[ActiveDir] Logon Takes too Long!

2003-10-02 Thread George Arezina
Hi people, Has anyone had logon problems with Windows 2003 server with AD installed? I have a test environment with Windows 2003 servers and Windows XP Pro workstations, no W2K/NT servers or workstations. After installing AD, users are taking around 20 minutes to logon to the domain. I

Re: [ActiveDir] Logon Takes too Long!

2003-10-02 Thread rrutherford
Can you do a dcdiag and post the results? Rob George Arezina

RE: [ActiveDir] Logon Takes too Long!

2003-10-02 Thread George Arezina
ok -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, October 02, 2003 11:27 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] can you do a dcdiag and post the results Rob

RE: [ActiveDir] Logon Takes too Long!

2003-10-02 Thread Joe
Almost anytime there is an issue around latency with AD the answer is almost always DNS. Verify that all of your DNS entries are correct and proper and that all SRV records exist and are as they should be. Do this either by eyeballing DNS or using DCDIAG or any other

RE: [ActiveDir] Logon Takes too Long!

2003-10-02 Thread Myrick, Todd (NIH/CIT)
According to Robbie Allen's cook book, you could be experiencing Kerberos UDP fragmentation. You should really test your network connectivity, run portqry against your domain controllers testing ports 88, 389, 3268. Check your DNS make sure your GC's are published correctly. And as

[ActiveDir] Secedit Errors

2003-10-02 Thread jef . kazimer
Hello all, I am getting repeated secedit errors which seem to be due to a corrupted secedit.sdb file on the DCs. After using ESENTUTL to repair the DB, and group policy applies correctly. A day or so later, those that were repaired now have the same errors. Anyone have any idea where to halt

RE: [ActiveDir] Logon Takes too Long!

2003-10-02 Thread daniel . gilbert
No fair :-( The rest of us haven't had a chance to read Robbie's book. Dan -Original Message- From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] Sent: Thursday, October 02, 2003 4:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Logon Takes too

[ActiveDir] hello and a question

2003-10-02 Thread Shadow Roldan
Hi I'm new to the list so excuse me if I come across as a lame-o! We have a win2k environment w/ exchange 2k. There's only one little problem I'm having with active directory, we would like to have our Admins (read administrative assistants, not sys-admins) do the chores of maintaining the

RE: [ActiveDir] Samba 3.0 release. Includes AD Support.

2003-10-02 Thread Stuart, Cory G.
I currently administer a child domain within a forest. Samba 3 is working great. One problem. Before we upgraded to 3, we could utilize accounts from the forest root to access the shares. Now, that is not working. Has anyone tried this before? This is the error that shows up in the logs:

RE: [ActiveDir] hello and a question

2003-10-02 Thread Fosselman, Susan
Shadow, Welcome Shadow. I am new to the list, too. You should be able to accomplish this with delegations. Right click an OU that has user objects that you want to have your admins maintain, and choose delegate control. The delegation wizard has some common tasks that you can delegate, or you

RE: [ActiveDir] hello and a question

2003-10-02 Thread Salandra, Justin A.
You can create a group, add your admins to that group and then delegate permissions to the AD structure for only those options. -Original Message- From: Shadow Roldan [mailto:[EMAIL PROTECTED] Sent: Thursday, October 02, 2003 11:48 AM To: [EMAIL PROTECTED] Subject:

[ActiveDir] OT: DS Conference

2003-10-02 Thread Mayet, Yusuf Y
Hi guys, Does anyone have info about the DS conference that was recently held? Any comments??? Yusuf __ For information about the Standard Bank

RE: [ActiveDir] OT: DS Conference

2003-10-02 Thread Roger Seielstad
I'm betting Gil will chime in here shortly (since I believe you're talking about his company's conference). http://www.netpro.com -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc.

RE: [ActiveDir] OT: DS Conference

2003-10-02 Thread Michael_Parent
I was there and must say it was very worthwhile! Michael Parent MCSE MCT Analyst I - Web Services ITOS - Systems Enablement Maritime Life Assurance Company (902) 453-7300 x3456 Roger Seielstad [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 10/02/2003 01:32 PM Please respond to ActiveDir

RE: [ActiveDir] hello and a question

2003-10-02 Thread Mulnick, Al
Barring a better way someone may suggest, typically you would grant the permission granularly at the attribute level. I prefer to create a group and grant the perms at the OU level for what they are going to update. Al -Original Message- From: Shadow Roldan [mailto:[EMAIL PROTECTED]

RE: [ActiveDir] OT: DS Conference

2003-10-02 Thread daniel . gilbert
I was there too! Learned a lot. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Thursday, October 02, 2003 9:42 AM To: [EMAIL PROTECTED] Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: DS Conference I was

[ActiveDir] Exchange 2k ?

