[ActiveDir] Largest AD DIT

2007-01-19 Thread Isenhour, Joseph
Hey has anyone been keeping track of the largest AD database? I seem to remember a few years ago it was an online email company. I'm curious if that has changed. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive:

RE: [ActiveDir] Largest AD DIT

2007-01-19 Thread Isenhour, Joseph
] Largest AD DIT Do you mean biggest production DIT? ~Eric made a 2^31-1 object DIT in the test lab ... in fact he's going to talk about that at DEC. -gil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Friday, January 19, 2007 10

RE: [ActiveDir] R2 Schema

2007-01-16 Thread Isenhour, Joseph
PROTECTED] On Behalf Of Isenhour, Joseph Sent: Friday, January 12, 2007 5:11 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] R2 Schema I have a customer that is really pushing to have the R2 schema loaded in our W2K3 SP1 environment. The plan is to take advantage of the new DFS extensions. We

[ActiveDir] R2 Schema

2007-01-12 Thread Isenhour, Joseph
I have a customer that is really pushing to have the R2 schema loaded in our W2K3 SP1 environment. The plan is to take advantage of the new DFS extensions. We don't have any plans to upgrade to R2 in the foreseeable future so we'd basically be running W2K3 with the R2 schema for several months

RE: [ActiveDir] OT: Script or utility to dump certificates on a remote server?

2006-11-29 Thread Isenhour, Joseph
Oh great who let you onto this mailing list? Isn't there some kind of screening process? Sheesh. Kidding. Hi Steve, welcome. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Szwejbka Sent: Wednesday, November 29, 2006 1:17 PM To:

[ActiveDir] WinNT ADSI provider

2006-10-17 Thread Isenhour, Joseph
I have a customer who wants to write their authentication DLL using the WinNT ADSI provider instead of LDAP provider for simplicity. Does anyone know if there will be any supportability issues with this option going forward? Is Longhorn going to support it? BTW, the app is written in vb6 so

RE: [ActiveDir] WinNT ADSI provider

2006-10-17 Thread Isenhour, Joseph
] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, October 17, 2006 6:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] WinNT ADSI provider Not having to do an LDAP query prior to connecting to the user. So they will not have to store a lookup account and baseDN

RE: [ActiveDir] Using an LDIF to set ACLs

2006-10-10 Thread Isenhour, Joseph
of that would allow this. LDIFDE might have something with it, but I haven't seen it. You'd be better off using a different tool in my opinion. Al On 10/6/06, Isenhour, Joseph [EMAIL PROTECTED] wrote: Does anyone know if it's possible to set Directory ACLs using an LDIF? I'm

RE: [ActiveDir] Replication Metadata

2006-10-10 Thread Isenhour, Joseph
should be able to do this in an hour You just need to pick the right hour. ;o) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Isenhour, Joseph Sent: Thursday

[ActiveDir] Using an LDIF to set ACLs

2006-10-06 Thread Isenhour, Joseph
Does anyone know if it's possible to set Directory ACLs using an LDIF? I'm trying to enforce a process for setting ACLs that is similar to the process we have for making Schema extensions.

RE: [ActiveDir] Using an LDIF to set ACLs

2006-10-06 Thread Isenhour, Joseph
in my opinion. Al On 10/6/06, Isenhour, Joseph [EMAIL PROTECTED] wrote: Does anyone know if it's possible to set Directory ACLs using an LDIF? I'm trying to enforce a process for setting ACLs that is similar to the process we have for making Schema extensions.

RE: [ActiveDir] Replication Metadata

2006-09-20 Thread Isenhour, Joseph
Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Thursday, September 14, 2006 9:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Replication Metadata That's great

RE: [ActiveDir] Replication Metadata

2006-09-20 Thread Isenhour, Joseph
Nevermind, I guess I should learn to spell the attribute name correctly. Works great, Thanks! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Wednesday, September 20, 2006 8:44 AM To: ActiveDir@mail.activedir.org Subject: RE

RE: [ActiveDir] Replication Metadata

2006-09-15 Thread Isenhour, Joseph
PROTECTED] On Behalf Of Isenhour, Joseph Sent: Thursday, September 14, 2006 9:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Replication Metadata That's great info; thanks joe. I'll take a look at msDS-ReplValueMetaData and msDS-ReplAttributeMetaData. I'm trying to do

