDir]RootPlaceHolderjustification Doesanyonehaveanyofficialdocumentationastothe justificationforarootplaceholder,pro'sandcon's? WhereIam-Ihavestartedatonedomainandcanseeno reasontoexpandonthat-theyonlyhave6DC'snowina singledomain-yetthepartnertheyhavechosenis recomendingarootplaceholderwith5DC'sandthen8inthe childdomain(theyareNOTevensupplyingthetin)andI wantedsomedecentamo-alittlebitstrongerthanschema andEntadminseparation. IknowatDECtheconcensuswasthedesiretoeliminateandI believeGuidoandWookhavestatedthisforthepasttwoDEC's Ihavesearchedthislistandcanfindnorelevantarticles. Manythanks Regards Mark Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive: http://www.mail-archive.com/activedir%40mail.activedir.org/ Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/ Join the next generation of Hotmail and you could win the adventure of a lifetime Learn More. Join the next generation of Hotmail and you could win the adventure of a lifetime Learn More.
RE: [ActiveDir] Root Place Holder justification
My brother I welcome you into RDA :) Root Domain Anonymous :) Though, if the business requires the separation it still has it's place today in certain environments. I would just be more adamant at evaluating those business requirements as it relates to the directory. Jef Subject: RE: [ActiveDir] Root Place Holder justificationDate: Wed, 26 Apr 2006 12:49:00 -0600From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org Jef, We don’t have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion. J AL Al Maurer Service Manager, Naming and Authentication Services IT | Information Technology Agilent Technologies (719) 590-2639; Telnet 590-2639 http://activedirectory.it.agilent.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Wednesday, April 26, 2006 9:51 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Root Place Holder justification Al, If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did. Maybe they should re-evaluate their service offerings. :) I admit I was wrong :) Jef Subject: RE: [ActiveDir] Root Place Holder justification Date: Wed, 26 Apr 2006 08:03:19 -0600 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Mark, I'minthesameplaceyouare:singleforest,singledomain,but30DCsinaglobaldeploymentwith45kusersand37kcomputers.Ranthatwayfor6years. Nowwe'vesoldoffabusinessunitofacouplethousandusersandtheyoutsourcedtoabig3rdpartyserviceproviderwhoinsistedtheygowithanemptyroot.Irecommendedagainstit,butthesourcer(whoseinitialsareE.D.S.)claimedtheconfigurationwassupportedbyMicrosoftandtheythathadrunitbyMicrosoftfor"approval." Ithinkwhatitboilsdowntoisthatthisistheirstandardserviceandthat'sthat.TheguysI'mworkingwitharequiteknowledgeableandgoodatwhattheydo,butthey'rethefrontlinepeopleandnotthedeep-thinkingarchitectswefindatDEC. AL AlMaurer ServiceManager,NamingandAuthenticationServices IT|InformationTechnology AgilentTechnologies (719)590-2639;Telnet590-2639 http://activedirectory.it.agilent.com -OriginalMessage- From:[EMAIL PROTECTED][mailto:[EMAIL PROTECTED]OnBehalfOfMarkParris Sent:Wednesday,April26,20067:37AM To:ActiveDir.org Subject:[ActiveDir]RootPlaceHolderjustification Doesanyonehaveanyofficialdocumentationastothejustificationforarootplaceholder,pro'sandcon's? WhereIam-Ihavestartedatonedomainandcanseenoreasontoexpandonthat-theyonlyhave6DC'snowinasingledomain-yetthepartnertheyhavechosenisrecomendingarootplaceholderwith5DC'sandthen8inthechilddomain(theyareNOTevensupplyingthetin)andIwantedsomedecentamo-alittlebitstrongerthanschemaandEntadminseparation. IknowatDECtheconcensuswasthedesiretoeliminateandIbelieveGuidoandWookhavestatedthisforthepasttwoDEC's Ihavesearchedthislistandcanfindnorelevantarticles. Manythanks Regards Mark Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/ Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/ Join the next generation of Hotmail and you could win the adventure of a lifetime Learn More.Join the next generation of Hotmail and you could win the adventure of a lifetime Learn More.
RE: [ActiveDir] Root Place Holder justification
RH, It comes in the management issues. I currently deal with people creating a secondary account in the peer domain because they do not want to bother (or understand that they can) to use the existing account. I think alot of this stems from lack of centralized policy and process that was not capable due to process. Also a common problem is multiple partitions. I deal with many 3rd party applications that can only bind to a SINGLE directory partition and cannot chase referrals. We had to implement an MIIS system to aggregate the active users from 3domains into a single ADAMinstance so that a very popular 3 letter application could utilize them for authentication. This brings into it's own problems of duplicate account names since without a secondary process AD does not enforce uniqueness on samaccountname in a forest. So which account wins when you have a duplicate and flow it into an aggregation directory? If we had a single domain, this would not be an issue. I suppose I am going to give you more gripes than hard facts as to why I think it causes problems right now though. :( Jef From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Root Place Holder justificationDate: Wed, 26 Apr 2006 15:03:06 -0400 "Where's the harm?" Don't tell me about economics or overhead or other things. Tell me where the "harm" is. Please. RH _ -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of [EMAIL PROTECTED]Sent: Wednesday, April 26, 2006 2:49 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Root Place Holder justification Jef, We don’t have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion. J AL Al Maurer Service Manager, Naming and Authentication Services IT | Information Technology Agilent Technologies (719) 590-2639; Telnet 590-2639 http://activedirectory.it.agilent.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Wednesday, April 26, 2006 9:51 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Root Place Holder justification Al, If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did. Maybe they should re-evaluate their service offerings. :) I admit I was wrong :) Jef Subject: RE: [ActiveDir] Root Place Holder justification Date: Wed, 26 Apr 2006 08:03:19 -0600 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Mark, I'minthesameplaceyouare:singleforest,singledomain,but30DCsinaglobaldeploymentwith45kusersand37kcomputers.Ranthatwayfor6years. Nowwe'vesoldoffabusinessunitofacouplethousandusersandtheyoutsourcedtoabig3rdpartyserviceproviderwhoinsistedtheygowithanemptyroot.Irecommendedagainstit,butthesourcer(whoseinitialsareE.D.S.)claimedtheconfigurationwassupportedbyMicrosoftandtheythathadrunitbyMicrosoftfor"approval." Ithinkwhatitboilsdowntoisthatthisistheirstandardserviceandthat'sthat.TheguysI'mworkingwitharequiteknowledgeableandgoodatwhattheydo,butthey'rethefrontlinepeopleandnotthedeep-thinkingarchitectswefindatDEC. AL AlMaurer ServiceManager,NamingandAuthenticationServices IT|InformationTechnology AgilentTechnologies (719)590-2639;Telnet590-2639 http://activedirectory.it.agilent.com -OriginalMessage- From:[EMAIL PROTECTED][mailto:[EMAIL PROTECTED]OnBehalfOfMarkParris Sent:Wednesday,April26,20067:37AM To:ActiveDir.org Subject:[ActiveDir]RootPlaceHolderjustification Doesanyonehaveanyofficialdocumentationastothejustificationforarootplaceholder,pro'sandcon's? WhereIam-Ihavestartedatonedomainandcanseenoreasontoexpandonthat-theyonlyhave6DC'snowinasingledomain-yetthepartnertheyhavechosenisrecomendingarootplaceholderwith5DC'sandthen8inthechilddomain(theyareNOTevensupplyingthetin)andIwantedsomedecentamo-alittlebitstrongerthanschemaandEntadminseparation. IknowatDECtheconcensuswasthedesiretoeliminateandIbelieveGuidoandWookhavestatedthisforthepasttwoDEC's Ihavesearchedthislistandcanfindnorelevantarticles. Manythanks Regards Mark Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/ Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/ Join the next generation of Hotmail and you could win the adventure of a lifetime Learn More.Upgrade for free to Windows Live Mail beta and you could win an African Safari Learn more
RE: [ActiveDir] Root Place Holder justification
Gil, I think he was looking for other reasons besides the obvious ones (More hardware, license, etc.). It would be interesting to quantify the hidden costs related to administration, data consistency, application integration, security, etc.. But that is a task for a better man than I... Jef Subject: RE: [ActiveDir] Root Place Holder justificationDate: Wed, 26 Apr 2006 15:26:57 -0700From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org Hey Rocky, Watch me pull a rabbit out of my hat! Sorry, just had to get that out of my system. Most people on the list won't have a clue as to what I'm talking about anyway... In any case, how do increased operational costs and overhead not qualify as "harm"? I'm confused by your question... -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky HabeebSent: Wednesday, April 26, 2006 12:03 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Root Place Holder justification "Where's the harm?" Don't tell me about economics or overhead or other things. Tell me where the "harm" is. Please. RH _ -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of [EMAIL PROTECTED]Sent: Wednesday, April 26, 2006 2:49 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Root Place Holder justification Jef, We don’t have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion. J AL Al Maurer Service Manager, Naming and Authentication Services IT | Information Technology Agilent Technologies (719) 590-2639; Telnet 590-2639 http://activedirectory.it.agilent.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Wednesday, April 26, 2006 9:51 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Root Place Holder justification Al, If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did. Maybe they should re-evaluate their service offerings. :) I admit I was wrong :) Jef Subject: RE: [ActiveDir] Root Place Holder justification Date: Wed, 26 Apr 2006 08:03:19 -0600 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Mark, I'minthesameplaceyouare:singleforest,singledomain,but30DCsinaglobaldeploymentwith45kusersand37kcomputers.Ranthatwayfor6years. Nowwe'vesoldoffabusinessunitofacouplethousandusersandtheyoutsourcedtoabig3rdpartyserviceproviderwhoinsistedtheygowithanemptyroot.Irecommendedagainstit,butthesourcer(whoseinitialsareE.D.S.)claimedtheconfigurationwassupportedbyMicrosoftandtheythathadrunitbyMicrosoftfor"approval." Ithinkwhatitboilsdowntoisthatthisistheirstandardserviceandthat'sthat.TheguysI'mworkingwitharequiteknowledgeableandgoodatwhattheydo,butthey'rethefrontlinepeopleandnotthedeep-thinkingarchitectswefindatDEC. AL AlMaurer ServiceManager,NamingandAuthenticationServices IT|InformationTechnology AgilentTechnologies (719)590-2639;Telnet590-2639 http://activedirectory.it.agilent.com -OriginalMessage- From:[EMAIL PROTECTED][mailto:[EMAIL PROTECTED]OnBehalfOfMarkParris Sent:Wednesday,April26,20067:37AM To:ActiveDir.org Subject:[ActiveDir]RootPlaceHolderjustification Doesanyonehaveanyofficialdocumentationastothejustificationforarootplaceholder,pro'sandcon's? WhereIam-Ihavestartedatonedomainandcanseenoreasontoexpandonthat-theyonlyhave6DC'snowinasingledomain-yetthepartnertheyhavechosenisrecomendingarootplaceholderwith5DC'sandthen8inthechilddomain(theyareNOTevensupplyingthetin)andIwantedsomedecentamo-alittlebitstrongerthanschemaandEntadminseparation. IknowatDECtheconcensuswasthedesiretoeliminateandIbelieveGuidoandWookhavestatedthisforthepasttwoDEC's Ihavesearchedthislistandcanfindnorelevantarticles. Manythanks Regards Mark Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/ Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/ Join the next generation of Hotmail and you could win the adventure of a lifetime Learn More.Join the next generation of Hotmail and you could win a trip to Africa Upgrade today
[ActiveDir] Internet Authentication Concepts: Pointers?