2003-10-02 Thread Chianese, David P.
We are having a debate on whether or not to make all of our DC's gc's in our new e2k environment. I would like to hear feedback from current e2k administrators. It is my contention that we have sufficient DC resources to NOT make all of our DC's gc's for exchange. Is there any drawback to doing

RE: [ActiveDir] hello and a question

2003-10-02 Thread Shadow Roldan
Excellent. The delegation wizard definitely seems to be where I need to be. Is there any resource I can look at to help me identify what these objects actually are? I am currently unable to identify what I should be delegating control of? I have no idea what these objects actually represent.

RE: [ActiveDir] Exchange 2k ?

2003-10-02 Thread Mulnick, Al
Probably a good conversation for an Exchange group as well, but any GC's over 10 are not going to provide much in the way of value. Exchange 2K discovery keeps track of 10 of them for its use and for giving information out to the clients. Depending on what you want the clients to be able to do

RE: [ActiveDir] Exchange 2k ?

2003-10-02 Thread Mulnick, Al
I think some clarification is fair here. I've already posted one about the processor and won't bore you with a repeat. I'd take that a bit further and say the same network segment which isn't necessarily the same thing as same site. Reason? Because you know that Exchange will use the heck out

RE: [ActiveDir] Secedit Errors

2003-10-02 Thread Darren Mar-Elia
Jef- I don't know if it helps but the flags (145) thing means the following: Machine Policy is being applied as opposed to user policy; This policy is being applied as a background refresh (rather than foreground); No changes were detected to the GPO during this processing

RE: [ActiveDir] hello and a question

2003-10-02 Thread Free, Bob
The best treatment of the Delegation Wizard I have seen so far is in a book by Sakari Kouti and Mika Seitsonen Inside Active Directory http://www.kouti.com/ Must have book IMHO. You can download some tables from their website that would probably help you with the attribute mapping-

RE: [ActiveDir] hello and a question

2003-10-02 Thread Myrick, Todd (NIH/CIT)
Greetings, and welcome to the best place on the Internet to get help on AD. No question is too new or old IMHO. The way it works here is that you must be self managed, and when someone answers your question, you say thank you... Then if you ever see the same question asked, respond with the

[ActiveDir] Password Policy

2003-10-02 Thread Travis Riddle
I made a slight error when creating a group policy, and now need some advice on how to fix it. Hopefully someone will be kind enough to help out. I have a single domain with 2 sites. I created a Default Policy for the entire domain with fairly minimal settings (such as password policy,

RE: [ActiveDir] OT: DS Conference

2003-10-02 Thread daniel . gilbert
The Final Chicken hopes to make a cameo appearance at the next DEC. ;-) -Original Message- From: Sullivan, Kevin [mailto:[EMAIL PROTECTED] Sent: Thursday, October 02, 2003 10:56 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: DS Conference Second

RE: [ActiveDir] Exchange 2k ?

2003-10-02 Thread Myrick, Todd (NIH/CIT)
I think that was the old rule for Exchange 2000 SP1. Exchange 2000 SP3 and Exchange 2003 are different. We were told by Microsoft it is recommended that you base your AD/Exchange GC deployment on number of processors for exchange mailbox servers. Not number of servers. 1 GC (Dual Proc IMHO) for

RE: [ActiveDir] Password Policy

2003-10-02 Thread daniel . gilbert
Can you set the expiration date out far enough to allow you to have an expiration date. Then run a script that will expire a portion of the users in say two weeks. Re-run the script with a different set of users with expiration set to 4 weeks away and so on?? Dan -Original Message-

RE: [ActiveDir] Password Policy

2003-10-02 Thread Tom Meunier
Hi Travis, If I'm understanding correctly, that password policy isn't going to force them to all of a sudden change their passwords. It will commence its expiry and complexity and history awareness upon subsequent password change. Don't sweat it. I'm certain someone smarter than me will

RE: [ActiveDir] OT: DS Conference

2003-10-02 Thread Myrick, Todd (NIH/CIT)
A lot of people asked why I didn't attend this year's Fall DEC so I will say it one time, it wasn't my doing... Believe me. I was asked to come and be a booth expert or something, so I began the process of government red tape to get approval. What I got was 10 boxes of Toilet

RE: [ActiveDir] OT: DS Conference

2003-10-02 Thread Gil Kirkpatrick
Thanks for the compliments! I think this was our best Directory Experts Conference to date... the presentations were generally stronger than the previous DEC, and the logistics were nearly flawless, thanks to Christine and Stella (still got to get the wireless thing going

RE: [ActiveDir] OT: DS Conference

2003-10-02 Thread John Reijnders
The DEC is the absolute killer conference on everything that has to do with AD! It's the only conference I know that focusses on this topic and is able to come up with new/relevant/interesting information for even the most experienced AD engineers! I've been to the DEC in Amsterdam last year and

RE: [ActiveDir] Password Policy

2003-10-02 Thread Myrick, Todd (NIH/CIT)
You are correct, your company passwords would expire. The solution I suggest is to crack all the passwords, then reset the original password to each account to reset expiration. Then implement the Domain Account policy again. Also remember that NTLM and Kerberos authentications count double.

