Agreed but the poster specifically asked for proactive
measures. I merely offered such a measure.
:)
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: 13 December 2005 20:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Defrag
I
Thanks Jorge
I was aware of these. They provide good detail, but both of them assume that
the DCs in the second forest to which referrals are made are available. For
example,
5. Workstation1 contacts a domain controller in ForestRootDC1 (its parent
domain) for a referral to a domain
I'm not sure that there are additional DNS related pieces of the
equation, not documented by Gil.
The process is more of a referral than a DNS lookup per se, as per the
steps below. i.e. the client always talks to a DC in its own domain,
which then talks to a DC in the other forest. [I believe
I currently have a single domain (w2k3 FFL) with approx 40 DC's. (1 for every site) They are all configured as GC's. I have approx 3500 users. The WAN connection speed ranges from 512k to 2mb. I read somewhere that having every DC as a GC is unnecessary due to the increased amounts of
Frank,
This should not be an issue in your environment as you have a single domain. By
definition a GC holds only a partial replica of the other domains in the forest
and you have none.
Regards
Mark
-Original Message-
From: Frank Abagnale [EMAIL PROTECTED]
Date: Wed, 14 Dec 2005
This script is part of another script
that upon logon, checks certain registry values, then if the values are not
set, the script then sets the value and logs off the current user. Like I said
before, it works on Windows XP but not servers. Why?
From:
[EMAIL PROTECTED]
In a single domain forest you should have all DCs as a GC. Why? There is no
additional overhead in terms of replication and/or disk space needed. Only
benefits. I would leave it as is
cheers,
jorge
From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Wed
Have you
tried your script as a plain admin on server? I wonder if it is not a question
of privileges ...
Try to add to
your script the following before connecting to the Root\CIMv2 namespace. Then
retry ...
Set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
Frank,
We currently have a similar topology to yours. All of my
DC's are GC's. There is no disadvantage to this regarding replication
traffic as you are a single domain. I would continue using your current
model of every DC being a GC.
Regards,
Dave Chianese
From: [EMAIL PROTECTED]
Steve,
Thanks much for the sample script.
-Dave
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Wednesday, December 14, 2005 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] csv to ldf converter
Script the whole thing! This
script
I use PsShutdown.exe from www.systeminternals.com (free). Create
single batch file and run it.
Here is my batch script to reboot all servers at once.
c:\tools\shutdown -r \\server1 (-r restart the machine)
c:\tools\shutdown -r \\server2
c:\tools\shutdown -r \\server3
c:\tools\shutdown -r
dsHeuristics can be used to control whether the 'list contents' ACE has an effect. So if the attribute is set to 001 then this means that if you haven't got list contents permission on a container then you can't see what's under it. Whereas if dsHeuristics is the equivalent of 000 then list
Below is a quote from the WindowsITPro magazine.
If you have just one domain, Microsoft recommends that you make all
the domain controllers (DCs) GC servers so that your network won't incur
any extra space usage or processing. In essence, the infrastructure
Flexible Single Master Operation
Wow who wrote that article in the magazine? That is pretty bad.
The end result is the same though as stated by everyone so far. If you have
a single domain there is only slight overhead if you make all DCs into GCs.
The only overhead I can really think of is that you will have more global
catalog
have you seen the following:
http://www.windowsitlibrary.com/Content/667/04/2.html
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/controlling_object_visibility.asp
also look at: http://www.kimberry.co.uk/Downloads/Index.aspx -- Implementing
Server Security focusing on
I still get the same error running on a
server:
Generic Error
It seems to be giving an error right at
this point: objSystem.Win32Shutdown 0
Here is the whole script:
Set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
objWMILocator.Security_.Privileges.AddAsString
Who wrote it?
*J
John Savill
John Savill is Director of Technical Infrastructure for Geniant. He is a
CISSP, a Security and Messaging MCSE on Windows Server 2003, a six-time
MVP, and a
It sounds like this is an Inter-forest move, but just to make sure, you are talking about migrating users from one forest to another, correct? If so then Brian has already answered your question.
If you are talking about migrating users between domains in the same forest that procedure is actually
John is right though. If all DCs are GCs, putting the IM role on a GC
isn't a problem.
Thank You,
Anthony Scott
Berbee
4690 E. Fulton Dr., Bldg. C
Ada, Michigan 49301
(616) 481-9722
(616) 464-6369
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Why not use shutdown.exe?
