RE: [ActiveDir] Have fun at DEC

2005-03-22 Thread Jorge de Almeida Pinto
Shouldn't that be Semper rubber Pullus... ;-)) -Original Message- From: Gil Kirkpatrick To: ActiveDir@mail.activedir.org Sent: 3/22/2005 7:31 AM Subject: RE: [ActiveDir] Have fun at DEC Thanks for all the good words. I haven't ground up the session evals yet, but my informal polling

Re: [ActiveDir] Base64 UTF8 non-ascii value not pushed properly into AD

2005-03-22 Thread Mayuresh Kshirsagar
Got a shot at it! I am using a Criticalpath Meta directory server to push the values. So in my customised perl script extension, I only converted the string to UTF8 using perl SimpleUTF8 APIs and then pushed this to the destination. You were right, I didn't require to convert the value to

Re: [ActiveDir] Base64 UTF8 non-ascii value not pushed properly into AD

2005-03-22 Thread Mayuresh Kshirsagar
Thanks for all the help... I just flowed the UTF8 values to the directory and that solved the problem. Regards. - Original Message - From: Dean Wells [EMAIL PROTECTED] To: Send - AD mailing list [EMAIL PROTECTED] Sent: Monday, March 21, 2005 9:15 PM Subject: RE: [ActiveDir]

RE: [ActiveDir] upgrading domain controllers to windows 2k3

2005-03-22 Thread Lucia Washaya
Return Receipt Your RE: [ActiveDir] upgrading domain controllers to windows 2k3 document :

[ActiveDir] Scheduling online DIT file defrags

2005-03-22 Thread Ruston, Neil
It has been suggested that the online ESE defrag of the DIT file is causing CPU spikes when executed, twice per day within our environment. I therefore have two questions, relating to the online defrag: 1. Behaviour I assume a DC performs an online

RE: [ActiveDir] Scheduling online DIT file defrags

2005-03-22 Thread Sakari Kouti
Hi Neil, You could modify the 12-hour interval (of tombstone deletion and online defrag) to be seven days, for example, by modifying the garbageCollPeriod attribute of CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=yourforest. But not longer than 1/3 of the tombstone

Re: [ActiveDir] Scheduling online DIT file defrags

2005-03-22 Thread Jorge de Almeida Pinto
Hi, (I have sent it again as this mail only went to Neil and the Activedir-owner) The garbage collection process first cleans up all tombstones that exceed the tombstone lifetime and after that it does an online defrag. To change the garbage collection period you need to be the computergod of

RE: [ActiveDir] Scheduling online DIT file defrags

2005-03-22 Thread Ruston, Neil
I made the same mistake as Jorge and sent to the list owner and not the list itself :) neil -Original Message- From: Ruston, Neil Sent: 22 March 2005 13:51 To: 'Jorge de Almeida Pinto'; '[EMAIL PROTECTED] ' Subject: RE: [ActiveDir] Scheduling online DIT file defrags Thanks Jorge and

RE: [ActiveDir] SYSVOL Question

2005-03-22 Thread Mulnick, Al
That's an awesome explanation, but I think there is still the bit about how to tell what sysvol the client ended up using. Funny thing is, outside of a trace, I don't see that as information that's accessible. At least not easily. I'm still curious however. Al -Original Message-

RE: [ActiveDir] SYSVOL Question

2005-03-22 Thread Jorge de Almeida Pinto
The client receives/uses a referral and must store it somewhere like in a DFS cache. For DFS there exist two tools that are available DFSUTIL and DFSCMD. The latter one can use to manage DFS links and the first one to manage roots and DFS info ### Some info about DFSUTIL: Dfsutil.exe:

Re: [ActiveDir] A forestprep question

2005-03-22 Thread Phil Renouf
On Tue, 22 Mar 2005 01:45:23 +0100, Jorge de Almeida Pinto [EMAIL PROTECTED] wrote: To introduce the W2K3 DC you'll need to run: ADPREP /forestprep on the schemamaster ADPREP /domainprep on the infrastructure master of each domain. Worth noting that you only need to do the domainprep in the

RE: [ActiveDir] A forestprep question

2005-03-22 Thread Jorge de Almeida Pinto
Absolutely correct! It should be: To introduce the W2K3 DC you'll need to run: ADPREP /forestprep on the schemamaster ADPREP /domainprep on the infrastructure master of each domain that will have a W2K3 DC Cheers Jorge -Original Message- From: [EMAIL PROTECTED] To:

RE: [ActiveDir] A forestprep question

2005-03-22 Thread Jorge de Almeida Pinto
Absolutely! It should be: To introduce the W2K3 DC you'll need to run: ADPREP /forestprep on the schemamaster ADPREP /domainprep on the infrastructure master of each domain that will have a W2K3 DC Cheers Jorge -Original Message- From: [EMAIL PROTECTED] To:

RE: [ActiveDir] Password Expiration Prompt

2005-03-22 Thread Mulnick, Al
I've used this in that situation. You can change it from the three days on there to whatever you like and since it uses subtree search, you can use either a specific OU or the entire domain directory if you want. It is per domain. The script will email a notification with a link to the web

RE: [ActiveDir] Password Expiration Prompt

2005-03-22 Thread Olegario, Alan
We're running a similar product and are looking at what options are available to us. An email script is good, but hypothetically, a user could come back from vacation or from maternity leave, not check their email and still get the pop up box to change their password when they come back. In our

RE: [ActiveDir] Password Expiration Prompt

2005-03-22 Thread Mulnick, Al
Probably the only other way to manage that would be to change the GINA (write a custom GINA) which is usually not manageable. In this case, I would have guessed that the lengthy leave of absence cases would be manageable or at least acceptable. To recap what you have: 1) you've disabled the

RE: [ActiveDir] Have fun at DEC

2005-03-22 Thread joe
There is an inverse relationship between the number of admins and the security of your network - the higher the number of admins, the lower the security. How long have I been saying this? At least as long as you have known me!!! Is it that you didn't listen because I never said inverse? My

RE: [ActiveDir] Have fun at DEC

2005-03-22 Thread Daniel Gilbert
Ok its official, my head now hurts. Where's my aspirin? Dan Original Message Subject: RE: [ActiveDir] Have fun at DEC From: joe [EMAIL PROTECTED] Date: Tue, March 22, 2005 9:22 am To: ActiveDir@mail.activedir.org There is an inverse relationship between the number of

RE: [ActiveDir] Have fun at DEC

2005-03-22 Thread Jorge de Almeida Pinto
And, Rick, thanks a bunch for your late-night assistance. I owe you one. And I don't even want to know what this is about... Now this is one heck of a dirty mind.. ;-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday,

RE: [ActiveDir] Have fun at DEC

2005-03-22 Thread Darren Mar-Elia
Joe- You're forgetting to include Plonk's (sic) Constant into your equation, as so: I=9S/((M^c)*(r^2))P Where P = Plonk's constant--a factor that accounts for the (significant) percentage of admins that drink heavily on the job. -Original Message- From: [EMAIL PROTECTED]

[ActiveDir] LSASS with recent windows update

2005-03-22 Thread Matt Brown
I just performed recent windows updates on my Windows 2003 Active Directory Server… this was a machine that had already been patched… the LSASS NT Security Shutdown thing came back. Anybody else seen this? Man I was just starting to ponder the idea of the auto updates… but wow! Here is a list

RE: [ActiveDir] Have fun at DEC

2005-03-22 Thread joe
How come the #1 high statement below I read and heard a very polite German accent? The wireless did suck. I am disappointed that some of us didn't hack the environment and then sell it to others for $5 a day. The idea just came too late. We could have paid our way doing that alone. People were

RE: [ActiveDir] Machine Account Passwords - How often do they res et

2005-03-22 Thread David Cliffe
Yes. I sent an email that implied it was domain dependent, which is wrong. Sorry 'bout that! -DaveC ReutersCIO Infrastructure From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: Monday, March 21, 2005 7:45 PM To: ActiveDir@mail.activedir.org Subject:

[ActiveDir] DHCP Authorization Issue

2005-03-22 Thread Carerros, Charles
I am trying to authorize a DHCP server at one of our remote locations (256K connection) after having completed an AD 2003 migration last night however I keep receiving the error that the server is not authorized. However, it is in the list of my authorized DHCP servers (if you use the DHCP MMC to

