RE: [ActiveDir] OT:EXCHANGE weirdness

2004-05-29 Thread Kern, Tom
i checked the perms thru adsiedit-
blackberry account(ex view only admin according to ESM)- has all the appropriate 
rights except no entry at the ORG container and at the Administrative groups container.

Domain admins in child domain with similar issues(ex full admin according to ESM)- 
same thing


Now, the questions-
1.how could this just change? I know the root domain guys took us out of the Exchange 
org and used the delegation wizard to give us full access to our admin group thru ESM. 
same thing for the blackberry account, except view only.
do we still need to be delegated something at the org level? it would seem to be so. 
to be able to administer our admin group, would we still need some rights on the org 
level?

2. how can i take ownership with no rights on an object. can a domain admin in a child 
domain write to the config container of a forest?


This is why i want our own forest. If you see my previous threads, its always about 
how to break away from the forest or what a child domain admin can or can't do without 
enterprise admin access, dependency on the root, etc.


we always have issues with the guys on top screwing us up on the bottom and the 
serious lack of communication. they seem to think that as child domain admins we can't 
screw THEM. i'm trying to convince my CIO to break away or at least ask for enterprise 
admin rights. I want to at least show them that we can screw them up or get access to 
enterprise admin so they would then give us this access or we would leave the 
forest(since as a sister corp, we are on equal footing with them in everyway. its just 
politics).

thank you guys so much for all your help.

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness


Everything I read in this chain is definitely saying permission issues. Note
that the main permissions for Exchange are in the config container. Anyone
from any domain that has permissions to that container can be dangerous.
Including domain admins of children domain. 

The fact that you can't even read the permissions from a certain level on is
screaming someone changed the permissions AT THAT level. The fun thing is if
you don't have permissions to see the permissions, you will have to take
ownership to see them or figure out what account has the perms necessary to
see them. Once you can see them, then you can figure out how bad it is. I
would personally try to do a dsacls dump of each layer under the Exchange
Services level and see where the perms start locking down. Again, you may
have to take ownership at some point to see anything.

  joe



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 28, 2004 2:52 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

Checking this document, can you verify what permissions are associated with
the BB account?

http://support.microsoft.com/default.aspx?scid=kb;en-us;823018 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 28, 2004 2:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

they added an exchange2k3 server and a win2k3 dc. how would that change
things?
in my child domain, i'm a full exchange admin and can see everything. in
another domain, the exchange full admins can't see anything. and of course
the view only blackberry service account can't see anything in my domain.
all our dc's are at sp 3 or 4.
how would installing exchange2k3 or win2k3 change the security on the config
container as to disallow viewing for one domain and not another?
thats the only change made according to them...

i'm very confused. 
thanks for your continuing help in this. i really appreciate it.


-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 2:13 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness


They could have added an Exchange 2k3 server for starters :)

Nothing is logged on the Exchange server or the DC/GC when you try to access
that information? Is audit logging turned on?

Did they upgrade the root domain as well?  Those permissions are set on the
configuration container and you should have view rights to them as a
delegated admin.  If you don't, then something has changed and seems to be
recurring.  Check with the root folks to see what's changed in the last few
days in the root domain.  What was added etc? 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 28, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

According to RIM, its a permissions error(duh). they suggested upgrading the
mapi32.dll and cdo.dll to the same version as the exchange server.
while the blackberry service is now starting, i 
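
joe's suggestion earlier in this thread, a dsacls dump of each layer under the Exchange Services level to see where the permissions start locking down, as an added example that is not part of the original messages. The forest DN is a placeholder, the depth limit is an assumption, and the ACE count relies on English dsacls output.

```powershell
# Added example (not from the thread): read-only walk of the Exchange part of the
# configuration container, running dsacls on each layer to see where ACLs stop being readable.
$ForestRootDN = 'DC=example,DC=com'   # placeholder: your forest root domain DN
$StartDN      = "CN=Microsoft Exchange,CN=Services,CN=Configuration,$ForestRootDN"
$MaxDepth     = 3                     # assumption: deep enough to reach each admin group
$OutDir       = Join-Path $env:TEMP 'exch-acl-dump'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-ChildDN {
    param([string]$ParentDN)
    # One-level LDAP search; emits nothing if the container cannot be listed.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ParentDN")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=*)')
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $searcher.PageSize    = 500
    try {
        foreach ($r in $searcher.FindAll()) { [string]$r.Properties['distinguishedname'][0] }
    } catch {
        Write-Warning "Cannot list children of '$ParentDN': $($_.Exception.Message)"
    }
}

function Get-AclLayer {
    param([string]$DN, [int]$Depth = 0)
    # dsacls with only a DN displays the ACL; keep the raw text for later comparison.
    $raw = & dsacls.exe $DN 2>&1 | ForEach-Object { "$_" }
    $script:Seq++
    $file = Join-Path $OutDir ('{0:d4}.txt' -f $script:Seq)
    $raw | Set-Content -Path $file
    # Assumption: English dsacls output, where each ACE line starts with Allow or Deny.
    $aces = @($raw | Where-Object { $_ -match '^\s*(Allow|Deny)\s' }).Count
    [pscustomobject]@{ Depth = $Depth; Readable = ($aces -gt 0); AceLines = $aces; File = $file; DN = $DN }
    if ($Depth -lt $MaxDepth) {
        foreach ($child in Get-ChildDN $DN) { Get-AclLayer -DN $child -Depth ($Depth + 1) }
    }
}

$Seq    = 0
$report = @(Get-AclLayer -DN $StartDN)
$report | Format-Table Depth, Readable, AceLines, DN -AutoSize
# The shallowest unreadable layers are where the permissions start locking down.
$report | Where-Object { -not $_.Readable } | Sort-Object Depth |
    Select-Object -First 5 Depth, DN | Format-Table -AutoSize
```

Running it once as the affected account and once as an account that can see everything, then comparing the saved files, shows which ACEs differ at the first unreadable layer.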

RE: [ActiveDir] MACS

2004-05-29 Thread Grillenmeier, Guido
That was the impression I got too, when looking through the ACS slides
(wasn't at the session either):

here's what it says on some slides
* ACS will ship with MOM management pack
* ACS is a Windows platform technology- not a complete solution
* ACS is specifically focused on security event collection in
high-security environments 
* MOM 2005 management pack provides a front-end to ACS
* ACS provides open interfaces for 3rd party extension [MOM not a
requirement] 

and
* Release
  - TBD (probably pretty soon)
* Licensing
  - TBD

=> so I'm currently not sure if you basically buy the MOM mgmt pack to
get ACS, or vice-versa.  But they still seem to be working on the
licensing, which would suggest it's not for free.  But at least you
don't NEED MOM for it.


/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Samstag, 29. Mai 2004 06:11
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MACS

It was announced at TechEd (although it's second-hand information from
one of our PMs; I wasn't at that session.)

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Friday, May 28, 2004 11:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MACS

Where did you hear that? Last I heard in the beta group it was to be
included in the next 2K/2003 SP's but I am not as well connected as
you are :-]

Maybe ~eric can answer G 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Friday, May 28, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MACS

And, as I understand it, it is not going to be a free download or
Resource Kit component any more. MSFT is going to charge for it.

-gil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Friday, May 28, 2004 11:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MACS

Anyone know where MS are with MACS now?

MACS is now called The Microsoft Windows Audit Collection Services (ACS)


Release Candidate 1 became available to beta testers at the end of
April.

ACS Release Candidate changes include:
1) Simplified and updated database schema
2) Updated communications protocol
3) Complete support for SSL/TLS authentication
4) Improved performance & scalability
5) Improved setup experience
6) Improved security (on Windows XP and Windows Server 2003, ACS runs as
NetworkService)
7) Improved manageability
8) Database included
9) Many quality & stability improvements
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford,
Robert
Sent: Friday, May 28, 2004 6:04 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] MACS


Anyone know where MS are with MACS now?

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Sysvol Damaged

2004-05-29 Thread mathif
Ma problem, i don't have the backup as itz a new promoted ADC

Regards,
Mohammed Athif Khaleel
Asst.Network Engineer
AlFaisaliah Group
Information Technology
Tel.: +966-1-461-0077 x.209
Moble.: +966-509774015
Email: [EMAIL PROTECTED]
"Save Internet, Keep all the systems patched"
Web: http://alfaisaliah.com

-Original Message-
From: MAI ANH TUAN [mailto:[EMAIL PROTECTED]
Sent: Friday, 28 May 2004 3:50 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Sysvol Damaged

Same as my problem, I delete sysvol, restore the backup and share it again.

Mai Anh Tuan
Networking and system service - Information technology center - Electricity of Vietnam.
04-9741910 (672)
0912177199
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 26, 2004 5:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sysvol Damaged

Yes, but still many issues with FRS, DCPROMO, will it solve all the issues bcoz that
will be thru a WAN Link.

Regards,
Mohammed Athif Khaleel
Asst.Network Engineer
AlFaisaliah Group
Information Technology
Tel.: +966-1-461-0077 x.209
Moble.: +966-509774015
Email: [EMAIL PROTECTED]
"Save Internet, Keep all the systems patched"
Web: http://alfaisaliah.com

-Original Message-
From: Rutherford, Robert [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 26 May 2004 1:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sysvol Damaged

Are all your other DC's still running clean? If so then I'd suggest a DCpromo
down and then up again.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 26 May 2004 11:27
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sysvol Damaged

Yes i did restart FRS before DCDIAG

Regards,
Mohammed Athif Khaleel
Asst.Network Engineer
AlFaisaliah Group
Information Technology
Tel.: +966-1-461-0077 x.209
Moble.: +966-509774015
Email: [EMAIL PROTECTED]
"Save Internet, Keep all the systems patched"
Web: http://alfaisaliah.com

-Original Message-
From: Rutherford, Robert [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 26 May 2004 12:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sysvol Damaged

Did you restart the FRS service before running the below dcdiag?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 26 May 2004 10:13
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sysvol Damaged

Domain membership test . . . . . . : Failed
SONYDC failed test kccevent
   Starting test: frssysvol
      Error: No record of File Replication System, SYSVOL started.
      The Active Directory may be prevented from starting.
      There are errors after the SYSVOL has been shared.
      The SYSVOL can prevent the AD from starting.
      . SONYDC passed test frssysvol
   Starting test: kccevent
      An Warning Event occured. EventID: 0x84F1
         Time Generated: 05/26/2004 11:55:32
         (Event String could not be retrieved)
      An Warning Event occured. EventID: 0x84F1
         Time Generated: 05/26/2004 11:55:56
         (Event String could not be retrieved)

Regards,
Mohammed Athif Khaleel
Asst.Network Engineer
AlFaisaliah Group
Information Technology
Tel.: +966-1-461-0077 x.209
Moble.: +966-509774015
Email: [EMAIL PROTECTED]
"Save Internet, Keep all the systems patched"
Web: http://alfaisaliah.com

-Original Message-
From: Rutherford, Robert [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 26 May 2004 11:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sysvol Damaged

restart the File Replication Service and run your dcdiag again. Any change?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 26 May 2004 09:20
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Sysvol Damaged

Guyz still the SYSVOL is not shared?? how do i troubleshoot this critical problem

Regards,

[ActiveDir] PTR records - why?

2004-05-29 Thread Jan Wilson
We have a Windows 2000 forest with multiple child domains. No web servers. No remote 
hosted mail servers. No external access. (That I know about at least!) Our DNS is 
integrated to active directory. Fellow administrators are adamant we should create 
reverse lookup zones for all our subnets. This would assist name resolution for our 
NT4 workstations they claim. Stuff and nonsense I claim. Is there any reason to use 
PTR records on an AD domain? 
Thanks!