RE: [ActiveDir] Replication Metadata

2006-09-14 Thread Isenhour, Joseph
the ;binary modifier. If you want to write DC API based code, you can use DsReplicateGetInfo2. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent

[ActiveDir] Replication Metadata

2006-09-08 Thread Isenhour, Joseph
I'm using Robbie Allen's example for using IADSTools.DCFunctions to read group object meta data. I just realized that now that we've upgraded to 2003 I can no longer look at the member last changed field to determine when group membership last changed. I know that RepAdmin can look at the

RE: [ActiveDir] seeAlso

2006-09-06 Thread Isenhour, Joseph
with a new attribute named tracesOfPeanuts, simply so I can see May Contain: tracesOfPeanuts. :-) -- Original Message -- From: Isenhour, Joseph [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org Date: Tue, 5 Sep 2006 15:29:01 -0700 Does anyone know

[ActiveDir] seeAlso

2006-09-05 Thread Isenhour, Joseph
Does anyone know if the seeAlso attribute is used by any specific application or is it up for grabs? I'm thinking about using it to store an alternate contact for a user.

RE: [ActiveDir] Logging successful logons in AD security log

2006-08-31 Thread Isenhour, Joseph
] On Behalf Of Isenhour, Joseph Sent: Wednesday, August 30, 2006 5:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Logging successful logons in AD security log That may work, but it sort of falls under option b. The logs will grow so large that they will become unmanageable

[ActiveDir] Logging successful logons in AD security log

2006-08-30 Thread Isenhour, Joseph
What is the general consensus on logging successful logon events? For example if you have a domain with 100K users or so and you use AD as your primary authentication service for: application, file, email, and web access then it is plausible that you will end up with up to 100 log entries per

RE: [ActiveDir] Logging successful logons in AD security log

2006-08-30 Thread Isenhour, Joseph
objLogFile.BackupEventLog(c:\seclogs\ strBackupName _ _security.evt) objLogFile.ClearEventLog() Next -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Wednesday, August 30, 2006 3:10 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir

[ActiveDir] Using a secret administrator account

2006-08-04 Thread Isenhour, Joseph
What is the general consensus on the use of back up admin accounts? This is an account that is hidden to most users and has elevated privileges in the domain. The purpose of the account is to be able to quickly react to an attack on the Domain Admin accounts either by a malicious user, or a bug

[ActiveDir] Delegating IPSec rights

2006-06-23 Thread Isenhour, Joseph
I'm trying to write an IPSec editor for the operations folks and I need to make sure that they can only edit specific rules. Does anyone know how to delegate rights to modify specific IPSec Filter Rules and Filter Lists? Are they stored in AD somewhere? Or are they in the registry on the DCs?

[ActiveDir] OT IPSec API

2006-06-20 Thread Isenhour, Joseph
Does anyone know if there is a public API (preferably .NET) that will allow me to programmatically modify IPSec filter lists and policies in Active Directory? Right now I'm just using netsh.exe. It works but it seems like the right way to do it is to call the actual API (if it exists). Thanks

RE: [ActiveDir] How much of the DIT is cached in RAM ?

2006-06-15 Thread Isenhour, Joseph
it might have gone underground. I don't think I will post any more on it and let ~Eric or Brett put out in the public whatever they think should be available. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour

RE: [ActiveDir] tokenGroups field

2006-06-01 Thread Isenhour, Joseph
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Wednesday, May 31, 2006 12:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] tokenGroups field Thanks Joe, That's a little bit further than I want to go ;-) I wrote

RE: [ActiveDir] tokenGroups field

2006-06-01 Thread Isenhour, Joseph
=Partitions,CN=Configuration,DC=joe,DC=com nCName: DC=child1,DC=joe,DC=com systemFlags: 3 [XREF_NC_NTDS(1);XREF_NC_Domain(2)] 2 Objects returned -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Wednesday, May 31, 2006 12:18 PM

RE: [ActiveDir] tokenGroups field

2006-05-31 Thread Isenhour, Joseph
would also set that new attribute to be saved on tombstone as well. :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, May 30, 2006 9:22 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] tokenGroups field Thanks