Thank You,
Anthony Scott
Berbee
4690 E. Fulton Dr., Bldg. C
Ada, Michigan
49301
(616) 481-9722
(616) 464-6369
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, December 14, 2005
10:39 AM
To:
Aha. It is down to shoddy cut and pastes then. Sorted. The 3rd bit controls the "list object" behaviour not "list contents". The former is only available to use in an ACE if the 3rd bit is set to 1. If it's set to 0 or "not set" then "list contents" is available but not "list object". This
The issue with IM on GCs is solved in Windows 2003 for multi-domain
forests...
Chuck
I think John's article is pseudo-accurate but *very* badly worded, if I
can be candid.
I had to re-read it several times.
neil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: 14 December 2005 15:45
To: ActiveDir@mail.activedir.org
Subject:
I would have to call that .exe from the
script, which is what I was trying to avoid. Rather use built in wmi calls.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott, Anthony
Sent: Wednesday, December 14, 2005
11:01 AM
To: ActiveDir@mail.activedir.org
Subject:
Note that the *client* will talk to the DC in the other forest as
well...
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, December 14, 2005 1:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross forest
I don't think Joe is disagreeing with THAT point. John has the general idea,
but his description/explanation is somewhat shall we say ..glossy.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now
Here is scenario that is currently being played in my company. We have W2K AD in place,
we are not using GPOs except one or two. Now suddenly they (read managers) realized that
we need to implement GPO extensively. There are issues with current AD infrastructure like
replication is not proper, DNS
The aim here
is to logoff users with the WMI method Win32Shutdown (parameter 0 = Logoff), not
to shutdown the machine :)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, December 14, 2005 7:05 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]
Batch file would do. I am finding that, in
general, some of the command line tools included with 2003 are much easier to
work with than WMI or VBScript depending on what you are trying to
achieve.
Thank You,
Anthony Scott
Berbee
4690 E. Fulton Dr., Bldg. C
Ada, Michigan
49301
Title: FSMO Role Transfer GUI
Anyone interested in testing a FSMO Role Transfer GUI? If so, please email me at [EMAIL PROTECTED] and I'll send you a copy.
Essentially a front end for the NETDOM and NTDSUTIL exe and was generally an exercise in working with external exe and discovering the
SBS has VSC built in and yes it's one of the ways along with the nightly
backup and the manual scripted robocopy that I do to an alternative
location.
Based on VSC coverage that does snaps on those folders every two hours
I'm about as covered as I can be on the data side to minimize loss.
Only I need it to just logoff, not reboot.
It's a very simple script. Doesn't make sense how it works on XP
but not Win2000 or Win2003.
Here it is again
Set objSystemSet = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}").InstancesOf("Win32_OperatingSystem")
For Each objSystem
Same error
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Wednesday, December 14, 2005
11:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
Win32Shutdown Method Win2003
On 2003? Or 2000?
Hmmm ... can you try with
Ideally I would recommend fixing your current environment, making
it stable and make sure it stays stable. During this time plan an upgrade to
2003. I would recommend not implementing any extensive GPO implementations
until your current environment is stable.
Thank You,
Anthony
Actually I prefer that all DCs be GCs and can't see why you wouldn't
do that globally at this point in time.
Chuck
Perhaps hiring an experienced MCSE contractor will help. Replications and
other issues with AD is almost always a start with DNS.
You are talking about redoing the whole AD structure and losing accounts
and passwords? How large is the company? How will you implement Windows
2003 differently
Title: FSMO Role Transfer GUI
We could make it available as a download at ActiveDir.org
if you like. I'm sure a lot of people would be
interested.
Tony
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WILLIAMS, J.D.
Sent: Thursday, 15 December 2005 6:27 a.m.
To:
Let me ask if there is any issue with IM
if all your DCs are GCs in your domain, which is a child, but not
all the DCs in the forest are GCs? We have been refreshing our DCs
and making all GCs but the IM is running on the last one to refresh
which is not a GC. We plan on transferring this
Yep. Basically the end result is the same, just don't agree with the
phrasing much.
