RE: [ActiveDir] Knowing when users were deleted.

2005-10-18 Thread Ulf B. Simon-Weidner
|  Wherever the information gets put, it should be a) done as 
|the default yet configurable b) centrally viewable (I should 
|NOT have to visit each DC in my forest to find the data) and 
|c) be included in the base product.

Exactly, that's what I meant. Enable that logging by default and provide
something to centralize that info.

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
|Sent: Tuesday, October 18, 2005 2:42 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Knowing when users were deleted.
|
|Not sure that's going to fix the issue though, unless I'm 
|missing something. 
|  Wherever the information gets put, it should be a) done as 
|the default yet configurable b) centrally viewable (I should 
|NOT have to visit each DC in my forest to find the data) and 
|c) be included in the base product.  I can see no valuable way 
|to otherwise do this.  Having to deploy yet another product 
|doesn't fix the problem, it exacerbates it; it's even worse if 
|it's a reskit item as those aren't supported nor as heavily 
|tested.  This is important enough that it should be and should 
|meet those criteria above.
|
|We may just need to knock a few more edges off before 
|submitting this FMR ;)
|
|
|From: Ulf B. Simon-Weidner [EMAIL PROTECTED]
|Reply-To: ActiveDir@mail.activedir.org
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Knowing when users were deleted.
|Date: Mon, 17 Oct 2005 23:36:44 +0200
|
|Another Hmm.
|
|I'd still like to see that configured better than putting it into the 
|AD if the info is already there (or configurable). We could request 
|to make it the default to log that kind of info. And as far as we are 
|talking about looking into every server: Where's ACS? And also SNMP 
|would be an option to get notified on a single system instead of 
|looking into every DC.
|
|Ulf
|
||-Original Message-
||From: [EMAIL PROTECTED]
||[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
||Sent: Monday, October 17, 2005 3:10 AM
||To: ActiveDir@mail.activedir.org
||Subject: RE: [ActiveDir] Knowing when users were deleted.
||
||I'll see your Eurocents and raise you two. :)
||
||I fully understand where you're coming from Ulf.  Adding this 
||information into the DIT when it is currently possible to get is 
||something that grates against common sense and common engineering 
||principles even if you subscribe to belts and braces methodologies.
||
||However, I think two things make this a worthwhile request with a big 
||payoff.  First to Laura's point about diminishing returns.  I agree, 
||at some point there will be diminishing returns.  I also believe that 
||as hardware gets bigger (i.e. standard 80 GB hard drives, 1 GB memory 
||in workstation machines, etc. [1]) the bar gets raised until we get to 
||the diminishing return.  Since we're targeting 80/20 out of the box [2] 
||it seems reasonable that 80% of the deployments would benefit from such 
||a change. The other 20 would be those that a) don't care or know about 
||such things and b) those that can't tolerate the additional overhead 
||and therefore wouldn't want to deploy it.  I say tough pickles to them.  
||:) Seriously, this could be on by default but configurable (group 
||policy?) to disable it as a performance issue etc.
||
||Second, I think that the major benefit is the ability to actually get 
||usable information native to the product vs. having to invest in a 
||third party product. Why?  Because today in order to get that 
||information I have to have something that scrapes the Security logs 
||looking for such information.  Is this a good idea?  I think it is.  
||Is it something that could be native?  I think it could and should be 
||native if technically feasible.
||
||Making us look in a particular DC's event logs is more difficult than 
||it should be without yet another product.  That's fine for the really 
||large companies that have deeper pockets, and larger needs.  For the 
||small to medium businesses, it should not be so difficult nor should it 
||*require* SQL licensing or expertise.
||
||
||
||[1] I'm not saying that the quality has kept up, only that the 
||hardware is bigger, faster, stronger and cheaper.
||[2] I'm making that up, but it sounds reasonable
||
||
||
||
||-Original Message-
||From: [EMAIL PROTECTED]
||[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
||Simon-Weidner
||Sent: Sunday, October 16, 2005 4:42 PM
||To: ActiveDir@mail.activedir.org
||Subject: RE: [ActiveDir] Knowing when users were deleted.
||
||
||Hmm.
||
||Do we really want to excuse prior failure of proper auditing by 
||putting more data into AD? Wouldn't that turn every request about 
||non-configured auditing into a request for extending the AD? Do it 
||right the first time.
||
||I completely agree that we should make the people more auditing 
||aware, and it would be great to have a centralized auditing together 
||with some force 

RE: [ActiveDir] Global Catalog

2005-10-18 Thread Ulf B. Simon-Weidner
Hi Gil,

(btw - was nice meeting you finally in person)

You're right, that might be a better wording. However, I didn't mean that I
do not agree that the forest is the security boundary; I just do not like
people using that term without being more specific. This will lead customers
who are not far enough into the details to deploy multiple forests in scenarios
where multiple domains (if even that) would have been sufficient. Keeping
viruses, malware, and the regular "I'm admin - so let's surf the web" aside:
companies who might trust their admins but have too many users to trust each
of them might deploy multiple forests b/c they are afraid that users might
(hack/)try to get into other domains. However, in a case like this it
_might_ be overrated to deploy different forests, because it's way harder for a
regular user to get into another domain (and to valuable data there) than it
is for an admin, the scenario is more difficult to administer (which might
lead to loosened security and/or more admins you'll have to trust) and the
physical security might not be in place to justify such a scenario (the
users might still hop around in the same building without distinguished
building security[1] or network boundaries[2]).

I do not think that all domain admin threats are in the non-malicious
category, and I don't think that forests shouldn't be mentioned as a security
boundary; however I think if you do mention that you also need to clarify
against which threats you're deploying additional forests and what also
needs to be applied in the company if you need that level of security for
certain parts. In many cases a proper investment into security is better
placed by drilling security into the heads of the admins (you're surfing the
web as admin? Put your fingers on the table! Slap! ;-) [3] ) than by deploying
multiple forests without taking additional measures and wrongly believing it's
buying you 100% security.

Ulf

[1] meaning that people having access to forest A only shouldn't have
physical access to any machines in the office running in forest B and vice
versa

[2] different wires, VLANs, or a generic network with people VPNing into
their infrastructure. I don't trust our friends aka the unintentional
fighters against security aka devs. There are passwords on the wire
somewhere in almost every network, and this threat is dependent on your number of
in-house developed apps IMHO.

[3] Yes - sorry - I'm German ;-)

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Gil 
|Kirkpatrick
|Sent: Tuesday, October 18, 2005 1:56 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Global Catalog
|
|I think it is better to describe a domain as a policy and 
|administration boundary (and a replication boundary), rather 
|than a weak security boundary. It is more precise, and IMO, 
|given the automatic domain trusts in a forest, there is not 
|much of a security boundary between domains.
|
|And given the ease with which malware is distributed (through 
|email and web pages for instance), the distinction between 
|criminal and unintentional is thin, if not non-existent. 
|People with criminal intent subvert administrative machines 
|and accounts all the time. So even if you think your domain 
|admin threats are all in the non-malicious category (not a 
|smart way to think in any case), once the domain admin is 
|exposed to some malware script, they've effectively taken on 
|the criminal intent.
|
|-gil
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
|Simon-Weidner
|Sent: Monday, October 17, 2005 3:14 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Global Catalog
|
||So why don't you agree with the general - forest is the security 
||boundary - statement?
|
|Because IMHO the domain is a security boundary against 
|accidental security issues, the forest against malicious/criminal ones.
|
|Companies usually trust their admins of different domains but 
|might want to protect them against accidental mistakes or 
|gaining rights easily. A different domain would be sufficient 
|then. However if you want to protect yourself against admins 
|with criminal energy (and I consider manipulating SID-History 
|on purpose as criminal energy) the forest is the security boundary.
|
|So I agree a plain vanilla statement "the domain is the 
|security boundary" is wrong, however I don't like the same plain 
|vanilla statement of the forest - it should be more clearly pointed out 
|if we are talking about criminal intentions or accidental 
|intentions (which includes "let's try quickly if we are able to 
|..." - does not include hacking).
|
|Ulf 
|
||-Original Message-
||From: [EMAIL PROTECTED]
||[mailto:[EMAIL PROTECTED] On Behalf Of 
|Almeida Pinto, 
||Jorge de
||Sent: Monday, October 17, 2005 11:59 PM
||To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
||Subject: RE: [ActiveDir] Global Catalog
||
||Well, I call it that way 

[ActiveDir] BIND on Linux

2005-10-18 Thread Peter Jessop
I would be interested to hear from people who have migrated Windows
DNS to Linux.
I am aware of the basic issues (need for DDNS and service records).

I am particularly interested in:
1) Viability and scalability
2) Versions used and recommended
3) Security ramifications due to lack of secure updates
4) Gotchas or other ramifications.


Regards

Peter Jessop
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] Knowing when users were deleted.

2005-10-18 Thread Tomasz Onyszko

joe wrote:
Correct, you can currently only get the when and the where (DC Where not 
Client Where).
 
Which raises the question. How many people would like a metadata stamp 
with the GUID or SID of the userid that made the modification for a 
given attribute (or value if appropriate)? Or would it be ok to just 
have who made the last change to the object? Either way, none of the 
administrators group nonsense, it points to a specific security principal.



count me with this request


--
Tomasz Onyszko
http://www.w2k.pl
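joe's point quoted above (the replication metadata gives you the when and the DC where, but not who) can be seen directly in `repadmin /showobjmeta` output. The following is an added example, not code from the thread: a small Python parser over a constructed sample that is only modelled on the repadmin column layout (the site and DC names, USNs and timestamps are made up). It pulls the originating DC and timestamp of the isDeleted stamp on a tombstone, which is exactly as far as the metadata gets you; the account that issued the delete has to come from that originating DC's Security log.

```python
"""Pull the 'when' and 'where' of an AD object's changes out of
repadmin /showobjmeta text.

Added example (not code from the list thread). The sample output below is
constructed and only modelled on the repadmin column layout; site names,
DC names, USNs and timestamps are made up."""
import re

# Constructed sample modelled on `repadmin /showobjmeta <dc> <dn>` for a
# tombstoned user. All values are made up.
SAMPLE_SHOWOBJMETA = """\
4 entries.
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
  10411      Default-First-Site-Name\\DC01           10411 2005-09-01 09:12:40    1 objectClass
  10412      Default-First-Site-Name\\DC01           10412 2005-09-01 09:12:40    1 sAMAccountName
  20987                  Branch-Site\\DC07            8812 2005-10-17 16:45:03    1 isDeleted
  20988                  Branch-Site\\DC07            8813 2005-10-17 16:45:03    2 name
"""

# One metadata row: local USN, originating DSA (Site\DC), originating USN,
# originating timestamp, version, attribute name. Header, separator and
# "<n> entries." lines do not match and are skipped.
META_ROW = re.compile(
    r"^\s*(?P<loc_usn>\d+)\s+(?P<dsa>\S+)\s+(?P<org_usn>\d+)\s+"
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<ver>\d+)\s+(?P<attr>\S+)\s*$"
)


def parse_showobjmeta(text):
    """Map attribute name -> {when, originating_dsa, originating_usn, version}.
    Note what is absent: no field in a metadata row names a security principal."""
    meta = {}
    for line in text.splitlines():
        m = META_ROW.match(line)
        if m is None:
            continue
        meta[m.group("attr")] = {
            "when": m.group("when"),
            "originating_dsa": m.group("dsa"),
            "originating_usn": int(m.group("org_usn")),
            "version": int(m.group("ver")),
        }
    return meta


def deletion_origin(meta):
    """For a tombstone, the isDeleted stamp tells when the delete originated
    and on which DC (the 'DC where', not the client where).
    Returns (site, dc, timestamp), or None if the object is not deleted."""
    stamp = meta.get("isDeleted")
    if stamp is None:
        return None
    site, _, dc = stamp["originating_dsa"].partition("\\")
    return site, dc, stamp["when"]


def last_touch(meta):
    """Aggregate to object level: the most recent originating change across
    all attributes (the 'who last touched the object' granularity the thread
    debates, minus the who). Returns (originating_dsa, timestamp)."""
    latest = max(meta.values(), key=lambda s: s["when"])
    return latest["originating_dsa"], latest["when"]


def audit_lookup_hint(meta):
    """Name the one Security log worth searching for the deleting account:
    the originating DC's, around the originating timestamp."""
    origin = deletion_origin(meta)
    if origin is None:
        return None
    site, dc, when = origin
    return "search Security log on %s (site %s) around %s" % (dc, site, when)


if __name__ == "__main__":
    m = parse_showobjmeta(SAMPLE_SHOWOBJMETA)
    for attr, stamp in m.items():
        print("%-16s %s from %s" % (attr, stamp["when"], stamp["originating_dsa"]))
    print(audit_lookup_hint(m))
```

On a real DC you would run repadmin /showobjmeta against the tombstone's DN and feed the captured text to parse_showobjmeta; the per-attribute dictionary is the full granularity the thread's first proposal would extend with a modifier, and last_touch is the coarser object-level alternative.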


RE: [ActiveDir] Knowing when users were deleted.

2005-10-18 Thread Almeida Pinto, Jorge de
Hi,

I'm not sure if I would want this in the AD DB as this would mean a
larger DIT (as every change is stamped... - how many versions are kept
as history?) and additional replication traffic. I would prefer a better
central auditing solution instead of having to check each DC to see for
who made a change and when.

Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Tuesday, October 18, 2005 10:17
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Knowing when users were deleted.

joe wrote:
 Correct, you can currently only get the when and the where (DC Where 
 not Client Where).
  
 Which raises the question. How many people would like a metadata stamp

 with the GUID or SID of the userid that made the modification for a 
 given attribute (or value if appropriate)? Or would it be ok to just 
 have who made the last change to the object? Either way, none of the 
 administrators group nonsense, it points to a specific security
principal.


count me with this request


--
Tomasz Onyszko
http://www.w2k.pl


Re: [ActiveDir] Kix to VBS

2005-10-18 Thread Kamlesh Parmar
I have VBScripts using WSH extensively for handling computer migrations.
I have used WMI just for finding the serial number of the machine, everything else is handled by WSH.
And my scripts are in the range of 500 to 10K lines, and I have done some 3000+ migrations with these scripts.
So, I can say WSH is no problem if you know what you want to do.
Besides that, WSH will be consistent across OS versions (at least NT and above, I have tested),

while WMI has a different number of classes available on different OS versions (more recent OS will have more classes),
so if you find a class you want to use, you have to make sure that it
is supported by all the OS versions you are going to run the script on.

Generally, if I can do a task by WSH easily, I will not use WMI (you
will tend to know the difference as you use them more and more).

Good start for you would be the Microsoft Technet Script Center.
http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx

--
Kamlesh
On 10/18/05, Alain Lissoir [EMAIL PROTECTED] wrote:
If you are Windows and above and don't need REG_MULTI_SZ updates, I would go
for WSH (pretty simple model). If you need to do more complex stuff, I would
use WMI (which is actually used from WSH as it is the scripting engine).

/Alain

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Monday, October 17, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kix to VBS

Which method is preferred, WSH or WMI?



RE: [ActiveDir] Subinacl print queue

2005-10-18 Thread Frank Abagnale
Rich,

I noticed that the script does not work against Printers which have spaces in their share names. e.g. for a Printer called USATPR001 it works fine, but for a printer whose share name is USNY PRT 05 it fails. I assume it's because of the spaces.

What would I need to allow the script to understand names with spaces between them?

thanks...
Frank



Rich Milburn [EMAIL PROTECTED] wrote:

Frank – you can use WMI to enumerate the printers, here is a VBScript that will run your command against each shared printer. Save it as a vbs and run it with the server name as an argument, i.e. 

printers.vbs printsvr1

' begin script -
On Error Resume Next

Dim objShell, objArgs, objWMIService, objItem
Dim strComputer, strPrinter, strShareName, colItems

Set objShell = WScript.CreateObject("WScript.Shell")
Set objArgs = WScript.Arguments
strComputer = objArgs(0)
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select ShareName from Win32_Printer",,48)

For Each objItem in colItems
 strShareName = objItem.ShareName
 If strShareName <> "" Then
  ' UNC path is passed unquoted: a share name containing spaces is split
  ' into several arguments by the command line
  strPrinter = "\\" & strComputer & "\" & strShareName
  objShell.Run "subinacl /printer " & strPrinter & " /grant=" & Chr(34) & "WSADMINS" & Chr(34)
 End If
Next
' end script -

Rich


---
From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Thu 10/13/2005 2:38 AM
To: Active
Subject: [ActiveDir] Subinacl print queue


Hi,

I need to grant a security group permissions to every print queue on a Print
Server.

I have looked at SUBINACL and I can use this to grant access to each print
queue providing I know the name of the queue. e.g, 

subinacl /printer \\printsvr1\USATPR001 /grant="WSADMINS"

The issue I have is that I don't know the name of every print queue, is there
someway I can use a wildcard to allow this command to be run against every
print queue listed on the server? 

thanks frank






RE: [ActiveDir] Subinacl print queue

2005-10-18 Thread Rich Milburn
Put double quotes around the printer
names, but you have to use Chr(34)... try this:

Rich

' begin script -
On Error Resume Next

Dim objShell, objArgs, objWMIService, objItem
Dim strComputer, strPrinter, strShareName, colItems

Set objShell = WScript.CreateObject("WScript.Shell")
Set objArgs = WScript.Arguments
strComputer = objArgs(0)
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select ShareName from Win32_Printer",,48)

For Each objItem in colItems
 strShareName = objItem.ShareName
 If strShareName <> "" Then
  ' Chr(34) wraps the UNC path in double quotes so a share name containing
  ' spaces reaches subinacl as a single argument
  strPrinter = Chr(34) & "\\" & strComputer & "\" & strShareName & Chr(34)
  objShell.Run "subinacl /printer " & strPrinter & " /grant=" & Chr(34) & "WSADMINS" & Chr(34)
 End If
Next
' end script -

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
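The quoting problem in this thread, as an added example that is not part of the original posts: Python rather than the thread's VBScript, because the Windows command-line quoting rule is what matters here and `subprocess.list2cmdline` implements it. The share names and server name are a constructed sample standing in for the Win32_Printer.ShareName results (unshared printers come back empty); the group name WSADMINS is the one from Frank's command. `shlex.split(..., posix=False)` is used only to approximate how the unquoted and quoted forms split into arguments; it is not the Windows parser.

```python
"""Build subinacl command lines for every shared print queue, quoting share
names that contain spaces.

Added example, not code from the thread. SAMPLE_SHARE_NAMES and PRINT_SERVER
are constructed stand-ins for a WMI query result and a real server name."""
import shlex
import subprocess

# Constructed sample of Win32_Printer.ShareName values: unshared printers
# (None / ""), a plain name, and the name with spaces that broke the loop.
SAMPLE_SHARE_NAMES = [None, "USATPR001", "", "USNY PRT 05"]
PRINT_SERVER = "printsvr1"   # assumed server name, as in the thread's example


def printer_path(server, share):
    """UNC path of one shared queue: \\server\share."""
    return "\\\\%s\\%s" % (server, share)


def naive_cmdline(server, share, group="WSADMINS"):
    """The unquoted form from the first script. For a share name with spaces
    the path is split into several arguments, so subinacl never sees the
    whole queue name."""
    return 'subinacl /printer %s /grant="%s"' % (printer_path(server, share), group)


def quoted_cmdline(server, share, group="WSADMINS"):
    """Quote each argument per the Microsoft C runtime rules so the UNC path
    stays one argument whether or not it contains spaces.
    subprocess.list2cmdline only adds quotes where they are needed."""
    argv = ["subinacl", "/printer", printer_path(server, share), "/grant=" + group]
    return subprocess.list2cmdline(argv)


def argument_count(cmdline):
    """Approximate how many arguments the command line splits into: whitespace
    separated, double-quoted runs kept together (shlex non-POSIX mode; an
    approximation of the Windows parser, not the real thing)."""
    return len(shlex.split(cmdline, posix=False))


def cmdlines_for_server(server, share_names, group="WSADMINS"):
    """One command line per shared queue, skipping unshared printers, mirroring
    the If strShareName <> "" check in the VBScript."""
    return [quoted_cmdline(server, s, group) for s in share_names if s]


if __name__ == "__main__":
    for share in ("USATPR001", "USNY PRT 05"):
        for label, build in (("naive ", naive_cmdline), ("quoted", quoted_cmdline)):
            cmd = build(PRINT_SERVER, share)
            print("%s (%d args): %s" % (label, argument_count(cmd), cmd))
    for cmd in cmdlines_for_server(PRINT_SERVER, SAMPLE_SHARE_NAMES):
        print(cmd)
```

The naive form of the USNY PRT 05 queue splits into six arguments and the quoted form into four, which is the difference between subinacl receiving `\\printsvr1\USNY` and receiving the full queue name. The same list2cmdline call generalises to any argument value that may contain spaces or embedded quotes, not just printer paths.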

RE: [ActiveDir] Knowing when users were deleted.

2005-10-18 Thread Brett Shirley

The proposal was no history, nor even a history of who modified it, merely
who made the current state of the AD be the way it is.  In order to do
that, you must track the modifier (whether by backlink, GUID, SID, DN,
samAccountName, whatever) at the replication conflict level, ergo for each
attribute, and for DN values for each value.

The ancillary question was, would it be OK to just get the last modifier
at the object level (i.e. aggregate it up to who last touched the object,
any attribute or value).  Obviously, this would lose who made the change
at time whenChanged minus 1 (or more).

The first probably will not bloat the DIT (in fact it will probably
shrink the DIT as I will show shortly, when I find an extra hour).  In a
twist of irony, the latter, even though significantly less data, would
probably bloat the DIT (although obviously only very slightly).

This is because to implement the first idea, you have enough of an impact
on DIT size (10% or more) that the team would consider strongly compressing
the meta-data to make up for it.  Whereas the latter would be so
insignificant that no one would invest in any compression.  At least that
is my prediction of how it would play out.

Cheers,
-Brett


On Tue, 18 Oct 2005, Almeida Pinto, Jorge de wrote:

 Hi,
 
 I'm not sure if I would want this in the AD DB as this would mean a
 larger DIT (as every change is stamped... - how many versions are kept
 as history?) and additional replication traffic. I would prefer a better
 central auditing solution instead of having to check each DC to see for
 who made a change and when.
 
 Jorge
 


RE: [ActiveDir] Knowing when users were deleted.

2005-10-18 Thread Brett Shirley
Ulf, what Al (well, the suggestion on the plate) is suggesting is that the
"something to centralize that info" _is_ AD replication.  Implying the
data is in AD.

Cheers,
-Brett


On Tue, 18 Oct 2005, Ulf B. Simon-Weidner wrote:

 |  Wherever the information gets put, it should be a) done as 
 |the default yet configurable b) centrally viewable (I should 
 |NOT have to visit each DC in my forest to find the data) and 
 |c) be included in the base product.
 
 Exactly, that's what I ment. Enable that logging by default and provide
 something to centralize that info.
 

RE: [ActiveDir] BIND on Linux

2005-10-18 Thread Douglas M. Long
Are you talking AD integrated DNS? If so, I would ask why move to BIND
(unless you are trying to get your DNS servers off of the same machine
as the DC, in which case I guess you would be looking at the cost
benefit of running a free OS)? Are there currently any problems? If not,
then why switch? 

Maybe stating some of your reasons for wanting to go to BIND will help
answer the question better. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Tuesday, October 18, 2005 3:22 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] BIND on Linux

I would be interested to hear from people who have migrated Windows
DNS to Linux.
I am aware of the basic issues (need for DDNS and service records).

I am particularly interested in:
1) Viability and scalability
2) Versions used and recommended
3) Security ramifications due to lack of secure updates
4) Gotchas or other ramifications.


Regards

Peter Jessop
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] BIND on Linux

2005-10-18 Thread Rick Kingslan
Peter,

Though it may appear that I have a vested interest in keeping you on our OS,
those that know me know that if a reasonable argument is presented - I will
assist in the migration for our customers.  It's simply good practice and
good relations.

Typically, when I hear that a customer wants to move from Windows DNS to
BIND, there is a reason.  I'm interested in yours, and will provide guidance
in kind.

If it's Politically motivated (and you're not the instigator) I think that
we can help you with the case to stay the course.  Again - there has to be a
reason.  Management doesn't make decisions lightly (in most cases...).  Did
someone just get to Gartner (which there is a big Symposium going on this
week) and pull a 'hey...  Gartner says...'  Those are always fun to shoot
down.

If the issue is of cost - it's not a good one, and I can provide the reasons
for why this move will cost more.  

If it's inter-operability with other BIND implementations, again - I can
provide the reasons for why this might not be a good move. 

If it's Security - let's talk about how to lock down the OS.  If it's simply
security, Linux is not the answer.

If it is that this server is going in the DMZ for external serving of DNS -
let's talk about the benefits of getting you there.

I, like the rest of this group, want to find out why you want to move your
DNS to BIND.  Make no mistake - Active Directory works best with Microsoft
DNS.  Every implementation I have done otherwise has had problems.  Not
insurmountable, but your BIND Admins have to learn a whole new set of skills
to handle those damn Windows Machines.

As to answering your questions:

1.  Very viable (again, given the caveat that Windows DNS works best when
dealing with MS clients and Active Directory - BIND requires some added care
and feeding.  As to scalability - BIND is as scalable as anything else.  It
carries less overhead, if it's the only daemon serving off of the system.
Scale for BIND is width, not depth, but you can grow a box to meet the
requirements, which are more request query (read) oriented, and write with
updates from other DNS.

2.  Versions used have been 4.x on up through 9. (whatever the latest
version of 9 is/was)  If for Active Directory, Must be greater than 8.2
(for DDNS support)

3.  Because MS-DNS and BIND use two different methods of doing secure
updates (authN to the actual box for confirming I can re-write the record or
enter a new one) the issue of secure updates isn't even in the picture.  To
me, it's a low to medium risk issue.  It all depends where you're going to
use it and how well the rest of the box is secured.  Windows DNS with its
secure updates may not be as secure as most admins think - security begins
at the OS, not the DNS service level.

4. Gotchas...  Huh.  Biggest one I've already mentioned.  MS DNS works best
WITH Active Directory.  MS DNS works great with BIND as a peer or (in the
typical hierarchical DNS structure) parent DNS.  Forwarding, conditional,
stub zones - they all work extremely well, and IMHO - surpass BIND in
capability.  There is (not to my knowledge at least) a good interface for
BIND.  Seems that most BIND admins are pretty much at home with Vi and Lint
or Dig.  (Funny, though - if someone is so hardcore that they want to do
that on Windows - they can)  All of these tools exist for use on MS DNS
as well.  Most shops dedicate ~50% of a resource's time to managing BIND.
I'd spend, typically 30 minutes daily checking logs and adding static
requests for servers that required such.

So, there you have what I can skim off the top of my head.  Again - toss
your reasons for wanting to do this.  I'm sure many of us are quite curious.


Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Tuesday, October 18, 2005 2:22 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] BIND on Linux

I would be interested to hear from people who have migrated Windows DNS to
Linux.
I am aware of the basic issues (need for DDNS and service records.)

I am particularly interested in:
1) Viability and scalability
2) Versions used and recommended
3) Security ramifications due to lack of secure updates
4) Gotchas or other ramifications.


Regards

Peter Jessop


[ActiveDir] DC replication

2005-10-18 Thread Mike Williams



We just installed a server offsite. It is connected 
by VPN through a PIX 525 and a PIX 501. After installing it, it was decided that 
it needs to be a domain controller. Ran dcpromo on it and there were no errors 
reported. The problem I have with it now is that it seems to be replicating in 
one direction only.

All DC's running 2000 server.

Active Directory Sites & Services on DC01 and 
DC02 has all 3 servers listed. DC01 and DC02 do not show any entries in the NTDS 
settings for DC03. DC03 shows the correct entries for all 3 servers. If I 
manually add a new active directory connection from DC01 or DC02, it shows all 3 
of the DC's in the selection box. After 
adding it and selecting replicate now, I receive the RPC server is unavailable 
error.

That error refers to DNS errors. I can ping 
by name to all DC's. Are there other tests I need 
to run to check DNS?

Repadmin shows correct inbound and outbound 
neighbors on DC01 and DC02. DC03 shows correct inbound neighbors, but no 
outbound neighbors.
DC01 - Main domain controller at main office
DC02 - Secondary domain controller at main office
DC03 - New domain controller at offsite location, VPN connection

Thanks in advance

Mike
Michael P. Williams
Information Technology
Carlyle Van Lines
(660) 747-8128 X 3816
[EMAIL PROTECTED]
www.carlylevanlines.com



[ActiveDir] userAccountControl

2005-10-18 Thread Mike Newell
Hello,
I am looking at some of these saved queries below and I don't see how
they work.

http://www.netpro.com/forum/messageview.cfm?catid=29&threadid=257

I *think* I understand how the bit flags work but how does the LDAP
query correspond to those flags? If I look at say, the disabled user
query it is:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

How does 1.2.840.113556.1.4.803 translate to the second bit?

Just wanting to get this straight.

Thanks again for the help.

Mike.

Mike Newell
Sr. Network Engineer
Dimensional Fund Advisors
310-633-7889




Re: [ActiveDir] BIND on Linux

2005-10-18 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

All I ask is that you keep yourself patched and secure.

My crowd uses DNS forwarders thus we are dependent on the patching of 
our ISPs to be secure from DNS poisoning.


If you are an ISP, do your part and stay secure so that my SBS 
community can be secure.


Rick Kingslan wrote:


Peter,

Though it may appear that I have a vested interest in keeping you on our OS,
those that know me know that if a reasonable argument is presented - I will
assist in the migration for our customers.  It's simply good practice and
good relations.

Typically, when I hear that a customer wants to move from Windows DNS to
BIND, there is a reason.  I'm interested in yours, and will provide guidance
in kind.

If it's Politically motivated (and you're not the instigator) I think that
we can help you with the case to stay the course.  Again - there has to be a
reason.  Management doesn't make decisions lightly (in most cases...).  Did
someone just get to Gartner (which there is a big Symposium going on this
week) and pull a 'hey...  Gartner says...'  Those are always fun to shoot
down.

If the issue is of cost - it's not a good one, and I can provide the reasons
for why this move will cost more.  


If it's inter-operability with other BIND implementations, again - I can
provide the reasons for why this might not be a good move. 


If it's Security - let's talk about how to lock down the OS.  If it's simply
security, Linux is not the answer.

If it is that this server is going in the DMZ for external serving of DNS -
let's talk about the benefits of getting you there.

I, like the rest of this group, want to find out why you want to move your
DNS to BIND.  Make no mistake - Active Directory works best with Microsoft
DNS.  Every implementation I have done otherwise has had problems.  Not
insurmountable, but your BIND Admins have to learn a whole new set of skills
to handle those damn Windows Machines.

As to answering your questions:

1.  Very viable (again, given the caveat that Windows DNS works best when
dealing with MS clients and Active Directory - BIND requires some added care
and feeding.  As to scalability - BIND is as scalable as anything else.  It
carries less overhead, if it's the only daemon serving off of the system.
Scale for BIND is width, not depth, but you can grow a box to meet the
requirements, which are more request query (read) oriented, and write with
updates from other DNS.

2.  Versions used have been 4.x on up through 9. (whatever the latest
version of 9 is/was)  If for Active Directory, Must be greater than 8.2
(for DDNS support)

3.  Because MS-DNS and BIND use two different methods of doing secure
updates (authN to the actual box for confirming I can re-write the record or
enter a new one) the issue of secure updates isn't even in the picture.  To
me, it's a low to medium risk issue.  It all depends where you're going to
use it and how well the rest of the box is secured.  Windows DNS with its
secure updates may not be as secure as most admins think - security begins
at the OS, not the DNS service level.

4. Gotchas...  Huh.  Biggest one I've already mentioned.  MS DNS works best
WITH Active Directory.  MS DNS works great with BIND as a peer or (in the
typical hierarchical DNS structure) parent DNS.  Forwarding, conditional,
stub zones - they all work extremely well, and IMHO - surpass BIND in
capability.  There is (not to my knowledge at least) a good interface for
BIND.  Seems that most BIND admins are pretty much at home with Vi and Lint
or Dig.  (Funny, though - if someone is so hardcore that they want to do
that on Windows - they can)  All of these tools exist for use on MS DNS
as well.  Most shops dedicate ~50% of a resource's time to managing BIND.
I'd spend, typically 30 minutes daily checking logs and adding static
requests for servers that required such.

So, there you have what I can skim off the top of my head.  Again - toss
your reasons for wanting to do this.  I'm sure many of us are quite curious.


Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Tuesday, October 18, 2005 2:22 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] BIND on Linux

I would be interested to hear from people who have migrated Windows DNS to
Linux.
I am aware of the basic issues (need for DDNS and service records.)

I am particularly interested in:
1) Viability and scalability
2) Versions used and recommended
3) Security ramifications due to lack of secure updates
4) Gotchas or other ramifications.


Regards

Peter Jessop

Re: [ActiveDir] userAccountControl

2005-10-18 Thread Tomasz Onyszko

Mike Newell wrote:


(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

How does 1.2.840.113556.1.4.803 translate to the second bit?

Just wanting to get this straight.


1.2.840.113556.1.4.803 is RuleOID corresponding to AND test and 
1.2.840.113556.1.4.804 is RuleOID for OR test.


so userAccountControl:1.2.840.113556.1.4.803:=2 is a bitwise AND 
comparison of userAccountControl value with 2 (decimal value reflecting 
all bits that should be included in a test).


Straight enough?:)

--
Tomasz Onyszko
http://www.w2k.pl
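As an added illustration (not code from Tomasz's reply or from any Microsoft tool), the following Python evaluator applies the two matching rules from the thread, 1.2.840.113556.1.4.803 (bitwise AND) and 1.2.840.113556.1.4.804 (bitwise OR), to a constructed set of sample userAccountControl values. The account names and their values are made up for the example; the UF_* bit values are the documented Microsoft constants.

```python
"""Evaluate AD's bitwise LDAP matching rules over constructed sample accounts.

Added example, not code from the thread: it shows why
(userAccountControl:1.2.840.113556.1.4.803:=2) selects disabled accounts
while a plain equality filter (userAccountControl=2) does not.
"""
import re

# Matching-rule OIDs named in the thread: 803 = bitwise AND, 804 = bitwise OR.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# A few well-known userAccountControl flag bits (documented Microsoft values).
UF_ACCOUNTDISABLE = 0x0002       # the "second bit": account is disabled
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

# Constructed sample directory: sAMAccountName -> userAccountControl.
# Real accounts almost always carry UF_NORMAL_ACCOUNT (512) plus other bits,
# which is exactly why "userAccountControl=2" never matches a disabled user.
SAMPLE_ACCOUNTS = {
    "alice": UF_NORMAL_ACCOUNT,                                             # 512
    "bob": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,                           # 514
    "carol": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,                     # 66048
    "dave": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_EXPIRE_PASSWD,  # 66050
    "svc-backup": UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD,                    # 544
}

# attribute:ruleOID:=value, optionally wrapped in parentheses.
_BITWISE_ASSERTION = re.compile(r"^\(?(\w+):([\d.]+):=(\d+)\)?$")


def parse_bitwise_assertion(assertion):
    """Split 'attr:OID:=mask' into (attr, oid, mask); reject anything else."""
    match = _BITWISE_ASSERTION.match(assertion.strip())
    if not match:
        raise ValueError("not a bitwise matching-rule assertion: %r" % assertion)
    attr, oid, mask = match.groups()
    if oid not in (LDAP_MATCHING_RULE_BIT_AND, LDAP_MATCHING_RULE_BIT_OR):
        raise ValueError("unsupported matching rule OID: %s" % oid)
    return attr, oid, int(mask)


def bitwise_match(attr_value, oid, mask):
    """Apply the rule the way a DC does: 803 needs every mask bit set, 804 needs any."""
    if oid == LDAP_MATCHING_RULE_BIT_AND:
        return (attr_value & mask) == mask
    return (attr_value & mask) != 0


def select_accounts(assertion, accounts=SAMPLE_ACCOUNTS):
    """Return sorted account names whose userAccountControl satisfies the assertion."""
    attr, oid, mask = parse_bitwise_assertion(assertion)
    if attr != "userAccountControl":
        raise ValueError("sample data only carries userAccountControl, got %s" % attr)
    return sorted(name for name, uac in accounts.items() if bitwise_match(uac, oid, mask))


def select_by_equality(value, accounts=SAMPLE_ACCOUNTS):
    """The naive (userAccountControl=value) filter, for contrast."""
    return sorted(name for name, uac in accounts.items() if uac == value)


def describe_flags(uac):
    """Name the known bits set in a value; unknown leftover bits are reported as hex."""
    names = {
        UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
        UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
        UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
        UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    }
    found = [label for bit, label in names.items() if uac & bit]
    leftover = uac & ~sum(names)
    if leftover:
        found.append("0x%x" % leftover)
    return found


if __name__ == "__main__":
    disabled = "(userAccountControl:1.2.840.113556.1.4.803:=2)"
    print("equality filter (=2):", select_by_equality(2))      # []
    print("bitwise AND 803 (=2):", select_accounts(disabled))   # ['bob', 'dave']
    for name in select_accounts(disabled):
        print("  %s -> %s" % (name, ", ".join(describe_flags(SAMPLE_ACCOUNTS[name]))))
    # Multi-bit masks show the AND/OR difference: 65538 = DISABLE | DONT_EXPIRE_PASSWD.
    print("AND 65538:", select_accounts("(userAccountControl:1.2.840.113556.1.4.803:=65538)"))
    print("OR  65538:", select_accounts("(userAccountControl:1.2.840.113556.1.4.804:=65538)"))
```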


[ActiveDir] DNS Problem please help

2005-10-18 Thread Ravi Dogra
Hi All,

Need your help troubleshooting my DNS server, which is also my DC.

I have an ADC also, which is working fine, but unfortunately DNS is not updated.
Current scenario is:

Nslookup says: primary DNS non-existent domain.

Event Viewer says: replication is not working for me.


Please help: what should I check to resolve the issue? If any further information is required, please revert ASAP.
RD


Re: [ActiveDir] BIND on Linux

2005-10-18 Thread Peter Jessop
I work in the IT department of an autonomous government ministry. I
actually have no wish to move DNS to Linux as it works perfectly OK as
it is. At the moment it is integrated.

The reason I am asking this question is that now it is the policy to
move to Open Source wherever possible. Thus HP-UX will move to Linux,
MS office will move to Open Office etc.

I don't know the reasons why. They want to cut costs but have not done
a cost analysis of the change. Curiously no Open Source alternatives
are being considered to replace Oracle.

Another problem is that the Windows network services function really
well, give very few problems and so have become invisible.

There is no particular advantage to moving DNS to Linux. It will not
save licenses in itself. It is simply that I have to analyse service
by service the implications and possibilities of moving to Open
Source.

I am not as extremely specialised. With one coworker I manage about 20
windows servers plus administration policy on 1500 workstations
distributed in about 80 buildings. Along with AD we have to manage a
mixture of Oracle, SQL Server, Exchange, Cluster Services, SANs,
Backups, Documentation, AV etc... along with a fair bit of scripting
due to lack of management tools. I have no idea how typical this is as
I am fairly isolated here. This list is a lifeline to someone in my
position.

I am only just beginning to think about all this as I was informed of
this today. I thought the DNS move might be fairly simple but was
concerned about the security implications of non secure updates and
was wondering if there are ways to avoid an internal hacker screwing
up the database. I also wondered what versions of Linux people were
using to get DNS services and any experience or advice they could give
me on such a move.


RE: [ActiveDir] DC replication

2005-10-18 Thread Rick Kingslan



There are a number of ports with TCP and UDP/TCP required 
that must be available for full communication from DC to DC to succeed. 
Likely one or more of these are blocked and a ping is great for basic 
connectivity.

From both sides of the VPN, run DCDIAG /v > dcdiag.log 
and a netdiag /v > netdiag.log

Send those back to us in the list and we'll help you 
through.

As a quick test, try telnet <name or IP of DC> 389, 
where <name or IP of DC> is the DC on the other side of the VPN. Do 
from both sides. This is just one of the ports that you need. 
Another would be 445.

Rick [msft]

--
Posting is provided "AS IS", and confers no rights or warranties ... 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Williams
Sent: Tuesday, October 18, 2005 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC replication

We just installed a server offsite. It is connected 
by VPN through a PIX 525 and a PIX 501. After installing it, it was decided that 
it needs to be a domain controller. Ran dcpromo on it and there were no errors 
reported. The problem I have with it now is that it seems to be replicating in 
one direction only.

All DC's running 2000 server.

Active Directory Sites & Services on DC01 and 
DC02 has all 3 servers listed. DC01 and DC02 do not show any entries in the NTDS 
settings for DC03. DC03 shows the correct entries for all 3 servers. If I 
manually add a new active directory connection from DC01 or DC02, it shows all 3 
of the DC's in the selection box. After 
adding it and selecting replicate now, I receive the RPC server is unavailable 
error.

That error refers to DNS errors. I can ping 
by name to all DC's. Are there other tests I need 
to run to check DNS?

Repadmin shows correct inbound and outbound 
neighbors on DC01 and DC02. DC03 shows correct inbound neighbors, but no 
outbound neighbors.
DC01 - Main domain controller at main office
DC02 - Secondary domain controller at main office
DC03 - New domain controller at offsite location, VPN connection

Thanks in advance

Mike
Michael P. Williams
Information Technology
Carlyle Van Lines
(660) 747-8128 X 3816
[EMAIL PROTECTED]
www.carlylevanlines.com



Re: [ActiveDir] DNS Problem please help

2005-10-18 Thread Tomasz Onyszko

Ravi Dogra wrote:

Hi All,
 
Need your help for troubleshooting my DNS Server which is also my DC.
 
I have an ADC also which is working fine but unfortunately DNS is not 
updated.

Current scenario is :-
 
Nslookup says: primary DNS non-existent domain.
 
Event Viewer says: replication is not working for me.
 
 
Please help: what should I check to resolve the issue? If any further 
information is required, please revert ASAP.


Give us more information - is this the only DC in your domain, do you 
have other DC\DNS servers? Where is your DNS setting pointing?


--
Tomasz Onyszko
http://www.w2k.pl


RE: [ActiveDir] DNS Problem please help

2005-10-18 Thread Rick Kingslan



If your DNS is not answering for the domain that AD lives 
in, then yes - your replication will not work.

1. If you go to the DNS applet, do you have a DNS 
Forward zone created for your domain?
2. If the domain is there, what is in the DNS 
zone? Are there other 'folders' inside, or just DNS name to IP 
records?
3. Stop NETLOGON - wait 30 seconds. Start 
NetLogon. This will re-register missing AD records.

If none of the above seem correct, from the Server disk in 
the Support/Tools directory, install the support tools. We will need a 
DCDIAG /V and NETDIAG /V written out to a log file. Paste those to your 
message and we will review.

Rick [msft]

--
Posting is provided "AS IS", and confers no rights or warranties ... 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Tuesday, October 18, 2005 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Problem please help

Hi All,

Need your help for troubleshooting my DNS Server which is also my DC.

I have an ADC also which is working fine but unfortunately DNS is not 
updated.
Current scenario is :-

Nslookup says: primary DNS non-existent domain.

Event Viewer says: replication is not working for me.


Please help: what should I check to resolve the issue? If any further 
information is required, please revert ASAP.
RD


RE: [ActiveDir] BIND on Linux

2005-10-18 Thread Rick Kingslan
OK.  It makes more sense.

1.  Are you moving away from Active Directory to NIS?  If not, keeping
DNS on Windows is a zero cost / zero impact issue.  If it's AD integrated,
then the cost is nil.  It's a no cost part of the DC package.

2.  DNS on a Windows server as the primary system does invoke cost in this
case.  AD integrate everything that controls the INTERNAL DNS.  Allow the
external facing accept forwarding from the Windows DNS that is serving the
internal servers and workstations.

3.  If this primary factor is cost, and only cost - that's a political
battle that is hard to win.  I would look to your Microsoft resources to
help you cost justify our products.

Is this in EU?  Harder battle, I have to add.  Interesting comment on the
database (Oracle especially...) thing.  What are you replacing SQL with? 

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Tuesday, October 18, 2005 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] BIND on Linux

I work in the IT department of an autonomous government ministry. I actually have
no wish to move DNS to Linux as it works perfectly OK as it is. At the
moment it is integrated.

The reason I am asking this question is that now it is the policy to move to
Open Source wherever possible. Thus HP-UX will move to Linux, MS office will
move to Open Office etc.

I don't know the reasons why. They want to cut costs but have not done a
cost analysis of the change. Curiously no Open Source alternatives are being
considered to replace Oracle.

Another problem is that the Windows network services function really well,
give very few problems and so have become invisible.

There is no particular advantage to moving DNS to Linux. It will not save
licenses in itself. It is simply that I have to analyse service by service
the implications and possibilities of moving to Open Source.

I am not as extremely specialised. With one coworker I manage about 20
windows servers plus administration policy on 1500 workstations distributed
in about 80 buildings. Along with AD we have to manage a mixture of Oracle,
SQL Server, Exchange, Cluster Services, SANs, Backups, Documentation, AV
etc... along with a fair bit of scripting due to lack of management tools. I
have no idea how typical this is as I am fairly isolated here. This list is
a lifeline to someone in my position.

I am only just beginning to think about all this as I was informed of this
today. I thought the DNS move might be fairly simple but was concerned about
the security implications of non secure updates and was wondering if there
are ways to avoid an internal hacker screwing up the database. I also
wondered what versions of Linux people were using to get DNS services and
any experience or advice they could give me on such a move.


RE: [ActiveDir] DC replication

2005-10-18 Thread CHIANESE, DAVID



Run dcdiag /s:servername and netdiag on that server and see what they report.

You can then run a netdiag /fix to fix trivial errors.

You can pipe these to a file as such:
netdiag > netdiag_servername.txt
dcdiag /s:servername > dcdiag_servername.txt

Make sure your VPN is passing all required traffic for replication. See this 
article for more info: 

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx


Regards,

David Chianese


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Williams
Sent: Tuesday, October 18, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC replication

  We just installed a server offsite. It is 
  connected by VPN through a PIX 525 and a PIX 501. After installing it, it was 
  decided that it needs to be a domain controller. Ran dcpromo on it and there 
  were no errors reported. The problem I have with it now is that it seems to be 
  replicating in one direction only.
  
  All DC's running 2000 server.
  
  Active Directory Sites & Services on DC01 and 
  DC02 has all 3 servers listed. DC01 and DC02 do not show any entries in the 
  NTDS settings for DC03. DC03 shows the correct entries for all 3 servers. If I 
  manually add a new active directory connection from DC01 or DC02, it shows all 
  3 of the DC's in the selection box. 
  After adding it and selecting replicate now, I receive the RPC server is 
  unavailable error.
  
  That error refers to DNS errors. I can ping 
  by name to all DC's. Are there other tests I 
  need to run to check DNS?
  
  Repadmin shows correct inbound and outbound 
  neighbors on DC01 and DC02. DC03 shows correct inbound neighbors, but no 
  outbound neighbors.
  DC01 - Main domain controller at main office
  DC02 - Secondary domain controller at main office
  DC03 - New domain controller at offsite location, VPN connection
  
  Thanks in advance
  
  Mike
  Michael P. Williams
  Information Technology
  Carlyle Van Lines
  (660) 747-8128 X 3816
  [EMAIL PROTECTED]
  www.carlylevanlines.com
  


Re: [ActiveDir] DC replication

2005-10-18 Thread Tomasz Onyszko

Mike Williams wrote:
We just installed a server offsite. It is connected by VPN through a PIX 
525 and a PIX 501. After installing it, it was decided that it needs to 
be a domain controller. Ran dcpromo on it and there were no errors 
reported. The problem I have with it now is that it seems to be 
replicating in one direction only.
 
All DC's running 2000 server.


(...)


DC01 - Main domain controller at main office
DC02 - Secondary domain controller at main office
DC03 - New domain controller at offsite location, VPN connection
 
Thanks in advance



Which DNS server were you pointing at when you dcpromoed DC3? Do all DCs 
have correct DC3 information in the DNS server they are using?


If you want to be sure that you are free from DNS issues, try to set DC3 
to the same DNS server which is used by DC1 and DC2 and restart the netlogon 
service on DC3 to re-register DC records.


Do you have objects corresponding to DC3 in NTDS settings on DC3 and 
DC1\DC2? If not, try to create a connection in the opposite direction from DC2 
or DC1 to DC3.



--
Tomasz Onyszko
http://www.w2k.pl


RE: [ActiveDir] DC replication

2005-10-18 Thread Mike Williams



Thanks, I'll get this information and send it back

Mike

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Tuesday, October 18, 2005 10:59 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] DC replication
  There are a number of ports with TCP and UDP/TCP required 
  that must be available for full communication from DC to DC to succeed. 
  Likely one or more of these are blocked and a ping is great for basic 
  connectivity.
  
  From both sides of the VPN, run DCDIAG /v > dcdiag.log 
  and a netdiag /v > netdiag.log
  
  Send those back to us in the list and we'll help you 
  through.
  
  As a quick test, try telnet <name or IP of DC> 389, 
  where <name or IP of DC> is the DC on the other side of the VPN. 
  Do from both sides. This is just one of the ports that you need. 
  Another would be 445.
  
  Rick [msft]
  
  --
  Posting is provided "AS IS", and confers no rights or warranties ... 
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Williams
  Sent: Tuesday, October 18, 2005 10:40 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] DC replication
  
  We just installed a server offsite. It is 
  connected by VPN through a PIX 525 and a PIX 501. After installing it, it was 
  decided that it needs to be a domain controller. Ran dcpromo on it and there 
  were no errors reported. The problem I have with it now is that it seems to be 
  replicating in one direction only.
  
  All DC's running 2000 server.
  
  Active Directory Sites & Services on DC01 and 
  DC02 has all 3 servers listed. DC01 and DC02 do not show any entries in the 
  NTDS settings for DC03. DC03 shows the correct entries for all 3 servers. If I 
  manually add a new active directory connection from DC01 or DC02, it shows all 
  3 of the DC's in the selection box. 
  After adding it and selecting replicate now, I receive the RPC server is 
  unavailable error.
  
  That error refers to DNS errors. I can ping 
  by name to all DC's. Are there other tests I 
  need to run to check DNS?
  
  Repadmin shows correct inbound and outbound 
  neighbors on DC01 and DC02. DC03 shows correct inbound neighbors, but no 
  outbound neighbors.
  DC01 - Main domain controller at main office
  DC02 - Secondary domain controller at main office
  DC03 - New domain controller at offsite location, VPN connection
  
  Thanks in advance
  
  Mike
  Michael P. Williams
  Information Technology
  Carlyle Van Lines
  (660) 747-8128 X 3816
  [EMAIL PROTECTED]
  www.carlylevanlines.com
  


Re: [ActiveDir] BIND on Linux

2005-10-18 Thread Peter Jessop
On 10/18/05, Rick Kingslan [EMAIL PROTECTED] wrote:
 OK.  It makes more sense.

 1.  Are you moving away from Active Directory to NIS?  If not, keeping
 DNS on Windows is a zero cost / zero impact issue.  If it's AD integrated,
 then the cost is nil.  It's a no cost part of the DC package.

I honestly have no idea if they actually have the courage to take out
AD. It would be hard to justify on cost. I have very little knowledge
of NIS and have no idea up to what point it could cover AD roles

 3.  If this primary factor is cost, and only cost - that's a political
 battle that is hard to win.  I would look to your Microsoft resources to
 help you cost justify our products.

 Is this in EU?  Harder battle, I have to add.  Interesting comment on the
 database (Oracle especially...) thing.  What are you replacing SQL with?

This is EU(Spain). As for Open Source database I am familiar with
MySQL so they will probably go with Postgres ;)

Basically they have got into a flap over the cost of Office licences
and this, mixed with a liberal dash of Microphobia and combined with a
total lack of analysis have led them to this posture.


RE: [ActiveDir] Global Catalog

2005-10-18 Thread Gil Kirkpatrick
Hi Ulf,

Nice to have met you too..

Put your fingers on the table! Slap! ;-)
[3] Yes - sorry - I'm German ;-)

It sounds more like you're a Catholic nun!

We're pretty much in agreement. The real answer (as it always seems to
be) is to analyze the threats, assess the risks, and make the
appropriate cost/benefit tradeoffs of risk vs. mitigation. Multiple
forests increase costs but provide more isolation. Do the costs outweigh
the benefits? It all depends on the particular organization.

BTW, I'm half German. My mother is from Berlin.

-g


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Monday, October 17, 2005 11:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Global Catalog

Hi Gil,

(btw - was nice meeting you finally in person)

You're right, that might be a better wording. However I didn't mean that I
do not agree that the forest is the security boundary, however I do not like
people using that term without being more specific. This will lead customers
who are not enough into details to deploy multiple forests in scenarios
where multiple domains (if even that) would have been sufficient. Keeping
viruses, malware, and the regular "I'm admin - so let's surf the web" aside.
Companies who might trust their admins but have too many users to trust each
of them might deploy multiple forests b/c they are afraid that users might
try to (hack/)get into other domains. However in a case like this it
_might_ be overrated to deploy different forests, cause it's way harder for a
regular user to get into another domain (and to valuable data there) than it
is for an admin, the scenario is more difficult to administer (which might
lead to loosened security and/or more admins you'll have to trust) and the
physical security might not be in place to justify such a scenario (the
users might still hop around in the same building without distinguished
building security[1] or network boundaries[2]).

I do not think that all domain admin threats are in the non-malicious
category, and I don't think that forests shouldn't be mentioned as security
boundary, however I think if you do mention that you also need to clarify
against which threats you're deploying additional forests and what also
needs to be applied in the company if you need that level of security for
certain parts. In many cases a proper investment into security is better
placed by drilling security into the heads of the admins (you're surfing the
web as admin? Put your fingers on the table! Slap! ;-) [3] ) than deploying
multiple forests without taking additional measures and wrongly believing
it's buying you 100% security.

Ulf

[1] meaning that people having access to forest A only shouldn't have
physical access to any machines in the office running in forest B and vice
versa

[2] different wires, VLANs, or a generic network with people VPNing into
their infrastructure. I don't trust our friends aka the unintentional
fighters against security aka devs. There are somewhere passwords on the
wire in almost every network, and this threat is dependent on your number of
in-house developed apps IMHO.

[3] Yes - sorry - I'm German ;-)

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Gil 
|Kirkpatrick
|Sent: Tuesday, October 18, 2005 1:56 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Global Catalog
|
|I think it is better to describe a domain as a policy and 
|administration boundary (and a replication boundary), rather 
|than a weak security boundary. It is more precise, and IMO, 
|given the automatic domain trusts in a forest, there is not 
|much of a security boundary between domains.
|
|And given the ease with which malware is distributed (through 
|email and web pages for instance), the distinction between 
|criminal and unintentional is thin, if not non-existent. 
|People with criminal intent subvert administrative machines 
|and accounts all the time. So even if you think your domain 
|admin threats are all in the non-malicious category (not a 
|smart way to think in any case), once the domain admin is 
|exposed to some malware script, they've effectively taken on 
|the criminal intent.
|
|-gil
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
|Simon-Weidner
|Sent: Monday, October 17, 2005 3:14 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Global Catalog
|
||So why don't you agree with the general - forest is the security 
||boundary - statement?
|
|Cause IMHO the domain is a security boundary against 
|accidental security issues, the forest against malicious/criminal.
|
|Companies usually trust their admins of different domains but 
|might want to protect them against accidental mistakes or 
|gaining rights easily. A different domain would be sufficient 
|then. However if you want to protect yourself against admins 
|with criminal energy (and I 

Re: [ActiveDir] BIND on Linux

2005-10-18 Thread RM

On Tue, 18 Oct 2005 17:59:48 +0200, Peter Jessop [EMAIL PROTECTED]
said:

The reason I am asking this question is that now it is the policy to
move to Open Source wherever possible. Thus HP-UX will move to Linux,
MS office will move to Open Office etc.

Ahh, I see.

Moving your DNS to a BIND implementation would comply with the letter of
that policy but not the spirit.  BIND will need a home and that could
involve spinning up another couple of servers.  Plus, the DC's where DNS
is running now will continue to run as DC's.  The end-result is server
sprawl and you aren't doing a thing to get Microsoft outta your shop.

The only way I'd switch to BIND is if I were going the Samba route with
an eye toward getting rid of Active Directory entirely.  If you're
running AD, keep MSDNS.  Sleep well at night.

RM



Re: [ActiveDir] DNS Problem please help

2005-10-18 Thread Ravi Dogra
Yes forward zone is created for my domain and all folders are there.

stopping netlogon is also not resolving the issue.





[ActiveDir] OT? Remote Assistance.

2005-10-18 Thread Kennedy, Jim


Trouble getting Remote Assistance going. XP w/ SP2 in a 2K3 domain. XP
firewall disabled on both boxes.

Two computers for test. Both in the same OU. GPO forces offer and invite
enabled with a group having the permissions. RSOP on both machines shows
it is all taking effect. Both logged on users are local admins, and are
in fact domain admins.  Invitations for Assistance work fine, in both
directions. However Offer Assistance fails with 'Permission Denied'.

Been through everything here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;310629  Simple
file sharing off and verified the groups and members are being passed
down.

This one does not apply, that group policy is undefined. Tried defining
it with the fix anyway, no change.
http://support.microsoft.com/?kbid=884910


http://support.microsoft.com/default.aspx?scid=kb;en-us;889248


Even fired up all the disabled services on both machines.






RE: [ActiveDir] Server Monitoring

2005-10-18 Thread Alborzfard, Alex
A little late to put my 2 cents in, but I guess better late than never.

I've used NAGIOS, Kaseya, and MonitorIT. If you're comfortable with
Linux I'd go with NAGIOS, you can't go wrong with the price: FREE.
Otherwise the other two are viable options, you get a whole lotta
features. The down side is that they require installing agents.

--Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Parker
Sent: Monday, October 17, 2005 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Server Monitoring

Hello all...

We are searching for a tool that will monitor server uptime and send out
an alert when a server goes down.

Anyone have a suggestion?  Does not have to be too complicated.

Everything is Win2K AD fully spacked.

Thank you in advance.

John Parker, MCSE 
IS Admin. 
Senior Technical Specialist 
Alpha Display Systems. 
Alpha Video 
7711 Computer Ave. 
Edina, MN. 55435 

952-896-9898 Local 
800-388-0008 Watts 
952-896-9899 Fax 
612-804-8769 Cell 
952-841-3327 Direct 
[EMAIL PROTECTED] 
Be excellent to each other 
---End of Line--- 



-Original Message-
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[mailto:[EMAIL PROTECTED]
Sent: Sunday, October 16, 2005 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Knowing when users were deleted.


I give carte blanche to folks to wack me upside the head if I get too 
annoying.   :-)

Rick Kingslan wrote:

Susan,

Really - I know you too well.  You're not going to lurk.  Get in the game.
It appears most folks want to hear what you have to say from the Small
Business arena.  And, if it broadens the message of managing and maintaining
the systems - it's good for all.

Just please - stop convincing yourself you're lurking.  You aren't!
You're too valuable to do so...

:o)

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, October 16, 2005 9:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Knowing when users were deleted.

sorry .. I know...I know...lurk..lurk

The consultant crowd who can't handle 300 SBS boxes hitting their inbox
at 6 a.m. have asked for a dashboard.   I can handle a daily email;
they can't.

At an NTuser group meeting I was at ... some of the dashboard tools in Linux
were discussed.  Nagios in particular was one they used for monitoring.

Monitoring -- MRTG: The Multi Router Traffic Grapher:
http://mrtg.hdl.com/mrtg.html

Graphical console for Snort - Analysis Console for Intrusion Databases
(ACID):
http://acidlab.sourceforge.net/

Intrusion detection -  Snort.org:
http://www.snort.org/

Monitoring - Nagios: Home:
http://www.nagios.org/

Traffic probe - ntop - network top:
http://www.ntop.org/head.html



Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

  

Yup information overload 'is' a problem.

And then after the scale it's... okay what the heck is the server 
trying to tell me?

I'm still a fan of www.eventid.net over microsoft.com's click here.

Rick Kingslan wrote:



And, as you know that does work well in SBSland.  However, when the 
scale grows, so do the requirements.  In the Medium to Enterprise 
space, the idea is more along the lines of a system or series of 
systems pumping this type of information into paging and making 
intelligent decisions based on the audit, event, alerts, services, 
etc.

Which, is right where MOM 2005 drops into the picture.  If it _IS_ 
the event aggregator, or if it's pushing up to a bigger overall item 
such as HP OpenView - that data is available.  It's just that instead
of getting an e-mail per server (most admins would just begin to 
create a rule to send these to DEV/NUL after a while...) MOM 
collects, enforces and reports this same type of information.

Scale makes the problem much tougher, as I'm sure you can imagine

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, October 16, 2005 8:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Knowing when users were deleted.

here she goes again.. I know ... I'm terrible at lurking

In SBSland we have a daily monitoring email [well ... I send it daily
anyway, but it's configurable] and it looks at the event logs and 
tells daily health status of my server.

Like today my email tells me my server has been running for 6 hours 
[just rebooted it last night] and it gives me an overview if auto 
services are not running, critical alerts and critical errors in the 
event logs.

It tells me memory/disk size, cpu use, top processes, if the backup 
ran, and aggregates the alerts from all the log files.

It's a health mon that dumps its data into an msde 

RE: [ActiveDir] Knowing when users were deleted.

2005-10-18 Thread Ulf B. Simon-Weidner
Hi Bratt,

I knew, however assuming performance and size issues I'd prefer to get a
better solution within the OS for auditing AD instead of bloating it up for
retrieving some information.

But thanks to your prior post I'd vote for auditing within AD as well, if
it's even decreasing the metadata and doesn't have a high impact on
performance (I know - reading less data is mostly better than worrying about
the time it takes to be decompressed, and depending how you would implement
this, this might even be done distributed on the requesting machine).
However - and I was impressed by your sharp brain at the summit ;-) - the
DCRs I've been involved with don't make me too confident - even if it's you
suggesting that - still a stony path to take until we might see something
like this.

Ulf

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
|Sent: Tuesday, October 18, 2005 4:02 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Knowing when users were deleted.
|
|Ulf, what Al (well the suggestion on the plate) is suggesting 
|is that the something to centralize that info _is_ AD 
|replication.  Implying the data is in AD.
|
|Cheers,
|-Brett
|
|
|On Tue, 18 Oct 2005, Ulf B. Simon-Weidner wrote:
|
| |  Wherever the information gets put, it should be a) done as the 
| |default yet configurable b) centrally viewable (I should 
|NOT have to 
| |visit each DC in my forest to find the data) and
| |c) be included in the base product.
| 
| Exactly, that's what I meant. Enable that logging by default and 
| provide something to centralize that info.
| 
| |-Original Message-
| |From: [EMAIL PROTECTED]
| |[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
| |Sent: Tuesday, October 18, 2005 2:42 AM
| |To: ActiveDir@mail.activedir.org
| |Subject: RE: [ActiveDir] Knowing when users were deleted.
| |
| |Not sure that's going to fix the issue though, unless I'm missing 
| |something.
| |  Wherever the information gets put, it should be a) done as the 
| |default yet configurable b) centrally viewable (I should 
|NOT have to 
| |visit each DC in my forest to find the data) and
| |c) be included in the base product.  I can see no valuable way to 
| |otherwise do this.  Having to deploy yet another product 
|doesn't fix 
| |the problem, it exacerbates it; it's even worse if it's a 
|reskit item 
| |as those aren't supported nor as heavily tested.  This is 
|important 
| |enough that it should be and should meet those criteria above.
| |
| |We may just need to knock a few more edges off before 
|submitting this 
| |FMR ;)
| |
| |
| |From: Ulf B. Simon-Weidner [EMAIL PROTECTED]
| |Reply-To: ActiveDir@mail.activedir.org
| |To: ActiveDir@mail.activedir.org
| |Subject: RE: [ActiveDir] Knowing when users were deleted.
| |Date: Mon, 17 Oct 2005 23:36:44 +0200
| |
| |Another Hmm.
| |
| |I'd still like to see that better configured that putting it into 
| |the AD if the infos are already there (or configurable). We could 
| |request to make it default to log that kind of info. And as far as 
| |we are talking about looking into every server: Where's ACS? And 
| |also SNMP would be an option to get notified on a single system 
| |instead of looking into every DC.
| |
| |Ulf
| |
| ||-Original Message-
| ||From: [EMAIL PROTECTED]
| ||[mailto:[EMAIL PROTECTED] On Behalf Of 
|Al Mulnick
| ||Sent: Monday, October 17, 2005 3:10 AM
| ||To: ActiveDir@mail.activedir.org
| ||Subject: RE: [ActiveDir] Knowing when users were deleted.
| ||
| ||I'll see your Eurocents and add raise you two. :)
| ||
| ||I fully understand where you're coming from Ulf.  Adding this 
| ||information into the DIT when it is currently possible to get is 
| ||something that grates against common sense and common engineering 
| ||principles even if you subscribe to belts and braces 
|methodologies.
| ||
| ||However, I think two things make this a worthwhile request
| |with a big
| ||payoff.  First to Laura's point about diminishing returns.  I 
| ||agree, at some point there will be diminishing returns.  I also
| |believe that
| ||as hardware gets bigger (i.e.
| ||Standard 80 GB hard drives, 1 GB memory in workstation
| |machines, etc. 
| ||[1]) the bar gets raised until we get to the diminishing return.  
| ||Since we're targeting 80/20 out of the box [2] it seems 
|reasonable 
| ||that 80% of the deployments would benefit from such a change. The 
| ||other 20 would be those that
| ||a) don't care or know about such things and b) those that can't 
| ||tolerate the additional overhead and therefore wouldn't want
| |to deploy
| ||it.  I say tough pickles to them.  :) Seriously, this could be on 
| ||by default but configurable (group
| ||policy?) to disable it as a performance issue etc.
| ||
| ||Second, I think that the major benefit is the ability to
| |actually get
| ||usable information native to the product vs.
| ||having to invest in a third party product. Why?  Because today in 
| ||order 

RE: [ActiveDir] Subinacl print queue

2005-10-18 Thread Ulf B. Simon-Weidner



Subinacl has issues with spaces and is used in Rich's script. When doing 
files I didn't find a fast way around and had to use the 8.1 name. Sucks - 
doesn't it?

Ulf

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
  Sent: Tuesday, October 18, 2005 3:45 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Subinacl print queue
  
  Rich,
  
  I noticed that the script does not work against Printers which have 
  spaces in their share names. E.g. for a Printer called USATPR001 it works 
  fine, but for a printer whose share name is USNY PRT 05 it fails; I assume 
  it's because of the spaces.
  
  What would I need to allow the script to understand 
  names with spaces between them?
  
  thanks...
  Frank
  
  
  
  Rich Milburn [EMAIL PROTECTED] 
  wrote:
  




Frank, you can use WMI to enumerate the printers. Here is a VBScript that 
will run your command against each shared printer. Save it as a .vbs and 
run it with the server name as an argument, i.e. 

printers.vbs printsvr1

--- begin script ---
On Error Resume Next

Dim objShell, objArgs, objWMIService, objItem
Dim strComputer, strPrinter, strShareName, colItems

' The print server name is taken from the first command-line argument
Set objShell = WScript.CreateObject("WScript.Shell")
Set objArgs = WScript.Arguments
strComputer = objArgs(0)

' Connect to WMI on the print server and read every printer's share name
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select ShareName from Win32_Printer",,48)

For Each objItem in colItems
    strShareName = objItem.ShareName
    ' Only shared printers carry a share name; skip the others
    If strShareName <> "" Then
        strPrinter = "\\" & strComputer & "\" & strShareName
        ' The UNC path is passed to subinacl unquoted, so a share name that
        ' contains spaces is split into several arguments (the failure Frank
        ' describes below)
        objShell.Run("subinacl /printer " & _
            strPrinter & " /grant=" & chr(34) & "WSADMINS" & chr(34))
    End If
Next
--- end script ---

Rich


---
From: [EMAIL PROTECTED] on behalf of Frank Abagnale
Sent: Thu 10/13/2005 2:38 AM
To: Active
Subject: [ActiveDir] Subinacl print queue


Hi,

I need to grant a security group permissions to every print queue on a Print
Server.

I have looked at SUBINACL and I can use this to grant access to each print
queue providing I know the name of the queue. e.g, 

subinacl /printer \\printsvr1\USATPR001 /grant="WSADMINS"

The issue I have is that I don't know the name of every print queue, is there
some way I can use a wildcard to allow this command to be run against every
print queue listed on the server? 

thanks frank









  
  


RE: [ActiveDir] userAccountControl

2005-10-18 Thread Mike Newell
Thanks everyone for the info! 

Mike Newell
Sr. Network Engineer
Dimensional Fund Advisors
310-633-7889

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, October 18, 2005 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] userAccountControl

 It doesn't!

1.2.840.113556.1.4.803 is the equivalent of AND, which is an LDAP matching
rule object identifier (OID)

It is bit 2 not because of the =2 but because of:
2^0=1 (1st bit)
2^1=2 (2nd bit)
Etc.
2^9=512 (10th bit)
Etc.
2^12=4096 (13th bit)
Etc.
2^16=65536 (17th bit)
Etc.

userAccountControl:1.2.840.113556.1.4.803:=2 MEANS: bit 2 (2^1) from the
userAccountControl attribute is ON (which means USER=DISABLED)
(!(userAccountControl:1.2.840.113556.1.4.803:=2)) MEANS: bit 2 from the
userAccountControl attribute is OFF (which means USER=ENABLED)

Think binary ;-) (like IP addresses)

0 0 0 0 0 0 0 0 (bin) = 0 (dec)

1 1 1 1 1 1 1 1 (bin) = 255 (dec)
1x2^7  1x2^6  1x2^5  1x2^4  1x2^3  1x2^2  1x2^1  1x2^0
128    64     32     16     8      4      2      1      = 255 (dec)

1 1 1 0 1 0 1 1 (bin) = 235 (dec)
1x2^7  1x2^6  1x2^5  0x2^4  1x2^3  0x2^2  1x2^1  1x2^0
128    64     32     0      8      0      2      1      = 235 (dec)

You can find more info and explanations at:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/may05/hey0512.mspx
http://www.alvestrand.no/objectid/1.2.840.113556.1.4.803.html
http://www.petri.co.il/ldap_search_samples_for_windows_2003_and_exchange.htm
http://www.tek-tips.com/faqs.cfm?fid=5667

Cheers,
jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Tuesday, October 18, 2005 17:45
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] userAccountControl

Hello,
I am looking at some of these saved queries below and I don't see how
they work.

http://www.netpro.com/forum/messageview.cfm?catid=29&threadid=257

I *think* I understand how the bit flags work but how does the LDAP
query correspond to those flags? If I look at say, the disabled user
query it is:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

How does 1.2.840.113556.1.4.803 translate to the second bit?

Just wanting to get this straight.

Thanks again for the help.

Mike.

Mike Newell
Sr. Network Engineer
Dimensional Fund Advisors
310-633-7889


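Jorge's explanation of the bitwise matching rule, as an added Python example that is not part of the original thread: it models how rule 1.2.840.113556.1.4.803 (bitwise AND) evaluates a userAccountControl value against a mask, decodes the well-known flag bits, and builds the filter Mike asked about. It goes one step beyond the thread by also covering rule 1.2.840.113556.1.4.804 (bitwise OR, any bit set); the sample accounts are constructed.

```python
"""Added example: how the LDAP bitwise matching rules evaluate userAccountControl."""
from __future__ import annotations

# Well-known userAccountControl bits (the thread cites 2, 512, 4096 and 65536).
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,             # bit 2 (2^1): the account is disabled
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,             # 512: an ordinary user account
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,  # 4096: a computer account
    "DONT_EXPIRE_PASSWORD": 0x10000,      # 65536: password never expires
}

# Extended matching rule OIDs understood by Active Directory.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # all bits of the mask set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # any bit of the mask set


def bit_and_match(value: int, mask: int) -> bool:
    """Rule ...803: true only when every bit in mask is set in value."""
    return value & mask == mask


def bit_or_match(value: int, mask: int) -> bool:
    """Rule ...804: true when at least one bit in mask is set in value."""
    return value & mask != 0


def decode_flags(value: int) -> list[str]:
    """Name the known flags set in a userAccountControl value, lowest bit first."""
    return [name for name, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1])
            if value & bit]


def build_filter(mask: int, rule: str = LDAP_MATCHING_RULE_BIT_AND,
                 negate: bool = False) -> str:
    """Build the user filter from the thread; negate=True gives the enabled-user form."""
    clause = f"(userAccountControl:{rule}:={mask})"
    if negate:
        clause = f"(!{clause})"
    return f"(&(objectCategory=person)(objectClass=user){clause})"


def select_accounts(entries: list[tuple[str, int]], mask: int,
                    rule: str = LDAP_MATCHING_RULE_BIT_AND,
                    negate: bool = False) -> list[str]:
    """Apply only the userAccountControl clause locally to (name, uac) pairs.

    This mirrors what the DC does for the bit clause; the objectCategory and
    objectClass clauses of the filter are not evaluated here.
    """
    match = bit_and_match if rule == LDAP_MATCHING_RULE_BIT_AND else bit_or_match
    return [name for name, uac in entries if match(uac, mask) != negate]


# Constructed sample directory contents (not taken from any real domain).
SAMPLE_ENTRIES = [
    ("alice", 512),         # normal, enabled
    ("bob", 514),           # 512 + 2: normal, disabled
    ("svc-backup", 66048),  # 512 + 65536: password never expires
    ("carol", 66050),       # 512 + 2 + 65536: disabled and never expires
    ("WS01$", 4096),        # workstation trust (computer) account
]

if __name__ == "__main__":
    disabled = UAC_FLAGS["ACCOUNTDISABLE"]
    print(build_filter(disabled))
    print("disabled:", select_accounts(SAMPLE_ENTRIES, disabled))
    print("enabled: ", select_accounts(SAMPLE_ENTRIES, disabled, negate=True))
    for name, uac in SAMPLE_ENTRIES:
        print(f"{name:<11} {uac:>6} {uac:#010b}  {decode_flags(uac)}")
```

Auditing a user export for bits such as PASSWD_NOTREQD or DONT_EXPIRE_PASSWORD is the same bit test applied offline to each value.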

[ActiveDir] OT: but in the vein of monitoring

2005-10-18 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

http://www.scorpionsoft.com/blog/archives/2005/10/sbs_firewall_da.html

The first thing was on the need for the product itself. From the results 
of our survey, 96% of the SBSers out there find their logs tedious to go 
through, and would love a dashboard view of their (or their customer's) 
firewall events.


-

And this is just the firewall logs mind you


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com




Re: [ActiveDir] OT? Remote Assistance.

2005-10-18 Thread Kamlesh Parmar
First try this DCOM fix,
http://searchwinsystems.techtarget.com/tip/0,289483,sid68_gci1091907,00.html


then this script...

@echo off

Echo Stopping The Remote Assistance Service...
net stop rdsessmgr

REM sleep.exe is not part of XP/2003 itself; it comes with the Resource Kit tools
sleep 5

Echo Running Fix for Remote Assistance...
%systemroot%\system32\sessmgr.exe -service
sleep 5

Echo Starting Remote Assistance Service...
net start rdsessmgr

On 10/18/05, Kennedy, Jim [EMAIL PROTECTED] wrote:
Trouble getting Remote Assistance going. XP w/ SP2 in a 2K3 domain. XP
firewall disabled on both boxes.

Two computers for test. Both in the same OU. GPO forces offer and invite
enabled with a group having the permissions. RSOP on both machines shows
it is all taking effect. Both logged on users are local admins, and are
in fact domain admins. Invitations for Assistance work fine, in both
directions. However Offer Assistance fails with 'Permission Denied'.

Been through everything here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;310629  Simple
file sharing off and verified the groups and members are being passed
down.

This one does not apply, that group policy is undefined. Tried defining
it with the fix anyway, no change.
http://support.microsoft.com/?kbid=884910

http://support.microsoft.com/default.aspx?scid=kb;en-us;889248

Even fired up all the disabled services on both machines.

--
~~~
Fortune and Love befriend the bold
~~~


RE: [ActiveDir] BIND on Linux

2005-10-18 Thread Al Mulnick
Yep, add to that the integrated authentication.  I know Rick pointed out
some authentication options, but if you have to analyze the move, consider
the support and security implications when this is a) less secure (maybe)
and harder to make work. 

AD-Integrated makes more sense if you intend to keep AD. If you don't, then
I don't see moving DNS as the first step in migration ;)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of RM
Sent: Tuesday, October 18, 2005 1:03 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] BIND on Linux



On Tue, 18 Oct 2005 17:59:48 +0200, Peter Jessop [EMAIL PROTECTED]
said:

The reason I am asking this question is that now it is the policy to 
move to Open Source wherever possible. Thus HP-UX will move to Linux, 
MS office will move to Open Office etc.

Ahh, I see.

Moving your DNS to a BIND implementation would comply with the letter of
that policy but not the spirit.  BIND will need a home and that could
involve spinning up another couple of servers.  Plus, the DC's where DNS is
running now will continue to run as DC's.  The end-result is server sprawl
and you aren't doing a thing to get Microsoft outta your shop.

The only way I'd switch to BIND is if I were going the Samba route with an
eye toward getting rid of Active Directory entirely.  If you're running AD,
keep MSDNS.  Sleep well at night.

RM



Re: [ActiveDir] BIND on Linux

2005-10-18 Thread Andre' Franciosi

Hi Peter,

Peter Jessop wrote:

1.  Are you moving away from Active Directory to NIS?  If not, keeping
DNS on Windows is a zero cost / zero impact issue.  If it's AD integrated,
then the cost is nil.  It's a no cost part of the DC package.


If you need to move from AD you can consider OpenLDAP. phpLDAPadmin can 
be used to manage it.


http://www.openldap.org/
http://phpldapadmin.sourceforge.net/

fr

--
André Franciosi
IT Consultant
[0x15C50B90, pgp.mit.edu]

Franciosi Consultoria
http://www.franciosi.org


[ActiveDir] Security Log file size not reaching the maximum log file size

2005-10-18 Thread Mark . H . Lunsford

We recently increased our auditing and set the security log file size to
1G, but the security log over-writes at about 409MBs; thus never reaching
the 1G security log file size. Windows 2003 Domain Controllers.

Anyone with any ideas ?






RE: [ActiveDir] Veritas and DC backup

2005-10-18 Thread Freddy HARTONO
Hi Charlie

Thanks for that, yeah basically it works under DA/EA but that's an overkill
as I only want to delegate basic stuff to site admins (yeah, problem with
distributed control :(

Any suggestions... of course other than buying Quest ADRestore
(wishlist)... otherwise I'll most probably backup to a remote disk and get
Veritas to backup that as a file (two-step, troublesome)...



Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

-Original Message-
From: Charlie Kaiser [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 18, 2005 9:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Veritas and DC backup

One of my peeves with BE; it requires domain admin rights to completely back
up a DC. You can't get system state without it.
http://seer.support.veritas.com/docs/243033.htm


**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Freddy 
 HARTONO
 Sent: Tuesday, October 18, 2005 3:34 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Veritas and DC backup
 
 Hi all,
 
 Just a quick question, is anyone using Backupexec to back up domain 
 controllers - remotely perhaps?
 
 Basically we have a distributed model here and we are trying to let 
 the site admins manage the domain controllers (in terms of restarting 
 the server) - yeah I know this is bad - and do backup but without the 
 ability of Domain Admins.
 
 The only problem that we have is that we are unable to back up using 
 Backup Operators rights via Veritas 9 - for some reason. And even if 
 we come to that part - Backup Operators will have logon rights to all 
 machines in the domain (by default)... which is bad
 
 Any ideas please? Sort of bad as we do not have 24/7 domain admins 
 on rotation..
 
 
 Thank you and have a splendid day! 
 
 Kind Regards,
 
 Freddy Hartono
 Group Support Engineer
 InternationalSOS Pte Ltd
 mail: [EMAIL PROTECTED]
 phone: (+65) 6330-9740 - temp
 
 


RE: [ActiveDir] Security Log file size not reaching the maximum log file size

2005-10-18 Thread Tony Murray



Is the local setting perhaps being overwritten by a Group 
Policy setting? Just a thought.

Tony


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, 19 October 2005 2:54 p.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Log file size not reaching the maximum log file size
We recently increased our auditing 
and set the security log file size to 1G, but the security log over-writes at 
about 409MBs; thus never reaching the 1G security log file size. 
Windows 2003 Domain Controllers 
Anyone with any ideas ? 










RE: [ActiveDir] Knowing when users were deleted.

2005-10-18 Thread Dean Wells
Such beauty in a mere typo -

Ulf
Hi Bratt
/Ulf

... still laughing at the irony ;o)

ah hahahahaha

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Tuesday, October 18, 2005 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Hi Bratt,

I knew, however assuming performance and size issues I'd prefer to get a
better solution within the OS for auditing AD instead of bloating it up for
retrieving some information.

But thanks to your prior post I'd vote for auditing within AD as well, if
it's even decreasing the metadata and doesn't have a high impact on
performance (I know - reading less data is mostly better than worrying about
the time it takes to be decompressed, and depending on how you would implement
this, this might even be done distributed on the requesting machine).
However - and I was impressed by your sharp brain at the summit ;-) - the
DCRs I've been involved with don't make me too confident - even if it's you
suggesting that - still a stony path to take until we might see something
like this.

Ulf

|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
|Sent: Tuesday, October 18, 2005 4:02 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Knowing when users were deleted.
|
|Ulf, what Al (well the suggestion on the plate) is suggesting is that 
|the something to centralize that info, _is_ AD replication.  Implying 
|the data is in AD.
|
|Cheers,
|-Brett
|
|
|On Tue, 18 Oct 2005, Ulf B. Simon-Weidner wrote:
|
| |  Wherever the information gets put, it should be a) done as the 
| |default yet configurable b) centrally viewable (I should
|NOT have to
| |visit each DC in my forest to find the data) and
| |c) be included in the base product.
| 
| Exactly, that's what I meant. Enable that logging by default and 
| provide something to centralize that info.
| 
| |-Original Message-
| |From: [EMAIL PROTECTED]
| |[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
| |Sent: Tuesday, October 18, 2005 2:42 AM
| |To: ActiveDir@mail.activedir.org
| |Subject: RE: [ActiveDir] Knowing when users were deleted.
| |
| |Not sure that's going to fix the issue though, unless I'm missing 
| |something.
| |  Wherever the information gets put, it should be a) done as the 
| |default yet configurable b) centrally viewable (I should
|NOT have to
| |visit each DC in my forest to find the data) and
| |c) be included in the base product.  I can see no valuable way to 
| |otherwise do this.  Having to deploy yet another product
|doesn't fix
| |the problem, it exacerbates it; it's even worse if it's a
|reskit item
| |as those aren't supported nor as heavily tested.  This is
|important
| |enough that it should be and should meet those criteria above.
| |
| |We may just need to knock a few more edges off before
|submitting this
| |FMR ;)
| |
| |
| |From: Ulf B. Simon-Weidner [EMAIL PROTECTED]
| |Reply-To: ActiveDir@mail.activedir.org
| |To: ActiveDir@mail.activedir.org
| |Subject: RE: [ActiveDir] Knowing when users were deleted.
| |Date: Mon, 17 Oct 2005 23:36:44 +0200
| |
| |Another Hmm.
| |
| |I'd still like to see that better configured that putting it into 
| |the AD if the infos are already there (or configurable). We could 
| |request to make it default to log that kind of info. And as far as 
| |we are talking about looking into every server: Where's ACS? And 
| |also SNMP would be an option to get notified on a single system 
| |instead of looking into every DC.
| |
| |Ulf
| |
| ||-Original Message-
| ||From: [EMAIL PROTECTED]
| ||[mailto:[EMAIL PROTECTED] On Behalf Of
|Al Mulnick
| ||Sent: Monday, October 17, 2005 3:10 AM
| ||To: ActiveDir@mail.activedir.org
| ||Subject: RE: [ActiveDir] Knowing when users were deleted.
| ||
| ||I'll see your Eurocents and add raise you two. :)
| ||
| ||I fully understand where you're coming from Ulf.  Adding this 
| ||information into the DIT when it is currently possible to get is 
| ||something that grates against common sense and common engineering 
| ||principles even if you subscribe to belts and braces
|methodologies.
| ||
| ||However, I think two things make this a worthwhile request
| |with a big
| ||payoff.  First to Laura's point about diminishing returns.  I 
| ||agree, at some point there will be diminishing returns.  I also
| |believe that
| ||as hardware gets bigger (i.e.
| ||Standard 80 GB hard drives, 1 GB memory in workstation
| |machines, etc. 
| ||[1]) the bar gets raised until we get to the diminishing return.  
| ||Since we're targeting 80/20 out of the box [2] it seems
|reasonable
| ||that 80% of the deployments would benefit from such a change. The 
| ||other 20 would be those that
| ||a) don't care or know about such things and b) those that can't 
| ||tolerate the additional overhead and 

RE: [ActiveDir] Virtual Servers in Branch Offices

2005-10-18 Thread Dean Wells



"Does placing the 
DC inside a virtual machine add any security? Would it be harder for someone 
with physical access to compromise the DC? The white paper does not really make 
this clear. Also, I am assuming that a host machine would be a domain member, 
right? Does it authenticate off the virtual 
DC?"

Dean
Virtual DCs effectively weaken 
the broader definition of security in a number of ways including the 
context of physical access ... this is due primarily to the relative ease with 
which the entire DC's state can be duplicated, subsequently becoming portable 
and reproduced in a running state elsewhere with little to no 
effort.

The host machine has no bearing ... it's rather like 
saying "the rack in which the server is physically housed has to be a domain 
member" (or any further extension of that particular metaphor). Keep in 
mind the VM (for the most part) doesn't even realize it's 
virtual.
/Dean
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Thanks for the thoughts. And thanks Tony for the reference 
-- just finished reading it.

Unfortunately, deploying the DC at HQ or simply 
authenticating over the WAN is not really an option. The WAN links are ok (and 
getting better) but are located in places where environmental (as in the 
weather) conditions often cause short interruptions.

Does placing the DC inside a virtual machine add any 
security? Would it be harder for someone with physical access to compromise the 
DC? The white paper does not really make this clear. Also, I am assuming that a 
host machine would be a domain member, right? Does it authenticate off the 
virtual DC? [1]

Thanks again.

-- nme

[1] This sort of reminds me of the scene in Animal House 
when they talk about the "whole universe as we know it existing under the 
fingernail of some other giant being..." Whoa, dude!

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 13, 2005 12:48 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
  
  Other important factors in this scenario must be the 
  physical and logical security of the server housing the DC 
  role.
  
  1. Will the server be securely locked away in the 
  branches? If not, do not deploy a DC.
  2. Do you trust the file server admins to have physical 
  access to the server hosting the DC role?
  3. Who administers the server that hosts the file 
  and DC roles? Are they also trusted?
  
  When designing the branch office, I would always ask the 
  questions below, too:
  1. Is a local DC required? i.e. what are the drawbacks if 
  a DC is not deployed?
  2. Is logon/startup traffic over the WAN larger than 
  replication traffic over the WAN? If not, consider not deploying a local 
  DC.
  3. Does a local DC offer redundancy in the event of a WAN 
  failure? If other apps are accessed over the WAN, then consider deploying the 
  DC at a central location and not at the branch.
  
  hth,
  neil
  
  
  ___ Neil Ruston Global Technology Infrastructure Nomura International plc 

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
  Sent: 13 October 2005 01:12
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
  
  Here's a link to a Microsoft document that covers what 
  you need to do to run a production DC on Virtual Server 
  2005.
  
  http://tinyurl.com/5enjd
  
  Tony
  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
  Sent: Thursday, 13 October 2005 11:30 a.m.
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Virtual Servers in Branch Offices
  
  Hi -
  
  Just to follow up on the design thread. Since I am placing DCs in small 
  branch offices, is there a value in using Virtual Server 2005 to create 
  separate virtual boxes (DC & file server) running on the same physical box? 
  Some users have administrative access to the file server, and I'd love to 
  keep them off the DCs. I am also curious about optimal physical and virtual 
  drive configurations for such a box.
  
  I reviewed the 
  thread here about Virtual Domain Controllers but it seemed to focus on using 
  them as backups. I am talking about production.
  
  Any thoughts most 
  welcome.
  
  -- 
  nme
  
  

  

RE: [ActiveDir] Security Log file size not reaching the maximum log file size

2005-10-18 Thread Steve Linehan








This problem is described in http://support.microsoft.com/default.aspx?scid=kb;en-us;312571
. The fix allows the automatic archiving of the log files but does not explain
why the problem occurs. The issue is around the fact that a contiguous block
of memory is needed for all of the log files and this is not pre-allocated so
if the memory on the box becomes fragmented, which it will, then eventually the
contiguous block cannot be allocated and we will stop logging. Generally we recommend
not setting the total size of all logs over 300 MB and using the feature above
for the security log so that it can be automatically archived. 



Thanks,



-Steve











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, October 18, 2005
8:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Log
file size not reaching the maximum log file size






We recently increased our auditing and set the security
log file size to 1G, but the security log over-writes at about 409MBs; thus
never reaching the 1G security log file size. 
Windows
2003 Domain Controllers 

Anyone
with any ideas ? 












RE: [ActiveDir] Security Log file size not reaching the maximum log file size

2005-10-18 Thread Daniel Gilbert








Have you cleared (archived) the logs since
the new settings???



Dan











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, October 18, 2005
6:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Log
file size not reaching the maximum log file size






We recently increased our auditing and set the security
log file size to 1G, but the security log over-writes at about 409MBs; thus
never reaching the 1G security log file size. 
Windows
2003 Domain Controllers 

Anyone
with any ideas ? 












RE: [ActiveDir] Security Log file size not reaching the maximum log file size

2005-10-18 Thread Steve Linehan








And just so you do not think I am making
this up here is the public reference that documents it: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/5a86ab0f-c7eb-45ed-9e5e-514173bf15e3.mspx
:-)



Thanks,



-Steve











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Tuesday, October 18, 2005
10:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Security
Log file size not reaching the maximum log file size





This problem is described in http://support.microsoft.com/default.aspx?scid=kb;en-us;312571
. The fix allows the automatic archiving of the log files but does not
explain why the problem occurs. The issue is around the fact that a
contiguous block of memory is needed for all of the log files and this is not
pre-allocated so if the memory on the box becomes fragmented, which it will,
then eventually the contiguous block cannot be allocated and we will stop
logging. Generally we recommend not setting the total size of all logs
over 300 MB and using the feature above for the security log so that it can be
automatically archived. 



Thanks,



-Steve











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, October 18, 2005
8:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Log
file size not reaching the maximum log file size






We recently increased our auditing and set the security log file size to
1G, but the security log over-writes at about 409MBs; thus never reaching the
1G security log file size. 
Windows
2003 Domain Controllers 

Anyone
with any ideas ? 
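A check for the constraint Steve describes here and in his earlier reply, added as an example and not code from the thread or from Microsoft: it totals the configured maximum sizes of the classic event logs, compares the sum with the ~300 MB guideline he cites, and reports whether the Security log's AutoBackupLogFiles value (the auto-archive switch documented in KB 312571) is set. It assumes Windows PowerShell running on the DC with administrative rights; Get-EventLogSizeReport and the 300 MB default are this example's own names.

```powershell
# Added example, not from the thread. Windows PowerShell (Get-EventLog is the
# classic-log cmdlet). Assumes it runs on the DC with administrative rights.
function Get-EventLogSizeReport {
    param([int]$LimitMB = 300)   # ~300 MB combined, the guideline Steve cites

    $logs = Get-EventLog -List

    # Configured cap per log, in MB, plus what the log does when it fills
    $rows = foreach ($log in $logs) {
        [pscustomobject]@{
            Log            = $log.Log
            MaxMB          = [math]::Round($log.MaximumKilobytes / 1024, 1)
            OverflowAction = $log.OverflowAction
        }
    }
    $totalMB = [math]::Round(($rows | Measure-Object -Property MaxMB -Sum).Sum, 1)

    # Security-log auto-archive switch from KB 312571: AutoBackupLogFiles = 1
    # (together with Retention = 0xFFFFFFFF) archives the full log and starts a new one
    $secKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
    $sec    = Get-ItemProperty -Path $secKey -ErrorAction SilentlyContinue
    $autoBackup = 0
    if ($sec -and $sec.PSObject.Properties['AutoBackupLogFiles']) {
        $autoBackup = [int]$sec.AutoBackupLogFiles
    }

    [pscustomobject]@{
        Logs               = $rows
        TotalMB            = $totalMB
        ExceedsGuideline   = ($totalMB -gt $LimitMB)
        SecurityAutoBackup = ($autoBackup -eq 1)
    }
}

$report = Get-EventLogSizeReport
$report.Logs | Format-Table -AutoSize
"Combined configured maximum: $($report.TotalMB) MB"
if ($report.ExceedsGuideline) {
    Write-Warning ("Combined log size is above the ~300 MB guideline; the event log service " +
                   "may fail to allocate its contiguous block and stop logging early.")
}
if (-not $report.SecurityAutoBackup) {
    Write-Warning "AutoBackupLogFiles is not set on the Security log (KB 312571), so a full log is not archived automatically."
}
```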











RE: [ActiveDir] ADFIND mods

2005-10-18 Thread joe
I have finished the initial pass through the adfind updates. I have done
some testing and allowed a few others to test it and am now opening up the
beta to this list, please don't forward as I don't want a bunch of people
using the beta 2 months from now. 

o Phantom Root capability (-pr) - Allows you to search across all partitions
across a DC or ADAM instance based on specified base. I.E. -b .com would
retrieve *.com partitions.  -b  would retrieve all partitions say all ADAM
partitions or default domain, config, and schema of a DC (even if it isn't a
GC).

o Added list (-list) - output from adfind is in list format. For instance
say you want a simple list of ldapdisplaynames of all the attributes in the
schema. You could use a query like 

Adfind -schema -f objectcategory=attributeschema ldapdisplayname -list

If you want the output sorted by ldapdisplayname, you do not have to specify
-sort ldapdisplayname, if you specify -sort or -rsort it will automatically
assume you want ldapdisplayname or whatever other attribute you are listing
by. However, if you want it sorted by some other attribute, you can still
specify it.

o Added -soao - Sorted order attribute output. Jerry Schulman asked me for
this and the next update. This sorts the attributes output for each object
by attribute name so they will be in a consistent order. This is nice for
scripting in the scripting languages that have minimal parsing capabilities
(like not Perl) ;o)

o -oao - Ordered attribute output. Attribute output for each object is in
the order you specify attributes to be returned in the command submitted.
Not only that, but if a specific object doesn't have one of the attributes,
it will still put a slot in the output for that attribute. By default that
slot will be empty (attribname:) but if you like, you can specify a value
to insert (this is from Al Mulnick from some time last year) like say
#undef# so if an attribute you specify to be returned will have that value
in the output (attribname: #undef#). This is done by specifying that string
after the -oao switch.

o CSV output... You must specify a list of attributes to be returned, if you
don't it will autoselect dn and name for you. If you don't want to specify a
list of attributes, you can still use adcsv.pl (Should I compile that?).
Supporting switches are -csvdelim, -csvmvdelim, -csvq. The delim switches
let you specify delimiters for the attribs and the values of a mv attrib.
csvq lets you specify a different value to quote the attributes, default is
the quote character. -nodn is supported with -csv... 

o -incldn and -incldndelim - these are like -excldn and -excldndelim but
allows you to filter on what you want to see versus what you don't want to
see. Remember, all data from the query comes back, this will simply filter
out unwanted objects on display.

o Added the ability to decode msDS-User-Account-Control-Computed when using
-samdc

o Added decode for AzMan groups (basic and query based) with -samdc on
grouptypes.  

o Fixed a bug in the filter expansion of the stats+ output. It would blow it
if there were parens in the output that wasn't related to the filter itself.

o Added environment option (-e). We discussed this functionality and the
next functionality on the list a while back. You can specify environment
variables and adfind will read them and use them like they were specified on
the command line. Switches provided at the command line will override
anything specified in the env vars. Attributes specified will be in addition
to what is specified on the command line. The default prefix for the env
vars is adfind-. So if you wanted to specify a host to use in the env vars,
say because you don't want to keep typing it, you could type

Set adfind-h=hostname.somedomain.someotherdomain.somedomain.com 

And then when you do adfind and specify the -e switch it will pull that in
and use it. 

If you want to specify a different prefix you specify it after the -e like
for instance -e adam1  -e adam2   -adam3 and then you could have

Set adam1-h=somehost:345
Set adam2-h=somehost:5000
Set adam3-h=someotherhost.something.com
 
You could also do this with filters you like to use

Set nastyfilter1-f=(blah)(blah)(blah)(blah)(|(blah)(!((blah)(blah)(blah

If you want to specify properties you either don't specify a switch name or
use the virtual switch props so adfind-props or adfind- should work.


o Added environment from file option (-ef). Similar to above -e option
except that you specify the switches in a file just like you would on the
command line only one switch per line. Attributes can be specified on a
single line each or all on one line. Again switches on the command line will
override. You can combine -e and -ef. Processing order is -ef and then -e. 

For example you could have a file like

-h 2k3dc01
-config
-f objectcategory=subnet
name siteobject

If the file is named adfind.cf you simply specify -ef, if you want to use a
different file name, specify the 
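The -ef / -e / command-line precedence joe describes, re-implemented as a dry-run resolver so the effective switch set can be inspected before a query is run. This is an added example written here, not adfind's own code; Resolve-AdfindArgs, splitting file lines and environment values on whitespace, treating a switch with no following value as a flag, and applying several -e prefixes in the order given are this example's own assumptions.

```powershell
# Added example, not adfind's code: models the precedence from the post.
# Rules: -ef file first, then -e environment variables, then the command
# line; a switch seen later overrides the same switch seen earlier;
# attributes (tokens without a leading '-') accumulate. Whitespace splitting
# and flag handling are simplifications of this example, not adfind's parser.
function Resolve-AdfindArgs {
    param(
        [string]$ConfigFile,                  # -ef: one switch per line
        [string[]]$EnvPrefix = @('adfind-'),  # -e: default prefix; "-e adam1" would be 'adam1-'
        [string[]]$CommandLine = @()          # tokens typed after adfind
    )
    $switches = [ordered]@{}
    $attribs  = New-Object System.Collections.Generic.List[string]

    # "-x value" sets switch x, "-x" followed by another switch (or nothing)
    # is a flag, bare words are attribute names (deduplicated, order kept).
    function Apply-Tokens([string[]]$tokens) {
        for ($i = 0; $i -lt $tokens.Count; $i++) {
            $t = $tokens[$i]
            if ($t.StartsWith('-')) {
                $name = $t.Substring(1)
                if ($i + 1 -lt $tokens.Count -and -not $tokens[$i + 1].StartsWith('-')) {
                    $switches[$name] = $tokens[$i + 1]; $i++
                } else {
                    $switches[$name] = $true
                }
            } elseif (-not $attribs.Contains($t)) {
                $attribs.Add($t)
            }
        }
    }

    # 1. -ef: switches one per line; attributes one per line or several on one line
    if ($ConfigFile -and (Test-Path $ConfigFile)) {
        foreach ($line in Get-Content $ConfigFile) {
            if ($line.Trim()) { Apply-Tokens ($line.Trim() -split '\s+') }
        }
    }
    # 2. -e: "<prefix><switch>=<value>"; "<prefix>props" or bare "<prefix>" carry attributes
    foreach ($prefix in $EnvPrefix) {
        foreach ($var in Get-ChildItem Env: | Where-Object { $_.Name.StartsWith($prefix, 'OrdinalIgnoreCase') }) {
            $name = $var.Name.Substring($prefix.Length)
            if ($name -eq '' -or $name -eq 'props') {
                Apply-Tokens ($var.Value -split '\s+')
            } else {
                Apply-Tokens @("-$name", $var.Value)
            }
        }
    }
    # 3. command line: its switches win, its attributes are added to the set
    Apply-Tokens $CommandLine

    [pscustomobject]@{ Switches = $switches; Attributes = $attribs.ToArray() }
}

# Demo with constructed inputs taken from the post: the sample adfind.cf,
# an adfind-h environment variable, and a command line that overrides -h.
$cf = Join-Path $env:TEMP 'adfind.cf'
@('-h 2k3dc01', '-config', '-f objectcategory=subnet', 'name siteobject') | Set-Content $cf
[Environment]::SetEnvironmentVariable('adfind-h', 'hostname.somedomain.someotherdomain.somedomain.com', 'Process')
[Environment]::SetEnvironmentVariable('adfind-props', 'whenchanged', 'Process')

$r = Resolve-AdfindArgs -ConfigFile $cf -CommandLine @('-h', 'dc02', 'description')
$r.Switches     # h = dc02 (command line beat env and file), config = True, f = objectcategory=subnet
$r.Attributes   # name, siteobject, whenchanged, description
```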

RE: [ActiveDir] Knowing when users were deleted.

2005-10-18 Thread Ulf B. Simon-Weidner
Ouch - Sorry Brett! 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
|Sent: Wednesday, October 19, 2005 5:20 AM
|To: Send - AD mailing list
|Subject: RE: [ActiveDir] Knowing when users were deleted.
|Importance: Low
|
|Such beauty in a mere typo -
|
|Ulf
|Hi Bratt
|/Ulf
|
|... still laughing at the irony ;o)
|
|ah hahahahaha
|
|--
|Dean Wells
|MSEtechnology
|* Email: [EMAIL PROTECTED]
|http://msetechnology.com
|
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
|Simon-Weidner
|Sent: Tuesday, October 18, 2005 10:34 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Knowing when users were deleted.
|
|Hi Bratt,
|
|I knew, however assuming performance and size issues I'd 
|prefer to get a better solutions within the OS for auditing AD 
|instead of bloating it up for retrieving some information.
|
|But thanks to your prior post I'd vote for a auditing within 
|AD as well, if it's even decreasing the metadata and doesn't 
|have a high impact on performance (I know - reading less data 
|is mostly better than worrying about the time it takes to be 
|decompressed, and depending how you would implement this this 
|might even be done distributed on the requesting machine).
|However - and I was impressed of your sharp brain at the 
|summit ;-) - the DCRs I've been involved with don't make me to 
|confident - even if it's you suggesting that - still a stony 
|path to take until we might see something like this.
|
|Ulf
|
||-Original Message-
||From: [EMAIL PROTECTED]
||[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
||Sent: Tuesday, October 18, 2005 4:02 PM
||To: ActiveDir@mail.activedir.org
||Subject: RE: [ActiveDir] Knowing when users were deleted.
||
||Ulf, what Al (well the suggestion on the plate) is suggesting is that 
||the something to centralize that info, _is_ AD replication. Implying 
||the data is in AD.
||
||Cheers,
||-Brett
||
||
||On Tue, 18 Oct 2005, Ulf B. Simon-Weidner wrote:
||
|| |  Wherever the information gets put, it should be a) done as the 
|| |default yet configurable b) centrally viewable (I should
||NOT have to
|| |visit each DC in my forest to find the data) and
|| |c) be included in the base product.
|| 
|| Exactly, that's what I meant. Enable that logging by default and 
|| provide something to centralize that info.
|| 
|| |-Original Message-
|| |From: [EMAIL PROTECTED]
|| |[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
|| |Sent: Tuesday, October 18, 2005 2:42 AM
|| |To: ActiveDir@mail.activedir.org
|| |Subject: RE: [ActiveDir] Knowing when users were deleted.
|| |
|| |Not sure that's going to fix the issue though, unless I'm missing 
|| |something.
|| |  Wherever the information gets put, it should be a) done as the 
|| |default yet configurable b) centrally viewable (I should
||NOT have to
|| |visit each DC in my forest to find the data) and
|| |c) be included in the base product.  I can see no valuable way to 
|| |otherwise do this.  Having to deploy yet another product
||doesn't fix
|| |the problem, it exacerbates it; it's even worse if it's a
||reskit item
|| |as those aren't supported nor as heavily tested.  This is
||important
|| |enough that it should be and should meet those criteria above.
|| |
|| |We may just need to knock a few more edges off before
||submitting this
|| |FMR ;)
|| |
|| |
|| |From: Ulf B. Simon-Weidner [EMAIL PROTECTED]
|| |Reply-To: ActiveDir@mail.activedir.org
|| |To: ActiveDir@mail.activedir.org
|| |Subject: RE: [ActiveDir] Knowing when users were deleted.
|| |Date: Mon, 17 Oct 2005 23:36:44 +0200
|| |
|| |Another Hmm.
|| |
|| |I'd still like to see that better configured that putting it into 
|| |the AD if the infos are already there (or configurable). We could 
|| |request to make it default to log that kind of info. And 
|as far as 
|| |we are talking about looking into every server: Where's ACS? And 
|| |also SNMP would be an option to get notified on a single system 
|| |instead of looking into every DC.
|| |
|| |Ulf
|| |
|| ||-Original Message-
|| ||From: [EMAIL PROTECTED]
|| ||[mailto:[EMAIL PROTECTED] On Behalf Of
||Al Mulnick
|| ||Sent: Monday, October 17, 2005 3:10 AM
|| ||To: ActiveDir@mail.activedir.org
|| ||Subject: RE: [ActiveDir] Knowing when users were deleted.
|| ||
|| ||I'll see your Eurocents and add raise you two. :)
|| ||
|| ||I fully understand where you're coming from Ulf.  Adding this 
|| ||information into the DIT when it is currently possible to get is 
|| ||something that grates against common sense and common 
|engineering 
|| ||principles even if you subscribe to belts and braces
||methodologies.
|| ||
|| ||However, I think two things make this a worthwhile request
|| |with a big
|| ||payoff.  First to Laura's point about diminishing returns.  I 
|| ||agree, at some point there will be diminishing returns.  I also
|| |believe that
|| ||as hardware gets bigger (i.e.
|| 

RE: [ActiveDir] Global Catalog

2005-10-18 Thread Ulf B. Simon-Weidner
Hi Gil,

 |Put your fingers on the table! Slap! ;-) [3] Yes - sorry - 
 |I'm German 
 |;-)

 It sounds more like you're a Catholic nun!

Big belly, big feet, trolling around slowly on the ms campus when we met - I
can see that I appeared to you as penguin ;-)

 BTW, I'm half German. My mother is from Berlin.

Cool, and impressive. Most people in the US who are x% of some nationality
don't know the language.
Too bad I didn't know, would have been easier to speak more fluently ;-)

Ulf

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Gil 
|Kirkpatrick
|Sent: Tuesday, October 18, 2005 7:00 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Global Catalog
|
|Hi Ulf,
|
|Nice to have met you too..
|
|Put your fingers on the table! Slap! ;-) [3] Yes - sorry - 
|I'm German 
|;-)
|
|It sounds more like you're a Catholic nun!
|
|We're pretty much in agreement. The real answer (as it always seems to
|be) is to analyze the threats, assess the risks, and make the 
|appropriate cost/benefit tradeoffs of risk vs. mitigation. 
|Multiple forests increase costs but provide more isolation. Do 
|the costs outweigh the benefits? It all depends on the 
|particular organization.
|
|BTW, I'm half German. My mother is from Berlin.
|
|-g
|
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
|Simon-Weidner
|Sent: Monday, October 17, 2005 11:20 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Global Catalog
|
|Hi Gil,
|
|(btw - was nice meeting you finally in person)
|
|You're right, that might be a better wording. However I didn't 
|mean that I do not agree that the forest is the security 
|boundary, however I do not like people using that term without 
|being more specific. This will lead customers who are not 
|enough into details to deploy multiple forests in scenarios 
|where multiple domains (if even that) would have been sufficient.
|Keeping
|viruses, malware, and the regular "I'm admin - so let's surf the web"
|aside.
|Companies who might trust their admins but have too many users 
|to trust each of them might deploy multiple forests b/c they 
|are afraid that users might try to (hack/)get into 
|other domains. However, in a case like this it _might_ be overrated 
|to deploy different forests, because it's way harder for a 
|regular user to get into another domain (and to valuable data 
|there) than it is for an admin, the scenario is more difficult 
|to administer (which might lead to loosened security and/or 
|more admins you'll have to trust) and the physical security 
|might not be in place to justify such a scenario (the users 
|might still hop around in the same building without 
|distinguished building security[1] or network boundaries[2]).
|
|I do not think that all domain admin threats are in the 
|non-malicious category, and I don't think that forests 
|shouldn't be mentioned as security boundary, however I think 
|if you do mention that you also need to clarify against which 
|threats you're deploying additional forests and what also 
|needs to be applied in the company if you need that level of 
|security for certain parts. In many cases a proper investment 
|into security is better placed by drilling security into the 
|heads of the admins (you're surfing the web as admin? Put your 
|fingers on the table! Slap! ;-) [3] ) than deploying multiple 
|forests without taking additional measures and wrongly believing 
|it's buying you 100% security.
|
|Ulf
|
|[1] meaning that people having access to forest A only 
|shouldn't have physical access to any machines in the office 
|running in forest B and vice versa
|
|[2] different wires, VLANs, or a generic network with people 
|VPNing into their infrastructure. I don't trust our friends 
|aka the unintentional fighters against security aka devs. 
|There are passwords on the wire somewhere in almost every 
|network, and this threat is dependent on your number of 
|in-house developed apps IMHO.
|
|[3] Yes - sorry - I'm German ;-)
|
||-Original Message-
||From: [EMAIL PROTECTED]
||[mailto:[EMAIL PROTECTED] On Behalf Of Gil 
||Kirkpatrick
||Sent: Tuesday, October 18, 2005 1:56 AM
||To: ActiveDir@mail.activedir.org
||Subject: RE: [ActiveDir] Global Catalog
||
||I think it is better to describe a domain as a policy and 
||administration boundary (and a replication boundary), rather than a 
||weak security boundary. It is more precise, and IMO, given the 
||automatic domain trusts in a forest, there is not much of a security 
||boundary between domains.
||
||And given the ease with which malware is distributed (through 
|email and 
||web pages for instance), the distinction between criminal and 
||unintentional is thin, if not non-existent.
||People with criminal intent subvert administrative machines and 
||accounts all the time. So even if you think your domain admin threats 
||are all in the non-malicious category (not a smart way to 
|think