in a couple of our applications and are very happy with it.
That's what the extended rights objects are there for anyway :)
-gil
Gil Kirkpatrick
CTO, NetPro
Got DEC?
From: [EMAIL PROTECTED] on behalf of Tony Murray
Sent: Tue 10/19/2004 7:55 AM
To: [EMAIL
for devices in the
respective domains.
-gil
Gil Kirkpatrick
CTO, NetPro
From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Thu 7/22/2004 5:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] NTP server
Where does everyone have their NTP services come
/products/changeauditor/index.cfm.
/shameless product plug
-gil
Gil Kirkpatrick
CTO, NetPro
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: Wednesday, July 07, 2004 11:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Question
Partition heads (usually NC heads) are the AD objects that represent the
root of a domain. So for a domain named foo.bar.baz, the DN of the partition
head object is DC=foo,DC=bar,DC=baz. The replication process, amongst
others, check the ACLs on the partition head before replicating, so the ACLs
And, as I understand it, it is not going to be a free download or Resource
Kit component any more. MSFT is going to charge for it.
-gil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Friday, May 28, 2004 11:19 AM
To: [EMAIL PROTECTED]
Uh, congrats for what? And who's Paul?
-gil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, May 22, 2004 9:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anyone attending TechEd?
I'm planning to be at the MIIS talk if I can possibly
I saw there was a thread that referenced the article I
wrote a while ago for Windows .Net mag about how to control the DC location
process. I seem to have lost the thread somehow, but if you'd like a copy of the
article, you can download it from our website at
somehow,
The thread I remember was from this
February, titled logon server discovery
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, May 21, 2004 3:41 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] DC locator article
I saw there was a thread
The objectClass expression is redundant
and unnecessary. Construct something like (&(objectCategory=attributeSchema)(|(ldapDisplayName=foo)(ldapDisplayName=bar)(ldapDisplayName=baz)(ldapDisplayName=quux)))
-gil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of
Hey, whaddaya want for 6 in the morning?
:)
WRT objectCategory not being needed, is there a restriction
that a classSchema object cannot have the same ldapDisplayName as an
attributeSchema object?
-g
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May
Can you say more about how you intend to use the schema
lookup? Someone earlier mentioned that you could just read the schema into
memory and deal with it that way... offhand that sounds like a good
idea. You can even hang a persistent search on the Schema container to get
notified of any
Oh my, this has flamewar written all over it. Oil and water, Palestinians
and Israelis, Microsoft zealots and Novell bigots, dog people and cat
people. This thread can go nowhere but downhill.
But what the heck, I'll give it a little shove.
Joe, I really have trouble putting refined and yakking
Use adsiedit, right click on an object, select Properties, then select the
Security tab. You'll see the security descriptor information there.
-gil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, May 12, 2004 7:09 PM
To:
Try DsAddressToSiteNames() from the platform SDK.
-gil
Gil Kirkpatrick
CTO, NetPro
Author of "Active Directory Programming"
Don't miss the Directory Experts Conference
March 21-24 Reston, VA
April 25-28 Amsterdam, the Netherlands
http://www.netpro.
Yep, I copied the images from a single non-domain-member image. I bet you're
right.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Wednesday, March 03, 2004 10:56 AM
To: [EMAIL PROTECTED]
Subject:
There's a good description of the different strategies you can use to track
AD changes at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/tracking_changes.asp?frame=true.
Tony, you should add this to the FAQ... It seems to come up every few
months.
-gil
-Original
MACS is in Beta and AFAIK Microsoft is still accepting Beta customers.
-gil
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Thursday, January 08, 2004 1:46 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir]
The problem with the built-in security model is that in most environments
it's easy to get around it by using one of the various LocalSystem
escalations on the DC. All of a sudden the ACLs are meaningless, and AD will
happily replicate the corrupted data for you.
It's hard to do a system wide
that it wouldn't be supported
anymore in W2K3 (I haven't tested to see if it works still). That would be
unfortunate if it isn't supported.
Robbie Allen
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil
Kirkpatrick
Sent: Thursday, December 11, 2003 5:38 PM
Sort of like The directory situation has developed not necessarily to our
advantage, to paraphrase Emperor Hirohito.
-gil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, December 05, 2003 8:58 AM
To: AD mailing list (Send)
for
papers is at http://www.netpro.com/events/decadspring04/index.cfm.
Press release: http://www.netpro.com/company/press_releases.cfm?prid=216
Conference info and registration at
http://www.netpro.com/events/decadspring04/index.cfm
Hope to see you there!