[ActiveDir] OT: Altiris Protect

2005-03-22 Thread Noah Eiger
Hello: Does anyone have experience with a product called Altiris Protect (formerly FSLogic Protect)? I have a client asking about it. It appears to create completely independent user sessions based off of a master image. The idea is that users can make as big a mess as they want within

RE: [ActiveDir] Have fun at DEC

2005-03-22 Thread Jorge de Almeida Pinto
Yep, that sounds good! Imagine this: * a nice cigar * One nice drink (e.g. cognac/scotch) * lazy chair * sunny weather (heck, it was too cold to smoke outside in Vancouver at night, I started shaking. maybe next time I should get my jacket first! ;-)) ) * some sign saying: Get lost... folks

RE: [ActiveDir] DHCP Authorization Issue

2005-03-22 Thread Mulnick, Al
Start by looking at the event log on the machine. From there, can you remote to the machine? If so, try looking at the MMC from that machine's perspective. You may also want to look at replication and make sure that it's consistent (AD repl). Al -Original Message- From: [EMAIL

[ActiveDir] Retiring a DC

2005-03-22 Thread Paul Gonzalez
Hello all, I've been asked to retire a win2000 DC. My understanding is that I just need to run DCPromo. I've done this at home in my lab with no ill effects. The server doesn't really hold any roles other than being a DC. Am I missing something? Is there more to it? Is there a doc or

RE: [ActiveDir] Have fun at DEC

2005-03-22 Thread Lee, Wook
Did you really expect anything less from joe? Wook -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert Sent: Tuesday, March 22, 2005 8:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Have fun at DEC Ok its official, my head

Re: [ActiveDir] DHCP Authorization Issue

2005-03-22 Thread Kern, Tom
I think you have to be a local admin on the box in that domain or a dhcp admin for it to work. -- Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List

RE: [ActiveDir] Retiring a DC

2005-03-22 Thread Eric Fleischman
Not really. The other thing to consider would be anyone hard coded to point to this DC for anything (apps using it explicitly, DNS, WINS, etc.) but that's about it really. After I'd probably confirm it is gone from the directory, both NTDS settings object and computer account, as well as

RE: [ActiveDir] Have fun at DEC

2005-03-22 Thread Lee, Wook
I also had a blast, in spite of the intense pressure and the $%*( anagram challenge that took me all night to put together. :) I was thinking that maybe next time for the AD UP-All-Nighter we could disaster-recover a screwed up forest of two or

Re: [ActiveDir] Retiring a DC

2005-03-22 Thread Tomasz Onyszko
Paul Gonzalez wrote: I've been asked to retire a win2000 DC. My understanding is that I just need to run DCPromo. I've done this at home in my lab with no ill effects. The server doesn't really hold any roles other than being a DC. Am I missing something? Is there more to it? Is there a doc or URL

RE: [ActiveDir] Have fun at DEC

2005-03-22 Thread Gil Kirkpatrick
Never expect less from joe! :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Tuesday, March 22, 2005 10:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Have fun at DEC Did you really expect anything less from joe? Wook

RE: [ActiveDir] Retiring a DC

2005-03-22 Thread Hunter, Laura E.
BTW, what is the DC going off to do? If it is retiring, it has a retirement plan of some sort? I suggest Florida, maybe in the Palm Beach area. It is beautiful this time of year. Key West all the way, man, with a stop in Key Largo for snorkeling. But back on topic - the only thing that's

RE: [ActiveDir] OT: Exchange 2003 Forestprep

2005-03-22 Thread 'Jacqui Hurst'
This is just for those who are interested in the outcome of this query. Following further investigations it was found to be a schema issue (as thought).  A VBscript had been run to update some entries in the schema for the Radia product.  This had overwritten auxiliary class settings

RE: [ActiveDir] Scripting DC cleanup?

2005-03-22 Thread Ken Cornetet
Have you ever actually had to clean up dozens of DCs using ntdsutil??? Maybe Microsoft should implement an environment variable called "ADMIN_BACKGROUND" If ADMIN_BACKGROUND is set to "unix", all tools default to "advanced" mode, and all safety checking is turned off.

