RE: [ActiveDir] dns issues

2004-05-19 Thread deji Agba
More likely DNS than WINS. Try bouncing the new Server, then restart netlogon on it (in case the MS04-011 is hurting you), then check DNS for the relevant SRV records. I know you said you looked in DHCP, but I have to ask if you made sure that the dead DC is not listed as a DNS server in your

RE: [ActiveDir] Remove Share Tab

2004-05-19 Thread mathif
Just disable the sharing and it will never display the share tab. Good luck, Athif -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, 18 May 2004 5:12 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Remove Share Tab

[ActiveDir] OT : File/Folder/Storage Reporting

2004-05-19 Thread Rutherford, Robert
Hi All, Well I'm at that stage again - reviewing backup and data storage. I'm hunting for duplicate files, old unmodified files, greediest user, etc. I'm basically looking for some software that can report such things in one package. Any experiences or recommendations?

RE: [ActiveDir] dns issues

2004-05-19 Thread Kern, Tom
i bounced the server, srv records are all there. the old server is not in dhcp and an nslookup in safe mode shows me there is connectivity to dns server and all the proper srv records are enumerated. i hadn't thought of ms04-011. what are some other symptoms? thanks -Original

RE: [ActiveDir] VPN users and their AD passwords

2004-05-19 Thread Rimmerman, Russ
Wow! This looks like the real answer. Thanks for that! Looks like our WAN dept gets to do some work. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Fuller, Stuart Sent: Tuesday, May 18, 2004 11:52 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] VPN

Recall: [ActiveDir] Anonymous bind

2004-05-19 Thread Eric Fleischman
Eric Fleischman would like to recall the message, [ActiveDir] Anonymous bind. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Anonymous bind

2004-05-19 Thread Eric Fleischman
Sorry for the double post. Please don't CC the alias I accidentally CC'd when I first sent this. Thanks! ~Eric From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Wednesday, May 19, 2004 6:51 AM To: [EMAIL PROTECTED] Subject: RE:

RE: [ActiveDir] Anonymous bind

2004-05-19 Thread Dean Wells
I'd tend to agree with Eric here though it is somewhat dependent upon how much sensitive data you intend on dumping from AD into the other directory. PS - With regard to Eric's point; "1) Flip 7th bit of dsHeuristics to 2, enabling the ability to have anonymous binds ... ";

RE: [ActiveDir] dns issues

2004-05-19 Thread Eric Fleischman
I'd probably recommend a few action items here: 1) On DC, perform a dcdiag /v and netdiag /v as well; look for failures and be sure to clear them up 2) On client, point to same place that DC is pointed for DNS 3) If all else fails, a userenv log and network trace of client boot (trace

RE: [ActiveDir] Anonymous bind

2004-05-19 Thread Eric Fleischman
I'm going to respectfully disagree with the approach being taken here. It is, IMHO, misguided. What has been described as a security hole (opening your AD for a subset of operations being allowed by ANONYMOUS) has somehow been justified in the OpenLDAP world. Make no

RE: [ActiveDir] Anonymous bind

2004-05-19 Thread joe
I agree with Eric, any anonymous access is a start down the path to insecurity. K3 tries to lock down the anonymous access that was available in 2K. I think for Eric's 1, mucking with dsheuristics is actually to enable anonymous queries on K3 correct? By default you can do

RE: [ActiveDir] Anonymous bind

2004-05-19 Thread joe
Heh. Dean, stop reading my mind man... In ~Eric's defense, the original publishing of the KB article for doing this said specifically flip the 7th bit as well. I recall hitting that and sending in a correction to MS after smiling for a bit. joe From: [EMAIL PROTECTED]

RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread joe
I hate to say it but when I see endpoint mapper issues one of my first responses is a reboot of the offensive box. Hopefully ~Eric or others will come along and club me for that and say a good way to troubleshoot it that doesn't include debugging LSASS. The fact that you had machines not

[ActiveDir] ms04-011

2004-05-19 Thread Kern, Tom
i know this has been spoken of before, but i can't seem to find a pertinent email in the archives, so i apologize for this retread. what are the issues with ms04-011 hot fix? i ask because i have some clients that are perpetually stuck at the applying security settings screen and never log on.

[ActiveDir] LDAP filter

2004-05-19 Thread Carlos Magalhaes
Hey all, Ok I have a LDAP filter that works but I am sure it can get faster, the likes of Joe , Roger etc I am sure we can make it really fast. Now the point of the filter --- From the schema I need to return a list of attributes that match a list of ldapdisplay names, So I

RE: [ActiveDir] Anonymous bind

2004-05-19 Thread Mulnick, Al
Fix the BAS app. is the only real solution if security is ever going to be a concern. You can see from the post that there are many ways to work around, but only one real solution. Fix the BAS app. Interesting info regarding workarounds though. I'd have to say Eric, if it

RE: [ActiveDir] OT: WINS configuration question

2004-05-19 Thread joe
Brian presented a great plan. I fully agree with building the new infrastructure and hooking up the replication between them and make sure it is all working properly. Drop in a few records and make sure they make it around properly. You can do that by either pointing a machine at one of the new

RE: [ActiveDir] LDAP filter

2004-05-19 Thread Gil Kirkpatrick
The objectClass expression is redundant and unnecessary. Construct something like (&(objectCategory=attributeSchema)((ldapDisplayName=foo)(ldapDisplayName=bar)(ldapDisplayName=baz)(ldapDisplayName=quux))) -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

Re: [ActiveDir] ms04-011

2004-05-19 Thread John Singler
Here are all of the published issues: http://support.microsoft.com/default.aspx?kbid=835732 Most applicable for you (i think): http://support.microsoft.com/default.aspx?kbid=841382 Kern, Tom wrote: i know this has been spoken of before, but i can't seem to find a pertinent email in the archives,

RE: [ActiveDir] OT: WINS configuration question

2004-05-19 Thread Depp, Dennis M.
Mike. I would set up a new WINS server in one of the datacenters. Configure one WINS server in each of the other datacenters to replicate w/ this new server. Systematically remove WINS servers from the BU's. Once you are down to the desired number of WINS servers, replace the older serverb

Re: [ActiveDir] ms04-011

2004-05-19 Thread John Singler
forgot about the 2nd part of yr. question see this thread: http://www.mail-archive.com/[EMAIL PROTECTED]/msg15769.html Kern, Tom wrote: i know this has been spoken of before, but i can't seem to find a pertinent email in the archives, so i apologize for this retread. what are the issues with

RE: [ActiveDir] LDAP filter

2004-05-19 Thread Carlos Magalhaes
Gil good catch thanks! CM From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, May 19, 2004 3:23 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] LDAP filter The objectClass expression is redundant and unnecessary. Construct something like

RE: [ActiveDir] LDAP filter

2004-05-19 Thread joe
Not a lot to monkey around with here though I wouldn't mind hearing ~Eric's thoughts and Dmitry Gavrilov's / Don Hatcherl's thoughts if they lurk here as it might point out some previously unknown to me AD optimizer / query engine internals info... It is kind of a trick question because the

RE: [ActiveDir] LDAP filter

2004-05-19 Thread joe
Hey Gil is playing today. :o) Always like hearing from Gil. One small typo... (&(objectCategory=attributeSchema)(|(ldapDisplayName=foo)(ldapDisplayName=bar)(ldapDisplayName=baz)(ldapDisplayName=quux))) joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil

RE: [ActiveDir] ms04-011

2004-05-19 Thread joe
The issue is that some of the SRV records may not get registered for DCs. See http://support.microsoft.com/default.aspx?scid=kb;en-us;Q841395 I have sent MS a note to link that in with http://support.microsoft.com/default.aspx?scid=kb;en-us;835732 joe -Original Message- From:

RE: [ActiveDir] ms04-011

2004-05-19 Thread Kern, Tom
still doesn't work. when i try to join a win2k workstation to a domain, i get domain cannot be contacted. check dns error. dns settings are fine, i can ping my dc's and dns servers from the pc. i rebooted my dc, disabled ipsec policy agent, checked the srv records in my domain, no replication

RE: [ActiveDir] ms04-011

2004-05-19 Thread Kern, Tom
could this affect my child domain from logging in if the root dc's have this issue? -Original Message- From: joe [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 19, 2004 9:56 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] ms04-011 The issue is that some of the SRV records may not get

RE: [ActiveDir] ms04-011

2004-05-19 Thread Kern, Tom
all srv records are in my dns zone and the root zone. i'm truly at a loss. aside from the long and non logons (win2k and win98) and the inability to join the domain, everything seems fine. and the long logons are only affecting certain users, not everyone. -Original Message- From: joe

RE: [ActiveDir] ms04-011

2004-05-19 Thread joe
This could affect a ton of things. Remember, AD is very DNS dependent. Something you may consider doing is going to your DNS servers and setting up a network sniffer and look for DNS calls, what is being asked for, what is not being answered correctly. joe -Original Message- From:

RE: [ActiveDir] ms04-011

2004-05-19 Thread deji Agba
For the first part of this question, look at the TCP/IP properties of the new client you are trying to join to the Domain. Make sure that "Enable LMHosts lookup" is unchecked, then make sure you are pointing at the correct INTERNAL DNS server ONLY (no ISP DNS in there), reboot the machine and

RE: [ActiveDir] ms04-011

2004-05-19 Thread joe
My personal thought would be to do a network trace on both issues. If there is a name res issue or a slow responding DC it should show up rather quickly. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Wednesday, May 19, 2004

RE: [ActiveDir] ms04-011

2004-05-19 Thread James Payne
the syntax should be: netdom query /domain:nameofdomainhere Kern, Tom [EMAIL PROTECTED] M

RE: [ActiveDir] OT : File/Folder/Storage Reporting

2004-05-19 Thread Passo, Larry
Treesize Pro will do almost everything http://www.jam-software.com/treesize/ From: Rutherford, Robert [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 19, 2004 2:59 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] OT : File/Folder/Storage Reporting Hi All,

RE: [ActiveDir] ms04-011

2004-05-19 Thread Eric Fleischman
Yup that's what I meant, we'd want to do that logging on affected client. And network trace of that client (perhaps from second box on a simple little hub) of the boot/logon would also be telling if the userenv doesn't give us the answer (could go either way). -Original Message- From:

RE: [ActiveDir] LDAP filter

2004-05-19 Thread Gil Kirkpatrick
Hey, whaddaya want for 6 in the morning? :) WRT objectCategory not being needed, is there a restriction that a classSchema object cannot have the same ldapDisplayName as an attributeSchema object? -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, May

RE: [ActiveDir] OT : File/Folder/Storage Reporting

2004-05-19 Thread Rutherford, Robert
Yeh I've used it before... I don't think it does file age, duplicate finding etc? It's probably more that side of things I'm looking for. Thanks Larry -Original Message- From: Passo, Larry [mailto:[EMAIL PROTECTED] Sent: 19 May 2004 16:13 To: [EMAIL

RE: [ActiveDir] OT : File/Folder/Storage Reporting

2004-05-19 Thread Rutherford, Robert
Ooh just checked and it does.. That'll do. Thanks -Original Message- From: Rutherford, Robert Sent: 19 May 2004 16:46 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT : File/Folder/Storage Reporting Yeh I've used it before... I don't think it does

RE: [ActiveDir] ms04-011

2004-05-19 Thread Kern, Tom
here's some more weirdness- now when i want to join a pc to a domain, i have to enter the fqdn. before i would just enter domainname. now i have to enter domainname.parentdomain.rootdomain. when i just enter the domainname and do a trace, i see in dns that the srv_msdc_ldap.domainname cannot be

RE: [ActiveDir] ms04-011

2004-05-19 Thread deji
Yeah, that's from a Win2K3 client. Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From:

RE: [ActiveDir] LDAP filter

2004-05-19 Thread Eric Fleischman
I can conceive of a scenario (maybe more, you tell me) where lDAPDisplayName is not unique. Anyone want to take a swing at it? Attached is my first answer... no peeking! ~Eric From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, May 19,

RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread Eric Fleischman
Debugging lsass is highly underrated. That's right, under. Sure it's not for the faint of heart, but man the fun stuff you get in there. I say just attach and have fun just for the heck of it. That's what I do on my weekends (sad yet true). So the error below, is that from netdiag? Or

RE: [ActiveDir] LDAP filter

2004-05-19 Thread Lee, Wook
6, 9, what's a few timezones among friends Interesting that lDAPDisplayName is optional in the classSchema class but mandatory in the attributeSchema class. I suppose it's possible for an object and an attribute to have the same name, but why would you other than to sow mayhem and mischief

[ActiveDir] win98

2004-05-19 Thread Kern, Tom
ok, i've installed the dsclient, i've disabled the secure connections on the gpo on the domain controller ou, wins is set up, and still when a win98 client attempts to logon i get a no domain controller could be contacted error. i'm running a mixed mode win2k ad. my dc's have sp4 installed. what

RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread joe
Eric, you need to buy a jeep or go hang out at the Lodge... From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Wednesday, May 19, 2004 12:48 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server Debugging lsass is highly

RE: [ActiveDir] win98

2004-05-19 Thread Wilson, Julie
Have you entered a static WINS address in the TCP/IP properties? If not try it. Julie -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Wednesday, May 19, 2004 12:25 PM To: ActiveDir (E-mail) Subject: [ActiveDir] win98 ok, i've installed

RE: [ActiveDir] LDAP filter

2004-05-19 Thread joe
Ugh. So this means our filter has to get more complicated, we need to add a !(isdefunct=TRUE). So our filter will now look like (&(!(isdefunct=TRUE))(|(ldapDisplayName=drink)(ldapdisplayname=member))) On the positive side, that doesn't change the used filter according to STATS and the

RE: [ActiveDir] win98

2004-05-19 Thread Kern, Tom
yup -Original Message- From: Wilson, Julie [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 19, 2004 1:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] win98 Have you entered a static WINS address in the TCP/IP properties? If not try it. Julie -Original Message- From:

RE: [ActiveDir] win98

2004-05-19 Thread Wilson, Julie
Hmmm...Upgrade the machine to 2K Pro :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Wednesday, May 19, 2004 12:39 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] win98 yup -Original Message- From: Wilson, Julie

RE: [ActiveDir] win98

2004-05-19 Thread Wilson, Julie
Are all updates installed on the Win 98 machine? I've had instances where I had to install all updates first and then install the DS client in that order before it would work. Unfortunately we have a lot of 98's on our network but...we are able to get them to log in. Julie -Original

RE: [ActiveDir] win98

2004-05-19 Thread Mulnick, Al
What shows up in the DC security logs when the 98 client attempts to attach? Anything? I'm wondering if that's a valid error message or not. IIRC, there's two settings to disable for win9x clients. Did you set two? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

RE: [ActiveDir] win98

2004-05-19 Thread Salandra, Justin A.
Are the TCPIP settings correct on the 98 machines? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Wednesday, May 19, 2004 1:25 PM To: ActiveDir (E-mail) Subject: [ActiveDir] win98 ok, i've installed the dsclient, i've disabled the secure

RE: [ActiveDir] win98

2004-05-19 Thread Kern, Tom
nice... -Original Message- From: Wilson, Julie [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 19, 2004 1:58 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] win98 Hmmm...Upgrade the machine to 2K Pro :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

RE: [ActiveDir] win98

2004-05-19 Thread Salandra, Justin A.
What are the two? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday, May 19, 2004 2:07 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] win98 What shows up in the DC security logs when the 98 client attempts to attach?

RE: [ActiveDir] Anonymous bind

2004-05-19 Thread Guy Teverovsky
Eric, It looks like I was not clear enough. See my comments below. And as others have already stated, the solution should be in the app's code. The problem is that it's not always that easy to change the code even if it's open source. Guy On Wed, 2004-05-19 at 14:50, Eric Fleischman wrote: I'm

RE: [ActiveDir] Aelita enterprise manager

2004-05-19 Thread John McGlinchey
My experience with Aelita is that they are an outstanding group of people that will bend over backwards to fill your needs. We use EMM now to migrate servers into our Active Directory from many sources (NT Domains, other AD's and Workgroups) and have hit a few snags here and there. Aelita folks

RE: [ActiveDir] win98

2004-05-19 Thread Kern, Tom
Digitally Sign Communications (always) - Set to DISABLED Digitally encrypt or sign secure channel data - Set to DISABLED both are set to disable nothing in the security logs. i'm now setting up a second wins server. will let you know. thanks for all your help -Original Message-

RE: [ActiveDir] VPN users and their AD passwords

2004-05-19 Thread Fuller, Stuart
Three more references from our friends at Cisco... Look at the Netlogon part of the client ini file. IIRC, this is the bit you may have to adjust. Client ini file config: http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a008015cfdc.html

RE: [ActiveDir] Anonymous bind

2004-05-19 Thread Eric Fleischman
Inline again. Sorry Guy, I really disagree with you here, and I'm going to drop the point. ;) ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Wednesday, May 19, 2004 1:26 PM To: [EMAIL PROTECTED] Cc: ADS Customer Feedback

RE: [ActiveDir] win98

2004-05-19 Thread Kern, Tom
i added a second wins server and that worked??!! -Original Message- From: Kern, Tom Sent: Wednesday, May 19, 2004 2:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] win98 Digitally Sign Communications (always) - Set to DISABLED Digitally encrypt or sign secure channel data - Set

RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread Svetlana Kouznetsova
Well, endpoint mapper error message is actually, in event log for the W2K domain controller, which started to complain only after W2K3 DC appeared in the domain... Interesting that I've run all tests possible in dcdiag separately, testing connectivity, replications, security descriptors,

RE: [ActiveDir] LDAP filter

2004-05-19 Thread Carlos Magalhaes
The more and more I read and think about maybe i should be doing the dreaded GUID (of the attributes) search i.e. rather use the GUID than the ldapDisplayName --- Yes/No/YouMad? CM From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Wednesday, May 19, 2004 6:54

RE: [ActiveDir] LDAP filter

2004-05-19 Thread Carlos Magalhaes
Can't be - sharedDisplayName can't it? (I did peek :oP) CM From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Wednesday, May 19, 2004 6:41 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] LDAP filter I can conceive of a scenario (maybe more, you tell

RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread Mulnick, Al
What was it you said was the errors logged in the FRS event viewer? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova Sent: Wednesday, May 19, 2004 2:58 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server Well, endpoint

RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread Lee, Wook
Is it just me or does this sound like a replication island? (a.k.a. The Replication Roach Motel, i.e. changes get in but they never get out.) Wook From: Svetlana Kouznetsova Sent: Wed 5/19/2004 11:58 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server Well,

RE: [ActiveDir] win98

2004-05-19 Thread Chris Blair
When I ran across this problem about a year and half ago, I found an article that suggested a secondary WINS entry. I will keep searching to find it. It was due to the request not being received in time from the 1st entry, so it tries the second. If there is not a second entry, it fails.

RE: [ActiveDir] Anonymous bind

2004-05-19 Thread joe
Why use LDAP for Linux client authentication instead of Kerberos? I am seriously asking. I don't know why someone would avoid an authentication protocol for authentication and instead would use a directory protocol for authentication. Especially when you have to go through an extra step then to

RE: [ActiveDir] Aelita enterprise manager

2004-05-19 Thread Myrick, Todd (NIH/CIT)
I think most people know my position on Aelita/Quest (Man it is funny to say that in the same sentence). We are currently using EMM and I believe it has done everything promised without issue. I highly recommend getting On-site support if your migration is large. Also ARM (ERD) for AD and

RE: [ActiveDir] ms04-011

2004-05-19 Thread Grillenmeier, Guido
what's the primary suffix of your clients? and how are the search suffixes configured? or WINS? also, did you not only check that your service records in DNS exist, but that they're also registered by the right machines? It's potentially possible, that other non-DC clients could have

RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread joe
This whole thing just sounds weird. At this point I would do two things. Please note I don't have great reasons for suggesting them, just gut feeling. 1. I would check the SMB signing policies to see if they are aligned. Most likely if you don't have that set at the domain controller

RE: [ActiveDir] LDAP filter

2004-05-19 Thread Gil Kirkpatrick
Can you say more about how you intend to use the schema lookup? Someone earlier mentioned that you could just read the schema into memory and deal with it that way... offhand that sounds like a good idea. You can even hang a persistent search on the Schema container to get notified of any

RE: [ActiveDir] LDAP filter

2004-05-19 Thread joe
If you have it available, sure. Any attribute is as good as any other though with objectGUID you can't possibly have mistaken identity due to fun tricks with defuncting. Do you mean objectGUID or some other guid? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos

RE: [ActiveDir] win98

2004-05-19 Thread joe
Ok, I would be checking that first WINS Server really closely at this point... joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Wednesday, May 19, 2004 2:50 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] win98 i added a second

RE: [ActiveDir] win98

2004-05-19 Thread Grillenmeier, Guido
what's the DNS config of this client? don't remember if Win98 has nslookup, but from a different client that has, you should run nslookup %DNSname_of_domain% = should get back a list of your DCs for that domain - do you? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] Aelita enterprise manager

2004-05-19 Thread James_Day
We are using both the Aelita ARM for AD and the migration products. There have been a few minor unintuitive things with the migration software but other than that it has reduced our workload and performed with very few hiccups. On the whole we are pretty happy with the product. The ARM for

RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread Svetlana Kouznetsova
on W2K3 (new DC): in FRS event viewer there are only warnings 13508 ("having troubles to replicate/sysvol...etc"); dcdiag shows [FAILED] on test frsevent; netdiag - PASSED all tests on W2K (old DC in the same domain) : No errors in FRS; in Directory Service: warning NTDS KCC 1265

RE: [ActiveDir] win98

2004-05-19 Thread Mulnick, Al
When you say you added a second wins server, do you mean a physical wins server or a second one was defined (possibly the same one) on the client? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, May 19, 2004 4:53 PM To: [EMAIL

RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread Mulnick, Al
This may be helpful then http://support.microsoft.com/?kbid=839880 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Svetlana Kouznetsova Sent: Wednesday, May 19, 2004 4:28 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] FATAL kerberos error on W2K3 server on W2K3 (new DC):

RE: [ActiveDir] win98

2004-05-19 Thread Justin_Leney
Return Receipt Your RE: [ActiveDir] win98 document :

RE: [ActiveDir] User modifiable attributes

2004-05-19 Thread Grillenmeier, Guido
another option is to adjust the default property sets, which can be done in 2003 (but not in 2000) - this will even allow to change the effective permissions instantaneously on all objects ACLed with this property set without any re-acling on the

RE: [ActiveDir] FATAL kerberos error on W2K3 server

2004-05-19 Thread Svetlana Kouznetsova
Thanks, Al I've actually, seen this and tried some of it already, but was confused by the fact, that this is, actually - for W2K3 and I'm having mapper warnings on W2K servers...oh, and another thing, I should mention, perhaps: in Ntfrs.log on W2K3 server there are lots of "ACCESS DENIED"

RE: [ActiveDir] win98

2004-05-19 Thread joe
I am guessing he added a whole new WINS Server as he mentioned that in another post... i'm now setting up a second wins server. will let you know. Either way, whether it be a second entry to the first machine or a whole new machine, that WINS machine needs to be checked out. -Original