-gil
Gil Kirkpatrick
CTO, NetPro
Author
We're putting together the agenda for the next DEC (in DC Mar 21-24, but don't tell
anyone, it hasn't been announced yet). We wanted to do at least one session that
was more interactive, and Stuart suggested we do something along the lines
of Iron Chef...
Konichi-wa! Today's
There is a company in the UK called NTSim that has a pretty cool product that
does simulations of AD operations and tells you how much traffic, CPU, disk
IO, etc a DC will generate. See http://www.ntsim.com/.
This is the product that we (NetPro) originally sold under the name
DirectorySim.
-gil
://support.microsoft.com/default.aspx?scid=kb;EN-US%3B227260
And http://support.microsoft.com/default.aspx?scid=kb;EN-US;227369
-gil
Gil Kirkpatrick
CTO, NetPro
Author of Active Directory Programming
Find AD problems you don't even know you have!
Register today for NetPro's FREE
DirectoryAnalyzer Rapid Deployment
And don't even think about the bugs and memory leaks!
-gil
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, October 28, 2003 1:36 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DNS WMI
FullArmor FAZAM GPO Auditor... www.fullarmor.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, October 28, 2003 2:26 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir]
I believe a GPO was modified by someone with the
Use LDIFDE...
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wss/wss/sgw_install_ldifde.asp
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Juan Ibarra
Sent: Tuesday, October 28, 2003 2:52 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir]
I'm interested...
-gil
-Original Message-
From: Oliver Marshall [mailto:[EMAIL PROTECTED]
Sent: Friday, October 24, 2003 1:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] documenting servers
Just to let you know the Sourceforge site for the Windows Server
Documentation Project
I'm not sure I understand what the point is here...
Are you looking for a backup/restore solution so you can recover a server
after a disaster?
Or are you looking to document a server's configuration so that you can
recover it manually after rebuilding it from distribution media?
Or is the
Is there some requirement that the people/devices in the test labs be able to access
the production network? Would a firewall between the two help?
-gil
-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 6:17 PM
To: [EMAIL
Generally speaking, all DCs need to be able to contact the RID master
periodically to get a RID allocation. I have some thoughts about how to work
around the problem, but I've never tried them, so you get to be the test pilot
on your first flight :)
1. You can change the size of
changes together in one cycle, which saves processing overhead doing mutual
authentication and such
I would say that if your CPU loads are low and update rates aren't
unreasonable, there would be no problem reducing the delay.
-g
Gil Kirkpatrick
CTO, NetPro
-Original Message-
From: FDiskThePC
Do you know if the app has referral-chasing turned on in the LDAP search? If it does,
it should be able to start at the root and search down the tree that way.
In any case, why not just point the app to the GC; that's what it's there for. Be sure
to set the port properly
Microsoft has a tool called ADSIZER which will give you a DIT size
estimate. See http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/adsizer.asp.
-gil
Gil Kirkpatrick
CTO, NetPro
-Original Message-
From: George Arezina [mailto:[EMAIL PROTECTED]
I talked to the PM involved last week, and he indicated a couple of weeks.
Grain-of-salt-rules apply.
-gil
Gil Kirkpatrick
CTO, NetPro
-Original Message-
From: Sullivan, Kevin [mailto:[EMAIL PROTECTED]
Sent: Friday, October 10, 2003 6:33 AM
To: [EMAIL PROTECTED]
Subject: RE
I have run network monitor and can not find what the traffic is that I am
receiving.
Meaning that NETMON is not showing any traffic? Or that NETMON can't
identify the traffic?
How are you determining that you are actually receiving this traffic?
PERFMON?
-gil
-Original Message-
From:
sent and my laptop has been on for an hour.
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Monday, October 06, 2003 1:26 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT Received Packets
I have run network monitor and can not find what
Robbie Allen, Cisco - LDAP Searching: from Basics to Profiling
Nelson Ruest, Resolution Enterprises - Redesigning GPO Structure for Improved Manageability
Gil Kirkpatrick, NetPro - Active Directory Performance
Guido Grillenmeier, HP CI - Recovering from Active Directory Disasters
Rex Bachman, HP
There is a white paper coming from Microsoft soon (like in the next couple
of weeks) that contains everything you could possibly want to know about
delegation and access rights in AD. Some people on the list are reviewers, so
they may be able to comment on its usefulness.
-g
Gil Kirkpatrick
CTO
The DCs definitely need to agree on FSMO ownership. Forcing a replication might
help, but it's hard to imagine some changes replicating and others not. Usually
it's an all-or-nothing affair between replication partners.