Ok, here is something I'm just starting to research, and I thought maybe someone here has some pointers or a direction they can steer me in. We are looking at a potential consolidated directory/database to contain user registrations (Self registration and possible bulk load)for multiple public internet sites for products of our company. I was wondering if there are any published scenarios that address this solution as a starting point for consideration. We are thinking of using a public AD forest as the potential repository, but I am curious if there are any lessons learned when designed such a scenario. Thanks, Jef Upgrade for free to Windows Live Mail beta and you could win an African Safari Learn more
RE: Re: [ActiveDir] OT: Windows Vista - Windows Defender
I have noticed it is not always in the system tray, except when it had a message for me. I found the icon (looks like a little castle) on my main Programs Menu on the Start menu. Jef From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: Windows Vista - Windows Defender Date: Thu, 27 Apr 2006 15:06:16 -0400 shouldbepartofthestartmenuorcontrolpanelaccordingtotheTechNet magazinearticleIreadontheplaneyesterday -OriginalMessage- From:"SusanBradley,CPAakaEbitz-SBSRocks[MVP]" [EMAIL PROTECTED] To:ActiveDir@mail.activedir.org Sent:Thursday,April27,20061:14PM Subject:Re:[ActiveDir]OT:WindowsVista-WindowsDefender Whichbuild? It'sonmindinthecorner. Controlpanel..youshouldseeitinthere. Salandra,JustinA.wrote: WeareevaluatingWindowsVistaBetaandaretryingtolocatetheWindows DefenderwhichMicrosoftclaimsisinstalledbydefaultonVista,however itisnotinstalledonourbetaversionanddownloadingitfromtheweb itsaysthatitisnotsupportedonVista.Anyideas? JustinA.Salandra MCSEWindows20002003 NetworkandTechnologyServicesManager CatholicHealthcareSystem 646.505.3681-office 917.455.0110-cell [EMAIL PROTECTED]mailto:[EMAIL PROTECTED]-- Lettingyourvendorssetyourriskanalysisthesedays? http://www.threatcode.com Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/Join the next generation of Hotmail and you could win the adventure of a lifetime Learn More.
[ActiveDir] MIIS Workflow applications
I was wondering if anyone had any suggestions for workflow applications built on top of MIIS for iDM? We have a rather robust MIIS architecture that utilizes custom coded applications as a front end. We are starting to evaluate off the shelf products, and I was wondering if anyone had any suggestions of good vendors to look at. I am old that BMC's MIIS iDM suite is a good fit, but have only just begun reading up on it. I was hoping for other recommended apps to compare it against. Thanks, Jef Join the next generation of Hotmail and you could win a trip to Africa Upgrade today
RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
Al, I apologize, as I am going only on what little information I have. I guess I was trying to do some pre-meeting recon work since I had seen it metioned here about 25mil internet users for some people. I had assumed there might be some scenario documentation for such a thing. I will know more after the meeting of course, so I'll see if I can explain myself better. I understand directory design for an enterprise, but have never done so for a internet instance that would have self registration. I suspect there are some different lessons learned from that scenario so was curious. Thanks, Jef Date: Thu, 27 Apr 2006 15:31:33 -0400 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Internet Authentication Concepts: Pointers? That's not a lot to go on, Jef. Can you give some more information? For example, these public internet sites? Are they web only? What type of authentication is needed? What were your plans for authorization? Are you planning to use something like SiteMinder or Tivoli or ?? to help you deal with authorization if using web sites? Al On 4/26/06, Jef Kazimer [EMAIL PROTECTED] wrote:Ok, here is something I'm just starting to research, and I thought maybe someone here has some pointers or a direction they can steer me in. We are looking at a potential consolidated directory/database to contain user registrations (Self registration and possible bulk load) for multiple public internet sites for products of our company. I was wondering if there are any published scenarios that address this solution as a starting point for consideration. We are thinking of using a public AD forest as the potential repository, but I am curious if there are any lessons learned when designed such a scenario. Thanks, Jef Upgrade for free to Windows Live Mail beta and you could win an African Safari Learn more ا~m List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Exclude one account from password policy
Tom, Unfortunately No, this is a domain wide setting. This may help: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/strngpw.mspx look under the "Storing Password Policy Information" section. More than just AD utilize this password policy, as a few LDAP applications do query the policies defined in the domain for setting passwords in their apps which is a nice thing I think. :)Jef Date: Thu, 27 Apr 2006 15:31:46 -0400From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Exclude one account from password policy I know account policies are domain wide but if you put a user in an OU andblock gpoinheritance, can you make that user have a non-expiring password while everyone esle is subject to the normal AD password policy? I know this is bad security practice but can it be done this way? ThanksEnter the Windows Live Mail beta sweepstakes Upgrade today
RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
Mylo, Thanks for the information! I have setup ADAM utilizing a custom web UI utilizing AZman for a small project before, but I have concerns about scalabilty. The issues are not with the ADAM instance at all, but the UI that is needed to manage ADAM. ADSIedit is great for someone who understands the directory, but it's not that user friendly for web application owners, helpdesk, etc. This was for a simple application of about 500 users, and it met their needs but I don't see this as a scalable solution from a global perspective. This will be a backend data store that contains the user identity, but the applications that utilize it will be of different flavors from DMZ hosted web apps, to externally hosted apps. The flavors of web apps will range from websphere, ColdFusion, .NET and I suspect some PHP apps. With AD, I guess I was thinking it has a well known support interface (though I am sure I would need to customize anyway...so I'm not sure that value is really there). So I was expecting to maybe find 3rd parties that do sit in front of this to manage the IDs stored. Though this could be AD or ADAM with ADAM being the most cost effective. This looks like siteMinder might be a good solution to manage all of these environments but I will need to look into that. I suppose I am getting ahead of myself, because I do not know the requirements as of yet, and I'm making assumptions that could be totally off the mark here. I guess it's a new environment and wanted to get some info ahead of before it was needed. :) Thanks again! Jef Date: Fri, 28 Apr 2006 01:40:09 +0200 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Internet Authentication Concepts: Pointers? Jef, AsAlpointedout,therearenumerousproductsfromvendorssuchas IBM/BEA/Oracle/RSA/Netegrity/Entrust/BaltimoreLabs(RIP)etcproviding web-basedauthentication/authorisationinfrontofAD.Sincefroma designpoint-of-viewit'sgenerallynotagoodideatostickADtoo closetotheInternet,oftenthesesolutionscompriseapresentation tier,e.g.withIIS(usingsomesortofISAPIplugins)thatthenhooks intoyourbusiness bsp;logic(e.g.middleware)oryourdatatier(e.g. LDAP/AD/SQL)...ifyouwanttolookatthisfromanMSpurist perspectivethenI'dsuggesthavingalookatn-Tiersolutionswithin theMSDNarea.Although,thishasamoredeveloperemphasisthanyou'll probablywant,itgivesagoodinsightintohowInternetauthentication works,particularly.NETaswellasolderproductssuchasSite Server/Commerce.. TrygooglingonAuthorizationManager(AZMan)togiveagoodexampleof howarole-basedmanagementapproach(assumingawebt ier)withanAD backendwouldwork.AlsolookatADAMasaninitial'point'solution forInternetusagratherthanADalone. Youalsomentionedself-registrationandthiskicksoffanentirely differentthread(inmymindanyway)... 1.Whatareyouprovidingaccessto? 2.Whomareyouregisteringandforwhat? 3.Whatauthenticationmechanismdoyouwishtouse(username/password, certs,OTP). 4.Doyouneedtoprovidesomeformofauthorisationonceauthenticated aswell?Whatformdoesthisneedtotake? sp; Hopethishelps. Regards, Mylo ifyouneedaninitial JefKazimerwrote: Al, Iapologize,asIamgoingonlyonwhatlittleinformationIhave.IguessIwastryingtodosomepre-meetingreconworksinceIhadseenitmetionedhereabout25milinternetusersforsomepeople.Ihadassumedtheremightbesomescenariodocumentationforsuchathing. Iwillknowmoreafterthemeetingofcourse,soI'llseeifIcanexplainmyselfbetter. Iunderstanddire ctorydesignforanenterprise,buthaveneverdonesoforainternetinstancethatwouldhaveselfregistration.Isuspecttherearesomedifferentlessonslearnedfromthatscenariosowascurious. Thanks, Jef Date:Thu,27Apr200615:31:33-0400From:[EMAIL PROTECTED]To:ActiveDir@mail.activedir.orgSubject:Re:[ActiveDir]InternetAuthenticationConcepts:Pointers?That'snotalottogoon,Jef.Canyougivesomemoreinformation?Forexample,thesepublicinternetsites?Are theywebonly?Whattypeofauthenticationisneeded?Whatwereyourplansforauthorization?AreyouplanningtousesomethinglikeSiteMinderorTivolior??tohelpyoudealwithauthorizationifusingwebsites?AlOn4/26/06,JefKazimer[EMAIL PROTECTED]wrote:Ok,hereissomethingI'mjuststartingtoresearch,andIthoughtmaybesomeoneherehassomepointersoradirectiontheycansteermein.Wearelookingatapotentialconsolidateddirectory/databasetocontain p;userregistrations(Selfregistrationandpossiblebulkload)formultiplepublicinternetsitesforproductsofourcompany.Iwaswonderingifthereareanypublishedscenariosthataddessthissolutionas astartingpointforconsideration.WearethinkingofusingapublicADforestasthepotentialrepository,butIamcuriousifthereareanylessonslearnedwhendesignedsuchascenario.Thanks, JefUpgradeforfreetoWindowsLiveMailbetaandyoucouldwinanAfricanSafariLearnmoreا~m Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/ Novirusfoundinthisincomingmessage. CheckedbyAVGFreeEdition
RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
Since it is "LDAP" I did look at some "friendlier" admin tools, but none really hit the mark for me. I believed that group looked at Softerra's tool, and there is the web based PHP LDAP manager, and also the C# LDAP manager tool. You can Live search the names or I can post the links here if you want. In the end I wrote my own as a .NET web app since I found them lacking. Yet as I said if I want to go global, I don't know if I want to position what I wrote without some major changes. :) J Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?Date: Fri, 28 Apr 2006 09:44:55 -0400From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org That’s a very good point. Does anyone know of any 3rd parties which improve the ADAM administrative UI “experience”? J. Fitzgerald (Fitz) Stewart Systems Architect IRM/OPS/ENM Worldwide Information Network Systems USAID/DoS IT Infrastructure Collaboration Program [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 703-866-7473 703-626-5741 (cell) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Friday, April 28, 2006 9:27 AMTo: ActiveDir@mail.activedir.orgSubject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers? Mylo, Thanks for the information! I have setup ADAM utilizing a custom web UI utilizing AZman for a small project before, but I have concerns about scalabilty. The issues are not with the ADAM instance at all, but the UI that is needed to manage ADAM. ADSIedit is great for someone who understands the directory, but it's not that user friendly for web application owners, helpdesk, etc. This was for a simple application of about 500 users, and it met their needs but I don't see this as a scalable solution from a global perspective. This will be a backend data store that contains the user identity, but the applications that utilize it will be of different flavors from DMZ hosted web apps, to externally hosted apps. The flavors of web apps will range from websphere, ColdFusion, .NET and I suspect some PHP apps. With AD, I guess I was thinking it has a well known support interface (though I am sure I would need to customize anyway...so I'm not sure that value is really there). So I was expecting to maybe find 3rd parties that do sit in front of this to manage the IDs stored. Though this could be AD or ADAM with ADAM being the most cost effective. This looks like siteMinder might be a good solution to manage all of these environments but I will need to look into that. I suppose I am getting ahead of myself, because I do not know the requirements as of yet, and I'm making assumptions that could be totally off the mark here. I guess it's a new environment and wanted to get some info ahead of before it was needed. :) Thanks again! Jef Date: Fri, 28 Apr 2006 01:40:09 +0200 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Internet Authentication Concepts: Pointers? Jef, AsAlpointedout,therearenumerousproductsfromvendorssuchas IBM/BEA/Oracle/RSA/Netegrity/Entrust/BaltimoreLabs(RIP)etcproviding web-basedauthentication/authorisationinfrontofAD.Sincefroma designpoint-of-viewit'sgenerallynotagoodideatostickADtoo closetotheInternet,oftenthesesolutionscompriseapresentation tier,e.g.withIIS(usingsomesortofISAPIplugins) thatth! enhooks intoyourbusinessn bsp;logic(e.g.middleware)oryourdatatier(e.g. LDAP/AD/SQL)...ifyouwanttolookatthisfromanMSpurist perspectivethenI'dsuggesthavingalookatn-Tiersolutionswithin theMSDNarea.Although,thishasamoredeveloperemphasisthanyou'll probablywant,itgivesagoodinsightintohowInternetauthentication works,particularly.NETaswellasolderproductssuchasSite Server/Commerce.. TrygooglingonAuthorizationManager(AZMan)togiveagoodexampleof howa& nbsp;role-basedmana! gementapproach(assumingawebt ier)withanAD backendwouldwork.AlsolookatADAMasaninitial'point'solution forInternetusagratherthanADalone. Youalsomentionedself-registrationandthiskicksoffanentirely differentthread(inmymindanyway)... 1.Whatareyouprovidingaccessto? 2.Whomareyouregisteringandforwhat? 3.Whatauthenticationmechanismdoyouwishtouse(username/password, certs,OTP). 4.Doyouneedtoprovidesomeformofauthorisationonceauthenticated as well?Whatformnb! sp;doesthisneedtotake? nb sp; Hopethishelps. Regards, Mylo ifyouneedaninitial JefKazimerwrote: Al, Iapologize,asIamgoingonlyonwhatlittleinformationIhave.IguessIwastryingtodosomepre-meetingreconworksinceIhadseenitmetionedhereabout25milinternetusersforsomepeople.Ihadassumedtheremightbesomescenariodocumentationforsuchathing. Iwillknowmoreafterthemeetingofcourse,soI'llseeifIcan explainmyselfbetter. Iunderstanddire ctorydesignforanenterprise,buthaveneverdonesoforainternetinstancethatwouldhaveselfregistration.Isuspecttherearesomedifferentlessonslearnedfromthatscenariosowascurious. Thanks, Jef Date:Thu,27Apr200615:31:33-0400From:[EMAIL PROTECTED]To:ActiveDir@mail