The best descriptions I have seen have been by Dean Wells. If you search the
newsgroups and adorg archives for Dean and Infrastructure Master and
Phantoms you will find some pretty in depth discussions. He even
We went through that a while back. If your current environment is not
running properly group policies won't apply correctly. They will be hit and miss as to which workstations they
apply to. AD problems usually track back to DNS
problems
Fix your current problems
first..
Mike
David,
Novell also do a perl-based script in their Cool Solutions archive if
you're interested
http://www.novell.com/coolsolutions/tools/14462.html
Regards,
Mylo
CHIANESE, DAVID wrote:
Steve,
Thanks much for the sample script.
-Dave
Absolutely -- you must fix DNS and other core service issues in Windows
2000 or your migration could experience difficulties.
Chuck
Devon-
Are you getting an actual error or just that it doesn't
work? I ran your script on my test W2003 box and it worked just fine. I ran it
as administrator at the server's console. How are you running this script? At
the console or in a TS session? The latter may be problematic. Also, you
In large multidomain
corporate environments with hundreds of DCs and WAN sites tend to have very
limited bandwidth (or bandwidth is allocated to some critical LOB and AD and
everything else picks up the scraps) or lesser equipment and honestly there
is no reason for a 10GB or bigger DIT in a
FWIW If you are sitting at the console
of the server the method works fine. However it consistently fails with the
generic error if you are logged in via TS to session 0 or another.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday,
Jitendra,
I noticed you stated that the Win2K environment is almost
non-existent; if that's true then a side-by-side migration may be a
possibility.
If you're keeping the Win2K solution, I'd definitely stabilise first...
don't touch Group Policy until you've resolved any DNS issues first,
No issue.
Thank You,
Anthony Scott
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simpsen, Paul A. (HSC)
Sent: Wednesday, December 14, 2005
2:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing
number of Global Catalogs
Let me ask
I agree, hire a contractor. Get it done right while things are still in their
infancy.
:)
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, December 14, 2005 1:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] W2K
If you have just one domain, Microsoft recommends that you make all the
domain controllers (DCs) GC servers so that your network won't incur any
extra space usage or processing. In essence, the infrastructure Flexible
Single Master Operation (FSMO) role still checks the GC for many
operations.
The IM is a domain FSMO role. SO the only concern is WITHIN the domain
No matter what forest structure you have for each domain the following applies:
* If all DCs in a domain are GC, there is no other choice where to put the IM.
So no issue here
* If at least other DCs in a domain (besides
Not being a fan of WMI I can't say why, I can offer this
though
http://www.joeware.net/win/free/tools/qlogoff.htm
which I made available here previously.
I call exes from scripts all of the time. Most often it is
the fastest, easiest, and cleanest solution.
From: [EMAIL PROTECTED]
Hmm... You're right... it
works fine from the console. Many of our admins logon through rdp though. Is
there a workaround for TS sessions?
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, December 14, 2005
2:16 PM
To:
Company is large and distributed across the globe in around 66 countries. Here is
other thing, I just joined the team about say 3 months back and found out many
things that need urgent attention to state a few, first was replication which right
now is fixed. Not perfect but working okay for the
YUP, you should add 4, Here is some code
Const LOGOFF = 0
Const SHUTDOWN = 1
Const REBOOT = 2
Const FORCE = 4
Const POWEROFF = 8
For Each objPC In GetObject("winmgmts:{(shutdown)}").ExecQuery("Select * from Win32_OperatingSystem")
    objPC.Win32Shutdown LOGOFF + FORCE
Next
On 12/15/05, Darren Mar-Elia
Can you define your goals and objectives when you say secure my W23K serves ??
Security is not a product you can buy or apply, but rather it's a
product you develop based on your needs and resources.
Al
On 12/12/05, Ravi Dogra [EMAIL PROTECTED] wrote:
And do i only need to run MBSA for
Title: OT: Printing to a CNAME
Hi all,
Sorry for the OT but I can't think of a better place to ask...
We're combining the printers from four old servers onto one new server. We hope to use CNAMEs to avoid modifications to the clients. I've seen kb870911 but I was wondering if anyone
It was never done right from the start that is why you are having
problems. Sounds like the IT team lacks AD knowledge. First thing you
need to worry about is DNS before anything else. When DNS is
working properly things will fall into places a lot more smoothly.
Z.V.
Jitendra
Regarding DNS, ultimately you should
really move it to MS AD integrated DNS.