RE: [ActiveDir] Secedit Errors

2003-10-02 Thread John Reijnders
I don't know the cause of this problem but you could try restoring an older version of the GPOs using the GPMC (Group Policy Management Console)... (if you made backups of your GPOs). If you haven't implemented this GPO management tool yet you should definitely have a look at it! It's the way to

RE: [ActiveDir] Password Policy

2003-10-02 Thread Myrick, Todd (NIH/CIT)
Really, I was under a different impression. Easy way to test it is in a small AD environment. Set it to one day then change the date. Todd -Original Message- From: Tom Meunier [mailto:[EMAIL PROTECTED] Sent: Thursday, October 02, 2003 3:27 PM To: [EMAIL PROTECTED] Subject: RE:

RE: [ActiveDir] hello and a question

2003-10-02 Thread Gil Kirkpatrick
There is a white paper coming from Microsoft soon (like in the next couple of weeks) that contains everything you could possibly want to know about delegation and access rights in AD. Some people on the list are reviewers, so they may be able to comment on its usefulness. -g Gil Kirkpatrick CTO,

RE: [ActiveDir] Exchange 2k ?

2003-10-02 Thread Mulnick, Al
Um... Interesting. I think that depends on what you consider reasonable scale up vs. reasonable scale out doesn't it? I've seen many shops that scale up to consolidate server hardware (funny little thing going on in IT shops these days unless you work for DELL) and I've also seen some that

RE: [ActiveDir] Password Policy

2003-10-02 Thread Travis Riddle
I think I will give it a test by creating a new OU and setting block inheritance, moving one of the users over then taking it off. I will let you know how it works out. If that doesn't work I may just bite the bullet and send them an email telling them that sometime next week they will be

RE: [ActiveDir] Password Policy

2003-10-02 Thread Tom Meunier
I don't have a spare AD environment to test on. This has been my impression for a long time, but I can't verify it beyond saying that the NSA thinks so, too: http://nsa2.www.conxion.com/win2k/guides/w2k-3.pdf Page 25. -Original Message- From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL

RE: [ActiveDir] Password Policy

2003-10-02 Thread Tom Meunier
I imagine that you could also create additional domain-level password policies, and deny the apply group policy security right to the objects you don't want the policy to affect. That way, you'll still be able to have domain policies for users in those OUs. There are also more robust

RE: [ActiveDir] OT: DS Conference

2003-10-02 Thread daniel . gilbert
one word - Haiku -Original Message- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Thursday, October 02, 2003 12:36 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OT: DS Conference Thanks for the compliments! I think this was our best

RE: [ActiveDir] Logon Takes too Long!.............. Hockey Season !

2003-10-02 Thread george.arezina
Hey Toddler, Thanks for the info towards my problem. Your solution, rather info, was right on the money. I'm originally from Canada, which is the Mecca of hockey. Therefore, according to your scoring system below you get a Good Solution point. In other words, credit for a

RE: [ActiveDir] hello and a question

2003-10-02 Thread Joe
Shadow depending on how much delegation you will end up doing and how big your environment and how deeply you want to get into it you will either want to do this by hand, script it, or buy a product to do it. The delegation you asked for here specifically is pretty basic as others have laid

RE: [ActiveDir] OT: DS Conference

2003-10-02 Thread Joe
Ditto only my toilet paper is spelled Exchange 2000... :oP I will be at the next one and Gil... I want a chicken damnit. And a nice NetPro Polo, my last one (kind of blue green) disintegrated and had to be put down. joe From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] Password Policy - Challenge....

2003-10-02 Thread Myrick, Todd (NIH/CIT)
Alright Joe, I would be interested in hearing how to do the reset on the password timestamp. Privately if you think this could be abused? Toddler -Original Message- From: Joe [mailto:[EMAIL PROTECTED] Sent: Thursday, October 02, 2003 9:30 PM To: [EMAIL PROTECTED] Subject: RE:

RE: [ActiveDir] Password Policy - Challenge....

2003-10-02 Thread Dean Wells
Assign the pwdLastSet attribute a value of 0 per necessary user. At next logon, user's password will remain intact and pwdLastSet will be assigned current date and time (represented in FileTime) by the authenticating DC effectively setting user's next password expiry date to (now + password expiry