Title: Message
Has
anyone on the list ever run into this ? A systems integrator I know told
me that they were trying to integrate Lotus SameTime with AD as part of an
enterprise portal configuration. Apparently SameTime can authenticate
using LDAP binds and also grab user information which
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx#EJAA
is a 'best practices' guide that
addresses some of this. It covers some of the high-level decisions, and
then goes through a scenario for a three-tier CA hierarchy that you can
reproduce in a
As I read it, the KB cited does NOT say that 'having a DC in a Virtual
Server environment is not supported'. In fact,
MS has published a paper
(http://www.microsoft.com/downloads/details.aspx?FamilyId=64DB845D-F7A3-4209-8ED2-E261A117FC6B&displaylang=en)
with explicit guidance on how to
Whoa...I first read that as "I've also started to get replies to messages
I haven't sent yet..." I know the folks on this list are
good, but not that good...:)
Dave
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil
but that is looking for contact
information not a particular group. Perhaps I am missing something.
Jeff
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Monday, August 29, 2005 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE
I've
been thinking about the exact same scenario, for the same reasons...Some months
ago, there was a presentation at the local Microsoft office by a large local
company that's using the proxy object method. They put their extranet
users directly in ADAM, and built some
If you
did recently change your pw, look for other places where you might still be
logged in with your old pw (other workstations, etc.). Don't forget about
terminal server sessions...like ones where you thought you logged out
but really only disconnected - not that that one
Noah-
I had
a newly-promoted DC one day that wouldn't register one of the DNS records
(I forget which record), that effectively messed up replication from that server
to the other DC in that test domain. After unsuccessfully trying the old
stop/start netlogon trick and a bunch
Cyrus -
please look at the configuration of your e-mail program and ensure that
your FULL e-mail address (not just cyrus) is specified in the 'reply
to' field.
This has been going on with your posts since at least last July, and has
been discussed on this list at least twice since then. Most of
Have you considered 802.1x with certificates on the authorized machines
? XP supports it natively, and late model switches should support it.
You usually hear about it in the context of wireless, but it works in
wired networks too. Just a thought.
Dave
-Original Message-
From: [EMAIL
Does this provide any permissions above and beyond changing group
membership ? For example, can the person/group that's been named in the
manageBy box do anything else to the group, such as rename it, delete
it, etc. ?
I hope not, 'cause if it ONLY allows management of the membership list
it
?
Roger Seielstad
E-mail Geek
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Fugleberg, David A
Sent: Thursday, April 14, 2005 2:22 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] How much of the DIT is cached in RAM ?
How can I
How can I determine how much of the DIT is being cached in RAM on a
given DC ?
Dave
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Here's
a guess on the mechanism behind your 'Extremely Weird
Problem':
As you
know, GPOs consist of two parts - the part stored in the SYSVOL, and the part
stored as an object in the domain naming context of AD. When a GPO affects
settings that are themselves attributes of
I've
noticed that if you set an account to 'require smart card for interactive
logon', you can't interactively login with that id/password but you can still do
an LDAP bind with that ID - I suspect you could also do a 'net use', runas, or
other such things with it as well.
A common thing to do in a 'hub and spoke' network is to configure the
DCs in 'spoke' sites to NOT register domain-wide SRV records. That way,
if the DC in a spoke site goes down, the client will discover
domain-wide SRV records for only DCs in the hub site. This prevents the
client from
The chicken did make an appearance at the troubleshooting workshop last
night
I have one of the door-prize chickens from the first DEC back in my office-
they make good stress relievers. One squeeze and the squawk transfers the
stress to the people in all the other cubes around you...
I guess watching programmers code would be no more boring than any of
the other reality shows...how about Fear Factoring, or the Amazing
Race Condition ?
Dave
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Tuesday, March 01, 2005
Careful, Gil...if they keep you there in those conditions long enough
you'll start to identify with your captors and protect them (see Stockholm
Syndrome).
Joe,
you should be retained just for the entertainment value during breaks and such -
I learned stuff just listening to
That additional bit about multidirectory integration sounds suspiciously
like the 'virtual directory' products on the market. I had always
thought of this as a solution in search of a problem, but someone
recently pointed out to me some interesting scenarios where it could be
useful. For
I'm not exactly sure, but I think what you're saying is that the DNS
name of the domain (blahco.com) does not match the NetBIOS name of the
domain (blah). Is that correct ? If so, it's nothing to worry about -
it's likely because it was upgraded in place from a NT domain called
blah, and whoever
, please ask ... it's lengthy.
