Re: [ActiveDir] I'm Baaaaaaack!

2006-09-24 Thread Rick Kingslan

Good idea!  BTW, good job on the Cookbook with Robbie.  Top-notch, Laura.

Rick

From: Laura E. Hunter [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] I'm Baaack!
Date: Thu, 21 Sep 2006 16:25:10 -0400

Quick!  Hide the good silverware!

On 9/21/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:

Yikes! Is it Halloween yet?

Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


From: Rick Kingslan
Sent: Thu 9/21/2006 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] I'm Baaack!

Be afraid... Be very afraid!
:-)

Rick


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx




--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)







Re: [ActiveDir] ADFS and certs

2006-09-24 Thread Rick Kingslan

Joe, Tomasz -

Yep, you're right that it may tend to show a bad precedent for people to
follow.  I haven't taken a look at these particular labs (and having just
come back from a long hiatus, I didn't see the referenced lab) but is the
guidance there as to what Best or Preferred Practices SHOULD BE?

If not, I find that a bigger problem than the fact that self-certs are
being used at all.

Rick

From: Tomasz Onyszko [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADFS and certs
Date: Sun, 24 Sep 2006 21:21:53 +0200

Joe Kaplan wrote:

(...)
 I also think the ADFS step by step guide leads people down a dark
 path, in that all the demos are set up with selfssl and self-issued
 certs, which are ok for demos, but not cool for production (IMO)
(...)

Will jump in with a few words from myself again - I can agree with your point 
regarding the step by step in 100%. When I tried to set up my first ADFS lab 
I decided to use a Windows 2003 CA instead of self-issued certs, and for me 
it was a far more natural way to use ADFS than this not-realistic SelfSSL 
scenario, which may be confusing for users.  I've exchanged e-mail with 
people on an internal mailing list a few times about it, and one good piece of 
information is that this point was taken and the updated version of the step by 
step document for ADFS should be better on this.



--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)




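A check for the problem Joe and Tomasz describe (SelfSSL-style self-issued certificates left on a production ADFS server), added here as an example; it is not code from the thread or from Microsoft's ADFS guide. It assumes the server's HTTPS certificate lives in the machine Personal store, as it does for IIS-hosted services, and deliberately skips the Root store, where self-signed CA certificates are expected.

```powershell
# Added example, not from the thread: find self-signed server-authentication
# certificates in the local machine's Personal store, which is where an
# IIS-hosted service such as ADFS picks up its HTTPS certificate.
# Root CA certificates are self-signed by design, so Cert:\LocalMachine\Root
# is deliberately not inspected.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-ServerAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($eku in $ext.EnhancedKeyUsages) {
                if ($eku.Value -eq $serverAuthOid) { return $true }
            }
        }
    }
    return $false
}

$findings = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Issuer equal to Subject means no CA vouched for this certificate
    # (SelfSSL and similar demo tools produce exactly this shape).
    if ($cert.Subject -ne $cert.Issuer) { continue }
    if (-not (Test-ServerAuthEku $cert)) { continue }

    # Confirm with a chain build: a self-signed leaf that nobody has placed in
    # the Trusted Root store reports UntrustedRoot, which is what browsers and
    # federation partners would see as well.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject      = $cert.Subject
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        ChainTrusted = $trusted
        ChainStatus  = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

if ($findings) {
    Write-Warning 'Self-signed server-authentication certificates found in LocalMachine\My:'
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No self-signed server-authentication certificates in LocalMachine\My.'
}
```

A self-signed certificate that someone has also pushed into Trusted Root will build a trusted chain, so the Subject/Issuer match is the finding and ChainTrusted only tells you whether clients on this box would complain.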


[ActiveDir] I'm Baaaaaaack!

2006-09-21 Thread Rick Kingslan

Be afraid... Be very afraid!  :-)

Rick





RE: Re: [ActiveDir] icmp's

2006-01-02 Thread Rick Kingslan

Cool. Now I understand the rationale for what you were getting at.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

Rick came out of the woodwork and rambled:

Huh? Can you explain both statements, joe?

First statement being, I would rather not set domain policies in GPOs... I am
referring to actual domain policy, not a policy applied to all machines in the
domain. You know, the original meaning of domain policy. Pushing any policy to
domain controllers that has to do with configuration of AD is asinine in my
opinion, you already have a mechanism to push those changes through the
environment. You don't need to use another one. Also it is a point of confusion
for tons and tons of people. There should be a clear divisor between true
domain policy and a policy that gets applied to each individual machine.

Second statement being programmatically handling settings in policies... You
can't set GPO settings programmatically unless you reverse the format of the
policy information in sysvol. All you can do is
backup/restore/export/import/enable/disable. What if I want to take all
policies under the OU Buildings (which could be tens, hundreds, or thousands of
policy files) and set one setting, for the sake of argument say password policy
for local machines is equal to some set of values based on the specific OU
name that the policy is applied to (say it has finance in the name of the OU)
how will you do that programmatically without directly hacking the policy files
which last I heard wasn't supported?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, January 01, 2006 1:09 PM
To: [EMAIL PROTECTED]
Subject: RE: Re: [ActiveDir] icmp's

joe stood up and attempted to smack Mark Parris with a large trout, saying:

I would rather not set domain policy with GPOs. While I am at it, I think we
are far beyond the point that we should have the ability to programmatically
handle settings in policies.

Huh? Can you explain both statements, joe? I understand the context of the
first, but not why. The second - I just am not sure what you're getting at.
Help out an old haggard road warrior.

;o)

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

Come on, who ya going to believe? Microsoft who has all sorts of typos in the
documentation (I just saw a reference to objectcategory=user in an MS doc 2
days ago, I still have the bruise on my forehead) or our trusted source... Al?

:o)

Personally I like the old style logon scripts better than GPO logon scripts.
Way too many things impact GPO functions. I never found it difficult to write
logon scripts designed to work on specific users nor machines so didn't need
the sorting capability of GPOs. Overall I am ok-level happy with having a
default domain GPO and default dc GPO as the only GPOs. I would rather not set
domain policy with GPOs. While I am at it, I think we are far beyond the point
that we should have the ability to programmatically handle settings in
policies.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Sunday, January 01, 2006 9:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

This is from the Microsoft article "Enterprise logon scripts":

By default, logon scripts written as either .bat or .cmd files (so-called
legacy logon scripts) run in a visible command window; when executed, a command
window opens up on the screen. To prevent a user from closing the command window
(and thus terminating the script), you can enable the "Run legacy logon scripts
hidden" policy. This ensures that all legacy logon scripts run in a hidden
window.

Mark

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 01 January 2006 14:18
To: ActiveDir@mail.activedir.org
Subject: [Norton AntiSpam] Re: [ActiveDir] icmp's

I thought I read somewhere in some MS doc it being referred to as legacy since
now you can put multiple logon scripts in GPOs and that they recommend doing it
that way.

Every time a new OS or feature comes out, MS tends to refer to the previous
OS/feature as legacy or down-level.

Maybe I just made a silly assumption that using a logon script as a user
attribute (I guess somewhat similar to the way NT did it) instead of a GPO was
legacy.

Thanks

On 1/1/06, Al Mulnick [EMAIL PROTECTED] wrote:

I personally haven't heard it referred to as legacy. I think that may be
because it wasn't a legacy method when I last heard it ;)

I haven't tested this, so your mileage may vary but: the legacy method would
have been created and designed for a time before ICMP

RE: [ActiveDir] WinXP and Win2003

2006-01-02 Thread Rick Kingslan
My point exactly.  However, use of a separate hard drive in a system that is 
already running something else or 'separation technology' (not 100% sure what 
that is) usually means 'dual boot' to some degree.

And, I would really suggest that if you're not learning HOW to manage the BCD 
in Vista - it might be an idea.  Dual booting is a way to do this.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Sunday, January 01, 2006 2:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] WinXP and Win2003

~
Hehe….  Let me know how that full-out testing of Vista and Aero Glass
is going for you in a VPC or a VMWare virtual machine.
~

That's what dedicated systems are for.  :)

Sure, a VM is not the best option here, depending on what aspect of
the OS is being tested, but in that case, using a totally separate
hard drive or some other separation technology will still likely prove
to be more viable than dual-booting.

-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/



On 1/1/06, Rick Kingslan [EMAIL PROTECTED] wrote:

 Hehe….  Let me know how that full-out testing of Vista and Aero Glass is
 going for you in a VPC or a VMWare virtual machine.

 I agree, dual-booting is not the optimal method to running different OS's,
 but if you want the OS to have the full machine, rather than the limited
 virtualized hardware that the VMs are allowed – I think dual booting still
 has a very strong place in the testing / learning environment.

 And, make no mistake – this is coming from a guy that when on the road, has
 a 250GB external with nothing BUT VMs with VPC and VS 2005 R2 on his laptop.
  I love virtualization….  It's just not the right thing for all situations.

 Rick

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Sunday, January 01, 2006 10:40 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] WinXP and Win2003

 I have no clue why it wouldn't allow you to have different names for the OS
 and then both can be joined at the same time, I have done this often. You
 did use different directories for the installations right?

 Any more dual booting is going the way of the dodo, the new thing is to use
 virtualization software so you have both instances up and running at once.
 Look at Virtual PC or VMWare Workstation.

 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
 Sent: Sunday, January 01, 2006 6:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] WinXP and Win2003

 Hi list,

 I have Windows XP SP2 on my machine. I need to test something so I
 installed Windows 2003 Server Enterprise Edition R2 on the same machine, same
 hard disk. I can see the dual boot screen and choose the OS, but I can only
 login to the domain if one of the OS's is disconnected from the domain,
 meaning if I want to login to Windows 2003 I have to go to Windows XP and
 disjoin the machine from the domain, then restart and login to the domain in
 Windows 2003; if I want to login to WinXP I go to Windows 2003 and disjoin it
 from the domain, then restart and join the XP to the domain and login.
 Locally I can login to both machines no problem. The error is that the
 computer account is not found on the domain when I try to login and both
 OSes are joined to the domain. I tried to rename the machine name to
 different names in each OS but the same thing happens. Is there a way to do
 that? (login to domain using both OS's without having to disjoin?)

 Thank you

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] WinXP and Win2003

2006-01-02 Thread Rick Kingslan

If you want to test 64 bit you are kind of screwed too, oh wait vmware
workstation does that as well...

Just don't like VPC, do you? :o) What about USB are you looking for? What does
VMWare do with USB that is this vital? I doubt it's the USB coffee warmer.

As to the 64-bit support, I guess that would concern me if my laptop had an x64
chip. But, then I could use VS 2005 R2.

But, I'm not going to argue the virtues of VMWare vs. VPC. I use VPC because
it's what 100% of the material that I get from internal is supplied on. And, I
get about 100 or so DVDs with all types of imaginable configurations. I'm glad
that you've got the time to put together all of these disks, joe. I wish I had
that kind of time.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

I am not a big workstation OS type of person, I use XP only when I must.
Longhorn seems to work ok in a VM.

I do agree that it isn't the right thing for all situations, but half the
people setting up dual booting blow it anyway. VM is a much simpler solution
for most people. Obviously if you are doing perf or physical hardware related
testing it is tough. Heck even if you want USB you can't use VPC, you use
vmware instead. If you want to test 64 bit you are kind of screwed too, oh wait
vmware workstation does that as well...



RE: [ActiveDir] WinXP and Win2003

2006-01-02 Thread Rick Kingslan

One question - is all of your validation testing done on VMs or is the final
sign off done on production deployable hardware?

I'm a big advocate of VM testing, just to set the record straight.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Sunday, January 01, 2006 2:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

I would have to agree ;-) At work I run completely on VMs using ESX. All my
testing is done on a Dell PE1800 with about 8 VMs including AD, Exchange
(clustered), SQL, etc.

For those looking to do simple testing of apps check out VM Player
http://www.vmware.com/vmplayer

You can't create VMs but you can run any pre-built VM, including MS VPC VMs.


RE: [ActiveDir] OT: Request for Test AD Population Data

2006-01-02 Thread Rick Kingslan
Tomasz, I think that Mark is looking to populate his metabase with data
other than User 1, User 2, User 3, etc. with simple or blank attributes.
So, he's looking for stuff like Homer Simpson, with all of the user data,
then Marge, etc.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Monday, January 02, 2006 2:52 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Request for Test AD Population Data

Mark Parris wrote:
 Happy New Year to all.
 
 Does anyone know where I can obtain generic user data for importing into
 various AD's. I am starting to improve my knowledge on the concept of Meta
 directories and I want a little bit more information in the user fields
 than User1, 2, 3 etc etc.

This is how to turn the topic back onto the track :)
What do you mean by generic user data? I don't think there is 
something like this.

-- 
Tomasz Onyszko
http://www.w2k.pl

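One way to produce the kind of populated test data Mark is after (Rick's Homer-and-Marge idea carried through), added here as an example rather than anything posted in the thread. The people, departments, the OU and the DC=example,DC=test suffix are all constructed values; the output is LDIF that the built-in ldifde tool imports, and the accounts are written disabled so the lab import cannot create usable logons by accident.

```powershell
# Added example, not from the thread: emit an LDIF file of synthetic, clearly
# fictional user accounts for populating a lab or metadirectory test AD.
# The target OU must already exist; adjust $DnSuffix/$UserOu for the lab forest.

function New-LabUserLdif {
    param(
        [string] $DnSuffix  = 'DC=example,DC=test',
        [string] $UserOu    = 'OU=Lab Users',
        [string] $UpnSuffix = 'example.test'
    )

    # Constructed sample people: realistic-looking attribute values, no real persons.
    $people = @(
        @{ Given = 'Homer';  Sur = 'Simpson'; Dept = 'Safety';   Title = 'Inspector';  City = 'Springfield' },
        @{ Given = 'Marge';  Sur = 'Simpson'; Dept = 'Finance';  Title = 'Analyst';    City = 'Springfield' },
        @{ Given = 'Maggie'; Sur = 'Simpson'; Dept = 'Research'; Title = 'Intern';     City = 'Springfield' },
        @{ Given = 'Carl';   Sur = 'Carlson'; Dept = 'Safety';   Title = 'Supervisor'; City = 'Springfield' },
        @{ Given = 'Lenny';  Sur = 'Leonard'; Dept = 'Finance';  Title = 'Controller'; City = 'Capital City' }
    )

    $used = @{}
    $entries = foreach ($p in $people) {
        # sAMAccountName: first initial + surname, lower-case; a numeric suffix
        # keeps it unique when two people collide (Marge/Maggie Simpson here).
        $base = ('{0}{1}' -f $p.Given.Substring(0, 1), $p.Sur).ToLower()
        $sam = $base
        $n = 1
        while ($used.ContainsKey($sam)) { $n++; $sam = "$base$n" }
        $used[$sam] = $true

        $cn = "$($p.Given) $($p.Sur)"
        # userAccountControl 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE: the objects
        # import without a password and stay unusable until someone enables them.
        @(
            "dn: CN=$cn,$UserOu,$DnSuffix",
            'changetype: add',
            'objectClass: user',
            "cn: $cn",
            "sAMAccountName: $sam",
            "userPrincipalName: $sam@$UpnSuffix",
            "givenName: $($p.Given)",
            "sn: $($p.Sur)",
            "displayName: $cn",
            "department: $($p.Dept)",
            "title: $($p.Title)",
            "l: $($p.City)",
            "mail: $sam@$UpnSuffix",
            'userAccountControl: 514',
            ''
        ) -join "`n"
    }
    return ($entries -join "`n")
}

# Write the file, then import it on a lab DC with the built-in tool:
#   ldifde -i -f labusers.ldf -k
New-LabUserLdif | Set-Content -Path labusers.ldf -Encoding ASCII
```

Extend $people (or generate it from name pools) to get the hundreds of entries a metadirectory test usually needs; the uniqueness loop and the disabled-account default carry over unchanged.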


RE: [ActiveDir] WinXP and Win2003

2006-01-02 Thread Rick Kingslan

Funny. I was more discussing the direction that the overall thread had taken.
Since this no longer is along the lines of what the poster was looking for
(hopefully, Al - you can be the post police to make sure that nothing goes
off-topic or askew any longer. Me, I'm done with Active-Dir) I'm not going to
respond in kind.

Cheers.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, January 02, 2006 1:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] WinXP and Win2003

Hey Rick, can you differentiate for us what the difference would be between
'production deployable' configurations and those that aren't related to virtual
machines? Maybe in two sentences or less with hyperlinks?

Having used both ESX, and VS 2005 I can honestly say there is at least one
difference maybe more often related to performance; that's not by accident
either. I would in no way advocate running Mac-on-IntVista in a VM, but then
again I wouldn't advocate running Vista at all and especially not on a 32bit
platform at this time.

I think the original poster's configuration is possible and has some benefits,
especially since it sounded like the original poster wants to keep a job.
Hopefully she realizes where the error was and is busily fixing it and using
the corrected configuration. I think the answer is somewhere in the 30+ posts,
but I'm curious about the VM comments you made and I'm hoping to learn
something here.

Cheers,

Al


RE: [ActiveDir] WinXP and Win2003

2006-01-02 Thread Rick Kingslan

Duly corrected. Thanks.

Cheers.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, January 02, 2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

Just to be clear, VS2005R2 does not support 64-bit guests.


RE: [ActiveDir] icmp's

2006-01-01 Thread Rick Kingslan








The real benefit to the GPO method is that you can target scripts to the same
_groups_ in which the GPO would affect - and you can target Computer groups,
which you can't do (for obvious reasons) with logon scripts. This lends itself
to some very elegant solutions that I'm sure one could do with some fancy
environment or user/computer-based variables or attribute checking. Of course,
it begs the obvious question - Why?

If it means developing a whole manner and method to get variables and/or
attributes identified and called, when you only would need to use GPO-based
scripts, I think the answer becomes self-evident.

As to being called "Legacy", which seems to be the real problem here, it's
simply verbiage that I don't think I'd get my panties in a bunch over. The
user-focused versus the GPO-focused scripts are going to be around as far out
as I can see (and, that's really not THAT far, to be honest).

Cheers!

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Sunday, January 01, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

I thought I read somewhere in some MS doc it being referred to as "legacy"
since now you can put multiple logon scripts in GPO's and that they recommend
doing it that way.

Every time a new OS or feature comes out, MS tends to refer to the previous
OS/feature as "legacy" or "down-level".

Maybe I just made a silly assumption that using a logon script as a user
attribute (I guess somewhat similar to the way NT did it) instead of a GPO was
legacy.

Thanks

On 1/1/06, Al Mulnick [EMAIL PROTECTED] wrote:

I personally haven't heard it referred to as legacy. I think that may be
because it wasn't a legacy method when I last heard it ;)

I haven't tested this, so your mileage may vary but: the legacy method would
have been created and designed for a time before ICMP was the norm. As such, I
wouldn't expect that to break if ICMP was disabled. Several things will break,
but I don't believe that's one of them.

Test it. You'll know for sure then, right? Besides, I don't imagine a lot of
networks out there are configured with ICMP disabled like that.

Al

On 12/31/05, Tom Kern [EMAIL PROTECTED] wrote:

That's it.

Isn't that the way it's referred to in MS-speak?

I hope I didn't just make that up...

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:

Presumably setting the scriptPath attribute on accounts...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Fri 12/30/2005 8:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

When you say legacy way, what does that mean exactly?

On 12/30/05, Tom Kern [EMAIL PROTECTED] wrote:

 Would this also affect clients from getting logon scripts?
 And when I say logon scripts, I mean the legacy way of distributing them,
 NOT thru GPO's.

 Thanks again

 On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:

You need to enable ICMP echo source clients dest DCs, and ICMP echo-reply
source DCs dest clients.

The rules look something like this:

access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers echo

access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any echo-reply

Have your network people considered rate-limiting ICMP packets rather than
shutting them down altogether? IMHO that's the correct way to handle this.
Ping (echo, echo-reply) and traceroute (traceroute, time-exceeded) are
necessary pieces of a network.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Fri 12/30/2005 9:25 AM
To: activedirectory
Subject: [ActiveDir] icmp's

What effect would blocking ICMP packets on all VLANs have on Win2k/XP client
logons in a Win2k forest?

Any?

I know clients ping DCs to see which responds first and later ping DCs to
determine round trip time for GPO processing, but would blocking ICMP have any
adverse effects on clients?

I only ask because my corp blocks ICMP on all our VLANs and I get a lot of
event ID 1000 from Userenv with error code of 59, which, when I looked it up,
refers to network connectivity issues. I think this event ID is related to the
fact we block ICMP packets and I was wondering if that's something I should
worry about in a Win2k network.

Thanks

RE: [ActiveDir] WinXP and Win2003

2006-01-01 Thread Rick Kingslan

Hehe. Let me know how that full-out testing of Vista and Aero Glass is going
for you in a VPC or a VMWare virtual machine.

I agree, dual-booting is not the optimal method of running different OSs, but
if you want the OS to have the full machine, rather than the limited
virtualized hardware that the VMs are allowed - I think dual booting still has
a very strong place in the testing / learning environment.

And, make no mistake - this is coming from a guy that when on the road, has a
250GB external with nothing BUT VMs with VPC and VS 2005 R2 on his laptop. I
love virtualization. It's just not the right thing for all situations.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

I have no clue why it wouldn't allow you to have different names for the OS
and then both can be joined at the same time, I have done this often. You did
use different directories for the installations, right?

Anymore, dual booting is going the way of the dodo; the new thing is to use
virtualization software so you have both instances up and running at once.
Look at Virtual PC or VMWare Workstation.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Sunday, January 01, 2006 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WinXP and Win2003

Hi list,

I have Windows XP SP2 on my machine. I need to test something, so I installed
Windows 2003 Server Enterprise Edition R2 on the same machine, same hard disk.
I can see the dual boot screen and choose the OS, but I can only login to the
domain if one of the OS's is disconnected from the domain, meaning if I want
to login to the Windows 2003 I have to go to the Windows XP and disjoin the
machine from the domain, then restart and login to the domain in Windows
2003; if I want to login to WinXP I go to Windows 2003 and disjoin it from the
domain, then restart and join the XP to the domain and login. Locally I can
login to both machines no problem. The error is that the computer account is
not found on the domain when I try to login and both OSes are joined to the
domain. I tried to rename the machine name to different names in each OS but
the same thing happens. Is there a way to do that? (Login to the domain using
both OS's without having to disjoin?)

Thank you


RE: Re: [ActiveDir] icmp's

2006-01-01 Thread Rick Kingslan

joe stood up and attempted to smack Mark Parris with a large trout, saying:

"I would rather not set domain policy with GPOs. While I am at it, I think we
are far beyond the point that we should have the ability to programmatically
handle settings in policies."

Huh? Can you explain both statements, joe? I understand the context of the
first, but not why. The second - I just am not sure what you're getting at.
Help out an old haggard road warrior.

;o)

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

Come on, who ya going to believe? Microsoft, who has all sorts of typos in the
documentation (I just saw a reference to objectcategory=user in an MS doc 2
days ago, I still have the bruise on my forehead), or our trusted source...
Al?

:o)

Personally I like the old style logon scripts better than GPO logon scripts.
Way too many things impact GPO functions. I never found it difficult to write
logon scripts designed to work on specific users nor machines so didn't need
the sorting capability of GPOs. Overall I am ok level happy with having a
default domain GPO and default DC GPO as the only GPOs. I would rather not set
domain policy with GPOs. While I am at it, I think we are far beyond the point
that we should have the ability to programmatically handle settings in
policies.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Sunday, January 01, 2006 9:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

This is from the Microsoft article "Enterprise logon scripts":

By default, logon scripts written as either .bat or .cmd files (so-called
"legacy" logon scripts) run in a visible command window; when executed, a
command window opens up on the screen. To prevent a user from closing the
command window (and thus terminating the script), you can enable the 'Run
legacy logon scripts hidden' policy. This ensures that all legacy logon
scripts run in a hidden window.

Mark

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 01 January 2006 14:18
To: ActiveDir@mail.activedir.org
Subject: [Norton AntiSpam] Re: [ActiveDir] icmp's

I thought I read somewhere in some MS doc it being referred to as "legacy"
since now you can put multiple logon scripts in GPO's and that they recommend
doing it that way.

Every time a new OS or feature comes out, MS tends to refer to the previous
OS/feature as "legacy" or "down-level".

Maybe I just made a silly assumption that using a logon script as a user
attribute (I guess somewhat similar to the way NT did it) instead of a GPO was
legacy.

Thanks

On 1/1/06, Al Mulnick [EMAIL PROTECTED] wrote:

I personally haven't heard it referred to as legacy. I think that may be
because it wasn't a legacy method when I last heard it ;)

I haven't tested this, so your mileage may vary but: the legacy method would
have been created and designed for a time before ICMP was the norm. As such, I
wouldn't expect that to break if ICMP was disabled. Several things will break,
but I don't believe that's one of them.

Test it. You'll know for sure then, right? Besides, I don't imagine a lot of
networks out there are configured with ICMP disabled like that.

Al

On 12/31/05, Tom Kern [EMAIL PROTECTED] wrote:

That's it.

Isn't that the way it's referred to in MS-speak?

I hope I didn't just make that up...

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:

Presumably setting the scriptPath attribute on accounts...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Fri 12/30/2005 8:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

When you say legacy way, what does that mean exactly?

On 12/30/05, Tom Kern [EMAIL PROTECTED] wrote:

 Would this also affect clients from getting logon scripts?
 And when I say logon scripts, I mean the legacy way of distributing them,
 NOT thru GPO's.

 Thanks again

 On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:

You need to enable ICMP echo source clients dest DCs, and ICMP echo-reply
source DCs dest clients.

The rules look something like this:

access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers echo

access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any echo-reply

Have your network people considered rate-limiting ICMP packets rather than
shutting them down altogether? IMHO that's the correct way to handle this.
Ping (echo, echo-reply) and traceroute (traceroute, time-exceeded) are
necessary pieces of a network.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL 

RE: [ActiveDir] WinXP and Win2003

2006-01-01 Thread Rick Kingslan
Re: My message to joe.  Maybe 50% of the time - I'd agree.  However, if you
want to test that snazzy new Fibre HBA or would like to see what the impact
for the user is going to be with CAD with the newest High End InterGraph
workstation video card - VMs aren't going to work.

The hardware selection in VMs is intended to be generic.  Which for testing
or learning BizTalk and SQL interaction with ADAM and ADFS - it rocks
because the hardware doesn't matter.

Again - be sure of this - I love VMs.  I just can't test Vista on it because
Aero Glass is the target, and I can't quite put an LDDM driver on the
generic graphics coded in, for example.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Sunday, January 01, 2006 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] WinXP and Win2003

Did you originally use different names, or the same name for each computer?

And I agree with Joe:   Dual-booting is becoming obsolete.

http://www.ultratech-llc.com/KB/?File=BootMgr.TXT



-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On 1/1/06, shereen naser [EMAIL PROTECTED] wrote:
 Hi list,
 I have windows xp sp 2 on my machine, I need to test something so I
 installed windows 2003 server enterprise edition R2 on the same machine
same
 hard disk, I can see the dual boot screen and choose the OS, but I can
only
 login to the domain if one of the OS's is disconnected from the domain,
 meaning if I want to login to the windows 2003 I have to go to the windows
 xp and disjoin the machine from the domain then restart and login to the
 domain in windows 2003, if I want to login to winxp I go to windows 2003
and
 disjoin it from the domain then restart and join the xp to the domain and
 login, locally I can login to both machines no problem. the error is that
 the computer account is not found on the domain when I try to login and
both
 OSes are joined to the domain. I tried to rename the machine name to
 different names in each OS but same thing happens. is there a way to do
 that? (login to domain using both OS's without having to disjoin?)
 Thank you
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] icmp's

2006-01-01 Thread Rick Kingslan

Note Exchange doesn't take kindly to ICMP echo being disabled either. If
Exchange can't ping a DC, DSACCESS does not see that DC unless you have
specially configured it.

Which, I always thought was a pretty funny way of doing things anyway. As you
are well aware, Ping doesn't mean "alive and healthy". I know of many people
who have spent hours to days troubleshooting a problem just to find that the
machine that they first suspected as being the problem pinged just fine.
Sadly, it was dead from the neck up and ports 389 and 3268 were non-responsive
(along with all of the other really important stuff).

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's

I would agree, the old style logon scripts should be fine, UNLESS you have
implemented your own speed sensing based on ICMP in the logon script (many of
us did that long before MS did it for those who didn't figure it out).

Note Exchange doesn't take kindly to ICMP echo being disabled either. If
Exchange can't ping a DC, DSACCESS does not see that DC unless you have
specially configured it. If you never want to fail outside of a segment then
that is the way to do it, but most people would rather fail over to any DC
versus say, nah, those are too far away even though none of my local DCs are
available if things go pear shaped.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 01, 2006 9:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

I personally haven't heard it referred to as legacy. I think that may be
because it wasn't a legacy method when I last heard it ;)

I haven't tested this, so your mileage may vary but: the legacy method would
have been created and designed for a time before ICMP was the norm. As such, I
wouldn't expect that to break if ICMP was disabled. Several things will break,
but I don't believe that's one of them.

Test it. You'll know for sure then, right? Besides, I don't imagine a lot of
networks out there are configured with ICMP disabled like that.

Al

On 12/31/05, Tom Kern [EMAIL PROTECTED] wrote:

That's it.

Isn't that the way it's referred to in MS-speak?

I hope I didn't just make that up...

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:

Presumably setting the scriptPath attribute on accounts...

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Fri 12/30/2005 8:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

When you say legacy way, what does that mean exactly?

On 12/30/05, Tom Kern [EMAIL PROTECTED] wrote:

 Would this also affect clients from getting logon scripts?
 And when I say logon scripts, I mean the legacy way of distributing them,
 NOT thru GPO's.

 Thanks again

 On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:

You need to enable ICMP echo source clients dest DCs, and ICMP echo-reply
source DCs dest clients.

The rules look something like this:

access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers echo

access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any echo-reply

Have your network people considered rate-limiting ICMP packets rather than
shutting them down altogether? IMHO that's the correct way to handle this.
Ping (echo, echo-reply) and traceroute (traceroute, time-exceeded) are
necessary pieces of a network.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Fri 12/30/2005 9:25 AM
To: activedirectory
Subject: [ActiveDir] icmp's

What effect would blocking ICMP packets on all VLANs have on Win2k/XP client
logons in a Win2k forest?

Any?

I know clients ping DCs to see which responds first and later ping DCs to
determine round trip time for GPO processing, but would blocking ICMP have any
adverse effects on clients?

I only ask because my corp blocks ICMP on all our VLANs and I get a lot of
event ID 1000 from Userenv with error code of 59, which, when I looked it up,
refers to network connectivity issues. I think this event ID is related to the
fact we block ICMP packets and I was wondering if that's something I should
worry about in a Win2k network.

Thanks
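
Rick's point above (a DC that answers ping but is dead on 389 and 3268) and Tom's original question both come down to checking the services a client actually uses rather than ICMP. The following is an added example for this thread, not code from the list or from Microsoft; it uses only the Python standard library, probes the LDAP and Global Catalog TCP ports named in the thread, and stands in a constructed loopback listener for a DC so it runs offline.

```python
import socket
import threading

# The ports Rick names as the ones that actually matter on a DC:
# LDAP (389) and the Global Catalog (3268). An ICMP echo proves neither.
DC_PORTS = {"ldap": 389, "gc": 3268}


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc(host, ports=DC_PORTS, timeout=2.0):
    """Probe each named service on a DC over TCP.

    Returns {service: bool, ..., "healthy": bool}; "healthy" is True only when
    every listed port accepts a connection. A box that answers ping but fails
    here is the "dead from the neck up" case from the thread.
    """
    results = {name: tcp_port_open(host, port, timeout) for name, port in ports.items()}
    results["healthy"] = all(results[name] for name in ports)
    return results


def start_fake_listener():
    """Constructed stand-in for a live LDAP/GC service: a loopback TCP listener
    that accepts and immediately closes connections. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return

    threading.Thread(target=serve, daemon=True).start()
    return port


def dead_port():
    """A loopback port with nothing listening (stand-in for a hung service).
    The socket is bound and then closed, so a connect attempt is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo(gc_up=False):
    """Simulate a DC whose host answers on LDAP but (by default) not on the GC
    port, and return check_dc's verdict for it."""
    ports = {"ldap": start_fake_listener(),
             "gc": start_fake_listener() if gc_up else dead_port()}
    return check_dc("127.0.0.1", ports, timeout=1.0)


if __name__ == "__main__":
    for gc_up in (False, True):
        print("GC up" if gc_up else "GC down", "->", demo(gc_up))
```

Against a real DC you would call check_dc("dc01.example.com") (a placeholder name) and alert on healthy=False regardless of whether the host pings.
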

RE: [ActiveDir] Domain case

2005-12-08 Thread Rick Kingslan



Correct. Devon, as much pain as there is in the process, AS I UNDERSTAND IT
(I do not speak for PSS) the Domain Rename process is the only supported
method of doing what you want to do.

Jorge's lab experiment does indicate that you might be able to do it along his
described way, but you need to be cautious when doing anything that is outside
the supported methods. Though you might not be denied assistance, if the
method chosen outside of the supported method proved to be a contributor to a
problem some days, months, years down the road - PSS may defer the issue. As
it is termed (which some hate the wording) 'best effort' support may be all
that would be offered.

And, if you have Exchange in the environment - it greatly complicates any of
these, though the rename is still the safest route.

Me - I'd deal with the letter case and move on in life. There are so many
other things that cause pain that a domain rename is not worth seeing all
lower case in a dialog box.

But, that's me - YMMV.

Rick

--Posting is provided "AS IS", and confers no rights or warranties ...


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, December 08, 2005 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain case

This is the only thing I would be willing to point at

http://www.microsoft.com/technet/downloads/winsrvr/domainrename.mspx


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, December 08, 2005 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain case


So you know exactly how I feel Joe. I really, really, really would like to fix
this. Joe can you dig up the doc on how to do this?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, December 08, 2005 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain case

I went through this decision tree a long time ago, when I was upgrading a
company from NT to 2K and went to Europe. I let the European admin enter the
name of the domain, I didn't catch the upper case on the domain name EU1 until
afterward... It bothered the heck out of me, I worked out how to change it but
never had the courage to actually do it.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 08, 2005 11:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain case

Agree completely.

I also assumed that the name appeared 'wrongly' to users, as well as in ADDT.
[hence domain rename]

If the only requirement is to change the name in ADDT then benefit versus pain
is really skewed towards pain :)

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 08 December 2005 15:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain case

IMHO, a domain rename would be needed if the NetBIOS and/or DNS domain name
needed to change. (different structure)

Just for changing the case in ADDT a domain rename is not needed. Just did it
in my test environment by changing the case of the value of the attribute
"dnsRoot" of the object "CN=Domain Name,CN=Partitions,CN=Configuration,DC=Domain Name,DC=tld"

The case in ADDT also changed. However, although I have shown it here I DO NOT
RECOMMEND IT! (as I do not know what the consequences are of doing it!)

It may look better, but WHO CARES? I would leave it as is. A small mistake and
you could be in deep sh*t.

If it works, don't break it!

Cheers,

Jorge


From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 12/8/2005 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain case

I suspect a domain rename is your only option and I would doubt that the
benefit outweighs the pain in this scenario.

What is the (perceived) issue with the case?

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: 08 December 2005 14:08
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain case

Is there any way to change the case of a child domain in AD from all
upper-case to all lower-case? Example, when I look in Active Directory Domains
& Trusts, I have this:

- domain.com
  + child1.domain.com
  + child2.domain.com
  + CHILD3.DOMAIN.COM
  + child4.domain.com

I want to change CHILD3.DOMAIN.COM to child3.domain.com. This also exists when
I try to browse the domain tree in ADUC.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469


RE: [ActiveDir] DMZ domains and IPSec - looking for explanation re resource access and authentication

2005-12-08 Thread Rick Kingslan



 I haven't perused the OS source code

Right. Rub it in, bud.

;o)

Rick

--Posting is provided "AS IS", and confers no rights or warranties ...


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, December 08, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DMZ domains and IPSec - looking for explanation re resource access and authentication

I haven't perused the OS source code for this but from my experience this is
how it works...

In order for the member server to resolve a name to a SID, it needs to be able
to connect to a domain controller of the domain specified. If it can't reach
the domain controller, it can't convert the name to a SID.

The SID to name conversion on the other hand is handled differently. The
machine tries to handle it locally and if it isn't a local SID it passes it up
to the DC that authenticated the computer (i.e. the DMZ DC) and lets it try to
resolve it; that machine will look at its local SIDs (objectsid/sidhistory)
and then if it doesn't find it there will start chasing through the trusts.

I have never tested that specific scenario but you should be able to add an
internal domain secprin to the DMZ member server without working from the DC.
It would require a tool that knows how to specify the server to use for the
name to SID resolution. Let me think if such a tool exists... oh yeah, look at
lg on my website - http://www.joeware.net/win/free/tools/lg.htm.

There is a -r option to specify the machine you want to use for the name to
SID resolution. I added that option so you could add secprins from a domain
the machine wasn't a member of yet to the admins group so when you added it to
the domain, the membership was already set (great for migration scenarios
where you aren't a domain admin in the next domain).

Now that being said, I am not a fan of internal networks being accessible from
the extranet or from the DMZ unless doing very specific individual server:port
based reverse proxy with that single port being heavily defended on the
internal host. Anything that compromises one of the DMZ domain machines can at
the least most likely enumerate info from the internal domains. If someone
wants to be cute, they could easily D.O.S. attack you from there as well.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chakravarty, Sakti
Sent: Wednesday, December 07, 2005 10:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DMZ domains and IPSec - looking for explanation re resource access and authentication


Hi all,

I'm looking for an explanation - this is a bit of a complicated scenario but
I'll try to be succinct. Whilst I have a fair bit of AD experience, I'm not
the AD administrator at my current place of work. The AD administrators are
not forthcoming with information, hence my post here.

We have a corporate network with a Windows 2003 forest (mixed-mode) with
multiple domains. We also have a DMZ, in which there is a separate Windows
2003 forest with a single domain.

There is an IPSec policy set up between domain controllers in the DMZ domain
and domain controllers in one of the domains in the corporate forest (I'll
call it the "internal domain").

There is a one-way trust, the DMZ domain trusts the internal domain.

Our aim is to provide access to resources in the DMZ domain, by using accounts
in the internal domain.

My role includes managing Member Servers. We built a server in the internal
domain, added some groups from that domain into the Administrators group, then
physically moved it to the DMZ. Then, the names in the Administrators group
would no longer resolve (since it is still a member of the internal domain,
but physically disconnected from it). Next, we made the server a member of the
DMZ domain, and the names now resolve. So, it seems the Member Server is
talking to the DMZ DC which is querying the internal DC to resolve the name.

What we cannot do, is log onto the Member Server in the DMZ and add an account
from the internal domain. The reasoning we are given is that the IPSec policy
and trust is between DCs only, and not the Member Server. If the DMZ Domain
Admin logs onto the DMZ DC, then makes a Computer Management connection to the
Member Server, then groups from the internal domain can be added to the Member
Server.

Can anyone explain to me why this is so? I don't understand why resolving
names is different to adding a user, it seems to me the same authentication
path is followed.

Thanks in advance,
Sakti

RE: [ActiveDir] Ntds.dit file corruption

2005-12-07 Thread Rick Kingslan



Replication is at an attribute level and the corruption is usually a bit flip
- which isn't replicated. The data itself (a table or an index) is checked and
if found to be invalid, I *believe* (joe, ~Eric, brettsh) is marked as such
and is no longer replicated.

-r

--Posting is provided "AS IS", and confers no rights or warranties ...


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 06, 2005 2:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

Is this guaranteed? How can we/you be sure that the system will recognise the
corruptions and therefore not replicate them? Surely this is akin to the new
feature added to e2k3 sp1, but which is (sadly) missing from AD(?)

I must be missing a subtle point - please show me the light :)

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 05 December 2005 19:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

We do not replicate corruption so if you have local corruption as noted below
there is no worry that it would replicate around to other servers in the
environment.

Thanks,

-Steve


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 1:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

Will Read Only DC's take care of this? I don't know much about them yet, but
it makes sense that if the copy of the dit that a DC has is RO that it won't
try to replicate that anywhere and would only be the recipient of replication.
Anyone with more knowledge about how RO DC's will work to comment on that?

Phil

On 12/5/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
Well at least the corruption occurred on just a single DC. One thing that has
bugged me about Active Directory is not being able to select if you want a DC
in a remote office to not have the ability to replicate back in a large
enterprise environment. Since most remote offices only have a few people at
the location and a DC is usually placed for improvised logon and
authentication time, many companies will either use a very low end server or a
very old decommissioned one from their production data center (which is
probably close to useable life). I am always concerned that once the NTDS.DIT
file becomes corrupt it will replicate the corruption to the other DC's in the
Forest. Maybe I am just being a worry wart and this really is not an issue.

Sincerely,

Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, December 05, 2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

I did? :-)

I think I still said all I know is what the poster said :-)

I think I need a course in event log reading because even with the logs, and
the default size of the logs, I still don't see a smoking gun. The directory
services one is filled with events 'post' blow up.

What is interesting is that it seems to me big server land goes .. oh yeah...
ntds.dit corruption... and sbsland freaks out. Either we do indeed need to
ensure we have a secondary DC or we need to park a second copy of a system
state offsite [say at the vap/var]

Brett Shirley wrote:
 She replied offline, very likely a single bit flip, tragedy, they aren't one
 release later (Longhorn), where this would've probably been non-disruptively
 handled, logged, and possibly self-healed:
 http://blogs.technet.com/efleis/archive/2005/01.aspx
 Anyway, this kind of thing is usually hardware ... While there
  are much better disk sub-system testers, one that is freely  available 
  to any box with Exchange is jetstress.You might give that 
  a try.If you can reproduce the event / error with 
  jetstress I would not use that box in production. If 
  you do reproduce the issue several times (several times is key, as you 
   want a trend before you start playing the variable game), some 
  things you might vary (one at a time):- 
  Try making sure you have the latest driver and motherboard / 
  controller firmware.Then see if you can reproduce. 
  - Try a different RAID configuration, such as 
  RAID1/RAID1+0 if you're on RAID5.- Try 
  swapping out the hard drives, one at a time.- 
  Adding the jetstress files to the exclude list in the Anti-Virus  
  software. (A low probablility, I've never heard of Anit-Virus causing 
  this paticular type of error, and I can't imagine the mistake an 
  anti-virus product would have to have to cause this side effect) 
  - If you can reproduce it several times, you could 
  followup with Dell. Good luck. I'm not sure if I 
  answered your question ... 

RE: [ActiveDir] Ntds.dit file corruption

2005-12-07 Thread Rick Kingslan



I've been informed that I'm wrong on this. Please 
ignore, and listen to joe/~Eric/Dean/Brett/Anyone else.

Cheers!

-r

--Posting is provided "AS IS", and confers no rights or 
warranties ... 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, December 07, 2005 5:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

Replication is at an attribute level and the corruption is 
usually a bit flip - which isn't replicated. The data itself (a table 
or an index) is checked and if found to be invalid, I *believe* (joe, ~Eric, 
brettsh) is marked as such and is no longer replicated.

-r

--Posting is provided "AS IS", and confers no rights or 
warranties ... 



RE: [ActiveDir] windows installation question

2005-11-27 Thread Rick Kingslan



You will need to have two things - One: A separate 
partition in which to install XP into. Two: a DOS-bootable network enabled 
floppy to map to a share (in which an administrative 'dump' of XP has been 
done) or shared CD drive on another machine.

After mapping to one of these two, you could then install 
across the network, selecting the partition for XP - but NOT the same one that 
2000 resides in.

Rick

--Posting is provided "AS IS", and confers no rights or 
warranties ... 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roseta radfar
Sent: Sunday, November 27, 2005 12:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] windows installation question


Hello,

I have a computer 
which has a w2k on it. It is on a network and does not have a CD drive. now I 
want to have a XP on it with out removing w2k. Is there any way that I can 
install XP through network without damaging my w2k?

Thanks in 
advance.
Roseta



RE: [ActiveDir] FRSInlog

2005-11-26 Thread Rick Kingslan
Both of the errors deal with journal wrap in the FRS logs.  There are a number of
issues as to WHY this happens.

However, I'd upgrade to UltraSound - the successor to Sonar.  It has much
better JIT information associated with the errors - and how to fix them.

Rick
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of James Green
Sent: Saturday, November 26, 2005 12:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FRSInlog

Hi

I am using Microsoft Sonar tool to keep an eye on my 6 DCs in 2 domains -
FRS / SYSVOL.
Last week Sonar flagged few errors - FRSInlog, FRSSets - I am not impressed
by the help file you don't get with Sonar - so what do these errors mean? 
FRSInlog?? or FRSSets??

Thanks for help

James

_
MSN Messenger 7.5 is now out. Download it for FREE here. 
http://messenger.msn.co.uk

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

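Sonar and UltraSound only point at the log; the journal-wrap condition itself is recorded in the File Replication Service event log on the affected DC. The following PowerShell is an added example, not part of this thread and not from Microsoft's tools: it pulls the journal-wrap related events (13568 journal wrap detected, 13508 FRS cannot reach a partner, 13509 connection re-established) from each DC's FRS log so you can see which member wrapped and whether it recovered. The DC names are assumptions; it uses Get-EventLog, which Windows PowerShell (not PowerShell 7) provides and which reads the classic 2003-era logs.

```powershell
# Added example, not from the original thread.
# Lists FRS journal-wrap related events across a set of DCs so you can see
# which replica set members are affected and when the wrap was first logged.
# Event IDs: 13568 = journal wrap detected (FRS stops replicating that replica
#                    set on this member until it is restored),
#            13508 = FRS could not establish an RPC connection to a partner,
#            13509 = FRS re-established the connection (recovery).
# Requires Windows PowerShell (Get-EventLog is absent from PowerShell 7) and
# remote event-log read access on each DC.

function Get-FrsJournalWrapEvents {
    param(
        [string[]]$DomainController = @('DC1', 'DC2'),   # assumption: replace with your DC names
        [int]$Days = 14
    )

    $since = (Get-Date).AddDays(-$Days)
    $watch = @{ 13568 = 'JOURNAL WRAP'; 13508 = 'partner unreachable'; 13509 = 'partner recovered' }

    foreach ($dc in $DomainController) {
        try {
            $events = Get-EventLog -ComputerName $dc -LogName 'File Replication Service' -After $since -ErrorAction Stop |
                Where-Object { $watch.ContainsKey($_.EventID) }
        } catch {
            Write-Warning "$dc`: could not read the FRS log ($($_.Exception.Message))"
            continue
        }

        foreach ($e in ($events | Sort-Object TimeGenerated)) {
            [pscustomobject]@{
                DC      = $dc
                Time    = $e.TimeGenerated
                EventID = $e.EventID
                Meaning = $watch[$e.EventID]
                # The first line of the message names the replica set or partner.
                Detail  = ($e.Message -split "`r?`n")[0]
            }
        }
    }
}

# A DC that has logged 13568 without a later 13509 is the one to look at first.
Get-FrsJournalWrapEvents -DomainController 'DC1', 'DC2' -Days 30 | Format-Table -AutoSize
```

The 13568 event text itself lists the restore options for the wrapped member; the script only tells you where to read it.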


RE: [ActiveDir] Windows 2003 SP1 upgrade...

2005-11-26 Thread Rick Kingslan



yawn

Sometimes, I realize that I commented on something, go back 
and read the thread and come upon a novella.

Occasionally, all I want is a paragraph. Hopefully, 
all of this information wasn't meant for me, because all I do day in, day out 
these days is drink from a fire hose - hence why I'm not around so much these 
days. This hopefully helped others, as it presents no value to me right 
now at all. I'm versed in this quite well.

Yes - the question was meant to stir a conversation - more 
about interactive as a mechanism to remove a looming hole for accounts that NEED 
high level permissions but don't NEED to be logged into. Surprisingly, 
this is a vector that most people forget about. If you don't need to log 
in to it - why does it have interactive?

As to which LUA - the actual, higher level principle of 
giving nothing (not just people) any more access than it absolutely 
requires. I made the assumption that the ACLing that you referred to had 
already removed any and all unnecessary permissions to things unsavory, 
dangerous, and shiny-but-sharp from touch.

Hence the question about interactive. It's not an 
ACL.

And, as to our direction with software and decisions made - 
I don't comment much publicly anymore. I've gotten myself into too much 
trouble of late, another reason I'm not here as much.

Brett can answer some of these, or get someone from the dev 
team on Security issues. I'll answer anything you want on MCS and how to 
implement. But, as to why things are or where they are going to be in 
future product - I won't be commenting on that. That's another pretty, 
shiny, sharp-thing.

Rick

--Posting is provided "AS IS", and confers no rights or 
warranties ... 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, November 21, 2005 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 SP1 upgrade...

No. MS made it now so that you either need to use an ID 
that has admin rights or you have to change the ACL on the SCM to monitor the 
services OR the application doing the monitoring needs to know specifically what 
service to look at AND know how to ask how to open it WITHOUT asking for 
enumeration rights which is unusual since it was always possible previously 
because the ACL on the SCM wasn't configurable. All example source showed how to 
do it in a way that would break after the change.

What this change does is require more privileges to do work 
easily done with an unprivileged account or to require you to partially undo 
what MS did to lock it down. Since the ability to change the SCM ACL 
previously wasn't something that could be done at all, I understand the idea to 
lock it down once it could be modified. However, MS didn't really give much in 
the way of tools to operate with it set that way. There was one tool, SC, 
that was modified in order to work with it and at least initially, it 
wasn't very well documented. This easily should have been a GPO config item just 
like the other service ACL configs. Personally, I would have greatly 
appreciated say a new group... RemoteServiceEnumeration or something like that, 
then people simply add principals to that group in order to keep their apps 
working.

I have often monitored services on servers remotely with an 
ID that has normal user rights in the domain. The ID had no permissions on the 
servers at all other than to look at them. Others have done the same. The 
monitoring scripts/apps would list all services to see what was running and what 
wasn't running, any changes whatsoever would be reported so you knew when 
something got added and when something got removed or if something was started 
that wasn't previously running or something that was previously running no 
longer was running. After SP1, it took modifying the ACL or granting admin level 
rights or required the ID to be used locally on the local machine instead of 
remotely.

This change forced people, at least initially until 
documentation started coming out, to use higher power IDs to do 
something that previously could be done with lower power do-nothing IDs. 
To put it another way, there is no technical reason whatsoever that an 
admin ID is required to monitor services. Heck you can even delegate service 
control to non-admins, I have been giving out ability to stop/start specific 
services on servers since early NT4 days. 

BTW, which LUA are you referring to? The actual principle 
of least user access where you don't give people access to things they shouldn't 
have or the LUA to allow non-privileged users to actually do things without 
being an admin? I think the first, but it caught me by surprise and I read it as 
the second initially because most MS folks are using LUA strictly to speak about 
the new capability in Vista. I didn't mention LUA but was referring to 
not having to be an admin to do something simple. 

I have no problem with locking things down, but don't catch 
people by 

RE: [ActiveDir] exporting group membership

2005-11-25 Thread Rick Kingslan



Excel?

Otherwise, I'm not completely clear as to what you're 
trying to accomplish.

Rick

--Posting is provided "AS IS", and confers no rights or 
warranties ... 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, November 25, 2005 10:02 AM
To: Active
Subject: [ActiveDir] exporting group membership

I am trying to export the following fields from Active 
Directory using CSVDE

I ran the following command 
CSVDE -F c:\output.csv -d "ou=security groups,ou=INTARA,dc=COM" -r 
"(objectclass=group)" -l 
cn,description,member,whencreated,whenchanged,info,managedby,mail

This retrieves the information I want, however, the Member tab displays a 
list of users full DN in one single cell and makes it difficult to overview the 
member list.

How can I display a list of the users in their own individual cells 
going downwards (if that makes sense)? Does CSVDE allow this? If not, any other 
tools out there?


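CSVDE writes a multi-valued attribute such as member into one cell, with the values separated by semicolons, so the one-member-per-row layout Frank wants has to be produced after the export. The PowerShell below is an added example, not from the thread: it reads a CSVDE-style file (a constructed two-group sample is embedded so it runs offline; pass -Path to use a real export such as c:\output.csv) and writes one row per group member, with the member's CN pulled out of the DN for readability. The caveat about escaped characters in DNs is noted in the code.

```powershell
# Added example, not from the original thread.
# Turns a CSVDE export (multi-valued "member" packed into one cell, ';'-separated)
# into one row per (group, member). Constructed sample input is embedded so the
# script runs offline; pass -Path to use a real export such as c:\output.csv.

function Expand-GroupMembers {
    param(
        [string]$Path,                      # CSVDE output file (optional)
        [string[]]$Csv                      # or CSV text lines (used by the sample below)
    )
    $rows = if ($Path) { Import-Csv -Path $Path } else { $Csv | ConvertFrom-Csv }

    foreach ($row in $rows) {
        if ([string]::IsNullOrEmpty($row.member)) {
            # Empty groups still get a row so they show up in the review.
            [pscustomobject]@{ Group = $row.cn; Member = ''; MemberDN = '' }
            continue
        }
        # CSVDE separates multiple values with ';'. A DN containing an escaped ';'
        # ("\;") would be split wrongly here, which is rare but worth knowing about.
        foreach ($dn in ($row.member -split ';')) {
            $dn = $dn.Trim()
            # Short name = value of the first RDN ("CN=..."); escaped commas ("\,") are kept.
            $short = if ($dn -match '^CN=((?:\\.|[^,])+)') { $Matches[1] } else { $dn }
            [pscustomobject]@{ Group = $row.cn; Member = $short; MemberDN = $dn }
        }
    }
}

# Constructed sample in the column layout the CSVDE command in the thread produces
# (CSVDE always emits DN first, then the requested attributes). Names are made up.
$sample = @(
    'DN,cn,description,member',
    '"CN=Finance Admins,OU=Security Groups,OU=INTARA,DC=COM",Finance Admins,Finance application admins,"CN=Alice Adams,OU=Users,OU=INTARA,DC=COM;CN=Bob Brown,OU=Users,OU=INTARA,DC=COM"',
    '"CN=Empty Group,OU=Security Groups,OU=INTARA,DC=COM",Empty Group,Nothing in it,'
)

$flat = Expand-GroupMembers -Csv $sample
$flat | Format-Table -AutoSize
# One member per row, ready to open in Excel:
$flat | Export-Csv -Path .\members-flat.csv -NoTypeInformation
```

Running the same CSVDE command as in the question and then `Expand-GroupMembers -Path c:\output.csv` gives the flattened view; nested groups appear as members with a group DN, which the MemberDN column lets you spot.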


RE: [ActiveDir] Server Disappeared

2005-11-25 Thread Rick Kingslan
Harald - 

You have two NICs installed in this box, which is a DC.  (Not a suggested /
recommended configuration, but beside the point)

Do you also have ICS installed, or Routing and Remote Access with natting
installed? (Educated guess, given the 192.168.0.1 address)

Be extremely verbose on the server configuration.  I suspect that the change
of the NIC is going to require some reconfiguration of the ICS or RRAS.

Rick
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harald
Sent: Friday, November 25, 2005 1:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Server Disappeared

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] burped the following on
25/11/2005 10:42 AM:

 That little guy isn't seeing DHCP or DNS ... on the internal network 
 side who'd handling the DHCP?  You can review these Event ID's and see 
 a bit

I'm not using DHCP, I never did. All the internal machines have static
addresses.


 EventID.Net:
 http://www.eventid.net/display.asp?eventid=5781&eventno=167&source=NETLOGON&phase=1

 EventID.Net:
 http://www.eventid.net/display.asp?eventid=20169&eventno=25&source=RemoteAccess&phase=1

 EventID.Net:
 http://www.eventid.net/display.asp?eventid=31002&eventno=557&source=ipnathlp&phase=1



 23/11/2005 2:34:41 PM  ipnathlp  Error  None  31002  N/A  STARFLEETCMD  The DNS 
 proxy agent was unable to bind to the IP address 192.168.0.1. This error may 
 indicate a problem with TCP/IP networking. The data is the error code.
 On that entry?  In the event viewer can you click on the copy button 
 on that one and paste the entire contents?

Yup, here it is.

.
Date: 23/11/2005  Source: ipnathlp
Time: 14:34  Category: None
Type: Error  Event ID: 31002
User: N/A
Computer: STARFLEETCMD

Description:
The DNS proxy agent was unable to bind to the IP address 192.168.0.1. 
This error may indicate a problem with TCP/IP networking. The data is the
error code.

Data: Bytes
: 1d 27 00 00


--
Harald Gill
Without Dreams...Life is Nothing

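The "Data: Bytes" field Harald pasted is the error code the event text refers to, stored as a little-endian DWORD, and it is the most specific clue in that event. The PowerShell below is an added example, not part of the thread: it converts the byte string to the error number and asks Windows for the matching message text. With the posted bytes (1d 27 00 00) it gives 10013, WSAEACCES, "an attempt was made to access a socket in a way forbidden by its access permissions", i.e. the bind to 192.168.0.1:53 was refused. The thread does not say why; the common reading of that code on a box that is also a DNS server is that another listener already owns the address, which is consistent with the binding-order fix reported later.

```powershell
# Added example, not from the original thread.
# Decodes the "Data: Bytes" field of a Windows event into the error number it
# carries and looks up the system message for it. The data is a little-endian
# DWORD; the sample below is the byte string pasted in the thread.

function ConvertFrom-EventDataBytes {
    param([Parameter(Mandatory)] [string]$HexBytes)   # e.g. '1d 27 00 00'

    $bytes = @($HexBytes -split '\s+' | Where-Object { $_ } | ForEach-Object { [Convert]::ToByte($_, 16) })
    if ($bytes.Count -lt 4) { throw "Need at least 4 bytes, got $($bytes.Count)" }

    # BitConverter is little-endian on x86/x64, matching how the event stores the DWORD.
    $code = [BitConverter]::ToInt32([byte[]]$bytes[0..3], 0)
    # Win32Exception resolves both Win32 and Winsock (10000-11999) codes via FormatMessage.
    $msg  = (New-Object -TypeName System.ComponentModel.Win32Exception -ArgumentList $code).Message

    [pscustomobject]@{
        Code    = $code
        Hex     = ('0x{0:x8}' -f $code)
        Message = $msg
    }
}

ConvertFrom-EventDataBytes -HexBytes '1d 27 00 00'
# Code 10013 (0x0000271d) = WSAEACCES: the bind() was refused. For event 31002 the
# usual cause is another listener already holding port 53 on that address.
```

The same function works on the data bytes of any event whose description ends with "The data is the error code."; paste the bytes exactly as Event Viewer copies them.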


RE: [ActiveDir] Server Disappeared

2005-11-25 Thread Rick Kingslan
So, then - it's resolved and Harald is all happy?  Cool...

Now, about that two NICs in a DC attached to the Internet thing.  I really
hope I NEVER hear an SBSer complain that Windows is not a secure operating
system given THAT configuration  ;op

j/k

Rick 
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Friday, November 25, 2005 5:59 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Server Disappeared

Well it depends on who you are :-) We actually highly recommend two nics in
our SBS DCs  :-)

It was binding order.  External nic was first. 

ICS ...ick... what are we workgroup?  I'm an RRAS fan :-)  [okay the SBSer
will go shut up now :-)

 



RE: [ActiveDir] Windows 2003 SP1 upgrade...

2005-11-20 Thread Rick Kingslan



True. But, to monitor services does someone have to 
log on to the server? Would a good and SAFE work around - if the said user 
doesn't need to log on, to create a service account to do the work, but remove 
the interactive rights?

Seems to me that proxying the access would be close to the 
ultimate in LUA.

Rick

--Posting is provided "AS IS", and confers no rights or 
warranties ... 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, November 20, 2005 5:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 SP1 upgrade...

The biggest thing people complain to me about that isn't 
documented as an issue below is with the new ACL on the service control manager. 
The new ACL really locks down who can enumerate services remotely. This has 
impact on multiple different applications and services, especially any 
monitoring that isn't using full admin IDs. Kind of sad actually, people trying 
to run with least privs for the monitors got nailed and had to give out more 
perms until info started getting out on how to fix the 
problem.

Check out the items exposed by the following 
query

http://www.google.com/search?hl=en&lr=&safe=off&rls=GGLD%2CGGLD%3A2004-07%2CGGLD%3Aen&q=sdset+sc+2003+site%3Asupport.microsoft.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Sunday, November 20, 2005 3:47 PM
To: Active
Subject: [ActiveDir] Windows 2003 SP1 upgrade...


Hello all,

I am planning on rolling out SP1 to my 
Domain Controllers. I have looked through msn search to find known issues with 
applying SP1 to DC's.
I found the following kb articles 
(below) so I can prepare if I have issues. I haven't run into any issues in 
my test environment however, has anyone else had any undocumented problems they 
may wish to share? One of my DC's is also a WINS, DNS, DHCP, FSMO role holder, 
so any issues or pointers that you may have come up against would be 
appreciated.
Also, is there any recommendation as to 
which DC you choose first when you upgrade to SP1? 

The Windows Time service may generate event ID 7023 after you upgrade to 
Windows Server 2003 Service Pack 1
http://support.microsoft.com/?id=892501

Network issues that affect TCP/IP and RPC traffic across firewall or VPN
http://support.microsoft.com/kb/899148/

The incorrect HAL may be applied if your computer uses a custom HAL
http://support.microsoft.com/kb/889101

Thanks

Frank


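The fix joe alludes to (sc sdset on the scmanager object) and the least-privilege point Rick makes, in both the November 20 and the November 26 posts of this thread, come down to one change: add a read-only ACE for the monitoring account to the SCM security descriptor instead of handing it an admin ID. The PowerShell below is an added example, not code from the thread or from Microsoft. It reads the current descriptor with sc.exe sdshow, appends an allow ACE carrying CC (connect), LC (enumerate services), RP (query lock status) and RC (read the security descriptor) for a group SID, and writes it back with sc.exe sdset. The group SID is a placeholder; the script prints the new descriptor and only applies it when run with -Apply.

```powershell
# Added example, not from the original thread.
# Grants a non-admin monitoring group read-only access to the Service Control
# Manager on Windows Server 2003 SP1 and later, which is all that remote service
# enumeration needs. SCM rights in SDDL: CC = SC_MANAGER_CONNECT,
# LC = SC_MANAGER_ENUMERATE_SERVICE, RP = SC_MANAGER_QUERY_LOCK_STATUS,
# RC = READ_CONTROL. Nothing here grants start, stop or create.
# Run as a local administrator; sdset rewrites the whole descriptor, so the
# script keeps the existing DACL and SACL and only appends one ACE.

function Get-ScmSddl {
    $raw  = & sc.exe sdshow scmanager
    $sddl = $raw | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^D:' } | Select-Object -First 1
    if (-not $sddl) { throw "Could not read the SCM descriptor: $($raw -join ' ')" }
    return $sddl
}

function Add-ScmReadAce {
    param(
        [Parameter(Mandatory)] [string]$Sddl,
        [Parameter(Mandatory)] [string]$Sid      # SID of the monitoring group
    )
    # Keep the SACL (audit ACEs) untouched; only the DACL part gets the new ACE.
    $saclStart = $Sddl.IndexOf('S:')
    if ($saclStart -ge 0) {
        $dacl = $Sddl.Substring(0, $saclStart)
        $sacl = $Sddl.Substring($saclStart)
    } else {
        $dacl = $Sddl
        $sacl = ''
    }
    if ($dacl -like "*;;;$Sid)*") {
        return $Sddl   # already present; running twice changes nothing
    }
    return "$dacl(A;;CCLCRPRC;;;$Sid)$sacl"
}

function Grant-ScmReadAccess {
    param(
        [Parameter(Mandatory)] [string]$GroupSid,
        [switch]$Apply
    )
    $current = Get-ScmSddl
    $new     = Add-ScmReadAce -Sddl $current -Sid $GroupSid
    Write-Host "Current: $current"
    Write-Host "New:     $new"
    if ($Apply -and $new -ne $current) {
        & sc.exe sdset scmanager $new | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed with exit code $LASTEXITCODE" }
        Write-Host "Applied. Verify with: sc.exe sdshow scmanager"
    }
}

# Placeholder SID for a "Service Monitors" domain group (assumption; substitute your own).
Grant-ScmReadAccess -GroupSid 'S-1-5-21-1234567890-1234567890-1234567890-1105'
# Grant-ScmReadAccess -GroupSid 'S-1-5-21-...' -Apply
```

After applying, test from another machine as a member of that group with `sc \\servername query`; it should list the services without the account holding any admin right on the box, which is the situation joe describes from before SP1. Pair it with Rick's suggestion and the monitoring account never needs interactive logon anywhere.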


RE: [ActiveDir] Raid suggestions for DC maybe OT

2005-11-08 Thread Rick Kingslan



Jonathan -

275 replication links seems, at least to my tired eyes this 
AM, to be a lot. Are you running a branch office environment, or is this a 
number of remote sites that link back to a single hub?

I'm interested as to why there are so many repl links to 
your DCs, only if it's one DC. In my experience, that's not optimal, and 
we can provide some prescriptive guidance to help optimize the topology with no 
addition of hardware, just some tuning of site/subnet 
configurations.

Rick [msft]

--Posting is provided "AS IS", and confers no rights or 
warranties ... 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carr, Jonathan (OFT)
Sent: Tuesday, November 08, 2005 6:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Raid suggestions for DC maybe OT

I don't know about you but rebuilding DC's is not fun 
stuff. Especially if it has 275 replication links to it from remote 
DC's.. believe me spend the money on the fault 
tolerance..


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, November 07, 2005 10:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Raid suggestions for DC maybe OT

How about just not partitioning the whole disk of the 
larger disks? Note I didn't come up with that idea, that came from a young 
whippersnapper I know out of Redmond whom I was discussing the fastest AD disk 
configs with a few weeks ago. I haven't tried it but it makes sense to me. Just 
allocate maybe 10-12GB of each of the 36GB drives across an array or 
so.

Course you could always say screw the fault tolerant RAIDs, 
this isn't Exchange, and run commando with a stripe set. If you have enough 
extra DC capacity in the site you could have them all running really fast and 
then when one blows it just goes away. Most applications that are written 
properly for AD handle that just fine except apps that hard sync to a single DC. 


If I have 7-8 disks, I wouldn't hesitate to put them in a 
single RAID-10/0+1 type config. OS and Logs are snoring on most DCs. All of the 
action is around the DIT unless you get that baby into memory which was the 
first I think 20 responses I got from the whippersnapper. Use 64 bit. I know 
but... use 64 bit... I know but use 64 bit I know but are you still 
here, use 64 bit


 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carr, Jonathan (OFT)
Sent: Monday, November 07, 2005 6:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Raid suggestions for DC maybe OT



We have a lot of users coming back to our central site and 
we use the following config.


adapter #1 === raid 1 (2 disk) O/S

adapter #2 === raid 1 (2 disk) AD LOGS

adapter #3 === raid 5 (3 disk) with global hot spare AD Data


the key to this using this is that all the equipment (SCSI 
disk,SCSI controller) is Ultra 320 spec with low latency and low seek 
times (15 K rpm usually). The other thing that has been 
noticed is that use as small a disk as you can get. (8 GB) 
Some of the manufacturers are saying they only can supply 36GB drives on new 
equipment. These drive are ok but the seek time goes up because of 
the size of the drive



this config works good also


adapter #1 === raid 1 (2 disk) O/S

adapter #2 === raid 1 (2 disk) AD LOGS and raid 5 (3 disk) with global hot 
spare (total of 6 on this channel)



hope this 
helps










This e-mail, including 
any attachments, may be confidential, privileged or otherwise legally protected. 
It is intended only for the addressee. If you received this e-mail in error or 
from someone who was not authorized to send it to you, do not disseminate, copy 
or otherwise use this e-mail or its attachments. Please notify the sender 
immediately by reply e-mail and delete the e-mail from your system. 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, November 06, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Raid suggestions for DC maybe OT

LOL. I actually pinged Rick on the "official" guidelines 
previously for an Enterprise class DC with 4 disks, he was actually one of 4 
people I queried since I hadn't seen what I considered good official docs on it. 
Rick quoted the K3 Deployment guide which is definitely a good start. It 
indicates

RAID 1 - OS
RAID 1 - Logs
RAID 1 or 0+1 - SYSVOL/DIT

If you have less than 1000 users using the DC it says you 
can use one single RAID-1 for the whole thing. Though you have the same issue 
here as you have for anything, how are the 1000 users using it and what else is 
using it? Exchange? If so, I doubt I would do a single RAID-1 unless it was very 
few users. 

Otherwise you are looking at a minimum of 6 disks for all 
RAID-1s or 8 disks if 0+1 and RAID-1. 

When you actually look at it, the OS and the logs are using 
little IOPS on a dedicated DC and splitting them off onto their own "disk" is 
probably unnecessary. The DIT assuming it isn't all 

RE: [ActiveDir] Hardware Suggestions

2005-11-08 Thread Rick Kingslan
Add to that - SATA is not for the desktop only.  Check out some of the SAN
coming out from most vendors, EMC included.  Those drives and connections
look a lot like SATA to me. 

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Tuesday, November 08, 2005 7:13 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Hardware Suggestions

~
I don't have a problem with SATA (an upgrade from PATA) if used as designed.
It's designed for desktop storage.  Not that it can't be adjusted to
server/enterprise, but it's price point and architecture are intended for
desktops (i.e. cheap but not as reliable as a shared resource).
~

Depends on the size of the enterprise

SATA has its place in the server segments of smaller orgs for sure.   
It's not too long ago that Windows and Intel processors were considered not
designed for the enterprise...


-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On 11/7/05, Al Mulnick [EMAIL PROTECTED] wrote:
 That's a desktop user? The apple desktop?

 I don't have a problem with SATA (an upgrade from PATA) if used as
designed.
 It's designed for desktop storage.  Not that it can't be adjusted to 
 server/enterprise, but its price point and architecture are intended 
 for desktops (i.e. cheap but not as reliable as a shared resource).

 Used appropriately, I'm quite happy with it.  But it's intended to be 
 cheap and replaceable.

 Cheap, fast, reliable - pick two (or something like that ;)

 That shouldn't last if history is any indication, but for now I'll try 
 not to build too many centrally required applications on that 
 technology unless I can put a lot of abstraction in front of it (large 
 pools that aren't bothered by the loss of several components at a 
 time.)







 From: Rob MOIR [EMAIL PROTECTED]
 Reply-To: ActiveDir@mail.activedir.org
 To: ActiveDir@mail.activedir.org,ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Hardware Suggestions
 Date: Mon, 7 Nov 2005 18:36:10 -
 
 I've deployed SATA for storage of large files in Apple XRaid units in 
 a Raid 5+1 config, and so far so good. Ask me in 3 years if I'm still 
 just as happy ;-) but it was the only way to give the user what they 
 wanted inside the budget we had.
 
 One advantage of the XRaid is that it's fitted out from the get go to 
 use SATA disks and the only reason you'd ever have to do anything to 
 it is to replace a drive that you already know has gone bad.
 
 
 -Original Message-
 From: [EMAIL PROTECTED] on behalf of Al Mulnick
 Sent: Mon 07/11/2005 17:34
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Hardware Suggestions
 
 silly no-hair-color alert
 SATA == Desktop drives.
 
 They weren't originally concepted to be enterprise class storage.  I 
 see them as being back-engineered to be used this way, but most of 
 what I've seen has been to deploy them as a JBOD in situations where 
 you can absorb the continuous loss of hardware and not impact 
 performance and availability.
 Typically in pools of disk and hsm solutions (what is it that hsm 
 is called now? ILM? :)
 
 If you plan to deploy DAS solutions (internal or external), SATA is 
 not likely the way to go right now.  You may want to wait a bit 
 longer if the data is important.
 
 
 For large pools of inexpensive disks, SATA might be worthwhile to 
 investigate if you have a large loading bay, a good support 
 agreement, and close access to the highway.
 
 -ajm
 
 
 
  From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
  [EMAIL PROTECTED]
  Reply-To: ActiveDir@mail.activedir.org
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Hardware Suggestions
  Date: Mon, 07 Nov 2005 09:13:19 -0800
  
  Stupid blonde alert
  
  I personally have SATA experience in the tower/desktop world but 
  none in the rack units.  Are the physical connections any stronger 
  in the rack world?
  
  I like SCSI and IDE not only for their proven track record [server 
  and desktop respectively] but because the dang cables don't get 
  knocked off each time I reach into the case.  Those cable 
  connections on the back of the SATA drives are a little worrying.  
  I've accidentally bumped the connection off my workstation at home 
  twice while adding the Hauppauge card and what not.
  
  In SBSland early on we had issues with them getting loaded up, if 
  they are underpowered, we're seeing a bit of bottlenecks, and as one of the 
  SBS support gang said out of Mothership Las Colinas, if your vendor 
  won't guarantee that equipment for 3 years, do you really want to 
  put that data on that device?
  
  So far the SATAs that we have running around in SBSland servers are 
  okay, but I'll report back in another 2 years and let you know.
  
  I can't speak for the Dell rack stuff, but the 

RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes

2005-11-07 Thread Rick Kingslan
Ed - 

With all due respect, both posts that you've made in response to this thread
have been negative (George Carlin hasn't written anything original...  Blah,
blah...) and the fact that I mention that I should beat my admin because of
missing a backup.  How I choose to treat my employees is my business.

I'm not sure why I'm even bothering to defend myself to you.

Please.  If you have nothing of value to add - don't respond.  If you want
to be a valued member of the list - try being nice.

Or, if it's just me you don't like - filter me out of your list.

I really don't appreciate the off-handed, single thought retorts.

Who ARE you, anyway?

Rick
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Sunday, November 06, 2005 11:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

The admin is not at fault because he wasn't aware that the backup didn't
complete?  You're an awfully forgiving boss.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, November 06, 2005 7:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

Work with Exchange much?  Miss one or two backups and that volume that holds
your log files might experience this issue with no fault of the admin at
all.  (Well, except for the fact that your backup system didn't page the
person in charge to notify it didn't run...  Or, that person chose not to
respond.)

Regardless...  Poo-poo happens.  At least, now they know.

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, November 05, 2005 10:30 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

Not dumb for Microsoft; dumb for the Admin to get the drive in that
condition and need a KB to whack them upside the head.

At the end of the day... it's my responsibility for my network.  I won't be
complaining to Microsoft that they didn't warn me that bad things might
happen if I don't keep nice breathing room on my drives.





Rick Kingslan wrote:

Hmmm.  I guess I see this in a different light.  In my new, improved 
view of the way that Microsoft communicates things, no - it doesn't 
seem to be very dumb at all.  The statement and the KB, that is.

At this moment, I'm watching George Carlin's new HBO special.  He 
relates that he's always interested when it's flood season in the 
Midwest.  The same people that got flooded out last year get flooded 
out this year, repaint, re-carpet and move back in.

Next season - it will be the same thing.  They just won't understand 
that if they live on the flood plain, you can't complain that Grandma 
is floating down the river with a canary on her head.

That's why we say things like:

A volume is full or almost full. Your NTFS just MIGHT have problems.

Because there are just those same folks on the Midwest flood plain that 
will call PSS really upset that their full or almost full NTFS drive 
has a problem.

I'm not saying that the people that call are stupid.  I am saying that 
most Insurance policies and contracts, as well as EULAs - have a ton of 
words and verbiage that only the well trained lawyer can understand 
because folks are just well, litigious.  And, you have to address 
the obvious because in segments of the population - the obvious - isn't.

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, November 05, 2005 11:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption 
on NTFS volumes

Is it me or is that a dumb KB?

A volume is full or almost full.

Yeah, data will start getting screwed up when you have that situation.  
In SBSland we lose our CAL licenses and other such fun things on a too 
tight drive.



Almeida Pinto, Jorge de wrote:

  

FYI

Potential file corruption problem on NTFS volumes during extensive 
stress


tests in Windows Server 2003 Service Pack 1
  

http://support.microsoft.com/default.aspx?scid=kb;en-us;909360

Cheers,
Jorge


This e-mail and any attachment is for authorised use by the intended


recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be 
copied, disclosed to, retained

RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes

2005-11-07 Thread Rick Kingslan
Taking offline...  I only berate joe in public...  (he fights nasty, too.
Spits, eye gouges, hair pulling and all...)

Forgot about that when I replied earlier.  VBG

Rick 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Monday, November 07, 2005 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

Rick -

I was replying to your assertion:

Miss one or two backups and that volume that holds your log files might
experience this issue with no fault of the admin at all.

An admin may not be at fault because a backup doesn't occur, with that I
agree.  However, an admin not knowing that the scheduled backups did not
occur and not monitoring that the log volume sufficiently to know that it is
running out of space is very much at fault.  I didn't say anything about
beating; that would solely be at your discretion.

As to my George Carlin remark, it was intended to be sarcastically humorous; I
apologize if it missed the mark in your perception, and to anyone else on
this list who might have been offended by it.

I'm an eight-or-nine-year Exchange MVP, and a senior technology consultant
for a large multinational technology corporation.  I joined this list
because a fellow Exchange MVP recommended it as being THE place to discuss
Active Directory.  Nice to meet you.  Who are you?

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, November 07, 2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

Ed - 

With all due respect, both posts that you've made in response to this thread
have been negative (George Carlin hasn't written anything original...  Blah,
blah...) and the fact that I mention that I should beat my admin because of
missing a backup.  How I choose to treat my employees is my business.

I'm not sure why I'm even bothering to defend myself to you.

Please.  If you have nothing of value to add - don't respond.  If you want
to be a valued member of the list - try being nice.

Or, if it's just me you don't like - filter me out of your list.

I really don't appreciate the off-handed, single thought retorts.

Who ARE you, anyway?

Rick
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Sunday, November 06, 2005 11:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

The admin is not at fault because he wasn't aware that the backup didn't
complete?  You're an awfully forgiving boss.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, November 06, 2005 7:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

Work with Exchange much?  Miss one or two backups and that volume that holds
your log files might experience this issue with no fault of the admin at
all.  (Well, except for the fact that your backup system didn't page the
person in charge to notify it didn't run...  Or, that person chose not to
respond.)

Regardless...  Poo-poo happens.  At least, now they know.

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, November 05, 2005 10:30 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

Not dumb for Microsoft; dumb for the Admin to get the drive in that
condition and need a KB to whack them upside the head.

At the end of the day... it's my responsibility for my network.  I won't be
complaining to Microsoft that they didn't warn me that bad things might
happen if I don't keep nice breathing room on my drives.





Rick Kingslan wrote:

Hmmm.  I guess I see this in a different light.  In my new, improved 
view of the way that Microsoft communicates things, no - it doesn't 
seem to be very dumb at all.  The statement and the KB, that is.

At this moment, I'm watching George Carlin's new HBO special.  He 
relates that he's always interested when it's flood season in the 
Midwest.  The same people that got flooded out last year get flooded 
out this year, repaint, re-carpet and move back in.

Next season - it will be the same thing.  They just won't understand 
that if they live on the flood plain, you can't

RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes

2005-11-07 Thread Rick Kingslan
BTW - just so no one thinks anything different, I was a bit harsh with Ed.
Apologies from me are, well, too often these days.  I'm not going to burden
the list with this

This one thread has gone WY too far.

I would ask that it be allowed to die.

Thanks.

Rick 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Monday, November 07, 2005 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

Rick -

I was replying to your assertion:

Miss one or two backups and that volume that holds your log files might
experience this issue with no fault of the admin at all.

An admin may not be at fault because a backup doesn't occur, with that I
agree.  However, an admin not knowing that the scheduled backups did not
occur and not monitoring that the log volume sufficiently to know that it is
running out of space is very much at fault.  I didn't say anything about
beating; that would solely be at your discretion.

As to my George Carlin remark, it was intended to be sarcastically humorous; I
apologize if it missed the mark in your perception, and to anyone else on
this list who might have been offended by it.

I'm an eight-or-nine-year Exchange MVP, and a senior technology consultant
for a large multinational technology corporation.  I joined this list
because a fellow Exchange MVP recommended it as being THE place to discuss
Active Directory.  Nice to meet you.  Who are you?

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, November 07, 2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

Ed - 

With all due respect, both posts that you've made in response to this thread
have been negative (George Carlin hasn't written anything original...  Blah,
blah...) and the fact that I mention that I should beat my admin because of
missing a backup.  How I choose to treat my employees is my business.

I'm not sure why I'm even bothering to defend myself to you.

Please.  If you have nothing of value to add - don't respond.  If you want
to be a valued member of the list - try being nice.

Or, if it's just me you don't like - filter me out of your list.

I really don't appreciate the off-handed, single thought retorts.

Who ARE you, anyway?

Rick
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Sunday, November 06, 2005 11:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

The admin is not at fault because he wasn't aware that the backup didn't
complete?  You're an awfully forgiving boss.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!T

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, November 06, 2005 7:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

Work with Exchange much?  Miss one or two backups and that volume that holds
your log files might experience this issue with no fault of the admin at
all.  (Well, except for the fact that your backup system didn't page the
person in charge to notify it didn't run...  Or, that person chose not to
respond.)

Regardless...  Poo-poo happens.  At least, now they know.

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, November 05, 2005 10:30 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

Not dumb for Microsoft; dumb for the Admin to get the drive in that
condition and need a KB to whack them upside the head.

At the end of the day... it's my responsibility for my network.  I won't be
complaining to Microsoft that they didn't warn me that bad things might
happen if I don't keep nice breathing room on my drives.





Rick Kingslan wrote:

Hmmm.  I guess I see this in a different light.  In my new, improved 
view of the way that Microsoft communicates things, no - it doesn't 
seem to be very dumb at all.  The statement and the KB, that is.

At this moment, I'm watching George Carlin's new HBO special.  He 
relates that he's always interested when it's flood season in the 
Midwest.  The same people that got flooded out last year get flooded 
out this year, repaint, re-carpet and move back in.

Next season

RE: [ActiveDir] Unreadable Netlogon.dns file

2005-11-07 Thread Rick Kingslan
joe, joe, joe. 

Believe me.  Don't DO NOT *DO NOT* call ~Eric's attention my way...

(He's my assigned handler...  AND He's GOOD at it...)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, November 07, 2005 9:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unreadable Netlogon.dns file

 ~Eric

Who ARE you, anyway?(t)




(t) - Trademark, Rick Kingslan.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, November 07, 2005 5:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unreadable Netlogon.dns file

Since you are saying the file is there but netdiag can't see it.
If I were a betting man, I would say for some reason the context under which
netdiag is running does not have perms to read the file. The code in
question does an fopen() on it with parameters rt. I suspect, though don't
know, that permissions is the likely problem. :) It usually is with other
calls such as this one.

If you want, let's take this offline. We can report back to the list with
the result.
I can debug this for you if you're willing?

~Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: Monday, November 07, 2005 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unreadable Netlogon.dns file

I have just verified that I have the latest version of Netdiag (5.2.3790.0).
As for the netlogon.dns file, I have verified it.  In fact, I renamed it,
restarted netlogon service and it recreated it correctly.

I'm running this from a terminal server session on the box itself.  I
haven't tried running it remotely.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, November 07, 2005 2:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unreadable Netlogon.dns file

I *think* there was an updated version of netdiag that came out.  It might
be useful to ensure you have the latest.

Also, have you verified that the file exists?

If neither of those relates, can you give some more information?  Are you
running this remotely from your desktop?  From the console? Same results

regardless?

Al



From: Rachui, Scott [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unreadable Netlogon.dns file
Date: Mon, 07 Nov 2005 14:20:14 -0600

I have a very odd problem.  I am testing Windows 2003 Active Directory 
(running in W2K Native Mode) and on the W2K3 DCs, I get the following 
message when running NETDIAG:

DNS test . . . . . . . . . . . . . : Failed
 [FATAL] Could not open file C:\WINNT\system32\config\netlogon.dns for reading.
 [FATAL] Could not open file C:\WINNT\system32\config\netlogon.dns for reading.
 [FATAL] Could not open file C:\WINNT\system32\config\netlogon.dns for reading.
 [FATAL] No DNS servers have the DNS records for this DC registered.

I have checked security on the 2 W2K3 DCs (which are in different 
domains, but are both experiencing this), but can't find any permission 
that they're missing.

Any help with this would be much appreciated.

Thanks!

Scott

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


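A defender-side check for the two symptoms in this thread, added here as an example and not code from the list or from Microsoft's netdiag: it opens netlogon.dns read-only under the caller's own security context (Eric's permissions theory), lists who holds read access on the file, and then looks up every record the file says Netlogon should have registered, which is the second FATAL in Scott's output. The file path, the zone-file layout of the records and the use of Resolve-DnsName from the DnsClient module are assumptions; run it on the DC itself.

```powershell
# Added example, not from the thread. Assumes PowerShell 3+ on a DC with the
# DnsClient module (Resolve-DnsName). Adjust $NetlogonDns if %windir% differs.
param(
    [string]$NetlogonDns = (Join-Path $env:windir 'system32\config\netlogon.dns')
)

function Test-NetlogonDnsReadable {
    # Open the file the way a reader would (read-only, shared read), so a
    # missing ACE for the calling account shows up here rather than in netdiag.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Readable = $false; Error = 'file not found' }
    }
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'Read')
        $fs.Close()
        return [pscustomobject]@{ Path = $Path; Exists = $true; Readable = $true; Error = $null }
    } catch {
        return [pscustomobject]@{ Path = $Path; Exists = $true; Readable = $false; Error = $_.Exception.Message }
    }
}

function Get-NetlogonDnsRecords {
    # Each line of netlogon.dns is one resource record in zone-file form, e.g.
    #   _ldap._tcp.contoso.com. 600 IN SRV 0 100 389 dc1.contoso.com.
    # (constructed sample; the real file is written by the Netlogon service).
    param([string]$Path)
    foreach ($line in Get-Content -LiteralPath $Path) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[2] -ne 'IN') { continue }   # blank or unexpected line
        switch ($f[3]) {
            'SRV'   { [pscustomobject]@{ Name = $f[0].TrimEnd('.'); Type = 'SRV';   Target = $f[7].TrimEnd('.'); Port = [int]$f[6] } }
            'CNAME' { [pscustomobject]@{ Name = $f[0].TrimEnd('.'); Type = 'CNAME'; Target = $f[4].TrimEnd('.'); Port = $null } }
            'A'     { [pscustomobject]@{ Name = $f[0].TrimEnd('.'); Type = 'A';     Target = $f[4];              Port = $null } }
        }
    }
}

function Test-NetlogonDnsRegistration {
    # For every record the DC expects to have registered, ask DNS (bypassing the
    # client cache) and require that THIS DC is among the answers, not just any DC.
    param([string]$Path)
    foreach ($r in Get-NetlogonDnsRecords -Path $Path) {
        $found = $false
        try {
            $ans = Resolve-DnsName -Name $r.Name -Type $r.Type -DnsOnly -ErrorAction Stop
            $found = switch ($r.Type) {
                'SRV'   { [bool]($ans | Where-Object { $_.NameTarget -eq $r.Target -and $_.Port -eq $r.Port }) }
                'CNAME' { [bool]($ans | Where-Object { $_.NameHost -eq $r.Target }) }
                'A'     { [bool]($ans | Where-Object { $_.IPAddress -eq $r.Target }) }
            }
        } catch {
            $found = $false   # NXDOMAIN, no such type, or no DNS server reachable
        }
        [pscustomobject]@{ Name = $r.Name; Type = $r.Type; Target = $r.Target; Registered = $found }
    }
}

# 1. Can the account running this read the file at all, and who else can?
$read = Test-NetlogonDnsReadable -Path $NetlogonDns
$read | Format-List
if ($read.Exists) {
    "Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
    (Get-Acl -LiteralPath $NetlogonDns).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}

# 2. Which of the DC's own records are missing from DNS?
if ($read.Readable) {
    $missing = Test-NetlogonDnsRegistration -Path $NetlogonDns | Where-Object { -not $_.Registered }
    if ($missing) { $missing | Format-Table -AutoSize } else { 'All netlogon.dns records are present in DNS.' }
}
```

Compare the "Running as" identity with the ACL output: if that account has no read ACE on the file, the same failure will hit any tool that opens the file under that context, netdiag included.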


RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes

2005-11-06 Thread Rick Kingslan
Work with Exchange much?  Miss one or two backups and that volume that holds
your log files might experience this issue with no fault of the admin at
all.  (Well, except for the fact that your backup system didn't page the
person in charge to notify it didn't run...  Or, that person chose not to
respond.)

Regardless...  Poo-poo happens.  At least, now they know.

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, November 05, 2005 10:30 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

Not dumb for Microsoft; dumb for the Admin to get the drive in that
condition and need a KB to whack them upside the head.

At the end of the day... it's my responsibility for my network.  I won't be
complaining to Microsoft that they didn't warn me that bad things might
happen if I don't keep nice breathing room on my drives.





Rick Kingslan wrote:

Hmmm.  I guess I see this in a different light.  In my new, improved 
view of the way that Microsoft communicates things, no - it doesn't 
seem to be very dumb at all.  The statement and the KB, that is.

At this moment, I'm watching George Carlin's new HBO special.  He 
relates that he's always interested when it's flood season in the 
Midwest.  The same people that got flooded out last year get flooded 
out this year, repaint, re-carpet and move back in.

Next season - it will be the same thing.  They just won't understand 
that if they live on the flood plain, you can't complain that Grandma 
is floating down the river with a canary on her head.

That's why we say things like:

A volume is full or almost full. Your NTFS just MIGHT have problems.

Because there are just those same folks on the Midwest flood plain that 
will call PSS really upset that their full or almost full NTFS drive 
has a problem.

I'm not saying that the people that call are stupid.  I am saying that 
most Insurance policies and contracts, as well as EULAs - have a ton of 
words and verbiage that only the well trained lawyer can understand 
because folks are just well, litigious.  And, you have to address 
the obvious because in segments of the population - the obvious - isn't.

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, November 05, 2005 11:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption 
on NTFS volumes

Is it me or is that a dumb KB?

A volume is full or almost full.

Yeah, data will start getting screwed up when you have that situation.  
In SBSland we lose our CAL licenses and other such fun things on a too 
tight drive.



Almeida Pinto, Jorge de wrote:

  

FYI

Potential file corruption problem on NTFS volumes during extensive 
stress


tests in Windows Server 2003 Service Pack 1
  

http://support.microsoft.com/default.aspx?scid=kb;en-us;909360

Cheers,
Jorge


  


 




  



RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes

2005-11-06 Thread Rick Kingslan
Ken, I agree completely. 

What I find very interesting in reading this KB is that it appears that the
problem did NOT exist pre-Windows Server 2003 SP1, and that a series of very
specific conditions need to be met.  The third seems to be the element that
makes this more unlikely to occur - The scenario involves approximately
1000 simultaneous delete, create, or extend operations on files.

What I find most interesting about this KB, and kudos to our stress team -
is it seems that we discovered this internally and that no scale of customer
impact seems to have occurred.  (I don't know this for fact to be true - I
just suspect it to be so because some of the Lists that I monitor internally
haven't notified us of a large scale impact.)

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Sunday, November 06, 2005 12:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

Frankly my expectation from a file system that's marked as being robust and
enterprise ready is that you should lose nothing if the drive is almost
full, and the file system should shut down gracefully if the drive is full,
especially in normal situations.

Sysadmins should not have to worry that they'll lose data to corruption if
the drive is almost full in the normal course of events. If you're doing
something like the extreme use cases noted in the KB article, then that's
possibly a different situation, but in that type of situation you're
probably monitoring your disks with an eagle eye anyway. Additionally,
Microsoft is correct to warn that a potential issue does exist.

Cheers
Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, 6 November 2005 3:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

Is it me or is that a dumb KB?

A volume is full or almost full.

Yeah, data will start getting screwed up when you have that situation.  
In SBSland we lose our CAL licenses and other such fun things on a too tight
drive.



Almeida Pinto, Jorge de wrote:

FYI

Potential file corruption problem on NTFS volumes during extensive stress
tests in Windows Server 2003 Service Pack 1

http://support.microsoft.com/default.aspx?scid=kb;en-us;909360

Cheers,
Jorge



RE: [ActiveDir] Raid suggestions for DC maybe OT

2005-11-06 Thread Rick Kingslan



Dan - there will likely be as many opinions on this topic 
on this list as there are knots on joe's head.

Basic rules for a DC are this (IMHO):

Mirrored (or RAID1) for OS
Mirrored (or RAID1) for DIT and Logs

You can certainly host a third mirrored pair for the logs, 
but that will mostly depend upon how BUSY your AD is and how high the 
replication traffic, changes, updates etc. that you 
experience.

If you're asking this, you most likely have a newer AD, or 
are re-architecting. In either case, I'd start with the above and then 
monitor the performance with PerfMon. Make some decisions on whether to 
ADD the third mirror based upon the I/O and performance impact of log writes vs. 
impact on the database reads/writes.

Hope this helps!

Rick [msft]

--
Posting is provided "AS IS", and confers no rights or warranties ... 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Cox
Sent: Sunday, November 06, 2005 1:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Raid suggestions for DC maybe OT

What would be the suggested RAID and partitioning 
scheme for a Domain controller.

Any suggestions are appreciated.
Thanks.

Dan Cox
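One way to check an existing DC against the layout Rick describes, added here as an example and not code from the list: it reads where NTDS keeps the DIT and the ESE log files (from the NTDS Parameters registry values the service itself uses), maps the OS, DIT and log paths to physical disks, reports any roles that share a spindle, and then samples the LogicalDisk and NTDS counters Rick suggests watching in PerfMon before deciding on the third mirror. The Storage module cmdlets (Get-Partition, Get-Disk) and Get-Counter are assumed to be available as on a 2012+ DC; controller-level RAID mirroring is below what the OS shows here.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012+ with the
# Storage module and Get-Counter; run elevated on the DC being assessed.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-DcStorageLayout {
    # OS, DIT and log locations, resolved to the physical disk each sits on.
    # "DSA Database file" and "Database log files path" are the real NTDS values.
    $p = Get-ItemProperty -Path $ntdsParams
    $items = @(
        @{ Role = 'OS';   Path = $env:SystemRoot }
        @{ Role = 'DIT';  Path = $p.'DSA Database file' }
        @{ Role = 'Logs'; Path = $p.'Database log files path' }
    )
    foreach ($i in $items) {
        $letter = ([System.IO.Path]::GetPathRoot($i.Path)).TrimEnd('\', ':')
        $part = $null; $disk = 'unknown'
        try {
            $part = Get-Partition -DriveLetter $letter -ErrorAction Stop
            $disk = (Get-Disk -Number $part.DiskNumber).FriendlyName
        } catch { }   # no Storage module, or a volume without a drive letter
        [pscustomobject]@{
            Role = $i.Role; Path = $i.Path; Volume = "${letter}:"
            DiskNumber = $part.DiskNumber; PhysicalDisk = $disk
        }
    }
}

function Get-DcStorageFindings {
    # Rick's baseline: OS on one mirror, DIT and logs on another. Anything that
    # shares a disk number with the OS, or DIT sharing with Logs, is worth a look.
    param([object[]]$Layout)
    foreach ($g in ($Layout | Group-Object DiskNumber)) {
        if ($g.Name -eq '' -or $g.Count -lt 2) { continue }
        "Roles sharing physical disk $($g.Name): $($g.Group.Role -join ', ')"
    }
}

function Measure-DcDiskLoad {
    # Average the per-volume disk counters and the NTDS read/write rates over a
    # window, so one replication burst does not decide the layout on its own.
    param([object[]]$Layout, [int]$Samples = 30, [int]$IntervalSec = 2)
    $vols = $Layout.Volume | Sort-Object -Unique
    $paths = @(foreach ($v in $vols) {
        "\LogicalDisk($v)\Disk Reads/sec"
        "\LogicalDisk($v)\Disk Writes/sec"
        "\LogicalDisk($v)\Avg. Disk sec/Write"
    })
    $paths += '\NTDS\DS Directory Reads/sec', '\NTDS\DS Directory Writes/sec'
    $data = Get-Counter -Counter $paths -SampleInterval $IntervalSec -MaxSamples $Samples -ErrorAction SilentlyContinue
    $data.CounterSamples | Group-Object Path | ForEach-Object {
        [pscustomobject]@{
            Counter = $_.Name
            Average = [math]::Round(($_.Group | Measure-Object CookedValue -Average).Average, 3)
        }
    }
}

$layout = Get-DcStorageLayout
$layout | Format-Table -AutoSize
Get-DcStorageFindings -Layout $layout
# Shorten the window for a quick look; lengthen it to cover a replication cycle.
Measure-DcDiskLoad -Layout $layout -Samples 15 | Format-Table -AutoSize
```

If the log volume's write rate and write latency stay low while DIT reads dominate, the third mirror is the one you can skip; if log writes queue up behind database I/O on a shared disk, that is the case Rick describes for adding it.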




RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes

2005-11-06 Thread Rick Kingslan
All - 

I've been informed by more than a few folks on this list that I am, for the
most part, completely and utterly wrong on this topic.

I apologize for any and all misinformation that I have conveyed, and will
refrain from posting on topics that I don't have complete and total
knowledge of the full circumstances surrounding the issue.

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, November 06, 2005 9:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

Ken, I agree completely. 

What I find very interesting in reading this KB is that it appears that the
problem did NOT exist pre-Windows Server 2003 SP1, and that a series of very
specific conditions need to be met.  The third seems to be the element that
makes this more unlikely to occur - The scenario involves approximately
1000 simultaneous delete, create, or extend operations on files.

What I find most interesting about this KB, and kudos to our stress team -
is it seems that we discovered this internally and that no scale of customer
impact seems to have occurred.  (I don't know this for fact to be true - I
just suspect it to be so because some of the Lists that I monitor internally
haven't notified us of a large scale impact.)

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Sunday, November 06, 2005 12:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

Frankly my expectation from a file system that's marked as being robust and
enterprise ready is that you should lose nothing if the drive is almost
full, and the file system should shut down gracefully if the drive is full,
especially in normal situations.

Sysadmins should not have to worry that they'll lose data to corruption if
the drive is almost full in the normal course of events. If you're doing
something like the extreme use cases noted in the KB article, then that's
possibly a different situation, but in that type of situation you're
probably monitoring your disks with an eagle eye anyway. Additionally,
Microsoft is correct to warn that a potential issue does exist.

Cheers
Ken

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, 6 November 2005 3:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

Is it me or is that a dumb KB?

A volume is full or almost full.

Yeah data will start getting screwed up when you have that situation.  
In SBSland we lose our CAL licenses and other such fun things on a too tight
drive.



Almeida Pinto, Jorge de wrote:

FYI

Potential file corruption problem on NTFS volumes during extensive 
stress
tests in Windows Server 2003 Service Pack 1

http://support.microsoft.com/default.aspx?scid=kb;en-us;909360

Cheers,
Jorge



RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes

2005-11-06 Thread Rick Kingslan
How long have you known joe?  Short version  PLEASE!
 
Rick

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Sunday, November 06, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2
DSProxy Referral Process Changes


damn... do you have a short version of this story?

  _  

From: [EMAIL PROTECTED] on behalf of joe
Sent: Sun 11/6/2005 5:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2
DSProxy Referral Process Changes


Oh I understand. I definitely understand I wasn't the only one, I don't
think it would have been fixed if it was just me. 
 
My contributions included
 
1. Debating strongly with Alliance PSS (on and offsite people).
2. Debating strongly with onsite MCS.
3. Debating strongly with Dev
4. Wrote Steve Ballmer as a concerned MVP.
5. Posted this issue (pointing out the security aspects) both in groups like
this and in the public newsgroups. (The public delegates aspect is a
security issue).
6. Reposting every single time I saw anything that related to it.
 
Initially I hit it with DLs and I got beaten down by PSS and MCS because
they said the design the company had that I worked with at the time (we will
call widget company again) was based on the idea that they didn't need DLs
so it was specifically designed without DLs in mind and had we wanted DLs
the design would have been different because they knew all about this
problem. 
 
Then several months later reports of issues with public delegates started
surfacing. I was working on some other thing at the time, I believe it was
setting up web pages to do things like short term delegation of mailbox
access so that the third level outlook people could ask to get access to a
mailbox and it would all be logged, quota management, mailbox permission
reports, conference room setup, etc. Anyway, I sat in the Friday con call
while onsite PSS discussed the issue and it sounded like the same GC issue
as I had stumbled on before. I mentioned that they would want to check that
out and verify what GCs were being talked to and redirect them to a more
appropriate GC as I had documented and shown for the DL issue before. I
didn't want to jump into it and really look at it as I always seemed to get
into some sort of trouble for finding and pointing out MS screwups and any
issues in the Exchange design. My boss loved it because it meant we fixed
something that would hurt once in production, my bosses boss hated it
because it slowed down the project he was being graded on with the execs
which was way over budget and way over timeline. 
 
Next Monday's con call they still didn't have a clue, more descriptions
still sounded like a GC issue, I said so again. Ditto Tuesday con call. On
Wednesday we had our everyone gets in one room meeting and discusses the
problems and when that problem came up I yet again pointed it out that it
really sounded like the GC issue. Either MS really didn't want it to be that
and they were looking for anything else it could be or the analysts really
had no clue what they were looking at. I expect the latter. I told my friends
in MCS that the PSS guy was screwing this up and they needed to birddog him
because he was going to make MS look like idiots again. They said they
couldn't for some reason or another. 
 
Thurs con call same issue, no progress. Thurs around 6PM when I was settling
into the lab to get some serious work done[1] I got grabbed by one of our
third level Outlook folks (a good friend) who was working the issue[2] and
she said I had no choice as she would kick my butt and that she was making
me work on that issue. Within 15 minutes I proved that what I had said the
previous Friday was the issue and also learned about how badly Outlook
handled the issue in that if you removed a public delegate it would
disappear from the list because it was removed from the store but was still
in AD so it was still active and outlook never showed an error message and
from then on showed the value incorrectly so someone had permissions to send
on behalf of that were not shown unless you looked directly at the directory
(security issue). 
 
MS PSS reported again in the Friday con call that they had no idea and they
were bumping the issue to Sev-A to get ROSS onsite to do a debug and I
waited until the TAM was completely done with what she wanted to say and
then said, the issue is the GC issue. MS said, no it wasn't, they couldn't
confirm that. Then I said that I knew absolutely it was the issue. The
people on the call knew me long enough not to question when I said
absolutely versus it should be checked or it appears or possibly. So the
following week we had the same meetings we had from several months ago only
I was holding the hammer and I was bringing up everything MS had said
previously about the design and so I asked the obvious question of were 

RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes

2005-11-05 Thread Rick Kingslan
Hmmm.  I guess I see this in a different light.  In my new, improved view
of the way that Microsoft communicates things, no - it doesn't seem to be
very dumb at all.  The statement and the KB, that is.

At this moment, I'm watching George Carlin's new HBO special.  He relates
that he's always interested when it's flood season in the Midwest.  The same
people that got flooded out last year get flooded out this year, repaint,
re-carpet and move back in.

Next season - it will be the same thing.  They just won't understand that if
they live on the flood plain, you can't complain that Grandma is floating
down the river with a canary on her head.

That's why we say things like:

A volume is full or almost full. your NTFS just MIGHT have problems.

Because there are just those same folks on the Midwest flood plain that will
call PSS really upset that their full or almost full NTFS drive has a
problem.

I'm not saying that the people that call are stupid.  I am saying that most
Insurance policies and contracts, as well as EULAs - have a ton of words and
verbiage that only the well trained lawyer can understand because folks are
just well, litigious.  And, you have to address the obvious because in
segments of the population - the obvious - isn't.

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, November 05, 2005 11:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on
NTFS volumes

Is it me or is that a dumb KB?

A volume is full or almost full.

Yeah data will start getting screwed up when you have that situation.  
In SBSland we lose our CAL licenses and other such fun things on a too tight
drive.



Almeida Pinto, Jorge de wrote:

FYI

Potential file corruption problem on NTFS volumes during extensive stress
tests in Windows Server 2003 Service Pack 1

http://support.microsoft.com/default.aspx?scid=kb;en-us;909360

Cheers,
Jorge


This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

  



[ActiveDir] ADMap request fulfillments...

2005-10-22 Thread Rick Kingslan
All - 

I want to apologize to all those that have been patiently waiting for the
ADMap that I promised.  It is going to be sent out today.  

Let's just say that closing out my current project became more hectic than
it first appeared.  However, I have a slew of names that wanted the tool,
and I'm quite pleased at the response.

I'll have one mass e-mail going out this afternoon to everyone (well,
everyone who requested it...  Let's not get TOO crazy), and I'll pick up
those later (I'm out of town until Saturday late) that are still straggling
in.  I will continue to fulfill requests as long as I can.

Rick [msft]

--
Posting is provided AS IS, and confers no rights or warranties ...
 



RE: [ActiveDir] BIND on Linux

2005-10-18 Thread Rick Kingslan
Peter,

Though it may appear that I have a vested interest in keeping you on our OS,
those that know me know that if a reasonable argument is presented - I will
assist in the migration for our customers.  It's simply good practice and
good relations.

Typically, when I hear that a customer wants to move from Windows DNS to
BIND, there is a reason.  I'm interested in yours, and will provide guidance
in kind.

If it's Politically motivated (and you're not the instigator) I think that
we can help you with the case to stay the course.  Again - there has to be a
reason.  Management doesn't make decisions lightly (in most cases...).  Did
someone just get to Gartner (which there is a big Symposium going on this
week) and pull a 'hey...  Gartner says...'  Those are always fun to shoot
down.

If the issue is of cost - it's not a good one, and I can provide the reasons
for why this move will cost more.  

If it's inter-operability with other BIND implementation, again - I can
provide the reasons for why this might not be a good move. 

If it's Security - let's talk about how to lock down the OS.  If it's simply
security, Linux is not the answer.

If it is that this server is going in the DMZ for external serving of DNS -
let's talk about the benefits of getting you there.

I, like the rest of this group, want to find out why you want to move your
DNS to BIND.  Make no mistake - Active Directory works best with Microsoft
DNS.  Every implementation I have done otherwise has had problems.  Not
insurmountable, but your BIND Admins have to learn a whole new set of skills
to handle those damn Windows Machines.

As to answering your questions:

1.  Very viable (again, given the caveat that Windows DNS works best when
dealing with MS clients and Active Directory - BIND requires some added care
and feeding.  As to scalability - BIND is as scalable as anything else.  It
carries less overhead, if it's the only daemon serving off of the system.
Scale for BIND is width, not depth, but you can grow a box to meet the
requirements, which are more request query (read) oriented, and write with
updates from other DNS.

2.  Versions used have been 4.x on up through 9. (whatever the latest
version of 9 is/was)  If for Active Directory, Must be greater than 8.2
(for DDNS support)

3.  Because MS-DNS and BIND use two different methods of doing secure
updates (authN to the actual box for confirming I can re-write the record or
enter a new one) the issue of secure updates isn't even in the picture.  To
me, it's a low to medium risk issue.  It all depends where you're going to
use it and how well the rest of the box is secured.  Windows DNS with its
secure updates may not be as secure as most admins think - security begins
at the OS, not the DNS service level.

4. Gotchas...  Huh.  Biggest one I've already mentioned.  MS DNS works best
WITH Active Directory.  MS DNS works great with BIND as a peer or (in the
typical hierarchical DNS structure) parent DNS.  Forwarding, conditional,
stub zones - they all work extremely well, and IMHO - surpass BIND in
capability.  There is (not to my knowledge at least) a good interface for
BIND.  Seems that most BIND admins are pretty much at home with Vi and Lint
or Dig.  (Funny, though - if someone is so hardcore that they want to do
that on Windows - they can)  All of these tools exist for use on MS DNS
as well.  Most shops dedicate ~50% of a resource's time to managing BIND.
I'd spend, typically 30 minutes daily checking logs and adding static
requests for servers that required such.

So, there you have what I can skim off the top of my head.  Again - toss
your reasons for wanting to do this.  I'm sure many of us are quite curious.


Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Tuesday, October 18, 2005 2:22 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] BIND on Linux

I would be interested to hear from people who have migrated Windows DNS to
Linux.
I am aware of the basic issues (need for DDNS and service records.)

I am particularly interested in:
1) Viability and scalability
2) Versions used and recommended
3) Security ramifications due to lack of secure updates
4) Gotchas or other ramifications.


Regards

Peter Jessop


RE: [ActiveDir] DC replication

2005-10-18 Thread Rick Kingslan



There are a number of ports (TCP and UDP) that must be available for full
communication from DC to DC to succeed. Likely one or more of these are
blocked, and a ping is great for basic connectivity only.

From both sides of the VPN, run DCDIAG /v > dcdiag.log and NETDIAG /v > netdiag.log.

Send those back to us on the list and we'll help you through.

As a quick test, try telnet <name or IP of DC> 389, where <name or IP of DC>
is the DC on the other side of the VPN. Do this from both sides. This is just
one of the ports that you need. Another would be 445.

Rick [msft]

--
Posting is provided "AS IS", and confers no rights or warranties ...


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Williams
Sent: Tuesday, October 18, 2005 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC replication

We just installed a server offsite. It is connected 
by VPN through a PIX 525 and a PIX 501. After installing it, it was decided that 
it needs to be a domain controller. Ran dcpromo on it and there were no errors 
reported. The problem I have with it now is that it seems to be replicating in 
one direction only.

All DC's running 2000 server.

Active Directory Sites & Services on DC01 and 
DC02 has all 3 servers listed. DC01 and DC02 do not show any entries in the NTDS 
settings for DC03. DC03 shows the correct entries for all 3 servers. If I 
manually add a new active directory connection from DC01 or DC02, it shows all 3 
of the DC's in the selection box. After 
adding it and selecting replicate now, I receive the RPC server is unavailable 
error.

That error refers to DNS errors. I can ping 
by name to all DC's. Are there other tests I need 
to run to check DNS?

Repadmin shows correct inbound and outbound 
neighbors on DC01 and DC02. DC03 shows correct inbound neighbors, but no 
outbound neighbors.
DC01 - Main domain controller at main office
DC02 - Secondary domain controller at main office
DC03 - New domain controller at offsite location, VPN connection

Thanks in advance

Mike
Michael P. Williams Information Technology Carlyle Van Lines (660) 747-8128 X 
3816 [EMAIL PROTECTED] www.carlylevanlines.com 
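The port check in the reply above, widened to the full set of fixed TCP ports a DC-to-DC conversation needs, as an added PowerShell example (this is not code from the original thread). It is meant to be run from both sides of the VPN, once per partner, exactly as the reply asks for the single `telnet <DC> 389` test; the peer name is a placeholder.

```powershell
# Added example, not code from the original thread. Probes the fixed TCP ports
# a DC-to-DC conversation relies on against one replication partner. Run it on
# DC01 against DC03 and again on DC03 against DC01. Peer name is a placeholder.
param(
    [string]$PeerDc = 'DC03',      # placeholder: the DC on the far side of the VPN
    [int]$TimeoutMs = 3000
)

# The RPC dynamic port range (above 1024 on Windows 2000/2003) is needed as
# well but cannot be covered by a single fixed-port probe; reaching the
# endpoint mapper on 135 and then failing on the dynamic port is the classic
# "The RPC server is unavailable" from the question.
$Ports = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL and NETLOGON shares)'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog'
}

function Test-DcPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A firewall that silently drops the SYN shows up as a timeout;
        # a closed port on the DC itself is refused and throws from EndConnect.
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'timeout' }
        $client.EndConnect($handle)
        return 'open'
    } catch {
        return 'refused'
    } finally {
        $client.Close()
    }
}

# Name resolution is a precondition: "RPC server is unavailable" is very often
# a DNS problem rather than an RPC one, so report it separately.
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($PeerDc) | ForEach-Object { $_.IPAddressToString }
    Write-Host "Resolved $PeerDc -> $($addresses -join ', ')"
} catch {
    Write-Warning "$PeerDc does not resolve by name; fix DNS before reading the port results."
}

$Results = foreach ($port in $Ports.Keys) {
    [pscustomobject]@{
        Peer    = $PeerDc
        Port    = $port
        Service = $Ports[$port]
        State   = Test-DcPort -ComputerName $PeerDc -Port $port -TimeoutMs $TimeoutMs
    }
}
$Results | Format-Table -AutoSize

# Anything other than 'open' is the first thing to fix before reading dcdiag
# output: 'timeout' points at the PIX rule set, 'refused' at the DC itself.
```

Because each probe uses a raw TcpClient rather than Test-NetConnection, it runs on any PowerShell version and distinguishes a firewall drop (timeout) from a closed port (refused), which tells you whether to look at the PIX or at the DC.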



RE: [ActiveDir] DNS Problem please help

2005-10-18 Thread Rick Kingslan



If your DNS is not answering for the domain that AD lives 
in, then yes - your replication will not work.

1. If you go to the DNS applet, do you have a DNS 
Forward zone created for your domain?
2. If the domain is there, what is in the DNS 
zone? Are there other 'folders' inside, or just DNS name to IP 
records?
3. Stop NETLOGON - wait 30 seconds. Start 
NetLogon. This will re-register missing AD records.

If none of the above seem correct, from the Server disk in 
the Support/Tools directory, install the support tools. We will need a 
DCDIAG /V and NETDIAG /V written out to a log file. Paste those to your 
message and we will review.

Rick [msft]

--
Posting is provided "AS IS", and confers no rights or warranties ...


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Tuesday, October 18, 2005 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS Problem please help

Hi All,

Need your help for troubleshooting my DNS Server which is also my DC.

I have an ADC also which is working fine but unfortunately DNS is not 
updated.
Current scenario is:

Nslookup says: primary DNS non-existent domain.

Event Viewer says: replication is not working for me.


Please help, what should I check to resolve the issue? If any further 
information is required please revert ASAP.
RD
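Steps 1 to 3 of the reply above, scripted so they can be run on the DC itself, as an added PowerShell example (not code from the original thread). It assumes the DNS Server and DnsClient modules are present, and the domain name is a placeholder; nothing is restarted unless `-ReRegister` is given.

```powershell
# Added example, not code from the original thread. Checks that the forward
# zone for the AD domain exists, that it holds the DC locator (SRV) records,
# and, on request, re-registers missing records by restarting NETLOGON.
param(
    [string]$Domain = 'corp.example',    # placeholder for your AD DNS domain name
    [string]$DnsServer = 'localhost',    # the DC/DNS server that should be authoritative
    [switch]$ReRegister                  # only restart NETLOGON when asked to
)

# Step 1: the forward lookup zone must exist on this server.
$zone = Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue
if (-not $zone) {
    Write-Warning "No forward lookup zone named $Domain on this server; create it before anything else."
} else {
    Write-Host "Zone $Domain : DsIntegrated=$($zone.IsDsIntegrated) DynamicUpdate=$($zone.DynamicUpdate)"
}

# Step 2: the 'folders' inside the zone are the _msdcs/_sites/_tcp/_udp
# subdomains holding these locator records. Without them partners and clients
# cannot find the DC, which surfaces as replication and logon failures.
$LocatorRecords = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain",
    "_gc._tcp.$Domain"
)

function Get-LocatorTargets {
    param([string]$Name, [string]$Server)
    try {
        $answers = Resolve-DnsName -Name $Name -Type SRV -Server $Server -ErrorAction Stop
        return @($answers | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget })
    } catch {
        return @()
    }
}

function Test-LocatorRecords {
    # Prints one line per record and returns the names that had no SRV answer.
    param([string[]]$Names, [string]$Server)
    $missing = @()
    foreach ($name in $Names) {
        $targets = Get-LocatorTargets -Name $name -Server $Server
        if ($targets.Count -eq 0) { $missing += $name; Write-Host "MISSING  $name" }
        else { Write-Host "OK       $name -> $($targets -join ', ')" }
    }
    return $missing
}

$missing = @(Test-LocatorRecords -Names $LocatorRecords -Server $DnsServer)

# Step 3: NETLOGON registers the records listed in
# %SystemRoot%\System32\config\netlogon.dns every time it starts.
if ($missing.Count -gt 0 -and $ReRegister) {
    Restart-Service -Name Netlogon -Force
    Start-Sleep -Seconds 30
    $stillMissing = @(Test-LocatorRecords -Names $missing -Server $DnsServer)
    if ($stillMissing.Count -gt 0) {
        Write-Warning "Records still missing after re-registration: check the zone's dynamic-update setting and the DC's own DNS client address, then collect DCDIAG /V and NETDIAG /V as the reply asks."
    }
}
```

If the records are still missing after the restart, the usual culprits are a DC whose NIC points at an outside resolver instead of itself, or a zone with dynamic updates turned off; both are visible in the first two lines this prints.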


RE: [ActiveDir] BIND on Linux

2005-10-18 Thread Rick Kingslan
OK.  It makes more sense.

1.  Are you moving away from Active Directory to NIS?  If not, keeping
DNS on Windows is a zero cost / zero impact issue.  If it's AD integrated,
then the cost is nil.  It's a no cost part of the DC package.

2.  DNS on a Windows server as the primary system does invoke cost in this
case.  AD integrate everything that controls the INTERNAL DNS.  Allow the
external facing accept forwarding from the Windows DNS that is serving the
internal servers and workstations.

3.  If this primary factor is cost, and only cost - that's a political
battle that is hard to win.  I would look to your Microsoft resources to
help you cost justify our products.

Is this in EU?  Harder battle, I have to add.  Interesting comment on the
database (Oracle especially...) thing.  What are you replacing SQL with? 

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Tuesday, October 18, 2005 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] BIND on Linux

I work in an IT department of an autonomous government ministry. I actually have
no wish to move DNS to Linux as it works perfectly OK as it is. At the
moment it is integrated.

The reason I am asking this question is that now it is the policy to move to
Open Source wherever possible. Thus HP-UX will move to Linux, MS office will
move to Open Office etc.

I don't know the reasons why. They want to cut costs but have not done a
cost analysis of the change. Curiously no Open Source alternatives are being
considered to replace Oracle.

Another problem is that the Windows network services function really well,
give very few problems and so have become invisible.

There is no particular advantage to moving DNS to Linux. It will not save
licenses in itself. It is simply that I have to analyse service by service
the implications and possibilities of moving to Open Source.

I am not as extremely specialised. With one coworker I manage about 20
windows servers plus administration policy on 1500 workstation distributed
in about 80 buildings. Along with AD we have to manage a mixture of Oracle,
SQL Server, Exchange, Cluster Services, SANs, Backups, Documentation, AV
etc... along with a fair bit of scripting due to lack of management tools. I
have no idea how typical this is as I am fairly isolated here. This list is
a lifeline to someone in my position.

I am only just beginning to think about all this as I was informed of this
today. I thought the DNS move might be fairly simple but was concerned about
the security implications of non secure updates and was wondering if there
are ways to avoid an internal hacker screwing up the database. I also
wondered what versions of Linux people were using to get DNS services and
any experience or advice they could give me on such a move.
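An audit of the two settings this exchange turns on, as an added PowerShell example (not code from the original thread): zones that accept unauthenticated dynamic updates, which is the "internal hacker screwing up the database" risk Peter raises, and zones that are not AD-integrated, which is what Rick's "AD integrate everything that controls the INTERNAL DNS" is about. It assumes the DNS Server PowerShell module on a Windows DNS server and is read-only unless `-Fix` is passed.

```powershell
# Added example, not code from the original thread. Lists primary zones on a
# Windows DNS server with their dynamic-update mode and AD-integration state,
# and optionally tightens NonsecureAndSecure zones to Secure.
param([switch]$Fix)

function Get-ZoneFindings {
    # Primary zones only; auto-created, secondary and stub zones are not updated here.
    $zones = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }
    foreach ($z in $zones) {
        $issues = @()
        # NonsecureAndSecure: any host that can reach port 53 can overwrite any
        # record, _msdcs SRV records included, with a plain UPDATE packet.
        # Secure: the update must be authenticated (GSS-TSIG) and the caller must
        # hold write access on the record; only available on AD-integrated zones.
        switch ($z.DynamicUpdate) {
            'NonsecureAndSecure' { $issues += 'accepts unauthenticated dynamic updates' }
            'None'               { $issues += 'dynamic updates off (DCs cannot register SRV records)' }
        }
        if (-not $z.IsDsIntegrated) { $issues += 'file-backed zone, not AD-integrated' }
        [pscustomobject]@{
            Zone          = $z.ZoneName
            DynamicUpdate = $z.DynamicUpdate
            DsIntegrated  = $z.IsDsIntegrated
            Issues        = ($issues -join '; ')
        }
    }
}

$findings = @(Get-ZoneFindings)
$findings | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in ($findings | Where-Object { $_.DynamicUpdate -eq 'NonsecureAndSecure' })) {
        if (-not $f.DsIntegrated) {
            # Secure-only is not available on a file-backed zone; it has to be
            # converted to AD-integrated first, which is a planned change rather
            # than something an audit script should do on its own.
            Write-Warning "$($f.Zone): convert to AD-integrated before enabling secure-only updates"
            continue
        }
        Set-DnsServerPrimaryZone -Name $f.Zone -DynamicUpdate Secure
        Write-Host "$($f.Zone): dynamic updates set to Secure"
    }
}
```

The BIND side of the same question is the `allow-update { any; }` statement, which is the equivalent of NonsecureAndSecure; the hardened form is an `update-policy` that grants updates only to named TSIG keys or, for AD clients, to Kerberos principals via GSS-TSIG, which is the difference in method Rick's point 3 refers to.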


RE: [ActiveDir] AD/DNS BPA?

2005-10-16 Thread Rick Kingslan
Huh.  That doesn't appear to be _US_  I wonder if the Engineering
Services group knows that a third party (Partner at that) is advertising
these services.

Honestly, I didn't think that we farmed those services out

Checking.

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, October 15, 2005 1:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD/DNS BPA?

Microsoft AD Health Check:
http://www.systems-group.net/En/Consultancy+Services/Solutions/Microsoft+AD+
Health+Check.htm

Looks like it's talked about here too

Dean Wells wrote:

Ooops ... my apologies :O(

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Friday, October 14, 2005 10:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/DNS BPA?

Boo, hiss.  It's Engineering Services that offers it, not MCS.  ;

  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, October 13, 2005 11:22 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] AD/DNS BPA?

The tool I spoke about in confidence with Tony (just teasing
;o) is an offering from MCS known as the ADHC or AD Health Check ... 
it is a nicely shrink-wrapped series of powerful interrogation 
scripts/tools that, when compiled by someone sufficiently trained, 
produces a very detailed configuration breakdown, useful 
recommendations and/or general mis-configurations.  As I understand 
it, it is available exclusively via an MCS engagement.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, October 11, 2005 7:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/DNS BPA?

I find DNSlint to be pretty good, but obviously limited in scope.  I 
think Dean mentioned to me recently that PSS have a tool that provides 
BPA-like functionality.  It sounded like the output might be a little 
too complicated to make it publicly available.

Perhaps Dean has more info on this (assuming it's not under NDA)?

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 12 October 2005 2:58 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/DNS BPA?

The tools are there, but the interpretation is sometimes lacking <G> 
I've been told that several companies are currently offering health 
checks, but I haven't tested any of them.

As for Microsoft tools, I'm a fan of using dcdiag and netdiag right 
after scanning the event logs.  That'll give me an idea of where to 
focus more effort if needed. Most of what I want to know is going to 
show up there without having to do too much waving of the magic wand.
There are some additional tools, but they get used after these two 
steps in my normal approach. That'll indicate whether or not I have to 
dig deeper.
Some other tools such as repadmin are useful as well. And there was a 
tool, SPA that could be helpful in some situations depending on what 
you want to know.

I haven't seen an AD BPA though.  Be interesting to see one. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan 
Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 11, 2005 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD/DNS BPA?


lurk mode off

Stupid question... okay we have Exchange Best practices analyzer 
right?
http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx
 
I know you guys don't like GUI...but besides DNSlint, dnsdiag, 
Sysinternals, Joeware stuff and such things... is there currently 
enough tools in your bag'o'tricks to ensure DNS/AD is set up right?
Do you guys have a tool that you consider 'the' DNS/AD BPA and if so 
what is it?

Or is AD/DNS health review like security log reviews/dump files where 
it's an art and not a science?

And feel free to lob 'SBS could run on ipx/spx' comments my way as 
well.

;-)

lurk mode back on

--

Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


RE: [ActiveDir] AD/ Sites Services

2005-10-16 Thread Rick Kingslan
Simple and most forward answer is to create two sites - one for each
location, with associated subnets assigned to each site.

The longer answer is related to how many users in each site, how fast (in
AVAILABLE THROUGHPUT) is the connection between, and are you intending to
put at least one DC in each physical location.

So, hopefully more answers are forthcoming

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rania
Sent: Saturday, October 15, 2005 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD/ Sites & Services

Dear All, 

I have here in my company 2 separate locations; the first one is the Head
Office, the second one is the Private Office. 

The head office has one single network with this range of IP addresses
(70.0.0.X / 255.255.255.0). 

We have wireless point-to-point between the 2 locations. 

The private office also has one single network with the same range of
IP addresses as the head office, which is (70.0.0.X / 255.255.255.0). 

All of them are under a workgroup, and no domains at all.
--
--
What we need is to create a domain and to provide users with
authentication from the domain by using user name & password. 
- 

My question is here, I am really getting confused, what should I follow: 

1- Should I follow a single site for the 2 locations, where each site will be
represented by a subnet, so I will have 2 subnets in one site?

Or 

2- Should I follow multiple sites with one subnet at least in each site, and
each site will represent the location itself? 

I really get confused. 

As I know the site is used for replication, so I want to simplify the
replication itself.

CAN ANY ONE GUIDE ME TO THE BEST OF IT.

Best Regards,
RANIA SAMEER.
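The two-site layout Rick's reply recommends, built with the ActiveDirectory module, as an added PowerShell example (not code from the original thread). Site names, the second subnet and the link parameters are placeholders. It assumes the two offices sit on distinct subnets: an AD subnet object belongs to exactly one site, so the two locations cannot be split into two sites while both use 70.0.0.0/24 as the question describes; one office has to be renumbered first.

```powershell
# Added example, not code from the original thread. Creates one site per
# location, assigns a subnet to each, and links them. Requires the
# ActiveDirectory module (RSAT / Windows Server 2012 or later) and rights to
# write the Sites container. Names and the second subnet are placeholders.
Import-Module ActiveDirectory

$Sites = @(
    @{ Name = 'HeadOffice';    Subnet = '70.0.0.0/24'; Description = 'Head office LAN (range from the question)' }
    @{ Name = 'PrivateOffice'; Subnet = '70.0.1.0/24'; Description = 'Private office LAN (placeholder: must differ from head office)' }
)

foreach ($s in $Sites) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($s.Name)'")) {
        New-ADReplicationSite -Name $s.Name -Description $s.Description
    }
    # A subnet maps to exactly one site; this is what makes clients and DCs
    # in the private office prefer local resources once a DC is placed there.
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($s.Subnet)'")) {
        New-ADReplicationSubnet -Name $s.Subnet -Site $s.Name
    }
}

# One site link across the wireless point-to-point connection. Cost and
# interval only matter once each site has its own DC; the reply's question
# about available throughput is what decides the interval.
$LinkName = 'HeadOffice-PrivateOffice'
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$LinkName'")) {
    New-ADReplicationSiteLink -Name $LinkName -SitesIncluded 'HeadOffice', 'PrivateOffice' `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# The first DC lands in Default-First-Site-Name; move it into its real site
# (placeholder DC name) so clients on the head office subnet find it locally.
# Move-ADDirectoryServer -Identity 'DC01' -Site 'HeadOffice'

# Verify the subnet-to-site mapping that the KCC and the DC locator will use.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```

Until the second site has a DC of its own, the site split changes nothing about replication; what it does change immediately is which DC the private-office workstations are steered to by the locator, which is why getting the subnet assignment right comes before any site-link tuning.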


RE: [ActiveDir] AD/DNS BPA?

2005-10-16 Thread Rick Kingslan
Yes, they (we) do.  I'll check into them and give you an overview of what
they do  If I can, to be more correct.

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, October 11, 2005 9:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/DNS BPA?

I find DNSlint to be pretty good, but obviously limited in scope.  I think
Dean mentioned to me recently that PSS have a tool that provides BPA-like
functionality.  It sounded like the output might be a little too complicated
to make it publicly available. 

Perhaps Dean has more info on this (assuming it's not under NDA)?

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 12 October 2005 2:58 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/DNS BPA?

The tools are there, but the interpretation is sometimes lacking G I've
been told that several companies are currently offering health checks, but I
haven't tested any of them.  

As for Microsoft tools, I'm a fan of using dcdiag and netdiag right after
scanning the event logs.  That'll give me an idea of where to focus more
effort if needed. Most of what I want to know is going to show up there
without having to do too much waving of the magic wand.
There are some additional tools, but they get used after these two steps in
my normal approach. That'll indicate whether or not I have to dig deeper.
Some other tools such as repadmin are useful as well. And there was a tool,
SPA that could be helpful in some situations depending on what you want to
know. 

I haven't seen an AD BPA though.  Be interesting to see one. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, October 11, 2005 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD/DNS BPA?


lurk mode off

Stupid question... okay we have Exchange Best practices analyzer right?
http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx
 
I know you guys don't like GUI...but besides DNSlint, dnsdiag, Sysinternals,
Joeware stuff and such things... is there currently enough tools in your
bag'o'tricks to ensure DNS/AD is set up right?  Do you guys have a tool that
you consider 'the' DNS/AD BPA and if so what is it?

Or is AD/DNS health review like security log reviews/dump files where it's
an art and not a science?

And feel free to lob 'SBS could run on ipx/spx' comments my way as well.

;-)

lurk mode back on

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
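The triage order Al describes above (read the event logs first, then dcdiag, then replication) as a small PowerShell script; this is an added example, not one of the Microsoft tools discussed in the thread and not a BPA. It assumes it runs against a Windows Server 2008 or later DC (netdiag was dropped after Windows Server 2003, so it is not called), and the log names, time window and DC name are assumptions to adjust.

```powershell
# Added example: first-pass AD/DNS health triage in the order described above:
# scan the event logs for errors, then run dcdiag in quiet mode, then look at
# replication. It only collects what a person would otherwise read by hand.
# Log names, the time window and the DC name are assumptions.
param(
    [string]$DomainController = $env:COMPUTERNAME,  # assumed: run on a DC
    [int]$HoursBack = 24
)

# Step 1: criticals and errors from the logs that matter for AD and DNS.
# Level 1 = Critical, 2 = Error. Logs that do not exist here (no DNS role) are skipped.
$since  = (Get-Date).AddHours(-$HoursBack)
$logs   = 'Directory Service', 'DNS Server', 'DFS Replication', 'System'
$events = foreach ($log in $logs) {
    Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = $log; Level = 1, 2; StartTime = $since }
}

# Summarise by source and event ID: count, last occurrence and the first line of
# the message, most frequent first, so the noisiest problem is at the top.
$summary = $events |
    Group-Object -Property ProviderName, Id |
    ForEach-Object {
        [pscustomobject]@{
            Source = $_.Group[0].ProviderName
            Id     = $_.Group[0].Id
            Count  = $_.Count
            Last   = ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated
            Sample = ($_.Group[0].Message -split "`r?`n")[0]
        }
    } | Sort-Object Count -Descending
$summary | Format-Table -AutoSize

# Step 2: dcdiag /q prints only failures, so any output at all is a finding.
$dcdiag = & dcdiag.exe "/s:$DomainController" /q 2>&1
if ($dcdiag) { 'dcdiag reported problems:'; $dcdiag } else { 'dcdiag: no failures reported' }

# Step 3: replication state on one screen; non-zero fail counts are what to chase.
& repadmin.exe /replsummary $DomainController
```

The script deliberately stops at collection: as Al says, the tools are there and the interpretation is the hard part, so the output is meant to tell you where to dig, not to grade the forest.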


RE: [ActiveDir] salary(OT)

2005-10-16 Thread Rick Kingslan
Oh, and given a bit to think.

You asked Dean - but you didn't ask me.  Huh.  NOW I know where *I*
stand.  In your mind, off the edge, if Dean was just right at  ;-)

Rick 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Hey I needed to maintain a certain quality 

Did you send something to Robbie to say you wanted to review it? In the end
we were begging for reviewers, I even took Dean as a reviewer and you know
the edge I had to be on for that He kept wanting to spell words wrong.
Eventually I just took out all references to the words color, humor, and
other or words.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, October 14, 2005 7:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe said: Again, the reviewers did a fantastic job.

Of which, you will all notice when the book comes out, I am _NOT_ one of
those reviewers.

joe said: They kept me honest

Which is one of the reason _WHY_ I was not one of those reviewers

Rick

P.S.  Hey, joe  :op

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Not out yet, I am expecting Mid November or Early December. I sent an email
to see if I can find out. 

The book is NOT written in my voice, I tried as best as possible to maintain
the voice that was there. I simply revised it though I did add a Chapter on
ADAM and a chapter on some basic Exchange/AD Scripting. If you have the
first or second edition I think you will find this edition worthy of picking
up even if you don't have Windows Server 2003 SP1 or R2. I tried fleshing
out and changing anything I didn't feel was right. Also the reviewers all
did a bangup job finding things I missed. I admit I didn't sleep much in
August or September. Tony may have noticed a lull in the list volume, me
working on that book saved at least 2 bazillion helpless bits from being
sacrificed.

I learned that revising a book may actually be harder than writing a book
from scratch and you get paid less. Well maybe it is depending on if you
know what you want to write about. With revising you can't just write, you
have to read, reread, write, reread, write, reread, tweak, reread. When you
change the flow and feel and voice it is like hitting a brick wall when
reading. I am sure I didn't get rid of all of the bricks but I certainly
tried to knock the walls down to a point where you can step over them
without too much trouble. Anyway, I spent less time writing the ADAM chapter
than I spent updating the security chapter. I know now that I probably
should have just rewritten from scratch and it would have gone faster. Oh
well, live and learn or don't live long.

Again, the reviewers did a fantastic job. They kept me honest when I tried
to skip over some stuff when I got tired and I thank them profusely. I tried
to do them justice in the small space provided to me for acknowledgements.
Those are the things people tend not to look at at the front of the book. I
do ask that if you pick up the book, you do look. Those, folks, deserve,
the: attention.


  joe





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe,  Active Directory Third Edition
What is this?  Where is it?

RH
_

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)


I would not be surprised. I know this list has become quite popular and for
good reason. It is one of the few places where I learn things that I don't
stumble over myself. Many times I learn things when people make random
comments about their environment which kicks a realization in myself on how
something probably works in the backend. It is pretty cool. 

On the downside sounds like my total sales on Active Directory Third Edition
will be in the area of 2000 copies which isn't going to buy me a 100ft ocean
ready cruiser. ;o)

Understood on posting the lurker list. On top of the spammers, I am sure
some lurkers would not be happy to be out-ed like that. I don't have an
issue with lurkers myself. In fact I would love to hear we have some 25000
lurkers, it means a lot of people are getting a lot of good info. 


 Everyone has to send me 25% of their income. It's only fair really.

Does the postal service even deliver to NZ?


   joe

P.S. So now I am feeding everyone? No wonder my pantry is empty! 


 

-Original Message-
From

RE: [ActiveDir] salary(OT)

2005-10-16 Thread Rick Kingslan
Dropping thread...

-r 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, October 16, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

I didn't ask Dean. I would not have asked Dean. I know how busy he is and
wouldn't want to use our friendship to guilt him into allowing me to steal
him away from money making endeavours. Instead I figured I would needle him
with one-offs as I hit them and be thankful for the responses. In the end he
wasn't able to proof the whole thing, only parts of it. But the parts he did
proof of the older material I ended up having to correct a bunch of stuff.
He pointed out AD Replication terms and such that the only google hits on
were in reference to the book itself. That IM conversation spawned a 90
minute phone call with him and you know how much I hate phones and how much
Dean and I can cover in 10 minutes and we had to chop it off at 90 minutes
because we both had to be somewhere else. Obviously, I had to change it.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, October 16, 2005 8:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Oh, and given a bit to think.

You asked Dean - but you didn't ask me.  Huh.  NOW I know where *I*
stand.  In your mind, off the edge, if Dean was just right at  ;-)

Rick 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Hey I needed to maintain a certain quality 

Did you send something to Robbie to say you wanted to review it? In the end
we were begging for reviewers, I even took Dean as a reviewer and you know
the edge I had to be on for that He kept wanting to spell words wrong.
Eventually I just took out all references to the words color, humor, and
other or words.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, October 14, 2005 7:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe said: Again, the reviewers did a fantastic job.

Of which, you will all notice when the book comes out, I am _NOT_ one of
those reviewers.

joe said: They kept me honest

Which is one of the reason _WHY_ I was not one of those reviewers

Rick

P.S.  Hey, joe  :op

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Not out yet, I am expecting Mid November or Early December. I sent an email
to see if I can find out. 

The book is NOT written in my voice, I tried as best as possible to maintain
the voice that was there. I simply revised it though I did add a Chapter on
ADAM and a chapter on some basic Exchange/AD Scripting. If you have the
first or second edition I think you will find this edition worthy of picking
up even if you don't have Windows Server 2003 SP1 or R2. I tried fleshing
out and changing anything I didn't feel was right. Also the reviewers all
did a bangup job finding things I missed. I admit I didn't sleep much in
August or September. Tony may have noticed a lull in the list volume, me
working on that book saved at least 2 bazillion helpless bits from being
sacrificed.

I learned that revising a book may actually be harder than writing a book
from scratch and you get paid less. Well maybe it is depending on if you
know what you want to write about. With revising you can't just write, you
have to read, reread, write, reread, write, reread, tweak, reread. When you
change the flow and feel and voice it is like hitting a brick wall when
reading. I am sure I didn't get rid of all of the bricks but I certainly
tried to knock the walls down to a point where you can step over them
without too much trouble. Anyway, I spent less time writing the ADAM chapter
than I spent updating the security chapter. I know now that I probably
should have just rewritten from scratch and it would have gone faster. Oh
well, live and learn or don't live long.

Again, the reviewers did a fantastic job. They kept me honest when I tried
to skip over some stuff when I got tired and I thank them profusely. I tried
to do them justice in the small space provided to me for acknowledgements.
Those are the things people tend not to look at at the front of the book. I
do ask that if you pick up the book, you do look. Those, folks, deserve,
the: attention.


  joe





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe,  Active Directory Third Edition
What is this?  Where is it?

RH

RE: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Rick Kingslan
And, as you know that does work well in SBSland.  However, when the scale
grows, so do the requirements.  In the Medium to Enterprise space, the idea
is more along the lines of a system or series of systems pumping this type
of information into paging and making intelligent decisions based on the
audit, event, alerts, services, etc.

Which, is right where MOM 2005 drops into the picture.  If it _IS_ the event
aggregator, or if it's pushing up to a bigger overall item such as HP
OpenView - that data is available.  It's just that instead of getting an
e-mail per server (most admins would just begin to create a rule to send
these to DEV/NUL after a while...) MOM collects, enforces and reports this
same type of information.

Scale makes the problem much tougher, as I'm sure you can imagine

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, October 16, 2005 8:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Knowing when users were deleted.

here she goes again.. I know ... I'm terrible at lurking

In SBSland we have a daily monitoring email [well ... I send it daily
anyway, but it's configurable] and it looks at the event logs and tells
daily health status of my server.

Like today my email tells me my server has been running for 6 hours [just
rebooted it last night] and it gives me an overview if auto services are not
running, critical alerts and critical errors in the event logs.

It tells me memory/disk size, cpu use, top processes, if the backup ran,
and aggregates the alerts from all the log files.

It's a health mon that dumps its data into an MSDE database and builds the
email to be sent internally or externally.

What it does now, is only pulls data from the one box, the SBS box. but I
can go into health mon and build my own monitors and grab those event logs
from other machines [need to so that just haven't gotten around to it].

Right now if someone [usually me] fat fingers a password, for example, it
gives me an alert in the email of the last time it occurred and how many
occurrences.  Basically it's tracking the critical alerts in all the event
logs and summarizing the events along with the number of events in the email
[and showing the last time the event occurred so you can start your
investigation from that point back]

For SBS it's in the box, it's a gui wizard that builds this pretty
little html email that my server builds and hits me every morning at 6 a.m
and says Hey here's how I'm doing...how are you?.  It's the mid market
that doesn't have this.  [and yes, we've told Mothership Redmond they need
to steal this sucker and put it in the mid market server bundle]

Does it make me more aware of events on my server?  Oh you betcha it does.
Which is why this needs to be as you say...native in small and medium
servers... heck, I'd strongly argue that no server should be shipped without
some admin somewhere getting an in your face report on that sucker.

I'll go to Frys and buy bigger harddrives if I need to.  But give me a big
fat audit log file and I'm a happy camper. 


Al Mulnick wrote:

I'll see your Eurocents and add raise you two. :)

I fully understand where you're coming from Ulf.  Adding this information
into the DIT when it is currently possible to get is something that grates
against common sense and common engineering principles even if you
subscribe
to belts and braces methodologies. 

However, I think two things make this a worthwhile request with a big
payoff.  First to Laura's point about diminishing returns.  I agree, at
some
point there will be diminishing returns.  I also believe that as hardware
gets bigger (i.e. Standard 80 GB hard drives, 1 GB memory in workstation
machines, etc. [1]) the bar gets raised until we get to the diminishing
return.  Since we're targeting 80/20 out of the box [2] it seems reasonable
that 80% of the deployments would benefit from such a change. The other 20
would be those that a) don't care or know about such things and b) those
that can't tolerate the additional overhead and therefore wouldn't want to
deploy it.  I say tough pickles to them.  :)  Seriously, this could be on
by
default but configurable (group policy?) to disable it as a performance
issue etc. 

Second, I think that the major benefit is the ability to actually get
usable
information native to the product vs. having to invest in a third party
product. Why?  Because today in order to get that information I have to
have
something that scrapes the Security logs looking for such information.  Is
this a good idea?  I think it is.  Is it something that could be native?  I
think it could and should be native if technically feasible. 

Making us look in a particular DC's event logs is more difficult than it
should be without yet another product.  That's fine for the really large
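The Security-log scraping Al mentions above, and the count-plus-last-occurrence summary Susan describes, can be done in a few lines of PowerShell. This is an added example, not code from the thread or from SBS: it summarises the Windows Server 2008 and later security event 4726 (A user account was deleted), the successor of event 630 on Windows Server 2003, by who deleted what and when. The sample events are constructed placeholders so the function runs without a DC; the property indexes follow the 4726 event template.

```powershell
# Added example: summarise "user account was deleted" events the way the SBS
# daily mail does: how many, when last, and which account did it. Requires the
# "Audit User Account Management" success audit on the DCs; without it the
# Security log has nothing to summarise.

function Get-DeletedAccountSummary {
    param(
        [Parameter(Mandatory)] $Events   # objects with TimeCreated, Id, Properties
    )
    $Events |
        Where-Object { $_.Id -eq 4726 } |
        ForEach-Object {
            # 4726 property layout: 0 = TargetUserName, 1 = TargetDomainName,
            # 2 = TargetSid, 3 = SubjectUserSid, 4 = SubjectUserName, 5 = SubjectDomainName.
            [pscustomobject]@{
                When    = $_.TimeCreated
                Deleted = $_.Properties[0].Value
                By      = $_.Properties[4].Value
            }
        } |
        Group-Object By |
        ForEach-Object {
            [pscustomobject]@{
                DeletedBy = $_.Name
                Count     = $_.Count
                Last      = ($_.Group | Sort-Object When -Descending)[0].When
                Accounts  = ($_.Group.Deleted | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Count -Descending
}

# Constructed sample events (placeholders, not from a real log) so the function
# can be exercised on any machine.
$sample = @(
    @{ t = '2005-10-16 06:01'; who = 'admin1'; target = 'jdoe'        },
    @{ t = '2005-10-16 14:22'; who = 'admin1'; target = 'asmith'      },
    @{ t = '2005-10-15 09:10'; who = 'svc-hr'; target = 'contractor7' }
) | ForEach-Object {
    [pscustomobject]@{
        TimeCreated = [datetime]$_.t
        Id          = 4726
        Properties  = @(
            [pscustomobject]@{ Value = $_.target },      # 0 TargetUserName
            [pscustomobject]@{ Value = 'CORP' },         # 1 TargetDomainName
            [pscustomobject]@{ Value = 'S-1-5-21-x' },   # 2 TargetSid (placeholder)
            [pscustomobject]@{ Value = 'S-1-5-21-y' },   # 3 SubjectUserSid (placeholder)
            [pscustomobject]@{ Value = $_.who }          # 4 SubjectUserName
        )
    }
}
Get-DeletedAccountSummary -Events $sample | Format-Table -AutoSize

# Against a real DC (name assumed), feed the function the last day of events instead:
# $real = Get-WinEvent -ComputerName 'DC1' -FilterHashtable @{ LogName = 'Security'; Id = 4726; StartTime = (Get-Date).AddDays(-1) }
# Get-DeletedAccountSummary -Events $real
```

Grouping by the deleting account rather than by the deleted one is deliberate: a service account or an admin deleting many users in a short window is the pattern worth a second look, and the summary surfaces it without anyone reading the raw log. Because each DC only logs the deletions it processed, the real query has to run against every DC, which is the "look in a particular DC's event logs" pain Al points at.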

RE: [ActiveDir] Reverse DNS

2005-10-16 Thread Rick Kingslan



Oooof. ROTFLMAO!

Funny - very funny!

Rick [msft]

--
Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Friday, October 14, 2005 11:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Reverse DNS

Why lurk when you can participate so effectively? :)

Phil

On 10/15/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

Or get a better ISP or DNS record keeper that will allow you to do what you
need to do.

okay okay I don't lurk well ... I know I know...

Phil Renouf wrote:

So you have a publicly accessible DNS server that you manage and is in your
DMZ and an internally accessible DNS server that is on your internal
network. Is that right?

You have a domain on your publicly accessible DNS server for your public
servers (web, email etc.) and currently you only have a forward lookup zone
created on that DNS server. What you want is to be able to also host reverse
DNS for the subnet that you were given by your ISP?

If that is the case then the advice has been given; talk to your ISP and
have them delegate that subnet to your DNS server and setup a reverse lookup
zone on your publicly accessible DNS server. That or have your ISP host the
reverse lookup zone, although that would require them to manage the entries
as well.

Phil

On 10/13/05, rubix cube [EMAIL PROTECTED] wrote:

I have 2 internal DNS's, one on the DMZ zone which hosts the public IPs of
the servers we publish (email, website, systems, etc... around 15 IPs) and
the other DNS which resolves only the internal IPs. I wanted to setup the
reverse DNS and publish my internal DNS (the one at the DMZ) because am not
sure about my ISP. I went through some trouble trying to create an SPF
record with him, and I don't have any control panel or tools for my records
on his side.

On 10/13/05, Ed Crowley [MVP] [EMAIL PROTECTED] wrote:

I can't fathom why any organization would "have to".

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Wednesday, October 12, 2005 3:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reverse DNS

I agree with Aric's advice: don't expose your internal DNS server unless you
"have to." Network Solutions hosts my DNS records, and I can manage them
myself using their web-based tools. The only gripe I've got with them is
that they won't host SPF records.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Wednesday, October 12, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reverse DNS

You probably do not want to go out and expose your internal DNS server
(presumably supporting your internal forest) to the Internet. Your internal
DNS names and IP addresses should remain private, unless of course you are
using public IP addresses internally and in such a case you would only want
to expose those required externally.

It is highly likely that your ISP already has some form of a reverse lookup
zone in place for your subnet even if it only has generic records. If that
is the case, I would probably go about just having them modify the existing
zone altering the existing records with the proper names of your systems
unless you cannot depend on them for timely changes (find another ISP) or
you have a lot of PTR records that need to be published externally or the
records you do publish will be fairly dynamic.

Regards,
Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Wednesday, October 12, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Reverse DNS

Thanks all,

And when I configure the DNS reverse zone on my internal DNS server and ask
my ISP to delegate my subnet (We pay monthly fees for the subnet and
internet access), then anything else I should do? to my internal DNS, should
I publish my internal
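The arrangement the thread converges on (the ISP delegates the subnet, the DMZ-facing DNS server hosts the reverse zone, and the internal DNS server stays private) as an added PowerShell example, not code from the thread. It uses the DnsServer module (Windows Server 2012 or later); the 203.0.113.0/24 range and the example.com names are documentation placeholders standing in for the poster's ISP subnet and the ~15 published hosts.

```powershell
# Added example: host the ISP-delegated reverse zone on the public-facing (DMZ)
# DNS server and publish PTR records only for hosts that are public anyway.
# 203.0.113.0/24 and example.com are documentation placeholders, not the
# poster's values. Requires the DnsServer module (Windows Server 2012 or
# later) and is meant to run on the DMZ DNS server itself.
Import-Module DnsServer

$Network = '203.0.113.0/24'
$Zone    = '113.0.203.in-addr.arpa'

# A file-backed primary zone with dynamic updates off: the DMZ server is
# standalone by design, so there is no AD integration and nothing can
# register itself into the zone.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $Network -ZoneFile "$Zone.dns" -DynamicUpdate None
}

# Only the published hosts get PTRs (host octet -> FQDN). Internal names stay out.
$PublicHosts = @{
    '10' = 'mail.example.com.'
    '20' = 'www.example.com.'
    '25' = 'portal.example.com.'
}
foreach ($last in $PublicHosts.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $last -RRType Ptr -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordPtr -ZoneName $Zone -Name $last -PtrDomainName $PublicHosts[$last]
    }
}

# Check: forward and reverse must agree for every published host, which is what
# a mail receiver doing a forward-confirmed reverse lookup will test.
foreach ($last in $PublicHosts.Keys) {
    $ip  = "203.0.113.$last"
    $ptr = (Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue).NameHost
    $fwd = (Resolve-DnsName -Name $PublicHosts[$last].TrimEnd('.') -Type A -ErrorAction SilentlyContinue).IPAddress
    '{0,-16} PTR={1,-24} A={2,-16} {3}' -f $ip, $ptr, $fwd, $(if ($fwd -eq $ip) { 'OK' } else { 'MISMATCH' })
}
```

The zone is file-backed rather than AD-integrated on purpose: the DMZ server should have no trust or replication relationship with the internal forest. Adding PTRs only for hosts that already have public A records keeps the reverse zone from leaking internal names, which is the point Aric and Derek make above; the delegation itself still has to be requested from the ISP, since nothing on this server can make the parent zone point at it.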

RE: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Rick Kingslan
I suppose that this is why they pay folks who devise solutions to make this
stuff work like it's supposed to the big bucks.

shrug 

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, October 16, 2005 8:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Knowing when users were deleted.

Yup information overload 'is' a problem.

And then after the scale its... okay what the heck is the server trying to
tell me?

I'm still a fan of www.eventid.net over microsoft.com's click here.

Rick Kingslan wrote:

And, as you know that does work well in SBSland.  However, when the 
scale grows, so do the requirements.  In the Medium to Enterprise 
space, the idea is more along the lines of a system or series of 
systems pumping this type of information into paging and making 
intelligent decisions based on the audit, event, alerts, services, etc.

Which, is right where MOM 2005 drops into the picture.  If it _IS_ the 
event aggregator, or if it's pushing up to a bigger overall item such 
as HP OpenView - that data is available.  It's just that instead of 
getting an e-mail per server (most admins would just begin to create a 
rule to send these to DEV/NUL after a while...) MOM collects, enforces 
and reports this same type of information.

Scale makes the problem much tougher, as I'm sure you can imagine

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, October 16, 2005 8:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Knowing when users were deleted.

here she goes again.. I know ... I'm terrible at lurking

In SBSland we have a daily monitoring email [well ... I send it daily 
anyway, but it's configurable] and it looks at the event logs and tells 
daily health status of my server.

Like today my email tells me my server has been running for 6 hours 
[just rebooted it last night] and it gives me an overview if auto 
services are not running, critical alerts and critical errors in the event
logs.

It tells me memory/disk size, cpu use, top processes, if the backup 
ran, and aggregates the alerts from all the log files.

It's a health mon that dumps its data into an MSDE database and builds 
the email to be sent internally or externally.

What it does now, is only pulls data from the one box, the SBS box. but 
I can go into health mon and build my own monitors and grab those event 
logs from other machines [need to so that just haven't gotten around to
it].

Right now if someone [usually me] fat fingers a password, for example, 
it gives me an alert in the email of the last time it occurred and how 
many occurrences.  Basically it's tracking the critical alerts in all 
the event logs and summarizing the events along with the number of 
events in the email [and showing the last time the event occurred so 
you can start your investigation from that point back]

For SBS it's in the box, it's a gui wizard that builds this pretty 
little html email that my server builds and hits me every morning at 6 
a.m and says Hey here's how I'm doing...how are you?.  It's the mid 
market that doesn't have this.  [and yes, we've told Mothership Redmond 
they need to steal this sucker and put it in the mid market server 
bundle]

Does it make me more aware of events on my server?  Oh you betcha it does.
Which is why this needs to be as you say...native in small and 
medium servers... heck, I'd strongly argue that no server should be 
shipped without some admin somewhere getting an in your face report on that
sucker.

I'll go to Frys and buy bigger harddrives if I need to.  But give me a 
big fat audit log file and I'm a happy camper.


Al Mulnick wrote:

  

I'll see your Eurocents and add raise you two. :)

I fully understand where you're coming from Ulf.  Adding this 
information into the DIT when it is currently possible to get is 
something that grates against common sense and common engineering 
principles even if you


subscribe
  

to belts and braces methodologies. 

However, I think two things make this a worthwhile request with a big 
payoff.  First to Laura's point about diminishing returns.  I agree, 
at


some
  

point there will be diminishing returns.  I also believe that as 
hardware gets bigger (i.e. Standard 80 GB hard drives, 1 GB memory in 
workstation machines, etc. [1]) the bar gets raised until we get to 
the diminishing return.  Since we're targeting 80/20 out of the box 
[2] it seems reasonable that 80% of the deployments would benefit from 
such a change. The other 20 would be those that a) don't care or know 
about such things and b) those that can't tolerate the additional 
overhead

RE: [ActiveDir] Knowing when users were deleted.

2005-10-16 Thread Rick Kingslan
Susan,

Really - I know you too well.  You're not going to lurk.  Get in the game.
It appears most folks want to hear what you have to say from the Small
Business arena.  And, if it broadens the message of managing and maintaining
the systems - it's good for all.

Just please - stop convincing yourself you're lurking... You aren't!
You're too valuable to do so...

:o)

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, October 16, 2005 9:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Knowing when users were deleted.

sorry .. I know...I know...lurk..lurk

The consultant crowd who can't handle 300 SBS boxes hitting their inbox 
at 6 a.m have asked for a dashboard.   I can handle a daily email 
they can't.

At a NTuser group meeting I was at ...some of the dashboard tools in Linux
were discussed.  Nagios in particular was one they used for monitoring.

Monitoring -- MRTG: The Multi Router Traffic Grapher:
http://mrtg.hdl.com/mrtg.html

Graphical console for Snort - Analysis Console for Intrusion Databases
(ACID):
http://acidlab.sourceforge.net/

Intrusion detection - Snort.org:
http://www.snort.org/

Monitoring - Nagios: Home:
http://www.nagios.org/

Traffic probe - ntop - network top:
http://www.ntop.org/head.html



Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

 Yup information overload 'is' a problem.

 And then after the scale its... okay what the heck is the server 
 trying to tell me?

 I'm still a fan of www.eventid.net over microsoft.com's click here.

 Rick Kingslan wrote:

 And, as you know that does work well in SBSland.  However, when the 
 scale grows, so do the requirements.  In the Medium to Enterprise 
 space, the idea is more along the lines of a system or series of 
 systems pumping this type of information into paging and making 
 intelligent decisions based on the audit, event, alerts, services, 
 etc.

 Which, is right where MOM 2005 drops into the picture.  If it _IS_ 
 the event aggregator, or if it's pushing up to a bigger overall item 
 such as HP OpenView - that data is available.  It's just that instead 
 of getting an e-mail per server (most admins would just begin to 
 create a rule to send these to DEV/NUL after a while...) MOM 
 collects, enforces and reports this same type of information.

 Scale makes the problem much tougher, as I'm sure you can imagine

 Rick [msft]
 --
 Posting is provided AS IS, and confers no rights or warranties ...
  

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Susan 
 Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Sunday, October 16, 2005 8:33 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Knowing when users were deleted.

 here she goes again.. I know ... I'm terrible at lurking

 In SBSland we have a daily monitoring email [well ... I send it daily 
 anyway, but it's configurable] and it looks at the event logs and 
 tells daily health status of my server.

 Like today my email tells me my server has been running for 6 hours 
 [just rebooted it last night] and it gives me an overview if auto 
 services are not running, critical alerts and critical errors in the 
 event logs.

 It tells me memory/disk size, cpu use, top processes, if the backup 
 ran, and aggregates the alerts from all the log files.

 It's a health mon that dumps its data into a msde database and 
 builds the email to be sent internally or externally.

 What it does now is only pull data from the one box, the SBS box, 
 but I
 can go into health mon and build my own monitors and grab those event 
 logs from other machines [need to so that just haven't gotten around 
 to it].

 Right now if someone [usually me] fat fingers a password, for 
 example, it gives me an alert in the email of the last time it 
 occurred and how many occurrences.  Basically it's tracking the 
 critical alerts in all the event logs and summarizing the events 
 along with the number of events in the email [and showing the last 
 time the event occurred so you can start your investigation from that 
 point back]

 For SBS it's in the box, it's a gui wizard that builds this 
 pretty little html email that my server builds and hits me every 
 morning at
 6 a.m.
 and says "Hey here's how I'm doing... how are you?"  It's the mid 
 market that doesn't have this.  [and yes, we've told Mothership 
 Redmond they need to steal this sucker and put it in the mid market 
 server bundle]

 Does it make me more aware of events on my server?  Oh you betcha it 
 does.
 Which is why this needs to be as you say...native in small and 
 medium servers... heck I'd strongly argue that no server should be 
 shipped without some admin somewhere getting an in your face report 
 on that sucker.

 I'll go to Frys and buy bigger
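Susan's daily summary (count per event plus the last time it fired, pulled from the event logs) is the part of the SBS report most worth having on a bigger box, and it is easy to rebuild for a handful of servers. The script below is an added example and is not the SBS health monitor or anything posted in this thread; it assumes Get-WinEvent (Vista/2008 or later on the machine running it), the Windows Server 2003 Security log IDs for a failed logon (529), a created account (624) and a deleted account (630) alongside their 2008+ equivalents (4625, 4720, 4726), and placeholder server, SMTP and mailbox names.

```powershell
# Added example: summarise security events of interest the way the SBS
# health report does (count + last occurrence), for one or more servers.
# Assumptions: Get-WinEvent (Vista/2008+), and these event IDs:
#   529 / 4625  logon failure (bad password, unknown account, ...)
#   624 / 4720  user account created
#   630 / 4726  user account deleted
$EventsOfInterest = @{
    529  = 'Logon failure (2003)'
    4625 = 'Logon failure'
    624  = 'User account created (2003)'
    4720 = 'User account created'
    630  = 'User account deleted (2003)'
    4726 = 'User account deleted'
}

function Get-SecurityEventSummary {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    foreach ($computer in $ComputerName) {
        $filter = @{
            LogName   = 'Security'
            Id        = [int[]]$EventsOfInterest.Keys
            StartTime = $Since
        }
        # "No events were found" is a non-terminating error; treat it as an empty result
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue
        $events | Group-Object -Property Id | ForEach-Object {
            # Newest instance of this event ID, so the investigation can start from there
            $last = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                Computer    = $computer
                EventId     = [int]$_.Name
                Description = $EventsOfInterest[[int]$_.Name]
                Count       = $_.Count
                LastSeen    = $last.TimeCreated
                # First line of the message carries the subject/target account
                LastMessage = ($last.Message -split "`r?`n")[0]
            }
        }
    }
}

# Build the report for two DCs (placeholder names) and mail it, as the SBS wizard does.
# SMTP host and addresses are placeholders.
$summary = Get-SecurityEventSummary -ComputerName 'DC1', 'DC2' -Since (Get-Date).AddDays(-1)
$body = $summary | Sort-Object Computer, EventId | Format-Table -AutoSize | Out-String
Send-MailMessage -SmtpServer 'smtp.example.com' -From 'monitor@example.com' -To 'admins@example.com' `
    -Subject "Security event summary $(Get-Date -Format yyyy-MM-dd)" -Body $body
```

Run it from a scheduled task at 6 a.m. under an account that is allowed to read the remote Security logs; on a 2003 forest only the three-digit IDs will ever match, on 2008 and later only the four-digit ones, so the table carries both.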

RE: [ActiveDir] Documenting AD - ADMap requests fulfilled

2005-10-15 Thread Rick Kingslan
You have more than just Steve on the list from Microsoft.

If you want ADMap - send me an e-mail via little 'r' (meaning - reply to me
directly [EMAIL PROTECTED]) and I'll respond with a mass e-mail of the latest
version of ADMap in two batches - one on Tuesday before I head out of town
again, and another next weekend after I get back.

Happy to oblige

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, October 13, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documenting AD

I don't know about generally available but Steve Lineham of MS made it
temporarily available a few months ago to list members based on a similar
thread here , maybe he will do so again if he sees this.

There was also the following suggestion from David Adner- If you're a
Premier customer ask your TAM (or some other friendly MS employee) for a
tool called ADMap. This is a tool written by someone in Microsoft that
will query your AD configuration and draw it in Visio (preferably version
2002 or higher).  Although it's available to customers it's not available
for download, hence the request to a MS employee. 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Becker, Jim
Sent: Thursday, October 13, 2005 12:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documenting AD


As I understand it, apparently MS used to provide an ADMap-like
functionality in Visio 2000, but was removed with 2002.  Since I'm at V2003,
I was wondering whether the admap program could be made generally available
for all our benefit.
 
Thanks, 

Jim Becker 

Asst. Dir. of Administrative Systems
State University of New York
System Administration
[EMAIL PROTECTED] 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, October 13, 2005 4:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documenting AD


I sent the file separately.
 
admap will *not* answer most of the questions you have, however. You will
still need to rely upon docs and being a good detective and researcher :)
 
neil


___ 
Neil Ruston 
Global Technology Infrastructure 
Nomura International plc 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton
Sent: 13 October 2005 09:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Documenting AD


Cheers for the hints so far, folks. keep em coming! :)
 
Phil: I've tried finding a copy of ADMap on the web, but can't seem to
download it from the windows-servers.info site. Do you know anywhere else I
can grab it from?
 



For Troup Bywaters + Anders 

Tim Sutton  

T: +44 (0) 113 243 2241 
F: +44 (0) 113 242 4024 
E: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]   
W: www.TBandA.com http://www.tbanda.com/


Eastgate House 
10 Eastgate 
Leeds
LS2 7JL
Office Location Map
http://www.multimap.com/map/browse.cgi?client=publicdb=pccidr_client=
nonelang=pc=LS27JLadvanced=client=publicaddr2=quicksearch=ls27jla
ddr3=addr1=  

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: 12 October 2005 16:54
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Documenting AD


Some good comments on what to document. I will chime in to say that a
lot of the initial stuff can be documented using ADMap and the GPMC,
that will save you a bunch of work in Visio. If you have a TAM ask them
to send you ADMap. 
 
Phil

 
On 10/12/05, [EMAIL PROTECTED] [EMAIL PROTECTED] 
wrote: 

Additional components:
=
Schema
Database
Administrative support model
Domain controller spec 
DC/GC placement
Exchange topology and design
DNS design (zone type, placement etc etc)
SYSVOL/FRS
DFS

Administration:
===
User and group admin and tools
DC admin/support and tools
Forest admin and ownership
GPO admin and tools

I'll stop there and let others chime in...

neil

___
Neil Ruston
Global Technology Infrastructure
Nomura International plc 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] ] On Behalf Of Tim Sutton
Sent: 12 October 2005 16:28
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Documenting AD

Hey all,

Being the local bod with AD knowledge at work I've been
volunteered 
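Most of the layout items in Neil's list (forest and domain modes, FSMO owners, DC/GC placement per site, trust directions, DNS zone types and where SYSVOL replication stands) can be pulled straight out of the directory rather than drawn by hand. The script below is an added example, not ADMap or anything from the thread; it assumes the ActiveDirectory and DnsServer RSAT modules (Server 2012 or later for the DNS part), read access to the forest, and a placeholder output path. The SYSVOL check is a heuristic: it treats the presence of msDFSR-Subscription objects under the Domain Controllers OU as a DFSR-migrated SYSVOL.

```powershell
# Added example (not from the thread): gather the layout facts for the design
# document - forest/domain modes, FSMO owners, trusts, DC/GC placement per site,
# DNS zone types and the SYSVOL replication engine - into one object.
# Assumptions: ActiveDirectory and DnsServer modules from RSAT (Server 2012 or
# later for DnsServer), read access to the forest, placeholder output path.
Import-Module ActiveDirectory
Import-Module DnsServer -ErrorAction SilentlyContinue   # optional; zone data is skipped without it

function Get-AdDesignInventory {
    $forest = Get-ADForest
    $inventory = [ordered]@{
        Forest             = $forest.Name
        ForestMode         = "$($forest.ForestMode)"
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
        GlobalCatalogs     = @($forest.GlobalCatalogs)
        Sites              = @($forest.Sites)
        Domains            = @()
        DomainControllers  = @()
        DnsZones           = @()
    }

    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName

        # Heuristic: after a DFSR migration every DC carries a msDFSR-Subscription
        # object under OU=Domain Controllers; an FRS-only domain has none.
        $dfsrObjects = Get-ADObject -Server $domain.DNSRoot `
            -SearchBase "OU=Domain Controllers,$($domain.DistinguishedName)" `
            -LDAPFilter '(objectClass=msDFSR-Subscription)'
        $sysvolEngine = if ($dfsrObjects) { 'DFSR' } else { 'FRS' }

        $inventory.Domains += [pscustomobject]@{
            Name                 = $domain.DNSRoot
            DomainMode           = "$($domain.DomainMode)"
            PDCEmulator          = $domain.PDCEmulator
            RIDMaster            = $domain.RIDMaster
            InfrastructureMaster = $domain.InfrastructureMaster
            SysvolReplication    = $sysvolEngine
            Trusts               = @(Get-ADTrust -Server $domain.DNSRoot -Filter * |
                                     ForEach-Object { "$($_.Name) ($($_.Direction))" })
        }

        foreach ($dc in Get-ADDomainController -Server $domain.DNSRoot -Filter *) {
            $inventory.DomainControllers += [pscustomobject]@{
                HostName        = $dc.HostName
                Domain          = $domain.DNSRoot
                Site            = $dc.Site
                IsGlobalCatalog = $dc.IsGlobalCatalog
                IsReadOnly      = $dc.IsReadOnly
                OperatingSystem = $dc.OperatingSystem
                IPv4Address     = $dc.IPv4Address
            }
            # Zone type, AD integration and replication scope per DNS server
            if (Get-Command Get-DnsServerZone -ErrorAction SilentlyContinue) {
                $zones = Get-DnsServerZone -ComputerName $dc.HostName -ErrorAction SilentlyContinue |
                    Where-Object { -not $_.IsAutoCreated }
                foreach ($zone in $zones) {
                    $inventory.DnsZones += [pscustomobject]@{
                        Server           = $dc.HostName
                        Zone             = $zone.ZoneName
                        ZoneType         = $zone.ZoneType
                        AdIntegrated     = $zone.IsDsIntegrated
                        ReplicationScope = $zone.ReplicationScope
                    }
                }
            }
        }
    }
    [pscustomobject]$inventory
}

$inv = Get-AdDesignInventory
# Console view of DC/GC placement per site, then the whole inventory as JSON for the doc
$inv.DomainControllers | Sort-Object Site, HostName |
    Format-Table HostName, Site, IsGlobalCatalog, IsReadOnly -AutoSize
$inv | ConvertTo-Json -Depth 5 | Set-Content -Path 'C:\Docs\ad-inventory.json'
```

The schema, administrative model and Exchange topology items on the list still have to be written up by hand, as Neil says; this only removes the transcription work for the parts the directory already knows.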

RE: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs

2005-10-15 Thread Rick Kingslan



joe,

Steve may have completely different information than I, but 
at present I'm not seeing empirical or preferred practice recommendations around 
64-bit GCs in relation to Exchange. So, the recommendation is not changing 
- again, as I know it. Steve's environment is very different from mine and 
he is likely to have zero-day information that I won't have until it's posted 
internally on a DL or whitepaper. I'll be looking for his answer, 
too.

Currently, unless I get data that tells me otherwise, Dual 
Core and MP == ~ same - even more so when dealing with AMD as, IMO, Intel blew 
their first dual core in an effort to get it to market.

That being said, I suspect that the very benefit of being 
able to load up on memory and get the DIT in RAM is going to affect the 
recommendation more than proc will. By that I mean that it might be very 
realistic to see that I/O may begin to be a limiting factor - not so much 
network, but disk subsystems are going to have to be designed a bit more towards 
performance with the massive number of queries that these systems are capable 
of.

As to the use of single proc GCs and scaling not being linear 
- I would suspect that the very fact that linear performance is not seen in MP 
has already been taken into account. Otherwise, the recommendation might 
have been 5 or 6 to 1.

When you mention that you see some GCs get 'beat down' when 
others are pretty light, is this assuming the practice of creating an AD site for 
Exchange with dedicated DC/GCs, or a general population scheme? If the 
former, I haven't seen the issue that you cite in practice, if the latter - 
design to the former.

I suppose that - in relation to counters, etc., that would 
be why I like to do a more formal capacity planning and performance gathering 
over time. I don't believe in point-in-time perf counter gathering as (you 
know this...) seeing it when the problem is occurring with no history for what is 
normal is basically - well, useless. I have no trail of bread crumbs in 
which to track down the problem.

In relation to the counter gathering (I have no experience 
with Argent's offering, and SOME experience with MOM 2000 and 2005) I've found 
that MOM 2005 and the AD and Exchange MPs do a great job of gathering 
information that is valuable to me as someone who has to figure out what's wrong 
with these systems now and then. Before I joined Microsoft, we had MOM 
installed for just this reason. The history gathering abilities and 
leveraging AD and EXCH data over time allowed us to see exactly where our pain 
point was - and fix it in a relatively short period of time.

This is as I know it today... It could change 
later today or tomorrow :-)

Rick [msft]
--
Posting is provided "AS IS", and confers no rights or warranties ...


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 4:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs

Speaking of which Steve

I am starting to see questions of the type of how does 64 
bit DC change the best practice 4:1 proc recommendations for Exchange to GC 
processor. Does PSS/MCS/Dev have any thoughts? Especially if you are able 
to cache the entire DIT. I have seen some 64 bit testing numbers from third 
parties but that is far from authoritative in terms of what MS thinks for the 
best practice numbers which weigh heavily with customers who want to do it the 
"Microsoft way".

Ditto the dual core CPUs. 

Another one that recently came across my desk was if you 
have 4000 users on a 4 proc Exchange server and are currently using a single 1 
proc GC and then you decide due to load on Exchange (say RPC load due to 
search/archive software which isn't impacting GCs) you want to go to 2 4 proc 
Exchange servers with 2000 users each do you have to go to a dual proc 
GC or add another single proc GC or is it ok to stay with the one single proc 
GC?

Oh and another question I was asked was about using single 
proc GCs versus MP GCs and how the scaling of MP wasn't linear so should that be 
somehow involved in the Exchange best practice numbers?

It seems from my experience that you do better with making 
bigger and more powerful GCs in general because while Exchange does 
some limited logic round-robin load balancing at the server level, it doesn't do 
it at the site level amongst all Exchange servers so you can really start 
beating down a few GCs while the others see relatively light loading. Of 
course you don't want to have few GCs though in case you do have a problem so 
you throw a couple of extra larger GCs into the mix for fault tolerance for when 
you have to bring a GC down for maint or it just falls down for some reason. 


Also it seems that there is no real good way of determining 
exactly when you need to change your GC strategy for Exchange because your 
various 

RE: [ActiveDir] salary(OT)

2005-10-14 Thread Rick Kingslan
 Tony Murray Said:  
 Joe, I've had no complaints about you to date.

Good.  I'll start.  Here's your first.

He's an over-bearing know-it-all looking for his first and second million.
Plus, he uses more bandwidth than everyone combined.

If someone asks, he - Could I stand a second domain controller up for
redundant purposes?

Can joe just say, "Yes."  Nope - never.  You're going to get 15 pages
minimum of "OK - here's what *I'd* do." 

However, all that being said - we love joe and would never want him to
change.  Well, except for his clothes on occasion.  And, dude - you need
some of that Power Stripe deodorant. Seriously.

And, I'm sorry to hear that a book that isn't even available YET is only
going to sell 2000 copies.  How in the heck did you and Robbie get O'Reilly
to agree to do a 3rd edition?  Surely you jest when referencing that
number... Oh, and I can't even find it referenced on O'Reilly's site yet.
How about some pre-print advertising?  You think THAT might boost your
numbers?

Love ya buddy!

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

I would not be surprised. I know this list has become quite popular and for
good reason. It is one of the few places where I learn things that I don't
stumble over myself. Many times I learn things when people make random
comments about their environment which kicks a realization in myself on how
something probably works in the backend. It is pretty cool. 

On the downside sounds like my total sales on Active Directory Third Edition
will be in the area of 2000 copies which isn't going to buy me a 100ft ocean
ready cruiser. ;o)

Understood on posting the lurker list. On top of the spammers, I am sure
some lurkers would not be happy to be out-ed like that. I don't have an
issue with lurkers myself. In fact I would love to hear we have some 25000
lurkers, it means a lot of people are getting a lot of good info. 


 Everyone has to send me 25% of their income. It's only fair really.

Does the postal service even deliver to NZ?


   joe

P.S. So now I am feeding everyone? No wonder my pantry is empty! 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, October 13, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Well, if I told you we have around 1500 people subscribed in standard mode
and a couple of hundred subscribed in digest mode, would you be surprised?
:-)

I could post the lurker list, but I don't really want spammers to get hold
of it.  

Personally, I have no problem with lurkers.  And, hey, it's my list. :-)

On the subject of money, I'm considering operating the list in the style
of a TV evangelist.  Everyone has to send me 25% of their income.   It's
only fair really.

Tony

PS.  Joe, I've had no complaints about you to date.  Why would people want
to bite the hand that feeds them?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 14 October 2005 12:09 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Oh just a joke, I don't think Tony would do it. Though I wouldn't mind Tony
occasionally posting the lurker list, I am curious as to how many people I
am getting mad at me any given day. :o)

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, October 13, 2005 6:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Not to hijack this thread but, I hope lurking remains free.

Dan

  Original Message 
 Subject: RE: [ActiveDir] salary(OT)
 From: joe [EMAIL PROTECTED]
 Date: Thu, October 13, 2005 2:50 pm
 To: ActiveDir@mail.activedir.org
 
  
 I have found that shooting for your contract salary is as good a 
 target as
any, but expect to miss unless you didn't get a very good contract rate.
I have only seen one case where a company was willing to pay contract level
fees to a FTE and that was back when I first got back into the industry (I
burned out on it back when I was about 21 or so and left it) and had been
completely screwed over by the contract house for my rate where they were
making at least as much as I was. When I said I was leaving the FTE offer I
received would have been a 60% raise from my previous salary. Unfortunately,
the new contract position I was taking was a 100%+ increase and with OT
(which you don't get as a FTE) ended up being a 200% increase.  
   
 Anyway, you tend to take a considerable hit (I have seen reductions of

 20%-75% for FTE offers and all but one of which I turned down cold) 
 but you try to make it up in benefits such as vaca, retirement, 
 insurance, etc. As a contractor you tend to have a different mindset 
 than as an FTE as well. As a contractor it is 

RE: [ActiveDir] Virtual Servers in Branch Offices

2005-10-14 Thread Rick Kingslan



"Does placing the DC inside a virtual machine add any 
security? Would it be harder for someone with physical access to compromise the 
DC?"

Hmmm 
interesting. Yes, and no. Physical access is always an issue, but 
the NTDS.DIT is not out there in the open on a disk as it might be in a 
traditional DC. However, anyone with a VS *COULD* mount and start your DC 
- so the same rules apply. Don't allow anyone you do not trust physical 
access to your systems.

As to domain member - I 
don't recall VS requiring Domain Membership (more, because I just haven't 
tried...). So, does this mean that a machine that is a work group system 
could host a VS with a number of DCs? Ummm - yeah. I suppose 
so.

But, if it *IS* a domain 
member, then yes - it could likely authN off of the VM that it hosts - but 
obviously not at start up. Brings up a Schrödinger's cat quandary, now 
doesn't it?

Rick


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, October 14, 2005 2:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Thanks for the thoughts. And thanks Tony for the reference 
-- just finished reading it.

Unfortunately, deploying the DC at HQ or simply 
authenticating over the WAN is not really an option. The WAN links are ok (and 
getting better) but are located in places where environmental (as in the 
weather) conditions often cause short interruptions.

Does placing the DC inside a virtual machine add any 
security? Would it be harder for someone with physical access to compromise the 
DC? The white paper does not really make this clear. Also, I am assuming that a 
host machine would be a domain member, right? Does it authenticate off the 
virtual DC? [1]

Thanks again.

-- nme

[1] This sort of reminds me of the scene in Animal House 
when they talk about the "whole universe as we know it existing under the 
fingernail of some other giant being..." Whoa, dude!

  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
  Sent: Thursday, October 13, 2005 12:48 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
  
  Other important factors in this scenario must be the 
  physical and logical security of the server housing the DC 
  role.
  
  1. Will the server be securely locked away in the 
  branches? If not, do not deploy a DC.
  2. Do you trust the file server admins to have physical 
  access to the server hosting the DC role?
  3. Who administers the server that hosts the file 
  and DC roles? Are they also trusted?
  
  When designing the branch office, I would always ask the 
  questions below, too:
  1. Is a local DC required? i.e. what are the drawbacks if 
  a DC is not deployed?
  2. Is logon/startup traffic over the WAN larger than 
  replication traffic over the WAN? If not, consider not deploying a local 
  DC.
  3. Does a local DC offer redundancy in the event of a WAN 
  failure? If other apps are accessed over the WAN, then consider deploying the 
  DC at a central location and not at the branch.
  
  hth,
  neil
  
  
  ___
  Neil Ruston
  Global Technology Infrastructure
  Nomura International plc

  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
  Sent: 13 October 2005 01:12
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Virtual Servers in Branch Offices
  
  Here's a link to a Microsoft document that covers what 
  you need to do to run a production DC on Virtual Server 
  2005.
  
  http://tinyurl.com/5enjd
  
  Tony
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
  Sent: Thursday, 13 October 2005 11:30 a.m.
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Virtual Servers in Branch Offices
  
  Hi 
  -
  
  Just to follow up 
  on the design thread Since I am placing DCs in small branch offices is 
  there a value in using Virtual Server 2005 to create separate virtual boxes 
  (DC & file server) running on the same physical box? Some users have 
  administrative access to the file server, and I'd love to keep them off the 
  DCs. I am also curious about optimal physical and virtual drive configurations 
  for such a box.
  
  I reviewed the 
  thread here about Virtual Domain Controllers but it seemed to focus on using 
  them as backups. I am talking about production.
  
  Any thoughts most 
  welcome.
  
  -- 
  nme
  
  

  
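Rick's point above is the one to check on any host that runs a virtual DC: whoever can read the VHD can carry the DIT away, and whoever is an administrator on the host can start the guest, domain member or not. The script below is an added example, not from the thread; it assumes the VM files live under a placeholder path, the Virtual Server 2005 file extensions (.vmc, .vhd, .vsv, .vud, with .vhdx added for Hyper-V), a placeholder list of trusted principals, and Get-LocalGroupMember (PowerShell 5.1 on Windows 10/Server 2016 or later).

```powershell
# Added example (not from the thread): on a host that runs a virtual DC, list who
# can read or change the guest's files (the .vhd is the NTDS.DIT as far as an
# attacker is concerned) and who is a local administrator on the host.
# Assumptions: VM files under $VmRoot (placeholder), Virtual Server 2005 file
# extensions (.vmc config, .vhd disk, .vsv saved state, .vud undo disk) plus .vhdx,
# and the placeholder list of principals that are supposed to have access.
$VmRoot  = 'D:\VirtualMachines'
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CONTOSO\DC-Hosting-Admins')

function Get-VmFileAccessReport {
    param([string]$Path = $VmRoot, [string[]]$TrustedPrincipals = $Trusted)
    Get-ChildItem -Path $Path -Recurse -Include *.vhd, *.vhdx, *.vmc, *.vsv, *.vud -File |
        ForEach-Object {
            $file = $_
            # Report every Allow ACE granted to someone outside the trusted list;
            # a file-server admin with Modify on the .vhd is exactly the case to catch
            (Get-Acl -Path $file.FullName).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               $TrustedPrincipals -notcontains $_.IdentityReference.Value } |
                ForEach-Object {
                    [pscustomobject]@{
                        File      = $file.FullName
                        Principal = $_.IdentityReference.Value
                        Rights    = $_.FileSystemRights
                        Inherited = $_.IsInherited
                    }
                }
        }
}

function Get-HostAdminReport {
    param([string[]]$TrustedPrincipals = $Trusted)
    # A local administrator on the host can mount the disk or start the guest
    # regardless of the file ACLs; anyone not on the trusted list is reported
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $TrustedPrincipals -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

Get-VmFileAccessReport | Format-Table -AutoSize
Get-HostAdminReport    | Format-Table -AutoSize
```

An empty result from both reports is the goal: the file-server admins the original question wanted kept off the DC should appear in neither list.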

RE: [ActiveDir] salary(OT)

2005-10-14 Thread Rick Kingslan
joe said: Again, the reviewers did a fantastic job.

Of which, you will all notice when the book comes out, I am _NOT_ one of
those reviewers.

joe said: They kept me honest

Which is one of the reasons _WHY_ I was not one of those reviewers

Rick

P.S.  Hey, joe  :op

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Not out yet, I am expecting Mid November or Early December. I sent an email
to see if I can find out. 

The book is NOT written in my voice, I tried as best as possible to maintain
the voice that was there. I simply revised it though I did add a Chapter on
ADAM and a chapter on some basic Exchange/AD Scripting. If you have the
first or second edition I think you will find this edition worthy of picking
up even if you don't have Windows Server 2003 SP1 or R2. I tried fleshing
out and changing anything I didn't feel was right. Also the reviewers all
did a bangup job finding things I missed. I admit I didn't sleep much in
August or September. Tony may have noticed a lull in the list volume, me
working on that book saved at least 2 bazillion helpless bits from being
sacrificed.

I learned that revising a book may actually be harder than writing a book
from scratch and you get paid less. Well maybe it is depending on if you
know what you want to write about. With revising you can't just write, you
have to read, reread, write, reread, write, reread, tweak, reread. When you
change the flow and feel and voice it is like hitting a brick wall when
reading. I am sure I didn't get rid of all of the bricks but I certainly
tried to knock the walls down to a point where you can step over them
without too much trouble. Anyway, I spent less time writing the ADAM chapter
than I spent updating the security chapter. I know now that I probably
should have just rewritten from scratch and it would have gone faster. Oh
well, live and learn or don't live long.

Again, the reviewers did a fantastic job. They kept me honest when I tried
to skip over some stuff when I got tired and I thank them profusely. I tried
to do them justice in the small space provided to me for acknowledgements.
Those are the things people tend not to look at at the front of the book. I
do ask that if you pick up the book, you do look. Those, folks, deserve,
the: attention.


  joe





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe,  Active Directory Third Edition
What is this?  Where is it?

RH
_

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)


I would not be surprised. I know this list has become quite popular and for
good reason. It is one of the few places where I learn things that I don't
stumble over myself. Many times I learn things when people make random
comments about their environment which kicks a realization in myself on how
something probably works in the backend. It is pretty cool. 

On the downside sounds like my total sales on Active Directory Third Edition
will be in the area of 2000 copies which isn't going to buy me a 100ft ocean
ready cruiser. ;o)

Understood on posting the lurker list. On top of the spammers, I am sure
some lurkers would not be happy to be out-ed like that. I don't have an
issue with lurkers myself. In fact I would love to hear we have some 25000
lurkers, it means a lot of people are getting a lot of good info. 


 Everyone has to send me 25% of their income. It's only fair really.

Does the postal service even deliver to NZ?


   joe

P.S. So now I am feeding everyone? No wonder my pantry is empty! 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, October 13, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Well, if I told you we have around 1500 people subscribed in standard mode
and a couple of hundred subscribed in digest mode, would you be surprised?
:-)

I could post the lurker list, but I don't really want spammers to get hold
of it.  

Personally, I have no problem with lurkers.  And, hey, it's my list. :-)

On the subject of money, I'm considering operating the list in the style
of a TV evangelist.  Everyone has to send me 25% of their income.   It's
only fair really.

Tony

PS.  Joe, I've had no complaints about you to date.  Why would people want
to bite the hand that feeds them?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 14 October 2005 12:09 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 

RE: [ActiveDir] salary(OT)

2005-10-14 Thread Rick Kingslan
Actually, I think that book and the Windows XP book are the only two that I
Haven't reviewed.

As to why I wasn't asked - I dunno.

Rick 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Hey I needed to maintain a certain quality 

Did you send something to Robbie to say you wanted to review it? In the end
we were begging for reviewers, I even took Dean as a reviewer and you know
the edge I had to be on for that. He kept wanting to spell words wrong.
Eventually I just took out all references to the words color, humor, and
other or words.

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, October 14, 2005 7:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe said: Again, the reviewers did a fantastic job.

Of which, you will all notice when the book comes out, I am _NOT_ one of
those reviewers.

joe said: They kept me honest

Which is one of the reasons _WHY_ I was not one of those reviewers

Rick

P.S.  Hey, joe  :op

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Not out yet, I am expecting Mid November or Early December. I sent an email
to see if I can find out. 

The book is NOT written in my voice, I tried as best as possible to maintain
the voice that was there. I simply revised it though I did add a Chapter on
ADAM and a chapter on some basic Exchange/AD Scripting. If you have the
first or second edition I think you will find this edition worthy of picking
up even if you don't have Windows Server 2003 SP1 or R2. I tried fleshing
out and changing anything I didn't feel was right. Also the reviewers all
did a bangup job finding things I missed. I admit I didn't sleep much in
August or September. Tony may have noticed a lull in the list volume, me
working on that book saved at least 2 bazillion helpless bits from being
sacrificed.

I learned that revising a book may actually be harder than writing a book
from scratch and you get paid less. Well maybe it is depending on if you
know what you want to write about. With revising you can't just write, you
have to read, reread, write, reread, write, reread, tweak, reread. When you
change the flow and feel and voice it is like hitting a brick wall when
reading. I am sure I didn't get rid of all of the bricks but I certainly
tried to knock the walls down to a point where you can step over them
without too much trouble. Anyway, I spent less time writing the ADAM chapter
than I spent updating the security chapter. I know now that I probably
should have just rewritten from scratch and it would have gone faster. Oh
well, live and learn or don't live long.

Again, the reviewers did a fantastic job. They kept me honest when I tried
to skip over some stuff when I got tired and I thank them profusely. I tried
to do them justice in the small space provided to me for acknowledgements.
Those are the things people tend not to look at at the front of the book. I
do ask that if you pick up the book, you do look. Those, folks, deserve,
the: attention.


  joe





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe,  Active Directory Third Edition
What is this?  Where is it?

RH
_

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)


I would not be surprised. I know this list has become quite popular and for
good reason. It is one of the few places where I learn things that I don't
stumble over myself. Many times I learn things when people make random
comments about their environment which kicks a realization in myself on how
something probably works in the backend. It is pretty cool. 

On the downside sounds like my total sales on Active Directory Third Edition
will be in the area of 2000 copies which isn't going to buy me a 100ft ocean
ready cruiser. ;o)

Understood on posting the lurker list. On top of the spammers, I am sure
some lurkers would not be happy to be out-ed like that. I don't have an
issue with lurkers myself. In fact I would love to hear we have some 25000
lurkers, it means a lot of people are getting a lot of good info. 


 Everyone has to send me 25% of their income. It's only fair really.

Does the postal service even deliver to NZ?


   joe

P.S. So now I am feeding everyone? No wonder my pantry is empty! 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED

RE: [ActiveDir] Adding custom fields to AD

2005-10-09 Thread Rick Kingslan
Yur just a problem child.

-r
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, October 08, 2005 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Yeah, GPOs aren't AD. GPOs are an application that use AD. I hate GPOs. DNS
too.

:o)

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, October 08, 2005 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Interesting question - and as to the 'implode point' for ESE/Jet Blue,
Brettsh can answer that one.  I'm pretty sure that we have a good idea on
where the point of diminishing returns is, but it likely FAR exceeds what
anyone might practically do today - even with added classes and attributes.

As for why ESE - it works, it is self maintaining to a great degree, there
is very little overhead in the DB, and it is quite optimized to the type of
work that is required for AD.  Brettsh can certainly add more.

I am one for preaching more svelte attitudes on your AD.  As joe mentions -
it's for authN purposes first and foremost.  It CAN handle DNS, it does GPO
(though - truth be told the majority of GPO function is but a link to an
attribute, while the actual GPO pieces reside in SYSVOL, so not much AD -
lots of FRS), etc.

App Parts make sense in some arenas where the amount of data is going to be
very small and contained to just a few areas.  I, too, like joe advocate
ADAM.  I try to sell ADAM constantly as THE solution for most anything that
doesn't have to do with authN.  Customer AppDev wants to stuff new things
into AD constantly. Partly, they don't know the down sides.  Partly, they
think they have to learn something new.  Partly, they don't really care if
YOUR AD is affected by their decisions, as long as they deliver the solution
in the timeframe specified.  So, it's up to you, Mr. Admin and Mr. Architect
to tell whoever wants to use your AD, no - we don't do it that way because
it's very bad.  We will use ADAM.  Get used to it.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Friday, October 07, 2005 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

That's a good point about plonking stuff in AD - a case of once a good
thing comes along everyone wants to climb aboard. I remember doing ZENworks
stuff with Novell where all the application configuration information for
software distribution was shunted into NDS/E-Directory... all that bloat
adds up replication-wise (still, at least there was partitioning).

One thing I am curious about though is why MS opted for JET as the DB of
choice for AD... was it the only viable option at the time? What's the
ceiling on actual database size before it caves in (performance-wise)?

Mylo

joe wrote:

I am going to basically say what the other said only I am going to put 
it this way

IF the data needs to be available at all locations or a majority of 
locations where your domain controllers are located, consider adding 
the data to AD.

IF the data is going to be needed only at a couple of sites or a single 
site, put them into another store. My preference being AD/AM unless you 
need to do some complicated joins or queries of the data that LDAP 
doesn't support.

There is also the possibility of using app partitions but if you were 
going to go that far, just use AD/AM.

The thing I have about sticking this data into AD is that AD is 
becoming, in many companies, a dumping ground of all the crap that was 
in all the other directories in the company. I realize this was the 
initial view from MS on how this should work but I worked in a large 
company and thought that was silly even then.

The number one most important thing for AD is to authenticate Windows
users.
Every time you dump more crap into AD you are working towards impacting 
that capability or the capability to quickly restore or the ability to 
quickly add more DCs. The more I see the one stop everything loaded 
into ADs the more I think that the NOS directory should be NOS only.
Plus, I wonder how long before we hit some interesting object size 
limits. I have asked for details from some MS folks a couple of times 
on the issues with admin limit exceeded errors that you get when 
overpopulating a normal multivalue attribute (i.e. not linked) and it 
causing no other attributes to be added to the object. I wonder what other
limits like that exist.



   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, August 09, 2005 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding custom fields to AD

Group,

My manager wanted me to check, even though, I don't think that it is 
possible

RE: [ActiveDir] Adding custom fields to AD

2005-10-09 Thread Rick Kingslan




"what would you think would be a good replacement for dns/wins?"

There currently isn't one. Not really even a viable option on the table. joe
doesn't like DNS. The rest of the planet loves DNS - including those eggheads
(loveable eggheads that they are) at IETF, who are the holders of the
standards, and they love DNS too. :-)

Microsoft fought hard to get TO standards cooperation. Don't look for anything
in the near future to break away from that in regards to DNS.

Rick

--
Posting is provided "AS IS", and confers no rights or warranties ...



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, October 08, 2005 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

I've had the reverse-
last place i worked at had corrupted WINS at least once every 2 months (this
could have been due to my lousy admin skills)
i've never had issues with dns (could be my dumb luck)
now i work for a corp that has netbios/tcp disabled and relies solely on
dns (both MS and BIND) with no name resolution issues.
also wins replication seems much more complex than standard
primary/secondary dns replication.


and i'm not one to think i know anything as an admin or would even think of
getting into such a discussion with someone as experienced and knowledgeable
as you, but i've always found dns easier than wins and netbios names in
general.


my only difficulty came with learning dns on BIND/Linux and just wrapping my
head around AD integrated dns when i first came to Windows.
sometimes when you learn something via the command line, using the gui just
confuses things.

then again i'm probably one of those guys who "thinks" he knows dns but
really doesn't know anything and hasn't found out yet :(


what would you think would be a good replacement for dns/wins?
thanks
On 10/8/05, joe 
[EMAIL PROTECTED] 
wrote: 

  I wasn't saying I like WINS better than DNS or vice versa, just said I don't
  like DNS. I especially dislike the AD/DNS integration. I don't like chicken
  and egg problems.

  BTW, as you bring up WINS. 1. I've never had a corrupted WINS Database.
  2. Fewer admins had name resolution issues or replication based issues with
  WINS than they do with DNS. 3. The complexity of DNS seems to put many
  admins off the deep end, interestingly enough, the same admins who said they
  couldn't figure out WINS say they know all about DNS.

  But again, my comment wasn't I like WINS more than DNS, or I like any name
  resolution systems better than DNS, it was simply I don't like DNS.
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Saturday, October 08, 2005 12:42 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Adding custom fields to AD
  
  
  ok, i'll bite.
  GPOs, i understand, but what's there to hate about DNS?
  it's better than WINS.
  I've never had a corrupted dns database.
  
  thanks
  On 10/8/05, joe 
  [EMAIL PROTECTED] 
  wrote: 
  Yeah, GPOs aren't AD. GPOs are an application that use AD. I hate GPOs. DNS
  too.

  :o)

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Rick Kingslan
  Sent: Saturday, October 08, 2005 11:19 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Adding custom fields to AD

  Interesting question - and as to the 'implode point' for ESE/Jet Blue,
  Brettsh can answer that one. I'm pretty sure that we have a good idea on
  where the point of diminishing returns is, but it likely FAR exceeds what
  anyone might practically do today - even with added classes and attributes.

  As for why ESE - it works, it is self maintaining to a great degree, there
  is very little overhead in the DB, and it is quite optimized to the type of
  work that is required for AD. Brettsh can certainly add more.

  I am one for preaching more svelte attitudes on your AD. As joe mentions -
  it's for authN purposes first and foremost. It CAN handle DNS, it does GPO
  (though - truth be told the majority of GPO function is but a link to an
  attribute, while the actual GPO pieces reside in SYSVOL, so not much AD -
  lots of FRS), etc.

  App Parts make sense in some arenas where the amount of data is going to be
  very small and contained to just a few areas. I, too, like joe advocate
  ADAM. I try to sell ADAM constantly as THE solution for most anything that
  doesn't have to do with authN. Customer AppDev wants to stuff new things
  into AD constantly. Partly, they don't know the down sides. Partly, they
  think they have to learn something new. Partly, they don't really care if
  YOUR AD is affected by their decisions, as long as they deliver the solution
  in the timeframe specified. So, it's up to you, Mr. Admin and Mr. Architect
  to tell whoever wants to use your AD, no - we don't do it that way because
  it's very

RE: [ActiveDir] AD Restore Problem

2005-10-08 Thread Rick Kingslan
However, as we have discussed here MANY, MANY times - it might not be
SUPPORTED.  That simply means that PSS is only going to give best effort.
They are NOT going to tell you:

Sorry - not supported. click

If they do - let me know.  I'll love taking that one to the brass.

As we know - DCs work quite well virtualized today, thank you very much.

Rick [msft, too]

P.S.  The 'not supported' thing goes for most anything that you can dream
up.  Believe me - PSS will try to solve nearly anything.  They might laugh -
but they will try.  And, gladly take your $245.00, or whatever per incident
is on your given current supported or not supported pain.
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, October 06, 2005 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem

stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay.  What does
Sun, Linux, Mac or any other competing Server OS do in their world to ensure
the Kingdom easily and quickly comes back up?  yeah I know they don't have
AD but they have to have some competing glue, right? What have they done if
anything?


How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a Virtual
Server environment is not supported... yet we SBSers have gotten word that
once Exchange 2003 sp2 supports Vserver all of the parts of the 'standard'
box will be supported in a virtual environment.


Brett Shirley wrote:

If you have any replicas of those servers, when you restore those 
VMWare images, you will have corrupted your forest during restore.

-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no 
rights.


On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

  

I am working my way down the VMWare path also for my ultimate DR ace 
in the hole. The environment is a TLD with 4 child domains. I am 
planning on running a single VMWare server that has virtual DCs for 
all 5 domains. I am going to peel off a dedicated site/vlan and put 
the physical VMWare server and all of the DC virt servers in that 
site. None of the virtual DCs are going to be GCs. The reason for the 
dedicated site is so I can keep people from using them for validation 
in production.
 
Once I have them running, I plan to use the VM scripting to gracefully 
shut them down once a day and then shoot the image file of the 
shutdown DC off to tape, which then goes off-site. After the backup 
completes I then restart the virtual servers.
 
This plays into the different hardware scenario since I can use VMWare 
to abstract the hardware.
 
Of course, this whole process is the backup to the normal system state 
backup of all my backbone DCs.
 
FWIW - Frank



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, 
Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem


You will still need to abandon the snapshot/image approach. Go to 
http://www.mail-archive.com/activedir@mail.activedir.org/ and search 
for usn rollback. You can get the same information by searching 
support.microsoft.com, but without the colorful and enlightening 
commentary that the list provides.
 
Hunter



  

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

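As an added, defender-side example (not code from the thread or from Microsoft), the PowerShell below checks a DC for the USN rollback indicators KB 875495 describes after an image or snapshot restore of the kind Brett and Hunter warn about: the "DSA Not Writable" registry value, Directory Service events 2095 and 2103, and repadmin's per-partner failure counts. It assumes an elevated session on the DC itself; the event IDs, registry value and repadmin CSV column names are from my memory of the KB and the tool, not from the thread.

```powershell
# Added example, not code from the thread or from Microsoft. Checks the local
# domain controller for the USN rollback indicators that KB 875495 describes
# after an AD database is rolled back by restoring an image or snapshot.
# Assumes: run locally on the DC in an elevated PowerShell session.

function Test-UsnRollbackIndicators {
    [CmdletBinding()]
    param(
        # How far back in the Directory Service log to look.
        [int]$DaysBack = 30
    )

    # KB 875495: when a DC detects that its USNs went backwards relative to
    # what replication partners already received, it writes the REG_DWORD
    # "DSA Not Writable" = 4 under the NTDS parameters key and pauses both
    # inbound and outbound replication so the stale state cannot spread.
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dsaNotWritable = (Get-ItemProperty -Path $ntdsKey -Name 'DSA Not Writable' `
                          -ErrorAction SilentlyContinue).'DSA Not Writable'

    # Directory Service log events that accompany an unsupported restore
    # (IDs as I recall them from KB 875495):
    #   2095 - USN rollback detected by this DC
    #   2103 - database restored with an unsupported method; replication
    #          disabled and Net Logon paused until the DC is rebuilt
    $filter = @{
        LogName   = 'Directory Service'
        Id        = 2095, 2103
        StartTime = (Get-Date).AddDays(-$DaysBack)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # Per-partner inbound replication status from this DC's own view.
    # repadmin /showrepl /csv emits one row per (naming context, partner);
    # the column names below are the ones I recall from that output.
    $replFailures = @()
    if (Get-Command repadmin.exe -ErrorAction SilentlyContinue) {
        $replFailures = @(repadmin.exe /showrepl /csv 2>$null |
            ConvertFrom-Csv |
            Where-Object { ([int]$_.'Number of Failures') -gt 0 } |
            Select-Object 'Naming Context', 'Source DSA', 'Number of Failures',
                          'Last Failure Status', 'Last Success Time')
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        DsaNotWritable    = $dsaNotWritable
        RollbackEvents    = @($events | Select-Object TimeCreated, Id, Message)
        ReplFailures      = $replFailures
        # The registry flag and the events are the definitive signals;
        # replication failures alone have many other possible causes.
        RollbackSuspected = ($dsaNotWritable -eq 4) -or ($events.Count -gt 0)
    }
}

$report = Test-UsnRollbackIndicators
$report | Format-List

if ($report.RollbackSuspected) {
    # KB 875495 does not repair a rolled-back DC in place: the DC is forcibly
    # demoted, its metadata cleaned up, and it is re-promoted from a healthy
    # replica. Re-enabling replication on it would spread the stale state.
    $msg = "USN rollback indicators present on $($report.ComputerName); " +
           "leave replication disabled and follow the recovery steps in KB 875495."
    Write-Warning $msg
}
```

Taking an image of a cleanly shut-down DC, as Frank describes, does not by itself trip these checks; it is restoring that image next to live replicas that does.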


RE: [ActiveDir] Adding custom fields to AD

2005-10-08 Thread Rick Kingslan
Interesting question - and as to the 'implode point' for ESE/Jet Blue,
Brettsh can answer that one.  I'm pretty sure that we have a good idea on
where the point of diminishing returns is, but it likely FAR exceeds what
anyone might practically do today - even with added classes and attributes.

As for why ESE - it works, it is self maintaining to a great degree, there
is very little overhead in the DB, and it is quite optimized to the type of
work that is required for AD.  Brettsh can certainly add more.

I am one for preaching more svelte attitudes on your AD.  As joe mentions -
it's for authN purposes first and foremost.  It CAN handle DNS, it does GPO
(though - truth be told the majority of GPO function is but a link to an
attribute, while the actual GPO pieces reside in SYSVOL, so not much AD -
lots of FRS), etc.

App Parts make sense in some arenas where the amount of data is going to be
very small and contained to just a few areas.  I, too, like joe advocate
ADAM.  I try to sell ADAM constantly as THE solution for most anything that
doesn't have to do with authN.  Customer AppDev wants to stuff new things
into AD constantly. Partly, they don't know the down sides.  Partly, they
think they have to learn something new.  Partly, they don't really care if
YOUR AD is affected by their decisions, as long as they deliver the solution
in the timeframe specified.  So, it's up to you, Mr. Admin and Mr. Architect
to tell whoever wants to use your AD, no - we don't do it that way because
it's very bad.  We will use ADAM.  Get used to it.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Friday, October 07, 2005 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

That's a good point about plonking stuff in AD - a case of once a good
thing comes along everyone wants to climb aboard. I remember doing ZENworks
stuff with Novell where all the application configuration information for
software distribution was shunted into NDS/E-Directory... all that bloat
adds up replication-wise (still, at least there was partitioning).

One thing I am curious about though is why MS opted for JET as the DB of
choice for AD... was it the only viable option at the time? What's the
ceiling on actual database size before it caves in (performance-wise)?

Mylo

joe wrote:

I am going to basically say what the other said only I am going to put 
it this way

IF the data needs to be available at all locations or a majority of 
locations where your domain controllers are located, consider adding 
the data to AD.

IF the data is going to be needed only at a couple of sites or a single 
site, put them into another store. My preference being AD/AM unless you 
need to do some complicated joins or queries of the data that LDAP 
doesn't support.

There is also the possibility of using app partitions but if you were 
going to go that far, just use AD/AM.

The thing I have about sticking this data into AD is that AD is 
becoming, in many companies, a dumping ground of all the crap that was 
in all the other directories in the company. I realize this was the 
initial view from MS on how this should work but I worked in a large 
company and thought that was silly even then.

The number one most important thing for AD is to authenticate Windows
users.
Every time you dump more crap into AD you are working towards impacting 
that capability or the capability to quickly restore or the ability to 
quickly add more DCs. The more I see the one stop everything loaded 
into ADs the more I think that the NOS directory should be NOS only. 
Plus, I wonder how long before we hit some interesting object size 
limits. I have asked for details from some MS folks a couple of times 
on the issues with admin limit exceeded errors that you get when 
overpopulating a normal multivalue attribute (i.e. not linked) and it 
causing no other attributes to be added to the object. I wonder what other
limits like that exist.



   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, August 09, 2005 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding custom fields to AD

Group,

My manager wanted me to check, even though, I don't think that it is 
possible, but, I will present the question.

He would like to add some custom fields, about 30, to AD.  He would 
like to add bio information into AD to be pulled by Sharepoint and 
other applications for people to read. I think that this is a waste of 
time, space and effort.  However, it is not my call and if this is what he
wants

What are everyone's thoughts on the topic?

Thanks
S

RE: [ActiveDir] Adding custom fields to AD

2005-10-08 Thread Rick Kingslan
Oh, and just so there is no question - see addition to my post below.
(yeah - I'm not yet used to the disclaimer thingie)

Rick [msft] 
--
Posting is provided AS IS, and confers no rights or warranties ...
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, October 08, 2005 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Interesting question - and as to the 'implode point' for ESE/Jet Blue,
Brettsh can answer that one.  I'm pretty sure that we have a good idea on
where the point of diminishing returns is, but it likely FAR exceeds what
anyone might practically do today - even with added classes and attributes.

As for why ESE - it works, it is self maintaining to a great degree, there
is very little overhead in the DB, and it is quite optimized to the type of
work that is required for AD.  Brettsh can certainly add more.

I am one for preaching more svelte attitudes on your AD.  As joe mentions -
it's for authN purposes first and foremost.  It CAN handle DNS, it does GPO
(though - truth be told the majority of GPO function is but a link to an
attribute, while the actual GPO pieces reside in SYSVOL, so not much AD -
lots of FRS), etc.

App Parts make sense in some arenas where the amount of data is going to be
very small and contained to just a few areas.  I, too, like joe advocate
ADAM.  I try to sell ADAM constantly as THE solution for most anything that
doesn't have to do with authN.  Customer AppDev wants to stuff new things
into AD constantly. Partly, they don't know the down sides.  Partly, they
think they have to learn something new.  Partly, they don't really care if
YOUR AD is affected by their decisions, as long as they deliver the solution
in the timeframe specified.  So, it's up to you, Mr. Admin and Mr. Architect
to tell whoever wants to use your AD, no - we don't do it that way because
it's very bad.  We will use ADAM.  Get used to it.

Rick [msft]
--
Posting is provided AS IS, and confers no rights or warranties ...
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Friday, October 07, 2005 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

That's a good point about plonking stuff in AD - a case of once a good
thing comes along everyone wants to climb aboard. I remember doing ZENworks
stuff with Novell where all the application configuration information for
software distribution was shunted into NDS/E-Directory... all that bloat
adds up replication-wise (still, at least there was partitioning).

One thing I am curious about though is why MS opted for JET as the DB of
choice for AD... was it the only viable option at the time? What's the
ceiling on actual database size before it caves in (performance-wise)?

Mylo

joe wrote:

I am going to basically say what the other said only I am going to put 
it this way

IF the data needs to be available at all locations or a majority of 
locations where your domain controllers are located, consider adding 
the data to AD.

IF the data is going to be needed only at a couple of sites or a single 
site, put them into another store. My preference being AD/AM unless you 
need to do some complicated joins or queries of the data that LDAP 
doesn't support.

There is also the possibility of using app partitions but if you were 
going to go that far, just use AD/AM.

The thing I have about sticking this data into AD is that AD is 
becoming, in many companies, a dumping ground of all the crap that was 
in all the other directories in the company. I realize this was the 
initial view from MS on how this should work but I worked in a large 
company and thought that was silly even then.

The number one most important thing for AD is to authenticate Windows
users.
Every time you dump more crap into AD you are working towards impacting 
that capability or the capability to quickly restore or the ability to 
quickly add more DCs. The more I see the one stop everything loaded 
into ADs the more I think that the NOS directory should be NOS only.
Plus, I wonder how long before we hit some interesting object size 
limits. I have asked for details from some MS folks a couple of times 
on the issues with admin limit exceeded errors that you get when 
overpopulating a normal multivalue attribute (i.e. not linked) and it 
causing no other attributes to be added to the object. I wonder what other
limits like that exist.



   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, August 09, 2005 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding custom fields to AD

Group,

My manager wanted me to check, even though, I don't think that it is 
possible, but, I will present the question.

He would like to add some custom fields, about 30, to AD.  He would 
like to add

RE: [ActiveDir] Active Directory Permissions

2005-09-03 Thread Rick Kingslan



blanks and dupes here

-r


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 01, 2005 10:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Permissions

Michael Smith's last post with this title showed up as 
blank for me.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, September 01, 2005 9:28 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Active Directory Permissions

Is anyone else receiving blank posts, per the enclosed, or occasional dupes?

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, September 01, 2005 8:52 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Permissions



RE: [ActiveDir] Infrastucture Master and adprep /domainprep

2005-08-29 Thread Rick Kingslan
I suppose it's much like my gaffe of a couple weeks ago with our good friend
Bernard Aric (sic) from HP.

(Cheers, Aric! )

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Monday, August 29, 2005 5:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep

Yep, that was him.  Drat, dunno why I had Luther in my head as being his
first name.  


- L

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Monday, August 29, 2005 12:32 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
 
 Heavy German accent?  I suspect that it was Andreas Luther  (and 
 looks nothing like Guido)
 
 And - it might have been DEC as Andreas was there for the Identity 
 Management (read:MIIS) portion of the conference.
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura 
 E.
 Sent: Sunday, August 28, 2005 7:02 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
 
 Oddly enough, this exact topic came up in a dinner conversation at 
 Tech Ed this year.[1]  Luther...oh heck somebody remind me of his 
 last name...had apparently quizzed people with this one at a previous 
 conference (DEC?), only to ultimately reveal that the answer was "You 
 know how people always ask you what the IM FSMO does? Well, now you can 
 tell them that it's responsible for running /domainprep."
 
 
 
 [1] Please hold the jokes about having dinner conversations about 
 Active Directory internals until the end, please.  :-)
 
 
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of
 Tony Murray
   Sent: Sunday, August 28, 2005 7:36 PM
   To: ActiveDir@mail.activedir.org
   Subject: [ActiveDir] Infrastucture Master and adprep /domainprep
   
   Hi all

   Does anyone know why the documentation suggests that adprep 
   /domainprep be run on the DC holding the IM FSMO role?  I heard a 
   rumour to the effect that it was only because that DC is
  likely to be
   less busy than the other DCs, but I'd like to know for sure.

   Tony
   
  
  
  
  
  


RE: [ActiveDir] Infrastucture Master and adprep /domainprep

2005-08-29 Thread Rick Kingslan
Guido is doing that for me, I'm quite sure.  Any time anyone mentions IM to
me, I want to add them to my contact list.  I'm much like a teenage little
girl in that regard (and scream like one too, when frightened! :-)

VBG

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, August 29, 2005 6:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep

IFM is an odd abbreviation of the Infrastructure Master role.  I think IM is
more typical.

-B

On Mon, 29 Aug 2005, Grillenmeier, Guido wrote:

 Andreas actually teased me with this at the second DEC in US (must 
 have been 2003 in Scottsdale, Arizona), as I also wondered why the IFM 
 would be required for this role.  So after a good discussion about the 
 IFM's functions it was clear there was absolutely no technical 
 requirement that adprep /domainprep be performed on the IFM FSMO ;-)
 
 The only reason the IFM was chosen to perform this special task is:
 they had to ensure that the domainprep will only be performed on a 
 single DC in a domain and all the other FSMOs already had many more 
 special tasks than the IFM - this is why the domainprep was bound to 
 be executed on the IFM FSMO.
 
 /Guido
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura 
 E.
 Sent: Montag, 29. August 2005 12:36
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
 
 Yep, that was him.  Drat, dunno why I had Luther in my head as being 
 his first name.
 
 
 - L
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Rick 
  Kingslan
  Sent: Monday, August 29, 2005 12:32 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
  
  Heavy German accent?  I suspect that it was Andreas Luther  (and 
  looks nothing like Guido)
  
  And - it might have been DEC as Andreas was there for the Identity 
  Management (read:MIIS) portion of the conference.
  
  Rick
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, 
  Laura E.
  Sent: Sunday, August 28, 2005 7:02 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Infrastucture Master and adprep /domainprep
  
  Oddly enough, this exact topic came up in a dinner conversation at 
  Tech Ed this year.[1]  Luther...oh heck somebody remind me of his 
  last name...had apparently quizzed people with this one at a 
  previous conference (DEC?), only to ultimately reveal that the answer 
  was "You know how people always ask you what the IM FSMO does? Well, 
  now you can tell them that it's responsible for running /domainprep."
  
  
  
  [1] Please hold the jokes about having dinner conversations about 
  Active Directory internals until the end, please.  :-)
  
  
   
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
  Tony Murray
Sent: Sunday, August 28, 2005 7:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Infrastucture Master and adprep /domainprep

Hi all
 
Does anyone know why the documentation suggests that adprep 
/domainprep be run on the DC holding the IM FSMO role?  I heard 
a rumour to the effect that it was only because that DC is
   likely to be
less busy than the other DCs, but I'd like to know for sure.
 
Tony

   
   
   
   
   


RE: FW: [Fwd: RE: [ActiveDir] Password policy change]

2005-08-28 Thread Rick Kingslan
Yep - I've been through this just of late.  If the Change at next logon is
set, IIS doesn't have that level of function to allow this to take place
through the current functions.

Rick

--
Posting is provided AS IS, and confers no rights or warranties ...


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Saturday, August 27, 2005 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: FW: [Fwd: RE: [ActiveDir] Password policy change]

Yes that enables the password change functionality through OWA, but I
don't believe that will help this particular situation. When you set
the User Must Change Password at Next Logon bit then logon to OWA I
don't think OWA will dump you to a password change screen. That
Password Change screen is only something you can access once in OWA as
far as I know.

To address the question about password expiry and OWA users, when you
log in with OWA it will tell you that your password is getting close
to expiring so it gives you a heads up that you need to change your
password soon, whether that is through the IIS Password change tool or
some other password change facility.

Phil

On 8/27/05, joe [EMAIL PROTECTED] wrote:
 From a shy lurker MVP
 
 It appears it is something you can enable. It isn't strictly part of OWA but
 the old IIS Password change tool. I recall there being issues with that tool
 and that is why they stopped enabling it by default but can't recall what
 they were this late at night or this early in the morning whatever it may
 be. ;o)
 
 Thanks for the assist Mom. :)
 
 
 
 -Original Message-
 Sent: Saturday, August 27, 2005 2:24 AM
 To: [EMAIL PROTECTED]
 Subject: [Fwd: RE: [ActiveDir] Password policy change]
 

 http://www.petri.co.il/enable_password_changing_through_owa_in_exchange_2003.htm
 
 
  Original Message 
 Subject:RE: [ActiveDir] Password policy change
 Date:   Sat, 27 Aug 2005 02:16:14 -0400
 From:   joe [EMAIL PROTECTED]
 Reply-To:   ActiveDir@mail.activedir.org
 To: ActiveDir@mail.activedir.org
 
 
 
 Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in
 Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your
 password is expired (forced or otherwise) you aren't getting into OWA. I
 also don't believe it has a password change function if you just want to go
 and change it, but that could be something that could be enabled.
 Alternatively you set up another web page to do it.
 
 As for the OP's original issue. It all comes down to implementation. You told
 the system to not allow people to change the password if the password age
 was less than one day and then were confused when it did exactly that. The
 reason for it is that there is one attribute for password age, pwdLastSet,
 and it doesn't distinguish between a helpdesk set operation or a normal
 password change, they are both password changes and you only want one day
 between every change. The proper way to handle that case is to force the
 users to change their password on next logon (which sets the pwdLastSet to
 0), but as you know, that will kill OWA users. So you either need another
 process to follow for OWA only users, install some third party or custom
 inhouse tool, or drop the minimum password aging.
 
   joe
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
 Sent: Saturday, August 27, 2005 12:09 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Password policy change
 
 You're right, Aaron, I didn't know what it meant!
 
 I am not an Outlook sort of person (we use Notes...), but the inferred
 statement surprises me. It suggests that if the must change password is
 set, you can't logon to Outlook Web Access.
 
 This would suggest that forcing users to change password after (say) 28 days
 is also a no-no.
 
 And, it would also suggest that Outlook Web Access won't let you change your
 password. If it did, it would surely allow you to logon, then require you to
 change the password before you do anything.
 
 This all seems unlikely, given Microsoft's recommended use of forcing
 password changes on a regular basis and forcing users to change a password
 when a new user is created.
 
 If it is all true, maybe you have to provide some way that the users can go
 to a Citrix portal and change their password there, then go back and use
 Outlook Web Access.
 
  Alan Cuthbertson
 
 
  Policy Management Software:-
  http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
  ADM Template Editor:-
  http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
  Policy Log Reporter(Free)
  http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml
 
 
 
 
 - Original Message -
 From: Aaron Visser [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Saturday, August 27, 2005 8:59 AM
 Subject: Re: [ActiveDir] Password policy change
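The pwdLastSet behaviour joe describes in the thread above, as an added example that is not code from any poster: a small model of the DC's minimum-password-age gate and of the pwdLastSet = 0 state that "User must change password at next logon" writes. The policy values and timestamps are constructed, and the FILETIME helpers are the only assumption beyond what the thread states.

```python
"""Added example (not code from the thread): how a DC's minimum password age
check interacts with pwdLastSet, including the pwdLastSet == 0 case that
"User must change password at next logon" produces. All values constructed."""
from datetime import datetime, timedelta, timezone

# pwdLastSet is stored as a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a pwdLastSet value to an aware UTC datetime (integer maths only,
    because a float would lose precision on 1e17-scale tick counts)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // TICKS_PER_MICROSECOND)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * TICKS_PER_MICROSECOND


def must_change_at_next_logon(pwd_last_set: int) -> bool:
    # Ticking the ADUC checkbox (or a reset with that option) writes 0 here.
    return pwd_last_set == 0


def password_change_allowed(pwd_last_set: int, now: datetime,
                            min_age: timedelta) -> tuple[bool, str]:
    """Emulate the minimum-password-age gate. The DC keeps one timestamp, so a
    helpdesk reset and a user-initiated change look identical to it."""
    if must_change_at_next_logon(pwd_last_set):
        # A forced change is exempt from the minimum age; the cost, per the
        # thread, is that such a user cannot log on to OWA until it is done.
        return True, "forced change pending; minimum age bypassed"
    age = now - filetime_to_datetime(pwd_last_set)
    if age < min_age:
        return False, f"age {age} < minimum {min_age}"
    return True, "minimum age satisfied"


def password_expired(pwd_last_set: int, now: datetime, max_age: timedelta) -> bool:
    """'Expired (forced or otherwise)' in joe's words: both cases lock OWA out."""
    if must_change_at_next_logon(pwd_last_set):
        return True
    return now - filetime_to_datetime(pwd_last_set) > max_age


# Constructed walk-through of the original poster's situation.
NOW = datetime(2005, 8, 27, 12, 0, tzinfo=timezone.utc)
MIN_AGE = timedelta(days=1)
MAX_AGE = timedelta(days=28)


def demo() -> dict:
    reset_an_hour_ago = datetime_to_filetime(NOW - timedelta(hours=1))
    changed_three_days_ago = datetime_to_filetime(NOW - timedelta(days=3))
    stale = datetime_to_filetime(NOW - timedelta(days=40))
    return {
        # helpdesk reset, then the user tries to pick their own password
        "change_after_reset": password_change_allowed(reset_an_hour_ago, NOW, MIN_AGE)[0],
        # same reset, but with "must change at next logon" ticked
        "change_after_forced_reset": password_change_allowed(0, NOW, MIN_AGE)[0],
        "change_after_three_days": password_change_allowed(changed_three_days_ago, NOW, MIN_AGE)[0],
        "expired_forced": password_expired(0, NOW, MAX_AGE),
        "expired_stale": password_expired(stale, NOW, MAX_AGE),
        "expired_fresh": password_expired(changed_three_days_ago, NOW, MAX_AGE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28s} {value}")
```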
 
 
 

RE: [ActiveDir] Infrastructure Master and adprep /domainprep

2005-08-28 Thread Rick Kingslan
Heavy German accent?  I suspect that it was Andreas Luther  (and looks
nothing like Guido)

And - it might have been DEC as Andreas was there for the Identity
Management (read:MIIS) portion of the conference.

Rick 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Sunday, August 28, 2005 7:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastructure Master and adprep /domainprep

Oddly enough, this exact topic came up in a dinner conversation at Tech Ed
this year.[1]  Luther...oh heck somebody remind me of his last name...had
apparently quizzed people with this one at a previous conference (DEC?),
only to ultimately reveal that the answer was "You know how people always ask
you what the IM FSMO does? Well, now you can tell them that it's responsible
for running /domainprep."



[1] Please hold the jokes about having dinner conversations about Active
Directory internals until the end, please.  :-)


 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
  Sent: Sunday, August 28, 2005 7:36 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Infrastructure Master and adprep /domainprep
  
  Hi all
  
  Does anyone know why the documentation suggests that adprep /domainprep be
  run on the DC holding the IM FSMO role?  I heard a rumour to the effect that
  it was only because that DC is likely to be less busy than the other DCs, but
  I'd like to know for sure.
  
  Tony
  
 
 
 
 
 


RE: [ActiveDir] 2003AD - 2000AD Trust with LMHOST?

2005-08-28 Thread Rick Kingslan
Are you talking about external trusts?  If so, then yes.  You would follow
the same procedures as you would for a Win2x to NT 4.0 trust.  You'll need to
specify the #DOM, #PRE to get the 1B, 1C records loaded.

As we discussed a few weeks ago, this is the rather archaic method to do it,
but if you don't have access to the WINS or DNS you don't have many other
options left to choose from.

Rick 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Sunday, August 28, 2005 10:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003AD - 2000AD Trust with LMHOST?

Haven't been able to find many answers via googling unfortunately :-(

I know 2000/2003 - NT4 trust creation can be done via LMHOST/WINS but can
2003 AD - 2000 AD trust creation be done via resolutions provided by LMHOSTS
only?

Reason being DNS is really out of my control (handled by another team), so
conditional forwarding/stub zones are out of the way.

Thanks lots!


Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Windows Administrator (ADSM/NT Security) Spherion Technology Group,
Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]
 



RE: [ActiveDir] Ports during authentication/logons...

2005-08-25 Thread Rick Kingslan








I would really suspect that this is soon not going to be true, and may not be
at this point (don't know, haven't asked yet).

Think of it this way: NAP (Network Access Protection) is going to have one
heck of a time working if DC - Member isn't a supported scenario.

As to the 135 traffic on AuthN, I'd happily take a look at the trace. I'll
have a few minutes tomorrow.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, August 24, 2005 11:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

I would normally look at the IPSec route, too, but it's not (as far as I know)
supported by MS between domain members and DC's. It's supported member-member
and DC-DC, but not members-DC's. At least, not if Kerberos is used. Not sure
how they feel about certs. Shared keys just wouldn't be an option.

Specifically, though, they have their backs up with 135. Do you know what's
using it during a logon/GPO process/??

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, August 24, 2005 10:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

David,

If you really, really want to use the absolute minimum ports through a
firewall, use IPSec tunnel mode. However, your Network Engineers (or whoever
manages your Firewalls) may not like it. Reason? Likely the same reason that
I got when I suggested this at a previous employer:

"Well, if you put it in IPSec tunnels, then we won't be able to see or sniff
it."

My question: "Why do you need to sniff or see it?"

No answer.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, August 24, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ports during authentication/logons...

It's been a few weeks, so time for another question on ports. MS's whitepaper
that discusses how to setup AD to communicate through a firewall (the one that
focuses primarily on DC to DC communication) lists the following ports needed
to service "User Login and Authentication" and "Computer Login and
Authentication":

445 TCP/UDP
88 TCP/UDP
389 UDP
53 TCP/UDP

(I would add ICMP for GPO processing.)

Most people who normally respond to "what ports are needed..." include 135.

I just ran a Netmon trace during a logon from an XP machine and do see some
traffic hitting 135. I also see traffic hitting 137 and 139.

I'm not good at reading traces so I don't really know what's happening besides
the basic traffic flow. Does anyone know what 135 (and 139 I suppose) are
being used for? And if they're blocked does it totally break everything or
just limit certain functions? I am not worried about DC to DC communication.
The scenario is member systems separated from DC's with a firewall and the
network folks want to allow the absolute minimum ports.

Thx


RE: [ActiveDir] OT: Question on WSUS implementation and GPO's...

2005-08-25 Thread Rick Kingslan
It's not likely due to GPO processing. GPOs themselves are typically very
quick to process, unless there is either Software Install that is taking
place through the GPO or complex WMI filtering that would slow it down.
Otherwise, GPO is very fast.

I've done testing with 1 GPO and with 50 GPOs...  Appreciable difference in
log on time?  Less than 1 second.

It's something else other than GPO.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steven L Dunn
Sent: Thursday, August 25, 2005 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Question on WSUS implementation and GPO's...

Friends,

Our company is about to implement a WSUS server for patching and updates. I
am wondering if there is any way to allow for breaking the updates down into
groups (say by department) but using only a single GPO to do it?

For instance, we have our legal and executive departments using a separate
GPO, which would allow for them to get updates Tuesday @ 12:00 or Wednesday
@ 12:00, respectively. Our other departments are set up along similar lines,
with 5 GPO's in all active.

What I'm seeing is a general slowdown in login processing time (from sign
in to desktop appearing) due, I'm guessing, to the GPO having to run
through and check against Group Membership or process. I'm looking for any
ideas on whether this is the only arrangement for making this happen, or
whether I'm missing something that might be a possibility.

Thanks in advance.

-Steve
-- 
Steven L. Dunn
Director of Information Technology
Illinois State Bar Association
[EMAIL PROTECTED] | 217-747-1455




RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

2005-08-25 Thread Rick Kingslan
And, given that Science has proven cockroaches will survive a nuclear war,
it's even a worse choice than originally thought

:o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 25, 2005 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000
integration?

Good point. If it's a one-time thing, I'm thinking even 10K is a killer. And
MIIS will be like nuking a cockroach.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Thu 8/25/2005 6:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000
integration?


While I agree that Jerry has a good solution, I'm not sure I understand your
complete requirement.  Do you have a database that is the start of the
identity lifecycle?  Or is this a one time create? 
 
Is this something that you need to have records of?  Any reason not to script
it from SQL (very few lines of code to just create a new account object; to
manage that account later is much more work intensive and MIIS or other is a
better fit.)
 
If this is a one time create, then just use some of the built in tools and
SQL.  If this is ongoing, then we need to hear some of the needs to put this
in perspective. 
 
Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kasper Sørensen
Sent: Thursday, August 25, 2005 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL
2000 integration?


Ohh... Hmm.. okay...
 
Well, THANKS!!
MIIS is very expensive.. So thanks..

 
On 8/25/05, Jerry Welch [EMAIL PROTECTED] wrote: 

Kasper -
Or you can buy SimpleSync from CPS Systems (
www.cps-systems.com http://www.cps-systems.com/  )
Provides synchronization between any ODBC DB and AD or other
LDAP directories.  No additional SQL MetaDirectory.  Cost for what you
describe is about $10K.  You can expect to be running in a matter of hours.
240 major companies and government agencies worldwide.  As an
example, Northrop Grumman uses SimpleSync between PeopleSoft/Oracle and AD to
Provision and Maintain 90K user accounts.
Online, web based demo anytime you would like.
Thanks,
Jerry
 
Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype):  Jerry_Welch  ( www.skype.net
http://www.skype.net/  )
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kasper Sørensen
Sent: Thursday, August 25, 2005 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

 

Well..
If I buy MIIS, will it then be possible to import users that
are stored in a MSSQL 2000 database, to Active Directory 2003?
-- 
Best Regards
Kasper Sørensen

www.mewe.dk http://www.mewe.dk/  




-- 
Best Regards
Kasper Sørensen

www.mewe.dk 



RE: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037)

2005-08-25 Thread Rick Kingslan








Inline.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, August 25, 2005 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037)

Hi -

I've posted this elsewhere, but thought maybe not a bad idea to run it past
this list for those that don't mind (thanks). I've seen the following
behavior with regard to this hotfix 903235:

(1) The bulletin MS05-037 states to check here for its existence (post
installation):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}

In the past, the 'norm' for IExpress-type patches has been here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8ade8c02-8da6-4ec1-a9ee-ec00ff73ce98}

[note: GUID above is specific to this hotfix] Why this change in
documentation?

[RTK] Not a change in documentation. The hotfix sets bits in the running of
the actual component, so the compatibility flags are manipulated, rather than
new moving parts. I acknowledge that the location changes, but this is due to
how the hotfix affects the installed component, JView Profiler.

(2) I find that the SRVINFO tool does NOT identify this hotfix on SP1 (XP) and
SP4 (2000) machines. Was expecting to see it under the Internet Explorer 6
subheading of the SRVINFO output for these O/S.

[RTK] Can't confirm or deny this one.. Don't have SRVINFO currently on
anything.

(3) I find that MBSA v.2 neither identifies it as installed nor identifies it
as missing on SP1/2 (XP) and SP4 (2000) machines.

Can anyone else corroborate these findings? I'm told by our TAM that nobody
else has reported this yet.

[RTK] MBSA on my systems detect that it is either installed or not installed.

Thanks!

-DaveC

Reuters IST Service Delivery



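An added example, not code from the thread or from Microsoft, that checks the MS05-037 registry location DaveC quotes above directly, since SRVINFO and MBSA do not report the update: the update sets the kill bit (Compatibility Flags 0x400) on the JView Profiler CLSID under ActiveX Compatibility, which is why the bulletin points there rather than to Active Setup. The .reg text is constructed sample input (as `reg export` of that key would produce, minus its UTF-16 encoding), and the second CLSID in it is a placeholder.

```python
"""Added example (not from the thread): verify MS05-037 / hotfix 903235 by
reading the ActiveX Compatibility entry for the JView Profiler CLSID that the
bulletin names, rather than relying on SRVINFO or MBSA output."""
import re

ACTIVEX_COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                      r"\ActiveX Compatibility")
JVIEW_PROFILER_CLSID = "{03D9F3F2-B0E3-11D2-B081-006008039BF0}"   # quoted from the bulletin
KILL_BIT = 0x400   # Compatibility Flags bit that stops IE instantiating the control

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_reg_export(text: str) -> dict:
    """Tiny parser for the 'Windows Registry Editor' export format.
    Returns {KEY_PATH (upper-cased): {value_name: int}} for DWORD values;
    other value types are ignored because this check only needs the flags."""
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1).upper()
            keys.setdefault(current, {})
            continue
        value = DWORD_RE.match(line)
        if value and current is not None:
            keys[current][value.group("name")] = int(value.group("hex"), 16)
    return keys


def kill_bit_set(keys: dict, clsid: str) -> bool:
    """True when the control's Compatibility Flags value has the kill bit set."""
    values = keys.get(f"{ACTIVEX_COMPAT_KEY}\\{clsid}".upper(), {})
    return bool(values.get("Compatibility Flags", 0) & KILL_BIT)


def hotfix_903235_present(reg_text: str) -> bool:
    """The check MS05-037 describes: kill bit on the JView Profiler CLSID."""
    return kill_bit_set(parse_reg_export(reg_text), JVIEW_PROFILER_CLSID)


# Constructed sample export: the patched control plus an unrelated placeholder
# CLSID (not a real control) that has no kill bit.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000000
"""

if __name__ == "__main__":
    # On a real box: reg export "<ACTIVEX_COMPAT_KEY>" dump.reg, then read
    # dump.reg with encoding="utf-16" and pass the text in here.
    print("hotfix 903235 kill bit present:", hotfix_903235_present(SAMPLE_EXPORT))
```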








RE: [ActiveDir] Ports during authentication/logons...

2005-08-24 Thread Rick Kingslan








You've likely seen this, but it does describe ports needed for REPLICATION.
However, Steve does talk about the benefits of using IPSec through a firewall.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, August 24, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ports during authentication/logons...

It's been a few weeks, so time for another question on ports. MS's whitepaper
that discusses how to setup AD to communicate through a firewall (the one that
focuses primarily on DC to DC communication) lists the following ports needed
to service "User Login and Authentication" and "Computer Login and
Authentication":

445 TCP/UDP
88 TCP/UDP
389 UDP
53 TCP/UDP

(I would add ICMP for GPO processing.)

Most people who normally respond to "what ports are needed..." include 135.

I just ran a Netmon trace during a logon from an XP machine and do see some
traffic hitting 135. I also see traffic hitting 137 and 139.

I'm not good at reading traces so I don't really know what's happening besides
the basic traffic flow. Does anyone know what 135 (and 139 I suppose) are
being used for? And if they're blocked does it totally break everything or
just limit certain functions? I am not worried about DC to DC communication.
The scenario is member systems separated from DC's with a firewall and the
network folks want to allow the absolute minimum ports.

Thx












RE: [ActiveDir] hide an attribute

2005-08-21 Thread Rick Kingslan
Tom Kern said:

 Say I use one of the custom attribute fields that Exchange creates and put
 a value in there and hide it from Domain users.
 What would break?
 How would I go about hiding that?
 Just as an example.

[RTK]

Hey, joe  Just a suggestion. If someone asks you what time it is - don't
tell him how to build a frelling Rolex!  :oD

I think all Tom wanted to know (though the background and technical detail
is good) was How do I hide the FRELLING ATTRIBUTE?  And, IF I DO, will it
BREAK ANYTHING?

So, Sparky, what have you got to say now?

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 21, 2005 12:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] hide an attribute

Good good, that is what I like to hear.  :o)  You will want to buy copies
for all your friends too. :o)

The chapter may have been clear but it was off on its examples as it
didn't take into account inherited and explicit ACEs. That radically changes
whether a delegation (or a denied delegation) will work or not. It still
isn't perfect, but IMO, much better. It is a balance of time vs what needs
to be done.

The example you give is one of the harder things to clean up and no, I
personally don't think it should be this hard, but then that is just my
opinion. One thing to remember about Exchange, is that some of its access
rights for reading attributes can be through Auth Users rights, especially
on GCs in a multi-domain environment, I have been bitten by this in the past
myself. Consider that permissions are granted to the Exchange Enterprise
Servers group which is a domain local group so reading on a GC in another
domain would be impacted unless there is some other access mechanism. An
alternative would be to convert those DLGs to UGs as previously mentioned by
Guido, again, MS PSS may have an issue with it so keep that in mind.

The easiest way to handle this is to use the new confidentiality bit
capability in SP1. The Exchange attributes shouldn't be Cat 1 attributes
(systemFlags & 16 on their schema definition) so you should be able to lock
them up that way. However, you will want to regrant access back to Exchange.
Unfortunately, I am not aware of any tools MS has given to allow a good
granular way to grant access BACK to this attribute after it is locked down.
You will need to grant a CA to the attribute for the Exchange Servers global
group in each domain (or grant to the DLGs but convert to UGs) so you
maintain read across GCs in each domain. This will have to be done with
script because you can't do it via dsacls or the GUI. Also once set, the GUI
will have no clue how to display the permission so won't, DSACLS will
properly display it.

A word of note is that if you have MS Exchange PSS look at your AD, they
will probably have a small stroke if they figure out this was done as they
get testy when you muck with the visibility of Exchange attributes. However,
have the Exchange guy talk to a knowledgeable AD PSS guy and things should
hopefully be ok though expect to hear lots of grumbles of unsupported. This
goes for any solution that does anything to any Exchange attribute. Oh one
further note, anyone who has full control or all control access rights to a
given object will still be able to see the attribute. The obvious one is
full control... Full control is... Well full control. You can't effectively
deny someone access to something they have full control to. The all control
access rights is a new one though that you have to watch out for.

If the confidential bit isn't an option, you are in for some fun. The fact
that it is auth users makes things very difficult because everyone that
accesses it is an auth user so you can't just actively deny auth users
access or else you impact admins and Exchange and everything else. You need
to either

1. Invoke a passive deny which means stripping any (explicit or inherited)
access permissions granted and regrant the access permissions to Exchange
and anyone else that needs access. It depends here how the access is
granted in the first place on what you need to do.

2. Remove any explicit grants and then set up inherited denies for auth
users and then explicit grants for Exchange and any other specific groups
that need access. The explicit grants will override the inherited denies.

For both of these, if the grant is handled through a property set, then you
can remove the attribute from the property set (and maybe some others
related to Exchange you don't want to be fully visible to everyone) and add
them to a different property set and only grant that to Exchange and the
admins or whomever else it is that needs to see the info.

Overall, before I started doing anything with any of this I would really
look at everything and get a great overall plan for security. You need to
understand what it is exactly you want and all of the ways things are
currently delegated, it isn't unusual to find that there are 

RE: [ActiveDir] OT: AD MMC Snap ins

2005-08-19 Thread Rick Kingslan








If the AdminPak has never been installed on a given system, the snap-ins that
are the Administrative Tools, say, ADUC, should not be available.

Are you saying that you have the snap-ins on a Win2k3 system with SP1 that you
are certain the AdminPak was not installed on? I'm unclear as to exactly what
you're asking.

And, yes, I do view it as some degree of a Security Risk. As to how high of a
risk, that all depends on factors in your environment.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, August 19, 2005 2:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: AD MMC Snap ins

Dear All,

On a Windows Server 2003 Service Pack 1 member server that has not had the
Adminpak.msi installed, so no AD tools appear in the Administrative tools on
the Start Menu or in the control panel. If a new MMC is run from the command
line and Add\Remove snap-in is selected, should the AD Admin tools be listed
and registered (such as DSA.MSC)?

I have had this on a test machine tonight and for me it's potentially a
security issue.

Many thanks

Mark








RE: [ActiveDir] User SIDs...

2005-08-19 Thread Rick Kingslan
Having read through most of the replies on this, it's interesting that there
was an internal (to Microsoft - just to clarify) discussion on this same
topic yesterday.

Seems that a customer was having problems with a function calling APIs for
SID creation when the SID exceeded 68 bytes.

I'll let you determine from that statement what the largest supported SID
is.  :o)

So, take that number into 12000 and I suspect that will give you a clear
idea of how memberships would begin to cause issues with Kerberos.  However,
as Al mentions, this can be increased but I don't know what the max
supported size is.

And, as to figuring out the actual size of a SID, yes there is.  I don't
have the algorithm at my finger tips, but it can be derived pretty easily -
more easily with C/C++, or Perl, IIRC.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 7:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User SIDs...

Hello All,

Does anyone know the default length a user's SID (Win2K DC's, WinXP SP2
clients) can be before problems such as
http://support.microsoft.com/?kbid=327825 start occurring?  Also, is there
any way to determine the actual length of a user's SID???

TIA,

Brad


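The SID layout behind the "68 bytes" figure in this thread, as an added example that is not code from any poster: a SID is revision (1 byte), sub-authority count (1 byte), a 6-byte big-endian identifier authority and then 4 bytes per sub-authority, and Windows caps the count at 15, so 8 + 15 * 4 = 68 bytes is the largest SID. The code converts between the S-1-5-... text form and the binary form (what objectSid holds) and computes the length Brad asked about; all SID values are constructed.

```python
"""Added example (not code from the thread): the SID wire layout behind the
68-byte maximum, with string <-> binary conversion and a length calculator.
All SID values used here are constructed."""
import struct

SID_REVISION = 1
SID_MAX_SUB_AUTHORITIES = 15                               # Windows' cap on SubAuthorityCount
SECURITY_MAX_SID_SIZE = 8 + 4 * SID_MAX_SUB_AUTHORITIES    # 68 bytes


def sid_from_string(sid: str) -> bytes:
    """Encode 'S-R-I-S1-...-Sn' into revision(1) | count(1) |
    identifier authority(6, big-endian) | sub-authorities(4 each, little-endian)."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision = int(parts[1])
    if revision != SID_REVISION:
        raise ValueError(f"unsupported SID revision {revision}")
    # The identifier authority prints as decimal below 2**32, as 0x-hex above.
    auth_text = parts[2]
    authority = int(auth_text, 16) if auth_text.lower().startswith("0x") else int(auth_text)
    if not 0 <= authority < 2 ** 48:
        raise ValueError("identifier authority must fit in 48 bits")
    subs = [int(p) for p in parts[3:]]
    if len(subs) > SID_MAX_SUB_AUTHORITIES:
        raise ValueError(f"{len(subs)} sub-authorities exceeds the limit of "
                         f"{SID_MAX_SUB_AUTHORITIES}")
    if any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("each sub-authority is an unsigned 32-bit value")
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def sid_to_string(blob: bytes) -> str:
    """Decode the binary form (e.g. objectSid as returned by LDAP) back to text."""
    if len(blob) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError(f"SubAuthorityCount {count} does not match {len(blob)} bytes")
    authority = int.from_bytes(blob[2:8], "big")
    auth_text = str(authority) if authority < 2 ** 32 else f"0x{authority:012X}"
    subs = struct.unpack(f"<{count}I", blob[8:])
    return "-".join(["S", str(revision), auth_text, *map(str, subs)])


def sid_length(sid: str) -> int:
    """Byte length of a SID given in string form: the number the thread is after."""
    return len(sid_from_string(sid))


def is_valid_sid(sid: str) -> bool:
    """True when the string encodes to a SID Windows would accept."""
    try:
        sid_from_string(sid)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples: Local System, BUILTIN\Administrators, a domain user
    # (the 28-byte shape Joe K. describes) and the largest legal SID.
    for s in ("S-1-5-18", "S-1-5-32-544",
              "S-1-5-21-3623811015-3361044348-30300820-1013",
              "S-1-5-" + "-".join(["7"] * SID_MAX_SUB_AUTHORITIES)):
        print(f"{sid_length(s):3d} bytes  {s}")
```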


RE: [ActiveDir] OT: AD MMC Snap ins

2005-08-19 Thread Rick Kingslan
Pardon me - you're absolutely correct.  I, in my haste this morning, failed
to note the WINDOWS SERVER 2003 SP1.

Yes, they are installed and registered by default, but are only added to
menus created for the appropriate application or in the Administrative
tools.

As mentioned, I do view this as some degree of risk, but much less now that
I see that it's on Server.  One, servers should have tight Interactive and
physical controls (i.e. no console access or TS access, except to your most
trusted).  Two, no one should be able to install server in your environment
without your knowledge or control without fear of serious, immediate and
dismiss-able consequences.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, August 19, 2005 8:18 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] OT: AD MMC Snap ins

I have checked at work today, systems that have never seen the admin pak,
have the mmc snapins installed. Vanilla 2003 this is the case too. They are
just not visible under admin tools, but are available as mmc snapins, even
without the adminpak installed.

Mark
-Original Message-
From: Rick Kingslan [EMAIL PROTECTED]
Date: Fri, 19 Aug 2005 07:26:21 
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]  OT: AD MMC Snap ins

If the AdminPak has never been installed on a given system, the snap-ins
that are the Administrative Tools, say, ADUC, should not be available.

Are you saying that you have the snap-ins on a Win2k3 system with SP1 that
you are certain the AdminPak was not installed on?  I'm unclear as to exactly
what you're asking.

And, yes, I do view it as some degree of a Security Risk.  As to how high of
a risk, that all depends on factors in your environment.

Rick

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Friday, August 19, 2005 2:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: AD MMC Snap ins

Dear All,

On a Windows Server 2003 Service Pack 1 member server that has not had the
Adminpak.msi installed, so no AD tools appear in the Administrative tools on
the Start Menu or in the control panel. If a new MMC is run from the command
line and Add\Remove snap-in is selected, should the AD Admin tools be listed
and registered (such as DSA.MSC)?

I have had this on a test machine tonight and for me it's potentially a
security issue.

Many thanks

Mark
 


RE: [ActiveDir] User SIDs...

2005-08-19 Thread Rick Kingslan
:o)  Right, Joe!  They don't come from us, as far as I can tell.  If you
look at the function AllocateAndInitializeSid(), it is hard coded to 8
sub-authorities.

However, the customer in question from the 68 bytes max defined his own
function with base level calls and worked around the 8 sub-auths by defining
a variable that would accept however many he wanted to input.

Bottom line:  WE might give you the instructions on how to blow your foot
off, but generally you are expected to supply your own ammo and finger to
pull the trigger.  :o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, August 19, 2005 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

A SID of 68 bytes would have the 15 RIDs, which is as far as I can tell
the highest number of RIDs a SID can hold.  There is only 1 byte
reserved in the first 8 bytes of the SID structure to store the number
of RIDs, so that is basically 15 (since 0 RIDs doesn't do much for you).


Where do these giant SIDs come from?  Most AD SIDs I've seen are 24 or
28 bytes (4 or 5 RIDs respectively).

Joe K.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, August 19, 2005 12:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

Having read through most of the replies on this, it's interesting that there
was an internal (to Microsoft - just to clarify) discussion on this same
topic yesterday.

Seems that a customer was having problems with a function calling APIs for
SID creation when the SID exceeded 68 bytes.

I'll let you determine from that statement what the largest supported SID
is.  :o)

So, take that number into 12000 and I suspect that will give you a clear
idea of how memberships would begin to cause issues with Kerberos.  However,
as al mentions, this can be increased but I don't know what the max
supported size is.

And, as to figuring out the actual size of a SID, yes, there is.  I don't
have the algorithm at my fingertips, but it can be derived pretty easily -
more easily with C/C++, or Perl, IIRC.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 7:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User SIDs...

Hello All,

Does anyone know the default length a user's SID (Win2K DCs, WinXP
SP2 clients) can be before problems such as
http://support.microsoft.com/?kbid=327825 start occurring?  Also, is
there any way to determine the actual length of a user's SID?

TIA,

Brad


This email and any attached files are confidential and copyright protected.
If you are not the addressee, any dissemination of this communication is
strictly prohibited. Unless otherwise expressly agreed in writing, nothing
stated in this communication shall be legally binding.


This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise private information.  If you have
received it in error, please notify the sender immediately and delete the
original.  Any other use of the email by you is prohibited.


RE: [ActiveDir] User SIDs...

2005-08-19 Thread Rick Kingslan
. If I heard someone was
trying to create a SID greater than 68 bytes I would ask... Why?

[3] Note that ADAM SIDs seem to jump around considerably. I haven't had a
chance to sit down and discern the patterns, if any exist, yet. The
builtin groups such as administrators/users/readers all have two
subauthorities that seem to be randomly generated and the normal users
created seem to have 3 additional randomly generated subauthorities and a
seemingly randomly generated RID instead of an incrementing RID. This would
seem to be a trifle dangerous in a multi-host ADAM instance. I need to play
with it. It could be another one of those cases of it isn't likely to
happen so we won't worry about it... I am sure it checks itself to see if
it is a dupe but if you have two hosts both holding the same instance but
not replicating regularly, I could visualize hitting an issue unless each
host is its own subauthority which I now realize I never double-checked.



For fun, this is the SID structure stuff out of winnt.h


////////////////////////////////////////////////////////////////////////
//                                                                    //
//                          Security Id (SID)                         //
//                                                                    //
////////////////////////////////////////////////////////////////////////

//
//
// Pictorially the structure of an SID is as follows:
//
//         1   1   1   1   1   1
//         5   4   3   2   1   0   9   8   7   6   5   4   3   2   1   0
//      +---------------------------------------------------------------+
//      |      SubAuthorityCount        |Reserved1 (SBZ)|   Revision    |
//      +---------------------------------------------------------------+
//      |                   IdentifierAuthority[0]                      |
//      +---------------------------------------------------------------+
//      |                   IdentifierAuthority[1]                      |
//      +---------------------------------------------------------------+
//      |                   IdentifierAuthority[2]                      |
//      +---------------------------------------------------------------+
//      |                                                               |
//      +- -  -  -  -  -  -  -  -  SubAuthority[]  -  -  -  -  -  -  - -+
//      |                                                               |
//      +---------------------------------------------------------------+
//
//






-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, August 19, 2005 2:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

A SID of 68 bytes would have the 15 RIDs, which is as far as I can tell the
highest number of RIDs a SID can hold.  There is only 1 byte reserved in the
first 8 bytes of the SID structure to store the number of RIDs, so that is
basically 15 (since 0 RIDs doesn't do much for you).


Where do these giant SIDs come from?  Most AD SIDs I've seen are 24 or
28 bytes (4 or 5 RIDs respectively).

Joe K.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, August 19, 2005 12:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User SIDs...

Having read through most of the replies on this, it's interesting that there
was an internal (to Microsoft - just to clarify) discussion on this same
topic yesterday.

Seems that a customer was having problems with a function calling APIs for
SID creation when the SID exceeded 68 bytes.

I'll let you determine from that statement what the largest supported SID
is.  :o)

So, take that number into 12000 and I suspect that will give you a clear
idea of how memberships would begin to cause issues with Kerberos.  However,
as al mentions, this can be increased but I don't know what the max
supported size is.

And, as to figuring out the actual size of a SID, yes, there is.  I don't
have the algorithm at my fingertips, but it can be derived pretty easily -
more easily with C/C++, or Perl, IIRC.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Friday, August 19, 2005 7:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User SIDs...

Hello All,

Does anyone know the default length a user's SID (Win2K DCs, WinXP
SP2 clients) can be before problems such as
http://support.microsoft.com/?kbid=327825 start occurring?  Also, is there
any way to determine the actual length of a user's SID?

TIA,

Brad


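Rick's point that the actual size of a SID can be derived from its structure, and Joe's 68-byte ceiling, worked through as an added example (my own C, not code from the thread or from winnt.h beyond the constants it names): the layout follows the winnt.h picture quoted above, SID_MAX_SUB_AUTHORITIES (15) and SECURITY_MAX_SID_SIZE (8 + 4 * 15 = 68) are the real winnt.h limits, and sid_length, sid_build and sid_to_string are helper names I chose.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout per winnt.h: Revision (1 byte) | SubAuthorityCount (1 byte) |
 * IdentifierAuthority (6 bytes, big-endian) | SubAuthority[count] (32-bit
 * little-endian each). winnt.h caps the count at 15, which is where the
 * 68-byte maximum (8 + 4 * 15) discussed in the thread comes from. */
#define SID_REVISION            1
#define SID_MAX_SUB_AUTHORITIES 15
#define SECURITY_MAX_SID_SIZE   (8 + 4 * SID_MAX_SUB_AUTHORITIES)

/* Byte length of a SID with 'count' sub-authorities; 0 if count is out of range. */
size_t sid_length(unsigned count)
{
    if (count == 0 || count > SID_MAX_SUB_AUTHORITIES)
        return 0;
    return 8 + 4 * (size_t)count;
}

/* Serialise a SID into 'out' (must hold SECURITY_MAX_SID_SIZE bytes).
 * Returns the number of bytes written, or 0 if the SID would be invalid. */
size_t sid_build(uint64_t authority, const uint32_t *subs, unsigned count, uint8_t *out)
{
    size_t len = sid_length(count);
    if (len == 0 || (authority >> 48) != 0)   /* authority must fit in 48 bits */
        return 0;
    out[0] = SID_REVISION;
    out[1] = (uint8_t)count;
    for (int i = 0; i < 6; i++)               /* IdentifierAuthority is big-endian */
        out[2 + i] = (uint8_t)(authority >> (8 * (5 - i)));
    for (unsigned i = 0; i < count; i++) {    /* SubAuthority[] is little-endian */
        uint8_t *p = out + 8 + 4 * i;
        p[0] = (uint8_t)subs[i];
        p[1] = (uint8_t)(subs[i] >> 8);
        p[2] = (uint8_t)(subs[i] >> 16);
        p[3] = (uint8_t)(subs[i] >> 24);
    }
    return len;
}

/* Parse a binary SID from 'buf' (len bytes available) into "S-R-I-S-S..." form.
 * Returns the number of bytes the SID occupies, or 0 if it is malformed,
 * truncated, or declares more sub-authorities than winnt.h permits. */
size_t sid_to_string(const uint8_t *buf, size_t len, char *out, size_t outlen)
{
    if (len < 8 || buf[0] != SID_REVISION)
        return 0;
    unsigned count = buf[1];
    size_t need = sid_length(count);      /* rejects count 0 and count > 15 */
    if (need == 0 || need > len)          /* also rejects a truncated buffer */
        return 0;

    uint64_t authority = 0;
    for (int i = 0; i < 6; i++)
        authority = (authority << 8) | buf[2 + i];

    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)buf[0],
                     (unsigned long long)authority);
    if (n < 0 || (size_t)n >= outlen)
        return 0;
    size_t pos = (size_t)n;

    for (unsigned i = 0; i < count; i++) {
        const uint8_t *p = buf + 8 + 4 * i;
        uint32_t sub = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        n = snprintf(out + pos, outlen - pos, "-%u", (unsigned)sub);
        if (n < 0 || (size_t)n >= outlen - pos)
            return 0;
        pos += (size_t)n;
    }
    return need;
}

int main(void)
{
    /* Constructed sample: a typical 5-sub-authority domain account SID (28 bytes). */
    uint32_t subs[] = { 21, 1, 2, 3, 1000 };
    uint8_t raw[SECURITY_MAX_SID_SIZE];
    char text[128];
    size_t len = sid_build(5, subs, 5, raw);
    if (sid_to_string(raw, len, text, sizeof text))
        printf("%zu bytes: %s\n", len, text);

    /* A SID claiming 16 sub-authorities is rejected even when enough bytes follow. */
    uint8_t bogus[8 + 4 * 16] = { SID_REVISION, 16, 0, 0, 0, 0, 0, 5 };
    printf("16 sub-authorities accepted? %s\n",
           sid_to_string(bogus, sizeof bogus, text, sizeof text) ? "yes" : "no");
    return 0;
}
```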

RE: [ActiveDir] Problem at remote site

2005-08-18 Thread Rick Kingslan
Jennifer,

Thanks for the update and the resolution.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Thursday, August 18, 2005 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

Hi all:

I wanted to update the list on what actually fixed my problem.  I ended
up calling MS for support because I was at my breaking point :).  Turns
out that I needed to set my MTU manually to 1390! Doh! That did the
trick.  I knew it was something simple but I didn't know it was that simple
:).

Thanks for all of your help


Thank you for your time! 
Jennifer
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer
Fountain
Sent: Tuesday, August 09, 2005 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

I ended up sending another DC to the site so I could just re-add this
server to the domain but AD will not start on that box.  I keep getting
an error - RPC server unavailable.  We have approx 9 DCs (4 at HQ and
one at each remote site).   We have DCs at our other remote sites
(diagram below):

Site1
Site2
Site3   (wan connection using private sprint network) -- HQ -- site6
(business cable modem with vpn tunnel to corporate (internet))
Site4
Site5

The new DC can ping but anything else gets an RPC server unavailable
error.  I thought AD could replicate over a modem connection? So, I am
not sure where I need to go from here.

Any thoughts?


Thank you for your time!
Jennifer



*
The information transmitted is intended only for the person or entity to which
it is addressed and may contain confidential and/or privileged material. Any
review, retransmission, dissemination or other use of, or taking of any action
in reliance upon, this information by persons or entities other than the
intended recipient is prohibited. If you received this in error, please contact
the sender and delete the material from any computer





RE: [ActiveDir] Question on Replication Topology

2005-08-17 Thread Rick Kingslan
Funny that - I lost mine when I JOINED Microsoft.  I was told that it might
be hard to get as my job doesn't require access to source...

Rick

P.S.  I say just plain blech - They're great for throwing - As to
eating - Have no use for them.  :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 12:59 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

I am fortunate enough to be provided with source access by Microsoft.

Actually, I say Tom-arto since I'm British. ;0)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 1:37 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology

No Problem at all.. You say Tomato I say Tamato..I also misunderstood his
question as I assumed he meant DCs and not GCs.

Thanks for clarifying this in more detail.

BTW: How did you get to look at the source code?

Jose :-)



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 10:08 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology


Jose, I don't wish to continue going back and forth on this topic, the
behavior and constraints are what they are.  I'm not stating an opinion or
an interpretation of a paper, I'm stating a fact based upon the source code
of the product (as of 2K and 2K3).  Your understanding of the articles
you've read is very close but not entirely accurate.  Phantoms of this kind
are not permitted on GCs ... this is manifested in the interface when you
attempt to add a user to a Universal group but the user has not yet
replicated to the GC (an error will occur stating exactly that), if phantoms
were permitted one would be created based on the info. from the DC used to
browse the domain containing the user.

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, August 16, 2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on Replication Topology

I am afraid not... 

One of the common replies and misunderstood rumors is that the
Infrastructure Master (IM) is only allowed to run on a Global Catalog Server
(GC) if every Domain Controller (DC) in the Forest is Global Catalog Server.
That rumor is just based on misleading wording.

The infrastructure master's job is to compare objects of the local domain
against objects in other domains of the same forest. If the server holding
the infrastructure master is also a global catalog it won't ever see any
differences, since the global catalog holds a partial copy of every object
in the forest itself. Therefore the infrastructure master won't do anything
in its domain. However if every DC in the Domain is also global catalog
server there's no job for the IM since the GC already knows about the
objects of other domains. So if you look at the job the IM has to do, it's
pretty clear that it may reside on a GC if it's a single domain forest (no
need to pull updates from other domains). It's also pretty clear that it may
reside on a GC if it's in a multiple domain forest but every DC in the
domain where the IM runs on the GC are also GCs (no need to pull updates
since the GC knows everything).

So the following infrastructure is a valid configuration:

One domain:
R-DC1 (GC + IM)
R-DC2 (GC)
R-DC3-x (must be GC)

Other domain:
O-DC1 (GC)
O-DC2 (IM)
O-DC3-x (might or might not be GC, does not matter)

The first domain does not need to pull updates since the GCs know
everything, the other domain has the IM running on a non-GC so it pulls the
updates and replicates them to other DCs.

The following KB states that correctly:
http://support.microsoft.com/kb/223346/EN-US/
 
So to be short:
The Infrastructure Master is not allowed to run on a Global Catalog Server
if there are multiple Domains in the Forest and there are Domain
Controllers in the same Domain which are not Global Catalog Servers.

The Infrastructure Master is allowed to run on a Global Catalog Server in a
Domain if either there's only one Domain in the Forest or every Domain
Controller in the Domain in question is a Global Catalog Server.
---

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dean Wells
Sent: Tuesday, August 16, 2005 8:26 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Question on Replication Topology


I'm afraid it's not correct, when all DCs are GCs (within a single domain),
the IM can happily co-reside with a GC.  I'd also mention that the impact

RE: [ActiveDir] HP teaming

2005-08-17 Thread Rick Kingslan
OK, new machine (AMD64... oh yeah!) is up and running.  I'm not going to go
back and catch up on everything, but this one caught my eye.

We used NIC teaming for years.  We had multitudes of problems, more
associated with either our setup team not setting the NICs to 100/Full
consistently, or the Network Engineers not doing the same.  If this is NOT
done, you will have issues.

Also, there are specific problems that can crop up with ARP and virtual MACs
that the teaming software creates.  This becomes most apparent during
troubleshooting, but can cause issues that only your Network Engineering
team will see - and they really aren't worth irritating, because to a great
degree - you need them more than they need you!  :o)

That being said - in 6 years of doing and managing NIC teaming, our stats
showed that we had two NIC failures, which were easy to diagnose and
resolve.

Conversely, we had uncounted numbers of issues with ARP, MAC, and other
teaming related issues that affected troubleshooting, problem resolution,
and overall network (subnet or switch scope) performance when things went
bad.

Given that, we made a decision to bail on teaming (except for very specific
systems that it had shown to be a true benefit - and DCs are far from a
system that showed benefit) due to the lopsided number of issues caused as
related to those actually solved.

For me, that's the metric.  If a solution is not really solving a problem,
or is causing more problems than it is solving - why do it?  It's basic Risk
Management.

However - YMMV.  This is just my view.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, August 17, 2005 8:51 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] HP teaming

They are member servers right now with no teaming. About to become DC's.
Do you have anything against switch assisted load balancing?

Also, which model catalyst did you have an issue with?

Thanks a lot!


On 8/17/05, Francis Ouellet [EMAIL PROTECTED] wrote:
 I've had great success using nic teaming on all my DCs running on hp
 Proliant hardware. They were all configured for FT. Make sure the
 network side of things fully supports it though, we had to upgrade a few
 catalyst switches for this to work correctly (I think it was an ARP
 issue)
 
 I'd suggest trying it on a member server first to make sure your
 networking hardware is capable of supporting it correctly.
 
 One last thing, are those DCs currently in place or you're considering
 nic teaming for future deployments?
 
 Thanks,
 Francis
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: August 17, 2005 9:24 AM
 To: activedirectory
 Subject: [ActiveDir] HP teaming
 
 Any for or against Hp nic teaming on DC's?
 Also which type would you use (if any)? Fault tolerance or load
 balancing?
 
 thanks



RE: [ActiveDir] Latest MS patch KB899588

2005-08-17 Thread Rick Kingslan








Are you wondering if restarting the server is mandatory? I suspect that it
is, unless you really don't want to be protected. Often times, the
components being replaced are only read on system startup.

Given that the bulletin specifically says:

Restart Requirement

You must restart your system after you apply this security update.

I'd say, uh, yeah.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan
Sent: Wednesday, August 17, 2005 5:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Latest MS patch KB899588

Hi there, I am trying to apply this patch to some Windows 2000 servers and I
was wondering if the reboot is strictly mandatory?! If I used the /norestart
switch to run it from the command line I do get the patch under Add and
Remove Programs. Also the version of the file gets updated under
c:\winnt\system32.

What do you think?

Juan








RE: [ActiveDir] Latest MS patch KB899588

2005-08-17 Thread Rick Kingslan








Juan -

Apparently you didn't read MY message - YES, it's mandatory to apply the
patch..

If you DO NOT REBOOT you're going to get slapped by the worm.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan
Sent: Wednesday, August 17, 2005 6:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Latest MS patch KB899588

Thanks. So the reboot is not mandatory/required using this script right?

Juan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James
Sent: Wednesday, August 17, 2005 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Latest MS patch KB899588

Juan,

InstallPatch.vbs:

set oshell = wscript.CreateObject("wscript.shell")
oshell.run("%PathToPatch%\importantpatch.exe /quiet /norestart")

I renamed the patch importantpatch.exe

James

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan
Sent: Thursday, 18 August 2005 8:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Latest MS patch KB899588

Hi there, I am trying to apply this patch to some Windows 2000 servers and I
was wondering if the reboot is strictly mandatory?! If I used the /norestart
switch to run it from the command line I do get the patch under Add and
Remove Programs. Also the version of the file gets updated under
c:\winnt\system32.

What do you think?

Juan








RE: [ActiveDir] cloning DC's

2005-08-17 Thread Rick Kingslan
Tom - 

Regardless of the scenario and how it's done - you never, never, never,
clone DCs.  This will lead to very bad things - possibly including the
appearance of the Anti-Christ, opening of Black Holes, ABBA coming back to
prominence.

Do NOT do this.  Do NOT allow IBM to do it.  Period.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, August 17, 2005 7:56 PM
To: activedirectory
Subject: Re: [ActiveDir] cloning DC's

I went back and I saw B. Shirley's remarks on cloning DCs.
I'm wondering if this applies to my scenario below -
cloning a DC with Disk Image and sysprep and creating new DCs that way?

Is this very very bad? Is there an article or paper explaining why?
Or anyone care to explain why.
Or is this ok?

Thanks. Sorry to harp but these AD consultants from IBM want to go
this route tomorrow and I'm thinking it's not a good idea for some
reason but I'd like to be sure before I bring it up.

Thanks again

On 8/17/05, Tom Kern [EMAIL PROTECTED] wrote:
 I know I read this thread before but I can't seem to find it.
 
 We are creating a new forest root and the IBM consultants here created
 the first root DC and now they want to clone it using Disk Image and
 sysprep to create the other DCs in the root.
 
 I think I heard this is a bad idea. Am I right?
 
 I can't seem to find any article on this but I do remember this being
 spoken of on the list and I don't remember what the conclusion was.
 
 thanks



RE: [ActiveDir] account operators

2005-08-12 Thread Rick Kingslan
joe - no need to apologize.  You're absolutely correct.  Once I read your
e-mail, I had doubts, but knowing joe, and knowing what joe knows, I had to
go look to satisfy my curiosity.

Honestly, what I saw scared me to a great degree.  AO does have full and
complete access to any user object and property - period.  AO may not be
able to manipulate it through the easy mechanisms (i.e. the GUI ADUC or the
scripted CDOEXM), but any other interface that will allow manipulation of the
objects *IS* possible - and that revelation is quite shocking, to say the
least.

For anyone that wants to duplicate what I did - make use of a resource that
is right at your finger tips.  Don't go poking around your production
systems.  And, even if you don't have Exchange, you can still check this
out.  Make use of the TechNet Virtual Labs for checking things out and
determining if an idea will work - with no setup costs at all.  Find a lab
that has the components that you need, and party on.  The labs are not
restricted to allowing you to do only what the lab is designed for.  You can
do practically anything you want - sometimes including adding in extra
Windows and Server System components.

Find the Virtual Servers at:

http://microsoft.demoservers.com

Thanks, joe - for calling this to my attention and correcting my 'rosy
security' view of separation of duties when it comes to Exchange.  It's not
as it appears - or as many writers have written.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 12, 2005 12:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] account operators

Sorry Rick, I have to correct you on this one.

An account operator absolutely has enough rights to mailbox enable a user.
AccOps by default have FC over user objects, they can do ANYTHING to a user
they want to. The key is they have to know how to. You could for instance
use admod or ldifde or adsiedit or anything that allows you to update
mailnickname and homemdb. Or for that matter mailnickname and homeMTA. Also
I think you can do mailNickname and msExchHomeServerName. 

The reason an AccOp can not use ADUC or CDOEXM to mailbox enable a user is
because the tools are written to enumerate Exchange config info which an
AccOp doesn't have access to. I don't know if it was intended as a security
feature or not but it is how it works. I wouldn't be surprised if it was a
security feature because it aligns with some other silly tool-based security
MS did before like for instance being unable to view the admins group from
usermgr if you weren't an admin but if you knew other mechanisms you could
still do it... Or the GUI not listing hidden shares even though the server
sends that info back to the clients requesting the info.


<RANT>
The permissioning model of Exchange, especially in AD, quite frankly, sucks
ass. It does almost everything it can to make it a pain in the butt to
separate administration between AD/NOS stuff and Exchange stuff. Instead of
using the mail property set or creating their own they glommed onto the base
property sets. In order to do any separation you either have to change the
property sets and hear cries of unsupported from PSS or you have to put in a
ton of ACEs or a half a ton of ACEs including a bunch of denies.

Most admins haven't the foggiest clue how much access they have given away
in AD to people. I have fielded many a question on how come some admin can
send mail as someone or get access to read mail for other users or mailbox
enable users, or how can so and so change mailbox quotas, etc etc. A common
delegation in AD is to give full control over user objects or allow low
level admins to create users. This is fine (well not really fine...) in a
NOS directory, but once you add Exchange to it those folks have a lot more
power, probably unintended power, over the mail system than was probably
intended. 

The best answer from a permission standpoint of protecting Exchange from AD
folks or protecting AD from Exchange folks is the dedicated Exchange
Resource Forest. If you do that and keep to a single domain in that forest
you also get away from all of the nasty DSACCESS issues to boot around user
and group updates from outlook.
</RANT>

   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, August 11, 2005 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] account operators

> why can't they create a mailbox for a regular user?

Simply, the Account Operator is designed to work as a principal that allows
work on accounts as they are BY DEFAULT out of Windows Server.

The real reason is that there is typically, in most medium to large
organizations, there is a mail admin team and a server admin team (at least
it was VERY much this way with Exch 5.5).

Separation of the functions was a goal to carry forward - but it could only
be done by Group membership / permissions

RE: [ActiveDir] ok, last one really

2005-08-12 Thread Rick Kingslan
As WMI goes, these are the best books available - period.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, August 12, 2005 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ok, last one really

On MSDN, you can find some sample scripts to read from a file.
See at
http://msdn.microsoft.com/library/en-us/script56/html/sgWorkingWithFiles.asp

For instance,

Dim fso, ts
Const ForReading = 1
Set fso = CreateObject("Scripting.FileSystemObject")
Set ts = fso.OpenTextFile("c:\test.txt", ForReading, True)
strComputer = ts.ReadLine()
ts.Close()

Depending on the format of your file, you can read a single line and split
the comma separated computer names or 
You can loop and read lines one-by-one if you have a computer name per line.
Your call ...

For a book on scripting and WMI, you can always have a look at my web site
;) http://www.lissware.net  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, August 12, 2005 7:46 AM
To: activedirectory
Subject: [ActiveDir] ok, last one really

How can I change this script so I can just feed it a file of computer names
so I can automate the changing of DNS servers in the client properties?

SCRIPT-

On Error Resume Next

strComputer = "."
arrNewDNSServerSearchOrder = Array("192.168.0.1", "192.168.0.2")

' Connect to WMI on the target machine and pick up every IP-enabled NIC
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colNicConfigs = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")

WScript.Echo VbCrLf & "Computer: " & strComputer

For Each objNicConfig In colNicConfigs
  WScript.Echo VbCrLf & "Network Adapter " & objNicConfig.Index
  WScript.Echo "DNS Server Search Order - Before:"
  If Not IsNull(objNicConfig.DNSServerSearchOrder) Then
    For Each strDNSServer In objNicConfig.DNSServerSearchOrder
      WScript.Echo "  " & strDNSServer
    Next
  End If
  ' SetDNSServerSearchOrder returns 0 on success
  intSetDNSServers = _
    objNicConfig.SetDNSServerSearchOrder(arrNewDNSServerSearchOrder)
  If intSetDNSServers = 0 Then
    WScript.Echo "Replaced DNS server search order list."
  Else
    WScript.Echo "Unable to replace DNS server search order list."
  End If
Next

WScript.Echo VbCrLf & String(80, "-")

' Re-query so the "After" listing reflects the new settings
Set colNicConfigs = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")

For Each objNicConfig In colNicConfigs
  WScript.Echo VbCrLf & "Network Adapter " & objNicConfig.Index
  WScript.Echo "DNS Server Search Order - After:"
  If Not IsNull(objNicConfig.DNSServerSearchOrder) Then
    For Each strDNSServer In objNicConfig.DNSServerSearchOrder
      WScript.Echo "  " & strDNSServer
    Next
  End If
Next

END OF SCRIPT


also, can anyone recommend a good VBscript book for Windows admining so i
can leave you guys alone?

thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] My endless question day continued- Exchange attri butes

2005-08-12 Thread Rick Kingslan
If this is something that you find of interest, I can look around and see if
I can find either public docs that might be a little buried, or docs that
can be sanitized and released to you.

We've done numerous TechEd presentations on this - more in the 2000 - 2002
timeframe, IIRC.  So, I know that the docs exist - many times, it's finding
it.

Rick [MCS]

;o)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Friday, August 12, 2005 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] My endless question day continued- Exchange attri
butes

Rick,

Thanks for the response and of course you're right. The difficulty 
though lies with the complexity you refer to. Case in point Exchange 
Resource Forests. There's a lack of detailed documentation on the MS 
site. I've been looking at a dual forest solution with an E2k3 forest 
having an external trust to an account forest and I'm trying to 
establish what functionality, if any, Exchange-wise, is lost (compared 
to a normal single forest deployment). I know it's not a particularly 
common deployment scenario (unless maybe MCS are involved) and that this 
is an AD group ;-)... but I suspect, short of building a PoC environment 
or answers from the group, finding out things like mailbox 
delegation...whether FE/BE  topology works etc, means test test test :-)

Mylo

Rick Kingslan wrote:

Mylo,

I'll answer this, and when joe gets back online later, I'm sure that he'll
correct me.  j/k joe!

In my mind, you have two choices - a secure and workable solution with
separation with a potential of added complexity, or a much less secure,
combined environment.

I have a saying that goes with this:

Security != Easy, or Security and ease of use are diametrically opposed

Everyone has to make decisions based upon what their sensitivity to risk
is.


Rick


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Friday, August 12, 2005 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] My endless question day continued- Exchange attri
butes

Apologies for jumping into a semi-dead thread with some OT questions  ..

Joe, you mentioned the following:

Exchange never would have been brought into the main production forest, it
would have been in a
dedicated single domain resource forest that was entirely managed by the
Exchange admins.

Are you saying that the Resource (Exchange)  Forest is the only workable 
solution in your mind that provides the necessary separation?
I can see it from the whole service autonomy and isolation argument, but 
the fact that you need to throw provisioning into the equation,
issues such as potential single points of failure with MIIS/IIFP, added 
complexity etc  surely that single AD forest/domain is more
preferable :-)

Cheers,
Mylo


joe wrote:

  

In my last job we sort of did. I say sort of because you get the point where
you are going against AD best practices in how many ACEs you are sticking in
the directory. The mechanisms we were thinking about to get around some of
the issues such as modifying property sets had PSS looking at us and shaking
their heads indicating that doing so could certainly impact their thoughts
on how supportable we were. Basically we granted I think one property set
and a few more attributes to the Exchange Service Admins but didn't do any
of the denies to remove some property set rights they shouldn't have had,
say like ability to modify UPNs etc. 

The specific details are lost to me now on what exactly we did but I wasn't
thrilled with the options. 

If I had it all over to do again for that company, Exchange never would have
been brought into the main production forest, it would have been in a
dedicated single domain resource forest that was entirely managed by the
Exchange admins.

 joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rascher, Raymond
Sent: Friday, July 15, 2005 7:41 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] My endless question day continued- Exchange attri
butes

Did you implement a Split permissions model for exchange? If so I would like
to hear how you ACL'd the directory. 

Also, if anyone has experience creating and using permission sets and can
point me in the right direction that would be appreciated.


Thanks,
Ray
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, July 15, 2005 6:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] My endless question day continued- Exchange
attributes

Strictly according to Microsoft, Full Mailbox access given to a user should
NOT give the ability to send a message as that user. However, this has been
broken I think more than it has worked; broken meaning users with Full
Mailbox access on a mailbox but not Send As rights can send as that user

RE: [ActiveDir] account operators

2005-08-11 Thread Rick Kingslan
No, not the store - it's a bit of a misnomer that to create a mailbox you
need to have permissions to the store.

If you can create the mailbox attributes on the user account, the first time
that a mail message is delivered to the newly mailbox-enabled user, the
actual storage area on the store is created.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 9:57 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] account operators

I thought AO had complete rights to the user object which would
include exchange attribs.
i guess they still need rights to the store?
is that it?
thanks

On 8/11/05, Coleman, Hunter [EMAIL PROTECTED] wrote:
 I expect they lack Exchange View Only Admin permissions (or higher).
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Thursday, August 11, 2005 8:27 AM
 To: activedirectory
 Subject: [ActiveDir] account operators
 
 is there any reason an account operator could create a user but not a
 mailbox for that user?
 
 thanks
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
 http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] MailBox permissioning

2005-08-11 Thread Rick Kingslan








O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);



In the example above, you have a classic
output that contains SDDL (Security Descriptor Definition Language) 



O:sid is the SID of the owner 

G:sid is the SID of the group

D: is a DACL



I'll let you look over the rest and determine what you have in your strings.



http://msdn.microsoft.com/library/default.asp?url="">



Rick











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005
11:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning





Using a newer version of ldp I could
gather the following things:



The mailbox users have the following
attribute set.

usert -
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);



ZZZFFF - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2372);



ZZZGGG -
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSDRC;;;S-1-5-21-3308934242-2785796821-2776977491-2368);




ZZZJJJ -
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSD;;;S-1-5-21-3308934242-2785796821-2776977491-2369);




O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)
 This part was common for all entries.



S-1-5-21-3308934242-2785796821-2776977491-
is the objectSID for the object in the other domain to whom I want to give
permissions. Also the attribute msExchMasterAccountSid is set to the value of
object sid.



But this part *** (A;CI;CCLCRC;;; *** before
the objectsid, differs in some entries. What are all these fields? How can I
find out these values programmatically and make a single attribute value which
I can then give to the meta directory for setting?



Regards,

Mayuresh











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005
3:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning





Yes. But I want to do it using scripting +
Meta directory server.



The steps I understand until now are:

1. Give appropriate permissions in the security tab to the user in the
   different domain.
2. Give appropriate permissions in the Mailbox rights.




Since my Meta directory server is on HP-UX, I can't employ a VBScript to do
this. Can there be other ways? I understand that I would have to set the
msexchmailboxsecuritydescriptor attribute. How can I generate a binary value
for this using a perl script, so that I can give this value to the meta dir to
process and set in the exchange entry.











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bryon Barkley
Sent: Thursday, August 11, 2005
2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning







Mayuresh,











You should be able to just give Full
Permissions to the user on the mailbox rights tab located under the Exchange
Advanced Tab of the user's properties. 











BB





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]On
Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005
4:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MailBox
permissioning

Hi Gurus,



I have a scenario where I have users and mail boxes created
on exchange server on one domain. Now I have another set of users in a
different domain, who should be able to use these mail boxes, and should have
permissions over it.



Eg. User A is in retail domain. Correspondingly user A is
created in exchange domain with a mailbox. I want to now have the permissions
set so as to make the user A in the retail domain use this mailbox. What
attributes should I set on the user side or the mailbox side to do this?



Ill be doing this permissioning using a meta
directory server.



Thanks,

Mayuresh.
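Added example for the SDDL question in this thread (Rick's O:/G:/D: breakdown and Mayuresh's question about the (A;CI;CCLCRC;;;SID) fields); it is not code from any of the posts. It decodes the posted descriptor strings field by field and then emits the self-relative binary SECURITY_DESCRIPTOR that msExchMailboxSecurityDescriptor actually stores, which is the value a script on the HP-UX meta directory host would have to hand to the connector. The rights codes, ACE layout and SID encoding follow the SDDL and security-descriptor specifications; the Exchange-specific labels for the low mask bits (0x1 Full mailbox access, 0x4 Associated external account) are my reading of the Exchange 2003 Mailbox Rights tab and should be treated as an assumption. The sample string is the "usert" descriptor from the thread; the trailing ";" that ldp shows is tolerated even though it is not valid SDDL.

```python
"""SDDL decoder/encoder for the mailbox descriptors posted in this thread.

Added example, not code from any post.  parse_sddl() decodes O:..G:..D:(ace)(ace)
into owner, group and ACEs; to_binary() emits the self-relative binary
SECURITY_DESCRIPTOR that msExchMailboxSecurityDescriptor stores.  Only what the
posted strings need is handled (allow/deny ACEs, no object GUIDs, no SACL).
"""
import re
import struct
from collections import namedtuple

# SDDL two-letter rights codes -> access-mask bits, per the SDDL specification.
RIGHTS = {"GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
          "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100}
# The low bits are object-specific.  For an Exchange 2000/2003 mailbox descriptor
# these are the Mailbox Rights tab labels as I read the Exchange documentation
# (assumption: verify against your own build before relying on it).
MAILBOX_BITS = {0x1: "Full mailbox access", 0x4: "Associated external account",
                0x10000: "Delete mailbox storage", 0x20000: "Read permissions",
                0x40000: "Change permissions", 0x80000: "Take ownership"}
ACE_TYPES = {"A": 0x00, "D": 0x01}                       # allowed / denied
ACE_FLAGS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08, "ID": 0x10}
DACL_FLAGS = {"P": 0x1000, "AR": 0x0100, "AI": 0x0400}   # SD control-word bits
WELL_KNOWN = {"PS": "S-1-5-10", "SY": "S-1-5-18", "AU": "S-1-5-11",
              "WD": "S-1-1-0", "BA": "S-1-5-32-544", "BU": "S-1-5-32-545"}

class Ace(namedtuple("Ace", "ace_type flags mask sid")):
    def rights(self):           # SDDL codes set in the mask, object-independent
        return [code for code, bit in RIGHTS.items() if self.mask & bit]
    def mailbox_rights(self):   # the same mask read as Exchange mailbox rights
        return [name for bit, name in MAILBOX_BITS.items() if self.mask & bit]

SecurityDescriptor = namedtuple("SecurityDescriptor", "owner group dacl_flags dacl")

def _flags(token, table):       # OR together codes such as 'CCLCRC' or 'PAI'
    bits, i = 0, 0
    while i < len(token):
        n = 2 if token[i:i + 2] in table else 1
        bits |= table[token[i:i + n]]          # KeyError on an unknown code
        i += n
    return bits

def parse_sddl(text):
    m = re.fullmatch(r"O:(S-[\d-]+|[A-Z]{2})G:(S-[\d-]+|[A-Z]{2})"
                     r"D:([A-Z]*)((?:\([^)]*\))*);?", text.strip())
    if not m:
        raise ValueError("unsupported SDDL layout (need O:, G:, D:, no SACL)")
    owner, group, dflags, aces = m.groups()
    sd = SecurityDescriptor(WELL_KNOWN.get(owner, owner), WELL_KNOWN.get(group, group),
                            _flags(dflags, DACL_FLAGS), [])
    for body in re.findall(r"\(([^)]*)\)", aces):
        parts = body.split(";")             # type;flags;rights;obj_guid;inh_guid;sid
        if len(parts) != 6:
            raise ValueError("ACE needs six ';'-separated fields: %r" % body)
        ace_type, flags, rights, obj_guid, inh_guid, trustee = parts
        if obj_guid or inh_guid:
            raise ValueError("object ACEs are not handled here: %r" % body)
        mask = int(rights, 16) if rights.lower().startswith("0x") else _flags(rights, RIGHTS)
        sd.dacl.append(Ace(ACE_TYPES[ace_type], _flags(flags, ACE_FLAGS), mask,
                           WELL_KNOWN.get(trustee, trustee)))
    return sd

def sid_bytes(sid):             # text SID -> binary SID
    rev, auth, *subs = sid.split("-")[1:]
    if not sid.startswith("S-") or rev != "1" or not subs:
        raise ValueError("bad SID %r" % sid)
    return (struct.pack("<BB", 1, len(subs))          # revision, sub-authority count
            + int(auth).to_bytes(6, "big")            # 48-bit identifier authority
            + b"".join(struct.pack("<I", int(s)) for s in subs))   # LE uint32 each

def to_binary(sd):              # self-relative SECURITY_DESCRIPTOR bytes
    owner, group = sid_bytes(sd.owner), sid_bytes(sd.group)
    aces = b""
    for a in sd.dacl:                        # ACE_HEADER + mask + trustee SID
        trustee = sid_bytes(a.sid)
        aces += struct.pack("<BBHI", a.ace_type, a.flags, 8 + len(trustee), a.mask) + trustee
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(sd.dacl), 0) + aces
    control = 0x8000 | 0x0004 | sd.dacl_flags   # SE_SELF_RELATIVE | SE_DACL_PRESENT
    off_owner, off_group, off_dacl = 20, 20 + len(owner), 20 + len(owner) + len(group)
    header = struct.pack("<BBHIIII", 1, 0, control, off_owner, off_group, 0, off_dacl)
    return header + owner + group + acl       # SACL offset stays 0: none present

# The 'usert' descriptor from the thread (the others differ only in the last ACE).
COMMON = ("O:S-1-5-21-2527121305-4244181741-3459546813-500"
          "G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)")
OTHER = "S-1-5-21-3308934242-2785796821-2776977491-"
USERT = COMMON + "(A;CI;CCLCRC;;;%s2370);" % OTHER

if __name__ == "__main__":
    for ace in parse_sddl(USERT).dacl:
        print(ace.sid, ace.rights(), ace.mailbox_rights())
    print(len(to_binary(parse_sddl(USERT))), "bytes of binary descriptor")
```

Read this way, the two ACEs in every posted string say the same thing: the mailbox owner (PS, Principal Self) holds CC+DC+RC, and the account from the other domain holds CC+LC+RC, which on a mailbox descriptor is Full mailbox access plus Associated external account plus Read permissions, exactly what the Mailbox Rights tab sets for a linked mailbox; ZZZGGG and ZZZJJJ add SD (Delete mailbox storage) and ZZZJJJ drops RC. To build a new value, change the trustee SID and rights in the ACE string, run it through parse_sddl and to_binary, and give the meta directory the resulting bytes as a binary attribute value (base64 in LDIF), never the SDDL text. On a Windows host the same conversion is one API call (ConvertStringSecurityDescriptorToSecurityDescriptor); the point of doing it by hand is that it runs on HP-UX and makes the field layout visible.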










RE: [ActiveDir] account operators

2005-08-11 Thread Rick Kingslan
Because, by default, the AO does not have permissions over Exchange
attributes.

These need to be assigned separately.

Rick


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] account operators

i plan on getting rid of it.

my question is really for my own knowledge. 
if homeMDB and mailNickname are parts of a user attrib and AO has full
control on that user by default, why can't they set a mailbox via
ADUC? I guess ADUC uses CDOEXM?

also, is it a good idea not to use Backup Operators and the other
Builtin groups?
Thanks

On 8/11/05, joe [EMAIL PROTECTED] wrote:
 Strictly speaking, anyone who has the ability to set mailNickname and
 homeMDB can create a mailbox. However... It depends on the tool being used.
 Most tools, especially anything that uses CDOEXM or emulates CDOEXM
 explicitly, will require Exchange View access to look up the homeMDB URL. If
 you use LDIF or admod or anything else that can directly update those
 attributes mentioned above, you are good to go.
 
 That being said, while you are new and making changes, take away account op
 rights. It is a pain to clean up later and you run into issues with
 adminsdholder when people try to reset each other's passwords etc. Acc Ops is
 there simply for the migration from NT to AD. After that you should go to
 delegated IDs.
 
   joe
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Thursday, August 11, 2005 10:57 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] account operators
 
 I thought AO had complete rights to the user object which would include
 exchange attribs.
 i guess they still need rights to the store?
 is that it?
 thanks
 
 On 8/11/05, Coleman, Hunter [EMAIL PROTECTED] wrote:
  I expect they lack Exchange View Only Admin permissions (or higher).
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
  Sent: Thursday, August 11, 2005 8:27 AM
  To: activedirectory
  Subject: [ActiveDir] account operators
 
  is there any reason an account operator could create a user but not a
  mailbox for that user?
 
  thanks
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive:
  http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] account operators

2005-08-11 Thread Rick Kingslan
 why can't they create a mailbox for a regular user?

Simply, the Account Operator is designed to work as a principal that allows
work on accounts as they are BY DEFAULT out of Windows Server.

The real reason is that typically, in most medium to large organizations,
there is a mail admin team and a server admin team (at least it was VERY much
this way with Exch 5.5).

Separation of the functions was a goal to carry forward - but it could only
be done by Group membership / permissions on attributes.

If you take a look at the Advanced Security properties of a user, and drill
in to the permissions granted to the AO, you're going to find that the
permission for the Exchange functions are not granted.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] account operators

thats what i thought but then it would make sense that AO group would
be able to set that attrib on a user they have full control over.
why can't they create a mailbox for a regular user?
thanks as always, rick

On 8/11/05, Rick Kingslan [EMAIL PROTECTED] wrote:
 No, not the store - it's a bit of a misnomer that to create a mailbox you
 need to have permissions to the store.
 
 If you can create the mailbox attributes on the user account, the first
time
 that a mail message is delivered to the newly mailbox-enabled user, the
 actual storage area on the store is created.
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Thursday, August 11, 2005 9:57 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] account operators
 
 I thought AO had complete rights to the user object which would
 include exchange attribs.
 i guess they still need rights to the store?
 is that it?
 thanks
 
 On 8/11/05, Coleman, Hunter [EMAIL PROTECTED] wrote:
  I expect they lack Exchange View Only Admin permissions (or higher).
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
  Sent: Thursday, August 11, 2005 8:27 AM
  To: activedirectory
  Subject: [ActiveDir] account operators
 
  is there any reason an account operator could create a user but not a
  mailbox for that user?
 
  thanks
  List info   : http://www.activedir.org/List.aspx
  List FAQ: http://www.activedir.org/ListFAQ.aspx
  List archive:
  http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] A bad bad thing...Manual push of AD?

2005-08-11 Thread Rick Kingslan
Is this machine JUST a DC?  If so, (without going out and having to buy a
3rd party piece of software) you can whack it and rebuild.  You'll have to
do the MetaDirectory cleanup for a DC removed from a domain improperly.

If that's not feasible, when was your last system state backup?  You can go
into DSRM and initiate a non-authoritative restore.

Follow this:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/f3bfb611-dcbe-4365-8f1d-3321916aeb63.mspx

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shadow Roldan
Sent: Thursday, August 11, 2005 1:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] A bad bad thing...Manual push of AD?

So I did a bad thing, I deleted a user at a different site and marked
his mailbox for deletion

Immediately recognizing my mistake I *ran* to the server room and yanked
the network cable of the dc I was connected to.

For now, none of the changes have replicated.

I want to bring this machine back online, but I don't want those changes
to go through

How would you make this happen?

Thanks guys

 

S

 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] csvde syntax

2005-08-11 Thread Rick Kingslan
Just put the LDAP filter into an appropriate batch or VBscript file to
accomplish

http://www.petri.co.il/ldap_search_samples_for_windows_2003_and_exchange.htm

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 1:18 PM
To: activedirectory
Subject: [ActiveDir] csvde syntax

what's the ldap filter to use with csvde to just export all computer
objects in a domain to a file?
thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] A bad bad thing...Manual push of AD?

2005-08-11 Thread Rick Kingslan
A Right, right.  I forgot the increase of 10 in the USN.  This
would effectively ensure that the newly authed object would not be
overwritten by the object on the DC yanked from the network.

So, Guido is right (as always).  Rebuilding the DC is not even remotely the
issue - and is not even necessary once the USN is increased.

Got it.  Thanks for the clarification, all!

Rick

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Thursday, August 11, 2005 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

 

You are both correct...

 

However, what Brett says (and what I thought) is: use another DC with the user
still in full detail. Boot into DSRM, use NTDSUTIL and an AUTH restore so that
the version of the object is increased (by 10). Because the version of the
user has been increased the deleted version of the user will be undone. Only
after restoring he should bring back the DC online. The deletion will
replicate out and the undeletion (the object with a higher version) will
replicate in.

 

If he brings the DC back online before doing an auth restore of the object,
the deletion will replicate to the other DCs and then he will, as Brett
said, need to do a system state restore.

 

The procedure Brett described below and I above looks like the lag site
structure and in this with only one DC and someone who can run really
fast... ;-)))

 

Jorge

 

  _  

From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Thu 8/11/2005 9:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

Brett, 

How is this going to help him get the DC back online that he yanked the 
cable on?  As soon as that system is plugged back in, it's going to repl out
the change, no? 

Rick 

-Original Message- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley 
Sent: Thursday, August 11, 2005 1:54 PM 
To: ActiveDir@mail.activedir.org 
Subject: Re: [ActiveDir] A bad bad thing...Manual push of AD? 

 

Well you're lucky that you yanked the network cable in time, now you don't 
have to do a system state restore to get the user back ... 

Find a DC where the user still exists in a pristine condition, all the 
mailbox details, etc.  Reboot the DC in DS Restore mode(DSRM).  Use 
ntdsutil.exe to auth restore just that user's object. 

You may (probably will) also have to restore links to that user, at this 
point it'd be nice if you were running on Win2k3 SP1, but if not it is 
still accomplishable. 

For Win2k3 Sp1, after auth restoring the user, there should be some ldf 
file(s) that will allow you to restore the links.  Simply use ldifde, to 
apply these files to the appropriate DCs (up to one ldf per domain). 

For pre this latest generation (which is more likely, because you could 
yank the net cable in time), you may have to find the objects that are 
linked to the user, and restore them yourself.  You can do this by 
performing an LDAP operation that deletes and re-sets the links to that 
user. 

BTW, there is a more extensive KB article you might find useful: 
  http://support.microsoft.com/?kbid=840001 

Cheers, 
BrettSh 

This posting is provided AS IS with no warranties, and confers no 
rights. 

On Thu, 11 Aug 2005, Shadow Roldan wrote: 

 So I did a bad thing, I deleted a user at a different site and marked 
 his mailbox for deletion 
 
 Immediately recognizing my mistake I *ran* to the server room and yanked 
 the network cable of the dc I was connected to. 
 
 For now, none of the changes have replicated. 
 
 I want to bring this machine back online, but I don't want those changes 
 to go through 
 
 How would you make this happen? 
 
 Thanks guys 
 
  
 
 S 
 
  
 List info   : http://www.activedir.org/List.aspx 
 List FAQ: http://www.activedir.org/ListFAQ.aspx 
 List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ 
 


This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.



RE: [ActiveDir] A bad bad thing...Manual push of AD?

2005-08-11 Thread Rick Kingslan








 Best of all for one
object it would be free.



Huh. Nice to know. Thanks, Bob.



Rick











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Bobel
Sent: Thursday, August 11, 2005
4:34 PM
To: ActiveDir@mail.activedir.org;
ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad
thing...Manual push of AD?









Ok, so sorry in advance for the
productplug...











Quest has two products called Recovery Manager for both AD and for Exchange;
you could download them and recover the user with the demo license. You would
only need to do a Windows backup on a DC where the delete has not yet been
replicated. This will recover the group memberships etc... 











Best of all for one object it would be free.






Bob















From:
[EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 8/11/2005 4:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad
thing...Manual push of AD?





it'll try
- but as the version of the tombstone object will then be
lower than that of the auth. restored object, the local change on the
deleted object itself will simply be disregarded and the object +
attributes restored (read: they will be overwritten by the auth.
restored object which have a higher version number).

but the main point Brett is also making seems to be ignored in the rest
of this thread = although we still don't know Shadow Roldan's OS
version, the probability is somewhat high that he's not using Win2003
SP1 (maybe not even any non-SP1 Win2003), which means that he has to
take special care of the links that the deleted object was linked to
(read: mainly the group-memberships he had).
Depending on the version of the DC OS, these won't be restored on the
unplugged DC (Win2000 won't help you at all, Win2003 would revive the
links if they were LVR links, Win2003 SP1 will also get the non-LVR
links back and write them to an ldif file so that you can restore the
links by importing the ldif file).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Rick Kingslan
Sent: Donnerstag, 11. August 2005 22:10
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

Brett,

How is this going to help him get the DC back online that he yanked the
cable on? As soon as that system is plugged back in, it's going to repl
out
the change, no?

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Brett Shirley
Sent: Thursday, August 11, 2005 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] A bad bad thing...Manual push of AD?


Well you're lucky that you yanked the network cable in time, now you
don't
have to do a system state restore to get the user back ...

Find a DC where the user still exists in a pristine condition, all the
mailbox details, etc. Reboot the DC in DS Restore mode(DSRM). Use
ntdsutil.exe to auth restore just that user's object.

You may (probably will) also have to restore links to that user, at this
point it'd be nice if you were running on Win2k3 SP1, but if not it is
still accomplishable.

For Win2k3 Sp1, after auth restoring the user, there should be some ldf
file(s) that will allow you to restore the links. Simply use ldifde, to
apply these files to the appropriate DCs (up to one ldf per domain).

For pre this latest generation (which is more likely, because you could
yank the net cable in time), you may have to find the objects that are
linked to the user, and restore them yourself. You can do this by
performing an LDAP operation that deletes and re-sets the links to that
user.

BTW, there is a more extensive KB article you might find useful:
 http://support.microsoft.com/?kbid=840001

Cheers,
BrettSh

This posting is provided AS IS with no warranties, and confers no
rights.

On Thu, 11 Aug 2005, Shadow Roldan wrote:

 So I did a bad thing, I deleted a user at a different site and marked
 his mailbox for deletion

 Immediately recognizing my mistake I *ran* to the server room and
yanked
 the network cable of the dc I was connected to.

 For now, none of the changes have replicated.

 I want to bring this machine back online, but I don't want those
changes
 to go through

 How would you make this happen?

 Thanks guys



 S


 List info : http://www.activedir.org/List.aspx
 List FAQ : http://www.activedir.org/ListFAQ.aspx
 List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] A bad bad thing...Manual push of AD?

2005-08-11 Thread Rick Kingslan
I agree completely - that is the attraction of the lag sites - I have
something in which I can push a change back out from a time delayed replica
to where the object sill exists.

And I agree as well - if there is a DC that has the object required - by all
means, repl it back out authoritatively.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, August 11, 2005 3:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

Hmmm, maybe I misunderstood ...

I understood he has a user deleted on some DCs, but not on others.  He
doesn't want the user deleted.  He can then just take a DC with the user,
auth restore the user, let that replicate out.  Yes, the delete change
will try to replicate out, but when it hits the auth restore the delete
operation will essentially be tossed.  

I mean this is the whole attraction to hot sites is it not? Am I missing
something?

Cheers,
BrettSh

On Thu, 11 Aug 2005, Rick Kingslan wrote:

 Brett,
 
 How is this going to help him get the DC back online that he yanked the
 cable on?  As soon as that system is plugged back in, it's going to repl out
 the change, no?
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Thursday, August 11, 2005 1:54 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] A bad bad thing...Manual push of AD?
 
 
 Well you're lucky that you yanked the network cable in time, now you don't
 have to do a system state restore to get the user back ...
 
 Find a DC where the user still exists in a pristine condition, all the
 mailbox details, etc.  Reboot the DC in DS Restore mode (DSRM).  Use
 ntdsutil.exe to auth restore just that user's object.
 
 You may (probably will) also have to restore links to that user, at this
 point it'd be nice if you were running on Win2k3 SP1, but if not it is
 still accomplishable.
 
 For Win2k3 Sp1, after auth restoring the user, there should be some ldf
 file(s) that will allow you to restore the links.  Simply use ldifde, to
 apply these files to the appropriate DCs (up to one ldf per domain).
 
 For pre this latest generation (which is more likely, because you could
 yank the net cable in time), you may have to find the objects that are
 linked to the user, and restore them yourself.  You can do this by
 performing an LDAP operation that deletes and re-sets the links to that
 user.
 
 BTW, there is a more extensive KB article you might find useful:
   http://support.microsoft.com/?kbid=840001
 
 Cheers,
 BrettSh
 
 This posting is provided AS IS with no warranties, and confers no
 rights.
 
 On Thu, 11 Aug 2005, Shadow Roldan wrote:
 
  So I did a bad thing, I deleted a user at a different site and marked
  his mailbox for deletion
  
  Immediately recognizing my mistake I *ran* to the server room and yanked
  the network cable of the dc I was connected to.
  
  For now, none of the changes have replicated.
  
  I want to bring this machine back online, but I don't want those changes
  to go through
  
  How would you make this happen?
  
  Thanks guys
  
   
  
  S
  
   
  
 
 



RE: [ActiveDir] A bad bad thing...Manual push of AD?

2005-08-11 Thread Rick Kingslan
 NOT the USN.  Everyone makes that mistake ... why can no one keep the
version and the USN straight?

:o)  You know - I really don't know why.  I know the difference, and I
continually make that mistake.  I can bet, too, that if I go back through
any number of books, news posts, documents written by other folks - I'm
fairly certain that I can find the mistake made again and again.

In fact - I have to go take a look at MOC.  I THINK that they have it wrong
as well.

I'll point it out to Internal if that, is in fact, the case.

Rick


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, August 11, 2005 5:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

NOT the USN.  Everyone makes that mistake ... why can no one keep the
version and the USN straight?

The USN never resolves replication conflicts, only tells us WHAT to
replicate, never WHAT should win.  The version is the opposite, it never
tells us what we need to replicate, only who should win in case of a
conflict ...

During auth restore the version is incremented by 10 (per day old the
backup is), and the USN is simply allocated from the next available USN
(i.e. it is only guaranteed to be at least 1 higher than the last USN, but
more likely there is just some random number of USNs in between, so it
jumps by some amount ...).

Cheers,
-BrettSh


On Thu, 11 Aug 2005, Rick Kingslan wrote:

 Right, right.  I forgot the increase of 10 in the USN.  This
 would effectively insure that the newly authed object would not be
 overwritten by the object on the DC yanked from the network.
 
 So, Guido is right (as always).  Rebuilding the DC is not even remotely the
 issue - and is not even necessary once the USN is increased.
 
 Got it.  Thanks for the clarification, all!
 
 Rick
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
 Jorge de
 Sent: Thursday, August 11, 2005 3:34 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?
 
  
 
 You are both correct...
 
  
 
 However, what Brett says (and what I thought) is: use another DC with the
 user still in full detail. Boot into DSRM. Use NTDSUTIL and an AUTH restore so
 that the version of the object is increased (by 10). Because the version
 of the user has been increased, the deleted version of the user will be
 undone. Only after restoring he should bring back the DC online. The
 deletion will replicate out and the undeletion (the object with a higher
 version) will replicate in.
 
  
 
 If he brings the DC back online before doing an auth restore of the object,
 the deletion will replicate to the other DCs and then he will, as Brett
 said, need to do a system state restore.
 
  
 
 The procedure Brett described below and I above looks like the lag site
 structure and in this with only one DC and someone who can run really
 fast... ;-)))
 
  
 
 Jorge
 
  
 
 
 From: [EMAIL PROTECTED] on behalf of Rick Kingslan
 Sent: Thu 8/11/2005 9:10 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?
 
 Brett, 
 
 How is this going to help him get the DC back online that he yanked the
 cable on?  As soon as that system is plugged back in, it's going to repl out
 the change, no?
 
 Rick 
 
 -Original Message- 
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley 
 Sent: Thursday, August 11, 2005 1:54 PM 
 To: ActiveDir@mail.activedir.org 
 Subject: Re: [ActiveDir] A bad bad thing...Manual push of AD? 
 
  
 
 Well you're lucky that you yanked the network cable in time, now you don't
 have to do a system state restore to get the user back ...
 
 Find a DC where the user still exists in a pristine condition, all the 
 mailbox details, etc.  Reboot the DC in DS Restore mode (DSRM).  Use 
 ntdsutil.exe to auth restore just that user's object. 
 
 You may (probably will) also have to restore links to that user, at this 
 point it'd be nice if you were running on Win2k3 SP1, but if not it is 
 still accomplishable. 
 
 For Win2k3 Sp1, after auth restoring the user, there should be some ldf 
 file(s) that will allow you to restore the links.  Simply use ldifde, to 
 apply these files to the appropriate DCs (up to one ldf per domain). 
 
 For pre this latest generation (which is more likely, because you could 
 yank the net cable in time), you may have to find the objects that are 
 linked to the user, and restore them yourself.  You can do this by 
 performing an LDAP operation that deletes and re-sets the links to that 
 user. 
 
 BTW, there is a more extensive KB article you might find useful: 
   http://support.microsoft.com/?kbid=840001 
 
 Cheers, 
 BrettSh 
 
 This posting is provided AS IS with no warranties, and confers no 
 rights. 
 
 On Thu, 11 Aug 2005, Shadow Roldan wrote: 
 
  So I did a bad
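As an added illustration of the two points made in this thread (the auth-restore recovery Brett describes, and his correction that the version, not the USN, decides a replication conflict), here is a small Python model. It is an example written for this archive, not code from the list, from Microsoft, or from ntdsutil. The DC names, the DN, the integer timestamps and the default bump of 10 (the figure quoted in the thread) are constructed for the example; the real product's authoritative-restore increment is larger and configurable in ntdsutil, so the model simply takes the bump as a parameter. Running the scenario with a bump of 0 reproduces the failure case Jorge describes (the delete replicates out and wins), and with a positive bump the restored object wins on both DCs.

```python
"""Toy model of how AD resolves a replication conflict (added example,
not code from the list or from Microsoft). Each attribute carries the
stamps AD keeps per attribute: version, originating timestamp and
originating DSA. Each DC also keeps its own local USN counter. The USN
only decides WHAT a partner still needs to send; the stamps decide WHO
WINS when two DCs changed the same attribute. Authoritative restore
raises the version so the restored value wins. The size of that bump
(version_bump) is a parameter here, not the product's real value."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed DN used by the scenario below.
USER_DN = "CN=jdoe,OU=Users,DC=example,DC=test"


@dataclass
class Stamp:
    value: object
    version: int        # replication version: decides conflicts
    timestamp: int      # originating time (toy monotonic integer)
    origin_dsa: str     # name of the DC where the write originated
    local_usn: int      # USN on *this* DC: decides what to replicate


def wins(incoming: Stamp, current: Optional[Stamp]) -> bool:
    """AD conflict order: higher version, then later originating time,
    then originating DSA as a tie-breaker. The USN is never consulted."""
    if current is None:
        return True
    return ((incoming.version, incoming.timestamp, incoming.origin_dsa)
            > (current.version, current.timestamp, current.origin_dsa))


@dataclass
class DomainController:
    name: str
    usn: int = 0
    db: Dict[str, Dict[str, Stamp]] = field(default_factory=dict)
    watermark: Dict[str, int] = field(default_factory=dict)  # partner -> last USN pulled

    def _next_usn(self) -> int:
        self.usn += 1
        return self.usn

    def write(self, dn: str, attr: str, value, now: int) -> None:
        """Originating write: the version goes up by exactly one."""
        obj = self.db.setdefault(dn, {})
        old = obj.get(attr)
        version = old.version + 1 if old else 1
        obj[attr] = Stamp(value, version, now, self.name, self._next_usn())

    def auth_restore(self, dn: str, now: int, version_bump: int) -> None:
        """ntdsutil-style authoritative restore of one object: every attribute's
        version is raised by version_bump and gets a fresh local USN, so the
        object is sent out again on the next replication cycle."""
        for attr, old in self.db[dn].items():
            self.db[dn][attr] = Stamp(old.value, old.version + version_bump,
                                      now, self.name, self._next_usn())

    def changes_since(self, usn_floor: int) -> List[Tuple[str, str, Stamp]]:
        """What the USN is for: everything written after usn_floor, in USN order."""
        found = [(dn, attr, s) for dn, attrs in self.db.items()
                 for attr, s in attrs.items() if s.local_usn > usn_floor]
        return sorted(found, key=lambda t: t[2].local_usn)

    def pull_from(self, partner: "DomainController") -> int:
        """One inbound replication cycle; returns the number of values applied."""
        applied = 0
        for dn, attr, s in partner.changes_since(self.watermark.get(partner.name, 0)):
            current = self.db.get(dn, {}).get(attr)
            if wins(s, current):
                # Keep the originating stamps, but allocate a *local* USN.
                self.db.setdefault(dn, {})[attr] = Stamp(
                    s.value, s.version, s.timestamp, s.origin_dsa, self._next_usn())
                applied += 1
        self.watermark[partner.name] = partner.usn
        return applied


def yanked_cable_scenario(version_bump: int = 10) -> Tuple[bool, bool]:
    """Replays the thread: delete on DC-A, cable pulled, auth restore on DC-B,
    cable plugged back in. Returns isDeleted as finally seen on (DC-A, DC-B)."""
    dc_a = DomainController("DC-A")   # the DC whose cable was yanked
    dc_b = DomainController("DC-B")   # a DC that still holds the pristine user
    dc_b.write(USER_DN, "isDeleted", False, now=1)
    dc_b.write(USER_DN, "mail", "jdoe@example.test", now=1)
    dc_a.pull_from(dc_b)                              # user exists on both DCs
    dc_a.write(USER_DN, "isDeleted", True, now=2)     # the mistake; never replicated
    dc_b.auth_restore(USER_DN, now=3, version_bump=version_bump)
    dc_b.pull_from(dc_a)   # the delete arrives but loses on version (if bumped)
    dc_a.pull_from(dc_b)   # the restored stamps overwrite the delete on DC-A
    return (dc_a.db[USER_DN]["isDeleted"].value,
            dc_b.db[USER_DN]["isDeleted"].value)


if __name__ == "__main__":
    print("with auth restore bump:", yanked_cable_scenario(10))   # (False, False)
    print("without version bump: ", yanked_cable_scenario(0))    # (True, True)
```

The model deliberately gives the delete on DC-A a local USN that is numerically equal to or higher than the restore's USN on DC-B; that has no effect on the outcome, which is the point Brett makes: USNs are per-DC bookkeeping for what to send, and only the version (then timestamp, then DSA) decides which value survives.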