RE: [ActiveDir] tokenGroups field

2006-05-30 Thread Isenhour, Joseph
Yep your examples are helpful, that's what I'm using :-) It looks like hitting a GC for each domain in the forest is the way to go in order to get the local group membership from other domains. So just out of curiosity, when Windows builds your token, does it include the local groups from other

RE: [ActiveDir] tokenGroups field

2006-05-30 Thread Isenhour, Joseph
the rootdse attribute tokengroups and look at what is returned... adfind -h adammachine:port -rootdse -resolvesids tokengroups -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, May 30, 2006 7:27 PM To: ActiveDir

[ActiveDir] tokenGroups field

2006-05-26 Thread Isenhour, Joseph
I'm back with another development question ;-) Quick background: I've recently started using the tokenGroups field in AD in order to determine group membership of a user. I just convert the byte array to a string. I found that this is faster than doing a recursive LDAP enumeration because it's

RE: [ActiveDir] tokenGroups field

2006-05-26 Thread Isenhour, Joseph
objects depending on how they are asked. Just as the Exchange Dev guys. eg joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Friday, May 26, 2006 4:57 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] tokenGroups field

RE: [ActiveDir] Force NTLM over Kerberos

2006-05-02 Thread Isenhour, Joseph
: Re: [ActiveDir] Force NTLM over Kerberos It is up to the application as to what it will choose for authN - if you are asking about negotiate - which tries kerb first, you cannot change this. steve - Original Message - From: Isenhour, Joseph [EMAIL PROTECTED] To: ActiveDir

[ActiveDir] Force NTLM over Kerberos

2006-05-01 Thread Isenhour, Joseph
I have a somewhat interesting and complicated issue. I won't go into all of the details because there are many, I'll just ask this one question: Does anyone know of a way to force the operating system to always choose to use NTLM before trying Kerberos? Basically make it always choose NTLM

RE: [ActiveDir] Question about the win32 api Ds functions.

2006-04-05 Thread Isenhour, Joseph
/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Wednesday, April 05, 2006 11:12 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Question about the win32 api Ds functions. So I just went to the trouble of writing some .Net classes

RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

2005-07-19 Thread Isenhour, Joseph
WMI actually has an asynchronous call that you can use to monitor specific objects. It will notify you when the object changes and what the original and new values are. Adam Lissoir wrote some scripts that demonstrate this. I think these links still work: http://www.LissWare.Net See Sample

RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

2005-07-19 Thread Isenhour, Joseph
Oops. I meant Alain Lissoir. Sorry Alain. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar

RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro use

2005-07-19 Thread Isenhour, Joseph
) for good performance. /Alain -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, July 19, 2005 11:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Programmatic auditing of AD changes similar to what Quest/NetPro

RE: [ActiveDir] LDAP performance

2005-06-14 Thread Isenhour, Joseph
Title: LDAP performance The application owner says that they are not seeing any extended error info. The connections are simply being disconnected. Here is part of the network trace the network guys sent me. This basically shows the same connection attempting to connect to 389 from port

RE: [ActiveDir] LDAP performance

2005-06-14 Thread Isenhour, Joseph
Title: LDAP performance Great article joe. It definitely sounds like it could be relevant in our scenario. On that note, do you know of any perf counter that can tell me how many active ports above 1024 are being used at any given time? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On

RE: [ActiveDir] LDAP performance

2005-06-14 Thread Isenhour, Joseph
Title: LDAP performance So I'm assuming if I'm hitting the error mentioned in the article I should see approx 5000 entries in netstat. I'm actually only seeing 390. I ran spa on one of the DCs and received a warning in the report that concerned me: Type Item Warning

RE: [ActiveDir] safest disk configuration

2005-06-14 Thread Isenhour, Joseph
Title: safest disk configuration We use RAID 10. 6 disks. 1 logical drive. Our Dit is about 6GB. Provides fast read/write with fault tolerance. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Tuesday, June 14, 2005 1:57 PM To:

RE: [ActiveDir] LDAP performance

2005-06-14 Thread Isenhour, Joseph
Title: LDAP performance The client OS is BlueCoat. Are you saying that 42217 is too high a port for windows to accept? I thought it could go all the way up to 65535? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, June 14, 2005 6:04 PM To:

[ActiveDir] LDAP performance

2005-06-13 Thread Isenhour, Joseph
Title: LDAP performance We're running into what appears to be some performance issues. We have several AD servers that we dedicate to doing LDAP authentications for various applications. We recently added a new application that performs a large number of binds. The day we cut the application

RE: [ActiveDir] LDAP performance

2005-06-13 Thread Isenhour, Joseph
Title: LDAP performance Oops one correction: 100 binds per second is the upper limit that I've found. Average of 10 binds per second. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Monday, June 13, 2005 4:55 PM To: ActiveDir@mail.activedir.org Subject:

RE: [ActiveDir] LDAP max msg size

2005-06-09 Thread Isenhour, Joseph
Is this W2k3? If I'm not mistaken this value was removed in Windows Server 2003. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: Thursday, June 09, 2005 8:38 AM To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] LDAP

RE: [ActiveDir] LDAPS question

2005-05-19 Thread Isenhour, Joseph
Title: LDAPS question After a lot of time spent testing I finally figured out how to make this work with an external CA. The main issue is that the third party CA does not allow you to use the certreq.exe utility to submit the request. Instead I had to paste the CSR directly into their web

RE: [ActiveDir] LDAPS question

2005-05-19 Thread Isenhour, Joseph
Title: LDAPS question I think I may have figured it out. I was able to repro this on my Microsoft CA. The certificate will not load unless you provide a valid host name and GUID in the SAN. In my case I also added my alias. Guy, I know you said to include the GUID so shame on me for not

RE: [ActiveDir] LDAPS question

2005-05-10 Thread Isenhour, Joseph
Title: LDAPS question Thanks Guy. That is a really helpful blog. After a little fuss I was able to get the cert to recognize and honor the Subject Alternative Name using your steps. Do you know if these same steps will work against a third party CA? In any case I plan on trying it out on a

RE: [ActiveDir] LDAPS question

2005-05-09 Thread Isenhour, Joseph
Title: LDAPS question Thanks Guy, I've spent about 12 hours trying to write a script that will include the Subject Alternative Name in the CSR. I found the ICEnroll COM interface on MSDN and am using it to generate my request. The request works fine; however, the Subject Alternative Name

[ActiveDir] LDAPS question

2005-05-06 Thread Isenhour, Joseph
Title: LDAPS question We currently provide LDAPS to our customers. Right now the certificates that we load on our DC use the DC name and the clients connect using that name. We'd like to set up a DNS alias like: ldap.company.net. I tried generating a cert named ldap.company.net and loaded

RE: [ActiveDir] How much of the DIT is cached in RAM ?

2005-04-28 Thread Isenhour, Joseph
This has been a great thread. I've really enjoyed reading it. This question is going to illustrate my extreme ignorance; however, the answer is worth it. What is Squeaky Lobster? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent:

RE: [ActiveDir] How much of the DIT is cached in RAM ?

2005-04-28 Thread Isenhour, Joseph
for that handy? al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Thursday, April 28, 2005 1:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ? This has been a great thread. I've really

RE: [ActiveDir] How much of the DIT is cached in RAM ?

2005-04-28 Thread Isenhour, Joseph
be available. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Thursday, April 28, 2005 1:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How much of the DIT is cached in RAM

[ActiveDir] NTDS Diagnostics

2005-04-13 Thread Isenhour, Joseph
Title: NTDS Diagnostics Hello, Has anyone out there found a book or a web site that contains a comprehensive list of what each of the NTDS debug levels will show you. I'd like to know what information will be revealed if Field Engineering is set to 3 for example.

RE: [ActiveDir] systemFlags

2005-04-08 Thread Isenhour, Joseph
Careful Al, Do you really want to spin this discussion up again? The last time this came up I had to create a new .pst just for that thread ;-) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Friday, April 08, 2005 9:13 AM To:

RE: [ActiveDir] Compelling arguments?