RE: [ActiveDir] Root Place Holder justification
Neil, In some ways they may be even more harmful. Network outages have their own fixes, hardware failures have replacements, deleted data (should) have backups. Solutions for bad process and policy due to architecture decisions? Not as cut and dry, and could be most costly in the long run as the problems compound. I know we just did an analysis of the cost of directory remediation due to cleaning up bad data stemming from bad processes. It is easily in the 6 digits when you factor in manpower, systems, delaying of applications due to bad data, etc. A root domain may not be the cause of such things, but how the environment will be managed and the pitfalls should be thought of. Jef Subject: RE: [ActiveDir] Root Place Holder justificationDate: Fri, 28 Apr 2006 15:20:45 +0100From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org I doubt a root domain would represent 'harm' in your terms, but then again, harm may mean different things to different people. From anarchitectural stance, harm means a whole lot more.What about added admin overhead; additional hardware costs, support and maintenance; additional complexities which are the result of deploying extra domains; etc etc. These are 'harmful' to the firm in the same way as a network outage is, IMHO. my 2 penneth, neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky HabeebSent: 28 April 2006 14:51To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Root Place Holder justification Gil, I hear that all the time, plus "Hey Rocky, where's Bullwinkle?" Heehee hee. Anyway, for people like me who couldn't see Dean and joe and all the rest of youse guys even if I had the Hubble telescope, because you're so far out there, and who go to bed each night praying, "Dear God, thank you for not putting me into Disaster Recovery Mode today!" harm means the network is down. Period. Case closed. End of story. That's harm in my book. Forget the actual reason, it's not important. In that situation, I don't care about economics or the fact that I have a couple extra servers in a root domain that technicallyI could have lived without. Ineed concrete, specific reasons why it is detrimental to have a root domain. Where am I gonna get hurt, in such a fashion that I won't have to worry about praying at night because I'll be spending all night at work rebuilding a Forest with a phone glued to my ear and some guy from Zimbabwe who claims to be working for PSS trying to help me? RH __ -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil KirkpatrickSent: Wednesday, April 26, 2006 6:27 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Root Place Holder justification Hey Rocky, Watch me pull a rabbit out of my hat! Sorry, just had to get that out of my system. Most people on the list won't have a clue as to what I'm talking about anyway... In any case, how do increased operational costs and overhead not qualify as "harm"? I'm confused by your question... -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky HabeebSent: Wednesday, April 26, 2006 12:03 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Root Place Holder justification "Where's the harm?" Don't tell me about economics or overhead or other things. Tell me where the "harm" is. Please. RH _ -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of [EMAIL PROTECTED]Sent: Wednesday, April 26, 2006 2:49 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Root Place Holder justification Jef, We don’t have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion. J AL Al Maurer Service Manager, Naming and Authentication Services IT | Information Technology Agilent Technologies (719) 590-2639; Telnet 590-2639 http://activedirectory.it.agilent.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Wednesday, April 26, 2006 9:51 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Root Place Holder justification Al, If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did. Maybe they should re-evaluate their service offerings. :) I admit I was wrong :) Jef Subject: RE: [ActiveDir] Root Place Holder justification Date: Wed, 26 Apr 2006 08:03:19 -0600 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Mark, I'minthesameplaceyouare:singleforest,singledomain,but30DCsinaglobaldeploym
RE: [ActiveDir] OT: Windows Vista - Windows Defender
works nice...but still no Xbox 360 support :( I want to test that piece :) Subject: RE: [ActiveDir] OT: Windows Vista - Windows DefenderDate: Fri, 28 Apr 2006 12:15:52 -0400From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org Have you tested MCE on it? 5342 MCE on a beefy box is like useless Thanks,Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. SmithSent: Friday, April 28, 2006 9:39 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Windows Vista - Windows Defender Yes. I loaded it two nights ago. Pretty cool. First build I’ve found comfortable to use (old POS box – no aero). From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian DesmondSent: Friday, April 28, 2006 12:44 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Windows Vista - Windows Defender I heard its techbeta only Thanks,Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Thursday, April 27, 2006 9:25 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Windows Vista - Windows Defender I just (like an hour ago) loaded Vista 5365 and it is in the Windows Security Center with the firewall, auto updates, and AV whiner. 5365 became available on connect a couple of days ago. It isn't up on MSDN yet. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.Sent: Thursday, April 27, 2006 1:08 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT: Windows Vista - Windows Defender We are evaluating Windows Vista Beta and are trying to locate the Windows Defender which Microsoft claims is installed by default on Vista, however it is not installed on our beta version and downloading it from the web it says that it is not supported on Vista. Any ideas? Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell [EMAIL PROTECTED] Join the next generation of Hotmail and you could win the adventure of a lifetime Learn More.
RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?
Joe, Good question. I would assume something similar to ADUC (dsa.msc) where you can use a standardized interface to manage users and the associated attributes. The problem I suppose is that ADAM can be utilized for many custom scenarios, that it would be hard to have a "standard" interface. this is why we have a simple web gui that just builds builds a tree view control to traverse the directory. Then selecting an object displays the templated attributes for that object type. Then we have some canned functionality (password reset, enable/disable,etc) on a toolbar for that user. I could build the same thing in a winForms gui, but that brings other headaches related to updates of different attributes added, etc. Since the app really can only function online, web based seemed an easier management and deployment task. I've always wanted to write custom ADUC DLLs because there is much more than I'd have liked to have done with ADUC, but alas, I only know .NET stuff. I am a CMD line purist so most of my stuff is done that way. Yet trying to get helpdesks to get understand switches versus pretty buttons isn't the easiest.:) Though I have to say...I've been having alot of fun with new stuff in te winFX gui programming :) Jef From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSubject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires.. WAS: Internet Authentication Concepts: Pointers?Date: Fri, 28 Apr 2006 15:46:16 -0400 I have some curiosity in this realm... What would everyone consider good things and requirements for an ADAM management tool. Even assuming, cough, GUI. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Friday, April 28, 2006 10:01 AMTo: ActiveDir@mail.activedir.orgSubject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers? Since it is "LDAP" I did look at some "friendlier" admin tools, but none really hit the mark for me. I believed that group looked at Softerra's tool, and there is the web based PHP LDAP manager, and also the C# LDAP manager tool. You can Live search the names or I can post the links here if you want. In the end I wrote my own as a .NET web app since I found them lacking. Yet as I said if I want to go global, I don't know if I want to position what I wrote without some major changes. :) J Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?Date: Fri, 28 Apr 2006 09:44:55 -0400From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org That’s a very good point. Does anyone know of any 3rd parties which improve the ADAM administrative UI “experience”? J. Fitzgerald (Fitz) Stewart Systems Architect IRM/OPS/ENM Worldwide Information Network Systems USAID/DoS IT Infrastructure Collaboration Program [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 703-866-7473 703-626-5741 (cell) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Friday, April 28, 2006 9:27 AMTo: ActiveDir@mail.activedir.orgSubject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers? Mylo, Thanks for the information! I have setup ADAM utilizing a custom web UI utilizing AZman for a small project before, but I have concerns about scalabilty. The issues are not with the ADAM instance at all, but the UI that is needed to manage ADAM. ADSIedit is great for someone who understands the directory, but it's not that user friendly for web application owners, helpdesk, etc. This was for a simple application of about 500 users, and it met their needs but I don't see this as a scalable solution from a global perspective. This will be a backend data store that contains the user identity, but the applications that utilize it will be of different flavors from DMZ hosted web apps, to externally hosted apps. The flavors of web apps will range from websphere, ColdFusion, .NET and I suspect some PHP apps. With AD, I guess I was thinking it has a well known support interface (though I am sure I would need to customize anyway...so I'm not sure that value is really there). So I was expecting to maybe find 3rd parties that do sit in front of this to manage the IDs stored. Though this could be AD or ADAM with ADAM being the most cost effective. This looks like siteMinder might be a good solution to manage all of these environments but I will need to look into that. I suppose I am getting ahead of myself, because I do not know the requirements as of yet, and I'm making assumptions that could be totally off the mark here. I guess it's a new environment and wanted to get some info ahead of before it was needed. :) Thanks again! Jef Date: Fri, 28 Apr 2006 01:40:09 +0200 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Internet Authentication Concepts: P
RE: [ActiveDir] Cleanup of AD accounts