The infrastructure master should not be on a GC, although
DC forest :)
Gil Kirkpatrick
CTO, NetPro
-Original Message-
From: John Reijnders [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 23, 2003 2:32 PM
To: '[EMAIL PROTECTED] '
Subject: RE: [ActiveDir] DSQuery shows wrong DC as holding role
dsquery queries AD directly. You might use
would show that pretty quick, but so would asking the BIND admin if
there is any such settings in place.
Al
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 7:00 PM
To: '[EMAIL PROTECTED]'
Subject: RE
The only change in 2003 re SRV publication that I can recall is that the default
update interval is 15 minutes in W2K3 vs. 60 minutes in W2K.
Some questions:
Is it the same BIND server that worked with W2K?
Did you check the BIND logs?
And if there was nothing there,
Does BIND provide for ACLs on RRs? I didn't know that...
-g
Gil Kirkpatrick
CTO, NetPro
-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 12:40 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 2003
us so far (knock on wood).
DCs are still at Win2K.
Diane
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 3:35 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 2003 DC issue
Does BIND provide for A
the topology so that random admins can't change it to make it
better
4) Have a fall back topology when critical links or DCs go down.
5) Monitor, monitor, monitor. (Yes, I'm biased, but you'll hear the same
thing from Microsoft)
-gil
Gil Kirkpatrick
CTO, NetPro
-Original Message-
From: Jef Kazimer
Time values in AD are stored as 64-bit 100msec intervals since Jan 1, 1601.
That date looks like time zero + 7 days. I'm guessing that somewhere there a
0 is showing up in the calculation where it shouldn't.
Gil Kirkpatrick
CTO, NetPro
-Original Message-
From: Myrick, Todd (NIH/CIT
Three Random
Words
Gil Kirkpatrick
CTO, NetPro
-Original Message-
From: John Parker [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 04, 2003 12:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Interop Exception
Flatulent Pork
Sluggo
John Parker, MCSE
IS Admin.
Senior
servers with updatable zones?
Based on some of the CNAME records not showing up, it sounds like some may
not.
-gil
Gil Kirkpatrick
CTO, NetPro
-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 30, 2003 7:30 AM
To: ActiveDir (E-mail)
Subject
Hey Joe,
Wow, thanks for the compliment dude.
Is the SID bind part of the ADSI ADsPath syntax, or is it something supported in LDP? I
haven't seen it before as part of ADSI.
-g
Gil Kirkpatrick
CTO, NetPro
-Original Message-
From: Joe [mailto:[EMAIL
You can alter the SRV priority and weight settings for the DC so that clients will
select one DC over another. See the Windows .NET mag article I wrote in the
March issue, or DL it from http://www.netpro.com/forum/files/authentication_topology.pdf.
-gil
Gil Kirkpatrick
CTO,
Alain Lissoir's two books are great:
Understanding WMI Scripting
Leveraging WMI Scripting
-gil
Gil Kirkpatrick
CTO, NetPro
-Original Message-
From: Raymond McClinnis [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 8:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir
Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 2:44 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Home Labs Interconnected
Interesting idea I would think that trust isn't so much of an issue as
configuration management. If you have 20 people link
Interesting idea I would think that trust isn't so much of an issue as
configuration management. If you have 20 people link their 100 servers into
a couple of AD forests (for instance), how do you make sure no one
reconfigures the replication topology right when you're in the middle of
testing
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 03, 2003 9:26 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Special DEC offer (was ADAM Doc)
Getting' kinda loose and happy with *my* tab aren't you Todd?
Tell you what. Anyone who has posted to this list
I knew that... I was just pulling your chain :)... No apologies necessary.
-gil
Gil Kirkpatrick
CTO, NetPro
-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 6:28 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Special DEC
Thanks for the kind words...
We haven't scheduled the next European DEC. Best guess would be next fall...
-gil
Gil Kirkpatrick
CTO, NetPro
-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 5:18 AM
To: '[EMAIL PROTECTED]'
Subject
That would be cool. I'll check into it.
-g
Gil Kirkpatrick
CTO, NetPro
-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Monday, August 04, 2003 5:20 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Special DEC offer (was ADAM Doc)
You know
, 2003 11:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Special DEC offer (was ADAM Doc)
Hey, I've seen movies of his toys. He can afford a beer or two.
Off we go, into the wild blue yonder...
Dan
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Monday
Getting' kinda loose and happy with *my* tab aren't you Todd?
Tell you what. Anyone who has posted to this list in the past month and
shows up in Ottawa gets a round on the house. Just mention this special
offer...
