Re: [ActiveDir] I'm Baaaaaaack!
Good idea! BTW, good job on the Cookbook with Robbie. Top-notch, Laura.

Rick

From: Laura E. Hunter [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] I'm Baaack!
Date: Thu, 21 Sep 2006 16:25:10 -0400

Quick! Hide the good silverware!

On 9/21/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:
Yikes! Is it Halloween yet?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Rick Kingslan
Sent: Thu 9/21/2006 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] I'm Baaack!

Be afraid. Be very afraid! :-)

Rick

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] ADFS and certs
Joe, Tomasz -

Yep, you're right that it may tend to show a bad precedent for people to follow. I haven't taken a look at these particular labs (and having just come back from a long hiatus, I didn't see the referenced lab), but is the guidance there as to what Best or Preferred Practices SHOULD BE? If not, I find that the bigger problem than the fact that self-certs are being used at all.

Rick

From: Tomasz Onyszko [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADFS and certs
Date: Sun, 24 Sep 2006 21:21:53 +0200

Joe Kaplan wrote:
(...)
I also think the ADFS step by step guide leads people down a dark path, in that all the demos are set up with selfssl and self-issued certs, which are ok for demos, but not cool for production (IMO)
(...)

Will jump in with a few words from myself again - I can agree with your point regarding the step by step 100%. When I tried to set up my first ADFS lab I decided to use a Windows 2003 CA instead of self-issued certs, and for me it was a far more natural way to use ADFS than this unrealistic SelfSSL scenario, which may be confusing for users. I've exchanged e-mail with people on an internal mailing list a few times about it, and one good piece of information is that this point was taken and an updated version of the step by step document for ADFS should be better on this.

--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
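Editor's added example, not from the thread or from Microsoft's ADFS guide: a quick audit of the federation server's machine certificate store for the kind of certificate Joe and Tomasz are warning about. A SelfSSL certificate has subject equal to issuer, and a self-signed certificate that someone has pushed into Trusted Root will still pass chain validation, so the script reports the self-signed flag separately from chain validity. It also checks the Server Authentication EKU, whether the certificate's names cover the federation service host, and expiry. The host name fs.example.com and the 30-day expiry margin are assumptions.

```powershell
# Added example, not from the thread: audit the local machine's personal
# certificate store for certificates that should not end up bound to a
# production ADFS web endpoint: self-signed (subject equals issuer, which is
# what SelfSSL produces), failing chain validation, missing the Server
# Authentication EKU, not covering the federation service name, or about to
# expire. The federation service host name is an assumption.
param([string]$FederationHost = 'fs.example.com')   # assumption: the ADFS service FQDN

function Test-AdfsCandidateCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$HostName
    )
    $selfSigned = ($Cert.Subject -eq $Cert.Issuer)
    $chainOk    = $Cert.Verify()     # chain to a trusted root plus revocation, using this machine's stores
    $serverAuth = @($Cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }).Count -gt 0
    $names      = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })   # SAN entries, falling back to the CN
    $coversHost = $false
    foreach ($n in $names) {
        if ($n -eq $HostName) { $coversHost = $true; break }
        # a wildcard covers one label only: *.example.com covers fs.example.com, not a.b.example.com
        if ($n.StartsWith('*.') -and ($HostName -like $n) -and ($HostName.Split('.').Count -eq $n.Split('.').Count)) {
            $coversHost = $true; break
        }
    }
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        NotAfter      = $Cert.NotAfter
        SelfSigned    = $selfSigned
        ChainValid    = $chainOk
        ServerAuthEku = $serverAuth
        CoversHost    = $coversHost
        ProductionOK  = (-not $selfSigned) -and $chainOk -and $serverAuth -and $coversHost -and ($Cert.NotAfter -gt (Get-Date).AddDays(30))
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-AdfsCandidateCert -Cert $_ -HostName $FederationHost } |
    Sort-Object ProductionOK -Descending |
    Format-Table Subject, SelfSigned, ChainValid, ServerAuthEku, CoversHost, NotAfter, ProductionOK -AutoSize
```

Run it on the server that will host the federation service web endpoint; anything with ProductionOK false is a lab certificate or a misissued one and should be replaced with one from your enterprise or public CA before the box goes live. The audit concerns the SSL certificate on the web endpoint only; it says nothing about whether a given certificate is appropriate for ADFS token signing.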
[ActiveDir] I'm Baaaaaaack!
Be afraid. Be very afraid! :-)

Rick
RE: Re: [ActiveDir] icmp's
Cool. Now I understand the rationale for what you were getting at.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

Rick came out of the woodwork and rambled:
Huh? Can you explain both statements, joe?

First statement being, "I would rather not set domain policies in GPOs..."

I am referring to actual domain policy, not a policy applied to all machines in the domain. You know, the original meaning of domain policy. Pushing any policy to domain controllers that has to do with configuration of AD is asinine in my opinion; you already have a mechanism to push those changes through the environment. You don't need to use another one. Also it is a point of confusion for tons and tons of people. There should be a clear divisor between true domain policy and a policy that gets applied to each individual machine.

Second statement being "programmatically handling settings in policies..."

You can't set GPO settings programmatically unless you reverse the format of the policy information in sysvol. All you can do is backup/restore/export/import/enable/disable. What if I want to take all policies under the OU Buildings (which could be tens, hundreds, or thousands of policy files) and set one setting, for the sake of argument say password policy for local machines is equal to some set of values based on the specific OU name that the policy is applied to (say it has finance in the name of the OU)? How will you do that programmatically without directly hacking the policy files, which last I heard wasn't supported?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, January 01, 2006 1:09 PM
To: [EMAIL PROTECTED]
Subject: RE: Re: [ActiveDir] icmp's

joe stood up and attempted to smack Mark Parris with a large trout, saying:
I would rather not set domain policy with GPOs.
While I am at it, I think we are far beyond the point that we should have the ability to programmatically handle settings in policies.

Huh? Can you explain both statements, joe? I understand the context of the first, but not why. The second I just am not sure what you're getting at. Help out an old haggard road warrior. ;o)

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

Come on, who ya going to believe? Microsoft, who has all sorts of typos in the documentation (I just saw a reference to objectcategory=user in an MS doc 2 days ago, I still have the bruise on my forehead), or our trusted source... Al? :o)

Personally I like the old style logon scripts better than GPO logon scripts. Way too many things impact GPO functions. I never found it difficult to write logon scripts designed to work on specific users nor machines, so didn't need the sorting capability of GPOs. Overall I am ok-level happy with having a default domain GPO and default DC GPO as the only GPOs. I would rather not set domain policy with GPOs. While I am at it, I think we are far beyond the point that we should have the ability to programmatically handle settings in policies.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Sunday, January 01, 2006 9:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

This is from the Microsoft article "Enterprise logon scripts":

By default, logon scripts written as either .bat or .cmd files (so-called legacy logon scripts) run in a visible command window; when executed, a command window opens up on the screen. To prevent a user from closing the command window (and thus terminating the script), you can enable the "Run legacy logon scripts hidden" policy. This ensures that all legacy logon scripts run in a hidden window.

Mark

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 01 January 2006 14:18
To: ActiveDir@mail.activedir.org
Subject: [Norton AntiSpam] Re: [ActiveDir] icmp's

I thought I read somewhere in some MS doc it being referred to as legacy since now you can put multiple logon scripts in GPOs and that they recommend doing it that way. Every time a new OS or feature comes out, MS tends to refer to the previous OS/feature as legacy or down-level. Maybe I just made a silly assumption that using a logon script as a user attribute (I guess somewhat similar to the way NT did it) instead of a GPO was legacy.
Thanks

On 1/1/06, Al Mulnick [EMAIL PROTECTED] wrote:
I personally haven't heard it referred to as legacy. I think that may be because it wasn't a legacy method when I last heard it ;) I haven't tested this, so your mileage may vary but: the legacy method would have been created and designed for a time before ICMP
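Editor's added example, not from the thread: the operation joe describes, done with the GroupPolicy module that shipped later with Windows Server 2008 R2 / RSAT, rather than by editing files under SYSVOL. It enumerates the OUs under Buildings whose name contains "finance", collects the GPOs linked directly to them, and writes one registry-backed policy value into each, then reads it back. The search base, the registry key and the value name are assumptions chosen for illustration (the value is the one the "Run legacy logon scripts hidden" user policy from Mark's quote is assumed to write). The caveat joe's example needs: the local password policy he picked lives in the security-settings template (GptTmpl.inf) part of a GPO, which these cmdlets do not write, so for that particular setting his point still stands.

```powershell
# Added example, not from the thread: walk every OU under "Buildings" whose
# name contains "finance", collect the GPOs linked to them, and write one
# registry-backed setting into each with the GroupPolicy module (Windows
# Server 2008 R2 / RSAT or later). Search base, registry key and value name
# are assumptions chosen for illustration.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$SearchBase = 'OU=Buildings,DC=example,DC=com'                                 # assumption
$Key        = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' # assumption
$ValueName  = 'HideLegacyLogonScripts'                                         # assumption
$Value      = 1

function Get-GpoNamesLinkedUnder {
    param([string]$SearchBase, [string]$OuNamePattern)
    Get-ADOrganizationalUnit -Filter "Name -like '$OuNamePattern'" -SearchBase $SearchBase -SearchScope Subtree |
        ForEach-Object {
            # GpoLinks holds the GPOs linked directly at this OU, not ones inherited from above
            (Get-GPInheritance -Target $_.DistinguishedName).GpoLinks
        } |
        Select-Object -ExpandProperty DisplayName -Unique
}

function Set-RegistryPolicyInGpos {
    param([string[]]$GpoNames, [string]$Key, [string]$ValueName, [int]$Value, [switch]$DryRun)
    foreach ($name in $GpoNames) {
        if ($DryRun) {
            [pscustomobject]@{ Gpo = $name; Action = "would set $Key\$ValueName = $Value" }
            continue
        }
        Set-GPRegistryValue -Name $name -Key $Key -ValueName $ValueName -Type DWord -Value $Value | Out-Null
        # Read the value back out of the GPO so the report shows what actually landed
        $rv = Get-GPRegistryValue -Name $name -Key $Key -ValueName $ValueName
        [pscustomobject]@{ Gpo = $name; Action = "set $Key\$ValueName = $($rv.Value)" }
    }
}

$targets = Get-GpoNamesLinkedUnder -SearchBase $SearchBase -OuNamePattern '*finance*'
# Run with -DryRun first and check the GPO list; drop the switch to apply.
Set-RegistryPolicyInGpos -GpoNames $targets -Key $Key -ValueName $ValueName -Value $Value -DryRun |
    Format-Table -AutoSize
```

Two things to check before dropping -DryRun: a GPO linked at several of the matching OUs is changed once but affects all of them, and a GPO linked both inside and outside the Buildings subtree will carry the change to the outside links too, which is exactly the sort of side effect joe's "tens, hundreds, or thousands of policy files" remark is about.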
RE: [ActiveDir] WinXP and Win2003
My point exactly. However, use of a separate hard drive in a system that is already running something else, or 'separation technology' (not 100% sure what that is), usually means 'dual boot' to some degree. And, I would really suggest that if you're not learning HOW to manage the BCD in Vista, it might be an idea. Dual booting is a way to do this.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Sunday, January 01, 2006 2:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] WinXP and Win2003

~ Hehe…. Let me know how that full-out testing of Vista and Aero Glass is going for you in a VPC or a VMWare virtual machine. ~

That's what dedicated systems are for. :) Sure, a VM is not the best option here, depending on what aspect of the OS is being tested, but in that case, using a totally separate hard drive or some other separation technology will still likely prove to be more viable than dual-booting.

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 1/1/06, Rick Kingslan [EMAIL PROTECTED] wrote:
Hehe…. Let me know how that full-out testing of Vista and Aero Glass is going for you in a VPC or a VMWare virtual machine.

I agree, dual-booting is not the optimal method to running different OS's, but if you want the OS to have the full machine, rather than the limited virtualized hardware that the VMs are allowed – I think dual booting still has a very strong place in the testing / learning environment. And, make no mistake – this is coming from a guy that when on the road, has a 250GB external with nothing BUT VMs with VPC and VS 2005 R2 on his laptop. I love virtualization…. It's just not the right thing for all situations.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

I have no clue why it wouldn't allow you to have different names for the OS and then both can be joined at the same time; I have done this often. You did use different directories for the installations, right? Anymore dual booting is going the way of the dodo; the new thing is virtualization software so you have both instances up and running at once. Look at Virtual PC or VMWare Workstation.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Sunday, January 01, 2006 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WinXP and Win2003

Hi list,

I have Windows XP SP2 on my machine. I need to test something, so I installed Windows 2003 Server Enterprise Edition R2 on the same machine, same hard disk. I can see the dual boot screen and choose the OS, but I can only login to the domain if one of the OSes is disconnected from the domain, meaning if I want to login to the Windows 2003 I have to go to the Windows XP and disjoin the machine from the domain, then restart and login to the domain in Windows 2003; if I want to login to WinXP I go to Windows 2003 and disjoin it from the domain, then restart and join the XP to the domain and login. Locally I can login to both machines no problem. The error is that the computer account is not found on the domain when I try to login and both OSes are joined to the domain. I tried to rename the machine to different names in each OS but the same thing happens. Is there a way to do that? (login to domain using both OSes without having to disjoin?)

Thank you

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
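Editor's added example, not from the thread: the check to run from whichever OS is booted on a dual-boot box like shereen's. Each Windows installation keeps its own copy of the machine-account password in its LSA secrets; when both installations join under the same computer name, each join resets the password on the one account in the domain, and the installation that did not do the join is left holding a stale one, which is why only the most recently joined OS can log on to the domain. Joe's "different names" advice gives each installation its own account. The script reports whether this installation's secure channel is intact and what the directory recorded for the account it is using. It assumes the ActiveDirectory module (RSAT) is installed and the session has read access to the computer object; nothing else.

```powershell
# Added example, not from the thread: run inside whichever OS is booted on a
# dual-boot machine. Shows whether THIS installation's secure channel to the
# domain works, and what the domain recorded for the computer account it uses.
# Assumes the ActiveDirectory module (RSAT) is present.
function Get-DualBootDomainState {
    $name = $env:COMPUTERNAME

    # True only if the machine-account password this OS holds in its LSA secret
    # still matches what the domain controllers have for the account.
    $channelOk = Test-ComputerSecureChannel -ErrorAction SilentlyContinue

    # What the directory recorded the last time any OS used this account name.
    $acct = Get-ADComputer -Identity $name `
        -Properties PasswordLastSet, OperatingSystem, OperatingSystemVersion, LastLogonDate `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        BootedOS          = (Get-CimInstance Win32_OperatingSystem).Caption
        ComputerName      = $name
        SecureChannelOK   = [bool]$channelOk
        AccountFound      = $null -ne $acct
        AccountOS         = $acct.OperatingSystem   # differs from BootedOS when the other install last joined under this name
        AccountPwdLastSet = $acct.PasswordLastSet   # a reset you did not do from this OS means the other one did it
        AccountLastLogon  = $acct.LastLogonDate
    }
}

$state = Get-DualBootDomainState
$state | Format-List

if ($state.AccountFound -and -not $state.SecureChannelOK) {
    Write-Warning "This installation's machine-account password no longer matches the domain's copy."
    Write-Warning "Test-ComputerSecureChannel -Repair -Credential (Get-Credential) fixes THIS OS, and breaks the other one again if both use the same computer name."
}
```

The AccountOS and AccountPwdLastSet columns are what tell the story: if you booted XP and the account says Windows Server 2003 with a password set at the time you last joined from the other installation, the two OSes are fighting over one account. Rename one installation (joe's advice), join it again, and re-run the check from both sides.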
RE: [ActiveDir] WinXP and Win2003
If you want to test 64 bit you are kind of screwed too, oh wait vmware workstation does that as well...

Just don't like VPC, do you? :o)

What about USB are you looking for? What does VMWare do with USB that is this vital? I doubt it's the USB coffee warmer...

As to the 64-bit support, I guess that would concern me if my laptop had an x64 chip. But, then I could use VS 2005 R2. But, I'm not going to argue the virtues of VMWare vs. VPC. I use VPC because it's what 100% of the material that I get from internal is supplied on. And, I get about 100 or so DVDs with all types of imaginable configurations. I'm glad that you've got the time to put together all of these disks, joe. I wish I had that kind of time.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

I am not a big workstation OS type of person; I use XP only when I must. Longhorn seems to work ok in a VM. I do agree that it isn't the right thing for all situations, but half the people setting up dual booting blow it anyway. VM is a much simpler solution for most people. Obviously if you are doing perf or physical hardware related testing it is tough. Heck, even if you want USB you can't use VPC; you use vmware instead. If you want to test 64 bit you are kind of screwed too, oh wait vmware workstation does that as well...

(...)
RE: [ActiveDir] WinXP and Win2003
One question: is all of your validation testing done on VMs, or is the final sign off done on 'production deployable' hardware? I'm a big advocate of VM testing, just to set the record straight.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Sunday, January 01, 2006 2:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

I would have to agree ;-) At work I run completely on VMs using ESX. All my testing is done on a Dell PE1800 with about 8 VMs including AD, Exchange (clustered), SQL, etc. For those looking to do simple testing of apps check out VM Player http://www.vmware.com/vmplayer. You can't create VMs but you can run any pre-built VM, including MS VPC VMs.

(...)
RE: [ActiveDir] OT: Request for Test AD Population Data
Tomasz,

I think that Mark is looking to populate his metabase with data other than User 1, User 2, User 3, etc. with simple or blank attributes. So, he's looking for stuff like Homer Simpson, with all of the user data, then Marge, etc.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Monday, January 02, 2006 2:52 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Request for Test AD Population Data

Mark Parris wrote:
Happy New Year to all. Does anyone know where I can obtain generic user data for importing into various ADs? I am starting to improve my knowledge on the concept of Meta directories and I want a little bit more information in the user fields than User1, 2, 3 etc etc.

This is how to turn the topic to the track :) What do you mean by generic user data? I don't think there is something like this.

--
Tomasz Onyszko
http://www.w2k.pl
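Editor's added example, not from the thread: one way to get what Mark is after without shipping real people's data into a lab. The script builds a reproducible set of synthetic users with the attributes a metadirectory sync actually keys on (given name, surname, sAMAccountName, UPN, mail, department, title, phone, employee ID), exports them to CSV, and has a function to create them with New-ADUser. The names are the Simpsons characters Rick mentions plus a few more, the departments, titles and lab.example.com domain are constructed sample data, and the OU in Import-SampleUsers is an assumption.

```powershell
# Added example, not from the thread: generate synthetic but realistic-looking
# user records for a lab forest or metadirectory test, export them as CSV, and
# optionally create them with New-ADUser. All names, departments and the mail
# domain are constructed sample data; the target OU is an assumption.
$FirstNames  = 'Homer','Marge','Bart','Lisa','Ned','Maude','Apu','Moe','Edna','Seymour'
$LastNames   = 'Simpson','Flanders','Nahasapeemapetilon','Szyslak','Krabappel','Skinner'
$Departments = [ordered]@{ Finance = 'Accountant'; Engineering = 'Systems Engineer'; Sales = 'Account Manager'; HR = 'Recruiter' }
$MailDomain  = 'lab.example.com'   # constructed

function New-SampleUserSet {
    param([int]$Count = 50, [int]$Seed = 42)
    $maxUnique = $FirstNames.Count * $LastNames.Count
    if ($Count -gt $maxUnique) { throw "Only $maxUnique distinct first/last name pairs are available." }
    $rnd      = New-Object System.Random $Seed   # fixed seed: same Count and Seed always give the same records
    $seenName = @{}
    $seenSam  = @{}
    $users    = @()
    while ($users.Count -lt $Count) {
        $gn = $FirstNames[$rnd.Next($FirstNames.Count)]
        $sn = $LastNames[$rnd.Next($LastNames.Count)]
        if ($seenName.ContainsKey("$gn $sn")) { continue }   # CN must be unique within the OU
        $seenName["$gn $sn"] = $true
        $dept = @($Departments.Keys)[$rnd.Next($Departments.Count)]

        # sAMAccountName: first initial + surname, at most 20 characters, numeric suffix on collision
        $base = ($gn.Substring(0, 1) + $sn).ToLower()
        if ($base.Length -gt 20) { $base = $base.Substring(0, 20) }
        $sam = $base; $i = 1
        while ($seenSam.ContainsKey($sam)) {
            $i++
            $sam = $base.Substring(0, [Math]::Min($base.Length, 20 - $i.ToString().Length)) + $i
        }
        $seenSam[$sam] = $true

        $users += [pscustomobject]@{
            GivenName         = $gn
            Surname           = $sn
            DisplayName       = "$gn $sn"
            SamAccountName    = $sam
            UserPrincipalName = '{0}@{1}' -f $sam, $MailDomain
            EmailAddress      = ('{0}.{1}@{2}' -f $gn, $sn, $MailDomain).ToLower()
            Department        = $dept
            Title             = $Departments[$dept]
            OfficePhone       = '555-{0:D4}' -f $rnd.Next(0, 10000)
            EmployeeID        = 'E{0:D5}' -f $rnd.Next(0, 100000)
        }
    }
    $users
}

function Import-SampleUsers {
    param(
        [object[]]$Users,
        [string]$Path = 'OU=Lab Users,DC=lab,DC=example,DC=com',   # assumption
        [securestring]$InitialPassword
    )
    # Lab only: one shared initial password, forced change at first logon.
    foreach ($u in $Users) {
        New-ADUser -Name $u.DisplayName -GivenName $u.GivenName -Surname $u.Surname `
            -SamAccountName $u.SamAccountName -UserPrincipalName $u.UserPrincipalName `
            -EmailAddress $u.EmailAddress -Department $u.Department -Title $u.Title `
            -OfficePhone $u.OfficePhone -EmployeeID $u.EmployeeID -Path $Path `
            -AccountPassword $InitialPassword -Enabled $true -ChangePasswordAtLogon $true
    }
}

$set = New-SampleUserSet -Count 50
$set | Export-Csv -Path .\sample-users.csv -NoTypeInformation
# Once the lab OU exists and you have rights on it:
# Import-SampleUsers -Users $set -InitialPassword (Read-Host -AsSecureString 'Initial lab password')
```

The fixed seed matters for metadirectory work: you can drop and re-create the same population in two forests and know that joins on employeeID or mail will line up. Add name lists to taste; the uniqueness checks keep the CN and sAMAccountName valid no matter how small the lists are.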
RE: [ActiveDir] WinXP and Win2003
Funny. I was more discussing the direction that the overall thread had taken. Since this no longer is along the lines of what the poster was looking for (hopefully, Al, you can be the post police to make sure that nothing goes off-topic or askew any longer. Me, I'm done with Active-Dir), I'm not going to respond in kind.

Cheers.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, January 02, 2006 1:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] WinXP and Win2003

Hey Rick, can you differentiate for us what the difference would be between 'production deployable' configurations and those that aren't, related to virtual machines? Maybe in two sentences or less with hyperlinks? Having used both ESX and VS 2005 I can honestly say there is at least one difference, maybe more, often related to performance; that's not by accident either. I would in no way advocate running Mac-on-IntVista in a VM, but then again I wouldn't advocate running Vista at all and especially not on a 32bit platform at this time. I think the original poster's configuration is possible and has some benefits, especially since it sounded like the original poster wants to keep a job. Hopefully she realizes where the error was and is busily fixing it and using the corrected configuration. I think the answer is somewhere in the 30+ posts, but I'm curious about the VM comments you made and I'm hoping to learn something here.

Cheers,
Al

On 1/2/06, Rick Kingslan [EMAIL PROTECTED] wrote:
(...)
RE: [ActiveDir] WinXP and Win2003
Duly corrected. Thanks.

Cheers.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, January 02, 2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

Just to be clear, VS2005R2 does not support 64-bit guests.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, January 02, 2006 9:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

(...)
RE: [ActiveDir] icmp's
The real benefit to the GPO method is that you can target scripts to the same _groups_ in which the GPO would affect, and you can target Computer groups, which you can't do (for obvious reasons) with logon scripts. This lends itself to some very elegant solutions that I'm sure one could do with some fancy environment or user/computer-based variables or attribute checking. Of course, it begs the obvious question: Why? If it means developing a whole manner and method to get variables and/or attributes identified and called, when you only would need to use GPO-based scripts, I think the answer becomes self-evident.

As to being called "Legacy", which seems to be the real problem here, it's simply verbiage that I don't think I'd get my panties in a bunch over. The user-focused versus the GPO-focused scripts are going to be around as far out as I can see (and, that's really not THAT far, to be honest).

Cheers!

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Sunday, January 01, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

I thought I read somewhere in some MS doc it being referred to as legacy, since now you can put multiple logon scripts in GPOs and they recommend doing it that way. Every time a new OS or feature comes out, MS tends to refer to the previous OS/feature as legacy or down-level. Maybe I just made a silly assumption that using a logon script as a user attribute (I guess somewhat similar to the way NT did it) instead of a GPO was legacy.

thanks

On 1/1/06, Al Mulnick [EMAIL PROTECTED] wrote:

I personally haven't heard it referred to as legacy. I think that may be because it wasn't a legacy method when I last heard it ;)

I haven't tested this, so your mileage may vary, but: the legacy method would have been created and designed for a time before ICMP was the norm. As such, I wouldn't expect that to break if ICMP was disabled. Several things will break, but I don't believe that's one of them.

Test it. You'll know for sure then, right? Besides, I don't imagine a lot of networks out there are configured with ICMP disabled like that.

Al

On 12/31/05, Tom Kern [EMAIL PROTECTED] wrote:

That's it. Isn't that the way it's referred to in MS-speak? I hope I didn't just make that up...

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:

Presumably setting the scriptPath attribute on accounts...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Fri 12/30/2005 8:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

When you say legacy way, what does that mean exactly?

On 12/30/05, Tom Kern [EMAIL PROTECTED] wrote:

Would this also affect clients getting logon scripts? And when I say logon scripts, I mean the legacy way of distributing them, NOT through GPOs.

Thanks again

On 12/30/05, Brian Desmond [EMAIL PROTECTED] wrote:

You need to enable ICMP echo source clients dest DCs, and ICMP echo-reply source DCs dest clients. The rules look something like this:

    access-list DC_VLAN_OUT line 1 permit icmp any object-group domain_controllers echo
    access-list DC_VLAN_IN line 1 permit icmp object-group domain_controllers any echo-reply

Have your network people considered rate-limiting ICMP packets rather than shutting them down altogether? IMHO that's the correct way to handle this. Ping (echo, echo-reply) and traceroute (traceroute, time-exceeded) are necessary pieces of a network.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Fri 12/30/2005 9:25 AM
To: activedirectory
Subject: [ActiveDir] icmp's

What effect would blocking ICMP packets on all VLANs have on Win2k/XP client logons in a Win2k forest? Any? I know clients ping DCs to see which responds first, and later ping DCs to determine round trip time for GPO processing, but would blocking ICMP have any adverse effects on clients?

I only ask because my corp blocks ICMP on all our VLANs and I get a lot of event ID 1000 from Userenv with an error code of 59, which, when I looked it up, refers to network connectivity issues. I think this event ID is related to the fact we block ICMP packets, and I was wondering if that's something I should worry about in a Win2k network.

Thanks
RE: [ActiveDir] WinXP and Win2003
Hehe. Let me know how that full-out testing of Vista and Aero Glass is going for you in a VPC or a VMware virtual machine. I agree, dual-booting is not the optimal method of running different OSs, but if you want the OS to have the full machine, rather than the limited virtualized hardware that the VMs are allowed, I think dual booting still has a very strong place in the testing / learning environment.

And, make no mistake, this is coming from a guy that, when on the road, has a 250GB external with nothing BUT VMs, with VPC and VS 2005 R2 on his laptop. I love virtualization. It's just not the right thing for all situations.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WinXP and Win2003

I have no clue why it wouldn't allow you to have different names for the OS and then both can be joined at the same time; I have done this often. You did use different directories for the installations, right?

Any more, dual booting is going the way of the dodo; the new thing is virtualization software, so you have both instances up and running at once. Look at Virtual PC or VMware Workstation.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of shereen naser
Sent: Sunday, January 01, 2006 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WinXP and Win2003

Hi list,

I have Windows XP SP2 on my machine. I need to test something, so I installed Windows 2003 Server Enterprise Edition R2 on the same machine, same hard disk. I can see the dual boot screen and choose the OS, but I can only log in to the domain if one of the OSs is disconnected from the domain. Meaning, if I want to log in to the Windows 2003 I have to go to the Windows XP and disjoin the machine from the domain, then restart and log in to the domain in Windows 2003; if I want to log in to WinXP I go to Windows 2003 and disjoin it from the domain, then restart and join the XP to the domain and log in. Locally I can log in to both machines, no problem.

The error is that the computer account is not found on the domain when I try to log in and both OSes are joined to the domain. I tried to rename the machine to different names in each OS, but the same thing happens. Is there a way to do that? (Log in to the domain using both OSs without having to disjoin?)

Thank you
RE: Re: [ActiveDir] icmp's
joe stood up and attempted to smack Mark Parris with a large trout, saying:

    I would rather not set domain policy with GPOs. While I am at it, I think we are far beyond the point that we should have the ability to programmatically handle settings in policies.

Huh? Can you explain both statements, joe? I understand the context of the first, but not why. The second I just am not sure what you're getting at. Help out an old haggard road warrior. ;o)

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

Come on, who ya going to believe? Microsoft, who has all sorts of typos in the documentation (I just saw a reference to objectcategory=user in an MS doc 2 days ago, I still have the bruise on my forehead), or our trusted source... Al? :o)

Personally I like the old style logon scripts better than GPO logon scripts. Way too many things impact GPO functions. I never found it difficult to write logon scripts designed to work on specific users nor machines, so didn't need the sorting capability of GPOs. Overall I am ok level happy with having a default domain GPO and default DC GPO as the only GPOs. I would rather not set domain policy with GPOs. While I am at it, I think we are far beyond the point that we should have the ability to programmatically handle settings in policies.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Sunday, January 01, 2006 9:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: Re: [ActiveDir] icmp's

This is from the Microsoft article "Enterprise logon scripts":

    By default, logon scripts written as either .bat or .cmd files (so-called legacy logon scripts) run in a visible command window; when executed, a command window opens up on the screen. To prevent a user from closing the command window (and thus terminating the script), you can enable the Run legacy logon scripts hidden policy. This ensures that all legacy logon scripts run in a hidden window.

Mark

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 01 January 2006 14:18
To: ActiveDir@mail.activedir.org
Subject: [Norton AntiSpam] Re: [ActiveDir] icmp's

I thought I read somewhere in some MS doc it being referred to as legacy, since now you can put multiple logon scripts in GPOs and they recommend doing it that way. Every time a new OS or feature comes out, MS tends to refer to the previous OS/feature as legacy or down-level. Maybe I just made a silly assumption that using a logon script as a user attribute (I guess somewhat similar to the way NT did it) instead of a GPO was legacy.

thanks
RE: [ActiveDir] WinXP and Win2003
Re: My message to joe. Maybe 50% of the time - I'd agree. However, if you want to test that snazzy new Fibre HBA, or would like to see what the impact for the user is going to be with CAD with the newest high-end InterGraph workstation video card - VMs aren't going to work. The hardware selection in VMs is intended to be generic. Which, for testing or learning BizTalk and SQL interaction with ADAM and ADFS, rocks, because the hardware doesn't matter.

Again - be sure of this - I love VMs. I just can't test Vista on it because Aero Glass is the target, and I can't quite put an LDDM driver on the generic graphics coded in, for example.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Sunday, January 01, 2006 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] WinXP and Win2003

Did you originally use different names, or the same name for each computer?

And I agree with Joe: Dual-booting is becoming obsolete.
http://www.ultratech-llc.com/KB/?File=BootMgr.TXT

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 1/1/06, shereen naser [EMAIL PROTECTED] wrote:

Hi list,

I have Windows XP SP2 on my machine. I need to test something, so I installed Windows 2003 Server Enterprise Edition R2 on the same machine, same hard disk. I can see the dual boot screen and choose the OS, but I can only log in to the domain if one of the OSs is disconnected from the domain. Meaning, if I want to log in to the Windows 2003 I have to go to the Windows XP and disjoin the machine from the domain, then restart and log in to the domain in Windows 2003; if I want to log in to WinXP I go to Windows 2003 and disjoin it from the domain, then restart and join the XP to the domain and log in. Locally I can log in to both machines, no problem.

The error is that the computer account is not found on the domain when I try to log in and both OSes are joined to the domain. I tried to rename the machine to different names in each OS, but the same thing happens. Is there a way to do that? (Log in to the domain using both OSs without having to disjoin?)

Thank you
RE: [ActiveDir] icmp's
    Note Exchange doesn't take kindly to ICMP echo being disabled either. If Exchange can't ping a DC, DSACCESS does not see that DC unless you have specially configured it.

Which, I always thought, was a pretty funny way of doing things anyway. As you are well aware, ping doesn't mean alive and healthy. I know of many people who have spent hours to days troubleshooting a problem just to find that the machine that they first suspected as being the problem pinged just fine. Sadly, it was dead from the neck up, and ports 389 and 3268 were non-responsive (along with all of the other really important stuff).

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, January 01, 2006 10:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] icmp's

I would agree, the old style logon scripts should be fine, UNLESS you have implemented your own speed sensing based on ICMP in the logon script (many of us did that long before MS did it for those who didn't figure it out).

Note Exchange doesn't take kindly to ICMP echo being disabled either. If Exchange can't ping a DC, DSACCESS does not see that DC unless you have specially configured it. If you never want to fail outside of a segment then that is the way to do it, but most people would rather fail over to any DC versus say, nah, those are too far away, even though none of my local DCs are available if things go pear shaped.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, January 01, 2006 9:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] icmp's

I personally haven't heard it referred to as legacy. I think that may be because it wasn't a legacy method when I last heard it ;)

I haven't tested this, so your mileage may vary, but: the legacy method would have been created and designed for a time before ICMP was the norm. As such, I wouldn't expect that to break if ICMP was disabled. Several things will break, but I don't believe that's one of them.

Test it. You'll know for sure then, right? Besides, I don't imagine a lot of networks out there are configured with ICMP disabled like that.

Al
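The thread separates two DC failure modes that a plain ping hides: a DC that pings but whose LDAP ports are down, and a DC whose LDAP ports answer but that is filtered from ICMP, which ping-gated consumers (DSAccess, home-grown speed sensing in logon scripts) treat as absent. The script below, an added example rather than code from the list or any poster, probes each DC for ICMP echo and for TCP 389/3268 and reports which case applies; the DC names are constructed placeholders and the ping flags assume Linux or Windows.

```python
"""DC reachability triage: ICMP echo versus LDAP (389) and GC (3268) TCP ports.

Added example for the icmp's thread (not code from the list or any poster).
Assumptions: hostnames in main() are placeholders; the OS ping tool is on PATH
and takes Linux (-c/-W) or Windows (-n/-w) flags.
"""
import platform
import socket
import subprocess

LDAP_PORT = 389
GC_PORT = 3268


def icmp_echo(host, timeout_s=1.0):
    """Send one ICMP echo request via the OS ping tool; True if a reply came back."""
    on_windows = platform.system() == "Windows"
    # Windows: -n count, -w timeout in ms.  Linux: -c count, -W timeout in seconds.
    args = ["ping",
            "-n" if on_windows else "-c", "1",
            "-w" if on_windows else "-W",
            str(int(timeout_s * 1000)) if on_windows else str(max(1, int(timeout_s))),
            host]
    try:
        result = subprocess.run(args, stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL, timeout=timeout_s + 3)
    except (OSError, subprocess.TimeoutExpired):
        return False  # no ping tool, no raw-socket rights, or it hung
    # Windows ping exits 0 even on "Destination host unreachable"; good enough for triage.
    return result.returncode == 0


def tcp_port_open(host, port, timeout_s=1.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:  # refused, timed out, unresolvable, or no network at all
        return False


def classify(icmp_ok, ldap_ok):
    """Reduce the ICMP and LDAP probe results to one verdict string."""
    if icmp_ok and ldap_ok:
        return "healthy"
    if icmp_ok and not ldap_ok:
        return "ping-only"    # pings fine, LDAP down: "dead from the neck up"
    if ldap_ok and not icmp_ok:
        return "ldap-only"    # alive, but invisible to ping-gated consumers such as DSAccess
    return "unreachable"


def assess_dc(host, timeout_s=1.0):
    """Probe one DC and return a dict suitable for logging or alerting."""
    icmp_ok = icmp_echo(host, timeout_s)
    ldap_ok = tcp_port_open(host, LDAP_PORT, timeout_s)
    gc_ok = tcp_port_open(host, GC_PORT, timeout_s)   # only global catalogs listen here
    return {"host": host, "icmp": icmp_ok, "ldap": ldap_ok, "gc": gc_ok,
            "verdict": classify(icmp_ok, ldap_ok)}


def main():
    # Constructed placeholder DC names; replace with your own DC list.
    for dc in ["dc1.example.invalid", "dc2.example.invalid"]:
        r = assess_dc(dc)
        print(f"{r['host']:28} icmp={r['icmp']!s:5} ldap={r['ldap']!s:5} "
              f"gc={r['gc']!s:5} -> {r['verdict']}")


if __name__ == "__main__":
    main()
```

A "ldap-only" verdict is the configuration the thread is about: the DC works, but anything that pings before using it will skip it.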
RE: [ActiveDir] Domain case
Correct. Devon, as much pain as there is in the process, AS I UNDERSTAND IT (I do not speak for PSS) the Domain Rename process is the only supported method of doing what you want to do. Jorge's lab experiment does indicate that you might be able to do it along his described way, but you need to be cautious when doing anything that is outside the supported methods. Though you might not be denied assistance, if the method chosen outside of the supported method proved to be a contributor to a problem some days, months, years down the road - PSS may defer the issue. As it is termed (which some hate the wording), 'best effort' support may be all that would be offered.

And, if you have Exchange in the environment - it greatly complicates any of these, though the rename is still the safest route.

Me - I'd deal with the letter case and move on in life. There are so many other things that cause pain that a domain rename is not worth seeing all lower case in a dialog box. But, that's me - YMMV.

Rick

--Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, December 08, 2005 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain case

This is the only thing I would be willing to point at:
http://www.microsoft.com/technet/downloads/winsrvr/domainrename.mspx

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, December 08, 2005 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain case

So you know exactly how I feel, Joe. I really, really, really would like to fix this. Joe, can you dig up the doc on how to do this?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, December 08, 2005 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain case

I went through this decision tree a long time ago, when I was upgrading a company from NT to 2K and went to Europe. I let the European admin enter the name of the domain; I didn't catch the upper case on the domain name EU1 until afterward... It bothered the heck out of me. I worked out how to change it but never had the courage to actually do it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 08, 2005 11:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain case

Agree completely. I also assumed that the name appeared 'wrongly' to users, as well as in ADDT. [hence domain rename] If the only requirement is to change the name in ADDT then benefit versus pain is really skewed towards pain :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 08 December 2005 15:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain case

IMHO, a domain rename would be needed if the NetBIOS and/or DNS domain name needed to change (different structure). Just for changing the case in ADDT a domain rename is not needed. Just did it in my test environment by changing the case of the value of the attribute "dnsRoot" of the object "CN=Domain Name,CN=Partitions,CN=Configuration,DC=Domain Name,DC=tld". The case in ADDT also changed.

However, although I have shown it here, I DO NOT RECOMMEND IT! (as I do not know what the consequences are of doing it!) It may look better, but WHO CARES? I would leave it as is. A small mistake and you could be in deep sh*t. If it works, don't break it!

Cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 12/8/2005 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain case

I suspect a domain rename is your only option and I would doubt that the benefit outweighs the pain in this scenario. What is the (perceived) issue with the case?

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: 08 December 2005 14:08
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain case

Is there any way to change the case of a child domain in AD from all upper-case to all lower-case? Example: when I look in Active Directory Domains and Trusts, I have this:

- domain.com
  + child1.domain.com
  + child2.domain.com
  + CHILD3.DOMAIN.COM
  + child4.domain.com

I want to change CHILD3.DOMAIN.COM to child3.domain.com. This also exists when I try to browse the domain tree in ADUC.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
RE: [ActiveDir] DMZ domains and IPSec - looking for explanation re resource access and authentication
    I haven't perused the OS source code

Right. Rub it in, bud. ;o)

Rick

--Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, December 08, 2005 8:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DMZ domains and IPSec - looking for explanation re resource access and authentication

I haven't perused the OS source code for this, but from my experience this is how it works...

In order for the member server to resolve a name to a SID, it needs to be able to connect to a domain controller of the domain specified. If it can't reach the domain controller, it can't convert the name to a SID.

The SID to name conversion, on the other hand, is handled differently. The machine tries to handle it locally, and if it isn't a local SID it passes it up to the DC that authenticated the computer (i.e. the DMZ DC) and lets it try to resolve it; that machine will look at its local SIDs (objectsid/sidhistory) and then, if it doesn't find it there, will start chasing through the trusts.

I have never tested that specific scenario, but you should be able to add an internal domain secprin to the DMZ member server without working from the DC. It would require a tool that knows how to specify the server to use for the name to SID resolution. Let me think if such a tool exists... oh yeah, look at lg on my website - http://www.joeware.net/win/free/tools/lg.htm. There is a -r option to specify the machine you want to use for the name to SID resolution. I added that option so you could add secprins from a domain the machine wasn't a member of yet to the admins group, so when you added it to the domain, the membership was already set (great for migration scenarios where you aren't a domain admin in the next domain).

Now that being said, I am not a fan of internal networks being accessible from the extranet or from the DMZ unless doing very specific individual server:port based reverse proxy with that single port being heavily defended on the internal host. Anything that compromises one of the DMZ domain machines can at the least most likely enumerate info from the internal domains. If someone wants to be cute, they could easily D.O.S. attack you from there as well.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chakravarty, Sakti
Sent: Wednesday, December 07, 2005 10:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DMZ domains and IPSec - looking for explanation re resource access and authentication

Hi all,

I'm looking for an explanation; this is a bit of a complicated scenario, but I'll try to be succinct. Whilst I have a fair bit of AD experience, I'm not the AD administrator at my current place of work. The AD administrators are not forthcoming with information, hence my post here.

We have a corporate network with a Windows 2003 forest (mixed-mode) with multiple domains. We also have a DMZ, in which there is a separate Windows 2003 forest with a single domain. There is an IPSec policy set up between domain controllers in the DMZ domain and domain controllers in one of the domains in the corporate forest (I'll call it the "internal domain"). There is a one-way trust: the DMZ domain trusts the internal domain. Our aim is to provide access to resources in the DMZ domain by using accounts in the internal domain.

My role includes managing Member Servers. We built a server in the internal domain, added some groups from that domain into the Administrators group, then physically moved it to the DMZ. Then, the names in the Administrators group would no longer resolve (since it is still a member of the internal domain, but physically disconnected from it). Next, we made the server a member of the DMZ domain, and the names now resolve. So, it seems the Member Server is talking to the DMZ DC, which is querying the internal DC to resolve the name.

What we cannot do is log onto the Member Server in the DMZ and add an account from the internal domain. The reasoning we are given is that the IPSec policy and trust is between DCs only, and not the Member Server. If the DMZ Domain Admin logs onto the DMZ DC, then makes a Computer Management connection to the Member Server, then groups from the internal domain can be added to the Member Server.

Can anyone explain to me why this is so? I don't understand why resolving names is different to adding a user; it seems to me the same authentication path is followed.

Thanks in advance
Sakti
RE: [ActiveDir] Ntds.dit file corruption
Replication is at an attribute level and the corruption is usually a bit flip - which isn't replicated. The data itself (a table or an index) is checked and, if found to be invalid, I *believe* (joe, ~Eric, brettsh) is marked as such and is no longer replicated.

-r

--Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, December 06, 2005 2:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

Is this guaranteed? How can we/you be sure that the system will recognise the corruptions and therefore not replicate them? Surely this is akin to the new feature added to E2K3 SP1, but which is (sadly) missing from AD(?) I must be missing a subtle point - please show me the light :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 05 December 2005 19:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

We do not replicate corruption, so if you have local corruption as noted below there is no worry that it would replicate around to other servers in the environment.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 1:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

Will Read Only DCs take care of this? I don't know much about them yet, but it makes sense that if the copy of the dit that a DC has is RO that it won't try to replicate that anywhere and would only be the recipient of replication. Anyone with more knowledge about how RO DCs will work to comment on that?

Phil

On 12/5/05, Medeiros, Jose [EMAIL PROTECTED] wrote:

Well, at least the corruption occurred on just a single DC. One thing that has bugged me about Active Directory is not being able to select if you want a DC in a remote office to not have the ability to replicate back in a large enterprise environment. Since most remote offices only have a few people at the location and a DC is usually placed for improvised logon and authentication time, many companies will either use a very low end server or a very old decommissioned one from their production data center (which is probably close to the end of its useable life). I am always concerned that once the NTDS.DIT file becomes corrupt it will replicate the corruption to the other DCs in the Forest. Maybe I am just being a worry wart and this really is not an issue.

Sincerely,
Jose Medeiros
ADP | National Account Services ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, December 05, 2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

I did? :-) I think I still said all I know is what the poster said :-)

I think I need a course in event log reading, because even with the logs, and the default size of the logs, I still don't see a smoking gun. The directory services one is filled with events 'post' blow up. What is interesting is that it seems to me big server land goes .. oh yeah... ntds.dit corruption... and sbsland freaks out. Either we do indeed need to ensure we have a secondary DC, or we need to park a second copy of a system state offsite [say at the vap/var].

Brett Shirley wrote:

She replied offline: very likely a single bit flip, tragedy, they aren't one release later (Longhorn), where this would've probably been non-disruptively handled, logged, and possibly self-healed: http://blogs.technet.com/efleis/archive/2005/01.aspx

Anyway, this kind of thing is usually hardware ... While there are much better disk sub-system testers, one that is freely available to any box with Exchange is jetstress. You might give that a try. If you can reproduce the event / error with jetstress I would not use that box in production. If you do reproduce the issue several times (several times is key, as you want a trend before you start playing the variable game), some things you might vary (one at a time):

- Try making sure you have the latest driver and motherboard / controller firmware. Then see if you can reproduce.
- Try a different RAID configuration, such as RAID1/RAID1+0 if you're on RAID5.
- Try swapping out the hard drives, one at a time.
- Adding the jetstress files to the exclude list in the Anti-Virus software. (A low probability; I've never heard of Anti-Virus causing this particular type of error, and I can't imagine the mistake an anti-virus product would have to have to cause this side effect.)
- If you can reproduce it several times, you could follow up with Dell.

Good luck. I'm not sure if I answered your question ...
RE: [ActiveDir] Ntds.dit file corruption
I've been informed that I'm wrong on this. Please ignore, and listen to joe/~Eric/Dean/Brett/Anyone else. Cheers! -r --Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Wednesday, December 07, 2005 5:19 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ntds.dit file corruption
Replication is at an attribute level and the corruption is usually a bit flip - which isn't replicated. The data itself (a table or an index) is checked and if found to be invalid, I *believe* (joe, ~Eric, brettsh) is marked as such and is no longer replicated. -r --Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, December 06, 2005 2:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ntds.dit file corruption
Is this guaranteed? How can we/you be sure that the system will recognise the corruptions and therefore not replicate them? Surely this is akin to the new feature added to e2k3 sp1, but which is (sadly) missing from AD(?) I must be missing a subtle point - please show me the light :) neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan Sent: 05 December 2005 19:26 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Ntds.dit file corruption
We do not replicate corruption so if you have local corruption as noted below there is no worry that it would replicate around to other servers in the environment. Thanks, -Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf Sent: Monday, December 05, 2005 1:04 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Ntds.dit file corruption
Will Read Only DC's take care of this? I don't know much about them yet, but it makes sense that if the copy of the dit that a DC has is RO that it won't try to replicate that anywhere and would only be the recipient of replication. Anyone with more knowledge about how RO DC's will work to comment on that? Phil

On 12/5/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
Well at least the corruption occurred on just a single DC. One thing that has bugged me about Active Directory is not being able to select if you want a DC in a remote office to not have the ability to replicate back in a large enterprise environment. Since most remote offices only have a few people at the location and a DC is usually placed for improvised logon and authentication time, many companies will either use a very low end server or a very old decommissioned one from their production data center (which is probably close to usable life). I am always concerned that once the NTDS.DIT file becomes corrupt it will replicate the corruption to the other DC's in the Forest. Maybe I am just being a worry wart and this really is not an issue. Sincerely, Jose Medeiros ADP | National Account Services ProBusiness Division | Information Services 925.737.7967 | 408-449-6621 CELL

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Monday, December 05, 2005 8:53 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Ntds.dit file corruption
I did? :-) I think I still said all I know is what the poster said :-) I think I need a course in event log reading because even with the logs, and the default size of the logs, I still don't see a smoking gun. The directory services one is filled with events 'post' blow up. What is interesting is that it seems to me big server land goes .. oh yeah... ntds.dit corruption...
and sbsland freaks out. Either we do indeed need to ensure we have a secondary DC or we need to park a second copy of a system state offsite [say at the vap/var]

Brett Shirley wrote:
She replied offline, very likely a single bit flip, tragedy, they aren't one release later (Longhorn), where this would've probably been non-disruptively handled, logged, and possibly self-healed: http://blogs.technet.com/efleis/archive/2005/01.aspx Anyway, this kind of thing is usually hardware ...
RE: [ActiveDir] windows installation question
You will need to have two things - One: A separate partition in which to install XP into. Two: a DOS-bootable network enabled floppy to map to a share (in which an administrative 'dump' of XP has been done) or shared CD drive on another machine. After mapping to one of these two, you could then install across the network, selecting the partition for XP - but NOT the same one that 2000 resides in. Rick --Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roseta radfar Sent: Sunday, November 27, 2005 12:29 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] windows installation question
Hello, I have a computer which has w2k on it. It is on a network and does not have a CD drive. Now I want to have XP on it without removing w2k. Is there any way that I can install XP through the network without damaging my w2k? Thanks in advance. Roseta
RE: [ActiveDir] FRSInlog
Both of the errors deal with journal wrap in the FRS logs. A number of issues as to WHY this happens. However, I'd upgrade to UltraSound - the successor to Sonar. It has much better JIT information associated with the errors - and how to fix them. Rick -- Posting is provided AS IS, and confers no rights or warranties ...

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Green Sent: Saturday, November 26, 2005 12:22 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] FRSInlog
Hi, I am using the Microsoft Sonar tool to keep an eye on my 6 DCs in 2 domains - FRS / SYSVOL. Last week Sonar flagged a few errors - FRSInlog, FRSSets - I am not impressed by the help file you don't get with Sonar - so what do these errors mean? FRSInlog?? or FRSSets?? Thanks for help, James
RE: [ActiveDir] Windows 2003 SP1 upgrade...
yawn Sometimes, I realize that I commented on something, go back and read the thread and come upon a novella. Occasionally, all I want is a paragraph. Hopefully, all of this information wasn't meant for me, because all I do day in, day out these days is drink from a fire hose - hence why I'm not around so much these days. This hopefully helped others, as it presents no value to me right now at all. I'm versed in this quite well. Yes - the question was meant to stir a conversation - more about interactive as a mechanism to remove a looming hole for accounts that NEED high level permissions but don't NEED to be logged into. Surprisingly, this is a vector that most people forget about. If you don't need to log in to it - why does it have interactive? As to which LUA - the actual, higher level principle of giving nothing (not just people) any more access than it absolutely requires. I made the assumption that the ACLing that you referred to had already removed any and all unnecessary permissions to things unsavory, dangerous, and shiny-but-sharp from touch. Hence the question about interactive. It's not an ACL. And, as to our direction with software and decisions made - I don't comment much publicly anymore. I've gotten myself into too much trouble of late, another reason I'm not here as much. Brett can answer some of these, or get someone from the dev team on Security issues. I'll answer anything you want on MCS and how to implement. But, as to why things are or where they are going to be in future product - I won't be commenting on that. That's another pretty, shiny, sharp-thing. Rick --Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, November 21, 2005 7:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Windows 2003 SP1 upgrade...
No. MS made it now so that you either need to use an ID that has admin rights or you have to change the ACL on the SCM to monitor the services OR the application doing the monitoring needs to know specifically what service to look at AND know how to ask how to open it WITHOUT asking for enumeration rights, which is unusual since it was always possible previously because the ACL on the SCM wasn't configurable. All example source showed how to do it in a way that would break after the change. What this change does is require more privileges to do work easily done with an unprivileged account or require you to partially undo what MS did to lock it down. Since the ability to change the SCM ACL previously wasn't something that could be done at all, I understand the idea to lock it down once it could be modified. However, MS didn't really give much in the way of tools to operate with it set that way. There was one tool, SC, that was modified in order to work with it and at least initially, it wasn't very well documented. This easily should have been a GPO config item just like the other service ACL configs. Personally, I would have greatly appreciated say a new group... RemoteServiceEnumeration or something like that, then people simply add principals to that group in order to keep their apps working.

I have often monitored services on servers remotely with an ID that has normal user rights in the domain. The ID had no permissions on the servers at all other than to look at them. Others have done the same. The monitoring scripts/apps would list all services to see what was running and what wasn't running, any changes whatsoever would be reported so you knew when something got added and when something got removed or if something was started that wasn't previously running or something that was previously running no longer was running. After SP1, it took modifying the ACL or granting admin level rights or required the ID to be used locally on the local machine instead of remotely. This change forced people, at least initially until documentation started coming out, to use higher power IDs to do something that previously could be done with lower power do-nothing IDs. To put it another way, there is no technical reason whatsoever that an admin ID is required to monitor services. Heck, you can even delegate service control to non-admins, I have been giving out the ability to stop/start specific services on servers since early NT4 days.

BTW, which LUA are you referring to? The actual principle of least user access where you don't give people access to things they shouldn't have or the LUA to allow non-privileged users to actually do things without being an admin? I think the first, but it caught me by surprise and I read it as the second initially because most MS folks are using LUA strictly to speak about the new capability in Vista. I didn't mention LUA but was referring to not having to be an admin to do something simple. I have no problem with locking things down, but don't catch people by
RE: [ActiveDir] exporting group membership
Excel? Otherwise, I'm not completely clear as to what you're trying to accomplish. Rick --Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale Sent: Friday, November 25, 2005 10:02 AM To: Active Subject: [ActiveDir] exporting group membership
I am trying to export the following fields from Active Directory using CSVDE. I ran the following command:
CSVDE -F c:\output.csv -d "ou=security groups,ou=INTARA,dc=COM" -r "(objectclass=group)" -l cn,description,member,whencreated,whenchanged,info,managedby,mail
This retrieves the information I want, however, the Member column displays a list of users' full DNs in one single cell and makes it difficult to overview the member list. How can I display a list of the users in their own individual cells going downwards (if that makes sense)? Does CSVDE allow this? If not, any other tools out there?
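As an added example (not from the thread and not a CSVDE feature), here is a Python script that reads the output of the CSVDE command above and writes one row per group member, which is the shape Excel wants; it relies on CSVDE's convention of packing a multi-valued attribute such as member into one cell with ';' between values. The sample rows are constructed, and the inverse member-to-groups view is there because it is usually what a membership review actually needs.

```python
import csv
import io
from collections import defaultdict


def split_multivalue(cell):
    """CSVDE packs a multi-valued attribute such as member into one cell,
    separating the values with ';'. An empty cell means no values.
    (A DN containing an escaped ';' would need smarter splitting.)"""
    return [v for v in cell.split(";") if v] if cell else []


def explode_members(csvde_text):
    """One output row per (group, member). Groups with no members keep one
    row with an empty member column so they do not vanish from the review."""
    # CSVDE -u writes Unicode with a byte-order mark; drop it if present.
    reader = csv.DictReader(io.StringIO(csvde_text.lstrip("\ufeff")))
    rows = []
    for rec in reader:
        members = split_multivalue(rec.get("member", "")) or [""]
        for member_dn in members:
            row = dict(rec)
            row["member"] = member_dn
            rows.append(row)
    return rows


def to_csv(rows):
    """Write the exploded rows back out as CSV, keeping the input header order."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def groups_by_member(rows):
    """Inverse view: member DN -> list of group cn values."""
    index = defaultdict(list)
    for row in rows:
        if row["member"]:
            index[row["member"]].append(row["cn"])
    return dict(index)


# Constructed sample in the layout CSVDE produces for the -l list in the thread
# (DN is always the first column). Names and DNs are made up for the example.
SAMPLE_CSVDE = """DN,cn,description,member,whenCreated,whenChanged,info,managedBy,mail
"CN=Finance,OU=Security Groups,OU=INTARA,DC=COM",Finance,Finance staff,"CN=Alice,OU=Users,DC=COM;CN=Bob,OU=Users,DC=COM",20051101120000.0Z,20051120090000.0Z,,"CN=Carol,OU=Users,DC=COM",finance@example.com
"CN=Auditors,OU=Security Groups,OU=INTARA,DC=COM",Auditors,,"CN=Alice,OU=Users,DC=COM",20051101120500.0Z,20051101120500.0Z,,,
"CN=Empty,OU=Security Groups,OU=INTARA,DC=COM",Empty,Placeholder group,,20051101121000.0Z,20051101121000.0Z,,,
"""

if __name__ == "__main__":
    exploded = explode_members(SAMPLE_CSVDE)
    print(to_csv(exploded))
    for member_dn, groups in groups_by_member(exploded).items():
        print(member_dn, "->", ", ".join(groups))
```

To run it on a real export, read c:\output.csv with the encoding CSVDE was told to use and pass the text to explode_members.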
RE: [ActiveDir] Server Disappeared
Harald - You have two NICs installed in this box, which is a DC. (Not a suggested / recommended configuration, but beside the point) Do you also have ICS installed, or Routing and Remote Access with NATting installed? (Educated guess, given the 192.168.0.1 address) Be extremely verbose on the server configuration. I suspect that the change of the NIC is going to require some reconfiguration of the ICS or RRAS. Rick -- Posting is provided AS IS, and confers no rights or warranties ...

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harald Sent: Friday, November 25, 2005 1:07 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Server Disappeared
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] burped the following on 25/11/2005 10:42 AM:
That little guy isn't seeing DHCP or DNS ... on the internal network side who's handling the DHCP? You can review these Event ID's and see a bit
I'm not using DHCP, I never did. All the internal machines have static addresses.
EventID.Net: http://www.eventid.net/display.asp?eventid=5781&eventno=167&source=NETLOGON&phase=1
EventID.Net: http://www.eventid.net/display.asp?eventid=20169&eventno=25&source=RemoteAccess&phase=1
EventID.Net: http://www.eventid.net/display.asp?eventid=31002&eventno=557&source=ipnathlp&phase=1
23/11/2005 2:34:41 PM ipnathlp Error None 31002 N/A STARFLEETCMD The DNS proxy agent was unable to bind to the IP address 192.168.0.1. This error may indicate a problem with TCP/IP networking. The data is the error code.
On that entry? In the event viewer can you click on the copy button on that one and paste the entire contents?
Yup, here it is.
Date: 23/11/2005 Source: ipnathlp
Time: 14:34 Category: None
Type: Error Event ID: 31002
User: N/A Computer: STARFLEETCMD
Description: The DNS proxy agent was unable to bind to the IP address 192.168.0.1. This error may indicate a problem with TCP/IP networking. The data is the error code.
Data: Bytes : 1d 27 00 00
-- Harald Gill Without Dreams...Life is Nothing
RE: [ActiveDir] Server Disappeared
So, then - it's resolved and Harald is all happy? Cool... Now, about that two NICs in a DC attached to the Internet thing. I really hope I NEVER hear an SBSer complain that Windows is not a secure operating system given THAT configuration ;op j/k Rick -- Posting is provided AS IS, and confers no rights or warranties ...

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Friday, November 25, 2005 5:59 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Server Disappeared
Well it depends on who you are :-) We actually highly recommend two nics in our SBS DCs :-) It was binding order. External nic was first. ICS ...ick... what are we, workgroup? I'm an RRAS fan :-) [okay the SBSer will go shut up now :-)
RE: [ActiveDir] Windows 2003 SP1 upgrade...
True. But, to monitor services does someone have to log on to the server? Would a good and SAFE work around - if the said user doesn't need to log on - be to create a service account to do the work, but remove the interactive rights? Seems to me that proxying the access would be close to the ultimate in LUA. Rick --Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, November 20, 2005 5:21 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Windows 2003 SP1 upgrade...
The biggest thing people complain to me about that isn't documented as an issue below is with the new ACL on the service control manager. The new ACL really locks down who can enumerate services remotely. This has impact on multiple different applications and services, especially any monitoring that isn't using full admin IDs. Kind of sad actually, people trying to run with least privs for the monitors got nailed and had to give out more perms until info started getting out on how to fix the problem. Check out the items exposed by the following query http://www.google.com/search?hl=en&lr=&safe=off&rls=GGLD%2CGGLD%3A2004-07%2CGGLD%3Aen&q=sdset+sc+2003+site%3Asupport.microsoft.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale Sent: Sunday, November 20, 2005 3:47 PM To: Active Subject: [ActiveDir] Windows 2003 SP1 upgrade...
Hello all, I am planning on rolling out SP1 to my Domain Controllers. I have looked through msn search to find known issues with applying SP1 to DC's. I found the following kb articles (below) so I can prepare if I have issues. I haven't run into any issues in my test environment however, has anyone else had any undocumented problems they may wish to share? One of my DC's is also a WINS, DNS, DHCP, FSMO role holder, so any issues or pointers that you may have come up against would be appreciated. Also, is there any recommendation as to which DC you choose first when you upgrade to SP1?
- The Windows Time service may generate event ID 7023 after you upgrade to Windows Server 2003 Service Pack 1: http://support.microsoft.com/?id=892501
- Network issues that affect TCP/IP and RPC traffic across firewall or VPN: http://support.microsoft.com/kb/899148/
- The incorrect HAL may be applied if your computer uses a custom HAL: http://support.microsoft.com/kb/889101
Thanks, Frank
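Added example, not from the thread or from Microsoft, for joe's point in this thread (and his later reply) about the post-SP1 SCM ACL: a small Python SDDL reader that shows which trustees in an SCM security descriptor hold the enumerate-services right (SDDL `LC`) that remote monitors need, and what a minimal delegation ACE for a dedicated monitoring group (joe's RemoteServiceEnumeration idea) looks like. The SDDL string is constructed in the shape of the post-SP1 default and the group SID is a placeholder; compare against your own `sc sdshow scmanager` output before applying anything with `sc sdset`.

```python
import re

# SDDL access-right codes and the access-mask bits they stand for
# (generic, standard, object-specific, and the file/registry composites).
SDDL_RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
}

# What the low object-specific bits mean when the securable object is the SCM.
SC_MANAGER_CONNECT = 0x0001            # SDDL "CC"
SC_MANAGER_CREATE_SERVICE = 0x0002     # SDDL "DC"
SC_MANAGER_ENUMERATE_SERVICE = 0x0004  # SDDL "LC": what a remote monitor needs
# KA (0xF003F) happens to equal SC_MANAGER_ALL_ACCESS, which is why admins get "KA".

# Constructed sample in the shape of the post-SP1 default (not quoted from a KB):
# Authenticated Users (AU) get connect only, Interactive (IU) and Service (SU)
# get enumerate, SYSTEM a bit more, Builtin Administrators (BA) everything.
SAMPLE_SCM_SDDL = (
    "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)"
    "(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)"
    "S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)"
)

# Read-only rights for a monitoring group: connect, enumerate, query lock
# status, read the security descriptor. No create, no start/stop.
MONITOR_RIGHTS = "CCLCRPRC"


def parse_rights(field):
    """Turn an SDDL rights field (hex or concatenated two-letter codes) into a mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError(f"odd-length rights field: {field!r}")
    mask = 0
    for i in range(0, len(field), 2):
        mask |= SDDL_RIGHTS[field[i:i + 2]]
    return mask


def parse_dacl(sddl):
    """Return the DACL ACEs as dicts; the SACL, DACL flags and object GUIDs are ignored."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: {body!r}")
        aces.append({"type": fields[0], "flags": fields[1],
                     "mask": parse_rights(fields[2]), "sid": fields[5]})
    return aces


def effective_mask(aces, trustee):
    """Allowed bits minus denied bits for ACEs naming this trustee exactly.
    Group membership is not expanded, so this answers what an ACE grants to
    the trustee, not what a particular user ends up with."""
    allowed = denied = 0
    for ace in aces:
        if ace["sid"] != trustee:
            continue
        if ace["type"] == "A":
            allowed |= ace["mask"]
        elif ace["type"] == "D":
            denied |= ace["mask"]
    return allowed & ~denied


def can_enumerate(sddl, trustee):
    """True if the trustee is granted SC_MANAGER_ENUMERATE_SERVICE by the DACL."""
    return bool(effective_mask(parse_dacl(sddl), trustee) & SC_MANAGER_ENUMERATE_SERVICE)


def grant_monitor_rights(sddl, trustee):
    """Return the SDDL with an allow ACE for MONITOR_RIGHTS appended to the DACL
    (inserted before the SACL if there is one)."""
    head, sep, tail = sddl.partition("S:")
    return f"{head}(A;;{MONITOR_RIGHTS};;;{trustee}){sep}{tail}"


if __name__ == "__main__":
    for who in ("AU", "IU", "BA"):
        print(who, "can enumerate services:", can_enumerate(SAMPLE_SCM_SDDL, who))
    monitor_group = "S-1-5-21-0-0-0-1234"  # placeholder SID, not a real group
    print(grant_monitor_rights(SAMPLE_SCM_SDDL, monitor_group))
```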
RE: [ActiveDir] Raid suggestions for DC maybe OT
Jonathan - 275 replication links seems, at least to my tired eyes this AM, to be a lot. Are you running a branch office environment, or is this a number of remote sites that link back to a single hub? I'm interested as to why there are so many repl links to your DCs, only if it's one DC. In my experience, that's not optimal, and we can provide some prescriptive guidance to help optimize the topology with no addition of hardware, just some tuning of site/subnet configurations. Rick [msft] --Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carr, Jonathan (OFT) Sent: Tuesday, November 08, 2005 6:00 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Raid suggestions for DC maybe OT
I don't know about you but rebuilding DC's is not fun stuff. Especially if it has 275 replication links to it from remote DC's.. believe me, spend the money on the fault tolerance..

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, November 07, 2005 10:09 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Raid suggestions for DC maybe OT
How about just not partitioning the whole disk of the larger disks? Note I didn't come up with that idea, that came from a young whippersnapper I know out of Redmond whom I was discussing the fastest AD disk configs with a few weeks ago. I haven't tried it but it makes sense to me. Just allocate maybe 10-12GB of each of the 36GB drives across an array or so. Course you could always say screw the fault tolerant RAIDs, this isn't Exchange, and run commando with a stripe set. If you have enough extra DC capacity in the site you could have them all running really fast and then when one blows it just goes away. Most applications that are written properly for AD handle that just fine except apps that hard sync to a single DC. If I have 7-8 disks, I wouldn't hesitate to put them in a single RAID-10/0+1 type config. OS and Logs are snoring on most DCs. All of the action is around the DIT unless you get that baby into memory which was the first I think 20 responses I got from the whippersnapper. Use 64 bit. I know but... use 64 bit... I know but use 64 bit I know but are you still here, use 64 bit joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carr, Jonathan (OFT) Sent: Monday, November 07, 2005 6:54 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Raid suggestions for DC maybe OT
We have a lot of users coming back to our central site and we use the following config.
adapter #1 raid 1 (2 disk) O/S
adapter #2 raid 1 (2 disk) AD LOGS
adapter #3 raid 5 (3 disk) with global hot spare AD Data
The key to using this is that all the equipment (SCSI disk, SCSI controller) is Ultra 320 spec with low latency and low seek times (15K rpm usually). The other thing that has been noticed is to use as small a disk as you can get (8 GB). Some of the manufacturers are saying they only can supply 36GB drives on new equipment. These drives are ok but the seek time goes up because of the size of the drive. This config works good also:
adapter #1 raid 1 (2 disk) O/S
adapter #2 raid 1 (2 disk) AD LOGS and raid 5 (3 disk) with global hot spare (total of 6 on this channel)
Hope this helps.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, November 06, 2005 11:12 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Raid suggestions for DC maybe OT
LOL. I actually pinged Rick on the "official" guidelines previously for an Enterprise class DC with 4 disks, he was actually one of 4 people I queried since I hadn't seen what I considered good official docs on it. Rick quoted the K3 Deployment guide which is definitely a good start. It indicates:
RAID 1 - OS
RAID 1 - Logs
RAID 1 or 0+1 - SYSVOL/DIT
If you have less than 1000 users using the DC it says you can use one single RAID-1 for the whole thing. Though you have the same issue here as you have for anything, how are the 1000 users using it and what else is using it? Exchange? If so, I doubt I would do a single RAID-1 unless it was very few users. Otherwise you are looking at a minimum of 6 disks for all RAID-1s or 8 disks if 0+1 and RAID-1. When you actually look at it, the OS and the logs are using little IOPS on a dedicated DC and splitting them off onto their own "disk" is probably unnecessary. The DIT assuming it isn't all
RE: [ActiveDir] Hardware Suggestions
Add to that - SATA is not for the desktop only. Check out some of the SANs coming out from most vendors, EMC included. Those drives and connections look a lot like SATA to me. Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ...

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB Sent: Tuesday, November 08, 2005 7:13 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Hardware Suggestions
~ I don't have a problem with SATA (an upgrade from PATA) if used as designed. It's designed for desktop storage. Not that it can't be adjusted to server/enterprise, but its price point and architecture are intended for desktops (i.e. cheap but not as reliable as a shared resource). ~
Depends on the size of the enterprise. SATA has its place in the server segments of smaller orgs for sure. It's not too long ago that Windows and Intel processors were considered not designed for the enterprise... -ASB FAST, CHEAP, SECURE: Pick Any TWO http://www.ultratech-llc.com/KB/

On 11/7/05, Al Mulnick [EMAIL PROTECTED] wrote:
That's a desktop user? The apple desktop? I don't have a problem with SATA (an upgrade from PATA) if used as designed. It's designed for desktop storage. Not that it can't be adjusted to server/enterprise, but its price point and architecture are intended for desktops (i.e. cheap but not as reliable as a shared resource). Used appropriately, I'm quite happy with it. But it's intended to be cheap and replaceable. Cheap, fast, reliable - pick two (or something like that ;) That shouldn't last if history is any indication, but for now I'll try not to build too many centrally required applications on that technology unless I can put a lot of abstraction in front of it (large pools that aren't bothered by the loss of several components at a time.)

From: Rob MOIR [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org, ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Hardware Suggestions Date: Mon, 7 Nov 2005 18:36:10 -
I've deployed SATA for storage of large files in Apple XRaid units in a Raid 5+1 config, and so far so good. Ask me in 3 years if I'm still just as happy ;-) but it was the only way to give the user what they wanted inside the budget we had. One advantage of the XRaid is that it's fitted out from the get go to use SATA disks and the only reason you'd ever have to do anything to it is to replace a drive that you already know has gone bad.

-Original Message- From: [EMAIL PROTECTED] on behalf of Al Mulnick Sent: Mon 07/11/2005 17:34 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Hardware Suggestions
silly no-hair-color alert SATA == Desktop drives. They weren't originally concepted to be enterprise class storage. I see them as being back-engineered to be used this way, but most of what I've seen has been to deploy them as a JBOD in situations where you can absorb the continuous loss of hardware and not impact performance and availability. Typically in pools of disk and hsm solutions (what is it that hsm is called now? ILM? :) If you plan to deploy DAS solutions (internal or external), SATA is not likely the way to go right now. You may want to wait a bit longer if the data is important. For large pools of inexpensive disks, SATA might be worthwhile to investigate if you have a large loading bay, a good support agreement, and close access to the highway. -ajm

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Hardware Suggestions Date: Mon, 07 Nov 2005 09:13:19 -0800
Stupid blonde alert I personally have SATA experience in the tower/desktop world but none in the rack units. Are the physical connections any stronger in the rack world? I like SCSI and IDE not only for their proven track record [server and desktop respectively] but because the dang cables don't get knocked off each time I reach into the case. Those cable connections on the back of the SATA drives are a little worrying. I've accidentally bumped the connection off my workstation at home twice while adding the Hauppauge card and what not. In SBSland early on we had issues with them getting loaded up, if they are underpowered, we're seeing a bit of bottlenecks, and as one of the SBS support gang said out of Mothership Las Colinas, if your vendor won't guarantee that equipment for 3 years, do you really want to put that data on that device? So far the SATAs that we have running around in SBSland servers are okay, but I'll report back in another 2 years and let you know. I can't speak for the Dell rack stuff, but the
RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes
Ed - With all due respect, both posts that you've made in response to this thread have been negative (George Carlin hasn't written anything original... Blah, blah...) and the fact that I mention that I should beat my admin because of missing a backup. How I choose to treat my employees is my business. I'm not sure why I'm even bothering to defend myself to you. Please. If you have nothing of value to add - don't respond. If you want to be a valued member of the list - try being nice. Or, if it's just me you don't like - filter me out of your list. I really don't appreciate the off-handed, single thought retorts. Who ARE you, anyway? Rick -- Posting is provided AS IS, and confers no rights or warranties ...

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP] Sent: Sunday, November 06, 2005 11:28 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes
The admin is not at fault because he wasn't aware that the backup didn't complete? You're an awfully forgiving boss. Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!™

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Sunday, November 06, 2005 7:04 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes
Work with Exchange much? Miss one or two backups and that volume that holds your log files might experience this issue with no fault of the admin at all. (Well, except for the fact that your backup system didn't page the person in charge to notify it didn't run... Or, that person chose not to respond.) Regardless... Poo-poo happens. At least, now they know. Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ...

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Saturday, November 05, 2005 10:30 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes
Not dumb for Microsoft, dumb for the Admin to get the drive in that condition and need a KB to whack them upside the head. At the end of the day... it's my responsibility for my network. I won't be complaining to Microsoft that they didn't warn me that bad things might happen if I don't keep nice breathing room on my drives.

Rick Kingslan wrote:
Hmmm. I guess I see this in a different light. In my new, improved view of the way that Microsoft communicates things, no - it doesn't seem to be very dumb at all. The statement and the KB, that is. At this moment, I'm watching George Carlin's new HBO special. He relates that he's always interested when it's flood season in the Midwest. The same people that got flooded out last year get flooded out this year, repaint, re-carpet and move back in. Next season - it will be the same thing. They just won't understand that if they live on the flood plain, you can't complain that Grandma is floating down the river with a canary on her head. That's why we say things like: "A volume is full or almost full. Your NTFS just MIGHT have problems." Because there are just those same folks on the Midwest flood plain that will call PSS really upset that their full or almost full NTFS drive has a problem. I'm not saying that the people that call are stupid. I am saying that most Insurance policies and contracts, as well as EULAs - have a ton of words and verbiage that only the well trained lawyer can understand because folks are just, well, litigious. And, you have to address the obvious because in segments of the population - the obvious - isn't. Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ...

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Saturday, November 05, 2005 11:08 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes
Is it me or is that a dumb KB? "A volume is full or almost full." Yeah, data will start getting screwed up when you have that situation. In SBSland we lose our CAL licenses and other such fun things on a too tight drive.

Almeida Pinto, Jorge de wrote:
FYI Potential file corruption problem on NTFS volumes during extensive stress tests in Windows Server 2003 Service Pack 1 http://support.microsoft.com/default.aspx?scid=kb;en-us;909360 Cheers, Jorge
RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes
Taking offline... I only berate joe in public... (he fights nasty, too. Spits, eye gouges, hair pulling and all...) Forgot about that when I replied earlier. VBG

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Monday, November 07, 2005 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes

Rick - I was replying to your assertion: "Miss one or two backups and that volume that holds your log files might experience this issue with no fault of the admin at all." An admin may not be at fault because a backup doesn't occur; with that I agree. However, an admin not knowing that the scheduled backups did not occur and not monitoring the log volume sufficiently to know that it is running out of space is very much at fault. I didn't say anything about beating; that would solely be at your discretion. As to my George Carlin remark, it was intended to be sarcastically humorous; I apologize if it missed the mark in your perception, and to anyone else on this list who might have been offended by it. I'm an eight-or-nine-year Exchange MVP, and a senior technology consultant for a large multinational technology corporation. I joined this list because a fellow Exchange MVP recommended it as being THE place to discuss Active Directory. Nice to meet you. Who are you?

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, November 07, 2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes

Ed - With all due respect, both posts that you've made in response to this thread have been negative (George Carlin hasn't written anything original... Blah, blah...)
RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes
BTW - just so no one thinks anything different, I was a bit harsh with Ed. Apologies from me are, well, too often these days. I'm not going to burden the list with this. This one thread has gone WAY too far. I would ask that it be allowed to die. Thanks.

Rick
RE: [ActiveDir] Unreadable Netlogon.dns file
joe, joe, joe. Believe me. Don't... DO NOT... *DO NOT* call ~Eric's attention my way... (He's my assigned handler... AND he's GOOD at it...)

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, November 07, 2005 9:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unreadable Netlogon.dns file

~Eric Who ARE you, anyway?(t)

(t) - Trademark, Rick Kingslan.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, November 07, 2005 5:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unreadable Netlogon.dns file

Since you are saying the file is there but netdiag can't see it, if I were a betting man, I would say for some reason the context under which netdiag is running does not have perms to read the file. The code in question does an fopen() on it with parameters "rt". I suspect, though don't know, that permissions is the likely problem. :) It usually is with other calls such as this one. If you want, let's take this offline. We can report back to the list with the result. I can debug this for you if you're willing?

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: Monday, November 07, 2005 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unreadable Netlogon.dns file

I have just verified that I have the latest version of Netdiag (5.2.3790.0). As for the netlogon.dns file, I have verified it. In fact, I renamed it, restarted the netlogon service and it recreated it correctly. I'm running this from a terminal server session on the box itself. I haven't tried running it remotely.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, November 07, 2005 2:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unreadable Netlogon.dns file

I *think* there was an updated version of netdiag that came out. It might be useful to ensure you have the latest. Also, have you verified that the file exists? If neither of those relates, can you give some more information? Are you running this remotely from your desktop? From the console? Same results regardless?

Al

From: Rachui, Scott [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unreadable Netlogon.dns file
Date: Mon, 07 Nov 2005 14:20:14 -0600

I have a very odd problem. I am testing Windows 2003 Active Directory (running in W2K Native Mode) and on the W2K3 DCs, I get the following message when running NETDIAG:

DNS test . . . . . . . . . . . . . : Failed
[FATAL] Could not open file C:\WINNT\system32\config\netlogon.dns for reading.
[FATAL] Could not open file C:\WINNT\system32\config\netlogon.dns for reading.
[FATAL] Could not open file C:\WINNT\system32\config\netlogon.dns for reading.
[FATAL] No DNS servers have the DNS records for this DC registered.

I have checked security on the 2 W2K3 DCs (which are in different domains, but are both experiencing this), but can't find any permission that they're missing. Any help with this would be much appreciated. Thanks!

Scott

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
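A way to test Eric's permissions theory from the same session netdiag runs in (an added example, not code from the thread): it reports the identity doing the check, attempts the same read-only open that netdiag's fopen() would, and dumps the file's DACL so a missing read ACE for that identity or its groups is visible. The path is the one from Scott's NETDIAG output; the $Path parameter name is this example's own.

```powershell
# Added example: can the current security context read netlogon.dns the
# way netdiag does (read-only open), and what does the DACL on it say?
# Path taken from the NETDIAG output above; override if %SystemRoot% differs.
param(
    [string]$Path = 'C:\WINNT\system32\config\netlogon.dns'
)

# Whose context are we in? netdiag inherits the same one when run from this session.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host "Running as: $($me.Name)"

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Host "File not found: $Path"
    return
}

# Mirror fopen(path, "rt"): open existing file, read access, tolerate other readers/writers.
try {
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    $fs.Close()
    Write-Host "Read-only open succeeded for $($me.Name); a permissions problem is unlikely for this identity."
}
catch [System.UnauthorizedAccessException] {
    Write-Host "Read-only open DENIED for $($me.Name); compare against the DACL below."
}
catch {
    Write-Host "Open failed for a non-permission reason: $($_.Exception.Message)"
}

# Dump owner and DACL so the reader can see which principals hold Read, and whether
# an explicit Deny or a broken inheritance chain is what netdiag is tripping over.
$acl = Get-Acl -LiteralPath $Path
Write-Host "Owner: $($acl.Owner)"
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run it from the terminal server session where NETDIAG fails and again from the console, since Al's question about remote vs. console runs is really a question about which token netdiag is given.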
RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes
Work with Exchange much? Miss one or two backups and that volume that holds your log files might experience this issue with no fault of the admin at all. (Well, except for the fact that your backup system didn't page the person in charge to notify it didn't run... Or, that person chose not to respond.) Regardless... Poo-poo happens. At least, now they know.

Rick [msft]
-- Posting is provided AS IS, and confers no rights or warranties ...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, November 05, 2005 10:30 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes

Not dumb for Microsoft, dumb for the Admin to get the drive in that condition and need a KB to whack them upside the head. At the end of the day... it's my responsibility for my network. I won't be complaining to Microsoft that they didn't warn me that bad things might happen if I don't keep nice breathing room on my drives.
RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes
Ken, I agree completely. What I find very interesting in reading this KB is that it appears that the problem did NOT exist pre-Windows Server 2003 SP1, and that a series of very specific conditions need to be met. The third seems to be the element that makes this more unlikely to occur - "The scenario involves approximately 1000 simultaneous delete, create, or extend operations on files." What I find most interesting about this KB, and kudos to our stress team - is it seems that we discovered this internally and that no scale of customer impact seems to have occurred. (I don't know this for fact to be true - I just suspect it to be so because some of the Lists that I monitor internally haven't notified us of a large-scale impact.)

Rick [msft]
-- Posting is provided AS IS, and confers no rights or warranties ...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Sunday, November 06, 2005 12:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes

Frankly, my expectation from a file system that's marked as being robust and enterprise-ready is that you should lose nothing if the drive is almost full, and the file system should shut down gracefully if the drive is full, especially in normal situations. Sysadmins should not have to worry that they'll lose data to corruption if the drive is almost full in the normal course of events. If you're doing something like the extreme use cases noted in the KB article, then that's possibly a different situation, but in that type of situation you're probably monitoring your disks with an eagle eye anyway. Additionally, Microsoft is correct to warn that a potential issue does exist.

Cheers
Ken
RE: [ActiveDir] Raid suggestions for DC maybe OT
Dan - there will likely be as many opinions on this topic on this list as there are knots on joe's head. Basic rules for a DC are this (IMHO):

Mirrored (or RAID1) for OS
Mirrored (or RAID1) for DIT and Logs

You can certainly host a third mirrored pair for the logs, but that will mostly depend upon how BUSY your AD is and how high the replication traffic, changes, updates etc. that you experience. If you're asking this, you most likely have a newer AD, or are re-architecting. In either case, I'd start with the above and then monitor the performance with PerfMon. Make some decisions on whether to ADD the third mirror based upon the I/O and performance impact of log writes vs. impact on the database reads/writes. Hope this helps!

Rick [msft]
-- Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Cox
Sent: Sunday, November 06, 2005 1:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Raid suggestions for DC maybe OT

What would be the suggested RAID and partitioning scheme for a Domain controller? Any suggestions are appreciated. Thanks.

Dan Cox
RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes
All - I've been informed by more than a few folks on this list that I am, for the most part, completely and utterly wrong on this topic. I apologize for any and all misinformation that I have conveyed, and will refrain from posting on topics that I don't have complete and total knowledge of the full circumstances surrounding the issue.

Rick [msft]
-- Posting is provided AS IS, and confers no rights or warranties ...
RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes
How long have you known joe? Short version PLEASE!

Rick

_
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Sunday, November 06, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes

damn... do you have a short version of this story?

_
From: [EMAIL PROTECTED] on behalf of joe
Sent: Sun 11/6/2005 5:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT (somewhat): Exchange Server 2003 Service Pack 2 DSProxy Referral Process Changes

Oh I understand. I definitely understand I wasn't the only one; I don't think it would have been fixed if it was just me. My contributions included:

1. Debating strongly with Alliance PSS (on and offsite people).
2. Debating strongly with onsite MCS.
3. Debating strongly with Dev.
4. Wrote Steve Ballmer as a concerned MVP.
5. Posted this issue (pointing out the security aspects) both in groups like this and in the public newsgroups. (The public delegates aspect is a security issue.)
6. Reposting every single time I saw anything that related to it.

Initially I hit it with DLs and I got beaten down by PSS and MCS because they said the design the company had that I worked with at the time (we will call widget company again) was based on the idea that they didn't need DLs, so it was specifically designed without DLs in mind, and had we wanted DLs the design would have been different because they knew all about this problem. Then several months later reports of issues with public delegates started surfacing. I was working on some other thing at the time, I believe it was setting up web pages to do things like short-term delegation of mailbox access so that the third-level Outlook people could ask to get access to a mailbox and it would all be logged, quota management, mailbox permission reports, conference room setup, etc.

Anyway, I sat in the Friday con call while onsite PSS discussed the issue and it sounded like the same GC issue as I had stumbled on before. I mentioned that they would want to check that out and verify what GCs were being talked to and redirect them to a more appropriate GC as I had documented and shown for the DL issue before. I didn't want to jump into it and really look at it as I always seemed to get into some sort of trouble for finding and pointing out MS screwups and any issues in the Exchange design. My boss loved it because it meant we fixed something that would hurt once in production; my boss's boss hated it because it slowed down the project he was being graded on with the execs, which was way over budget and way over timeline. Next Monday's con call they still didn't have a clue, more descriptions still sounded like a GC issue, I said so again. Ditto Tuesday con call. On Wednesday we had our everyone-gets-in-one-room meeting and discussed the problems, and when that problem came up I yet again pointed out that it really sounded like the GC issue. Either MS really didn't want it to be that and they were looking for anything else it could be, or the analysts really had no clue what they were looking at. I expect the latter. I told my friends in MCS that the PSS guy was screwing this up and they needed to birddog him because he was going to make MS look like idiots again. They said they couldn't for some reason or another. Thurs con call same issue, no progress. Thurs around 6PM when I was settling into the lab to get some serious work done[1] I got grabbed by one of our third-level Outlook folks (a good friend) who was working the issue[2] and she said I had no choice as she would kick my butt and that she was making me work on that issue.

Within 15 minutes I proved that what I had said the previous Friday was the issue, and also learned how badly Outlook handled the issue: if you removed a public delegate it would disappear from the list because it was removed from the store, but it was still in AD so it was still active, and Outlook never showed an error message and from then on showed the value incorrectly, so someone had permissions to send on behalf of that were not shown unless you looked directly at the directory (security issue). MS PSS reported again in the Friday con call that they had no idea and they were bumping the issue to Sev-A to get ROSS onsite to do a debug, and I waited until the TAM was completely done with what she wanted to say and then said, the issue is the GC issue. MS said, no it wasn't, they couldn't confirm that. Then I said that I knew absolutely it was the issue. The people on the call knew me long enough not to question when I said absolutely versus it should be checked or it appears or possibly. So the following week we had the same meetings we had from several months ago only I was holding the hammer and I was bringing up everything MS had said previously about the design and so I asked the obvious question of were
RE: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes
Hmmm. I guess I see this in a different light. In my new, improved view of the way that Microsoft communicates things, no - it doesn't seem to be very dumb at all. The statement and the KB, that is. At this moment, I'm watching George Carlin's new HBO special. He relates that he's always interested when it's flood season in the Midwest. The same people that got flooded out last year get flooded out this year, repaint, re-carpet and move back in. Next season - it will be the same thing. They just won't understand that if they live on the flood plain, you can't complain that Grandma is floating down the river with a canary on her head. That's why we say things like: A volume is full or almost full. your NTFS just MIGHT have problems. Because there are just those same folks on the Midwest flood plain that will call PSS really upset that their full or almost full NTFS drive has a problem. I'm not saying that the people that call are stupid. I am saying that most Insurance policies and contracts, as well as EULAs - have a ton of words and verbiage that only the well trained lawyer can understand because folks are just well, litigious. And, you have to address the obvious because in segments of the population - the obvious - isn't. Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Saturday, November 05, 2005 11:08 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] FYI: MS-KBQ909360 - Potential file corruption on NTFS volumes Is it me or is that a dumb KB? A volume is full or almost full. Yeah data will start getting screwed up when you have that situation. In SBSland we lose our CAL licenses and other such fun things on a too tight drive. 
Almeida Pinto, Jorge de wrote: FYI Potential file corruption problem on NTFS volumes during extensive stress tests in Windows Server 2003 Service Pack 1 http://support.microsoft.com/default.aspx?scid=kb;en-us;909360 Cheers, Jorge List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] ADMap request fulfillments...
All - I want to apologize to all those that have been patiently waiting for the ADMap that I promised. It is going to be sent out today. Let's just say that closing out my current project became more hectic than it first appeared. However, I have a slew of names that wanted the tool, and I'm quite pleased at the response. I'll have one mass e-mail going out this afternoon to everyone (well, everyone who requested it... Let's not get TOO crazy), and I'll pick up those later (I'm out of town until Saturday late) that are still straggling in. I will continue to fulfill requests as long as I can. Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ...
RE: [ActiveDir] BIND on Linux
Peter, Though it may appear that I have a vested interest in keeping you on our OS, those that know me know that if a reasonable argument is presented - I will assist in the migration for our customers. It's simply good practice and good relations. Typically, when I hear that a customer wants to move from Windows DNS to BIND, there is a reason. I'm interested in yours, and will provide guidance in kind. If it's Politically motivated (and you're not the instigator) I think that we can help you with the case to stay the course. Again - there has to be a reason. Management doesn't make decisions lightly (in most cases...). Did someone just get to Gartner (which there is a big Symposium going on this week) and pull a 'hey... Gartner says...' Those are always fun to shoot down. If the issue is of cost - it's not a good one, and I can provide the reasons for why this move will cost more. If it's inter-operability with other BIND implementations, again - I can provide the reasons for why this might not be a good move. If it's Security - let's talk about how to lock down the OS. If it's simply security, Linux is not the answer. If it is that this server is going in the DMZ for external serving of DNS - let's talk about the benefits of getting you there. I, like the rest of this group, want to find out why you want to move your DNS to BIND. Make no mistake - Active Directory works best with Microsoft DNS. Every implementation I have done otherwise has had problems. Not insurmountable, but your BIND Admins have to learn a whole new set of skills to handle those damn Windows Machines. As to answering your questions: 1. Very viable (again, given the caveat that Windows DNS works best when dealing with MS clients and Active Directory - BIND requires some added care and feeding). As to scalability - BIND is as scalable as anything else. It carries less overhead, if it's the only daemon serving off of the system. 
Scale for BIND is width, not depth, but you can grow a box to meet the requirements, which are more request query (read) oriented, and write with updates from other DNS. 2. Versions used have been 4.x on up through 9. (whatever the latest version of 9 is/was) If for Active Directory, Must be greater than 8.2 (for DDNS support) 3. Because MS-DNS and BIND use two different methods of doing secure updates (authN to the actual box for confirming I can re-write the record or enter a new one) the issue of secure updates isn't even in the picture. To me, it's a low to medium risk issue. It all depends where you're going to use it and how well the rest of the box is secured. Windows DNS with its secure updates may not be as secure as most admins think - security begins at the OS, not the DNS service level. 4. Gotchas... Huh. Biggest one I've already mentioned. MS DNS works best WITH Active Directory. MS DNS works great with BIND as a peer or (in the typical hierarchical DNS structure) parent DNS. Forwarding, conditional, stub zones - they all work extremely well, and IMHO - surpass BIND in capability. There is (not to my knowledge at least) a good interface for BIND. Seems that most BIND admins are pretty much at home with Vi and Lint or Dig. (Funny, though - if someone is so hardcore that they want to do that on Windows - they can) All of these tools exist for use on MS DNS as well. Most shops dedicate ~50% of a resource's time to managing BIND. I'd spend, typically 30 minutes daily checking logs and adding static requests for servers that required such. So, there you have what I can skim off the top of my head. Again - toss your reasons for wanting to do this. I'm sure many of us are quite curious. Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ... 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop Sent: Tuesday, October 18, 2005 2:22 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] BIND on Linux I would be interested to hear from people who have migrated Windows DNS to Linux. I am aware of the basic issues (need for DDNS and service records.) I am particularly interested in: 1) Viability and scalability 2) Versions used and recommended 3) Security ramifications due to lack of secure updates 4) Gotchas or other ramifications. Regards Peter Jessop
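Point 3 in Rick's reply is worth making concrete on the Windows side: "secure updates" on a Windows DNS zone means the update was authenticated with GSS-TSIG (Kerberos) and the record's ACL permitted it, and only AD-integrated zones can be set that way. The script below is an added example, not code from the thread or from Microsoft; it uses the DnsServer module (Windows Server 2012 or later RSAT), and the server name is a placeholder. It lists zones that still accept unauthenticated updates and shows the weak setting next to the fix.

```powershell
# Added example (not from the original thread). Audits the dynamic-update
# setting of every primary zone on a Windows DNS server and tightens it.
Import-Module DnsServer

function Get-WeakDynamicUpdateZones {
    param([string]$ComputerName = 'dc01.corp.example.com')   # placeholder
    # DynamicUpdate is None, NonsecureAndSecure or Secure. A file-backed
    # primary zone cannot be Secure, so if it accepts updates at all it
    # accepts them from anything that can reach port 53.
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object {
            -not $_.IsAutoCreated -and
            $_.ZoneType -eq 'Primary' -and
            $_.DynamicUpdate -ne 'Secure'
        } |
        Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
}

function Set-ZoneSecureUpdatesOnly {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$ComputerName = 'dc01.corp.example.com'      # placeholder
    )
    $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $ComputerName
    if (-not $zone.IsDsIntegrated) {
        # Secure-only is unavailable for file-backed zones; store it in AD first.
        ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ComputerName $ComputerName `
            -ReplicationScope Domain -Force
    }
    # Weak:  Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate NonsecureAndSecure
    # Fixed: only Kerberos-authenticated (GSS-TSIG) clients may update.
    Set-DnsServerPrimaryZone -Name $ZoneName -ComputerName $ComputerName -DynamicUpdate Secure
}

# Usage: report first, then fix whatever the report lists.
Get-WeakDynamicUpdateZones | Format-Table -AutoSize
# Get-WeakDynamicUpdateZones | ForEach-Object { Set-ZoneSecureUpdatesOnly -ZoneName $_.ZoneName }
```

The caveat Rick hints at: Secure stops anonymous updates, not rogue domain members. By default Authenticated Users can create new records in an AD-integrated zone, and a record is then protected only by the ACL of the object that created it, so a compromised domain-joined host can still register names it does not own. That is an OS and account problem, which is his point that security starts below the DNS service.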
RE: [ActiveDir] DC replication
There are a number of ports with TCP and UDP/TCP required that must be available for full communication from DC to DC to succeed. Likely one or more of these are blocked and a ping is great for basic connectivity. From both sides of the VPN, run DCDIAG /v dcdiag.log and a netdiag /v netdiag.log Send those back to us in the list and we'll help you through. As a quick test, try telnet name or IP of DC 389, where name or IP of DC is the DC on the other side of the VPN. Do from both sides. this is just one of the ports that you need. Another would be 445. Rick [msft] --Posting is provided "AS IS", and confers no rights or warranties ... From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Williams Sent: Tuesday, October 18, 2005 10:40 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DC replication We just installed a server offsite. It is connected by VPN through a PIX 525 and a PIX 501. After installing it, it was decided that it needs to be a domain controller. Ran dcpromo on it and there were no errors reported. The problem I have with it now is that it seems to be replicating in one direction only. All DC's running 2000 server. Active Directory Sites and Services on DC01 and DC02 has all 3 servers listed. DC01 and DC02 do not show any entries in the NTDS settings for DC03. DC03 shows the correct entries for all 3 servers. If I manually add a new active directory connection from DC01 or DC02, it shows all 3 of the DC's in the selection box. After adding it and selecting replicate now, I receive the RPC server is unavailable error. That error refers to DNS errors. I can ping by name to all DC's. Are there other tests I need to run to check DNS? Repadmin shows correct inbound and outbound neighbors on DC01 and DC02. DC03 shows correct inbound neighbors, but no outbound neighbors. 
DC01 - Main domain controller at main office
DC02 - Secondary domain controller at main office
DC03 - New domain controller at offsite location, VPN connection
Thanks in advance Mike Michael P. Williams Information Technology Carlyle Van Lines (660) 747-8128 X 3816 [EMAIL PROTECTED] www.carlylevanlines.com
RE: [ActiveDir] DNS Problem please help
If your DNS is not answering for the domain that AD lives in, then yes - your replication will not work. 1. If you go to the DNS applet, do you have a DNS Forward zone created for your domain? 2. If the domain is there, what is in the DNS zone? Are there other 'folders' inside, or just DNS name to IP records? 3. Stop NETLOGON - wait 30 seconds. Start NetLogon. This will re-register missing AD records. If none of the above seem correct, from the Server disk in the Support/Tools directory, install the support tools. We will need a DCDIAG /V and NETDIAG /V written out to a log file. Paste those to your message and we will review. Rick [msft] --Posting is provided "AS IS", and confers no rights or warranties ... From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra Sent: Tuesday, October 18, 2005 10:55 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DNS Problem please help Hi All, Need your help for troubleshooting my DNS Server which is also my DC. I have an ADC also which is working fine but unfortunately DNS is not updated. Current scenario is :- Nslookup says:- primary DNS non-existent domain. Event Viewer says:- replication is not working for me. Please help what should i check to resolve the issue. if any further information is required please revert ASAP. RD
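Both the DC replication thread (telnet to 389 and 445 from each side of the VPN) and the DNS thread just above (does DNS answer for the AD records, restart NETLOGON to re-register them) are the same triage: prove name resolution for the domain's SRV records, then prove the TCP ports a DC needs on the remote DC. The script below is an added example, not code from either thread or from Microsoft, and it is meant to run on a current Windows host on each side (it will not run on the Windows 2000 DCs in the question themselves). Host and domain names are placeholders; the RPC registry key it reads is the one documented in Microsoft KB 154596.

```powershell
# Added example (not from the original threads). Run on each side of the VPN,
# pointed at the DC on the other side.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No SYN/ACK inside the timeout: filtered by PIX/VPN or host down.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws on RST, i.e. reachable but closed
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# Step 1: the SRV records DCs and clients locate each other with. Empty
# answers mean the DC never registered; restarting NETLOGON on it re-registers.
function Test-DcSrvRecords {
    param([string]$DnsDomain, [string]$DnsServer)
    $names = @(
        "_ldap._tcp.dc._msdcs.$DnsDomain",       # any DC
        "_kerberos._tcp.dc._msdcs.$DnsDomain",
        "_ldap._tcp.gc._msdcs.$DnsDomain"        # global catalogs
    )
    foreach ($name in $names) {
        $answers = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Record  = $name
            Targets = ($answers | Where-Object QueryType -eq 'SRV' |
                       ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
    }
}

# Step 2: TCP ports one DC needs on another. UDP 53/88/123/389 are used too;
# a TCP connect cannot exercise those, so check them in the firewall rules.
$DcPorts = @{
    53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper (replication)'
    389 = 'LDAP'; 445 = 'SMB (SYSVOL)'; 464 = 'Kerberos kpasswd'
    636 = 'LDAPS'; 3268 = 'Global catalog'; 3269 = 'Global catalog LDAPS'
}
function Test-DcPorts {
    param([string]$RemoteDc)
    foreach ($port in ($DcPorts.Keys | Sort-Object)) {
        [pscustomobject]@{
            RemoteDc = $RemoteDc
            Port     = $port
            Service  = $DcPorts[$port]
            Open     = Test-TcpPort -ComputerName $RemoteDc -Port $port
        }
    }
}

# Step 3: "RPC server is unavailable" is often the dynamic port behind 135.
# If the DC pins that range (HKLM\SOFTWARE\Microsoft\Rpc\Internet, KB 154596)
# the VPN rules must pass exactly that range; report it so they can be compared.
function Get-RpcInternetPorts {
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) { return 'not restricted: default dynamic range' }
    (Get-ItemProperty -Path $key).Ports -join ','
}

# Usage from DC01's side; repeat from DC03's side against DC01.
Test-DcSrvRecords -DnsDomain 'corp.example.com' -DnsServer 'dc03.corp.example.com' | Format-Table -AutoSize
Test-DcPorts -RemoteDc 'dc03.corp.example.com' | Format-Table -AutoSize
Get-RpcInternetPorts
```

A port that shows Open from the main office but not from the branch is the one-way replication symptom in Mike's question: the PIX rules are asymmetric. Ports open in both directions but empty SRV answers point instead at the DNS problem Rick lists in the reply above.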
RE: [ActiveDir] BIND on Linux
OK. It makes more sense. 1. Are you moving away from Active Directory to NIS? If not, keeping DNS on Windows is a zero cost / zero impact issue. If it's AD integrated, then the cost is nil. It's a no cost part of the DC package. 2. DNS on a Windows server as the primary system does invoke cost in this case. AD integrate everything that controls the INTERNAL DNS. Allow the external facing accept forwarding from the Windows DNS that is serving the internal servers and workstations. 3. If this primary factor is cost, and only cost - that's a political battle that is hard to win. I would look to your Microsoft resources to help you cost justify our products. Is this in EU? Harder battle, I have to add. Interesting comment on the database (Oracle especially...) thing. What are you replacing SQL with? Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop Sent: Tuesday, October 18, 2005 11:00 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] BIND on Linux I work in an IT department of an autonomous government ministry. I actually have no wish to move DNS to Linux as it works perfectly ok as it is. At the moment it is integrated. The reason I am asking this question is that now it is the policy to move to Open Source wherever possible. Thus HP-UX will move to Linux, MS office will move to Open Office etc. I don't know the reasons why. They want to cut costs but have not done a cost analysis of the change. Curiously no Open Source alternatives are being considered to replace Oracle. Another problem is that the Windows Network services function really well, give very few problems and so have become invisible. There is no particular advantage to moving DNS to Linux. It will not save licenses in itself. It is simply that I have to analyse service by service the implications and possibilities of moving to Open Source. 
I am not as extremely specialised. With one coworker I manage about 20 windows servers plus administration policy on 1500 workstations distributed in about 80 buildings. Along with AD we have to manage a mixture of Oracle, SQL Server, Exchange, Cluster Services, SANs, Backups, Documentation, AV etc... along with a fair bit of scripting due to lack of management tools. I have no idea how typical this is as I am fairly isolated here. This list is a lifeline to someone in my position. I am only just beginning to think about all this as I was informed of this today. I thought the DNS move might be fairly simple but was concerned about the security implications of non secure updates and was wondering if there are ways to avoid an internal hacker screwing up the database. I also wondered what versions of Linux people were using to get DNS services and any experience or advice they could give me on such a move.
RE: [ActiveDir] AD/DNS BPA?
Huh. That doesn't appear to be _US_ I wonder if the Engineering Services group knows that a third party (Partner at that) is advertising these services. Honestly, I didn't think that we farmed those services out Checking. Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Saturday, October 15, 2005 1:32 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] AD/DNS BPA? Microsoft AD Health Check: http://www.systems-group.net/En/Consultancy+Services/Solutions/Microsoft+AD+ Health+Check.htm Looks like it's talked about here too Dean Wells wrote: Ooops ... my apologies :O( -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Friday, October 14, 2005 10:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD/DNS BPA? Boo, hiss. It's Engineering Services that offers it, not MCS. ; -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Thursday, October 13, 2005 11:22 AM To: Send - AD mailing list Subject: RE: [ActiveDir] AD/DNS BPA? The tool I spoke about in confidence with Tony (just teasing ;o) is an offering from MCS known as the ADHC or AD Health Check ... it is a nicely shrink-wrapped series of powerful interrogation scripts/tools that, when compiled by someone sufficiently trained, produces a very detailed configuration breakdown, useful recommendations and/or general mis-configurations. As I understand it, it is available exclusively via an MCS engagement. 
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Tuesday, October 11, 2005 7:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD/DNS BPA? I find DNSlint to be pretty good, but obviously limited in scope. I think Dean mentioned to me recently that PSS have a tool that provides BPA-like functionality. It sounded like the output might be a little too complicated to make it publicly available. Perhaps Dean has more info on this (assuming it's not under NDA)? Tony -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Wednesday, 12 October 2005 2:58 p.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD/DNS BPA? The tools are there, but the interpretation is sometimes lacking G I've been told that several companies are currently offering health checks, but I haven't tested any of them. As for Microsoft tools, I'm a fan of using dcdiag and netdiag right after scanning the event logs. That'll give me an idea of where to focus more effort if needed. Most of what I want to know is going to show up there without having to do too much waving of the magic wand. There are some additional tools, but they get used after these two steps in my normal approach. That'll indicate whether or not I have to dig deeper. Some other tools such as repadmin are useful as well. And there was a tool, SPA, that could be helpful in some situations depending on what you want to know. I haven't seen an AD BPA though. Be interesting to see one. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Tuesday, October 11, 2005 9:34 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD/DNS BPA? lurk mode off Stupid question... okay we have Exchange Best practices analyzer right? 
http://www.microsoft.com/exchange/downloads/2003/exbpa/default.mspx I know you guys don't like GUI...but besides DNSlint, dnsdiag, Sysinternals, Joeware stuff and such things... is there currently enough tools in your bag'o'tricks to ensure DNS/AD is set up right? Do you guys have a tool that you consider 'the' DNS/AD BPA and if so what is it? Or is AD/DNS health review like security log reviews/dump files where it's an art and not a science? And feel free to lob 'SBS could run on ipx/spx' comments my way as well. ;-) lurk mode back on -- Letting your vendors set your risk analysis these days? http://www.threatcode.com
RE: [ActiveDir] AD/ Sites Services
Simple and most forward answer is to create two sites - one for each location, with associated subnets assigned to each site. The longer answer is related to how many users in each site, how fast (in AVAILABLE THROUGHPUT) is the connection between, and are you intending to put at least one DC in each physical location. So, hopefully more answers are forthcoming Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rania Sent: Saturday, October 15, 2005 7:00 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD/ Sites Services Dear All, I have here in My Company, 2 Separate Locations, the First one is Head Office , the second one is the Private office . The head office have one single Network with this Range of IP-Address ( 70.0.0.X / 255.255.255.0 ) . We have Wireless -Point-To-Point Between the 2 locations . The Private office have also one single Network with the same range of IP-Address in the Head office which is ( 70.0.0.X / 255.255.255.0 ). All of them is under Workgroup, and no domains at all . -- -- what we need , is to create domain and to provide users with the authentication from the domain by using user name Password. - My question is here, i am really get confused, what should i follow :- 1- Should i follow Single Site for the 2 locations each site will represented by subnet , so i will have 2 subnets in one site ? Or 2- should i follow Multiple Site with one subnet at least in each site, and each site will represent the location it self ? i really get confused. as i know the site is used for the Replication , so i want to simple the replication it self. CAN ANY ONE GUIDE ME TO THE BEST OF IT. Best Regards, RANIA SAMEER. 
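Rick's answer (two sites, each with its own subnet, and a site link between them) as a worked script. This is an added example, not code from the thread or from Microsoft; it uses the ActiveDirectory module (RSAT, Windows Server 2012 or later). Site names, subnets, link cost and replication interval are assumptions. One thing the question does not allow for: both offices are on 70.0.0.0/24, and a subnet object maps to exactly one site, so the script assumes the private office is renumbered to its own range before any of this is done.

```powershell
# Added example (not from the original thread). Creates two sites with their
# subnets and a site link, then shows how DCs and subnets ended up assigned.
Import-Module ActiveDirectory

# Assumed ranges: the private office must not share the head office subnet.
$SiteTable = @(
    @{ Name = 'HeadOffice';    Subnet = '10.0.1.0/24' },
    @{ Name = 'PrivateOffice'; Subnet = '10.0.2.0/24' }
)

function New-TwoSiteTopology {
    param(
        [array]$Sites = $SiteTable,
        [string]$LinkName = 'HeadOffice-PrivateOffice',
        [int]$IntervalMinutes = 15          # DEFAULTIPSITELINK uses 180
    )
    foreach ($s in $Sites) {
        if (-not (Get-ADReplicationSite -Filter "Name -eq '$($s.Name)'")) {
            New-ADReplicationSite -Name $s.Name
        }
        # The subnet is what places a client or DC in a site. A client whose
        # IP matches no subnet may authenticate to any DC, across the link.
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($s.Subnet)'")) {
            New-ADReplicationSubnet -Name $s.Subnet -Site $s.Name
        }
    }
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$LinkName'")) {
        New-ADReplicationSiteLink -Name $LinkName `
            -SitesIncluded @($Sites | ForEach-Object { $_.Name }) `
            -Cost 100 -ReplicationFrequencyInMinutes $IntervalMinutes `
            -InterSiteTransportProtocol IP
    }
}

# A DC promoted before the sites existed sits in Default-First-Site-Name;
# move the branch DC into its site once it is built.
function Move-DcToSite {
    param([Parameter(Mandatory)][string]$DcName, [Parameter(Mandatory)][string]$SiteName)
    Move-ADDirectoryServer -Identity $DcName -Site $SiteName
}

# Verification: every DC in the expected site, every subnet bound to a site.
function Show-SiteAssignment {
    Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
    Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
}

New-TwoSiteTopology
# Move-DcToSite -DcName 'DC03' -SiteName 'PrivateOffice'   # placeholder DC name
Show-SiteAssignment
```

With one DC per site, logons and Group Policy retrieval stay on the local LAN and only replication crosses the wireless point-to-point link; with no DC at the private office, a second site still helps by letting the DC locator prefer the head-office DCs rather than treating the link as local.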
RE: [ActiveDir] AD/DNS BPA?
Yes, they (we) do. I'll check into them and give you an overview of what they do If I can, to be more correct. Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray Sent: Tuesday, October 11, 2005 9:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD/DNS BPA? I find DNSlint to be pretty good, but obviously limited in scope. I think Dean mentioned to me recently that PSS have a tool that provides BPA-like functionality. It sounded like the output might be a little too complicated to make it publicly available. Perhaps Dean has more info on this (assuming it's not under NDA)? Tony
RE: [ActiveDir] salary(OT)
Oh, and given a bit to think. You asked Dean - but you didn't ask me. Huh. NOW I know where *I* stand. In your mind, off the edge, if Dean was just right at ;-) Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, October 14, 2005 6:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] salary(OT) Hey I needed to maintain a certain quality Did you send something to Robbie to say you wanted to review it? In the end we were begging for reviewers, I even took Dean as a reviewer and you know the edge I had to be on for that He kept wanting to spell words wrong. Eventually I just took out all references to the words color, humor, and other or words. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Friday, October 14, 2005 7:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] salary(OT) joe said: Again, the reviewers did a fantastic job. Of which, you will all notice when the book comes out, I am _NOT_ one of those reviewers. joe said: They kept me honest Which is one of the reason _WHY_ I was not one of those reviewers Rick P.S. Hey, joe :op -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, October 14, 2005 6:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] salary(OT) Not out yet, I am expecting Mid November or Early December. I sent an email to see if I can find out. The book is NOT written in my voice, I tried as best as possible to maintain the voice that was there. I simply revised it though I did add a Chapter on ADAM and a chapter on some basic Exchange/AD Scripting. If you have the first or second edition I think you will find this edition worthy of picking up even if you don't have Windows Server 2003 SP1 or R2. I tried fleshing out and changing anything I didn't feel was right. Also the reviewers all did a bangup job finding things I missed. 
I admit I didn't sleep much in August or September. Tony may have noticed a lull in the list volume, me working on that book saved at least 2 bazillion helpless bits from being sacrificed. I learned that revising a book may actually be harder than writing a book from scratch and you get paid less. Well maybe it is depending on if you know what you want to write about. With revising you can't just write, you have to read, reread, write, reread, write, reread, tweak, reread. When you change the flow and feel and voice it is like hitting a brick wall when reading. I am sure I didn't get rid of all of the bricks but I certainly tried to knock the walls down to a point where you can step over them without too much trouble. Anyway, I spent less time writing the ADAM chapter than I spent updating the security chapter. I know now that I probably should have just rewritten from scratch and it would have gone faster. Oh well, live and learn or don't live long. Again, the reviewers did a fantastic job. They kept me honest when I tried to skip over some stuff when I got tired and I thank them profusely. I tried to do them justice in the small space provided to me for acknowledgements. Those are the things people tend not to look at at the front of the book. I do ask that if you pick up the book, you do look. Those, folks, deserve, the: attention. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb Sent: Friday, October 14, 2005 12:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] salary(OT) joe, Active Directory Third Edition What is this? Where is it? RH _ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, October 14, 2005 11:12 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] salary(OT) I would not be surprised. I know this list has become quite popular and for good reason. It is one of the few places where I learn things that I don't stumble over myself. 
Many times I learn things when people make random comments about their environment which kicks a realization in myself on how something probably works in the backend. It is pretty cool. On the downside sounds like my total sales on Active Directory Third Edition will be in the area of 2000 copies which isn't going to buy me a 100ft ocean ready cruiser. ;o) Understood on posting the lurker list. On top of the spammers, I am sure some lurkers would not be happy to be out-ed like that. I don't have an issue with lurkers myself. In fact I would love to hear we have some 25000 lurkers, it means a lot of people are getting a lot of good info. Everyone has to send me 25% of their income. It's only fair really. Does the postal service even deliver to NZ? joe P.S. So now I am feeding everyone? No wonder my pantry is empty! -Original Message- From
RE: [ActiveDir] salary(OT)
Dropping thread... -r -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, October 16, 2005 10:02 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] salary(OT) I didn't ask Dean. I would not have asked Dean. I know how busy he is and wouldn't want to use our friendship to guilt him into allowing me to steal him away from money making endeavours. Instead I figured I would needle him with one-offs as I hit them and be thankful for the responses. In the end he wasn't able to proof the whole thing, only parts of it. But the parts he did proof of the older material I ended up having to correct a bunch of stuff. He pointed out AD Replication terms and such that the only google hits on were in reference to the book itself. That IM conversation spawned a 90 minute phone call with him and you know how much I hate phones and how much Dean and I can cover in 10 minutes and we had to chop it off at 90 minutes because we both had to be somewhere else. Obviously, I had to change it.
RE: [ActiveDir] Knowing when users were deleted.
And, as you know that does work well in SBSland. However, when the scale grows, so do the requirements. In the Medium to Enterprise space, the idea is more along the lines of a system or series of systems pumping this type of information into paging and making intelligent decisions based on the audit, event, alerts, services, etc. Which is right where MOM 2005 drops into the picture. If it _IS_ the event aggregator, or if it's pushing up to a bigger overall item such as HP OpenView - that data is available. It's just that instead of getting an e-mail per server (most admins would just begin to create a rule to send these to DEV/NUL after a while...) MOM collects, enforces and reports this same type of information. Scale makes the problem much tougher, as I'm sure you can imagine. Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ...

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Sunday, October 16, 2005 8:33 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Knowing when users were deleted. here she goes again.. I know ... I'm terrible at lurking. In SBSland we have a daily monitoring email [well ... I send it daily anyway, but it's configurable] and it looks at the event logs and tells daily health status of my server. Like today my email tells me my server has been running for 6 hours [just rebooted it last night] and it gives me an overview if auto services are not running, critical alerts and critical errors in the event logs. It tells me memory/disk size, cpu use, top processes, if the backup ran, and aggregates the alerts from all the log files. It's a health mon that dumps its data into a msde database and builds the email to be sent internally or externally. What it does now is only pull data from the one box, the SBS box. 
but I can go into health mon and build my own monitors and grab those event logs from other machines [need to do that, just haven't gotten around to it]. Right now if someone [usually me] fat fingers a password, for example, it gives me an alert in the email of the last time it occurred and how many occurrences. Basically it's tracking the critical alerts in all the event logs and summarizing the events along with the number of events in the email [and showing the last time the event occurred so you can start your investigation from that point back]. For SBS it's in the box, it's a gui wizard that builds this pretty little html email that my server builds and hits me every morning at 6 a.m and says Hey here's how I'm doing...how are you?. It's the mid market that doesn't have this. [and yes, we've told Mothership Redmond they need to steal this sucker and put it in the mid market server bundle] Does it make me more aware of events on my server? Oh you betcha it does. Which is why this needs to be as you say...native in small and medium servers... heck I'd strongly argue that no server should be shipped without some admin somewhere getting an in your face report on that sucker. I'll go to Frys and buy bigger harddrives if I need to. But give me a big fat audit log file and I'm a happy camper.

Al Mulnick wrote: I'll see your Eurocents and raise you two. :) I fully understand where you're coming from Ulf. Adding this information into the DIT when it is currently possible to get is something that grates against common sense and common engineering principles even if you subscribe to belts and braces methodologies. However, I think two things make this a worthwhile request with a big payoff. First to Laura's point about diminishing returns. I agree, at some point there will be diminishing returns. I also believe that as hardware gets bigger (i.e. Standard 80 GB hard drives, 1 GB memory in workstation machines, etc. 
[1]) the bar gets raised until we get to the diminishing return. Since we're targeting 80/20 out of the box [2] it seems reasonable that 80% of the deployments would benefit from such a change. The other 20 would be those that a) don't care or know about such things and b) those that can't tolerate the additional overhead and therefore wouldn't want to deploy it. I say tough pickles to them. :) Seriously, this could be on by default but configurable (group policy?) to disable it as a performance issue etc. Second, I think that the major benefit is the ability to actually get usable information native to the product vs. having to invest in a third party product. Why? Because today in order to get that information I have to have something that scrapes the Security logs looking for such information. Is this a good idea? I think it is. Is it something that could be native? I think it could and should be native if technically feasible. Making us look in a particular DC's event logs is more difficult than it should be without yet another product. That's fine for the really large
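The digest Susan describes (count of each critical event plus the time it last fired, so the investigation can start from that point backwards) and the thread's original question (which accounts were deleted) as an added example; this is not code from the list or from the SBS health monitor. The log export, its pipe-separated layout and the host/user names are constructed; event IDs 630 (user account deleted) and 529 (logon failure) are the Windows Server 2003 Security-log IDs as the author of this example recalls them, and 7034 is the Service Control Manager's unexpected-termination event.

```python
"""Daily Security-log digest: per watched event type, how many times it
fired and when it last fired, plus the list of deleted accounts.
Added example, not code from the list or from the SBS health monitor.
Log lines are constructed; event IDs 630 (user account deleted), 529
(logon failure) and 7034 (service terminated unexpectedly) are used as
recalled by the author of this example."""
from datetime import datetime

# Constructed export, one record per line: timestamp|event id|source|message
SAMPLE_LOG = """\
2005-10-16 05:58:01|529|Security|Logon Failure: bad password for jsmith from WS01
2005-10-16 06:12:45|529|Security|Logon Failure: bad password for jsmith from WS01
2005-10-16 09:30:10|630|Security|User Account Deleted: tjones by Administrator
2005-10-16 11:03:22|529|Security|Logon Failure: bad password for rbrown from WS07
this line is garbage and must be skipped
2005-10-16 17:45:00|630|Security|User Account Deleted: oldsvc by helpdesk1
2005-10-16 23:10:05|7034|Service Control Manager|The Backup service terminated unexpectedly
"""

# Event IDs the digest tracks; everything else is ignored, which is the
# "summarise the critical stuff, not every event" trade-off the thread makes.
WATCHED = {
    529: "Logon failure",
    630: "User account deleted",
    7034: "Service terminated unexpectedly",
}


def parse_records(text):
    """Turn the export into (timestamp, event_id, source, message) tuples,
    dropping lines that do not have the expected four fields."""
    records = []
    for line in text.splitlines():
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
            event_id = int(parts[1])
        except ValueError:
            continue
        records.append((ts, event_id, parts[2], parts[3]))
    return records


def summarize(records, watched=WATCHED):
    """Per watched event ID: count, last occurrence and last message, so the
    reader can start an investigation from the most recent hit backwards."""
    summary = {}
    for ts, event_id, _source, message in records:
        if event_id not in watched:
            continue
        entry = summary.setdefault(event_id, {
            "label": watched[event_id], "count": 0,
            "last_seen": None, "last_message": "",
        })
        entry["count"] += 1
        if entry["last_seen"] is None or ts > entry["last_seen"]:
            entry["last_seen"] = ts
            entry["last_message"] = message
    return summary


def deleted_accounts(records):
    """Names of accounts whose deletion (event 630) appears in the records;
    the name is the first token after the colon in the constructed message."""
    names = []
    for _ts, event_id, _source, message in records:
        if event_id == 630 and ":" in message:
            names.append(message.split(":", 1)[1].split()[0])
    return names


def render_digest(summary):
    """Plain-text body for the morning e-mail, most frequent event first."""
    lines = ["Security digest"]
    for event_id, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        lines.append("%5d  %-32s x%d  last %s  %s" % (
            event_id, e["label"], e["count"],
            e["last_seen"].strftime("%Y-%m-%d %H:%M:%S"), e["last_message"]))
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(render_digest(summarize(recs)))
    print("Deleted accounts:", ", ".join(deleted_accounts(recs)))
```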
RE: [ActiveDir] Reverse DNS
Oooof. ROTFLMAO! Funny - very funny! Rick [msft] --Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf Sent: Friday, October 14, 2005 11:20 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Reverse DNS Why lurk when you can participate so effectively? :) Phil

On 10/15/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote: Or get a better ISP or DNS record keeper that will allow you to do what you need to do. okay okay I don't lurk well ... I know I know...

Phil Renouf wrote: So you have a publicly accessible DNS server that you manage and is in your DMZ and an internally accessible DNS server that is on your internal network. Is that right? You have a domain on your publicly accessible DNS server for your public servers (web, email etc.) and currently you only have a forward lookup zone created on that DNS server. What you want is to be able to also host reverse DNS for the subnet that you were given by your ISP? If that is the case then the advice has been given; talk to your ISP and have them delegate that subnet to your DNS server and setup a reverse lookup zone on your publicly accessible DNS server. That or have your ISP host the reverse lookup zone, although that would require them to manage the entries as well. Phil

On 10/13/05, *rubix cube* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: I have 2 internal DNS's, one on the DMZ zone which hosts the public IPs of the servers we publish (email, website, systems, etc... around 15 IPs) and the other DNS which resolves only the internal IPs, I wanted to setup the reverse DNS and publish my internal DNS (the one at the DMZ) because am not sure about my ISP. 
I went through some trouble trying to create an SPF record with him, and I don't have any control panel or tools for my records on his side

On 10/13/05, *Ed Crowley [MVP]* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: I can't fathom why any organization would "have to". Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!

*From:* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]] *On Behalf Of *Derek Harris *Sent:* Wednesday, October 12, 2005 3:35 PM *To:* ActiveDir@mail.activedir.org mailto:ActiveDir@mail.activedir.org *Subject: *RE: [ActiveDir] Reverse DNS I agree with Aric's advice: don't expose your internal DNS server unless you "have to." Network Solutions hosts my DNS records, and I can manage them myself using their web-based tools. The only gripe I've got with them is that they won't host SPF records.

*From:* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] ] *On Behalf Of *Bernard, Aric *Sent:* Wednesday, October 12, 2005 3:08 PM *To:* ActiveDir@mail.activedir.org mailto: ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] Reverse DNS You probably do not want to go out and expose your internal DNS server (presumably supporting your internal forest) to the Internet. Your internal DNS names and IP addresses should remain private, unless of course you are using public IP addresses internally and in such a case you would only want to expose those required externally. 
It is highly likely that your ISP already has some form of a reverse lookup zone in place for your subnet even if it only has generic records. If that is the case, I would probably go about just having them modify the existing zone altering the existing records with the proper names of your systems unless you cannot depend on them for timely changes (find another ISP) or you have a lot of PTR records that need to be published externally or the records you do publish will be fairly dynamic. Regards, Aric

*From:* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]] *On Behalf Of *rubix cube *Sent:* Wednesday, October 12, 2005 1:44 PM *To:* ActiveDir@mail.activedir.org mailto:ActiveDir@mail.activedir.org *Subject:* Re: [ActiveDir] Reverse DNS Thanks all, And when I configure the DNS reverse zone on my internal DNS server and ask my ISP to delegate my subnet (We pay monthly fees for the subnet and internet access), then anything else I should do? to my internal DNS, should I publish my internal
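The set-up the thread converges on (ISP delegates the subnet, you host the PTR records next to the forward records of the published DMZ hosts, nothing internal exposed) as an added example; this is not code from the list. The block 198.51.100.0/28 (TEST-NET-2), the example.net host names and the forward/reverse consistency check are constructed placeholders for the ISP-assigned addresses and the roughly 15 published servers.

```python
"""Reverse-lookup helper for an ISP-delegated public block whose PTR records
you host yourself next to the forward zone of the DMZ hosts.  Added example,
not code from the list; the block 198.51.100.0/28 and the host names are
constructed placeholders."""
import ipaddress

# Constructed forward (A) records of the public-facing hosts only.  Internal
# names stay out: this zone is served to the Internet, which is the thread's
# point about not exposing the internal DNS server.
FORWARD = {
    "www.example.net.": "198.51.100.2",
    "mail.example.net.": "198.51.100.3",
    "vpn.example.net.": "198.51.100.4",
}
DELEGATED = ipaddress.ip_network("198.51.100.0/28")  # placeholder ISP block


def ptr_records(forward, delegated):
    """Build PTR records (owner name -> host name) for every A record and
    refuse addresses outside the delegated block: a PTR there would never be
    queried because nobody delegated that space to this server."""
    ptr = {}
    for name, addr in forward.items():
        ip = ipaddress.ip_address(addr)
        if ip not in delegated:
            raise ValueError("%s (%s) is outside %s" % (name, addr, delegated))
        owner = ip.reverse_pointer + "."
        if owner in ptr:
            raise ValueError("two names claim %s: %s and %s" % (owner, ptr[owner], name))
        ptr[owner] = name
    return ptr


def owner_to_ip(owner):
    """Turn '2.100.51.198.in-addr.arpa.' back into an IPv4Address."""
    labels = owner.rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError("not a full IPv4 reverse owner: %s" % owner)
    return ipaddress.ip_address(".".join(reversed(labels[:4])))


def check_consistency(forward, reverse):
    """Forward-confirmed reverse DNS check: every A needs a PTR naming it and
    every PTR target needs an A pointing back.  Returns problem strings; an
    empty list means the two zones agree."""
    problems = []
    for name, addr in forward.items():
        owner = ipaddress.ip_address(addr).reverse_pointer + "."
        target = reverse.get(owner)
        if target is None:
            problems.append("no PTR for %s (%s)" % (addr, name))
        elif target != name:
            problems.append("PTR for %s says %s, A record says %s" % (addr, target, name))
    for owner, target in reverse.items():
        ip = owner_to_ip(owner)
        if forward.get(target) != str(ip):
            problems.append("PTR %s -> %s has no matching A record" % (owner, target))
    return problems


def zone_lines(reverse, ttl=3600):
    """Render the PTR records as zone-file lines for the reverse zone."""
    return ["%s %d IN PTR %s" % (owner, ttl, target)
            for owner, target in sorted(reverse.items())]


if __name__ == "__main__":
    rev = ptr_records(FORWARD, DELEGATED)
    print("\n".join(zone_lines(rev)))
    print("problems:", check_consistency(FORWARD, rev) or "none")
```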
RE: [ActiveDir] Knowing when users were deleted.
I suppose that this is why they pay folks who devise solutions to make this stuff work like it's supposed to the big bucks. shrug Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ...

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Sunday, October 16, 2005 8:54 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Knowing when users were deleted. Yup information overload 'is' a problem. And then after the scale it's... okay what the heck is the server trying to tell me? I'm still a fan of www.eventid.net over microsoft.com's click here.

Rick Kingslan wrote: And, as you know that does work well in SBSland. However, when the scale grows, so do the requirements. In the Medium to Enterprise space, the idea is more along the lines of a system or series of systems pumping this type of information into paging and making intelligent decisions based on the audit, event, alerts, services, etc. Which is right where MOM 2005 drops into the picture. If it _IS_ the event aggregator, or if it's pushing up to a bigger overall item such as HP OpenView - that data is available. It's just that instead of getting an e-mail per server (most admins would just begin to create a rule to send these to DEV/NUL after a while...) MOM collects, enforces and reports this same type of information. Scale makes the problem much tougher, as I'm sure you can imagine. Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ...

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Sunday, October 16, 2005 8:33 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Knowing when users were deleted. here she goes again.. I know ... I'm terrible at lurking. In SBSland we have a daily monitoring email [well ... 
I send it daily anyway, but it's configurable] and it looks at the event logs and tells daily health status of my server. Like today my email tells me my server has been running for 6 hours [just rebooted it last night] and it gives me an overview if auto services are not running, critical alerts and critical errors in the event logs. It tells me memory/disk size, cpu use, top processes, if the backup ran, and aggregates the alerts from all the log files. It's a health mon that dumps its data into a msde database and builds the email to be sent internally or externally. What it does now is only pull data from the one box, the SBS box. but I can go into health mon and build my own monitors and grab those event logs from other machines [need to do that, just haven't gotten around to it]. Right now if someone [usually me] fat fingers a password, for example, it gives me an alert in the email of the last time it occurred and how many occurrences. Basically it's tracking the critical alerts in all the event logs and summarizing the events along with the number of events in the email [and showing the last time the event occurred so you can start your investigation from that point back]. For SBS it's in the box, it's a gui wizard that builds this pretty little html email that my server builds and hits me every morning at 6 a.m and says Hey here's how I'm doing...how are you?. It's the mid market that doesn't have this. [and yes, we've told Mothership Redmond they need to steal this sucker and put it in the mid market server bundle] Does it make me more aware of events on my server? Oh you betcha it does. Which is why this needs to be as you say...native in small and medium servers... heck I'd strongly argue that no server should be shipped without some admin somewhere getting an in your face report on that sucker. I'll go to Frys and buy bigger harddrives if I need to. But give me a big fat audit log file and I'm a happy camper. 
Al Mulnick wrote: I'll see your Eurocents and raise you two. :) I fully understand where you're coming from Ulf. Adding this information into the DIT when it is currently possible to get is something that grates against common sense and common engineering principles even if you subscribe to belts and braces methodologies. However, I think two things make this a worthwhile request with a big payoff. First to Laura's point about diminishing returns. I agree, at some point there will be diminishing returns. I also believe that as hardware gets bigger (i.e. Standard 80 GB hard drives, 1 GB memory in workstation machines, etc. [1]) the bar gets raised until we get to the diminishing return. Since we're targeting 80/20 out of the box [2] it seems reasonable that 80% of the deployments would benefit from such a change. The other 20 would be those that a) don't care or know about such things and b) those that can't tolerate the additional overhead
RE: [ActiveDir] Knowing when users were deleted.
Susan, Really - I know you too well. You're not going to lurk. Get in the game. It appears most folks want to hear what you have to say from the Small Business arena. And, if it broadens the message of managing and maintaining the systems - it's good for all. Just please - stop convincing yourself you're lurking. You aren't! You're too valuable to do so... :o) Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ...

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Sunday, October 16, 2005 9:02 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Knowing when users were deleted. sorry .. I know...I know...lurk..lurk The consultant crowd who can't handle 300 SBS boxes hitting their inbox at 6 a.m have asked for a dashboard. I can handle a daily email; they can't. At a NT user group meeting I was at ...some of the dashboard tools in Linux were discussed. Nagios in particular was one they used for monitoring. Monitoring -- MRTG: The Multi Router Traffic Grapher: http://mrtg.hdl.com/mrtg.html Graphical console for Snort - Analysis Console for Intrusion Databases (ACID): http://acidlab.sourceforge.net/ Intrusion detection - Snort.org: http://www.snort.org/ Monitoring - Nagios: Home: http://www.nagios.org/ Traffic probe - ntop - network top: http://www.ntop.org/head.html

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: Yup information overload 'is' a problem. And then after the scale it's... okay what the heck is the server trying to tell me? I'm still a fan of www.eventid.net over microsoft.com's click here.

Rick Kingslan wrote: And, as you know that does work well in SBSland. However, when the scale grows, so do the requirements. 
In the Medium to Enterprise space, the idea is more along the lines of a system or series of systems pumping this type of information into paging and making intelligent decisions based on the audit, event, alerts, services, etc. Which is right where MOM 2005 drops into the picture. If it _IS_ the event aggregator, or if it's pushing up to a bigger overall item such as HP OpenView - that data is available. It's just that instead of getting an e-mail per server (most admins would just begin to create a rule to send these to DEV/NUL after a while...) MOM collects, enforces and reports this same type of information. Scale makes the problem much tougher, as I'm sure you can imagine. Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ...

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Sunday, October 16, 2005 8:33 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Knowing when users were deleted. here she goes again.. I know ... I'm terrible at lurking. In SBSland we have a daily monitoring email [well ... I send it daily anyway, but it's configurable] and it looks at the event logs and tells daily health status of my server. Like today my email tells me my server has been running for 6 hours [just rebooted it last night] and it gives me an overview if auto services are not running, critical alerts and critical errors in the event logs. It tells me memory/disk size, cpu use, top processes, if the backup ran, and aggregates the alerts from all the log files. It's a health mon that dumps its data into a msde database and builds the email to be sent internally or externally. What it does now is only pull data from the one box, the SBS box. but I can go into health mon and build my own monitors and grab those event logs from other machines [need to do that, just haven't gotten around to it]. 
Right now if someone [usually me] fat fingers a password, for example, it gives me an alert in the email of the last time it occurred and how many occurrences. Basically it's tracking the critical alerts in all the event logs and summarizing the events along with the number of events in the email [and showing the last time the event occurred so you can start your investigation from that point back]. For SBS it's in the box, it's a gui wizard that builds this pretty little html email that my server builds and hits me every morning at 6 a.m and says Hey here's how I'm doing...how are you?. It's the mid market that doesn't have this. [and yes, we've told Mothership Redmond they need to steal this sucker and put it in the mid market server bundle] Does it make me more aware of events on my server? Oh you betcha it does. Which is why this needs to be as you say...native in small and medium servers... heck I'd strongly argue that no server should be shipped without some admin somewhere getting an in your face report on that sucker. I'll go to Frys and buy bigger
RE: [ActiveDir] Documenting AD - ADMap requests fulfilled
You have more than just Steve on the list from Microsoft. If you want ADMap - send me an e-mail via little 'r' (meaning - reply to me directly [EMAIL PROTECTED]) and I'll respond with a mass e-mail of the latest version of ADMap in two batches - one on Tuesday before I head out of town again, and another next weekend after I get back. Happy to oblige. Rick [msft] -- Posting is provided AS IS, and confers no rights or warranties ...

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Thursday, October 13, 2005 3:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Documenting AD I don't know about generally available but Steve Lineham of MS made it temporarily available a few months ago to list members based on a similar thread here, maybe he will do so again if he sees this. There was also the following suggestion from David Adner- If you're a Premier customer ask your TAM (or some other friendly MS employee) for a tool called ADMap. This is a tool written by someone in Microsoft that will query your AD configuration and draw it in Visio (preferably version 2002 or higher). Although it's available to customers it's not available for download, hence the request to a MS employee.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Becker, Jim Sent: Thursday, October 13, 2005 12:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Documenting AD As I understand it, apparently MS used to provide an ADMap-like functionality in Visio 2000, but it was removed with 2002. Since I'm at V2003, I was wondering whether the admap program could be made generally available for all our benefit. Thanks, Jim Becker Asst. Dir. 
of Administrative Systems State University of New York System Administration [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, October 13, 2005 4:47 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Documenting AD I sent the file separately. admap will *not* answer most of the questions you have, however. You will still need to rely upon docs and being a good detective and researcher :) neil ___ Neil Ruston Global Technology Infrastructure Nomura International plc From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Sutton Sent: 13 October 2005 09:31 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Documenting AD Cheers for the hints so far, folks. keep em coming! :) Phil: I've tried finding a copy of ADMap on the web, but can't seem to download it from the windows-servers.info site. do you know anywhere else I can grab it from? For Troup Bywaters + Anders Tim Sutton T: +44 (0) 113 243 2241 F: +44 (0) 113 242 4024 E: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] W: www.TBandA.com http://www.tbanda.com/ Eastgate House 10 Eastgate Leeds LS2 7JL Office Location Map http://www.multimap.com/map/browse.cgi?client=publicdb=pccidr_client= nonelang=pc=LS27JLadvanced=client=publicaddr2=quicksearch=ls27jla ddr3=addr1= From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf Sent: 12 October 2005 16:54 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Documenting AD Some good comments on what to document. I will chime in to say that a lot of the initial stuff can be documented using ADMap and the GPMC, that will save you a bunch of work in Visio. If you have a TAM ask them to send you ADMap. 
Phil On 10/12/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Additional components: = Schema Database Administrative support model Domain controller spec DC/GC placement Exchange topology and design DNS design (zone type, placement etc etc) SYSVOL/FRS DFS Administration: === User and group admin and tools DC admin/support and tools Forest admin and ownership GPO admin and tools I'll stop there and let others chime in... neil ___ Neil Ruston Global Technology Infrastructure Nomura International plc -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] ] On Behalf Of Tim Sutton Sent: 12 October 2005 16:28 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Documenting AD Hey all, Being the local bod with AD knowledge at work I've been volunteered
RE: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs
joe, Steve may have completely different information than I do, but at present I'm not seeing empirical or preferred practice recommendations around 64-bit GCs in relation to Exchange. So, the recommendation is not changing - again, as I know it. Steve's environment is very different from mine and he is likely to have zero-day information that I won't have until it's posted internally on a DL or whitepaper. I'll be looking for his answer, too. Currently, unless I get data that tells me otherwise, Dual Core and MP == ~ same - even more so when dealing with AMD as, IMO, Intel blew their first dual core in an effort to get it to market. That being said, I suspect that the very benefit of being able to load up on memory and get the DIT in RAM is going to affect the recommendation more than proc will. By that I mean that it might be very realistic to see that I/O may begin to be a limiting factor - not so much network, but disk subsystems are going to have to be designed a bit more towards performance with the massive number of queries that these systems are capable of. As to the use of single proc GCs and scaling not being linear - I would suspect that the very fact that linear performance is not seen in MP has already been taken into account. Otherwise, the recommendation might have been 5 or 6 to 1. When you mention that you see some GCs get 'beat down' when others are pretty light, is this assuming the practice of creating an AD site for Exchange with dedicated DC/GCs, or a general population scheme? If the former, I haven't seen the issue that you cite in practice; if the latter - design to the former. I suppose that - in relation to counters, etc., that would be why I like to do a more formal capacity planning and performance gathering over time. 
I don't believe in point-in-time perf counter gathering as (you know this...) seeing it when the problem is occurring with no history for what is normal is basically - well, useless. I have no trail of bread crumbs in which to track down the problem. In relation to the counter gathering (I have no experience with Argent's offering, and SOME experience with MOM 2000 and 2005) I've found that MOM 2005 and the AD and Exchange MPs do a great job of gathering information that is valuable to me as someone who has to figure out what's wrong with these systems now and then. Before I joined Microsoft, we had MOM installed for just this reason. The history gathering abilities and leveraging AD and EXCH data over time allowed us to see exactly where our pain point was - and fix it in a relatively short period of time. This is as I know it today.. It could change later today or tomorrow :-) Rick [msft] --Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, October 14, 2005 4:58 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Domain Controller Consolidation utilizing Dual Core CPUs Speaking of which Steve I am starting to see questions of the type of how does 64 bit DC change the best practice 4:1 proc recommendations for Exchange to GC processor. Does PSS/MCS/Dev have any thoughts? Especially if you are able to cache the entire DIT. I have seen some 64 bit testing numbers from third parties but that is far from authoritative in terms of what MS thinks for the best practice numbers which weigh heavily with customers who want to do it the "Microsoft way". Ditto the dual core CPUs. 
Another one that recently came across my desk was if you have 4000 users on a 4 proc Exchange server and are currently using a single 1 proc GC and then you decide due to load on Exchange (say RPC load due to search/archive software which isn't impacting GCs) you want to go to 2 4 proc Exchange servers with 2000 users each, do you have to go to a dual proc GC or add another single proc GC or is it ok to stay with the one single proc GC? Oh and another question I was asked was about using single proc GCs versus MP GCs and how the scaling of MP wasn't linear so should that be somehow involved in the Exchange best practice numbers? It seems from my experience that you do better with making bigger and more powerful GCs in general because while Exchange does some limited logic round-robin load balancing at the server level, it doesn't do it at the site level amongst all Exchange servers so you can really start beating down a few GCs while the others see relatively light loading. Of course you don't want to have few GCs though in case you do have a problem so you throw a couple of extra larger GCs into the mix for fault tolerance for when you have to bring a GC down for maint or it just falls down for some reason. Also it seems that there is no real good way of determining exactly when you need to change your GC strategy for Exchange because your various
RE: [ActiveDir] salary(OT)
Tony Murray Said: Joe, I've had no complaints about you to date.

Good. I'll start. Here's your first. He's an over-bearing know-it-all looking for his first and second million. Plus, he uses more bandwidth than everyone combined. If someone asks, he - Could I stand a second domain controller up for redundant purposes? Can joe just say, Yes. Nope - never. You're going to get 15 pages minimum of OK - here's what *I'd* do. However, all that being said - we love joe and would never want him to change. Well, except for his clothes on occasion. And, dude - you need some of that Power Stripe deodorant. Seriously.

And, I'm sorry to hear that a book that isn't even available YET is only going to sell 2000 copies. How in the heck did you and Robbie get O'Reilly to agree to do a 3rd edition? Surely you jest when referencing that number. Oh, and I can't even find it referenced on O'Reilly's site yet. How about some pre-print advertising? You think THAT might boost your numbers? Love ya buddy!

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

I would not be surprised. I know this list has become quite popular and for good reason. It is one of the few places where I learn things that I don't stumble over myself. Many times I learn things when people make random comments about their environment which kicks a realization in myself on how something probably works in the backend. It is pretty cool. On the downside sounds like my total sales on Active Directory Third Edition will be in the area of 2000 copies which isn't going to buy me a 100ft ocean ready cruiser. ;o)

Understood on posting the lurker list. On top of the spammers, I am sure some lurkers would not be happy to be out-ed like that. I don't have an issue with lurkers myself. In fact I would love to hear we have some 25000 lurkers, it means a lot of people are getting a lot of good info.

Everyone has to send me 25% of their income. It's only fair really. Does the postal service even deliver to NZ?

joe

P.S. So now I am feeding everyone? No wonder my pantry is empty!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, October 13, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Well, if I told you we have around 1500 people subscribed in standard mode and a couple of hundred subscribed in digest mode, would you be surprised? :-) I could post the lurker list, but I don't really want spammers to get hold of it. Personally, I have no problem with lurkers. And, hey, it's my list. :-) On the subject of money, I'm considering operating the list in the style of a TV evangelist. Everyone has to send me 25% of their income. It's only fair really.

Tony

PS. Joe, I've had no complaints about you to date. Why would people want to bite the hand that feeds them?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 14 October 2005 12:09 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Oh just a joke, I don't think Tony would do it. Though I wouldn't mind Tony occasionally posting the lurker list, I am curious as to how many people I am getting mad at me any given day. :o)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Thursday, October 13, 2005 6:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Not to hijack this thread but, I hope lurking remains free.

Dan

Original Message
Subject: RE: [ActiveDir] salary(OT)
From: joe [EMAIL PROTECTED]
Date: Thu, October 13, 2005 2:50 pm
To: ActiveDir@mail.activedir.org

I have found that shooting for your contract salary is as good a target as any, but expect to miss unless you didn't get a very good contract rate. I have only seen one case where a company was willing to pay contract level fees to a FTE and that was back when I first got back into the industry (I burned out on it back when I was about 21 or so and left it) and had been completely screwed over by the contract house for my rate where they were making at least as much as I was. When I said I was leaving the FTE offer I received would have been a 60% raise from my previous salary. Unfortunately, the new contract position I was taking was a 100%+ increase and with OT (which you don't get as a FTE) ended up being a 200% increase. Anyway, you tend to take a considerable hit (I have seen reductions of 20%-75% for FTE offers and all but one of which I turned down cold) but you try to make it up in benefits such as vaca, retirement, insurance, etc. As a contractor you tend to have a different mindset than as an FTE as well. As a contractor it is
RE: [ActiveDir] Virtual Servers in Branch Offices
"Does placing the DC inside a virtual machine add any security? Would it be harder for someone with physical access to compromise the DC?"

Hmmm, interesting. Yes, and no. Physical access is always an issue, but the NTDS.DIT is not out there in the open on a disk as it might be in a traditional DC. However, anyone with a VS *COULD* mount and start your DC - so the same rules apply. Don't allow anyone you do not trust physical access to your systems.

As to domain member - I don't recall VS requiring Domain Membership (more, because I just haven't tried...). So, does this mean that a machine that is a work group system could host a VS with a number of DCs? Ummm - yeah. I suppose so. But, if it *IS* a domain member, then yes - it could likely authN off of the VM that it hosts - but obviously not at start up. Brings up a Schrödinger's cat quandary, now doesn't it?

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, October 14, 2005 2:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Thanks for the thoughts. And thanks Tony for the reference -- just finished reading it. Unfortunately, deploying the DC at HQ or simply authenticating over the WAN is not really an option. The WAN links are ok (and getting better) but are located in places where environmental (as in the weather) conditions often cause short interruptions. Does placing the DC inside a virtual machine add any security? Would it be harder for someone with physical access to compromise the DC? The white paper does not really make this clear. Also, I am assuming that a host machine would be a domain member, right? Does it authenticate off the virtual DC? [1] Thanks again.

-- nme

[1] This sort of reminds me of the scene in Animal House when they talk about the "whole universe as we know it existing under the fingernail of some other giant being..." Whoa, dude!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 13, 2005 12:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Other important factors in this scenario must be the physical and logical security of the server housing the DC role.
1. Will the server be securely locked away in the branches? If not, do not deploy a DC.
2. Do you trust the file server admins to have physical access to the server hosting the DC role?
3. Who administers the server that hosts the file and DC roles? Are they also trusted?
When designing the branch office, I would always ask the questions below, too:
1. Is a local DC required? i.e. what are the drawbacks if a DC is not deployed?
2. Is logon/startup traffic over the WAN larger than replication traffic over the WAN? If not, consider not deploying a local DC.
3. Does a local DC offer redundancy in the event of a WAN failure? If other apps are accessed over the WAN, then consider deploying the DC at a central location and not at the branch.

hth, neil
___
Neil Ruston Global Technology Infrastructure Nomura International plc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: 13 October 2005 01:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Here's a link to a Microsoft document that covers what you need to do to run a production DC on Virtual Server 2005. http://tinyurl.com/5enjd

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Thursday, 13 October 2005 11:30 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Servers in Branch Offices

Hi - Just to follow up on the design thread. Since I am placing DCs in small branch offices is there a value in using Virtual Server 2005 to create separate virtual boxes (DC file server) running on the same physical box? Some users have administrative access to the file server, and I'd love to keep them off the DCs. I am also curious about optimal physical and virtual drive configurations for such a box. I reviewed the thread here about Virtual Domain Controllers but it seemed to focus on using them as backups. I am talking about production. Any thoughts most welcome.

-- nme
RE: [ActiveDir] salary(OT)
joe said: Again, the reviewers did a fantastic job.

Of which, you will all notice when the book comes out, I am _NOT_ one of those reviewers.

joe said: They kept me honest

Which is one of the reasons _WHY_ I was not one of those reviewers.

Rick

P.S. Hey, joe :op

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Not out yet, I am expecting Mid November or Early December. I sent an email to see if I can find out. The book is NOT written in my voice, I tried as best as possible to maintain the voice that was there. I simply revised it though I did add a Chapter on ADAM and a chapter on some basic Exchange/AD Scripting. If you have the first or second edition I think you will find this edition worthy of picking up even if you don't have Windows Server 2003 SP1 or R2. I tried fleshing out and changing anything I didn't feel was right. Also the reviewers all did a bangup job finding things I missed. I admit I didn't sleep much in August or September. Tony may have noticed a lull in the list volume, me working on that book saved at least 2 bazillion helpless bits from being sacrificed.

I learned that revising a book may actually be harder than writing a book from scratch and you get paid less. Well maybe it is depending on if you know what you want to write about. With revising you can't just write, you have to read, reread, write, reread, write, reread, tweak, reread. When you change the flow and feel and voice it is like hitting a brick wall when reading. I am sure I didn't get rid of all of the bricks but I certainly tried to knock the walls down to a point where you can step over them without too much trouble. Anyway, I spent less time writing the ADAM chapter than I spent updating the security chapter. I know now that I probably should have just rewritten from scratch and it would have gone faster. Oh well, live and learn or don't live long.

Again, the reviewers did a fantastic job. They kept me honest when I tried to skip over some stuff when I got tired and I thank them profusely. I tried to do them justice in the small space provided to me for acknowledgements. Those are the things people tend not to look at at the front of the book. I do ask that if you pick up the book, you do look. Those, folks, deserve, the: attention.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe, Active Directory Third Edition What is this? Where is it?

RH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

I would not be surprised. I know this list has become quite popular and for good reason. It is one of the few places where I learn things that I don't stumble over myself. Many times I learn things when people make random comments about their environment which kicks a realization in myself on how something probably works in the backend. It is pretty cool. On the downside sounds like my total sales on Active Directory Third Edition will be in the area of 2000 copies which isn't going to buy me a 100ft ocean ready cruiser. ;o)

Understood on posting the lurker list. On top of the spammers, I am sure some lurkers would not be happy to be out-ed like that. I don't have an issue with lurkers myself. In fact I would love to hear we have some 25000 lurkers, it means a lot of people are getting a lot of good info.

Everyone has to send me 25% of their income. It's only fair really. Does the postal service even deliver to NZ?

joe

P.S. So now I am feeding everyone? No wonder my pantry is empty!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, October 13, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Well, if I told you we have around 1500 people subscribed in standard mode and a couple of hundred subscribed in digest mode, would you be surprised? :-) I could post the lurker list, but I don't really want spammers to get hold of it. Personally, I have no problem with lurkers. And, hey, it's my list. :-) On the subject of money, I'm considering operating the list in the style of a TV evangelist. Everyone has to send me 25% of their income. It's only fair really.

Tony

PS. Joe, I've had no complaints about you to date. Why would people want to bite the hand that feeds them?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 14 October 2005 12:09 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
RE: [ActiveDir] salary(OT)
Actually, I think that book and the Windows XP book are the only two that I haven't reviewed. As to why I wasn't asked - I dunno.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Hey I needed to maintain a certain quality. Did you send something to Robbie to say you wanted to review it? In the end we were begging for reviewers, I even took Dean as a reviewer and you know the edge I had to be on for that. He kept wanting to spell words wrong. Eventually I just took out all references to the words color, humor, and other or words.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, October 14, 2005 7:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe said: Again, the reviewers did a fantastic job.

Of which, you will all notice when the book comes out, I am _NOT_ one of those reviewers.

joe said: They kept me honest

Which is one of the reasons _WHY_ I was not one of those reviewers.

Rick

P.S. Hey, joe :op

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 6:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

Not out yet, I am expecting Mid November or Early December. I sent an email to see if I can find out. The book is NOT written in my voice, I tried as best as possible to maintain the voice that was there. I simply revised it though I did add a Chapter on ADAM and a chapter on some basic Exchange/AD Scripting. If you have the first or second edition I think you will find this edition worthy of picking up even if you don't have Windows Server 2003 SP1 or R2. I tried fleshing out and changing anything I didn't feel was right. Also the reviewers all did a bangup job finding things I missed. I admit I didn't sleep much in August or September. Tony may have noticed a lull in the list volume, me working on that book saved at least 2 bazillion helpless bits from being sacrificed.

I learned that revising a book may actually be harder than writing a book from scratch and you get paid less. Well maybe it is depending on if you know what you want to write about. With revising you can't just write, you have to read, reread, write, reread, write, reread, tweak, reread. When you change the flow and feel and voice it is like hitting a brick wall when reading. I am sure I didn't get rid of all of the bricks but I certainly tried to knock the walls down to a point where you can step over them without too much trouble. Anyway, I spent less time writing the ADAM chapter than I spent updating the security chapter. I know now that I probably should have just rewritten from scratch and it would have gone faster. Oh well, live and learn or don't live long.

Again, the reviewers did a fantastic job. They kept me honest when I tried to skip over some stuff when I got tired and I thank them profusely. I tried to do them justice in the small space provided to me for acknowledgements. Those are the things people tend not to look at at the front of the book. I do ask that if you pick up the book, you do look. Those, folks, deserve, the: attention.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

joe, Active Directory Third Edition What is this? Where is it?

RH

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] salary(OT)

I would not be surprised. I know this list has become quite popular and for good reason. It is one of the few places where I learn things that I don't stumble over myself. Many times I learn things when people make random comments about their environment which kicks a realization in myself on how something probably works in the backend. It is pretty cool. On the downside sounds like my total sales on Active Directory Third Edition will be in the area of 2000 copies which isn't going to buy me a 100ft ocean ready cruiser. ;o)

Understood on posting the lurker list. On top of the spammers, I am sure some lurkers would not be happy to be out-ed like that. I don't have an issue with lurkers myself. In fact I would love to hear we have some 25000 lurkers, it means a lot of people are getting a lot of good info.

Everyone has to send me 25% of their income. It's only fair really. Does the postal service even deliver to NZ?

joe

P.S. So now I am feeding everyone? No wonder my pantry is empty!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED
RE: [ActiveDir] Adding custom fields to AD
Yur just a problem child.

-r

-- Posting is provided AS IS, and confers no rights or warranties ...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, October 08, 2005 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Yeah, GPOs aren't AD. GPOs are an application that use AD. I hate GPOs. DNS too. :o)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, October 08, 2005 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Interesting question - and as to the 'implode point' for ESE/Jet Blue, Brettsh can answer that one. I'm pretty sure that we have a good idea on where the point of diminishing returns is, but it likely FAR exceeds what anyone might practically do today - even with added classes and attributes. As for why ESE - it works, it is self maintaining to a great degree, there is very little overhead in the DB, and it is quite optimized to the type of work that is required for AD. Brettsh can certainly add more.

I am one for preaching more svelte attitudes on your AD. As joe mentions - it's for authN purposes first and foremost. It CAN handle DNS, it does GPO (though - truth be told the majority of GPO function is but a link to an attribute, while the actual GPO pieces reside in SYSVOL, so not much AD - lots of FRS), etc. App Parts make sense in some arenas where the amount of data is going to be very small and contained to just a few areas. I, too, like joe advocate ADAM. I try to sell ADAM constantly as THE solution for most anything that doesn't have to do with authN. Customer AppDev wants to stuff new things into AD constantly. Partly, they don't know the down sides. Partly, they think they have to learn something new. Partly, they don't really care if YOUR AD is affected by their decisions, as long as they deliver the solution in the timeframe specified. So, it's up to you, Mr. Admin and Mr. Architect to tell whoever wants to use your AD, no - we don't do it that way because it's very bad. We will use ADAM. Get used to it.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Friday, October 07, 2005 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

That's a good point about plonking stuff in AD, a case of once a good thing comes along everyone wants to climb aboard. I remember doing ZENworks stuff with Novell where all the application configuration information for software distribution was shunted into NDS/E-Directory... all that bloat adds up replication-wise (still, at least there was partitioning). One thing I am curious about though is why MS opted for JET as the DB of choice for AD.. was it the only viable option at the time? What's the ceiling on actual database size before it caves in (performance-wise)?

Mylo

joe wrote:

I am going to basically say what the other said only I am going to put it this way. IF the data needs to be available at all locations or a majority of locations where your domain controllers are located, consider adding the data to AD. IF the data is going to be needed only at a couple of sites or a single site, put them into another store. My preference being AD/AM unless you need to do some complicated joins or queries of the data that LDAP doesn't support. There is also the possibility of using app partitions but if you were going to go that far, just use AD/AM.

The thing I have about sticking this data into AD is that AD is becoming, in many companies, a dumping ground of all the crap that was in all the other directories in the company. I realize this was the initial view from MS on how this should work but I worked in a large company and thought that was silly even then. The number one most important thing for AD is to authenticate Windows users. Every time you dump more crap into AD you are working towards impacting that capability or the capability to quickly restore or the ability to quickly add more DCs. The more I see the one stop everything loaded into ADs the more I think that the NOS directory should be NOS only.

Plus, I wonder how long before we hit some interesting object size limits. I have asked for details from some MS folks a couple of times on the issues with admin limit exceeded errors that you get when overpopulating a normal multivalue attribute (i.e. not linked) and it causing no other attributes to be added to the object. I wonder what other limits like that exist.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, August 09, 2005 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding custom fields to AD

Group, My manager wanted me to check, even though, I don't think that it is possible
RE: [ActiveDir] Adding custom fields to AD
"what would you think would be a good replacement for dns/wins?"

There currently isn't one. Not really even a viable option on the table. joe doesn't like DNS. The rest of the planet loves DNS - including those eggheads (loveable eggheads that they are) at IETF who are the holders of the standards, and they love DNS too. :-) Microsoft fought hard to get TO standards cooperation. Don't look for anything in the near future to break away from that in regards to DNS.

Rick

-- Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, October 08, 2005 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

I've had the reverse - last place I worked at had corrupted WINS at least once every 2 months (this could have been due to my lousy admin skills). I've never had issues with DNS (could be my dumb luck). Now I work for a corp that has netbios/tcp disabled and relies solely on DNS (both MS and BIND) with no name resolution issues. Also WINS replication seems much more complex than standard primary/secondary DNS replication. And I'm not one to think I know anything as an admin or would even think of getting into such a discussion with someone as experienced and knowledgeable as you, but I've always found DNS easier than WINS and netbios names in general. My only difficulty came with learning DNS on BIND/Linux and just wrapping my head around AD integrated DNS when I first came to Windows. Sometimes when you learn something via the command line, using the GUI just confuses things. Then again I'm probably one of those guys who "thinks" he knows DNS but really doesn't know anything and hasn't found out yet :(

What would you think would be a good replacement for dns/wins?

thanks

On 10/8/05, joe [EMAIL PROTECTED] wrote:

I wasn't saying I like WINS better than DNS or vice versa, just said I don't like DNS. I especially dislike the AD/DNS integration. I don't like chicken and egg problems.

BTW, as you bring up WINS.
1. I've never had a corrupted WINS Database.
2. Fewer admins had name resolution issues replication based issues with WINS than they do with DNS.
3. The complexity of DNS seems to put many admins off the deep end, interestingly enough, the same admins who said they couldn't figure out WINS say they know all about DNS.

But again, my comment wasn't I like WINS more than DNS, or I like any name resolution systems better than DNS, it was simply I don't like DNS.

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Saturday, October 08, 2005 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

ok, I'll bite. GPO's, I understand but what's there to hate about DNS? It's better than WINS. I've never had a corrupted DNS database.

thanks

On 10/8/05, joe [EMAIL PROTECTED] wrote:

Yeah, GPOs aren't AD. GPOs are an application that use AD. I hate GPOs. DNS too. :o)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Rick Kingslan
Sent: Saturday, October 08, 2005 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Interesting question - and as to the 'implode point' for ESE/Jet Blue, Brettsh can answer that one. I'm pretty sure that we have a good idea on where the point of diminishing returns is, but it likely FAR exceeds what anyone might practically do today - even with added classes and attributes. As for why ESE - it works, it is self maintaining to a great degree, there is very little overhead in the DB, and it is quite optimized to the type of work that is required for AD. Brettsh can certainly add more.

I am one for preaching more svelte attitudes on your AD. As joe mentions - it's for authN purposes first and foremost. It CAN handle DNS, it does GPO (though - truth be told the majority of GPO function is but a link to an attribute, while the actual GPO pieces reside in SYSVOL, so not much AD - lots of FRS), etc. App Parts make sense in some arenas where the amount of data is going to be very small and contained to just a few areas. I, too, like joe advocate ADAM. I try to sell ADAM constantly as THE solution for most anything that doesn't have to do with authN. Customer AppDev wants to stuff new things into AD constantly. Partly, they don't know the down sides. Partly, they think they have to learn something new. Partly, they don't really care if YOUR AD is affected by their decisions, as long as they deliver the solution in the timeframe specified. So, it's up to you, Mr. Admin and Mr. Architect to tell whoever wants to use your AD, no - we don't do it that way because it's very
RE: [ActiveDir] AD Restore Problem
However, as we have discussed here MANY, MANY times - it might not be SUPPORTED. That simply means that PSS is only going to give best effort. They are NOT going to tell you: Sorry - not supported. click. If they do - let me know. I'll love taking that one to the brass. As we know - DCs work quite well virtualized today, thank you very much.

Rick [msft, too]

P.S. The 'not supported' thing goes for most anything that you can dream up. Believe me - PSS will try to solve nearly anything. They might laugh - but they will try. And, gladly take your $245.00, or whatever per incident is on your given current supported or not supported pain.

-- Posting is provided AS IS, and confers no rights or warranties ...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, October 06, 2005 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Restore Problem

stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay. What does Sun, Linux, Mac or any other competing Server OS do in their world to ensure the Kingdom easily and quickly comes back up? yeah I know they don't have AD but they have to have some competing glue, right? What have they done if anything?

How to detect and recover from a USN rollback in Windows Server 2003: http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a Virtual Server environment is not supported... yet we SBSers have gotten word that once Exchange 2003 sp2 supports Vserver all of the parts of the 'standard' box will be supported in a virtual environment.

Brett Shirley wrote:

If you have any replicas of those servers, when you restore those VMWare images, you will have corrupted your forest during restore.

-BrettSh [msft]

This posting is provided AS IS with no warranties, and confers no rights.

On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

I am working my way down the VMWare path also for my ultimate DR ace in the hole. The environment is a TLD with 4 child domains. I am planning on running a single VMWare server that has virtual DCs for all 5 domains. I am going to peel off a dedicated site/vlan and put the physical VMWare server and all of the DC virt servers in that site. None of the virtual DCs are going to be GCs. The reason for the dedicated site is so I can keep people from using them for validation in production. Once I have them running, I plan to use the VM scripting to gracefully shut them down once a day and then shoot the image file of the shutdown DC off to tape, which then goes off-site. After the backup completes I then restart the virtual servers. This plays into the different hardware scenario since I can use VMWare to abstract the hardware. Of course, this whole process is the backup to the normal system state backup of all my backbone DCs.

FWIW - Frank

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem

You will still need to abandon the snapshot/image approach. Go to http://www.mail-archive.com/activedir@mail.activedir.org/ and search for usn rollback. You can get the same information by searching support.microsoft.com, but without the colorful and enlightening commentary that the list provides.

Hunter
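The USN rollback that Brett, Hunter and the KB article above warn about can be checked for on a restored DC before it is let back onto the network. The following PowerShell script is an added example, not from any post in this thread; it assumes it is run in an elevated session on the DC itself and that repadmin.exe is present (it ships with the DC role). The registry value, Directory Service event IDs, replication flags and paused Netlogon service it looks at are the indicators KB 875495 documents.

```powershell
# Added example (not from the list thread): look for the USN rollback
# indicators that KB 875495 documents on a domain controller that has just
# been restored from an image or snapshot. Assumes an elevated session on
# the DC itself; repadmin.exe is present on every DC.

function Test-UsnRollbackIndicators {
    $ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    # 1. NTDS sets "DSA Not Writable" = 4 when it detects that its own
    #    USNs have gone backwards relative to what partners already saw.
    $dsaNotWritable = (Get-ItemProperty -Path $ntdsKey -Name 'DSA Not Writable' `
        -ErrorAction SilentlyContinue).'DSA Not Writable'

    # 2. Directory Service log: 2095 = a partner reported already-acknowledged
    #    USNs from this DC, 2103 = database restored with an unsupported
    #    procedure. Both are the events the KB tells you to look for.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue

    # 3. When NTDS quarantines itself it disables inbound and outbound
    #    replication and pauses Netlogon, so the DC cannot hand out stale data.
    $options   = & repadmin.exe /options $env:COMPUTERNAME 2>$null
    $replFlags = @($options |
        Select-String -Pattern 'DISABLE_(INBOUND|OUTBOUND)_REPL' -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object { $_.Value })
    $netlogon  = (Get-Service -Name Netlogon).Status

    $rollbackEvents = @($events | Select-Object TimeCreated, Id)
    $suspect = ($dsaNotWritable -eq 4) -or
               ($rollbackEvents.Count -gt 0) -or
               ($replFlags.Count -gt 0) -or
               ($netlogon -eq 'Paused')

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        DsaNotWritable   = $dsaNotWritable
        RollbackEvents   = $rollbackEvents
        ReplicationFlags = $replFlags
        NetlogonStatus   = $netlogon
        Suspect          = $suspect
    }
}

$report = Test-UsnRollbackIndicators
$report | Format-List

if ($report.Suspect) {
    Write-Warning ("USN rollback indicators found on {0}. Keep it isolated and follow the " +
                   "recovery procedure in KB 875495 rather than letting it replicate again.") -f $report.ComputerName
}
```

A clean DC returns no events, no DISABLE_*_REPL flags, a running Netlogon and no DSA Not Writable value; any one of the four indicators is enough to treat the restore as suspect, which is why the function reports all of them rather than stopping at the first.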
RE: [ActiveDir] Adding custom fields to AD
Interesting question - and as to the 'implode point' for ESE/Jet Blue, Brettsh can answer that one. I'm pretty sure that we have a good idea on where the point of diminishing returns is, but it likely FAR exceeds what anyone might practically do today - even with added classes and attributes. As for why ESE - it works, it is self maintaining to a great degree, there is very little overhead in the DB, and it is quite optimized to the type of work that is required for AD. Brettsh can certainly add more. I am one for preaching more svelte attitudes on your AD. As joe mentions - it's for authN purposes first and foremost. It CAN handle DNS, it does GPO (though - truth be told the majority of GPO function is but a link to an attribute, while the actual GPO pieces reside in SYSVOL, so not much AD - lots of FRS), etc. App Parts make sense in some arenas where the amount of data is going to be very small and contained to just a few areas. I, too, like joe advocate ADAM. I try to sell ADAM constantly as THE solution for most anything that doesn't have to do with authN. Customer AppDev wants to stuff new things into AD constantly. Partly, they don't know the down sides. Partly, they think they have to learn something new. Partly, they don't really care if YOUR AD is affected by their decisions, as long as they deliver the solution in the timeframe specified. So, it's up to you, Mr. Admin and Mr. Architect to tell whoever wants to use your AD, no - we don't do it that way because it's very bad. We will use ADAM. Get used to it. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo Sent: Friday, October 07, 2005 8:04 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Adding custom fields to AD That's a good point about plonking stuff in AD a case of once a good thing comes along everyone wants to climb aboard. 
I remember doing ZENworks stuff with Novell where all the application configuration information for software distribution was shunted into NDS/E-Directory... all that bloat adds up replication-wise (still, at least there was partitioning). One thing I am curious about though is why MS opted for JET as the DB of choice for AD.. was it the only viable option at the time? What's the ceiling on actual database size before it caves in (performance-wise)?

Mylo

joe wrote:

I am going to basically say what the other said only I am going to put it this way: IF the data needs to be available at all locations or a majority of locations where your domain controllers are located, consider adding the data to AD. IF the data is going to be needed only at a couple of sites or a single site, put them into another store. My preference being AD/AM unless you need to do some complicated joins or queries of the data that LDAP doesn't support. There is also the possibility of using app partitions but if you were going to go that far, just use AD/AM.

The thing I have about sticking this data into AD is that AD is becoming, in many companies, a dumping ground of all the crap that was in all the other directories in the company. I realize this was the initial view from MS on how this should work but I worked in a large company and thought that was silly even then. The number one most important thing for AD is to authenticate Windows users. Every time you dump more crap into AD you are working towards impacting that capability or the capability to quickly restore or the ability to quickly add more DCs. The more I see the one stop everything loaded into ADs the more I think that the NOS directory should be NOS only.

Plus, I wonder how long before we hit some interesting object size limits. I have asked for details from some MS folks a couple of times on the issues with admin limit exceeded errors that you get when overpopulating a normal multivalue attribute (i.e. not linked) and it causing no other attributes to be added to the object. I wonder what other limits like that exist.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, August 09, 2005 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding custom fields to AD

Group,

My manager wanted me to check, even though I don't think that it is possible, but I will present the question. He would like to add some custom fields, about 30, to AD. He would like to add bio information into AD to be pulled by Sharepoint and other applications for people to read. I think that this is a waste of time, space and effort. However, it is not my call and if this is what he wants... What are everyone's thoughts on the topic?

Thanks
S
RE: [ActiveDir] Adding custom fields to AD
Oh, and just so there is no question - see addition to my post below. (yeah - I'm not yet used to the disclaimer thingie)

Rick [msft]
-- Posting is provided AS IS, and confers no rights or warranties ...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, October 08, 2005 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Interesting question - and as to the 'implode point' for ESE/Jet Blue, Brettsh can answer that one. I'm pretty sure that we have a good idea on where the point of diminishing returns is, but it likely FAR exceeds what anyone might practically do today - even with added classes and attributes. As for why ESE - it works, it is self maintaining to a great degree, there is very little overhead in the DB, and it is quite optimized to the type of work that is required for AD. Brettsh can certainly add more.

I am one for preaching more svelte attitudes on your AD. As joe mentions - it's for authN purposes first and foremost. It CAN handle DNS, it does GPO (though - truth be told the majority of GPO function is but a link to an attribute, while the actual GPO pieces reside in SYSVOL, so not much AD - lots of FRS), etc. App Parts make sense in some arenas where the amount of data is going to be very small and contained to just a few areas.

I, too, like joe advocate ADAM. I try to sell ADAM constantly as THE solution for most anything that doesn't have to do with authN. Customer AppDev wants to stuff new things into AD constantly. Partly, they don't know the down sides. Partly, they think they have to learn something new. Partly, they don't really care if YOUR AD is affected by their decisions, as long as they deliver the solution in the timeframe specified. So, it's up to you, Mr. Admin and Mr. Architect to tell whoever wants to use your AD, no - we don't do it that way because it's very bad. We will use ADAM. Get used to it.
Rick [msft]
-- Posting is provided AS IS, and confers no rights or warranties ...
RE: [ActiveDir] Active Directory Permissions
blanks and dupes here

-r

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 01, 2005 10:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Permissions

Michael Smith's last post with this title showed up as blank for me.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, September 01, 2005 9:28 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Active Directory Permissions

Is anyone else receiving blank posts, per the enclosed, or occasional dupes?

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Thursday, September 01, 2005 8:52 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Permissions
RE: [ActiveDir] Infrastructure Master and adprep /domainprep
I suppose it's much like my gaffe of a couple weeks ago with our good friend Bernard Aric (sic) from HP. (Cheers, Aric!)

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Monday, August 29, 2005 5:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastructure Master and adprep /domainprep

Yep, that was him. Drat, dunno why I had Luther in my head as being his first name.

- L

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, August 29, 2005 12:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastructure Master and adprep /domainprep

Heavy German accent? I suspect that it was Andreas Luther (and looks nothing like Guido). And - it might have been DEC as Andreas was there for the Identity Management (read: MIIS) portion of the conference.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Sunday, August 28, 2005 7:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastructure Master and adprep /domainprep

Oddly enough, this exact topic came up in a dinner conversation at Tech Ed this year.[1] Luther... oh heck, somebody remind me of his last name... had apparently quizzed people with this one at a previous conference (DEC?), only to ultimately reveal that the answer was "You know how people always ask you what the IM FSMO does? Well, now you can tell them that it's responsible for running /domainprep."

[1] Please hold the jokes about having dinner conversations about Active Directory internals until the end, please. :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Sunday, August 28, 2005 7:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Infrastructure Master and adprep /domainprep

Hi all

Does anyone know why the documentation suggests that adprep /domainprep be run on the DC holding the IM FSMO role? I heard a rumour to the effect that it was only because that DC is likely to be less busy than the other DCs, but I'd like to know for sure.

Tony
RE: [ActiveDir] Infrastructure Master and adprep /domainprep
Guido is doing that for me, I'm quite sure. Any time anyone mentions IM to me, I want to add them to my contact list. I'm much like a teenage little girl in that regard (and scream like one too, when frightened! :-) VBG

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, August 29, 2005 6:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastructure Master and adprep /domainprep

IFM is an odd abbreviation of the Infrastructure Master role. I think IM is more typical.

-B

On Mon, 29 Aug 2005, Grillenmeier, Guido wrote:

Andreas actually teased me with this at the second DEC in US (must have been 2003 in Scottsdale, Arizona), as I also wondered why the IFM would be required for this role. So after a good discussion about the IFM's functions it was clear there was absolutely no technical requirement that adprep /domainprep be performed on the IFM FSMO ;-) The only reason the IFM was chosen to perform this special task is: they had to ensure that the domainprep will only be performed on a single DC in a domain and all the other FSMOs already had many more special tasks than the IFM - this is why the domainprep was bound to be executed on the IFM FSMO.

/Guido
RE: FW: [Fwd: RE: [ActiveDir] Password policy change]
Yep - I've been through this just of late. If the Change at next logon is set, IIS doesn't have that level of function to allow this to take place through the current functions.

Rick
-- Posting is provided AS IS, and confers no rights or warranties ...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Saturday, August 27, 2005 5:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: FW: [Fwd: RE: [ActiveDir] Password policy change]

Yes that enables the password change functionality through OWA, but I don't believe that will help this particular situation. When you set the User Must Change Password at Next Logon bit then logon to OWA I don't think OWA will dump you to a password change screen. That Password Change screen is only something you can access once in OWA as far as I know.

To address the question about password expiry and OWA users, when you log in with OWA it will tell you that your password is getting close to expiring so it gives you a heads up that you need to change your password soon, whether that is through the IIS Password change tool or some other password change facility.

Phil

On 8/27/05, joe [EMAIL PROTECTED] wrote:

From a shy lurker MVP

It appears it is something you can enable. It isn't strictly part of OWA but the old IIS Password change tool. I recall there being issues with that tool and that is why they stopped enabling it by default but can't recall what they were this late at night or this early in the morning whatever it may be. ;o)

Thanks for the assist Mom. :)

-----Original Message-----
Sent: Saturday, August 27, 2005 2:24 AM
To: [EMAIL PROTECTED]
Subject: [Fwd: RE: [ActiveDir] Password policy change]

http://www.petri.co.il/enable_password_changing_through_owa_in_exchange_2003.htm

-------- Original Message --------
Subject: RE: [ActiveDir] Password policy change
Date: Sat, 27 Aug 2005 02:16:14 -0400
From: joe [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org

Yep, OWA is Outlook Web Access. If you haven't seen it, it is gorgeous in Exchange 2003. It looks almost exactly like Outlook. Unfortunately, if your password is expired (forced or otherwise) you aren't getting into OWA. I also don't believe it has a password change function if you just want to go and change it, but that could be something that could be enabled. Alternatively you set up another web page to do it.

As for the OP's original issue. It all comes down to implementation. You told the system to not allow people to change the password if the password age was less than one day and then were confused when it did exactly that. The reason for it is that there is one attribute for password age, pwdLastSet, and it doesn't distinguish between a helpdesk set operation or a normal password change, they are both password changes and you only want one day between every change. The proper way to handle that case is to force the users to change their password on next logon (which sets the pwdLastSet to 0), but as you know, that will kill OWA users. So you either need another process to follow for OWA only users, install some third party or custom inhouse tool, or drop the minimum password aging.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SysPro Support
Sent: Saturday, August 27, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password policy change

You're right Aaron, I didn't know what it meant! I am not an Outlook sort of person (we use Notes...), but the inferred statement surprises me. It suggests that if the must change password is set, you can't logon to Outlook Web Access. This would suggest that forcing users to change password after (say) 28 days is also a no-no. And, it would also suggest that Outlook Web Access won't let you change your password. If it did, it would surely allow you to logon, then require you to change the password before you do anything.. This all seems unlikely, given Microsoft's recommended use of forcing password changes on a regular basis and forcing users to change a password when a new user is created. If it is all true, maybe you have to provide some way that the users can go to a Citrix portal and change their password there, then go back and use Outlook Web Access.

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml

----- Original Message -----
From: Aaron Visser [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, August 27, 2005 8:59 AM
Subject: Re: [ActiveDir] Password policy change
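joe's explanation of pwdLastSet and minimum password age can be checked against a few numbers. The block below is an added example for this thread, not code from the list or from Microsoft; it models how AD stores the values (pwdLastSet as a FILETIME, 0 meaning "change at next logon", minPwdAge and maxPwdAge as negative 100 ns intervals) and reproduces the OP's symptom: a helpdesk reset restarts the one-day clock exactly like a user change, while a forced change is exempt from it. The one-day/42-day policy and the reset time are constructed, and the OWA expiry heads-up Phil mentions is modelled as a simple warning window whose 14-day default is my assumption.

```python
"""
Worked model of the rules joe spells out above: each account has a single
pwdLastSet timestamp (a FILETIME, 100 ns ticks since 1601-01-01 UTC), a
pwdLastSet of 0 is how "User must change password at next logon" is stored,
and the domain's minPwdAge and maxPwdAge are negative intervals in the same
100 ns units. A helpdesk reset stamps pwdLastSet exactly like a user-initiated
change, so it restarts the same minimum-age clock. Constructed example; the
policy values and account timestamps below are not from any real domain.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000                 # FILETIME and AD age intervals count 100 ns ticks
ONE_DAY = 24 * 3600 * TICKS_PER_SECOND
NEVER_EXPIRES = -(2 ** 63)                    # maxPwdAge as stored when the policy says "0" (never)


def utc(year, month, day, hour=0, minute=0) -> datetime:
    """Helper for constructed UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # Integer arithmetic on purpose: at ~1.3e17 ticks a float would drop the low digits.
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def must_change_at_next_logon(pwd_last_set: int) -> bool:
    return pwd_last_set == 0


def password_change_allowed(pwd_last_set: int, min_pwd_age: int, now: datetime) -> bool:
    """Whether the user may change their own password at `now`.

    min_pwd_age is minPwdAge as stored: negative, e.g. -ONE_DAY for one day.
    A forced change (pwdLastSet 0) is exempt from the minimum age; any other
    stamp, including one written by a helpdesk reset, has to age out first.
    """
    if must_change_at_next_logon(pwd_last_set):
        return True
    age = datetime_to_filetime(now) - pwd_last_set
    return age >= -min_pwd_age


def password_expires_at(pwd_last_set: int, max_pwd_age: int) -> Optional[datetime]:
    """Expiry instant, or None when passwords never expire or a change is already forced."""
    if max_pwd_age in (0, NEVER_EXPIRES) or must_change_at_next_logon(pwd_last_set):
        return None
    return filetime_to_datetime(pwd_last_set - max_pwd_age)   # minus a negative: adds the age


def expiry_warning(pwd_last_set: int, max_pwd_age: int, now: datetime,
                   warn_days: int = 14) -> Optional[float]:
    """Days left until expiry when inside the warning window (negative once expired), else None.

    Models the heads-up Phil describes OWA giving; the 14-day window is an assumption.
    """
    expires = password_expires_at(pwd_last_set, max_pwd_age)
    if expires is None:
        return None
    days_left = (expires - now) / timedelta(days=1)
    return days_left if days_left <= warn_days else None


# Constructed scenario: the OP's one-day minimum age, a 42-day maximum age,
# and a helpdesk reset performed at 23:00 UTC on 26 August 2005.
MIN_PWD_AGE = -ONE_DAY
MAX_PWD_AGE = -42 * ONE_DAY
HELPDESK_RESET = datetime_to_filetime(utc(2005, 8, 26, 23, 0))

if __name__ == "__main__":
    an_hour_later = utc(2005, 8, 27, 0, 0)
    print(password_change_allowed(HELPDESK_RESET, MIN_PWD_AGE, an_hour_later))  # False: the OP's symptom
    print(password_change_allowed(0, MIN_PWD_AGE, an_hour_later))               # True: forced change
    print(password_expires_at(HELPDESK_RESET, MAX_PWD_AGE))                      # 2005-10-07 23:00 UTC
    print(expiry_warning(HELPDESK_RESET, MAX_PWD_AGE, utc(2005, 9, 30, 23, 0)))  # 7.0
```

The three options joe lists at the end map directly onto the model: a separate process for OWA-only users leaves pwdLastSet alone, a custom tool would have to write it with the forced-change value, and dropping the minimum age makes `min_pwd_age` zero so the first check always passes.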
RE: [ActiveDir] Infrastructure Master and adprep /domainprep
Heavy German accent? I suspect that it was Andreas Luther (and looks nothing like Guido). And - it might have been DEC as Andreas was there for the Identity Management (read: MIIS) portion of the conference.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Sunday, August 28, 2005 7:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Infrastructure Master and adprep /domainprep

Oddly enough, this exact topic came up in a dinner conversation at Tech Ed this year.[1] Luther... oh heck, somebody remind me of his last name... had apparently quizzed people with this one at a previous conference (DEC?), only to ultimately reveal that the answer was "You know how people always ask you what the IM FSMO does? Well, now you can tell them that it's responsible for running /domainprep."

[1] Please hold the jokes about having dinner conversations about Active Directory internals until the end, please. :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Sunday, August 28, 2005 7:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Infrastructure Master and adprep /domainprep

Hi all

Does anyone know why the documentation suggests that adprep /domainprep be run on the DC holding the IM FSMO role? I heard a rumour to the effect that it was only because that DC is likely to be less busy than the other DCs, but I'd like to know for sure.

Tony
RE: [ActiveDir] 2003AD - 2000AD Trust with LMHOST?
Are you talking about external trusts? If so, then yes. You would follow the same procedures as you would for a Win2x to NT 4.0. You'll need to specify the #DOM, #PRE to get the 1B, 1C records loaded. As we discussed a few weeks ago, this is the rather archaic method to do it, but if you don't have access to the WINS or DNS - you don't have many other options left to choose from.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, August 28, 2005 10:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003AD - 2000AD Trust with LMHOST?

Haven't been able to find many answers via googling unfortunately :-( I know 2000/2003 - NT4 trust creation can be done via LMHOST/WINS but can 2003 AD - 2000 AD trust creation be done via resolutions provided by LMHOSTs only? Reason being DNS is really out of my control (handled by another team), so conditional forwarding/stub zones are out of the way.

Thanks lots!

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
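The #PRE/#DOM entries Rick refers to are easy to get wrong in a hand-written LMHOSTS file, so here is an added example, not code from the list or from Microsoft, that parses one and lists the NetBIOS records it would preload: the plain host name, the domain's <1C> group name produced by #DOM:, and the <1B> domain master browser name, which has to be written in the quoted, 15-character-padded "\0x1b" form. The sample file and the LEGACY domain are constructed; showing plain host entries under the <20> suffix is a display choice of mine, since the file itself maps only the 15-character name.

```python
"""
Parser for LMHOSTS entries: "#PRE" preloads an entry into the NetBIOS name
cache, "#DOM:domain" additionally registers the address under DOMAIN<1C>, and a
quoted name padded to 15 characters followed by "\\0x1b" registers the explicit
<1B> (domain master browser) name. Any other token starting with '#' begins a
comment. Constructed example; the sample file below is not a real network.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DOMAIN_CONTROLLERS = 0x1C      # group name every DC in the domain registers
DOMAIN_MASTER_BROWSER = 0x1B   # unique name held by the PDC / PDC emulator
SERVER_SERVICE = 0x20          # suffix used here to display plain host entries

_LINE = re.compile(r'^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+("[^"]*"|\S+)(.*)$')
_QUOTED = re.compile(r'^"(.{15})\\0x([0-9A-Fa-f]{2})"$')   # "NAME<pad to 15>\0x1b"


@dataclass(frozen=True)
class NetbiosRecord:
    name: str      # NetBIOS name without padding, upper case
    suffix: int    # 16th byte, e.g. 0x1C
    ip: str
    preload: bool


def _parse_name(token: str) -> Tuple[str, int]:
    """Bare names get the server-service suffix; quoted names carry their own."""
    m = _QUOTED.match(token)
    if m:
        return m.group(1).rstrip().upper(), int(m.group(2), 16)
    if token.startswith('"') or len(token) > 15:
        raise ValueError(f"bad LMHOSTS name: {token}")
    return token.upper(), SERVER_SERVICE


def parse_lmhosts(text: str) -> List[NetbiosRecord]:
    records: List[NetbiosRecord] = []
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue                               # blank or comment-only line
        ip, name_token, rest = m.groups()
        preload, domain = False, None
        for tok in rest.split():
            if tok == "#PRE":
                preload = True
            elif tok.startswith("#DOM:"):
                domain = tok[len("#DOM:"):].upper()
            elif tok.startswith("#"):
                break                              # any other '#' starts a comment
        name, suffix = _parse_name(name_token)
        records.append(NetbiosRecord(name, suffix, ip, preload))
        if domain:
            records.append(NetbiosRecord(domain, DOMAIN_CONTROLLERS, ip, preload))
    return records


def domain_controllers(records: List[NetbiosRecord], domain: str) -> List[str]:
    """Addresses registered under DOMAIN<1C>, in file order."""
    return [r.ip for r in records if r.name == domain.upper() and r.suffix == DOMAIN_CONTROLLERS]


def master_browser(records: List[NetbiosRecord], domain: str) -> Optional[str]:
    """Address registered under DOMAIN<1B>, or None when the file lacks that entry."""
    hits = [r.ip for r in records if r.name == domain.upper() and r.suffix == DOMAIN_MASTER_BROWSER]
    return hits[0] if hits else None


def preloaded(records: List[NetbiosRecord]) -> List[NetbiosRecord]:
    return [r for r in records if r.preload]


# Constructed sample: a Windows 2000 AD domain "LEGACY" reachable only via LMHOSTS.
SAMPLE_LMHOSTS = (
    "# LMHOSTS for the LEGACY trust (constructed sample)\n"
    "10.1.0.5     W2KDC1   #PRE #DOM:LEGACY   # DC and PDC emulator\n"
    "10.1.0.6     W2KDC2   #PRE #DOM:LEGACY\n"
    '10.1.0.5     "' + "LEGACY".ljust(15) + '\\0x1b"   #PRE   # domain master browser\n'
    "10.1.9.9     FILESRV                      # plain host, not preloaded\n"
)

if __name__ == "__main__":
    for r in parse_lmhosts(SAMPLE_LMHOSTS):
        print(f"{r.name:<15} <{r.suffix:02X}>  {r.ip:<12} {'#PRE' if r.preload else ''}")
```

The quoted <1B> line is the one people most often miss: without it the cache has the <1C> group for the domain but nothing for the unique master browser name, which is the record Rick says the trust setup needs alongside <1C>.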
RE: [ActiveDir] Ports during authentication/logons...
I would really suspect that this is soon not going to be true and may not be at this point (don't know, haven't asked yet). Think of it this way: NAP (Network Access Protection) is going to have one heck of a time working if DC - Member isn't a supported scenario. As to the 135 traffic on AuthN, I'd happily take a look at the trace. I'll have a few minutes tomorrow.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, August 24, 2005 11:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

I would normally look at the IPSec route, too, but it's not (as far as I know) supported by MS between domain members and DC's. It's supported member-member and DC-DC, but not members-DC's. At least, not if Kerberos is used. Not sure how they feel about certs. Shared keys just wouldn't be an option. Specifically, though, they have their backs up with 135. Do you know what's using it during a logon/GPO process/??

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, August 24, 2005 10:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ports during authentication/logons...

David,

If you really, really want to use the absolute minimum ports through a firewall, use IPSec tunnel mode. However, your Network Engineers (or whoever manages your Firewalls) may not like it. Reason? Likely the same reason that I got when I suggested this at a previous employer: "Well, if you put it in IPSec tunnels, then we won't be able to see or sniff it." My question: "Why do you need to sniff or see it?" No answer.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, August 24, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ports during authentication/logons...

It's been a few weeks, so time for another question on ports. MS's whitepaper that discusses how to setup AD to communicate through a firewall (the one that focuses primarily on DC to DC communication) lists the following ports needed to service "User Login and Authentication" and "Computer Login and Authentication":

445 TCP/UDP
88 TCP/UDP
389 UDP
53 TCP/UDP

(I would add ICMP for GPO processing.)

Most people who normally respond to "what ports are needed..." include 135. I just ran a Netmon trace during a logon from an XP machine and do see some traffic hitting 135. I also see traffic hitting 137 and 139. I'm not good at reading traces so I don't really know what's happening besides the basic traffic flow. Does anyone know what 135 (and 139 I suppose) are being used for? And if they're blocked does it totally break everything or just limit certain functions?

I am not worried about DC to DC communication. The scenario is member systems separated from DC's with a firewall and the network folks want to allow the absolute minimum ports.

Thx
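David's Netmon question is a check that can be automated. The block below is an added example, not code from the list, from Microsoft or from the whitepaper; it sorts member-to-DC flows from a trace summary into the ports David quotes (445, 88, 389/UDP, 53, plus the ICMP he adds) and everything else, then labels the leftovers with their well-known service names so 135, 137 and 139 stand out for the firewall discussion. The trace lines and addresses are constructed; the service labels are general port knowledge, not taken from the whitepaper.

```python
"""
Audit of logon-time traffic against the port list quoted from the MS firewall
whitepaper. Flows whose destination is a DC are split into the documented
minimum set and everything else; the leftovers are labelled so a reviewer can
see what a block would break. Constructed example; the trace summary below is
not from a real capture.
"""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, str, str, Optional[int]]          # (src, dst, proto, dst_port)

# Logon/authentication ports exactly as quoted in the thread, keyed by (protocol, port).
DOCUMENTED = {
    ("TCP", 445): "SMB", ("UDP", 445): "SMB",
    ("TCP", 88): "Kerberos", ("UDP", 88): "Kerberos",
    ("UDP", 389): "LDAP (UDP)",
    ("TCP", 53): "DNS", ("UDP", 53): "DNS",
    ("ICMP", None): "ICMP (GPO processing)",
}

# Labels for ports outside that list; general knowledge, not from the whitepaper.
WELL_KNOWN = {
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    389: "LDAP",
}

# Constructed Netmon-style summary: src dst proto dst_port ("-" for ICMP).
SAMPLE_TRACE = """\
# member 10.2.0.50 logging on against DC 10.1.0.5 (constructed)
10.2.0.50 10.1.0.5 UDP 53
10.2.0.50 10.1.0.5 UDP 389
10.2.0.50 10.1.0.5 TCP 88
10.2.0.50 10.1.0.5 TCP 445
10.2.0.50 10.1.0.5 ICMP -
10.2.0.50 10.1.0.5 TCP 135
10.2.0.50 10.1.0.5 UDP 137
10.2.0.50 10.1.0.5 TCP 139
10.2.0.50 10.1.0.5 TCP 135
10.1.0.5 10.2.0.50 TCP 88
"""


def parse_trace(text: str) -> List[Flow]:
    """One (src, dst, proto, dst_port) tuple per non-comment line."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, port = line.split()
        flows.append((src, dst, proto.upper(), None if port == "-" else int(port)))
    return flows


def audit(flows: List[Flow], dc_ips: Set[str]) -> Tuple[Counter, Counter]:
    """Count member->DC flows inside vs outside the documented minimum set.

    Only flows whose destination is a DC are judged: replies from the DC belong
    to the same conversation and do not need their own inbound rule.
    """
    documented: Counter = Counter()
    undocumented: Counter = Counter()
    for src, dst, proto, port in flows:
        if dst not in dc_ips:
            continue
        key = (proto, port)
        if key in DOCUMENTED:
            documented[key] += 1
        else:
            undocumented[key] += 1
    return documented, undocumented


def label_undocumented(undocumented: Counter) -> Dict[Tuple[str, Optional[int]], str]:
    """Name each flagged (proto, port) so the reviewer knows what a block would affect."""
    return {key: WELL_KNOWN.get(key[1], "unknown service") for key in undocumented}


if __name__ == "__main__":
    doc, undoc = audit(parse_trace(SAMPLE_TRACE), {"10.1.0.5"})
    print("documented  :", dict(doc))
    for key, label in label_undocumented(undoc).items():
        print(f"outside list: {key[0]}/{key[1]} x{undoc[key]}  ({label})")
```

Run against a real trace summary, the "outside list" lines are the ones to take to the network team with an explanation of the service behind each port, which is the part of David's question the list was still working out.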
RE: [ActiveDir] OT: Question on WSUS implementation and GPO's...
It's not likely due to GPO processing. GPOs themselves are typically very quick to process, unless there is either Software Install that is taking place through the GPO or complex WMI filtering that would slow it down. Otherwise, GPO is very fast. I've done testing with 1 GPO and with 50 GPOs... Appreciable difference in log on time? Less than 1 second. It's something else other than GPO.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven L Dunn
Sent: Thursday, August 25, 2005 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Question on WSUS implementation and GPO's...

Friends,

Our company is about to implement a WSUS server for patching and updates. I am wondering if there is any way to allow for breaking the updates down into groups (say by department) but using only a single GPO to do it? For instance, we have our legal and executive departments using a separate GPO, which would allow for them to get updates Tuesday @ 12:00 or Wednesday @ 12:00, respectively. Our other departments are set up along similar lines, with 5 GPO's in all active. What I'm seeing is a general slowdown in login processing time (from sign in to desktop appearing) due... I'm guessing, to the GPO having to run through and check against Group Membership or process. I'm looking for any ideas on whether this is the only arrangement for making this happen, or I'm missing something that might be a possibility.

Thanks in advance.

-Steve

--
Steven L. Dunn
Director of Information Technology
Illinois State Bar Association
[EMAIL PROTECTED] | 217-747-1455
RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?
And, given that Science has proven cockroaches will survive a nuclear war, it's even a worse choice than originally thought :o)

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 25, 2005 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

Good point. If it's a one-time thing, I'm thinking even 10K is a killer. And MIIS will be like nuking a cockroach.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Thu 8/25/2005 6:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

While I agree that Jerry has a good solution, I'm not sure I understand your complete requirement. Do you have a database that is the start of the identity lifecycle? Or is this a one time create? Is this something that you need to have records of? Any reason not to script it from SQL (very few lines of code to just create a new account object; to manage that account later is much more work intensive and MIIS or other is a better fit.) If this is a one time create, then just use some of the built in tools and SQL. If this is ongoing, then we need to hear some of the needs to put this in perspective.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kasper Sørensen
Sent: Thursday, August 25, 2005 8:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

Ohh... Hmm.. okay... Well, THANKS!! MIIS is very expensive.. So thanks..

On 8/25/05, Jerry Welch [EMAIL PROTECTED] wrote:

Kasper -

Or you can buy SimpleSync from CPS Systems (http://www.cps-systems.com/). Provides synchronization between any ODBC DB and AD or other LDAP directories. No additional SQL MetaDirectory. Cost for what you describe is about $10K. You can expect to be running in a matter of hours. 240 major companies and government agencies worldwide. As an example, Northrop Grumman uses SimpleSync between PeopleSoft/Oracle and AD to Provision and Maintain 90K user accounts. Online, web based demo anytime you would like.

Thanks, Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-4 GMT)
IP Phone (Skype): Jerry_Welch (http://www.skype.net/)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kasper Sørensen
Sent: Thursday, August 25, 2005 7:20 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft MIIS: Server 2003 AD and MSSQL 2000 integration?

Well.. If I buy MIIS, will it then be possible to import users that are stored in a MSSQL 2000 database, to Active Directory 2003?

--
Best Regards
Kasper Sørensen
www.mewe.dk
RE: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037)
Inline. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe Sent: Thursday, August 25, 2005 11:34 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Questions about hotfix 903235 (MS05-037) Hi - I've posted this elsewhere, but thought maybe not a bad idea to run it past this list for those that don't mind (thanks). I've seen the following behavior with regard to this hotfix 903235: (1) The bulletin MS05-037 states to check here for its existence (post installation): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0} In the past, the 'norm' for IExpress-type patches has been here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8ade8c02-8da6-4ec1-a9ee-ec00ff73ce98} [note: GUID above is specific to this hotfix] Why this change in documentation? [RTK] Not a change in documentation. The hotfix sets bits in the running of the actual component, so the compatibility flags are manipulated, rather than new moving parts. I acknowledge that the location changes, but this is due to how the hotfix affects the installed component, JView Profiler. (2) I find that the SRVINFO tool does NOT identify this hotfix on SP1 (XP) and SP4 (2000) machines. Was expecting to see it under the Internet Explorer 6 subheading of the SRVINFO output for these O/S. [RTK] Can't confirm or deny this one.. Don't have SRVINFO currently on anything (3) I find that MBSA v.2 neither identifies it as installed nor identifies it as missing on SP1/2 (XP) and SP4 (2000) machines. Can anyone else corroborate these findings? I'm told by our TAM that nobody else has reported this yet. [RTK] MBSA on my systems detect that it is either installed or not installed. Thanks!
-DaveC ReutersIST Service Delivery - Visit our Internet site at http://www.reuters.com To find out more about Reuters Products and Services visit http://www.reuters.com/productinfo Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
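Since the bulletin points at the ActiveX Compatibility key rather than the usual Installed Components entry, the practical verification is to read the Compatibility Flags value stored under that CLSID. The following is an added example, not code from the thread: it parses a .reg export of that key and reports whether the kill bit is set for the JView Profiler CLSID quoted above. The sample export is constructed, the second CLSID in it is a placeholder, and the kill-bit value 0x400 is Microsoft's documented meaning of that flag rather than something the thread states.

```python
"""
Read "Compatibility Flags" for a CLSID out of a .reg export of the
ActiveX Compatibility key.  Added example; not from the ActiveDir thread.
"""
import re

# Key the bulletin tells you to check (path quoted in the thread).
ACTIVEX_COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# CLSID of the JView Profiler component, as quoted in the thread.
JVIEW_PROFILER_CLSID = "{03D9F3F2-B0E3-11D2-B081-006008039BF0}"
# Documented "kill bit": IE refuses to instantiate the control when this is set.
COMPAT_KILL_BIT = 0x400

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_DWORD_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})\s*$')


def parse_compat_flags(reg_text):
    """Return {CLSID (upper-case): flags} for every CLSID subkey in the export."""
    flags = {}
    current = None
    prefix = (ACTIVEX_COMPAT_KEY + "\\").lower()
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            # Only CLSID subkeys of the compatibility key are of interest.
            current = key[len(prefix):].upper() if key.lower().startswith(prefix) else None
            continue
        value_match = _DWORD_RE.match(line)
        if value_match and current is not None:
            flags[current] = int(value_match.group(1), 16)
    return flags


def kill_bit_set(reg_text, clsid=JVIEW_PROFILER_CLSID):
    """True/False if the CLSID has a Compatibility Flags value; None if it is absent."""
    value = parse_compat_flags(reg_text).get(clsid.upper())
    if value is None:
        return None
    return bool(value & COMPAT_KILL_BIT)


# Constructed sample export (not captured from a real machine): the bulletin's
# CLSID with the kill bit set, plus a placeholder CLSID with no flags set.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000000
"""

if __name__ == "__main__":
    for clsid, value in sorted(parse_compat_flags(SAMPLE_REG).items()):
        state = "KILL BIT SET" if value & COMPAT_KILL_BIT else "not blocked"
        print(f"{clsid}: flags=0x{value:08X} ({state})")
```

To run this against a real machine, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" compat.reg` and read the file with `encoding="utf-16"` (reg.exe writes UTF-16 with a BOM) before passing its text to `kill_bit_set`. A `None` result means the hotfix has not written the subkey at all, which is a different finding from a flags value without the kill bit.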
RE: [ActiveDir] Ports during authentication/logons...
You've likely seen this, but it does describe ports needed for REPLICATION. However, Steve does talk about the benefits of using IPSec through a firewall. Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Wednesday, August 24, 2005 10:31 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Ports during authentication/logons... It's been a few weeks, so time for another question on ports. MS's whitepaper that discusses how to setup AD to communicate through a firewall (the one that focuses primarily on DC to DC communication) lists the following ports needed to service User Login and Authentication and Computer Login and Authentication: 445 TCP/UDP 88 TCP/UDP 389 UDP 53 TCP/UDP (I would add ICMP for GPO processing.) Most people who normally respond to what ports are needed... include 135. I just ran a Netmon trace during a logon from an XP machine and do see some traffic hitting 135. I also see traffic hitting 137 and 139. I'm not good at reading traces so I don't really know what's happening besides the basic traffic flow. Does anyone know what 135 (and 139 I suppose) are being used for? And if they're blocked does it totally break everything or just limit certain functions? I am not worried about DC to DC communication. The scenario is member systems separated from DC's with a firewall and the network folks want to allow the absolute minimum ports. Thx
RE: [ActiveDir] hide an attribute
Tom Kern said: Say i use one of the custom attribute fields that Exchange creates and put a value in there and hide it from Domain users. what would break? how would i go about hiding that? just as an example [RTK] Hey, joe Just a suggestion. If someone asks you what time it is - don't tell him how to build a frelling Rolex! :oD I think all Tom wanted to know (though the background and technical detail is good) was How do I hide the FRELLING ATTRIBUTE? And, IF I DO, will it BREAK ANYTHING? So, Sparky, what have you got to say now? Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, August 21, 2005 12:37 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] hide an attribute Good good, that is what I like to hear. :o) You will want to buy copies for all your friends too. :o) The chapter may have been clear but it is was off on its examples as it didn't take into account inherited and explicit ACEs. That radically changes whether a delegation (or a denied delegation) will work or not. It still isn't perfect, but IMO, much better. It is a balance of time vs what needs to be done. The example you give is one of the harder things to clean up and no, I personally don't think it should be this hard, but then that is just my opinion. One thing to remember about Exchange, is that some of its access rights for reading attributes can be through Auth Users rights, especially on GCs in a multi-domain environment, I have been bitten by this in the past myself. Consider that permissions are granted to the Exchange Enterprise Servers group which is a domain local group so reading on a GC in another domain would be impacted unless there is some other access mechanism. An alternative would be to convert those DLGs to UGs as previously mentioned by Guido, again, MS PSS may have an issue with it so keep that in mind. The easiest way to handle this is to use the new confidentiality bit capability in SP1. 
The Exchange attributes shouldn't be Cat 1 attributes (systemflags 16 on their schema definition) so you should be able to lock them up that way. However, you will want to regrant access back to Exchange. Unfortunately, I am not aware of any tools MS has given to allow a good granular way to grant access BACK to this attribute after it is locked down. You will need to grant a CA to the attribute for the Exchange Servers global group in each domain (or grant to the DLGs but convert to UGs) so you maintain read across GCs in each domain. This will have to be done with script because you can't do it via dsacls or the GUI. Also once set, the GUI will have no clue how to display the permission so won't, DSACLS will properly display it. A word of note is that if you have MS Exchange PSS look at your AD, they will probably have a small stroke if they figure out this was done as they get testy when you muck with the visibility of Exchange attributes. However, have the Exchange guy talk to a knowledgeable AD PSS guy and things should hopefully be ok though expect to hear lots of grumbles of unsupported. This goes for any solution that does anything to any Exchange attribute. Oh one further note, anyone who has full control or all control access rights to a given object will still be able to see the attribute. The obvious one is full control... Full control is... Well full control. You can't effectively deny someone access to something they have full control to. The all control access rights is a new one though that you have to watch out for. If the confidential bit isn't an option. You are in for some fun. The fact that it is auth users makes things very difficult because everyone that accesses it is an auth user so you can't just actively deny auth users access or else you impact admins and Exchange and everything else. You need to either 1.
Invoke a passive deny which means stripping any (explicit or inherited) access permissions granted and regrant the access permissions to Exchange and any anyone else that needs access. It depends here how the access is granted in the first place on what you need to do. 2. Remove any explicit grants and then set up inherited denies for auth users and then explicit grants for Exchange and any other specific groups that need access. The explicit grants will override the inherited denies. For both of these, if the grant is handled through a property set, then you can remove the attribute from the property set (and maybe some others related to exchange you don't want to be fully visible to everyone) and add them to a different property set and only grant that to exchange and the admins or whomever else it is that needs to see the info. Overall, before I started doing anything with any of this I would really look at everything and get a great overall plan for security. You need to understand what it is exactly you want and all of the ways things are currently delegated, it isn't unusual to find that there are
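The two schema checks joe describes above (is the attribute Category 1, i.e. systemFlags bit 16 set, and does searchFlags already carry bit 128) are easy to automate before anyone touches the schema. The following is an added example, not code from the thread or from any Microsoft tool: it screens a list of schema entries, computes the new searchFlags value with the confidentiality bit OR'd in so existing bits such as indexing survive, and emits an ldifde-style change file for the eligible ones. The sample schema entries are constructed, and the schema naming context DN is a placeholder for your own forest. It does not perform the regrant step joe describes; that still needs a separate script.

```python
"""
Plan the SP1 confidentiality-bit change for a set of schema attributes.
Added example; not code from the ActiveDir thread.
"""
FLAG_SCHEMA_BASE_OBJECT = 0x10    # systemFlags bit 16: base-schema ("Category 1") attribute
SEARCHFLAGS_CONFIDENTIAL = 0x80   # searchFlags bit 7 (128): the confidentiality bit
SCHEMA_NC = "CN=Schema,CN=Configuration,DC=example,DC=com"   # placeholder forest


def is_category1(system_flags):
    """Category 1 attributes cannot take the confidentiality bit."""
    return bool(system_flags & FLAG_SCHEMA_BASE_OBJECT)


def confidential_search_flags(search_flags):
    """Set the confidentiality bit while keeping indexing/ANR/etc. bits intact."""
    return search_flags | SEARCHFLAGS_CONFIDENTIAL


def plan_confidential(attributes):
    """
    For each schema entry (dict with cn, lDAPDisplayName, systemFlags, searchFlags)
    return (lDAPDisplayName, eligible, new_searchFlags_or_None, reason).
    """
    plan = []
    for attr in attributes:
        name = attr["lDAPDisplayName"]
        if is_category1(attr["systemFlags"]):
            plan.append((name, False, None, "Category 1 attribute (systemFlags has 0x10)"))
        elif attr["searchFlags"] & SEARCHFLAGS_CONFIDENTIAL:
            plan.append((name, False, None, "already confidential"))
        else:
            plan.append((name, True, confidential_search_flags(attr["searchFlags"]), "ok"))
    return plan


def ldif_for(attributes):
    """Emit an LDIF change file (ldifde -i -f <file>) for every eligible attribute."""
    by_name = {a["lDAPDisplayName"]: a for a in attributes}
    chunks = []
    for name, eligible, new_flags, _reason in plan_confidential(attributes):
        if not eligible:
            continue
        chunks.append(
            f"dn: CN={by_name[name]['cn']},{SCHEMA_NC}\n"
            "changetype: modify\n"
            "replace: searchFlags\n"
            f"searchFlags: {new_flags}\n"
            "-\n"
        )
    return "\n".join(chunks)


# Constructed sample: two Exchange custom attributes (one indexed) and one
# base-schema attribute.  Read the real values from your own schema NC.
SAMPLE_SCHEMA = [
    {"cn": "ms-Exch-Extension-Attribute-1", "lDAPDisplayName": "extensionAttribute1",
     "systemFlags": 0, "searchFlags": 0},
    {"cn": "ms-Exch-Extension-Attribute-2", "lDAPDisplayName": "extensionAttribute2",
     "systemFlags": 0, "searchFlags": 1},      # 1 = indexed; must be preserved
    {"cn": "Telephone-Number", "lDAPDisplayName": "telephoneNumber",
     "systemFlags": FLAG_SCHEMA_BASE_OBJECT, "searchFlags": 0},
]

if __name__ == "__main__":
    for name, eligible, new_flags, reason in plan_confidential(SAMPLE_SCHEMA):
        print(f"{name:22} {'set searchFlags=' + str(new_flags) if eligible else 'skip: ' + reason}")
    print(ldif_for(SAMPLE_SCHEMA))
```

Setting the bit is the easy half: once it is on, only identities holding the control access right on the attribute (or full control, as joe notes) can read it, so run the regrant for Exchange before users notice.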
RE: [ActiveDir] OT: AD MMC Snap ins
If the AdminPak has never been installed on a given system, the snap-ins that are the Administrative Tools say, ADUC, should not be available. Are you saying that you have the snap-ins on a Win2k3 system with SP1 that you are certain the AdminPak was not installed on? I'm unclear as to exactly what you're asking. And, yes I do view it as some degree of a Security Risk. As to how high of a risk, that all depends on factors in your environment. Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, August 19, 2005 2:15 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: AD MMC Snap ins Dear All, On a Windows Server 2003 Service Pack 1 member server that has not had the Adminpak.msi installed, so no AD tools appear in the Administrative tools on the Start Menu or in the control panel. If a new MMC is run from the command line and Add\Remove snap-in is selected should the AD Admin tools be listed and registered (such as DSA.MSC)? I have had this on a test machine tonight and for me it's potentially a security issue. Many thanks Mark
RE: [ActiveDir] User SIDs...
Having read through most of the replies on this, it's interesting that there was an internal (to Microsoft - just to clarify) discussion on this same topic yesterday. Seems that a customer was having problems with a function calling APIs for SID creation when the SID exceeded 68 bytes. I'll let you determine from that statement what the largest supported SID is. :o) So, take that number into 12000 and I suspect that will give you a clear idea of how memberships would begin to cause issues with Kerberos. However, as al mentions, this can be increased but I don't know what the max supported size is. And, as to figuring out the actual size of a SID, yes there is. I don't have the algorithm at my finger tips, but it can be derived pretty easily - more easily with C/C++, or Perl, IIRC. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Friday, August 19, 2005 7:29 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] User SIDs... Hello All, Does anyone know the default length a user's SID (Win2K DC's, WinXP SP2 clients) can be before problems such as http://support.microsoft.com/?kbid=327825 start occurring? Also, is there any way to determine the actual length of a user's SID??? TIA, Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: AD MMC Snap ins
Pardon me - you're absolutely correct. I, in my haste this morning, failed to note the WINDOWS SERVER 2003 SP1. Yes, they are installed and registered by default, but are only added to menus created for the appropriate application or in the Administrative tools. As mentioned, I do view this as some degree of risk, but much less now that I see that it's on Server. One, servers should have tight Interactive and physical controls (i.e. no console access or TS access, except to your most trusted). Two, no one should be able to install server in your environment without your knowledge or control without fear of serious, immediate and dismiss-able consequences. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, August 19, 2005 8:18 AM To: ActiveDir.org Subject: Re: [ActiveDir] OT: AD MMC Snap ins I have checked at work today, systems that have never seen the admin pak, have the mmc snapins installed. Vanilla 2003 this is the case too. They are just not visible under admin tools, but are available as mmc snapins, even without the adminpak installed. Mark -Original Message- From: Rick Kingslan [EMAIL PROTECTED] Date: Fri, 19 Aug 2005 07:26:21 To:ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: AD MMC Snap ins If the AdminPak has never been installed on a given system, the snap-ins that are the Administrative Tools say, ADUC, should not be available. Are you saying that you have the snap-ins on a Win2k3 system with SP1 that you are certain the AdminPak was not installed on? I'm unclear as to exactly what you're asking. And, yes I do view it as some degree of a Security Risk. As to how high of a risk, that all depends on factors in your environment.
Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Friday, August 19, 2005 2:15 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: AD MMC Snap ins Dear All, On a Windows Server 2003 Service Pack 1 member server that has not had the Adminpak.msi installed, so no AD tools appear in the Administrative tools on the Start Menu or in the control panel. If a new MMC is run from the command line and Add\Remove snap-in is selected should the AD Admin tools listed and registered (such as DSA.MSC)? I have had this on a test machine tonight and for me its potentially a security issue. Many thanks Mark List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] User SIDs...
:o) Right, Joe! They don't come from us, as far as I can tell. If you look at the function AllocateAndInitializeSid(), it is hard coded to 8 sub-authorities. However, the customer in question from the 68 bytes max defined his own function with base level calls and worked around the 8 sub-auths by defining a variable that would accept however many he wanted to input. Bottomline: WE might give you the instructions on how to blow your foot off, but generally you are expected to supply your own ammo and finger to pull the trigger. :o) Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, August 19, 2005 1:22 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] User SIDs... A SID of 68 bytes would have the 15 RIDs, which is as far as I can tell the highest number of RIDs a SID can hold. There is only 1 byte reserved in the first 8 bytes of a the SID structure to store the number of RIDs, so that is basically 15 (since 0 RIDs doesn't do much for you). Where do these giant SIDs come from? Most AD SIDs I've seen are 24 or 28 bytes (4 or 5 RIDs respectively). Joe K. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Friday, August 19, 2005 12:43 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] User SIDs... Having read through most of the replies on this, it's interesting that there was an internal (to Microsoft - just to clarify) discussion on this same topic yesterday. Seems that a customer was having problems with a function calling APIs for SID creation when the SID exceeded 68 bytes. I'll let you determine from that statement what the largest supported SID is. :o) So, take that number into 12000 and I suspect that will give you a clear idea of how memberships would begin to cause issues with Kerberos. However, as al mentions, this can be increased but I don't know what the max supported size is. 
And, as to figuring out the actual size of a SID, yes there is. I don't have the algorithm at my finger tips, but it can be derived pretty easily - more easily with C/C++, or Perl, IIRC. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Friday, August 19, 2005 7:29 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] User SIDs... Hello All, Does anyone know the default length a user's SID (Win2K DC's, WinXP SP2 clients) can be before problems such as http://support.microsoft.com/?kbid=327825 start occurring? Also, is there any way to determine the actual length of a user's SID??? TIA, Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] User SIDs...
. If I heard someone was trying to create a SID greater than 68 bytes I would ask... Why? [3] Note that ADAM SIDs seem to jump around considerably. I haven't had a chance to sit down and discern the patterns, if any exist, yet. The builtin groups such as administrators/users/readers all have two subauthorities that seem to be randomly generated and the normal users created seem to have 3 additional randomly generated subauthorities and a seemingly randomly generated RID instead of an incrementing RID. This would seem to be a trifle dangerous in a multi-host ADAM instance. I need to play with it. It could be another one of those cases of it isn't likely to happen so we won't worry about it... I am sure it checks itself to see if it is a dupe but if you have two hosts both holding the same instance but not replicating regularly, I could visualize hitting an issue unless each host is its own subauthority which I now realize I never doublechecked. For fun, this is the SID structure stuff out of winnt.h:

////////////////////////////////////////////////////////////////////////
//                                                                    //
//                          Security Id     (SID)                     //
//                                                                    //
////////////////////////////////////////////////////////////////////////
//
//
// Pictorially the structure of an SID is as follows:
//
//         1   1   1   1   1   1
//         5   4   3   2   1   0   9   8   7   6   5   4   3   2   1   0
//      +---------------------------------------------------------------+
//      |      SubAuthorityCount        |Reserved1 (SBZ)|   Revision    |
//      +---------------------------------------------------------------+
//      |                   IdentifierAuthority[0]                      |
//      +---------------------------------------------------------------+
//      |                   IdentifierAuthority[1]                      |
//      +---------------------------------------------------------------+
//      |                   IdentifierAuthority[2]                      |
//      +---------------------------------------------------------------+
//      |                                                               |
//      +- -  -  -  -  -  -  -  SubAuthority[]  -  -  -  -  -  -  -  - -+
//      |                                                               |
//      +---------------------------------------------------------------+
//

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, August 19, 2005 2:22 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] User SIDs... A SID of 68 bytes would have the 15 RIDs, which is as far as I can tell the highest number of RIDs a SID can hold. There is only 1 byte reserved in the first 8 bytes of a the SID structure to store the number of RIDs, so that is basically 15 (since 0 RIDs doesn't do much for you). Where do these giant SIDs come from?
Most AD SIDs I've seen are 24 or 28 bytes (4 or 5 RIDs respectively). Joe K. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Friday, August 19, 2005 12:43 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] User SIDs... Having read through most of the replies on this, it's interesting that there was an internal (to Microsoft - just to clarify) discussion on this same topic yesterday. Seems that a customer was having problems with a function calling APIs for SID creation when the SID exceeded 68 bytes. I'll let you determine from that statement what the largest supported SID is. :o) So, take that number into 12000 and I suspect that will give you a clear idea of how memberships would begin to cause issues with Kerberos. However, as al mentions, this can be increased but I don't know what the max supported size is. And, as to figuring out the actual size of a SID, yes there is. I don't have the algorithm at my finger tips, but it can be derived pretty easily - more easily with C/C++, or Perl, IIRC. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad Sent: Friday, August 19, 2005 7:29 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] User SIDs... Hello All, Does anyone know the default length a user's SID (Win2K DC's, WinXP SP2 clients) can be before problems such as http://support.microsoft.com/?kbid=327825 start occurring? Also, is there any way to determine the actual length of a user's SID??? TIA, Brad This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding. List info : http
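Brad's second question (how to get the actual length of a SID) follows directly from the winnt.h layout quoted above: 8 header bytes (Revision, SubAuthorityCount, a 6-byte IdentifierAuthority) plus 4 bytes per sub-authority, which gives the 24/28-byte figures Joe K. cites and the 68-byte ceiling at the 15 sub-authority limit. The following is an added example, not code from the thread: it converts between the string form and the binary structure, rejects SIDs over the limit, and reports length, sub-authority count and RID. The sample SIDs are constructed except for the well-known BUILTIN\Administrators SID.

```python
"""
Serialize and parse Windows SIDs according to the winnt.h layout.
Added example; not code from the ActiveDir thread.
"""
import struct

SID_REVISION = 1
SID_MAX_SUB_AUTHORITIES = 15   # winnt.h limit: 8 + 15*4 = 68 bytes, the cap discussed above
SID_HEADER_LEN = 8             # Revision(1) + SubAuthorityCount(1) + IdentifierAuthority(6)


def sid_length(sub_authority_count):
    """Byte length of a SID carrying the given number of sub-authorities."""
    return SID_HEADER_LEN + 4 * sub_authority_count


def sid_from_string(sid):
    """Convert 'S-1-5-21-...' into the binary SID structure."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != SID_REVISION:
        raise ValueError(f"unsupported SID revision {revision}")
    if not 0 <= authority < (1 << 48):
        raise ValueError("identifier authority must fit in 6 bytes")
    if len(subs) > SID_MAX_SUB_AUTHORITIES:
        raise ValueError(f"{len(subs)} sub-authorities exceeds the limit of {SID_MAX_SUB_AUTHORITIES}")
    if any(not 0 <= s < (1 << 32) for s in subs):
        raise ValueError("sub-authorities are 32-bit values")
    # Revision and count are single bytes, the authority is big-endian,
    # and each sub-authority is a little-endian DWORD.
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)


def sid_to_string(blob):
    """Inverse of sid_from_string; checks the length against the count byte."""
    if len(blob) < SID_HEADER_LEN:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if len(blob) != sid_length(count):
        raise ValueError(f"SID claims {count} sub-authorities but is {len(blob)} bytes")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", blob, SID_HEADER_LEN)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def describe_sid(sid):
    """Return (byte_length, sub_authority_count, rid); rid is None without sub-authorities."""
    blob = sid_from_string(sid)
    count = blob[1]
    rid = struct.unpack_from("<I", blob, len(blob) - 4)[0] if count else None
    return len(blob), count, rid


def is_valid_sid_string(sid):
    """True if the string parses and respects the structure limits."""
    try:
        sid_from_string(sid)
        return True
    except ValueError:
        return False


# Sample SIDs: the first is the well-known BUILTIN\Administrators SID, the
# others are constructed and do not belong to any real domain.
SAMPLE_SIDS = [
    "S-1-5-32-544",                                   # 2 sub-authorities -> 16 bytes
    "S-1-5-21-1234567890-234567890-345678901-1105",   # domain user: 5 -> 28 bytes
    "S-1-5-21-1234567890-234567890-345678901",        # the domain SID: 4 -> 24 bytes
]

if __name__ == "__main__":
    for s in SAMPLE_SIDS:
        length, count, rid = describe_sid(s)
        print(f"{s}: {length} bytes, {count} sub-authorities, RID {rid}")
    print(f"maximum SID length: {sid_length(SID_MAX_SUB_AUTHORITIES)} bytes")
```

The count byte could in principle hold 255, but the structure is only defined up to 15 sub-authorities, which is why `sid_from_string` refuses anything longer rather than faithfully encoding it.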
RE: [ActiveDir] Problem at remote site
Jennifer, Thanks for the update and the resolution. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain Sent: Thursday, August 18, 2005 1:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem at remote site Hi all: I wanted to update the list on what actually fixed my problem. I ended up calling MS for support because I was at my breaking point :). Turns out that I needed to set my MTU manually to 1390! Doh! That did the trick. I knew it was some simple but I didn't know it was that simple :). Thanks for all of your help Thank you for your time! Jennifer -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain Sent: Tuesday, August 09, 2005 5:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem at remote site I ended up sending another Dc to the site so I could just readd this server to the domain but AD will not start on that box. I keep getting an error - rpc server unavailable. We have approx 9 DCs (4 at HQ and one at each remote site). We have dcs at our other remote sites (diagram below): Site1 Site2 Site3 (wan connection using private sprint network) -- HQ -- site6 (business cable modem with vpn tunnel to corporate (internet)) Site4 Site5 The new DC can ping but anything else gets a RPC server unavailable unavailable error. I thought AD could replicate over a modem connection? So, I am not sure where I need to go from here. Any thoughts? Thank you for your time! Jennifer * The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. 
If you received this in error, please contact the sender and delete the material from any computer List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Question on Replication Topology
Funny that - I lost mine when I JOINED Microsoft. I was told that it might be hard to get as my job doesn't require access to source... Rick P.S. I say just plain blech They're great for throwing As to eating - Have no use for them. :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, August 16, 2005 12:59 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology I am fortunate enough to be provided with source access by Microsoft. Actually, I say Tom-arto since I'm British. ;0) -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 1:37 PM To: ActiveDir@mail.activedir.org; Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology No Problem at all.. You say Tomato I say Tamato..I also misunderstood his question as I assumed him meant DC's and not GC's. Thanks for clarifying this is more detail. BTW: How did you get to look at the source code? Jose :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dean Wells Sent: Tuesday, August 16, 2005 10:08 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology Jose, I don't wish to continue going back and forth on this topic, the behavior and constraints are what they are. I'm not stating an opinion or an interpretation of a paper, I'm stating a fact based upon the source code of the product (as of 2K and 2K3). Your understanding of the articles you've read is very close but not entirely accurate. Phantoms of this kind are not permitted on GCs ... this is manifested in the interface when you attempt to add a user to a Universal group but the user has not yet replicated to the GC (an error will occur stating exactly that), if phantoms were permitted one would be created based on the info. 
from the DC used to browse the domain containing the user. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Tuesday, August 16, 2005 12:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Question on Replication Topology I am afraid not... One of the common replies and misunderstood rumors is that the Infrastructure Master (IM) is only allowed to run on a Global Catalog Server (GC) if every Domain Controller (DC) in the Forest is Global Catalog Server. That rumor is just based on misleading wording. The infrastructure master's job is to compare objects of the local domain against objects in other domains of the same forest. If the server holding the infrastructure master is also a global catalog it won't ever see any differences, since the global catalog holds a partial copy of every object in the forest itself. Therefore the infrastructure master won't do anything in its domain. However if every DC in the Domain is also global catalog server there's no job for the IM since the GC already knows about the objects of other domains. So if you look at the job the IM has to do, it's pretty clear that it may reside on a GC if it's a single domain forest (no need to pull updates from other domains). It's also pretty clear that it may reside on a GC if it's in a multiple domain forest but every DC in the domain where the IM runs on the GC are also GCs (no need to pull updates since the GC knows everything). So the following infrastructure is a valid configuration: One domain: R-DC1 (GC + IM) R-DC2 (GC) R-DC3-x (must be GC) Other domain: O-DC1 (GC) O-DC2 (IM) O-DC3-x (might or might not be GC, does not matter) The first domain does not need to pull updates since the GCs know everything, the other domain has the IM running on a non-GC so it pulls the updates and replicates them to other DCs.
The following KB states that correctly: http://support.microsoft.com/kb/223346/EN-US/ So to be short: The Infrastructure Master is not allowed to run on a Global Catalog Server if either there are multiple Domains in the Forest there are Domain Controllers in the same Domain which are not Global Catalog Servers The Infrastructure Master is allowed to run on a Global Catalog Server in a Domain if either there's only one Domain in the Forest every Domain Controller in the Domain in question is Global Catalog Server --- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dean Wells Sent: Tuesday, August 16, 2005 8:26 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Question on Replication Topology I'm afraid it's not correct, when all DCs are GCs (within a single domain), the IM can happily co-reside with a GC. I'd also mention that the impact
RE: [ActiveDir] HP teaming
OK, new machine (AMD64... oh yeah!) is up and running. I'm not going to go back and catch up on everything, but this one caught my eye. We used NIC teaming for years. We had multitudes of problems, more associated with either our setup team not setting the NICs to 100/Full consistently, or the Network Engineers not doing the same. If this is NOT done, you will have issues. Also, there are specific problems that can crop up with ARP and virtual MACs that the teaming software creates. This becomes most apparent during troubleshooting, but can cause issues that only your Network Engineering team will see - and they really aren't worth irritating, because to a great degree - you need them more than they need you! :o) That being said - in 6 years of doing and managing NIC teaming, our stats showed that we had two NIC failures, which were easy to diagnose and resolve. Conversely, we had uncounted numbers of issues with ARP, MAC, and other teaming related issues that affected troubleshooting, problem resolution, and overall network (subnet or switch scope) performance when things went bad. Given that, we made a decision to bail on teaming (except for very specific systems that it had shown to be a true benefit - and DCs are far from a system that showed benefit) due to the lopsided number of issues caused as related to those actually solved. For me, that's the metric. If a solution is not really solving a problem, or is causing more problems than it is solving - why do it? It's basic Risk Management. However - YMMV. This is just my view. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Wednesday, August 17, 2005 8:51 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] HP teaming They are member servers right now with no teaming. About to become DC's. Do you have anything against switch assisted load balancing? Also, which model catalyst did you have an issue with? Thanks a lot! 
On 8/17/05, Francis Ouellet [EMAIL PROTECTED] wrote: I've had great success using nic teaming on all my DCs running on hp Proliant hardware. They were all configured for FT. Make sure the network side of things fully supports it though, we had to upgrade a few catalyst switches for this to work correctly (I think it was an ARP issue) I'd suggest trying it on a member server first to make sure your networking hardware is capable of supporting it correctly. One last thing, are those DCs currently in place or you're considering nic teaming for future deployments? Thanks, Francis -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: August 17, 2005 9:24 AM To: activedirectory Subject: [ActiveDir] HP teaming Any for or against Hp nic teaming on DC's? Also which type would you use (if any)? Fault tolerance or load balancing? thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Latest MS patch KB899588
Are you wondering if restarting the server is mandatory? I suspect that it is, unless you really don't want to be protected. Often times, the components being replaced are only read on system startup. Given that the bulletin specifically says: Restart Requirement You must restart your system after you apply this security update. I'd say, uh, yeah. Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan Sent: Wednesday, August 17, 2005 5:15 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Latest MS patch KB899588 Hi there, I am trying to apply this patch to some windows 2000 servers and I was wondering if the reboot is strictly mandatory?! If I used the /norestart switch to run it from the command line I do get the patch under add and remove programs. Also the version of the file gets updated under c:\winnt\system32. What do you think? Juan
RE: [ActiveDir] Latest MS patch KB899588
Juan Apparently you didn't read MY message. YES it's mandatory to apply the patch.. If you DO NOT REBOOT you're going to get slapped by the worm. Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan Sent: Wednesday, August 17, 2005 6:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Latest MS patch KB899588 Thanks. So the reboot is not mandatory/required using this script right? Juan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James Sent: Wednesday, August 17, 2005 3:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Latest MS patch KB899588 Juan, InstallPatch.vbs:
Set oshell = WScript.CreateObject("WScript.Shell")
oshell.Run("%PathToPatch%\importantpatch.exe /quiet /norestart")
I renamed the patch importantpatch.exe James From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan Sent: Thursday, 18 August 2005 8:15 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Latest MS patch KB899588 Hi there, I am trying to apply this patch to some windows 2000 servers and I was wondering if the reboot is strictly mandatory?! If I used the /norestart switch to run it from the command line I do get the patch under add and remove programs. Also the version of the file gets updated under c:\winnt\system32. What do you think? Juan
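An added check, not posted by anyone in this thread: the reason the new file version shows up on disk while the box is still exposed is that a file in use when the installer runs is queued in the Session Manager's PendingFileRenameOperations value and swapped in only during the next boot. The script below reads that queue and the Windows Update reboot flag and reports whether a patch installed with /norestart is actually in effect. It assumes a host that can run PowerShell (later than the Windows 2000 servers discussed here; the registry mechanism is the same), and the KB number is only a default you can override.

```powershell
# Added example: is a patch applied with /norestart really in effect yet?
# Assumes a PowerShell-capable Windows host; run as an administrator.
function Get-PendingPatchState {
    param([string]$Kb = 'KB899588')   # default taken from the thread; pass any KB id
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = @((Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations |
                 Where-Object { $null -ne $_ })
    # REG_MULTI_SZ of source/target pairs; an empty target means "delete the source at boot".
    $renames = @(for ($i = 0; $i -lt $pending.Count; $i += 2) {
        $target = ''
        if ($i + 1 -lt $pending.Count) { $target = $pending[$i + 1] }
        [pscustomobject]@{ Source = $pending[$i]; Target = $target }
    })
    $wuReboot = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    [pscustomobject]@{
        Hotfix        = (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue).HotFixID   # what Add/Remove Programs lists
        RebootPending = ($renames.Count -gt 0) -or $wuReboot
        QueuedRenames = $renames                                                     # the files still waiting to be swapped in
        LastBoot      = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime  # compare against the install time
    }
}

$state = Get-PendingPatchState
$state | Format-List
if ($state.RebootPending) {
    Write-Warning 'Patch files are staged on disk but not loaded; the server is unprotected until it restarts.'
}
```

The HotFix entry existing and the file version changing, which is what Juan observed, are both consistent with RebootPending being true; only LastBoot later than the install time tells you the replaced component was actually loaded.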
RE: [ActiveDir] cloning DC's
Tom - Regardless of the scenario and how it's done - you never, never, never, clone DCs. This will lead to very bad things - possibly including the appearance of the Anti-Christ, opening of Black Holes, ABBA coming back to prominence. Do NOT do this. Do NOT allow IBM to do it. Period. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Wednesday, August 17, 2005 7:56 PM To: activedirectory Subject: Re: [ActiveDir] cloning DC's I went back and i saw B. Shirley's remarks on cloning dc's. I'm wondering if this applies to my scenario below- cloning a DC with Disk Image and sysprep and creating new DC's that way? Is this very very bad? is there an article or paper explaining why? or anyone care to explain why. or is this ok? thanks. sorry to harp but these AD consultants from IBM want to go this route tomorrow and I'm thinking its not a good idea for some reason but I'd like to be sure before i bring it up. Thanks again On 8/17/05, Tom Kern [EMAIL PROTECTED] wrote: I know i read this thread before but i can't seem to find it. we are creating a new forest root and the IBM consultants here created the first root dc and now they want to clone it using Disk Image and sysprep to create the other DC's in the root. I think i heard this is a bad idea. Am I right? I can't seem to find any article on this but I do remember this being spoken of on the list and I don't remember what the conclusion was. thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] account operators
joe - no need to apologize. You're absolutely correct. Once I read your e-mail, I had doubts, but knowing joe, and knowing what joe knows, I had to go look to satisfy my curiosity. Honestly, what I saw scared me to a great degree. AO does have full and complete access to any user object and property - period. AO may not be able to manipulate it through the easy mechanisms (i.e. the GUI ADUC or the scripted CDOEXM, but any other interface that will allow manipulation of the objects *IS*possible - and that revelation is quite shocking, to say the least. For anyone that wants to duplicate what I did - make use of a resource that is right at your finger tips. Don't go poking around your production systems. And, even if you don't have Exchange, you can still check this out. Make use of the TechNet Virtual Labs for checking things out and determining if an idea will work - with no setup costs at all. Find a lab that has the components that you need, and party on. The labs are not restricted to allowing you to do only what the lab is designed for. You can do practically anything you want - sometimes including adding in extra Windows and Server System components. Find the Virtual Servers at: http://microsoft.demoservers.com Thanks, joe - for calling this to my attention and correcting my 'rosy security' view of separation of duties when it comes to Exchange. It's not as it appears - or as many writers have written. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 12, 2005 12:00 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] account operators Sorry Rick, I have to correct you on this one. An account operator absolutely has enough rights to mailbox enable a user. AccOps by default have FC over user objects, they can do ANYTHING to a user they want to. The key is they have to know how to. You could for instance use admod or ldifde or adsiedit or anything that allows you to update mailnickname and homemdb. 
Or for that matter mailnickname and homeMTA. Also I think you can do mailNickname and msExchHomeServerName. The reason an AccOp can not use ADUC or CDOEXM to mailbox enable a user is because the tools are written to enumerate Exchange config info which an AccOp doesn't have access to. I don't know if it was intended as a security feature or not but it is how it works. I wouldn't be surprised if it was a security feature because it aligns with some other silly tool-based security MS did before like for instance being unable to view the admins group from usermgr if you weren't an admin but if you knew other mechanisms you could still do it... Or the GUI not listing hidden shares even though the server sends that info back to the clients requesting the info. RANT The permissioning model of Exchange, especially in AD, quite frankly, sucks ass. It does almost everything it can to make it a pain in the butt to separate administration between AD/NOS stuff and Exchange stuff. Instead of using the mail property set or creating their own they glommed onto the base property sets. In order to do any separation you either have to change the property sets and hear cries of unsupported from PSS or you have to put in a ton of ACEs or a half a ton of ACEs including a bunch of denies. Most admins haven't the foggiest clue how much access they have given away in AD to people. I have fielded many a question on how come some admin can send mail as someone or get access to read mail for other users or mailbox enable users, or how can so and so change mailbox quotas, etc etc. A common delegation in AD is to give full control over user objects or allow low level admins to create users. This is fine (well not really fine...) in a NOS directory, but once you add Exchange to it those folks have a lot more power, probably unintended power, over the mail system than was probably intended.
The best answer from a permission standpoint of protecting Exchange from AD folks or protecting AD from Exchange folks is the dedicated Exchange Resource Forest. If you do that and keep to a single domain in that forest you also get away from all of the nasty DSACCESS issues to boot around user and group updates from outlook. /RANT joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Thursday, August 11, 2005 12:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] account operators why can't they create a mailbox for a regular user? Simply, the Account Operator is designed to work as a principal that allows work on accounts as they are BY DEFAULT out of Windows Server. The real reason is that there is typically, in most medium to large organizations, there is a mail admin team and a server admin team (at least it was VERY much this way with Exch 5.5). Separation of the functions was a goal to carry forward - but it could only be done by Group membership / permissions
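An added example, not code from Rick, joe or the thread: the two steps of what joe describes, in PowerShell. First it lists the ACEs BUILTIN\Account Operators hold on a user object and flags the default GenericAll (full control) ACE that covers every attribute on the object, Exchange ones included. Then it does the mailbox-enable the way ldifde or admod would, by replacing mailNickname and homeMDB directly, which never touches the Exchange configuration container that makes ADUC and CDOEXM fail for an Account Operator. It uses the RSAT ActiveDirectory module, so it needs a newer Windows than the thread's; $UserDn, $Alias and $HomeMdbDn are placeholders for your own lab values, and the Recipient Update Service is assumed to stamp the remaining mail attributes afterwards.

```powershell
# Added example: what Account Operators really hold on a user, and the direct-attribute
# mailbox-enable joe describes. RSAT ActiveDirectory module required. Lab use only.
param(
    [string]$UserDn    = 'CN=Test User,OU=Lab,DC=example,DC=com',   # placeholder
    [string]$Alias     = 'tuser',                                    # placeholder
    [string]$HomeMdbDn = 'CN=Mailbox Store (EX1),CN=First Storage Group,CN=InformationStore,CN=EX1,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Example,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com'  # placeholder
)
Import-Module ActiveDirectory

# 1. Every ACE on the user that names Account Operators, explicit or inherited.
$acl    = Get-Acl -Path "AD:\$UserDn"
$aoAces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Account Operators' }
$aoAces | Select-Object AccessControlType, ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited |
    Format-Table -AutoSize

# An Allow ACE carrying GenericAll with an empty ObjectType GUID is full control over the
# whole object, so every Exchange attribute on it is writable whatever the ADUC tabs show.
$ga = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$fullControl = $aoAces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq [guid]::Empty -and
    (($_.ActiveDirectoryRights -band $ga) -eq $ga)
}
if ($fullControl) { Write-Warning "Account Operators have full control of $UserDn" }

# 2. The two attributes joe names, written with a plain LDAP replace. Nothing here reads
#    the Exchange configuration container, which is the lookup ADUC/CDOEXM need and AO lacks.
#    The Recipient Update Service fills in the rest (legacyExchangeDN, proxyAddresses, ...) later.
Set-ADUser -Identity $UserDn -Replace @{ mailNickname = $Alias; homeMDB = $HomeMdbDn }
Get-ADUser -Identity $UserDn -Properties mailNickname, homeMDB, msExchHomeServerName |
    Select-Object Name, mailNickname, homeMDB, msExchHomeServerName
```

Run step 1 on its own against production to see the exposure; step 2 belongs in a lab such as the TechNet virtual labs Rick points at. If the warning fires, the separation between account admins and mail admins is already gone for that object, which is joe's point.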
RE: [ActiveDir] ok, last one really
As WMI goes, these are the best books available - period. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir Sent: Friday, August 12, 2005 10:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] ok, last one really On MSDN, you can find some sample scripts to read from a file. See at http://msdn.microsoft.com/library/en-us/script56/html/sgWorkingWithFiles.asp For instance,
Dim fso, ts
Const ForReading = 1
Set fso = CreateObject("Scripting.FileSystemObject")
Set ts = fso.OpenTextFile("c:\test.txt", ForReading, True)
strComputer = ts.ReadLine()
ts.Close()
Depending on the format of your file, you can read a single line and split the comma separated computer names or you can loop and read lines one-by-one if you have a computer name per line. Your call ... For a book on scripting and WMI, you can always have a look at my web site ;) http://www.lissware.net -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Friday, August 12, 2005 7:46 AM To: activedirectory Subject: [ActiveDir] ok, last one really How can i change this script so i can just feed it a file of computer names so i can automate the changing of dns servers in the client properties? SCRIPT-
On Error Resume Next
strComputer = "."
arrNewDNSServerSearchOrder = Array("192.168.0.1", "192.168.0.2")
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colNicConfigs = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")
WScript.Echo VbCrLf & "Computer: " & strComputer
For Each objNicConfig In colNicConfigs
    WScript.Echo VbCrLf & "Network Adapter " & objNicConfig.Index
    WScript.Echo "  DNS Server Search Order - Before:"
    If Not IsNull(objNicConfig.DNSServerSearchOrder) Then
        For Each strDNSServer In objNicConfig.DNSServerSearchOrder
            WScript.Echo "    " & strDNSServer
        Next
    End If
    intSetDNSServers = _
        objNicConfig.SetDNSServerSearchOrder(arrNewDNSServerSearchOrder)
    If intSetDNSServers = 0 Then
        WScript.Echo "  Replaced DNS server search order list."
    Else
        WScript.Echo "  Unable to replace DNS server search order list."
    End If
Next
WScript.Echo VbCrLf & String(80, "-")
Set colNicConfigs = objWMIService.ExecQuery _
    ("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")
For Each objNicConfig In colNicConfigs
    WScript.Echo VbCrLf & "Network Adapter " & objNicConfig.Index
    WScript.Echo "  DNS Server Search Order - After:"
    If Not IsNull(objNicConfig.DNSServerSearchOrder) Then
        For Each strDNSServer In objNicConfig.DNSServerSearchOrder
            WScript.Echo "    " & strDNSServer
        Next
    End If
Next
END OF SCRIPT also, can anyone recommend a good VBscript book for Windows admining so i can leave you guys alone? thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
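An added example, not Tom's script or Alain's snippet: the same Win32_NetworkAdapterConfiguration call Tom's script makes, driven by a text file with one computer name per line, which is what he asked for. It is written in PowerShell rather than VBScript, records the before and after search order for every adapter, keeps going when a host is unreachable, and writes the outcome to a CSV so the change to every client's resolver configuration is auditable. It assumes DCOM/WMI reachability and admin rights on each target; the file paths and DNS addresses are placeholders.

```powershell
# Added example: push a DNS server search order to every computer listed in a file,
# via the same WMI class and method as the VBScript above. Paths/addresses are placeholders.
param(
    [string]$ComputerList = 'C:\scripts\computers.txt',          # one computer name per line
    [string[]]$DnsServers = @('192.168.0.1', '192.168.0.2'),
    [string]$LogPath      = 'C:\scripts\dns-change-log.csv'
)

$results = foreach ($line in Get-Content -Path $ComputerList | Where-Object { $_.Trim() }) {
    $computer = $line.Trim()
    try {
        $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $computer `
                              -Filter 'IPEnabled = True' -ErrorAction Stop
    } catch {
        # Unreachable or access denied: log it and move on instead of aborting the whole run.
        [pscustomobject]@{ Computer = $computer; Adapter = ''; Before = ''; After = ''; Result = "unreachable: $($_.Exception.Message)" }
        continue
    }
    foreach ($nic in $nics) {
        $before = @($nic.DNSServerSearchOrder)                    # $null on a DHCP-only adapter; @() keeps it a list
        $rc     = $nic.SetDNSServerSearchOrder($DnsServers)       # ReturnValue 0 = ok, 1 = ok but reboot required
        $status = "error $($rc.ReturnValue)"
        if ($rc.ReturnValue -eq 0) { $status = 'ok' }
        elseif ($rc.ReturnValue -eq 1) { $status = 'ok, reboot required' }
        # Re-query rather than trusting the cached object, so "After" is what the host really has.
        $after = @((Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $computer `
                                  -Filter "Index = $($nic.Index)").DNSServerSearchOrder)
        [pscustomobject]@{
            Computer = $computer
            Adapter  = $nic.Index
            Before   = $before -join ','
            After    = $after -join ','
            Result   = $status
        }
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path $LogPath -NoTypeInformation
```

Because the resolver list decides which servers a client trusts for name resolution, the before/after log is worth keeping: a row whose After column is not the list you pushed is a host to look at.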
RE: [ActiveDir] My endless question day continued- Exchange attributes
If this is something that you find of interest, I can look around and see if I can find either public docs that might be a little buried, or docs that can be sanitized and released to you. We've done numerous TechEd presentations on this - more in the 2000 - 2002 timeframe, IIRC. So, I know that the docs exist - many times, it's finding it. Rick [MCS] ;o) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo Sent: Friday, August 12, 2005 3:30 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] My endless question day continued- Exchange attributes Rick, Thanks for the response and of course you're right. The difficulty though lies with the complexity you refer to. Case in point Exchange Resource Forests. There's a lack of detailed documentation on the MS site. I've been looking at a dual forest solution with an E2k3 forest having an external trust to an account forest and I'm trying to establish what functionality, if any, Exchange-wise, is lost (compared to a normal single forest deployment). I know it's not a particularly common deployment scenario (unless maybe MCS are involved) and that this is an AD group ;-)... but I suspect, short of building a PoC environment or answers from the group, finding out things like mailbox delegation...whether FE/BE topology works etc, means test test test :-) Mylo Rick Kingslan wrote: Mylo, I'll answer this, and when joe gets back online later, I'm sure that he'll correct me. j/k joe! In my mind, you have two choices - a secure and workable solution with separation with a potential of added complexity, or a much less secure, combined environment. I have a saying that goes with this: Security != Easy, or Security and ease of use are diametrically opposed Everyone has to make decisions based upon what their sensitivity to risk is. 
Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo Sent: Friday, August 12, 2005 11:55 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] My endless question day continued- Exchange attributes Apologies for jumping into a semi-dead thread with some OT questions .. Joe, you mentioned the following: Exchange never would have been brought into the main production forest, it would have been in a dedicated single domain resource forest that was entirely managed by the Exchange admins. Are you saying that the Resource (Exchange) Forest is the only workable solution in your mind that provides the necessary separation? I can see it from the whole service autonomy and isolation argument, but the fact that you need to throw provisioning into the equation, issues such as potential single points of failure with MIIS/IIFP, added complexity etc surely that single AD forest/domain is more preferable :-) Cheers, Mylo joe wrote: In my last job we sort of did. I say sort of because you get the point where you are going against AD best practices in how many ACEs you are sticking in the directory. The mechanisms we were thinking about to get around some of the issues such as modifying property sets had PSS looking at us and shaking their heads indicating that doing so could certainly impact their thoughts on how supportable we were. Basically we granted I think one property set and a few more attributes to the Exchange Service Admins but didn't do any of the denies to remove some property set rights they shouldn't have had, say like ability to modify UPNs etc. The specific details are lost to me now on what exactly we did but I wasn't thrilled with the options. If I had it all over to do again for that company, Exchange never would have been brought into the main production forest, it would have been in a dedicated single domain resource forest that was entirely managed by the Exchange admins. 
joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rascher, Raymond Sent: Friday, July 15, 2005 7:41 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] My endless question day continued- Exchange attributes Did you implement a Split permissions model for exchange? If so I would like to hear how you ACL'd the directory. Also, if anyone has experience creating and using permission sets and can point me in the right direction that would be appreciated. Thanks, Ray -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, July 15, 2005 6:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] My endless question day continued- Exchange attributes Strictly according to Microsoft, Full Mailbox access given to a user should NOT give the ability to send a message as that user. However, this has been broken I think more than it has worked; broken meaning users with Full Mailbox access on a mailbox but not Send As rights can send as that user
RE: [ActiveDir] account operators
No, not the store - it's a bit of a misnomer that to create a mailbox you need to have permissions to the store. If you can create the mailbox attributes on the user account, the first time that a mail message is delivered to the newly mailbox-enabled user, the actual storage area on the store is created. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, August 11, 2005 9:57 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] account operators I thought AO had complete rights to the user object which would include exchange attribs. i guess they still need rights to the store? is that it? thanks On 8/11/05, Coleman, Hunter [EMAIL PROTECTED] wrote: I expect they lack Exchange View Only Admin permissions (or higher). -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, August 11, 2005 8:27 AM To: activedirectory Subject: [ActiveDir] account operators is there any reason an account operator could create a user but not a mailbox for that user? thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] MailBox permissioning
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370); In the example above, you have a classic output that contains SDDL (Security Descriptor Definition Language)
O:sid is the SID of the owner
G:sid is the SID of the group
D: is a DACL
I'll let you look over the rest and determine what you have in your strings.. http://msdn.microsoft.com/library/default.asp?url= Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Thursday, August 11, 2005 11:10 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] MailBox permissioning Using a newer version of ldp I could gather the following things: The mailbox users have the following attribute set.
usert - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);
ZZZFFF - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2372);
ZZZGGG - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSDRC;;;S-1-5-21-3308934242-2785796821-2776977491-2368);
ZZZJJJ - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSD;;;S-1-5-21-3308934242-2785796821-2776977491-2369);
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS) This part was common for all entries. S-1-5-21-3308934242-2785796821-2776977491- is the objectSID for the object in the other domain to whom I want to give permissions. Also the attribute msExchMasterAccountSid is set to the value of object sid. 
But this part *** (A;CI;CCLCRC;;; *** before the objectsid, differs in some entries. What are all these fields? How can I find out these values programmatically and make a single attribute value which I can then give to the meta directory for setting? Regards, Mayuresh From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Thursday, August 11, 2005 3:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] MailBox permissioning Yes. But I want to do it using scripting + Meta directory server. The steps I understand until now is that: give appropriate permissions in the security tab to the user in different domain. give appropriate permissions in the Mailbox right. Since my Meta directory server is on HP-UX, I can't employ a VBScript to do this. Can there be other ways? I understand that I would have to set the msexchmailboxsecuritydescriptor attribute. How can I generate a binary value for this using a perl script, so that I can give this value to the meta dir to process and set in the exchange entry. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bryon Barkley Sent: Thursday, August 11, 2005 2:16 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] MailBox permissioning Mayuresh, You should be able to just give Full Permissions to the user on the mailbox rights tab located under the Exchange Advanced Tab of the user's properties. BB -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Thursday, August 11, 2005 4:00 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] MailBox permissioning Hi Gurus, I have a scenario where I have users and mail boxes created on exchange server on one domain. Now I have another set of users in a different domain, who should be able to use these mail boxes, and should have permissions over it. Eg. User A is in retail domain. Correspondingly user A is created in exchange domain with a mailbox. 
I want to now have the permissions set so as to make the user A in the retail domain use this mailbox. What attributes should I set on the user side or the mailbox side to do this? I'll be doing this permissioning using a meta directory server. Thanks, Mayuresh.
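An added example, not from Rick or Mayuresh: the two things the question needs, done with .NET's RawSecurityDescriptor from PowerShell. Show-MailboxSddl decodes strings of the shape posted above, naming each ACE's type, inheritance flag, mask and trustee (PS in SDDL is the Principal Self SID S-1-5-10, i.e. the mailbox owner). New-MailboxSecurityDescriptor builds the same two-ACE DACL for any other account-domain SID and returns the self-relative binary form, which is what msExchMailboxSecurityDescriptor stores, plus a base64 copy for an LDIF import; msExchMasterAccountSid still has to be set separately, as Mayuresh noted. Two assumptions: the class wraps the Win32 SDDL converters, so this is Windows only; and the names given to the mask bits below are as recalled from the ESM "Mailbox Rights" tab, so verify them against your own server. SDDL reuses the directory-rights letters (CC, LC, SD, RC) for the bit positions, but in a mailbox descriptor those positions mean mailbox rights, not "create child"; bits the table does not name are printed raw rather than guessed.

```powershell
# Added example: decode the posted mailbox SDDL and build the binary msExchMailboxSecurityDescriptor.
# Windows only (RawSecurityDescriptor calls the Win32 SDDL converters).
# Bit names below are an assumption to check against ESM's Mailbox Rights tab.
$MailboxRights = [ordered]@{
    FullMailboxAccess         = 0x00001   # SDDL token CC
    AssociatedExternalAccount = 0x00004   # LC
    DeleteMailboxStorage      = 0x10000   # SD
    ReadPermissions           = 0x20000   # RC
    ChangePermissions         = 0x40000   # WD
    TakeOwnership             = 0x80000   # WO
}
$knownMask = 0
foreach ($v in $MailboxRights.Values) { $knownMask = $knownMask -bor $v }

function Show-MailboxSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    "Owner: $($sd.Owner)   Group: $($sd.Group)   Control: $($sd.ControlFlags)"
    foreach ($ace in $sd.DiscretionaryAcl) {
        $names = @(foreach ($e in $MailboxRights.GetEnumerator()) {
            if (($ace.AccessMask -band $e.Value) -eq $e.Value) { $e.Key }
        })
        $unmapped = $ace.AccessMask -band (-bnot $knownMask)
        if ($unmapped) { $names += ('unmapped 0x{0:X}' -f $unmapped) }   # never guess a bit's meaning
        '{0} {1} mask=0x{2:X} sid={3} -> {4}' -f $ace.AceType, $ace.AceFlags, $ace.AccessMask,
            $ace.SecurityIdentifier, ($names -join ' + ')
    }
}

function New-MailboxSecurityDescriptor {
    param(
        [Parameter(Mandatory)][string]$OwnerSid,      # mailbox owner in the Exchange domain
        [Parameter(Mandatory)][string]$ExternalSid,   # account-domain user being granted the mailbox
        [int]$ExternalMask = 0x20005                  # CCLCRC, the mask the posted 'usert' entry grants
    )
    $ci    = [System.Security.AccessControl.AceFlags]::ContainerInherit
    $allow = [System.Security.AccessControl.AceQualifier]::AccessAllowed
    $self  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')   # PS = Principal Self
    $ext   = New-Object System.Security.Principal.SecurityIdentifier($ExternalSid)
    $dacl  = New-Object System.Security.AccessControl.RawAcl(2, 2)                 # ACL revision 2, room for 2 ACEs
    # (A;CI;CCDCRC;;;PS) is the part every posted entry shares; 0x20003 is that mask.
    $dacl.InsertAce(0, (New-Object System.Security.AccessControl.CommonAce($ci, $allow, 0x20003, $self, $false, $null)))
    $dacl.InsertAce(1, (New-Object System.Security.AccessControl.CommonAce($ci, $allow, $ExternalMask, $ext, $false, $null)))
    $owner = New-Object System.Security.Principal.SecurityIdentifier($OwnerSid)
    $flags = [System.Security.AccessControl.ControlFlags]'DiscretionaryAclPresent, SelfRelative'
    $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor($flags, $owner, $owner, $null, $dacl)
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    [pscustomobject]@{
        Sddl   = $sd.GetSddlForm('All')
        Binary = $bytes                               # raw value for msExchMailboxSecurityDescriptor
        Base64 = [Convert]::ToBase64String($bytes)    # the "attr:: value" form an LDIF import takes
    }
}

# The 'usert' string from the thread, then a descriptor for the next SID in that domain (a made-up RID).
Show-MailboxSddl 'O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370)'
$new = New-MailboxSecurityDescriptor -OwnerSid 'S-1-5-21-2527121305-4244181741-3459546813-500' `
                                     -ExternalSid 'S-1-5-21-3308934242-2785796821-2776977491-2371'
$new.Sddl     # round-trips to the same shape as the posted strings
$new.Base64
```

The binary layout is the standard self-relative SECURITY_DESCRIPTOR (revision, control flags, offsets, SIDs, ACL with ACE headers), so a Perl script on HP-UX can pack the same bytes; generate a few with this on a Windows box first and diff them against what the Perl code produces before letting the metadirectory write to production.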
RE: [ActiveDir] account operators
Because, by default, the AO does not have permissions over Exchange attributes. These need to be assigned separately. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, August 11, 2005 10:25 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] account operators i plan on getting rid of it. my question is really for my own knowledge. if homeMDB and mailNickname are parts of a user attrib and AO has full control on that user by default, why can't they set a mailbox via ADUC? I guess ADUC uses CDOEXM? also, is it a good idea not to use Backup Operators and the other Builtin groups? Thanks On 8/11/05, joe [EMAIL PROTECTED] wrote: Strictly speaking, anyone who has the ability to set mailNickname and homeMDB can create a mailbox. However... It depends on the tool being used. Most tools, especially anything that uses CDOEXM or emulates CDOEXM explicitly, will require Exchange View access to look up the homeMDB URL. If you use LDIF or admod or anything else that can directly update those attributes mentioned above, you are good to go. That being said, while you are new and making changes, take away account op rights. It is a pain to clean up later and you run into issues with adminsdholder when people try to reset each others passwords etc. Acc Ops is there simply for the migration from NT to AD. After that you should go to delegated IDs. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, August 11, 2005 10:57 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] account operators I thought AO had complete rights to the user object which would include exchange attribs. i guess they still need rights to the store? is that it? thanks On 8/11/05, Coleman, Hunter [EMAIL PROTECTED] wrote: I expect they lack Exchange View Only Admin permissions (or higher). 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, August 11, 2005 8:27 AM To: activedirectory Subject: [ActiveDir] account operators is there any reason an account operator could create a user but not a mailbox for that user? thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] account operators
why can't they create a mailbox for a regular user? Simply, the Account Operator is designed to work as a principal that allows work on accounts as they are BY DEFAULT out of Windows Server. The real reason is that there is typically, in most medium to large organizations, there is a mail admin team and a server admin team (at least it was VERY much this way with Exch 5.5). Separation of the functions was a goal to carry forward - but it could only be done by Group membership / permissions on attributes. If you take a look at the Advanced Security properties of a user, and drill in to the permissions granted to the AO, you're going to find that the permission for the Exchange functions are not granted. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, August 11, 2005 10:51 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] account operators thats what i thought but then it would make sense that AO group would be able to set that attrib on a user they have full control over. why can't they create a mailbox for a regular user? thanks as always, rick On 8/11/05, Rick Kingslan [EMAIL PROTECTED] wrote: No, not the store - it's a bit of a misnomer that to create a mailbox you need to have permissions to the store. If you can create the mailbox attributes on the user account, the first time that a mail message is delivered to the newly mailbox-enabled user, the actual storage area on the store is created. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, August 11, 2005 9:57 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] account operators I thought AO had complete rights to the user object which would include exchange attribs. i guess they still need rights to the store? is that it? thanks On 8/11/05, Coleman, Hunter [EMAIL PROTECTED] wrote: I expect they lack Exchange View Only Admin permissions (or higher). 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Thursday, August 11, 2005 8:27 AM To: activedirectory Subject: [ActiveDir] account operators is there any reason an account operator could create a user but not a mailbox for that user? thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] A bad bad thing...Manual push of AD?
Is this machine JUST a DC? If so, (without going out and having to buy a 3rd party piece of software) you can whack it and rebuild. You'll have to do the MetaDirectory cleanup for a DC removed from a domain improperly. If that's not feasible, when was your last system state backup? You can go into DSRM and initiate a non-authoritative restore. Follow this: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/f3bfb611-dcbe-4365-8f1d-3321916aeb63.mspx Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shadow Roldan Sent: Thursday, August 11, 2005 1:13 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] A bad bad thing...Manual push of AD? So I did a bad thing, I deleted a user at a different site and marked his mailbox for deletion Immediately recognizing my mistake I *ran* to the server room and yanked the network cable of the dc I was connected to. For now, none of the changes have replicated. I want to bring this machine back online, but I don't want those changes to go through How would you make this happen? Thanks guys S List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] csvde syntax
Just put the LDAP filter into an appropriate batch or VBScript file to accomplish this:

http://www.petri.co.il/ldap_search_samples_for_windows_2003_and_exchange.htm

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Thursday, August 11, 2005 1:18 PM
To: activedirectory
Subject: [ActiveDir] csvde syntax

What's the LDAP filter to use with csvde to just export all computer objects in a domain to a file?

thanks

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] A bad bad thing...Manual push of AD?
Ah. Right, right. I forgot the increase of 10 in the USN. This would effectively ensure that the newly authed object would not be overwritten by the object on the DC yanked from the network. So, Guido is right (as always). Rebuilding the DC is not even remotely the issue - and is not even necessary once the USN is increased.

Got it. Thanks for the clarification, all!

Rick

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, August 11, 2005 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

You are both correct... However, what Brett says (and what I thought) is: use another DC with the user still in full detail.

Boot into DSRM.
Use NTDSUTIL and an AUTH restore so that the version of the object is increased (by 10).
Because the version of the user has been increased, the deleted version of the user will be undone.

Only after restoring should he bring the DC back online. The deletion will replicate out and the undeletion (the object with a higher version) will replicate in. If he brings the DC back online before doing an auth restore of the object, the deletion will replicate to the other DCs and then he will, as Brett said, need to do a system state restore.

The procedure Brett described below and I above looks like the lag site structure, in this case with only one DC and someone who can run really fast... ;-)))

Jorge

________________________________

From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Thu 8/11/2005 9:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

Brett,

How is this going to help him get the DC back online that he yanked the cable on? As soon as that system is plugged back in, it's going to repl out the change, no?

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Shirley
Sent: Thursday, August 11, 2005 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] A bad bad thing...Manual push of AD?

Well, you're lucky that you yanked the network cable in time; now you don't have to do a system state restore to get the user back ...

Find a DC where the user still exists in a pristine condition, all the mailbox details, etc. Reboot the DC in DS Restore mode (DSRM). Use ntdsutil.exe to auth restore just that user's object.

You may (probably will) also have to restore links to that user; at this point it'd be nice if you were running on Win2k3 SP1, but if not it is still accomplishable. For Win2k3 SP1, after auth restoring the user, there should be some ldf file(s) that will allow you to restore the links. Simply use ldifde to apply these files to the appropriate DCs (up to one ldf per domain). For pre this latest generation (which is more likely, because you could yank the net cable in time), you may have to find the objects that are linked to the user, and restore them yourself. You can do this by performing an LDAP operation that deletes and re-sets the links to that user.

BTW, there is a more extensive KB article you might find useful: http://support.microsoft.com/?kbid=840001

Cheers,
BrettSh

This posting is provided "AS IS" with no warranties, and confers no rights.

On Thu, 11 Aug 2005, Shadow Roldan wrote:

So I did a bad thing. I deleted a user at a different site and marked his mailbox for deletion. Immediately recognizing my mistake, I *ran* to the server room and yanked the network cable of the DC I was connected to. For now, none of the changes have replicated. I want to bring this machine back online, but I don't want those changes to go through. How would you make this happen?

Thanks guys

S

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] A bad bad thing...Manual push of AD?
Best of all for one object it would be free.

Huh. Nice to know. Thanks, Bob.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Bobel
Sent: Thursday, August 11, 2005 4:34 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

Ok, so sorry in advance for the product plug...

Quest has two products called Recovery Manager, for both AD and for Exchange. You could download them and recover the user with the demo license. You would only need to do a Windows backup on a DC where the delete has not yet been replicated. This will recover the group memberships etc...

Best of all for one object it would be free.

Bob

From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 8/11/2005 4:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

It'll try - but as the version of the tombstone object will then be lower than that of the auth. restored object, the local change on the deleted object itself will simply be disregarded and the object + attributes restored (read: they will be overwritten by the auth. restored object, which has a higher version number).

But the main point Brett is also making seems to be ignored in the rest of this thread: although we still don't know Shadow Roldan's OS version, the probability is somewhat high that he's not using Win2003 SP1 (maybe not even any non-SP1 Win2003), which means that he has to take special care of the links that the deleted object was linked to (read: mainly the group memberships he had). Depending on the version of the DC OS, these won't be restored on the unplugged DC (Win2000 won't help you at all, Win2003 would revive the links if they were LVR links, Win2003 SP1 will also get the non-LVR links back and write them to an ldif file so that you can restore the links by importing the ldif file).

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Thursday, 11 August 2005 22:10
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

Brett,

How is this going to help him get the DC back online that he yanked the cable on? As soon as that system is plugged back in, it's going to repl out the change, no?

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Shirley
Sent: Thursday, August 11, 2005 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] A bad bad thing...Manual push of AD?

Well, you're lucky that you yanked the network cable in time; now you don't have to do a system state restore to get the user back ...

Find a DC where the user still exists in a pristine condition, all the mailbox details, etc. Reboot the DC in DS Restore mode (DSRM). Use ntdsutil.exe to auth restore just that user's object.

You may (probably will) also have to restore links to that user; at this point it'd be nice if you were running on Win2k3 SP1, but if not it is still accomplishable. For Win2k3 SP1, after auth restoring the user, there should be some ldf file(s) that will allow you to restore the links. Simply use ldifde to apply these files to the appropriate DCs (up to one ldf per domain). For pre this latest generation (which is more likely, because you could yank the net cable in time), you may have to find the objects that are linked to the user, and restore them yourself. You can do this by performing an LDAP operation that deletes and re-sets the links to that user.

BTW, there is a more extensive KB article you might find useful: http://support.microsoft.com/?kbid=840001

Cheers,
BrettSh

This posting is provided "AS IS" with no warranties, and confers no rights.

On Thu, 11 Aug 2005, Shadow Roldan wrote:

So I did a bad thing. I deleted a user at a different site and marked his mailbox for deletion. Immediately recognizing my mistake, I *ran* to the server room and yanked the network cable of the DC I was connected to. For now, none of the changes have replicated. I want to bring this machine back online, but I don't want those changes to go through. How would you make this happen?

Thanks guys

S

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] A bad bad thing...Manual push of AD?
I agree completely - that is the attraction of the lag sites - I have something in which I can push a change back out from a time-delayed replica to where the object still exists. And I agree as well - if there is a DC that has the object required - by all means, repl it back out authoritatively.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Shirley
Sent: Thursday, August 11, 2005 3:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

Hmmm, maybe I misunderstood ... I understood he has a user deleted on some DCs, but not on others. He doesn't want the user deleted. He can then just take a DC with the user, auth restore the user, let that replicate out. Yes, the delete change will try to replicate out, but when it hits the auth restore the delete operation will essentially be tossed. I mean this is the whole attraction to hot sites, is it not? Am I missing something?

Cheers,
BrettSh

On Thu, 11 Aug 2005, Rick Kingslan wrote:

Brett,

How is this going to help him get the DC back online that he yanked the cable on? As soon as that system is plugged back in, it's going to repl out the change, no?

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Shirley
Sent: Thursday, August 11, 2005 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] A bad bad thing...Manual push of AD?

Well, you're lucky that you yanked the network cable in time; now you don't have to do a system state restore to get the user back ...

Find a DC where the user still exists in a pristine condition, all the mailbox details, etc. Reboot the DC in DS Restore mode (DSRM). Use ntdsutil.exe to auth restore just that user's object.

You may (probably will) also have to restore links to that user; at this point it'd be nice if you were running on Win2k3 SP1, but if not it is still accomplishable. For Win2k3 SP1, after auth restoring the user, there should be some ldf file(s) that will allow you to restore the links. Simply use ldifde to apply these files to the appropriate DCs (up to one ldf per domain). For pre this latest generation (which is more likely, because you could yank the net cable in time), you may have to find the objects that are linked to the user, and restore them yourself. You can do this by performing an LDAP operation that deletes and re-sets the links to that user.

BTW, there is a more extensive KB article you might find useful: http://support.microsoft.com/?kbid=840001

Cheers,
BrettSh

This posting is provided "AS IS" with no warranties, and confers no rights.

On Thu, 11 Aug 2005, Shadow Roldan wrote:

So I did a bad thing. I deleted a user at a different site and marked his mailbox for deletion. Immediately recognizing my mistake, I *ran* to the server room and yanked the network cable of the DC I was connected to. For now, none of the changes have replicated. I want to bring this machine back online, but I don't want those changes to go through. How would you make this happen?

Thanks guys

S

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] A bad bad thing...Manual push of AD?
NOT the USN. Everyone makes that mistake ... why can no one keep the version and the USN straight? :o)

You know - I really don't know why. I know the difference, and I continually make that mistake. I can bet, too, that if I go back through any number of books, news posts, documents written by other folks - I'm fairly certain that I can find the mistake made again and again.

In fact - I have to go take a look at MOC. I THINK that they have it wrong as well. I'll point it out to Internal if that is, in fact, the case.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Shirley
Sent: Thursday, August 11, 2005 5:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

NOT the USN. Everyone makes that mistake ... why can no one keep the version and the USN straight?

The USN never resolves replication conflicts, only tells us WHAT to replicate, never WHAT should win. The version is the opposite, it never tells us what we need to replicate, only who should win in case of a conflict ...

During auth restore the version is incremented by 10 (per day old the backup is), and the USN is simply allocated from the next available USN (i.e. it is only guaranteed to be at least 1 higher than the last USN, but more likely there is just some random number of USNs in between, so it jumps by some amount ...).

Cheers,
-BrettSh

On Thu, 11 Aug 2005, Rick Kingslan wrote:

Ah. Right, right. I forgot the increase of 10 in the USN. This would effectively ensure that the newly authed object would not be overwritten by the object on the DC yanked from the network. So, Guido is right (as always). Rebuilding the DC is not even remotely the issue - and is not even necessary once the USN is increased.

Got it. Thanks for the clarification, all!

Rick

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, August 11, 2005 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

You are both correct... However, what Brett says (and what I thought) is: use another DC with the user still in full detail.

Boot into DSRM.
Use NTDSUTIL and an AUTH restore so that the version of the object is increased (by 10).
Because the version of the user has been increased, the deleted version of the user will be undone.

Only after restoring should he bring the DC back online. The deletion will replicate out and the undeletion (the object with a higher version) will replicate in. If he brings the DC back online before doing an auth restore of the object, the deletion will replicate to the other DCs and then he will, as Brett said, need to do a system state restore.

The procedure Brett described below and I above looks like the lag site structure, in this case with only one DC and someone who can run really fast... ;-)))

Jorge

________________________________

From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Thu 8/11/2005 9:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

Brett,

How is this going to help him get the DC back online that he yanked the cable on? As soon as that system is plugged back in, it's going to repl out the change, no?

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Shirley
Sent: Thursday, August 11, 2005 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] A bad bad thing...Manual push of AD?

Well, you're lucky that you yanked the network cable in time; now you don't have to do a system state restore to get the user back ...

Find a DC where the user still exists in a pristine condition, all the mailbox details, etc. Reboot the DC in DS Restore mode (DSRM). Use ntdsutil.exe to auth restore just that user's object.

You may (probably will) also have to restore links to that user; at this point it'd be nice if you were running on Win2k3 SP1, but if not it is still accomplishable. For Win2k3 SP1, after auth restoring the user, there should be some ldf file(s) that will allow you to restore the links. Simply use ldifde to apply these files to the appropriate DCs (up to one ldf per domain). For pre this latest generation (which is more likely, because you could yank the net cable in time), you may have to find the objects that are linked to the user, and restore them yourself. You can do this by performing an LDAP operation that deletes and re-sets the links to that user.

BTW, there is a more extensive KB article you might find useful: http://support.microsoft.com/?kbid=840001

Cheers,
BrettSh

This posting is provided "AS IS" with no warranties, and confers no rights.

On Thu, 11 Aug 2005, Shadow Roldan wrote:

So I did a bad
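The version-versus-USN distinction Brett draws above (USN says WHAT to replicate, version says WHO wins) is easiest to see in a toy model. The following is an added example written for this archive, not code from the list or from Microsoft; it is a simplified stand-in for the directory's real stamp comparison, and the version bump of 10 is the figure quoted in the thread, passed in as a parameter so the run without a bump can be compared.

```python
"""Constructed toy model of the replication conflict rule discussed in the thread.

Two replicas (DC1, DC2) hold the same user. DC1 deletes it and is unplugged,
DC2 authoritatively restores it, then the cable goes back in. Assumption (simplified
from real AD): each attribute carries (version, timestamp, originating DC) and the
higher tuple wins; the USN only decides which changes a partner still needs.
"""
from dataclasses import dataclass, field


@dataclass
class AttrValue:
    value: object
    version: int   # conflict resolution: higher version wins
    stamp: int     # originating write time, tie-breaker after version
    origin: str    # originating DC, last tie-breaker

    def beats(self, other: "AttrValue") -> bool:
        return (self.version, self.stamp, self.origin) > (other.version, other.stamp, other.origin)


@dataclass
class Replica:
    name: str
    attrs: dict = field(default_factory=dict)      # attribute -> AttrValue
    usn: int = 1000                                # local change counter
    local_usn: dict = field(default_factory=dict)  # attribute -> USN of last local write

    def write(self, attr: str, value, version_bump: int = 1, stamp: int = 0) -> None:
        """Originating write: version goes up by the bump, USN is just the next local number."""
        self.usn += 1
        old = self.attrs.get(attr)
        self.attrs[attr] = AttrValue(value, (old.version if old else 0) + version_bump, stamp, self.name)
        self.local_usn[attr] = self.usn

    def changes_since(self, watermark: int) -> dict:
        """WHAT to replicate: everything written after the partner's high-watermark USN."""
        return {a: self.attrs[a] for a, u in self.local_usn.items() if u > watermark}

    def apply_inbound(self, incoming: dict) -> None:
        """WHO wins: an inbound value is accepted only if its stamp beats the local one."""
        for attr, candidate in incoming.items():
            current = self.attrs.get(attr)
            if current is None or candidate.beats(current):
                self.attrs[attr] = candidate
                self.usn += 1
                self.local_usn[attr] = self.usn  # accepted change gets a fresh local USN


def scenario(version_bump: int) -> tuple:
    """Run the thread's situation; returns DC1's and DC2's final isDeleted values."""
    dc1, dc2 = Replica("DC1"), Replica("DC2")
    for dc in (dc1, dc2):  # both start with the same replicated user (version 1)
        dc.attrs["isDeleted"] = AttrValue(False, 1, 0, "DC2")
    seen_dc1, seen_dc2 = dc1.usn, dc2.usn   # high-watermarks each partner has already pulled
    dc1.write("isDeleted", True, stamp=20)                               # accidental delete, then unplugged
    dc2.write("isDeleted", False, version_bump=version_bump, stamp=10)   # auth restore (older clock!)
    dc2.apply_inbound(dc1.changes_since(seen_dc1))   # cable back in: delete replicates out...
    dc1.apply_inbound(dc2.changes_since(seen_dc2))   # ...and the restored object replicates in
    return dc1.attrs["isDeleted"].value, dc2.attrs["isDeleted"].value


if __name__ == "__main__":
    print("bump of 10:", scenario(10))  # both undeleted: the restore's version wins
    print("no bump:   ", scenario(1))   # both deleted: equal versions, newer timestamp wins
```

With the bump the deletion loses on every DC even though it is the newer write; without it the two writes tie on version and the later timestamp (the delete) wins, which is exactly the case Jorge warns about.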