I would make sure that you do not have any stored credentials on the machine.
You do not mention the version of the OS of the client machine but in Windows
XP and later there is a credential manager that can be used to store
credentials and present them on behalf of the user. Go into control
Since you can get to C$ can you get the dcpromo*.log files which may help
determine what is going on.
Thanks,
-Steve
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, January 17, 2007 7:07 AM
To: ActiveDir@mail.activedir.org
Well assuming that the deletion occurred recently I would go look in the
deleted items folder and see if you have an object by that name in there. You
can then look at the replication metadata and see where the delete originated.
From that see if they are all coming from one DC or if there
Password change for the machine account is handled by the client and you could
disable this so that you do not have the problem on the machines that are deep
freezed. We also have a tool that education users often leverage that does
something similar however we implemented a way to update the
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Tuesday, January 16, 2007 5:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Computer accounts getting deleted by unknown process
I am also interested in the answers to these questions especially OS version
and SP level. We had a few issues with caching around in RTM and a few others
around SP1. It is a long story but has to do with how the cache entries are
organized in memory. The net effect was that certain lookups
It appears that you are having problems with slow link detection from the log
below. You can try disabling it on the client to see if that corrects the
problem by following the steps in this article for disabling slow link
detection: http://support.microsoft.com/kb/910206/en-us. I would not
As Edward pointed out to really get the authoritative data you want you would
need to have historic audit logs. Another less reliable method that you can
use is to look at the replication metadata for the UserAccountControl
attribute. This is the attribute that gets updated when the account
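The two lookups Steve describes above (a tombstone in Deleted Objects, then the replication metadata to see which DC originated the delete, and the same metadata read on userAccountControl for a live account) as an added PowerShell example; this is not code from the thread. It assumes the ActiveDirectory module, which postdates this thread; DC01, WS-FINANCE-07 and the OU path are placeholders.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory
# module (RSAT); 'DC01', 'WS-FINANCE-07' and the OU path are placeholders.
Import-Module ActiveDirectory

$dc = 'DC01'

function Find-DeleteOrigin {
    param([string]$Name, [string]$Server = $dc)
    # 1. Look for a tombstone of that name in CN=Deleted Objects. Deleted
    #    names are "<name>\0ADEL:<guid>", so a prefix match finds them.
    $filter = "isDeleted -eq `$true -and name -like '$Name*'"
    Get-ADObject -Server $Server -IncludeDeletedObjects -Filter $filter `
                 -Properties lastKnownParent, whenChanged |
      ForEach-Object {
        # 2. A delete is recorded as a write to isDeleted, so that attribute's
        #    metadata names the DC the delete originated on and when.
        $meta = Get-ADReplicationAttributeMetadata -Server $Server -Object $_.DistinguishedName `
                  -IncludeDeletedObjects -Properties isDeleted
        [pscustomobject]@{
            Tombstone       = $_.DistinguishedName
            LastKnownParent = $_.lastKnownParent
            DeletedAt       = $meta.LastOriginatingChangeTime
            OriginatingDC   = $meta.LastOriginatingChangeDirectoryServerIdentity
            Version         = $meta.Version
        }
      }
}

function Get-UacChangeOrigin {
    param([string]$DistinguishedName, [string]$Server = $dc)
    # The less reliable method for a live account: the last originating write
    # to userAccountControl (disable/enable and the other flag changes land here,
    # so the timestamp only tells you when some flag last changed).
    Get-ADReplicationAttributeMetadata -Server $Server -Object $DistinguishedName `
        -Properties userAccountControl |
      Select-Object LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity, Version
}

Find-DeleteOrigin -Name 'WS-FINANCE-07'
Get-UacChangeOrigin -DistinguishedName 'CN=WS-FINANCE-08,OU=Workstations,DC=corp,DC=example'

# Same data without the module: repadmin /showobjmeta DC01 "<GUID=...>" with the
# tombstone's objectGUID, then read the isDeleted row.
```

If several tombstones all show the same OriginatingDC, look at that DC's security log (if object-access auditing was on) for the account that issued the deletes; the metadata only identifies the DC, not the caller.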
You can fix the port using DFSrdiag. See the following from:
http://technet2.microsoft.com/WindowsServer/en/library/f9b98a0f-c1ae-4a9f-9724-80c679596e6b1033.mspx
Can DFS Replication replicate between branch offices without a VPN connection?
Yes, assuming that there is a private Wide Area Network
to this list by Steve
Linehan (Microsoft).
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lu, WeiMing
Sent: Friday, December 15, 2006 7:11 PM
To: ActiveDir
changed and therefore
you get generic icons in Vista. Sustained Engineering is aware of the issue
and has an active bug tracking this. I do not have an ETA on when this issue
will be corrected.
Thanks,
-Steve
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Windows Server 2003 R2 not only improved on the quota management built into the
product, allowing granularity down to the user, but also added reporting and
file screening. You can find more information on these new features at the
following links:
What service pack level are you at? It will disappear in ~ 14 days due to the
Replication Topology Stay of Execution functionality. You can read more about
it here:
http://technet2.microsoft.com/WindowsServer/en/library/1465d773-b763-45ec-b971-c23cdc27400e1033.mspx
under the section How
You have to upgrade or install one of the servers in each domain to Windows
Server 2003 and then transfer the PDC Emulator role to the upgraded or added
Windows Server 2003 box. When a Windows Server 2003 box takes over the PDC
Emulator FSMO role it will create these new security principals.
is upgraded.
Thanks,
-Steve
From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Steve Linehan [EMAIL PROTECTED]
Sent: Tuesday, November 21, 2006 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing
Create a group that has read and apply policy and assign the
users to that group and leave the boss out. Or you could just deny the boss
the read/apply rights for that GPO. I am not big into denies.
Thanks,
-Steve
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Monday, September 25, 2006 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects
I am evidently still recovering from jet lag. Only attributes can be
defined in maycontain. I am guessing that at one point groupofURLs
failed: attribute in
may-contain does not exist.
Hmm...
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September 24, 2006 9:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects
objectClass: groupOfURLs
objectClass: group
Let me know if you need anything else.
Thanks,
~Ben
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Saturday, September 23, 2006 1:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir
ERROR_DS_OBJ_CLASS_NOT_SUBCLASS
winerror.h
# The specified class is not a subclass.
# 1 matches found for 20b4
I should be able to get more information for you tomorrow.
~Ben
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September
should add back group and
groupOfNames as a maycontain to the groupofURLs objectclass?
Thanks,
~Ben
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September 24, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE
of it. If you need me to get any further information, let me know and
I'll get it immediately.
Thank you
for your help!
~Ben
From: [EMAIL PROTECTED] on
behalf of Steve Linehan
Sent: Fri 9/22/2006 8:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems
that this object NEVER replicated to other sites. So the
only output I can give you is from the source DC. At least on the surface,
this object seems to be the source of the replication issues.
Thanks again,
~Ben
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Friday
Of Steve Linehan
Sent: Saturday, September 23, 2006 2:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects
Ben,
It would appear that the schema was modified on the source servers but does
not match on the destination servers. I am not aware
You could also turn up additional logging which would give more details as to
what the internal error is. I would suggest starting with the following:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
1. Locate the 5 Replication Events value under the above key.
2. On the
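The registry change from the steps above, with the level dropped back afterwards so the Directory Service log is not flooded, as an added PowerShell example that is not from the thread. It runs elevated on the DC being diagnosed; DC02 and the naming context are placeholders.

```powershell
# Added example, not from the original thread. Run elevated on the DC being
# diagnosed; 'DC02' and the naming context are placeholders.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$entry = '5 Replication Events'   # one of the numbered REG_DWORD values under the key

function Set-NtdsDiagnosticLevel {
    param([string]$Name, [int]$Level)
    # Levels run 0 (errors only, the default) to 5 (everything). The change
    # takes effect immediately; NTDS does not need a restart.
    if ($Level -lt 0 -or $Level -gt 5) { throw "Level must be between 0 and 5" }
    Set-ItemProperty -Path $key -Name $Name -Value $Level -Type DWord
}

$previous = (Get-ItemProperty -Path $key -Name $entry).$entry
$since    = Get-Date
Set-NtdsDiagnosticLevel -Name $entry -Level 3
try {
    # Reproduce the failure: pull the naming context from the partner.
    repadmin /replicate $env:COMPUTERNAME DC02 'DC=corp,DC=example'
    Start-Sleep -Seconds 5

    # Read what NTDS logged while the level was raised.
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; StartTime = $since } |
        Select-Object TimeCreated, Id, Message |
        Format-List
}
finally {
    # Always put the level back; 3 and above generate a lot of events.
    Set-NtdsDiagnosticLevel -Name $entry -Level $previous
}
```

The try/finally matters more than it looks: a raised diagnostics level left behind on a busy DC will wrap the Directory Service log within minutes and bury the event you were after.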
The following documentation describes this in detail: http://technet2.microsoft.com/WindowsServer/en/library/c238f32b-4400-4a0c-b4fb-7b0febecfc731033.mspx
Read-only and Writable Replicas
When computing the replication topology, the KCC must consider
whether a replica is writable or
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Steve Linehan
Sent: Wednesday, August 30, 2006 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site replication settings/costs
There was a bug in Windows XP where
netlogon would register SRV records which are documented here: http://support.microsoft.com/kb/825675/en-us
. That is the only time I have seen that.
Thanks,
-Steve
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
The tracing code still fires even if the data is cached, i.e. an LDAP
request is still made. What I believe you are seeing is the report
compiler summarizing the results. You can change to expert level to 10
which will cause the report to have all entries in it.
Thanks,
-Steve
-Original
Furthermore the current implementation of wldap32 in Windows Server 2003
SP1 does not request that the certificate be verified. This has been
changed in a QFE for Windows Server 2003 SP1 and will be addressed in
the next service pack for Windows Server 2003, SP2. So you may see a
change in
Edition -
http://www.joeware.net/win/ad3e.htm
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Wednesday, August 23, 2006 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -- problem
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 11 August 2006 03:00
How long ago did you remove the user? Phantom cleanup can take a while.
Thanks,
-Steve
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Presley, Steven
Sent: Friday, August 11, 2006 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
Microsoft provides several options for scanning your machines for
security patches which can be found here:
http://www.microsoft.com/technet/security/tools/default.mspx
Take a look at the section Security Update Detection Solutions and
find the one that best meets your environment. There are of
Well all I can say is that we have several partners that have built
password and pin reset capabilities on top of Microsoft Speech Server
2004 and have customers that are very satisfied with them:
http://www.microsoft.com/speech/solutions/password/default.mspx . It is
something that I get asked
Title: [ActiveDir] LDAP query struggle
Also ensure you are putting the full DN of
the user that you are searching for in publicDelegates= since that is a linked
attribute.
Thanks,
-Steve
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
For the last one does including the following in the LDIF file when adding or
updating the attribute not accomplish what you want?
searchFlags: 1
Thanks,
-Steve
From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Fri 7/28/2006 9:46 AM
To:
= 0
QUESTIONS:
server1.nyc.test.com, type = A, class = IN
*** dns1.int.mycorp.com can't find server1.nyc.test.com: Server failed
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 24 Jul 2006 3:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Issue
Hi Steve
Binary version is 5.2.3790.1830 (srv03_sp1_rtm.050324-1447)
Clearing the cache does not fix the issue.
Thanks
David
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
I believe that the documentation that you are looking for that describes these
transitive trusts and the inability to alter them is contained here:
From:
http://technet2.microsoft.com/WindowsServer/en/library/f5c70774-25cd-4481-8b7a-3d65c86e69b11033.mspx
Automatic Trusts
By default, two-way
What version of the DNS binary are you running and if you clear the cache
instead of restart DNS does it resolve the issue?
Thanks,
-Steve
From: [EMAIL PROTECTED] on behalf of Wyatt, David
Sent: Fri 7/21/2006 4:39 AM
To: ActiveDir@mail.activedir.org
Subject:
From:
[EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Thu 7/6/2006 10:19 PM
To: ActiveDir@mail.activedir.org; Mathieu CHATEAU
Subject: RE: [ActiveDir] Forestprep Failure
Ben,
been doing my
best to study the schema over the past few days thanks to Joe's Active
Directory book, however I'll readily admit that advanced searching and
filtering are still beyond my grasp at this point.
Thanks,
~Ben
From: [EMAIL PROTECTED] on behalf of Steve Linehan
If the client is modern, Windows XP SP1 or later then you can type
domain\username in the username field and it will crack it as well just
in case your users do not want to type their UPN or it is too long. :-)
Thanks,
-Steve
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL
I believe I covered most of this on a
previous posting to ActiveDir but here are all of the details into what change
was made and why:
First of all the change that was
made requires that an Initial Sync is completed before DNS will load the
zones. This change was made after a customer
Title: Replication Problem After DC Demotion
From that machine can you run and post the output of repadmin /showreps
/v ? Is the affected server Windows 2000 or Windows Server 2003 and what SP
levels? I assume you also did not set any preferred bridgehead settings? You
could also use
Depending on your needs and what you are specifically trying to
accomplish you may want to look at the Internet Printing Protocol functionality
that is built into Windows 2000 and Windows Server 2003: http://www.microsoft.com/windowsserver2003/techinfo/overview/internetprint.mspx
Ben,
These errors generally occur when a third party application has extended
the schema and it conflicts with the base schema we are trying to put in
place. There were many conflicts found during the initial upgrades to
Windows Server 2003 which is why additional information was put into
for the largest volume available.
Thank you for taking the time to reply,
Jose
:-)
----- Original Message -----
From: Steve Linehan
To: ActiveDir@mail.activedir.org
Sent: Wednesday, June 28, 2006 7:54 PM
Subject: RE: [ActiveDir] NTFS
( 16 Exabytes
Jose,
This is due to the fact that MBR disks are limited to 2 TB in
size. You would need to go to GPT disks to see a larger disk, http://www.microsoft.com/whdc/device/storage/GPT-on-x64.mspx
. Unfortunately we do not support GPT disks on cluster servers at this time for
the shared disks.
I would suggest taking a look at Server
Performance Advisor (SPA), assuming these are Windows Server 2003 DCs and using
it to collect and analyze the data for the DCs in question. This tool combines
performance counters and the tracing data that Joe is referring to which will
allow you to
Perfmon trace logs will generate the raw
binary trace data but it has to be processed. The easiest way to get at this
data is to use SPA which will collect the binary trace data and process it into
human readable format.
Thanks,
-Steve
From: [EMAIL PROTECTED]
SPA on Monday and see if I can log some LDAP activities (errors, connection problems, etc.).
Will this version of SPA work on a W2K3 SP1 French version?
Regards,
Yann
Steve Linehan [EMAIL PROTECTED] wrote:
Website: http://www.windowsserverfaq.org
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Wednesday, May 31, 2006 5:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age
Just to add some additional detail. The machine account password is
actually changed every 30 days plus a random offset of up to 24 hours so
~31 days as a maximum by default with Windows 2000 and later OSes. This
is done by the netlogon service on the client and there is a scavenger
thread that
and useful tool, is going to talk
about the session information which may or may not be the same as what Exchange
is using. It would be coincidence if it was the same. Mostly.
-ajm
On 5/25/06, Steve Linehan [EMAIL PROTECTED] wrote:
Title: How To Determine What GC a Server is Using?
The following method will show you what GCs Exchange has
discovered and believes are viable servers: http://support.microsoft.com/kb/316300/en-us
. While this will not tell you the exact GC Exchange is using, it could
be using multiple
Take a look at the following Knowledge Base article and online
help that covers all of the scenarios below: http://support.microsoft.com/kb/816592
http://technet2.microsoft.com/WindowsServer/en/Library/d0e19b57-c368-46c2-b017-caf25ae150ec1033.mspx?mfr=true
. Your Linux clients can be
The This Organization security principal is used for selective
authentication. More details on this can be found here:
http://technet2.microsoft.com/WindowsServer/en/Library/1f33e9a1-c3c5-431c-a5cc-c3c2bd579ff11033.mspx
Thanks,
-Steve
-Original Message-
From: [EMAIL PROTECTED]
You can enable password history of at least 3 and then we will not
increment the bad password count in those instances.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
Password history check (N-2): Before a Windows Server 2003 operating
system
"Be the change you want to see in the World"
On 4/24/06, Steve Linehan [EMAIL PROTECTED] wrote:
causes a change? You imply that the application of R2 causes additional changes in
the default behavior? (And just so you know the reason why I'm being
nitpicky... SBS 2003 gets disk quotas now out of the R2 bits... but nothing
else.)
Steve Linehan wrote:
If you are running SharePoint and are
Are you running Windows Server 2003 SP1? We fixed a
number of scenarios where this attribute was not updated for other logon types
in SP1. Here is just one example: http://support.microsoft.com/default.aspx?scid=kb;[LN];886705
Thanks,
-Steve
From: [EMAIL PROTECTED] [mailto:[EMAIL
Just be aware that the %Logonserver% value is not updated if the secure
channel drifts after logon and does not necessarily mean that the server
has always had its secure channel with that machine. This can happen if
the machine experiences an error communicating with that logon server.
If you
The following series of articles on passwords vs. pass phrases by Jesper
also discusses this:
http://www.microsoft.com/technet/community/columns/secmgmt/sm1104.mspx
Thanks,
-Steve
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka
You can also query the setting using w32tm.exe /tz
Thanks,
-Steve
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, April 03, 2006 8:57 PM
To: ActiveDir@mail.activedir.org
Subject: Re:
You can however use something like DSRevoke to build a
report: http://www.microsoft.com/downloads/details.aspx?FamilyID=77744807-c403-4bda-b0e4-c2093b8d6383DisplayLang=en.
Thanks,
-Steve
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Thursday, March 23,
So there is a reason that this occurs and I am one of the people
responsible for the change in behavior, I did not write the code but did
track down the cause and worked to rectify it after a customer took an
outage because of it. As others have stated using that registry key can
be dangerous and
Well one way to accomplish it would be to use IPSEC in
require mode and define a rule that only that workstation could contact it as
well as any other systems you want to admin it from. You could specify ESP
Null so that you do not have the encryption overhead and simply use IPSEC for
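The "require mode" policy Steve outlines above, in the Windows 8 / Server 2012 and later cmdlet form rather than the netsh ipsec tooling of this thread's era, as an added PowerShell example that is not from the thread. The admin workstation address 10.0.0.5, the rule names and the port list are placeholders.

```powershell
# Added example, not from the original thread: the Windows 8 / Server 2012+
# cmdlet form of an IPsec "require" policy. 10.0.0.5 (the admin workstation),
# the rule/set names and the port list are placeholders.
$adminHosts = @('10.0.0.5')

# ESP-Null: integrity (SHA-256 HMAC) with no encryption, as suggested above.
$proposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption None
$qmSet    = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP-Null integrity only' -Proposal $proposal

# Connection security rule: traffic with the admin hosts must be IPsec,
# authenticated with the default computer Kerberos method. Inbound packets
# from those hosts that are not IPsec-protected are dropped (require mode).
New-NetIPsecRule -DisplayName 'Admin hosts: require ESP-Null' -Profile Domain `
    -RemoteAddress $adminHosts -InboundSecurity Require -OutboundSecurity Request `
    -QuickModeCryptoSet $qmSet.Name

# Firewall: management ports open only to the admin hosts and only over an
# IPsec-authenticated connection. Anything else inbound falls through to the
# default inbound block, which is what actually keeps other machines out;
# the connection security rule alone only governs traffic it matches.
New-NetFirewallRule -DisplayName 'Management from admin hosts (IPsec)' -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 3389, 5985, 5986 `
    -RemoteAddress $adminHosts -Authentication Required -Profile Domain

# Verify: a quick mode SA with the admin host should appear once it connects.
Get-NetIPsecQuickModeSA | Format-List
```

Check the default inbound action of the Domain profile is Block before relying on this (Get-NetFirewallProfile -Name Domain); if an earlier change set it to Allow, the firewall rule above adds nothing.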
You can encrypt the password used for autologon. There is an API to do
this but it is also included in the tweakui power toy.
Thanks,
-Steve
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Thursday, February 16, 2006 5:44 AM
To:
You can reset the machine account password a few ways even for member
servers:
1) Use nltest /SC_CHANGE_PWD:DomainName
2) Edit the following registry value setting it to 0 and then restart
netlogon:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\maximumpasswordage
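The machine account password behaviour described in Steve's "Machine Psswd Age" reply above (30 days plus an offset, handled by netlogon on the client) and the reset methods listed here, as one added PowerShell example that is not from the thread. It assumes an elevated session on a domain-joined machine; CORP and DC01 are placeholder names.

```powershell
# Added example, not from the original thread. Assumes an elevated session on a
# domain-joined Windows machine; 'CORP' and 'DC01' are placeholders.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordSettings {
    # Client-side rotation settings; both values are absent unless someone set them.
    $p = Get-ItemProperty -Path $netlogon
    [pscustomobject]@{
        MaximumPasswordAgeDays = if ($null -ne $p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { 30 }  # default 30
        DisablePasswordChange  = [bool]$p.DisablePasswordChange   # 1 = client never rotates
    }
}

function Get-MachinePasswordAge {
    # pwdLastSet on this computer's AD object, read from a DC via ADSI.
    $s = [adsisearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $r = $s.FindOne()
    $lastSet = [DateTime]::FromFileTimeUtc([int64]$r.Properties['pwdlastset'][0])
    [pscustomobject]@{
        PwdLastSetUtc = $lastSet
        AgeDays       = [math]::Round(((Get-Date).ToUniversalTime() - $lastSet).TotalDays, 1)
    }
}

Get-MachinePasswordSettings
Get-MachinePasswordAge

# Secure channel health; a False here means the on-disk password and the one
# in AD no longer match, which is the Deep Freeze failure mode above.
Test-ComputerSecureChannel

# Force a new machine password now (what nltest /SC_CHANGE_PWD does). pwdLastSet
# on the DC moves to now, so Get-MachinePasswordAge drops back to 0.
nltest /SC_CHANGE_PWD:CORP
# Cmdlet equivalent: Reset-ComputerMachinePassword -Server DC01

# For frozen images, stop the client from rotating at all instead of letting the
# on-disk password drift from AD. This is the value the GPO
# "Domain member: Disable machine account password changes" sets:
# Set-ItemProperty -Path $netlogon -Name DisablePasswordChange -Value 1 -Type DWord
```

Disabling the change on frozen machines is the trade-off Steve describes, not a free fix: that password then never rotates, so the image is worth reimaging on a schedule rather than leaving the same machine credential in place indefinitely.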
This error is benign as long as you are not enforcing
quotas for Active Directory objects and if you are the only downside is that a
user may be able to create more or less objects than they should. The
issue can occur on a DC or a GC and one of the ways it occurs is when SDProp
fixes-up
We do not replicate corruption so if you have local
corruption as noted below there is no worry that it would replicate around to
other servers in the environment.
Thanks,
-Steve
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005
organization. Not that it changes the answer below.
:-)
Thanks,
-Steve
Steve Linehan | Technology Specialist Directories Identities | South Central District | Microsoft Corporation
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 05, 2005 2:38 PM
To
As I recall the tweakUI powertoy that can be downloaded
from the microsoft.com web site will allow you to set autologon credentials that
are encrypted as described below.
Thanks,
-Steve
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mitch Reid
Sent: Thursday, December
Another good way to see what is going on when this occurs is to get your
hands on a tool called adperf which was the predecessor to Server
Performance Advisor and runs on Windows 2000. It will help analyze what
is pegging the CPU. Since you appear to have a support incident open
with Microsoft
Just out of curiosity when you go back an hour later is the
box unchecked? This really sounds like the work of AdminSDHolder and the
users in question are likely members of protected groups. If you have not
looked at the following Knowledge Base article you may want to see if
this is what you
Just to clarify you do not have a Cross Forest Trust in place but instead a
down level trust between domains in the two separate forests? If a cross
forest one way trust is in place then yes you should see a referral if it is a
down level trust then no you will not see a referral but as you
This problem is described in http://support.microsoft.com/default.aspx?scid=kb;en-us;312571
. The fix allows the automatic archiving of the log files but does not explain
why the problem occurs. The issue is around the fact that a contiguous block
of memory is needed for all of the log
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Tuesday, October 18, 2005 10:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security Log file size not reaching the maximum log file size
Title: Domain Controller Consolidation utilizing Dual Core CPUs
In my opinion the biggest bang for the
buck is consolidation of servers to the 64bit platform assuming of course that
you have a large enough database, greater than 3 GB, and put enough memory in
the servers to cache the
shadow any user in organization?
Thanks again!
On 9/29/05, Steve Linehan [EMAIL PROTECTED] wrote:
This is a hard problem to solve today. You can do things like 802.1x so that
devices have to authenticate before getting on the network however there are
many obstacles here. The future direction is a solution called Network Access
Protection (NAP) which is being worked on for the next
Take a look at limitlogon that is
described in this article: http://www.microsoft.com/technet/technetmag/issues/2005/05/UtilitySpotlight/default.aspx.
It also has a link to download the tool.
Thanks,
-Steve
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
What user name are you testing with? Is
it unique meaning that the stand alone server you are trying to hit does not
have a local account by the same name? If the user account name is on both
machines we will not fall back to guest. Also if the names are unique have you
tried giving
I also find this article helpful: http://msdn.microsoft.com/library/default.asp?url="">
Thanks,
-Steve
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Bernard, Aric
Sent: Monday, September 26, 2005 4:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE:
That is the acronym for a Microsoft Technical Account
Manager (TAM). Customers with custom support such as Premier
Support generally have a TAM that is assigned to them.
Thanks,
-Steve
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Friday, September
Here is a sample VBS script that can do
this: http://support.microsoft.com/default.aspx?scid=kb;en-us;295758
Thanks,
-Steve
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 24, 2005 10:02 PM
To:
The documentation is wrong and I thought
it had been cleaned up in all places but apparently not. A good summary of
group scope for cross forest trusts is:
Scenario: Forests A and B have a cross-forest trust.
Security Group usage:
Only the following security principals from Forest
A can
- 2 hours later they started failing again. This is
very weird. The Windows event logs are of no help.
Any other ideas?
al
Steve Linehan wrote:
I should clarify that I would not expect the MIT KDCs to be using the
SRV records however we have seen problems where load from Windows
changes?
Steve Linehan wrote:
A network trace from the server getting the error would be helpful. I
imagine you are not getting past the MIT KDC who should be passing
back a referral to the Windows KDC. With a trace from the client we
can see what is being requested and what errors
If you are running Windows Server 2003 SP1 I would investigate using the
confidential attribute setting. Take a look at the Confidential
attributes section of this resource
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/e3525d00-a746-4466-bb87-140acb44a603.mspx
If you want to split hairs the largest token a user can have may only
contain 1024 SIDs that is if they want to logon. This is a hard coded
limitation and we actually publish 1015 since there are built-in groups
that get added to every user token. This is documented here:
Well the first thing I always recommend is
to try an offline defrag as it is possible that the corruption is in an index,
i.e. metadata, that can be rebuilt. If the offline defrag fails then
restoring from backup or repromoting will be your next step.
Thanks,
-Steve
From:
Can you verify that the version of SP1 on the problematic machine is actually
the RTM version of SP1. There was a report of this problem with beta versions
of SP1 but it was fixed by RTM of SP1. Can you run winver and report the full
build number?
Thanks,
-Steve
-Original Message-
I am not aware of any changes in SP4 or the security patch that would
cause the failure you mention below. It is normally a DNS name
resolution issue that causes that error. Can you verify that the
Windows KDCs can be resolved from the UNIX boxes? Would it be possible
to get a network trace of
] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve
Linehan
Sent: Thursday, August 18, 2005 8
PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?
Actually it is possible that you are running into this issue:
http://support.microsoft.com/default.aspx?scid=KB;EN