[ActiveDir] RIS WinPE Question

2005-10-16 Thread Dan Holme

I hope some of you brainiacs can help me out here. I have a WinPE image loaded
into a W2K3 RIS server. It launches as a standard image just fine, but creates
a computer account in AD. I know that W2K3 SP1 is supposed to have the
functionality where I can change the *.sif value ImageType=Flat to
ImageType=WinPE and then WinPE is supposed to show up in my TOOLS
menu, but it doesn't. It just disappears as an option altogether.

I've tried various combinations of the Choice Options GPO, including disabling all
options EXCEPT Tools, at which point the PXE client just says "Can't
show you anything ha ha ha" (or something evil to that effect).

After 2 hours of experimentation and googling, I'm at wit's end. Any help
would be greatly appreciated.




Dan

RE: [ActiveDir] Stupid question alert... where exactly is the tombstone value set?

2005-10-16 Thread Ulf B. Simon-Weidner
Hi Susan,

To clarify: the increased tombstone lifetime is effective with every forest
built on top of SP1, so you are also able to install WS2k3, then install SP1
(manually, Windows Update, ...) and dcpromo your first domain controller for
the forest afterwards. Your statement below assumes that it will only be
effective with slipstreamed media, which is not correct.

Here's a stripped-down version of your cheat sheet - the page which tells you
which AD features were changed with SP1:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/BookofSP1/658a175c-486a-42ee-b3da-9b56de3d187c.mspx

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
|Bradley, CPA aka Ebitz - SBS Rocks [MVP]
|Sent: Sunday, October 16, 2005 4:44 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Stupid question alert... where exactly is 
|the tombstone value set?
|
|http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=27
|
|Okay so watching Eileen
|
|And question: default on Windows 2003 is 60 days... default 
|on Windows 2003 SP1 is 180 days... BUT many times I know 
|that these changes only occur on the SLIP/Clean install 
|versions of these OS's, NOT on upgraded ones... see below as to 
|confirmation of this.
|
|btw...request please?  When changes are made between SPs... 
|can we have a cheat sheet... a white paper of how to activate 
|all the versioning changes?
|
|Can someone help a SBSer who's googling.. uh..msnsearching on 
|where that value is set?  I want to see what it is on my real 
|baby that got upgraded and see what it is on some test boxes I 
|have that are slip installed.
|
|http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/54094485-71f6-4be8-8ebf-faa45bc5db4c.mspx
|
|*Extended storage of deleted objects.* The default period that 
|a copy of a deleted object is retained in Active Directory, 
|called the tombstone lifetime, is extended from 60 days to 180 
|days. Longer tombstone lifetime decreases the chance that a 
|deleted object remains in the local directory of a 
|disconnected domain controller beyond the time when the object 
|is permanently deleted from online domain controllers. The 
|tombstone lifetime is not changed automatically when you 
|upgrade to Windows Server 2003 with SP1, but you can change 
|the tombstone lifetime manually after the upgrade. New forests 
|that are installed with Windows Server 2003 with SP1 have a 
|default tombstone lifetime of 180 days. For more information 
|about tombstone lifetime, see How the Data Store Works 
|http://go.microsoft.com/fwlink/?LinkId=38339.
|
|
|
|Considerations for Active Directory Services Backup [Active Directory]:
|http://msdn.microsoft.com/library/en-us/ad/ad/considerations_for_active_directory_services_backup.asp?frame=true
|Active Directory Operations Guide: Backup and Restore:
|http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd03.mspx
|
|--
|Letting your vendors set your risk analysis these days?  
|http://www.threatcode.com
|
|List info   : http://www.activedir.org/List.aspx
|List FAQ: http://www.activedir.org/ListFAQ.aspx
|List archive: 
|http://www.mail-archive.com/activedir%40mail.activedir.org/
|




RE: [ActiveDir] rebooting a patched, but stubborn DC

2005-10-16 Thread Thommes, Michael M.
Hi Susan,
Thanks for the response.  No UPS issues.  Checked the services remotely 
and didn't find anything unusual.  The DC did finally reboot on its own shortly 
after I sent out my first message - about 2 hours after the original patching 
and message saying it wanted to reboot and I clicked OK.  The event logs showed 
nothing of any consequence, just a big (2 hour) gap in the system event log 
entries (between the entry saying it initiated shutdown and the entry saying 
the system was coming back up).  The security log showed no gaps at all.  Am I 
the only one that sees this kind of behavior on W2K3/SP1 servers?  I normally 
don't use the /console switch when I TS in (e.g., mstsc.exe /console).  I 
wonder if that could speed the process up.
 
Mike Thommes



From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks 
[MVP]
Sent: Sat 10/15/2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] rebooting a patched, but stubborn DC



APC UPS's and you don't have the latest ver on there?
HP with a UPS?

Can you get into services and see if something is 'stopping'?

Got any ILO ability there [or suitable other remote techniques]?

Thommes, Michael M. wrote:

So I have remotely (TS connection) applied the latest Windows patches to
one of my DCs.  Patches went on fine.  Said it needed to reboot.  I
clicked Restart.  And two hours later, it still has not rebooted, but
it did terminate the TS session.  I have tried to kick it via a
shutdown /f /r command from another DC.  Still no luck.  Issue same
command remotely with the big Kahuna account, and it says a shutdown is
in progress.  It appears to still be serving up clients, e.g., no
discernable ill effects.  I have seen this periodically in the past with
other servers.  Anyone have any comments/thoughts on this irritating,
weekend-sigh activity?  TIA!

Mike Thommes

 


--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com






[ActiveDir] AD/ Sites Services

2005-10-16 Thread rania
Dear All, 

I have here in my company 2 separate locations; the first one is the Head 
Office, the second one is the Private Office.

The Head Office has one single network with this range of IP addresses 
( 70.0.0.X / 255.255.255.0 ).

We have wireless point-to-point between the 2 locations.

The Private Office also has one single network with the same range of 
IP addresses as the Head Office, which is ( 70.0.0.X / 255.255.255.0 ).

All of them are under a Workgroup, and no domains at all.
--
What we need is to create a domain and to provide users with 
authentication from the domain by using user name & password.
--

My question is here; I really get confused. What should I follow:

1- Should I follow a Single Site for the 2 locations, & each site will be 
represented by a subnet, so I will have 2 subnets in one site?

Or

2- Should I follow Multiple Sites with one subnet at least in each site, and 
each site will represent the location itself?

I really get confused.

As I know, the site is used for the replication, so I want to simplify the 
replication itself.

CAN ANY ONE GUIDE ME TO THE BEST OF IT.

Best Regards,
RANIA SAMEER.


RE: [ActiveDir] AD/DNS BPA?

2005-10-16 Thread Rick Kingslan
Huh.  That doesn't appear to be _US_... I wonder if the Engineering
Services group knows that a third party (Partner at that) is advertising
these services.

Honestly, I didn't think that we farmed those services out...

Checking.

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, October 15, 2005 1:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD/DNS BPA?

Microsoft AD Health Check:
http://www.systems-group.net/En/Consultancy+Services/Solutions/Microsoft+AD+
Health+Check.htm

Looks like it's talked about here too

Dean Wells wrote:

Ooops ... my apologies :O(

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, October 14, 2005 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/DNS BPA?

Boo, hiss.  It's Engineering Services that offers it, not MCS.  ;

  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, October 13, 2005 11:22 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] AD/DNS BPA?

The tool I spoke about in confidence with Tony (just teasing
;o) is an offering from MCS known as the ADHC or AD Health Check ... 
it is a nicely shrink-wrapped series of powerful interrogation 
scripts/tools that, when compiled by someone sufficiently trained, 
produces a very detailed configuration breakdown, useful 
recommendations and/or general mis-configurations.  As I understand 
it, it is available exclusively via an MCS engagement.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, October 11, 2005 7:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/DNS BPA?

I find DNSlint to be pretty good, but obviously limited in scope.  I 
think Dean mentioned to me recently that PSS have a tool that provides 
BPA-like functionality.  It sounded like the output might be a little 
too complicated to make it publicly available.

Perhaps Dean has more info on this (assuming it's not under NDA)?

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 12 October 2005 2:58 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/DNS BPA?

The tools are there, but the interpretation is sometimes lacking <G> 
I've been told that several companies are currently offering health 
checks, but I haven't tested any of them.

As for Microsoft tools, I'm a fan of using dcdiag and netdiag right 
after scanning the event logs.  That'll give me an idea of where to 
focus more effort if needed. Most of what I want to know is going to 
show up there without having to do too much waving of the magic wand.
There are some additional tools, but they get used after these two 
steps in my normal approach. That'll indicate whether or not I have to 
dig deeper.
Some other tools such as repadmin are useful as well. And there was a 
tool, SPA that could be helpful in some situations depending on what 
you want to know.

I haven't seen an AD BPA though.  Be interesting to see one. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 11, 2005 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD/DNS BPA?


lurk mode off

Stupid question... okay we have Exchange Best practices analyzer 
right?
http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx
 
I know you guys don't like GUI...but besides DNSlint, dnsdiag, 
Sysinternals, Joeware stuff and such things... are there currently 
enough tools in your bag'o'tricks to ensure DNS/AD is set up right?
Do you guys have a tool that you consider 'the' DNS/AD BPA and if so 
what is it?

Or is AD/DNS health review like security log reviews/dump files where 
it's an art and not a science?

And feel free to lob 'SBS could run on ipx/spx' comments my way as 
well.

;-)

lurk mode back on

--

Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


RE: [ActiveDir] AD/ Sites Services

2005-10-16 Thread Rick Kingslan
The simple and most straightforward answer is to create two sites - one for each
location, with the associated subnets assigned to each site.

The longer answer is related to how many users in each site, how fast (in
AVAILABLE THROUGHPUT) is the connection between, and are you intending to
put at least one DC in each physical location.

So, hopefully more answers are forthcoming

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rania
Sent: Saturday, October 15, 2005 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD/ Sites  Services



RE: [ActiveDir] AD/DNS BPA?

2005-10-16 Thread Rick Kingslan
Yes, they (we) do.  I'll check into them and give you an overview of what
they do... If I can, to be more correct.

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, October 11, 2005 9:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/DNS BPA?

I find DNSlint to be pretty good, but obviously limited in scope.  I think
Dean mentioned to me recently that PSS have a tool that provides BPA-like
functionality.  It sounded like the output might be a little too complicated
to make it publicly available. 

Perhaps Dean has more info on this (assuming it's not under NDA)?

Tony



RE: [ActiveDir] salary(OT)

2005-10-16 Thread Rick Kingslan
Oh, and given a bit to think.

You asked Dean - but you didn't ask me.  Huh.  NOW I know where *I*
stand.  In your mind, off the edge, if Dean was just right at  ;-)

Rick 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Hey I needed to maintain a certain quality 

Did you send something to Robbie to say you wanted to review it? In the end
we were begging for reviewers, I even took Dean as a reviewer and you know
the edge I had to be on for that... He kept wanting to spell words wrong.
Eventually I just took out all references to the words color, humor, and
other -or words.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, October 14, 2005 7:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe said: Again, the reviewers did a fantastic job.

Of which, you will all notice when the book comes out, I am _NOT_ one of
those reviewers.

joe said: They kept me honest

Which is one of the reasons _WHY_ I was not one of those reviewers

Rick

P.S.  Hey, joe  :op

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Not out yet, I am expecting Mid November or Early December. I sent an email
to see if I can find out. 

The book is NOT written in my voice, I tried as best as possible to maintain
the voice that was there. I simply revised it though I did add a Chapter on
ADAM and a chapter on some basic Exchange/AD Scripting. If you have the
first or second edition I think you will find this edition worthy of picking
up even if you don't have Windows Server 2003 SP1 or R2. I tried fleshing
out and changing anything I didn't feel was right. Also the reviewers all
did a bangup job finding things I missed. I admit I didn't sleep much in
August or September. Tony may have noticed a lull in the list volume, me
working on that book saved at least 2 bazillion helpless bits from being
sacrificed.

I learned that revising a book may actually be harder than writing a book
from scratch and you get paid less. Well maybe it is depending on if you
know what you want to write about. With revising you can't just write, you
have to read, reread, write, reread, write, reread, tweak, reread. When you
change the flow and feel and voice it is like hitting a brick wall when
reading. I am sure I didn't get rid of all of the bricks but I certainly
tried to knock the walls down to a point where you can step over them
without too much trouble. Anyway, I spent less time writing the ADAM chapter
than I spent updating the security chapter. I know now that I probably
should have just rewritten from scratch and it would have gone faster. Oh
well, live and learn or don't live long.

Again, the reviewers did a fantastic job. They kept me honest when I tried
to skip over some stuff when I got tired and I thank them profusely. I tried
to do them justice in the small space provided to me for acknowledgements.
Those are the things people tend not to look at at the front of the book. I
do ask that if you pick up the book, you do look. Those, folks, deserve,
the: attention.


  joe





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe,  Active Directory Third Edition
What is this?  Where is it?

RH
_

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)


I would not be surprised. I know this list has become quite popular and for
good reason. It is one of the few places where I learn things that I don't
stumble over myself. Many times I learn things when people make random
comments about their environment which kicks a realization in myself on how
something probably works in the backend. It is pretty cool. 

On the downside sounds like my total sales on Active Directory Third Edition
will be in the area of 2000 copies which isn't going to buy me a 100ft ocean
ready cruiser. ;o)

Understood on posting the lurker list. On top of the spammers, I am sure
some lurkers would not be happy to be out-ed like that. I don't have an
issue with lurkers myself. In fact I would love to hear we have some 25000
lurkers, it means a lot of people are getting a lot of good info. 


> Everyone has to send me 25% of their income. It's only fair really.

Does the postal service even deliver to NZ?


   joe

P.S. So now I am feeding everyone? No wonder my pantry is empty! 


 

-Original Message-
From: 

RE: [ActiveDir] AD/ Sites Services

2005-10-16 Thread rania
Thanks for your reply.
I heard that one site is more than enough, in order to facilitate the 
replication & it will be intra-replication.

I will put another DC in the other location as well that will work as a child 
domain controller.

The total users in the first location is 30 users.

The total users in the second location is 15 users.

I prefer to have one site & 2 DCs in each location.

What do you think, am I correct? Or wrong?



 Simple and most forward answer is to create two site - one for each
 location, with associated subnets assigned to each site.
 
 The longer answer is related to how many users in each site, how 
 fast (in AVAILABLE THROUGHPUT) is the connection between, and are 
 you intending to put at least one DC in each physical location.
 
 So, hopefully more answers are forthcoming
 
 Rick [msft]
 --
 Posting is provided AS IS, and confers no rights or warranties ...
 


RE: [ActiveDir] AD/ Sites Services

2005-10-16 Thread Almeida Pinto, Jorge de
Hi Rania,
 
One forest with one domain should do it for you, and make all DCs a GC.
 
The site and replication topology is used:
* By DCs so they know which DC to replicate with within a site and between 
sites
* By clients/servers to find the nearest DC for authentication, GPOs, etc.
 
Now we need to define "nearest".
 
The clients get the nearest DC by querying DNS. If the clients don't know what 
site they are in (mostly when joining) they ask DNS: "give me a DC for domain 
X". If they have discovered the site they are in they ask DNS: "give me a DC 
for domain X in site Y".
 
In your situation, having 2 locations separated by a wireless connection, you have 
the following possibilities:
(1) Create 1 overall site for both locations and assign the subnets of the 
locations to that site
(2) Create 2 sites, one for each location, and assign the subnets of each 
location to the corresponding site
 
(1)
The answer for the query "give me a DC for domain X" and "give me a DC for 
domain X in site Y" is the same. Assuming you have DCs at both locations, a 
client in location A can be serviced by a DC in location A and B. So 
authentication across the wireless connection is a possibility! I don't think 
you want that.
 
(2) 
Assuming again you have DCs at both locations, the query for "give me a DC for 
domain X" and "give me a DC for domain X in site Y" will have different 
answers. In this case the client will be authenticated (etc.) by a DC local 
to its own site.
 
A best practice, and highly recommended, is to have AT LEAST 2 DCs for each 
domain and also to back up AT LEAST 2 DCs for each domain.
In your case it is unknown to us how many users you have in your organization 
(at both locations), so it is difficult to say how many DCs each location should 
get.
* If you always need authentication within a site in the situation where a DC might 
crash, use 2 DCs for each location. Might be rather expensive if the 
organization is small.
* If you have a location with many users and a location with few users you 
could install 2 DCs at the many-users location and 1 DC at the few-users 
location. If one of the DCs in the many-users location drops dead you still 
have the second DC to authenticate locally. If the DC in the few-users 
location drops dead you will need to authenticate across the wireless 
connection.
* If both locations have not that many users and you want to spend that much 
money on DCs, you could install just 1 DC at each location, where each DC must 
be able to service users/clients/servers in both locations if one of the DCs 
drops dead.
 
From what you have told us and what I have read I think the following would be 
OK:
* 1 DC at each location
* 1 AD site for each location
* Assign subnets of each location to its corresponding AD site
* Use the default IP site link, assign both sites to it and configure the 
site link accordingly for replication between the sites (cost, schedule, 
interval)
* Combine DC, DNS, WINS, DHCP on one server and, if needed/wanted, set up DHCP 
redundantly using the 80/20 rule
 
I hope this takes away your confusion.
 
Cheers,
Jorge
 



From: [EMAIL PROTECTED] on behalf of rania
Sent: Sun 10/16/2005 2:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD/ Sites  Services



Dear All,

I have here in My Company, 2 Sepearate Locations, the First one is Head
Office , the second one is the Private office .

The head office have one single Network with this Range of IP-Address (
70.0.0.X / 255.255.255.0 ) .

We have Wireless -Point-To-Point Between the 2 locations .

The Privare office have also one single Network with the same range of
IP-Address in the Head office which is ( 70.0.0.X / 255.255.255.0 ).

All of them is under Workgroup, and no domains at all . --
--
what we need , is to create domain and to provide users with the
authentication from the domain by using user name  Password.
-

My question is here, i am really get confused, what should i follow :-

1- Should i follow Single Site for the 2 locations  each site will
represented by subnet , so i will have 2 subnets in one site ?

Or

2- should i follw Multiple Site with one subnet at least in each site, and
each site will represent the location it self ?

i really get confused.

as i know the site is used for the Replication , so i want to simple the
replication it self.

CAN ANY ONE GUIDE ME TO THE BEST OF IT.

Best Regards,
RANIA SAMEER.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/





RE: [ActiveDir] AD/ Sites & Services

2005-10-16 Thread rania

Thanks for your reply.

Your reply is more than Perfect  really you are very helpful.

Actually, i do not want the user Authentication to be done over the wireless 
Link.

I mean the user in Location A, when he will login in the morning, i want him 
to go and speak to the DNS which is located in the Factory and then the DNS 
will reply on him by giving the DC which is located in Factory

So i do not want the Authentication Traffic will travel from the Location A to 
location B.

2- I have in the Location A which is the Head office 30 Users with this Domain 
name ( MYDOMAIN.COM ) , and we bring 2 Domain Controllers to work as Backup in 
the Head office.

3- in the FACTORY or in the LOCATION B, i have 20 users and child domain with 
this name ( child.mydomain.com) and one domain controller only in this 
location.

4- I am unable exactly to imagine how can i do that , so can you guide me to 
this?

5- is there any software can i use to trace the traffic and see that this user 
is now talking to this DNS and asking for the domain controller .




 Hi Rania,
 
 One forest with one domain should do it for you and make all DCs a GC
 
 The site and replication topology is used:
 * By DCs so they know with which DC to replicate with within a site 
 and between sites
 * By clients/servers to find the nearest DC for 
 authentication, GPOs, etc.
 
 Now we need to define nearest
 
 The clients get the nearest DC by querying DNS. If the clients don't 
 know what site they are in (mostly when joining) they ask DNS: give 
 me a DC for domain X. If they have discovered the site they are in 
 they ask DNS: give me a DC for domain X in site Y
 
 In your situation having 2 location separated by a wireless 
 connection you have the following possibilities:
 (1) Create 1 overal site for both locations and assign the subnets 
 of the locations to that site
 (2) Create 2 sites, one for each location and assign the subnets of 
 each location to the corresponding site
 
 (1)
 The answer for the query for give me a DC for domain X and give 
 me a DC for domain X in site Y is the same. Assuming you have DCs 
 at both locations a client in location A can be serviced by a DC in 
 location A and B. So authentication across the wireless connection 
 is a possibility! I don't think you want that
 
 (2)
 Assuming again you have DCs at both locations, the query for give 
 me a DC for domain X and give me a DC for domain X in site Y will 
 have different answers. In this case the client will be 
 authenticated (and etc.) by a DC local to its own site.
 
 A best practice and highly recommended is to have AT LEAST 2 DCs for 
 each domain and also to backup AT LEAST 2 DCs for each domain. In 
 your case it is unknown to us how many users you have in your 
 organization (at both location) so it is difficult to say how many 
 DCs each location should get.
 * If you always need authentication within a site in the situation a DC 
 might crash use 2 DCs for each location. Might be rather expensive if the 
 organization is small
 * If you have a location with many users and a location with few users 
 you could install 2 DCs at the many users location and 1 DC at the 
 few users location. If one of the DCs in the many users location 
 drops dead you still have the second DC to authenticate locally. If 
 the DC in the few users location drops dead you will need to 
 authenticate across the wireless connection
 * If both locations have not that many users and you want to spend that 
 much money on DCs, you could install just 1 DC at each location where 
 each DC must be able to service user/clients/servers in both locations 
 if one of the DCs drops dead.
 
 From what you have told us and what I have read I think the following would 
be OK:
 * 1 DC at each location
 * 1 AD site for each location
 * Assign subnets of each location to its corresponding AD site
 * Use the default IP site link and assign both sites to it and 
 configure the site link accordingly for replication between the 
 sites (cost, schedule, interval)
 * Combine DC, DNS, WINS, DHCP on one server and if needed wanted setup 
 DHCP redundant using the 80/20 rule
 
 I hope this takes away your confusion
 
 Cheers,
 Jorge
 
 
 
 From: [EMAIL PROTECTED] on behalf of rania
 Sent: Sun 10/16/2005 2:00 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] AD/ Sites & Services
 
 Dear All,
 
 I have here in My Company, 2 Separate Locations, the First one is Head
 Office , the second one is the Private office .
 
 The head office have one single Network with this Range of IP-
 Address (
 70.0.0.X / 255.255.255.0 ) .
 
 We have Wireless -Point-To-Point Between the 2 locations .
 
 The Private office have also one single Network with the same range 
 of IP-Address in the Head office which is ( 70.0.0.X / 255.255.255.0 
 ).
 
 All of them is under Workgroup, and no domains at all . -
 -
 

RE: [ActiveDir] salary(OT)

2005-10-16 Thread Ulf B. Simon-Weidner
Hi Rick,

Stop whining ;-)

You've been asked on 7/17 by Robbie.

Ulf 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
|Sent: Sunday, October 16, 2005 2:14 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] salary(OT)
|
|Oh, and given a bit to think.
|
|You asked Dean - but you didn't ask me.  Huh.  NOW I know 
|where *I* stand.  In your mind, off the edge, if Dean was 
|just right at  ;-)
|
|Rick 
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of joe
|Sent: Friday, October 14, 2005 6:36 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] salary(OT)
|
|Hey I needed to maintain a certain quality 
|
|Did you send something to Robbie to say you wanted to review 
|it? In the end we were begging for reviewers, I even took Dean 
|as a reviewer and you know the edge I had to be on for 
|that He kept wanting to spell words wrong.
|Eventually I just took out all references to the words color, 
|humor, and other or words.
|
| 
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
|Sent: Friday, October 14, 2005 7:31 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] salary(OT)
|
|joe said: Again, the reviewers did a fantastic job.
|
|Of which, you will all notice when the book comes out, I am 
|_NOT_ one of those reviewers.
|
|joe said: They kept me honest
|
|Which is one of the reason _WHY_ I was not one of those reviewers
|
|Rick
|
|P.S.  Hey, joe  :op
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of joe
|Sent: Friday, October 14, 2005 6:10 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] salary(OT)
|
|Not out yet, I am expecting Mid November or Early December. I 
|sent an email to see if I can find out. 
|
|The book is NOT written in my voice, I tried as best as 
|possible to maintain the voice that was there. I simply 
|revised it though I did add a Chapter on ADAM and a chapter on 
|some basic Exchange/AD Scripting. If you have the first or 
|second edition I think you will find this edition worthy of 
|picking up even if you don't have Windows Server 2003 SP1 or 
|R2. I tried fleshing out and changing anything I didn't feel 
|was right. Also the reviewers all did a bangup job finding 
|things I missed. I admit I didn't sleep much in August or 
|September. Tony may have noticed a lull in the list volume, me 
|working on that book saved at least 2 bazillion helpless bits 
|from being sacrificed.
|
|I learned that revising a book may actually be harder than 
|writing a book from scratch and you get paid less. Well maybe 
|it is depending on if you know what you want to write about. 
|With revising you can't just write, you have to read, reread, 
|write, reread, write, reread, tweak, reread. When you change 
|the flow and feel and voice it is like hitting a brick wall 
|when reading. I am sure I didn't get rid of all of the bricks 
|but I certainly tried to knock the walls down to a point where 
|you can step over them without too much trouble. Anyway, I 
|spent less time writing the ADAM chapter than I spent updating 
|the security chapter. I know now that I probably should have 
|just rewritten from scratch and it would have gone faster. Oh 
|well, live and learn or don't live long.
|
|Again, the reviewers did a fantastic job. They kept me honest 
|when I tried to skip over some stuff when I got tired and I 
|thank them profusely. I tried to do them justice in the small 
|space provided to me for acknowledgements.
|Those are the things people tend not to look at at the front 
|of the book. I do ask that if you pick up the book, you do 
|look. Those, folks, deserve,
|the: attention.
|
|
|  joe
|
|
|
|
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
|Sent: Friday, October 14, 2005 12:01 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] salary(OT)
|
|joe,  Active Directory Third Edition
|What is this?  Where is it?
|
|RH
|_
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of joe
|Sent: Friday, October 14, 2005 11:12 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] salary(OT)
|
|
|I would not be surprised. I know this list has become quite 
|popular and for good reason. It is one of the few places where 
|I learn things that I don't stumble over myself. Many times I 
|learn things when people make random comments about their 
|environment which kicks a realization in myself on how 
|something probably works in the backend. It is pretty cool. 
|
|On the downside sounds like my total sales on Active Directory 
|Third Edition will be in the area of 2000 copies which isn't 
|going to buy me a 100ft ocean ready cruiser. ;o)
|
|Understood on posting the lurker list. On top of 

RE: [ActiveDir] salary(OT)

2005-10-16 Thread joe
No I loved it because it mostly wasn't my material. ;o)  I admit to being
beaten to a pulp in all of my content by the comma police though. Plus I
seem to have this habit of typing too slow or thinking too fast and skipping
entire words, phrases, and/or sentences. I even caught a case of a missing
paragraph but I wonder if it that one was user error since I had to use Word
to do this, I am a notepad and editplus person.

On the tutoring... My tutoring days are over. If I learn any more I won't
remember how to walk. I am already forgetting more than I ever knew because
of this circular log called my brain. Now maybe if you were at Arizona State
or University of Miami I could be convinced. 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Friday, October 14, 2005 7:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] salary(OT)

joe is too kind...he's glossing over the bit where he kept saying If that
[EMAIL PROTECTED] Laura makes -one- -more- [EMAIL PROTECTED] grammar fix  
:-)

(And joe, if you do Theory of Computation, you may become my best friend
during my next grad class.  I fully expect to hire a tutor and just have the
person move into my house for 16 weeks.  :o))

On 10/14/05, joe [EMAIL PROTECTED] wrote:
 Hey I needed to maintain a certain quality

 Did you send something to Robbie to say you wanted to review it? In 
 the end we were begging for reviewers, I even took Dean as a reviewer 
 and you know the edge I had to be on for that He kept wanting to spell
words wrong.
 Eventually I just took out all references to the words color, humor, 
 and other or words.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Friday, October 14, 2005 7:31 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] salary(OT)

 joe said: Again, the reviewers did a fantastic job.

 Of which, you will all notice when the book comes out, I am _NOT_ one 
 of those reviewers.

 joe said: They kept me honest

 Which is one of the reason _WHY_ I was not one of those reviewers

 Rick

 P.S.  Hey, joe  :op

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Friday, October 14, 2005 6:10 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] salary(OT)

 Not out yet, I am expecting Mid November or Early December. I sent an 
 email to see if I can find out.

 The book is NOT written in my voice, I tried as best as possible to 
 maintain the voice that was there. I simply revised it though I did 
 add a Chapter on ADAM and a chapter on some basic Exchange/AD 
 Scripting. If you have the first or second edition I think you will 
 find this edition worthy of picking up even if you don't have Windows 
 Server 2003 SP1 or R2. I tried fleshing out and changing anything I 
 didn't feel was right. Also the reviewers all did a bangup job 
 finding things I missed. I admit I didn't sleep much in August or 
 September. Tony may have noticed a lull in the list volume, me working 
 on that book saved at least 2 bazillion helpless bits from being
sacrificed.

 I learned that revising a book may actually be harder than writing a 
 book from scratch and you get paid less. Well maybe it is depending on 
 if you know what you want to write about. With revising you can't just 
 write, you have to read, reread, write, reread, write, reread, tweak, 
 reread. When you change the flow and feel and voice it is like hitting 
 a brick wall when reading. I am sure I didn't get rid of all of the 
 bricks but I certainly tried to knock the walls down to a point where 
 you can step over them without too much trouble. Anyway, I spent less 
 time writing the ADAM chapter than I spent updating the security 
 chapter. I know now that I probably should have just rewritten from 
 scratch and it would have gone faster. Oh well, live and learn or don't
live long.

 Again, the reviewers did a fantastic job. They kept me honest when I 
 tried to skip over some stuff when I got tired and I thank them 
 profusely. I tried to do them justice in the small space provided to me
for acknowledgements.
 Those are the things people tend not to look at at the front of the 
 book. I do ask that if you pick up the book, you do look. Those, 
 folks, deserve,
 the: attention.


  joe





 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
 Sent: Friday, October 14, 2005 12:01 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] salary(OT)

 joe,  Active Directory Third Edition
 What is this?  Where is it?

 RH
 _

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Friday, October 14, 2005 11:12 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] salary(OT)


 I would not be surprised. I 

RE: [ActiveDir] finding computer objects

2005-10-16 Thread joe



(&(samaccounttype=805306369)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))

You would have no choice but to use a bitwise filter since 
the enabled status is included as bit 1 (value 2) in the userAccountControl 
attribute.

Basically if you look at a typical disabled computer 
userAccountControl you will see a value of 4130 or 4098. 


I will take 4130 as the example. In binary it looks 
like

1000000100010

Each one of those bits is a status flag, most of which are 
described here

http://msdn.microsoft.com/library/default.asp?url="">

You will note that the following bits are 
lit

1000000000000 = 0x1000 = 4096 which is 
Workstation trust account

100000 = 0x20 = 32 which is Password not 
required

10 = 0x02 = 2 which is disabled

When you do a bitwise AND operation, you are filtering for 
the flags that you want to match on. So if you want to find all disabled 
accounts you need to look at bit 1 (value 2) so you will filter with the binary 
value of 10 which is decimal 2. That would look like 
this


 
    1000000100010
AND 0000000000010
    -------------
    0000000000010

A positive non-zero value coming back means it is TRUE in 
terms of a query. If it comes back zero that means FALSE.

So to find disabled whatevers you use 

useraccountcontrol:1.2.840.113556.1.4.803:=2

If the result of that is a value other than 0 the query 
resolves to TRUE and the object is returned.

If the result of that is a value of 0 then the query 
resolve to FALSE and the object is not returned.

If you want to find enabled objects, unfortunately you have 
to do a logical NOT of the value returned by the bitwise AND. 


Now keep in mind that the logical NOT as well as the 
bitwise filters muck with the ability to use an Index. A NOT completely 
disallows use of the Index so you have to walk through the entire set of 
possible objects and check the userAccountControl value and return anything that 
doesn't have 2 set on it, this would include objects that don't even have the 
userAccountControl attribute. The bitwise filters will let the index be used, 
but only for determining how many objects have userAccountControl set, it then 
has to walk through all of them doing the bitwise operation. 


So that means when you use NOT or bitwise on an attribute 
that is indexed, you want to try and find another indexed attribute to help 
knock down the resultset size that it has to run the bitwise op against. That is 
always the case though, you want to try and use the most specific indexes for 
the objects you are looking for. Generally whichever index has the fewest 
objects in it will be the one used to get the initial set of objects to work 
with in a simple query. I have seen cases where this wasn't always the case and 
I chalk it up to the QP making some other decisions based on the actual 
query.


So to break down the query I applied 
above

(&(samaccounttype=805306369)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))

You are looking for any objects with samAccountType of 805306369 (computer 
objects) that have a userAccountControl value with bit 1 set. 

Note I could also have 
used 


(&(objectcategory=computer)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))


I used samAccountType to 
show that there is more than one way to do it. I figure at least one person who 
might not have read this post due to its length may see that initial query and 
go WTF is that...


 
joe
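The following is an added example, not code from joe's post or from adfind/dsquery/csvde: a small evaluator for the filter subset used in this thread, run over constructed computer and user objects, so the two matching rules can be watched doing their bitwise work. It shows that Tom's 804:=4096 query still returns the disabled machines, that the NOT form also returns objects lacking the attribute altogether, and which flags 4130 decodes to. Object names and values are constructed; the flag values are the documented userAccountControl bits.

```python
import re

UAC_FLAGS = {                  # userAccountControl bits, as documented in KB 305144
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
}
BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR
SAM_MACHINE_ACCOUNT = 805306369      # samAccountType of computer objects

# The two filters discussed in the thread, with the '&' the archive dropped restored
ENABLED_COMPUTERS = "(&(samaccounttype=805306369)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))"
TOMS_QUERY = ("(&(objectcategory=computer)(operatingSystem=windows server 2003)"
              "(useraccountcontrol:1.2.840.113556.1.4.804:=4096))")

def decode_uac(value):
    """Names of the flags lit in a userAccountControl value (4130 -> three flags)."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]

def bitwise_match(rule, value, mask):
    """803 (AND): every bit of mask must be set; 804 (OR): at least one bit of mask set."""
    if rule == BIT_AND:
        return value & mask == mask
    if rule == BIT_OR:
        return value & mask != 0
    raise ValueError("unknown matching rule " + rule)

def parse_filter(text):
    """Parse the filter subset used here: (&...), (!...), (attr=value), (attr:OID:=value)."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing text: " + rest)
    return node

def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' at: " + s)
    s = s[1:]
    if s[0] == "&":
        kids, s = [], s[1:]
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        return ("&", kids), _expect_close(s)
    if s[0] == "!":
        kid, s = _parse(s[1:])
        return ("!", [kid]), _expect_close(s)
    end = s.index(")")
    m = re.fullmatch(r"([^:=]+)(?::([\d.]+):)?=(.*)", s[:end])
    if not m:
        raise ValueError("bad filter item: " + s[:end])
    attr, rule, value = m.groups()
    return ("=", attr.lower(), rule, value), _expect_close(s[end:])

def _expect_close(s):
    if not s.startswith(")"):
        raise ValueError("expected ')' at: " + s)
    return s[1:]

def matches(node, obj):
    """Evaluate a parsed filter against one object (dict with lower-cased attribute names)."""
    if node[0] == "&":
        return all(matches(kid, obj) for kid in node[1])
    if node[0] == "!":
        return not matches(node[1][0], obj)
    _, attr, rule, value = node
    if attr not in obj:
        return False              # an absent attribute never matches, so a NOT of it does
    if rule is None:
        return str(obj[attr]).lower() == value.lower()
    return bitwise_match(rule, int(obj[attr]), int(value))

def search(filter_text, objects):
    """Return the cn of every object the filter selects, in directory order."""
    node = parse_filter(filter_text)
    return [o["cn"] for o in objects if matches(node, o)]

def computer(cn, uac):
    """Constructed computer object with the attributes the thread's filters touch."""
    return {"cn": cn, "objectcategory": "computer", "samaccounttype": SAM_MACHINE_ACCOUNT,
            "operatingsystem": "Windows Server 2003", "useraccountcontrol": uac}

# Constructed sample directory, not real data
SAMPLE = [
    computer("WS01", 4096),   # enabled workstation trust account
    computer("WS02", 4098),   # 4096 + 2: disabled
    computer("WS03", 4130),   # 4096 + 32 + 2: disabled, password not required
    {"cn": "jdoe", "objectcategory": "person", "samaccounttype": 805306368,
     "useraccountcontrol": 514},                        # 512 + 2: disabled user
    {"cn": "contact1", "objectcategory": "person"},     # no userAccountControl at all
]
```

`search(TOMS_QUERY, SAMPLE)` returns all three machines, which is Kamlesh's point; `search(ENABLED_COMPUTERS, SAMPLE)` returns only WS01.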




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 8:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

so how can i get just normal comp accounts which are NOT disabled?
would you not use a bitwise filter for those types of queries.
thanks

p.s- since you responded to this one after my stupid salary query and this 
actually is one of those questions which has nothing to do with my current job, 
but for my own curiosty, i thought i'd pursue it.
i've never really understood the proper way to use bitwise filters and 
when, even after reading robbie allen's brief explanation in the AD 
Cookbook.
i really did try to look this one up.
can you explain it to me in the context of this query?
thanks again
On 10/14/05, joe 
[EMAIL PROTECTED] 
wrote: 

  Just a small expansion. Checking for 4096 with a BITWISE filter (which is used 
  here) will not filter out disabled accounts. 
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
  Sent: Friday, October 14, 2005 12:58 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] finding computer objects
  
  You might want to know, checking for 4096 in 
  useraccountcontrol will include disabled accounts also.. As bit 2 is 
  set for account disabled, and you are not checking its absence. 
  ( 
  http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)Just 
  extract useraccountcontrol in your dsquery output along with name, and check 
  the status of accounts whose 

RE: [ActiveDir] finding computer objects

2005-10-16 Thread joe
Yes, the -samdc switch is useful for doing this.

Also play with -stats+ and -stats+only to see how the resultsize of the
query changes to find the most efficient way to do it. Note that in some
cases, the most efficient for one forest may not necessarily be the same for
another. It can vary based on the dataset.

   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Friday, October 14, 2005 8:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding computer objects

Tom-

I'll certainly not try to explain it while joe's around :-)

but here's a KB that helped me when I was trying to grasp this. That and
using adfind to look at the resultant values of objects that I knew the
flags for already...

How to use the UserAccountControl flags to manipulate user account
properties:
 http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects


so how can i get just normal comp accounts which are NOT disabled?
would you not use a bitwise filter for those types of queries.
thanks
 
p.s- since you responded to this one after my stupid salary query and this
actually is one of those questions which has nothing to do with my current
job, but for my own curiosty, i thought i'd pursue it.
i've never really understood the proper way to use bitwise filters and when,
even after reading robbie allen's brief explanation in the AD Cookbook.
i really did try to look this one up.
can you explain it to me in the context of this query?
thanks again

 
On 10/14/05, joe [EMAIL PROTECTED] wrote: 

Just a small expansion. Checking for 4096 with a BITWISE filter
(which is used here) will not filter out disabled accounts. 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

 
You might want to know,

checking for 4096 in useraccountcontrol will include disabled
accounts also..  
As bit 2 is set for account disabled, and and you are not checking
its absence. 
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)

Just extract useraccountcontrol in your dsquery output along with
name, and check the status of accounts whose useraccountcontrol is set to
4098 ( 4096 + 2), you will find that those are disabled accounts.
(which I think, you didn't want) 

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh


On 10/14/05, Tom Kern [EMAIL PROTECTED] wrote: 

Thanks.
I used dsquery
 
dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter
"(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"
 
Thanks again.
sorry to bug you. i should've posted i figured it out.
 


 
On 10/14/05, Kamlesh Parmar [EMAIL PROTECTED] 
wrote: 

Why not use CSVDE.EXE, while joe gives us the adfind
with -CSV switch and custom delimeter, in next few days. 

csvde -f output.txt -r
"(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimeter, and DN is
always included in the result. 



On 10/14/05, Kern, Tom [EMAIL PROTECTED]
wrote: 




-- 
~~~
Fortune and Love befriend the bold 
~~~












RE: [ActiveDir] AD/ Sites & Services

2005-10-16 Thread Almeida Pinto, Jorge de
I don't understand why you want to use a child domain in the factory location? 
Can you tell us the reason(s). In my opinion there is no need for that. 
Remember what I said for redundancy purposes you at least need 2 DCs for each 
domain For the scenario you want to implement (2 domains) you at least need 4 
DCs to service about 60 users. For your environment 2 DCs would be enough when 
also thinking about hardware costs, maintenance, licenses, etc.
 
When talking about the scenario I explained earlier, 2 DCs total, 1 DC for each 
location you could do the following
 
In the HQ location install the first DC by:
* Install Windows 2003 with SP1 on some hardware, install DNS, WINS and DHCP on 
the DC (DC01)
* TCP/IP settings for DC01 (IPs are examples):
   * IP 70.0.1.1
   * Netmask 255.255.255.0
   * DNS preferred: 70.0.1.1, DNS alternate: 70.0.2.1 (the alternate DNS is 
the other DC at the other location)
   * WINS primary: 70.0.1.1, don't configure a secondary!
* In DNS configure the following zones (again examples as the names are!):
   * MYDOMAIN.LOCAL (primary and allow dynamic updates)
   * _MSDCS.MYDOMAIN.LOCAL (primary and allow dynamic updates)
* DCPROMO DC01 to a DC (DNS NAME domain = MYDOMAIN.LOCAL, NetBIOS name = 
MYDOMAIN) (new forest, new domain, first DC)
* After reboot configure the zones as follows:
   * MYDOMAIN.LOCAL (AD-integrated, replication scope = DNS in domain, 
allow SECURE dynamic updates)
   * _MSDCS.MYDOMAIN.LOCAL (AD-integrated, replication scope = DNS in 
forest, allow SECURE dynamic updates)
* Authorize DC01 as DHCP server
* Configure DDNS credentials on DC01
* Configure the DHCP scope on DC01 for the clients in HQ location by creating a 
scope with ALL available IP addresses (example)
  * DHCP scope = HQ location
  * range 70.0.1.101 - 70.0.1.150
  * Exclude 70.0.1.141 - 70.0.1.150 (=20%)
  * Netmask 255.255.255.0
  * Default gateway = 70.0.1.254
  * Domain name = MYDOMAIN.LOCAL
  * Default lease period = 8 days
  * DNS = 70.0.1.1 & 70.0.2.1
  * WINS = 70.0.1.1 & 70.0.2.1
* Configure the DHCP scope on DC01 for the clients in FACTORY location by 
creating a scope with ALL available IP addresses (example)
  * DHCP scope = FACTORY location
  * range 70.0.2.101 - 70.0.2.150
  * Exclude 70.0.1.101 - 70.0.1.140 (=80%)
  * Netmask 255.255.255.0
  * Default gateway = 70.0.2.254
  * Domain name = MYDOMAIN.LOCAL
  * Default lease period = 8 days
  * DNS = 70.0.2.1 & 70.0.1.1
  * WINS = 70.0.2.1 & 70.0.1.1

In the FACTORY location install the first DC by:
* Install Windows 2003 with SP1 on some hardware, install DNS, WINS and DHCP on 
the DC (DC01) (same forest, additional DC for existing domain)
* TCP/IP settings for DC02 (IPs are examples):
   * IP 70.0.2.1
   * Netmask 255.255.255.0
   * DNS preferred: 70.0.2.1, DNS alternate: 70.0.1.1 (the alternate DNS is 
the other DC at the other location)
   * WINS primary: 70.0.2.1, don't configure a secondary!
* DCPROMO DC02 to a DC (DNS NAME domain = MYDOMAIN.LOCAL, NetBIOS name = 
MYDOMAIN)
* Authorize DC02 as DHCP server
* Configure DDNS credentials on DC02
* Configure the DHCP scope on DC02 for the clients in HQ location by creating a 
scope with ALL available IP addresses (example)
  * DHCP scope = HQ location
  * range 70.0.1.101 - 70.0.1.150
  * Exclude 70.0.1.101 - 70.0.1.140 (=80%)
  * Netmask 255.255.255.0
  * Default gateway = 70.0.1.254
  * Domain name = MYDOMAIN.LOCAL
  * Default lease period = 8 days
  * DNS = 70.0.1.1 & 70.0.2.1
  * WINS = 70.0.1.1 & 70.0.2.1
* Configure the DHCP scope on DC02 for the clients in FACTORY location by 
creating a scope with ALL available IP addresses (example)
  * DHCP scope = FACTORY location
  * range 70.0.2.101 - 70.0.2.150
  * Exclude 70.0.1.141 - 70.0.1.150 (=20%)
  * Netmask 255.255.255.0
  * Default gateway = 70.0.2.254
  * Domain name = MYDOMAIN.LOCAL
  * Default lease period = 8 days
  * DNS = 70.0.2.1 & 70.0.1.1
  * WINS = 70.0.2.1 & 70.0.1.1
 
On the router at the HQ location configure the DHCP relay option (or IP helper) 
to point at DC02 (70.0.2.1) and if possible configure a delay
On the router at the FACTORY location configure the DHCP relay option (or IP 
helper) to point at DC01 (70.0.1.1) and if possible configure a delay
 
On DC01 configure for WINS, DC02 as push/pull replication partner with the 
default values
On DC02 configure for WINS, DC01 as push/pull replication partner with the 
default values

I think not, but I may have forgotten something.
 
Well you can do a network trace to see the traffic between a client and a DC. 
Free network tracers are available like Ethereal, Packetyzer.
 
Good luck!
 
Cheers,
Jorge
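An added example (not code from Jorge's post or from any Microsoft tool) that works through two pieces of the design above: how a client maps its IP to an AD site via the subnet objects and then asks DNS for a DC using the site-specific `_sites` record before the domain-wide one (the same `_msdcs` names Jorge gives in the "Major issue" thread further down), and how the 80/20 rule splits each DHCP range into the exclusions for the local and the remote DC. The subnets and ranges are Jorge's example addressing; the site names HQ and FACTORY, the DC host names and the SRV answers are assumptions.

```python
import ipaddress

DOMAIN = "mydomain.local"   # MYDOMAIN.LOCAL from the steps above, lower-cased
# AD subnet objects -> site, from the example addressing; site names are assumed
SUBNETS = {"70.0.1.0/24": "HQ", "70.0.2.0/24": "FACTORY"}
# DHCP range per location, from the example scopes
RANGES = {"HQ": ("70.0.1.101", "70.0.1.150"), "FACTORY": ("70.0.2.101", "70.0.2.150")}
# Constructed SRV answers (host names assumed): what DNS returns for each locator name
DNS_SRV = {
    f"_ldap._tcp.HQ._sites.dc._msdcs.{DOMAIN}": ["dc01.mydomain.local"],
    f"_ldap._tcp.FACTORY._sites.dc._msdcs.{DOMAIN}": ["dc02.mydomain.local"],
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": ["dc01.mydomain.local", "dc02.mydomain.local"],
}

def site_for_ip(ip, subnets=SUBNETS):
    """Map a client IP to its site by the longest matching subnet object; None if unmapped."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None

def dc_locator_names(domain, site=None):
    """SRV names asked in order: 'a DC for domain X in site Y', then 'a DC for domain X'."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names

def find_dc(client_ip, dns=DNS_SRV, subnets=SUBNETS, domain=DOMAIN):
    """DCs offered to a client: site-local ones when it knows its site, else any DC in the domain."""
    site = site_for_ip(client_ip, subnets)
    for name in dc_locator_names(domain, site):
        if dns.get(name):
            return dns[name]
    return []

def split_scope(first, last, local_share=0.8):
    """80/20 rule: exclusions so the local DHCP server leases 80% of a range, the remote 20%.
    Returns (exclusion configured on the local server, exclusion on the remote server)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    total = int(hi) - int(lo) + 1
    boundary = lo + int(total * local_share)      # first address of the remote 20%
    local_excl = (str(boundary), str(hi))         # local server keeps the first 80%
    remote_excl = (str(lo), str(boundary - 1))    # remote server keeps the last 20%
    return local_excl, remote_excl

def dhcp_plan(server_site, ranges=RANGES):
    """Per-scope exclusions for the DC in server_site: 20% of its own location's range
    excluded, 80% of every other location's range excluded."""
    plan = {}
    for site, (first, last) in ranges.items():
        local_excl, remote_excl = split_scope(first, last)
        plan[site] = local_excl if site == server_site else remote_excl
    return plan
```

`find_dc` on an IP outside any subnet object falls through to the domain-wide record and may be handed the DC across the wireless link, which is the one-site scenario Jorge warns about.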



From: [EMAIL PROTECTED] on behalf of rania
Sent: Sun 10/16/2005 3:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/ Sites  

RE: [ActiveDir] Major issue not sure if 2003 created this problem

2005-10-16 Thread joe
Well previously you mentioned it was IP hardcoded, now you specify name. If
the name was there, possibly someone dorked with the name in DNS, especially
if you didn't use a fully qualified name and you have multiple search
suffixes.

Otherwise, the only way for the client to jump to another machine would be
through a referral. 

If you have multiple domains, you may find that straight kerberos is not as
fun as you may think. I recall one kerberos integration project that went
over 2 years with no production machines launched. There are some difficult
problems that can be encountered and the people on that project generally
found the MS people in Redmond good to work with and the MIT kerberos people
a pain to work with. The onsite MS PSS/MCS people really didn't have any
ideas on any of the problems. Kerberos is one of those things that most of
the MS world likes to just see work, when it doesn't, there are a lot of
shrugged shoulders and mumbled I don't knows.

Not saying it is impossible, it can just be trying. Microsoft did an
amazing, yes amazing, job on hiding the backend complexities of kerberos. 

As for pricing, hit Vintela/Quest at the end of a quarter or at the end of
the fiscal year. Also check out Centrify, they are in the same space. See if
you can get both companies into a bidding war. As for who is better, I think
it hasn't been worked out yet. Lots of opinions both ways but no clear cut
you must do it this way winner. I am friends with people on both sides of
that fight.

   joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Friday, October 14, 2005 9:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major issue not sure if 2003 created this problem

Hi all,
The linux client is configured with a host parameter in the ldap.conf file
and isn't srv aware.  I was running several network traces and sniffers, etc
to determine what exactly was going on but the dumps came up empty.  But, I
think the issue has gone away but not sure why.  

On another note:  I did look into vintela before we decided to go with ldap
but they were extremely expensive.  We are heading to kerberos with
the rh 3.0 upgrade and I cannot wait for that!   

Thanks for you input!


Thank you for your time! 
Jennifer
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 7:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major issue not sure if 2003 created this problem

This assumes that the client knows how to retrieve SRV records though.

The first thing I would say to do in troubleshooting this is to do drum roll
please. Network trace, yeah you knew I was going to pull that one didn't
you?

Another thing to do would be to use proper authentication with Kerberos.
Vintela and Centrify have products to help make this much less painful than
it can be.

   Joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Friday, October 14, 2005 3:51 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major issue not sure if 2003 created this problem

Well 
To query for ANY DC (or LDAP server) in the domain you use:
_ldap._tcp.dc._msdcs.domain.tld
 
To query for ANY DC (or LDAP server) in a certain site you use:
_ldap._tcp.site name._sites.dc._msdcs.domain.tld
 
If a computer does not know its site it uses the first and if it knows its
site it will use the second.
 
I don't know if a linux client is site aware or can be made site aware (with
the samba client?) (and I don't know anything about linux/unix)
 
How is the linux client configured to search for a DC?
 
Cheers,
Jorge



From: [EMAIL PROTECTED] on behalf of Jennifer Fountain
Sent: Fri 10/14/2005 9:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Major issue not sure if 2003 created this problem




Hi all:
I currently have my linux boxes configured to log into AD via ldap.  I
noticed today that even though I have the host ip hard coded to a local
server, each box is trying to authenticate to a DC at a remote site.
Has anyone experienced this issue?

Kind Regards,

Jennifer Fountain
Systems Administrator/Security
RB Distribution
3400 E Walnut Street
Colmar, PA  18915




*
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material.  Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer



List info   : http://www.activedir.org/List.aspx
List FAQ: 
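
Added example, not from the thread above: the site-aware DC locator logic Jorge
describes, written in Python and run against constructed SRV answers rather
than a live DNS query. The domain example.com, the site name Colmar and the DC
host names are made up. The client tries the site-scoped name first, falls back
to the domain-wide name, and orders the answers by RFC 2782 priority and
weight; a hard-coded host line in ldap.conf, as in the original post, skips all
of this. One caveat worth keeping in mind: the SRV answer is plain DNS and is
not authenticated, so the client still needs Kerberos (or TLS with certificate
checking) to know it is talking to the DC it thinks it is, which is joe's point
about proper authentication.

```python
"""Site-aware DC locator over SRV records, on constructed data.

Added example for the thread above; nothing here queries real DNS. The
resolver table, domain, site and host names are made up for illustration.
"""
import random

# Constructed SRV answers keyed by query name. Each record is
# (priority, weight, port, target), the order SRV RDATA uses.
FAKE_SRV = {
    "_ldap._tcp.dc._msdcs.example.com": [
        (0, 100, 389, "dc1-colmar.example.com"),
        (0, 100, 389, "dc2-remote.example.com"),
    ],
    "_ldap._tcp.Colmar._sites.dc._msdcs.example.com": [
        (0, 100, 389, "dc1-colmar.example.com"),
    ],
}


def srv_names(domain, site=None):
    """Names to try, most specific first: the site-scoped record when the
    client knows its site, then the domain-wide record as fallback."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def order_srv(records, rng=None):
    """Order SRV records per RFC 2782: ascending priority; within one
    priority a weighted random pick, zero-weight records chosen last."""
    rng = rng or random.Random(0)
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec[0], []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r[1] for r in pool)
            if total == 0:
                pick = pool[0]
            else:
                n = rng.randint(0, total - 1)
                running = 0
                for r in pool:
                    running += r[1]
                    if n < running:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def locate_dc(domain, site=None, resolver=FAKE_SRV):
    """Return (query name that answered, [(target, port), ...]) or
    (None, []) when neither the site nor the domain record exists."""
    for name in srv_names(domain, site):
        records = resolver.get(name, [])
        if records:
            return name, [(t, p) for (_, _, p, t) in order_srv(records)]
    return None, []


if __name__ == "__main__":
    print(locate_dc("example.com", site="Colmar"))
    print(locate_dc("example.com"))  # site unknown: domain-wide record
```

To see what a real client would get, replace FAKE_SRV with an SRV lookup
against the domain's DNS; the selection logic stays the same.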

RE: [ActiveDir] finding computer objects

2005-10-16 Thread joe



Because you will never have the case of 
userAccountControl=2 so that query will never be true. 

userAccountControl is a bit flag, not an absolute 
value.

 joe


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 10:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

if you're not comparing it to any other bit in userAccountControl, i don't 
understand why you need the bitwise filter.
why can't you just have userAccountControl=2 then and just use "!", to find 
a disabled or enabled account?
That's where my confusion comes in.

Thanks

On 10/14/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: 

  LDAP filter for disabled user accounts:
  "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"

  LDAP filter for enabled user accounts:
  "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

  Cheers,
  Jorge

  From: [EMAIL PROTECTED] on behalf of Free, Bob
  Sent: Sat 10/15/2005 2:35 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] finding computer objects

  Tom-
  I'll certainly not try to explain it while joe's around :-) but here's a KB 
  that helped me when I was trying to grasp this. That and using adfind to 
  look at the resultant values of objects that I knew the flags for already...

  How to use the UserAccountControl flags to manipulate user account properties:
  http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
  On Behalf Of Tom Kern
  Sent: Friday, October 14, 2005 5:20 PM
  To: ActiveDir@mail.activedir.org 
  Subject: Re: [ActiveDir] finding computer objects

  so how can i get just normal comp accounts which are NOT disabled?
  would you not use a bitwise filter for those types of queries.
  thanks
  p.s - since you responded to this one after my stupid salary query and 
  this actually is one of those questions which has nothing to do with my 
  current job, but for my own curiosity, i thought i'd pursue it.
  i've never really understood the proper way to use bitwise filters and 
  when, even after reading robbie allen's brief explanation in the AD Cookbook.
  i really did try to look this one up.
  can you explain it to me in the context of this query?
  thanks again

  On 10/14/05, joe [EMAIL PROTECTED] wrote: 

    Just a small expansion. Checking for 4096 with a BITWISE filter (which 
    is used here) will not filter out disabled accounts. 

    From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
    On Behalf Of KamleshParmar 
    Sent: Friday, October 14, 2005 12:58 PM 
    To: ActiveDir@mail.activedir.org 
    Subject: Re: [ActiveDir] finding computer objects 

    You might want to know, checking for 4096 in useraccountcontrol will 
    include disabled accounts also.. As bit 2 is set for account disabled, 
    and you are not checking its absence. 
    (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144) 
    Just extract useraccountcontrol in your dsquery output along with name, 
    and check the status of accounts whose useraccountcontrol is set to 4098 
    (4096 + 2), you will find that those are disabled accounts. (which I 
    think, you didn't want) 
    If I misunderstood your requirement, please ignore this mail.. 

    -- 
    Kamlesh 

    On 10/14/05, Tom Kern [EMAIL PROTECTED] wrote: 

      Thanks. 
      I used dsquery: 
      dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))" 
      Thanks again. 
      sorry to bug you. i should've posted i figured it out. 

      On 10/14/05, Kamlesh Parmar [EMAIL PROTECTED] wrote: 

        Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch 
        and custom delimiter, in next few days. 
        csvde -f output.txt -r "(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(operatingSystem=Windows Server 2003))" -l cn,description 

        only gripe is can't change the delimiter, and DN is always included 
        in the result. 

        On 10/14/05, Kern, Tom [EMAIL PROTECTED] wrote: 

        -- 
        ~~~ 
        "Fortune and Love befriend the bold" 
        ~~~ 

    -- 
    ~~~ 
    "Fortune and Love befriend the bold" 
    ~~~

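Added example, not from the thread above: a small Python evaluator for the
filter syntax used in it (&, |, !, plain equality, and the
1.2.840.113556.1.4.803 bit-AND and 1.2.840.113556.1.4.804 bit-OR matching
rules), run over a handful of constructed objects so you can see why
(userAccountControl=2) matches nothing while the bitwise form matches exactly
the disabled accounts, and why the OR rule on 4096 still returns disabled
workstations. The object names and UAC values are made up, and objectClass is
simplified to a single value per object, which is not how AD stores it.

```python
"""userAccountControl is a bit field: evaluate the thread's filters locally.

Added example; parses the LDAP filter subset used in the thread and runs it
over constructed objects, no directory connection. Sample data is made up.
"""
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # all bits in mask set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"    # any bit in mask set

UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000

# Constructed objects. objectClass is simplified to a single value here;
# in AD it is multi-valued (a computer is also a user), which is why the
# thread filters on objectCategory to tell the two apart.
OBJECTS = [
    {"name": "WS01", "objectCategory": "computer", "objectClass": "computer",
     "operatingSystem": "Windows Server 2003",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT},                      # 4096
    {"name": "WS02", "objectCategory": "computer", "objectClass": "computer",
     "operatingSystem": "Windows Server 2003",
     "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE},  # 4098
    {"name": "DC01", "objectCategory": "computer", "objectClass": "computer",
     "operatingSystem": "Windows Server 2003",
     "userAccountControl": UF_SERVER_TRUST_ACCOUNT | 0x80000},                 # 532480
    {"name": "alice", "objectCategory": "person", "objectClass": "user",
     "userAccountControl": UF_NORMAL_ACCOUNT},                                 # 512
    {"name": "bob", "objectCategory": "person", "objectClass": "user",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE},             # 514
]


def _get(obj, attr):
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    for key, value in obj.items():
        if key.lower() == attr.lower():
            return value
    return None


def parse_filter(text):
    """Compile (&...), (|...), (!...), (attr=value) and the extensible
    (attr:OID:=value) bitwise forms into a predicate over a dict."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            subs = []
            while text[pos] == "(":
                subs.append(parse())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "&":
                return lambda o: all(f(o) for f in subs)
            if op == "|":
                return lambda o: any(f(o) for f in subs)
            if len(subs) != 1:
                raise ValueError("(!...) takes exactly one filter")
            return lambda o: not subs[0](o)
        end = text.index(")", pos)
        lhs, value = text[pos:end].split("=", 1)
        pos = end + 1
        if ":" in lhs:                       # extensible match: attr:OID:
            attr, oid, _ = lhs.split(":")
            mask = int(value)
            if oid == LDAP_MATCHING_RULE_BIT_AND:
                return lambda o: (int(_get(o, attr) or 0) & mask) == mask
            if oid == LDAP_MATCHING_RULE_BIT_OR:
                return lambda o: (int(_get(o, attr) or 0) & mask) != 0
            raise ValueError(f"unsupported matching rule {oid}")
        return lambda o: str(_get(o, lhs) or "").lower() == value.lower()

    pred = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return pred


def search(filter_text, objects=OBJECTS):
    """Names of the constructed objects the filter matches, in order."""
    pred = parse_filter(filter_text)
    return [o["name"] for o in objects if pred(o)]


if __name__ == "__main__":
    # Absolute compare never matches: no account has UAC exactly 2.
    print(search("(userAccountControl=2)"))
    # Enabled computers: bit 2 clear, whatever the other bits are.
    print(search("(&(objectCategory=computer)"
                 "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"))
```

The same filter strings can be pasted into dsquery, csvde or adfind
unchanged; the evaluator only exists so the bit arithmetic can be seen
without a directory in front of you.
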
RE: [ActiveDir] rebooting a patched, but stubborn DC

2005-10-16 Thread joe
How long had the DC been up? I know this is stupid but I have seen multiple
cases where a DC that is up for months at a time will be cranky when you go
to reboot it. 

You can try to do something to take the legs out from under the DC like
somehow killing LSASS or if you have some form of remote hardware access you
can pop the reset button but I really don't recommend those ideas unless you
are looking for DB corruption. However, I understand that some sites can not
randomly have a DC rebooting on them in the middle of the day. It may be
better to blow up the DC before start of business day than allow it to just
reboot at some point. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Sunday, October 16, 2005 7:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] rebooting a patched, but stubborn DC

Hi Susan,
 Thanks for the response.  No UPS issues.  Checked the services remotely
and didn't find anything unusual.  The DC did finally reboot on its own
shortly after I sent out my first message - about 2 hours after the original
patching and message saying it wanted to reboot and I clicked OK.  The event
logs showed nothing of any consequence, just a big (2 hour) gap in the
system event log entries (between the entry saying it initiated shutdown and
the entry saying the system was coming back up).   The security log showed
no gaps at all.  Am I the only one that sees this kind of behavior on
W2K3/SP1 servers?  I normally don't use the /console switch when I TS in
(eg, mstsc.exe /console).  I wonder if that could speed the process up.
 
Mike Thommes



From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka
Ebitz - SBS Rocks [MVP]
Sent: Sat 10/15/2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] rebooting a patched, but stubborn DC



APC UPS's and you don't have the latest ver on there?
HP with a UPS?

Can you get into services and see if something is 'stopping'?

Got any ILO ability there [or suitable other remote techniques]?

Thommes, Michael M. wrote:

So I have remotely (TS connection) applied the latest Windows patches 
to one of my DCs.  Patches went on fine.  Said it needed to reboot.  I 
clicked Restart.  And two hours later, it still has not rebooted, but 
it did terminate the TS session.  I have tried to kick it via a 
shutdown /f /r command from another DC.  Still no luck.  Issue same 
command remotely with the big Kahuna account, and it says a shutdown is 
in progress.  It appears to still be serving up clients, e.g., no 
discernable ill effects.  I have seen this periodically in the past 
with other servers.  Anyone have any comments/thoughts are this 
irritating, weekend sigh activity?  TIA!

Mike Thommes

 


--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com



RE: [ActiveDir] Stupid question alert... where exactly is the tombstone value set?

2005-10-16 Thread joe
SBS people shouldn't be playing with ADSIEDIT.

;o)

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, October 16, 2005 1:20 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Stupid question alert... where exactly is the
tombstone value set?

...and it appears to not be on the OEM version of SBS sp1... geeze guys...
SBSize this sucker and make it easier to find..


Windows 2003 ADSI Edit - Download and explore Active Directory Containers:
http://www.computerperformance.co.uk/w2k3/utilities/adsi_edit.htm


Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

 For others spending their Saturday night looking for that dll... it's 
 not installed by default...

 How to Change Display Names of Active Directory Users:
 http://support.microsoft.com/?kbid=250455


 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

 We barely have a tree let alone a forest.

 David Adner wrote:

 This article below describes where to read it and how to change it.  
 A value
 of not set assumes the default.  The new 2003 SP1 180 day default 
 is only
 implemented if a forest is built as 2003 SP1.  If you simply install 
 SP1 the
 value doesn't change.

 Looks like they even updated this link, although the wording is 
 atrocious.


http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Opera


 tions/f3df8a52-81ea-4a1d-9823-4e51fbd3422a.mspx
  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Saturday, October 15, 2005 9:44 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Stupid question alert... where exactly is the 
 tombstone value set?

 http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?
 videoid=27

 Okay so watching Eileen

 And question default on Windows 2003 is 60 days... default on 
 Windows 2003 sp1 is 180 days  BUT many times I know that these 
 changes only occur on the SLIP/Clean install versions of these OS's 
 NOT on upgraded ones... see below as to confirmation of this
 btw...request please?  When changes are made between SPs... can we 
 have a cheat sheet... a white paper of how to activate all the 
 versioning changes?

 Can someone help a SBSer who's googling.. uh..msnsearching on where 
 that value is set?  I want to see what it is on my real baby that 
 got upgraded and see what it is on some test boxes I have that are 
 slip installed.

 http://www.microsoft.com/technet/prodtechnol/windowsserver2003
 /library/TechRef/54094485-71f6-4be8-8ebf-faa45bc5db4c.mspx

 *Extended storage of deleted objects.* The default period that a 
 copy of a deleted object is retained in Active Directory, called 
 the tombstone lifetime, is extended from 60 days to 180 days. 
 Longer tombstone lifetime decreases the chance that a deleted 
 object remains in the local directory of a disconnected domain 
 controller beyond the time when the object is permanently deleted 
 from online domain controllers. The tombstone lifetime is not 
 changed automatically when you upgrade to Windows Server 2003 with 
 SP1, but you can change the tombstone lifetime manually after the 
 upgrade. New forests that are installed with Windows Server 2003 
 with SP1 have a default tombstone lifetime of 180 days. For more 
 information about tombstone lifetime, see How the Data Store Works 
 http://go.microsoft.com/fwlink/?LinkId=38339.



 Considerations for Active Directory Services Backup [Active 
 Directory]:
 http://msdn.microsoft.com/library/en-us/ad/ad/considerations_f
 or_active_directory_services_backup.asp?frame=true
 Active Directory Operations Guide: Backup and Restore:
 http://www.microsoft.com/technet/prodtechnol/windows2000serv/t
 echnologies/activedirectory/maintain/opsguide/part1/adogd03.mspx

 -- 
 Letting your vendors set your risk analysis these days?  
 http://www.threatcode.com

   




  




-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com



RE: [ActiveDir] AD/DNS BPA?

2005-10-16 Thread joe
That isn't necessarily the same check. I have seen several companies who
have offered an AD Healthcheck. Occasionally they even know something about
AD.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, October 16, 2005 8:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/DNS BPA?

Huh.  That doesn't appear to be _US_  I wonder if the Engineering
Services group knows that a third party (Partner at that) is advertising
these services.

Honestly, I didn't think that we farmed those services out

Checking.

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, October 15, 2005 1:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD/DNS BPA?

Microsoft AD Health Check:
http://www.systems-group.net/En/Consultancy+Services/Solutions/Microsoft+AD+
Health+Check.htm

Looks like it's talked about here too

Dean Wells wrote:

Ooops ... my apologies :O(

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, October 14, 2005 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/DNS BPA?

Boo, hiss.  It's Engineering Services that offers it, not MCS.  ;

  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, October 13, 2005 11:22 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] AD/DNS BPA?

The tool I spoke about in confidence with Tony (just teasing
;o) is an offering from MCS known as the ADHC or AD Health Check ... 
it is a nicely shrink-wrapped series of powerful interrogation 
scripts/tools that, when compiled by someone sufficiently trained, 
produces a very detailed configuration breakdown, useful 
recommendations and/or general mis-configurations.  As I understand 
it, it is available exclusively via an MCS engagement.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, October 11, 2005 7:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/DNS BPA?

I find DNSlint to be pretty good, but obviously limited in scope.  I 
think Dean mentioned to me recently that PSS have a tool that provides 
BPA-like functionality.  It sounded like the output might be a little 
too complicated to make it publicly available.

Perhaps Dean has more info on this (assuming it's not under NDA)?

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 12 October 2005 2:58 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/DNS BPA?

The tools are there, but the interpretation is sometimes lacking <G> 
I've been told that several companies are currently offering health 
checks, but I haven't tested any of them.

As for Microsoft tools, I'm a fan of using dcdiag and netdiag right 
after scanning the event logs.  That'll give me an idea of where to 
focus more effort if needed. Most of what I want to know is going to 
show up there without having to do too much waving of the magic wand.
There are some additional tools, but they get used after these two 
steps in my normal approach. That'll indicate whether or not I have to 
dig deeper.
Some other tools such as repadmin are useful as well. And there was a 
tool, SPA that could be helpful in some situations depending on what 
you want to know.

I haven't seen an AD BPA though.  Be interesting to see one. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 11, 2005 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD/DNS BPA?


lurk mode off

Stupid question... okay we have Exchange Best practices analyzer 
right?
http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx
 
I know you guys don't like GUI...but besides DNSlint, dnsdiag, 
Sysinternals, Joeware stuff and such things... is there currently 
enough tools in your bag'o'tricks to ensure DNS/AD is set up right?
Do you guys have a tool that you consider 'the' DNS/AD BPA and if so 
what is it?

Or is AD/DNS health review like security log reviews/dump files where 
it's an art and not a science?

And feel free to lob 'SBS could run on ipx/spx' comments my way as 
well.

;-)

lurk mode back on

--

Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


RE: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread joe
I would be curious just from the standpoint that I will probably learn
something about the internals. If you don't feel the list would be
interested, send to me offline. I have removed your email address from the
kill file. ;o)

Now I have to go get ready to see a noon showing of Serenity[1]. 

   joe


[1] We're deep in space, corner of No and Where.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Sunday, October 16, 2005 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

You then change the representation from an external one to an internal one,
which is a significant design decision ... I wrote up about a page filling
out the argument against using a backlink scheme ... then figured there
probably isn't interest, as we're talking a hypothetical feature.  
Let me know if you want me to finish off and send my argument against
backlinks ...

Cheers,
BrettSh [msft]

On Fri, 14 Oct 2005, joe wrote:

 Can you do some sort of backlink type of magic where you use some 
 smaller sized value to represent the real value via indirection or
something?
 
 I expect most companies would be willing to take the hit on DIT size 
 to get this kind of capability. ESE can handle it right?
 
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Friday, October 14, 2005 11:50 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Knowing when users were deleted.
 
 
 Ignoring the 16 bytes at the beginning of the metadata for version and 
 attr count info, and garbage wasted space ... the metadata for a 
 single attribute is 48 bytes, adding the SID (28 bytes) would be an 
 expansion of 57% on the _raw_ per attribute metadata size.
 
 A sampling of a corporate DB showed the raw metadata size to be 15% of 
 the DIT size, which would lead me to believe the DIT would expand by 
 ~10% for a trivial implementation against this particular corporate 
 DIT.[1]
 
 However, if you look at the /showobjmeta for _any_ object, you will 
 realize that is a data structure that is over ripe (like bananas you 
 wouldn't even use for a banana cake) for being compressed.  I think I 
 could add a SID,
 (custom) compress it, and shrink the DIT in size.
 
 While you might think a GUID is better, because if you add a GUID, it 
 is only 16 bytes, but that's a very uncompressible 16 bytes, 
 effectively a random hash.  The SID is more likely to compress properly.
 
 [1] I expect that corporate DITs vary what % is meta-data by how many 
 certs and big blobs they stick in their AD.  I imagine most corporate 
 DITs are worse (as in higher % is metadata) than the one I checked out.
 
 Not that I've thought of it ...
 
 Cheers,
 -BrettSh [msft]
 
 This posting is provided AS IS with no warranties, and confers no
rights.
 
 
 On Fri, 14 Oct 2005, Al Mulnick wrote:
 
  raises hand
  GUID or SID of the user account that made the delete request.  Last 
  mod may not be enough in case some process gets hold of that data in 
  the deleted items, even if unlikely.  I want the id of the identity 
  that caused the object to be there in the first place.
   
  Having the data for a full undelete option wouldn't seem too 
  terrible either, although that might significantly increase the storage
in the DIT.
  In the past I've had to write apps to keep that information out of 
  band in order to put back items mistakenly removed. But I can't see 
  why I should have to trip through all the DC's Audit logs to find 
  the information about who deleted something given how common this 
  type of question is.  It should be recorded same as the audit log 
  (we have the information, why not stamp it on the object at time of 
  deletion?)
   
  Al
   
   
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Friday, October 14, 2005 11:03 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Knowing when users were deleted.
  
  
  Correct, you can currently only get the when and the where (DC Where 
  not Client Where).
   
  Which raises the question. How many people would like a metadata 
  stamp with the GUID or SID of the userid that made the modification 
  for a given attribute (or value if appropriate)? Or would it be ok 
  to just have who made the last change to the object? Either way, 
  none of the administrators group nonsense, it points to a specific 
  security
 principal.
   
   
  
_
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Freddy 
  HARTONO
  Sent: Friday, October 14, 2005 3:18 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Knowing when users were deleted.
  
  
  Hi Yann,
   
  You can find at the deletedobject folder via adfind -showdel and see 
  the Last modified date - that would be when the object is deleted.
  
  But as for who deleted - I 
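
Added example, not from the thread above and not Microsoft's layout of the
replication metadata: Brett's remark that a 28-byte SID would compress much
better than a 16-byte GUID, checked in Python on constructed data. Binary SIDs
are built by hand for one invented domain with varying RIDs, GUIDs are random,
and both sets are run through zlib as a stand-in for whatever custom scheme
the directory might use. The domain sub-authorities and RID range are made up.

```python
"""Why a SID compresses and a GUID does not, on constructed data.

Added example for the thread above. Nothing here reads a DIT; it builds
binary SIDs for one invented domain, random GUIDs, and compresses both
with zlib as a stand-in for whatever custom scheme the DS might use.
"""
import random
import struct
import uuid
import zlib


def sid_to_bytes(revision, identifier_authority, sub_authorities):
    """Serialize a SID the way Windows stores it: revision (1 byte),
    sub-authority count (1 byte), identifier authority (6 bytes, big
    endian), then each sub-authority as a little-endian uint32. A domain
    SID plus RID (S-1-5-21-a-b-c-rid) has five sub-authorities, so
    8 + 5 * 4 = 28 bytes, the figure used in the thread."""
    if not 0 < len(sub_authorities) <= 15:
        raise ValueError("a SID holds 1..15 sub-authorities")
    out = struct.pack("<BB", revision, len(sub_authorities))
    out += identifier_authority.to_bytes(6, "big")
    for sub in sub_authorities:
        out += struct.pack("<I", sub)
    return out


def domain_account_sids(domain_subauths, rids):
    """SIDs for accounts in one domain: same S-1-5-21-a-b-c prefix, RID varies."""
    return [sid_to_bytes(1, 5, [21, *domain_subauths, rid]) for rid in rids]


def compressed_ratio(blob):
    """zlib output size over input size; about 1.0 means incompressible."""
    return len(zlib.compress(blob, 9)) / len(blob)


def compare(count=1000, seed=1):
    """Compress `count` SIDs from one domain and `count` random GUIDs."""
    rng = random.Random(seed)
    # Invented domain identifier and RIDs in a realistic-looking range.
    domain = (1234567890, 2345678901, 3456789012)
    rids = [1000 + rng.randrange(200000) for _ in range(count)]
    sids = b"".join(domain_account_sids(domain, rids))
    guids = b"".join(uuid.UUID(int=rng.getrandbits(128)).bytes
                     for _ in range(count))
    return {
        "sid_bytes": len(sids),
        "guid_bytes": len(guids),
        "sid_ratio": compressed_ratio(sids),
        "guid_ratio": compressed_ratio(guids),
    }


if __name__ == "__main__":
    print(compare())
```

The SIDs shrink to a fraction of their raw size because 24 of the 28 bytes
repeat for every account in the domain; the GUIDs come out slightly larger
than they went in, which is the property Brett describes.
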

RE: [ActiveDir] AD/DNS BPA?

2005-10-16 Thread David Adner
Correct, that's a 3rd party's offering that has no relation to MS's
workshop.  There are multiple companies who offer Active Directory Health
Checks that aren't part of MS's workshop.  I don't believe the term is
copyrighted.  :)

Essentially, if it wasn't arranged via a company's Premier support contract
then it's pretty much guaranteed to be a 3rd party company, not MS.  I've
never sat through another company's health check so I can't offer a
comparison.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Sunday, October 16, 2005 7:05 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD/DNS BPA?
 
 Huh.  That doesn't appear to be _US_  I wonder if the 
 Engineering Services group knows that a third party (Partner 
 at that) is advertising these services.
 
 Honestly, I didn't think that we farmed those services out
 
 Checking.
 
 Rick [msft]
 --
 Posting is provided AS IS, and confers no rights or warranties ...
   
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Saturday, October 15, 2005 1:32 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] AD/DNS BPA?
 
 Microsoft AD Health Check:
 http://www.systems-group.net/En/Consultancy+Services/Solutions
 /Microsoft+AD+
 Health+Check.htm
 
 Looks like it's talked about here too
 
 Dean Wells wrote:
 
 Ooops ... my apologies :O(
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
 Sent: Friday, October 14, 2005 10:44 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD/DNS BPA?
 
 Boo, hiss.  It's Engineering Services that offers it, not MCS.  ;
 
   
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: Thursday, October 13, 2005 11:22 AM
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] AD/DNS BPA?
 
 The tool I spoke about in confidence with Tony (just teasing
 ;o) is an offering from MCS known as the ADHC or AD Health 
 Check ... 
 it is a nicely shrink-wrapped series of powerful interrogation 
 scripts/tools that, when compiled by someone sufficiently trained, 
 produces a very detailed configuration breakdown, useful 
 recommendations and/or general mis-configurations.  As I understand 
 it, it is available exclusively via an MCS engagement.
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
 Sent: Tuesday, October 11, 2005 7:45 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD/DNS BPA?
 
 I find DNSlint to be pretty good, but obviously limited in 
 scope.  I 
 think Dean mentioned to me recently that PSS have a tool 
 that provides 
 BPA-like functionality.  It sounded like the output might 
 be a little 
 too complicated to make it publicly available.
 
 Perhaps Dean has more info on this (assuming it's not under NDA)?
 
 Tony
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
 Sent: Wednesday, 12 October 2005 2:58 p.m.
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD/DNS BPA?
 
 The tools are there, but the interpretation is sometimes 
 lacking <G> 
 I've been told that several companies are currently offering health 
 checks, but I haven't tested any of them.
 
 As for Microsoft tools, I'm a fan of using dcdiag and netdiag right 
 after scanning the event logs.  That'll give me an idea of where to 
 focus more effort if needed. Most of what I want to know is 
 going to 
 show up there without having to do too much waving of the 
 magic wand.
 There are some additional tools, but they get used after these two 
 steps in my normal approach. That'll indicate whether or 
 not I have to 
 dig deeper.
 Some other tools such as repadmin are useful as well. And 
 there was a 
 tool, SPA that could be helpful in some situations 
 depending on what 
 you want to know.
 
 I haven't seen an AD BPA though.  Be interesting to see one. 
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Tuesday, October 11, 2005 9:34 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] AD/DNS BPA?
 
 
 lurk mode off
 
 Stupid question... okay we have Exchange Best practices analyzer 
 right?
 http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx
  
 I know you guys don't like GUI...but besides DNSlint, dnsdiag, 
 Sysinternals, Joeware stuff and such things... is there currently 
 enough tools in your bag'o'tricks to ensure DNS/AD is set up right?
 Do you guys have a tool that you consider 'the' DNS/AD BPA 
 and if 

RE: [ActiveDir] AD/DNS BPA?

2005-10-16 Thread David Adner
To the original poster, if you have a TAM that would be the best avenue to
obtain further information.  They can get you a document that details what
the Active Directory Health Check involves. 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Sunday, October 16, 2005 7:11 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD/DNS BPA?
 
 Yes, they (we) do.  I'll check into them and give you an 
 overview of what they do  If I can, to be more correct.
 
 Rick [msft]
 --
 Posting is provided AS IS, and confers no rights or warranties ...
   
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
 Sent: Tuesday, October 11, 2005 9:45 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD/DNS BPA?
 
 I find DNSlint to be pretty good, but obviously limited in 
 scope.  I think Dean mentioned to me recently that PSS have a 
 tool that provides BPA-like functionality.  It sounded like 
 the output might be a little too complicated to make it 
 publicly available. 
 
 Perhaps Dean has more info on this (assuming it's not under NDA)?
 
 Tony
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
 Sent: Wednesday, 12 October 2005 2:58 p.m.
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD/DNS BPA?
 
 The tools are there, but the interpretation is sometimes 
 lacking <G>. I've been told that several companies are 
 currently offering health checks, but I haven't tested any of them.  
 
 As for Microsoft tools, I'm a fan of using dcdiag and netdiag 
 right after scanning the event logs.  That'll give me an idea 
 of where to focus more effort if needed. Most of what I want 
 to know is going to show up there without having to do too 
 much waving of the magic wand.
 There are some additional tools, but they get used after 
 these two steps in my normal approach. That'll indicate 
 whether or not I have to dig deeper.
 Some other tools such as repadmin are useful as well. And 
 there was a tool, SPA that could be helpful in some 
 situations depending on what you want to know. 
 
 I haven't seen an AD BPA though.  Be interesting to see one. 
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Tuesday, October 11, 2005 9:34 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] AD/DNS BPA?
 
 
 lurk mode off
 
 Stupid question... okay we have Exchange Best practices 
 analyzer right?
 http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx
  
 I know you guys don't like GUI...but besides DNSlint, 
 dnsdiag, Sysinternals, Joeware stuff and such things... is 
 there currently enough tools in your bag'o'tricks to ensure 
 DNS/AD is set up right?  Do you guys have a tool that you 
 consider 'the' DNS/AD BPA and if so what is it?
 
 Or is AD/DNS health review like security log reviews/dump 
 files where it's an art and not a science?
 
 And feel free to lob 'SBS could run on ipx/spx' comments my 
 way as well.
 
 ;-)
 
 lurk mode back on
 
 --
 Letting your vendors set your risk analysis these days?  
 http://www.threatcode.com
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/
 ##
 ##
 #
 This communication, including any attachments, is confidential.
 If you are not the intended recipient, you should not read it 
 - please contact me immediately, destroy it, and do not copy 
 or use any part of this communication or disclose anything about it.
 Thank You.
 
 Please note that this communication does not designate an 
 information system for the purposes of the NZ Electronic 
 Transactions Act 2002.
 
 This email has been scanned for Viruses and Content and 
 cleared by NetIQ MailMarshal at Gen-i.
 ##
 ##
 #
 
 

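The triage order Al describes above (scan the event logs first, then dcdiag and netdiag, then repadmin) is easy to put into a script so it runs the same way every time. This is an added example for this archive, not code posted on the list or shipped by Microsoft. It assumes PowerShell 2.0 or later, the Windows Server 2003 Support Tools (dcdiag, netdiag, repadmin) on the PATH, rights to read the target DC's event logs, and a `$DomainController` parameter that defaults to the local machine; repadmin /replsummary needs the SP1 version of repadmin.

```powershell
# Added example (not from the list or from Microsoft): runs the triage order
# from Al Mulnick's message against one DC - event logs first, then
# dcdiag/netdiag, then repadmin. Assumes PowerShell 2.0+ and the Windows
# Server 2003 Support Tools on the PATH.
param(
    [string]$DomainController = $env:COMPUTERNAME,  # assumed default: the local DC
    [int]$HoursBack = 24
)

$since = (Get-Date).AddHours(-$HoursBack)

# Step 1: errors and warnings from the logs a DC writes to. The top sources
# by count usually say where the rest of the effort should go.
$available = Get-EventLog -List -ComputerName $DomainController | ForEach-Object { $_.Log }
foreach ($log in 'System', 'Directory Service', 'DNS Server') {
    if ($available -notcontains $log) {
        "=== $log log: not present on $DomainController ==="
        continue
    }
    $events = @(Get-EventLog -ComputerName $DomainController -LogName $log `
        -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue)
    "=== $log log: $($events.Count) error/warning events since $since ==="
    $events | Group-Object Source, EventID | Sort-Object Count -Descending |
        Select-Object Count, Name -First 10 | Format-Table -AutoSize
}

# Step 2: dcdiag in quiet mode prints only failures, so no output is a pass.
"=== dcdiag /s:$DomainController /q ==="
& dcdiag.exe "/s:$DomainController" /q

# netdiag has no remote-target switch, so it only runs when this script is
# executed on the DC itself.
if ($DomainController -eq $env:COMPUTERNAME) {
    "=== netdiag /q ==="
    & netdiag.exe /q
}

# Step 3: replication summary for every partner seen from this DC; non-zero
# fail counts or a large "largest delta" are the things to dig into next.
"=== repadmin /replsummary $DomainController ==="
& repadmin.exe /replsummary $DomainController
```

Run it from an elevated PowerShell on the DC (so netdiag can run too) or with `-DomainController <name>` from an admin workstation; the event-log step is deliberately first because it is the cheapest and, as Al says, usually tells you where to look before the other tools confirm it.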


RE: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Ulf B. Simon-Weidner
I'd be interested as well.

BTW for the original request (don't have it here separately to reply) I've
been told that there are some 3rd party tools which allow that kind of
Audit. E.g. inTrust from Quest claims to plug in front of the LSASS and
control which actions to log, which ones to apply and which ones to decline
b/c they are in conflict with some business rules. Haven't had a chance to
look into the app yet - just know the marketing ;-)

Ulf

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of joe
|Sent: Sunday, October 16, 2005 5:11 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Knowing when users were deleted.
|
|I would be curious just from the standpoint that I will 
|probably learn something about the internals. If you don't 
|feel the list would be interested, send to me offline. I have 
|removed your email address from the kill file. ;o)
|
|Now I have to go get ready to see a noon showing of Serenity[1]. 
|
|   joe
|
|
|[1] We're deep in space, corner of No and Where.
|
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
|Sent: Sunday, October 16, 2005 10:27 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Knowing when users were deleted.
|
|You then change the representation from an external one to an 
|internal one, which is a significant design decision ... I 
|wrote up about a page filling out the argument against using a 
|backlink scheme ... then figured there probably isn't 
|interest, as we're talking a hypothetical feature.  
|Let me know if you want me to finish off and send my argument 
|against backlinks ...
|
|Cheers,
|BrettSh [msft]
|
|On Fri, 14 Oct 2005, joe wrote:
|
| Can you do some sort of backlink type of magic where you use some 
| smaller sized value to represent the real value via indirection or
|something?
| 
| I expect most companies would be willing to take the hit on DIT size 
| to get this kind of capability. ESE can handle it right?
| 
|  
| 
| -Original Message-
| From: [EMAIL PROTECTED]
| [mailto:[EMAIL PROTECTED] On Behalf Of 
|Brett Shirley
| Sent: Friday, October 14, 2005 11:50 AM
| To: ActiveDir@mail.activedir.org
| Subject: RE: [ActiveDir] Knowing when users were deleted.
| 
| 
| Ignoring the 16 bytes at the beginning of the metadata for 
|version and 
| attr count info, and garbage wasted space ... the metadata for a 
| single attribute is 48 bytes, adding the SID (28 bytes) would be an 
| expansion of 57% on the _raw_ per attribute metadata size.
| 
| A sampling of a corporate DB showed the raw metadata size to 
|be 15% of 
| the DIT size, which would lead me to believe the DIT would expand by 
| ~10% for a trivial implementation against this particular corporate 
| DIT.[1]
| 
| However, if you look at the /showobjmeta for _any_ object, you will 
| realize that is a data structure that is over ripe (like 
|bananas you 
| wouldn't even use for a banana cake) for being compressed.  
|I think I 
| could add a SID,
| (custom) compress it, and shrink the DIT in size.
| 
| While you might think a GUID is better, because If you add a 
|GUID, it 
| is only 16 bytes, but that's a very uncompressible 16 bytes, 
| effectively a random hash.  The SID is more likely to 
|compress properly.
| 
| [1] I expect that corporate DITs vary what % is meta-data by 
|how many 
| certs and big blobs they stick in their AD.  I imagine most 
|corporate 
| DITs are worse (as in higher % is metadata) than the one I 
|checked out.
| 
| Not that I've been thought of it ...
| 
| Cheers,
| -BrettSh [msft]
| 
| This posting is provided AS IS with no warranties, and confers no
|rights.
| 
| 
| On Fri, 14 Oct 2005, Al Mulnick wrote:
| 
|  <raises hand>
|  GUID or SID of the user account that made the delete request.  Last 
|  mod may not be enough in case some process gets hold of that data in 
|  the deleted items, even if unlikely.  I want the id of the identity 
|  that caused the object to be there in the first place.
|   
|  Having the data for a full undelete option wouldn't seem too 
|  terrible either, although that might significantly increase the 
|  storage
|in the DIT.
|  In the past I've had to write apps to keep that information out of 
|  band in order to put back items mistakenly removed. But I 
|can't see 
|  why I should have to trip through all the DC's Audit logs to find 
|  the information about who deleted something given how common this 
|  type of question is.  It should be recorded same as the audit log 
|  (we have the information, why not stamp it on the object at time of
|  deletion?)
|   
|  Al
|   
|   
|  
|  -Original Message-
|  From: [EMAIL PROTECTED]
|  [mailto:[EMAIL PROTECTED] On Behalf Of joe
|  Sent: Friday, October 14, 2005 11:03 AM
|  To: ActiveDir@mail.activedir.org
|  Subject: RE: [ActiveDir] Knowing when users were deleted.
|  
|  
|  Correct, you can currently only get the when and the where 
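Al's complaint in the quoted thread above, having to trip through every DC's audit log to find who deleted an object, is what an admin had to script at the time, because each DC logs only the deletions performed through it. The following is an added example for this archive, not code posted on the list. It assumes PowerShell 2.0 or later, rights to read the Security log on every DC, that "Audit account management" success auditing is enabled on the DCs, and that the deleted user's sAMAccountName is passed as `$DeletedAccount`; the event ids are 630 ("User Account Deleted") on Windows 2000/2003 and 4726 on Windows Server 2008 and later.

```powershell
# Added example (not from the list): search the Security log of every DC in
# the domain for the deletion of one user account and report who did it.
# Assumes PowerShell 2.0+, rights to read remote Security logs, and that
# "Audit account management" success auditing is on for the DCs.
param(
    [Parameter(Mandatory = $true)]
    [string]$DeletedAccount,   # sAMAccountName of the deleted user
    [int]$DaysBack = 7
)

# Event 630 is "User Account Deleted" on Windows 2000/2003; Windows Server
# 2008 and later record the same action as 4726. Both are accepted so a
# mixed domain is covered.
$deleteEventIds = 630, 4726
$since = (Get-Date).AddDays(-$DaysBack)

# DCs are enumerated through .NET, so no extra snap-ins are needed.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs = @($domain.DomainControllers | ForEach-Object { $_.Name })

$hits = foreach ($dc in $dcs) {
    # -Message does the expensive filtering on the DC side; the event id
    # check then discards unrelated events that merely mention the name.
    $events = @(Get-EventLog -ComputerName $dc -LogName Security -After $since `
        -Message "*$DeletedAccount*" -ErrorAction SilentlyContinue)
    foreach ($e in $events) {
        if ($deleteEventIds -notcontains $e.EventID) { continue }
        # 630 carries "Caller User Name"/"Caller Domain"; 4726 carries a
        # "Subject" block. Keep just those lines so the output stays readable.
        $who = ($e.Message -split "`r?`n" |
            Where-Object { $_ -match 'Caller|Subject|Account Name|Security ID' }) -join ' | '
        New-Object PSObject -Property @{
            DC      = $dc
            Time    = $e.TimeGenerated
            EventID = $e.EventID
            Details = $who
        }
    }
}

if ($hits) {
    $hits | Sort-Object Time | Format-List DC, Time, EventID, Details
} else {
    "No deletion event for '$DeletedAccount' found on $($dcs.Count) DC(s) in the last $DaysBack days."
}
```

The "Caller" (630) or "Subject" (4726) fields name the security principal that issued the delete, which is exactly the stamp Al and joe wish the directory itself kept; until it does, the Security log on the DC that took the request is the only place it is recorded, so the script has to visit all of them.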

RE: [ActiveDir] rebooting a patched, but stubborn DC

2005-10-16 Thread Thommes, Michael M.
Hi joe,
The DC had been up for about 45 days.  Pushing the power button is the last 
resort.  (IMHO, Windows OSs have become remarkably well designed to recover 
from a last ditch power reset.)  I prefer doing patches/rebooting on the 
weekends when the majority of my users are not impacted and if there are any 
issues, I have the rest of the weekend to get them corrected.  It does make it 
a little tougher contacting the right people if there are any issues that go 
beyond my immediate expertise or authority.  But generally the weekends work 
well.  We cover ourselves pretty well with redundant servers.  And terminal 
services functionality makes the effort much easier by working from home, beer 
in hand, in my underwear!  LOL!
 
Mike Thommes



From: [EMAIL PROTECTED] on behalf of joe
Sent: Sun 10/16/2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] rebooting a patched, but stubborn DC



How long had the DC been up? I know this is stupid but I have seen multiple
cases where a DC that is up for months at a time will be cranky when you go
to reboot it.

You can try to do something to take the legs out from under the DC like
somehow killing LSASS or if you have some form of remote hardware access you
can pop the reset button but I really don't recommend those ideas unless you
are looking for DB corruption. However, I understand that some sites can not
randomly have a DC rebooting on them in the middle of the day. It may be
better to blow up the DC before start of business day than allow it to just
reboot at some point.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Sunday, October 16, 2005 7:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] rebooting a patched, but stubborn DC

Hi Susan,
 Thanks for the response.  No UPS issues.  Checked the services remotely
and didn't find anything unusual.  The DC did finally reboot on its own
shortly after I sent out my first message - about 2 hours after the original
patching and message saying it wanted to reboot and I clicked OK.  The event
logs showed nothing of any consequence, just a big (2 hour) gap in the
system event log entries (between the entry saying it initiated shutdown and
the entry saying the system was coming back up).   The security log showed
no gaps at all.  Am I the only one that sees this kind of behavior on
W2K3/SP1 servers?  I normally don't use the /console switch when I TS in
(eg, mstsc.exe /console).  I wonder if that could speed the process up.

Mike Thommes



From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka
Ebitz - SBS Rocks [MVP]
Sent: Sat 10/15/2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] rebooting a patched, but stubborn DC



APC UPS's and you don't have the latest ver on there?
HP with a UPS?

Can you get into services and see if something is 'stopping'?

Got any ILO ability there [or suitable other remote techniques]?

Thommes, Michael M. wrote:

So I have remotely (TS connection) applied the latest Windows patches
to one of my DCs.  Patches went on fine.  Said it needed to reboot.  I
clicked Restart.  And two hours later, it still has not rebooted, but
it did terminate the TS session.  I have tried to kick it via a
shutdown /f /r command from another DC.  Still no luck.  Issue same
command remotely with the big Kahuna account, and it says a shutdown is
in progress.  It appears to still be serving up clients, e.g., no
discernable ill effects.  I have seen this periodically in the past
with other servers.  Anyone have any comments/thoughts on this
irritating, weekend <sigh> activity?  TIA!

Mike Thommes




--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com










Re: [ActiveDir] security problem

2005-10-16 Thread Paul Williams
Logon as an administrator and take ownership of the drive.  Then grant 
adequate permissions again.


Reinstalling Windows will obviously fix it, but is a drastic measure.


- Original Message - 
From: [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Sunday, October 16, 2005 5:43 PM
Subject: [ActiveDir] security problem



Hello,

I have made a mistake and now need some advice. On my computer, which has
Windows 2000 Server, I unchecked the security of my C drive. The security
for Everybody was Full Control and I unchecked it, so when it was applied I
did not have access to the C drive. Then I shut down the computer and could
not restart it. Now, does installing Windows 2000 Server again solve the
problem or not?

Any advice or recommendation is appreciated.
Thanks in advance
roseta






RE: [ActiveDir] rebooting a patched, but stubborn DC

2005-10-16 Thread Roger Seielstad
I see that occasionally, but rarely. But I'm not running any DC's these days
- just a whole boatload of application servers. 



Roger D. Seielstad
E-mail Geek

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Sunday, October 16, 2005 4:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] rebooting a patched, but stubborn DC

Hi Susan,
 Thanks for the response.  No UPS issues.  Checked the services remotely
and didn't find anything unusual.  The DC did finally reboot on its own
shortly after I sent out my first message - about 2 hours after the original
patching and message saying it wanted to reboot and I clicked OK.  The event
logs showed nothing of any consequence, just a big (2 hour) gap in the
system event log entries (between the entry saying it initiated shutdown and
the entry saying the system was coming back up).   The security log showed
no gaps at all.  Am I the only one that sees this kind of behavior on
W2K3/SP1 servers?  I normally don't use the /console switch when I TS in
(eg, mstsc.exe /console).  I wonder if that could speed the process up.
 
Mike Thommes



From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka
Ebitz - SBS Rocks [MVP]
Sent: Sat 10/15/2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] rebooting a patched, but stubborn DC



APC UPS's and you don't have the latest ver on there?
HP with a UPS?

Can you get into services and see if something is 'stopping'?

Got any ILO ability there [or suitable other remote techniques]?

Thommes, Michael M. wrote:

So I have remotely (TS connection) applied the latest Windows patches 
to one of my DCs.  Patches went on fine.  Said it needed to reboot.  I 
clicked Restart.  And two hours later, it still has not rebooted, but 
it did terminate the TS session.  I have tried to kick it via a 
shutdown /f /r command from another DC.  Still no luck.  Issue same 
command remotely with the big Kahuna account, and it says a shutdown is 
in progress.  It appears to still be serving up clients, e.g., no 
discernable ill effects.  I have seen this periodically in the past 
with other servers.  Anyone have any comments/thoughts on this 
irritating, weekend <sigh> activity?  TIA!

Mike Thommes

 


--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com







Re: [ActiveDir] Stupid question alert... where exactly is the tombstone value set?

2005-10-16 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
You guys are still seeing things from big server land. 


Think little.  One DC.

I only have one PDC... I don't build any DCs for any forests... so for 
us, we have to go 'change' that figure in a SP1'd box; otherwise we 
are still at 60 days.  My box at home 'and' at the office are 60 days.  
My slip-installed one is the only one with the new 180 value.


I'm barely planting desktops let alone deploying forests.  :-)

Ulf B. Simon-Weidner wrote:


Hi Susan,

To clarify: the increased tombstone-lifetime is effective with every forest
built on top of SP1, so you are also able to install WS2k3, then install SP1
(manually, Windows Update,..) and dcpromo your first domain controller for
the forest afterwards. Your statement below assumes that it will be only
effective with a slipstreamed media, which is not correct.

Here's a stripped down version of your cheat sheet - the page which tells you
which AD-Features were changed with SP1
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/BookofSP1/658a175c-486a-42ee-b3da-9b56de3d187c.mspx

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 


 MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org
 Profile:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D




|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
|Bradley, CPA aka Ebitz - SBS Rocks [MVP]

|Sent: Sunday, October 16, 2005 4:44 AM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Stupid question alert... where exactly is 
|the tombstone value set?

|
|http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=27
|
|Okay so watching Eileen
|
|And question default on Windows 2003 is 60 days... default 
|on Windows 2003 sp1 is 180 days  BUT many times I know 
|that these changes only occur on the SLIP/Clean install 
|versions of these OS's NOT on upgraded onessee below as to 
|confirmation of this 
|
|btw...request please?  When changes are made between SPs... 
|can we have a cheat sheet... a white paper of how to activate 
|all the versioning changes?

|
|Can someone help a SBSer who's googling.. uh..msnsearching on 
|where that value is set?  I want to see what it is on my real 
|baby that got upgraded and see what it is on some test boxes I 
|have that are slip installed.

|
|http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/54094485-71f6-4be8-8ebf-faa45bc5db4c.mspx
|
|*Extended storage of deleted objects.* The default period that 
|a copy of a deleted object is retained in Active Directory, 
|called the tombstone lifetime, is extended from 60 days to 180 
|days. Longer tombstone lifetime decreases the chance that a 
|deleted object remains in the local directory of a 
|disconnected domain controller beyond the time when the object 
|is permanently deleted from online domain controllers. The 
|tombstone lifetime is not changed automatically when you 
|upgrade to Windows Server 2003 with SP1, but you can change 
|the tombstone lifetime manually after the upgrade. New forests 
|that are installed with Windows Server 2003 with SP1 have a 
|default tombstone lifetime of 180 days. For more information 
|about tombstone lifetime, see How the Data Store Works 
|http://go.microsoft.com/fwlink/?LinkId=38339.

|
|
|
|Considerations for Active Directory Services Backup [Active Directory]:
|http://msdn.microsoft.com/library/en-us/ad/ad/considerations_for_active_directory_services_backup.asp?frame=true
|Active Directory Operations Guide: Backup and Restore:
|http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd03.mspx
|
|--
|Letting your vendors set your risk analysis these days?  
|http://www.threatcode.com

|

|



 


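Susan's original question, where exactly the tombstone value is set, and her follow-up that an upgraded SP1 box has to have the figure changed by hand, both come down to one attribute that adsiedit shows in the Configuration partition. The script below is an added example for this archive, not code from the list, from Microsoft, or from the SP1 documentation quoted above. It assumes a domain-joined machine with PowerShell 2.0 or later; the `-Set` parameter is an assumption of this example, and using it needs Enterprise Admin rights because the object is forest-wide.

```powershell
# Added example (not from the list or from Microsoft): report the forest's
# effective tombstone lifetime, the oldest backup that is still safe to
# restore, and optionally set the attribute explicitly. Assumes a
# domain-joined machine with PowerShell 2.0+; -Set needs Enterprise Admin
# rights because the object lives in the Configuration partition.
param(
    [int]$Set = 0   # e.g. 180; 0 means report only
)

# The value is a single attribute, tombstoneLifetime, on this object:
#   CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest root>
# which is what adsiedit shows when you browse the Configuration partition.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.Properties["configurationNamingContext"].Value
$dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

$value = $dsObject.Properties["tombstoneLifetime"].Value

if ($value -eq $null) {
    # Attribute absent: the DCs use the built-in default, which is 60 days
    # for a Windows 2000/2003 forest that was not created with SP1 underneath.
    $effective = 60
    "tombstoneLifetime is not set; the built-in default of 60 days applies."
} else {
    # A forest created on SP1 gets this set to 180 at creation time.
    $effective = [int]$value
    "tombstoneLifetime is explicitly set to $effective days."
}

# A system state backup older than the tombstone lifetime must not be
# restored: the restored DC would reintroduce objects every other DC has
# already purged, which is why the backup guides key off this number.
$oldestUsable = (Get-Date).AddDays(-$effective)
"Oldest system state backup still safe to restore: $($oldestUsable.ToString('yyyy-MM-dd'))"

if ($Set -gt 0 -and $Set -ne $effective) {
    # This is the manual step the SP1 notes describe for upgraded forests;
    # the change is forest-wide and replicates like any other attribute.
    $dsObject.Put("tombstoneLifetime", $Set)
    $dsObject.SetInfo()
    "tombstoneLifetime changed from $effective to $Set days."
}
```

Run it with no parameters to see what a given box is actually using (the 60-day answer Susan got on her upgraded machines shows up as "not set"), and with `-Set 180` on the SP1'd single-DC box to match what a slipstream install would have written; the backup-age line is the practical reason the number matters on a one-DC network, since the lifetime also bounds how old a restorable backup can be.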


RE: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Al Mulnick
I'd be interested to see that argument as well, Brett. 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, October 16, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.


I would be curious just from the standpoint that I will probably learn
something about the internals. If you don't feel the list would be
interested, send to me offline. I have removed your email address from the
kill file. ;o)

Now I have to go get ready to see a noon showing of Serenity[1]. 

   joe


[1] We're deep in space, corner of No and Where.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Sunday, October 16, 2005 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

You then change the representation from an external one to an internal one,
which is a significant design decision ... I wrote up about a page filling
out the argument against using a backlink scheme ... then figured there
probably isn't interest, as we're talking a hypothetical feature.  
Let me know if you want me to finish off and send my argument against
backlinks ...

Cheers,
BrettSh [msft]

On Fri, 14 Oct 2005, joe wrote:

 Can you do some sort of backlink type of magic where you use some
 smaller sized value to represent the real value via indirection or
something?
 
 I expect most companies would be willing to take the hit on DIT size
 to get this kind of capability. ESE can handle it right?
 
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Friday, October 14, 2005 11:50 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Knowing when users were deleted.
 
 
 Ignoring the 16 bytes at the beginning of the metadata for version and
 attr count info, and garbage wasted space ... the metadata for a 
 single attribute is 48 bytes, adding the SID (28 bytes) would be an 
 expansion of 57% on the _raw_ per attribute metadata size.
 
 A sampling of a corporate DB showed the raw metadata size to be 15% of
 the DIT size, which would lead me to believe the DIT would expand by 
 ~10% for a trivial implementation against this particular corporate 
 DIT.[1]
 
 However, if you look at the /showobjmeta for _any_ object, you will
 realize that is a data structure that is over ripe (like bananas you 
 wouldn't even use for a banana cake) for being compressed.  I think I 
 could add a SID,
 (custom) compress it, and shrink the DIT in size.
 
 While you might think a GUID is better, because If you add a GUID, it
 is only 16 bytes, but that's a very uncompressible 16 bytes, 
 effectively a random hash.  The SID is more likely to compress properly.
 
 [1] I expect that corporate DITs vary what % is meta-data by how many
 certs and big blobs they stick in their AD.  I imagine most corporate 
 DITs are worse (as in higher % is metadata) than the one I checked out.
 
 Not that I've been thought of it ...
 
 Cheers,
 -BrettSh [msft]
 
 This posting is provided AS IS with no warranties, and confers no
rights.
 
 
 On Fri, 14 Oct 2005, Al Mulnick wrote:
 
  <raises hand>
  GUID or SID of the user account that made the delete request.  Last
  mod may not be enough in case some process gets hold of that data in 
  the deleted items, even if unlikely.  I want the id of the identity 
  that caused the object to be there in the first place.
   
  Having the data for a full undelete option wouldn't seem too
  terrible either, although that might significantly increase the storage
in the DIT.
  In the past I've had to write apps to keep that information out of
  band in order to put back items mistakenly removed. But I can't see 
  why I should have to trip through all the DC's Audit logs to find 
  the information about who deleted something given how common this 
  type of question is.  It should be recorded same as the audit log 
  (we have the information, why not stamp it on the object at time of 
  deletion?)
   
  Al
   
   
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Friday, October 14, 2005 11:03 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Knowing when users were deleted.
  
  
  Correct, you can currently only get the when and the where (DC Where
  not Client Where).
   
  Which raises the question. How many people would like a metadata
  stamp with the GUID or SID of the userid that made the modification 
  for a given attribute (or value if appropriate)? Or would it be ok 
  to just have who made the last change to the object? Either way, 
  none of the administrators group nonsense, it points to a specific 
  security
 principal.
   
   
  
_
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Freddy
  HARTONO
  Sent: Friday, October 14, 2005 3:18 AM
  To: 

Re: [ActiveDir] Stupid question alert... where exactly is the tombstone value set?

2005-10-16 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
uh.. because you can?  :-)  And I was interested to see how they 
documented the difference between pre sp1 and post sp1.  I like how they 
did it.


We don't dcpromo in SBSland unless we are migrating boxes.  Truly, 
unless we are in the process of migration... the typical SBS 
admin/consultant never uses that command.  Remember our annoying GUI 
wizards do that for us.


The tools can easily be installed on any box.  They just weren't on the 
particular cdrom I was looking at.  [again ... folks.. if you ever do 
deploy SBS boxes.. don't do OEM]


okay now going back to lurk mode.
the adsiediting SBSer.

Ulf B. Simon-Weidner wrote:


So I'm curious why you would want to change the default anyways - if you
only have one box you can decrease the tombstone-lifetime to whatever amount
of days you want to be able to reanimate tombstones - which is not that
important in a single server infrastructure anyways since you could also
create new user-accounts and re-ACL the resources if needed.

And I didn't think big or little - just wanted to point out that every box
which is dcpromoed into a new AD (forest) and has WS2k3SP1 underneath will
get 180 day tombstones, every box which is dcpromoed into a new AD without
SP1 still has 60 days. Just wanted to clarify that it does not depend on how
you got SP1 on your machine (slipstreamed or manually installed), it only
depends on if it was installed when you started dcpromo'ing. I'm pretty sure
you'd be able to install SP1 on a SBS prior to running dcpromo, but you know
that way better than I do.

Ulf 


|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
|Bradley, CPA aka Ebitz - SBS Rocks [MVP]

|Sent: Sunday, October 16, 2005 7:27 PM
|To: ActiveDir@mail.activedir.org
|Subject: Re: [ActiveDir] Stupid question alert... where 
|exactly is the tombstone value set?

|
|You guys are still seeing things from big server land. 
|

|Think little.  One DC.
|
|I only have one PDC... I don't build any DCs for any forests... 
|so for us, we have to go 'change' that figure in a SP1'd 
|box; otherwise we are still at 60 days.  My box at home 'and' 
|at the office are 60 days.  
|My slip-installed one is the only one with the new 180 value.

|
|I'm barely planting desktops let alone deploying forests.  :-)
|
|Ulf B. Simon-Weidner wrote:
|
|Hi Susan,
|
|To clarify: the increased tombstone-lifetime is effective with every 
|forest built on top of SP1, so you are also able to install 
|WS2k3, then 
|install SP1 (manually, Windows Update,..) and dcpromo your 
|first domain 
|controller for the forest afterwards. Your statement below 
|assumes that 
|it will be only effective with a slipstreamed media, which is 
|not correct.

|
|Here's a stripped down version of your cheat sheet - the page which 
|tells you which AD-Features were changed with SP1 
|http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/BookofSP1/658a175c-486a-42ee-b3da-9b56de3d187c.mspx
|
|Gruesse - Sincerely,
|
|Ulf B. Simon-Weidner
|
|  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
|  Weblog: http://msmvps.org/UlfBSimonWeidner
|  Website: http://www.windowsserverfaq.org
|  Profile:
|http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
|
| 
|

||-Original Message-
||From: [EMAIL PROTECTED]
||[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
||Bradley, CPA aka Ebitz - SBS Rocks [MVP]

||Sent: Sunday, October 16, 2005 4:44 AM
||To: ActiveDir@mail.activedir.org
||Subject: [ActiveDir] Stupid question alert... where exactly is the 
||tombstone value set?

||
||http://www.microsoft.com/uk/technet/itsshowtime/sessionh.aspx?videoid=27
||
||Okay so watching Eileen
||
||And question default on Windows 2003 is 60 days... default on 
||Windows 2003 sp1 is 180 days  BUT many times I know that these 
||changes only occur on the SLIP/Clean install versions of these OS's 
||NOT on upgraded onessee below as to confirmation of this

||
||btw...request please?  When changes are made between SPs... 
||can we have a cheat sheet... a white paper of how to 
|activate all the 
||versioning changes?

||
||Can someone help a SBSer who's googling.. uh..msnsearching on where 
||that value is set?  I want to see what it is on my real baby 
|that got 
||upgraded and see what it is on some test boxes I have that are slip 
||installed.

||
||http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/54094485-71f6-4be8-8ebf-faa45bc5db4c.mspx
||
||*Extended storage of deleted objects.* The default period 
|that a copy 
||of a deleted object is retained in Active Directory, called the 
||tombstone lifetime, is extended from 60 days to 180 days. Longer 
||tombstone lifetime decreases the chance that a deleted 
|object remains 
||in the local directory of a disconnected domain controller 
|beyond the 
||time when the object is permanently deleted from online domain 
||controllers. 

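Susan's question above (where the value is set), as an added check that is not code from anyone in the thread: the tombstone lifetime lives in the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration, an absent attribute means the pre-SP1 default of 60 days (which is what an in-place upgraded forest shows), and a forest first promoted on SP1 carries an explicit 180. The two LDIF exports and the backup date below are constructed sample input.

```python
"""Find the effective Active Directory tombstone lifetime from an
ldifde-style export of the Directory Service object, and derive the
last date on which a system-state backup is still usable for a restore.

Added example for this thread, not code from any poster. Assumes the
object CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<root>
has been exported to LDIF; both exports below are constructed.
"""
from datetime import date, timedelta

DEFAULT_TOMBSTONE_DAYS = 60  # applies when tombstoneLifetime is not set

# Forest created (or upgraded in place) before SP1: attribute simply absent.
LDIF_UPGRADED_FOREST = """\
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com
objectClass: nTDSService
cn: Directory Service
"""

# Forest whose first DC was promoted on SP1: attribute set explicitly.
LDIF_SP1_FOREST = """\
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com
objectClass: nTDSService
cn: Directory Service
tombstoneLifetime: 180
"""


def parse_ldif_attributes(ldif_text: str) -> dict[str, list[str]]:
    """Parse a single-entry LDIF export into attribute name -> values.

    Unfolds LDIF continuation lines (a following line beginning with one
    space) and skips comment lines; attribute names are lower-cased so the
    lookup does not depend on the exporter's casing.
    """
    logical: list[str] = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of previous line
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    attrs: dict[str, list[str]] = {}
    for line in logical:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def effective_tombstone_lifetime(ldif_text: str) -> tuple[int, bool]:
    """Return (lifetime in days, True if the attribute is explicitly set).

    An absent tombstoneLifetime means the directory still runs on the
    60-day default; the SP1 behaviour only shows up as an explicit value.
    """
    values = parse_ldif_attributes(ldif_text).get("tombstonelifetime")
    if not values:
        return DEFAULT_TOMBSTONE_DAYS, False
    return int(values[0]), True


def restore_deadline(lifetime_days: int, backup_iso: str) -> str:
    """Last day on which a system-state backup taken on backup_iso may be
    restored: an older backup would reintroduce objects whose tombstones
    the other DCs have already garbage-collected."""
    taken = date.fromisoformat(backup_iso)
    return (taken + timedelta(days=lifetime_days)).isoformat()


if __name__ == "__main__":
    for label, ldif in (("upgraded", LDIF_UPGRADED_FOREST),
                        ("sp1", LDIF_SP1_FOREST)):
        days, explicit = effective_tombstone_lifetime(ldif)
        how = "explicit attribute" if explicit else "attribute absent, default"
        print(f"{label}: tombstone lifetime {days} days ({how}); "
              f"backup of 2005-10-16 usable until "
              f"{restore_deadline(days, '2005-10-16')}")
```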
Re: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Paul Williams

Yep.  Me too.

- Original Message - 
From: Al Mulnick [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Sunday, October 16, 2005 6:38 PM
Subject: RE: [ActiveDir] Knowing when users were deleted.



I'd be interested to see that argument as well, Brett.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, October 16, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.


I would be curious just from the standpoint that I will probably learn
something about the internals. If you don't feel the list would be
interested, send to me offline. I have removed your email address from the
kill file. ;o)

Now I have to go get ready to see a noon showing of Serenity[1].

  joe


[1] We're deep in space, corner of No and Where.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Sunday, October 16, 2005 10:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

You then change the representation from an external one to an internal one,
which is a significant design decision ... I wrote up about a page filling
out the argument against using a backlink scheme ... then figured there
probably isn't interest, as we're talking a hypothetical feature.
Let me know if you want me to finish off and send my argument against
backlinks ...

Cheers,
BrettSh [msft]

On Fri, 14 Oct 2005, joe wrote:


Can you do some sort of backlink type of magic where you use some
smaller sized value to represent the real value via indirection or
something?


I expect most companies would be willing to take the hit on DIT size
to get this kind of capability. ESE can handle it right?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Friday, October 14, 2005 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.


Ignoring the 16 bytes at the beginning of the metadata for version and
attr count info, and garbage wasted space ... the metadata for a
single attribute is 48 bytes, adding the SID (28 bytes) would be an
expansion of 57% on the _raw_ per attribute metadata size.

A sampling of a corporate DB showed the raw metadata size to be 15% of
the DIT size, which would lead me to believe the DIT would expand by
~10% for a trivial implementation against this particular corporate
DIT.[1]

However, if you look at the /showobjmeta for _any_ object, you will
realize that it is a data structure that is over ripe (like bananas you
wouldn't even use for a banana cake) for being compressed.  I think I
could add a SID,
(custom) compress it, and shrink the DIT in size.

While you might think a GUID is better, because If you add a GUID, it
is only 16 bytes, but that's a very uncompressible 16 bytes,
effectively a random hash.  The SID is more likely to compress 
properly.


[1] I expect that corporate DITs vary what % is meta-data by how many
certs and big blobs they stick in their AD.  I imagine most corporate
DITs are worse (as in higher % is metadata) than the one I checked out.

Not that I've been thought of it ...

Cheers,
-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no
rights.



On Fri, 14 Oct 2005, Al Mulnick wrote:

 raises hand
 GUID or SID of the user account that made the delete request.  Last
 mod may not be enough in case some process gets hold of that data in
 the deleted items, even if unlikely.  I want the id of the identity
 that caused the object to be there in the first place.

 Having the data for a full undelete option wouldn't seem too
 terrible either, although that might significantly increase the storage
 in the DIT.

 In the past I've had to write apps to keep that information out of
 band in order to put back items mistakenly removed. But I can't see
 why I should have to trip through all the DC's Audit logs to find
 the information about who deleted something given how common this
 type of question is.  It should be recorded same as the audit log
 (we have the information, why not stamp it on the object at time of
 deletion?)

 Al



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Friday, October 14, 2005 11:03 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Knowing when users were deleted.


 Correct, you can currently only get the when and the where (DC Where
 not Client Where).

 Which raises the question. How many people would like a metadata
 stamp with the GUID or SID of the userid that made the modification
 for a given attribute (or value if appropriate)? Or would it be ok
 to just have who made the last change to the object? Either way,
 none of the administrators group nonsense, it points to a specific
 security principal.




RE: [ActiveDir] salary(OT)

2005-10-16 Thread Rick Kingslan
Dropping thread...

-r 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, October 16, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

I didn't ask Dean. I would not have asked Dean. I know how busy he is and
wouldn't want to use our friendship to guilt him into allowing me to steal
him away from money making endeavours. Instead I figured I would needle him
with one-offs as I hit them and be thankful for the responses. In the end he
wasn't able to proof the whole thing, only parts of it. But the parts he did
proof of the older material I ended up having to correct a bunch of stuff.
He pointed out AD Replication terms and such that the only google hits on
were in reference to the book itself. That IM conversation spawned a 90
minute phone call with him and you know how much I hate phones and how much
Dean and I can cover in 10 minutes and we had to chop it off at 90 minutes
because we both had to be somewhere else. Obviously, I had to change it.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, October 16, 2005 8:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Oh, and given a bit to think.

You asked Dean - but you didn't ask me.  Huh.  NOW I know where *I*
stand.  In your mind, off the edge, if Dean was just right at  ;-)

Rick 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Hey I needed to maintain a certain quality 

Did you send something to Robbie to say you wanted to review it? In the end
we were begging for reviewers, I even took Dean as a reviewer and you know
the edge I had to be on for that. He kept wanting to spell words wrong.
Eventually I just took out all references to the words color, humor, and
other -or words.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, October 14, 2005 7:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe said: Again, the reviewers did a fantastic job.

Of which, you will all notice when the book comes out, I am _NOT_ one of
those reviewers.

joe said: They kept me honest

Which is one of the reason _WHY_ I was not one of those reviewers

Rick

P.S.  Hey, joe  :op

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Not out yet, I am expecting Mid November or Early December. I sent an email
to see if I can find out. 

The book is NOT written in my voice, I tried as best as possible to maintain
the voice that was there. I simply revised it though I did add a Chapter on
ADAM and a chapter on some basic Exchange/AD Scripting. If you have the
first or second edition I think you will find this edition worthy of picking
up even if you don't have Windows Server 2003 SP1 or R2. I tried fleshing
out and changing anything I didn't feel was right. Also the reviewers all
did a bang-up job finding things I missed. I admit I didn't sleep much in
August or September. Tony may have noticed a lull in the list volume, me
working on that book saved at least 2 bazillion helpless bits from being
sacrificed.

I learned that revising a book may actually be harder than writing a book
from scratch and you get paid less. Well maybe it is depending on if you
know what you want to write about. With revising you can't just write, you
have to read, reread, write, reread, write, reread, tweak, reread. When you
change the flow and feel and voice it is like hitting a brick wall when
reading. I am sure I didn't get rid of all of the bricks but I certainly
tried to knock the walls down to a point where you can step over them
without too much trouble. Anyway, I spent less time writing the ADAM chapter
than I spent updating the security chapter. I know now that I probably
should have just rewritten from scratch and it would have gone faster. Oh
well, live and learn or don't live long.

Again, the reviewers did a fantastic job. They kept me honest when I tried
to skip over some stuff when I got tired and I thank them profusely. I tried
to do them justice in the small space provided to me for acknowledgements.
Those are the things people tend not to look at at the front of the book. I
do ask that if you pick up the book, you do look. Those, folks, deserve,
the: attention.


  joe





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe,  Active Directory Third Edition
What is this?  Where is it?

RH

Re: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Laura E. Hunter
Various thoughts from this thread:

[1] I agree with Al and Paul[1] on a desire for that sort of metadata.
 I'm not as convinced of the trade-off value of bloating the DIT for
full undelete information, particularly in monster big environments. 
For my teeny-tiny single domain it probably wouldn't be that bad of a
hit, but I imagine that the laws of diminishing returns would quickly
set in.

[2] Please finish the thought, Brett, I'm sure I'd find it
helpful/enlightening/informative even if it's only speaking in
hypotheticals.

[3] It's Gil and Darren's turn to crack me up today, I guess joe is
taking a break.


[1] *waves*  Hi Paul!  Glad to see you alive post-Summit.

- L
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Ulf B. Simon-Weidner
Hmm.

Do we really want to excuse prior failure of proper auditing by putting more
data into AD? Wouldn't that lead into every request of non-configured
auditing to requests for extending the AD? Do it right the first way.

I completely agree that we should make the people more auditing aware, and
it would be great to have a centralized auditing together with some force of
configuration instead of the per server events and auditing which is rarely
configured.

However I'm not sure if I want this kind of data in the AD.

Just my Eurocents.

Ulf 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Laura 
|E. Hunter
|Sent: Sunday, October 16, 2005 10:28 PM
|To: ActiveDir@mail.activedir.org
|Subject: Re: [ActiveDir] Knowing when users were deleted.
|




RE: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Al Mulnick
I'll see your Eurocents and raise you two. :)

I fully understand where you're coming from Ulf.  Adding this information
into the DIT when it is currently possible to get is something that grates
against common sense and common engineering principles even if you subscribe
to belts and braces methodologies. 

However, I think two things make this a worthwhile request with a big
payoff.  First to Laura's point about diminishing returns.  I agree, at some
point there will be diminishing returns.  I also believe that as hardware
gets bigger (i.e. Standard 80 GB hard drives, 1 GB memory in workstation
machines, etc. [1]) the bar gets raised until we get to the diminishing
return.  Since we're targeting 80/20 out of the box [2] it seems reasonable
that 80% of the deployments would benefit from such a change. The other 20
would be those that a) don't care or know about such things and b) those
that can't tolerate the additional overhead and therefore wouldn't want to
deploy it.  I say tough pickles to them.  :)  Seriously, this could be on by
default but configurable (group policy?) to disable it as a performance
issue etc. 

Second, I think that the major benefit is the ability to actually get usable
information native to the product vs. having to invest in a third party
product. Why?  Because today in order to get that information I have to have
something that scrapes the Security logs looking for such information.  Is
this a good idea?  I think it is.  Is it something that could be native?  I
think it could and should be native if technically feasible. 

Making us look in a particular DC's event logs is more difficult than it
should be without yet another product.  That's fine for the really large
companies that have deeper pockets, and larger needs.  For the small to
medium businesses, it should not be so difficult nor should it *require* SQL
licensing or expertise.  



[1] I'm not saying that the quality has kept up, only that the hardware is
bigger, faster, stronger and cheaper. 
[2] I'm making that up, but it sounds reasonable




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Sunday, October 16, 2005 4:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.





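Al's point above about having to scrape each DC's Security log to learn the "who" of a deletion, as an added example that is not code from anyone in the thread: it runs that scrape over a constructed pipe-separated export of several DCs' logs and answers "who deleted this account, when, and on which DC". The export layout is an assumption; event IDs 630 (Windows 2000/2003) and 4726 (Windows Server 2008 and later) are the real "User Account Deleted" IDs, and those events only exist on a DC where account-management auditing is enabled, which is Ulf's point.

```python
"""Aggregate "User Account Deleted" audit events from several DCs' Security
logs to answer: who deleted this account, when, and on which DC?

Added example for this thread, not code from any poster. It assumes each
DC's Security log has already been exported to a flat text form
(dc|timestamp|event_id|message); the native event log format is not parsed.
"""
import re
from collections import Counter

# "User Account Deleted": 630 on Windows 2000/2003, 4726 on 2008 and later.
# A DC only logs the deletions performed against itself, and only when
# "Audit account management" success auditing is turned on there.
DELETE_EVENT_IDS = {"630", "4726"}

# Constructed sample export. The message text mirrors the field labels of
# the real 630 event description; DC names, accounts and SIDs are made up.
SAMPLE_EXPORT = """\
DC01|2005-10-14 09:12:03|528|Successful Logon: User Name: jdoe Domain: CORP Logon ID: (0x0,0x2A1F)
DC02|2005-10-14 09:40:17|630|User Account Deleted: Target Account Name: jsmith Target Domain: CORP Target Account ID: S-1-5-21-1111-2222-3333-1105 Caller User Name: helpdesk1 Caller Domain: CORP Caller Logon ID: (0x0,0x3E7F)
DC01|2005-10-14 11:03:55|630|User Account Deleted: Target Account Name: svc_backup Target Domain: CORP Target Account ID: S-1-5-21-1111-2222-3333-1187 Caller User Name: admin_al Caller Domain: CORP Caller Logon ID: (0x0,0x51C2)
DC03|2005-10-15 16:20:01|630|User Account Deleted: Target Account Name: tmp_contractor Target Domain: CORP Target Account ID: S-1-5-21-1111-2222-3333-1203 Caller User Name: admin_al Caller Domain: CORP Caller Logon ID: (0x0,0x7A10)
"""

DELETE_RE = re.compile(
    r"Target Account Name:\s*(?P<target>\S+)\s+"
    r"Target Domain:\s*(?P<target_domain>\S+)\s+"
    r"Target Account ID:\s*(?P<sid>S-[0-9-]+)\s+"
    r"Caller User Name:\s*(?P<caller>\S+)\s+"
    r"Caller Domain:\s*(?P<caller_domain>\S+)"
)


def parse_deletions(export_text: str) -> list[dict]:
    """Return one record per account-deletion event in the export.

    Other event IDs are skipped, and a deletion event whose message lacks
    the expected fields is skipped rather than guessed at.
    """
    records = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        dc, timestamp, event_id, message = line.split("|", 3)
        if event_id not in DELETE_EVENT_IDS:
            continue
        m = DELETE_RE.search(message)
        if not m:
            continue
        records.append({
            "dc": dc,
            "time": timestamp,
            "target": m["target"],
            "sid": m["sid"],
            "caller": f"{m['caller_domain']}\\{m['caller']}",
        })
    return records


def who_deleted(records: list[dict], account: str) -> list[tuple[str, str, str]]:
    """Look up an account by sAMAccountName or by SID; returns
    (caller, dc, time) tuples in time order.

    The SID form is the reliable one: a name can be reused by a later
    account, a SID cannot.
    """
    key = account.lower()
    return [
        (r["caller"], r["dc"], r["time"])
        for r in sorted(records, key=lambda r: r["time"])
        if r["target"].lower() == key or r["sid"] == account
    ]


def deletions_by_caller(records: list[dict]) -> dict[str, int]:
    """Count deletions per caller across all DCs, a cheap way to spot an
    account (or a script running under it) that deletes unusually much."""
    return dict(Counter(r["caller"] for r in records))


if __name__ == "__main__":
    recs = parse_deletions(SAMPLE_EXPORT)
    print(who_deleted(recs, "jsmith"))                         # by name
    print(who_deleted(recs, "S-1-5-21-1111-2222-3333-1187"))   # by SID
    print(deletions_by_caller(recs))
```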

RE: [ActiveDir] rebooting a patched, but stubborn DC

2005-10-16 Thread Freddy HARTONO
Hi Mike,

I had the same issue when patching this month's patch on my dell test dc
using 3rd party patch software (st bernards' updateexpert) - it just doesn't
reboot! (one whole day)

Upon going into dell drac - it reboots without actually pressing
anything...weird but true..

Do you happen to be on dell?



Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

-Original Message-
From: Thommes, Michael M. [mailto:[EMAIL PROTECTED] 
Sent: Sunday, October 16, 2005 7:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] rebooting a patched, but stubborn DC

Hi Susan,
 Thanks for the response.  No UPS issues.  Checked the services remotely
and didn't find anything unusual.  The DC did finally reboot on its own
shortly after I sent out my first message - about 2 hours after the original
patching and message saying it wanted to reboot and I clicked OK.  The event
logs showed nothing of any consequence, just a big (2 hour) gap in the
system event log entries (between the entry saying it initiated shutdown and
the entry saying the system was coming back up).   The security log showed
no gaps at all.  Am I the only one that sees this kind of behavior on
W2K3/SP1 servers?  I normally don't use the /console switch when I TS in
(e.g., mstsc.exe /console).  I wonder if that could speed the process up.
 
Mike Thommes



From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka
Ebitz - SBS Rocks [MVP]
Sent: Sat 10/15/2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] rebooting a patched, but stubborn DC



APC UPS's and you don't have the latest ver on there?
HP with a UPS?

Can you get into services and see if something is 'stopping'?

Got any ILO ability there [or suitable other remote techniques]?

Thommes, Michael M. wrote:

So I have remotely (TS connection) applied the latest Windows patches 
to one of my DCs.  Patches went on fine.  Said it needed to reboot.  I 
clicked Restart.  And two hours later, it still has not rebooted, but 
it did terminate the TS session.  I have tried to kick it via a 
shutdown /f /r command from another DC.  Still no luck.  Issue same 
command remotely with the big Kahuna account, and it says a shutdown is 
in progress.  It appears to still be serving up clients, e.g., no 
discernible ill effects.  I have seen this periodically in the past 
with other servers.  Anyone have any comments/thoughts on this 
irritating, weekend sigh activity?  TIA!

Mike Thommes


--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com






Re: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

here she goes again.. I know ... I'm terrible at lurking

In SBSland we have a daily monitoring email [well ... I send it daily 
anyway, but it's configurable] and it looks at the event logs and tells 
daily health status of my server.


Like today my email tells me my server has been running for 6 hours 
[just rebooted it last night] and it gives me an overview if auto 
services are not running, critical alerts and critical errors in the 
event logs.


It tells me memory/disk size, cpu use, top processes, if the backup 
ran,  and aggregates the alerts from all the log files.


It's a health mon that dumps its data into a msde database and builds 
the email to be sent internally or externally.


What it does now, is only pulls data from the one box, the SBS box. but 
I can go into health mon and build my own monitors and grab those event 
logs from other machines [need to so that just haven't gotten around to it].


Right now if someone [usually me] fat fingers a password, for example,  
it gives me an alert in the email of the last time it occurred and how 
many occurrences.  Basically it's tracking the critical alerts in all 
the event logs and summarizing the events along with the number of 
events in the email [and showing the last time the event occurred so you 
can start your investigation from that point back]


For SBS it's in the box, it's a gui wizard that builds this pretty 
little html email that my server builds and hits me every morning at 6 
a.m and says Hey here's how I'm doing...how are you?.  It's the mid 
market that doesn't have this.  [and yes, we've told Mothership Redmond 
they need to steal this sucker and put it in the mid market server bundle]


Does it make me more aware of events on my server?  Oh you betcha it 
does.  Which is why this needs to be as you say...native in small 
and medium servers...heck I'd strongly argue that no server should be 
shipped without some admin somewhere getting an in your face report on 
that sucker.


I'll go to Frys and buy bigger hard drives if I need to.  But give me a 
big fat audit log file and I'm a happy camper. 





RE: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Rick Kingslan
And, as you know that does work well in SBSland.  However, when the scale
grows, so do the requirements.  In the Medium to Enterprise space, the idea
is more along the lines of a system or series of systems pumping this type
of information into paging and making intelligent decisions based on the
audit, event, alerts, services, etc.

Which, is right where MOM 2005 drops into the picture.  If it _IS_ the event
aggregator, or if it's pushing up to a bigger overall item such as HP
OpenView - that data is available.  It's just that instead of getting an
e-mail per server (most admins would just begin to create a rule to send
these to DEV/NUL after a while...) MOM collects, enforces and reports this
same type of information.

Scale makes the problem much tougher, as I'm sure you can imagine

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, October 16, 2005 8:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Knowing when users were deleted.


Re: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Yup information overload 'is' a problem.

And then after the scale it's... okay what the heck is the server trying 
to tell me?


I'm still a fan of www.eventid.net over microsoft.com's click here.

Rick Kingslan wrote:


And, as you know that does work well in SBSland.  However, when the scale
grows, so do the requirements.  IN the Medium to Enterprise space, the idea
is more along the lines of a system or series of systems pumping this type
of information into paging and making intelligent decisions based on the
audit, event, alerts, services, etc.

Which, is right where MOM 2005 drops into the picture.  If it _IS_ the event
aggregator, or if it's pushing up to a bigger overall item such as HP
OpenView - that data is available.  It's just that instead of getting an
e-mail per server (most admins would just begin to create a rule to send
these to DEV/NUL after a while...) MOM collects, enforces and reports this
same type of information.

Scale makes the problem much tougher, as I'm sure you can imagine

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, October 16, 2005 8:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Knowing when users were deleted.

here she goes again.. I know ... I'm terrible at lurking

In SBSland we have a daily monitoring email [well ... I send it daily
anyway, but it's configurable] and it looks at the event logs and tells
daily health status of my server.

Like today my email tells me my server has been running for 6 hours [just
rebooted it last night] and it gives me an overview if auto services are not
running, critical alerts and critical errors in the event logs.

It tells me memory/disk size, cpu use, top processes, if the backup ran,
and aggregates the alerts from all the log files.

It's a health mon that dumps its data into a msde database and builds the
email to be sent internally or externally.

What it does now, is only pulls data from the one box, the SBS box. but I
can go into health mon and build my own monitors and grab those event logs
from other machines [need to so that just haven't gotten around to it].

Right now if someone [usually me] fat fingers a password, for example, it
gives me an alert in the email of the last time it occurred and how many
occurrences.  Basically it's tracking the critical alerts in all the event
logs and summarizing the events along with the number of events in the email
[and showing the last time the event occurred so you can start your
investigation from that point back]

For SBS it's in the box, it's a gui wizard that builds this pretty
little html email that my server builds and hits me every morning at 6 a.m
and says Hey here's how I'm doing...how are you?.  It's the mid market
that doesn't have this.  [and yes, we've told Mothership Redmond they need
to steal this sucker and put it in the mid market server bundle]

Does it make me more aware of events on my server?  Oh you betcha it does.
Which is why this needs to be as you say...native in small and medium
servers... heck I'd strongly argue that no server should be shipped without
some admin somewhere getting an in your face report on that sucker.

I'll go to Frys and buy bigger harddrives if I need to.  But give me a big
fat audit log file and I'm a happy camper. 



Al Mulnick wrote:

I'll see your Eurocents and raise you two. :)

I fully understand where you're coming from Ulf.  Adding this information
into the DIT when it is currently possible to get is something that grates
against common sense and common engineering principles even if you subscribe
to belts and braces methodologies. 

However, I think two things make this a worthwhile request with a big
payoff.  First to Laura's point about diminishing returns.  I agree, at some
point there will be diminishing returns.  I also believe that as hardware
gets bigger (i.e. Standard 80 GB hard drives, 1 GB memory in workstation
machines, etc. [1]) the bar gets raised until we get to the diminishing
return.  Since we're targeting 80/20 out of the box [2] it seems reasonable
that 80% of the deployments would benefit from such a change. The other 20
would be those that a) don't care or know about such things and b) those
that can't tolerate the additional overhead and therefore wouldn't want to
deploy it.  I say tough pickles to them.  :)  Seriously, this could be on by
default but configurable (group policy?) to disable it as a performance
issue etc. 

Second, I think that the major benefit is the ability to actually get usable
information native to the product vs. having to invest in a third party
product. Why?  Because today in order to get that information I have to have
something that scrapes the Security logs looking for such information.  Is
this a 

Re: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

sorry .. I know...I know...lurk..lurk

The consultant crowd who can't handle 300 SBS boxes hitting their inbox 
at 6 a.m have asked for a dashboard.   I can handle a daily email 
they can't.


At a NTuser group meeting I was at ...some of the dashboard tools in 
Linux were discussed.  Nagios in particular was one they used for 
monitoring.


Monitoring -- MRTG: The Multi Router Traffic Grapher:
http://mrtg.hdl.com/mrtg.html

Graphical console for Snort - Analysis Console for Intrusion Databases 
(ACID):

http://acidlab.sourceforge.net/

Intrusion detection - Snort.org:
http://www.snort.org/

Monitoring - Nagios: Home:
http://www.nagios.org/

Traffic probe - ntop - network top:
http://www.ntop.org/head.html



Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:


Yup information overload 'is' a problem.

And then after the scale its... okay what the heck is the server 
trying to tell me?


I'm still a fan of www.eventid.net over microsoft.com's click here.


RE: [ActiveDir] Reverse DNS

2005-10-16 Thread Rick Kingslan

Oooof. ROTFLMAO!

Funny - very funny!

Rick [msft]
--
Posting is provided "AS IS", and confers no rights or warranties ...


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Friday, October 14, 2005 11:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Reverse DNS

Why lurk when you can participate so effectively? :)

Phil

On 10/15/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

Or get a better ISP or DNS record keeper that will allow you to do what you
need to do.

okay okay I don't lurk well ... I know I know...

Phil Renouf wrote:

So you have a publicly accessible DNS server that you manage and is in your
DMZ and an internally accessible DNS server that is on your internal network.
Is that right?

You have a domain on your publicly accessible DNS server for your public
servers (web, email etc.) and currently you only have a forward lookup zone
created on that DNS server. What you want is to be able to also host reverse
DNS for the subnet that you were given by your ISP?

If that is the case then the advice has been given; talk to your ISP and
have them delegate that subnet to your DNS server and setup a reverse lookup
zone on your publicly accessible DNS server. That or have your ISP host the
reverse lookup zone, although that would require them to manage the entries
as well.

Phil

On 10/13/05, rubix cube [EMAIL PROTECTED] wrote:

I have 2 internal DNS's, one on the DMZ zone which hosts the public IPs of
the servers we publish (email, website, systems, etc... around 15 IPs) and
the other DNS which resolves only the internal IPs. I wanted to setup the
reverse DNS and publish my internal DNS (the one at the DMZ) because I am
not sure about my ISP. I went through some trouble trying to create an SPF
record with him, and I don't have any control panel or tools for my records
on his side.

On 10/13/05, Ed Crowley [MVP] [EMAIL PROTECTED] wrote:

I can't fathom why any organization would "have to".

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Wednesday, October 12, 2005 3:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reverse DNS

I agree with Aric's advice: don't expose your internal DNS server unless you
"have to." Network Solutions hosts my DNS records, and I can manage them
myself using their web-based tools. The only gripe I've got with them is
that they won't host SPF records.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Wednesday, October 12, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reverse DNS

You probably do not want to go out and expose your internal DNS server
(presumably supporting your internal forest) to the Internet. Your internal
DNS names and IP addresses should remain private, unless of course you are
using public IP addresses internally and in such a case you would only want
to expose those required externally.

It is highly likely that your ISP already has some form of a reverse lookup
zone in place for your subnet even if it only has generic records. If that
is the case, I would probably go about just having them modify the existing
zone altering the existing records with the proper names of your systems
unless you cannot depend on them for timely changes (find another ISP) or
you have a lot of PTR records that need to be published externally or the
records you do publish will be fairly dynamic.

Regards,
Aric


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Wednesday, October 12, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Reverse DNS

Thanks all,

And when I configure the DNS reverse zone on my internal DNS server and ask
my ISP to delegate my subnet (We pay monthly fees for the subnet and
internet access), then anything else I should do? to my internal DNS, should
I publish my internal
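
As an added example (not code from the thread or from any of the posters),
here is the bookkeeping behind the advice Phil and Aric give above: the ISP
delegates the reverse zone for your block to the DNS server in the DMZ, you
publish PTR records there only for the hosts that are meant to be public, and
you check that forward and reverse agree before telling anyone it is done.
Every name and address is constructed: example.com., dmz-dns.example.com. as
the name server, and 192.0.2.0/28 (a slice of the TEST-NET-1 documentation
range) standing in for the ISP-assigned subnet. Because the poster's block is
around 15 addresses, smaller than a /24, the example also covers the classless
(RFC 2317) form of the delegation, where the ISP keeps the /24 zone and adds
CNAMEs pointing into a sub-zone you host; a full /24 is the plain NS
delegation.

```python
import ipaddress

# Constructed example data (not from the thread). 192.0.2.0/28 is a slice
# of the TEST-NET-1 documentation range, standing in for the ISP-assigned
# block; example.com. and dmz-dns.example.com. are placeholders.
DELEGATED_BLOCK = ipaddress.ip_network("192.0.2.0/28")
OUR_NAME_SERVER = "dmz-dns.example.com."
A_RECORDS = {
    "www.example.com.": "192.0.2.10",
    "mail.example.com.": "192.0.2.2",
    "dmz-dns.example.com.": "192.0.2.3",
    "intranet.example.com.": "10.0.0.15",  # internal host: must not get a public PTR
}


def parent_zone(network):
    """The /24 in-addr.arpa zone that contains the block (the ISP's zone)."""
    o = ipaddress.ip_network(network).network_address.packed
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."


def reverse_zone_name(network):
    """Name of the reverse zone we host for an IPv4 block of /24 or smaller."""
    network = ipaddress.ip_network(network)
    if network.version != 4 or network.prefixlen < 24:
        raise ValueError("expects an IPv4 block of /24 or smaller")
    if network.prefixlen == 24:
        return parent_zone(network)
    # Smaller than /24: classless delegation (RFC 2317). The ISP keeps the
    # /24 zone and delegates a sub-zone named after the address range.
    first = network.network_address.packed[3]
    last = first + network.num_addresses - 1
    return f"{first}-{last}.{parent_zone(network)}"


def build_ptr_records(network, a_records):
    """PTR records for every A record whose address lies inside the block.
    Addresses outside it (internal hosts) are skipped, so nothing about the
    internal namespace leaks through the public reverse zone."""
    network = ipaddress.ip_network(network)
    zone = reverse_zone_name(network)
    records = []
    for name, addr in sorted(a_records.items(), key=lambda kv: ipaddress.ip_address(kv[1])):
        ip = ipaddress.ip_address(addr)
        if ip in network:
            records.append({"ip": addr, "owner": f"{ip.packed[3]}.{zone}", "ptr": name})
    return records


def isp_side_records(network, name_server):
    """Records the ISP must add in its /24 zone for the delegation to work."""
    network = ipaddress.ip_network(network)
    parent = parent_zone(network)
    if network.prefixlen == 24:
        return [(parent, "NS", name_server)]
    sub = reverse_zone_name(network)
    records = [(sub, "NS", name_server)]
    for ip in network:  # one CNAME per address, pointing into our sub-zone
        last = ip.packed[3]
        records.append((f"{last}.{parent}", "CNAME", f"{last}.{sub}"))
    return records


def zone_file_lines(ptr_records):
    """The PTR records in master-file form, ready for the DMZ server's zone."""
    return [f"{r['owner']} IN PTR {r['ptr']}" for r in ptr_records]


def check_forward_confirmed(network, a_records, ptr_records):
    """Forward-confirmed reverse DNS: each PTR must name a host whose A
    record is that same address, and each public A inside the block needs
    a PTR. Returns the list of problems found (empty when consistent)."""
    network = ipaddress.ip_network(network)
    problems = []
    ptr_by_ip = {r["ip"]: r["ptr"] for r in ptr_records}
    for addr, name in ptr_by_ip.items():
        if a_records.get(name) != addr:
            problems.append(f"PTR for {addr} names {name}, whose A record is {a_records.get(name)}")
    for name, addr in a_records.items():
        if ipaddress.ip_address(addr) in network and addr not in ptr_by_ip:
            problems.append(f"{name} ({addr}) is inside the block but has no PTR")
    return problems


if __name__ == "__main__":
    ptrs = build_ptr_records(DELEGATED_BLOCK, A_RECORDS)
    print(f"; zone {reverse_zone_name(DELEGATED_BLOCK)} hosted on {OUR_NAME_SERVER}")
    print("\n".join(zone_file_lines(ptrs)))
    print("; ISP side:")
    for owner, rtype, rdata in isp_side_records(DELEGATED_BLOCK, OUR_NAME_SERVER):
        print(f"{owner} IN {rtype} {rdata}")
    print("; consistency:", check_forward_confirmed(DELEGATED_BLOCK, A_RECORDS, ptrs) or "OK")
```

The internal host in A_RECORDS never gets a PTR because its address is
outside the delegated block, which is the separation Aric asks for. Once the
ISP has added its side, verify a live delegation with `dig -x <address>` for
one of your public addresses: the answer should be the public name, and an A
query for that name should return the same address.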

RE: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Brian Desmond
I get these sorts of emails, at least the security audit aggregation stuff
too. Just remember for me that I have a section of a very expensive SAN
shelf allocated to my audit collection project, a pair of very well equipped
servers clustered running SQL (expensive), a web frontend running SQL RS
(cheap), and my time as a consultant maintaining it (very expensive). This
stuff adds up. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, October 16, 2005 9:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Knowing when users were deleted.

here she goes again.. I know ... I'm terrible at lurking

In SBSland we have a daily monitoring email [well ... I send it daily 
anyway, but it's configurable] and it looks at the event logs and tells 
daily health status of my server.

Like today my email tells me my server has been running for 6 hours 
[just rebooted it last night] and it gives me an overview if auto 
services are not running, critical alerts and critical errors in the 
event logs.

It tells me memory/disk size, cpu use, top processes, if the backup 
ran,  and aggregates the alerts from all the log files.

It's a health mon that dumps its data into a msde database and builds 
the email to be sent internally or externally.

What it does now, is only pulls data from the one box, the SBS box. but 
I can go into health mon and build my own monitors and grab those event 
logs from other machines [need to so that just haven't gotten around to it].

Right now if someone [usually me] fat fingers a password, for example,  
it gives me an alert in the email of the last time it occurred and how 
many occurrences.  Basically it's tracking the critical alerts in all 
the event logs and summarizing the events along with the number of 
events in the email [and showing the last time the event occurred so you 
can start your investigation from that point back]

For SBS it's in the box, it's a gui wizard that builds this pretty 
little html email that my server builds and hits me every morning at 6 
a.m and says Hey here's how I'm doing...how are you?.  It's the mid 
market that doesn't have this.  [and yes, we've told Mothership Redmond 
they need to steal this sucker and put it in the mid market server bundle]

Does it make me more aware of events on my server?  Oh you betcha it 
does.  Which is why this needs to be as you say...native in small 
and medium servers... heck I'd strongly argue that no server should be 
shipped without some admin somewhere getting an in your face report on 
that sucker.

I'll go to Frys and buy bigger harddrives if I need to.  But give me a 
big fat audit log file and I'm a happy camper. 


Al Mulnick wrote:

I'll see your Eurocents and raise you two. :)

I fully understand where you're coming from Ulf.  Adding this information
into the DIT when it is currently possible to get is something that grates
against common sense and common engineering principles even if you
subscribe
to belts and braces methodologies. 

However, I think two things make this a worthwhile request with a big
payoff.  First to Laura's point about diminishing returns.  I agree, at
some
point there will be diminishing returns.  I also believe that as hardware
gets bigger (i.e. Standard 80 GB hard drives, 1 GB memory in workstation
machines, etc. [1]) the bar gets raised until we get to the diminishing
return.  Since we're targeting 80/20 out of the box [2] it seems reasonable
that 80% of the deployments would benefit from such a change. The other 20
would be those that a) don't care or know about such things and b) those
that can't tolerate the additional overhead and therefore wouldn't want to
deploy it.  I say tough pickles to them.  :)  Seriously, this could be on
by
default but configurable (group policy?) to disable it as a performance
issue etc. 

Second, I think that the major benefit is the ability to actually get
usable
information native to the product vs. having to invest in a third party
product. Why?  Because today in order to get that information I have to
have
something that scrapes the Security logs looking for such information.  Is
this a good idea?  I think it is.  Is it something that could be native?  I
think it could and should be native if technically feasible. 

Making us look in a particular DC's event logs is more difficult than it
should be without yet another product.  That's fine for the really large
companies that have deeper pockets, and larger needs.  For the small to
medium businesses, it should not be so difficult nor should it *require*
SQL
licensing or expertise.  



[1] I'm not saying that the quality has kept up, only that the hardware is
bigger, faster, stronger and cheaper. 
[2] I'm making that up, but it sounds reasonable




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL 
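
As an added example (not code from the thread or from any of the posters),
here is the kind of Security-log scraper Al describes, combined with the
count-plus-last-occurrence summary that Susan's daily report produces. It
assumes a constructed tab-separated export of the Security logs (DC name,
timestamp, event ID, flattened description); the event IDs 630 (Windows
2000/2003) and 4726 (Windows Vista/Server 2008 and later) are the real "user
account deleted" IDs, while every account, SID and timestamp in the sample is
made up. Two caveats a practitioner wants: the event is written only on the
DC that processed the deletion, so the export has to be pulled from every DC,
and nothing is logged at all unless "Audit account management" success
auditing is in effect on the domain controllers.

```python
import re
from collections import defaultdict
from datetime import datetime

# Security log event IDs that record "user account deleted": 630 on Windows
# 2000/2003, 4726 on Windows Vista/Server 2008 and later.
DELETION_EVENT_IDS = {630, 4726}

# Constructed sample (not real log data). Assumed export layout, one event per
# line: <DC> TAB <timestamp> TAB <event ID> TAB <description with its line
# breaks flattened to spaces>, concatenated from every DC's Security log.
SAMPLE_EXPORT = """\
DC01\t2005-10-14 09:12:03\t630\tUser Account Deleted: Target Account Name: jdoe Target Domain: CORP Target Account ID: S-1-5-21-1-2-3-1105 Caller User Name: hradmin Caller Domain: CORP Caller Logon ID: (0x0,0x4A2F1) Privileges: -
DC01\t2005-10-14 09:12:03\t560\tObject Open: Object Server: Security Object Type: File
DC02\t2005-10-15 17:45:30\t630\tUser Account Deleted: Target Account Name: svc_backup Target Domain: CORP Target Account ID: S-1-5-21-1-2-3-1203 Caller User Name: jsmith Caller Domain: CORP Caller Logon ID: (0x0,0x7B33C) Privileges: -
DC01\t2005-10-16 02:10:00\t529\tLogon Failure: Reason: Unknown user name or bad password User Name: sbradley Domain: CORP
DC02\t2005-10-16 08:01:11\t4726\tA user account was deleted. Subject: Security ID: S-1-5-21-1-2-3-500 Account Name: hradmin Account Domain: CORP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-1-2-3-1307 Account Name: tmp_contractor Account Domain: CORP
"""

# Field layout of the 630 description (the deleter is the "Caller").
_RE_630 = re.compile(
    r"Target Account Name:\s*(?P<target>\S+)\s+Target Domain:\s*(?P<target_domain>\S+).*?"
    r"Caller User Name:\s*(?P<caller>\S+)\s+Caller Domain:\s*(?P<caller_domain>\S+)"
)
# Field layout of the 4726 description (deleter under "Subject:", deleted
# account under "Target Account:").
_RE_4726 = re.compile(
    r"Subject:.*?Account Name:\s*(?P<caller>\S+)\s+Account Domain:\s*(?P<caller_domain>\S+).*?"
    r"Target Account:.*?Account Name:\s*(?P<target>\S+)\s+Account Domain:\s*(?P<target_domain>\S+)"
)


def parse_deletions(export_text):
    """One record per account-deletion event, oldest first. A deletion is
    written only on the DC that processed it, so the export must come from
    every DC or deletions will be missed."""
    records = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        dc, stamp, event_id, message = line.split("\t", 3)
        event_id = int(event_id)
        if event_id not in DELETION_EVENT_IDS:
            continue
        record = {"dc": dc, "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                  "event_id": event_id}
        m = (_RE_630 if event_id == 630 else _RE_4726).search(message)
        if m is None:
            # Unexpected description layout: keep the raw text visible rather
            # than silently dropping a deletion.
            record["unparsed"] = message
        else:
            record["target"] = f"{m['target_domain']}\\{m['target']}"
            record["caller"] = f"{m['caller_domain']}\\{m['caller']}"
        records.append(record)
    return sorted(records, key=lambda r: r["time"])


def summarize_by_caller(records):
    """Per deleting account: number of deletions, when the last one happened,
    which DCs recorded them and which accounts went (the daily-report view)."""
    summary = defaultdict(lambda: {"count": 0, "last": None, "dcs": set(), "targets": []})
    for r in records:
        if "caller" not in r:
            continue
        entry = summary[r["caller"]]
        entry["count"] += 1
        if entry["last"] is None or r["time"] > entry["last"]:
            entry["last"] = r["time"]
        entry["dcs"].add(r["dc"])
        entry["targets"].append(r["target"])
    return dict(summary)


def format_report(records):
    """Plain-text lines for the morning e-mail."""
    lines = []
    for caller, e in sorted(summarize_by_caller(records).items()):
        lines.append(f"{caller}: {e['count']} deletion(s), last at {e['last']:%Y-%m-%d %H:%M:%S} "
                     f"on {', '.join(sorted(e['dcs']))}; deleted: {', '.join(e['targets'])}")
    unparsed = [r for r in records if "unparsed" in r]
    if unparsed:
        lines.append(f"{len(unparsed)} deletion event(s) could not be parsed; check them by hand")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_deletions(SAMPLE_EXPORT)))
```

The per-caller view is deliberate: a burst of deletions from one account, or
a deletion by an account that never does provisioning, is what you want to
see first thing in the morning, and the "last at" stamp gives the point to
start reading the full log backwards from, as Susan's report does.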

RE: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Brian Desmond
Mrtg (actually mrtg + rrdtool) and nagios are standard equipment in many an
enterprise, mrtg in particular. You can get mrtg to graph damn near anything
if you're good. Nagios in my opinion is better than MOM in certain respects,
and it's free. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, October 16, 2005 10:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Knowing when users were deleted.

sorry .. I know...I know...lurk..lurk

The consultant crowd who can't handle 300 SBS boxes hitting their inbox 
at 6 a.m have asked for a dashboard.   I can handle a daily email 
they can't.

At a NTuser group meeting I was at ...some of the dashboard tools in 
Linux were discussed.  Nagios in particular was one they used for 
monitoring.

Monitoring -- MRTG: The Multi Router Traffic Grapher:
http://mrtg.hdl.com/mrtg.html

Graphical console for Snort - Analysis Console for Intrusion Databases 
(ACID):
http://acidlab.sourceforge.net/

Intrusion detection - Snort.org:
http://www.snort.org/

Monitoring - Nagios: Home:
http://www.nagios.org/

Traffic probe - ntop - network top:
http://www.ntop.org/head.html




RE: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Rick Kingslan
I suppose that this is why they pay folks who devise solutions to make this
stuff work like it's supposed to the big bucks.

shrug 

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, October 16, 2005 8:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Knowing when users were deleted.

Yup information overload 'is' a problem.

And then after the scale its... okay what the heck is the server trying to
tell me?

I'm still a fan of www.eventid.net over microsoft.com's click here.


RE: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Rick Kingslan
Susan,

Really - I know you too well.  You're not going to lurk.  Get in the game.
It appears most folks want to hear what you have to say from the Small
Business arena.  And, if it broadens the message of managing and maintaining
the systems - it's good for all.

Just please - stop convincing yourself you're lurking  You're aren't!
You're too valuable to do so...

:o)

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, October 16, 2005 9:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Knowing when users were deleted.

sorry .. I know...I know...lurk..lurk

The consultant crowd who can't handle 300 SBS boxes hitting their inbox 
at 6 a.m have asked for a dashboard.   I can handle a daily email 
they can't.

At a NTuser group meeting I was at ...some of the dashboard tools in Linux
were discussed.  Nagios in particular was one they used for monitoring.

Monitoring -- MRTG: The Multi Router Traffic Grapher:
http://mrtg.hdl.com/mrtg.html

Graphical console for Snort - Analysis Console for Intrusion Databases
(ACID):
http://acidlab.sourceforge.net/

Intrusion detection - Snort.org:
http://www.snort.org/

Monitoring - Nagios: Home:
http://www.nagios.org/

Traffic probe - ntop - network top:
http://www.ntop.org/head.html



Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

 Yup information overload 'is' a problem.

 And then after the scale its... okay what the heck is the server 
 trying to tell me?

 I'm still a fan of www.eventid.net over microsoft.com's click here.

 Rick Kingslan wrote:

 And, as you know that does work well in SBSland.  However, when the 
 scale grows, so do the requirements.  IN the Medium to Enterprise 
 space, the idea is more along the lines of a system or series of 
 systems pumping this type of information into paging and making 
 intelligent decisions based on the audit, event, alerts, services, 
 etc.

 Which, is right where MOM 2005 drops into the picture.  If it _IS_ 
 the event aggregator, or if it's pushing up to a bigger overall item 
 such as HP OpenView - that data is available.  It's just that instead 
 of getting an e-mail per server (most admins would just begin to 
 create a rule to send these to DEV/NUL after a while...) MOM 
 collects, enforces and reports this same type of information.

 Scale makes the problem much tougher, as I'm sure you can imagine

 Rick [msft]
 --
 Posting is provided AS IS, and confers no rights or warranties ...
  

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Sunday, October 16, 2005 8:33 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Knowing when users were deleted.

 here she goes again.. I know ... I'm terrible at lurking

 In SBSland we have a daily monitoring email [well ... I send it daily 
 anyway, but it's configurable] and it looks at the event logs and 
 tells daily health status of my server.

 Like today my email tells me my server has been running for 6 hours 
 [just rebooted it last night] and it gives me an overview if auto 
 services are not running, critical alerts and critical errors in the 
 event logs.

 It tells me memory/disk size, cpu use, top processes, if the backup 
 ran, and aggregates the alerts from all the log files.

 It's a health mon that dumps its data into an MSDE database and 
 builds the email to be sent internally or externally.

 What it does now is only pull data from the one box, the SBS box, 
 but I can go into Health Mon and build my own monitors and grab those event 
 logs from other machines [need to do that, just haven't gotten around 
 to it].

 Right now if someone [usually me] fat fingers a password, for 
 example, it gives me an alert in the email of the last time it 
 occurred and how many occurrences.  Basically it's tracking the 
 critical alerts in all the event logs and summarizing the events 
 along with the number of events in the email [and showing the last 
 time the event occurred so you can start your investigation from that 
 point back]

 For SBS it's in the box, it's a GUI wizard that builds this 
 pretty little HTML email that my server builds and hits me every 
 morning at 6 a.m. and says "Hey, here's how I'm doing... how are you?"  It's the mid 
 market that doesn't have this.  [and yes, we've told Mothership 
 Redmond they need to steal this sucker and put it in the mid market 
 server bundle]

 Does it make me more aware of events on my server?  Oh you betcha it 
 does.
 Which is why this needs to be as you say...native in small and 
 medium servers... heck, I'd strongly argue that no server should be 
 shipped without some admin somewhere getting an in your face report 
 on that sucker.

 I'll go to Frys and buy bigger 

Re: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
I give carte blanche to folks to whack me upside the head if I get too 
annoying.   :-)


Rick Kingslan wrote:


Susan,

Really - I know you too well.  You're not going to lurk.  Get in the game.
It appears most folks want to hear what you have to say from the Small
Business arena.  And, if it broadens the message of managing and maintaining
the systems - it's good for all.

Just please - stop convincing yourself you're lurking.  You aren't!
You're too valuable to do so...

:o)

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, October 16, 2005 9:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Knowing when users were deleted.

sorry .. I know...I know...lurk..lurk

The consultant crowd who can't handle 300 SBS boxes hitting their inbox 
at 6 a.m. have asked for a dashboard.   I can handle a daily email; 
they can't.


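The daily report described in this thread (critical events from every log, counted per source and event ID, with the last time each occurred as the point to start the investigation from) is easy to rebuild for a server that is not SBS. The following is an added example and is not the SBS Health Monitor wizard or any code posted in the thread. It is PowerShell for Windows Server 2008 R2 or later (Get-WinEvent); the event objects in it are constructed sample data, labelled as such, so the summary runs anywhere, and the mail addresses and SMTP host at the end are placeholders.

```powershell
# Added example, not code from the thread or from SBS Health Monitor.
# Summarise noisy logs the way the SBS daily mail does: one row per
# source/event ID with a count and the most recent occurrence.
function Get-EventSummary {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # objects with TimeCreated, ProviderName, Id, Message
        [int]$Top = 10
    )
    $Events |
        Group-Object -Property { '{0}|{1}' -f $_.ProviderName, $_.Id } |
        ForEach-Object {
            $newest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                Source = $newest.ProviderName
                Id     = $newest.Id
                Count  = $_.Count
                Last   = $newest.TimeCreated          # start the investigation here and work backwards
                Sample = ($newest.Message -split "`r?`n")[0]
            }
        } |
        Sort-Object Count, Last -Descending |
        Select-Object -First $Top
}

# On a real server, pull the last 24 hours of Critical (1) and Error (2) events
# plus failed logons (Security event 4625; reading the Security log needs an
# elevated session):
#   $since  = (Get-Date).AddDays(-1)
#   $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System','Application'; Level = 1,2; StartTime = $since }) +
#             @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since })
# Constructed sample data (not real log output) so the example runs offline:
$events = @(
    [pscustomobject]@{ TimeCreated = Get-Date '2005-10-16 06:02'; ProviderName = 'Microsoft-Windows-Security-Auditing'; Id = 4625; Message = "An account failed to log on.`r`nAccount Name: sbradley" }
    [pscustomobject]@{ TimeCreated = Get-Date '2005-10-16 06:05'; ProviderName = 'Microsoft-Windows-Security-Auditing'; Id = 4625; Message = "An account failed to log on.`r`nAccount Name: sbradley" }
    [pscustomobject]@{ TimeCreated = Get-Date '2005-10-16 06:07'; ProviderName = 'Microsoft-Windows-Security-Auditing'; Id = 4625; Message = "An account failed to log on.`r`nAccount Name: sbradley" }
    [pscustomobject]@{ TimeCreated = Get-Date '2005-10-16 03:00'; ProviderName = 'Microsoft-Windows-Backup';             Id = 517;  Message = "The backup operation that started at 03:00 has failed." }
    [pscustomobject]@{ TimeCreated = Get-Date '2005-10-15 23:58'; ProviderName = 'Service Control Manager';              Id = 7000; Message = "The Print Spooler service failed to start." }
)

$summary = Get-EventSummary -Events $events
$summary | Format-Table -AutoSize

# Turn the table into the morning e-mail (placeholder addresses and SMTP host).
$body = $summary |
    ConvertTo-Html -Title "Daily health: $env:COMPUTERNAME" -PreContent "<h2>$env:COMPUTERNAME, last 24 hours</h2>" |
    Out-String
# Send-MailMessage -To 'admin@example.com' -From "$env:COMPUTERNAME@example.com" `
#     -Subject "Daily health: $env:COMPUTERNAME" -BodyAsHtml -Body $body -SmtpServer 'mail.example.com'
```

With the sample data the three failed logons collapse into one row with Count 3 and Last 06:07, which is the "how many and when was the last one" view the thread describes. Grouping on source plus ID (rather than on message text) keeps one row per problem even when the message carries variable data such as a user name; the first line of the newest message is kept as a reminder of what the ID means.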

RE: [ActiveDir] rebooting a patched, but stubborn DC

2005-10-16 Thread Douglas M. Long
I also have had this problem on a specific DC. It has an intel
motherboard with integrated NIC and adaptec RAID controller. I don't
know if that has anything to do with it, but it may. 

You have any similar HW in your machine?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Sunday, October 16, 2005 7:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] rebooting a patched, but stubborn DC

Hi Susan,
 Thanks for the response.  No UPS issues.  Checked the services
remotely and didn't find anything unusual.  The DC did finally reboot on
its own shortly after I sent out my first message - about 2 hours after
the original patching and message saying it wanted to reboot and I
clicked OK.  The event logs showed nothing of any consequence, just a
big (2 hour) gap in the system event log entries (between the entry
saying it initiated shutdown and the entry saying the system was coming
back up).   The security log showed no gaps at all.  Am I the only one
that sees this kind of behavior on W2K3/SP1 servers?  I normally don't
use the /console switch when I TS in (e.g., mstsc.exe /console).  I
wonder if that could speed the process up.
 
Mike Thommes



From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Sat 10/15/2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] rebooting a patched, but stubborn DC



APC UPS's and you don't have the latest ver on there?
HP with a UPS?

Can you get into services and see if something is 'stopping'?

Got any ILO ability there [or suitable other remote techniques]?

Thommes, Michael M. wrote:

So I have remotely (TS connection) applied the latest Windows patches to
one of my DCs.  Patches went on fine.  Said it needed to reboot.  I
clicked Restart.  And two hours later, it still has not rebooted, but
it did terminate the TS session.  I have tried to kick it via a
shutdown /f /r command from another DC.  Still no luck.  Issue same
command remotely with the big Kahuna account, and it says a shutdown is
in progress.  It appears to still be serving up clients, e.g., no
discernible ill effects.  I have seen this periodically in the past with
other servers.  Anyone have any comments/thoughts on this irritating,
weekend sigh activity?  TIA!

Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

 


--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com



Re: [ActiveDir] security problem

2005-10-16 Thread tech
How can I take ownership while I do not have the Security tab any more,
because I have taken the control of the C drive for everyone? So the
Security tab is gone for every drive, because Windows was installed on the C
drive.

thanks in advance
roseta

Quoting Paul Williams [EMAIL PROTECTED]:

 Logon as an administrator and take ownership of the drive.  Then grant 
 adequate permissions again.
 
 Reinstalling Windows will obviously fix it, but is a drastic measure.
 
 
 - Original Message - 
 From: [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Sunday, October 16, 2005 5:43 PM
 Subject: [ActiveDir] security problem
 
 
  Hello,
 
   I have made a mistake and now need advice. On my computer, which has 
   Windows 2000 Server, I have unchecked the security of my C drive. The security 
   for everybody was Full Control and I unchecked it, so when it was applied I did
   not have access to the C drive. And then I shut down the computer, and then I could not
   restart it. Now, does installing Windows 2000 Server again solve the
   problem or not?
 
   Any advice or recommendation is appreciated.
  Thanks in advance
  roseta
 
 
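Paul's fix above (log on as an administrator, take ownership, then grant permissions again) can be done from a command line, which matters here because Explorer hides the Security tab as soon as the logged-on account can no longer read the ACL. The following is an added example, not from the thread. It assumes the damaged volume is reachable from an elevated session on a working Windows installation: either the machine still boots far enough to log on as an administrator, or the disk has been attached to another Windows system or booted into WinPE, in which case the drive letter will differ ($Drive is a placeholder). It uses takeown.exe and icacls.exe, which ship with Windows Vista/Server 2008 and later; on Windows 2000 the equivalents are cacls.exe and the Security tab's Owner page.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session
# on a system that can see the damaged volume. $Drive is a placeholder.
param([string]$Drive = 'C:')
$root = "$Drive\"

# Administrators hold SeTakeOwnershipPrivilege, so ownership can be taken even
# when the ACL grants nobody anything (which is why the Security tab vanished).
takeown /f $root /a | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed on $root (exit $LASTEXITCODE)" }

# Rebuild the root ACL using well-known SIDs so it works on any locale:
#   S-1-5-32-544 Administrators, S-1-5-18 SYSTEM, S-1-5-32-545 Users.
# (OI)(CI) makes the entries inheritable, so subfolders and files that still
# inherit from the root pick them up again; explicit ACEs deeper in the tree
# are left untouched (no /reset, which would strip the OS's own entries).
icacls $root /grant '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX' /c
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $root (exit $LASTEXITCODE)" }

# Verify: the owner and the rebuilt ACL, as the Security tab would show them.
(Get-Acl -Path $root).Owner
icacls $root
```

If the ACL change was propagated into folders that do not inherit from the root, repeat the takeown/icacls pair on those folders only; resetting the whole system volume recursively removes the explicit entries Windows sets on its own directories and is not what the advice in the thread asks for.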


[ActiveDir] audit problem

2005-10-16 Thread tech
Hello

If I set the audit for a drive, where should I see the logs?
If anyone accesses this drive on the network with share permission, does it have a
record or not? What about Terminal Services? If one accesses a drive with Terminal
Services, will it have a record or not?


thanks in advance.
roseta



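For the question above: file and folder access is recorded in the Security event log, and only when two things are set, the object-access (File System) audit policy and a SACL on the folder itself. Because the check is made by the kernel when the handle is opened, a record is written whether the file was reached from the console, over a file share, or inside a Terminal Services session; what the record does not say directly is which of those paths was used. The following is an added example, not from the thread, in PowerShell for Windows Server 2008 or later (event IDs 4663 and 4624; on Windows 2000 the Object Open event was 560 and there is no auditpol.exe, the policy is set in Local Security Policy). It correlates each file-access record with the logon session that produced it, so the report can say "network (file share)" or "Terminal Services". $Path is a placeholder and every step needs an elevated session.

```powershell
# Added example, not from the thread. Needs an elevated session; $Path is a placeholder.
param([string]$Path = 'D:\Shared')

# 1. Policy: without this subcategory nothing is written no matter what the SACL says.
#    Logon auditing is enabled too, because it tells us *how* each session arrived.
function Enable-FileAuditPolicy {
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
}

# 2. SACL: an audit entry on the folder, inherited by everything beneath it.
function Enable-FolderAudit {
    param([Parameter(Mandatory)][string]$Folder)
    $acl  = Get-Acl -Path $Folder -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

# Helper: flatten an event's EventData into a name -> value hashtable.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    $d
}

# 3. Report: 4663 = "an attempt was made to access an object"; join it to 4624
#    (successful logon) on the logon ID to learn which way the user came in.
$LogonTypeName = @{
    '2'  = 'Console'
    '3'  = 'Network (file share)'
    '7'  = 'Unlock'
    '10' = 'Terminal Services (RDP)'
    '11' = 'Cached console'
}

function Get-FileAccessReport {
    param([Parameter(Mandatory)][string]$Folder, [datetime]$Since = (Get-Date).AddDays(-1))
    $sessions = @{}
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            $sessions[$d['TargetLogonId']] = $d['LogonType']
        }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d['ObjectName'] -like "$Folder*") {
                $type = $sessions[$d['SubjectLogonId']]
                if ($type -and $LogonTypeName.ContainsKey($type)) { $via = $LogonTypeName[$type] }
                elseif ($type)                                     { $via = "logon type $type" }
                else                                               { $via = 'logon before audit window' }
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                    Object  = $d['ObjectName']
                    Access  = $d['AccessMask']
                    Process = $d['ProcessName']
                    Via     = $via
                }
            }
        }
}

Enable-FileAuditPolicy
Enable-FolderAudit -Folder $Path
Get-FileAccessReport -Folder $Path | Format-Table -AutoSize
```

A share access shows up with Process = System and Via = Network (file share), because the server service opens the file on the client's behalf under a type 3 logon; an RDP user's access shows the real process (explorer.exe, notepad.exe) under a type 10 logon. If the share name and client address are also wanted, enable the "File Share" subcategory as well, which adds event 5140 for each share connection. Audit entries cost a log line per handle open, so keep the SACL on the folders that matter rather than on the whole volume, and size the Security log accordingly.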


RE: [ActiveDir] rebooting a patched, but stubborn DC

2005-10-16 Thread Presley, Steven
Well you are definitely not alone.  Something like this just happened to
me while patching my Exchange clusters (only happened to 1 out of 18, so
it's pretty rare).  After patching and telling the passive node to reboot
it was completely inaccessible even after 15 minutes (normally it does
not take this long to reboot).  I could not ping or TS into the box.
iLO was my life saver though.  Connected with iLO and no hung services,
nothing funny in the event log...just was not network accessible (even
on the private network with its partner node).  Had to reboot it via iLO
(using the standard start\shutdown procedure..no cold boot required) and
it eventually went down and came back up happy.  I hope there is not
some gremlin in the recent round of patches that is going to stick its
head out when the clock strikes midnight.

Best regards,
Steven