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Friday, January 07, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject
.. why
;-)
Cheers,
John Reijnders
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, January 6, 2005 21:32
To: activedir@mail.activedir.org
Subject: [ActiveDir] Forest trusts vs trusts within forests
Happy New
per GC is available by default unless
you start using stuff like MIIS :-), extra management,
etc.).
Let us know what you end up with and ... why
;-)
Cheers,
John Reijnders
-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
a lot of
great information in there, but I got to the thread too late which makes
it harder to read and tell what was said etc.
Just curious mostly.
Al
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Friday, January 07, 2005 3
Is there a way to find out exactly when an object was deleted based on
its tombstone ? For example, if a user object was deleted can I find
its tombstone somehow and retrieve a timestamp of when it was deleted ?
List info : http://www.activedir.org/mail_list.htm
List FAQ:
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Thursday, December 09, 2004 12:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Finding out when an object was deleted
Is there a way to find out exactly when an object
We had
a situation some time ago where much of the DDCP was accidentally changed.
While troubleshooting another issue, PSS had one of our people recreate the
'local' group policy file on a DC, using the procedure in Q278316. PSS
assured him that they do this all the time and
a different policy than the rest of the DCs by purposely
breaking FRS... So maybe these shouldn't be replicated in
FRS...
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Wednesday, October 13, 2004 12:00 PM
To: [EMAIL PROTECTED
Al -
could you elaborate on the comment "why aren't they using Active Directory
security again?" ? When I read Mark's question I assumed (maybe
incorrectly) that these were apps on external systems that simply used AD as an
LDAP server, and made access-control decisions based
Some
LDAP 'consumers' get around these problems by first searching the directory for
the user to get their current full DN, and then doing a bind with that. Of
course, that means that you need to search on something that you know to be
globally unique, like samAccountName.
or come up with some way to allow the user to be uniquely identified
such as allowing anonymous binds to AD.
It's a sticky issue to be sure.
Al
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Tuesday, October 19, 2004 1:30 PM
To
That's
all correct, with one addition: if an account is locked out at a DC other than
the PDCE, it uses 'immediate replication' to tell the PDCE about it. This
does not wait for any schedule; it just happens. There's a webcast
transcript out there that details the various
You might want to look at Microsoft's Branch Office Deployment Guide.
There's a lot of good info in there for hub-and-spoke deployment
scenarios. It describes why you might want to disable the Bridge All
Site Links in that situation. We have more than 40 sites in such a
deployment, and disabled
I posted on this topic before but I think I can explain the issue more
clearly now...
If I use the /S switch of DSACLS to restore the ACLS of an object back
to the default as defined in the schema, the object no longer inherits
auditing entries. The simplest test to observe this is:
1. create a
Sorry if this is a dup - didn't see it after several hours..
I posted on this topic before but I think I can explain the issue more
clearly now...
If I use the /S switch of DSACLS to restore the ACLS of an object back
to the default as defined in the schema, the object no longer inherits
Of Fugleberg,
David A
Sent: Monday, July 12, 2004 10:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting new ACE into DACL fails with Account Operators
I'm running this directly on a lab DC, so that particular guess
shouldn't apply...I'm not about to start mucking around in c
Sounds like a replication issue to me
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Wednesday, July 14, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Weird KB article
maybe it's useful when you have problems
PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Friday, July 09, 2004 5:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting new ACE into DACL fails with Account Operators
I suspect that being a Built-in group has something to do with it...I'm
just looking for a way around
If you
specify subnets in ADSS that 'overlap', the machine will use the most
specific one that applies in order to figure out its site membership. For
example:
subnet            range                            site
192.168.0.0/16    192.168.0.1 - 192.168.255.254    HUB
192.168.1.0/24    192.168.1.1 - 192.168.1.254
I'm trying to fix up some user accounts that used to be in one of the
admin groups protected by AdminSDholder. Using Robbie's most excellent
cookbook, I wrote a script to read a list of users and for each one, do
the following:
- set AdminCount to zero
- turn on the Allow Inheritable Permissions
is in effect?