You can do something like this:
http://truetechsolutions.supersized.org/archives/34-Use-BIND-as-an-AD-DNS-server!!.html
Thank You,
Anthony Scott
From: [EMAIL PROTECTED]
[mailto:[EMAIL
Unfortunately the addition of the force
flag does not resolve this issue.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Wednesday, December 14, 2005
12:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]
Win32Shutdown Method
Appreciate the input, it verified what I
had thought. But when I started seeing if single
domain, etc. well I had to ask. And yes refreshing = dcpromo out and
dcpromo on new HW.
Thanks
Paul
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Windows 2003 AD
How do you go about viewing the users you have set as delegates for an
OU?
I setup a test earlier with a delegate on a test OU, it worked but I
don't see where you can see who is a delegate.
List info : http://www.activedir.org/List.aspx
List FAQ:
Force (4) also gives the same result.
Generic Error. And does not log off the user.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Wednesday, December 14, 2005
3:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]
Win32Shutdown
I think this has to do with the APIs that are used by
WMI to initiate the Shutdown, and the
special nature of TS sessions. The
ExitWindowsEx API, which I suspect WMI is calling under the covers, since it
takes the same parameters as that function, only works for console sessions.
However, TS
The DSheuristics setting activates or de-activates the
List Object permission, not the List Content permission - however, you have to
use both in conjunction to reach most goals in respect to hiding data in AD.
I've created this table for other stuff I'm
working on to clarify the confusion
the if single domain... means
-- make all DCs a GC as there is no replication overhead and no additional HD
space is needed
which IS the case (additional replication and additional HD space) in a multi
domain forest environment.
The IM thing is as I stated below in the other post
jorge
In ADUC, go to View, Advanced Features, right click the OU, properties,
security tab.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Craig Gauss
Sent: Wednesday, December 14, 2005 5:12 PM
To:
You could use dsrevoke with the /report switch on a particular OU or Domain.
On 12/14/05, Craig Gauss [EMAIL PROTECTED] wrote:
Windows 2003 AD
How do you go about viewing the users you have set as delegates for an OU?
I setup a test earlier with a delegate on a test OU, it worked but I don't see
Where is Dean, have not seen him on this list for weeks?
-Original Message-
From: joe [EMAIL PROTECTED]
Date: Wed, 14 Dec 2005 14:10:38
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs
Yep. Basically the end result is the same, just don't agree
Are you going to use new netbios names for the DC's ?.
-Original Message-
From: Simpsen, Paul A. \(HSC\) [EMAIL PROTECTED]
Date: Wed, 14 Dec 2005 16:07:52
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reducing number of Global Catalogs
Appreciate the input, it verified what I
Hi
I
have about 10 users that left the company. Their AD accounts are disabled. I
would like to use Exmerge to archive their email to PST and then delete them. However,
Exmerge kicks back an error: Error opening message store (MSEMS). These
accounts have the same permissions as the
He is really busy on a contract at the moment. It should be wrapping up shortly
though and after his shellshock wears off he will probably bound back into
action with his perverse british humour. It has been a joy for me watching him
work on that contract as it is big business trials and
Sorry about the absence ... will be back at some point in the near future.
In regards to Joe's comment, I've worked with many large organizations and
haven't found this engagement to be particularly different ... just your
typical slow-moving, v. large company. Joe's just happy that he's not
To
clarify, note the syntax of dsHeuristics (Unicode string) ... it requires
that you enter a sequence of characters (bytes not bits ... nor the decimal
representation of those bits), e.g. - 01000.
--
Dean Wells
MSEtechnology
Email: dwells@msetechnology.com
http://msetechnology.com
How so?
--
Dean Wells
MSEtechnology
Email: dwells@msetechnology.com
http://msetechnology.com
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, December 14, 2005 8:15 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Reducing number of
Ok. I think
we are facing a bug in the TS context with WMI. Let me investigate. I will file
a bug about this. I gonna get back to you but this may take a little
while.
I understand that:
- You are an admin of the box.
- The WMI privileges are granted in the script
- You are TSing into a
Beware of the fact that many spammers now target low priority MX records on the
assumption that they will be backup devices and perhaps doing less spam
checking.
Over the past 7 days, an average of 61% of all mail delivered to our secondary
MX has been Spam compared to 39% of that to the 1y
76 matches