We use "employeeType" with values of EMPLOYEE CONTRACTOR VENDOR SERVICE OTHER ADMIN Jef Subject: RE: [ActiveDir] Cleanup of AD accountsDate: Fri, 28 Apr 2006 16:04:42 -0500From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org Is there an attribute that's generallysafe to use, or are you suggesting we request an OID from Microsoftand make our own boolean "ourcompanyServiceAccount" attribute? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Friday, April 28, 2006 2:44 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Cleanup of AD accounts And I look and see that I received it. Glad you like oldcmp btw... :) First off, you don't need the -f option with the user filter in there, the -users will take care of that for you. Second off, no there is no mechanism in it right now to allow you to exclude accounts based on a text file. I would highly recommend to you as I have recommended to countless others that if you have accounts that aren't updating their passwords because they are set to non-expiring or you don't have a password policy and they are supposed to not be getting updated that you set up an attribute in AD to note that they are special like that. Most larger companies requires some sort of registration process for non-expiring Service IDs so that people can chase them down later and then you just stamp some attribute (existing or something you add) to the directory to flag them as special. Then you just use the -af switch to add the piece of the filter that lets you ignore them, alternatively put them in a special OU and either avoid that OU with the base you set in oldcmp or use the exclude DN switch whichshould be-excldn if I wasn't completely intoxicated when I coded it. :) You are welcome a bunch. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, RussSent: Friday, April 28, 2006 11:34 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Cleanup of AD accounts Joe - I sent you an e-mail, I figured maybe going to this list might get more input on this question as well: If I wanted to run an oldcmp -report 120 -users -sort cn -f "((objectcategory=person)(objectclass=user))" -format csv -delim , and then send it out to our remote administrators to 'remove any accounts you don't want disabled' and then take the final list and disable all remaining accounts that they didn't flag as still being used, how would I accomplish that? Is there a way to have oldcmp use a modified file as an import file for the accounts to disable? Our problem is we don't want to disable any service accounts that are actively being used, but we have a LOT of cleanup to do. How does everyone else handle this? Thanks a bunch, Russ ~~This e-mail is confidential, may contain proprietary informationof the Cooper Cameron Corporation and its operating Divisionsand may be confidential or privileged.This e-mail should be read, copied, disseminated and/or used onlyby the addressee. If you have received this message in error pleasedelete it, together with any attachments, from your system.~~ ~~This e-mail is confidential, may contain proprietary informationof the Cooper Cameron Corporation and its operating Divisionsand may be confidential or privileged.This e-mail should be read, copied, disseminated and/or used onlyby the addressee. If you have received this message in error pleasedelete it, together with any attachments, from your system.~~Upgrade for free to Windows Live Mail beta and you could win an African Safari Learn more
RE: [ActiveDir] OT: Windows Vista - Windows Defender
You have me salivating What is the program name? I do not see it under the availiable programs listing. Subject: RE: [ActiveDir] OT: Windows Vista - Windows DefenderDate: Fri, 28 Apr 2006 19:00:32 -0400From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org Do you have access to connect? If you do you can nominate yourself to test said functionality. Thanks,Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Friday, April 28, 2006 1:17 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Windows Vista - Windows Defender works nice...but still no Xbox 360 support :( I want to test that piece :) Subject: RE: [ActiveDir] OT: Windows Vista - Windows DefenderDate: Fri, 28 Apr 2006 12:15:52 -0400From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org Have you tested MCE on it? 5342 MCE on a beefy box is like useless Thanks,Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. SmithSent: Friday, April 28, 2006 9:39 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Windows Vista - Windows Defender Yes. I loaded it two nights ago. Pretty cool. First build I’ve found comfortable to use (old POS box – no aero). From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian DesmondSent: Friday, April 28, 2006 12:44 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Windows Vista - Windows Defender I heard its techbeta only Thanks,Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Thursday, April 27, 2006 9:25 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Windows Vista - Windows Defender I just (like an hour ago) loaded Vista 5365 and it is in the Windows Security Center with the firewall, auto updates, and AV whiner. 5365 became available on connect a couple of days ago. It isn't up on MSDN yet. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.Sent: Thursday, April 27, 2006 1:08 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT: Windows Vista - Windows Defender We are evaluating Windows Vista Beta and are trying to locate the Windows Defender which Microsoft claims is installed by default on Vista, however it is not installed on our beta version and downloading it from the web it says that it is not supported on Vista. Any ideas? Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell [EMAIL PROTECTED] Join the next generation of Hotmail and you could win the adventure of a lifetime Learn More.Upgrade for free to Windows Live Mail beta and you could win an African Safari Learn more
RE: [ActiveDir] OT: Windows Vista - Windows Defender
Just curious Does the Vista MCE allow Divx playback for the extender? The MCE Transcoder is a life saver to play Divx and Xvid on the Xbox 360 MCE-E. Subject: RE: [ActiveDir] OT: Windows Vista - Windows DefenderDate: Fri, 28 Apr 2006 19:03:07 -0400From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org What is it you’re going to put on the command prompt background anyway? A semi transparent playboy centerfold to look at while you program? I’m downloading 5365 now since I busted my MCE I’m either going to fix it with that or revert to SP2. Thanks,Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Friday, April 28, 2006 3:12 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Windows Vista - Windows Defender If someone would just write some XBOX 360 Admin tools for Active Directory we would have a whole giant pool of amazing AD Admins. The way my brothers and cousins master those games it would be amazing to see them go after AD that way. Haven't tried the MCE stuff yet but was going to play for a week and then install, now Brian has scared me. I just have to say again that this interface is beautiful. I am a command prompt guy and think that if you log into a server all you should see is black and white (orblack andgreen if you are one of those green screen weird types) text but the workstation should look amazing. Still want my transparent command prompts with custom backgrounds though... With all of the RSS stuff built in I have to start thinking about what cool kind of things I can publish through RSS from AD to have it just feed in and display for me. I am visualizing object add counts, etc that would normally be in a report you have to go chase down. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Friday, April 28, 2006 1:17 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Windows Vista - Windows Defender works nice...but still no Xbox 360 support :( I want to test that piece :) Subject: RE: [ActiveDir] OT: Windows Vista - Windows DefenderDate: Fri, 28 Apr 2006 12:15:52 -0400From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org Have you tested MCE on it? 5342 MCE on a beefy box is like useless Thanks,Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. SmithSent: Friday, April 28, 2006 9:39 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Windows Vista - Windows Defender Yes. I loaded it two nights ago. Pretty cool. First build I’ve found comfortable to use (old POS box – no aero). From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian DesmondSent: Friday, April 28, 2006 12:44 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Windows Vista - Windows Defender I heard its techbeta only Thanks,Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Thursday, April 27, 2006 9:25 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OT: Windows Vista - Windows Defender I just (like an hour ago) loaded Vista 5365 and it is in the Windows Security Center with the firewall, auto updates, and AV whiner. 5365 became available on connect a couple of days ago. It isn't up on MSDN yet. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.Sent: Thursday, April 27, 2006 1:08 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] OT: Windows Vista - Windows Defender We are evaluating Windows Vista Beta and are trying to locate the Windows Defender which Microsoft claims is installed by default on Vista, however it is not installed on our beta version and downloading it from the web it says that it is not supported on Vista. Any ideas? Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell [EMAIL PROTECTED] Join the next generation of Hotmail and you could win the adventure of a lifetime Learn More. Join the next generation of Hotmail and you could win a trip to Africa Upgrade today
RE: Re: [ActiveDir] How Secure is a Domain Controller?
This has been making the rounds as of late, so I am not sure if it has been posted here: Security Myths and Passwords by Prof. Spafford and something from 2002: Ten Windows Password Myths Now...where I am, Smart Card integration into physical building access is becoming a reality, so I'm really interested to see how this pans out. Date: Sun, 30 Apr 2006 12:33:45 -0400 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How Secure is a Domain Controller? The answer to that last isn't terribly difficult. Just ask yourself what is it that every administrator has to take to work every day? Likely, it's an id badge/card key. Very few companies issue keys any longer because it's too expensive to maintain and too difficult to change as employees leave or you move buildings. But administrators often need all-hours access so what to do? Go to card key access. So it would be a far stretch to issue administrators (possibly only administrators?) card keys that are also smart cards. You may be wondering if it's better than a Securid? Depends, but chances are good you'll need to have something added to the servers regardless of the method whether it's a piece of software or usb key reader, or... ? Anyhow, there are ways to do that for administrators, but you do have to figure out what comes to work with the admin . Nobody gets in the door without a card key in many places I've seen. If you let just anybody in the door regardless of identification or physical device (key) then what's the point of locking the applications again? I don't think I've yet bought into the longnastypasswords yet. In theory and concept it seems great. But I've seen mixed results and I've seen some of the same issues that users have when it comes to complex passwords - they find convenience in subversion. Is that right? No, but you'll have to take the 8th layer into account if you're going to come up with a good solution to this problem. Some more definition of the problem is helpful as well. Al P.S. Can you read this one, joe? :) On 4/28/06, joe [EMAIL PROTECTED] wrote: This is old, I sort of apologize. This is a topic some of us have debated in circles over on the MVP / MS Private Security List Server multiple times as well. It is always fun because the opinions are all over. I have some thoughts for it. 1. A passphr ase is just like a password only you have bigger chunks or password building blocks, as soon as this becomes common practice or is forced across an entire environment the cracking tools just need to work towards adopting this mechanism as well, instead of looping through letters, you loop through words. This is done to a limited extent now but it could be done much more efficiently, especially if the domain policy says you need 20 characters or something. \ 2. You don't set 90 day password expiration to only prevent brute force attacks. You use it to lessen how far out a password reaches. People are horrible with secrets, how many of you as support techs have walked up to a desk and said, yeah what is your password and then gotten it? Or maybe looked at the sticky notes on the monitor, or if the person was really secure look in the bottom drawer. Now, assume you aren't the only person smart enough to ask for that password or look. So now the password is out there... How long do you wan t it to be valid for before knocking it down? For normal users I don't like policies less than 91 days (user exercise to figure out why 91 instead of 90 days , I have mentioned it before), it is just plain annoying and a 30 or 60 day normal user policy is almost guaranteeing some sort of pattern or written down password. Now for admin accounts password changes every 30 days I don't have much trouble with. With service/application IDs I don't have a problem with password changes every day. It can be implemented, I have done it. It just isn't easy nor the default. Certainly I cringe whenever I hear about someone who has a very important very powerful service ID and are asking how to make it non-expiring... Just kills me. There was one critical application (Corporate Web Portal) whose password I accidently saw when doing a trace on a domain controller looking at LDAP packets (LDAP simple bind in the clear) and it was a very memorable password, it was the name of an enemy of Superman; the on e who didn't have any vowels in his name. I immediately approached the app owners to say bad bad bad from many angles. They said thanks. I was fired from that position... Then I got rehired 6 months later, did another network trace and guess what ID and password I saw again... Why didn't they change the password? Because the app made it difficult. That is not a good reason. The reference to the -500 accounts is accurate. Very long nasty passwords that got locked into envelopes. Never used
RE: Re: [ActiveDir] How Secure is a Domain Controller?