There may be something helpful here to jog the thought process:
http://www.microsoft.com/technet/community/scriptcenter/user/scrug128.mspx
-ajm
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Friday, July 09, 2004 4
If I understand your original post, some of the workstations are authenticating to the
DC in the other building (same site), and some are using a DC in a completely
different site. The other responses answer the first issue (all DCs are treated the
same within a site), but don't address the
I want to stop a specific DC from authenticating users as part of a test. The server
also provides DNS for the clients, so I don't want to shut down the box during the
test - I just want it to be 'invisible' to clients looking for a DC for the duration
of the test (a couple of days max).
Is
This
was the behavior in Win2K as well. You need to select one of the existing
site links when you create the new site D. You can just pick
one. Then create your new site link and pick sites A and D to be in
it. Finally, go to the properties of the site link you picked while
creating Site D
Another possible approach:
use a
unique userID for each such PC, maybe related to the machine name or some such
unique identifier. Poked into the auto-login keys of the registry
upon installation using a script.
Write
a script to create the 'user' accounts in the domain and configure them so
We have some DCs in locations that probably no longer justify a local DC. I'm trying
to do some quantitative analysis to see just how busy the DC is in those locations.
I'd like to dcpromo some of them down if possible so the boxes can be used as member
servers. The business want to install
Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Thursday, May 27, 2004 12:23 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] NTDS perf counters
We have some DCs in locations that probably no longer justify a local
DC. I'm trying to do some
LDP is great for a quick look-see but isn't really a reporting tool - I don't know of
any way to write the output from the search into a file. That said, it certainly is
possible to have it return specific attributes instead of all attributes. In the
Search dialog, click the Options button
csvde -f outfile.txt -d cn=users,dc=yourdomain,dc=com -r "(&(objectclass=user)(objectcategory=person))" -l mail,proxyaddresses
Replace the cn=users,dc=yourdomain,dc=com with the place you want to start the
search, or leave out the -r altogether if you want to do the whole domain naming
context of
Or better yet, combine what Al said and what I said, like this:
Csvde -m -f OUTPUT.CSV -d dc=domainname,dc=com -r "(&(objectclass=User)(objectcategory=person)(mail=*))" -l mail,proxyaddresses
That way you get only the attributes you want, and then only for people who actually
have mail addresses.
:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Wednesday, May 26, 2004 11:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Can LDP be used to create email report of all users
in AD?
csvde -f outfile.txt -d cn=users,dc=yourdomain,dc=com -r "(&(objectclass=user)(objectcategory=person))" -l mail
the command
line. If it is different from your shortcut, check your path statement.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Monday, May 24, 2004 4:06 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Runas command not working from
Sorry for the offtopic post but have not been able to find the answer...
On my workstation, the runas command no longer works from the command line. When I
try to run anything using runas from the command line, I get a dialog box titled
runas.exe - Application Error, with the text The exception
-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Thursday, May 13, 2004 6:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] HELP ! - password policy changing on replication
Further info - I found a posting
We're experiencing a problem which I'm sure I've seen documented before...just can't
remember where.
Symptom is that people are having passwords expire prematurely - suddenly they're
prompted for id/password when trying to access a resource, and if they log out/in they
are told their password
the correct settings. Can anybody help ? We're working our way to the right
folks at MS PSS at this point...
Dave
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Fugleberg, David
A
Sent: Thursday, May 13, 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir
I'm curious what y'all do with those situations where you have to manage credentials
for 'outsiders' - in other words, users from some business partner, vendor, etc. who
must have access to some resource in your company. For example, say you have some
intranet web app that you make available
through and ADM addin) to enable
this setting?
-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
Sent: Friday, May 07, 2004 12:22 PM
To: [EMAIL PROTECTED]
Subject: RE: LIKELY ADV: RE: [ActiveDir] Need to confirm a behavior in AD
Sites as it pertains to authentication
In a hub/spoke situation, you can always tell the DCs in the 'spoke' sites to NOT
register domain-wide SRV records. That way, if a machine is unable to find a DC in
the site-wide SRV records for its site, and goes to the domain-wide list, it will find
only DCs in the 'hub' site, which is
Joe - I certainly agree that LDAP is not a great mechanism for authentication, for the
same reasons. It is, however, available, and meets an immediate need (beats having a
separate identity store in each app server). Getting everyone to speak Kerberos is
not a small task. Having a single
Eric -
we basically did what you suggest...our CN, name, and sAMAccountName attributes are
the same. WebSphere users can use their LAN ID and password. Since WebSphere also
grabs the group membership info for the user when they log in, it can map this to the
'roles' in the J2EE application,
IIRC, the 'island problem' in W2K happened when a DC that pointed to itself for DNS
registered its GUID CNAME record in its own AD-integrated copy of the _msdcs zone, but
since nobody else knew about it they could never replicate it from there to the rest
of the domain. Can you elaborate on
Joe -
Re your DEC writeup, I grabbed an extra copy of Stuart's survey to show
the folks back home, so if you want the complete thing I've got it - I don't
know if anybody would be opposed to my posting it here or not... (Stuart ? Gil ?