2005-03-30 Thread Isenhour, Joseph
Title: Compelling arguments? Not only is being able to register it important, but also that DNS resolves to the correct SPN. Let's say you have a SQL server that is a member of the us.widget.net domain; however, in DNS it is registered as sql1.sea.widget.net. If you look in AD it's likely

RE: [ActiveDir] Storing dates in AD

2005-03-30 Thread Isenhour, Joseph
Title: Storing dates in AD I really appreciate all of the opinions on this. I've been playing around with these different types in my sandbox. I've used VBS, C#, VB.NET, and pretty much all of the languages that we hack programmers use :) The generalized date type worked really well. From

RE: [ActiveDir] Compelling arguments?

2005-03-30 Thread Isenhour, Joseph
Title: Compelling arguments? True, I've had the same experience with SQL and Kerberos. On the bright side the issues forced all of our server admins to understand Kerberos and engage my team to make sure that it's working properly. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On

RE: [ActiveDir] Compelling arguments?

2005-03-30 Thread Isenhour, Joseph
Title: Compelling arguments? This is a bit off the topic of the thread, but since we are talking about using BIND DNS with AD I'll go ahead and ask. Has anyone figured out a good way of delegating the update DNS right to your DCs? At my company the DNS admins are on a completely different

[ActiveDir] Kerberos and proxy servers

2005-03-29 Thread Isenhour, Joseph
Title: Kerberos and proxy servers Hello, I was wondering if anyone knows why Microsoft removed kerb auth to a proxy from Internet Explorer. I believe that they did support it with the early versions of IE5. Here's the MS explanation (which really isn't an explanation)

RE: [ActiveDir] Compelling arguments?

2005-03-29 Thread Isenhour, Joseph
Title: Compelling arguments? If you're also talking about servers don't forget that by default computers register their SPN using the AD domain name. So if you have a server that registers HOST/someserver.myadname.net and the server actually resolves to someserver.mydnszone.net Kerberos will

RE: [ActiveDir] Storing dates in AD

2005-03-29 Thread Isenhour, Joseph
Title: Storing dates in AD We are going to be modifying the field programmatically so from what Gil said it sounds like the large integer method is appropriate. As a follow up question, do you think I should use nano seconds from the Jan 2, 1970 (UNIX style) or January 1, 1601 (The date used

RE: [ActiveDir] Storing dates in AD

2005-03-29 Thread Isenhour, Joseph
Title: Storing dates in AD Actually I just googled this and found something interesting that I didn't know: Windows NT uses a 64-bit integer to track time. However, it uses 100 nanoseconds as its increment and the beginning of time is January 1, 1601, so NT suffers from the Year 2184

RE: [ActiveDir] Kerberos and proxy servers

2005-03-29 Thread Isenhour, Joseph
Title: Kerberos and proxy servers Yes, although I haven't tried yet. According to the article it is not possible. Our proxy vendor supports Kerberos auth mainly because IE used to support. And not only that, using kerb solves a bunch of latency issues because the proxy doesn't need to keep

RE: [ActiveDir] Storing dates in AD

2005-03-29 Thread Isenhour, Joseph
Title: Storing dates in AD Joe, You make a good point. What would an LDAP = filter look like using this data type? I'm familiar with VB and VBScript. So are you saying that I can simply create a date type in script and use ADSI for example and set my variable to the AD attribute and it will

[ActiveDir] Storing dates in AD

2005-03-28 Thread Isenhour, Joseph
Title: Storing dates in AD I'm looking for some opinions on a schema extension. I need to store a date type in AD. I figure I have several options. Store it as a long integer. To determine the date the consumer will need to count the nano seconds from a certain date (the way that pwdLastSet

RE: [ActiveDir] Storing dates in AD

2005-03-28 Thread Isenhour, Joseph
Title: Storing dates in AD Good suggestions, Thanks everyone From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Monday, March 28, 2005 12:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Depends on the domain of the date

RE: [ActiveDir] Password Expiration Prompt

2005-03-22 Thread Isenhour, Joseph
We had a similar issue in our environment. We implemented a log off script that checked for password expiration. If the user's password is within 14 days of expiration the user is notified and the password change page is launched. This actually has two benefits. One, it solved the notification

[ActiveDir] Using LDAPS

2005-03-22 Thread Isenhour, Joseph
Title: Using LDAPS We use external Verisign certs on several of our DCs so that we can support LDAPS for certain clients. Once in a while the cert does not seem to work and it's for no apparent issue. I'm currently experiencing the issue with one of our DCs. I've already checked the