HmmmI think my links got stripped there : SecurityMythsandPasswordsbyProf.Spafford http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/ TenWindowsPasswordMyths http://www.securityfocus.com/infocus/1554 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Subject: RE: Re: [ActiveDir] How Secure is a Domain Controller? Date: Sun, 30 Apr 2006 11:44:55 -0500 Thishasbeenmakingtheroundsasoflate,soIamnotsureifithasbeenpostedhere: SecurityMythsandPasswordsbyProf.Spafford andsomethingfrom2002: TenWindowsPasswordMyths Now...whereIam,SmartCardintegrationintophysicalbuildingaccessisbecomingareality,soI'mreallyinterestedtoseehowthispansout.Date:Sun,30Apr200612:33:45-0400From :[EMAIL PROTECTED]To:ActiveDir@mail.activedir.orgSubject:Re:[ActiveDir]HowSecureisaDomainController?Theanswertothatlastisn'tterriblydifficult.Justaskyourselfwhatisitthateveryadministratorhastotaketoworkeveryday?Likely,it'sanidbadge/cardkey.Veryfewcompaniesissuekeysanylongerbecauseit'stooexpensivetomaintainandtoodifficulttochangeasemployeesleaveoryoumovebuildings.Butadministratorsoftenneedall-hoursaccesssowhattodo?Gotocardkeyaccess.Soitwouldbeafar stretchtoissueadministrators(possiblyonlyadministrators?)cardkeysthatarealsosmartcards.Youmaybewonderingifit'sbetterthanaSecurid?Depends,butchancesaregoodyou'llneedtohavesomethingaddedtotheserversregardlessofthemethodwhetherit'sapieceofsoftwareorusbkeyreader,or...?Anyhow,therearewaystodothatforadministrators,butyoudohavetofigureoutwhatcomestoworkwiththeadmin .NobodygetsinthedoorwithoutacardkeyinmanyplacesI'veseen.If p;youletjustanybodyinthedoorregardlessofidentificationorphysicaldevice(key)thenwhat'sthepointoflockingtheapplicationsagain?Idon'tthinkI'veyetboughtintothelongnastypasswordsyet.Intheoryandconceptitseemsgreat.ButI'veseenmixedresultsandI'veseensomeofthesameissuesthatusershavewhenitcomestocomplexpasswords-theyfindconvenienceinsubversion.Isthatright?No,butyou'llhavetotakethe8thlayerintoaccountifyou'regoingtocomeupwithagoodsolutiontothis problem.Somemoredefinitionoftheproblemishelpfulaswell.AlP.S.Canyoureadthisone,joe?:)On4/28/06,joe[EMAIL PROTECTED]wrote:Thisisold,Isortofapologize.ThisisatopicsomeofushavedebatedincirclesoverontheMVP/MSPrivateSecurityListServermultipletimesaswell.Itisalwaysfunbecausetheopinionsareallover.Ihavesomethoughtsforit.1.Apassphr aseisjustlikeapasswordonlyyouhavebigger"chunks" orpasswordbuildingblocks,assoonasthisbecomescommonpracticeorisforcedacrossanentireenvironmentthecrackingtoolsjustneedtoworktowardsadoptingthismechanismaswell,insteadofloopingthroughletters,youloopthroughwords.Thisisdonetoalimitedextentnowbutitcouldbedonemuchmoreefficiently,especiallyifthedomainpolicysaysyouneed20charactersorsomething.\2.Youdon'tset90daypasswordexpirationtoonlypreventbruteforceattacks.Youusei ttolessenhowfaroutapasswordreaches.Peoplearehorriblewithsecrets,howmanyofyouassupporttechshavewalkeduptoadeskandsaid,yeahwhatisyourpasswordandthengottenit?Ormaybelookedatthestickynotesonthemonitor,orifthepersonwasreallysecurelookinthebottomdrawer.Now,assumeyouaren'ttheonlypersonsmartenoughtoaskforthatpasswordorlook.Sonowthepasswordisoutthere...Howlongdoyouwan tittobevalidforbeforeknocking itdown?FornormalusersIdon'tlikepolicieslessthan91days(userexercisetofigureoutwhy91insteadof90days,Ihavementioneditbefore),itisjustplainannoyinganda30or60daynormaluserpolicyisalmostguaranteeingsomesortofpatternorwrittendownpassword.Nowforadminaccountspasswordchangesevery30daysIdon'thavemuchtroublewith.Withservice/applicationIDsIdon'thaveaproblemwithpasswordchangeseveryday.Itcanbeimplemented,Ihave sp;doneit.Itjustisn'teasynorthedefault.CertainlyIcringewheneverIhearaboutsomeonewhohasaveryimportantverypowerfulserviceIDandareaskinghowtomakeitnon-expiring...Justkillsme.Therewasonecriticalapplication(CorporateWebPortal)whosepasswordIaccidentlysawwhendoingatraceonadomaincontrollerlookingatLDAPpackets(LDAPsimplebindintheclear)anditwasaverymemorablepassword,itwasthenameofanenemyofSuperman;theon ewhodidn'thave bsp;anyvowelsinhisname.Iimmediatelyapproachedtheappownerstosaybadbadbadfrommanyangles.Theysaidthanks.Iwasfiredfromthatposition...ThenIgotrehired6monthslater,didanothernetworktraceandguesswhatIDandpasswordIsawagain...Whydidn'ttheychangethepassword?Becausetheappmadeitdifficult.Thatisnotagoodreason.Thereferencetothe-500accountsisaccurate.Verylongnastypasswordsthatgotlockedintoenvelopes.Neverusedthoseaccou ntsinthe5orsoyearsImighthaveneededareason.Whynotworryaboutchangingthem?Therewasn'tasoulthatcouldrememberthemandnooneusedtheaccountssowesimplymonitoredauthentications(goodandbad)andpasswordchangesfortheaccount.Anyhitonanyofthemmeantsomethingtolookintothoughbadhitswereprettycommon.Thoughtson2-factor?Thesecondfactor(nottheoneyouknowbuttheoneyouhave)needstobesomethingpeoplecan'tforgettobring sp;toworkw
RE: [ActiveDir] TScmd help
Mike, Can you use ADfind and ADmod for this? ADfind -h DC -Default -f "(TSpath=Blah)" -dsq | ADMOD tspath::NewPath Now I don't remember f TS path (I know it's not the attribute name so you will need to look at it) is a string value or if t's contained in that blob value with the other TS settings. just an Idea Subject: [ActiveDir] TScmd help Date: Wed, 3 May 2006 15:12:42 -0600 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org IneedtotryandfinduserswhohaveacertainTSProfilepathand changetheservername. ItisW2K/W2K3mixed. Ihavegoogledandhavetscmd,butcantellIwillbeneedingtodosome voodooalso.Anyhelpisappreciated. MikeHutchins SysAdmin [EMAIL PROTECTED] Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/Upgrade for free to Windows Live Mail beta and you could win an African Safari Learn more
RE: [ActiveDir] TScmd help
Mike, Scratch that. It is not the string I was thinking about. I'm sure Joe will know though :) From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] TScmd helpDate: Wed, 3 May 2006 16:38:42 -0500 Mike, Can you use ADfind and ADmod for this? ADfind -h DC -Default -f "(TSpath=Blah)" -dsq | ADMOD tspath::NewPath Now I don't remember f TS path (I know it's not the attribute name so you will need to look at it) is a string value or if t's contained in that blob value with the other TS settings. just an Idea Subject: [ActiveDir] TScmd help Date: Wed, 3 May 2006 15:12:42 -0600 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org IneedtotryandfinduserswhohaveacertainTSProfilepathand changetheservername. ItisW2K/W2K3mixed. Ihavegoogledandhavetscmd,butcantellIwillbeneedingtodosome voodooalso.Anyhelpisappreciated. MikeHutchins SysAdmin [EMAIL PROTECTED] Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/ Upgrade for free to Windows Live Mail beta and you could win an African Safari Learn moreEnter the Windows Live Mail beta sweepstakes Upgrade today
RE: [ActiveDir] TScmd help
My first travesty with said blos, was when an admin could not reset a users password via the MMC. After some PSS support, it turns out it was the NWCLIENT attributes stored in the userParameters field. As it turns out these users in the NT4 days had the Netware client piece, and when they were migrated with ADMT to 2000, this nugget came with it. The solution? Just clear the userParameters attribute for all affected users if I remember. I think there is a KB article on it now. From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] TScmd helpDate: Wed, 3 May 2006 19:05:10 -0400 Joe? joe?me? The TS Attributes are stored in an amazingly efficient and highly useful format called a blob. Blob as you may or may not know stands for Big Lump of a, Ok, for now on we will call what the TS attributes are stored in a Blos. So this Blos is keptin the userParameters attribute. It is a form of a name value pair setup but is entirely undocumented by MS and dorking with it is surely going to impact how PSS supports you when you encounter an issue. Instead of hearing the ubiquitous "That is By Design" or "I need you to crash the server and send us a dump" you will hear the almost as ubiquitous "That is unsupported" or "You are Unsupportable in that state". There have been some attempts in the SAMBA space to decode that information and I am not at liberty to say how they are doing on it but keep in mind, they may not have access to all different configs using that attribute because TS attributes are not the only ones that go in there. Yes, Microsoft had the opportunity to fix the issues with that and userAccountControl 6+ years ago with the release of AD and yes they did refuse that opportunity. On the positive side some thought is now going into userAccountControl nowadays with ADAM though it is still quite quite. quite rough. TS attributes unfortunately, are still dorked. I don't see that they are attempting to clean it up either, maybe they (MSFT) are hoping they (the attributes) will just get sick and tired of being treated like second class citizens and just go away. When people ask me about setting them with admod I tend to say, go away, don't come back until you grow up and become real attributes. You can set it with admod right now, you just need to know the actual binary chunk to send into admod to do it. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Wednesday, May 03, 2006 5:50 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] TScmd help Mike, Scratch that. It is not the string I was thinking about. I'm sure Joe will know though :) From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] TScmd helpDate: Wed, 3 May 2006 16:38:42 -0500 Mike, Can you use ADfind and ADmod for this? ADfind -h DC -Default -f "(TSpath=Blah)" -dsq | ADMOD tspath::NewPath Now I don't remember f TS path (I know it's not the attribute name so you will need to look at it) is a string value or if t's contained in that blob value with the other TS settings. just an Idea Subject: [ActiveDir] TScmd help Date: Wed, 3 May 2006 15:12:42 -0600 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org IneedtotryandfinduserswhohaveacertainTSProfilepathand changetheservername. ItisW2K/W2K3mixed. Ihavegoogledandhavetscmd,butcantellIwillbeneedingtodosome voodooalso.Anyhelpisappreciated. MikeHutchins SysAdmin [EMAIL PROTECTED] Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/ Upgrade for free to Windows Live Mail beta and you could win an African Safari Learn more Enter the Windows Live Mail beta sweepstakes Upgrade today Join the next generation of Hotmail and you could win a trip to Africa Upgrade today
RE: [ActiveDir] TScmd help
I meant that was the advice we were given from PSS on how to solve the problem. :) Though...we did end up clearing it after finding out they were not TS users. From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] TScmd helpDate: Thu, 4 May 2006 21:17:34 -0400 Yes some Novell stuff can be found in there as well as some other things I have heard of through the years. Just clearing that attribute is a great idea... especially if you use Novell stuff as well as TS stuff. :) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Wednesday, May 03, 2006 10:51 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] TScmd help My first travesty with said blos, was when an admin could not reset a users password via the MMC. After some PSS support, it turns out it was the NWCLIENT attributes stored in the userParameters field. As it turns out these users in the NT4 days had the Netware client piece, and when they were migrated with ADMT to 2000, this nugget came with it. The solution? Just clear the userParameters attribute for all affected users if I remember. I think there is a KB article on it now. From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] TScmd helpDate: Wed, 3 May 2006 19:05:10 -0400 Joe? joe?me? The TS Attributes are stored in an amazingly efficient and highly useful format called a blob. Blob as you may or may not know stands for Big Lump of a, Ok, for now on we will call what the TS attributes are stored in a Blos. So this Blos is keptin the userParameters attribute. It is a form of a name value pair setup but is entirely undocumented by MS and dorking with it is surely going to impact how PSS supports you when you encounter an issue. Instead of hearing the ubiquitous "That is By Design" or "I need you to crash the server and send us a dump" you will hear the almost as ubiquitous "That is unsupported" or "You are Unsupportable in that state". There have been some attempts in the SAMBA space to decode that information and I am not at liberty to say how they are doing on it but keep in mind, they may not have access to all different configs using that attribute because TS attributes are not the only ones that go in there. Yes, Microsoft had the opportunity to fix the issues with that and userAccountControl 6+ years ago with the release of AD and yes they did refuse that opportunity. On the positive side some thought is now going into userAccountControl nowadays with ADAM though it is still quite quite. quite rough. TS attributes unfortunately, are still dorked. I don't see that they are attempting to clean it up either, maybe they (MSFT) are hoping they (the attributes) will just get sick and tired of being treated like second class citizens and just go away. When people ask me about setting them with admod I tend to say, go away, don't come back until you grow up and become real attributes. You can set it with admod right now, you just need to know the actual binary chunk to send into admod to do it. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Wednesday, May 03, 2006 5:50 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] TScmd help Mike, Scratch that. It is not the string I was thinking about. I'm sure Joe will know though :) From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] TScmd helpDate: Wed, 3 May 2006 16:38:42 -0500 Mike, Can you use ADfind and ADmod for this? ADfind -h DC -Default -f "(TSpath=Blah)" -dsq | ADMOD tspath::NewPath Now I don't remember f TS path (I know it's not the attribute name so you will need to look at it) is a string value or if t's contained in that blob value with the other TS settings. just an Idea Subject: [ActiveDir] TScmd help Date: Wed, 3 May 2006 15:12:42 -0600 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org IneedtotryandfinduserswhohaveacertainTSProfilepathand changetheservername. ItisW2K/W2K3mixed. Ihavegoogledandhavetscmd,butcantellIwillbeneedingtodosome voodooalso.Anyhelpisappreciated. MikeHutchins SysAdmin [EMAIL PROTECTED] Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/ Upgrade for free to Windows Live Mail beta and you could win an African Safari Learn more Enter the Windows Live Mail beta sweepstakes Upgrade today Join the next generation of Hotmail and you could win a trip to Africa Upgrade today Upgrade for free to Windows Live Mail beta and you could win an African Safari Learn more
RE: [ActiveDir] TScmd help
Joe, I don't remember if they told us to check if they are TS users or not to be honest as this was almost 2 years ago. I do remember that he symptoms were quite odd in that the error message dialog box would throw out an obscure error that could not be found in any online resource. They said they had to pull it out of a source code comment reference which lead them down the NWCLIENT trail. I remember writing something to identity the users in the directory that culd be affected by this issue, an someone did remediate them. Through the years of getting support ( and giving it) I've found it best to ALWAYS question the actions you are being told, because people do make mistakes. I hate the excuse "Well I was told to do this." and they didn't think it through before doing it. This reminds me of a tech who noticed a certain service was using alot of CPU time on our Domain Controllers. He figured it might be a problem, so he killed the exe that was eating the CPU time because the OPs guy suggested it. I guess he thought this little exe would just restart and be fine because it had an obscure name he did not recognize..LSASS.EXE :) And then he wondered why authentication problem tickets came in at that site... J From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] TScmd helpDate: Fri, 5 May 2006 08:24:47 -0400 Oh sorry, yes, I completely understand that advice came from PSS from your previous post, I should have put the "Thanks PSS" on there too. :) Did PSS actually say to check of they were TS Users? I wouldn't be surprised if they hadn't. A lot of the help and direction doesn't come with much insight unless you get the "right" PSS people. Which ones are the "right" ones... the ones that are good of course, I don't believe MSFT breeds for them or even tests for them, they just sort of happen and then once you find them you don't want to let go. I once received an email from an old coworker still working for the former employeer asking if I heard this from PSS what would I have done... Keep in mind that this employee was in the USA and there was no local support where the server was other than say a janitor and a secretary nor hardware level remote control capability "This server you have in insert name of some small almost third world European nation, you want to disable NET LOGON and then reboot it and then we can check out the results..." and then 30-60 minutes later a call back from PSS "Hold on, don't do that yet, that may not be a good idea...". Then the coworker responding to PSS, "We already did, what now???" My response was that I would have openly laughed at the PSS guy as soon as he said the first thing and said go get your dad, I need to talk to a grownup. Yes that is insulting but if you are paying for best in class support, you better get it, if not, you insult them until they get you someone who will give you that support. I was once told, but if you insult them, they will remember you and won't want to work with you again. My response to that... If I am at the point that I am going to insult them, I would rather they not work with me again and better they spend their time filtering themselves out from me than spending my time while I filter them out. Plus I have learned that just asking for someone else isn't going to help you as evidenced by a problem I have been working through my current employer with PSS, the problem is approaching the one year point now, I have to be nice though, those are the rules I have to follow. If I didn't have to be nice, I can pretty much guarantee I wouldn't still be waiting for responses. I would have talked to the top person and they would either correct or have said no. Instead, I am treated like any customer who doesn't know better and sitting here not knowing anything about what PSS is doing. I have accomplished great things or at least brought great visibility to things within MSFT by being an extreme pain in the tush and making engineers feel stupid and making them want to "prove me wrong". I dislike very much that I have to do things that way but have been taught, that is how I can get results with them. Ditto for the Exchange Dev folks. The DS Dev folks on the other hand, they are great, you talk to them and they listen. They may not agree with you but they will talk to you and explain why they can't do what you are asking or what is wrong with what you want changed. They have some bad apples of course, but in that case, the barrel is mostly good apples and you aren't trying to pick and choose who you deal with, you can take a random deal and almost always be ok. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Thursday, May 04, 2006 10:28 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir
RE: Re: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?