Anyone?)
It was
good to meet you and your manager at
Joe - care to elaborate on the error that didn't become obvious until it replicated ?
I'm just curious what to watch for - maybe I'll add some steps to my schema change
testing process...
Dave
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of joe
Sent:
Rich,
one other consideration - sometimes it's *preferable* to define your own
attribute rather than using an existing one - depends on how good a match the
data is to the existing attribute you're considering. For example, if
they want to add a user's title, there's a perfectly good
Can anyone enlighten me about the account option store password using reversible
encryption ? As I understand it, some kinds of clients and some kinds of remote
access solutions that use CHAP require that this option be enabled. Just the sound of
it makes me uncomfortable.
What are the
perhaps I missed something in quickly reading this thread, but is it possible that you
were still able to get answers for bestbuy.com simply because they were already in the
caching resolver on your workstation? You mentioned that you removed the forwarders,
cleared cache, and restarted the
Amen to that - full disclosure on the content of schema extensions is a must.
BTW, Robbie, my copy of the Tuna book showed up from Amazon yesterday - Having read
the chatter on the list, I preordered it awhile ago. After all the praise and
anticipation on this list, it wasn't exactly what I
Rick - this brings up an interesting point...it seems like every time I want to do
something like this (figure out exactly what permissions to set to allow group X to do
task Y and no more), I have to hunt, dig, experiment, etc.
I don't own every AD book ever printed, and barely have time to
PROTECTED] On Behalf Of Fugleberg, David A
Sent: Monday, August 25, 2003 11:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Number of Interactive Logons
Rick
- I'm not trying to beat a dead horse here...just want to make sure I
understand how it really works. Since I trust your experie
And
the correct answer is
This
setting has nothing to do with how many times a given user can log in when no DC
is available. It has everything to do with how many users will
have their credentials cached on the workstation while it is
connected.
Try
this simple
))
Jerry Welch
CPS Systems
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Fugleberg, David
A
Sent: Thursday, August 14, 2003 1:59 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP search filter for enabled accounts ?
Is there anything I can use in a LDAP
Is there anything I can use in a LDAP search filter to include only accounts that are
enabled ? For example, a filter like
(&(objectclass=user)(objectcategory=person)(physicalDeliveryOfficeName=MSPJ)) will
find all user objects whose office is in building MSPJ - I'd like to add an argument
We had a discussion involving this very issue on this list last week - MS has a KB
article that describes this:
http://support.microsoft.com/?scid=812499
There is a hotfix (referenced in this article), and the fix is included in Win2K SP4.
Hope this helps...we're updating all our DCs to SP4 now,
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Fugleberg, David
A
Sent: Friday, August 15, 2003 2:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP search filter for enabled
Dean -
given all that, why not just do the whole ADPrep /forestprep and /domainprep
? Even if the domain stays Win2K forever, would there be any harm in doing
so? From what I've seen, there isn't.
I
guess the question is, why is it more acceptable (to your customer) to do a
subset of these
Sounds like you've got it covered. No problem with bringing in the other domain later
- my comment about 'works well for a single domain' was *as opposed to* a situation
with lots of domains that you might want to restructure and collapse - in that case,
many folks opt for a brand new AD and
I
think the key point for Chris is that the GPO must be linked to a Site, Domain,
or OU where the user exists if it is to have any bearing on that
user. You can filter by group to prevent a given GPO from being
applied, but only if it WOULD have been applied in the absence of
Title: Strange Inherited Permissions Problem
Were
these users ever a member of one of the admin groups (like Domain Admins)
? If so, you're probably being bitten by the adminSDHolder process - once
an hour, the DC with the PDC FSMO looks for accounts that belong to one of
several
In
ADUC, go to the View menu and make sure "Advanced Features" is
checked. Then find the object and look at its Properties dialog - there's
a tab called "Object" - the object's full name is listed there in the
form domain/container/container.../object (example:
Hmmm...in all of my forests, EmployeeID is already an optional attribute of the
abstract class organizationalPerson. The ntfaq article recommended below tells you
to add it as an optional attribute to the abstract class person.