RE: [ActiveDir] Using LDAPS

2005-03-22 Thread Isenhour, Joseph
Title: Using LDAPS The Error is only showing up on the server: Event Type: Warning Event Source: Schannel Event Category: None Event ID: 36872 Date: 3/22/2005 Time: 11:08:33 AM User: N/A Computer: X Description: No

RE: [ActiveDir] Using LDAPS

2005-03-22 Thread Isenhour, Joseph
Title: Using LDAPS I did. I used the MS tool to req and then import the cert into the local machine store. I do this often and succeed most of the time. Problem is when it does not work I have no idea how to troubleshoot it. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

RE: [ActiveDir] Creating a backlink and forwardlink

2005-03-18 Thread Isenhour, Joseph
. If you are seriously concerned, it is a guess, but you could spin up AD/AM and try it there. I would expect it will work there as well. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Wednesday, March 09, 2005 12:56 PM

RE: [ActiveDir] Creating a backlink and forwardlink

2005-03-18 Thread Isenhour, Joseph
] On Behalf Of Isenhour, Joseph Sent: Wednesday, March 09, 2005 12:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Creating a backlink and forwardlink Ok my LDIF file is done and I'm ready to pull the trigger in my development environment; however, I have a couple of questions. Does

RE: [ActiveDir] Creating a backlink and forwardlink

2005-03-09 Thread Isenhour, Joseph
Of Isenhour, Joseph Sent: Friday, March 04, 2005 8:53 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Creating a backlink and forwardlink Got it. I love magical programming features :) You guys rock! I did a bunch of googles on this subject and came up with nothing. -Original

RE: [ActiveDir] Problem: Limit Domain Admins and Administrators

2005-03-09 Thread Isenhour, Joseph
Title: Message If you want to lock down a group and add auditing you can take the Restricted Group approach. Programmatically control the members of your admin groups. You can use just about any scripting language to do this and if you go the script route you can add things like logging and

RE: [ActiveDir] Problem: Limit Domain Admins and Administrators

2005-03-09 Thread Isenhour, Joseph
How would you get around AD telling me that something changed? You can modify a group; however, if I register to receive changes for that object, there's nothing an admin can do to prevent that is there? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL

RE: [ActiveDir] Problem: Limit Domain Admins and Administrators

2005-03-09 Thread Isenhour, Joseph
You can do it with an asynchronous WMI call although I believe under the covers it's doing a DirSynch operation. Basically you are receiving the replication metadata. You can specify a specific object to monitor so in this case you would specify the admin groups. I did this at my company

RE: [ActiveDir] Problem: Limit Domain Admins and Administrators

2005-03-09 Thread Isenhour, Joseph
It's not an alert that I configure. You can make an asynchronous WMI call which basically sends you replication events for any object. So you end up with the replication meta data. You can see the previous value, the new value, and the DC that made the change. I don't believe there is a way

[ActiveDir] Creating a backlink and forwardlink

2005-03-04 Thread Isenhour, Joseph
Title: Creating a backlink and forwardlink I'm trying to figure out how to extend our schema with a forwardlink attribute and a corresponding backlink attribute. I understand how to create an attribute with a DN syntax and I even understand how the two are linked in Active Directory. What

RE: [ActiveDir] Creating a backlink and forwardlink

2005-03-04 Thread Isenhour, Joseph
/ADLinkID.asp Yours, Sakari From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Friday, March 04, 2005 10:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Creating a backlink and forwardlink

RE: [ActiveDir] Creating a backlink and forwardlink

2005-03-04 Thread Isenhour, Joseph
Sorry I missed the link to the info in your first message. Thanks joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Friday, March 04, 2005 3:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Creating a backlink

RE: [ActiveDir] Creating a backlink and forwardlink

2005-03-04 Thread Isenhour, Joseph
] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Friday, March 04, 2005 3:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Creating a backlink and forwardlink Sorry I missed the link to the info in your first message. Thanks joe -Original Message- From: [EMAIL

RE: [ActiveDir] Creating a backlink and forwardlink

2005-03-04 Thread Isenhour, Joseph
PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Friday, March 04, 2005 7:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Creating a backlink and forwardlink One more question about autolinking. In the example that is shown on the blog you sent, the forward