Hmm.reading the PDF at : http://download.microsoft.com/download/5/8/e/58ededaf-4de0-4fd3-b500-8a8f6bbfe1f4/ADRAP_Datasheet_v1.0t_English.pdf Is this something to have running where MOM is not running? It seems alot of his can be done via MOM, thought not as slick of a consolidated interface. Sort of like a all in one package? Jef Date: Mon, 8 May 2006 21:35:13 +0200 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it? FreddyHARTONOwrote: Isitusefulatall?Wearedoingtheadriskassessmentfrommicrosoft (adrap)-anyonehasexperiencesorisusingthemextensively?Seemsto beguimodeonly? Thankyouandhaveasplendidday! Isawitinactionasoneofengineersuseditanditisusefultoolto gatherdataandpresentis-itutilizesalotofLDAPqueriesaswell asoutputfromvariousothertoolsandscripts,andgivesYouthis"on thehand"innicelook. IMOforpeoplewhoknowsalittleaboutADthismaybereallynicetool touse. -- TomaszOnyszko http://www.w2k.pl/blog/-(PL) http://blogs.dirteam.com/blogs/tomek/-(EN) Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/Enter the Windows Live Mail beta sweepstakes Upgrade today
RE: [ActiveDir] GPO
John, Just curious, was these option *ONLY* availiable in XP SP2? Any hope it exists in Windows Server 2003 SP1? :) Thanks, Jef From: [EMAIL PROTECTED] Subject: RE: [ActiveDir] GPO To: ActiveDir@mail.activedir.org Date: Wed, 10 May 2006 08:49:21 -0500 HiPeter... IftheclientsareSP2,youcanusethebottombox,touseitadditively. Theyfinallyfixedit. Youusethebottombox,kindabackwardsrelativetothetop...So,youwould sayforthegroupDomainUsers,thenthatitisalwaysamemberofthe localpowerusersgroup.Youcanevenjustbrowsetothat,ifyoujust pickthelocalmachineasthelocation. Hopethishelps, John "PeterJohnson" [EMAIL PROTECTED] Sentby:To [EMAIL PROTECTED]ActiveDir@mail.activedir.org ail.activedir.orgcc Subject 05/10/200608:39RE:[ActiveDir]GPO AM Pleaserespondto [EMAIL PROTECTED] tivedir.org HiJohn Istheresomewaytodefineadditiveversusreplacementasthelasttime Itriedthisitdidahardreplacement. -OriginalMessage- From:[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]OnBehalfOf [EMAIL PROTECTED] Sent:10May200614:57 To:ActiveDir@mail.activedir.org Subject:Re:[ActiveDir]GPO HiChristine.. Youcanusetherestrictedgroupsfunctiontoaddsaydomainusersto the powerusersgrouponthelocalmachine.It'salittletrickyasone functionofitwillreplaceanyothermembersofthepowerusersgroup, shouldtherebeany.AsofXPSP2though,youcandoitadditive, instead ofreplacing. Hopethishelps... John "ChristineAllen" Christine.Allen@ bmchp.org To Sentby:"ActiveDir@mail.activedir.org" [EMAIL PROTECTED]'ActiveDir@mail.activedir.org' ail.activedir.org ccSubject 05/10/200607:46[ActiveDir]GPO AM Pleaserespondto [EMAIL PROTECTED] tivedir.org Hello, Isthereawaytochangelocalcomputerrightsviaagpo.Wewouldlike to addouruserstothePowerusersgrouptodistributesoftware,thentake aboutthatrightafterthesoftwarehasbeendeployed. -Christine ChristineN.Allen SystemsEngineer BMCHealthNetPlan 2CopleyPlace Boston,MA02116 617-748-6034 617-293-4407 [EMAIL PROTECTED]Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive: http://www.mail-archive.com/activedir%40mail.activedir.org/ Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/ Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/Join the next generation of Hotmail and you could win the adventure of a lifetime Learn More.
RE: Re: [ActiveDir] DNS on a DC or NOT
We have it on all of our DCs as well worldwide and have not seen an issue. But a question about integrated zones. I had an issue recently where a system owner wanted to know if people were resolving an old CNAME for one of their systems. They wanted to remove it from the zone, but wanted to verify it was not being used. I thought about putting auditing on for the CNAME in question, and then just collect the logs from the DNS servers. Unfortunately it was a non integrated zone and this could not be done. :( Does anyone use DNS Application partitions for certain zones? Date: Wed, 17 May 2006 09:56:16 -0400From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] DNS on a DC or NOT Depending on how many DCs youhave in your environment, this might be a non-issue overall. We have DNS on all our DCs, and no adversity has been observed thus far... -ASB On 5/17/06, Krenceski, William [EMAIL PROTECTED] wrote: This one http://blogs.dirteam.com/blogs/carlos/archive/2006/05/10/939.aspx From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of ASBSent: Wednesday, May 17, 2006 9:20 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DNS on a DC or NOT Which blog entry... -ASB On 5/17/06, Krenceski, William [EMAIL PROTECTED] wrote: I was reading Carlos's blog about not running DNS on the PDC emulator. It all makes perfect sense to not have DNS running on it. In my relatively small setup we have @60 servers, 560pc's, on 8 networks (some remote some vlans). I have 2 DC's at my main site with one at each remote site. All DC's are GC and DNS. I always thought that in order for DNS to work as AD integrated you're DNS servers had to be DC's.If that is NOT truemy face is red for believing so for so long. William Krenceski Network Administrator [EMAIL PROTECTED] Crush! Zap! Destroy! Junk e-mail trembles before the might of Windows Live(tm) Mail beta. Windows Live(tm) Mail beta
RE: Re: [ActiveDir] DNS on a DC or NOT
joe, I had considered the cache issue, but I figured that since it would be an integrated zone, it would exist on multiple DNS servers. So if eachDNS serverread the record once, it would generate enough audit flags to let us know it is still being used globally. :) As I said, it was a standard primary zone, so it was not a viable option anyway. :( I forget that auditiing applies to integrated zones, so I never think of utilizing it anyway. thanks, Jef From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSubject: RE: Re: [ActiveDir] DNS on a DC or NOTDate: Wed, 17 May 2006 12:13:49 -0400 Too bad you couldn't enable request logging in DNS itself. Auditing the entry is only going to tell you at least one thing asked for it, once in the cache, who knows how many asked. Scale is everything. :) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Wednesday, May 17, 2006 10:37 AMTo: ActiveDir@mail.activedir.orgSubject: RE: Re: [ActiveDir] DNS on a DC or NOT We have it on all of our DCs as well worldwide and have not seen an issue.But a question about integrated zones. I had an issue recently where a system owner wanted to know if people were resolving an old CNAME for one of their systems. They wanted to remove it from the zone, but wanted to verify it was not being used. I thought about putting auditing on for the CNAME in question, and then just collect the logs from the DNS servers. Unfortunately it was a non integrated zone and this could not be done. :(Does anyone use DNS Application partitions for certain zones? Date: Wed, 17 May 2006 09:56:16 -0400From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] DNS on a DC or NOT Depending on how many DCs youhave in your environment, this might be a non-issue overall. We have DNS on all our DCs, and no adversity has been observed thus far... -ASB On 5/17/06, Krenceski, William [EMAIL PROTECTED] wrote: This one http://blogs.dirteam.com/blogs/carlos/archive/2006/05/10/939.aspx From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of ASBSent: Wednesday, May 17, 2006 9:20 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DNS on a DC or NOT Which blog entry... -ASB On 5/17/06, Krenceski, William [EMAIL PROTECTED] wrote: I was reading Carlos's blog about not running DNS on the PDC emulator. It all makes perfect sense to not have DNS running on it. In my relatively small setup we have @60 servers, 560pc's, on 8 networks (some remote some vlans). I have 2 DC's at my main site with one at each remote site. All DC's are GC and DNS. I always thought that in order for DNS to work as AD integrated you're DNS servers had to be DC's.If that is NOT truemy face is red for believing so for so long. William Krenceski Network Administrator [EMAIL PROTECTED] Crush! Zap! Destroy! Junk e-mail trembles before the might of Windows Live(tm) Mail beta. Windows Live(tm) Mail beta Crush! Zap! Destroy! Junk e-mail trembles before the might of Windows Live(tm) Mail beta. Windows Live(tm) Mail beta
RE: [ActiveDir] [OT] DNS on a DC or NOT
I think my company users Lotus Notes just because it doesn't integrate with anything so less headaches. :( From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] [OT] DNS on a DC or NOT Date: Wed, 17 May 2006 15:32:15 -0400 NoIsaveupmyDstrengthsoICANtalkaboutExchange.Italkaboutand troubleshootExchangemorethananyADpersonwhohatesExchangethatI know.:o) DeanandIjusthadourannual(orisitquarterly)IMdebateonADIDNS.We apparentlyhavenoinfluenceovereachother'sopinionsinthismatter. joe -- O'ReillyActiveDirectoryThirdEdition- http://www.joeware.net/win/ad3e.htm -OriginalMessage- From:[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]OnBehalfOfLauraE.Hunter Sent:Wednesday,May17,20063:08PM To:ActiveDir@mail.activedir.org Subject:Re:[ActiveDir]DNSonaDCorNOT On5/17/06,joe[EMAIL PROTECTED]wrote: ButenoughaboutDNS,Idon'tspeakaboutservicesthatstartwithD. Youhavetodrawthelinesomewhere.DFS,DNS,DHCP,DamnSQL Server...Yougetthedrift.;) Doesn't'Exchange'startwithan'E',though?Orarewedismissingthatas an"Offby1"error? Laura Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/ Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/Crush! Zap! Destroy! Junk e-mail trembles before the might of Windows Live(tm) Mail beta. Windows Live(tm) Mail beta
RE: [ActiveDir][OT] DNS on a DC or NOT
http://dictionary.reference.com/search?q=mucker mucker \Muck"er\, n. A term of reproach for a low or vulgar labor person. [Slang] Let the Ragin' begin! (Thought I could have sworn it was a lazy way to say "mofo" :) ) From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir][OT] DNS on a DC or NOT Date: Wed, 17 May 2006 15:45:01 -0400 IgnoreDean.He'sgoingtotryandD.O.S.acoupleofcompaniesIspecified tohim.IfyouseeDean'snameinthepapersnexttobuildingsthatare burningtothegroundthenyoucanlistentotheconspiracytheoriesthat requirerunningS-DDNS.;o)HowmanytimeswasyourNTenvironmentDOS'ed bypurposefulattacksonWINS?IfyouhadanissuewithWINSbeing unauthenticatedatanypointitwasoneofacoupleofitems 1.YouscrewedupWINSyourselfsomehowbydoingsomethingstupidor throughinactionallowingsomethingstupidtohappen. 2.SomeonefiredupaSAMBAboxandhadnoflippingcluewhattheywere doingonLinuxORWindows. 