RE: [ActiveDir] Largest AD DIT
Do you mean biggest production DIT? ~Eric made a 2^31-1 object DIT in the test lab... in fact he's going to talk about that at DEC.

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, January 19, 2007 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Largest AD DIT

Hey, has anyone been keeping track of the largest AD database? I seem to remember a few years ago it was an online email company. I'm curious if that has changed.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
RE: [ActiveDir] Client time sync
And w32tm /monitor will show to what machine it is actually syncing, if any.

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, January 10, 2007 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Client time sync

Try the command...

w32tm /resync /rediscover

See if that helps the client figure out where it should look for time.

~Ben

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, January 10, 2007 2:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Client time sync

I have a machine (at least one I know of) that isn't syncing time with the domain controller it's logging into. I've restarted the win32time service on it to see if that would sync it, and it doesn't. Any suggestions on where to start? The DC and the client are off by about 9 minutes.
RE: [ActiveDir] OT: Hello?
Only if you had to install Linux.

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, January 04, 2007 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Hello?

Hey, Santa brought me a coupon for a new home computer; I redeemed the coupon and built the system. Doesn't that count as work??

Dan

-----Original Message-----
Subject: RE: [ActiveDir] OT: Hello?
From: Crawford, Scott [EMAIL PROTECTED]
Date: Thu, January 04, 2007 3:35 pm
To: ActiveDir@mail.activedir.org

I've seen a few today, but the list has been quite slow for the last week or so. Come on guys, the holidays are the time to actually get stuff done :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Thursday, January 04, 2007 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Hello?

I haven't seen a single e-mail from the mailing list since yesterday morning. Is anyone else seeing this e-mail? Has anyone else received e-mails since then? Just curious if the list has just been dead for the past day, or if something might not be working properly.

~Ben
[ActiveDir] Directory Experts Conference Early-bird pricing expires this week
Greetings, list mavens.

The early-bird pricing for DEC 2007 expires this week, so if you're thinking about coming, now would be a good time to register. Some of the highlights of this year's conference:

1. Hands-on Longhorn AD workshop
2. Hands-on MIIS "Raven" workshop
3. Hands-on ADFS workshop
4. Keynotes by Kim Cameron (Microsoft architect for identity) and Peter Houston (Microsoft Senior Director for Identity and Access)
5. Walkthrough and feedback sessions for MIIS "Raven"
6. Two full tracks of AD technical sessions
7. Two full tracks of MIIS technical sessions
8. Sessions on ADFS, Certificate Lifecycle Manager, InfoCard, and Rights Management Server

So now's the time... Check the agenda and register at www.dec2007.com.

Thanks,

Gil Kirkpatrick
Conference Founder
MVP, Directory Services
[ActiveDir] Directory Experts Conference 2007
Greetings, list denizens.

The next Directory Experts Conference is scheduled for April 22-25 at the Red Rock Resort in Summerlin, NV. DEC is the premier conference focused on Microsoft Identity and Access technologies, including AD, AD/AM, MIIS, ADFS. New this year are sessions on Certificate Lifecycle Manager (CLM) and Rights Management Server (RMS). DEC 2007 will also include pre-conference workshops for Longhorn AD, MIIS (using the latest "Raven" bits), ADFS, and possibly InfoCard. You can find out more about DEC at www.dec2007.com.

DEC is fundamentally a community event, which brings me to the reason I'm posting this to the list: We are still in the midst of organizing the conference, and I would like to solicit your input before we nail everything down. I've set up a wiki for the speakers and organizers (for those of you so uncool as to not know what a wiki is, see http://en.wikipedia.org/wiki/Wiki). The wiki currently includes pages for all of the sessions, as well as each of the workshops. I would _really_ appreciate it if you could take the time to look over the site and add any questions, comments or suggestions you might have by clicking the "Add Comment" link at the bottom of each page. I'm particularly interested in your thoughts and desires for the workshops and sessions. I know the speakers would appreciate your input regarding their sessions as well. Even if you don't plan on attending DEC this year, your thoughts and questions are still valuable to me and the speakers.

The DEC wiki is at http://dec.editme.com, and is available to the public for reading and commenting. Only the speakers can actually change the pages. If you want to get email notifications of changes to the wiki, click the "Register" link and provide an email address. You'll then get an email once a day listing the URLs of the changed pages.

Here are some pages to start with:

Backpacks? Messenger bags? Or something else entirely? Make your suggestions for DEC swag at http://dec.editme.com/DEC2007Events.

Would you be interested in a half-day CardSpace workshop? See Pamela Dingle's ideas for the workshop at http://dec.editme.com/Dec2007CardspaceWorkshop and make your comments.

Any feedback on the sessions? Go to http://dec.editme.com/DEC2007Sessions.

Thanks again for your time and input, and I hope to see you at DEC next year!

-gil

Gil Kirkpatrick
DEC Founder
Meet us in Las Vegas April 22-25 for the 6th annual Directory Experts Conference http://www.dec2007.com
RE: [ActiveDir] AD Reports
Or NetPro's ReportADmin (http://www.netpro.com/products/reportadmin/index.cfm)

-gil
CTO, NetPro

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 19, 2006 2:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Reports

Quest's Reporter may help. They offer a free version as well as a full, retail version.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alberto Oviedo
Sent: 18 December 2006 16:45
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Reports

What's the best AD reporting tool? My boss wants a report of all the users who are allowed to send and receive Internet mail in Exchange 2003. I can go and check user by user, but we have over 500 users.
RE: [ActiveDir] Possibility of writing to ntSecurityDescriptor with LDAP and Unix
It's certainly doable... there are two gotchas though.

One, you need to use the 1.2.840.113556.1.4.801 (#defined as LDAP_SERVER_SD_FLAGS_OID in ntldap.h) control on the search and modify operations. This lets you set and retrieve portions of the nTSecurityDescriptor attribute. The parameter is an integer bit mask that describes what parts of the SD to return. See http://msdn2.microsoft.com/en-gb/library/aa366987.aspx. When you update the SD, be sure you set the flags only for the parts you are updating. If you don't, you'll get an error on the update.

The other thing you have to worry about is that the nTSecurityDescriptor attribute is a binary blob (ASN sequence of bytes). The blob is a self-relative security descriptor structure as defined in winnt.h (typedef'd as SECURITY_DESCRIPTOR_RELATIVE). You'll probably have to create the structure definition yourself based on what's in winnt.h. I don't know if the Samba headers have a usable definition or not.

-gil

Gil Kirkpatrick
CTO, NetPro

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Santiago, Felderi (F.)
Sent: Tuesday, December 12, 2006 12:50 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Possibility of writing to ntSecurityDescriptor with LDAP and Unix

I know this may sound crazy, but I need to write to the ntSecurityDescriptor attribute on a computer account from Unix via LDAP. Any clues? Essentially, what I am trying to do is query the ntSecurityDescriptor attribute of an object already in AD to see the value, and would like, moving forward, to set the same value on a specific object. Why LDAP from Unix? Well, I am dealing with Unix admins who hate Windows and want to do everything Unix. Any tips or tricks would be greatly appreciated. Thank you!
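The two gotchas above in working code, as an added example that is not from the thread and not NetPro's or Samba's code: the first function BER-encodes the value of the LDAP_SERVER_SD_FLAGS_OID control (SEQUENCE of one INTEGER holding the SECURITY_INFORMATION bits), and the rest decodes the self-relative blob that comes back in nTSecurityDescriptor by walking SECURITY_DESCRIPTOR_RELATIVE, ACL, ACE_HEADER and SID exactly as winnt.h lays them out. Only the Python standard library is used; the python-ldap call named in a comment is an assumed usage, and the descriptor built at the bottom is constructed for the demo rather than read from a directory.

```python
"""Encode the SD_FLAGS control value and decode a self-relative security
descriptor (winnt.h / MS-DTYP layouts). Added example; sample SD is constructed."""
import struct

SD_FLAGS_OID = "1.2.840.113556.1.4.801"
# SECURITY_INFORMATION bits: the control value selects which parts of the SD
# are returned on a search or touched on a modify.
OWNER_SECURITY_INFORMATION = 0x1
GROUP_SECURITY_INFORMATION = 0x2
DACL_SECURITY_INFORMATION = 0x4
SACL_SECURITY_INFORMATION = 0x8

SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
ACE_TYPE_NAMES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED",
                  0x05: "ACCESS_ALLOWED_OBJECT", 0x06: "ACCESS_DENIED_OBJECT"}


def sd_flags_control_value(flags):
    """BER-encode SEQUENCE { INTEGER flags }. Assumed usage with python-ldap:
    ldap.controls.RequestControl(SD_FLAGS_OID, True, value) in serverctrls."""
    if not 0 < flags <= 0xF:
        raise ValueError("flags must combine OWNER/GROUP/DACL/SACL bits")
    inner = bytes([0x02, 0x01, flags])        # INTEGER, one content byte
    return bytes([0x30, len(inner)]) + inner  # SEQUENCE wrapper


def parse_sid(buf, off):
    """SID: revision, sub-authority count, 6-byte big-endian authority, LE subs."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def parse_acl(buf, off):
    """ACL header (8 bytes) followed by AceCount ACEs of AceSize bytes each."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        mask = struct.unpack_from("<I", buf, pos + 4)[0]
        sid_off = pos + 8
        if ace_type in (0x05, 0x06):
            # Object ACEs (AD property/extended-right grants) carry a Flags DWORD
            # and one 16-byte GUID per set bit in Flags & 0x3 before the SID.
            obj_flags = struct.unpack_from("<I", buf, pos + 8)[0]
            sid_off += 4 + 16 * bin(obj_flags & 0x3).count("1")
        aces.append({"type": ACE_TYPE_NAMES.get(ace_type, hex(ace_type)),
                     "flags": ace_flags, "mask": mask, "sid": parse_sid(buf, sid_off)[0]})
        pos += ace_size
    return aces


def parse_security_descriptor(buf):
    """SECURITY_DESCRIPTOR_RELATIVE: Revision, Sbz1, Control, then four offsets."""
    rev, _sbz1, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    return {"control": control,
            "owner": parse_sid(buf, o_owner)[0] if o_owner else None,
            "group": parse_sid(buf, o_group)[0] if o_group else None,
            "sacl": parse_acl(buf, o_sacl) if o_sacl and control & SE_SACL_PRESENT else None,
            "dacl": parse_acl(buf, o_dacl) if o_dacl and control & SE_DACL_PRESENT else None}


# --- builders used only to construct the sample blob below ---
def build_sid(sid_str):
    rev, authority, *subs = (int(p) for p in sid_str.split("-")[1:])
    return bytes([rev, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_ace(ace_type, ace_flags, mask, sid_str):
    sid = build_sid(sid_str)
    return struct.pack("<BBHI", ace_type, ace_flags, 8 + len(sid), mask) + sid


def build_sd(owner, group, dacl_aces):
    owner_b, group_b = build_sid(owner), build_sid(group)
    body = b"".join(dacl_aces)
    dacl_b = struct.pack("<BBHHH", 4, 0, 8 + len(body), len(dacl_aces), 0) + body  # ACL_REVISION_DS
    o_owner, o_group = 20, 20 + len(owner_b)
    o_dacl = o_group + len(group_b)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, o_owner, o_group, 0, o_dacl)
    return header + owner_b + group_b + dacl_b


# Constructed sample: made-up domain SID, full control for RID 512, read for Authenticated Users.
SAMPLE_SD = build_sd("S-1-5-21-1000-2000-3000-512", "S-1-5-21-1000-2000-3000-512",
                     [build_ace(0x00, 0x00, 0x000F01FF, "S-1-5-21-1000-2000-3000-512"),
                      build_ace(0x00, 0x00, 0x00020094, "S-1-5-11")])

if __name__ == "__main__":
    print(sd_flags_control_value(DACL_SECURITY_INFORMATION).hex())
    print(parse_security_descriptor(SAMPLE_SD))
```

To follow Gil's advice on the write side, send the modified blob with the control value set to only the bit you changed (DACL_SECURITY_INFORMATION when you edited the DACL); since a DACL write on a computer object hands out rights such as full control, treat a script that does this as a privileged operation and audit its runs.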
RE: [ActiveDir] Quest Recovery Manager
Just to give an idea of how insane it can get...

A good friend of mine works at a software company (not in the Microsoft space)... let's call it company G. Company G is small (300 people or so) and privately held, with a superior product. Company G's main competition is Company W, a large, bloated publicly held company, with a decidedly inferior product. Company W hasn't developed anything innovative in years... all their new products have come through acquisitions.

Now check this out: Company G has a competitive sales program for Company W's customers. If a customer has decided on Company W, for whatever reason, and there is no way that they will buy Company G's product, Company G will work with the customer to provide a competitive bid *just to drive Company W's prices down.* The customer doesn't even have to look at Company G's products.

Now THAT's ruthless sales behavior!

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Thursday, December 07, 2006 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

I would say companies competing via innovative features benefit customers more than just low-balling each other in this space / vertical market.

And just like a free puppy... If you don't train it... you eventually have to call in the Directory Whisperers. I think I might have just found some inspiration for a new TV show.

Todd

-----Original Message-----
From: Martin Tuip [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 8:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Quest Recovery Manager

Competition benefits customers.

Martin

----- Original Message -----
From: Gil Kirkpatrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, December 06, 2006 7:46 PM
Subject: RE: [ActiveDir] Quest Recovery Manager

It gets even nuttier in competitive situations. Bring in the NetPro products for eval, and watch how fast the Quest price goes to zero. It's like the old Crazy Eddie's TV ads in New York. Of course it's free like a puppy... :)

-gil

From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 12/6/2006 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

"The Quest guys told me the other day they had a lot of leeway on some pricing for one of my clients so I'm wondering if this is the end of the year for the salesmen and they need to make their year this month (if so this is an excellent time to buy Quest software)"

Ha! Show me a sales person from ANY software company who doesn't get that wide-eyed, crazed, foaming-at-the-mouth look in his or her eye around quarter-end or year-end and I'll show you a sales person that is about to be fired. It's part of the game. Gotta make quota, esp. at year end, and to do that, you gotta discount! I would think most IT shops are wise to it by now. It's kind of a sick dance we all do :)

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, December 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Yeah. Sit down with your team and figure out what it is you need - must have, would like to have, and nice to have. Then, tell all the vendors you want a little webinar (they love these), and then compare your notes after each/all of them again. Rule out any ones now that don't do the trick. Then go get ready to have it shoved way up your ass when they give you the pricing. Then you can suggest (if they haven't already) that they come discuss it further and plan on a lunch/dinner or two on their dime while you further discuss how expensive their stuff is and what they can do for you to make it more attractive. The Quest guys told me the other day they had a lot of leeway on some pricing for one of my clients, so I'm wondering if this is the end of the year for the salesmen and they need to make their year this month (if so this is an excellent time to buy Quest software).

Now that said, I've worked in a few large shops, and we haven't had any of this frilly fancy shit. It's expensive, I hate the per head/per seat/per whatever pricing, and frankly all I think it does is idiot-proof what's already there. Rather than having something do it for you, why don't you learn how it does it, because then you'll be smarter, and you can go get a new better job with your new-found talents. That said, there is some cool shit from Quest and NetIQ and those guys - I'm into the change control/management stuff in shops where there are too many cooks in the kitchen. Quest's migration stuff is of course great if you can afford it.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Wednesday
RE: [ActiveDir] Quest Recovery Manager
<shameless plug>
NetPro has an AD data recovery product called RestoreADmin that competes very well with the Quest product. It solves the AD object recovery problem nicely. See http://www.netpro.com/products/restoreadmin/index.cfm.
</shameless plug>

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 7:37 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quest Recovery Manager

Todd, thanks for your insight. Good points to think about.

James Masters
Systems Architecture and Engineering
The Kroger Co.
Office: (859) 363-2346
Cell: (859) 653-8644

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Wednesday, December 06, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Quest Recovery Manager

Same here... Good stuff.

To be fair though, most of the major AD players have these tools now. The thing about the Quest (Aelita) tool was its use of their own APIs to address issues like Domain Local Groups etc. I haven't kept up with the latest versions, so I am not sure what direction they have gone since 2003. Latest information I remember was they offered you the option to use the MS API methods for recovery, or their special brew for more advanced recovery options.

Now if you put some extra effort into your query, you might get this thread nice and hot, and generate input from people like Stuart Kwan discussing supportability issues using the various recovery methods, Guido Vladimir discussing in great depth the inherent problems of group recovery, various opinions on how to use isolated sites with rubber chickens, MIIS, ADAM to reanimate deleted objects (this seems to be a favorite topic of Gil's to use to fill in spots at DEC)... did I forget anyone... hmm, maybe Robbie might take time away from work on his Fields Medal or latest cookbook to write you a Monad shell script that Joe will find a way to compile into a .exe to execute from an ADFIND query pipe.

In all seriousness though, when evaluating DR features for AD you will have a lot of things to consider, technologies being just one. The nature of the type of AD objects you want to recover and in what state should be considered (groups, GPOs, etc., attribute data). How much time do you want to dedicate to this operation? How much do you want to spend? And who will support you if the recovery operations fail or seem to cause more problems?

If you are looking just to recover deleted users, the various free tools out there will do just fine. I highly recommend that you start your DR project today by just using the good old MS backup utility at a minimum to make an MST formatted backup of the system state and data from a domain controller in each of the domains you think has the most current AD data in your organization. That pretty much guarantees you can recover every object given that you have the data in some backup.

And to all the people I mentioned above: Happy Holidays... and New Year.

Todd

-----Original Message-----
From: Day, James (NPS)
Sent: Wednesday, December 06, 2006 8:03 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Quest Recovery Manager

Hi James

We bought this when it was an Aelita tool and loved the product - it pretty much paid for itself in one step the second month we were using it. The product is still good, but I have nothing good to say about Quest support (but I could complain for hours about it if I am allowed to). There are a couple of other similar ones that may also be worth it.

Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-354-1464
202-230-2983 (CEL)
[EMAIL PROTECTED]

From: [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Date: 12/05/2006 05:11 PM EST
Subject: [ActiveDir] Quest Recovery Manager
Please respond to ActiveDir@mail.activedir.org

Does anybody have anything particularly good or bad to say about Quest's Recovery Manager product? We are evaluating it for 2 forests and 3 domains. As always, thanks for all of your insight and expertise.

-James
RE: [ActiveDir] Quest Recovery Manager
It gets even nuttier in competitive situations. Bring in the NetPro products for eval, and watch how fast the Quest price goes to zero. It's like the old Crazy Eddie's TV ads in New York. Of course it's free like a puppy... :)

-gil

From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 12/6/2006 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

"The Quest guys told me the other day they had a lot of leeway on some pricing for one of my clients so I'm wondering if this is the end of the year for the salesmen and they need to make their year this month (if so this is an excellent time to buy Quest software)"

Ha! Show me a sales person from ANY software company who doesn't get that wide-eyed, crazed, foaming-at-the-mouth look in his or her eye around quarter-end or year-end and I'll show you a sales person that is about to be fired. It's part of the game. Gotta make quota, esp. at year end, and to do that, you gotta discount! I would think most IT shops are wise to it by now. It's kind of a sick dance we all do :)

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, December 06, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Yeah. Sit down with your team and figure out what it is you need - must have, would like to have, and nice to have. Then, tell all the vendors you want a little webinar (they love these), and then compare your notes after each/all of them again. Rule out any ones now that don't do the trick. Then go get ready to have it shoved way up your ass when they give you the pricing. Then you can suggest (if they haven't already) that they come discuss it further and plan on a lunch/dinner or two on their dime while you further discuss how expensive their stuff is and what they can do for you to make it more attractive. The Quest guys told me the other day they had a lot of leeway on some pricing for one of my clients, so I'm wondering if this is the end of the year for the salesmen and they need to make their year this month (if so this is an excellent time to buy Quest software).

Now that said, I've worked in a few large shops, and we haven't had any of this frilly fancy shit. It's expensive, I hate the per head/per seat/per whatever pricing, and frankly all I think it does is idiot-proof what's already there. Rather than having something do it for you, why don't you learn how it does it, because then you'll be smarter, and you can go get a new better job with your new-found talents. That said, there is some cool shit from Quest and NetIQ and those guys - I'm into the change control/management stuff in shops where there are too many cooks in the kitchen. Quest's migration stuff is of course great if you can afford it.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Wednesday, December 06, 2006 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

I don't think there are many independent rankings out there. You have to figure that Windows ITPro and SearchWindows are probably the easiest sources to get access to online, but they are influenced by ad dollars sometimes. It is possible that Burton Group and possibly Gartner have done some research, but I doubt it. I know that Directions on Microsoft hasn't covered it. It is a pretty niche topic.

I think the best way to approach this is to have a good old-fashioned bake-off of the technologies. Depending on how big a player you are, you can probably get Quest, NetPro, Veritas, and CommVault to step up. I would say that all the technologies are pretty stable at the moment; there isn't a lot of innovation going on anymore, so it is pretty hard to make a mistake choosing one of these products.

Todd

From: Tim Onsomu [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 2:06 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

Does anybody know what independent rankings look like for AD DR tools?

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Wed 12/6/2006 9:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Quest Recovery Manager

<shameless plug>
NetPro has an AD data recovery product called RestoreADmin that competes very well with the Quest product. It solves the AD object recovery problem nicely. See http://www.netpro.com/products/restoreadmin/index.cfm.
</shameless plug>

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, December 06, 2006 7:37 AM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED
RE: [ActiveDir] Pointsec software vs. Active Directory
It's curious you saw significant disk I/O with no corresponding increase in LDAP activity. Is the application running on the DC in your test environment? Is it generating a lot of authentication traffic?

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, November 28, 2006 11:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Pointsec software vs. Active Directory

Vincent-

I have no idea what Pointsec is or does; perhaps you could share a little bit about this. What are the characteristics of the domain controllers in your test forest? How much memory? Disk config? How big is the DIT?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of De Potter Vincent
Sent: Tuesday, November 28, 2006 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Pointsec software vs. Active Directory

Hi,

My organisation is looking into testing and implementing Pointsec software for encryption purposes for our client environment. I'm responsible for the Directory service and they've asked me to participate. I've set up a development forest and let the Pointsec team loose on that one. I activated some perfmon counters to see the impact on one DC. Regarding LDAP queries it was quite OK (only 1 reference to an expensive one), but I saw some implication on the physical disks of the machine, which were hit quite heavily. Also a colleague of mine could remember from his previous company that the roll-out of that software brought some issues along.

Does anyone of you have experience with the implementation of Pointsec and the impact on the directory service (especially the boxes) in a large environment?

_
Vincent De Potter
Volvo Information Technology
RE: [ActiveDir] Pointsec software vs. Active Directory
And what does it actually do with all the changed AD objects?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of De Potter Vincent
Sent: Tuesday, November 28, 2006 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Pointsec software vs. Active Directory

Hi Gil,

No, it's running on a dedicated server targeting that DC. Authentication from the software's service account is quite numerous, let's say :-) There's enough LDAP activity, but not in an expensive way.

This is what it does:

The ADScanner uses the ADSI (Active Directory Services Interface) and LDAP (Lightweight Directory Access Protocol) when searching for changes (default port 389) in a Domain. The ADScanner works with USN (update sequence number) queries using the uSNChanged attribute. It uses the uSNChanged attribute of an AD object to retrieve changes. When an AD object is modified on a domain controller, it sets the uSNChanged of the object to a value that is larger than the value of the uSNChanged attribute for all other objects held on that domain controller. The object with the highest value of the uSNChanged attribute is then the most recently changed object on the domain controller. The domain controller holds the highest uSNChanged value in the highestCommittedUSN attribute.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: dinsdag 28 november 2006 20:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Pointsec software vs. Active Directory

It's curious you saw significant disk I/O with no corresponding increase in LDAP activity. Is the application running on the DC in your test environment? Is it generating a lot of authentication traffic?

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, November 28, 2006 11:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Pointsec software vs. Active Directory

Vincent-

I have no idea what Pointsec is or does; perhaps you could share a little bit about this. What are the characteristics of the domain controllers in your test forest? How much memory? Disk config? How big is the DIT?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of De Potter Vincent
Sent: Tuesday, November 28, 2006 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Pointsec software vs. Active Directory

Hi,

My organisation is looking into testing and implementing Pointsec software for encryption purposes for our client environment. I'm responsible for the Directory service and they've asked me to participate. I've set up a development forest and let the Pointsec team loose on that one. I activated some perfmon counters to see the impact on one DC. Regarding LDAP queries it was quite OK (only 1 reference to an expensive one), but I saw some implication on the physical disks of the machine, which were hit quite heavily. Also a colleague of mine could remember from his previous company that the roll-out of that software brought some issues along.

Does anyone of you have experience with the implementation of Pointsec and the impact on the directory service (especially the boxes) in a large environment?

_
Vincent De Potter
Volvo Information Technology
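The uSNChanged polling loop that the quoted ADScanner description sketches, as an added example that is neither Pointsec's code nor anything posted in the thread. The domain controller is an in-memory stand-in that models only what the poller relies on: each originating write stamps the object with a uSNChanged above every other object's on that DC, and RootDSE's highestCommittedUSN is the high-water mark. Because USNs are per-DC values that do not replicate, the poller keys its cursor on the DC's invocationId and starts over when it finds itself talking to a different one; that restart is a full scan of the naming context, which is where the heavy I/O on a large DIT comes from. The DC names, invocationIds and objects are constructed for the demo.

```python
"""uSNChanged change polling against a constructed stand-in for a DC.
Added example; not Pointsec's implementation."""


class FakeDC:
    """Stand-in for one domain controller's USN bookkeeping."""

    def __init__(self, invocation_id):
        self.invocation_id = invocation_id   # identifies this DC's DIT instance
        self.highest_committed_usn = 0
        self.objects = {}                    # dn -> attribute dict incl. uSNChanged

    def write(self, dn, **attrs):
        """Any originating write advances the DC's USN and stamps the object."""
        self.highest_committed_usn += 1
        obj = self.objects.setdefault(dn, {})
        obj.update(attrs)
        obj["uSNChanged"] = self.highest_committed_usn

    def root_dse(self):
        """The two RootDSE attributes the poller reads."""
        return {"highestCommittedUSN": self.highest_committed_usn,
                "invocationId": self.invocation_id}

    def search(self, lo, hi):
        """Equivalent of the LDAP filter (&(uSNChanged>=lo)(uSNChanged<=hi))."""
        hits = [(dn, dict(o)) for dn, o in self.objects.items()
                if lo <= o["uSNChanged"] <= hi]
        return sorted(hits, key=lambda kv: kv[1]["uSNChanged"])


class UsnPoller:
    """Incremental change reader in the style of the quoted ADScanner text."""

    def __init__(self):
        self.cursor = 0              # highestCommittedUSN seen at the last poll
        self.invocation_id = None    # which DC that cursor belongs to

    def poll(self, dc):
        """Return objects changed on dc since the previous poll, oldest first."""
        rootdse = dc.root_dse()
        if rootdse["invocationId"] != self.invocation_id:
            # A different DC, or one restored from backup (which gets a new
            # invocationId), has an unrelated USN sequence: start from zero.
            # That first poll returns every object in the NC, which is the
            # expensive part on a large DIT.
            self.cursor, self.invocation_id = 0, rootdse["invocationId"]
        high = rootdse["highestCommittedUSN"]
        # Bounding by `high` leaves writes that land mid-poll for the next
        # round instead of returning them twice.
        changed = dc.search(self.cursor + 1, high)
        self.cursor = high
        return changed


def demo():
    """Constructed walkthrough: initial scan, idle poll, one change, DC fail-over."""
    dc01 = FakeDC(invocation_id="3f1c0d6a-dc01")
    dc01.write("CN=alice,CN=Users,DC=example,DC=test", sAMAccountName="alice")
    dc01.write("CN=bob,CN=Users,DC=example,DC=test", sAMAccountName="bob")
    poller = UsnPoller()
    first = [dn for dn, _ in poller.poll(dc01)]      # both objects (full scan)
    idle = poller.poll(dc01)                         # nothing new
    dc01.write("CN=alice,CN=Users,DC=example,DC=test", description="moved desks")
    delta = [dn for dn, _ in poller.poll(dc01)]      # only alice
    dc02 = FakeDC(invocation_id="9b7e2a11-dc02")     # fail-over: cursor restarts
    dc02.write("CN=bob,CN=Users,DC=example,DC=test", sAMAccountName="bob")
    after_failover = [dn for dn, _ in poller.poll(dc02)]
    return first, idle, delta, after_failover


if __name__ == "__main__":
    print(demo())
```

The same loop is how most AD audit and monitoring agents, and any recon tool that wants "what changed recently", read the directory, so a service account issuing paged `(uSNChanged>=N)` searches against one DC on a schedule is exactly the traffic Vincent's perfmon counters were seeing.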
RE: [ActiveDir] OT: Computer Account in Local Administrators Group
Set the resolution to 4096x6720, and... ahh, there it is. NOW the whole ego fits on the screen. :Q

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, July 11, 2006 4:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group

Almost always ;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Deji Akomolafe
Sent: Friday, July 07, 2006 9:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group

I see the flaws in my original statement, and should have worded it differently. My interpretation of "Network Service" functionality is different from joe's. But joe is smarter than me, has some cool tools that give him much more authoritative information on these kinds of things, and he is almost always correct. So, please listen to him. If I have the time, I may come back and try to explain my interpretation.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
"Do you now realize that Today is the Tomorrow you were worried about Yesterday?" -anon

From: joe
Sent: Thu 7/6/2006 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group

A service running on ServerA as localsystem or networkservice will touch remote machines, including ServerB, with the security context of DOMAIN\ServerA, not networkservice. A service running on ServerA as localservice should touch remote machines as anonymous. At no point will configuring permissions on ServerB for networkservice give any rights to ServerA, only to processes running on the local machine (ServerB) as networkservice.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Deji Akomolafe
Sent: Thursday, July 06, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group

I see... If the service runs as LocalSystem, then it already has the highest privilege possible on that system. In this case, the vendor (or the vendor's support rep) may be asking for this simply for the "interact" portion of your statement. Without knowing what the app does, it's hard to tell. But I'd ask the vendor's rep specifically what level of access is needed to perform whatever the app is supposed to perform on the "other machine". Because, you see, if the app runs in the context of LocalSystem on ServerA and needs to do something on ServerB, the Network Service credentials will be used. If whatever is running on ServerB allows the "Network Service" account to do the job, then there is no additional config or privilege to add on ServerA. Ask the vendor if "Network Service" has the ability to successfully "interact" with the other machine in question, or if the access can be configured to accommodate the "Network Service" account.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com

From: [EMAIL PROTECTED]
Sent: Thu 7/6/2006 8:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Computer Account in Local Administrators Group

I'm definitely not wanting to do this, but a vendor was saying to do it to allow one of their services to run as Local System and be able to interact with another machine. I am very skeptical, and not allowing it.

Thanks,
James

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 05, 2006 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group

More directly - WHY are you looking to do this? What problem are you trying to solve?

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
http://www.readymaids.com/ - we know IT
http://www.akomolafe.com/

From: joe
Sent: Wed 7/5/2006 9:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group

Ultimately, anyone with physical access to the remote PC will have Admin rights over the PC in which you add the account to the admins group for. Directly, anyone who can run anything as localsystem or networkservice will have
RE: [ActiveDir] Schema Question
I never considered that the license cost of MIIS was all that high. Even if you paid list (which not many of the customers I've worked with did), it's not a huge outlay. The significant costs are in the analysis, requirements, engineering, and operations.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, June 30, 2006 10:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

Yeah, until the price of MIIS [1] comes down from its stratospheric level, and until I can look a customer in the eye and say yes, you can use MySQL or such, I won't touch MIIS with a long pole.

[1] Yes yes, MIIS is just one of many provisioning solutions. I've seen a few, and the engineering that goes into making them work at all is so intensive that I don't like to offer them as solutions.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 6/30/2006 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

You mean as in copying in ADUC... What, are you crazy?? Provisioning is the new cool key word, Deji. ;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Deji Akomolafe
Sent: Friday, June 30, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

Listen to what they say. But if you really have to set attributes, consider using user templates and populating the relevant settings that you need. Then do your user account creation using the templates.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com

From: Brian Desmond
Sent: Fri 6/30/2006 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

And anyway you should be putting quotas either in a recipient policy or manually on the attributes that control them...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Friday, June 30, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

No. Your provisioning system (e.g. MIIS, etc.) should be doing this.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 30, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Question

All,

Let me start with, I'm a total newb when it comes to Schema and Schema modifications. Is it possible to modify the schema so that every time a new user is created (via ADUC) an extension attribute is populated with a default value? Our Exchange guys would like extensionAttribute5 to be populated automatically with 100, which is the default mailbox size. Is this possible? It seems like it would be, but as I warned, I'm a newb.

Thanks,
Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] DC Configuration
OS, DIT, logs on separate spindles. Enough memory to store the DIT + overhead.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom
Sent: Thursday, June 22, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Configuration

We have some budget money to replace domain controllers this year. Not all of them but probably half of them. We've pretty much decided on 64 bit Dell PowerEdge servers. Most of the discussion is about disk configuration. Two schools of thought exist here.

1) 2x73GB 15K drives in RAID1. Carve up the volume at the OS level with 20GB or so for the OS and the remainder for NTDS, Sysvol, and system state backups
2) Two sets of 2x73 10K drives in RAID1. The first set is for the OS, the second is for NTDS, Sysvol, and system state backups.

I've always liked physically separating the OS from the application data. Others here like carving up the volume at the OS. Any thoughts, opinions, suggestions?

tia,
al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
RE: [ActiveDir] DC Configuration
Ethics? That's the stuff the guys in the other party don't have.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, June 22, 2006 3:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Configuration

Exactly... Congress: Ethics? What's that?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Thursday, June 22, 2006 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Configuration

Yea, it seemed an awfully basic question for you joe. And, of course, I fell for it. Agreed though that software RAID is like Congress creating its own ethics rules--just a bad idea all around.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, June 22, 2006 3:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Configuration

ROFL! That was more of a case of purposely refusing to acknowledge software RAID versus truly understanding what it is. I have had far more than my share of times trying to rebuild software RAID configs.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Thursday, June 22, 2006 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Configuration

Software RAID is where the OS (in this case) handles the striping of the data rather than the hardware (usually the controller).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, June 22, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Configuration

o Software RAID? What's that?
o Yeah, I am not a fan of mirrors. I like lots of spindles. But then I tend to work with big busy directories with Exchange beating on it. Being 64 bit you don't have to worry _as much_ assuming you have enough RAM to cache your entire DIT, but you still have to load that baby in the first place, so I would still recommend RAID 0+1, 10, or 5, or if you don't care about fault tolerance the fastest is RAID-0.
o I would say if you are going 64 bit, make sure you make it a priority to get enough RAM to hold your entire DIT. That is the cool thing about getting 64 bit.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, June 22, 2006 5:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC Configuration

There would be a little more to gain than that but often that's the reason. joe might point out that a two mirror configuration is not his optimal configuration. I'm pretty sure he'd also point out that compared with software RAID, he'd take that option. :) I can honestly say I'd agree with him on this one. Software mirroring for this type of application is never a good idea. The slower spindle speeds likely won't be enough of an issue to matter in your configuration. Unless you have a very large DIT (queue jokes here) or applications that pound the snot out of the individual servers, spindle speed won't be nearly as important. Since it's 64 bit you're after, spend some money on the memory and take advantage of the cache as much as you can.

Al

On 6/22/06, Noah Eiger [EMAIL PROTECTED] wrote:
What would the partitions on the first configuration gain you (over just a single C:)? I thought the idea behind placing NTDS, etc. on something _besides_ C: was to get the performance benefits of extra spindles (as in #2).

-- nme

-Original Message-
From: Al Lilianstrom [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 22, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Configuration

We have some budget money to replace domain controllers this year. Not all of them but probably half of them. We've pretty much decided on 64 bit Dell PowerEdge servers. Most of the discussion is about disk configuration. Two schools of thought exist here.

1) 2x73GB 15K drives in RAID1. Carve up the volume at the OS level with 20GB or so for the OS and the remainder for NTDS, Sysvol, and system state backups
2) Two sets of 2x73 10K drives in RAID1. The first set is for the OS, the second is for NTDS, Sysvol, and system state backups.

I've always liked physically separating the OS from the application data. Others here like carving up the volume at the OS. Any thoughts, opinions, suggestions?

tia,
al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
RE: RE : RE: [ActiveDir] AD LDAP Logging.
You can use SPA, or you can use logman and tracerpt to get detailed LDAP stats. SPA does a lot of analysis for you and diagnoses several classes of AD perf problems. Tracerpt will give you a fairly raw look at all the LDAP traffic. I covered all three in my DEC AD Performance session (which I didn't actually deliver at DEC :). It's available on the NetPro website at http://www.netpro.com/community/medialibrary.cfm.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Linehan
Sent: Friday, June 09, 2006 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE : RE: [ActiveDir] AD LDAP Logging.

It is true that SPA is not localized, but I believe the French version will be OK. The problem comes about with the localization of the perfmon data. If you have problems, post back and we can try a few workarounds, because we are only really interested in the trace data at this point, which should not be impacted.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: Friday, June 09, 2006 11:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] AD LDAP Logging.

Thank you for your answer Steve. I will install SPA on Monday and see if I can log some LDAP activities (errors, connection problems, etc...). Will this version of SPA work on a W2K3 SP1 French version?

Regards,
Yann

Steve Linehan [EMAIL PROTECTED] wrote:
I would suggest taking a look at Server Performance Advisor (SPA), assuming these are Windows Server 2003 DCs, and using it to collect and analyze the data for the DCs in question. This tool combines performance counters and the tracing data that Joe is referring to, which will allow you to get very detailed information on what is occurring. This tool will give you a peek into the new performance and monitoring capabilities that we are adding into the next versions of the OS. It will also give you hints on what we believe the performance problems are. One of these days when I get a chance I will try to write a blog entry on all of the things you can do with SPA. By the way, it also collects information for other server roles as well, such as IIS, giving you tremendous amounts of detail found nowhere else. Yes, event tracing is the future of not only performance monitoring but debugging difficult issues. You can download SPA from here: http://www.microsoft.com/downloads/details.aspx?FamilyID=09115420-8c9d-46b9-a9a5-9bffcd237da2&DisplayLang=en

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, June 09, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD LDAP Logging.

Unfortunately the logging is very basic; it will not log LDAP errors from anything I have seen. This is something I have asked for from MSFT as well, very detailed LDAP logging like you can enable with some of the other directories. Usually I hear a response of "use event tracing" but I haven't had a chance to really dig deep into that yet to see how useful it will be. It depends on whether the code is displaying error messages, but possibly a query timed out? That could be indicative of a very poor query. By default, if a query goes more than 2 minutes, it will get dropped.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: Friday, June 09, 2006 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] AD LDAP Logging.

Good point Joe. I will use perfmon to monitor the health of my DC. Another question. The web app timed out with this generic error "the serveur is down", where "the server" = my DC. At the time the web app timed out, I saw no errors about LDAP connections between my DC and the Zope server. With Field Engineering set to 5, and if the web app timed out, will an LDAP error appear in my event logs stating that a disconnection occurred?

Thanks for taking time to reply,
Cheers,
Yann

- Original message
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, 9 June 2006, 2:25:26
Subject: RE: [ActiveDir] AD LDAP Logging.

When you change that threshold you are specifying how expensive you want the query to be before AD reports it. Changing "Expensive" to 1, according to the docs, means that as soon as a query has to look at one or more entries it will be logged. So when you turn down that value, you are telling it to log pretty much everything. That being said, unless you
RE: [ActiveDir] max password age where else to look?
Think divisible by 7

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 06, 2006 12:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age where else to look?

I'll second guess joe - 91 stops people from using cyclic passwords, which use dates or quarters to generate a password, e.g. passwordq12006, passwordq22006 etc. Hopefully joe will give an authoritative response :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve
Sent: 05 June 2006 22:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] max password age where else to look?

Okay. I'll ask the question that everyone else is afraid to: why 91 and not 90?

Cheers

On 5/31/06, joe [EMAIL PROTECTED] wrote:
:o) I can imagine. Something I like to recommend to folks is to monitor password changes. Depending on how big you are you may even want to do it daily. It is a great way to keep an eye open for various issues. For instance, if passwords aren't being changed in the normal periods at the normal rates, your policy may not be working. If more than usual are being changed then possibly you have some DC issues. You will even be able to graph out the password changes and possibly find interesting trends. Oh, to go along with this, I recommend a password age of 91 days for the obvious reasons... Actually I always recommend that over 90 days.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Douglas W Stelley
Sent: Thursday, May 25, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age where else to look?

That was it, the policy needed to be re-applied. Boy did I cause hate and discontent when suddenly hundreds of users needed to change their password because they had expired!

Thanks all

joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
05/24/2006 10:41 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age where else to look?

Yeah, double-check the value you are getting back from MaxPasswordAge; if zero, check out the maxPwdAge attribute on the NC Head. Possibly your policy isn't being applied properly.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, May 24, 2006 4:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] max password age where else to look?

What do you get if just before this:

If intMaxPwdAge = 0 Then
    WScript.Echo "The Maximum Password Age is set to 0 in the " & _
        "domain. Therefore, the password does not expire."

you echo the intMaxPwdAge value? I'm wondering if you're not pulling back the max password age value correctly, either through a misspelling or some other error that prevents you from getting the value. Having used that method before, I can tell you it does work in a Windows 2000 environment and a Windows 2003 environment. Native, DFL, etc. If that doesn't work, do you get the same results with this script? http://support.microsoft.com/default.aspx?scid=kb;en-us;323750

On 5/24/06, Douglas W Stelley [EMAIL PROTECTED] wrote:
In this domain, in the default domain policy the Max Password Age is set to 90, however when I look for when the password will change using the below sample script I always get the answer "The Maximum Password Age is set to 0 in the domain. Therefore, the password does not expire." The rest of the possibilities below do work, just the password age doesn't. This is a Win2K Active Directory. I need to expire all passwords on a specific date, but before I do that I need to ensure the system will continue expiring them by age. What might I be doing wrong?

Thanks

Const SEC_IN_DAY = 86400
' userAccountControl flag: "password never expires"
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Set objUserLDAP = GetObject _
    ("LDAP://CN=myerken,OU=management,DC=fabrikam,DC=com")
intCurrentValue = objUserLDAP.Get("userAccountControl")

If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
    Wscript.Echo "The password does not expire."
Else
    dtmValue = objUserLDAP.PasswordLastChanged
    Wscript.Echo "The password was last changed on " & _
        DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
        "The difference between when the password was last set " & _
        "and today is " & Int(Now - dtmValue) & " days"
    intTimeInterval = Int(Now - dtmValue)

    ' MaxPasswordAge via the WinNT provider is returned in seconds
    Set objDomainNT = GetObject("WinNT://fabrikam")
    intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
    If intMaxPwdAge = 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
            "domain. Therefore, the password does not expire."
    End If
End If
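As an added example (not code from the thread or from the KB script above), the same expiry check done against the attributes the replies point at: maxPwdAge on the domain NC head and the user's pwdLastSet and userAccountControl, taken as raw LDAP values. The sentinel handling, the "expired at the boundary" rule and all sample values are my own assumptions.

```python
"""Password-expiry check from raw AD attribute values.

Added example, not code from the thread. It mirrors the KB script's logic
but reads the LDAP-side attributes the replies point at: maxPwdAge on the
domain NC head, and pwdLastSet / userAccountControl on the user.
All sample values below are constructed.
"""
from datetime import datetime, timedelta, timezone

ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl: password never expires
TICKS_PER_SECOND = 10_000_000         # FILETIME / Large Integer resolution: 100 ns
SECONDS_PER_DAY = 86400
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES_SENTINEL = -(2 ** 63)   # 0x8000000000000000 read as a signed 64-bit value


def filetime_to_datetime(filetime: int) -> datetime:
    """pwdLastSet is a FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def utc_filetime(year: int, month: int, day: int) -> int:
    """Helper for building constructed pwdLastSet / 'now' values (whole days)."""
    dt = datetime(year, month, day, tzinfo=timezone.utc)
    whole_seconds = (dt - FILETIME_EPOCH) // timedelta(seconds=1)
    return whole_seconds * TICKS_PER_SECOND


def max_pwd_age_days(max_pwd_age: int) -> float:
    """maxPwdAge on the NC head is a *negative* Large Integer in 100-ns units
    (a 90-day policy is stored as -90 * 86400 * 10^7). Zero, or the
    0x8000000000000000 sentinel, means passwords never expire."""
    if max_pwd_age in (0, NEVER_EXPIRES_SENTINEL):
        return 0.0
    return -max_pwd_age / TICKS_PER_SECOND / SECONDS_PER_DAY


def password_status(pwd_last_set: int, max_pwd_age: int, uac: int, now_filetime: int):
    """Return (state, expiry): state is one of 'never', 'must-change',
    'valid', 'expired'; expiry is a datetime or None.
    Assumption: now == expiry counts as expired (the DC's exact comparison
    is not something this example asserts)."""
    if uac & ADS_UF_DONT_EXPIRE_PASSWD:
        return "never", None
    age_days = max_pwd_age_days(max_pwd_age)
    if age_days == 0:
        # The answer the poster's script kept printing: no domain-wide maximum.
        return "never", None
    if pwd_last_set == 0:
        # pwdLastSet of 0 means "user must change password at next logon".
        return "must-change", None
    expiry = filetime_to_datetime(pwd_last_set) + timedelta(days=age_days)
    now = filetime_to_datetime(now_filetime)
    return ("expired" if now >= expiry else "valid"), expiry


if __name__ == "__main__":
    ninety_days = -90 * SECONDS_PER_DAY * TICKS_PER_SECOND   # constructed policy value
    last_set = utc_filetime(2006, 3, 1)                      # constructed pwdLastSet
    today = utc_filetime(2006, 5, 30)                        # constructed "now"
    print(password_status(last_set, ninety_days, 0x200, today))
```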
[ActiveDir] DSID-020A06F3 error from French platform AD
I'm receiving this error on subtree searches of the Config NC, on a French version of Windows 2003 SP1. Anyone have any ideas?

(From LDP)
ldap_search_s(ld, "CN=Configuration,DC=francais,DC=local", 2, "(objectclass=*)", attrList, 0, &msg)
Error: Search: Erreur d'opération. <1>
Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Result <1>: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Matched DNs:
Getting 0 entries:

I'm logged in as the domain Administrateur. One level searches seem to work OK.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sivarajan, Santhosh
Sent: Monday, June 05, 2006 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC and ADC replication prob.

What is your ADC configuration?

Santhosh Sivarajan | MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
Houston, TX

From: [EMAIL PROTECTED] on behalf of Ajay Kumar
Sent: Sun 6/4/2006 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC and ADC replication prob.

Hi all,

Please help me out. Just recently I set up a small domain of 50 PCs with a DC and ADC. But the prob. is that the replication is not taking place between DC and ADC and there is no error in the event log. What could be the problem?

Ajay.
RE: [ActiveDir] DSID-020A06F3 error from French platform AD
Single DC, single member, running under VS 2005 R2, 32-bit. DCPROMO and other activities all seemed to work normally, so the corruption thing is a surprise. Hey Brett, if I consider the hardware suspect, does that mean I have to file a bug with the VS team? I'll kill it and rebuild and see what happens. You want to know what sucks? Trying to type French on a US-English keyboard. It's like those French, they have a different key for everything! Thanks for your help.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Shirley
Sent: Monday, June 05, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DSID-020A06F3 error from French platform AD

This means there is a physical corruption in the AD database. Does this domain have replicas? If yes, just repromote another replica and then demote this guy. If no, sometimes an offline defrag can save the database. Otherwise, what is the backup situation for this domain? Don't be tempted to repair your database, that's unsupported. The hardware should be considered suspect at this point.

Cheers,
BrettSh [msft]

On Mon, 5 Jun 2006, Gil Kirkpatrick wrote:
I'm receiving this error on subtree searches of the Config NC, on a French version of Windows 2003 SP1. Anyone have any ideas?

(From LDP)
ldap_search_s(ld, "CN=Configuration,DC=francais,DC=local", 2, "(objectclass=*)", attrList, 0, &msg)
Error: Search: Erreur d'opération. <1>
Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Result <1>: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Matched DNs:
Getting 0 entries:

I'm logged in as the domain Administrateur. One level searches seem to work OK.

-gil
RE: [ActiveDir] DSID-020A06F3 error from French platform AD
I've blown the image away already, but I have a backup. I'll check to see if the backup exhibits the same behavior. Send me an email with the upload particulars. It's a differencing disk, and the total will be in the 3-4GB range, uncompressed. It may be that throughput over the FedEx network will be better in this case...

-g

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Fleischman
Sent: Monday, June 05, 2006 2:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSID-020A06F3 error from French platform AD

Very interesting. Can we see the VHD before you blow it away? I can set up a place for you to upload it to. Please let me know how large it is; just ping me offline and we can coordinate.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Monday, June 05, 2006 2:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSID-020A06F3 error from French platform AD

Single DC, single member, running under VS 2005 R2, 32-bit. DCPROMO and other activities all seemed to work normally, so the corruption thing is a surprise. Hey Brett, if I consider the hardware suspect, does that mean I have to file a bug with the VS team? I'll kill it and rebuild and see what happens. You want to know what sucks? Trying to type French on a US-English keyboard. It's like those French, they have a different key for everything! Thanks for your help.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Shirley
Sent: Monday, June 05, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DSID-020A06F3 error from French platform AD

This means there is a physical corruption in the AD database. Does this domain have replicas? If yes, just repromote another replica and then demote this guy. If no, sometimes an offline defrag can save the database. Otherwise, what is the backup situation for this domain? Don't be tempted to repair your database, that's unsupported. The hardware should be considered suspect at this point.

Cheers,
BrettSh [msft]

On Mon, 5 Jun 2006, Gil Kirkpatrick wrote:
I'm receiving this error on subtree searches of the Config NC, on a French version of Windows 2003 SP1. Anyone have any ideas?

(From LDP)
ldap_search_s(ld, "CN=Configuration,DC=francais,DC=local", 2, "(objectclass=*)", attrList, 0, &msg)
Error: Search: Erreur d'opération. <1>
Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Result <1>: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
Matched DNs:
Getting 0 entries:

I'm logged in as the domain Administrateur. One level searches seem to work OK.

-gil
RE: [ActiveDir] Query for user AD info from web application
I assume you mean an X.400 address? I would guess that the translation between PseudoSQL and LDAP doesn't properly escape the literal strings. Try using the LDAP escaping rules on the X.400 email address, e.g. instead of 'g=john,s=smith,o=foo,prmd=bar' etc., try 'g\3djohn\3bs\3dsmith\3b' etc... where \3d represents the '=' and \3b represents the ';'. Just a guess...

-gil

From: [EMAIL PROTECTED] on behalf of Jason Benway
Sent: Tue 5/30/2006 11:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query for user AD info from web application

Our internet web application uses AD to pull user information. They start with the user's email address and then look up other information. We've noticed today that if a user has an X500 address our query doesn't work. Here's what the web developer sent me:

SELECT displayName FROM 'GC://DOMAIN.COM' WHERE objectCategory='organizationalPerson' AND ((mail = '[EMAIL PROTECTED]'))

I don't know why an X500 address would mess this up, ideas?

Thanks,
jb

--
Jason Benway
Network Services Manager
[EMAIL PROTECTED]
GHSP
1250 S. Beechtree
Grand Haven, MI 49417
616-847-8474
Fax: 616-850-1208
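As an added example (not code from the thread), the escaping Gil describes applied to the LDAP filter that sits behind Jason's pseudo-SQL query: RFC 4515's required escapes, plus a conservative mode that also encodes '=' and ';' the way Gil's 'g\3djohn\3b...' string does. The sample addresses, the conservative "safe set" and the helper names are my own.

```python
"""RFC 4515 escaping for values placed inside an LDAP search filter.

Added example, not the thread's code. It builds the filter behind the
poster's pseudo-SQL query and shows two escaping levels: only what
RFC 4515 requires, or (conservative) every byte outside a small safe
set, which turns 'g=john;s=smith' into 'g\\3djohn\\3bs\\3dsmith'.
The sample addresses are constructed.
"""
import string

# Bytes RFC 4515 requires to be encoded as \XX inside an assertion value.
_MUST_ESCAPE = {"\\", "*", "(", ")", "\x00"}
# Characters left literal in conservative mode (an assumption for this example).
_SAFE = set(string.ascii_letters + string.digits + ".@-_")


def escape_filter_value(value: str, conservative: bool = False) -> str:
    """Encode a filter assertion value. Every byte of the UTF-8 form that
    RFC 4515 requires, plus all control and non-ASCII bytes, becomes \\XX
    (lowercase hex). With conservative=True every byte outside _SAFE is
    encoded too, so '=' -> \\3d and ';' -> \\3b as in Gil's reply."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if byte < 0x20 or byte > 0x7E or ch in _MUST_ESCAPE:
            out.append(f"\\{byte:02x}")
        elif conservative and ch not in _SAFE:
            out.append(f"\\{byte:02x}")
        else:
            out.append(ch)
    return "".join(out)


def unescape_filter_value(escaped: str) -> str:
    """Reverse escape_filter_value (used here to check the round trip)."""
    raw = bytearray()
    i = 0
    while i < len(escaped):
        if escaped[i] == "\\":
            raw.append(int(escaped[i + 1:i + 3], 16))
            i += 3
        else:
            raw.extend(escaped[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8")


def build_mail_filter(mail: str, conservative: bool = False) -> str:
    """LDAP equivalent of the poster's
    WHERE objectCategory='organizationalPerson' AND mail='...' clause,
    with the address escaped instead of pasted in literally."""
    return ("(&(objectCategory=organizationalPerson)"
            f"(mail={escape_filter_value(mail, conservative)}))")


if __name__ == "__main__":
    # Constructed X.400-style address, escaped both ways.
    addr = "g=john;s=smith;o=foo;prmd=bar"
    print(build_mail_filter(addr))
    print(build_mail_filter(addr, conservative=True))
```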
RE: [ActiveDir] Robocopy(OT)
CHKDSK?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, May 05, 2006 6:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

How can I take ownership of it? It doesn't have a security tab and xcacls doesn't see the folder..

Thanks

On 5/4/06, joe [EMAIL PROTECTED] wrote:
Wonder if you have a dorked up ACL, what happens if you try to take ownership of it?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Sunday, April 30, 2006 8:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

Well, I've rebooted the server, ran a chkdsk, and still the dir will not disappear. I've run Process Explorer and Filemon and nothing is accessing this dir. Yet I can delete it and it's missing the security tab (it's on an NTFS vol). How the heck can I get rid of this dir? Has anyone had an issue like this?

Thanks again

On 4/6/06, Bruyere, Michel [EMAIL PROTECTED] wrote:
Hi, I got something similar but with a PDF file. The solution was to reboot the server.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Thursday, April 06, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Robocopy(OT)

No one has this folder open. I've run Process Explorer and Filemon and nothing is accessing this folder. I can't delete it or share it out and it's missing the security tab. Anything else I should look for?

Thanks

On 4/5/06, Mark Parris [EMAIL PROTECTED] wrote:
I have seen this if another PC has explorer open on that folder and you try and delete from another.

Mark

-Original Message-
From: Steve Rochford [EMAIL PROTECTED]
Date: Wed, 5 Apr 2006 16:37:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Robocopy(OT)

This seems to happen when the folder is in the process of being deleted but hasn't quite gone. Sometimes, just waiting a while will clear the problem - I suspect that a process is holding open the folder (or, possibly, a file in the folder). More than once I've hit this and gone to use Sysinternals Process Explorer to find out which process is guilty. By the time I've run up the program and searched for the folder name there's nothing there; going back to the folder finds that it's either gone or can now be deleted. In your case, I'd guess that robocopy had started creating folders and when it got interrupted, it took a while for things to get tidied up - if the helpdesk guy hasn't yet unmapped the drives he was using then I think that this might help.

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 05 April 2006 15:45
To: activedirectory
Subject: [ActiveDir] Robocopy(OT)

I have a strange issue. I had a help desk admin robocopy a dir from one server to another. During the copy, for whatever reason, he canceled the robocopy job. When he went to the target server an empty dir was created which now cannot be deleted. I can't delete it through explorer or the command console at the server and get an error of "cannot delete file: cannot read from the source file or disk". If I do a RD /s, I get "The system cannot find the file specified." However the dir shows up in a dir listing or explorer. The weird thing is also, the dir has no security tab (and it's on an NTFS file system). Some background on the robocopy job: the admin mapped 2 drives from his local box (win2k). One drive to the root of the volume on the source server and another to the root on the target. He then CD'ed to the source and ran robocopy with the /E and /V switches. After some time, he killed the job and now I'm stuck with this undeletable DIR. Any insight would be great.

thanks
RE: [ActiveDir] Root Place Holder justification
Hey Rocky, Watch me pull a rabbit out of my hat! Sorry, just had to get that out of my system. Most people on the list won't have a clue as to what I'm talking about anyway... In any case, how do increased operational costs and overhead not qualify as "harm"? I'm confused by your question... -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Wednesday, April 26, 2006 12:03 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Root Place Holder justification "Where's the harm?" Don't tell me about economics or overhead or other things. Tell me where the "harm" is. Please. RH _ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, April 26, 2006 2:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Root Place Holder justification Jef, We don't have a root domain because somebody smarter than I made that decision before I took over. I was convinced at the time we had made a mistake, but like you have come to the opposite conclusion. J AL Al Maurer Service Manager, Naming and Authentication Services IT | Information Technology Agilent Technologies (719) 590-2639; Telnet 590-2639 http://activedirectory.it.agilent.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer Sent: Wednesday, April 26, 2006 9:51 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Root Place Holder justification Al, If you had asked me in the year 2000, I could see issues that would drive a root domain to anchor multiple domains. I would caution against it now. I believe MS had the same stance, and now thinks it may not make as much sense as it once did. Maybe they should re-evaluate their service offerings.
:) I admit I was wrong :) Jef Subject: RE: [ActiveDir] Root Place Holder justification Date: Wed, 26 Apr 2006 08:03:19 -0600 From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Mark, I'm in the same place you are: single forest, single domain, but 30 DCs in a global deployment with 45k users and 37k computers. Ran that way for 6 years. Now we've sold off a business unit of a couple thousand users and they outsourced to a big 3rd party service provider who insisted they go with an empty root. I recommended against it, but the sourcer (whose initials are E.D.S.) claimed the configuration was supported by Microsoft and that they had run it by Microsoft for "approval." I think what it boils down to is that this is their standard service and that's that. The guys I'm working with are quite knowledgeable and good at what they do, but they're the front line people and not the deep-thinking architects we find at DEC. AL Al Maurer Service Manager, Naming and Authentication Services IT | Information Technology Agilent Technologies (719) 590-2639; Telnet 590-2639 http://activedirectory.it.agilent.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, April 26, 2006 7:37 AM To: ActiveDir.org Subject: [ActiveDir] Root Place Holder justification Does anyone have any official documentation as to the justification for a root placeholder, pro's and con's? Where I am - I have started at one domain and can see no reason to expand on that - they only have 6 DC's now in a single domain - yet the partner they have chosen is recommending a root placeholder with 5 DC's and then 8 in the child domain (they are NOT even supplying the tin) and I wanted some decent ammo - a little bit stronger than schema and Ent admin separation. I know at DEC the consensus was the desire to eliminate and I believe Guido and Wook have stated this for the past two DEC's. I have searched this list and can find no relevant articles.
Many thanks Regards Mark
RE: [ActiveDir] IIFP GAL Sync
I'm pretty sure it works fine with W2K AD. MIIS itself needs to run on WS2K3 though. -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Tuesday, April 11, 2006 2:16 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] IIFP GAL Sync Hi all I was discussing GAL sync using IIFP with someone today and he said he thought there was a requirement for the DC that IIFP uses to be 2003. I can't see this requirement in the product documentation. Can anyone confirm this? Tony
RE: [ActiveDir] List problems - resolved
Hey Laura, did you ever think that maybe it was just you? :) -g -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter Sent: Tuesday, April 11, 2006 2:26 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] List problems - resolved Hey Tony, did you know that the list was broken for like 4 days? *runs FAR away* :-) - Laura On 4/11/06, Tony Murray [EMAIL PROTECTED] wrote: You will have noticed that messages are now coming through again. The problem has been resolved and all should be back to normal. Any emails sent to the list during the outage will not have been queued, so please send again. Thanks to the 732 of you who alerted me to the fact that the list was not operational J Tony -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
RE: [ActiveDir] Where's Deji.. (was Quiet? DEC? Related?)
! But now I can gamble all I want since on the last day I went to the M&M world-store on the strip and bought a Slot-Machine-Type of M&M dispenser for my kids - it's way cool and I'm sure I'll use it more often than they will ;-)) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Donnerstag, 30. März 2006 19:00 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quiet? DEC? Related? Would be interested in hearing the survey results. Oh that reminds me, I forgot to hand mine in. :o) I had to fly out Wed evening and was running around like my shorts were on fire trying to take care of some stuff that was absolutely mandatory prior to trying to get through security at McCarran. I would say that venue would be suitable for next year unless Sydney was an option... You could rent a jumbo jet and fly everyone going to the presession down in it and actually have the presession on the flight, that would certainly make it seem like the flight went faster. My return ticket though would have to be valid for a month as I know a lot of folks down there and would need to go say hi and collect on some beers I am owed. Odd thing is I spent no more than $60 on gambling. $20 of it was spent showing Guido how US slot machines worked in the Bellagio. $20 was spent when I was passing a $1 Wheel of Fortune progressive slot on the way to the rest room because it called out to me and said it would make me financially independent for the rest of my natural born life (it lied), and finally $20 was spent while I sat at a bar playing Jacks or Better waiting on Dean and company to go to dinner not realizing that they didn't see me sit down next to them and were waiting on me to get there. I was up $80 bucks on that thing and then gave it all back.
joe (The joe of the Dean and joe show, the j in www.jadonex.com) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, March 29, 2006 6:07 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quiet? DEC? Related? Just wrapped up Day 3. 530 people. General consensus is that it was the best DEC ever. More to follow when I can type on something bigger than a credit card. -gil -Original Message- From: Ayers, Diane [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org Sent: 3/29/06 1:23 PM Subject: RE: [ActiveDir] Quiet? DEC? Related? Maybe we should ask a question on the merits of doubling down on an 11 when the dealer has a face card showing... :-) Diane From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Wednesday, March 29, 2006 9:35 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quiet? DEC? Related? Don't worry we're still here.. ;-) Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) Tel : +31-(0)40-29.57.777 Mobile : +31-(0)6-26.26.62.80 E-mail : see sender address From: [EMAIL PROTECTED] on behalf of Moon, Brendan Sent: Wed 2006-03-29 19:26 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Quiet? DEC? Related? Hmm.. everyone must be having fun at DEC... this list has been very quiet this week!
- Brendan Moon
[ActiveDir] Thanks to all who came to DEC 2006
[ActiveDir] DEC photos?
If anyone has photos from DEC 2006, could you please send them to me? I want to put them up on the DEC web site. The presentations that were NOT on the USB drives will be posted up on the site in the next week or so (as soon as Stella recovers). I'll be doing my AD performance presentation over the web on Tuesday April 11 at 0900 Arizona time (MST-7). I'll post the URL to the list as soon as I know what it is. -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Active Directory Sent: Friday, March 31, 2006 1:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Reset Local Admin Passwords http://mycuweb.com/dcpc.zip Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Klassen Sent: Friday, March 31, 2006 12:19 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Reset Local Admin Passwords A bit dated I know, but Danish company's web site seems to have gone kaput. Does anyone here happen to have a copy of DCPC to share? Scott Klassen From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katrin Wilhelm Sent: Tuesday, January 31, 2006 3:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Reset Local Admin Passwords Use a tool called DCPC (DC password changer), freeware you can find here: http://www.danish-company.com/dcpc. All you need is the domain admin password and all PCs running. Straightforward, and I am changing the password every 2-3 months. Cheers, Katrin Wilhelm (MCSA) CVGT Employment Training Specialists Australia E-mail: [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, 1 February 2006 4:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Reset Local Admin Passwords We do realize the potential risk in this but this request is coming from a higher authority (my boss).
I've been asked to find a way to change it and I believe that they are going to have the password reset on a monthly basis. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura E. Hunter Sent: Tuesday, January 31, 2006 11:30 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Reset Local Admin Passwords We currently have about 4 different passwords floating around our domain and we'd like to get it down to a single standard. Any help would be appreciated. Okay, just to offer a counterpoint to your underlying plan - you do realise that by using a single local admin password across your enterprise, if even -one- of those workstations gets the admin password compromised, the attacker who did so now has local admin rights to every workstation on your network? With apologies to Jesper Johannsen[1], it's one of those "How to get your network hacked in 10 easy steps" things - if I've just compromised the local admin password of WorkstationA, what do you think is going to be the very first password I try when I move on to try and compromise WorkstationB? [1] And additional apologies for the fact that I'm sure I just spelled his name wrong. -- --- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
RE: [ActiveDir] Quiet? DEC? Related?
Just wrapped up Day 3. 530 people. General consensus is that it was the best DEC ever. More to follow when I can type on something bigger than a credit card. -gil -Original Message- From: Ayers, Diane [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org Sent: 3/29/06 1:23 PM Subject: RE: [ActiveDir] Quiet? DEC? Related? Maybe we should ask a question on the merits of doubling down on an 11 when the dealer has a face card showing... :-) Diane From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Wednesday, March 29, 2006 9:35 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Quiet? DEC? Related? Don't worry we're still here.. ;-) Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) Tel : +31-(0)40-29.57.777 Mobile : +31-(0)6-26.26.62.80 E-mail : see sender address From: [EMAIL PROTECTED] on behalf of Moon, Brendan Sent: Wed 2006-03-29 19:26 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Quiet? DEC? Related? Hmm.. everyone must be having fun at DEC... this list has been very quiet this week! - Brendan Moon
RE: [ActiveDir] DNS Server will not Start
My first thought was missing service dependency of DNS on AD, but my DCs don't have one either. Is there any commonality between the servers? -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Saturday, March 18, 2006 7:39 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DNS Server will not Start All, Another question from me. I have several Windows Server 2003 SP1 DCs that all run AD integrated DNS. When I reboot these servers the DNS Server does not load the DNS zones; it just starts and then has a red X in the server name when you check on it. I restart DNS and it functions correctly, loading all zones, and the DC can function. You cannot logon until DNS has been restarted via another server. Does anyone have any idea as to what could be causing this? The event logs do not reveal much at all. Mark
RE: [ActiveDir] Individual admin accounts vs Generic admin account.
There's no way you should use a single admin account. You have no way to track who did what. Managing admin accounts and their group memberships is not difficult, certainly not as difficult as trying to figure out who screwed something up when the audit logs all say Administrator. You shouldn't have that many admins to worry about anyway. I know several very large AD installations (100K users, 100s of sites, a few domains) and they have 2 or at most 3 domain admins per domain. Most organizations I've worked with give admins two accounts, a regular everyday account and an admin account that they use only when they need the extra privs. The admin account doesn't have email, and in some envs is restricted to logging in on a handful of highly locked-down workstations. This reduces the possibility of malware running under admin privs. And I've worked with a couple of companies that use shared accounts (not just admin accounts), and it is a complete and utter nightmare from an administration and auditing standpoint. -gil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT Sent: Friday, March 10, 2006 7:19 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Individual admin accounts vs Generic admin account. Dear collective, In your esteemed opinions, is it better to have one central admin account which every member of the sysadmin team should use, or is it better to give every member of the team their own admin account? I'm inclined towards giving people their own admin accounts, purely from an audit point of view, but I'm being told that it's better to have one central admin account, as it is easier to track which accounts have admin rights. I would have thought that NET GROUP would make that fairly obvious. Am I missing something here?
-- AdamT 'Thank-you for not requesting read receipts'
RE: [ActiveDir] What do you do when ooops won't work?
Actually, I think all three of Deji's friends are on this list anyway... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Thursday, March 09, 2006 3:09 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] What do you do when ooops won't work? come on Deji - forget whoever you've had in your contact list until now and just get some new friends :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Donnerstag, 9. März 2006 23:17 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] What do you do when ooops won't work? Wouldn't that be just wonderful? Only if the admin were human :) Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick Sent: Thu 3/9/2006 1:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] What do you do when ooops won't work? Can you get the server admin to pull a tape? You could do the restore yourself in a VM environment. -g -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, March 09, 2006 1:46 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] What do you do when ooops won't work? I just f-fingered a synch between my PDA and Outlook. Short story, all my contacts (painfully built over several years) just took a road-trip to neverland on a one-way ticket. Local backup? I was meaning to do it tomorrow. Really ;) Server backup restore? Yeah. I have a greater chance of being the next King of insert-favorite-empire-here than getting my corporate server admin to help me here. Just won't happen. So, am I really SOL? 
Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
RE: [ActiveDir] What do you do when ooops won't work?
Ok, so maybe it's only two... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, March 09, 2006 3:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] What do you do when ooops won't work? Three? Don't tell me you are including yourself :) Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick Sent: Thu 3/9/2006 2:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] What do you do when ooops won't work? Actually, I think all three of Deji's friends are on this list anyway... :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Thursday, March 09, 2006 3:09 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] What do you do when ooops won't work? come on Deji - forget whoever you've had in your contact list until now and just get some new friends :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Donnerstag, 9. März 2006 23:17 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] What do you do when ooops won't work? Wouldn't that be just wonderful? Only if the admin were human :) Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick Sent: Thu 3/9/2006 1:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] What do you do when ooops won't work? Can you get the server admin to pull a tape? You could do the restore yourself in a VM environment.
-g -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, March 09, 2006 1:46 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] What do you do when ooops won't work? I just f-fingered a synch between my PDA and Outlook. Short story, all my contacts (painfully built over several years) just took a road-trip to neverland on a one-way ticket. Local backup? I was meaning to do it tomorrow. Really ;) Server backup restore? Yeah. I have a greater chance of being the next King of insert-favorite-empire-here than getting my corporate server admin to help me here. Just won't happen. So, am I really SOL? Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
RE: [ActiveDir] Cleaning Up AD
The link on our page is screwed up, and so is the TechTarget search engine. I'll post a working link as soon as I find it. -gil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Singler Sent: Wednesday, March 08, 2006 7:58 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Cleaning Up AD A couple of weeks ago I 'attended' a webinar from NetPro called: 16 Steps to a Healthier and Happier Active Directory http://www.netpro.com/company/events.cfm It is a very good overview of the tasks involved in getting AD to smile. It seems like the link from NetPro's website sends you to http://searchwindowssecurity.bitpipe.com/webcasts but I don't see it archived there ... maybe Gil can chime in with a location? Slides here: http://www.netpro.com/forum/files/Sixteen_Simple_Steps.pdf good luck, john [EMAIL PROTECTED] wrote: AD Gurus, Before I embarked on a Google search, I thought I might get some opinions from this list. What resources (utils, whitepapers etc) have people been using to clean up an AD infrastructure? I can go into more detail if anyone is interested...basically all of our DC's have tons of warnings and errors in the event logs. Thanks, Jbl
RE: [ActiveDir] Cleaning Up AD
16 Steps to a Healthier and Happier Active Directory is archived here: http://event.on24.com/eventRegistration/EventLobbyServlet?target=lobby.jsp&eventid=17740&sessionid=1&partnerref=swsc_sitepost_02_14_06&key=F2F27A63A35B4F457FECDA9201B08DBA&eventuserid=5675189 And the slides are at http://www.netpro.com/forum/files/Sixteen_Simple_Steps.pdf -gil
RE: [ActiveDir] SBS 2003 Domain/Forest Rename
Ni! Ni! Ni! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Wednesday, March 08, 2006 3:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] SBS 2003 Domain/Forest Rename Importance: Low Dare I suggest a shrubbery? ;-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley Sent: Wednesday, March 01, 2006 7:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] SBS 2003 Domain/Forest Rename And remember we are a single DC/Forest... so we're more like a tree than a forest. ;-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley Sent: Wednesday, March 01, 2006 7:43 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] SBS 2003 Domain/Forest Rename If you consider flattening the box and reinstalling reasonable. :-) Remember it's got Exchange on a DC which means a rename is not supported along with an integrated Sharepoint. In MVPdom where we don't care about such things and sometimes we do it just to see if you can, you have to rip out a lot of stuff and even then there is 'weirdness' left over in the event logs. Thus it's really not for production machines that you care about at all. We recommend that the domain is not named in a manner that you care about renaming it later. Remember you can always CEICW (run the wizard) and redo the Exchange name with no issues. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex Sent: Wednesday, March 01, 2006 7:21 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] SBS 2003 Domain/Forest Rename This question is for Susan - SBS Goddess - but feel free to respond if you know the answer. Can a SBS 2003 domain/forest be renamed? If so, what's the best/recommended practice in doing it? 
TIA Alex Alborzfard
RE: [ActiveDir] SBS 2003 Domain/Forest Rename
One that looks nice. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Wednesday, March 08, 2006 3:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] SBS 2003 Domain/Forest Rename Importance: Low Dare I suggest a shrubbery? ;-)
RE: [ActiveDir] SBS 2003 Domain/Forest Rename
And not too expensive. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Wednesday, March 08, 2006 3:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] SBS 2003 Domain/Forest Rename Importance: Low Dare I suggest a shrubbery? ;-)
RE: [ActiveDir] MVP mini summit at DEC 2006
I dunno for sure... I sort of suspect it is, but Alym will clarify it when he gets his head above water. But I don't see any reason why you couldn't join in the DBLW/M (tm) after the MVP session. -g -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, February 23, 2006 1:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] MVP mini summit at DEC 2006 Daft question maybe, but is this open to MVPs only? neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: 23 February 2006 00:09 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] MVP mini summit at DEC 2006 Alym has scheduled a MVP mini summit session at the conclusion of DEC 2006 in Las Vegas. We'll meet on Wednesday March 29th at 4pm in one of the DEC session rooms (tbd). Drugs, booze, and loose women will follow... or at least that's what I was led to believe. :) Alym is swamped with another project, but will be providing the official announcement in a few days. I just wanted to make MVPs aware of it in case you had scheduled a flight out on Wednesday afternoon. -gil
[ActiveDir] MVP mini summit at DEC 2006
Alym has scheduled a MVP mini summit session at the conclusion of DEC 2006 in Las Vegas. We'll meet on Wednesday March 29th at 4pm in one of the DEC session rooms (tbd). Drugs, booze, and loose women will follow... or at least that's what I was led to believe. :) Alym is swamped with another project, but will be providing the official announcement in a few days. I just wanted to make MVPs aware of it in case you had scheduled a flight out on Wednesday afternoon. -gil
RE: [ActiveDir] admin SD holder
See http://support.microsoft.com/kb/232199/. Briefly, AD copies the security descriptor of the AdminSDHolder object (there is one per domain) to all users, groups, and computers that are members of administrator groups in that domain. This makes sure that delegated admins don't change the ACLs on these sensitive accounts. It also gives the appearance of AD losing or reversing manually made ACL changes on user objects. -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Senthil Kumar Sent: Monday, February 20, 2006 3:40 PM To: activedir@mail.activedir.org Subject: [ActiveDir] admin SD holder Hi, Can anyone give me the details about admin SD holder. What is it? What does it do? K.Senthil
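An added example, not part of the list thread, of checking what the process Gil describes has actually stamped. It is written for the RSAT ActiveDirectory module and assumes an account that can read nTSecurityDescriptor on every object and that no dsHeuristics exclusions are in effect. SDProp sets adminCount=1 and disables ACL inheritance on protected accounts but never undoes either when an account leaves the group, so accounts that were once protected keep the copied AdminSDHolder ACL indefinitely; the script lists those orphans so they can be reviewed deliberately.

```powershell
# Added example, not from the list thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dsid   = $domain.DomainSID.Value

# Groups whose members SDProp protects, by well-known SID/RID. Enterprise Admins (519)
# and Schema Admins (518) only resolve in the forest root domain; others are skipped.
$protectedGroupSids = @(
    'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-550', 'S-1-5-32-551', 'S-1-5-32-552',
    "$dsid-512", "$dsid-516", "$dsid-518", "$dsid-519", "$dsid-521"
)

$shouldBeProtected = [System.Collections.Generic.HashSet[string]]::new()

foreach ($sid in $protectedGroupSids) {
    $group = Get-ADGroup -Identity $sid -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    [void]$shouldBeProtected.Add($group.DistinguishedName)   # the groups themselves are stamped too
    # Transitive membership resolved server-side (LDAP_MATCHING_RULE_IN_CHAIN)
    Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" |
        ForEach-Object { [void]$shouldBeProtected.Add($_.DistinguishedName) }
}

# Administrator (RID 500) and krbtgt (RID 502) are protected regardless of group membership
foreach ($rid in 500, 502) {
    $u = Get-ADUser -Identity "$dsid-$rid" -ErrorAction SilentlyContinue
    if ($u) { [void]$shouldBeProtected.Add($u.DistinguishedName) }
}

# Everything SDProp has ever stamped (computer objects are a subclass of user), with
# the inheritance flag it set on the object's security descriptor
$stamped = Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' `
                        -Properties nTSecurityDescriptor |
    ForEach-Object {
        [pscustomobject]@{
            DistinguishedName   = $_.DistinguishedName
            ObjectClass         = $_.ObjectClass
            StillProtected      = $shouldBeProtected.Contains($_.DistinguishedName)
            InheritanceDisabled = $_.nTSecurityDescriptor.AreAccessRulesProtected
        }
    }

# Orphans: stamped once, no longer in any protected group. SDProp will not clear
# adminCount or re-enable inheritance for them; do that yourself after review.
$stamped | Where-Object { -not $_.StillProtected } | Format-Table -AutoSize
```

Run it from a workstation with RSAT against any writable DC. Anything it lists will also be invisible to delegated OU admins until adminCount is cleared and inheritance re-enabled, which is the other face of the "my ACL changes vanished" symptom.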
RE: [ActiveDir] admin SD holder
After the flurry of recent hits, it's now up to #3! :) -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner Sent: Monday, February 20, 2006 3:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] admin SD holder Number 4 on the google query "AdminSDHolder" is pretty good ;-) http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx Gruesse - Sincerely, Ulf B. Simon-Weidner MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org Profile: http://mvp.support.microsoft.com/profile= From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Senthil Kumar Sent: Monday, February 20, 2006 11:40 PM To: activedir@mail.activedir.org Subject: [ActiveDir] admin SD holder Hi, Can anyone give me the details about admin SD holder. What is it? What does it do? K.Senthil
RE: [ActiveDir] admin SD holder
You're correct, not many people query adminSDHolder... Most of the queries are something like "disappearing security descriptors" or "Active Directory what the f***" -g From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner Sent: Monday, February 20, 2006 4:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] admin SD holder Keep it hitting guys (not that it would be relevant - there are not that many people querying adminSDHolder) BTW - I have one slide about adminSDHolder in my presentation at DEC - not worth more since the other content is way better ;-)
RE: [ActiveDir] Microsoft Announces Vision and Roadmap for Active Directory
The marketing message is finally catching up with what Stuart has been talking about at DEC the last couple of years. -g -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Wednesday, February 15, 2006 12:20 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Microsoft Announces Vision and Roadmap for Active Directory Morning all, Microsoft is announcing a roadmap for AD. Read all about it here: http://www.microsoft.com/windowsserver2003/evaluation/news/bulletins/ADvision.mspx cheers, Jorge
RE: [ActiveDir] DR implementation planning
Guido and I did a DR webinar a few months back, and an associated whitepaper... You can get the whitepaper at http://www.netpro.com/welcome/disasterrecovery/index.cfm. The last I looked, you had to register for it (email address, etc.) We recorded the webinar as well. You can get to it at http://www.netpro.com/forum/files/AD_Disaster_Recovery.wmv. Same registration requirements. We are also hosting an all-day DR pre-conference workshop for DEC this year. See www.dec2006.com. -gil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Thursday, February 09, 2006 7:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DR implementation planning Hi all. We are finally getting our DR project going, and I'm looking for good resources for design/implementation. We have a small business; under 100 users. Running W2K3 AD (2 DCs in one location), E2K3, Cisco Unity VM, home-grown intranet on IIS, LOB app contained in-house. Around 30 remote SOHO users connecting via VPN. Current backup consists of Backup Exec 9.x running backup-to-disk and then copies to tapes which are moved and stored offsite. I have relatively complete design authority, and am starting with a clean slate. A couple of basic parameters. We will be building the DR site in our parent company's datacenter and currently have frame circuits to their corp net (not sure if we'll have direct to the data center or not). We want to utilize HP blade servers and VMWare as much as possible. The management goal is to virtualize the entire infrastructure, although it is recognized that this may not be entirely possible. We want the DR site to be fully vendor supported, so virtualization will depend largely on vendor support. The site will be required to support ~50% of our user base for up to 30 days. We would prefer to avoid utilizing 3rd party replication apps and stick with native tools if possible. 
This will be a warm DR site with once-per-day replication with production; recovery within 24 hours is the goal. Losing the current day's work is acceptable. We have ~6 weeks for design and ~10 weeks after that for build/test, including fire drill. We start the design meetings today. I'm interested in pointers to any good whitepapers, references, and recommendations. Also interested in what has worked (or failed!) for others with similar criteria. While there's no shortage of information on the net about DR planning and implementation, I'm interested in what the experts here have found to be valuable. I remember DEC a couple of years ago had some great DR stuff, but my event logs have overwritten most of that by now, and I don't remember if there was a proceedings DVD or anything on that. Plus, two years is a long time; methods and the like have changed since then. Thanks! ** Charlie Kaiser W2K3 MCSA/MCSE/Security, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 **
RE: [ActiveDir] DSQUERY filter for space character only
That will only work on appropriately indexed attributes. Try \20. That would be the appropriate escaped filter. -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivarez, Sergio J Mr ANOSC/FCBS Sent: Tuesday, February 07, 2006 11:23 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DSQUERY filter for space character only Have you tried * * Thanks... ... ... ... Sergio J. Olivarez From: Sitton Glen E [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 07, 2006 10:17 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DSQUERY filter for space character only I need to run an obscure DSQUERY with a filter that finds displayNames with a value of a single space character. I'm stumped. I've tried every escape character possibility that I'm aware of. I know how to find null values, but can't seem to query on a space character alone. It hoses the ldap syntax. When ADUC builds the ldap query itself, it fails: (&(objectCategory=user)(displayName= )) The query filter ... is not a valid query string. I've tried: " " ' ' %20 + and escaping it with a \ or a ^ Any ideas? Thanks in advance, - Glen
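An added example, not from the thread, that generalizes Gil's \20 answer into an RFC 4515 escaping routine for LDAP filter values, then applies it to Glen's single-space displayName search through both Get-ADUser (RSAT ActiveDirectory module assumed) and dsquery. The same routine is what you want anywhere user-supplied text is spliced into a filter, because an unescaped * or ) changes the query rather than the value.

```powershell
# Added example, not from the list thread.
function ConvertTo-LdapFilterValue {
    # Escape a string for use as an assertion value inside an LDAP search filter.
    # RFC 4515 requires escaping * ( ) \ and NUL. Bytes outside printable ASCII are
    # hex-escaped as well, and so is space, because AD trims unescaped leading and
    # trailing whitespace in filter values (which is why (displayName= ) is rejected).
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)

    $sb = [System.Text.StringBuilder]::new()
    foreach ($b in [System.Text.Encoding]::UTF8.GetBytes($Value)) {
        if (($b -in 0x2A, 0x28, 0x29, 0x5C, 0x00, 0x20) -or $b -lt 0x20 -or $b -gt 0x7E) {
            [void]$sb.AppendFormat('\{0:x2}', $b)     # \xx, two lowercase hex digits per byte
        } else {
            [void]$sb.Append([char]$b)
        }
    }
    $sb.ToString()
}

ConvertTo-LdapFilterValue ' '              # \20
ConvertTo-LdapFilterValue 'Smith (Sales)'  # Smith\20\28Sales\29
ConvertTo-LdapFilterValue '*)(cn=*'        # \2a\29\28cn=\2a  : an injection attempt rendered inert

# Glen's case: users whose displayName is exactly one space
$filter = "(&(objectCategory=person)(objectClass=user)(displayName=$(ConvertTo-LdapFilterValue ' ')))"
Get-ADUser -LDAPFilter $filter | Select-Object DistinguishedName, SamAccountName

# The same filter through dsquery
dsquery * -filter "$filter" -attr distinguishedName displayName
```

Note that escaping fixes the syntax, not the index: as Gil says, a search on an attribute that is not indexed still walks the whole partition, so expect this to be slow in a large domain.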
RE: [ActiveDir] Site Links
Adeel, Ah, the old "best practices" question. You'll get a lot of responses regarding the whole concept of "best practices" which will ultimately say "it depends" :) For instance, what sort of administrators do you have? Are they experienced, well educated in AD, reliable, etc? What's your organization's risk tolerance? Threat profile? Budget? Maturity? To be more helpful, you'll need to fill in some blanks. First off, what's the issue you're trying to fix? Is there an operational problem? Generally speaking, if you have the right site links in place, they don't need to be changed unless the underlying topology changes, or unless a DC goes down. Or is the problem that you don't know if your topology is right to begin with? That all being said, some "best practices" which might or might not apply to your situation. 1. Monitoring DCs is critical for a multi-site AD, and especially so for topologies with manual site links. 2. Monitoring replication is also critical 3. If you're using WS2003, it's best to let the KCC sort out this sort of thing and not muck it up manually. There are few situations that the KCC will not handle well in WS2003 AD. 4. Implement strict change control on your topology. The change process should include justification for change, review by someone who understands how replication and KCC work, implementation, and auditing of the final result, including some testing to ensure that the change actually does what you think. 5. Monitoring DCs and replications is really important. 6. And be sure to monitor... HTH, -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari Sent: Tuesday, February 07, 2006 12:31 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Site Links AD Experts, Are there any best practices for creating and managing site links? The problem I am facing is where I have many hub and spoke sites with well over 20 site links. What is the best procedure to fix this issue? -Adeel
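A starting point for the monitoring items in Gil's list, added here and not part of the original reply: a PowerShell pass over the forest's replication state using the RSAT ActiveDirectory module (assumed available, run as a user who can read every DC). The 12-hour tolerance is an assumed value; set it from your own site link schedules. The tombstone lifetime is printed last because a DC that has gone longer than that without replicating has to be rebuilt, not simply reconnected.

```powershell
# Added example, not from the list thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$staleAfter = (Get-Date).AddHours(-12)   # assumed tolerance; derive it from your site link schedules

# 1. Current inbound replication failures anywhere in the forest
Get-ADReplicationFailure -Scope Forest |
    Sort-Object FirstFailureTime |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

# 2. Partner links whose last successful replication is older than the tolerance,
#    per naming context, for every DC in every domain of the forest
$dcs = (Get-ADForest).Domains | ForEach-Object { (Get-ADDomainController -Filter * -Server $_).HostName }
Get-ADReplicationPartnerMetadata -Target $dcs -Partition * |
    Where-Object { $_.LastReplicationSuccess -lt $staleAfter } |
    Select-Object Server, Partition, Partner, LastReplicationSuccess,
                  ConsecutiveReplicationFailures, LastReplicationResult |
    Sort-Object LastReplicationSuccess |
    Format-Table -AutoSize

# 3. The hard limit: past the tombstone lifetime a disconnected DC cannot safely resume
#    replication (lingering objects). An absent attribute means the 60-day default.
$cfg = (Get-ADRootDSE).configurationNamingContext
$ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
"Tombstone lifetime: $(if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }) days"
```

Schedule it and alert on any row rather than reading it by hand; a manual site link that has quietly stopped carrying traffic looks exactly like a working one until you ask a DC when it last succeeded.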
RE: [ActiveDir] DNS Restart
net stop dns net start dns From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, February 06, 2006 4:30 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DNS Restart Cannot find my notes on this one. What is the command line to restart DNS services without rebooting the DC? Brent Eads Employee Technology Solutions, Inc. Office: (312) 762-9224 Fax: (312) 762-9275
RE: [ActiveDir] OT: Change Tracking Database
You've pretty much described ChangeAuditor from NetPro. It's not freeware though. See http://www.netpro.com/products/changeauditor/index.cfm. -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Monday, January 30, 2006 8:05 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Change Tracking Database Hi I am looking for a database (preferably with a web interface) to track all changes made in the network/directory infrastructure. Change something in DNS? Log it. Make some registry changes on a server? Log it. Change a recipient policy in Exchange? Log it. You get the picture. Right now we are using a somewhat-clunky, homegrown, MySQL database. Anything off the shelf or free/shareware? TIA -- nme
RE: [ActiveDir] DC II
If a client can't find a DC in its site, it will then try to find any DC in its domain, regardless of site, based on the weights and priorities associated with the DCs' locator records in DNS. Site link cost doesn't enter into the process. However, NETLOGON does use site link cost to determine the covering DC for a DC-less site. -gil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny Sent: Thursday, January 26, 2006 12:33 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DC II We are in the process of coming up with a 2nd Data Center for DR. I am working on the AD part of it and I am trying to find out what the process is for finding a DC in DC II if DC I is down. I looked at some of the Domain Locator articles and it talks about how a client finds a DC and what happens if the DC that it contacts is not in its site, etc, etc. What I don't see is what happens if the DC I site is down?... How could it find DC II, is that all part of the site cost?. It has been a while and I am confused, are Site Costs used to find DCs or just for replication? Any articles or explanations are appreciated. Thanks Johnny Figueroa Enterprise Network Consultant/Integrator Network Services Banner Health Voice (602) 495-4195 Fax (602) 495-4406
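An added illustration of the two lookups Gil describes, not part of the original exchange. It needs only Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 and later) and takes the domain and site names as parameters; 'corp.example.com' and 'DC-II' in the usage lines are placeholders. The first query is the site-specific record set the client tries first; the second is the domain-wide set it falls back to when no DC in its site answers, shown in the order the locator weighs it: the lowest Priority tier wins outright, and Weight only spreads load within a tier. Site link cost appears nowhere in either answer.

```powershell
# Added example, not from the list thread. Uses Resolve-DnsName from the DnsClient module.
function Get-DcLocatorCandidates {
    param(
        [Parameter(Mandatory)][string]$Domain,   # DNS name of the AD domain
        [string]$Site                            # client's site; omit to see only the domain-wide set
    )
    $queries = @()
    if ($Site) { $queries += "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" }  # tried first
    $queries += "_ldap._tcp.dc._msdcs.$Domain"                             # fallback: any DC in the domain

    foreach ($q in $queries) {
        Resolve-DnsName -Name $q -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' } |            # drop the A records returned alongside
            Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
            Select-Object @{ Name = 'Query'; Expression = { $q } }, Priority, Weight, Port, NameTarget
    }
}

# Placeholder names; replace with your own domain and the site whose DCs are down
Get-DcLocatorCandidates -Domain 'corp.example.com' -Site 'DC-II' | Format-Table -AutoSize

# What the running locator actually chose (forces a fresh discovery instead of the cached DC)
nltest /dsgetdc:corp.example.com /force
```

If the site-specific query returns nothing for the DR site, no client there will ever prefer its local DCs, so check that output before a failover test rather than during one.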
RE: [ActiveDir] OT: WMI to retrieve DHCP leases
RE: [ActiveDir] OT: WMI to retrieve DHCP leases

Another tack to take is to use something like NMAP. It's a very effective IP discovery tool. I suppose it all depends on what you mean by "out there". Counting objects in AD will tell you the computers have been joined to the domain at some point. They might or might not exist anymore, and if they exist, they might not be in use. Counting DHCP leases will tell you the computers that use DHCP and are on a subnet covered by a DHCP scope. It won't tell you anything about computers with static addresses, or computers whose lease has expired. And you have to know where all your DHCP servers are (they might be routers or switches or WAPs (!), and not Windows servers). And some of the leases may be for printers and copiers and such, which might not fit your definition of a computer. Using NMAP will tell you all the devices that are reachable on the subnets you specify, are turned on, and have a loaded IP stack. The nice thing about NMAP is that it will tell you what kind of a device it is, what OS is loaded, and what services are running on it. It won't tell you anything about devices that aren't turned on. None of these schemes will tell you about standalone computers not on the network. Would you consider a non-networked computer "out there"? Some combination of the three (with appropriate duplicate removal) could give you a very accurate count. -gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Thursday, January 26, 2006 7:14 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: WMI to retrieve DHCP leases

DHCP is a much better metric than computers joined to the domain for this. You can't count non-domain-joined devices with any AD tool. Chances are however these devices have a DHCP lease.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED] Sent: Thu 1/26/2006 8:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: WMI to retrieve DHCP leases

DHCP is NOT the authoritative source for "how many computers are out there". If you could, grab Joe's oldcomp tool and just run it against your domain. You should get something close to accurate from there.

Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Mitch Reid Sent: Thu 1/26/2006 12:55 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: WMI to retrieve DHCP leases

No, I need to get a count of how many computers are out there. I'm lacking a good authoritative source and want to use the DHCP servers as a count. My script works that runs NETSH (for each scope on each server) but I like to keep everything in VB/WMI when possible. Thanks for the replies.

On 1/26/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

To the OP: Would you be happy with pulling the info on the client side? You could use Win32_NetworkAdapterConfiguration and retrieve the DHCPLeaseObtained or DHCPLeaseExpire values. back to my rabbit hole, folks :)

Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCT Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Alain Lissoir Sent: Wed 1/25/2006 6:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: WMI to retrieve DHCP leases

There is no WMI exposure of the DHCP settings and data. Sorry.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mitch Reid Sent: Wednesday, January 25, 2006 1:08 PM To: ActiveDir.Org Subject: [ActiveDir] OT: WMI to retrieve DHCP leases

I'm trying to write a vbscript to pull current DHCP leases from a 2003 DHCP server. I can do it with NETSH but I'd like to do it only with WMI in VBS. The closest I could find was dhcpobj.dll from the 2000 Resource Kit. However it doesn't appear to be able to pull leases. Is this possible? Thanks, Mitch.
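The "combination of the three with appropriate duplicate removal" that Gil describes, worked through as an added example (not code from the thread or from any of the tools named in it). The AD, DHCP and discovery records are constructed sample data, and their field names are assumptions rather than any tool's real output format.

```python
"""Reconcile three device inventories (AD, DHCP leases, network discovery)
into one de-duplicated device list, as the thread suggests.

Added example, not code from the thread. All three input lists below are
constructed sample data; the field names are assumptions, not the output
format of oldcomp, netsh, nmap or any other real tool."""
from collections import Counter

# (1) constructed: computer objects from AD, with days since last logon
AD_COMPUTERS = [
    {"name": "WS-001", "stale_days": 3},
    {"name": "WS-002", "stale_days": 5},
    {"name": "WS-OLD", "stale_days": 200},  # joined once, probably gone
]
# (2) constructed: DHCP lease export from two scopes
DHCP_LEASES = [
    {"ip": "10.1.1.10", "mac": "00:11:22:33:44:01", "host": "ws-001.corp.example"},
    {"ip": "10.1.1.11", "mac": "00:11:22:33:44:02", "host": "WS-002"},
    {"ip": "10.1.2.50", "mac": "00:11:22:33:44:50", "host": "printer-3f"},
]
# (3) constructed: discovery listing; the hostname may be unknown
DISCOVERED = [
    {"ip": "10.1.1.10", "mac": "00:11:22:33:44:01", "host": None},
    {"ip": "10.1.1.200", "mac": "00:11:22:33:44:99", "host": "srv-static"},
]


def short_name(host):
    """Normalise a hostname to its uppercase short form, or None if unknown."""
    if not host:
        return None
    return host.split(".")[0].upper()


def reconcile(ad_computers, dhcp_leases, discovered, stale_days=90):
    """Merge records that share a short hostname or a MAC address.

    Returns a list of devices, each {"keys": set, "sources": set}.
    AD objects whose last logon is older than stale_days are left out
    (summarize() reports them separately)."""
    devices = []

    def add(keys, source):
        keys = {k for k in keys if k[1]}  # drop unknown hostnames/MACs
        hits = [d for d in devices if d["keys"] & keys]
        if hits:
            # one record can bridge devices seen separately so far
            # (e.g. a scan hit with only a MAC links to a DHCP lease);
            # fold every matching device into the first one
            target = hits[0]
            for other in hits[1:]:
                target["keys"] |= other["keys"]
                target["sources"] |= other["sources"]
                devices.remove(other)
        else:
            target = {"keys": set(), "sources": set()}
            devices.append(target)
        target["keys"] |= keys
        target["sources"].add(source)

    for c in ad_computers:
        if c["stale_days"] <= stale_days:
            add({("name", short_name(c["name"]))}, "ad")
    for lease in dhcp_leases:
        add({("name", short_name(lease["host"])), ("mac", lease["mac"].lower())}, "dhcp")
    for host in discovered:
        add({("name", short_name(host["host"])), ("mac", host["mac"].lower())}, "scan")
    return devices


def summarize(ad_computers, dhcp_leases, discovered, stale_days=90):
    devices = reconcile(ad_computers, dhcp_leases, discovered, stale_days)
    by_sources = Counter(",".join(sorted(d["sources"])) for d in devices)
    return {
        "total": len(devices),
        "by_sources": dict(by_sources),
        # DHCP-only entries are the printers, copiers and non-domain boxes
        "dhcp_only": sorted(k[1] for d in devices if d["sources"] == {"dhcp"}
                            for k in d["keys"] if k[0] == "name"),
        "stale_ad_objects": [c["name"] for c in ad_computers
                             if c["stale_days"] > stale_days],
    }


def device_sources(devices, name):
    """Sources that contributed to the device with the given short name."""
    for d in devices:
        if ("name", name.upper()) in d["keys"]:
            return d["sources"]
    return set()


if __name__ == "__main__":
    for key, value in summarize(AD_COMPUTERS, DHCP_LEASES, DISCOVERED).items():
        print(f"{key}: {value}")
```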
RE: [ActiveDir] can variables be used in the registry?
It would depend on the app that is interpreting the registry entry. The registry itself doesn't automatically do parameter replacement like that. -gil

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Thursday, January 26, 2006 8:23 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] can variables be used in the registry?

A discussion this afternoon touched upon the notion of using variables (like %systemroot% or %windir%) in the registry. Is this possible? Has anyone ever done it? TIA! Mike Thommes
RE: [ActiveDir] OT: Gauging AD experience
But at least you're not bitter... -g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E] Sent: Friday, January 20, 2006 12:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Gauging AD experience

In my experience, when good directories go bad, it is usually due to three things. Firewalls. Firewalls. Did I list firewalls? Runner ups would be ADC for Exchange, Clowns posing as Administrators, Clowns posing as DNS experts, Clowns posing as Security experts, and no disaster recovery solution. Todd Myrick Brushing off the dust of my MVP status.

From: joe [mailto:[EMAIL PROTECTED] Sent: Thursday, January 19, 2006 3:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Gauging AD experience

When I read Al's post I thought of you Wook, I figured, hey Wook could use a creative presentation name... ;o) I would say When Bad Things Happen To Good Directories is more on par with "When Bad Things Happen To Good People", say like when your nanny gets a flat tire. "When Good Directories Go Bad" is more like when your good little daughter hits her teen years and starts going out to parties in fish net stockings and Big Red gum. :o)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Thursday, January 19, 2006 2:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Gauging AD experience Importance: Low

Sorry, I already did that one. My first DEC presentation was entitled When Bad Things Happen To Good Directories. Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, January 19, 2006 8:02 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Gauging AD experience

"when good directories go bad" sounds like a catchy title for a presentation, Joe. I think of directories and identity management infrastructures a little like networks: you rarely do get to design one from scratch, you're always tweaking an existing one. And I agree that tweaking the existing ones is a lot more interesting than designing from a blank slate. The analogy could be taken too far, but like networks, directories and authentication systems are always morphing due to new technologies, new tools, adding or removing applications. Lots of fun. Al Maurer Service Manager, Naming and Authentication Services IT | Information Technology Agilent Technologies (719) 590-2639; Telnet 590-2639 http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, January 18, 2006 6:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Gauging AD experience

I would say focusing on the design of big directories is pigeon-holing a little too much. There are only so many big directories that need to be designed. I personally find much more fun in diagnosing good directories that have gone bad than trying to design them. I design if I have to but it isn't what I like. Plus often with the design, it is rarely the case where you actually have all of the info though someone will tell you you do. You find out you don't later on when someone starts complaining or something starts breaking. I am not sure I would go so far as to say it is something you let the tools handle though. A lot of the tools out there still aren't doing the greatest job and there are many companies that don't want to spend the millions on those tools that they would be charged for them instead having a few really good people handling it. A tool doesn't see bad things coming when someone is coming at you with the next great thing they want to plug into the AD. If the tool does catch it, it is way too late in the integration cycle. Plus, what if the tool isn't catching the problem? Someone has to be knowledgeable enough too. If you depend solely on your tools to keep your AD running well it is possible you are going to get cut pretty good.

When I did Ops, I had several tools that watched what had been determined needed to be watched and then I would just go off and sample things to decide if there was something that maybe could be watched that we weren't watching. That could take the form of just watching network packets on a DC or a client subnet for an hour or so or just walking the event logs event by event or walking through looking at objects in the directory. Whatever. To get into those positions you want to get in with the companies already mentioned and jump about (and try not to hurt the customer too much with your learning) or find a big company and take whatever entry position you can get and prove yourself and grow into bigger/better positions. Don't expect to, for instance, walk into Walmart and become their AD guy. Maybe you get in as desktop support and get to know the right people and make suggestions on how things can be better and work
RE: [ActiveDir] OU Delegation
"when the GPO guys screwed up on the main account domains. They locked down EVERY single userid to kiosk mode"

Most people mitigate this sort of risk by technical review, automating the change application, and testing in a separate test forest. I can't see creating a separate domain as a "safe haven" for screwups like that. And it doesn't provide a safe haven from lots of other potential screwups like replication topology changes or schema mods. -gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, January 19, 2006 11:10 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OU Delegation

Exactly. There are good reasons for and against both multiple domains (including empty) and multiple forests. As a safe haven from domain level GPOs or final QA point for domain level modifications are things I wouldn't push against. Does it make sense for everyone? Depends on your management structure and concerns - some will see that as an issue that could impact them, others could see it as nothing. As a security barrier to protect hacking of the enterprise/schema admin is one I would push against because it doesn't actually do anything to help that. Organization of the forest is one that could easily go either way, tough to argue it as it really isn't technically based. In larger multidomain environments, I tend to like empty roots because the overhead is usually quite minimal in relation to everything else and it is a great place to deploy new patches, etc.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, January 19, 2006 9:55 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OU Delegation

candid=on As we've heard before today - do a cost/benefit study. Is it really prudent to build an extra domain with the incurred overheads just in case someone makes a mistake? There are doubtless other mistakes which can only be mitigated by building a separate forest. There may be good reasons (and bad ones too) for building a placeholder domain - these reasons need to be weighed against the incurred costs (over at least a 3 year period). candid=off neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: 19 January 2006 14:37 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OU Delegation

"The biggest thing about an empty forest root is it is a safe haven. Safe haven: A domain where the god rights live and you don't apply any gpo's or other things that can get out of hand and hurt you. This actually saved my a__ once at [deleted] when the GPO guys screwed up on the main account domains. They locked down EVERY single userid to kiosk mode. Fortunately they have no rights in the root domain so couldn't do anything to my IDs so I could log onto my PC with the forest root ID and undo what they did."

Verbatim quote from one of the top [I mean "REALLY TOP"] AD guys on this list to me in an offline when I asked him about whether or not I should do an empty root. I did it. RH

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, January 18, 2006 8:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OU Delegation

Well I didn't say I don't see the benefit of an empty root. I just don't see it as a generic best practice. Sometimes it makes a ton of sense, sometimes someone needs to be slapped for bringing it up. ;o) joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, January 18, 2006 5:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OU Delegation

Boy, I just had a consultant recommend an empty root as best practice for a divestiture we're doing. Like Gil and Joe, I really don't see the benefit (nor could the consultant name anything specifically). We have a single domain and delegate OU rights based basically on an administrative team's need to manage a group of resources, typically computers. Users, groups and Exchange are managed centrally. Moving things around within one domain is a whole lot easier than among domains. AL Al Maurer Service Manager, Naming and Authentication Services IT | Information Technology Agilent Technologies (719) 590-2639; Telnet 590-2639 http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Thursday, January 12, 2006 10:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OU Delegation

As joe says, "it depends". AD architecture is always a cost/benefit discussion, and most people don't really understand 1) the real benefits of multiple domains, and 2) the additional costs of running multiple domains. For
RE: [ActiveDir] Permissions vanishing
The fact that nothing showed up in the audit log is disturbing. Can you modify the ACL manually and see the audit entries that appear? Is there possibly a group policy that is changing the ACLs? -gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V Contractor NASIC/SCNA Sent: Thursday, January 19, 2006 11:34 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Permissions vanishing

Hey everyone, I am having an issue with a cluster server that shares our common access data drive. Every other day, the NTFS permissions on the shared clustered drive will revert to only Administrators and System having privileges. I have it set up as follows:

X:\SharedData - Share permissions
  Authenticated Users RWX
X:\SharedData - Inherited NTFS permissions
  Authenticated Users RX, LIST FOLDER CONTENTS
  Administrators F
  System F

Every other day or so the Authenticated users vanish from the NTFS permissions. I enabled auditing on the folder for permission change, but nothing came up in the security log that stated that the permissions had changed. Any ideas? I would appreciate anything anyone had to suggest. Thanks, Nate
RE: [ActiveDir] ADPrep Version Questions
There are no .dlls that it needs outside of what's in system32, but I think there are a bunch of .ldf files in \i386 that it uses. -gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Thursday, January 19, 2006 12:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADPrep Version Questions

Ok. Promise. Last adprep question: Does adprep need to be run from an i386 directory or can it be run on its own? Does it have dependent files within i386 or is it self-contained? Thanks.

From: joe [mailto:[EMAIL PROTECTED] Sent: Wednesday, January 18, 2006 5:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADPrep Version Questions

LOL. It isn't a decimal number though... It is a series of variable length decimal numbers separated by the period character... Sort of like an OID 1.2.840.113556.1.4.7000.102.7038

Versioning is a lost art I think though. I am big on xx.yy.zz. xx.=major, yy=minor, zz=really minor, =build. To me... major rev changes for big changes, massive updates or rewrites or dramatic functional changes. minor is added features, bug fixes. really minor is output string changes or remarks in the code being changed, things that don't change the code flow and don't require any serious testing (I rarely update this one). And build of course is how many times the bin has been compiled.

G:\>filever f:\dev\cpp\adfind\adfind.exe
--a-- W32i APP ENU 1.29.0.785 shp 950,784 12-22-2005 adfind.exe

The current release version of adfind for instance has been compiled 785 times. Well actually that is incorrect, it has compiled 785 times since V01.08.00. There was a little bug in the routine I had been using to increment the counter and it was resetting on every new minor version rev. If I follow the average I am probably off by 250-300 compile build numbers but I expect it is less than that because as the complexity grew in versions 15 the number of compiles between releases went up due to testing and bug hunting.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, January 18, 2006 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADPrep Version Questions

It's a common source of confusion. Ask a user if version 1.4.4 is newer or older than 1.4.3.4 :) Some say "34>4 therefore the latter is newer", some say "4>3 therefore the former is newer". neil

PS The purist in me would say that without a leading 0, the 196 below looks like 1 thousand 9 hundred and 60 and 1960>1830. it's all about justification, when dealing with the decimal notation :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 18 January 2006 15:13 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADPrep Version Questions

Ah don't worry about it, I figured you were just disconnected there when I saw the first question at all. That is why I counted it out. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Tuesday, January 17, 2006 8:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADPrep Version Questions

Oh (blush) Don't mind me. I'm just over here re-learning that whole tens, hundreds, thousands, etc thing. Ugh! (eyes roll skyward, head shakes) ;-) Sorry for the wasted bandwidth.

From: joe [mailto:[EMAIL PROTECTED] Sent: Tuesday, January 17, 2006 5:27 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADPrep Version Questions

one thousand eight hundred and thirty is greater than one hundred ninety six. The SP1 version is the most recent and highest version of adprep.

0 1 2 3 4 5 6 ... 194 195 196 197 198 199 200 ... 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 ...

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Tuesday, January 17, 2006 7:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADPrep Version Questions

yes

From: joe [mailto:[EMAIL PROTECTED] Sent: Tuesday, January 17, 2006 3:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ADPrep Version Questions

Are you asking if 1830 > 196?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Tuesday, January 17, 2006 6:44 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] ADPrep Version Questions

Hi- I am preparing to upgrade a W2k domain to W2k3. I want to use the latest version of ADPrep. I have found the following info and am confused: For ADPrep on the following -

From Windows Server 2003 CD: 5.2.3790.0 July 22, 2004, 9:07:08 AM
from WindowsServer2003-KB889101-SP1-x86-ENU.exe: 5.2.3790.1830 November 07, 2005, 5:48:59 PM
listed in MSKB / Hotfix 324392: 5.2.3790.196 July 23, 2004, 9:04

Am I reading that correctly: the one from SP1 is a lower version and later date than the one in the hotfix? Which one is the latest? Thanks. -- nme
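The comparison joe describes (a series of variable-length decimal numbers separated by periods, compared field by field) and the text-ordering mistake neil describes, shown side by side on the adprep versions quoted in the thread. This is an added example, not code from the thread.

```python
"""Compare dotted version strings field by field, as the thread describes,
and contrast that with plain text ordering. Added example, not code from
the thread; the version strings are the ones quoted in it."""
from functools import cmp_to_key

# the three adprep.exe versions listed in the original question
ADPREP_VERSIONS = ["5.2.3790.0", "5.2.3790.1830", "5.2.3790.196"]


def parse_version(text):
    """'5.2.3790.196' -> (5, 2, 3790, 196); rejects non-numeric fields."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    Fields are compared as integers, left to right, so 1830 beats 196 in
    the fourth field. A missing trailing field counts as 0, so
    1.4 == 1.4.0 and 1.4.4 > 1.4.3.4 (decided by the third field, 4 > 3)."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def newest(versions):
    return max(versions, key=cmp_to_key(compare_versions))


def sorted_as_text(versions):
    """The wrong way: character-by-character string order. '1830' sorts
    before '196' because '8' < '9', which is exactly the confusion in
    the thread (it would make the hotfix look newer than SP1)."""
    return sorted(versions)


def sorted_numerically(versions):
    return sorted(versions, key=cmp_to_key(compare_versions))


if __name__ == "__main__":
    print("text order:   ", sorted_as_text(ADPREP_VERSIONS))
    print("numeric order:", sorted_numerically(ADPREP_VERSIONS))
    print("newest adprep:", newest(ADPREP_VERSIONS))
```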
RE: [ActiveDir] AD computer accounts being removed
When you say "lose their account", do you mean the computer object in AD disappears? Or something else? -g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 10:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD computer accounts being removed

Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it? Thanks, Brenda
RE: [ActiveDir] AD DNS in Windows delegation to Novell DNS
I'm not familiar with Novell's DNS implementation... I assume it is based on BIND? See http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/73c0ae36-8058-43d1-8809-046eb03b73fb.mspx and http://www.microsoft.com/technet/archive/interopmigration/linux/mvc/cfgbind.mspx. -gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra Sent: Wednesday, January 18, 2006 10:55 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD DNS in Windows delegation to Novell DNS

Hi Team, Wanted to know what are the pros and cons of delegating the DNS zone created in Windows DNS for 2003 AD being delegated to Novell DNS as the client wants to use Novell as the primary Regards, Chandra Burra
RE: [ActiveDir] OT: Gauging AD experience
Yikes, I missed that one! When did that happen? -g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robinson, Chuck Sent: Wednesday, January 18, 2006 11:09 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Gauging AD experience

Internosis is now EMC Microsoft Practice. Doug, contact me offline if you are considering this option. [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, January 18, 2006 12:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Gauging AD experience

Hiring on with an IT services company that does large Windows projects would probably be the best way to develop the experience you're looking for. That way you get exposure to many different environments, requirements, people, and projects. HP, Internosis, LogicaCMG, and Microsoft Consulting Services are some examples, and there are tens or hundreds of others. Some smaller consulting companies like Oxford Computer Group focus on IdM projects and will sometimes get pulled into AD projects in an advisory capacity. From a career standpoint, I would look more to the broader IdM technologies. AD expertise is rapidly becoming commoditized, and in larger enterprise environments, AD is but one component of the IdM and security infrastructure. Moving forward, MIIS and ADFS are going to take center stage in the Windows environment, and AD is going to be pushed more into the background. AD will still be a critical component, and there will always be a need for architects who can design large AD infrastructures. But AD won't be where the action is. -gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Wednesday, January 18, 2006 9:49 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Gauging AD experience

I am trying to figure out how one gauges their AD experience. For example, I have designed, implemented and maintained an AD/Exchange environment of 5000 users with 1000 workstations from the ground up, alone. The environment is only 3 sites, with little complexity. I now work for a company maintaining a directory of about 150 users and 150 workstations. And the more local AD people I talk to, the more confident I am that I know quite a bit about AD compared to them (only talking about the people I have met, not generalizing the entire industry). Although I am not a guru like some on this list, I would like to get myself to the place where I can say yeah, I can design your 50,000 user / 15 site infrastructure. Or is that even possible? Is a project of that size several directory experts working together? I honestly believe that I could perform such a task, but knowing that I would make some mistakes that a VERY experienced person would not. So, I guess my question is: How do I get to where I want to be? Consult? Try to get a job with the biggest company I can? There may be no real answer, but I thought it was worth asking because I have been thinking about it for a couple of months and don't know where to start to move forward, and this is the only place I know that has people that I consider AD gurus (or gods even)
RE: [ActiveDir] AD computer accounts being removed
You might enable auditing on the appropriate OU to find out who is doing the deleting. You need to enable AD auditing in the Domain Controllers group policy, and then add auditing entries on the security descriptor of the appropriate OU, e.g. CN=Computers, to track creation and deletion of Computer objects.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 12:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually gone. Thanks, Brenda

Brenda Casey Network Manager Billings Public Schools [EMAIL PROTECTED] 406-247-3792

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Wednesday, January 18, 2006 11:14 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD computer accounts being removed

When you say "lose their account", do you mean the computer object in AD disappears? Or something else? -g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, January 18, 2006 10:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD computer accounts being removed

Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account). To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it? Thanks, Brenda
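Once the auditing Gil describes is in place, the question becomes what to look for in the resulting events. The review below is an added example (not code from the thread) run over a constructed, tab-separated sample of my own; it is not a real event-log export format. The deletion event IDs are the ones I know for "computer account deleted": 647 on Windows 2000/2003 and 4743 on Vista/2008 and later; 4741 ("computer account created") is included only to show that non-deletion events are ignored.

```python
"""Review AD audit events for computer-account deletions and flag the ones
that deserve a closer look. Added example, not code from the thread.

Nothing appears in the log unless both halves of the advice above are in
place: the audit policy in the Domain Controllers GPO AND a SACL entry on
the container holding the computer objects. The records below are a
constructed sample in a format of my own, not a real event-log export."""
from collections import defaultdict
from datetime import datetime, timedelta

# 647: Windows 2000/2003 "Computer Account Deleted"; 4743: Vista/2008+
DELETION_EVENT_IDS = {647, 4743}

# constructed sample: timestamp, event id, actor, target account, domain
SAMPLE_EXPORT = """\
2006-01-18 09:12:03\t647\tCORP\\svc-cleanup\tWS-001$\tCORP
2006-01-18 09:12:05\t647\tCORP\\svc-cleanup\tWS-002$\tCORP
2006-01-18 09:12:06\t647\tCORP\\svc-cleanup\tWS-003$\tCORP
2006-01-18 11:40:10\t4743\tCORP\\jsmith\tLAB-07$\tCORP
2006-01-18 12:00:00\t4741\tCORP\\jsmith\tLAB-08$\tCORP
"""


def parse_export(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, actor, target, domain = line.split("\t")
        events.append({
            "time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "id": int(event_id),
            "actor": actor,
            "target": target,
            "domain": domain,
        })
    return events


def review_deletions(events, approved_actors=(), burst_count=3,
                     burst_window=timedelta(minutes=5)):
    """Group deletions by actor and produce two kinds of finding:
    'unapproved' for any deleting actor not on the approved list, and
    'burst' when one actor deletes burst_count or more accounts inside
    burst_window (a cleanup script running amok looks like this, and so
    does a scripted mass deletion)."""
    deletions = defaultdict(list)
    for ev in events:
        if ev["id"] in DELETION_EVENT_IDS:
            deletions[ev["actor"]].append(ev)

    findings = []
    for actor, evs in deletions.items():
        if actor not in approved_actors:
            findings.append({"kind": "unapproved", "actor": actor,
                             "targets": [e["target"] for e in evs]})
        evs.sort(key=lambda e: e["time"])
        # sliding window of burst_count consecutive deletions by this actor
        for i in range(len(evs) - burst_count + 1):
            span = evs[i + burst_count - 1]["time"] - evs[i]["time"]
            if span <= burst_window:
                findings.append({"kind": "burst", "actor": actor,
                                 "targets": [e["target"]
                                             for e in evs[i:i + burst_count]]})
                break
    return {"deletions": {a: len(v) for a, v in deletions.items()},
            "findings": findings}


if __name__ == "__main__":
    report = review_deletions(parse_export(SAMPLE_EXPORT),
                              approved_actors={"CORP\\svc-cleanup"})
    print("deletions per actor:", report["deletions"])
    for f in report["findings"]:
        print(f"{f['kind']:10} {f['actor']:20} {', '.join(f['targets'])}")
```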
RE: [ActiveDir] OU Delegation
Tell him he needs to go to DEC. It's where all the cool AD people go :) -g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, January 18, 2006 3:11 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OU Delegation

Boy, I just had a consultant recommend an empty root as best practice for a divestiture we're doing. Like Gil and Joe, I really don't see the benefit (nor could the consultant name anything specifically). We have a single domain and delegate OU rights based basically on an administrative team's need to manage a group of resources, typically computers. Users, groups and Exchange are managed centrally. Moving things around within one domain is a whole lot easier than among domains. AL Al Maurer Service Manager, Naming and Authentication Services IT | Information Technology Agilent Technologies (719) 590-2639; Telnet 590-2639 http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Thursday, January 12, 2006 10:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OU Delegation

As joe says, "it depends". AD architecture is always a cost/benefit discussion, and most people don't really understand 1) the real benefits of multiple domains, and 2) the additional costs of running multiple domains. For instance, "additional security" is often cited as a benefit of an empty root. An empty root maybe provides a little additional security, but not much. The benefit depends on your own risk evaluation. On the other hand, the ongoing operational cost of a two domain forest is considerably higher than a single domain forest. Additional hardware costs, additional diagnostic complexity, and a more complicated DR situation all add to the costs of running multiple domains. My general recommendation is to stick with a single domain if you can, and add additional domains if you need to for password policy or controlling replication traffic. And if you find you have to have multiple domains anyway, use an empty root, because the incremental cost of an additional domain if you already have more than one is pretty small. But, "it depends". -gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, January 12, 2006 9:32 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OU Delegation

Ah good ol' best practices. :) What is recommended? Whatever is best for the customer of course. I guess my question is why one domain and one root versus just one domain? What is the purpose of the root? I am not saying this is bad by any stretch, there are good valid reasons for a root with other domains hanging off of it. Just curious what the decision flow was like to do it. Hopefully it wasn't something along the lines of reading "an empty root" is good somewhere and going for it as it is totally context sensitive. I would say the overall design goal, especially when Exchange is involved, is to use a single domain forest. However, if there is a good reason to add more domains, do it. Usually when someone says they have a domain and a root they mean they have a domain and an EMPTY root and I wonder about how the decision was arrived at. We have had this discussion previously on the list where some people are gung ho empty root and some people are gung ho no-empty root and both pointing at best practices. I am more of the does it make sense in this specific situation kind of person.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Thursday, January 12, 2006 11:12 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OU Delegation

Well, I just thought it would be best practice to consolidate multiple domains to one. What's recommended?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, January 11, 2006 7:58 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OU Delegation

You want to look at a couple of main points
1. How do you plan to delegate the permissions, I.E. the groupings of machines, users, etc.
2. How do you plan to do GPOs if at all.
3. How is the administration really going to work. For instance, if you use a provisioning system for managing users (highly recommended) you don't generally want to delegate those to local OU admins but instead keep them in a main OU that the provisioning system only has control to.

Why one domain and one root domain? I am not arguing one way or the other, just curious for the reasoning.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon Sent: Wednesday, January 11, 2006 4:24 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OU Delegation

We're in the process of consolidating 21 child domains into just one and one root. We want to separate the divisions (domains) into different OUs. Is there a guide
RE: [ActiveDir] Migrate domain to separate forest
Someone needs to do a cost-benefit analysis. I would guess that 2 forests = 1.6x the operations costs more or less. I don't know Exchange at all... isn't there some way to constrain the policy to a subset of mailboxes? -gil

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Wednesday, January 18, 2006 2:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Migrate domain to separate forest

"Because they want to have their out-of-office replies go to the internet"

hmm - that puts a whole new meaning to the requirements of a different forest. So just to get OOO replies configured the way they want, they're giving up being managed in the same forest and being in the same Exchange Org, having the same GAL as the rest of the company (or requiring extra mechanism to sync the users/contacts), or being able to easily share calendar data, simplifying resource sharing between any part of the company or allowing easy transition of users between other parts of the organization. way to go. I certainly know of other reasons to create a separate forest, but I hadn't considered OOO configurations to be one of them :-) /Guido

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers Sent: Mittwoch, 18. Januar 2006 14:50 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Migrate domain to separate forest

Thanks for your reply, Gil. You wrote:

Just out of curiosity, why do they think they want their own forest?

Because they want to have their out-of-office replies go to the internet, and our security policy won't let 'em do it because it affects everybody else, too!

In any case, there's no way that I'm aware of to carve off a domain and make it a new forest root... I think you'll have to create the forest and migrate the users and resources.

That's what I thought.

-- Larry Wahlers Concordia Technologies The Lutheran Church - Missouri Synod mailto:[EMAIL PROTECTED] direct office line: (314) 996-1876
RE: [ActiveDir] OU Delegation
I heard you weren't going to make it this year. High suckage factor.

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Well, if I were going this time, I'd tell you in person which consulting firm he worked for. HINT: it's none of the ones we've mentioned in this thread as being AD experts. :)

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Tell him he needs to go to DEC. It's where all the cool AD people go :)

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, January 18, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Boy, I just had a consultant recommend an empty root as best practice for a divestiture we're doing. Like Gil and Joe, I really don't see the benefit (nor could the consultant name anything specifically). We have a single domain and delegate OU rights based basically on an administrative team's need to manage a group of resources, typically computers. Users, groups and Exchange are managed centrally. Moving things around within one domain is a whole lot easier than among domains.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, January 12, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

As joe says, "it depends".

AD architecture is always a cost/benefit discussion, and most people don't really understand 1) the real benefits of multiple domains, and 2) the additional costs of running multiple domains. For instance, "additional security" is often cited as a benefit of an empty root. An empty root maybe provides a little additional security, but not much. The benefit depends on your own risk evaluation. On the other hand, the ongoing operational cost of a two domain forest is considerably higher than a single domain forest. Additional hardware costs, additional diagnostic complexity, and a more complicated DR situation all add to the costs of running multiple domains. My general recommendation is to stick with a single domain if you can, and add additional domains if you need to for password policy or controlling replication traffic. And if you find you have to have multiple domains anyway, use an empty root, because the incremental cost of an additional domain if you already have more than one is pretty small. But, "it depends".

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Ah good ol' best practices. :) What is recommended? Whatever is best for the customer of course. I guess my question is why one domain and one root versus just one domain? What is the purpose of the root? I am not saying this is bad by any stretch, there are good valid reasons for a root with other domains hanging off of it. Just curious what the decision flow was like to do it. Hopefully it wasn't something along the lines of reading "an empty root" is good somewhere and going for it, as it is totally context sensitive. I would say the overall design goal, especially when Exchange is involved, is to use a single domain forest. However, if there is a good reason to add more domains, do it.

Usually when someone says they have a domain and a root they mean they have a domain and an EMPTY root and I wonder about how the decision was arrived at. We have had this discussion previously on the list where some people are gung ho empty root and some people are gung ho no-empty root and both pointing at best practices. I am more of the "does it make sense in this specific situation" kind of person.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, January 12, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

Well, I just thought it would be best practice to consolidate multiple domains to one. What's recommended?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, January 11, 2006 7:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU Delegation

You want to look at a couple of main points

1. How do you plan to delegate the permissions, I.E. the
RE: [ActiveDir] AD computer accounts being removed
Let me find my rolled up newspaper... :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 4:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

NO NO NO NO NO BAD BAD BAD

You have to use sysprep. You're getting duplicate SIDs here - bad.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Wednesday, January 18, 2006 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary, Brian,

I do not use Sysprep on my images and have yet to come across any problems, but there may be one big difference with my images: before I ghost them or create the image I put the said machine into a workgroup and then create the image. After I have imaged a computer I log on and change the Computer Name, reboot and then join the domain with the new computer name. Should I be using Sysprep?

And Brenda, I have experienced your problem but I have never noticed the accounts actually being out of AD. Anyways, most times for me a simple reboot works, although I have had to actually ghost computers in order to rejoin the domain because I do not have any local accounts active on my computers in the school. Makes it a little safer :) but with that comes more work :(

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, January 18, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Gary- Are you implying you don't sysprep your images?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Garyphold
Sent: Wednesday, January 18, 2006 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Brenda,

FWIW: It happens to me when I clone a workstation then try to join that workstation to the domain in order to change the computer name. AD sees 2 machines with the same name, gives me a notification and lets the 2nd one in. Then when the original machine with that name logs in next time, it isn't seen on the network. Then I have to do the same thing you did - with the original machine. Then all is well again. Don't know if that will help, but it might narrow down the problem some.

Gary

Gary Polvinale
Denton ATD

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

Yes, their computer account in AD is actually gone.

Thanks,
Brenda

Brenda Casey
Network Manager
Billings Public Schools
[EMAIL PROTECTED]
406-247-3792

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, January 18, 2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD computer accounts being removed

When you say "lose their account", do you mean the computer object in AD disappears? Or something else?

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, January 18, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD computer accounts being removed

Occasionally computers will lose their account in Active Directory for no apparent reason. Sometimes it is a computer that has just joined the domain, while other times the machine has been a member of the domain for 2 years. The computer can only be logged on by a local account (not a domain account).

To remedy this, the computer has to be disjoined from the domain, join a workgroup, then join the domain again. As I am sure you all are aware, this is not only time consuming, but very inappropriate to have to do. Has anyone else had this experience and how have you fixed it?

Thanks,
Brenda
RE: [ActiveDir] Migrate domain to separate forest
Just out of curiosity, why do they think they want their own forest? In any case, there's no way that I'm aware of to carve off a domain and make it a new forest root... I think you'll have to create the forest and migrate the users and resources. ADMT would seem to be a reasonable way to go. Or one of the commercial migration products.

-g

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Tuesday, January 17, 2006 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrate domain to separate forest

Hello, colleagues,

One of our organizations is in their own domain, a child domain of our root. They want to be in their own forest. Are there tools to migrate them to their own separate forest, or will I need to build the forest first, presumably with 2 new DC's, and then make all their servers join the new forest? And, of course, they have about 140 users.

Thanks, folks.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: DEC 2006 (way OT ...)
When you saved a file, it didn't overwrite the old version... You would have files like foo.txt;1 foo.txt;2, etc. until you explicitly removed the old versions.

-g

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Friday, January 13, 2006 10:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DEC 2006 (way OT ...)

Al,

> I always wished that Microsoft would support multiple file versions like VMS did.

I'm just curious, if you have the time, for my own edification, what was this VMS file system feature? Could you elaborate how it worked?

Cheers,
BrettSh [msft]
SDE - ESE

On Thu, 12 Jan 2006, Al Lilianstrom wrote:

Don't forget the VAXMate and PCSA v1.1. What an interesting pair... My brother in law worked for DEC at that time and had a VAXStation II and a Pro350 that he had bought from DEC in his basement. Kept trying to sell me the Pro. VMS was great. I turned off my last VAX just over 2 years ago. It had been up and running for 8 years. Great OS, great hardware, lousy company management. I always wished that Microsoft would support multiple file versions like VMS did.

al

Lee, Wook wrote:

Ah, now we're really dragging out the old war horses. My first job at DEC was writing CBI courses for the DECmate WPS+ list processing module. They gave me a Robin (think VT100 with a processor and dual 5.25 floppy disks) to use at home (a little basement studio next to the laundry room in the basement of my apartment building in Acton, MA.) My second job was writing a device driver in C for a Polaroid CRT-to-film peripheral called the Polaroid Palette (had a mini-high resolution BW CRT and a Color-filter wheel all controlled by a Z80 processor) for the very same Rainbow PC. In those days, Digital could not decide on a PC strategy. There were three different product lines that all had some potential but none of them took off.

We had the Rainbow which was close to what became mainstream with an 8088 or 8086 processor, the DECmate which was basically a secretarial workstation running WPS+ and not much else, and the Pro 350 which was a repackaged PDP-11 that spent a few years as the console device for some of the bigger VAXen. If I recall correctly, the Pro 350 OS was based on RSTS. Those were the good old days before 1987 and Black Tuesday. I think I had some Digital options at something like $150. Sigh.

Wook

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kat Collins
Sent: Wednesday, January 11, 2006 6:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DEC 2006

Anyone remember the Rainbow? It was DEC's attempt at a Personal computer. Launched in early '83, if I remember... ran its own proprietary DEC-OS and was not compatible with any IBM-DOS apps. It died a year or two later, but the marketing stickers held up for about 10 years!! I had one stuck to my daughter's mirror and damned if I could get it off!! And the DECwriter and the Gold key. a - sweet memories!!

On 1/11/06, joe [EMAIL PROTECTED] wrote:

Ah but people using DEC and attending DECUS were smarter than the average bear. To this day the people I meet who grew up on DEC are more well rounded and knowledgeable in the field than the norm. The good ol' days... Anyone remember Mike Mayfield and the RSTS/E Monitor Internals books he wrote? Only place to get the real scoop on the internals so you could really wreak havoc. I think he also wrote the original Trek too, so if your system was still up after poking around in the internals you could play a video game on your DecWriter or VT52. I got my first official corporate support position supporting OS/2 and Win31 on Token Ring back in the mid 90's because I knew DEC.

The 8 or so people in the panel interview started asking me questions about the equipment the job was for (OS/2 Win31 tcp/ip Token Ring) and I couldn't answer any of the questions, so they saw DEC on my resume and started asking DEC questions, and a couple of hours later we were all laughing and I had my choice of the three open positions they had even though I knew nothing about any of them. :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John McGlinchey
Sent: Tuesday, January 10, 2006 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DEC 2006

My experience is just the opposite. I attended DECUS (The other DEC, Digital Equipment Computer Users Society Symposia) a few times back in the 90's and the casinos complained that the attendees were not losing enough money. This was attributed to 1) most of the attendees knew the odds were against them so they kept their money in their pockets where it belonged and 2) the ones
RE: [ActiveDir] [List Owner] Mailing list is 5 today!
That's really cool. Congratulations on creating the best online forum for AD professionals.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, January 13, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List Owner] Mailing list is 5 today!

congrats Tony! - keep up the good work !!!

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Friday, 13 January 2006 01:57
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [List Owner] Mailing list is 5 today!

Hi all

I started this list on 13th January 2001. Thanks to everyone out there for making it a great place to hang out and learn about AD (and more besides!).

Tony

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Congrat Jorge !!!!!
Amazingly I blogged this a week ago (http://www.gilsblog.com/index.cfm?commentID=44). How did Jorge not find out till today? Don't they have email over there? :)

Congratulations Jorge, you certainly deserve it.

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, January 13, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Congrat Jorge !

Just read jorge's blog @ http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx

Congrat jorge for your nomination as a MVP. :o)

Will u have a microsoft professional card as the MCP/MCSE one ?

Yann
RE: [ActiveDir] LDAPS SRV Records?
Try http://msdn.microsoft.com/library/default.asp?url=

These are relatively new (WS2003 perhaps?) We developed our own DNS functions over Winsock.

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Friday, January 13, 2006 1:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAPS SRV Records?

Does anyone have an idea which Windows API does the DNS registration of SRV records for DCs? I'm very curious as to if that is a public method. The purpose is I'm looking into how feasible it is to write a Windows Service that hooks into netlogon and registers secure LDAP SRV records as needed provided the DC's can speak LDAPS.

Think it's a horrible idea? Could be done better? Let me know what you think. I know the ultimate solution is a DCR, but like I said..I'm just brainstorming ideas.

-Brandon
RE: [ActiveDir] Congrat Jorge !!!!!
I have my sources... :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, January 13, 2006 5:15 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !

I don't think Gil is allowed to say :) NDA, you know ;)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Fri 1/13/2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !

Thanks everyone!

A week ago on January 6th I got notice from the US MVP Lead I have been nominated (blogged that on January 6th http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx) and today (Friday the 13th...) I got notice from the Dutch MVP lead saying Microsoft awarded me the MVP DS Award (blogged that today http://blogs.dirteam.com/blogs/jorge/archive/2006/01/13/406.aspx)

I don't know how the process works... Gil, how did you find out?

Cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Fri 2006-01-13 22:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Congrat Jorge !

Amazingly I blogged this a week ago (http://www.gilsblog.com/index.cfm?commentID=44). How did Jorge not find out till today? Don't they have email over there? :)

Congratulations Jorge, you certainly deserve it.

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, January 13, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Congrat Jorge !

Just read jorge's blog @ http://blogs.dirteam.com/blogs/jorge/archive/2006/01/07/387.aspx

Congrat jorge for your nomination as a MVP. :o)

Will u have a microsoft professional card as the MCP/MCSE one ?

Yann

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: DEC 2006
It's not Vegas, the Green Valley Resort is in Henderson, NV. :) Nope, nothing to see here. No gambling, no shows, no fast women. Just boring technical sessions. Move along.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, January 10, 2006 7:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DEC 2006

Ditto for me… My title doesn't start with a C _ _ so I'm afraid to even ask for a paid trip to Vegas :)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I love the smell of red herrings in the morning" - anonymous

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Monday, January 09, 2006 1:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DEC 2006

I would love to go, unfortunately as most people on the list, unless our employers pay for it, we just can not afford to attend.

Jose

- Original Message -
From: McLeod, Scotty
To: ActiveDir@mail.activedir.org
Sent: Monday, January 09, 2006 7:45 AM
Subject: RE: [ActiveDir] OT: DEC 2006

Am attending again, looking forward to it.

Scotty

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 05 January 2006 22:17
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DEC 2006

Of the list how many people are going to DEC this year?

www.directoryexpertsconference.com

Tomorrow is the last day for the early bird registrations if anyone wants to save some $£€'s.

Mark
RE: [ActiveDir] OT: DEC 2006
I'll get right on that...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Friday, January 06, 2006 3:22 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: DEC 2006

Almeida Pinto, Jorge de wrote:
> it looks like it should be a swiss army bag with a rolling 6 pack cooler that you can take to the gym and is not a burden when drinking at the bar... ehhh I mean doing some quality community interaction ;-) is that possible Gil?

You forgot about the portable wireless connection unit :)

--
Tomasz Onyszko
http://www.w2k.pl

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: DEC 2006
Well, I'm going. But I get a free pass... :)

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, January 05, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DEC 2006

Of the list how many people are going to DEC this year?

www.directoryexpertsconference.com

Tomorrow is the last day for the early bird registrations if anyone wants to save some $£€'s.

Mark
RE: [ActiveDir] OT: Request for Test AD Population Data
Try ADTEST from MSFT. Along with creating an arbitrarily large AD population, it can also generate authentication and query traffic so you can load test DCs.

http://www.microsoft.com/downloads/details.aspx?FamilyID=4814fe3f-92ce-4871-b8a4-99f98b3f4338&DisplayLang=en

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Thursday, January 05, 2006 4:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Request for Test AD Population Data

That's true.. used it once for generating 25,000 users... if I remember right it'll even do mailboxes (if you can wait)... it's called AD Populator or something :-)

Regards,
Mylo

Peter Johnson wrote:
> If you download the eval of NetIQ DRA there is a tool in there that will generate users for you.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 04 January 2006 15:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Request for Test AD Population Data

Hi Mark,

What I've done once: took the Northwind DBs and extracted names and addresses to create sample users for me. Unfortunately I don't know where it is anymore, but that's the approach I'd take b/c Northwind contains general sample data, addresses, many locations (I created an OU structure out of these), and if you need more you can also take the list of first names and last names and create more sample users.

Greetings - Sincerely,

Ulf B. Simon-Weidner

MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, January 03, 2006 4:03 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] OT: Request for Test AD Population Data

I utilise VBScript too, but I wanted user data with a little more substance. 500 names in an ldf file is a lot more use to me than a vbs file which creates user 1, 2, 3 etc etc

Mark

-Original Message-
From: Tomasz Onyszko [EMAIL PROTECTED]
Date: Tue, 03 Jan 2006 15:49:22
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Request for Test AD Population Data

Rick Kingslan wrote:
> Tomasz, I think that Mark is looking to populate his metabase with data other than User 1, User 2, User 3, etc. with simple or blank attributes. So, he's looking for stuff like Homer Simpson, with all of the user data, then Marge, etc.

So still I don't think he will find such .. I use vbscript to populate my AD with test data.

--
Tomasz Onyszko
http://www.w2k.pl

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
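The approach Mark and Ulf describe in the thread above (real-looking names in an .ldf file, one OU per location) as an added Python example; this is not code from the thread, from ADTEST or from any other tool mentioned. The people table, the example.test forest and the attribute set are constructed placeholders; the output is the changetype: add record format that ldifde -i imports.

```python
"""Build an ldifde-style .ldf of test users, one OU per location (added example;
the people table, example.test forest and attribute set are constructed)."""
import base64
import re

# Constructed sample rows: (given name, surname, city, department).
SAMPLE_PEOPLE = [
    ("Homer", "Simpson", "Springfield", "Safety"),
    ("Marge", "Simpson", "Springfield", "Admin"),
    ("Hank", "Scorpio", "Cypress Creek", "Executive"),
    ("Harry", "Simpson", "Springfield", "Sales"),       # logon name collides with Homer
    ("Mary", "O'Neil, Jr.", "Cypress Creek", "Sales"),  # comma must be escaped in the DN
]

BASE_DN = "DC=example,DC=test"   # placeholder forest, not a real domain
UPN_SUFFIX = "example.test"
MAX_SAM_LEN = 20                 # pre-Windows 2000 logon name limit
DISABLED_NORMAL_ACCOUNT = "514"  # NORMAL_ACCOUNT (512) | ACCOUNTDISABLE (2)


def escape_dn_value(value: str) -> str:
    """Escape an RDN attribute value per RFC 4514 so the DN stays parseable."""
    out = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def sam_candidates(given: str, surname: str):
    """Yield first initial + surname, then numbered variants, all within 20 chars."""
    base = re.sub(r"[^a-z0-9]", "", (given[0] + surname).lower())
    yield base[:MAX_SAM_LEN]
    n = 2
    while True:
        suffix = str(n)
        yield base[: MAX_SAM_LEN - len(suffix)] + suffix
        n += 1


def build_population(people=SAMPLE_PEOPLE, base_dn=BASE_DN):
    """Return (ou_entries, user_entries); OUs come first so parents exist at import."""
    cities = list(dict.fromkeys(city for _, _, city, _ in people))  # unique, ordered
    ous = [{"dn": f"OU={escape_dn_value(c)},{base_dn}",
            "objectClass": ["top", "organizationalUnit"], "ou": c} for c in cities]
    used, users = set(), []
    for given, surname, city, dept in people:
        # First free logon name: hsimpson, then hsimpson2, ... (never a duplicate).
        sam = next(c for c in sam_candidates(given, surname) if c not in used)
        used.add(sam)
        cn = f"{given} {surname}"
        users.append({
            "dn": f"CN={escape_dn_value(cn)},OU={escape_dn_value(city)},{base_dn}",
            "objectClass": ["top", "person", "organizationalPerson", "user"],
            "cn": cn, "sAMAccountName": sam,
            "userPrincipalName": f"{sam}@{UPN_SUFFIX}",
            "givenName": given, "sn": surname, "displayName": cn,
            "department": dept, "l": city,
            # Test accounts are created disabled; nobody can log on with them
            # until an admin deliberately enables one and sets a password.
            "userAccountControl": DISABLED_NORMAL_ACCOUNT,
        })
    return ous, users


def ldif_attr(attr: str, value: str) -> str:
    """Render one attribute line; base64 ('::') when the value is not LDIF-safe."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}: {value}" if safe else f"{attr}:: {encoded}"


def fold(line: str, width: int = 76) -> str:
    """Wrap long lines the LDIF way: each continuation line starts with a space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def to_ldif(entries) -> str:
    """Serialise entries as 'changetype: add' records (ldifde -i -f users.ldf)."""
    out = []
    for e in entries:
        out.append(fold(f"dn: {e['dn']}"))
        out.append("changetype: add")
        for attr, value in e.items():
            if attr != "dn":
                for v in (value if isinstance(value, list) else [value]):
                    out.append(fold(ldif_attr(attr, v)))
        out.append("")  # blank line terminates the record
    return "\n".join(out)


if __name__ == "__main__":
    ous, users = build_population()
    print(to_ldif(ous + users))
```

Swap SAMPLE_PEOPLE for rows pulled from Northwind (or any name list) to get the few hundred realistic entries the thread asks for; the OU-per-city and unique-logon-name logic is unchanged.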
RE: [ActiveDir] Way OT: DC & Server monitoring tools
DirectoryAnalyzer from NetPro. http://www.netpro.com/products/directoryanalyzer/index.cfm

Paid for by the Sell More NetPro Products Committee. (c) 2006 All Rights Reserved.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 05, 2006 4:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Way OT: DC & Server monitoring tools

You will get as many different answers as people that respond to this. Monitoring tends to be a big personal feeling item, especially when you start asking for cheap solutions. Most of the bigger well known names are not inexpensive, such as MOM, HP OVO, etc.

Something I used for a long time for various things, including a majority of the monitoring of the DCs of a very large AD deployment I used to do ops for, was called HostMonitor. http://www.ks-soft.com/hostmon.eng/index-price.htm

The tool is (or at least was, I haven't looked in a while) primarily agentless, in fact agents were an add-on if you wanted them. That is one of the things I liked about it. I have personal issues with depending on a server completely monitoring itself. The issues being additional overhead for the agents, the fact that the agents can impact the functioning of the server, and that if the server is bad enough off, the agent can't tell anyone anyway. I much prefer service availability based monitoring, test the services remotely like a client would. I was able to pull most of my custom perl scripts into the engine and let it do the driving of the scripts and the notification for all sorts of things like AD replication, WINS name resolution, etc.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Wednesday, January 04, 2006 9:55 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Way OT: DC & Server monitoring tools

Hi all

Just looking for some advice on server monitoring tools, for DC monitoring as well as Exchange monitoring. I'm currently using Argent but found it much of a hassle to set up, the predefined rules out of the box are very standard, and it is much more expensive than others as well. Tried installing MOM but the gui isn't easy (haven't had time to play around much)... Any suggestions or experience on good monitoring products - preferred agentless..

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
International SOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785
RE: [ActiveDir] OT: DEC 2006
I've passed your comment on to Stella. We've done nice backpacks the last couple of years that seem to be well-regarded.

After seeing King Kong, I now have a much greater appreciation of the term "going ape".

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, January 05, 2006 3:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DEC 2006

Just a thought: As most people already have a laptop bag – can we have a bag that we can say use for the gym this year, or is it too late? I always get laptop bags (average 6 a year) and they sit in the cupboard (closet) until I have too many or my wife goes ape (mad) and I have to dispose of them.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: 05 January 2006 22:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: DEC 2006

Well, I'm going. But I get a free pass... :)

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, January 05, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DEC 2006

Of the list how many people are going to DEC this year?

www.directoryexpertsconference.com

Tomorrow is the last day for the early bird registrations if anyone wants to save some $£€'s.

Mark
RE: [ActiveDir] OT: DEC 2006
Jorge, you're speaking at DEC. You already get a free pass. We're not going to make speakers pay for their tickets, at least not until after 2007. :) -g -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Thursday, January 05, 2006 3:51 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DEC 2006 can I get a free pass? jorge From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick Sent: Thu 2006-01-05 23:36 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: DEC 2006 Well, I'm going. But I get a free pass... :) -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Thursday, January 05, 2006 3:17 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: DEC 2006 Of the list how many people are going to DEC this year? www.directoryexpertsconference.com http://www.directoryexpertsconference.com/ Tomorrow is the last day for the early bird registrations if anyone wants to day some $£EUR's. Mark This e-mail and any attachments may contain confidential and privileged information. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this e-mail and destroy any copies. Any dissemination or use of this information by a person other than the intended recipient is unauthorized and may be illegal. This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. 
List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] ADMT Request
How about http://www.microsoft.com/technet/itsolutions/ucs/ds/dmcnmg/default.mspx

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, December 13, 2005 1:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADMT Request

www.activedir.org :-)

sounds like you want to do a bit of domain collapsing within your forest (which is a good thing, yet it can be more painful than migrating to a new forest). do you have a concrete question?

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Tuesday, 13 December 2005 16:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADMT Request

Does anyone know of a place to get all the best practices for a Windows 2000 multiple domain -> Windows 2003 single domain (intra-forest)?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, December 12, 2005 5:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADMT Request

it's less point and click these days, at least if you do it right, since you should certainly leverage the include-file options to select the objects for the migration (this also allows you to rename objects during the migration). However, I doubt that James even has a problem with the migration of users and groups (although I've also used multiple sessions to speed up larger scale migrations with ADMTv3). The more lengthy task is obviously the processing/migration of the clients - here multiple sessions are useful for many reasons, especially to run the tool with different credentials so that it can connect with different account data to the various clients (if these reside in various source domains). Or even just to handle processing of batches.
Especially now that ADMT has a cool retry option that will go after all those clients that are forever offline (and it even performs post-migration checks on the clients to see that they've migrated successfully...)

The way I've helped myself was to use a terminal server with multiple connections for the different sessions - the RDC session name will be visible and allow you to keep the sessions apart. And when connected to a session - your account would tell you that this is the Denver session, or you could even add some other notes on the desktop or wherever, if this helps you keep the sessions apart...

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, 13 December 2005 00:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADMT Request

It's been ages since we ran our migration, but at the time we scripted it using the sample scripts that accompanied ADMT. If you go that route, you can have multiple log files that are uniquely named and not run into the session confusion. You'll also get much more consistent results from the scripts, as you won't have mischecked options or typos that seem inevitable in lots of point/click scenarios.

Hunter

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, December 12, 2005 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADMT Request

Hi All

I am not sure anybody that can do anything with this listens on this list, but we have been using ADMT v.3 with great success for a very large scale migration. The multi session ability has been a huge benefit to us. We are running into a problem keeping multiple sessions straight. How hard would it be to include a description field that you can fill in when you start the session that would then show up in the title bar for the session (something like Session DENVER, California, etc)? Just a wish.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]
RE: [ActiveDir] AD Defrag
http://www.microsoft.com/technet/itsolutions/cits/mo/winsrvmg/adpog/adpog3.mspx#EZAA recommends that you do it on an "as needed" basis, as determined by available disk space, or after large batch delete operations.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Monday, December 12, 2005 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Defrag

Question: I have 8 AD controllers in several locations. All have different database sizes ranging from 45 MB to 80 MB. Is there a rule of when I should or when I need to do an offline defrag of the Database? I just had to defrag my mail store and I don't want to not be proactive with my Active Directory, so I'm looking for advice on when, why and how often I should do a defrag.

Thanks
Mike
RE: [ActiveDir] TCP/IP Filtering in Windows server 2000/ 2003
If you are talking about restricting access on a DC, you can use the little known feature in AD called the IP Deny List. It was documented in W2K, and still works in WS2K3. Essentially, it is a list of IP addresses and subnets that the DC will not accept AD connections from.

You can set the IP Deny list using the W2K version of NTDSUTIL, or you can use ADSIEdit and add the strings in hex (yucky). Or write some code, if you're so inclined.

The IP deny list is maintained in the lDAPIPDenyList attribute of the queryPolicy object. If you want to deny access to ALL DCs from specified addresses, you can add the lDAPIPDenyList attribute to the CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=your root domain here object. Otherwise, create a new queryPolicy object and attach it to the DCs you are concerned about.

The syntax of the lDAPIPDenyList attribute is octet string, but the data is stored as text. So for instance, to deny access from IP address 1.2.3.4, you would add the value 0x31 0x2e 0x32 0x2e 0x33 0x2e 0x34, one address per value. You can also deny access from entire subnets by doing something like 1.2.3.4/24 (in hex).

Probably it's easier to make the change from a W2K machine. The W2K version of NTDSUTIL doesn't run on a WS2K3 DC AFAIK.

I haven't determined if this is supported or not. It seems it would be, since you can make the change to a WS2K3 DC from a W2K machine. But it does work quite well. But of course this doesn't work generically, just on DCs.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Monday, December 12, 2005 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] TCP/IP Filtering in Windows server 2000/ 2003

May be of interest, but in addition to IPSec, which in no way am I denigrating :0), there are a couple of interesting packet filtering alternatives that perform a similar function as well, particularly on Win2K

http://sourceforge.net/projects/pktfilter/
http://force.coresecurity.com/index.php?module=basepage=factsheet#IDAAUZS

I've not used CoreForce but I have used pktfilter under Win2K.. useful if you already know IPFilter. If you're on Win2k3 then you're probably best off with IPSec since it's much improved ...

Regards,
Mylo

Tomasz Onyszko wrote:
> Medeiros, Jose wrote:
>> Hello everyone,
>> Is there a way I can restrict accepting TCP/IP packets from a specific address in Windows 2000 / 2003 server? I do not see this option in the TCP/IP Filtering menu?
>
> No, You can't do that - use IPSec filtering instead of TCP/IP:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/207E34C8-F715-4AA8-8F26-E06BD1ECA808.mspx
> http://support.microsoft.com/kb/313190
> http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/904d3234-18e1-45b3-b7c0-73e6586ea159.mspx
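The hex encoding Gil describes above, as an added example (this is not code from the list, from NTDSUTIL or from Microsoft): a small Python helper that validates a deny-list entry, renders it as the hex octet-string value ADSIEdit expects, decodes an existing value so an administrator can review what a DC is actually denying, and checks whether a given client address would be caught by the list. The sample entries are constructed; the address/prefix subnet spelling is taken from the post and is an assumption to confirm on a test DC before relying on it.

```python
import ipaddress

# Constructed sample deny list in the textual form the post describes:
# one address or address/prefix per attribute value. The "a.b.c.d/24"
# subnet spelling is the post's; whether a given DC build accepts exactly
# that form is an assumption to verify on a test DC first.
SAMPLE_DENY_ENTRIES = ["1.2.3.4", "10.20.0.0/16"]


def validate_entry(entry):
    """Parse one deny-list entry; a bare address is treated as a /32.

    Raises ValueError for anything that is not an IPv4 address or
    address/prefix, so a typo cannot silently become a no-op value.
    """
    net = ipaddress.ip_network(entry, strict=False)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError("IPv4 only: %r" % entry)
    return net


def encode_deny_value(entry):
    """Return the ADSIEdit-style hex byte string for one entry.

    The attribute has octet string syntax but holds ASCII text, so the
    value is just the text's bytes written as 0xNN tokens, e.g.
    "1.2.3.4" -> "0x31 0x2e 0x32 0x2e 0x33 0x2e 0x34".
    """
    validate_entry(entry)
    return " ".join("0x%02x" % b for b in entry.encode("ascii"))


def decode_deny_value(hex_tokens):
    """Inverse of encode_deny_value: turn "0x31 0x2e ..." back into text.

    Useful for reviewing values already present on a queryPolicy object.
    """
    return bytes(int(tok, 16) for tok in hex_tokens.split()).decode("ascii")


def is_denied(client_ip, entries):
    """True if client_ip falls inside any entry of the deny list."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in validate_entry(e) for e in entries)


if __name__ == "__main__":
    for e in SAMPLE_DENY_ENTRIES:
        print("%-16s -> %s" % (e, encode_deny_value(e)))
    for ip in ("1.2.3.4", "1.2.3.5", "10.20.5.6", "10.21.0.1"):
        print(ip, "denied" if is_denied(ip, SAMPLE_DENY_ENTRIES) else "allowed")
```

The decode direction is the one worth keeping around: an entry that has been typed into ADSIEdit as hex is hard to read back, and a deny list nobody can read is a deny list nobody audits.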
RE: [ActiveDir] FSMO role transfer
By definition, the impact of a maintenance task is expected to be low. But the behavior of a server isn't always predictable after you change the software and/or configuration and reboot it. Sometimes just the power or temperature fluctuation is enough to kick a marginal component over the edge.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, November 29, 2005 12:16 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

If you want 100% insurance then yes, transferring the FSMO roles prior to the maintenance task could prevent an eventual seize if the particular DC dies for some reason. Maybe, dependent on the maintenance task that is performed, a decision should be made whether the FSMO roles should be transferred or not. So.. define maintenance task... what is the impact of the maintenance task?

jorge

From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Tue 11/29/2005 6:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

I'd move the FSMOs just in case something happens and the DC in fact doesn't come back in 2 hours. How many times have you done PM on a machine only to have it completely f* up and have to restore? It seems like about a 1-in-25 chance that something will go wrong.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, November 29, 2005 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FSMO role transfer

First, look at each role and see what it does...

Forest FSMOs
* Schema Master -- needed when updating the schema
* Domain Naming Master -- needed when adding or removing domains within the forest

Domain FSMOs
* PDC Emulator -- needed for legacy clients (NT4, W9x) when changing passwords, used for time sync, is used for pwd checking when a user enters an incorrect pwd at another DC, used by DFS roots to get DFS info
* RID Master -- needed to distribute RID pools to DCs that have exhausted 50% of their current RID pool (=250 RIDs)
* Infrastructure -- needed to update references between domains in a forest (does not do anything in a single domain forest)

If you look at this, there is no need to first transfer the FSMO roles to another DC just to carry out maintenance activities. It also depends on the FSMO role. The most used ones in your case will be the RID and the PDC FSMO. Only if you create more than 500 security principals (users, groups and computers) during the time that the DC with the RID FSMO is down will you experience a problem on the DC that is left. If you still have legacy clients and they want to change the password, that will not be possible. And if those clients have the DSClient installed, that will not be an issue either.

In short: leave as is. It will be OK for those 2 hours.

Cheers,
jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter
Sent: Tuesday, November 29, 2005 16:43
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FSMO role transfer

Hi guys,

We have two DC's, one which holds the Forest FSMO roles, the other which holds the domain FSMO roles. I plan to take each server down at different times so that one of the two servers can provide authentication etc. while the other gets maintained. Initially, I was planning on moving the FSMO roles to the other DC while maintenance work is carried out and transferring them back once it's online again. I would then do the same for the other DC.

I was then told that you don't need to move the FSMO roles when you perform maintenance on a DC holding the roles. Each server will be down for about 2hrs. Does anyone have advice for me? I would like to move the roles for peace of mind knowing they are available, but if I don't need to do that, I won't bother. Is there any recommended practice?

Amy
RE: [ActiveDir] Active Directory 3rd Book
Yes and yes.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, November 18, 2005 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

Is Robbie Allen still going to MIT for his Masters or is he back at Cisco?

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Friday, November 18, 2005 7:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

LOL. Umm no.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Friday, November 18, 2005 10:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

Who wants to hear Joe do a Cornet solo at DEC???!!!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, November 18, 2005 9:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

You will probably find me, if you can find me there, in the penny slots or on one of those darn Wheel of Fortune slot machines.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, November 16, 2005 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

I am hoping to bring a copy with me to Henderson, NV in March 2006 (DEC2006). Hopefully, the author will be there to sign it!

Mike Thommes

From: [EMAIL PROTECTED] on behalf of Medeiros, Jose
Sent: Wed 11/16/2005 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

Hey Joe,

If I buy it, will you autograph it? I already asked Robbie to present at our user group and do a book signing. Would you be interested as well?

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joe
Sent: Wednesday, November 16, 2005 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

Not available yet, it is Active Directory Third Edition, from O'Reilly publishing. As soon as Amazon has it available I will have a link to it from my website - http://www.joeware.net - and announce it in my blog http://blog.joeware.net. If you don't like purposely enflaming blog entries I recommend pointing the RSS feed at the tech specific links, though you still won't avoid them, just the non-technical ones. :o)

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Etts, Russell
Sent: Tuesday, November 15, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

I'm sorry for coming into this late - can you give me the exact name of the book so I can look for it??

Thanks
Russ

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, November 05, 2005 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory 3rd Book

Interesting, O'Reilly doesn't even have it listed yet. I just heard from O'Reilly that it is finally out of copy-edit.

On the co-author piece. Alistair wrote the initial edition, Robbie did the 2nd Edition update, I did the 3rd Edition update. You may want to ask the reviewers (they almost all read and respond heavily on this list) but I am quite sure there are sufficient updates to warrant someone who has the 2nd Edition getting the 3rd Edition. There should be a chapter that will be floating around for the book that you can look at; I requested that it be Chapter 11, which is the security chapter, as I spent considerable time reworking it.

If someone is familiar with an older edition they will almost certainly note the changes. I go into great detail on the evil that is SBS and why it shouldn't be used. Or did I??? Hmmm the SBS folks will just have to buy it to find out. ;o)

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Irwan Hadi
Sent: Tuesday, November 01, 2005 11:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory 3rd Book

The Active Directory 3rd Book with Joe as co-author seems it will be released somewhere in February 2006 based on http://www.bookpool.com/sm/0596101732 . (Bookpool is having a discounted O'Reilly book sale this month, and accepts pre-orders, though I do not have any relation with bookpool other than being a customer who is looking to buy a couple of books and noticed this book)
RE: [ActiveDir] Audit Collection Services
They certainly realize that small firms want those features, but they will leave it to the ISV community to satisfy the need, at least for now. There are at least a dozen third-party log collection products, probably more, some of them very inexpensive. Or there's MSFT's own free LogParser. ACS's primary advantage is its scalability, which is not generally an issue for small organizations.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, November 14, 2005 6:23 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Audit Collection Services

And hopefully Microsoft will realize that even small firm markets that they've traditionally never sold MOM to will possibly want audit collection features and thus have a MOM-lite edition.

Sincerely, the annoying SBSer with the toy server networks where we don't buy MOM for our networks where we barely have one server let alone 10.

Tomasz Onyszko wrote:
> Free, Bob wrote:
>> Well the other Eric F from MS has weighed in (! ~eric) Once again the landscape has changed. It is going to be part of MOM...after all.
>
> Yup, You should not expect the ACS as separated product. it will be shipped with a MOM in its next version.

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
RE: [ActiveDir] Directory Experts Conference 2006 call for presentations
The URL I provided is messed up... it's www.dec2006.com/callforpapers.cfm. I somehow managed to get a file:// inserted in the original link.

-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Tuesday, November 08, 2005 5:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Directory Experts Conference 2006 call for presentations

Greetings list-members

DEC 2006 is coming up in March, and I'd like to extend this invitation to you to submit a proposal for a presentation. For those who have not attended DEC before, it is a technology conference focused on MSFT Identity and Access technologies, including AD, ADFS, MIIS, InfoCard, and AZMAN. The typical attendee is an AD or MIIS architect or engineer, usually from a large enterprise deployment, with at least a couple of years of AD experience under their belt. We will also be hosting a "Masters Track" for AD, targeting the true AD gear-heads (think joe, Dean, and Guido, and you get the idea).

The conference is in Vegas March 26-29, and promises to be a lot of fun, with great sessions and speakers, and loads of networking opportunities.

Feel free to send your proposals to me, or submit them through the DEC web site, www.dec2006.com/callforpapers.cfm.

And remember, be excellent to each other, and party on, dudes.

-gil

Gil Kirkpatrick
CTO, NetPro

Don't miss the Directory Experts Conference 2006. More information at www.dec2006.com.
RE: [ActiveDir] Netlogon.dns (2)
Were the entries dropped off the end of the file, or were they missing from the middle? Any pattern to the entries that were missing?

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Tuesday, November 08, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Netlogon.dns (2)

Instead of hijacking another thread I'm going to start my own ;)

What I've seen recently and was pretty surprised by: A customer of mine had incomplete netlogon.dns files; they had some of the records which were supposed to be there but not all. On some DCs about 50% of the netlogon.dns was missing. Really bad about this is that tools like dcdiag only test the content of the netlogon.dns against the DNS service, and that the netlogon process does not check the content of the netlogon.dns without any changes unless the file is missing. So the customer had missing DNS information for ages and never noticed it - not everyone is digging around in DNS and knows what's supposed to be there ;)

DCs were W2k SP4. Anyone seen this before?

OK - I've already fixed it by renaming netlogon.dns and restarting netlogon, but I'm curious if anyone has ideas where this might come from and if anyone has seen it before.

Greetings - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
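The gap Ulf describes, that dcdiag only verifies the records that are in netlogon.dns rather than the records that should be there, can be closed with a small check of our own. As an added example (not Ulf's tool, not dcdiag, not anything from Microsoft), the Python below parses a netlogon.dns file in its zone-file format and compares the SRV record names present against a baseline set of domain- and site-scoped records a DC is expected to register, so a half-empty file is flagged even when every record it does contain resolves fine. The baseline is an assumed subset (GC, PDC and GUID-based records are deliberately left out), and the sample file content, domain, site and host names are all constructed.

```python
import re

# Constructed sample netlogon.dns content for one DC. The zone-file layout
# (name TTL IN type rdata) matches what netlogon writes; the names are made
# up. The _kpasswd and site-scoped records are left out on purpose to stand
# in for the "half the file is missing" case from the post.
SAMPLE_NETLOGON_DNS = """\
example.com. 600 IN A 192.0.2.10
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kerberos._udp.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 dc1.example.com.
"""

# One zone-file record: owner name, TTL, class IN, type, rdata.
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|SRV|CNAME)\s+(.+)$")


def expected_record_names(domain, site):
    """Baseline SRV owner names every DC registers for its own domain and site.

    Assumed subset: GC (_gc._tcp, gc._msdcs), PDC (pdc._msdcs) and the
    GUID-based domains._msdcs / CNAME records are intentionally not listed.
    """
    domain = domain.lower().rstrip(".")
    site = site.lower()
    return {
        "_ldap._tcp.%s." % domain,
        "_ldap._tcp.%s._sites.%s." % (site, domain),
        "_ldap._tcp.dc._msdcs.%s." % domain,
        "_ldap._tcp.%s._sites.dc._msdcs.%s." % (site, domain),
        "_kerberos._tcp.%s." % domain,
        "_kerberos._udp.%s." % domain,
        "_kerberos._tcp.dc._msdcs.%s." % domain,
        "_kerberos._tcp.%s._sites.%s." % (site, domain),
        "_kerberos._tcp.%s._sites.dc._msdcs.%s." % (site, domain),
        "_kpasswd._tcp.%s." % domain,
        "_kpasswd._udp.%s." % domain,
    }


def parse_netlogon_dns(text):
    """Return a list of (owner_name, type, rdata) tuples; owner names lowercased.

    Any non-empty, non-comment line that is not a record is an error rather
    than something to skip, because a corrupted file is exactly the case
    we want to notice.
    """
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError("line %d: not a zone-file record: %r" % (lineno, line))
        name, _ttl, rtype, rdata = m.groups()
        records.append((name.lower(), rtype, rdata))
    return records


def missing_records(text, domain, site):
    """Sorted baseline SRV names that the given netlogon.dns content lacks."""
    present = {name for name, rtype, _ in parse_netlogon_dns(text) if rtype == "SRV"}
    return sorted(expected_record_names(domain, site) - present)


if __name__ == "__main__":
    gaps = missing_records(SAMPLE_NETLOGON_DNS, "example.com", "Default-First-Site-Name")
    print("%d expected records missing from netlogon.dns:" % len(gaps))
    for name in gaps:
        print("  " + name)
```

Run it against a real file with `missing_records(open(path).read(), domain, site)` on each DC; anything reported is a record netlogon should have re-registered and dcdiag would never have asked about. Extending the baseline with the GC and PDC records for DCs that hold those roles is the obvious next step.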
[ActiveDir] Directory Experts Conference 2006 call for presentations
Greetings list-members

DEC 2006 is coming up in March, and I'd like to extend this invitation to you to submit a proposal for a presentation. For those who have not attended DEC before, it is a technology conference focused on MSFT Identity and Access technologies, including AD, ADFS, MIIS, InfoCard, and AZMAN. The typical attendee is an AD or MIIS architect or engineer, usually from a large enterprise deployment, with at least a couple of years of AD experience under their belt. We will also be hosting a Masters Track for AD, targeting the true AD gear-heads (think joe, Dean, and Guido, and you get the idea).

The conference is in Vegas March 26-29, and promises to be a lot of fun, with great sessions and speakers, and loads of networking opportunities.

Feel free to send your proposals to me, or submit them through the DEC web site, www.dec2006.com/callforpapers.cfm.

And remember, be excellent to each other, and party on, dudes.

-gil

Gil Kirkpatrick
CTO, NetPro

Don't miss the Directory Experts Conference 2006. More information at www.dec2006.com.
RE: [ActiveDir] Directory Experts Conference 2006 call for presentations
:)

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, November 08, 2005 5:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Directory Experts Conference 2006 call for presentations

The first two times, I read "DEC 2006 is coming up in March..." and I'm thinking WTF is this dude telling me December 2006 is coming up in March??

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: [ActiveDir] Global Catalog
Hi Ulf,

Nice to have met you too..

|Put your fingers on the table! Slap! ;-) [3]
|Yes - sorry - I'm German ;-)

It sounds more like you're a Catholic nun!

We're pretty much in agreement. The real answer (as it always seems to be) is to analyze the threats, assess the risks, and make the appropriate cost/benefit tradeoffs of risk vs. mitigation. Multiple forests increase costs but provide more isolation. Do the costs outweigh the benefits? It all depends on the particular organization.

BTW, I'm half German. My mother is from Berlin.

-g

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, October 17, 2005 11:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Global Catalog

Hi Gil,

(btw - was nice meeting you finally in person)

You're right, that might be a better wording. However I didn't mean that I do not agree that the forest is the security boundary; however I do not like people using that term without being more specific. This will lead customers who are not enough into details to deploy multiple forests in scenarios where multiple domains (if even that) would have been sufficient.

Keeping viruses, malware, and the regular "I'm admin - so let's surf the web" aside: companies who might trust their admins but have too many users to trust each of them might deploy multiple forests b/c they are afraid that users might try to (hack/)try to get into other domains. However, in a case like this it _might_ be overrated to deploy different forests, cause it's way harder for a regular user to get into another domain (and to valuable data there) than it is for an admin, the scenario is more difficult to administer (which might lead to loosened security and/or more admins you'll have to trust) and the physical security might not be in place to justify such a scenario (the users might still hop around in the same building without distinguished building security[1] or network boundaries[2]).

I do not think that all domain admin threats are in the non-malicious category, and I don't think that forests shouldn't be mentioned as security boundary; however I think if you do mention that, you also need to clarify against which threats you're deploying additional forests and what also needs to be applied in the company if you need that level of security for certain parts. In many cases a proper investment into security is better placed by drilling security into the heads of the admins (you're surfing the web as admin? Put your fingers on the table! Slap! ;-) [3] ) than deploying multiple forests without taking additional measures and wrongly believing it's buying you 100% security.

Ulf

[1] meaning that people having access to forest A only shouldn't have physical access to any machines in the office running in forest B and vice versa
[2] different wires, VLANs, or a generic network with people VPNing into their infrastructure. I don't trust our friends aka the unintentional fighters against security aka devs. There are somewhere passwords on the wire in almost every network, and this threat is dependent on your number of in-house developed apps IMHO.
[3] Yes - sorry - I'm German ;-)

|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
|Sent: Tuesday, October 18, 2005 1:56 AM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Global Catalog
|
|I think it is better to describe a domain as a policy and administration boundary (and a replication boundary), rather than a weak security boundary. It is more precise, and IMO, given the automatic domain trusts in a forest, there is not much of a security boundary between domains.
|
|And given the ease with which malware is distributed (through email and web pages for instance), the distinction between criminal and unintentional is thin, if not non-existent. People with criminal intent subvert administrative machines and accounts all the time. So even if you think your domain admin threats are all in the non-malicious category (not a smart way to think in any case), once the domain admin is exposed to some malware script, they've effectively taken on the criminal intent.
|
|-gil
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
|Sent: Monday, October 17, 2005 3:14 PM
|To: ActiveDir@mail.activedir.org
|Subject: RE: [ActiveDir] Global Catalog
|
||So why don't you agree with the general - forest is the security
||boundary - statement?
|
|Cause IMHO the domain is a security boundary against accidental security issues, the forest against malicious/criminal.
|
|Companies usually trust their admins of different domains but might want to protect them against accidental mistakes or gaining rights easily. A different domain would be sufficient then. However if you want to protect yourself against admins with criminal energy (and I
RE: [ActiveDir] slightly OT: MissionControl for MIIS
Hi David, The licensing scheme is per-production-MIIS-server-processor (like MIIS), plus a charge for each 5 management agents. Test servers, or processors not used by MIIS aren't counted. The rest of the questions I'll leave to others, as I suspect my opinions are biased :) You might get more feedback on MIIS-related topics from the MMSUG Yahoo group. -gil CTO, NetPro -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McClure David Sent: Monday, October 17, 2005 9:19 AM To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] slightly OT: MissionControl for MIIS Hi listers, I'm considering MIIS for a project haven't been able to find much non-MS information about MIIS out there on the web. Hoping for help from y'all. One of the minor knocks against MIIS seems to be a lack of mgmt/troubleshooting tools. Netpro claims to have filled this gap with MissionControl for MIIS. Does anyone have any experience with this tool that you'd be willing to share? I'm interested in high-level stuff at this point, such as: What's the licensing scheme? In your opinion, does MissionControl fulfill it's promises? What's your impression of ease of implementation, usability, overall bang-for-the-buck, etc? Thanks! --- This message and any included attachments are from Siemens Medical Solutions USA, Inc. and are intended only for the addressee(s). The information contained herein may include trade secrets or privileged or otherwise confidential information. Unauthorized review, forwarding, printing, copying, distributing, or using such information is strictly prohibited and may be unlawful. 
If you received this message in error, or have reason to believe you are not authorized to receive it, please promptly delete this message and notify the sender by e-mail with a copy to [EMAIL PROTECTED] Thank you
RE: [ActiveDir] Global Catalog
I think it is better to describe a domain as a policy and administration boundary (and a replication boundary), rather than a weak security boundary. It is more precise, and IMO, given the automatic domain trusts in a forest, there is not much of a security boundary between domains.

And given the ease with which malware is distributed (through email and web pages for instance), the distinction between criminal and unintentional is thin, if not non-existent. People with criminal intent subvert administrative machines and accounts all the time. So even if you think your domain admin threats are all in the non-malicious category (not a smart way to think in any case), once the domain admin is exposed to some malware script, they've effectively taken on the criminal intent.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, October 17, 2005 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Global Catalog

|So why don't you agree with the general - forest is the |security boundary - statement?

Cause IMHO the domain is a security boundary against accidental security issues, the forest against malicious/criminal.

Companies usually trust their admins of different domains but might want to protect them against accidental mistakes or gaining rights easily. A different domain would be sufficient then. However if you want to protect yourself against admins with criminal energy (and I consider manipulating SID-History on purpose as criminal energy) the forest is the security boundary.

So I agree a plain vanilla statement "the domain is the security boundary" is wrong; however I don't like the same plain vanilla statement of the forest. It should be more clearly pointed out if we are talking about criminal intentions or accidental intentions (which includes "let's try quickly if we are able to ..." - does not include hacking).
Ulf |-Original Message- |From: [EMAIL PROTECTED] |[mailto:[EMAIL PROTECTED] On Behalf Of |Almeida Pinto, Jorge de |Sent: Monday, October 17, 2005 11:59 PM |To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org |Subject: RE: [ActiveDir] Global Catalog | |Well, I call it that way because a user can authenticate with |only DCs from its domain available (assuming the requirement |for a GC is disabled) but cannot authenticate without a DC |from its domain while having a GC available. You are correct |that any GC in the forest may be used if the GC requirement is |enabled (by default) or even use the crappy universal group |caching feature. So you need a DC from your domain to |authenticate and that is why a domain is called the |authentication boundary (at least for me ;-) ) | |So why don't you agree with the general - forest is the |security boundary - statement? |Jorge | | | |From: [EMAIL PROTECTED] on behalf of Ulf B. |Simon-Weidner |Sent: Mon 10/17/2005 11:24 PM |To: ActiveDir@mail.activedir.org |Subject: RE: [ActiveDir] Global Catalog | | | |Hmm - I wouldn't 100% call the domain the authentication boundary. | |Authentication in a W2k+ Network without any mods not to rely |on the GC is done - as you said - via DC of the same domain |the account resides plus any GC of the forest - not |necessarily that a GC which resides in the same domain is |available but the logon will work. | |I also don't agree with the general 'Forest is the |security boundary'-statement. | |Ulf B. Simon-Weidner | ||-Original Message- ||From: [EMAIL PROTECTED] ||[mailto:[EMAIL PROTECTED] On Behalf Of |Almeida Pinto, ||Jorge de ||Sent: Monday, October 17, 2005 6:47 PM ||To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org ||Subject: RE: [ActiveDir] Global Catalog || ||Yes you are correct. The answer is No. A domain within a |forest is the ||authentication boundary.
So when all DCs of domain other.biz are ||unavailable the users from other.biz ||will not be able to log on as there is no DC available to |authenticate ||the user at logon and create the access token. ||During logon a GC is contacted to check if universal group |memberships ||exist for the user account logging on. || ||Jorge || || || ||From: [EMAIL PROTECTED] on behalf of Pete ||Sent: Mon 10/17/2005 5:57 PM ||To: ActiveDir@mail.activedir.org ||Subject: [ActiveDir] Global Catalog || || || ||Hi || ||Just a quick and easy question to the profs: || ||Can an AD domain controller of one domain (one.com) with the Global Catalog ||function enabled somehow process a logon request of a user from a different ||domain (other.biz), in case all domain controllers for |that other ||domain (other.biz) are not reachable? || ||I believe - no. ||Am I right? || ||Thanks, || ||Pete || || ||-- ||Free e-mail addresses provided by http://pasts.delfi.lv/
RE: [ActiveDir] Knowing when users were deleted.
<shameless plug>
NetPro's ChangeAuditor for AD does this without requiring auditing. The change log includes what was changed, before and after values, when, where, and by whom. See http://www.netpro.com/products/changemanager/
</shameless plug>

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Thursday, October 13, 2005 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Knowing when users were deleted.

Hi there, I wonder if there is a way to know when a user has been deleted from AD other than using security audit, because at the time of the deletion, I forgot to activate the audit :( So my boss urges me to find the guilty user AND the time of deletion. I looked for attributes in ADSI and found that there are the whencreated and whenmodified attributes but not a whendeletedtimestamp one. Any idea?

FREE audio calls anywhere in the world with the new Yahoo! Messenger. Download it here!
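One way to recover the deletion time after the fact, as an added example that is not from the thread or from either vendor's product: AD keeps a tombstone of a deleted object until the tombstone lifetime expires, and the replication metadata of its isDeleted attribute records when the delete originated and on which DC. The script assumes the ActiveDirectory PowerShell module (Get-ADReplicationAttributeMetadata needs the Windows Server 2012 or later module, and is assumed here to accept a tombstone passed via -Object); the account and DC names are placeholders.

```powershell
# Added example, not from the thread: find a tombstoned user and read the
# deletion time and originating DC from the replication metadata of its
# isDeleted attribute. Assumes the ActiveDirectory module (Windows Server
# 2012+ for Get-ADReplicationAttributeMetadata). Names are placeholders.
function Get-DeletedUserInfo {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,  # placeholder: the deleted account
        [Parameter(Mandatory)] [string] $Server           # placeholder: any reachable DC
    )

    Import-Module ActiveDirectory

    # Deleted objects live on as tombstones under CN=Deleted Objects until the
    # tombstone lifetime expires; normal searches hide them, so ask for them
    # explicitly. sAMAccountName, objectSid and lastKnownParent survive the
    # delete, which is what lets us match the account and see its old OU.
    $tombstones = Get-ADObject -Server $Server -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(objectClass=user)(sAMAccountName=$SamAccountName))" `
        -Properties sAMAccountName, objectSid, lastKnownParent, whenChanged

    if (-not $tombstones) {
        Write-Warning "No tombstone for '$SamAccountName' on $Server. Either it was never deleted, or the tombstone lifetime has passed and it was garbage-collected."
        return
    }

    foreach ($obj in $tombstones) {
        # isDeleted is stamped at delete time, so the originating-change
        # metadata of that attribute records when the delete happened (by the
        # originating DC's clock) and which DC took the request. That DC's
        # Security log is the only place the deleting principal is recorded,
        # and only if account-management auditing was enabled there.
        $meta = Get-ADReplicationAttributeMetadata -Object $obj -Server $Server `
            -Properties isDeleted

        [pscustomobject]@{
            SamAccountName  = $obj.sAMAccountName
            ObjectSid       = $obj.objectSid.Value
            LastKnownParent = $obj.lastKnownParent
            DeletedAt       = $meta.LastOriginatingChangeTime
            DeletedOnDC     = $meta.LastOriginatingChangeDirectoryServerIdentity
            WhenChanged     = $obj.whenChanged   # coarser fallback for the same event
        }
    }
}

# Placeholder values; replace with the real account and a reachable DC.
Get-DeletedUserInfo -SamAccountName 'jdoe' -Server 'DC1' | Format-List
```

This answers the "when" and "where" but not the "who": without auditing enabled on the originating DC at the time, the deleting account is not recorded anywhere in the directory itself.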
RE: [ActiveDir] Knowing when users were deleted.
I get to be Burt Reynolds! :)
-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, October 14, 2005 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Knowing when users were deleted.

Ok, now you've done it Gil :-) I guess this is the geek version of "dueling banjos" :-)

<shameless plug2>
Quest's InTrust for Active Directory provides detailed, real-time auditing and alerting of all changes to AD and Group Policy Objects (GPOs), including changes to AD configuration and GPO settings. It also provides all information behind important changes, including who made the change and the before and after values, all without requiring native auditing. http://wm.quest.com/products/InTrustAD/
</shameless plug2>
[ActiveDir] Results of survey - Most common cause of Active Directory failures?
Title: Most common cause of Active Directory "failures"?

Here's the summary of the results from last week's informal survey. By far the most popular cause of AD failure is the inadvertent misconfiguration of MSFT DNS, which is interesting, because that was true 2 years ago as well. I guess some things never change.

(45 pts) C. Inadvertent misconfiguration of MSFT DNS.
(30 pts) B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
(28 pts) A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)
(22 pts) G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
(15 pts) H. Physical disaster (fire, flood, power failure, etc)
(14 pts) F. Hardware failure of a DC
(12 pts) E. Inadvertent misconfiguration of networking devices
(4 pts) J. Malicious attack by a data admin
(2 pts) K. Malicious attack by an authenticated user

I ignored anything that was ranked lower than 5th...

Also interesting to note that the top three items are human error due to lack of knowledge or carelessness; the next three are physical failures nominally outside of human control. Is this because there are just too many knobs and switches on AD and DNS? A little surprising is that there were two votes for malicious attacks by an internal source.

Some of the other failure reasons cited (no overlap, so I must have listed all the important reasons...):
Incomplete load of an IPSec filter list
Impact of a 3rd party agent or application on a DC, e.g. antivirus software
Issues with FW config that hindered replication over tombstone lifetime (may belong to E)
Corrupt AD DC database / required metadata cleanup and repromotion of DC
Misconfiguration by a previous admin, and shutting down a DC without dcpromo, or cleaning up metadata afterwards.
Inadvertently double-clicking a vbscript when someone meant to right-click edit it :)

The two winners of the "nothing too fancy" prize are Hunter Coleman and Stuart Fuller (wait for applause to die down...). Please email your shipping particulars to me at mailto:[EMAIL PROTECTED], and I will get your gifts sent out ASAP.

I only received about 20 responses... I was expecting maybe 40 or 50. Any suggestions as to how to make this more effective? (I don't have any money to spend on this, so large cash-value prizes are right out :)

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, October 05, 2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Most common cause of Active Directory "failures"?

Greetings fellow travellers,

Here's a quick, informal, non-scientific survey. Please reply to me directly at mailto:[EMAIL PROTECTED] so we don't spam the list with responses. I've got some swell gifts to give away at random to a couple of lucky respondents (nothing too fancy). I'll post the summary in a few days.

Question: *In your experience*, which are the most common causes of Active Directory "failure" (where failure is defined as failure to authenticate, authorize, replicate, or apply GPOs as expected)? List as many as you care to, in order from most common to least common. Note that I am not considering the consequences of the failure, just how frequent they are. Just send me a response like B, A, F or some such, along with any commentary you might have.

A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)
B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
C. Inadvertent misconfiguration of MSFT DNS.
D. Inadvertent misconfiguration of non-MSFT DNS.
E. Inadvertent misconfiguration of networking devices
F. Hardware failure of a DC
G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
H. Physical disaster (fire, flood, power failure, etc)
I. Malicious attack by a service admin
J. Malicious attack by a data admin
K. Malicious attack by an authenticated user
L. Malicious attack by an unauthenticated user
M. Other (please specify)

Thanks for your feedback.

-gil
Gil Kirkpatrick
CTO, NetPro
Don't miss the Directory Experts Conference 2006. More information at www.dec2006.com.
RE: [ActiveDir] Results of survey - Most common cause of Active Directory failures?
the wrong registry setting, or making an inappropriate GPO change)
C. Inadvertent misconfiguration of MSFT DNS.
D. Inadvertent misconfiguration of non-MSFT DNS.
E. Inadvertent misconfiguration of networking devices
F. Hardware failure of a DC
G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
H. Physical disaster (fire, flood, power failure, etc)
I. Malicious attack by a service admin
J. Malicious attack by a data admin
K. Malicious attack by an authenticated user
L. Malicious attack by an unauthenticated user
M. Other (please specify)

Thanks for your feedback.

-gil
Gil Kirkpatrick
CTO, NetPro
Don't miss the Directory Experts Conference 2006. More information at www.dec2006.com.
RE: [ActiveDir] Results of survey - Most common cause of Active Directory failures?
Title: Most common cause of Active Directory "failures"?

We usually do a big "State of the AD World" survey at DEC, and certainly will again in Vegas (assuming there are some people left in the room who haven't already headed out to the casino. :) I needed some answers sooner than later for a whitepaper I was working on.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, October 10, 2005 1:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

Why not just ask the people at DEC - a captive audience of some of the most knowledgeable AD people anywhere. Or were you hoping for answers prior to then?

mc

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.
RE: [ActiveDir] Results of survey - Most common cause of Active Directory failures?
Interesting idea... what say you joe?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Monday, October 10, 2005 7:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

Start a blog? :) Since that takes some time to get traffic, perhaps joe would be willing to post your survey on his blog? I imagine he gets some good traffic to his blog.

Phil
RE: [ActiveDir] Adding custom fields to AD
Much of AD's heritage lies in the old Exchange directory, which was ESE-based.

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, October 08, 2005 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

One thing I am curious about though is why MS opted for JET as the DB of choice for AD.. was it the only viable option at the time ?

What do you feel is wrong with ESE (aka Jet Blue)?

What's the ceiling on actual database size before it caves in (performance-wise)?

Max size for an ESE DB for AD is ~16TB (8KB pages * 2147483646 max pages [1]). As for when it caves perf-wise from an AD standpoint, it really depends on what you are doing with it and what you have indexed, from what I have seen. If someone is issuing crappy inefficient queries it will seem to be pretty slow pretty fast with relatively little data. The largest DB I have seen in production has been ~20GB and that was with W2K on a GC, and a bunch of that data shouldn't have been in the AD, like duplicated ACEs and misc unneeded objects, etc. Going to K3 would probably reduce that DB to about 10-12GB or better due to single instance store; cleanup would reduce it even further. One Fortune 5 company I have worked with had a K3 GC DB in the area of 5GB and that was for some 250,000 users with Exchange and multiple custom attributes.

joe

[1] See the docs for JetCreateDatabase - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ese/ese/jetcreatedatabase.asp?frame=true

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Friday, October 07, 2005 9:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

That's a good point about plonking stuff in AD: a case of once a good thing comes along everyone wants to climb aboard.
I remember doing ZENworks stuff with Novell where all the application configuration information for software distribution was shunted into NDS/eDirectory... all that bloat adds up replication-wise (still, at least there was partitioning).

One thing I am curious about though is why MS opted for JET as the DB of choice for AD.. was it the only viable option at the time ? What's the ceiling on actual database size before it caves in (performance-wise)?

Mylo

joe wrote:

I am going to basically say what the others said, only I am going to put it this way: IF the data needs to be available at all locations or a majority of locations where your domain controllers are located, consider adding the data to AD. IF the data is going to be needed only at a couple of sites or a single site, put them into another store. My preference being AD/AM unless you need to do some complicated joins or queries of the data that LDAP doesn't support. There is also the possibility of using app partitions but if you were going to go that far, just use AD/AM.

The thing I have about sticking this data into AD is that AD is becoming, in many companies, a dumping ground of all the crap that was in all the other directories in the company. I realize this was the initial view from MS on how this should work but I worked in a large company and thought that was silly even then. The number one most important thing for AD is to authenticate Windows users. Every time you dump more crap into AD you are working towards impacting that capability or the capability to quickly restore or the ability to quickly add more DCs. The more I see the one-stop everything loaded into ADs the more I think that the NOS directory should be NOS only.

Plus, I wonder how long before we hit some interesting object size limits. I have asked for details from some MS folks a couple of times on the issues with admin limit exceeded errors that you get when overpopulating a normal multivalue attribute (i.e. not linked) and it causing no other attributes to be added to the object. I wonder what other limits like that exist.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, August 09, 2005 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding custom fields to AD

Group, My manager wanted me to check, even though I don't think that it is possible, but I will present the question. He would like to add some custom fields, about 30, to AD. He would like to add bio information into AD to be pulled by Sharepoint and other applications for people to read. I think that this is a waste of time, space and effort. However, it is not my call and if this is what he wants... What are everyone's thoughts on the topic? Thanks S

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Server Roles
As you mentioned, this topic has been debated frequently on this list. Running other services on a DC raises the hackles on the back of my neck, and I expect that most on the list will have similar reactions. And you've listed most of the reasons why the proposed deployment would be a bad idea.

But truthfully, the right answer has to be based on a proper risk assessment for your client's environment. I think in the past most people either a) never did a risk assessment, or b) didn't understand the risks with branch office DCs running multiple services. Consequently, most AD professionals now default to "it's pure insanity" when asked about this kind of deployment. The answer of course, as with most everything, is "it depends". Because every organization has different perceptions of and sensitivities to different kinds of threats (some organizations have a high tolerance for service failure, but a low tolerance for trade-secret theft, for instance), and because the threat profile is different for each organization (how protected are the remote DCs? How accessible is the network? How effective is patch deployment?), the only way to evaluate the proposed deployment is to do a proper risk analysis in the context of the organizational environment.

So if I were faced with this situation, I would recommend a threat assessment and risk analysis project to evaluate the risks associated with this sort of deployment. A good paper is Butler and Fishbeck's Multi-Attribute Risk Assessment, http://www.cs.cmu.edu/~Compose/paper_abstracts/butler-fishbeck-02.html, but your favorite CISSP text covers it as well. Because you understand the threats and risks in the proposed deployment, you can make sure that they are properly represented in the analysis, and the customer can weigh the (definite) costs of additional servers against the (potential) costs of a security failure.

That all being said, I think that running Exchange, SMS, or IIS on a DC is a Really Bad Idea (tm).

My $.25...
-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Thursday, October 06, 2005 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Server Roles

Hi All,

It's a well trodden path (in these forums anyway) that I'm about to discuss but I'd like to get our resident experts' 10 cents worth on a rather interesting issue I've run into..

I'm working at a client, reviewing an AD design, where 2 support providers are providing a migration path to an AD2003/Exchange 2003 solution (from NT4/Ex5.5). One of the providers is responsible for AD (desktop/SMS/File and Print) design and the other E-Mail design/deployment. This is a single forest/single domain solution where both have agreed to work in concert, together in the spirit of harmony and SLA's... There's a possibility that proxy tools may be used (e.g. Aelita/Quest type tooling) to 'limit' or delegate AD activities for each party, with these interfaces largely limited to managing AD delegation of OU/user/group/machine objects ... resource management (AV/Backup/SMS/DHCP/DNS/WINS etc) still requires native or 3rd party tooling.

The problem lies in the fact that the client (on the advice of the support provider) has opted for consolidating File and Print / SMS / AD roles onto a single server at sites of up to around 200 users. Above this size the solution scales out to multiple servers, but continues to adhere to the principle of dual role, namely placing File and Print together with domain controllers and/or SMS and IIS together with a domain controller. In the legacy solution these roles were separated onto different servers and the file and print locally managed (also meaning that there's an awful lot of crap that will be migrated into AD as a result of combining these roles into one box) ... The combined role approach was given the green light largely for (I believe) cost reasons, but I do have *ahem* a number of concerns with this approach.

Security =
- multiple roles on a single server and no-no's such as placing IIS and SMS on a DC
- it tends to look at security from a 'top down' perspective (i.e. it's a single AD provider therefore we're safe)... I don't think this flies simply because of the implications of using 3rd party s/w such as anti-virus and backup on dual-role servers where local admin rights are required, which equates to domain admin rights; providing a rather scary escalation path to being able to do anything to anybody in the domain.
- Scenarios where the AD provider outsources to another party (e.g. in smaller countries): if A (the client) trusts B (the support provider) who trusts C (outsourcee), should A trust C? ... I knew trusts would come in handy one day :-)

Stability =
- Print Services on domain controllers
- Migrating clutter off the legacy file and print into AD (10,000's local/global groups)
- If there's a mail server on-site with a combined server then e-Mail
[ActiveDir] Anyone ever run into this problem?
Title: Anyone ever run into this problem?

I haven't seen this myself, and I was curious if anyone else had. http://support.microsoft.com/default.aspx?scid=kb;en-us;898613

-gil
Gil Kirkpatrick
CTO, NetPro
Don't miss the Directory Experts Conference 2006. More information at www.dec2006.com.