RE: [ActiveDir] Password Expiration Prompt

2005-03-22 Thread Isenhour, Joseph
We had a similar issue in our environment. We implemented a log off script that checked for password expiration. If the user's password is within 14 days of expiration the user is notified and the password change page is launched. This actually has two benefits. One, it solved the notification

RE: [ActiveDir] Have fun at DEC

2005-03-22 Thread Jorge de Almeida Pinto
I was thinking that maybe next time for the AD UP-All-Nighter we could disaster-recover a screwed up forest of two or three domains. now that sounds interesting!!! _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Monday, March 21, 2005 10:31 PM To:

RE: [ActiveDir] OT: Exchange 2003 Forestprep

2005-03-22 Thread Ricardo . Konno
Return Receipt Your RE: [ActiveDir] OT: Exchange 2003 Forestprep document :

RE: [ActiveDir] Retiring a DC

2005-03-22 Thread Paul Gonzalez
Gotcha, thanks. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E. Sent: Tuesday, March 22, 2005 12:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Retiring a DC BTW, what is the DC going off to do? If it is retiring, it

RE: [ActiveDir] Retiring a DC

2005-03-22 Thread Paul Gonzalez
Thanks. I'm thinking Boca :) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Tuesday, March 22, 2005 12:43 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Retiring a DC Not really. The other thing to consider would be anyone

RE: [ActiveDir] Scripting DC cleanup?

2005-03-22 Thread joe
Not dozens, but several. When we had to do dozens, we wrote a custom tool/script to do it. The point being anyone can use ntdsutil so it shouldn't be an easy way to torch the forest. Takes a bit more knowledge to write a tool or script to clean that same stuff up though many

Re: [ActiveDir] Jorge de Almeida Pinto

2005-03-22 Thread ryan
well people on my network at work keep saying they when they create a document save it to like y:/cases open/dodson . then they will move that document to y:/cases open/dodson/pleadings and the next day we have the document in both places. Then the day before that my Boss tells me she deleted

[ActiveDir] Using LDAPS

2005-03-22 Thread Isenhour, Joseph
We use external Verisign certs on several of our DCs so that we can support LDAPS for certain clients. Once in a while the cert does not seem to work and it's for no apparent issue. I'm currently experiencing the issue with one of our DCs. I've already checked the

RE: [ActiveDir] Using LDAPS

2005-03-22 Thread joseph.e.kaplan
What is the unhelpful Schannel error message? Usually that is the most helpful thing to me. :) Also, is the schannel error on the server or client? Seeing both sets is very helpful. Joe K. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

[ActiveDir] Ad delegation

2005-03-22 Thread Bruyere, Michel
Hi, It's me again. I have another problem ;) I would like to delegate 3 actions to the technicians in the AD. The 2 first are easy to set, the third is the one that cause me a problem. 1- reset the users password 2- set the must change password at next logon 3- enable account that

RE: [ActiveDir] Have fun at DEC

2005-03-22 Thread Fuller, Stuart
Maybe that should be a competition between the various methods of forest recovery. Virtual versus Lag/Hot Site versus MS white paper full rebuild etc Although I think Dean's total VM scripted method would probably win :-) -Stuart Fuller -Original Message- From: [EMAIL

RE: [ActiveDir] Using LDAPS

2005-03-22 Thread Isenhour, Joseph
The Error is only showing up on the server: Event Type: Warning Event Source: Schannel Event Category: None Event ID: 36872 Date: 3/22/2005 Time: 11:08:33 AM User: N/A Computer: X Description: No

RE: [ActiveDir] Ad delegation

2005-03-22 Thread Bruyere, Michel
Solved... I would like to delegate 3 actions to the technicians in the AD. The 2 first are easy to set, the third is the one that cause me a problem. 1- reset the users password 2- set the must change password at next logon 3- enable account that was disabled due to the password policy

[ActiveDir] OT:RPC over HTTP vs OWA

2005-03-22 Thread Pelle, Joe
Hey all, I was wondering what everyone's thoughts were about using RPC over HTTP vs Outlook Web Access? Is one more secure than the other? What were the reasons you implemented one and not the other? Any insight is always much appreciated! Thanks! Joe Pelle Senior Infrastructure

RE: [ActiveDir] Ad delegation

2005-03-22 Thread Francis Ouellet
Hi Michel, Care to explain the steps you took? Thanks! Francis -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: 22 mars 2005 14:45 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ad delegation Solved... I would like