3.SomeonetriedtosetupatestdomainusingproductionWINSandusingthe realnameoftheproductiondomains. EvenwiththosethreeitemsIcanthinkof2casesin10yearsofthese thingsandonewasclearedupinaboutaweekandtheotherwasclearedup inabout15minutes.Thefirstshouldhavebeenclearedupin15minutestoo exceptthepeopleworkingonitdidn'tunderstandWindowsnorWINSnordid theAlliancepeopleworkingtheissue. Inthemeanwhile,ifanemployeeofacompanywantstohurtAD,thereare moresubtleandlesstrackablemechanismstodosothangoingafterDNS. AnyonethatattackedADbygoingafterADisjustascriptkiddiepunkwith novision.Heckeventhescriptkiddiesaren'tgoingafterit. BTW,anyoneknowwhatamuckeris?IamtryingtofigureoutifIam supposedtobemorallyoutraged.eg joe -- O'ReillyActiveDirectoryThirdEdition- http://www.joeware.net/win/ad3e.htm -OriginalMessage- From:[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]OnBehalfOfDeanWells Sent:Wednesday,May17,20062:55PM To:Send-ADmailinglist Subject:RE:[ActiveDir]DNSonaDCorNOT Ignorejoe...he'sjustanLDAP/DSpurist...asageneralruleofthumb, keeptheADrepresentativeDNSzoneswithinthedirectoryconfiguredto acceptsecureupdatesonly.Useapp.NCsordon'tdependinguponthe forest'sconfig.,toomanyvariablesandmuchdiscussionformerightnowon thatoneI'mafraid...butsufficeittosaythatforme;Ipreferapp.NCs wherepossible. -- DeanWells MSEtechnology *Email:[EMAIL PROTECTED] http://msetechnology.com-OriginalMessage- From:[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]OnBehalfOfjoe Sent:Wednesday,May17,200610:01AM To:ActiveDir@mail.activedir.org Subject:RE:[ActiveDir]DNSonaDCorNOT SOyouareconcernedaboutoverallloadthen.Thisissomethingthat isaddressedinlargerorgsoftenbysegregatingthePDCoffinits ownlogicalsitewhichishungoffthemainsiteitwouldnormallybe partof.Thatmeansitwillusuallynotbeusedforautocoverageof otherWANsitesanditwillnotbecomealargesitebridgehead[1]and naturallyavoidedbyanyExchangeinthatsiteifExchangeforsome reasondecidestobeatonitduetosomebaddecisionbyanExchange adminduringconfiguration.Thisisespeciallyhelpfulifyouhavea largelegacyclientloadorlotsofstupidapplicationsthatareusing theoldNETAPI(orWinNTprovider)primarilywhichalreadyoverly targetPDCs. joe [1]Irecallaskingwaybackatthe2003RAP/RDPconferencefora switchtosayuseallDCsbutthesespecialonesforbridgeheads,I wouldrathermanageexceptionsthanmanagetheonesthataretheones tobeused.Bestistobeabletospecifyeitherway. -- O'ReillyActiveDirectoryThirdEdition- http://www.joeware.net/win/ad3e.htm -OriginalMessage- From:[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]OnBehalfOf CarlosMagalhaes Sent:Wednesday,May17,20069:44AM To:ActiveDir@mail.activedir.org Subject:Re:[ActiveDir]DNSonaDCorNOT Letmeputthatintoperspective(andfromreadingthepost againIthoughtitcameacross),theblogentryrefersto networkswithalargeclientload. Idon'tmeandoNOThaveDNSonyourserveritrecommends (Option2)releasingsomeoftheloadwiththetworegistry settings,i.e. *LdapSrvPriority*and*LdapSrvWeight*.whichisexplainedin theentry:) ThesesettingsIhaveonlyeverusedonlargenetworkswhenI havenoticedalargeamountofDNStrafficbeingroutedto thePDCDNSService.:) Doesthatexplainthepostifnotjustletmeknowwhatmore informationyouneedandIwillexplainit:) CarlosMagalhaes ASBwrote: Whichblogentry... -ASB On5/17/06,*Krenceski,William*[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]wrote: IwasreadingCarlos'sblogaboutnotrunningDNSonthePDC emulator.ItallmakesperfectsensetonothaveDNSrunningon it.Inmyrelativelysmallsetupwehave@60servers, 560pc's,on 8networks(someremotesomevlans).Ihave2DC'sat mymainsite withoneateachremotesite.AllDC'sareGCandDNS.Ialways thoughtthatinorderforDNStoworkasADintegrated you'reDNS servershadtobeDC's.IfthatisNOTtruemyfaceisredfor believingsoforsolong.** ** *WilliamKrenceski* *NetworkAdministrator* [EMAIL PROTECTED]mailto:[EMAIL PROTECTED] Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive: http://www.mail-archive.com/activedir%40mail.activedir.org/ Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:
RE: [ActiveDir] OldCmp question
hmmm How about -onlyenabled? :) Ya know...just because... From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OldCmp question Date: Fri, 19 May 2006 11:41:21 -0400 Disabledaccountsaremarkedbyhavingbit1listonuserAccountControl (value2) Toexcludethemyouwant-af"useraccountcontrol:AND:=2"and-bit IjustrealizedIhavean-onlydisabledswitch,Ishouldadda -onlynotdisabledIguess...-- O'ReillyActiveDirectoryThirdEdition- http://www.joeware.net/win/ad3e.htm -OriginalMessage- From:[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]OnBehalfOfRimmerman,Russ Sent:Friday,May19,200611:25AM To:ActiveDir@mail.activedir.org Subject:[ActiveDir]OldCmpquestion Anyoneknowawaytoeasiblyfilteroutdisabledaccountsfromtheoldcmp -usersreport?Wouldonehavetousesomesortofbitwisefilterfroma translationofauseraccountcontrol66048valueorsomething? ~~ Thise-mailisconfidential,maycontainproprietaryinformationofCameron anditsoperatingDivisionsandmaybeconfidentialorprivileged. Thise-mailshouldberead,copied,disseminatedand/orusedonlybythe addressee.Ifyouhavereceivedthismessageinerrorpleasedeleteit, togetherwithanyattachments,fromyoursystem. ~~ Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/Express yourself instantly with MSN Messenger! MSN Messenger
RE: [ActiveDir] OldCmp question
Hmm...then you could add -notonlynotdisabled to return disabled users just to keep with the flow... Subject: RE: [ActiveDir] OldCmp questionDate: Fri, 19 May 2006 17:08:03 -0400From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.org +1 for –onlynotdisabled g Thanks,Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Friday, May 19, 2006 3:34 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OldCmp question Hmm that may work. I will have to send it into the design committee and see what they think. ;o) TGIF. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef KazimerSent: Friday, May 19, 2006 2:36 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] OldCmp question hmmmHow about -onlyenabled? :)Ya know...just because... From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OldCmp question Date: Fri, 19 May 2006 11:41:21 -0400 Disabledaccountsaremarkedbyhavingbit1listonuserAccountControl (value2) Toexcludethemyouwant-af"useraccountcontrol:AND:=2"and-bit IjustrealizedIhavean-onlydisabledswitch,Ishouldadda -onlynotdisabledIguess...-- O'ReillyActiveDirectoryThirdEdition- http://www.joeware.net/win/ad3e.htm -OriginalMessage- From:[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]OnBehalfOfRimmerman,Russ Sent:Friday,May19,200611:25AM To:ActiveDir@mail.activedir.org Subject:[ActiveDir]OldCmpquestion Anyoneknowawaytoeasiblyfilteroutdisabledaccountsfromtheoldcmp -usersreport?Wouldonehavetousesomesortofbitwisefilterfroma translationofauseraccountcontrol66048valueorsomething? ~~ Thise-mailisconfidential,maycontainproprietaryinformationofCameron anditsoperatingDivisionsandmaybeconfidentialorprivileged. Thise-mailshouldberead,copied,disseminatedand/orusedonlybythe addressee.Ifyouhavereceivedthismessageinerrorpleasedeleteit, togetherwithanyattachments,fromyoursystem. ~~ Listinfo:http://www.activedir.org/List.aspx ListFAQ:http://www.activedir.org/ListFAQ.aspx Listarchive:http://www.mail-archive.com/activedir%40mail.activedir.org/ Express yourself instantly with MSN Messenger! MSN Messenger Crush! Zap! Destroy! Junk e-mail trembles before the might of Windows Live(tm) Mail beta. Windows Live(tm) Mail beta
RE: [ActiveDir] [OT] RAID 5 Best Practice
Speaking of Exchange... Any good resources for Exchange info?(IE real world lessons, etc) I just got told today that we are going to be leaving a company we just bought on Exchange instead of migrating them to lotus notes (Talk about dodging a bullet). Sadly I have not done Exchange work since E2000, since I have been working at a large Notes shop for the past few years. My excitement isI will get back to Exchange and outlook as Lotus Notes feels like I am using Email/Calendaring circa 1998. :( I'm going to grab the deployment guides, but I am concerned with catching up all I don't know, and how it will affect my AD environment. I'm afraid the timelines are quite aggressive so I need to get moving. Jef - http://www.jeftek.com From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] [OT] RAID 5 Best PracticeDate: Mon, 22 May 2006 23:33:09 -0400 There is quite a bit of docs out there on designing good disk subsystems for Exchange. It comes down to how many IOPS are needed. If your design isn't around that, you will probably end up with issues. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGzSent: Thursday, May 18, 2006 6:56 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] [OT] RAID 5 Best Practice Sorry to bounce off topic.But what would you recommend for Exchange hard drive config ?even better where i can look for information on how to troubleshoot ( what to look for ) the diisk subsystem on an exchange box. Thanks. On 5/18/06, joe [EMAIL PROTECTED] wrote: Classic Exchange type design. ;o)For AD, I pretty generally recommend people do a single 0+1/10[1] first andthen 5 second and go with either because usually they don't have enoughslots for the disk internally to break it all up into a bunch of 1's and I prefer the disk internal for AD and you want as many spindles in the set aspossible.The good thing is that 0+1 will stand up to the IO (mostly DIT read) loadthat you get out of even really busy DCs. I may change my thoughts after I start seeing big x64 machines cruising along, haven't seen any yet incustomer sites. The log load on DCs is usually miniscule except in cases Ihave heard of ~Eric testing some funky stuff in EEC and actually getting log write ops into triple digits. Ditto for OS too unless you are doing a bunchof other stuff on the DC.For file sharing, I would consider 0+1 but 5 would be more likely since youprobably want/need the space more than the speed. File sharing doesn't really beat the disks up relative to a busy DC even in large multi-thousanduser file servers I have seen. It is why most normal server admins reallyhave no clue what to look for in terms of IO load on servers but any Exchange Admin worth anything is looking at that right away in a problemsituation and able to quote IOPS stats off the top of their head and knowwhat they can get from the underlying disk subsystem. Exchange disk configs are critical.Anyway, I don't have a problem with 5 for file servers. There is definitelya hit on rebuild but you have to ask yourself how often you expect that andwhether or not it is acceptable that you take a hit when you are in that mode. I consider the fault tolerance for emergencies, not something I haveto deal with weekly. If there are other benefits I want from 5 (say reducedcost for the space) and having slower rebuild is acceptable then that is perfectly fine. If you need something that is entirely transparent then youlook at other solutions and you start spending more money.As for logically partitioning the underlying disk. Not sure what kind of security gains you are expecting there. Nothing I can think of off the topof my head. No perf gain except for the possible perf gains in doing avolume chkdsk or backup/restore of individual volumes maybe. Thepartitioning for logical separate of binaries in data can be a good thing.Kind of nice to know that you absolutely need the D drive back but the Ccould be a complete fresh rebuild. joe[1] Assuming they wouldn't consider a straight stripe set, recall DCs are all duplicates and a big stripe set is going to be the fastest...--O'Reilly Active Directory Third Edition -http://www.joeware.net/win/ad3e.htm -Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED] ] On Behalf Of Carlos MagalhaesSent: Thursday, May 18, 2006 2:02 PMTo: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] [OT] RAID 5 Best PracticeI know this is not exactly the RAID 5 Best practices but this is how Iusually setup and recommend the customers to setup their disks (if they canafford the hardware)RAID1 for the OSRAID1 for the logsRAID0+1 for the databaseCarlosBrian Desmond wrote: I always do 12GB for C and the rest for D for 'Data'. I can format C and not worry about the Data. *Thanks,** *Brian Desmond** [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] *c - 312.731.3132
RE: [ActiveDir] UNITY SERVERS
I'm not sure how you mean "Unity Server"? Can you give more details in what context? I did a quick Live Search on Unity Server and Active Directory and I thought it could possibly be a Cisco product? http://www.live.com/?q=Unity+Server#q=Unity%20Server%20Active%20Directoryoffset=1 There also seems to be a http://www.unityserver.com Thanks, Jef From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgDate: Thu, 25 May 2006 22:14:02 -0500Subject: [ActiveDir] UNITY SERVERS Hi All, Can any one tell me what is a unity server.I want to every detail of that. Thanks Hitender Saxena-- ___Play 100s of games for FREE! http://games.mail.com/Join the next generation of Hotmail and you could win a trip to Africa Upgrade today
RE: [ActiveDir] DNS suffix resolution..