-g
Gil Kirkpatrick
CTO, NetPro
-Original Message-
From: Myrick, Todd
If you bring the DC back online, you run the risk of resurrecting deleted
objects in the Config NC and in the global catalog (if the machine is a GC).
If you need the domain data, perhaps you can run LDIF to extract the domain
data, rebuild the DC, then import the LDIF file.
-gil
-Original
Making the same change on multiple DCs is bone-headed, but I don't think it
will generate much additional replication traffic. Aren't the password
changes forwarded to the PDC FSMO role owner for the domain and then
replicated from there? If that's true, then the redundant changes coming
into the
Not sure where it's written, but essentially the authenticating DC merges the SIDs
contained in the sIDHistory attribute, along with the SIDs of the groups the
principal is a member of, into the security token for the authenticating
process. When Windows does an access check,
Nope.
The problem is that applying a GPO to a group does NOT cause the members of the
group to inherit those policies. A user will get policy settings from GPOs on
the user's domain, the AD Site the user authenticates from, and the OU(s) the
user object is contained in. The
made a copy of the user object and put it in another container. You
could use ADSIEdit to find and delete the spurious object.
-gil
Gil Kirkpatrick
CTO, NetPro
-Original Message-
From: Thomas [mailto:[EMAIL PROTECTED]
Sent: Sunday, July 20, 2003 11:37 AM
To: [EMAIL PROTECTED]
Subject
That's a silly requirement that makes no sense from a security standpoint. If the
server team has the ability to install services and updates on a DC, they
have (or can easily get) privileges to do anything in the domain, and more or
less anything in the forest. See the MSFT AD
All the zone data is replicated with the domain (unless you're using application
partitions in WS2K3), so there is nothing "extra". Traffic depends on if
you store client A and PTR records. If you do, the replication traffic can
be substantial depending on lease times,
I may have missed something, but the snotty tone seems inappropriate...
In any case, to reduce the apparent confusion:
GC-less sites have always been possible with AD since W2K. The
facility is called site coverage.
GC-less logon is new in WS2K3 and occurs because DCs can
That's consistent with my experience as well. Consulting $$$ often get out
of control, and complete implementation is rarely achieved. A statistic I
recall from last year was that approx 30% of all Tivoli sales concluded with
a successful deployment within the first year. 70%... didn't
-gil
Deji,
I took the comment: "Yes, you did indeed miss it. So, go find it. Yourself,
this time with no help." as being snotty, and it seems that wasn't intended.
Mea culpa (Latin for "my bad").
My comment re: DC-less sites was to distinguish between "GC-less sites", which
I didn't take it as snotty towards myself, but towards another list member (Brian
in this case). As I said before, my bad.
And I think we've used up enough bits on this topic. Agreed?
-g
-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent:
doing them.
Todd
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Monday, July 07, 2003 5:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD
MSFT internally uses SQL Server as the aut
MSFT internally uses SQL Server as the authoritative store for identity information,
and populates AD from that.
-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 03, 2003 7:00 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir]
Shouldn't be a problem. Just make sure the DC doesn't hold any FSMO roles
when you pull it. After that, use NTDSUTIL to clean up the metadata, and be sure
to delete the related DNS records as well. There are at least a couple of KB
articles on doing this.
Scripting, or one of the AD admin tools like Javelina Software's
ADVantage (http://www.javelinasoftware.com/advantage.html)
-g
-Original Message-
From: Daniel Chaveco [mailto:[EMAIL PROTECTED]
Sent: Monday, June 30, 2003 10:04 AM
To: [EMAIL PROTECTED]
Subject:
be fun. I personally am waiting for a
Gil Kirkpatrick sighting, I hear he wanders these halls ADFIND (and
every other LDAP joeware tool) wouldn't exist except for Gil and his
book and that would be a sad thing for me because I love those
tools.
joe
-Original Message
Hey Tony,
What's the thinking behind the recommendation not to use Deny for group
filtering?
-gil
-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 10, 2003 12:17 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OU and GPO Design Comments
If you use
Thanks...
-g
-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 10, 2003 9:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and GPO Design Comments
The short answer: Because BJ Whalen (Group Policy Program Manager) told me
not to at TechEd last
A better (read: more extensible) scheme would be create a single application
object for each application you wish to secure, and use the ACLs on the
objects to control access to the application. For instance, if the
application is domain specific, you might put the application object in the
RSN*
-gil
*real soon now
-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 05, 2003 7:21 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Single sign-on
Is MMS3 general availability yet?