Re: [ActiveDir] Retiring a DC

2005-03-22 Thread Phil Renouf
On Tue, 22 Mar 2005 13:34:12 -0500, Paul Gonzalez [EMAIL PROTECTED] wrote: Thanks. I'm thinking Boca :) Sarasota/Siesta Key :) Best beaches. As Eric mentioned, check for other services that may be running on the box (WINS, DHCP, File Shares, scripts, scheduled tasks). Also if you have any

RE: [ActiveDir] Ad delegation

2005-03-22 Thread Jorge de Almeida Pinto
The third is not enabling a user account, but I think you mean UNLOCKING the account. For that you need read and write permission on the lockoutTime property. In W2K3 this delegation IS available For more info on how to configure this see: * How to grant help-desk personnel the specific right to

RE: [ActiveDir] Retiring a DC

2005-03-22 Thread Paul Gonzalez
Thanks, I was just thinking the same thing. I've had it down for an hour and nothing so far. PG PS How are the school systems there? I have a 6 year old to think about :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf Sent: Tuesday, March

RE: [ActiveDir] OT:RPC over HTTP vs OWA

2005-03-22 Thread joe
OWA allows for two-factor authentication such as SecurID and Windows Password. RPC over HTTP does not have that capability that I have seen. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe Sent: Tuesday, March 22, 2005 2:52 PM To:

RE: [ActiveDir] Ad delegation

2005-03-22 Thread Bruyere, Michel
Here it is: Set these to the UO for the group/user you want * allow Reset Password permission for user objects-grants permission to reset an account's password * allow Write lockoutTime permission for user objects-grants permission to unlock an account * allow Write pwdLastSet

RE: [ActiveDir] Jorge de Almeida Pinto

2005-03-22 Thread Jorge de Almeida Pinto
Hey that's fun.. I'm the the subject! ;-) I would like to help you but I don't understand what you're saying Cheers Jorge -Original Message- From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 3/22/2005 8:01 PM Subject: Re: [ActiveDir] Jorge de Almeida Pinto well people

RE: [ActiveDir] OT:RPC over HTTP vs OWA

2005-03-22 Thread Mulnick, Al
I wouldn't say either was more secure than the other. I haven't used it in a while, but last I checked the client didn't support two-factor authentication unlike putting some other authentication in front of the OWA server. Other than that, I would view the two as being equal in terms of

RE: [ActiveDir] OT:RPC over HTTP vs OWA

2005-03-22 Thread Bruyere, Michel
You're right, I meant UNLOCKING accounts not enabling them!  As for the lockout time...  it is available in 2k too. De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de joe Envoyé: Tuesday, March 22, 2005 3:13 PM À: ActiveDir@mail.activedir.org Objet: RE: [ActiveDir]

RE: [ActiveDir] Ad delegation

2005-03-22 Thread joe
Interesting I saw your solved post before I saw the question post. 1. Delegate reset password extended right 2. Delegate WP on pwdLastSet (so they can write a 0 to the attribute) 3. Delegate WP on lockoutTime (so they can write a 0 to the attribute) - note this is called unlocking, not

RE: [ActiveDir] OT:RPC over HTTP vs OWA

2005-03-22 Thread Dave A. Marquis
Our Org is using both RPC and OWA and I have to say that RPC with ISA 2004 is sweet. My 2 Cents. Dave From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Tuesday, March 22, 2005 2:22 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir]

RE: [ActiveDir] Have fun at DEC

2005-03-22 Thread Mark Parris
Hi, I found DEC an interesting experience too, one of the off the cuff remarks that I picked up on was I think by Stuart Kwan (sorry if it was not) on Sox compliance. It was stated that under Sox rules the number of AD administrators equated to two domain admins per domain\forest. This kind of

RE: [ActiveDir] Active Directory Lab Recommendations

2005-03-22 Thread Mark Parris
In windows 2003 SP1 the default tombstone will be 180 days. This should be fun. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: 22 March 2005 04:41 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Active Directory Lab Recommendations

RE: [ActiveDir] Active Directory Lab Recommendations

2005-03-22 Thread James_Day
Return Receipt Your RE: [ActiveDir] Active Directory Lab Recommendations document:

[ActiveDir] IExplore RSOP Error?

2005-03-22 Thread Dale, Rick
Hi Everyone: I have several computers that are having a problem with Internet Explorer not connecting correctly. It sits and hangs and I get the Application Hang Event ID 1002. I have looked to prior errors like the message says and can not find any information on it. I am

[ActiveDir] IExplore RSOP Error?