In any event, it is not visible in any of the 'stock' GUIs that
If it's really bridged, as in one big, happy IP subnet, how would you create sites ?
Maybe I'm just confused...happens a lot lately.
Dave
-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 04, 2003 3:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE:
you extend the schema using
LDIF files? could you show me an example, because i had failed to do that, so
i have to program it by C++ , thanks
very much~
- Original Message -
From: Fugleberg, David A
To: [EMAIL PROTECTED]
Sent: Friday, May 30, 2003 3:43 AM
I'm
not the expert either, but I do have some experience with this. Normally,
like Rick said, GUIDs are simply assigned by the system upon object
creation. SchemaIDGUID is kind of a special case, though - it's the GUID
of the classSchema or attributeSchema object itself. If you ever want to
Roger,
can you expand on your last paragraph a bit ? We're going to be turning on
a password filter with more rigid complexity requirements before too long.
Does this mean that everyone whose current password doesn't meet the new rules
will be unable to change their password
Does anybody use the Schemadoc tool from MS
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/schemadoc.asp)
to document their private extensions ? If I use the XSL stylesheet included with the
download to format the output, it never shows the attributes in the
The extensions installed by the Exchange2K forestprep process DO include items that
are part of the PAS, so it will trigger a complete GC replication. This may or may
not be a big deal, depending on your topology and how much bandwidth you have to spare.
In a single-domain forest, all DCs
with MSFT.
-gil
-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 06, 2003 11:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add attributes or use existing ExtensionAttributes ?
Thanks Robbie, Gil, and Alan for your replies...I
is
that they use VMWare to set up a small test forest, save the image
files,
extend the schema and test the apps, and if they need to redo
the schema
extension, they just revert to the saved VM images. Pretty painless.
-gil
-Original Message-
From: Fugleberg, David A [mailto:[EMAIL
We've gotten by so far (2 years plus) without making any 'custom' schema changes to
our forest - only changes have been due to E2K.
We now have a need to store some company-specific user attributes (some codes
regarding each person's place in the organization that are defined in our payroll
I'm
hoping to - just waiting to see if my conference request has been approved by
the people with the purse strings. If not, at least I still have my
chicken from last year hanging prominently in my cube...
Dave
-Original Message-
From: Gil Kirkpatrick
The issue described by both Roger and Linton is called the 'island problem', and is
described in KB article 275278. Basically, it involves specific DNS records
registered by the domain controllers in the _Msdcs.ForestDnsName DNS domain. These
CNAME records are required for replication. Let's
Roger- can you elaborate ? If a domain does NOT have the complex password filter
enabled, and then chooses to enable it, are you saying the users with existing
non-complex passwords are unable to change them ? Is that behaviour XP-specific, or
does it affect Win2K or NT4 clients ? Any
We had
no issues when we went native...similar situation: Single domain, lots of NT4
clients and member servers, as well as W2K clients and member servers. A
month or so after the last of the NT4 BDCs was removed, we made the switch
with no complaints. This domain had been
I'm
not a JNDI expert, but here's a thought...are you able to create an entry of
your new objectclass via any other means ? For example, can you
successfully create one by making an LDIF file and importing it with LDIFDE or
ldapmodify ? If so, then at least you know your schema definitions
Or
they had a terminal server session and closed it without logging
out...
-Original Message-
From: Hutchins, Mike [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 9:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User's Account Locked out Every
I'm a little curious too...if you turn off the 'bridge all site links' feature and set
up site links from each site to the hub site, the KCC doesn't create connection
objects between the DCs in the 'spoke' sites anyway. At least, that's been our
experience (single domain). We don't restrict
I know that more than one of us approached Robbie after his talk at the Directory
Experts Conference and told him how great it would be of Cisco to document and release
the scripts they use for that process (hint, hint, Robbie!). Even when the AD folks
and the network folks enjoy a good
It explains the whole area of LDAP referrals very clearly (well, as clear as
anything can be with LDAP).
Tony
-- Original Message --
From: Fugleberg, David A [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 23 Oct 2002 15:25:09 -0500
It's running