Roger
From a network traffic point of view, it doesn't it makes sense to put DCs
at the remote sites. The concern I would have is the reliability of the
links... No linky, no login.
-gil
-Original Message-
From: Carstensen, Pete [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 05, 2003 8:41 AM
From what I've heard (no personal experience), MMS 2.x was a pain, MMS 2003
is quite easy for common scenarios. There are other metadirectories (Novell,
CriticalPath, Siemens, IBM, etc.) They are industrial strength
metadirectories but are time consuming (read: expensive) to implement. There
are
Raymond, Roger,
Perhaps I'm missing the significance of a bridged WAN, but why not disable
the KCC and create your own connection objects to control which DCs
replicate with each other?
-gil
-Original Message-
From: Raymond McClinnis [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 04,
for authentication.
Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 04, 2003 1:59 PM
To: '[EMAIL
.
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 04, 2003 3:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Replication Problems...
Raymond,
If you can set up meaningful sites (which I guess you can),
then a potential strategy would
link from his remote offices to his HQ, and disable
site link bridging. This would let him leave his KCC
active.
John Witasick
Project Manager - Windows Networking Services Group
- Original Message -
From:
Gil Kirkpatrick
To: '[EMAIL PROTECTED
You might start here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/active_directory_schema.asp
-gil
-Original Message-
From: Pennell, Ronald B. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 03, 2003 1:27 PM
To: [EMAIL PROTECTED]
Subject:
Greetings all,
We've put the European DEC on hold for a bit and have added another DEC for
North America in Ottawa this September. The presentation lineup will include
about 50-75% of the content of this past April's DEC US, which means I'm
looking for fresh meat to fill out the rest of the card.
Jennifer,
The decision depends entirely on what you want to accomplish with
respect to security, autonomy, and delegation of administration. The best
reference is Design Considerations for "Delegation of
Administration in Active Directory" at
objects not having any group members that does not
get updated. The non-updated groups I have looked at do not have parent
groups either.
This is only a guess. Does it make sense?
/ Jonas
On Tue, 1 Apr 2003, Gil Kirkpatrick wrote:
Joan,
Re: the url attribute not being updated... That's
Stephen,
The answers to almost all your questions lie in the realm of access control
lists (ACLs). The security mechanisms in AD are quite flexible; you can
control access down to specific attributes, operations, and users. To answer
your specific questions...
1. Use ACLs to make the information
Hi Daniel,
When you use TS for management, you get 2 sessions. AFAIK, if you want more sessions,
you have to start buying additional TS licenses.
-gil
-Original Message-
From: Daniel Chaveco [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 02, 2003 2:15
Hi Jonas,
I don't have any experience with Java and AD, but I can give some
suggestions.
1. Doing an LDAP_MOD on a value to replace it with the same value does not
actually change anything; AD throws the operation out, no timestamps are
updated, and no replication takes place.
2. Do you have
: Tuesday, April 01, 2003 10:02 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Problem updating object attributes in Active Directory -Using Directory SDK
On Tue, 1 Apr 2003, Gil Kirkpatrick wrote:
Hi Gil,
Hi Jonas,
I don't have any experience with Java and AD, but I can give some
lastLogon is defined as systemMayContain attribute of the user class. The
Computer class inherits this from User. Nothing needs to be added to the
schema. It's already there.
-gil
-Original Message-
From: Jones, Rick J.(Desktop Engineering) [mailto:[EMAIL PROTECTED]
Sent: Friday, March
The errors indicate that one or more of the DNS locator records are not in DNS.
These are independent of any A records for the DC. Are you sure that all the
records are there? There should be about 10 or so SRV records for each DC.
-Original Message-
From:
that
from the Schema.
I looked through that one as well not there. :(
Rick J. Jones
-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Friday, March 28, 2003 9:31 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Last Logon Details
lastLogon is defined
Just to clarify something...
lastLogon is an optional attribute, meaning that any particular object may
or may not have a value for that attribute. In LDAP directories, if an
attribute does not have a value, the attribute doesn't exist for that
object; there is no notion of a null or empty value.
Hi John,
I would have thought that it was read-only, but I didn't see anything in the
schema or the SD that would make it read-only. What kind of errors are you
getting?
-gil
-Original Message-
From: John F. Hann [mailto:[EMAIL PROTECTED]
Sent: Thursday,
of Windows .NET magazine has an
article by Gil Kirkpatrick on AD Authentication Topology that is definitely
worth a read.
http://www.winnetmag.com/Articles/Index.cfm?ArticleID=37935 is the article online. Good stuff Gil!
John A. Bjelke
Systems administrator
Unisys
50