2005-03-22 Thread James_Day
Return Receipt Your [ActiveDir] IExplore RSOP Error? document:

RE: [ActiveDir] IExplore RSOP Error?

2005-03-22 Thread Mark Parris
See the article 888254 You cannot set the Folder Redirection policy setting on a Windows XP-based computer that also uses Group Policy settings to customize Internet Explorer From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dale, Rick Sent: 22 March 2005 21:41

RE: [ActiveDir] Using LDAPS

2005-03-22 Thread joseph.e.kaplan
I'm going to guess that this is some kind of a certificate store configuration problem then as well. Unfortunately, I'm not the guy here who configures this stuff, so I'm not sure what to look for here. Did you follow the KB article on configuring the DC for a third

[ActiveDir] Top Tip - Outlook\GC Connectivity

2005-03-22 Thread Mark Parris
If anyone is using Outlook 2003 and experiences any connectivity issues, Right Clicking the Outlook Icon in the Notification Area (System Tray), whilst holding down the CTRL key enables a hidden option to show connectivity status great if you need to know what GCs and DCs your client

RE: [ActiveDir] Using LDAPS

2005-03-22 Thread Isenhour, Joseph
I did. I used the MS tool to req and then import the cert into the local machine store. I do this often and succeed most of the time. Problem is when it does not work I have no idea how to troubleshoot it. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

RE: [ActiveDir] Using LDAPS

2005-03-22 Thread Mark Parris
This is also part of the same statement as well In domains where no enterprise CA exists, this is an expected event and you can safely ignore the message. Is it a 3rd party certificate? Mark From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf

[ActiveDir] OT:strange favor

2005-03-22 Thread Kern, Tom
Hi all. I've posted on this list a lot and I know the fears about disclosing potential security threatening info but I have a favor to ask. I'm at a DR site and I am attempting to recover a child domain. I'm the domain admin (but not enterprise admin of Forest) of said child domain and the

RE: [ActiveDir] OT:strange favor

2005-03-22 Thread Gil Kirkpatrick
Replied offline -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Tuesday, March 22, 2005 4:18 PM To: ActiveDir (E-mail) Subject: [ActiveDir] OT:strange favor Hi all. I've posted on this list alot and I know the fears about disclosing

RE: [ActiveDir] OT:strange favor

2005-03-22 Thread joe
Good idea Gil. Waiting for someone from the forest root domain to come into the office to answer the question wouldn't have been bad either for the realistic edge to the DR experiment. Doing DR testing domain by domain probably isn't optimal. Maybe this will scare someone into thinking a little

RE: [ActiveDir] Active Directory Lab Recommendations

2005-03-22 Thread joe
You can have just about any TLS value you want as long as you know that your end to end convergence is less than the value and you make sure any DCs are not down or not replicating longer than that period of time. If you have a TLS of 60 days, strongly consider having a policy in place that

[ActiveDir] DNS scavenging

2005-03-22 Thread Daniel Gilbert
To All: Is there a way to script the setting of the Delete this record when it becomes stale checkbox? I am attempting to setup a test forest with multiple domains to do some testing/learning about DNS scavenging. I have found a script that creates resource records (thank you Robbie

Re: [ActiveDir] Using LDAPS

2005-03-22 Thread Mark . H . Lunsford
Looks like the only thing left to check is the name, you might check the port ? Thank You ! And have a nice day ! ** Mark Lunsford KAISER PERMANENTE Directory Services Identify Management (DSIM/NOS) Email: [EMAIL PROTECTED] Outside

[ActiveDir] LDAPS part 2

2005-03-22 Thread Douglas M. Long
I am feeling lost right now. Without LDAP over SSL enabled, does AD pass LDAP traffic around in plain text? If so, exactly what information would that be (that is being passed in clear text)? I have been wondering if I should implement a CA and LDAP over SSL, but I

RE: [ActiveDir] OT:strange favor

2005-03-22 Thread Kern, Tom
our IT dept's relationship with the root admins is tenditious at best. and these little hiccups do nothing to change the matter on either side. personally, I think we should've just been given an OU and have complete authority delegated to that. but my opinion matters very little in an ORG that