Another FYI - Suffix Search List GPO is only available on Windows XP and up OS's. It was not in Win2000 versions. We had to use scripts/reg keys to man age these back in the day.JefKazimer---http://www.jeftek.com Date: Mon, 31 Jul 2006 10:46:38 -0400From: [EMAIL PROTECTED]To: ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] DNS suffix resolution..Hey -from the machines, i can defintely ping the FQDN.If you have hundreds even thousands of workstations, the easiest way to distribute dns suffix search order listing is thhrough group policy ?if you don't have a wins server specified and don't have the dns suffix search order, then name resolution won't work by simply typing in the netbios name -- that can't be default behavior for a windows domain that purportedly doesn't "need" wins. its for this purpose i still use wins.how are your clients tcp/ip properties set at child domains ? at HQ sites ?i'm curious to know how other admins are setting up dns/tcpip properties in their network/domain. On 7/31/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: just as an FYI: If you specify suffix search list it will override the searching of appending the parent suffix of primary DNS suffix. So if you just specify: domain2.domain1.com domain3.domain1.com and not domain1.com it will not search domain1.com since it is not specified in the Suffix Search List. So if you want to still search the parent suffix, be sure to include it in the SSL. Jef - Original Message - From: Matheesha Weerasinghe To: ActiveDir@mail.activedir.org Sent: Monday, July 31, 2006 4:13 AM Subject: Re: [ActiveDir] DNS suffix resolution.. I assume you are using WINS and the DCs of child and parent domainsare registered there. Therefore the netbios names are resolving. What happens when you try to ping the FQDN of the child domain server? Does that work? I think your issue is you want the child domain suffix to be appended automatically. My understanding is that it doesnt happen by default. However the reverse is true. If you are in a child domain and ping or attempt to resolve a name, it tries its own domain suffix before attempting to append the parent domain suffixes. This is true as long as you havent disabled the default behaviour, havent modified this through GPOs etc... You can also specify a list of search suffixes to go through in a certain order if you wish. M@ On 7/30/06, HBooGz [EMAIL PROTECTED] wrote: I have a Forrest with one forest root and one child domain.The child domain is running windows 2000 SP4 and the HQ sites are running windows 2003 R2 standard.I have the the child domain controller setup as an AD-integrated zone and i have the 2003 DNS servers setup to receive that zone as a secondary zone. if i don't include the suffix search order on the nic cards' dns entry page, i just resolve the netbios names of the hosts at the remote site. for example.hq = company.comchild domain = sales.company.comwhen i initiate a ping from any host at HQ to a host in the child domain i only resolve the netbios name. how can i resolve this ?I've tried setting up dns name delegation in the past when i was running a full 2000 domain, but that name resolution never worked right and it wasn't timely.thanks,-- HBooGz:\ -- HBooGz:\ Express yourself instantly with Windows Live Messenger! Windows Live Messenger!
[ActiveDir] Single Space in LDAP query dropped: Why?
I had posted this today, and I was curious if anyone knew why an LDAP filter drops the query when searching for a single space value? Though I was using Joe's ADfind, I did have the same results in ADSIedit, and thought someone better than I, may know why. It's not really a problem, just a curiousity. Thanks, Jef http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!642.entry LDAP queries are spaced out... I was looking at a metaverse object in MIIS today noticed some admin had setthe mail attribute to a single SPACE ( )character.The Metaverse is stored in a SQL server, so naturally the query structure is different than any constraints of LDAP. I wanted to discover how many other user objects had the same issue,so I decided to pull outADfind and issue this command: ADFIND -H MYSERVER -DEFAULT -F "((objectCategory=person)(mail= ))" -C 0 found ok, so I thought it was my lack of quoting and tried: ADFIND -H MYSERVER -DEFAULT -F "((objectCategory=person)(mail=' '))" -C 0 found Since it's command line I was sure that the quoting would encapsulate it correctly, so I figure it is being stripped out by the LDAP query (I made this same Query ins ADSIedit and LDP with no luck) so perhaps there is an escape character for such a thing. I have done many queries with filters like "description=The Man", and the space was interpreted correctly. Yet it seems, a single space, by itself is not passed to the query correctly. So I check out the uber friendly RFCs and find escape characters for types such as * and NUL, but reallyno mention ofa single space as anything special. I checked the LDAP V3 RFC as well for any real mention of when and when a single space is dropped from the query, finding nothing related. Fortunately, using the escaped sequence in the query ("mail=\20")to represent a space worked just fine and returned the object I was looking for. ADFIND -H MYSERVER -DEFAULT -F "((objectCategory=person)(mail=\20))" -C 48found So LDAP filters can container spaces as the value being queried for, but cannot be a single space without using an escape sequence to represent the value. I suppose it's kind of silly, but I had never really looked for such an occurrence before, so it was an interesting learning experience.
Re: [ActiveDir] splitting a domain into two
Just to add some info here.. I am currently in the middle of an "integration" where one IT group suggested a split the network to clone the AD environment on both sides. Thankfully this has been abandoned after being evaluated. I believe Microsoft Consulting Services called this solution "Dangerous" and "Disaster Prone", and more importantly, unsupported in a production environment. While this is a common scenario in a Prod to Isolated Lab replica, the dangers are too great to have those domains talk to each other, and potentially wipe each other out. If you are dealing with MCS, I can get you the case # for a company who attempted this, and had a disaster of a time resulting in 10 days of downtime. In the end, they were left with a limping AD, so it would have to be rebuilt because it was not sure the true state of this. Jef - Original Message - From: Al Mulnick To: ActiveDir@mail.activedir.org Sent: Saturday, September 16, 2006 8:34 PM Subject: Re: [ActiveDir] splitting a domain into two Yeah. See the problem with that "policy" concept is that in your environment you've already noticed that good ideas are seldom given a chance to live long enough to make it to your level :) That said, I would think it's extremely dangerous to try and break it like that. Although, it could work, the risk is pretty high that your networks will be connected long before you have a chance to decommission the domains leaving you with a potentially difficult name resolution issue to resolve. There would likely be much wailing and gnashing of teeth as well. I think in this case, option 3 would be preferred: 3) Leave the domains alone and allow the break of network to occur. When the WAN links are created to the central hub, migrate as fast as your legs will carry you. Remember that at that time, your replication will likely resume. Try to keep a change freeze as long as you can if the networks will be able to see each other. It might not be a bad idea to check on the tombstone time and raise that if you can. WAN links are known to take longer to bring up than any planning might assume. Put another way, network folks tend to be overly optimistic when it comes to timing of WAN link configurations. Be sure to communicate as much as possible about the risks and tradeoffs. That way you can stick your tongue out later and sing, "I told ya so!" at the top of your lungs (likely after work and out of earshot of those that might take offense, but you can at least do so with a clear conscience.) My $0.04 (USD) anyway. Al On 9/16/06, Kamlesh Parmar [EMAIL PROTECTED] wrote: Well :-) I suppose, you are looking at tiny figure of 300 users and why not choosing option 1 straight away. If only every IT manager was as forceful and articulate about danger of short term decisions as you are. About migrating to corporate domain, that is achievable as both sites are not going to get links simultaneously so who ever gets link first, it gets migrated first with security translation as preferred method, and we basically have a policy to remove sidhistory along withdemotion of old domain. And here it will be serialized migration one after another rather than simultaneous. Assumption here being, once the trust with one domain is established, machines migrated, trust broken. I suppose creating trust again with same domain name at different site should not be a issue. -- Kamlesh On 9/16/06, joe [EMAIL PROTECTED] wrote: First impression: Yuck. The main thing that caught my attention is the "migrate into a corporate domain at a later time". I assume you mean both of these "separated" domains would be migrated? If so, how do you plan to do the migration? You won't be able to have name res for the trusts, even if you could you would most likely run into SID issues if you maintained SID History. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh ParmarSent: Friday, September 15, 2006 4:57 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] splitting a domain into two Dear All,Scenario : Single regional domain , two sites , both sites having separate links to Internet and direct WAN connectivity with each other.AD Integrated DNSsite1: 300 userssite2: 400 users Now, due to restructuring, they have decided to get rid of WAN link joining the two sites immediately, as both sites will have separate individual
[ActiveDir] ADAM bind Redirection with a NULL password
Since there has been talk of LDAP Authentication as of late, I figured I'd post my issue of poorly developed applications allowing a null password to an ADAM instance using Bind Redirection. http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!710.entry I'd be curious if a bit flip to shut down this possibility could be put in control of the directory Admin, instead of relying on the developers. Thanks, Jef Kazimer List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] ADAM bind Redirection with a NULL password
Eric, The problem stems from lack of ability to modify the application to correct the behavior. If I had the ability to force this, I would simply require null/blank not to be passed to the ADAM server from the application. I've been at odds about the DCR myself, for all the reasons you mentioned. Yet, without the ability to control the applications, the only thing I can control is the directory itself. Without a mechanism to disable such behavior, I am without recourse unfortunately. So far, I've been able to avoid this problem, because the 2 apps I had this happen with, the developer was able to modify the authentication dialog. I have had other apps with other issuers, where modification was not possible. These did not suffer this poor design issue, but I wonder if I will get such an app eventually. I suppose I am just trying to solve a problem, I have not been forced to solve by this method, which means it cane wait. I could go into how it would be nice to have enterprise application minimum standards, and application owners involve infrastructure staff BEFORE an app is purchased, instead of after when it doesn't work, but I won't :) Jef - Original Message - From: Eric Fleischman [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, September 28, 2006 8:48 PM Subject: RE: [ActiveDir] ADAM bind Redirection with a NULL password One solution would be to ACL all objects such that SELF can read them, then have the app, after it has authenticated as the user, try and read something on the user itself. This way you know you are in fact that user (or someone else that has read access, which presumably won't work as anonymous). In terms of your DCR...could such a bit be put in? I guess. But DCRs that are filed with the intentional intent of going again an RFC typically have a rough time getting through even with a very strong business impact. And you have a workaround already in the app, and another solution I mentioned above. Just setting expectations... ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer Sent: Thursday, September 28, 2006 5:53 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] ADAM bind Redirection with a NULL password Since there has been talk of LDAP Authentication as of late, I figured I'd post my issue of poorly developed applications allowing a null password to an ADAM instance using Bind Redirection. http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!710.entry I'd be curious if a bit flip to shut down this possibility could be put in control of the directory Admin, instead of relying on the developers. Thanks, Jef Kazimer List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx