RE: [ActiveDir] Largest AD DIT

2007-01-19 Thread Gil Kirkpatrick
Do you mean biggest production DIT? ~Eric made a 2^31-1 object DIT in
the test lab ... in fact he's going to talk about that at DEC.

-gil



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour,
Joseph
Sent: Friday, January 19, 2007 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Largest AD DIT

Hey has anyone been keeping track of the largest AD database?  I seem to
remember a few years ago it was an online email company.  I'm curious if
that has changed.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


RE: [ActiveDir] Client time sync

2007-01-12 Thread Gil Kirkpatrick
And w32tm /monitor will show to what machine it is actually syncing, if
any.

-gil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, January 10, 2007 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Client time sync

Try the command...

w32tm /resync /rediscover

See if that helps the client figure out where it should look for time.

~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, January 10, 2007 2:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Client time sync


I have a machine (at least one I know of) that isn't syncing time with
the domain controller its logging into.  I've restarted the win32time
service on it to see if that would sync it and it doesn't.  Any
suggestions on where to start?  The DC and the client are off by about 9
minutes.



RE: [ActiveDir] OT: Hello?

2007-01-04 Thread Gil Kirkpatrick
Only if you had to install Linux.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, January 04, 2007 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Hello?

Hey, Santa brought me coupon for a new home computer, redeemed the
coupon and built the system.  Doesn't that count as work??

Dan

  Original Message 
 Subject: RE: [ActiveDir] OT: Hello?
 From: Crawford, Scott [EMAIL PROTECTED]
 Date: Thu, January 04, 2007 3:35 pm
 To: ActiveDir@mail.activedir.org

I've seen a few today, but the list has been quite slow for the last week
or so.  Come on guys, the holidays are the time to actually get stuff done :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Thursday, January 04, 2007 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Hello?

I haven't seen a single e-mail from the mailing list since yesterday
morning. Is anyone else seeing this e-mail?  Has anyone else received
e-mails since then?  Just curious if the list has just been dead for the
past day, or if something might not be working properly.

~Ben



[ActiveDir] Directory Experts Conference Early-bird pricing expires this week

2007-01-04 Thread Gil Kirkpatrick
Greetings, list mavens.

The early-bird pricing for DEC 2007 expires this week, so if you're
thinking about coming, now would be a good time to register. Some of the
highlights of this year's conference:

1. Hands-on Longhorn AD workshop
2. Hands-on MIIS Raven workshop
3. Hands-on ADFS workshop
4. Keynotes by Kim Cameron (Microsoft architect for identity) and Peter
Houston (Microsoft Senior Director for Identity and Access)
5. Walkthrough and feedback sessions for MIIS Raven
6. Two full tracks of AD technical sessions
7. Two full tracks of MIIS technical sessions
8. Sessions on ADFS, Certificate Lifecycle Manager, InfoCard, and Rights
Management Server 

So now's the time... Check the agenda and register at www.dec2007.com.

Thanks,

Gil Kirkpatrick
Conference Founder
MVP, Directory Services



[ActiveDir] Directory Experts Conference 2007

2006-12-22 Thread Gil Kirkpatrick
Greetings, list denizens.

The next Directory Experts Conference is scheduled for April 22-25 at
the Red Rock Resort in Summerlin, NV. DEC is the premier conference
focused on Microsoft Identity and Access technologies, including AD,
AD/AM, MIIS, ADFS. New this year are sessions on Certificate Lifecycle
Manager (CLM) and Rights Management Server (RMS). DEC 2007 will also
include pre-conference workshops for Longhorn AD, MIIS (using the latest
Raven bits), ADFS, and possibly InfoCard. You can find out more about
DEC at www.dec2007.com.

DEC is fundamentally a community event, which brings me to the reason
I'm posting this to the list: We are still in the midst of organizing
the conference, and I would like to solicit your input before we nail
everything down. I've set up a wiki for the speakers and organizers (for
those of you so uncool as to not know what a wiki is, see
http://en.wikipedia.org/wiki/Wiki). The wiki currently includes pages
for all of the sessions, as well as each of the workshops. I would
_really_ appreciate it if you could take the time to look over the site
and add any questions, comments or suggestions you might have by
clicking the Add Comment link at the bottom of each page. I'm
particularly interested in your thoughts and desires for the workshops
and sessions. I know the speakers would appreciate your input regarding
their sessions as well. Even if you don't plan on attending DEC this
year, your thoughts and questions are still valuable to me and the
speakers.

The DEC wiki is at http://dec.editme.com, and is available to the public
for reading and commenting. Only the speakers can actually change the
pages. If you want to get email notifications of changes to the wiki,
click the Register link and provide an email address. You'll then get an
email once a day listing the URLs of the changed pages.

Here are some pages to start with:

Backpacks? Messenger bags? Or something else entirely? Make your
suggestions for DEC swag at http://dec.editme.com/DEC2007Events.
Would you be interested in a half-day CardSpace workshop? See Pamela
Dingle's ideas for the workshop at
http://dec.editme.com/Dec2007CardspaceWorkshop and make your comments.
Any feedback on the sessions? Go to
http://dec.editme.com/DEC2007Sessions.

Thanks again for your time and input, and I hope to see you at DEC next
year!

-gil

Gil Kirkpatrick
DEC Founder

Meet us in Las Vegas April 22-25 for the 6th annual Directory Experts
Conference http://www.dec2007.com .



RE: [ActiveDir] AD Reports

2006-12-19 Thread Gil Kirkpatrick
Or NetPro's ReportADMin (http://www.netpro.com/products/reportadmin/index.cfm)
 
-gil
 
CTO, NetPro



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 19, 2006 2:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Reports


Quest's Reporter may help. They offer a free version as well as a full, retail 
version.
 
neil



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alberto Oviedo
Sent: 18 December 2006 16:45
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Reports


What's the best AD reporting tool? My boss wants a report of all the users who 
are allowed to send and receive Internet Mail in Exchange 2003. I can go and 
check user by user but we have over 500 users.



RE: [ActiveDir] Possibility of writing to ntSecurityDescriptor with LDAP and Unix

2006-12-12 Thread Gil Kirkpatrick
It's certainly doable... there are two gotchas though.
 
One, you need to use the 1.2.840.113556.1.4.801 (#defined as
LDAP_SERVER_SD_FLAGS_OID in ntldap.h) control on the search and modify
operations. This lets you set and retrieve portions of the
nTSecurityDescriptor attribute. The parameter is an integer bit mask that
describes what parts of the SD to return. See
http://msdn2.microsoft.com/en-gb/library/aa366987.aspx. When you update
the SD, be sure you set the flags only for the parts you are updating.
If you don't you'll get an error on the update.
 
The other thing you have to worry about is that the nTSecurityDescriptor
attribute is a binary blob (ASN sequence of bytes). The blob is a
self-relative security descriptor structure as defined in winnt.h
(typedef'd as SECURITY_DESCRIPTOR_RELATIVE). You'll probably have to
create the structure definition yourself based on what's in winnt.h. I
don't know if the Samba headers have a usable definition or not.
 
-gil
 
Gil Kirkpatrick
CTO, NetPro



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Santiago,
Felderi (F.)
Sent: Tuesday, December 12, 2006 12:50 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Possibility of writing to ntSecurityDescriptor with
LDAP and Unix




I know this may sound crazy, but I need to write to the
ntSecurityDescriptor attribute on a computer account from Unix via LDAP.
Any clues?  Essentially, what I am trying to do is query the
ntsecuritydescriptor attribute of an object already in AD to see the
value and would like to set the same value on a specific object moving
forward.

Why ldap from Unix?  Well, I am dealing with Unix Admins who hate
Windows and want to do everything Unix.  Any tips or tricks would be
greatly appreciated.

Thank you!  
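The two structures Gil describes, as an added example that is not part of the thread and not anyone's product code: a small Python encoder/decoder for the self-relative SECURITY_DESCRIPTOR_RELATIVE blob (owner, group, and a DACL of plain ACCESS_ALLOWED ACEs, laid out as in winnt.h) plus a helper that derives the SD_FLAGS control value from the parts actually present in the blob, so a partial update sends only the flags for the parts it carries. The sample SD is constructed inline; no LDAP library or directory is involved.

```python
import struct

# SECURITY_INFORMATION bits; the SD_FLAGS control value is an OR of these.
SECURITY_INFORMATION = {"owner": 0x1, "group": 0x2, "dacl": 0x4, "sacl": 0x8}
SE_DACL_PRESENT = 0x0004   # Control bits from winnt.h used here
SE_SELF_RELATIVE = 0x8000
SD_FLAGS_OID = "1.2.840.113556.1.4.801"  # LDAP_SERVER_SD_FLAGS_OID
# SECURITY_DESCRIPTOR_RELATIVE header: Revision, Sbz1, Control, then the
# little-endian offsets of Owner, Group, Sacl and Dacl from the blob start.
HEADER_FMT = "<BBHIIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 20 bytes

def sid_to_bytes(sid):
    """'S-1-5-32-544' -> binary SID: revision, sub-authority count,
    48-bit big-endian identifier authority, little-endian sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("bad SID %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(buf, off):
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def build_sd(owner=None, group=None, dacl_aces=None):
    """Assemble a self-relative SD. Parts left out get offset 0, which is the
    partial-SD case Gil describes when only some parts are being updated.
    dacl_aces is a list of (access_mask, sid) ACCESS_ALLOWED entries."""
    body, off = bytearray(), {"owner": 0, "group": 0, "sacl": 0, "dacl": 0}
    if owner:
        off["owner"] = HEADER_LEN + len(body)
        body += sid_to_bytes(owner)
    if group:
        off["group"] = HEADER_LEN + len(body)
        body += sid_to_bytes(group)
    if dacl_aces is not None:
        aces = b""
        for mask, sid in dacl_aces:
            sid_b = sid_to_bytes(sid)
            # ACE header (AceType 0 = ACCESS_ALLOWED, AceFlags, AceSize), Mask, SID
            aces += struct.pack("<BBHI", 0, 0, 8 + len(sid_b), mask) + sid_b
        # ACL header: AclRevision 2, Sbz1, AclSize, AceCount, Sbz2
        off["dacl"] = HEADER_LEN + len(body)
        body += struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(dacl_aces), 0) + aces
    control = SE_SELF_RELATIVE | (SE_DACL_PRESENT if dacl_aces is not None else 0)
    header = struct.pack(HEADER_FMT, 1, 0, control,
                         off["owner"], off["group"], off["sacl"], off["dacl"])
    return header + bytes(body)

def parse_sd(blob):
    """Decode a self-relative SD into owner/group SIDs and DACL ACEs. Object-type
    ACEs carry extra fields before the SID, so they come back with SID None."""
    revision, _, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from(HEADER_FMT, blob, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    sd = {"owner": bytes_to_sid(blob, o_owner) if o_owner else None,
          "group": bytes_to_sid(blob, o_group) if o_group else None,
          "sacl_present": bool(o_sacl), "dacl": None}
    if o_dacl:
        ace_count = struct.unpack_from("<BBHHH", blob, o_dacl)[3]
        aces, pos = [], o_dacl + 8
        for _ in range(ace_count):
            ace_type, _, ace_size = struct.unpack_from("<BBH", blob, pos)
            mask = struct.unpack_from("<I", blob, pos + 4)[0]
            sid = bytes_to_sid(blob, pos + 8) if ace_type in (0, 1) else None
            aces.append((ace_type, mask, sid))
            pos += ace_size  # always advance by the declared AceSize
        sd["dacl"] = aces
    return sd

def sd_flags_for(blob):
    """SD_FLAGS value for a blob about to be written: one bit per part that is
    actually present, plus the BER controlValue SEQUENCE { INTEGER flags }.
    Setting a bit for a part the blob lacks is the update error Gil mentions."""
    offsets = dict(zip(("owner", "group", "sacl", "dacl"),
                       struct.unpack_from(HEADER_FMT, blob, 0)[3:]))
    flags = sum(SECURITY_INFORMATION[part] for part, off in offsets.items() if off)
    return flags, bytes([0x30, 0x03, 0x02, 0x01, flags])
```

Pass the returned BER bytes as the value of a control with OID SD_FLAGS_OID on both the search that reads the blob and the modify that writes it back.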



RE: [ActiveDir] Quest Recovery Manager

2006-12-07 Thread Gil Kirkpatrick
Just to give an idea of how insane it can get

A good friend of mine works at a software company (not in the Microsoft
space)... let's call it company G. Company G is small (300 people or so)
and privately held, with a superior product. Company G's main
competition is Company W, a large, bloated publicly held company, with
a decidedly inferior product. Company W hasn't developed anything
innovative in years... all their new products have come through
acquisitions.

Now check this out: Company G has a competitive sales program for
Company W's customers. If a customer has decided on Company W, for
whatever reason, and there is no way that they will buy Company G's
product, Company G will work with the customer to provide a competitive
bid *just to drive Company W's prices down.* The customer doesn't even
have to look at Company G's products.

Now THAT's ruthless sales behavior!

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DCRI) [E]
Sent: Thursday, December 07, 2006 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

I would say companies competing via innovative features benefit
customers more than just low balling each other in this space / vertical
market.

And just like a free puppy... If you don't train it... you eventually
have to call in the Directory Whispers.

I think I might have just found some inspiration for a new TV Show.

Todd

-Original Message-
From: Martin Tuip [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 07, 2006 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Quest Recovery Manager

Competition benefits customers.


Martin

- Original Message - 
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, December 06, 2006 7:46 PM
Subject: RE: [ActiveDir] Quest Recovery Manager


It gets even nuttier in competitive situations. Bring in the NetPro
products for eval, and watch how fast the Quest price goes to zero. It's
like the old Crazy Eddy's TV ads in New York.

Of course it's free like a puppy... :)

-gil



From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 12/6/2006 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager



The Quest guys told me the other day they had a lot of leeway on some
pricing for one of my clients so I'm wondering if this is the end of the
year for the salesmen and they need to make their year this month (if so
this is an excellent time to buy Quest software)

Ha! Show me a sales person from ANY software company who doesn't get that
wide-eyed, crazed, foaming-at-the-mouth look in his or her eye around
quarter-end or year-end and I'll show you a sales person that is about to be
fired. It's part of the game. Gotta make quota, esp. at year end, and to do
that, you gotta discount! I would think most IT shops are wise to it by now.
It's kind of a sick dance we all do :)

Darren

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, December 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Yeah. Sit down with your team and figure out what it is you need - must
have, would like to have, and nice to have. Then, tell all the vendors you
want a little webinar (they love these), and then compare your notes after
each/all of them again. Rule out any ones now that don't do the trick

Then go get ready to have it shoved way up your ass when they give you the
pricing. Then you can suggest (if they haven't already) that they come
discuss it in further and plan on a lunch/dinner or two on their dime while
you further discuss how expensive their stuff is and what they can do for
you to make it more attractive. The Quest guys told me the other day they
had a lot of leeway on some pricing for one of my clients so I'm wondering
if this is the end of the year for the salesmen and they need to make their
year this month (if so this is an excellent time to buy Quest software).

Now that said, I've worked in a few large shops, and we haven't had any of
this frilly fancy shit. It's expensive, I hate the per head/per seat/per
whatever pricing, and frankly all I think it does is idiot proof what's
already there. Rather than having something do it for you, why don't you
learn how it does it, because then you'll be smarter, and you can go get a
new better job with your new found talents.

That said there is some cool shit from quest and NetIQ and those guys - I'm
into the change control/management stuff in shops where there are too many
cooks in the kitchen. Quest's migration stuff is of course great if you can
afford it.



Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd 
(NIH/CC/DCRI) [E]
Sent: Wednesday

RE: [ActiveDir] Quest Recovery Manager

2006-12-06 Thread Gil Kirkpatrick
shameless plug

NetPro has an AD data recovery product called RestoreADmin that competes
very well with the Quest product. It solves the AD object recovery
problem nicely.

See http://www.netpro.com/products/restoreadmin/index.cfm.

/shameless plug

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 7:37 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quest Recovery Manager

Todd, thanks for your insight. Good points to think about. 


James Masters
Systems Architecture and Engineering
The Kroger Co.
Office: (859) 363-2346
Cell:(859) 653-8644


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DCRI) [E]
Sent: Wednesday, December 06, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quest Recovery Manager

Same here... Good stuff.

To be fair though, most of the major AD players have these tools now.
The thing about the Quest (Aelita) tool was its use of their own APIs to
address issues like Domain Local Groups etc.  I haven't kept up with the
latest versions so I am not sure what direction they have gone since
2003.
Latest information I remember was they offered you the option to use the
MS API methods for recovery, or their special brew for more advanced
recovery options.

Now if you put some extra effort into your query, you might get this thread
nice and hot, and generate input from people like Stuart Kwan discussing
supportability issues using the various recovery methods, Guido Vladimir
discussing in great depth the inherent problems of group recovery, various
opinions on how to use isolated sites with rubber chickens, MIIS, ADAM to
reanimate deleted objects (This seems to be a favorite topic of Gil's to
use to fill in spots at DEC)... did I forget anyone... hmm maybe Robbie
might take time away from work on his Fields Medal or latest cookbook to
write you a Monad shell script that Joe will find a way to compile into a
.exe to execute from an ADFIND query pipe.

In all seriousness though, when evaluating DR features for AD you will have
a lot of things to consider, technologies being just one.  The nature of
the type of AD objects you want to recover and in what state should be
considered (Groups, GPOs, etc, attribute data).  How much time do you want
to dedicate to this operation?  How much do you want to spend? And who will
support you if the recovery operations fail or seem to cause more
problems?

If you are looking just to recover deleted users, the various free tools
out there will do just fine.

I highly recommend that you start your DR project today by just using the
good old MS backup utility at a minimum to make a MST formatted backup of
the system state and data from a domain controller in each of your domains
you think has the most current AD data in your organization.  That pretty
much guarantees you can recover every object given that you have the data
in some backup.

And to all the people I mentioned above.  Happy Holidays... and New Year.

Todd

-Original Message-
From: Day, James (NPS)
Sent: Wednesday, December 06, 2006 8:03 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Quest Recovery Manager

Hi James

We bought this when it was an Aelita tool and loved the product - it
pretty much paid for itself in one step the second month we were using
it.
The product is still good but I have nothing good to say about Quest
support (but I could complain for hours about it if I am allowed to).

There are a couple of other similar ones that may also be worth.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-354-1464
202-230-2983 (CEL)
[EMAIL PROTECTED]


 

From: [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Date: 12/05/2006 05:11 PM EST
Subject: [ActiveDir] Quest Recovery Manager
Please respond to: [EMAIL PROTECTED]

Does anybody have anything particularly good or bad to say about Quest's
Recovery Manager product?

We are evaluating it for 2 forests, and 3 domains.

As always, thanks for all of your insight and expertise.

-James

RE: [ActiveDir] Quest Recovery Manager

2006-12-06 Thread Gil Kirkpatrick
It gets even nuttier in competitive situations. Bring in the NetPro products 
for eval, and watch how fast the Quest price goes to zero. It's like the old 
Crazy Eddy's TV ads in New York.
 
Of course it's free like a puppy... :)
 
-gil



From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 12/6/2006 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager



The Quest guys told me the other day they had a lot of leeway on some pricing 
for one of my clients so I'm wondering if this is the end of the year for the 
salesmen and they need to make their year this month (if so this is an 
excellent time to buy Quest software)

 

Ha! Show me a sales person from ANY software company who doesn't get that 
wide-eyed, crazed, foaming-at-the-mouth look in his or her eye around 
quarter-end or year-end and I'll show you a sales person that is about to be 
fired. It's part of the game. Gotta make quota, esp. at year end, and to do 
that, you gotta discount! I would think most IT shops are wise to it by now. 
It's kind of a sick dance we all do :)

 

Darren

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, December 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

 

Yeah. Sit down with your team and figure out what it is you need - must have, 
would like to have, and nice to have. Then, tell all the vendors you want a 
little webinar (they love these), and then compare your notes after each/all of 
them again. Rule out any ones now that don't do the trick


Then go get ready to have it shoved way up your ass when they give you the 
pricing. Then you can suggest (if they haven't already) that they come discuss 
it in further and plan on a lunch/dinner or two on their dime while you further 
discuss how expensive their stuff is and what they can do for you to make it 
more attractive. The Quest guys told me the other day they had a lot of leeway 
on some pricing for one of my clients so I'm wondering if this is the end of 
the year for the salesmen and they need to make their year this month (if so 
this is an excellent time to buy Quest software).

 

Now that said, I've worked in a few large shops, and we haven't had any of this 
frilly fancy shit. It's expensive, I hate the per head/per seat/per whatever 
pricing, and frankly all I think it does is idiot proof what's already there. 
Rather than having something do it for you, why don't you learn how it does it, 
because then you'll be smarter, and you can go get a new better job with your 
new found talents.

 

That said there is some cool shit from quest and NetIQ and those guys - I'm 
into the change control/management stuff in shops where there are too many 
cooks in the kitchen. Quest's migration stuff is of course great if you can 
afford it.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd 
(NIH/CC/DCRI) [E]
Sent: Wednesday, December 06, 2006 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

 

I don't think there are many independent rankings out there.  You have to 
figure that Windows ITPro and SearchWindows are probably the easiest sources to 
get access to online, but they are influenced by ad dollars sometimes.   It is 
possible that Burton Group and possibly Gartner have done some research But 
I doubt it.  I know that directions on Microsoft hasn't covered it.  It is a 
pretty niche topic.

 

I think the best way to approach this is to have a good old-fashioned bake-off of 
the technologies.  Depending how big a player you are, you can probably get 
Quest, Netpro, Veritas, and Commvalt to step-up.  I would say that all the 
technologies are pretty stable at the moment; there isn't a lot of innovation 
going on anymore, so it is pretty hard to make a mistake choosing one of these 
products.

 

 

Todd



From: Tim Onsomu [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 06, 2006 2:06 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

 

Does anybody know what independent rankings look like for AD DR tools?




-Original Message-
From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Wed 12/6/2006 9:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

shameless plug

NetPro has an AD data recovery product called RestoreADmin that competes
very well with the Quest product. It solves the AD object recovery
problem nicely.

See http://www.netpro.com/products/restoreadmin/index.cfm.

/shameless plug

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 7:37 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED

RE: [ActiveDir] Pointsec software vs. Active Directory

2006-11-28 Thread Gil Kirkpatrick
It's curious you saw significant disk I/O with no corresponding increase
in LDAP activity. Is the application running on the DC in your test
environment? Is it generating a lot of authentication traffic?
 
-gil



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, November 28, 2006 11:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Pointsec software vs. Active Directory



Vincent-

 

I have no idea what Pointsec is or does, perhaps you could share a
little bit about this.

 

What are the characteristics of the domain controllers in your test
forest? How much memory? Disk config? How big is the DIT?

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of De Potter
Vincent
Sent: Tuesday, November 28, 2006 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Pointsec software vs. Active Directory

 

Hi,

 

My organisation is looking into testing and implementing Pointsec
software for encryption purposes for our client environment. I'm
responsible for the Directory service and they've asked me to
participate. 

I've set up a development forest and let the Pointsec team loose on
that one. I activated some perfmon counters to see the impact on one DC.
Regarding LDAP queries it was quite ok (only 1 reference to an expensive
one) but I saw some implication on the physical disks of the machine
that were hit quite heavily. Also a colleague of mine could remember from
his previous company that the roll out of that soft brought some issues
along.

Does anyone of you have experience with the implementation of Pointsec
and the impact on the directory service (especially the boxes) in a
large environment?

_
Vincent De Potter
Volvo Information Technology



RE: [ActiveDir] Pointsec software vs. Active Directory

2006-11-28 Thread Gil Kirkpatrick
And what does it actually do with all the changed AD objects?



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of De Potter
Vincent
Sent: Tuesday, November 28, 2006 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Pointsec software vs. Active Directory


Hi Gil,
 
No it's running on a dedicated server targeting that DC. Authentication
from the software's service account is quite numerous let's say :-)
There's enough LDAP activity but not in an expensive way. This is what
it does:
 

The ADScanner uses the ADSI (Active Directory Services
Interface) and LDAP (Lightweight Directory Access Protocol) when
searching for changes (default port 389) in a Domain. The ADScanner
works with USN (update sequence number) queries using the uSNChanged
attribute. It uses the uSNChanged attribute of an AD object to retrieve
changes. When an AD object is modified on a domain controller, it sets
the uSNChanged of the object to a value that is larger than the value of
the uSNChanged attribute for all other objects held on that domain
controller. The object with the highest value of the uSNChanged
attribute is then the most recently changed object on the domain
controller. The domain controller holds the highest uSNChanged value in
the highestCommittedUSN attribute. 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: dinsdag 28 november 2006 20:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Pointsec software vs. Active Directory


It's curious you saw significant disk I/O with no corresponding increase
in LDAP activity. Is the application running on the DC in your test
environment? Is it generating a lot of authentication traffic?
 
-gil



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, November 28, 2006 11:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Pointsec software vs. Active Directory



Vincent-

 

I have no idea what Pointsec is or does, perhaps you could share a
little bit about this.

 

What are the characteristics of the domain controllers in your test
forest? How much memory? Disk config? How big is the DIT?

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of De Potter
Vincent
Sent: Tuesday, November 28, 2006 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Pointsec software vs. Active Directory

 

Hi,

 

My organisation is looking into testing and implementing Pointsec
software for encryption purposes for our client environment. I'm
responsible for the Directory service and they've asked me to
participate. 

I've set up a development forest and let the Pointsec team loose on
that one. I activated some perfmon counters to see the impact on one DC.
Regarding LDAP queries it was quite ok (only 1 reference to an expensive
one) but I saw some implication on the physical disks of the machine
that were hit quite heavily. Also a colleague of mine could remember from
his previous company that the roll out of that soft brought some issues
along.

Does anyone of you have experience with the implementation of Pointsec
and the impact on the directory service (especially the boxes) in a
large environment?

_
Vincent De Potter
Volvo Information Technology



RE: [ActiveDir] OT: Computer Account in Local Administrators Group

2006-07-11 Thread Gil Kirkpatrick



Set the resolution to 4096x6720, and... ahh, there it is. 
NOW the whole ego fits on the screen.

:Q

-gil


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 11, 2006 4:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group

Almost always

;o)


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Friday, July 07, 2006 9:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group


I see the flaws in my 
original statement, and should have worded it differently.

My interpretation of "Network
Service" functionality is different from joe's. But joe is smarter than
me, has some cool tools that give him much more authoritative information
on these kinds of things, and he is almost always correct. So, please listen to
him.

If I have the time, I may come back and try 
to explain my interpretation.


Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


From: joe
Sent: Thu 7/6/2006 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group

A service running on ServerA as localsystem or
networkservice will touch remote machines including ServerB with the security
context of DOMAIN\ServerA, not networkservice.

A service running on ServerA in localservice should touch
remote machines as anonymous.

At no point will configuring permission on ServerB to
networkservice give any rights to ServerA, only processes running on the local
machine (ServerB) as networkservice.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Thursday, July 06, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group


I see...

If the service runs as LocalSystem, then it 
already has the highest privilege possible on that system. In this case, the 
vendor (or the vendor's support rep) may be asking for this simply for the 
"interact" portion of your statement. Without knowing what the app does, it's 
hard to tell. But, I'd ask the vendor's rep specifically what level of access is 
needed to perform whatever the app is supposed to perform on the "other 
machine".

Because, you see, if the app runs in the
context of LocalSystem on ServerA and needs to do something on ServerB, the
Network Service credentials will be used. If whatever is running on ServerB
allows "Network Service" account to do the job, then there is no additional
config or privilege to add on ServerA. Ask the vendor if "Network Service" has
the ability to successfully "interact" with the other machine in question, or if
the access can be configured to accommodate the "Network Service"
account.



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


From: [EMAIL PROTECTED]
Sent: Thu 7/6/2006 8:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Computer Account in Local Administrators Group



I'm definitely not
wanting to do this, but a vendor was saying to do it to allow one of their
services to run as Local System and be able to interact with another
machine.

I am very skeptical, 
and not allowing it.

Thanks,
James





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 05, 2006 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group



More directly - WHY 
are you looking to do this? What problem are you trying to 
solve?





Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
http://www.readymaids.com/ - we know IT
http://www.akomolafe.com/
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon





From: joe
Sent: Wed 7/5/2006 9:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group

Ultimately, anyone with physical access to the remote PC will have Admin
rights over the PC in which you add the account to the admins group for.
Directly, anyone who can run anything as localsystem or networkservice will have

RE: [ActiveDir] Schema Question

2006-07-01 Thread Gil Kirkpatrick
I never considered that the license cost of MIIS was all that high. Even
if you paid list (which not many of the customers I've worked with did),
it's not a huge outlay.

The significant costs are in the analysis, requirements, engineering,
and operations.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, June 30, 2006 10:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

Yeah,
 
until the price of MIIS [1] comes down from its stratospheric level, and
until I can look a customer in the eye and say yes, you can use mySQL or
such, I won't touch MIIS with a long pole.

[1] Yes yes, MIIS is just one of many provisioning solutions. I've seen a
few, and the engineering that goes into making them work at all is so
intensive that I don't like to offer them as solutions.

 

 


Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 6/30/2006 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question


You mean as in copying in ADUC... What are you crazy?? Provisioning is
the new cool key word Deji. ;)
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm

 
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Friday, June 30, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question


Listen to what they say
 
But if you really have to set attributes, consider using user templates
and populating the relevant settings that you need. Then do your user
account creation using the templates.
 

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: Brian Desmond
Sent: Fri 6/30/2006 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question



And anyway you should be putting quotas either in a recipient policy or
manually on the attributes that control them...

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, June 30, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

 

No. Your provisioning system (e.g. MIIS, etc) should be doing this. 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin
(ITS)
Sent: Friday, June 30, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Question

 

All,

 

Let me start with, I'm a total newb when it comes to Schema and Schema
modifications.

 

Is it possible to modify the schema so that every time a new user is
created (via ADUC) an extension attribute is populated with a default
value? Our Exchange guys would like extensionAttribute5 to be populated
automatically with 100, which is the default mailbox size. Is this
possible? It seems like it would be, but as I warned, I'm a newb.

 

Thanks,

 

Justin Clay
ITS Enterprise Services 
Metropolitan Government of Nashville and Davidson County 
Howard School Building 
Phone: (615) 880-2573

 



ITS ENTERPRISE SERVICES EMAIL NOTICE

The information contained in this email and any attachments is
confidential
and may be subject to copyright or other intellectual property
protection. If
you are not the intended recipient, you are not authorized to use or
disclose
this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.

 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] DC Configuration

2006-06-22 Thread Gil Kirkpatrick
OS, DIT, logs on separate spindles.

Enough memory to store the DIT + overhead.

-gil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Thursday, June 22, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Configuration

We have some budget money to replace domain controllers this year. Not
all of them but probably half of them. We've pretty much decided on 64
bit Dell PowerEdge servers. Most of the discussion is about disk
configuration. Two schools of thought exist here.

1) 2x73GB 15K drives in RAID1. Carve up the volume at the OS level with
20GB or so for the OS and the remainder for NTDS, Sysvol, and system
state backups

2) Two sets of 2x73 10K drives in RAID1. The first set is for the OS,
the second is for NTDS, Sysvol, and system state backups.

I've always liked physically separating the OS from the application
data. Others here like carving up the volume at the OS.

Any thoughts, opinions, suggestions?

tia, al
-- 

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]


RE: [ActiveDir] DC Configuration

2006-06-22 Thread Gil Kirkpatrick



Ethics? That's the stuff the guys in the other party don't
have.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 22, 2006 3:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Configuration

Exactly...

Congress: Ethics? What's that?



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, June 22, 2006 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Configuration

Yea, it seemed an awful basic question for you joe. And, of 
course I fell for it. Agreed though that software RAID is like Congress creating 
its own ethics rules--just a bad idea all around.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 22, 2006 3:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Configuration

ROFL!

That was more of a case of purposely refusing to 
acknowledge software RAID versus truly understanding what it is. I have had far 
more than my share of times trying to rebuild software raid configs. 



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, June 22, 2006 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Configuration

Software RAID is where the OS (in this case) handles the 
striping of the data rather than the hardware (usually the 
controller).




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 22, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Configuration

o Software RAID? What's that? 

o Yeah I am not a fan of mirrors. I like lots of
spindles. But then I tend to work with big busy directories with
Exchange beating on it. Being 64 bit you don't have to worry _as much_
assuming you have enough RAM to cache your entire DIT but you still have to load
that baby in the first place so I would still recommend RAID 0+1, 10, or 5 or if
you don't care about fault tolerance the fastest is RAID-0.

o I would say if you are going 64 bit, make sure you make
it a priority to get enough RAM to hold your entire DIT. That is the cool
thing about getting 64 bit.




--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, June 22, 2006 5:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Configuration

There would be a little more to gain than that but often that's the
reason. joe might point out that a two mirror configuration is not his
optimal configuration. I'm pretty sure he'd also point out that compared with
software raid, that he'd take that option. :)

I can honestly say I'd agree with him on this one. Software mirroring for
this type of application is never a good idea. The slower spindle speeds
likely won't be enough of an issue to matter in your configuration. Unless you
have a very large DIT (queue jokes here) or applications that pound the
snot out of the individual servers, spindle speed won't be nearly as important.
Since it's 64 bit you're after, spend some money on the memory and take
advantage of the cache as much as you can.

Al
On 6/22/06, Noah Eiger [EMAIL PROTECTED] wrote:

  What would the partitions on the first configuration gain you (over just
  a single C:)? I thought the idea behind placing NTDS, etc on something
  _besides_ C: was to get the performance benefits of extra spindles (as
  in #2).

  -- nme

  -Original Message-
  From: Al Lilianstrom [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, June 22, 2006 1:24 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] DC Configuration

  We have some budget money to replace domain controllers this year. Not
  all of them but probably half of them. We've pretty much decided on 64
  bit Dell PowerEdge servers. Most of the discussion is about disk
  configuration. Two schools of thought exist here.

  1) 2x73GB 15K drives in RAID1. Carve up the volume at the OS level with
  20GB or so for the OS and the remainder for NTDS, Sysvol, and system
  state backups

  2) Two sets of 2x73 10K drives in RAID1. The first set is for the OS,
  the second is for NTDS, Sysvol, and system state backups.

  I've always liked physically separating the OS from the application
  data. Others here like carving up the volume at the OS.

  Any thoughts, opinions, suggestions?

  tia, al
  --
  Al Lilianstrom
  CD/CSS/CSI
  [EMAIL PROTECTED]

RE: RE : RE: [ActiveDir] AD LDAP Logging.

2006-06-09 Thread Gil Kirkpatrick



You can use SPA, or you can use logman and tracerpt to get
detailed LDAP stats. SPA does a lot of analysis for you and diagnoses several
classes of AD perf problems. Tracerpt will give you a fairly raw look at all the
LDAP traffic. I covered all three in my DEC AD Performance session (which I
didn't actually deliver at DEC :). It's available on the NetPro website at
http://www.netpro.com/community/medialibrary.cfm.

-gil


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Friday, June 09, 2006 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE : RE: [ActiveDir] AD LDAP Logging.


It is true that SPA is 
not localized but I believe the French version will be ok. The problem 
comes about with the localization of the perfmon data. If you have 
problems post back and we can try a few work arounds because we are only really 
interested in the trace data at this point which should not be 
impacted.

Thanks,

-Steve





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, June 09, 2006 11:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] AD LDAP Logging.


Thank you for your answer Steve. I will install SPA on
Monday and see if I can log some LDAP activities (errors, connection
problems, etc...).



Will this version of spa work on a w2k3 sp1 French 
version ?



Regards,



Yann

Steve Linehan [EMAIL PROTECTED] wrote:

  
  I would suggest
  taking a look at Server Performance Advisor (SPA), assuming these are Windows
  Server 2003 DCs, and using it to collect and analyze the data for the DCs in
  question. This tool combines performance counters and the tracing data
  that Joe is referring to, which will allow you to get very detailed information
  on what is occurring. This tool will give you a peek into the new
  performance and monitoring capabilities that we are adding into the next
  versions of the OS. It will also give you hints on what we believe the
  performance problems are. One of these days when I get a chance I will
  try to write a blog entry on all of the things you can do with SPA. By
  the way it also collects information for other server roles as well, such as
  IIS, giving you tremendous amounts of detail found nowhere else. Yes,
  event tracing is the future of not only performance monitoring but debugging
  difficult issues.
  
  
  
  You can download SPA 
  from here:
  
  http://www.microsoft.com/downloads/details.aspx?FamilyID=09115420-8c9d-46b9-a9a5-9bffcd237da2&DisplayLang=en
  
  
  
  
  Thanks,
  
  
  
  -Steve
  
  
  
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Friday, June 09, 2006 9:35 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] AD LDAP Logging.
  
  
  
  Unfortunately the
  logging is very basic, it will not log LDAP errors from anything I have seen.
  This is something I have asked for from MSFT as well, very detailed LDAP
  logging like you can enable with some of the other directories. Usually I hear
  a response of use event tracing but I haven't had a chance to really
  dig deep into that yet to see how useful it will be.
  
  
  
  
  It depends on what the
  code is displaying as error messages, but possibly a query timed out? That could
  be indicative of a very poor query. By default, if a query goes more than 2
  minutes, it will get dropped.
  
  
  
  
  
  
  --
  
  O'Reilly Active 
  Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  
  
  
  
  
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Yann
  Sent: Friday, June 09, 2006 9:42 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re : [ActiveDir] AD LDAP Logging.
  
  
  
  Good point 
  Joe.
  
  
  
  
  
  I will use perfmon to monitor the health of my 
  DC.
  
  
  Another
  question.
  
  
  
  
  
  The Web app timed out with this generic error
  "the server is down", where "the server" =
  mydc.
  
  
  At the time of the web app timed 
  out, i saw no errors about ldap connections between my dc and the zope 
  server.
  
  
  
  
  
  With the Field
  Engineering set to 5, and if the web app timed out, will an LDAP error appear in
  my event logs stating that a disconnection occurred?
  
  
  
  
  
  Thanks for taking time to 
  reply,
  
  
  
  
  
  Cheers,
  
  
  
  
  
  Yann
  
  
  
  
  
  ----- Original Message -----
  From: joe [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Friday, 9 June 2006, 2:25:26
  Subject: RE: [ActiveDir] AD LDAP Logging.
  
  When you change that
  threshold you are specifying how expensive you want the query to be before AD
  reports it.
  
  
  
  Changing "Expensive"
  to 1, according to the docs, means that as soon as a query has to look
  at one or more entries it will be logged. So when you turn down that
  value, you are telling it to log pretty much everything.
  
  
  
  
  That being said, 
  unless you 

RE: [ActiveDir] max password age & where else to look?

2006-06-06 Thread Gil Kirkpatrick








Think divisible by 7


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 06, 2006 12:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age & where else to look?





I'll second guess joe - 91 stops ppl from
using cyclic passwords, which use dates or quarters to generate a password.
e.g. passwordq12006, passwordq22006 etc.



Hopefully joe will give an authoritative
response :)



neil









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve
Sent: 05 June 2006 22:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] max password age & where else to look?



Okay. I'll ask the question that everyone else is afraid
to: why 91 and not 90?











Cheers







On 5/31/06, joe
[EMAIL PROTECTED] wrote:






:o)



I can imagine





Something I like to recommend to folks is
to monitor password changes. Depending on how big you are you may even want to
do it daily. It is a great way to keep an eye open for various issues. For
instance if passwords aren't being changed in the normal periods at the normal
rates, your policy may not be working. If more than usual are being changed
then possibly you have some DC issues. You will even be able to graph out the
password changes and possibly find interesting trends. Oh, to go along with
this, I recommend a password age of 91 days for the obvious reasons... Actually
I always recommend that over 90 days.



 joe









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Douglas W Stelley
Sent: Thursday, May 25, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age & where else to look?










That was it, the policy needed
to be re-applied. Boy did I cause hate and discontent when suddenly hundreds of
users needed to change their password because they had expired!
Thanks all 




 
  
joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
05/24/2006 10:41 PM
Please respond to ActiveDir@mail.activedir.org

To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] max password age & where else to look?






Yeah doublecheck the
value you are getting back from MaxPasswordAge, if zero, check out maxPwdAge
attribute on the NC Head, possibly your policy isn't being applied properly. 
 
 joe 
 
-- 
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

 
 







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, May 24, 2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] max password age & where else to look?

What do you get if just before this:

If intMaxPwdAge < 0 Then
   WScript.Echo "The Maximum Password Age is set to 0 in the " & _
       "domain. Therefore, the password does not expire."

you echo the intMaxPwdAge value? I'm wondering if
you're not pulling back the max password age value correctly, either through a
misspelling or some other error that prevents you from getting the value.
Having used that method before, I can tell you it does work in a Windows
2000 environment and a Windows 2003 environment. Native, DFL, etc.
 
 
If that doesn't work, do you get
the same results with this script? http://support.microsoft.com/default.aspx?scid=kb;en-us;323750




On 5/24/06, Douglas W Stelley 
[EMAIL PROTECTED] wrote: 

In this domain, in the default domain policy the Max Password Age is set to 90,
however when I look for when the password will change using the below sample
script 

I always get the answer The Maximum Password Age is set to 0 in the
domain. Therefore, the password does not expire. 

The rest of the possibilities below do work, just the password age doesn't. 

This is a Win2K Active Directory 

I need to expire all passwords on a specific date, but before I do that I need
to ensure the system will continue expiring them by age. 

What might I be doing wrong? 

Thanks 





Const SEC_IN_DAY = 86400
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

Set objUserLDAP = GetObject _
    ("LDAP://CN=myerken,OU=management,DC=fabrikam,DC=com")
intCurrentValue = objUserLDAP.Get("userAccountControl")

If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
    Wscript.Echo "The password does not expire."
Else
    dtmValue = objUserLDAP.PasswordLastChanged
    Wscript.Echo "The password was last changed on " & _
        DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
        "The difference between when the password was last set " & _
        "and today is " & int(now - dtmValue) & " days"
    intTimeInterval = int(now - dtmValue)

    Set objDomainNT = GetObject("WinNT://fabrikam")
    intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
    If intMaxPwdAge < 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
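The expiry calculation the script above performs through the WinNT provider, reworked against the raw LDAP attributes joe points at (maxPwdAge on the NC head, pwdLastSet and userAccountControl on the user). This is an added example, not the KB script and not code from the thread. pwdLastSet is a FILETIME (100-ns ticks since 1601-01-01 UTC); maxPwdAge is stored as a negative 100-ns interval, and the value -9223372036854775808 is what AD holds when the policy says "0 days" (never expire). The user values in demo() are constructed.

```python
"""Password expiry from raw AD attributes.

Added example, not the KB script and not code from the thread. The sample
user values in demo() are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME and maxPwdAge use 100-ns ticks
TICKS_PER_DAY = 86400 * TICKS_PER_SECOND
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000    # userAccountControl flag
NEVER_EXPIRES = -0x8000000000000000    # maxPwdAge stored for a "0 days" policy


def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND


def max_pwd_age_days(max_pwd_age: int) -> Optional[int]:
    """Whole days for the domain policy, or None when passwords never expire.
    maxPwdAge is negative: the interval counts back from now."""
    if max_pwd_age in (0, NEVER_EXPIRES):
        return None
    return (-max_pwd_age) // TICKS_PER_DAY


def password_expiry(user_account_control: int, pwd_last_set: int,
                    max_pwd_age: int) -> Optional[datetime]:
    """UTC instant the password expires, or None if it never does.

    Checks the per-user flag before the domain policy, like the script in
    the thread. pwdLastSet == 0 means "must change at next logon", which is
    reported as already expired (the FILETIME epoch) rather than as never.
    """
    if user_account_control & ADS_UF_DONT_EXPIRE_PASSWD:
        return None
    if max_pwd_age_days(max_pwd_age) is None:
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH
    # Subtracting a negative interval moves forward in time.
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


def demo() -> Dict[str, object]:
    # Constructed values: a 91-day policy and a user whose password was set
    # on 2006-05-01 00:00 UTC. 0x200 is NORMAL_ACCOUNT.
    policy = -91 * TICKS_PER_DAY
    set_on = datetime_to_filetime(datetime(2006, 5, 1, tzinfo=timezone.utc))
    normal = password_expiry(0x200, set_on, policy)
    must_change = password_expiry(0x200, 0, policy)
    return {
        "policy_days": max_pwd_age_days(policy),
        "never_policy_days": max_pwd_age_days(NEVER_EXPIRES),
        "flagged_user": password_expiry(0x200 | ADS_UF_DONT_EXPIRE_PASSWD,
                                        set_on, policy),
        "normal_user": normal.isoformat() if normal else None,
        "must_change_user": must_change.isoformat() if must_change else None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Reading maxPwdAge straight from the domain NC head sidesteps the ambiguity the thread ran into: a policy that has not been applied and a policy deliberately set to "never" look different in the raw attribute, so a monitoring job that walks pwdLastSet over all users (the password-change monitoring joe recommends) can flag DONT_EXPIRE_PASSWD accounts and "never" policies as findings rather than treating them as non-expiring noise.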
 

[ActiveDir] DSID-020A06F3 error from French platform AD

2006-06-05 Thread Gil Kirkpatrick



I'm receiving this error on subtree searches of the Config 
NC, on a French version of Windows 2003 SP1. Anyone have any 
ideas?

(From LDP)
ldap_search_s(ld, "CN=Configuration,DC=francais,DC=local",
2, "(objectclass=*)", attrList, 0, msg)
Error: Search: Erreur d'opération (Operations error). 1
Server error: 20EF: SvcErr: DSID-020A06F3, problem
5012 (DIR_ERROR), data -1018

Result 1: 20EF: SvcErr: DSID-020A06F3, problem
5012 (DIR_ERROR), data -1018

Matched DNs:
Getting 0 entries:


I'm logged in as the domain Administrateur. One level 
searches seem to work ok.

-gil



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sivarajan, Santhosh
Sent: Monday, June 05, 2006 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC and ADC replication prob.


What is your ADC
configuration?





Santhosh Sivarajan | MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
Houston, TX


From: [EMAIL PROTECTED] on behalf of Ajay Kumar
Sent: Sun 6/4/2006 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC and ADC replication prob.

Hi all,

Please help me out.
Just recently I set up a small domain of 50 PCs with a
DC and ADC.
But the problem is that the replication is not taking place between DC and
ADC and there
is no error in event log. What could be the problem?

Ajay.


RE: [ActiveDir] DSID-020A06F3 error from French platform AD

2006-06-05 Thread Gil Kirkpatrick
Single DC, single member, running under VS 2005 R2, 32-bit. DCPROMO and other 
activities all seemed to work normally, so the corruption thing is a surprise.

Hey Brett, if I consider the hardware suspect, does that mean I have to file 
a bug with the VS team?

I'll kill it and rebuild and see what happens.

You want to know what sucks? Trying to type French on a US-English keyboard. 
It's like those French, they have a different key for everything!

Thanks for your help.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, June 05, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DSID-020A06F3 error from French platform AD

This means there is a physical corruption in the AD database.  Does this domain 
have replicas?  If yes, just repromote another replica and then demote this 
guy.  If no, sometimes a offline defrag can save the database.  Otherwise, what 
is the backup situation for this domain?  Don't be tempted to repair your 
database, that's unsupported.

The hardware should be considered suspect at this point.

Cheers,
BrettSh [msft]


On Mon, 5 Jun 2006, Gil Kirkpatrick wrote:

 I'm receiving this error on subtree searches of the Config NC, on a French 
 version of Windows 2003 SP1. Anyone have any ideas?
  
 (From LDP) 
 ldap_search_s(ld, CN=Configuration,DC=francais,DC=local, 2, 
 (objectclass=*), attrList,  0, msg)
 Error: Search: Erreur d'opération (Operations error). 1 Server error: 20EF: SvcErr: 
 DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
  
 Result 1: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), 
 data -1018
  
 Matched DNs: 
 Getting 0 entries:
 
  
 I'm logged in as the domain Administrateur. One level searches seem to work 
 ok.
  
 -gil
  


RE: [ActiveDir] DSID-020A06F3 error from French platform AD

2006-06-05 Thread Gil Kirkpatrick
I've blown the image away already, but I have a backup. I'll check to see if 
the backup exhibits the same behavior. Send me an email with the upload 
particulars. It's a differencing disk, and the total will be in the 3-4GB 
range, uncompressed. It may be that throughput over the FedEx network will be 
better in this case...

-g 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, June 05, 2006 2:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSID-020A06F3 error from French platform AD

Very interesting.
Can we see the VHD before you blow it away? I can set up a place for you to 
upload it to. Please let me know how large it is; just ping me offline and we 
can coordinate.

~Eric



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, June 05, 2006 2:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSID-020A06F3 error from French platform AD

Single DC, single member, running under VS 2005 R2, 32-bit. DCPROMO and other 
activities all seemed to work normally, so the corruption thing is a surprise.

Hey Brett, if I consider the hardware suspect, does that mean I have to file 
a bug with the VS team?

I'll kill it and rebuild and see what happens.

You want to know what sucks? Trying to type French on a US-English keyboard. 
It's like those French, they have a different key for everything!

Thanks for your help.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, June 05, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DSID-020A06F3 error from French platform AD

This means there is a physical corruption in the AD database.  Does this domain 
have replicas?  If yes, just repromote another replica and then demote this 
guy.  If no, sometimes an offline defrag can save the database.  Otherwise, what 
is the backup situation for this domain?  Don't be tempted to repair your 
database, that's unsupported.

The hardware should be considered suspect at this point.

Cheers,
BrettSh [msft]


On Mon, 5 Jun 2006, Gil Kirkpatrick wrote:

 I'm receiving this error on subtree searches of the Config NC, on a French 
 version of Windows 2003 SP1. Anyone have any ideas?
  
 (From LDP) 
 ldap_search_s(ld, CN=Configuration,DC=francais,DC=local, 2, 
 (objectclass=*), attrList,  0, msg)
 Error: Search: Erreur d'opération. 1 Server error: 20EF: SvcErr: 
 DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
  
 Result 1: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), 
 data -1018
  
 Matched DNs: 
 Getting 0 entries:
 
  
 I'm logged in as the domain Administrateur. One level searches seem to work 
 ok.
  
 -gil
  
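
Brett's diagnosis hangs on the `data -1018` value at the end of the SvcErr line: -1018 is the ESE (JET) error JET_errReadVerifyFailure, a page checksum mismatch, which is why he calls it physical corruption rather than a directory-level problem. The helper below is an added example, not code from the thread or from any Microsoft tool. It parses the `SvcErr: DSID-..., problem N (LABEL), data M` line out of LDP output like Gil's, maps the ESE data value to its documented name, and returns the recovery path Brett describes (repromote a replica if one exists, otherwise offline defrag or restore; never repair). The sample output, the function names and the `has_replicas` parameter are constructed for the example; the ESE error names are the documented constants.

```python
"""Added example: parse the SvcErr line from LDP output and triage ESE errors."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the LDP output quoted in the thread.
SAMPLE_LDP_OUTPUT = """\
ldap_search_s(ld, "CN=Configuration,DC=francais,DC=local", 2, "(objectclass=*)", attrList, 0, &msg)
Error: Search: Erreur d'opération. <1>
Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Result <1>: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Matched DNs:
Getting 0 entries:
"""

# ESE (JET) error codes that mean the DIT file itself is damaged on disk.
# These are the documented ESE constants; any other data value is treated as a
# logical (directory-level) error rather than physical corruption.
ESE_PHYSICAL_ERRORS = {
    -1018: "JET_errReadVerifyFailure (page checksum mismatch)",
    -1019: "JET_errPageNotInitialized (blank page where data was expected)",
    -1022: "JET_errDiskIO (disk I/O error)",
    -1206: "JET_errDatabaseCorrupted (database header or structure corrupted)",
}

# Matches e.g. "SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018"
SVCERR_RE = re.compile(
    r"SvcErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]{8}),\s*"
    r"problem\s+(?P<problem>\d+)\s*\((?P<label>[A-Z_]+)\),\s*"
    r"data\s+(?P<data>-?\d+)"
)


@dataclass(frozen=True)
class SvcErr:
    dsid: str       # directory service internal location id, e.g. 020A06F3
    problem: int    # directory problem code, e.g. 5012
    label: str      # its symbolic label, e.g. DIR_ERROR
    data: int       # underlying error; a negative value is usually an ESE (JET) code

    @property
    def ese_error(self) -> Optional[str]:
        return ESE_PHYSICAL_ERRORS.get(self.data)

    @property
    def physical_corruption(self) -> bool:
        return self.data in ESE_PHYSICAL_ERRORS


def parse_svcerr(ldp_output: str) -> Optional[SvcErr]:
    """Return the first SvcErr found in LDP output, or None if there is none."""
    m = SVCERR_RE.search(ldp_output)
    if m is None:
        return None
    return SvcErr(m["dsid"].upper(), int(m["problem"]), m["label"], int(m["data"]))


def triage(err: SvcErr, has_replicas: bool) -> str:
    """Map the error to the recovery path described in the thread."""
    head = f"DSID-{err.dsid}: {err.label} ({err.problem}), data {err.data}"
    if not err.physical_corruption:
        return f"{head}: not a known ESE page error; treat as a logical directory error."
    if has_replicas:
        action = "promote a fresh replica from a healthy DC, then demote this DC"
    else:
        action = "try an offline defrag; if that fails, restore the domain from backup"
    return (f"{head}: {err.ese_error}, i.e. physical corruption of the DIT. "
            f"Action: {action}. Do not attempt a database repair (unsupported) "
            f"and treat the disk and controller as suspect.")


if __name__ == "__main__":
    err = parse_svcerr(SAMPLE_LDP_OUTPUT)
    print(triage(err, has_replicas=False) if err else "no SvcErr found")
```

Run against the sample, the single-DC case (as in Gil's lab) yields the offline-defrag-or-restore path; the same parser can be pointed at ldifde or event-log text that carries the same SvcErr format.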


RE: [ActiveDir] Query for user AD info from web application

2006-05-30 Thread Gil Kirkpatrick
I assume you mean an X.400 address?
 
I would guess that the translation between PseudoSQL and LDAP doesn't properly 
escape the literal strings. Try using the LDAP escaping rules on the X.400 
email address, e.g. instead of 'g=john,s=smith,o=foo,prmd=bar' etc., try 
'g\3djohn\3bs\3dsmith\3b' etc... where \3d represents the '=' and \3b 
represents the ';'.
 
Just a guess...
 
-gil



From: [EMAIL PROTECTED] on behalf of Jason Benway
Sent: Tue 5/30/2006 11:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query for user AD info from web application



Our internet web application use AD to pull user information. They start
with the users email address and then look up other information.

We've notice today that if a user has a X500 address our query doesn't
work.

Here's what the web developer sent me

SELECT displayName FROM 'GC://DOMAIN.COM' WHERE
objectCategory='organizationalPerson' AND ((mail = '[EMAIL PROTECTED]'))

I don't know why a X500 address would mess this up, ideas?

Thanks,jb

--
Jason Benway
Network Services Manager
[EMAIL PROTECTED]
GHSP
1250 S.Beechtree
Grand Haven, MI 49417
616-847-8474
Fax: 616-850-1208   
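
Gil's guess is that the literal in the pseudo-SQL `WHERE` clause reaches the LDAP filter unescaped, so an address containing `=` or `;` (or, worse, `*`, `(` and `)`) changes the filter instead of being matched as data. The following Python is an added example, not code from the thread or from the web application: it implements RFC 4515 assertion-value escaping and builds the LDAP equivalent of the developer's query. It generalises Gil's suggestion: RFC 4515 only requires `*`, `(`, `)`, `\` and NUL to be hex-escaped, but any character may be, so the optional `extra` parameter reproduces the `\3d`/`\3b` escaping of `=` and `;` from his message. The function names, the `extra` parameter and the sample address are constructed for the example.

```python
"""Added example: RFC 4515 escaping for LDAP filter values."""

# Characters RFC 4515 requires to be escaped inside an assertion value.
# Escaping other characters (for example '=' or ';') is optional but always legal.
_MUST_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def _hex_escape(ch: str) -> str:
    """Escape one character as backslash + two hex digits per UTF-8 byte."""
    return "".join(r"\%02x" % b for b in ch.encode("utf-8"))


def escape_filter_value(value: str, extra: str = "") -> str:
    """Escape `value` for use as an assertion value in an LDAP search filter.

    `extra` names additional characters to hex-escape; passing "=;" reproduces
    the escaping suggested in the thread for X.400-style addresses. Control
    characters are always escaped."""
    out = []
    for ch in value:
        if ch in _MUST_ESCAPE:
            out.append(_MUST_ESCAPE[ch])
        elif ch in extra or ord(ch) < 0x20:
            out.append(_hex_escape(ch))
        else:
            out.append(ch)
    return "".join(out)


def mail_lookup_filter(address: str, extra: str = "") -> str:
    """LDAP filter equivalent of the pseudo-SQL in the thread, with the address
    passed through escape_filter_value so it cannot alter the filter structure."""
    return ("(&(objectCategory=organizationalPerson)"
            f"(mail={escape_filter_value(address, extra)}))")


if __name__ == "__main__":
    # Constructed sample address in the "g=...;s=...;o=...;prmd=..." form Gil quotes.
    print(mail_lookup_filter("g=john;s=smith;o=foo;prmd=bar", extra="=;"))
```

The same escaping belongs in front of any value that ends up inside an LDAP filter, whatever query dialect sits in front of it; a value such as `*)(mail=*` that is not escaped would turn a single-user lookup into a match on every mailbox.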

RE: [ActiveDir] Robocopy(OT)

2006-05-05 Thread Gil Kirkpatrick
CHKDSK?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, May 05, 2006 6:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

How can I take ownership of it?

It doesn't have a security tab and xcacls doesn't see the folder..

Thanks

On 5/4/06, joe [EMAIL PROTECTED] wrote:

Wonder if you have a dorked up ACL, what happens if you try to take ownership
of it?

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Sunday, April 30, 2006 8:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

Well, I've rebooted the server, ran a chkdsk, and still the dir will not
disappear.

I've run Process Explorer and Filemon and nothing is accessing this dir.

Yet I can delete it and it's missing the security tab (it's on an NTFS vol).

How the heck can I get rid of this dir?

Has anyone had an issue like this?

Thanks again

On 4/6/06, Bruyere, Michel [EMAIL PROTECTED] wrote:

Hi,

I got something similar but with a PDF file. The solution was to reboot the
server.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Thursday, April 06, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

No one has this folder open.

I've run Process Explorer and Filemon and nothing is accessing this folder.

I can't delete it or share it out and it's missing the security tab.

Anything else I should look for?

Thanks

On 4/5/06, Mark Parris [EMAIL PROTECTED] wrote:

I have seen this if another PC has explorer open on that folder and you try
and delete from another.

Mark
-Original Message-
From: Steve Rochford [EMAIL PROTECTED]
Date: Wed, 5 Apr 2006 16:37:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Robocopy(OT)

This seems to happen when the folder is in the process of being deleted but
hasn't quite gone. Sometimes, just waiting a while will clear the problem - I
suspect that a process is holding open the folder (or, possibly, a file in the
folder). More than once I've hit this and gone to use Sysinternals Process
Explorer to find out which process is guilty. By the time I've run up the
program and searched for the folder name there's nothing there. Going back to
the folder finds that it's either gone or can now be deleted.

In your case, I'd guess that robocopy had started creating folders and when it
got interrupted, something took a while for things to get tidied up - if the
helpdesk guy hasn't yet unmapped the drives he was using then I think that this
might help.

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 05 April 2006 15:45
To: activedirectory
Subject: [ActiveDir] Robocopy(OT)

I have a strange issue.
I had a help desk admin robocopy a dir from one server to another.
During the copy, for whatever reason, he canceled the robocopy job.
When he went to the target server an empty dir was created which now cannot be
deleted.
I can't delete it through explorer or the command console at the server and get
an error of "cannot delete file: cannot read from the source file or disk".

If I do a RD /s, I get "The system cannot find the file specified."

However the dir shows up in a dir listing or explorer.
The weird thing is also, the dir has no security tab (and it's on an NTFS file
system).

Some background on the robocopy job:
the admin mapped 2 drives from his local box (win2k).
One drive to the root of the volume on the source server and another to the
root on the target.
He then CD'ed to the source and ran robocopy with the /E and /V switches.
After some time, he killed the job and now I'm stuck with this undeletable DIR.

Any insight would be great.
thanks


RE: [ActiveDir] Root Place Holder justification

2006-04-26 Thread Gil Kirkpatrick



Hey Rocky,

Watch me pull a rabbit out of my hat!

Sorry, just had to get that out of my system. Most people 
on the list won't have a clue as to what I'm talking about 
anyway...

In any case, how do increased 
operational costs and overhead not qualify as "harm"? I'm confused by your 
question...

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Wednesday, April 26, 2006 12:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Root Place Holder justification

"Where's the harm?"
Don't tell me about economics or overhead or other things.
Tell me where the "harm" is.
Please.

RH
_


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Wednesday, April 26, 2006 2:49 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Root Place Holder justification
  
  Jef,
  
  We don't have a root domain because somebody smarter than I made that 
  decision before I took over. I was convinced at the time we had made a 
  mistake, but like you have come to the opposite conclusion.
  J
  
  AL
  
  
  Al Maurer
  Service Manager, Naming and Authentication Services
  IT | Information Technology
  Agilent Technologies
  (719) 590-2639; Telnet 590-2639
  http://activedirectory.it.agilent.com
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
  Sent: Wednesday, April 26, 2006 9:51 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Root Place Holder justification
  
  Al,
  
  If you had asked me in the year 
  2000, I could see issues that would drive a root domain to anchor multiple 
  domains. I would caution against it now. I believe MS had the same 
  stance, and now thinks it may not make as much sense as it once 
  did.
  
  Maybe they should re-evaluate 
  their service offerings. :) I admit I was wrong 
  :)
  
  Jef
  
  
  
  Subject: RE: [ActiveDir] Root Place Holder justification
  Date: Wed, 26 Apr 2006 08:03:19 -0600
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org

  Mark,

  I'm in the same place you are: single forest, single domain, but 30 DCs in a
  global deployment with 45k users and 37k computers. Ran that way for 6 years.

  Now we've sold off a business unit of a couple thousand users and they
  outsourced to a big 3rd party service provider who insisted they go with an
  empty root. I recommended against it, but the sourcer (whose initials are
  E.D.S.) claimed the configuration was supported by Microsoft and that they
  had run it by Microsoft for "approval."

  I think what it boils down to is that this is their standard service and
  that's that. The guys I'm working with are quite knowledgeable and good at
  what they do, but they're the front line people and not the deep-thinking
  architects we find at DEC.

  AL

  Al Maurer
  Service Manager, Naming and Authentication Services
  IT | Information Technology
  Agilent Technologies
  (719) 590-2639; Telnet 590-2639
  http://activedirectory.it.agilent.com

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
  Sent: Wednesday, April 26, 2006 7:37 AM
  To: ActiveDir.org
  Subject: [ActiveDir] Root Place Holder justification

  Does anyone have any official documentation as to the justification for a
  root place holder, pro's and con's?

  Where I am - I have started at one domain and can see no reason to expand on
  that - they only have 6 DC's now in a single domain - yet the partner they
  have chosen is recommending a root place holder with 5 DC's and then 8 in the
  child domain (they are NOT even supplying the tin) and I wanted some decent
  ammo - a little bit stronger than schema and Ent admin separation.

  I know at DEC the consensus was the desire to eliminate and I believe Guido
  and Wook have stated this for the past two DEC's

  I have searched this list and can find no relevant articles.

  Many thanks

  Regards

  Mark
  
  
  
  


RE: [ActiveDir] IIFP GAL Sync

2006-04-11 Thread Gil Kirkpatrick



I'm pretty sure it works fine with W2K AD. MIIS itself 
needs to run on WS2K3 though.

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, April 11, 2006 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] IIFP GAL Sync


Hi all

I was discussing GAL sync using IIFP with someone today and he said he thought 
there was a requirement for the DC that IIFP uses to be 2003. I can't see this 
requirement in the product documentation. Can anyone confirm this?

Tony


This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.




RE: [ActiveDir] List problems - resolved

2006-04-11 Thread Gil Kirkpatrick
Hey Laura, did you ever think that maybe it was just you? :)

-g 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter
Sent: Tuesday, April 11, 2006 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] List problems - resolved

Hey Tony, did you know that the list was broken for like 4 days?

*runs FAR away*  :-)

- Laura

On 4/11/06, Tony Murray [EMAIL PROTECTED] wrote:



 You will have noticed that messages are now coming through again. The
 problem has been resolved and all should be back to normal.  Any emails sent
 to the list during the outage will not have been queued, so please send
 again.

 Thanks to the 732 of you who alerted me to the fact that the list was not
 operational J



 Tony






--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_
(http://tinyurl.com/7f8ll)


RE: [ActiveDir] Where's Deji.. (was Quiet? DEC? Related?)

2006-04-02 Thread Gil Kirkpatrick
!  But now I can gamble all I want since on the last day I went to the
MM world-store on the strip and bought a Slot-Machine-Type of MM dispenser
for my kids - it's way cool and I'm sure I'll use it more often than they
will ;-))


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Donnerstag, 30. März 2006 19:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Would be interested in hearing the survey results. Oh that reminds me, I
forgot to hand mine in. :o) I had to fly out Wed evening and was running
around like my shorts were on fire trying to take care of some stuff that
was absolutely mandatory prior to trying to get through security at
McCarran. 

I would say that venue would be suitable for next year unless Sydney was an
option... You could rent a jumbo jet and fly everyone going to the
presession down in it and actually have the presession on the flight, that
would certainly make it seem like the flight went faster. My return ticket
though would have to be valid for a month as I know a lot of folks down
there and would need to go say hi and collect on some beers I am owed. 

Odd thing is I spent no more than $60 on gambling. $20 of it was spent
showing Guido how US slot machines worked in the Belagio. $20 was spent when
I was passing a $1 Wheel of Fortune progressive slot on the way to the rest
room because it called out to me and said it would make me financially
independent for the rest of my natural born life (it lied), and finally $20
was spent while I sat at a bar playing Jacks or Better waiting on Dean and
company to go to dinner not realizing that they didn't see me sit down next
to them and were waiting on me to get there. I was up $80 bucks on that
thing and then gave it all back. 


  joe (The joe of the Dean and joe show, the j in www.jadonex.com)


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, March 29, 2006 6:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?

Just wrapped up Day 3. 530 people. General consensus is that it was the best
DEC ever. More to follow when I can type on something bigger than a credit
card.

-gil


-Original Message-
From: Ayers, Diane [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 3/29/06 1:23 PM
Subject: RE: [ActiveDir] Quiet?  DEC?  Related?

Maybe we should ask a question on the merits of doubling down on an 11 when
the dealer has a face card showing...  :-)
 
Diane



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, March 29, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?


Don't worry we're still here.. ;-)
 
Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior
Infrastructure Consultant MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Moon, Brendan
Sent: Wed 2006-03-29 19:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Quiet? DEC? Related?


Hmm.. everyone must be having fun at DEC... this list has been very quiet
this week!
 
- Brendan Moon
 

[ActiveDir] Thanks to all who came to DEC 2006

2006-03-31 Thread Gil Kirkpatrick


[ActiveDir] DEC photos?

2006-03-31 Thread Gil Kirkpatrick



If anyone has photos from DEC 2006, could you please send 
them to me? I want to put them up on the DEC web site.

The presentations that were NOT on the USB drives will be 
posted up on the site in the next week or so (as soon as Stella 
recovers)

I'll be doing my AD performance presentation over the web 
on Tuesday April 11 at 0900 Arizona time (MST-7). I'll post the URL to the list 
as I know what it is.

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Active Directory
Sent: Friday, March 31, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reset Local Admin Passwords


http://mycuweb.com/dcpc.zip


Rick





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Klassen
Sent: Friday, March 31, 2006 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reset Local Admin Passwords

A bit dated I know, but Danish company's web site seems to have gone kaput. 
Does anyone here happen to have a copy of DCPC to share?

Scott Klassen





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katrin Wilhelm
Sent: Tuesday, January 31, 2006 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reset Local Admin Passwords

Use a tool called DCPC (DC password changer), freeware; you can find it here: 
http://www.danish-company.com/dcpc. All you need is the domain admin password 
and all PCs running. Straightforward, and I am changing the password every 2-3 
months.

Cheers,

Katrin Wilhelm (MCSA)
CVGT Employment Training Specialists
Australia
E-mail: [EMAIL PROTECTED]




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, 1 February 2006 4:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reset Local Admin Passwords

We do realize the potential risk in this but this request is coming from a 
higher authority (my boss). I've been asked to find a way to change it and I 
believe that they are going to have the password reset on a monthly basis.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura E. Hunter
Sent: Tuesday, January 31, 2006 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Reset Local Admin Passwords

  We currently have about 4 different passwords floating around our domain 
  and we'd like to get it down to a single standard. Any help would be 
  appreciated.

Okay, just to offer a counterpoint to your underlying plan - you do realise 
that by using a single local admin password across your enterprise, if even 
-one- of those workstations gets the admin password compromised, the attacker 
who did so now has local admin rights to every workstation on your network? 
With apologies to Jesper Johannsen[1], it's one of those "How to get your 
network hacked in 10 easy steps" things - if I've just compromised the local 
admin password of WorkstationA, what do you think is going to be the very 
first password I try when I move on to try and compromise WorkstationB?

[1] And additional apologies for the fact that I'm sure I just spelled his 
name wrong.

--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)

Confidentiality:
The contents contain privileged and/or confidential information intended for 
the named recipient of this email. CVGT does not warrant that the contents of 
any electronically transmitted information will remain confidential. If the 
reader of this email is not the intended recipient you are hereby notified that 
any use, reproduction, disclosure or distribution of the information contained 
in the email is prohibited. If you receive this email in error, please reply to 
us immediately and delete the document.

Viruses:
It is the recipient/client's duties to virus scan and otherwise test the 
information provided before loading onto any computer system. No warranty is 
made that this material is free from computer virus or any other defect or 
error. Any loss/damage incurred by using this material is not the sender's 
responsibility. CVGT's entire liability will be limited to resupplying the 
material. Please contact us at www.cvgt.com.au for further information 
regarding this disclaimer.


RE: [ActiveDir] Quiet? DEC? Related?

2006-03-29 Thread Gil Kirkpatrick
Just wrapped up Day 3. 530 people. General consensus is that it was the best 
DEC ever. More to follow when I can type on something bigger than a credit card.

-gil


-Original Message-
From: Ayers, Diane [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 3/29/06 1:23 PM
Subject: RE: [ActiveDir] Quiet?  DEC?  Related?

Maybe we should ask a question on the merits of doubling down on an 11
when the dealer has a face card showing...  :-)
 
Diane



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, March 29, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quiet? DEC? Related?


Don't worry we're still here.. ;-)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Moon, Brendan
Sent: Wed 2006-03-29 19:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Quiet? DEC? Related?


Hmm.. everyone must be having fun at DEC... this list has been very
quiet this week!
 
- Brendan Moon
 


RE: [ActiveDir] DNS Server will not Start

2006-03-18 Thread Gil Kirkpatrick
My first thought was missing service dependency of DNS on AD, but my DCs don't
have one either.

Is there any commonality between the servers?

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Saturday, March 18, 2006 7:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Server will not Start

All,

Another question from me. I have several Windows Server 2003 SP1 DCs that all
run AD integrated DNS; when I reboot these servers the DNS Server does not load
the DNS zones, it just starts and then has a red X in the server name when you
check on it. I restart DNS and it functions correctly, loading all zones, and
the DC can function. You cannot logon until DNS has been restarted via another
server.

Does anyone have any idea as to what could be causing this? The event logs do
not reveal much at all.

Mark








RE: [ActiveDir] Individual admin accounts vs Generic admin account.

2006-03-10 Thread Gil Kirkpatrick
There's no way you should use a single admin account. You have no way to
track who did what. Managing admin accounts and their group memberships
is not difficult, certainly not as difficult as trying to figure out who
screwed something up when the audit logs all say Administrator. You
shouldn't have that many admins to worry about anyway. I know several
very large AD installations (100K users, 100s of sites, a few domains)
and they have 2 or at most 3 domain admins per domain.

Most organizations I've worked with give admins two accounts, a regular
everyday account and an admin account that they use only when they need
the extra privs. The admin account doesn't have email, and in some envs
is restricted to logging in on a handful of highly locked-down
workstations. This reduces the possibility of malware running under
admin privs.

And I've worked with a couple of companies that use shared accounts (not
just admin accounts), and it is a complete and utter nightmare from an
administration and auditing standpoint.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Friday, March 10, 2006 7:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Individual admin accounts vs Generic admin account.

Dear collective,

In your esteemed opinions, is it better to have one central admin
account which every member of the sysadmin team should use, or is it
better to give every member of the team their own admin account?

I'm inclined towards giving people their own admin accounts, purely
from an audit point of view, but I'm being told that it's better to
have one central admin account, as it is easier to track which
accounts have admin rights.  I would have thought that NET GROUP would
make that fairly obvious.

Am I missing something here?

--
AdamT
'Thank-you for not requesting read receipts'


RE: [ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread Gil Kirkpatrick
Actually, I think all three of Deji's friends are on this list anyway... :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, 
Guido
Sent: Thursday, March 09, 2006 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?

come on Deji - forget whoever you've had in your contact list until now and 
just get some new friends :-) 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Donnerstag, 9. März 2006 23:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?

Wouldn't that be just wonderful? Only if the admin were human :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Thu 3/9/2006 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?



Can you get the server admin to pull a tape? You could do the restore
yourself in a VM environment.

-g

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 09, 2006 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What do you do when ooops won't work?

I just f-fingered a synch between my PDA and Outlook. Short story, all my
contacts (painfully built over several years) just took a road-trip to
neverland on a one-way ticket.

Local backup? I was meaning to do it tomorrow. Really ;)

Server backup restore? Yeah. I have a greater chance of being the next
King of insert-favorite-empire-here than getting my corporate server admin
to help me here. Just won't happen.

So, am I really SOL?

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon


RE: [ActiveDir] What do you do when ooops won't work?

2006-03-09 Thread Gil Kirkpatrick
Ok, so maybe its only two... :) 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 09, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?

Three? Don't tell me you are including yourself :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Thu 3/9/2006 2:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?



Actually, I think all three of Deji's friends are on this list anyway... :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, March 09, 2006 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?

come on Deji - forget whoever you've had in your contact list until now and
just get some new friends :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Donnerstag, 9. März 2006 23:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?

Wouldn't that be just wonderful? Only if the admin were human :)


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Thu 3/9/2006 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What do you do when ooops won't work?



Can you get the server admin to pull a tape? You could do the restore
yourself in a VM environment.

-g

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 09, 2006 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What do you do when ooops won't work?

I just f-fingered a synch between my PDA and Outlook. Short story, all my
contacts (painfully built over several years) just took a road-trip to
neverland on a one-way ticket.

Local backup? I was meaning to do it tomorrow. Really ;)

Server backup restore? Yeah. I have a greater chance of being the next
King of insert-favorite-empire-here than getting my corporate server admin
to help me here. Just won't happen.

So, am I really SOL?

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon


RE: [ActiveDir] Cleaning Up AD

2006-03-08 Thread Gil Kirkpatrick
The link on our page is screwed up, and so is the TechTarget search
engine. I'll post a working link as soon as I find it.

-gil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Wednesday, March 08, 2006 7:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Cleaning Up AD

A couple of weeks ago i 'attended' a webinar from NetPro called:

16 Steps to a Healthier and Happier Active Directory
http://www.netpro.com/company/events.cfm

It is a very good overview of the tasks involved in getting AD to smile.

It seems like the link from NetPro's website sends you to 
http://searchwindowssecurity.bitpipe.com/webcasts but i don't see it 
archived there ... maybe Gil can chime in with a location?

Slides here:

http://www.netpro.com/forum/files/Sixteen_Simple_Steps.pdf

good luck,

john

[EMAIL PROTECTED] wrote:
 AD Gurus,

 Before I embarked on a Google search, I thought I might get some opinions
 from this list.

 What resources (utils, whitepapers etc) have people been using to clean up
 an AD infrastructure?

 I can go into more detail if anyone is interested...basically all of our
 DC's have tons of warnings and errors in the event logs.

 Thanks,

 Jbl


RE: [ActiveDir] Cleaning Up AD

2006-03-08 Thread Gil Kirkpatrick
16 Steps to a Healthier and Happier Active Directory is archived here:

http://event.on24.com/eventRegistration/EventLobbyServlet?target=lobby.jsp&eventid=17740&sessionid=1&partnerref=swsc_sitepost_02_14_06&key=F2F27A63A35B4F457FECDA9201B08DBA&eventuserid=5675189

And the slides are at
http://www.netpro.com/forum/files/Sixteen_Simple_Steps.pdf

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Wednesday, March 08, 2006 7:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Cleaning Up AD

A couple of weeks ago i 'attended' a webinar from NetPro called:

16 Steps to a Healthier and Happier Active Directory
http://www.netpro.com/company/events.cfm

It is a very good overview of the tasks involved in getting AD to smile.

It seems like the link from NetPro's website sends you to 
http://searchwindowssecurity.bitpipe.com/webcasts but i don't see it 
archived there ... maybe Gil can chime in with a location?

Slides here:

http://www.netpro.com/forum/files/Sixteen_Simple_Steps.pdf

good luck,

john

[EMAIL PROTECTED] wrote:
 AD Gurus,

 Before I embarked on a Google search, I thought I might get some opinions
 from this list.

 What resources (utils, whitepapers etc) have people been using to clean up
 an AD infrastructure?

 I can go into more detail if anyone is interested...basically all of our
 DC's have tons of warnings and errors in the event logs.

 Thanks,

 Jbl


RE: [ActiveDir] SBS 2003 Domain/Forest Rename

2006-03-08 Thread Gil Kirkpatrick
Ni! Ni! Ni! 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Wednesday, March 08, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SBS 2003 Domain/Forest Rename
Importance: Low

Dare I suggest a shrubbery? ;-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
Sent: Wednesday, March 01, 2006 7:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SBS 2003 Domain/Forest Rename

And remember we are a single DC/Forest... so we're more like a tree than a
forest.

;-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
Sent: Wednesday, March 01, 2006 7:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SBS 2003 Domain/Forest Rename

If you consider flattening the box and reinstalling reasonable.  :-)

Remember it's got Exchange on a DC which means a rename is not supported
along with an integrated Sharepoint.


In MVPdom where we don't care about such things and sometimes we do it just
to see if you can, you have to rip out a lot of stuff and even then there is
'weirdness' left over in the event logs.  Thus it's really not for
production machines that you care about at all.

We recommend that the domain is not named in a manner that you care about
renaming it later.

Remember you can always CEICW (run the wizard) and redo the Exchange name
with no issues.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard,
Alex
Sent: Wednesday, March 01, 2006 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SBS 2003 Domain/Forest Rename

This question is for Susan - SBS Goddess - but feel free to respond if
you know the answer. Can a SBS 2003 domain/forest be renamed? If so,
what's the best/recommended practice in doing it?

TIA 

Alex Alborzfard



RE: [ActiveDir] SBS 2003 Domain/Forest Rename

2006-03-08 Thread Gil Kirkpatrick
One that looks nice. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Wednesday, March 08, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SBS 2003 Domain/Forest Rename
Importance: Low

Dare I suggest a shrubbery? ;-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
Sent: Wednesday, March 01, 2006 7:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SBS 2003 Domain/Forest Rename

And remember we are a single DC/Forest... so we're more like a tree than a
forest.

;-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
Sent: Wednesday, March 01, 2006 7:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SBS 2003 Domain/Forest Rename

If you consider flattening the box and reinstalling reasonable.  :-)

Remember it's got Exchange on a DC which means a rename is not supported
along with an integrated Sharepoint.


In MVPdom where we don't care about such things and sometimes we do it just
to see if you can, you have to rip out a lot of stuff and even then there is
'weirdness' left over in the event logs.  Thus it's really not for
production machines that you care about at all.

We recommend that the domain is not named in a manner that you care about
renaming it later.

Remember you can always CEICW (run the wizard) and redo the Exchange name
with no issues.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard,
Alex
Sent: Wednesday, March 01, 2006 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SBS 2003 Domain/Forest Rename

This question is for Susan - SBS Goddess - but feel free to respond if
you know the answer. Can a SBS 2003 domain/forest be renamed? If so,
what's the best/recommended practice in doing it?

TIA 

Alex Alborzfard



RE: [ActiveDir] SBS 2003 Domain/Forest Rename

2006-03-08 Thread Gil Kirkpatrick
And not too expensive. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Wednesday, March 08, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SBS 2003 Domain/Forest Rename
Importance: Low

Dare I suggest a shrubbery? ;-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
Sent: Wednesday, March 01, 2006 7:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SBS 2003 Domain/Forest Rename

And remember we are a single DC/Forest... so we're more like a tree than a
forest.

;-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
Sent: Wednesday, March 01, 2006 7:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SBS 2003 Domain/Forest Rename

If you consider flattening the box and reinstalling reasonable.  :-)

Remember it's got Exchange on a DC which means a rename is not supported
along with an integrated Sharepoint.


In MVPdom where we don't care about such things and sometimes we do it just
to see if you can, you have to rip out a lot of stuff and even then there is
'weirdness' left over in the event logs.  Thus it's really not for
production machines that you care about at all.

We recommend that the domain is not named in a manner that you care about
renaming it later.

Remember you can always CEICW (run the wizard) and redo the Exchange name
with no issues.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard,
Alex
Sent: Wednesday, March 01, 2006 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SBS 2003 Domain/Forest Rename

This question is for Susan - SBS Goddess - but feel free to respond if
you know the answer. Can a SBS 2003 domain/forest be renamed? If so,
what's the best/recommended practice in doing it?

TIA 

Alex Alborzfard



RE: [ActiveDir] MVP mini summit at DEC 2006

2006-02-23 Thread Gil Kirkpatrick
I dunno for sure... I sort of suspect it is, but Alym will clarify it
when he gets his head above water. But I don't see any reason why you
couldn't join in the DBLW/M (tm) after the MVP session.

-g

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, February 23, 2006 1:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MVP mini summit at DEC 2006

Daft question maybe, but is this open to MVPs only?


neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: 23 February 2006 00:09
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MVP mini summit at DEC 2006

Alym has scheduled a MVP mini summit session at the conclusion of DEC
2006 in Las Vegas. We'll meet on Wednesday March 29th at 4pm in one of
the DEC session rooms (tbd). Drugs, booze, and loose women will
follow... or at least that's what I was led to believe. :)

Alym is swamped with another project, but will be providing the official
announcement in a few days. I just wanted to make MVPs aware of it in
case you had scheduled a flight out on Wednesday afternoon.

-gil



[ActiveDir] MVP mini summit at DEC 2006

2006-02-22 Thread Gil Kirkpatrick
Alym has scheduled a MVP mini summit session at the conclusion of DEC
2006 in Las Vegas. We'll meet on Wednesday March 29th at 4pm in one of
the DEC session rooms (tbd). Drugs, booze, and loose women will
follow... or at least that's what I was led to believe. :)

Alym is swamped with another project, but will be providing the official
announcement in a few days. I just wanted to make MVPs aware of it in
case you had scheduled a flight out on Wednesday afternoon.

-gil



RE: [ActiveDir] admin SD holder

2006-02-20 Thread Gil Kirkpatrick



See http://support.microsoft.com/kb/232199/.

Briefly, AD copies the security descriptor of the AdminSDHolder object (there
is one per domain) to all users, groups, and computers that are members of
administrator groups in that domain. This makes sure that delegated admins
don't change the ACLs on these sensitive accounts. It also gives the
appearance of AD losing or reversing manually made ACL changes on user
objects.

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Senthil Kumar
Sent: Monday, February 20, 2006 3:40 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] admin SD holder

Hi,

Can anyone give me the details about admin SD holder. What is it? What does
it do?

K.Senthil
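Two threads on this page meet in one check: AdamT's "individual admin accounts vs. generic admin account" question (where NET GROUP was offered as the way to see who holds admin rights) and Gil's AdminSDHolder explanation above. The script below is an added example, not something posted to the list. It resolves nested membership of the protected groups (NET GROUP only shows direct members), then lists objects still stamped adminCount=1 that are no longer in any protected group. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain account with read access; the group list is the Windows Server 2003 SP1 protected set and should be adjusted for newer forest versions.

```powershell
# Added example, not from the list thread. Assumes the ActiveDirectory
# module (RSAT) and a domain account with read access. The group list is the
# Windows Server 2003 SP1 protected set; adjust it for your forest version.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$holderDN = "CN=AdminSDHolder,CN=System,$domainDN"

$protectedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Replicator', 'Domain Controllers'
)

# Build the set of objects SDProp protects right now: each protected group,
# its nested membership, plus the Administrator and krbtgt accounts.
# NET GROUP lists only direct members, so nesting is resolved here.
$protected = @{}
foreach ($name in $protectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    $protected[$grp.DistinguishedName] = "(group) $name"
    Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $protected[$_.DistinguishedName] = $name }
}
foreach ($sam in 'Administrator', 'krbtgt') {
    Get-ADUser -Filter "sAMAccountName -eq '$sam'" |
        ForEach-Object { $protected[$_.DistinguishedName] = '(protected user)' }
}

'== Effective membership in protected groups =='
$protected.GetEnumerator() |
    Where-Object { $_.Value -notlike '(group)*' } |
    Sort-Object Value |
    ForEach-Object { '{0,-20} {1}' -f $_.Value, $_.Key }

# Objects still stamped adminCount=1 that are no longer in the protected set.
# SDProp never clears adminCount, so such objects keep the AdminSDHolder ACL
# with inheritance blocked and quietly escape OU-level delegation until
# someone clears the attribute and re-enables inheritance.
''
'== Orphaned adminCount=1 objects (review and reset) =='
Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { $_.DistinguishedName -ne $holderDN -and
                   -not $protected.ContainsKey($_.DistinguishedName) } |
    ForEach-Object {
        $acl = Get-Acl -Path ('AD:\' + $_.DistinguishedName)
        '{0}  inheritanceBlocked={1}' -f $_.DistinguishedName, $acl.AreAccessRulesProtected
    }
```

The first listing is the audit answer to the admin-accounts question: every account that effectively holds a protected membership, whether directly or through nesting. The second listing is the AdminSDHolder side effect Gil describes seen from the other direction: an account removed from Domain Admins keeps adminCount=1 and the locked, non-inheriting ACL, so delegated admins still cannot manage it. To reset such an object, clear adminCount (Set-ADObject -Clear adminCount) and re-enable inheritance on its ACL. SDProp runs on the PDC emulator hourly by default, so an account removed minutes ago is expected to still show up until the next pass.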


RE: [ActiveDir] admin SD holder

2006-02-20 Thread Gil Kirkpatrick



After the flurry of recent hits, it's now up to #3! :)

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, February 20, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] admin SD holder

Number 4 on the google query "AdminSDHolder" is pretty good ;-)

http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  On Behalf Of Senthil Kumar
  Sent: Monday, February 20, 2006 11:40 PM
  To: activedir@mail.activedir.org
  Subject: [ActiveDir] admin SD holder

  Hi,

  Can anyone give me the details about admin SD holder. What is it? What does
  it do?

  K.Senthil


RE: [ActiveDir] admin SD holder

2006-02-20 Thread Gil Kirkpatrick



You're correct, not many people query adminSDHolder... Most of the queries
are something like "disappearing security descriptors" or "Active Directory
what the f***"

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, February 20, 2006 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] admin SD holder

Keep it hitting guys

(not that it would be relevant - there are not that many people querying
adminSDHolder)

BTW - I have one slide about adminSDHolder in my presentation at DEC - not
worth more since the other content is way better ;-)

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  On Behalf Of Gil Kirkpatrick
  Sent: Tuesday, February 21, 2006 12:04 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] admin SD holder

  After the flurry of recent hits, it's now up to #3! :)

  -gil

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  On Behalf Of Ulf B. Simon-Weidner
  Sent: Monday, February 20, 2006 3:50 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] admin SD holder

  Number 4 on the google query "AdminSDHolder" is pretty good ;-)

  http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx

  Gruesse - Sincerely,
  Ulf B. Simon-Weidner
  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile
  
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Senthil Kumar
Sent: Monday, February 20, 2006 11:40 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] admin SD holder

Hi,

Can anyone give me the details about admin SD holder. What is it? What does
it do?

K.Senthil


RE: [ActiveDir] Microsoft Announces Vision and Roadmap for Active Directory

2006-02-15 Thread Gil Kirkpatrick
The marketing message is finally catching up with what Stuart has been
talking about at DEC the last couple of years.

-g 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Wednesday, February 15, 2006 12:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft Announces Vision and Roadmap for Active
Directory

Morning all,
Microsoft is announcing a roadmap for AD. Read all about it here:
 
http://www.microsoft.com/windowsserver2003/evaluation/news/bulletins/ADvision.mspx
 
cheers,
Jorge




RE: [ActiveDir] DR implementation planning

2006-02-09 Thread Gil Kirkpatrick
Guido and I did a DR webinar a few months back, and an associated
whitepaper... You can get the whitepaper at
http://www.netpro.com/welcome/disasterrecovery/index.cfm. The last I
looked, you had to register for it (email address, etc.)

We recorded the webinar as well. You can get to it at
http://www.netpro.com/forum/files/AD_Disaster_Recovery.wmv. Same
registration requirements.

We are also hosting an all-day DR pre-conference workshop for DEC this
year. See www.dec2006.com.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Thursday, February 09, 2006 7:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DR implementation planning

Hi all. 
We are finally getting our DR project going, and I'm looking for good
resources for design/implementation.

We have a small business; under 100 users. Running W2K3 AD (2 DCs in one
location), E2K3, Cisco Unity VM, home-grown intranet on IIS, LOB app
contained in-house. Around 30 remote SOHO users connecting via VPN.
Current backup consists of Backup Exec 9.x running backup-to-disk and
then copies to tapes which are moved and stored offsite.

I have relatively complete design authority, and am starting with a
clean slate. A couple of basic parameters. We will be building the DR
site in our parent company's datacenter and currently have frame
circuits to their corp net (not sure if we'll have direct to the data
center or not). We want to utilize HP blade servers and VMWare as much
as possible. The management goal is to virtualize the entire
infrastructure, although it is recognized that this may not be entirely
possible. We want the DR site to be fully vendor supported, so
virtualization will depend largely on vendor support. The site will be
required to support ~50% of our user base for up to 30 days. We would
prefer to avoid utilizing 3rd party replication apps and stick with
native tools if possible.

This will be a warm DR site with once-per-day replication with
production; recovery within 24 hours is the goal. Losing the current
day's work is acceptable. We have ~6 weeks for design and ~10 weeks
after that for build/test, including fire drill.

We start the design meetings today. I'm interested in pointers to any
good whitepapers, references, and recommendations. Also interested in
what has worked (or failed!) for others with similar criteria. While
there's no shortage of information on the net about DR planning and
implementation, I'm interested in what the experts here have found to be
valuable. I remember DEC a couple of years ago had some great DR stuff,
but my event logs have overwritten most of that by now, and I don't
remember if there was a proceedings DVD or anything on that. Plus, two
years is a long time; methods and the like have changed since then.

Thanks!

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**


RE: [ActiveDir] DSQUERY filter for space character only

2006-02-07 Thread Gil Kirkpatrick



That will only work on appropriately indexed attributes.

Try \20. That would be the appropriate escaped filter.

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Olivarez, Sergio J Mr ANOSC/FCBS
Sent: Tuesday, February 07, 2006 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSQUERY filter for space character only


Have you tried * *

Thanks... ... ... ...
Sergio J. Olivarez





From: Sitton Glen E [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 07, 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSQUERY filter for space character only


I need to run an obscure DSQUERY with a filter that finds displayNames with a value of a single space character. I'm stumped. I've tried every escape character possibility that I'm aware of. I know how to find null values, but can't seem to query on a space character alone. It hoses the ldap syntax.

When ADUC builds the ldap query itself, it fails:

(&(objectCategory=user)(displayName= ))

"The query filter ... is not a valid query string."

I've tried:

" "
' '
%20
+

and escaping it with a \ or a ^

Any ideas?

Thanks in advance,

- Glen
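Gil's \20 is the RFC 4515 hex escape for a space, and the same mechanism is what neutralises the filter metacharacters that matter for LDAP filter injection. The following is an added example, not code from the original thread or from any poster: a general filter-value escaper in Python, plus a filter builder for Glen's single-space search and a naive builder beside it to show what an unescaped value does to the query. The function names and the hostile sample value are my own assumptions for illustration.

```python
# Added example, not from the original thread: RFC 4515 escaping of LDAP
# filter assertion values. Gil's \20 for a single space is one instance of the
# general rule, which also stops LDAP filter injection when a value comes from
# user input. Function names and sample inputs are constructed for this example.

# RFC 4515 requires these characters to be escaped inside an assertion value.
_MUST_ESCAPE = frozenset("*()\\\x00")


def escape_filter_value(value: str, escape_spaces: bool = False) -> str:
    """Escape `value` for use as an assertion value inside an LDAP filter.

    Each escaped character becomes a backslash plus the two-digit hex of every
    UTF-8 byte, so non-ASCII is always escaped too. Spaces are escaped only
    when `escape_spaces` is set, which is what the single-space displayName
    search needs so that tools trimming whitespace do not drop the value.
    """
    out = []
    for ch in value:
        if ch in _MUST_ESCAPE or (escape_spaces and ch == " ") or ord(ch) > 0x7E:
            out.append("".join(f"\\{byte:02x}" for byte in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(attribute: str, value: str) -> str:
    """Build (&(objectCategory=user)(attr=value)) with an escaped value.

    The attribute name is not escaped; callers must never take it from input.
    """
    safe = escape_filter_value(value, escape_spaces=True)
    return f"(&(objectCategory=user)({attribute}={safe}))"


def naive_user_filter(attribute: str, value: str) -> str:
    """The vulnerable form: the value is interpolated without escaping."""
    return f"(&(objectCategory=user)({attribute}={value}))"


def assertion_count(ldap_filter: str) -> int:
    """Number of filter components, counted as unescaped '(' characters.

    A two-term AND filter always has three; anything higher means a value
    smuggled extra components into the query.
    """
    count = 0
    prev = ""
    for ch in ldap_filter:
        if ch == "(" and prev != "\\":
            count += 1
        prev = ch
    return count


if __name__ == "__main__":
    # Glen's case: every user whose displayName is exactly one space.
    print(build_user_filter("displayName", " "))
    # Constructed hostile input: unescaped, it widens the query to every user.
    hostile = "*)(objectClass=*"
    print(naive_user_filter("sAMAccountName", hostile), assertion_count(naive_user_filter("sAMAccountName", hostile)))
    print(build_user_filter("sAMAccountName", hostile), assertion_count(build_user_filter("sAMAccountName", hostile)))
```

The escaped filter for the space case is `(&(objectCategory=user)(displayName=\20))`, which is exactly what `dsquery * -filter` accepts because it passes the filter string through verbatim; the escaping also makes the hostile value harmless, since `*`, `)` and `(` are emitted as `\2a`, `\29` and `\28`.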




RE: [ActiveDir] Site Links

2006-02-07 Thread Gil Kirkpatrick



Adeel,

Ah, the old "best practices" question. You'll get a lot of responses regarding the whole concept of "best practices" which will ultimately say "it depends" :) For instance, what sort of administrators do you have? Are they experienced, well educated in AD, reliable, etc.? What's your organization's risk tolerance? Threat profile? Budget? Maturity?

To be more helpful, you'll need to fill in some blanks. First off, what's the issue you're trying to fix? Is there an operational problem? Generally speaking, if you have the right site links in place, they don't need to be changed unless the underlying topology changes, or unless a DC goes down. Or is the problem that you don't know if your topology is right to begin with?

That all being said, some "best practices" which might or might not apply to your situation:

1. Monitoring DCs is critical for a multi-site AD, and especially so for topologies with manual site links.
2. Monitoring replication is also critical.
3. If you're using WS2003, it's best to let the KCC sort out this sort of thing and not muck it up manually. There are few situations that the KCC will not handle well in WS2003 AD.
4. Implement strict change control on your topology. The change process should include justification for the change, review by someone who understands how replication and the KCC work, implementation, and auditing of the final result, including some testing to ensure that the change actually does what you think.
5. Monitoring DCs and replication is really important.
6. And be sure to monitor...


HTH,

-gil



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adeel Ansari
Sent: Tuesday, February 07, 2006 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site Links

AD Experts,

Is there any best practices for creating and managing site links? The problem I am facing is where I have many hub and spoke sites with well over 20 site links. What is the best procedure to fix this issue?

-Adeel


RE: [ActiveDir] DNS Restart

2006-02-06 Thread Gil Kirkpatrick



net stop dns
net start dns



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 06, 2006 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Restart

Cannot find my notes on this one. What is the command line to restart DNS services without rebooting the DC?

Brent Eads
Employee Technology Solutions, Inc.
Office: (312) 762-9224
Fax: (312) 762-9275



RE: [ActiveDir] OT: Change Tracking Database

2006-01-30 Thread Gil Kirkpatrick








You've pretty much described ChangeAuditor from NetPro. It's not freeware though. See http://www.netpro.com/products/changeauditor/index.cfm.



-gil











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
Sent: Monday, January 30, 2006 8:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Change Tracking Database





Hi 



I am
looking for a database (preferably with a web interface) to track all changes made
in the network/directory infrastructure. Change something in DNS? Log it. Make
some registry changes on a server? Log it. Change a recipient policy in
Exchange? Log it. You get the picture. Right now we are using a
somewhat-clunky, homegrown, MySQL database. Anything off the shelf or
free/shareware?



TIA



--
nme









RE: [ActiveDir] DC II

2006-01-26 Thread Gil Kirkpatrick
If a client can't find a DC in its site, it will then try to find any DC
in its domain, regardless of site, based on the weights and priorities
associated with the DCs locator records in DNS. Site link cost doesn't
enter into the process.

However, NETLOGON does use site link cost to determine the covering DC
for a DC-less site.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Figueroa,
Johnny
Sent: Thursday, January 26, 2006 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC II


We are in the process of coming up with a 2nd Data Center for DR. I am
working on the AD part of it and I am trying to find out what the
process is for finding a DC in DC II if DC I is down.

I looked at some of the Domain Locator articles and it talks about how a
client finds a DC and what happens if the DC that it contacts is not in
its site, etc, etc. What I don't see is what happens if the DC I site is
down?... How could it find DC II, is that all part of the site cost?. It
has been a while and I am confused, is Site Costs used to find DCs or
just for replication?

Any articles or explanations are appreciated.

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services Banner Health Voice (602)
495-4195 Fax (602) 495-4406
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
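Gil's description of the locator (site-specific SRV records first, then any DC in the domain ordered only by the DNS priority and weight of its locator records) is easy to model, and the model makes the DR point concrete: a client in the dead data centre ends up on a DC II domain controller with no site link cost involved. The following is an added example, not code from the original thread or from Microsoft; it implements the RFC 2782 ordering of SRV records and a two-step lookup. The domain name, site names, hostnames and zone contents are constructed, and the NETLOGON site-coverage behaviour Gil mentions for DC-less sites is deliberately not modelled.

```python
# Added example, not from the original thread: a model of the DC locator's
# DNS step as described above. Site-specific SRV records are tried first; if
# no DC there answers, the domain-wide records are used, ordered only by SRV
# priority and weight (RFC 2782). Site link cost is never consulted.
# Domain, sites, hosts and records below are constructed for illustration.
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def order_srv(records: List[SrvRecord], rng) -> List[SrvRecord]:
    """Order SRV records per RFC 2782: lowest priority number first, then a
    weighted random draw within each priority so load spreads across DCs.
    `rng` only needs a randint(a, b) method."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        # Weight-0 records go to the front so they are chosen only when the
        # draw lands on 0, as the RFC prescribes.
        group.sort(key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            draw = rng.randint(0, total)
            running = 0
            for rec in group:
                running += rec.weight
                if running >= draw:
                    ordered.append(rec)
                    group.remove(rec)
                    break
    return ordered


def locate_dc(domain: str, client_site: str, dns: Dict[str, List[SrvRecord]],
              reachable: Callable[[str], bool], rng) -> Optional[str]:
    """Return the first DC that answers: the client's own site first, then
    any DC in the domain. Returns None when nothing answers at all."""
    queries = [
        f"_ldap._tcp.{client_site}._sites.dc._msdcs.{domain}",  # site-specific
        f"_ldap._tcp.dc._msdcs.{domain}",                       # domain-wide
    ]
    for name in queries:
        for rec in order_srv(dns.get(name, []), rng):
            if reachable(rec.target):
                return rec.target
    return None


DOMAIN = "corp.example"
# Constructed zone: DC II registered domain-wide at a less-preferred priority
# so it is only used when no DC I controller answers.
DNS: Dict[str, List[SrvRecord]] = {
    f"_ldap._tcp.DC-I._sites.dc._msdcs.{DOMAIN}": [
        SrvRecord(0, 100, 389, "dc1a.corp.example"),
        SrvRecord(0, 100, 389, "dc1b.corp.example"),
    ],
    f"_ldap._tcp.DC-II._sites.dc._msdcs.{DOMAIN}": [
        SrvRecord(0, 100, 389, "dc2a.corp.example"),
    ],
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": [
        SrvRecord(0, 100, 389, "dc1a.corp.example"),
        SrvRecord(0, 100, 389, "dc1b.corp.example"),
        SrvRecord(10, 100, 389, "dc2a.corp.example"),
    ],
}


def dc_for_client(site: str, dead_dcs: Set[str], seed: int = 1) -> Optional[str]:
    """Locate a DC for a client in `site` while the DCs in `dead_dcs` are down."""
    return locate_dc(DOMAIN, site, DNS, lambda host: host not in dead_dcs, random.Random(seed))


if __name__ == "__main__":
    print("all up:    ", dc_for_client("DC-I", set()))
    print("DC I down: ", dc_for_client("DC-I", {"dc1a.corp.example", "dc1b.corp.example"}))
```

The priority value on the domain-wide records is the lever Gil is pointing at: with the defaults (all priority 0, equal weight) a client in DC I that loses its local DCs is just as likely to pick any DC in the domain, so if you want DC II to be a fallback rather than a peer, that has to be expressed in the locator records themselves, not in site link costs.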


RE: [ActiveDir] OT: WMI to retrieve DHCP leases

2006-01-26 Thread Gil Kirkpatrick



Another tack to take is to use something like NMAP. It's a 
very effective IP discovery tool. I suppose it all depends on what you mean by 
"out there".

Counting objects in AD will tell you the computers have 
been joined to the domain at some point. They might or might not exist anymore, 
and if they exist, they might not be in use.

Counting DHCP leases will tell you the computers that use DHCP and are on a subnet covered by a DHCP scope. It won't tell you anything about computers with static addresses, or computers whose lease has expired. And you have to know where all your DHCP servers are (they might be routers or switches or WAPs (!), and not Windows servers). And some of the leases may be for printers and copiers and such, which might not fit your definition of a computer.

Using NMAP will tell you all the devices that are reachable on the subnets you specify, are turned on, and have a loaded IP stack. The nice thing about NMAP is that it will tell you what kind of a device it is, what OS is loaded, and what services are running on it. It won't tell you anything about devices that aren't turned on.

None of these schemes will tell you about standalone 
computers not on the network. Would you consider a non-networked computer "out 
there"?

Some combination of the three (with appropriate 
duplicate removal) could give you a very accurate 
count.

-gil




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Thursday, January 26, 2006 7:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: WMI to retrieve DHCP leases


DHCP is a much better 
metric than computers joined to the domain for this. You can't count 
non-domain-joined devices with any AD tool. Chances are however these devices 
have a DHCP lease.


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 1/26/2006 8:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: WMI to retrieve DHCP leases

DHCP is NOT the authoritative source for "how many computers are out there". If you could, grab Joe's oldcomp tool and just run it against your domain. You should get something close to accurate from there.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Thu 1/26/2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: WMI to retrieve DHCP leases

No, I need to get a count of how many computers are out there. I'm lacking a good authoritative source and want to use the DHCP servers as a count. My script works that runs NETSH (for each scope on each server) but I like to keep everything in VB/WMI when possible. Thanks for the replies.

On 1/26/06, [EMAIL PROTECTED] wrote:

To the OP: Would you be happy with pulling the info on the client side? You could use Win32_NetworkAdapterConfiguration and retrieve the DHCPLeaseObtained or DHCPLeaseExpire values.

back to my rabbit hole, folks :)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Alain Lissoir
Sent: Wed 1/25/2006 6:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: WMI to retrieve DHCP leases

There is no WMI exposure of the DHCP settings and data. Sorry.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mitch Reid
Sent: Wednesday, January 25, 2006 1:08 PM
To: ActiveDir.Org
Subject: [ActiveDir] OT: WMI to retrieve DHCP leases

I'm trying to write a vbscript to pull current DHCP leases from a 2003 DHCP server. I can do it with NETSH but I'd like to do it only with WMI in VBS.

The closest I could find was dhcpobj.dll from the 2000 Resource Kit. However it doesn't appear to be able to pull leases.

Is this possible?

Thanks,
Mitch.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
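Gil's closing suggestion, combining AD computer objects, DHCP leases and a scan "with appropriate duplicate removal", is the part people usually get wrong, because the three sources identify a machine differently: AD has a name and a last-logon timestamp but no MAC, DHCP has a MAC and whatever hostname the client offered, a scan has a MAC and perhaps a reverse-resolved name. The following is an added example, not code from the original thread or from oldcomp, NETSH or NMAP; it reconciles three constructed inventories into one device list keyed on MAC where available and hostname otherwise, dropping stale AD objects and expired leases along the way. All field names and sample records are my own assumptions, not the output format of any real tool.

```python
# Added example, not from the original thread: reconciling the three sources
# Gil lists (AD computer objects, DHCP leases, a network scan) into one count
# with duplicates removed. All records below are constructed; the field names
# are assumptions for this example, not any tool's real output format.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

STALE_AFTER_DAYS = 90  # an AD object with no logon for this long is treated as gone


def normalize_host(name: Optional[str]) -> Optional[str]:
    """Fold 'WS042$', 'ws042.corp.example' and 'WS042' onto one key."""
    if not name:
        return None
    short = name.strip().lower().rstrip("$").split(".")[0]
    return short or None


def normalize_mac(mac: Optional[str]) -> Optional[str]:
    """Fold '00-1A-2B-3C-4D-5E' and '00:1a:2b:3c:4d:5e' onto one key."""
    if not mac:
        return None
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    return digits if len(digits) == 12 else None


@dataclass
class Device:
    key: str
    sources: Set[str] = field(default_factory=set)
    hostname: Optional[str] = None
    mac: Optional[str] = None


def reconcile(ad_objects: List[dict], dhcp_leases: List[dict], scan_hosts: List[dict]) -> Dict[str, Device]:
    """Merge the three views. MAC is the key whenever a source has one; the
    hostname links a DHCP or scan record back to the AD object, which has none."""
    by_key: Dict[str, Device] = {}
    host_to_key: Dict[str, str] = {}

    def upsert(source: str, hostname: Optional[str], mac: Optional[str]) -> None:
        host, mac = normalize_host(hostname), normalize_mac(mac)
        key = mac or (host and host_to_key.get(host)) or host
        if key is None:
            return  # nothing to identify this record by; it cannot be counted
        if host and host in host_to_key and host_to_key[host] != key:
            # Same hostname seen earlier under a hostname-only key (the AD
            # object, before the MAC was known): fold that entry into this one.
            old = by_key.pop(host_to_key[host])
            dev = by_key.setdefault(key, Device(key))
            dev.sources |= old.sources
            dev.hostname = dev.hostname or old.hostname
        dev = by_key.setdefault(key, Device(key))
        dev.sources.add(source)
        dev.hostname = dev.hostname or host
        dev.mac = dev.mac or mac
        if host:
            host_to_key[host] = key

    for obj in ad_objects:
        if obj["days_since_logon"] <= STALE_AFTER_DAYS:
            upsert("ad", obj["name"], None)
    for lease in dhcp_leases:
        if lease["active"]:
            upsert("dhcp", lease["hostname"], lease["mac"])
    for host in scan_hosts:
        upsert("scan", host.get("hostname"), host.get("mac"))
    return by_key


# Constructed sample data.
AD = [
    {"name": "WS042$", "days_since_logon": 3},
    {"name": "WS077$", "days_since_logon": 2},
    {"name": "OLDBOX$", "days_since_logon": 400},   # stale: joined once, long gone
]
DHCP = [
    {"hostname": "ws042.corp.example", "mac": "00-1A-2B-3C-4D-5E", "active": True},
    {"hostname": "printer-3f", "mac": "00-1A-2B-00-00-01", "active": True},
    {"hostname": "visitor-laptop", "mac": "00-1A-2B-00-00-02", "active": False},  # expired lease
]
SCAN = [
    {"hostname": "WS042", "mac": "00:1a:2b:3c:4d:5e"},
    {"hostname": None, "mac": "00:1a:2b:00:00:09"},   # static IP, in neither AD nor DHCP
]


def summary() -> Dict[str, Set[str]]:
    """Hostname (or MAC when no name is known) -> set of sources that saw it."""
    return {d.hostname or d.mac: d.sources for d in reconcile(AD, DHCP, SCAN).values()}


if __name__ == "__main__":
    for key, sources in sorted(summary().items()):
        print(f"{key:14s} {sorted(sources)}")
```

Devices seen by only one source are the interesting output: an AD object nothing else has seen is a candidate for oldcomp-style cleanup, and a scan-only MAC is something on the wire that no inventory knows about.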


RE: [ActiveDir] can variables be used in the registry?

2006-01-26 Thread Gil Kirkpatrick
It would depend on the app that is interpreting the registry entry. The
registry itself doesn't automatically do parameter replacement like
that.

-gil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Thursday, January 26, 2006 8:23 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] can variables be used in the registry?

A discussion this afternoon touched upon the notion of using variables
(like %systemroot% or %windir%) in the registry.  Is this possible?  Has
anyone ever done it?  TIA!

Mike Thommes
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: Gauging AD experience

2006-01-20 Thread Gil Kirkpatrick



But at least you're not bitter...

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E]
Sent: Friday, January 20, 2006 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience


In my experience, when 
good directories go bad, it is usually due to three things.


1. Firewalls
2. Firewalls
3. Did I list firewalls?

Runner ups would be ADC 
for Exchange, Clowns posing as Administrators, Clowns posing as DNS experts, 
Clowns posing as Security experts, and no disaster recovery 
solution.

Todd 
Myrick
Brushing off the dust 
of my MVP status. 






From: joe [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 19, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

When I read Al's post I 
thought of you Wook, I figured, hey Wook could use a creative presentation 
name... ;o)

I would say When Bad 
Things Happen To Good Directories is more on par with "When Bad Things Happen 
To Good People", say like when your nanny gets a flat tire. "When Good 
Directories Go Bad" is more like when your good little daughter hits her 
teen years and starts going out to parties in fish net stockings and Big Red 
gum. :o)







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lee, Wook
Sent: Thursday, January 19, 2006 2:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience
Importance: Low

Sorry, I already did that one. My first DEC presentation was entitled When Bad Things Happen To Good Directories. :)

Wook





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 8:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

"When good directories go bad" sounds like a catchy title for a presentation, Joe. I think of directories and identity management infrastructures a little like networks: you rarely do get to design one from scratch, you're always tweaking an existing one. And I agree that tweaking the existing ones is a lot more 
interesting than designing from a blank slate. The analogy could be taken 
too far, but like networks, directories and authentications systems are always 
morphing due to new technologies, new tools, adding or removing 
applications. Lots of fun.


Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, January 18, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

I would say focusing on 
the design of big directories is pigeon-holing a little too much. There are only 
so many big directories that need to be designed. I personally find much more 
fun in diagnosing good directories that have gone bad than trying to design 
them. I design if I have to but it isn't what I like. Plus often with the 
design, it is rarely the case where you actually have all of the info though 
someone will tell you you do. You find out you don't later on when someone 
starts complaining or something starts breaking. 

I am not sure I would 
go so far to say it is something you let the tools handle though. A lot of the 
tools out there still aren't doing the greatest job and there are many companies 
that don't want to spend the millions on those tools that they would be charged 
for them instead having a few really good people handling it. A tool doesn't see 
bad things coming when someone is coming at you with the next great thing they 
want to plug into the AD. If the tool does catch it, it is way too late in the 
integration cycle. Plus, what if the tool isn't catching the problem? Someone 
has to be knowledgeable enough too. If you depend solely on your tools to keep 
your AD running well it is possible you are going to get cut pretty good. When I 
did Ops, I had several tools that watched what had been determined needed to be 
watched and then I would just go off and sample things to decide if there was 
something that maybe could be watched that we weren't watching. That could take 
the form of just watching a network packets on a DC or a client subnet for an 
hour or so or just walking the event logs event by event or walking through 
looking at objects in the directory. Whatever.

To get into those 
positions you want to get in with the companies already mentioned and jump about 
(and try not to hurt the customer too much with your learning) or find a big 
company and take whatever entry position you can get and prove yourself and grow 
into bigger/better positions. Don't expect to, for instance, walk into Walmart 
and become their AD guy. Maybe you get in as desktop support and get to know the 
right people and make suggestions on how things can be better and work 

RE: [ActiveDir] OU Delegation

2006-01-19 Thread Gil Kirkpatrick



"when the GPO guys screwed up on the main account domains. They locked down EVERY single userid to kiosk mode"

Most people mitigate this sort of risk by technical review, automating the change application, and testing in a separate test forest. I can't see creating a separate domain as a "safe haven" for screwups like that. And it doesn't provide a safe haven from lots of other potential screwups like replication topology changes or schema mods.

-gil




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, January 19, 2006 11:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Exactly. There are good reasons for and against both multiple domains (including empty) and multiple forests. As a safe haven from domain level GPOs or final QA point for domain level modifications are things I wouldn't push against. Does it make sense for everyone? Depends on your management structure and concerns - some will see that as an issue that could impact them, others could see it as nothing. As a security barrier to protect hacking of the enterprise/schema admin is one I would push against because it doesn't actually do anything to help that. Organization of the forest is one that could easily go either way, tough to argue it as it really isn't technically based. In larger multidomain environments, I tend to like empty roots because the overhead is usually quite minimal in relation to everything else and it is a great place to deploy new patches, etc.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 19, 2006 9:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

candid=on
As we've heard before today - do a cost/benefit 
study.

Is it really prudent to build an extra domain with the incurred overheads just in case someone makes a mistake? There are doubtless other mistakes which can only be mitigated by building a separate forest.


There may be good reasons (and bad ones too) for building a 
placeholder domain - these reasons need to be weighed against the incurred costs 
(over at least a 3 year period).
candid=off

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: 19 January 2006 14:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

"The biggest thing about an empty forest root is it is a safe haven. Safe haven: A domain where the god rights live and you don't apply any gpo's or other things that can get out of hand and hurt you. This actually saved my a__ once at [deleted] when the GPO guys screwed up on the main account domains. They locked down EVERY single userid to kiosk mode. Fortunately they have no rights in the root domain so couldn't do anything to my IDs so I could log onto my PC with the forest root ID and undo what they did."

Verbatim quote from one of the top [I mean "REALLY TOP"] AD guys on this list to me in an offline when I asked him about whether or not I should do an empty root. I did it.

RH
_


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, January 18, 2006 8:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Well I didn't say I don't see the benefit of an empty root. I just don't see it as a generic best practice. Sometimes it makes a ton of sense, sometimes someone needs to be slapped for bringing it up. ;o)

joe
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation
  
  
Boy, I just had a consultant recommend an empty root as best practice for a divestiture we're doing. Like Gil and Joe, I really don't see the benefit (nor could the consultant name anything specifically).
  
  We have a single 
  domain and delegate OU rights based basically on an administrative teams need 
  to manage a group of resources, typically computers. Users, groups and 
  Exchange are managed centrally. Moving things around within one domain 
  is a whole lot easier than among domains.
  
  AL
  
Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Thursday, January 12, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation
  
  As joe says, "it 
  depends". AD architecture is always a cost/benefit discussion, and most people 
  don't really understand 1) the real benefits of multiple domains, and 2) the 
  additional costs of running multiple domains.
  
  For 

RE: [ActiveDir] Permissions vanishing

2006-01-19 Thread Gil Kirkpatrick



The fact that nothing showed up in the audit log is disturbing. Can you modify the ACL manually and see the audit entries that appear?

Is there possibly a group policy that is changing the ACLs?

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bahta, Nathaniel V Contractor NASIC/SCNA
Sent: Thursday, January 19, 2006 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Permissions vanishing


Hey everyone,

I am having an issue with a cluster server that shares our common access data drive. Every other day, the NTFS permissions on the shared clustered drive will revert to only Administrators and System having privileges. I have it set up as follows:

X:\SharedData - Share permissions:
  Authenticated Users: RWX

X:\SharedData - Inherited NTFS permissions:
  Authenticated Users: RX, List Folder Contents
  Administrators: F
  System: F

Every other day or so the Authenticated Users entry vanishes from the NTFS permissions.

I enabled auditing on the folder for permission change, but nothing came up in the security log that stated that the permissions had changed.

Any ideas?

I would appreciate anything anyone had to suggest.


Thanks,
Nate



RE: [ActiveDir] ADPrep Version Questions

2006-01-19 Thread Gil Kirkpatrick



There are no .dlls that it needs outside of what's in system32, but I think there are a bunch of .ldf files in \i386 that it uses.

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
Sent: Thursday, January 19, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions


Ok. Promise. Last adprep question: Does adprep need to be run from an i386 directory or can it be run on its own? Does it have dependent files within i386 or is it self-contained?

Thanks.






From: joe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 18, 2006 5:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

LOL. It isn't a decimal number though... It is a series of variable length decimal numbers separated by the period character... Sort of like an OID

1.2.840.113556.1.4.7000.102.7038

Versioning is a lost art I think though. I am big on xx.yy.zz. xx=major, yy=minor, zz=really minor, =build.

To me... major rev changes for big changes, massive updates or rewrites or dramatic functional changes. Minor is added features, bug fixes. Really minor is output string changes or remarks in the code being changed, things that don't change the code flow and don't require any serious testing (I rarely update this one). And build of course is how many times the bin has been compiled.

G:\>filever f:\dev\cpp\adfind\adfind.exe
--a-- W32i APP ENU 1.29.0.785 shp 950,784 12-22-2005 adfind.exe

The current release version of adfind for instance has been compiled 785 times. Well actually that is incorrect, it has compiled 785 times since V01.08.00. There was a little bug in the routine I had been using to increment the counter and it was resetting on every new minor version rev. If I follow the average I am probably off by 250-300 compile build numbers but I expect it is less than that because as the complexity grew in versions 15 the number of compiles between releases went up due to testing and bug hunting.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions
It's a common source of confusion.

Ask a user if version 1.4.4 is newer or older than 1.4.3.4 :)

Some say "3 < 4 therefore the latter is newer", some say "4 > 3 therefore the former is newer".

neil

PS The purist in me would say that without a leading 0, the 196 below looks like 1 thousand 9 hundred and 60, and 1960 > 1830. It's all about justification when dealing with the decimal notation :)




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: 18 January 2006 15:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions
Ah don't worry about it, I figured you were 
just disconnected there when I saw the first question at all. That is why I 
counted it out. :)






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
Sent: Tuesday, January 17, 2006 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions
Oh (blush)

Dont mind me. Im just over here 
re-learning that whole tens, hundreds, thousands, etc thing. 


Ugh! (eyes roll skyward, head 
shakes)

;-)

Sorry for the wasted 
bandwidth.






From: joe [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 17, 2006 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

one thousand eight hundred and thirty is 
greater than one hundred ninety six. The SP1 version is the most recent and 
highest version of adprep. 

0
1
2
3
4
5
6
...
194
195
196
197
198
199
200
...
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
...

 joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
Sent: Tuesday, January 17, 2006 7:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions
yes






From: joe [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 17, 2006 3:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADPrep Version Questions

Are you asking if 1830 > 196 ?





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
Sent: Tuesday, January 17, 2006 6:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADPrep Version Questions
Hi-

I am preparing to upgrade a W2k domain to W2k3. I want to use the latest version of ADPrep. I have found the following info and am confused:

For ADPrep on the following -

From Windows Server 2003 CD:
5.2.3790.0  July 22, 2004, 9:07:08 AM

From WindowsServer2003-KB889101-SP1-x86-ENU.exe:
5.2.3790.1830  November 07, 2005, 5:48:59 PM

Listed in MSKB / Hotfix 324392:
5.2.3790.196  July 23, 2004, 9:04

Am I reading that correctly: the one from SP1 is a lower version and later date than the one in the hotfix? Which one is the latest?

Thanks.

-- 
nme

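Noah's confusion is the classic one joe and neil describe: a file version is a series of variable-length decimal numbers separated by periods, and it has to be compared component by component, not as a string of digits. This matters beyond adprep, since any patch-inventory or update script that compares version strings lexically will report a stale (and possibly unpatched) binary as the newest one. The following is an added example, not code from the original thread; it parses dotted versions into integer tuples, compares them the way joe's OID analogy implies, and shows the lexical comparison picking the wrong adprep. Only the three version strings from the thread are used as input.

```python
# Added example, not from the original thread: comparing dotted build versions
# such as adprep's 5.2.3790.196 and 5.2.3790.1830 as a series of variable-
# length decimal numbers (joe's OID analogy), and showing why a plain string
# comparison selects the wrong file.
import re
from typing import List, Tuple

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.2.3790.1830' into (5, 2, 3790, 1830); reject anything else."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as `a` is older than, equal to or newer than `b`.

    Components are compared numerically left to right. A shorter version is
    padded with zeros so 1.4 == 1.4.0, and 1.4.4 is newer than 1.4.3.4
    because the third component decides before the length does.
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def newest(versions: List[str]) -> str:
    """Pick the highest version numerically."""
    return max(versions, key=parse_version)


def newest_lexical(versions: List[str]) -> str:
    """The bug being illustrated: string ordering compares digit by digit,
    so '196' sorts above '1830' because '9' > '8'."""
    return max(versions)


# The three adprep.exe file versions quoted in the thread.
ADPREP_VERSIONS = ["5.2.3790.0", "5.2.3790.196", "5.2.3790.1830"]

if __name__ == "__main__":
    print("numeric :", newest(ADPREP_VERSIONS))          # 5.2.3790.1830
    print("lexical :", newest_lexical(ADPREP_VERSIONS))  # 5.2.3790.196 (wrong)
```

The padding rule is a policy choice: Windows file versions always have four components, but OIDs and many package versions do not, and treating 1.4 and 1.4.0 as equal is the convention most version schemes follow.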

RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Gil Kirkpatrick



When you say "lose their account", do you mean the computer 
object in AD disappears? Or something else?

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD computer accounts being removed

Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a 
computer that has just joined the domain, while other times the machine has been 
a member of the domain for 2 years. The computer can only be logged on by 
a local account (not a domain account). To remedy this, the computer has 
to be disjoined from the domain, join a workgroup, then join the domain 
again. As I am sure you all are aware, this is not only time consuming, 
but very inappropriate to have to do.

Has anyone else had this experience 
and how have you fixed it?

Thanks, 
Brenda


RE: [ActiveDir] AD DNS in Windows delegation to Novell DNS

2006-01-18 Thread Gil Kirkpatrick



I'm not familiar with Novell's DNS implementation... I 
assume it is based on BIND?

See http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/73c0ae36-8058-43d1-8809-046eb03b73fb.mspx and
http://www.microsoft.com/technet/archive/interopmigration/linux/mvc/cfgbind.mspx.

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chandra Burra
Sent: Wednesday, January 18, 2006 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD DNS in Windows delegation to Novell DNS

Hi Team,

Wanted to know what are the pros and cons of delegating the DNS zone created in Windows DNS for 2003 AD being delegated to Novell DNS, as the client wants to use Novell as the primary.

Regards,
Chandra Burra


RE: [ActiveDir] OT: Gauging AD experience

2006-01-18 Thread Gil Kirkpatrick



Yikes, I missed that one! When did that 
happen?

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robinson, Chuck
Sent: Wednesday, January 18, 2006 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience


Internosis is now EMC 
Microsoft Practice.

Doug, contact me 
offline if you are considering this option.

[EMAIL PROTECTED]





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Gauging AD experience

Hiring on with an IT 
services company that does large Windows projects would probably be the best way 
to develop the experience you're looking for. That way you get exposure to many 
different environments, requirements, people, and 
projects.

HP, Internosis, LogicaCMG, and Microsoft Consulting Services are some examples, and there are tens or hundreds of others.

Some smaller consulting 
companies like Oxford Computer Group focus on IdM projects and will sometimes 
get pulled into AD projects in an advisory 
capacity.

From a career standpoint, I would look more to the broader IdM technologies. AD
expertise is rapidly becoming commoditized, and in larger enterprise
environments, AD is but one component of the IdM and security infrastructure.
Moving forward, MIIS and ADFS are going to take center stage in the Windows
environment, and AD is going to be pushed more into the background. AD will
still be a critical component, and there will always be a need for architects
who can design large AD infrastructures. But AD won't be where the action is.

-gil




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, January 18, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Gauging AD experience
I am trying to figure out how one 
gauges their AD experience. For example, I have designed, implemented and 
maintained an AD/Exchange environment of 5000 users with 1000 workstations from 
the ground up, alone. The environment is only 3 sites, with little complexity. I 
now work for a company maintaining a directory of about 150 users and 150 
workstations. And the more local AD people I talk to, the more confident I am
that I know quite a bit about AD compared to them (only talking about the people
I have met, not generalizing the entire industry).

Although I am not a guru like some 
on this list, I would like to get myself to the place where I can say yeah, I 
can design your 50,000 user / 15 site infrastructure. Or is that even possible? 
Is a project of that size several directory experts working together? 


I honestly believe that I could 
perform such a task, but knowing that I would make some mistakes that a VERY 
experienced person would not. 

So, I guess my question 
is:

How do I get to where I want to be? 
Consult? Try to get a job with the biggest company I can? 


There may be no real answer, but I thought it was worth asking because I have
been thinking about it for a couple of months and don't know where to start to
move forward, and this is the only place I know that has people that I consider
AD gurus (or gods even).



RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Gil Kirkpatrick



You might enable auditing on the appropriate OU to find out who is doing the
deleting. You need to enable AD auditing in the Domain Controllers group policy,
and then add auditing entries on the security descriptor of the appropriate OU,
e.g. CN=Computers, to track creation and deletion of Computer objects.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 12:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually 
gone.

Thanks, 
Brenda

Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
406-247-3792



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

When you say "lose their account", do you mean the computer 
object in AD disappears? Or something else?

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD computer accounts being removed

Occasionally computers will lose their account in Active Directory for no
apparent reason. Sometimes it is a computer that has just joined the domain,
while other times the machine has been a member of the domain for 2 years. The
computer can only be logged on by a local account (not a domain account). To
remedy this, the computer has to be disjoined from the domain, join a workgroup,
then join the domain again. As I am sure you all are aware, this is not only
time consuming, but very inappropriate to have to do.

Has anyone else had this experience 
and how have you fixed it?

Thanks, 
Brenda
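One way to put Gil's suggestion into practice, as an added PowerShell example that is not code from the thread: it turns on object-level auditing on the DC, adds SACL entries to an OU for creation and deletion of computer objects, and then reads the matching events back from the Security log so the deleting account can be identified. The OU distinguished name is a placeholder; the script assumes Windows Server 2008 or later (event IDs 5137 and 5141), PowerShell 5 or later and the ActiveDirectory module, run on a DC with rights to change the OU's SACL.

```powershell
# Added example, not code from the list thread: audit who creates or deletes
# computer objects under one OU, then read the resulting Security events.
# Assumes Windows Server 2008 or later, PowerShell 5+, the ActiveDirectory
# module, and that it runs on a DC with rights to change the OU's SACL.
Import-Module ActiveDirectory

$ouDN = 'OU=Workstations,DC=example,DC=com'   # placeholder OU, replace it

# 1. Object-level auditing must be enabled on the DC. The thread does this
#    through the Domain Controllers GPO; auditpol sets the same subcategories
#    locally, which is convenient for a single DC or a lab.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Access"  /success:enable /failure:enable

# 2. Resolve the schemaIDGUID of the computer class from the schema instead of
#    hardcoding it, so the SACL entries are scoped to computer objects only.
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' `
                              -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID

# 3. Add SACL entries on the OU. Auditing "Everyone" records the action no
#    matter who performs it; Success entries show who actually did it,
#    Failure entries would show who tried and was denied.
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$success  = [System.Security.AccessControl.AuditFlags]::Success

# Creating or deleting a computer object as a child of the OU or of any
# container beneath it.
$childRule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $success,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Deleting a computer object through the Delete right on the object itself,
# which DeleteChild on the parent does not cover.
$selfRule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::Delete,
    $success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)

$acl = Get-Acl -Path "AD:\$ouDN" -Audit
$acl.AddAuditRule($childRule)
$acl.AddAuditRule($selfRule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. Pull creation (5137) and deletion (5141) events for computer objects under
#    the OU and show who did it. Event data is read from the event XML by field
#    name, so the code does not depend on the position of each property.
function Get-ComputerObjectChange {
    param(
        [string]   $OuDN  = $ouDN,
        [datetime] $Since = (Get-Date).AddDays(-7)
    )
    $filter = @{ LogName = 'Security'; Id = 5137, 5141; StartTime = $Since }
    foreach ($event in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = @{}
        foreach ($field in ([xml]$event.ToXml()).Event.EventData.Data) {
            $data[$field.Name] = $field.'#text'
        }
        # Keep only computer objects that live under the audited OU.
        if ($data.ObjectClass -ne 'computer')      { continue }
        if ($data.ObjectDN -notlike "*,$OuDN")     { continue }
        $action = if ($event.Id -eq 5141) { 'deleted' } else { 'created' }
        [pscustomobject]@{
            Time    = $event.TimeCreated
            Action  = $action
            Object  = $data.ObjectDN
            Actor   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            LogonId = $data.SubjectLogonId
        }
    }
}

Get-ComputerObjectChange | Sort-Object Time | Format-Table -AutoSize
```

Events are only written on the DC where the change happened, so run the query (or collect the Security log) on every DC, or forward the logs centrally.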


RE: [ActiveDir] OU Delegation

2006-01-18 Thread Gil Kirkpatrick



Tell him he needs to go to DEC. It's where all the cool AD people go :)

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation


Boy, I just had a consultant recommend an empty root as best practice for a
divestiture we're doing. Like Gil and Joe, I really don't see the benefit (nor
could the consultant name anything specifically).

We have a single domain and delegate OU rights based basically on an
administrative team's need to manage a group of resources, typically computers.
Users, groups and Exchange are managed centrally. Moving things around within
one domain is a whole lot easier than among domains.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, January 12, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

As joe says, "it 
depends". AD architecture is always a cost/benefit discussion, and most people 
don't really understand 1) the real benefits of multiple domains, and 2) the 
additional costs of running multiple domains.

For instance, 
"additional security" is often cited as a benefit of an empty root. An empty 
root maybe provides a little additional security, but not much. The benefit 
depends on your own risk evaluation.

On the other hand, the ongoing operational cost of a two domain forest is
considerably higher than a single domain forest. Additional hardware costs,
additional diagnostic complexity, and a more complicated DR situation all add
to the costs of running multiple domains.

My general recommendation is to stick with a single domain if you can, and add
additional domains if you need to for password policy or controlling
replication traffic. And if you find you have to have multiple domains anyway,
use an empty root, because the incremental cost of an additional domain if you
already have more than one is pretty small.

But, "it 
depends".

-gil




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation
Ah good ol best 
practices. :)

What is recommended? 
Whatever is best for the customer of course.

I guess my question is 
why one domain and one root versus just one domain? What is the purpose of the 
root? I am not saying this is bad by any stretch, there are good valid reasons 
for a root with other domains hanging off of it. Just curious what the decision 
flow was like to do it. Hopefully it wasn't something along the lines of reading 
"an empty root" is good somewhere and going for it as it is totally context 
sensitive. 

I would say the overall 
design goal, especially when Exchange is involved is to use a single domain 
forest. However, if there is a good reason to add more domains, do it. Usually 
when someone says they have a domain and a root they mean they have a domain and 
an EMPTY root and I wonder about how the decision was arrived at. 


We have had this 
discussion previously on the list where some people are gung ho empty root and 
some people are gung ho no-empty root and both pointing at best practices. I am 
more of the does it make sense in this specific situation kind of person. 






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, January 12, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation
Well, I just thought it would be best practice to consolidate multiple domains
to one. What's recommended?






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 11, 2006 7:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

You want 
to look at a couple of main points

1. How do you plan to delegate the permissions, i.e. the groupings of machines,
users, etc.
2. How do you plan to do GPOs, if at all.
3. How is the administration really going to work. For instance, if you use a
provisioning system for managing users (highly recommended) you don't generally
want to delegate those to local OU admins but instead keep them in a main OU
that the provisioning system only has control to.

Why one 
domain and one root domain? I am not arguing one way or the other, just curious 
for the reasoning.








From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, January 11, 2006 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OU Delegation

We're in the process of consolidating 21 child domains into just one and one
root. We want to separate the divisions (domains) into different OUs. Is there a guide

RE: [ActiveDir] Migrate domain to separate forest

2006-01-18 Thread Gil Kirkpatrick
Someone needs to do a cost-benefit analysis. I would guess that 2
forests = 1.6x the operations costs more or less.

I don't know Exchange at all... isn't there some way to constrain the
policy to a subset of mailboxes?

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Wednesday, January 18, 2006 2:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrate domain to separate forest

> Because they want to have their out-of-office replies go to the internet

hmm - that puts a whole new meaning to the requirements of a different
forest. So just to get OOO replies configured the way they want, they're
giving up being managed in the same forest and being in the same
Exchange Org, having the same GAL as the rest of the company (or
requiring an extra mechanism to sync the users/contacts), or being able to
easily share calendar data, simplifying resource sharing between any
part of the company or allowing easy transition of users between other
parts of the organization.

way to go.  I certainly know of other reasons to create a separate
forest, but I hadn't considered OOO configurations to be one of them :-)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Mittwoch, 18. Januar 2006 14:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrate domain to separate forest

Thanks for your reply, Gil.

You wrote:
> Just out of curiosity, why do they think they want their own forest?

Because they want to have their out-of-office replies go to the
internet, and our security policy won't let 'em do it because it affects
everybody else, too!

> In any case, there's no way that I'm aware of to carve off a domain and
> make it a new forest root... I think you'll have to create the forest
> and migrate the users and resources.

That's what I thought.

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OU Delegation

2006-01-18 Thread Gil Kirkpatrick



I heard you weren't going to make it this year. High 
suckage factor.

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation


Well, if I were going this time, I'd tell you in person which consulting firm
he worked for. HINT: it's none of the ones we've mentioned in this thread as
being AD experts. :)


Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Tell him he needs to go 
to DEC. Its where all the cool AD people go :)

-g

RE: [ActiveDir] AD computer accounts being removed

2006-01-18 Thread Gil Kirkpatrick



Let me find my rolled up newspaper... 
:)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 4:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed


NO 
NO NO NO NO BAD BAD BAD

You have to use sysprep. You're getting duplicate SIDs here - bad.



Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, 
Brian,

I do not use Sysprep on my images and have yet to come across any problems, but
there may be one big difference with my images: before I ghost them or create
the image I put the said machine into a workgroup and then create the image.
After I have imaged a computer I log on and change the Computer Name, reboot and
then join the domain with the new computer name. Should I be using Sysprep?

And Brenda, I have experienced your problem but I have never noticed the
accounts actually being out of AD. Anyways, most times for me a simple reboot
works, although I have had to actually ghost computers in order to rejoin the
domain because I do not have any local accounts active on my computers in the
school, which makes it a little safer :) but with that comes more work :(








From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary-

Are you implying you don't sysprep your images?


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed


Brenda,



FWIW: It happens to me when I clone a workstation then try to join that
workstation to the domain in order to change the computer name. AD sees 2
machines with the same name, gives me a notification and lets the 2nd one in.
Then when the original machine with that name logs in next time, it isn't seen
on the network. Then I have to do the same thing you did - with the original
machine. Then all is well again. Don't know if that will help, but it might
narrow down the problem some.



Gary



Gary Polvinale

Denton ATD


RE: [ActiveDir] Migrate domain to separate forest

2006-01-17 Thread Gil Kirkpatrick
Just out of curiosity, why do they think they want their own forest?

In any case, there's no way that I'm aware of to carve off a domain and
make it a new forest root... I think you'll have to create the forest
and migrate the users and resources.

ADMT would seem to be a reasonable way to go. Or one of the commercial
migration products.

-g

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Tuesday, January 17, 2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrate domain to separate forest

Hello, colleagues,

One of our organizations is in their own domain, a child domain of our
root. They want to be in their own forest. Are there tools to migrate
them to their own separate forest, or will I need to build the forest
first, presumably with 2 new DC's, and then make all their servers join
the new forest? And, of course, they have about 140 users.

Thanks, folks.

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876


RE: [ActiveDir] OT: DEC 2006 (way OT ...)

2006-01-13 Thread Gil Kirkpatrick
When you saved a file, it didn't overwrite the old version... You would
have files like foo.txt;1 foo.txt;2, etc. until you explicitly removed
the old versions.

-g

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Friday, January 13, 2006 10:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DEC 2006 (way OT ...)

Al,

> I always wished that Microsoft would support multiple file versions like
> VMS did.

I'm just curious, if you have the time, for my own edification, what was
this VMS file system feature?  Could you elaborate how it worked?

Cheers,
BrettSh [msft]
SDE - ESE


On Thu, 12 Jan 2006, Al Lilianstrom wrote:

 Don't forget the VAXMate and PCSA v1.1. What a interesting pair...
 
 My brother in law worked for DEC at that time and had a VAXStation II 
 and a Pro350 that he had bought from DEC in his basement. Kept trying
to 
 sell me the Pro.
 
 VMS was great. I turned off my last VAX just over 2 years ago. It had 
 been up and running for 8 years. Great OS, great hardware, lousy
company 
 management.
 
 I always wished that Microsoft would support multiple file versions
like 
 VMS did.
 
   al
 
 Lee, Wook wrote:
  Ah, now we're really dragging out the old war horses. My first job
at
  DEC was writing CBI courses for the DECmate WPS+ list processing
module.
  They gave me a Robin (think VT100 with a processor and dual 5.25
floppy
  disks) to use at home (a little basement studio next to the laundry
room
  in the basement of my apartment building in Acton, MA.) My second
job
  was writing a device driver in C for a Polaroid CRT-to-film
peripheral
  called the Polaroid Palette (had a mini-high resolution BW CRT and
a
  Color-filter wheel all controlled by a Z80 processor) for the very
same
  Rainbow PC.
  
  In those days, Digital could not decide on a PC strategy. There were
  three different product lines that all had some potential but none
of
  them took off. We had the Rainbow which was close to what became
  mainstream with an 8088 or 8086 processor, the DECmate with was
  basically a secretarial workstation running WPS+ and not much else
and
  the Pro 350 which was a repackaged PDP-11 that spent a few years as
the
  console device for some of the bigger VAXen. If I recall correctly,
the
  Pro 350 OS was based on RSTS.
  
  Those were the good old days before 1987 and Black Tuesday. I think
I
  had some Digital options at something like $150. Sigh.
  
  Wook
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Kat Collins
  Sent: Wednesday, January 11, 2006 6:18 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] OT: DEC 2006
  
  Anyone remember the Rainbow?  It was DEC's attempt at a Personal
  computer.  Launched in early '83, if I remember...  ran its own
  proprietary DEC-OS and was not compatible with any IBM-DOS apps.  It
  died a year or two later, but the marketing stickers held up for
about
  10 years!!  I had one stuck to my daughter's mirror and damned if I
  could get it off!!
  
  And the DECwriter and the Gold key. a - sweet memories!!
  
  On 1/11/06, joe [EMAIL PROTECTED] wrote:
  Ah but people using DEC and attending DECUS were smarter than the
  average
  bear To this day the people I meet who grew up on DEC are more
  well
  rounded and knowledgeable in the field than the norm.
 
  The good ol days... Anyone remember Mike Mayfield and the RSTS/E
  Monitor
  Internals books he wrote? Only place to get the real scoop on the
  internals
  so you could really wreak havoc. I think he also wrote the original
  Trek too
  so if your system was still up after poking around in the internals
  you
  could play a video game on your DecWriter or VT52.
 
  I got my first official corporate support position supporting OS/2
and
  Win31
  on Token Ring back in the mid 90's because I knew DEC. The 8 or so
  people in
  the panel interview started asking me questions about the equipment
  the job
  was for (OS/2 Win31 tcp/ip Token Ring) and I couldn't answer any of
  the
  questions so they saw DEC on my resume and started asking DEC
  questions and
  a couple of hours later we were all laughing and I had my choice of
  the
  three open positions they had even though I knew nothing about any
of
  them.
  :)
 
 
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of John
  McGlinchey
  Sent: Tuesday, January 10, 2006 4:13 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] OT: DEC 2006
 
  My experience is just the opposite. I attended DECUS (The other
DEC,
  Digital
  Equipment Computer Users Society Symposia) a few times back in the
  90's and
  the casinos complained that the attendees were not losing enough
  money.
  This was attributed to 1) most of the attendees knew the odds were
  against
  them so they kept their money in their pockets where it belonged
and
  2) the
  ones 

RE: [ActiveDir] [List Owner] Mailing list is 5 today!

2006-01-13 Thread Gil Kirkpatrick
That's really cool. Congratulations on creating the best online forum
for AD professionals.

-gil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Friday, January 13, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] Mailing list is 5 today!

congrats Tony! - keep up the good work !!!

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Freitag, 13. Januar 2006 01:57
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [List Owner] Mailing list is 5 today!

Hi all

I started this list on 13th January 2001. Thanks to everyone out
there for making it a great place to hang out and learn about AD (and
more besides!).

Tony



RE: [ActiveDir] Congrat Jorge !!!!!

2006-01-13 Thread Gil Kirkpatrick



Amazingly I blogged this a week ago (http://www.gilsblog.com/index.cfm?commentID=44).
How did Jorge not find out till today? Don't they have email over there? :)
Congratulations Jorge, you certainly deserve it.

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, January 13, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Congrat Jorge !


Just read Jorge's blog @ http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx
Congrats Jorge for your nomination as a MVP. :o)
Will u have a Microsoft professional card as the MCP/MCSE one?
Yann


RE: [ActiveDir] LDAPS SRV Records?

2006-01-13 Thread Gil Kirkpatrick



Try http://msdn.microsoft.com/library/default.asp?url="">

These are relatively new (WS2003 perhaps?) We developed our 
own DNS functions over Winsock.

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Friday, January 13, 2006 1:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAPS SRV Records?

Does anyone have an idea which Windows API does the DNS registration of SRV
records for DCs? I'm very curious as to whether that is a public method. The
purpose is I'm looking into how feasible it is to write a Windows Service that
hooks into netlogon and registers secure LDAP SRV records as needed, provided
the DCs can speak LDAPS. Think it's a horrible idea? Could be done better? Let
me know what you think. I know the ultimate solution is a DCR, but like I said,
I'm just brainstorming ideas.
-Brandon 
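Before anything advertised _ldaps SRV records the way Brandon proposes, it would have to know which DCs actually accept TLS on port 636; the added PowerShell check below (not code from the thread) discovers the DCs from the _ldap._tcp.dc._msdcs SRV records that Netlogon already registers and reports each one's LDAPS status, including certificate problems that would break LDAPS for clients. The domain name is a placeholder, and the script assumes PowerShell 5 or later with the DnsClient module.

```powershell
# Added example, not code from the list thread: list the DCs advertised by the
# _ldap._tcp.dc._msdcs SRV records and test whether each one accepts TLS on 636.
# Assumes PowerShell 5+ and the DnsClient module (Resolve-DnsName).

function Test-LdapsListener {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 636,
        [int] $TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Bounded connect so one unreachable DC does not stall the whole run.
        $connect = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $connect.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return [pscustomobject]@{ Host = $HostName; Ldaps = $false; Reason = 'connect timeout' }
        }
        $client.EndConnect($connect)
        # Validate the server certificate the normal way: a DC whose certificate
        # is expired, untrusted or has the wrong name fails LDAPS for clients
        # too, so that counts as "not LDAPS capable" and the reason is reported.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        return [pscustomobject]@{
            Host   = $HostName
            Ldaps  = $true
            Reason = "TLS $($ssl.SslProtocol), cert subject $($ssl.RemoteCertificate.Subject)"
        }
    } catch {
        return [pscustomobject]@{ Host = $HostName; Ldaps = $false; Reason = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

function Get-DomainControllerLdapsStatus {
    param([Parameter(Mandatory)] [string] $DnsDomain)
    # Netlogon registers _ldap._tcp.dc._msdcs.<domain> for every DC; there is no
    # equivalent _ldaps record, which is the gap the thread is discussing.
    # Resolve-DnsName also returns the A records from the Additional section,
    # so keep only the SRV answers.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DnsDomain" -Type SRV |
           Where-Object { $_.Type -eq 'SRV' }
    foreach ($record in ($srv | Sort-Object Priority, Weight)) {
        $result = Test-LdapsListener -HostName $record.NameTarget
        $result | Add-Member -NotePropertyName LdapPort -NotePropertyValue $record.Port -PassThru
    }
}

# Placeholder domain name; replace with the forest's DNS name.
Get-DomainControllerLdapsStatus -DnsDomain 'example.com' | Format-Table -AutoSize
```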


RE: [ActiveDir] Congrat Jorge !!!!!

2006-01-13 Thread Gil Kirkpatrick
I have my sources... :) 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, January 13, 2006 5:15 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !

I don't think Gil is allowed to say :) NDA, you know ;)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Fri 1/13/2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !


Thanks everyone!
 
A week ago on January 6th I got notice from the US MVP Lead that I have been
nominated (blogged that on January 6th
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx) and today
(Friday the 13th...) I got notice from the Dutch MVP lead saying Microsoft
awarded me the MVP DS Award (blogged that today
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/13/406.aspx).
I don't know how the process works...
 
Gil, how did you find out?
 
Cheers,
Jorge
 



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Fri 2006-01-13 22:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !


Amazingly I blogged this a week ago
(http://www.gilsblog.com/index.cfm?commentID=44). How did Jorge not find
out till today? Don't they have email over there? :)

Congratulations Jorge, you certainly deserve it.
 
-g



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, January 13, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Congrat Jorge !


Just read Jorge's blog @
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx

Congrats Jorge on your nomination as an MVP. :o)
Will you have a Microsoft professional card like the MCP/MCSE one?

Yann

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: DEC 2006

2006-01-10 Thread Gil Kirkpatrick



It's not Vegas; the Green Valley Resort is in Henderson, NV. :)

Nope, nothing to see here. No gambling, no shows, no fast 
women. Just boring technical sessions. Move along.

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, January 10, 2006 7:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DEC 2006


Ditto for me... My title doesn't start with a C _ _ so I'm afraid to even ask for a paid trip to Vegas :)


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I love the smell of red herrings in the morning" - anonymous




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Monday, January 09, 2006 1:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DEC 2006


I would love to go; unfortunately, like most people on the list, unless our
employers pay for it we just cannot afford to attend.



Jose

  
- Original Message -
From: McLeod, Scotty
To: ActiveDir@mail.activedir.org
Sent: Monday, January 09, 2006 7:45 AM
Subject: RE: [ActiveDir] OT: DEC 2006

Am attending again, looking forward to it.

Scotty

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 05 January 2006 22:17
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DEC 2006

Of the list how many people are going to DEC this year? www.directoryexpertsconference.com

Tomorrow is the last day for the early bird registrations if anyone wants to day some $£€'s.

Mark










RE: [ActiveDir] OT: DEC 2006

2006-01-06 Thread Gil Kirkpatrick
I'll get right on that... 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Friday, January 06, 2006 3:22 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DEC 2006

Almeida Pinto, Jorge de wrote:
 it looks like it should be a swiss army bag with a rolling 6 pack
cooler that you can take to the gym and is not a burden when drinking at
the bar... ehhh I mean doing some quality community interaction ;-)
  
 is that possible Gil?


You forgot about the portable wireless connection unit :)

-- 
Tomasz Onyszko
http://www.w2k.pl


RE: [ActiveDir] OT: DEC 2006

2006-01-05 Thread Gil Kirkpatrick



Well, I'm going. But I get a free pass... 
:)

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, January 05, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DEC 2006


Of the list how many 
people are going to DEC this year? www.directoryexpertsconference.com 


Tomorrow is the last day for the early bird registrations if anyone wants to day some $£€'s.

Mark



RE: [ActiveDir] OT: Request for Test AD Poplulation Data

2006-01-05 Thread Gil Kirkpatrick
Try ADTEST from MSFT. Along with creating an arbitrarily large AD
population, it can also generate authentication and query traffic so you
can load test DCs.

http://www.microsoft.com/downloads/details.aspx?FamilyID=4814fe3f-92ce-4871-b8a4-99f98b3f4338&DisplayLang=en

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Thursday, January 05, 2006 4:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Request for Test AD Poplulation Data

That's true.. used it once  for generating 25,000 users... if I remember

right it'll even do mailboxes (if you can wait)... it's called AD 
Populator or something :-)

Regards,
Mylo

Peter Johnson wrote:

If you download the eval of NetIQ DRA there is a tool in there that will
generate users for you.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: 04 January 2006 15:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Request for Test AD Poplulation Data

Hi Mark,

What I've done once: took the Northwind DBs and extracted names and
addresses to create sample users for me.

Unfortunately I don't know where it is anymore, but that's the approach
I'd take b/c Northwind contains general sample data, addresses, many
locations (I created an OU structure out of these), and if you need more
you can also take the list of first names and last names and create more
sample users.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, January 03, 2006 4:03 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] OT: Request for Test AD Poplulation Data

I utilise VBScript too, but I wanted user data with a little more
substance.

500 names in an ldf file is a lot more use to me than a vbs file which
creates user 1, 2, 3 etc etc

Mark

-Original Message-
From: Tomasz Onyszko [EMAIL PROTECTED]
Date: Tue, 03 Jan 2006 15:49:22
To:ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Request for Test AD Poplulation Data

Rick Kingslan wrote:

Tomasz, I think that Mark is looking to populate his metabase with
data other than User 1, User 2, User 3, etc. with simple or blank
attributes.

So, he's looking for stuff like Homer Simpson, with all of the user
data, then Marge, etc.



So still I don't think he will find such... I use VBScript to populate
my AD with test data.

--
Tomasz Onyszko
http://www.w2k.pl


RE: [ActiveDir] Way OT: DC & Server monitoring tools

2006-01-05 Thread Gil Kirkpatrick



DirectoryAnalyzer from NetPro. http://www.netpro.com/products/directoryanalyzer/index.cfm.

Paid for by the Sell More NetPro Products Committee. (c) 
2006 All Rights Reserved.

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 05, 2006 4:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Way OT: DC & Server monitoring tools

You will get as many different answers as people that 
respond to this. Monitoring tends to be a big personal feeling item, especially 
when you start asking for cheap solutions. Most of the bigger well known names 
are not inexpensive such as MOM, HP OVO, etc.

Something I used for a long time for various things,
including a majority of the monitoring of the DCs of a very large AD
deployment I used to do ops for, was called HostMonitor.


http://www.ks-soft.com/hostmon.eng/index-price.htm

The tool is (or at least was I haven't looked in a while) 
primarily agentless, in fact agents were an addon if you wanted them. That is 
one of the things I liked about it. I have personal issues with depending on a 
server completely monitoring itself. The issues being additional overhead for 
the agents, the fact that the agents can impact the functioning of the server, 
and that if the server is bad enough off, the agent can't tell anyone anyway. I 
much prefer service availability based monitoring, test the services remotely 
like a client would. 

I was able to pull most of my custom perl scripts into the 
engine and let it do the driving of the scripts and the notification for all 
sorts of things like AD replication, WINS name resolution, etc. 


 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Wednesday, January 04, 2006 9:55 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Way OT: DC & Server monitoring tools

Hi all

Just looking for some advice on server monitoring tools, and for DC
monitoring as well as Exchange monitoring.
I'm currently using Argent but found it much of a hassle to set up, and
the predefined rules out of the box are very standard and it is much
more expensive than others as well.
Tried installing MOM but the GUI isn't easy (haven't had time to play
around much)...
Any suggestions or experience on good monitoring products - preferred
agentless..
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
International SOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785


RE: [ActiveDir] OT: DEC 2006

2006-01-05 Thread Gil Kirkpatrick



I've passed your comment on to Stella. We've done nice 
backpacks the last couple of years that seem to be 
well-regarded.

After seeing King Kong, I now have a much greater 
appreciation of the term "going ape".

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, January 05, 2006 3:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DEC 2006


Just a thought: 


As most people already have a laptop bag - can we have a bag that we can, say, use for the gym this year
or is it too late?

I always get laptop bags (average 6 a year) and they sit in a cupboard (closet) until I have too many
or my wife goes ape (mad) and I have to dispose of them.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: 05 January 2006 22:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DEC 2006

Well, I'm going. But I 
get a free pass... :)

-gil




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, January 05, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DEC 2006

Of the list how many 
people are going to DEC this year? www.directoryexpertsconference.com 


Tomorrow is the last day for the early bird registrations if anyone wants to day some $£€'s.

Mark



RE: [ActiveDir] OT: DEC 2006

2006-01-05 Thread Gil Kirkpatrick
Jorge, you're speaking at DEC. You already get a free pass. 

We're not going to make speakers pay for their tickets, at least not until 
after 2007. :)

-g 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de
Sent: Thursday, January 05, 2006 3:51 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DEC 2006

can I get a free pass?
jorge



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Thu 2006-01-05 23:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DEC 2006


Well, I'm going. But I get a free pass... :)
 
-gil



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, January 05, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DEC 2006



Of the list how many people are going to DEC this year?
http://www.directoryexpertsconference.com/

Tomorrow is the last day for the early bird registrations if anyone wants to
day some $£€'s.

 

Mark

 



RE: [ActiveDir] ADMT Request

2005-12-13 Thread Gil Kirkpatrick
How about
http://www.microsoft.com/technet/itsolutions/ucs/ds/dmcnmg/default.mspx

-gil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Tuesday, December 13, 2005 1:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADMT Request

www.activedir.org :-)

sounds like you want to do a bit of domain collapsing within your forest
(which is a good thing, yet it can be more painful than migrating to a
new forest).

do you have a concrete question?

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Dienstag, 13. Dezember 2005 16:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADMT Request

Does anyone know of a place to get all the best practices for a Windows
2000 multiple domain -> Windows 2003 single domain (intra-forest) move?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Monday, December 12, 2005 5:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADMT Request

it's less point and click these days, at least if you do it right, since
you should certainly leverage the include-file options to select the
objects for the migration (also allows to rename objects during the
migration).

However, I doubt that James even has a problem with the migration of
users and groups  (although I've also used multiple sessions to speed up
larger scale migrations with ADMTv3). 

The more lengthy task is obviously the processing/migration of the
clients - here multiple sessions are useful for many reasons, especially
to run the tool with different credentials so that it can connect with
different account data to the various clients (if these reside in
various source domains). Or even just to handle processing of batches.
Especially now that ADMT has a cool retry option that will go after all
those clients that are forever offline (and it even performs
post-migration checks on the clients to see that they've migrated
successfully...)

The way I've helped myself was to use a terminal server with multiple
connections for the different sessions - the RDC session name will be
visible and allow you to keep the sessions apart.  And when connected
to a session - your account would tell you that this is the Denver
session, or you could even add some other notes on the desktop or
wherever, if this helps you keep the sessions apart...

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Dienstag, 13. Dezember 2005 00:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADMT Request

It's been ages since we ran our migration, but at the time we scripted
it using the sample scripts that accompanied ADMT. If you go that route,
you can have multiple log files that are uniquely named and not run into
the session confusion. You'll also get much more consistent results from
the scripts, as you won't have mischecked options or typos that seem
inevitable in lots of point/click scenarios.

Hunter 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, December 12, 2005 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADMT Request

Hi All

I am not sure anybody that can do anything with this listens on this
list but we have been using ADMT v.3 with great success for a very large
scale migration.  The multi session ability has been a huge benefit to
us.  We are running into a problem keeping multiple sessions straight.

How hard would it be to include a description field that you can fill in
when you start the session that would then show up in the title bar for
the session (something like Session DENVER, California, etc)

Just a wish.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]


RE: [ActiveDir] AD Defrag

2005-12-12 Thread Gil Kirkpatrick



http://www.microsoft.com/technet/itsolutions/cits/mo/winsrvmg/adpog/adpog3.mspx#EZAA

recommends that you do it on an "as needed" basis, as 
determined by available disk space, or after large batch delete 
operations.

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Monday, December 12, 2005 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Defrag


Question:

I have 8 AD controllers in several locations. All have different database
sizes ranging from 45 MB to 80 MB.
Is there a rule of when I should or when I need to do an offline defrag of
the database?

I just had to defrag my mail store and I don't want to not be proactive
with my Active Directory, so I'm looking for advice on when, why and how
often I should do a defrag.

Thanks
Mike 



RE: [ActiveDir] TCP/IP Filtering in Windows server 2000/ 2003

2005-12-12 Thread Gil Kirkpatrick
If you are talking about restricting access on a DC, you can use the
little known feature in AD called the IP Deny List. It was documented in
W2K, and still works in WS2K3. Essentially, it is a list of IP addresses
and subnets that the DC will not accept AD connections from.

You can set the IP Deny list using the W2K version of NTDSUTIL, or you
can use ADSIEdit and add the strings in hex (yucky). Or write some code,
if you're so inclined.

The IP deny list is maintained in the lDAPIPDenyList attribute of the
queryPolicy object. If you want to deny access to ALL DCs from specified
addresses, you can add the lDAPIPDenyList attribute to the
CN=Query-Policies,CN=Directory Service,CN=Windows
NT,CN=Services,CN=Configuration,DC=your root domain here object.
Otherwise, create a new queryPolicy object and attach it to the DCs you
are concerned about.

The syntax of the lDAPIPDenyList attribute is octet string, but the data
is stored as text. So for instance, to deny access from IP address
1.2.3.4, you would add the value 0x31 0x2e 0x32 0x2e 0x33 0x2e 0x34, one
address per value. You can also deny access from entire subnets by doing
something like 1.2.3.4/24 (in hex).

Probably it's easier to make the change from a W2K machine. The W2K
version of NTDSUTIL doesn't run on a WS2K3 DC AFAIK.

I haven't determined if this is supported or not. It seems it would be,
since you can make the change to a WS2K3 DC from a W2K machine. But it
does work quite well.

But of course this doesn't work generically, just on DCs.

-gil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Monday, December 12, 2005 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] TCP/IP Filtering in Windows server 2000/ 2003

May be of interest, but in addition to IPSec, which in no way am I 
denigrating :0), there are a couple of interesting packet filtering 
alternatives that perform a similar function as well, particularly on
Win2K

http://sourceforge.net/projects/pktfilter/
http://force.coresecurity.com/index.php?module=base&page=factsheet#IDAAUZS

I've not used CoreForce but I have used pktfilter under Win2K.. useful 
if you already know IPFilter.
If you're on Win2k3 then you're probably best off with IPSec since it's 
much improved ...

Regards,
Mylo


Tomasz Onyszko wrote:

Medeiros, Jose wrote:

Hello everyone,
Is there a way I can restrict accepting TCP/IP packets from a
specific address in Windows 2000 / 2003 server? I do not see this
option in the TCP/IP Filtering menu?

No, You can't do that - use IPSec filtering instead of TCP\IP:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/207E34C8-F715-4AA8-8F26-E06BD1ECA808.mspx

http://support.microsoft.com/kb/313190

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/904d3234-18e1-45b3-b7c0-73e6586ea159.mspx



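The lDAPIPDenyList encoding Gil describes in the thread above, as an added example that is not code from the list or from any of the posters: each value is the address or address/prefix as ASCII text inside an octet-string attribute, so the script validates the entries, prints the hex form ADSIEdit takes, and writes an LDIF modify record for the default queryPolicy object. The DC=example,DC=test suffix and the sample addresses are constructed placeholders.

```python
"""Encode lDAPIPDenyList values for an Active Directory queryPolicy object.

Added example, not code from the mailing-list thread. The attribute has
octet-string syntax, but the DC reads the bytes as the ASCII text "a.b.c.d"
or "a.b.c.d/prefix", one entry per value (as described in the thread).
The forest DN below is a constructed placeholder; substitute your own
configuration naming context.
"""
import base64
import ipaddress

# The default queryPolicy object under the CN=Query-Policies container named
# in the thread. The DC=example,DC=test suffix is a placeholder.
DEFAULT_QUERY_POLICY_DN = (
    "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,"
    "CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=test"
)


def normalize_entry(entry: str) -> str:
    """Validate one deny-list entry and return its canonical text form.

    Hosts are plain dotted quads; subnets are written a.b.c.d/prefix. A subnet
    written with host bits set (the thread's 1.2.3.4/24) is canonicalized to
    its network address, 1.2.3.0/24, which names the same range.
    Raises ValueError for anything that is not valid IPv4.
    """
    entry = entry.strip()
    if "/" in entry:
        net = ipaddress.IPv4Network(entry, strict=False)
        return f"{net.network_address}/{net.prefixlen}"
    return str(ipaddress.IPv4Address(entry))


def encode_value(entry: str) -> bytes:
    """The octet-string bytes the DC expects: just the text, ASCII-encoded."""
    return normalize_entry(entry).encode("ascii")


def decode_value(value: bytes) -> str:
    """Read an existing attribute value back into text, e.g. when auditing."""
    return value.decode("ascii")


def as_adsiedit_hex(value: bytes) -> str:
    """Space-separated hex octets, the form ADSIEdit's octet-string editor shows."""
    return " ".join(f"0x{b:02x}" for b in value)


def deny_list_ldif(dn: str, entries) -> str:
    """Build an LDIF modify record adding one lDAPIPDenyList value per entry.

    Binary (octet-string) values are written base64 after '::', so the record
    can be applied with ldifde -i -f file.ldf or any RFC 2849 LDIF tool.
    """
    lines = [f"dn: {dn}", "changetype: modify", "add: lDAPIPDenyList"]
    for entry in entries:
        b64 = base64.b64encode(encode_value(entry)).decode("ascii")
        lines.append(f"lDAPIPDenyList:: {b64}")
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    sample = ["1.2.3.4", "1.2.3.4/24"]  # constructed sample entries
    for e in sample:
        print(f"{normalize_entry(e):<14} -> {as_adsiedit_hex(encode_value(e))}")
    print(deny_list_ldif(DEFAULT_QUERY_POLICY_DN, sample))
```

The hex line for 1.2.3.4 comes out exactly as the thread gives it (0x31 0x2e 0x32 0x2e 0x33 0x2e 0x34); apply the LDIF to a new queryPolicy object instead of the default one if only some DCs should carry the deny list.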


RE: [ActiveDir] FSMO role transfer

2005-11-29 Thread Gil Kirkpatrick
By definition, the impact of a maintenance task is expected to be low.
But the behavior of a server isn't always predictable after you change
the software and/or configuration and reboot it. Sometimes just the
power or temperature fluctuation is enough to kick a marginal component
over the edge.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, November 29, 2005 12:16 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

If you want 100% insurance then yes, transferring the FSMO roles prior to
the maintenance task could prevent an eventual seize if the particular
DC dies for some reason.
 
Maybe, dependent on the maintenance task that is performed, a decision
should be made if the FSMO roles should be transferred or not. So..
define maintenance task... what is the impact of the maintenance task?
 
 
 
 
jorge



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Tue 11/29/2005 6:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer


I'd move the FSMOs just in case something happens and the DC in fact
doesn't come back in 2 hours. How many times have you done PM on a
machine only to have it completely f* up and have to restore? It
seems like about a 1-in-25 chance that something will go wrong.
 
-gil 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, November 29, 2005 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer


First, look at each role and see what it does...
 
Forest FSMOs
* Schema Master -- needed when updating the schema
* Domain Naming master -- needed when adding or removing domains within
the forest
 
Domain FSMOs
* PDC Emulator -- needed for legacy clients (NT4, W9x) when changing
passwords, used for time sync, is used for pwd checking when a user
enters an incorrect pwd at another DC, used by DFS roots to get DFS info
* RID Master -- needed to distribute RID pools to DCs that have
exhausted their current RID pool for 50% (=250 RIDs)
* Infrastructure -- needed to update references between domains in a
forest (does not do anything in a single domain forest)
 
If you look at this, there is no need to first transfer the FSMO roles
to another DC, just to carry out maintenance activities. It also depends
on the FSMO role. The most used ones in your case will be the RID and
the PDC FSMO. Only if you create more than 500 security principals
(users, groups and computers) during the moment that the DC with the RID
FSMO is down, you will experience a problem on the DC that is left. If
you still have legacy clients and they want to change the password that
will not be possible. And if those clients have the DSClient installed
that will not be an issue either.
 
In short: leave as is; it will be OK for those 2 hours.
 
Cheers,
jorge



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter
Sent: Tuesday, November 29, 2005 16:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FSMO role transfer


Hi guys,
 
We have two DC's, one which holds the Forest FSMO roles, the other which
holds the domain FSMO roles.
 
I plan to take each server down at different times so that one of the
two servers can provide authentication etc while the other gets
maintained.  
 
Initially, I was planning on moving the FSMO roles to the other DC while
maintenance work is carried out and transferring them back once it's
online again. I would then do the same for the other DC.
 
I was then told that you don't need to move the FSMO roles when you
perform maintenance on a DC holding the roles. Each server will be down
for about 2hrs.
 
Does anyone have advice for me? I would like to move the roles for peace
of mind knowing they are available, but if I don't need to do that, I
won't bother.
 
Is there any recommended practice?
 
Amy




RE: [ActiveDir] Active Directory 3rd Book

2005-11-21 Thread Gil Kirkpatrick
Yes and yes. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, November 18, 2005 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

Is Robbie Allen still going to MIT for his Masters or is he back at
Cisco?


Sincerely, 
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Friday, November 18, 2005 7:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book


LOL. 


Umm no.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 18, 2005 10:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

Who wants to hear Joe do a Cornet solo at DEC???!!!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 18, 2005 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

You will probably find me, if you can find me there, in the penny slots or on one of those darn Wheel of Fortune slot machines.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Wednesday, November 16, 2005 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

I am hoping to bring a copy with me to Henderson, NV in March 2006
(DEC2006).  Hopefully, the author will be there to sign it!
 
Mike Thommes



From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Wed 11/16/2005 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book



Hey Joe, if I buy it, will you autograph it? I already asked Robbie to present at our user group and do a book signing. Would you be interested as well?


Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Wednesday, November 16, 2005 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book


Not available yet, it is Active Directory Third Edition, from O'Reilly publishing. As soon as Amazon has it available I will have a link to it from my website - http://www.joeware.net - and announce it in my blog http://blog.joeware.net. If you don't like purposely inflaming blog entries I recommend pointing the RSS feed at the tech specific links, though you still won't avoid them, just the non-technical ones. :o)




  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Etts, Russell
Sent: Tuesday, November 15, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

I'm sorry for coming into this late - can you give me the exact name of the book so I can look for it??

Thanks

Russ

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, November 05, 2005 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

Interesting, O'Reilly doesn't even have it listed yet. I just heard from O'Reilly that it is finally out of copy-edit.

On the co-author piece. Alistair wrote the initial edition, Robbie did the 2nd Edition update, I did the 3rd Edition update. You may want to ask the reviewers (they almost all read and respond heavily on this list) but I am quite sure there are sufficient updates to warrant someone who has the 2nd Edition to get the 3rd Edition. There should be a chapter that will be floating around for the book that you can look at; I requested that it be Chapter 11, which is the security chapter, as I spent considerable time reworking it. If someone is familiar with an older edition they will almost certainly note the changes.

I go into great detail on the evil that is SBS and why it shouldn't be used. Or did I??? Hmmm, the SBS folks will just have to buy it to find out. ;o)

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi
Sent: Tuesday, November 01, 2005 11:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory 3rd Book

The Active Directory 3rd Book with Joe as co-author seems like it will be released somewhere in February 2006 based on http://www.bookpool.com/sm/0596101732 .

(Bookpool is having a discounted O'Reilly book sale this month, and accepts pre-orders, though I do not have any relation with Bookpool other than being a customer who is looking to buy a couple of books and noticed this book.)

RE: [ActiveDir] Audit Collection Services

2005-11-14 Thread Gil Kirkpatrick
They certainly realize that small firms want those features, but they
will leave it to the ISV community to satisfy the need, at least for
now. There are at least a dozen third-party log collection products,
probably more, some of them very inexpensive. Or there's MSFT's own free
LogParser. ACS's primary advantage is its scalability, which is not
generally an issue for small organizations.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, November 14, 2005 6:23 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Audit Collection Services

And hopefully Microsoft will realize that even small firm markets that 
they've traditionally never sold MOM to will possibly want audit 
collection features and thus have a Mom-lite edition.

Sincerely,

the annoying SBSer with the toy server networks where we don't buy MOM 
for our networks where we barely have one server let alone 10.



Tomasz Onyszko wrote:
> Free, Bob wrote:
>> Well the other Eric F from MS has weighed in (! ~eric) Once again the
>> landscape has changed. It is going to be part of MOM...after all.
>
> Yup, you should not expect ACS as a separate product. It will be
> shipped with MOM in its next version.


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Directory Experts Conference 2006 call for presentations

2005-11-09 Thread Gil Kirkpatrick
The URL I provided is messed up... it's www.dec2006.com/callforpapers.cfm. I somehow managed to get a file:// inserted in the original link.

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Tuesday, November 08, 2005 5:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Directory Experts Conference 2006 call for presentations

Greetings list-members

DEC 2006 is coming up in March, and I'd like to extend this invitation to you to submit a proposal for a presentation.

For those who have not attended DEC before, it is a technology conference focused on MSFT Identity and Access technologies, including AD, ADFS, MIIS, InfoCard, and AZMAN. The typical attendee is an AD or MIIS architect or engineer, usually from a large enterprise deployment, with at least a couple of years of AD experience under their belt.

We will also be hosting a "Masters Track" for AD, targeting the true AD gear-heads (think joe, Dean, and Guido, and you get the idea).

The conference is in Vegas March 26-29, and promises to be a lot of fun, with great sessions and speakers, and loads of networking opportunities.

Feel free to send your proposals to me, or submit them through the DEC web site, www.dec2006.com/callforpapers.cfm.

And remember, be excellent to each other, and party on, dudes.

-gil
Gil Kirkpatrick
CTO, NetPro

Don't miss the Directory Experts Conference 2006. More information at www.dec2006.com.


RE: [ActiveDir] Netlogon.dns (2)

2005-11-08 Thread Gil Kirkpatrick



Were the entries dropped off the end of the file, or were they missing from the middle? Any pattern to the entries that were missing?

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Tuesday, November 08, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Netlogon.dns (2)


Instead of hijacking another thread I'm going to start my own ;)

What I've seen recently and was pretty surprised by: a customer of mine had incomplete netlogon.dns files; they had some of the records which were supposed to be there but not all. On some DCs about 50% of the netlogon.dns was missing.

Really bad about this is that tools like dcdiag only test the content of the netlogon.dns against the DNS service, and that the netlogon process does not check the content of the netlogon.dns without any changes unless the file is missing. So the customer had missing DNS information for ages and never noticed it - not everyone is digging around in DNS and knows what's supposed to be there ;)

DCs were W2k SP4.

Anyone seen this before? OK - I've already fixed it by renaming netlogon.dns and restarting netlogon, but I'm curious if anyone has ideas where this might come from and if anyone has seen it before.

Gruesse - Sincerely,
Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
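The gap Ulf describes is that dcdiag only confirms that the records present in netlogon.dns exist in DNS, so records that never made it into the file go unnoticed. The script below is an added example, not code from the thread or from any of the products mentioned: it parses a netlogon.dns file and reports which of the DC locator records a DC is expected to register are absent. The expected-record set is an assumption taken from the documented Net Logon registrations (domain- and site-level SRV/A records, plus the GC records when the DC is a GC); GUID-based and PDC-only records are left out because they need per-DC values, and the sample file is constructed.

```python
"""Report DC locator records missing from a netlogon.dns file.

Added example, not code from the mailing-list thread. The expected-record
set is assumed from the Net Logon DNS registrations documented for a
Windows 2000 domain controller; the GUID-based records
(_ldap._tcp.<DomainGuid>.domains._msdcs and the <DsaGuid>._msdcs CNAME)
and the PDC-only record are left out because they need per-DC values.
"""
import re
import sys
from typing import Set, Tuple

# Constructed sample of an incomplete netlogon.dns (not a real capture):
# the site-level, kerberos and most GC records never made it into the file.
SAMPLE_NETLOGON_DNS = """\
example.com. 600 IN A 10.0.0.5
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_kpasswd._tcp.example.com. 600 IN SRV 0 100 464 dc1.example.com.
_gc._tcp.example.com. 600 IN SRV 0 100 3268 dc1.example.com.
"""

# One netlogon.dns line: <owner> <ttl> IN <type> <rdata>
RECORD_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>A|SRV|CNAME)\s+.+$")

Record = Tuple[str, str]  # (owner name, record type)


def _fqdn(name: str) -> str:
    """Normalise an owner name for comparison: lowercase, one trailing dot."""
    return name.lower().rstrip(".") + "."


def parse_netlogon_dns(text: str) -> Set[Record]:
    """Return the (owner, type) pairs found in netlogon.dns text."""
    found: Set[Record] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:  # unparsable lines are skipped rather than counted as records
            found.add((_fqdn(m.group("name")), m.group("type")))
    return found


def expected_records(domain: str, forest: str, site: str, is_gc: bool) -> Set[Record]:
    """Records Net Logon registers for a DC of `domain` (forest root `forest`)
    in AD site `site`; GC records are added when the DC is a global catalog."""
    d, f, s = _fqdn(domain), _fqdn(forest), site.lower()
    srv = {
        f"_ldap._tcp.{d}", f"_ldap._tcp.{s}._sites.{d}",
        f"_ldap._tcp.dc._msdcs.{d}", f"_ldap._tcp.{s}._sites.dc._msdcs.{d}",
        f"_kerberos._tcp.{d}", f"_kerberos._tcp.{s}._sites.{d}",
        f"_kerberos._tcp.dc._msdcs.{d}", f"_kerberos._tcp.{s}._sites.dc._msdcs.{d}",
        f"_kerberos._udp.{d}", f"_kpasswd._tcp.{d}", f"_kpasswd._udp.{d}",
    }
    a = {d}  # the domain's own A record, used by non-site-aware clients
    if is_gc:
        srv |= {
            f"_gc._tcp.{f}", f"_gc._tcp.{s}._sites.{f}",
            f"_ldap._tcp.gc._msdcs.{f}", f"_ldap._tcp.{s}._sites.gc._msdcs.{f}",
        }
        a.add(f"gc._msdcs.{f}")
    return {(n, "SRV") for n in srv} | {(n, "A") for n in a}


def missing_records(text: str, domain: str, forest: str, site: str, is_gc: bool):
    """Expected records absent from the file, sorted for stable output."""
    return sorted(expected_records(domain, forest, site, is_gc) - parse_netlogon_dns(text))


if __name__ == "__main__":
    # Usage: netlogon_check.py <path> <domain> <forest> <site> gc|nogc
    # With no arguments the constructed sample above is checked.
    if len(sys.argv) == 6:
        path, domain, forest, site, gc = sys.argv[1:]
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text, domain, forest, site, gc = (
            SAMPLE_NETLOGON_DNS, "example.com", "example.com", "Default-First-Site-Name", "gc")
    gap = missing_records(text, domain, forest, site, gc == "gc")
    print(f"{len(gap)} expected record(s) missing from netlogon.dns")
    for name, rtype in gap:
        print(f"  {rtype:5} {name}")
```

Run it against %SystemRoot%\System32\config\netlogon.dns from each DC (copied off the box); anything it lists is a record the DC should be registering but is not, whatever dcdiag says.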



[ActiveDir] Directory Experts Conference 2006 call for presentations

2005-11-08 Thread Gil Kirkpatrick
Greetings list-members


DEC 2006 is coming up in March, and I'd like to extend this invitation to you to submit a proposal for a presentation.


For those who have not attended DEC before, it is a technology conference focused on MSFT Identity and Access technologies, including AD, ADFS, MIIS, InfoCard, and AZMAN. The typical attendee is an AD or MIIS architect or engineer, usually from a large enterprise deployment, with at least a couple of years of AD experience under their belt.

We will also be hosting a Masters Track for AD, targeting the true AD gear-heads (think joe, Dean, and Guido, and you get the idea).

The conference is in Vegas March 26-29, and promises to be a lot of fun, with great sessions and speakers, and loads of networking opportunities.

Feel free to send your proposals to me, or submit them through the DEC web site, www.dec2006.com/callforpapers.cfm.


And remember, be excellent to each other, and party on, dudes.


-gil

Gil Kirkpatrick
CTO, NetPro

Don't miss the Directory Experts Conference 2006. More information at www.dec2006.com.





RE: [ActiveDir] Directory Experts Conference 2006 call for presentations

2005-11-08 Thread Gil Kirkpatrick
:)

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, November 08, 2005 5:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Directory Experts Conference 2006 call for presentations





The first two times, I read "DEC 2006 is coming up in March..." and I'm thinking WTF is this dude telling me December 2006 is coming up in March??

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Tuesday, November 08, 2005 7:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Directory Experts Conference 2006 call for presentations

Greetings list-members

DEC 2006 is coming up in March, and I'd like to extend this invitation to you to submit a proposal for a presentation.

For those who have not attended DEC before, it is a technology conference focused on MSFT Identity and Access technologies, including AD, ADFS, MIIS, InfoCard, and AZMAN. The typical attendee is an AD or MIIS architect or engineer, usually from a large enterprise deployment, with at least a couple of years of AD experience under their belt.

We will also be hosting a Masters Track for AD, targeting the true AD gear-heads (think joe, Dean, and Guido, and you get the idea).

The conference is in Vegas March 26-29, and promises to be a lot of fun, with great sessions and speakers, and loads of networking opportunities.

Feel free to send your proposals to me, or submit them through the DEC web site, www.dec2006.com/callforpapers.cfm.

And remember, be excellent to each other, and party on, dudes.

-gil

Gil Kirkpatrick
CTO, NetPro

Don't miss the Directory Experts Conference 2006. More information at www.dec2006.com.



RE: [ActiveDir] Global Catalog

2005-10-18 Thread Gil Kirkpatrick
Hi Ulf,

Nice to have met you too..

Put your fingers on the table! Slap! ;-)
[3] Yes - sorry - I'm german ;-) 

It sounds more like you're a Catholic nun!

We're pretty much in agreement. The real answer (as it always seems to
be) is to analyze the threats, assess the risks, and make the
appropriate cost/benefit tradeoffs of risk vs. mitigation. Multiple
forests increase costs but provide more isolation. Do the costs outweigh
the benefits? It all depends on the particular organization.

BTW, I'm half German. My mother is from Berlin.

-g


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Monday, October 17, 2005 11:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Global Catalog

Hi Gil,

(btw - was nice meeting you finally in person)

You're right, that might be a better wording. However I didn't mean that I do not agree that the forest is the security boundary; however I do not like people using that term without being more specific. This will lead customers who are not enough into details to deploy multiple forests in scenarios where multiple domains (if even that) would have been sufficient. Keeping viruses, malware, and the regular "I'm admin - so let's surf the web" aside. Companies who might trust their admins but have too many users to trust each of them might deploy multiple forests b/c they are afraid that users might try to (hack/)try to get into other domains. However in a case like this it _might_ be overrated to deploy different forests, cause it's way harder for a regular user to get into another domain (and to valuable data there) than it is for an admin, the scenario is more difficult to administer (which might lead to loosened security and/or more admins you'll have to trust) and the physical security might not be in place to justify such a scenario (the users might still hop around in the same building without distinguished building security[1] or network boundaries[2]).

I do not think that all domain admin threats are in the non-malicious category, and I don't think that forests shouldn't be mentioned as security boundary; however I think if you do mention that you also need to clarify against which threats you're deploying additional forests and what also needs to be applied in the company if you need that level of security for certain parts. In many cases a proper investment into security is better placed by drilling security into the heads of the admins (you're surfing the web as admin? Put your fingers on the table! Slap! ;-) [3] ) than deploying multiple forests without taking additional measures and wrongly believing it's buying you 100% security.

Ulf

[1] meaning that people having access to forest A only shouldn't have physical access to any machines in the office running in forest B and vice versa

[2] different wires, VLANs, or a generic network with people VPNing into their infrastructure. I don't trust our friends aka the unintentional fighters against security aka devs. There are somewhere passwords on the wire in almost every network, and this threat is dependent on your number of in-house developed apps IMHO.

[3] Yes - sorry - I'm german ;-)

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of Gil 
|Kirkpatrick
|Sent: Tuesday, October 18, 2005 1:56 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Global Catalog
|
|I think it is better to describe a domain as a policy and 
|administration boundary (and a replication boundary), rather 
|than a weak security boundary. It is more precise, and IMO, 
|given the automatic domain trusts in a forest, there is not 
|much of a security boundary between domains.
|
|And given the ease with which malware is distributed (through 
|email and web pages for instance), the distinction between 
|criminal and unintentional is thin, if not non-existent. 
|People with criminal intent subvert administrative machines 
|and accounts all the time. So even if you think your domain 
|admin threats are all in the non-malicious category (not a 
|smart way to think in any case), once the domain admin is 
|exposed to some malware script, they've effectively taken on 
|the criminal intent.
|
|-gil
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
|Simon-Weidner
|Sent: Monday, October 17, 2005 3:14 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Global Catalog
|
||So why don't you agree with the general - forest is the security 
||boundary - statement?
|
|Cause IMHO the domain is a security boundary against 
|accidential security issues, the forest against malicious/criminal.
|
|Companies usually trust their admins of different domains but 
|might want to protect them against accidential mistakes or 
|gaining rights easily. A different domain would be sufficient 
|then. However if you want to protect yourself against admins 
|with criminal energy (and I

RE: [ActiveDir] slightly OT: MissionControl for MIIS

2005-10-17 Thread Gil Kirkpatrick
Hi David,

The licensing scheme is per-production-MIIS-server-processor (like
MIIS), plus a charge for each 5 management agents. Test servers, or
processors not used by MIIS aren't counted. The rest of the questions
I'll leave to others, as I suspect my opinions are biased :)

You might get more feedback on MIIS-related topics from the MMSUG Yahoo
group.

-gil

CTO, NetPro

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McClure David
Sent: Monday, October 17, 2005 9:19 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] slightly OT: MissionControl for MIIS


Hi listers,

I'm considering MIIS for a project and haven't been able to find much non-MS information about MIIS out there on the web.  Hoping for help from y'all.

One of the minor knocks against MIIS seems to be a lack of mgmt/troubleshooting tools.  NetPro claims to have filled this gap with MissionControl for MIIS.  Does anyone have any experience with this tool that you'd be willing to share?  I'm interested in high-level stuff at this point, such as:  What's the licensing scheme?  In your opinion, does MissionControl fulfill its promises?  What's your impression of ease of implementation, usability, overall bang-for-the-buck, etc?

Thanks!


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Global Catalog

2005-10-17 Thread Gil Kirkpatrick
I think it is better to describe a domain as a policy and administration
boundary (and a replication boundary), rather than a weak security
boundary. It is more precise, and IMO, given the automatic domain trusts
in a forest, there is not much of a security boundary between domains.

And given the ease with which malware is distributed (through email and
web pages for instance), the distinction between criminal and
unintentional is thin, if not non-existent. People with criminal
intent subvert administrative machines and accounts all the time. So
even if you think your domain admin threats are all in the non-malicious
category (not a smart way to think in any case), once the domain admin
is exposed to some malware script, they've effectively taken on the
criminal intent.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Monday, October 17, 2005 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Global Catalog

|So why don't you agree with the general - forest is the 
|security boundary - statement?

Cause IMHO the domain is a security boundary against accidental security issues, the forest against malicious/criminal.

Companies usually trust their admins of different domains but might want to protect them against accidental mistakes or gaining rights easily. A different domain would be sufficient then. However if you want to protect yourself against admins with criminal energy (and I consider manipulating SID-History on purpose as criminal energy) the forest is the security boundary.

So I agree a plain vanilla statement "the domain is the security boundary" is wrong, however I don't like the same plain vanilla statement of the forest - it should be more clearly pointed out if we are talking about criminal intentions or accidental intentions (which includes "let's try quickly if we are able to ..." - does not include hacking).

Ulf 

|-Original Message-
|From: [EMAIL PROTECTED] 
|[mailto:[EMAIL PROTECTED] On Behalf Of 
|Almeida Pinto, Jorge de
|Sent: Monday, October 17, 2005 11:59 PM
|To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Global Catalog
|
|Well, I call it that way because a user can authenticate with 
|only DCs from its domain available (assuming the requirement 
|for a GC is disabled) but cannot authenticate without a DC 
|from its domain while having a GC available. You are correct 
|that any GC in the forest may be used if the GC requirement is 
|enabled (by default) or even use the crappy universal group 
|caching feature. So you need a DC from your domain to 
|authenticate and that is why a domain is called the 
|authentication boundary (at least for me ;-) )
| 
|So why don't you agree with the general - forest is the 
|security boundary - statement?
|Jorge
|
|
|
|From: [EMAIL PROTECTED] on behalf of Ulf B. 
|Simon-Weidner
|Sent: Mon 10/17/2005 11:24 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Global Catalog
|
|
|
|Hmm - I wouldn't 100% call the domain the authentication boundary.
|
|Authentication in a W2k+ Network without any mods not to rely 
|on the GC is done - as you said - via DC of the same domain 
|the account resides plus any GC of the forest - not 
|necessarily that a GC which resides in the same domain is 
|available but the logon will work.
|
|Ulf I also don't agree with the general 'Forest is the 
|security boundary'-statement B. Simon-Weidner
|
||-Original Message-
||From: [EMAIL PROTECTED]
||[mailto:[EMAIL PROTECTED] On Behalf Of 
|Almeida Pinto, 
||Jorge de
||Sent: Monday, October 17, 2005 6:47 PM
||To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
||Subject: RE: [ActiveDir] Global Catalog
||
||Yes you are correct. The answer is No. A domain within a 
|forest is the 
||authentication boundary. So when all DCs of domain other.biz are 
||unavailable the users from other.biz
||will not be able to log on as there is no DC available to 
|authenticate 
||the user at logon and create the access token.
||During logon a GC is contacted to check if universal group 
|memberships 
||exist for the user account logging on.
||
||Jorge
||
||
||
||From: [EMAIL PROTECTED] on behalf of Pete
||Sent: Mon 10/17/2005 5:57 PM
||To: ActiveDir@mail.activedir.org
||Subject: [ActiveDir] Global Catalog
||
||
||
||Hi
||
||Just a quick and easy question to profs:
||
||Can AD domain controller of one domain (one.com) with Global Catalog 
||function enabled somehow process logon request of user from different 
||domain (other.biz), in case when all domain controllers for 
|that other 
||domain (other.biz) are not reachable?
||
||I believe - no.
||Am I right?
||
||Thanks,
||
||Pete
||
||

RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Gil Kirkpatrick



shameless plug
NetPro's ChangeAuditor for AD does this without requiring 
auditing. The change log includes what was changed, before and after values, 
when, where, and by whom.
See http://www.netpro.com/products/changemanager/
/shameless plug



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Thursday, October 13, 2005 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD other than using security audit, because at the time of the deletion, I forgot to activate the audit :(

So my boss urges me to find the guilty user AND the time of deletion.
I looked for attributes in ADSI and found that there are the whenCreated and whenModified attributes but not a whenDeleted timestamp one.

Any idea ?




RE: [ActiveDir] Knowing when users were deleted.

2005-10-14 Thread Gil Kirkpatrick



I get to be Burt Reynolds! :)

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, October 14, 2005 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Ok, now you've done it Gil :-) I guess this is the geek 
version of "dueling banjos" :-)

shameless plug2
Quest's InTrust for Active Directory provides 
detailed, real-time auditing and alerting of all changes to AD and Group Policy 
Objects (GPOs), including changes to AD configuration and GPO settings. It also 
provides all information behind important changes, including who made the change 
and the before and after values all without requiring native auditing. http://wm.quest.com/products/InTrustAD/
/shamelessplug2





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, October 14, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

shameless plug
NetPro's ChangeAuditor for AD does this without requiring 
auditing. The change log includes what was changed, before and after values, 
when, where, and by whom.
See http://www.netpro.com/products/changemanager/
/shameless plug



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Thursday, October 13, 2005 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD other than using security audit, because at the time of the deletion, I forgot to activate the audit :(

So my boss urges me to find the guilty user AND the time of deletion.
I looked for attributes in ADSI and found that there are the whenCreated and whenModified attributes but not a whenDeleted timestamp one.

Any idea ?




[ActiveDir] Results of survey - Most common cause of Active Directory failures?

2005-10-10 Thread Gil Kirkpatrick
Here's the summary of the results from last week's informal survey. By far the most popular cause of AD failure is the inadvertent misconfiguration of MSFT DNS, which is interesting, because that was true 2 years ago as well. I guess some things never change.


(45 pts) C. Inadvertent misconfiguration of MSFT DNS.
(30 pts) B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
(28 pts) A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)
(22 pts) G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
(15 pts) H. Physical disaster (fire, flood, power failure, etc)
(14 pts) F. Hardware failure of a DC
(12 pts) E. Inadvertent misconfiguration of networking devices
(4 pts) J. Malicious attack by a data admin
(2 pts) K. Malicious attack by an authenticated user



I ignored anything that was ranked lower than 5th... Also interesting to note that the top three items are human error due to lack of knowledge or carelessness, the next three are physical failures nominally outside of human control. Is this because there are just too many knobs and switches on AD and DNS?

A little surprising is that there were two votes for malicious attacks by an internal source.

Some of the other failure reasons cited (no overlap, so I must have listed all the important reasons...)

Incomplete load of an IPSec filter list
Impact of a 3rd party agent or application on a DC, e.g. antivirus software
Issues with FW config that hindered replication over tombstone lifetime (may belong to E)
Corrupt AD DC database / required metadata cleanup and repromotion of DC
Misconfiguration by a previous admin, and shutting down a DC without dcpromo, or cleaning up metadata afterwards.
Inadvertently double-clicking a vbscript when someone meant to right-click and edit it :)

The two winners of the "nothing too fancy" prize are Hunter Coleman and Stuart Fuller (wait for applause to die down...) Please email your shipping particulars to me at mailto:[EMAIL PROTECTED], and I will get your gifts sent out ASAP.

I only received about 20 responses... I was expecting maybe 40 or 50. Any suggestions as to how to make this more effective (I don't have any money to spend on this, so large cash-value prizes are right out :)

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, October 05, 2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Most common cause of Active Directory "failures"?

Greetings fellow travellers,

Here's a quick, informal, non-scientific survey. Please reply to me directly at mailto:[EMAIL PROTECTED] so we don't spam the list with responses. I've got some swell gifts to give away at random to a couple of lucky respondents (nothing too fancy). I'll post the summary in a few days.

Question: *In your experience*, which are the most common causes of Active Directory "failure" (where failure is defined as failure to authenticate, authorize, replicate, or apply GPOs as expected)? List as many as you care to, in order from most common to least common. Note that I am not considering the consequences of the failure, just how frequent they are.

Just send me a response like "B, A, F" or some such, along with any commentary you might have.

A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)
B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
C. Inadvertent misconfiguration of MSFT DNS.
D. Inadvertent misconfiguration of non-MSFT DNS.
E. Inadvertent misconfiguration of networking devices
F. Hardware failure of a DC
G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
H. Physical disaster (fire, flood, power failure, etc)
I. Malicious attack by a service admin
J. Malicious attack by a data admin
K. Malicious attack by an authenticated user
L. Malicious attack by an unauthenticated user
M. Other (please specify)

Thanks for your feedback.

-gil
Gil Kirkpatrick
CTO, NetPro

Don't miss the Directory Experts Conference 2006. More information at www.dec2006.com.


RE: [ActiveDir] Results of survey - Most common cause of Active Directory failures?

2005-10-10 Thread Gil Kirkpatrick

RE: [ActiveDir] Results of survey - Most common cause of Active Directory failures?

2005-10-10 Thread Gil Kirkpatrick

We usually do a big "State of the AD World" survey at DEC, and certainly will again in Vegas (assuming there are some people left in the room who haven't already headed out to the casino. :)

I needed some answers sooner than later for a whitepaper I was working on.

-gil


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, October 10, 2005 1:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?


Why not just ask the people at DEC - a captive audience of some of the most knowledgeable AD people anywhere. Or were you hoping for answers prior to then?


mc

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.


RE: [ActiveDir] Results of survey - Most common cause of Active Directory failures?

2005-10-10 Thread Gil Kirkpatrick



Interesting idea... what say you joe?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Monday, October 10, 2005 7:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

Start a blog? :)

Since that takes some time to get traffic, perhaps joe would be willing to post your survey on his blog? I imagine he gets some good traffic to his blog.

Phil


RE: [ActiveDir] Adding custom fields to AD

2005-10-08 Thread Gil Kirkpatrick
Much of AD's heritage lies in the old Exchange directory, which was
ESE-based.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, October 08, 2005 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

 One thing I am curious about though is why MS opted for JET  
 as the DB of choice for AD.. was it the only viable option 
 at the time ? 

What do you feel is wrong with ESE (aka Jet Blue)?


 What's the ceiling on actual database size before it caves in
(performance-wise)? 

Max size for an ESE DB for AD is ~16TB (8KB pages * 2147483646 max pages [1]). As for when it caves perf wise from an AD standpoint it really depends on what you are doing with it and what you have indexed from what I have seen. If someone is issuing crappy inefficient queries it will seem to be pretty slow pretty fast with relatively little data.

The largest DB I have seen in production has been ~20GB and that was with W2K on a GC and a bunch of that data shouldn't have been in the AD like duplicated ACEs and misc unneeded objects, etc. Going to K3 would probably reduce that DB to about 10-12GB or better due to single instance store, cleanup would reduce it even further. One Fortune 5 company I have worked with had a K3 GC DB in the area of 5GB and that was for some 250,000 users with Exchange and multiple custom attributes.

  joe

[1] See the docs for JetCreateDatabase -
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ese/ese/jetcreatedatabase.asp?frame=true



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Friday, October 07, 2005 9:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

That's a good point about plonking stuff in AD: a case of once a good thing comes along everyone wants to climb aboard. I remember doing ZENworks stuff with Novell where all the application configuration information for software distribution was shunted into NDS/E-Directory... all that bloat adds up replication-wise (still, at least there was partitioning).

One thing I am curious about though is why MS opted for JET as the DB of choice for AD.. was it the only viable option at the time? What's the ceiling on actual database size before it caves in (performance-wise)?

Mylo

joe wrote:

I am going to basically say what the others said, only I am going to put it this way:

IF the data needs to be available at all locations or a majority of locations where your domain controllers are located, consider adding the data to AD.

IF the data is going to be needed only at a couple of sites or a single site, put them into another store. My preference being AD/AM unless you need to do some complicated joins or queries of the data that LDAP doesn't support.

There is also the possibility of using app partitions but if you were going to go that far, just use AD/AM.

The thing I have about sticking this data into AD is that AD is becoming, in many companies, a dumping ground of all the crap that was in all the other directories in the company. I realize this was the initial view from MS on how this should work but I worked in a large company and thought that was silly even then.

The number one most important thing for AD is to authenticate Windows users. Every time you dump more crap into AD you are working towards impacting that capability or the capability to quickly restore or the ability to quickly add more DCs. The more I see the one stop everything loaded into ADs the more I think that the NOS directory should be NOS only. Plus, I wonder how long before we hit some interesting object size limits. I have asked for details from some MS folks a couple of times on the issues with admin limit exceeded errors that you get when overpopulating a normal multivalue attribute (i.e. not linked) and it causing no other attributes to be added to the object. I wonder what other limits like that exist.



   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, August 09, 2005 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding custom fields to AD

Group,

My manager wanted me to check; even though I don't think that it is possible, I will present the question.

He would like to add some custom fields, about 30, to AD. He would like to add bio information into AD to be pulled by Sharepoint and other applications for people to read. I think that this is a waste of time, space and effort. However, it is not my call and if this is what he wants

What are everyone's thoughts on the topic?

Thanks
S
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/

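The two things joe ties ESE performance to in the thread above are how big the DIT has grown and what is indexed. The following is an added example, not code from the thread or from any of its posters, that reports both for every DC in the domain. It assumes the ActiveDirectory RSAT module, PowerShell remoting to the DCs, and an account that can read the schema and the NTDS registry key; the function names are mine.

```powershell
# Added example (not from the thread): size up each DC's ntds.dit and list
# which attributes are indexed, the two inputs joe says drive ESE performance.
# Assumes: ActiveDirectory module, PS remoting to each DC, read access to
# HKLM\...\NTDS\Parameters. Function names are hypothetical.
Import-Module ActiveDirectory

function Get-DitSize {
    # 'DSA Database file' is the NTDS registry value that names ntds.dit on a DC.
    foreach ($dc in Get-ADDomainController -Filter *) {
        Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            $p   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
            $dit = Get-Item $p.'DSA Database file'
            [pscustomobject]@{
                DC     = $env:COMPUTERNAME
                Path   = $dit.FullName
                SizeGB = [math]::Round($dit.Length / 1GB, 2)
            }
        }
    }
}

function Get-IndexedAttributes {
    # searchFlags bit value 1 = attribute is indexed. The OID below is the
    # LDAP_MATCHING_RULE_BIT_AND extensible-match rule, so the filter selects
    # attributeSchema objects with that bit set. isMemberOfPartialAttributeSet
    # shows whether the attribute is also carried to every GC (joe's 20GB GC case).
    $schema = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schema `
        -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))' `
        -Properties lDAPDisplayName, searchFlags, isMemberOfPartialAttributeSet |
      Select-Object lDAPDisplayName, searchFlags, isMemberOfPartialAttributeSet |
      Sort-Object lDAPDisplayName
}

# The ESE ceiling joe cites: 8 KB pages * 2147483646 pages, expressed in TB.
$eseMaxTB = [math]::Round(8KB * 2147483646 / 1TB, 1)

Get-DitSize           | Format-Table -AutoSize
Get-IndexedAttributes | Format-Table -AutoSize
"ESE per-database ceiling: about $eseMaxTB TB; compare with SizeGB above."
```

Run it from a management workstation before and after a schema extension such as the 30 bio attributes Steve describes: any new attribute that shows up in the second table is one every query planner on every DC now pays for, and any attribute with isMemberOfPartialAttributeSet set is replicated to every GC in the forest, not just the domain.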

RE: [ActiveDir] Server Roles

2005-10-06 Thread Gil Kirkpatrick
As you mentioned, this topic has been debated frequently on this list.
Running other services on a DC raises the hackles on the back of my
neck, and I expect that most on the list will have similar reactions.
And you've listed most of the reasons why the proposed deployment would
be a bad idea. But truthfully, the right answer has to be based on a
proper risk assessment for your client's environment. I think in the
past most people either a) never did a risk assessment, or b) didn't
understand the risks with branch office DCs running multiple services.
Consequently, most AD professionals now default to "it's pure insanity"
when asked about this kind of deployment. The answer of course, as with
most everything, is "it depends."

Because every organization has different perceptions of and
sensitivities to different kinds of threats (some organizations have a
high tolerance for service failure, but a low tolerance for trade-secret
theft, for instance), and because the threat profile is different for
each organization (how protected are the remote DCs? How accessible is
the network? How effective is patch deployment?) the only way to
evaluate the proposed deployment is to do a proper risk analysis in the
context of the organizational environment.

So if I were faced with this situation, I would recommend a threat
assessment and risk analysis project to evaluate the risks associated
with this sort of deployment. A good paper is Butler and Fishbeck's
Multi-Attribute Risk Assessment
http://www.cs.cmu.edu/~Compose/paper_abstracts/butler-fishbeck-02.html,
but your favorite CISSP text covers it as well. Because you understand
the threats and risks in the proposed deployment, you can make sure that
they are properly represented in the analysis, and the customer can
weigh the (definite) costs of additional servers against the (potential)
costs of a security failure.

That all being said, I think that running Exchange, SMS, or IIS on a DC
is a Really Bad Idea (tm).

My $.25...

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Thursday, October 06, 2005 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Server Roles

Hi All,

It's a well-trodden path (in these forums anyway) that I'm about to discuss, but I'd like to get our resident experts' 10 cents worth on a rather interesting issue I've run into.. I'm working at a client, reviewing an AD design, where 2 support providers are providing a migration path to an AD2003/Exchange 2003 solution (from NT4/Ex5.5). One of the providers is responsible for AD (desktop/SMS/File and Print) design and the other E-Mail design/deployment. This is a single forest/single domain solution where both have agreed to work in concert, together in the spirit of harmony and SLAs... There's a possibility that proxy tools may be used (e.g. Aelita/Quest type tooling) to 'limit' or delegate AD activities for each party, with these interfaces largely limited to managing AD delegation of OU/user/group/machine objects ... resource management (AV/Backup/SMS/DHCP/DNS/WINS etc) still requires native or 3rd party tooling.

The problem lies in the fact that the client (on the advice of the support provider) has opted for consolidating File and Print / SMS / AD roles onto a single server at sites of up to around 200 users. Above this size the solution scales out to multiple servers, but continues to adhere to the principle of dual role, namely placing File and Print together with domain controllers and/or SMS and IIS together with a domain controller. In the legacy solution these roles were separated onto different servers and the file and print locally managed (also meaning that there's an awful lot of crap that will be migrated into AD as a result of combining these roles into one box) ... The combined role approach was given the green light largely for (I believe) cost reasons, but I do have *ahem* a number of concerns with this approach.

Security
=
- multiple roles on a single server and no-no's such as placing IIS and SMS on a DC
- it tends to look at security from a 'top down' perspective (i.e. it's a single AD provider therefore we're safe)... I don't think this flies simply because of the implications of using 3rd party s/w such as anti-virus and backup on dual-role servers where local admin rights are required, which equates to domain admin rights; providing a rather scary escalation path to being able to do anything to anybody in the domain. Scenarios where the AD provider outsources to another party (e.g. in smaller countries): if A (the client) trusts B (the support provider) who trusts C (outsourcee), should A trust C? ... I knew trusts would come in handy one day :-)

Stability
=
- Print Services on domain controllers
- Migrating clutter off the legacy file and print into AD (10,000's local/global groups)
- If there's a mail server on-site with a combined server then e-Mail

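Mylo's security points above come down to two checks a reviewer can actually run: which DCs carry extra roles (IIS, file, print, SMS), and who holds "local admin" on them, which on a DC is BUILTIN\Administrators for the whole domain. The following is an added example, not code from the thread or from either poster, that performs both checks. It assumes Windows Server 2008 R2 or later DCs with the ServerManager and ActiveDirectory modules, PowerShell remoting, and the standard feature names for IIS, file server and print server; the SCCM/SMS client is detected by its CcmExec service rather than as a feature, and the function names are mine.

```powershell
# Added example (not from the thread): find DCs that also host the roles Mylo
# lists, and enumerate BUILTIN\Administrators, which on a DC is domain-wide.
# Assumes: Server 2008 R2+ DCs, ServerManager + ActiveDirectory modules,
# PS remoting. Feature names and the CcmExec service name are assumptions.
Import-Module ActiveDirectory

$rolesToFlag = 'Web-Server', 'FS-FileServer', 'Print-Server'

function Get-DcCoLocatedRoles {
    foreach ($dc in Get-ADDomainController -Filter *) {
        Invoke-Command -ComputerName $dc.HostName -ArgumentList (,$rolesToFlag) -ScriptBlock {
            param($names)
            Import-Module ServerManager
            $installed = Get-WindowsFeature -Name $names |
                         Where-Object Installed |
                         Select-Object -ExpandProperty Name
            # The SMS/SCCM client ("SMS Agent Host") is a service, not a feature.
            $smsSvc = Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue
            [pscustomobject]@{
                DC         = $env:COMPUTERNAME
                ExtraRoles = ($installed -join ',')
                SmsClient  = [bool]$smsSvc
            }
        }
    }
}

function Get-DomainAdministrators {
    # A DC has no separate local Administrators group: BUILTIN\Administrators
    # (well-known SID S-1-5-32-544) is the domain's. Any account given "local
    # admin" on a DC for an AV or backup agent therefore administers every
    # object in the domain, which is the escalation path Mylo describes.
    Get-ADGroupMember -Identity 'S-1-5-32-544' -Recursive |
      Select-Object name, objectClass, distinguishedName
}

Get-DcCoLocatedRoles | Where-Object { $_.ExtraRoles -or $_.SmsClient } | Format-Table -AutoSize
Get-DomainAdministrators | Format-Table -AutoSize
```

Every row in the first table is a DC whose attack surface is no longer just LDAP, Kerberos and replication; every service account or outsourcer account in the second table has, in effect, Domain Admin rights, regardless of what the delegation tooling between the two providers allows.
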
[ActiveDir] Anyone ever run into this problem?

2005-10-05 Thread Gil Kirkpatrick

I haven't seen this myself, and I was curious if anyone else had.


http://support.microsoft.com/default.aspx?scid=kb;en-us;898613


-gil


Gil Kirkpatrick

CTO, NetPro


Don't miss the Directory Experts Conference 2006. More information at www.dec2006.com.




