RE: [ActiveDir] a bit of AD admin
Removing a DC will not completely remove that from the AD metabase; you have got to remove that either using NTDSUTIL from the command line or ADSIEDIT (GUI). It's all there in the MS KB.

I have no idea of how to remove that from authorized DHCP Servers.

Cheers,
Athif

-----Original Message-----
From: Graham Turner [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 12, 2004 9:35 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] a bit of AD admin

just wanted to run this by the mailing list

i know there to be a whole raft of objects left behind in the directory after unorderly shutdown of DC

however even in an orderly demotion seems there is a server object left behind at;

CN=servername.,CN=servers,CN=site,CN=configuration,DC=

i assume we are safe to delete this and there are no AD dependencies on this object - if there are begs the question why it has been left behind ???

on a similar (perhaps ?) vein i have now contrived to get a couple of duplicate local groups DHCP Users CNF and ditto for DHCP Administrators CNF ...

seems a bit of a coincidence that the server i have removed was a DHCP server

is it that the server has not been removed from the list of authorised DHCP servers that these groups have appeared

GT

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom/which they are addressed. If you have received this email in error please notify the system manager at the following email address: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Al Faisaliah Group. Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, arrive late or contain viruses. The sender therefore does not accept liability for any errors or omissions in the context of this message, which arise as a result of Internet transmission. Finally, the recipient should check this email and any attachments for the presence of viruses. Al Faisaliah Group accepts no liability for any damage caused by any virus transmitted by this email.
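As an added example (not code from Athif's or Graham's messages), the following read-only VBScript, run on a domain member with ADSI, lists the server objects under CN=Sites in the Configuration naming context that have no NTDS Settings child, which is what the leftover object Graham describes looks like after a demotion. Going beyond the post, it also lists objects whose name carries the "CNF:" marker that AD applies when the same object was created on two DCs before replication converged, which is how the duplicate "DHCP Users" and "DHCP Administrators" groups would have been named. It prints candidates and deletes nothing; removal is still done with NTDSUTIL or ADSIEDIT as the reply says. One caveat: a DC that is in the middle of promotion also briefly has a server object without NTDS Settings, so confirm the host is really gone before deleting.

```vbscript
' Added example, not from the thread. Read-only: finds leftover server
' objects and replication-conflict (CNF:) objects, prints them, changes nothing.
Option Explicit

Dim objRootDSE
Set objRootDSE = GetObject("LDAP://RootDSE")

' Server objects under CN=Sites,CN=Configuration with no nTDSDSA child.
' After a clean demotion the NTDS Settings object goes away but the
' server object can remain; that is the object Graham asked about.
Sub ListServersWithoutNtdsSettings()
    Dim strConfigNC, objSites, objSite, objServers, objServer, objChild, blnHasNtds
    strConfigNC = objRootDSE.Get("configurationNamingContext")
    Set objSites = GetObject("LDAP://CN=Sites," & strConfigNC)
    objSites.Filter = Array("site")
    For Each objSite In objSites
        Set objServers = GetObject("LDAP://CN=Servers," & objSite.Get("distinguishedName"))
        objServers.Filter = Array("server")
        For Each objServer In objServers
            blnHasNtds = False
            ' The NTDS Settings object is of class nTDSDSA and is a child of the server object.
            For Each objChild In objServer
                If LCase(objChild.Class) = "ntdsdsa" Then blnHasNtds = True
            Next
            If Not blnHasNtds Then
                WScript.Echo "No NTDS Settings (demoted or mid-promotion): " & _
                    objServer.Get("distinguishedName")
            End If
        Next
    Next
End Sub

' Objects renamed by the conflict-resolution logic carry a CN of the form
' "<name>\0ACNF:<guid>"; an ADO substring search over the domain finds them.
Sub ListConflictObjects()
    Dim objConn, objCmd, objRS, strDomainNC
    strDomainNC = objRootDSE.Get("defaultNamingContext")
    Set objConn = CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    objConn.Open "Active Directory Provider"
    Set objCmd = CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandText = "<LDAP://" & strDomainNC & ">;(cn=*CNF:*);distinguishedName;subtree"
    Set objRS = objCmd.Execute
    Do Until objRS.EOF
        WScript.Echo "Replication conflict object: " & objRS.Fields("distinguishedName").Value
        objRS.MoveNext
    Loop
    objConn.Close
End Sub

ListServersWithoutNtdsSettings
ListConflictObjects
```

Run it with `cscript //nologo lingering.vbs` as a user that can read the Configuration partition (any authenticated user can, by default). Each CNF: pair should be inspected before one copy is removed: the surviving copy should be the one whose membership and SID are referenced in ACLs and DHCP.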
RE: [ActiveDir] 2000 to 2003 Migrations
unless you really have a badly designed or misbehaving Win2k AD today, there is no reason for you to go through a migration with all the hassles involved (the hassles are worth it for consolidation and other reasons, but not to go from 2000 to 2003). So stick to an in-place upgrade and check out the following KB with more details:

http://support.microsoft.com/default.aspx?scid=kb;en-us;325379

You mainly have to be aware of the preparations to take for the mangled attributes during forestprep and the changes in the default security of AD, which could impact some legacy clients.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Tuesday, 13 July 2004 00:36
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2000 to 2003 Migrations

I know MS has some decent whitepapers on migrations, but I was curious if any of you have any real-world feedback on tips or gotchas to be aware of when going from 2000 to 2003.

The kind of migration I'm talking about is for a small environment, all Windows 2000, native mode, 8 DC's in 5 sites, maybe 3000 users. Exchange 2003 is also in use. I'm thinking of doing an in-place upgrade as opposed to a migration with ADMT into a new Forest. I know to run adprep /forestprep and /domainprep. I'm loosely aware of the possible mangled(?) attributes when Exchange is deployed; I'll need to re-read up on that. I haven't decided yet on if I'll perform an OS upgrade of the PDCE to 2003 or try building a new 2003 DC.

Most of what I've read/heard about so far is that this type of migration should be pretty straightforward, but I figured I'd ask while still in the early planning stages while I still have time to adjust as necessary.

Oh, and if anyone knows of any post 2003 RTM hotfixes that should be applied to the DC's right off the bat, I'd appreciate info on that, too.

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Redirecting Comps
as far as I know, you have to be at 2003 domain functional level (native domain), since 2000 (or even NT4) DCs wouldn't know how to handle the redirection.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, 11 July 2004 07:24
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Redirecting Comps

In pt 8.12 of the AD Cookbook, Robbie talks about modifying the wellknown value by hand. Does this work in a non 2003 native domain? Same with the users CN

--Brian
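As an added example (not from Guido's or Brian's messages), this VBScript performs the pre-check implied by the reply: it reads the domain's msDS-Behavior-Version to report the domain functional level and lists the current wellKnownObjects entries on the domain head, so you can see where the Users and Computers containers point before anyone edits that attribute by hand. It only reads; the redirection itself is not performed here.

```vbscript
' Added example, not from the thread. Reports the domain functional level
' and the current wellKnownObjects entries; makes no changes.
Option Explicit

Dim objRootDSE, objDomain, intLevel, strLevel, arrWKO, objWKO

Set objRootDSE = GetObject("LDAP://RootDSE")
Set objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))

' msDS-Behavior-Version only exists once the schema has been extended to
' Windows Server 2003; on a pure Windows 2000 forest the Get fails.
On Error Resume Next
intLevel = objDomain.Get("msDS-Behavior-Version")
If Err.Number <> 0 Then
    intLevel = -1
    Err.Clear
End If
On Error GoTo 0

Select Case intLevel
    Case 2:    strLevel = "Windows Server 2003"
    Case 1:    strLevel = "Windows Server 2003 interim"
    Case 0:    strLevel = "Windows 2000 (mixed or native)"
    Case Else: strLevel = "unknown (msDS-Behavior-Version not present; Windows 2000 schema)"
End Select
WScript.Echo "Domain functional level: " & strLevel

' wellKnownObjects is a multi-valued DN-with-binary attribute: each entry
' pairs a well-known GUID with the DN of the container it currently names.
arrWKO = objDomain.GetEx("wellKnownObjects")
For Each objWKO In arrWKO
    WScript.Echo "wellKnownObjects -> " & objWKO.DNString
Next

If intLevel < 2 Then
    WScript.Echo "Redirecting the Users/Computers containers needs Windows Server 2003 domain functional level."
End If
```

Run with `cscript //nologo wko-check.vbs`. The DNString values show which containers newly created user and computer objects currently land in; after a redirection the Users and Computers entries should point at the OUs you chose rather than the default CN=Users and CN=Computers.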
RE: [ActiveDir] DeForestation
wow, i'm replying to my own posts. now it's official, i'm a loser...

can you guys direct me to a good reference for what i'm asking (not the loser bit)? anything that covers hitches in cross forest coexistence or migration?

thanks again and sorry for beating a dead horse.

-----Original Message-----
From: Kern, Tom
Sent: Friday, July 09, 2004 8:36 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DeForestation

I'm migrating a child domain from one win2k forest to a new one.

the source forest is running win2k3 in the root and i have a destination forest with one empty win2k3 dc.

i'm using admt, miis feature pack and exchange migration wizard (both forests will have exchange2k in native mode). i'm also using subinacl to re-acl everything.

all my source dc's in the child domain are win2k though i have some NT member servers. my clients are all win2k pro and winXP.

i have one brand new server that is running the win2k3 root in the dest. forest.

will this work? am i insane?

will sid history feature allow my users to still access the shares in the old forest during the migration?

is miis feature pack enough (with mssql and win2k3) to share the GAL?

is subinacl enough to re-acl all the shares and printers in my new forest?

what issues can i expect? is this doable?

I apologize for all the questions but my cio wants to leave our current forest for political reasons in 2 weeks and i'm the only one doing this migration and i thought you guys could help me even see if this is feasible (he doesn't want to spend the money for Aelita or any other third party apps!!??).

the only AD aware or dependent app we have is exchange2k (the root domain is using SAP but i don't know if this will affect it).

i'd just like some input. i know this is a broad and big topic but just any advice or war stories or even "no, don't do this, are you insane!" would be great.

thanks a lot and again, my apologies for throwing such a big diverse topic out there. i know it can't be resolved in a simple forum
RE: [ActiveDir] DeForestation
I guess my question was too silly. Ok, how 'bout this: has anyone had personal experience doing a forest migration using these tools without the benefit of Aelita or any other third party?

thanks

-----Original Message-----
From: Kern, Tom
Sent: Friday, July 09, 2004 8:36 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DeForestation

I'm migrating a child domain from one win2k forest to a new one.

the source forest is running win2k3 in the root and i have a destination forest with one empty win2k3 dc.

i'm using admt, miis feature pack and exchange migration wizard (both forests will have exchange2k in native mode). i'm also using subinacl to re-acl everything.

all my source dc's in the child domain are win2k though i have some NT member servers. my clients are all win2k pro and winXP.

i have one brand new server that is running the win2k3 root in the dest. forest.

will this work? am i insane?

will sid history feature allow my users to still access the shares in the old forest during the migration?

is miis feature pack enough (with mssql and win2k3) to share the GAL?

is subinacl enough to re-acl all the shares and printers in my new forest?

what issues can i expect? is this doable?

I apologize for all the questions but my cio wants to leave our current forest for political reasons in 2 weeks and i'm the only one doing this migration and i thought you guys could help me even see if this is feasible (he doesn't want to spend the money for Aelita or any other third party apps!!??).

the only AD aware or dependent app we have is exchange2k (the root domain is using SAP but i don't know if this will affect it).

i'd just like some input. i know this is a broad and big topic but just any advice or war stories or even "no, don't do this, are you insane!" would be great.

thanks a lot and again, my apologies for throwing such a big diverse topic out there. i know it can't be resolved in a simple forum
RE: [ActiveDir] VBS Help
George, I think the email addresses need to be quoted, do they not? e.g.

objEmail.From = "[EMAIL PROTECTED]"

mc

-----Original Message-----
From: George Arezina [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 13, 2004 8:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] VBS Help

Hi guys,

I'm trying to create a script that would automatically send me an email message when a service fails on my DC. However, I always get the following error:

Script: E:\vbs scripts\mail.vbs
Line: 3
Char: 23
Error: Invalid character
Code: 800A0408
Source: Microsoft VBScript compilation error

The following is the contents of the script:

set objArgs = Wscript.Arguments
Set objEmail = CreateObject(CDO.Message)
objEmail.From = [EMAIL PROTECTED]
objEmail.To = [EMAIL PROTECTED]
objEmail.Subject = objArgs(0) service is down
objEmail.Textbody = The service objArgs(0) has failed.
objEmail.Send
set objArgs = nothing
set objEmail = nothing

Any help would be appreciated very much.

Cheers,
George

The exchange of messages with Opportunity International Serbia via e-mail is not binding. Declarations regarding legal transactions must not be exchanged via this medium. The information contained in this e-mail message is confidential and intended exclusively for the addressee. Persons receiving this e-mail message who are not the named addressee (or his/her co-workers, or persons authorized to take delivery) must not use, forward or reproduce its contents. If you have received this e-mail message by mistake, please contact us immediately and delete this email message beyond retrieval.
RE: [ActiveDir] VBS Help
Try putting the email addresses in quotes. ie. "[EMAIL PROTECTED]"

Rick

-----Original Message-----
From: George Arezina [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 13, 2004 7:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] VBS Help

Hi guys,

I'm trying to create a script that would automatically send me an email message when a service fails on my DC. However, I always get the following error:

Script: E:\vbs scripts\mail.vbs
Line: 3
Char: 23
Error: Invalid character
Code: 800A0408
Source: Microsoft VBScript compilation error

The following is the contents of the script:

set objArgs = Wscript.Arguments
Set objEmail = CreateObject(CDO.Message)
objEmail.From = [EMAIL PROTECTED]
objEmail.To = [EMAIL PROTECTED]
objEmail.Subject = objArgs(0) service is down
objEmail.Textbody = The service objArgs(0) has failed.
objEmail.Send
set objArgs = nothing
set objEmail = nothing

Any help would be appreciated very much.

Cheers,
George
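The corrected form of the script discussed in both replies above, as an added example and not the script George posted or either reply's code: every string literal is quoted (the ProgID, the addresses, the subject and body text), the service name from the command line is concatenated in with `&` rather than pasted into the literal, and the SMTP server is set explicitly through the CDO configuration fields so the script does not depend on a local pickup directory. The SMTP host and addresses are placeholders, not values from the thread.

```vbscript
' Added example, not George's posted script. Sends a one-line alert for a
' failed service; the service name is passed as the first argument.
Option Explicit

Const cdoSendUsingPort = 2                         ' deliver over SMTP, not a pickup directory
Const SMTP_SERVER = "smtp.example.internal"        ' placeholder, replace with your relay
Const SMTP_PORT = 25

Dim objArgs, objEmail, strService, strHost

Set objArgs = WScript.Arguments
If objArgs.Count < 1 Then
    WScript.Echo "Usage: cscript mail.vbs <service name>"
    WScript.Quit 1
End If
strService = objArgs(0)
strHost = CreateObject("WScript.Network").ComputerName

Set objEmail = CreateObject("CDO.Message")         ' ProgID must be a quoted string
objEmail.From = "dc-alerts@example.internal"       ' placeholder address
objEmail.To = "admin@example.internal"             ' placeholder address
objEmail.Subject = strService & " service is down on " & strHost
objEmail.TextBody = "The service " & strService & " has failed on " & strHost & "."

' Explicit SMTP configuration; without these fields CDO falls back to the
' local IIS SMTP pickup directory, which a DC usually does not have.
With objEmail.Configuration.Fields
    .Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = cdoSendUsingPort
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = SMTP_SERVER
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = SMTP_PORT
    .Update
End With

objEmail.Send

Set objEmail = Nothing
Set objArgs = Nothing
```

Run as `cscript //nologo mail.vbs "DNS Server"` from a service-recovery action or a scheduled task. The original compile error pointed at line 3, which is the unquoted From address: VBScript reads the `@` as an invalid character in source, which is why both replies suggest the quotes.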
RE: [ActiveDir] DeForestation
Tom, are you saying it over and over again and expecting a different response? I believe there's a definition for that behavior if so ;)

As for the tools, it is possible to do this with the Microsoft tools. The reference for this is the migration cookbook.

> will this work? am i insane?

see above for that question; I think you might have answered that (lol)

> will sid history feature allow my users to still access the shares in the old forest during the migration?

that's a question. Why not test it early and find out? I would suspect that you will have some trust issues but otherwise it's possible (you didn't mention a trust or not; see the documentation for migrations and sIDHistory usage).

> is miis feature pack enough (with mssql and win2k3) to share the GAL?

Yep, it'll do that.

> is subinacl enough to re-acl all the shares and printers in my new forest?

Can't see any reason why not. Not to say in your organization there won't be a few issues. Usually there are a few bumps.

> what issues can i expect? is this doable?

issues? There'll be a few issues that you'll have to work through. Practice makes perfect and there is no other way to really know what the issues will be in your environment specifically until you go through it.

Using sIDHistory is probably not something you want to use long-term (i.e. any longer than you have to) since you won't have control of the central forest.

-al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, July 13, 2004 8:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DeForestation

wow, i'm replying to my own posts. now it's official, i'm a loser...

can you guys direct me to a good reference for what i'm asking (not the loser bit)? anything that covers hitches in cross forest coexistence or migration?

thanks again and sorry for beating a dead horse.

-----Original Message-----
From: Kern, Tom
Sent: Friday, July 09, 2004 8:36 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DeForestation

I'm migrating a child domain from one win2k forest to a new one.

the source forest is running win2k3 in the root and i have a destination forest with one empty win2k3 dc.

i'm using admt, miis feature pack and exchange migration wizard (both forests will have exchange2k in native mode). i'm also using subinacl to re-acl everything.

all my source dc's in the child domain are win2k though i have some NT member servers. my clients are all win2k pro and winXP.

i have one brand new server that is running the win2k3 root in the dest. forest.

will this work? am i insane?

will sid history feature allow my users to still access the shares in the old forest during the migration?

is miis feature pack enough (with mssql and win2k3) to share the GAL?

is subinacl enough to re-acl all the shares and printers in my new forest?

what issues can i expect? is this doable?

I apologize for all the questions but my cio wants to leave our current forest for political reasons in 2 weeks and i'm the only one doing this migration and i thought you guys could help me even see if this is feasible (he doesn't want to spend the money for Aelita or any other third party apps!!??).

the only AD aware or dependent app we have is exchange2k (the root domain is using SAP but i don't know if this will affect it).

i'd just like some input. i know this is a broad and big topic but just any advice or war stories or even "no, don't do this, are you insane!" would be great.

thanks a lot and again, my apologies for throwing such a big diverse topic out there. i know it can't be resolved in a simple forum
RE: [ActiveDir] Active Directory Monitoring Tools
We would like to do both

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 13, 2004 9:27 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Active Directory Monitoring Tools

MOM is a great tool, but I never recommend email alerts if you're also an Exchange shop. If Active Directory is having problems, it's possible that email won't work. Paging or text messaging is much more reliable.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie
Sent: Tuesday, July 13, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory Monitoring Tools

My company is looking to purchase a tool that will monitor Active Directory and send an email when there are critical errors. What are your recommendations?
[ActiveDir] LimitLogin Beta
Is there anyone out there who is currently attempting to beta the resource kit tool LimitLogin? This is the Windows 2003 replacement for Cconnect.

I am having some issues with it which I'd appreciate any further input on if anyone has any experience of this tool. Let me know if anyone out there has worked with this before I start boring you all with the detail.

Cheers
Jacqui
[ActiveDir] FW: FindGrp funnies....
'Tis OK, Showgrps did the job.

BR
Rob

-----Original Message-----
From: Rutherford, Robert
Sent: 13 July 2004 12:33
To: '[EMAIL PROTECTED]'
Subject: FindGrp funnies

Morning, Evening, Afternoon All,

Typing findgrp domain\username isn't working and pumping 'Finding global groups: Unknown Error: 234' back to me.

Any ideas? I've never used it and just curious why I'm getting the error as I can't find anything via a google search.

Thanks,
Rob

This e-mail and the information it contains are confidential and may be privileged. If you have received this e-mail in error please notify the sender immediately and delete the material from any computer. Unless you are the intended recipient, you should not copy this e-mail for any purpose, or disclose its contents to any other person. The MCPS-PRS Alliance is not responsible for the completeness or accuracy of this communication as it has been transmitted over a public network. Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains. It is the recipient's responsibility to scan this e-mail and any attachments for viruses. Any e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for quality control and other purposes. The MCPS-PRS Alliance Limited is a limited company registered in England under company number 03444246 whose registered office is at c/o 29-33 Berners Street, London, W1T 3AB.
RE: [ActiveDir] Domain Controller Question
As always and pitched at the perfect level. Many hours/days of sweat and tears have been saved thanks to everyone's input on here. Hey, I love you guys :O)

'He says', grinning inanely, while readjusting his Joeware thong and stroking the picture of Dean sat beside his monitor.

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]]
Sent: 13 July 2004 02:07
To: Send - AD mailing list
Subject: RE: [ActiveDir] Domain Controller Question
Importance: High

For those of you that don't always read the more lengthy, complex replies ... read this one, it's simple (and to some, its content may even seem obvious) but, IMHO, it's brilliantly put! Joe's post manages to succinctly address the whys of an incredibly complex topic ... with all due respect, FANTASTIC job Joe, just great!

Deano
--
Dean Wells
MSEtechnology
* Tel: +1 (954) 501-4307
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, July 12, 2004 9:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

The issue with this is that it opens more attack vectors on the DC. Normally the only vectors you have are:

1. Anyone with physical access
2. Any services that expose remotely exploitable holes.

With 1, you can put compensating controls into place such as locking the DC into a room or locking the cabinet or something like that. However, any person who has physical access (there has to be someone) that isn't a domain/ent admin is still a danger.

With 2, you compensate by not running any services that are not explicitly required for authenticating/authorizing people and keeping the system well patched. However any new remote non-authenticated exploit is still a serious danger.

When you allow users to TS into the machine you now allow any additional vectors that require local desktop for privilege escalation, PLUS, unless you have specially built a load to harden against local users like that, you probably have numerous other security issues in terms of what users can get access to.

I go by the basic tenet that I am not the smartest person in the universe when making decisions around security. In that I mean that even though I may not know of a hole or exploit or how to crack a given system, it doesn't mean someone else doesn't. Basically I can say something is unsafe but I can't with certainty declare something irrefutably safe.

Recall that DCs are KDCs. No one in the business of running KDCs, whether they be on UNIX, Windows, VMS, or other, thinks it is a good idea to let normal users anywhere near them. It is the heart of the security of your network.

On top of that, DCs sometimes have to be rebooted for various replication issues, etc. Normally this is something that is transparent to the user as they don't need a DC all of the time and even if they needed one while the one was down, they would find another and use it. This obviously goes away if you have the users using files on a DC, using printers on a DC, or most definitely have them TSing into a DC.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jennifer Fountain
Sent: Monday, July 12, 2004 5:58 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Domain Controller Question

Gotta strange question for you. Powers that be asked if I would install a backup domain controller on a local terminal server and if I would have a problem with it. They do not see an issue with it. So, basically users would log into a terminal server that is a DC. Can you share your opinion? Also, they said that we can have a domain controller sit there doing nothing just waiting for the primary controller to fail (not in a cluster configuration)? Does anyone know anything about this configuration? Can you share?

Thanks in advance!

Kind Regards,
Jennifer Fountain
RB Inc
3400 E Walnut Street
Colmar, PA 18915

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and the information it contains are confidential and may be privileged. If you have received this e-mail in error please notify the sender immediately and delete the material from any computer. Unless you are the intended recipient, you should not copy this e-mail for any purpose, or disclose its contents to any other person. The MCPS-PRS Alliance is not responsible for the completeness or accuracy of this communication as it has been transmitted over a public network. Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains. It is the recipient's responsibility to scan this e-mail and any attachments for viruses. Any e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for quality control and other purposes. The MCPS-PRS Alliance Limited is a limited company registered in England under company number 03444246 whose registered office is at c/o 29-33 Berners Street, London, W1T 3AB.
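joe's point above is that letting users get a desktop on a DC widens its attack surface. The practical check that follows from it is: who actually holds the "log on locally" and "log on through Terminal Services" rights on each DC? The script below is an added example, not code from this thread or from any of the posters; it exports the local user-rights assignment with secedit.exe (which ships with Windows) and lists every principal holding either right, flagging any that is not in the set of groups the default domain controllers policy normally grants them. The function names, the default-SID list and the sample INF text are this example's own assumptions; the sample is constructed, not output from a real DC.

```powershell
# Added example, not from the thread: lists who holds the interactive and
# Terminal Services / Remote Desktop logon rights on the machine it runs on.
# Run it on a DC to see exactly which principals can get a desktop on the DC.
# ASSUMPTIONS: secedit.exe is present; the sample INF below is constructed.

function ConvertFrom-UserRightsInf {
    # Parse the [Privilege Rights] section of a secedit export into
    # right name -> array of SIDs (secedit writes each SID prefixed with '*').
    param([Parameter(Mandatory = $true)][string]$InfText)
    $rights = @{}
    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(\S+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $sids = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            $rights[$name] = $sids
        }
    }
    return $rights
}

function Resolve-SidName {
    # Translate a SID to DOMAIN\name; keep the raw SID if it cannot be resolved
    # (an orphaned SID sitting in a logon right is itself worth a look).
    param([Parameter(Mandatory = $true)][string]$Sid)
    try {
        return ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Sid
    }
}

# Groups that typically hold these rights on a DC through default policy (well-known SIDs):
# Administrators, Account/Server/Print/Backup Operators, Enterprise Domain Controllers.
# Adjust to your own baseline; anything outside it gets ReviewNeeded = True.
$DefaultDcLogonSids = @('S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-550', 'S-1-5-32-551', 'S-1-5-9')

function Get-DesktopLogonRights {
    # One object per (right, principal). Pass -InfText to analyse a saved export;
    # omit it to export the local machine's policy (needs an elevated prompt).
    param([string]$InfText)
    if (-not $InfText) {
        $tmp = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
        & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $InfText = Get-Content -Path $tmp -Raw -Encoding Unicode   # secedit writes UTF-16
        Remove-Item -Path $tmp -Force
    }
    $rights = ConvertFrom-UserRightsInf -InfText $InfText
    foreach ($right in @('SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight')) {
        foreach ($sid in $rights[$right]) {
            [pscustomobject]@{
                Right        = $right
                Sid          = $sid
                Account      = Resolve-SidName -Sid $sid
                ReviewNeeded = ($DefaultDcLogonSids -notcontains $sid)
            }
        }
    }
}

# Constructed sample export: a DC where Remote Desktop Users (S-1-5-32-555) has been
# granted the Terminal Services logon right, i.e. ordinary users can TS into the DC.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551,*S-1-5-9
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
'@

Get-DesktopLogonRights -InfText $sampleInf | Where-Object ReviewNeeded | Format-Table -AutoSize
# On the sample this flags SeRemoteInteractiveLogonRight held by S-1-5-32-555.
# On a real DC: Get-DesktopLogonRights | Where-Object ReviewNeeded
```

The export step needs an elevated prompt; the parser itself is pure string handling, so a saved INF from any DC can be reviewed offline.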
RE: [ActiveDir] DeForestation
i'm saying it over and over because the thought of migrating a domain into a new forest with free tools by myself is quite possibly making me insane. sorry :)

I assume the migration cookbook is on the MS site and it covers win2k to win2k forest migrations?

Yes, we plan on having a win2k3 root dc at both forests and maintain a trust. i only ask about the sidHistory for user access to the old forest during the migration.

Thank you and i apologize again for my confirmed insanity and more importantly, over posting.

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 13, 2004 9:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DeForestation

Tom, are you saying it over and over again and expecting a different response? I believe there's a definition for that behavior if so ;)

As for the tools, it is possible to do this with the Microsoft tools. The reference for this is the migration cookbook.

> will this work? am i insane?
see above for that question; I think you might have answered that (lol)

> will sid history feature allow my users to still access the shares in the old forest during the migration?
that's a question. Why not test it early and find out? I would suspect that you will have some trust issues but otherwise it's possible (you didn't mention a trust or not; see the documentation for migrations and sIDHistory usage).

> is miis feature pack enough (with mssql and win2k3) to share the GAL?
Yep, it'll do that.

> is subinacl enough to re-acl all the shares and printers in my new forest?
Can't see any reason why not. Not to say in your organization there won't be a few issues. Usually there are a few bumps.

> what issues can i expect? is this doable?
issues? There'll be a few issues that you'll have to work through. Practice makes perfect and there is no other way to really know what the issues will be in your environment specifically until you go through it.

Using sIDHistory is probably not something you want to use long-term (i.e. any longer than you have to) since you won't have control of the central forest.

-al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Tuesday, July 13, 2004 8:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DeForestation

wow, i'm replying to my own posts. now it's official, i'm a loser...
can you guys direct me to a good reference for what i'm asking (not the loser bit)? anything that covers hitches in cross forest coexistence or migration?
thanks again and sorry for beating a dead horse.

-----Original Message-----
From: Kern, Tom
Sent: Friday, July 09, 2004 8:36 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DeForestation

I'm migrating a child domain from one win2k forest to a new one. the source forest is running win2k3 in the root and i have a destination forest with one empty win2k3 dc.
i'm using admt, miis feature pack and exchange migration wizard (both forests will have exchange2k in native mode). i'm also using subinacls to re-acl everything.
all my source dc's in the child domain are win2k though i have some NT member servers. my clients are all win2k pro and winXP. i have one brand new server that is running the win2k3 root in the dest. forest.

will this work? am i insane?
will sid history feature allow my users to still access the shares in the old forest during the migration?
is miis feature pack enough (with mssql and win2k3) to share the GAL?
is subinacl enough to re-acl all the shares and printers in my new forest?
what issues can i expect? is this doable?

I apologize for all the questions but my cio wants to leave our current forest for political reasons in 2 weeks and i'm the only one doing this migration and i thought you guys could help me even see if this is feasible (he doesn't want to spend the money for Aelita or any other third party apps!!??).
the only AD aware or dependent app we have is exchange2k (the root domain is using SAP but i don't know if this will affect it).
i'd just like some input. i know this is a broad and big topic but just any advice or war stories or even "no, don't do this, are you insane!" would be great.
thanks a lot and again, my apologies for throwing such a big diverse topic out there. i know it can't be resolved in a simple forum
RE: [ActiveDir] Active Directory Monitoring Tools
Try Quest or Netpro... I haven't used MOM yet but I think that does it 2 now.

Rob

-----Original Message-----
From: Ellis, Debbie [mailto:[EMAIL PROTECTED]]
Sent: 13 July 2004 14:16
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Active Directory Monitoring Tools

My company is looking to purchase a tool that will monitor Active Directory and send an email when there are critical errors. What are your recommendations?
RE: [ActiveDir] OT: Tape drives
Yep, DLTs are still around (although SuperDLT is prolly the better these days due to the capacity increase), LTO, 9940/9940B, even DAT is still hanging around. It really depends on your requirements and who your tape drive / silo vendor is (IBM will try down the LTO path as you discovered). With the costs of SANs (especially the ATAPI/IDE based ones) dropping so quickly, even this may be an option.

G.

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Doug M. Long
Sent: Tuesday, 13 July 2004 7:52 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Tape drives ?

What is the deal on tape drives now-a-days? Are DLTs no longer something even worth looking at, cause looking on IBM's site, all I see are LTO drives. If LTO is the way to go, is reliability comparable or better than DLT? Guess I have been out of the backup business for too long (uh oh, that's not good)
RE: [ActiveDir] Active Directory Monitoring Tools
Also take a look at the NetIQ tools, particularly App Manager and some of the SAS tools as well as their Security tools.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rachui, Scott
Sent: 13 July 2004 15:28
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Monitoring Tools

Microsoft Operations Manager is very good, especially with the newest version (2005) about to come out. Also, NetPro makes a nice suite of products.
RE: [ActiveDir] Domain Controller Question
Too much information, thanks

mc

-----Original Message-----
From: Rutherford, Robert [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 13, 2004 6:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question
RE: [ActiveDir] VBS Help
Thanks guys, That did the trick.

Cheers.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Tuesday, July 13, 2004 15:11
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VBS Help

George, I think the email addresses need to be quoted, do they not? e.g.

objEmail.From = "[EMAIL PROTECTED]"

mc

From: George Arezina [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 13, 2004 8:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] VBS Help

Hi guys,

I'm trying to create a script that would automatically send me an email message when a service fails on my DC. However, I always get the following error:

Script: E:\vbs scripts\mail.vbs
Line: 3
Char: 23
Error: Invalid character
Code: 800A0408
Source: Microsoft VBScript compilation error

The following is the contents of the script:

set objArgs = Wscript.Arguments
Set objEmail = CreateObject("CDO.Message")
objEmail.From = [EMAIL PROTECTED]
objEmail.To = [EMAIL PROTECTED]
objEmail.Subject = objArgs(0) & " service is down"
objEmail.Textbody = "The service " & objArgs(0) & " has failed."
objEmail.Send
set objArgs = nothing
set objEmail = nothing

Any help would be appreciated very much.

Cheers,
George

Information from Opportunity International Serbia sent by e-mail is provided without guarantee. Concluding legal transactions via this medium is not permitted. This e-mail may contain confidential and/or privileged information. If you have received this e-mail in error, we hereby inform you that any disclosure, copying, distribution or taking of any action in relation to its contents is strictly prohibited and may be unlawful. If you have received this e-mail in error, please notify us immediately by replying to this e-mail and then delete it from your system. The exchange of messages with Opportunity International Serbia via e-mail is not binding. Declarations regarding legal transactions must not be exchanged via this medium. The information contained in this e-mail message is confidential and intended exclusively for the addressee. Persons receiving this e-mail message who are not the named addressee (or his/her co-workers, or persons authorized to take delivery) must not use, forward or reproduce its contents. If you have received this e-mail message by mistake, please contact us immediately and delete this email message beyond retrieval.
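The same notifier George was building, written as a PowerShell script rather than VBScript, as an added example that is not code from this thread or from any of the posters. It is meant to be launched by a service's Recovery "Run a program" action with the service name as its argument, exactly how a script like George's would be wired up; it first checks the service's current state so that a stale alert is not sent when a Restart action has already brought the service back, and every literal is quoted and joined with explicit operators, which is the part the VBScript lacked. The SMTP relay, the addresses, the script path and the function name are placeholders and assumptions of this example.

```powershell
# Added example, not from the thread: mail an alert when a service is found
# stopped. Intended to run from the service's Recovery "Run a program" action.
# ASSUMPTIONS: relay, addresses and the script path below are placeholders.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string]$ServiceName,
    [string]$SmtpServer = 'smtp.example.com',      # placeholder relay
    [string]$From       = 'dc-alerts@example.com',  # placeholder sender
    [string]$To         = 'admins@example.com'      # placeholder recipient
)

function New-ServiceAlert {
    # Look the service up and build the message. Returns $null when the service
    # is already Running again (a Restart action fired first), so nothing is sent.
    param(
        [Parameter(Mandatory = $true)][string]$ServiceName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) { throw "No service named '$ServiceName' on $ComputerName" }
    if ($svc.Status -eq 'Running') { return $null }
    # Strings are quoted and joined explicitly; service name and state are expanded
    # inside the double-quoted literals rather than left bare as in the VBScript.
    [pscustomobject]@{
        Subject = "$ServiceName service is down on $ComputerName"
        Body    = "The service $($svc.DisplayName) ($ServiceName) is in state $($svc.Status) on $ComputerName at $(Get-Date -Format 'u')."
    }
}

$alert = New-ServiceAlert -ServiceName $ServiceName
if ($null -eq $alert) {
    Write-Verbose "$ServiceName is running; nothing to report."
    exit 0
}
Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject $alert.Subject -Body $alert.Body
Write-Verbose "Sent: $($alert.Subject)"

# Recovery action on the failing service (placeholder path), "Run a program":
#   powershell.exe -NoProfile -File C:\Scripts\ServiceAlert.ps1 -ServiceName <name>
```

Run interactively with `-Verbose` to see whether an alert was sent or suppressed; when wired to a Recovery action the script runs as LocalSystem, so the relay has to accept mail from the DC without interactive credentials.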
RE: [ActiveDir] Active Directory Monitoring Tools
Thanks, in fact I just downloaded an eval version of App Manager. We used their migration suite and had great results. Have you used App Manager and are you happy with it?

From: Peter Johnson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 13, 2004 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Monitoring Tools
[ActiveDir] RID Pool Allocation renewal
Hi,

I noticed that in our upgraded forest (W2K3, Forest Functional Level 2003), the domain controllers do not request a new RID pool when they are at 50%. They wait until they are out of RIDs before requesting a new pool. That behavior seems to contradict the Microsoft information as described in this KB article (http://support.microsoft.com/default.aspx?scid=kb;%5bLN%5d;316201).

I don't feel comfortable with this behavior. Also, I am surprised that no entries pop up in the event logs.

Does anybody know if this behavior is standard in a Windows 2003 forest or where I should start looking for the cause of this?

regards
Bart Vermeire
Volvo IT
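Whether a DC asks for its next RID block early or only on exhaustion can be observed directly rather than inferred: each DC's RID Set object carries the pool currently in use (rIDPreviousAllocationPool), the pool it will use next (rIDAllocationPool) and the next RID it will issue (rIDNextRID), with each pool value packing the first RID in its low 32 bits and the last RID in its high 32 bits. The script below, an added example that is not code from this thread, decodes those values into a usage percentage and reports whether a replacement block has already been granted, which is what you would poll to answer Bart's question on a given DC. The function names are this example's own; the sample values are constructed; it assumes rIDNextRID is read as the next RID to be handed out, and the live query needs the ActiveDirectory module with a placeholder DC name.

```powershell
# Added example, not from the thread: decode a DC's RID Set attributes into
# pool bounds, RIDs consumed and whether the next block is already in hand.
# ASSUMPTIONS: rIDNextRID is the next RID to be issued; sample values are
# constructed; Get-DcRidPoolUsage needs the ActiveDirectory module.

function Get-RidPoolUsage {
    param(
        [Parameter(Mandatory = $true)][long]$PreviousAllocationPool, # rIDPreviousAllocationPool: block in use
        [Parameter(Mandatory = $true)][long]$AllocationPool,         # rIDAllocationPool: block to use next
        [Parameter(Mandatory = $true)][long]$NextRid                 # rIDNextRID
    )
    # Each pool value packs two 32-bit numbers: low half = first RID, high half = last RID.
    $mask  = [long]4294967295
    $start = $PreviousAllocationPool -band $mask
    $end   = $PreviousAllocationPool -shr 32
    $size  = $end - $start + 1
    $used  = $NextRid - $start
    [pscustomobject]@{
        PoolStart     = $start
        PoolEnd       = $end
        PoolSize      = $size
        RidsUsed      = $used
        PercentUsed   = [math]::Round(100.0 * $used / $size, 1)
        # The two pool attributes differ once the RID master has granted a fresh block;
        # while they are equal, no replacement pool has been obtained yet.
        NextPoolReady = ($AllocationPool -ne $PreviousAllocationPool)
        NextPoolStart = ($AllocationPool -band $mask)
        NextPoolEnd   = ($AllocationPool -shr 32)
    }
}

function Get-DcRidPoolUsage {
    # Live query: the RID Set object sits directly under the DC's computer object.
    param([Parameter(Mandatory = $true)][string]$DomainController)
    $dc = Get-ADComputer -Identity $DomainController
    $ridSet = Get-ADObject -Identity "CN=RID Set,$($dc.DistinguishedName)" `
        -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID
    Get-RidPoolUsage -PreviousAllocationPool $ridSet.rIDPreviousAllocationPool `
        -AllocationPool $ridSet.rIDAllocationPool -NextRid $ridSet.rIDNextRID
}

# Constructed sample: current block 1600-2099 (a 500-RID block), next block
# 2600-3099 already granted, 250 RIDs issued so far.
$currentPool = ([long]2099 -shl 32) -bor 1600
$nextPool    = ([long]3099 -shl 32) -bor 2600
Get-RidPoolUsage -PreviousAllocationPool $currentPool -AllocationPool $nextPool -NextRid 1850
# Sample reports PoolSize 500, RidsUsed 250, PercentUsed 50, NextPoolReady True.
# Live:  Get-DcRidPoolUsage -DomainController DC1    (DC1 is a placeholder name)
```

Polling PercentUsed and NextPoolReady over time on one DC shows at what point, if any, it obtains its next block before the current one runs dry; a DC that reaches 100% with NextPoolReady still False is the exhaustion case Bart describes.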
RE: [ActiveDir] DeForestation
Ok, I said cookbook. I wasn't thinking of Robbie's book, but that would likely have good information in it as well (sorry Robbie, haven't had a copy to read yet). I was thinking of this:

http://www.microsoft.com/downloads/details.aspx?familyid=e92cf6a0-76f0-4e25-8de0-19544062a6e6&displaylang=en

which has prescriptive documentation in it about migrations. Although it's for NT4 to 2003, almost all of it applies in your case.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Tuesday, July 13, 2004 10:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DeForestation
RE: [ActiveDir] Domain Controller Question
Oh yeah, I am officially scared now...

BTW, look at the end of this message, it looks like your guys' eventsync went a little crazy tacking on the disclaimer there... I counted like 23 occurrences.

"Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains." Such as full mailboxes from this disclaimer. :o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rutherford, Robert
Sent: Tuesday, July 13, 2004 6:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question
RE: [ActiveDir] Domain Controller Question
Aw thanks Dean. Here I thought you didn't love me. :oP You should have seen my first response. It was even more succinct What are you insane! This was followed by ^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^H^HThis issue with this... Man I have a ton of grammer issues in that note. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Monday, July 12, 2004 9:07 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Domain Controller Question Importance: High For those of you that don't always read the more lengthy, complex replies ... read this one, it's simple (and to some, its content may even seem obvious) but, IMHO, it's brilliantly put! Joe's post manages to succinctly address the whys of an incredibly complex topic ... with all due respect, FANTASTIC job Joe, just great! Deano -- Dean Wells MSEtechnology * Tel: +1 (954) 501-4307 * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, July 12, 2004 9:22 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Domain Controller Question This issue with this is at that is opens more attack vectors on the DC. Normally the only vectors you have are 1. Anyone with physical access 2. Any services that expose remotely exploitable holes. With 1, you can put compensating controls into place such as locking the DC into a room or locking the cabinet or something like that. However, any person who has physical access (there has to be someone) that isn't a domain/ent admin is still a danger. With 2, you compensate by not running any services that are not explicitely required for authenticating/authorizing people and keeping the system well patched. However any new remote non-authenticated exploit is still a serious danger. 
When you allow users to TS into the machine you now allow any additional vectors that require local desktop for privilege escalation, PLUS, unless you have specially built a load to harden against local users like that, you probably have numerous other security issues in terms of what users can get access to.

I go by the basic tenet that I am not the smartest person in the universe when making decisions around security. In that I mean that even though I may not know of a hole or exploit or how to crack a given system, it doesn't mean someone else doesn't. Basically I can say something is unsafe but I can't with certainty declare something irrefutably safe.

Recall that DCs are KDCs. No one in the business of running KDCs, whether they be on UNIX, Windows, VMS, or other, thinks it is a good idea to let normal users anywhere near them. It is the heart of the security of your network.

On top of that, DCs sometimes have to be rebooted for various replication issues, etc. Normally this is something that is transparent to the user as they don't need a DC all of the time and even if they needed one while the one was down, they would find another and use it. This obviously goes away if you have the users using files on a DC, using printers on a DC, or most definitely have them TSing into a DC.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Monday, July 12, 2004 5:58 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Domain Controller Question

Gotta strange question for you. Powers that be asked if I would install a backup domain controller on a local terminal server and if I would have a problem with it. They do not see an issue with it. So, basically users would log into a terminal server that is a DC. Can you share your opinion?

Also, they said that we can have a domain controller sit there doing nothing, just waiting for the primary controller to fail (not in a cluster configuration)?
Does anyone know anything about this configuration? Can you share?

Thanks in advance!

Kind Regards,
Jennifer Fountain
RB Inc
3400 E Walnut Street
Colmar, PA 18915
RE: [ActiveDir] outlook / gc client discovery
Al has posted a ton of good info. A couple of points to add.

Another thing to be concerned about with having the client find its own GC is that in some orgs, the GCs that the Exchange servers are likely to hit tend to be very well maintained (heck, Exchange is using them, you are in for deep doo doo if you don't...), more so even than regular DC/GCs. Also you may hit a GC that is out in the boonies that doesn't get replicated to as often as one in the datacenter site with the Exchange Servers. I know that to all good Admins, every DC/GC is equal to the next, however those that have dealt with Exchange will often start to look at the Exchange GCs as more equal, right along with the PDC. You tend to have the monitors a little more hair-trigger'ish with the Exchange GCs as most DCs can fail and have no serious impact on the environment; an Exchange GC blows and you end up in front of managers to start trying to explain how DC failover is supposed to work and why they couldn't get their mail and why 50, 500, 5000, 50,000 people chewed them out and etc etc etc.

On the second aspect of this, doing the 5.5 architecture. I would take it even further than what Al is indicating. I would say that the 5.5 architecture is when you spin up a separate single domain forest specifically for Exchange. If you have a decent sized environment, I think you should right off think about setting up Exchange in a dedicated site; that way you can handle better what I specify in the paragraph above concerning GC equality without having to hard code the GCs on the Exchange servers - hardcoding is always a pain to work with as someone will forget. If you have a decent sized environment with multiple domains with mail users then the separate single domain forest becomes more and more interesting as a solution. If you are concerned about security and separation of duties between AD Service Admins and Exchange Service Admins, a separate single domain forest is your only feasible solution.
joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, July 12, 2004 4:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] outlook / gc client discovery

Not quite. Closest GC is a way to tell the LookOut client to use its own closest GC vs. asking the Exchange server for that information. The danger here of course, is that you *can* get a GC from a domain that has no Exchange information (not domain prepped) and then cause failure. They may have changed that behavior to be similar to the DSAccess process that builds a list of GCs for use based on the criteria, but I haven't looked lately to check. AFAIK, it just uses the Active Directory information and wkstn information to conclude what the closest GC is and uses that.

So in the end, you are reading the kb correctly as to when to use this reg key; you want to use it when you want to prevent WAN traffic for GAL lookups etc. That leads to the other concept, which is to create the 5.5 topology/architecture from 2003 parts, the thinking being that if you cross the wire for mail data, it's not that much more data to get for GAL lookups and you can probably better use the hardware for Exchange Server-specific lookups (Exchange heavily relies on a GC for operations). There's some sound logic in there.

Local GCs *may* be discovered. If you only have ten GCs in the whole domain, then those are the ten that will be in the list, right? Keep in mind I know nothing of your environment. :) But if you have ten that are local in respect to Exchange, then those would *likely* be the ones handed to the client on startup vs. the ones local to the Outlook client location without any client registry modifications. Again, that's because MAPI knows nothing of Active Directory or sites etc. It knows about a server with a directory and referrals and that's about it.
So what happens in normal operation is that the client starts, asks the Exchange server for the directory information and receives a referral to the GC that Exchange hands out on a round-robin basis based on the list populated by DSAccess or manually by the administrator.

When I say recreate the 5.5 architecture and topology, I'm saying that you can create Exchange servers with their own dedicated site and dedicated GCs that you hard code in the list, if not 10 of them. That way, when a client starts, it asks for the directory service it needs to use and it's given a GC local to the centralized Exchange server where its mail is also located. Remember that directory lookups are typically small compared to the data transfer of the messages, so this is not seen as a big hit for most companies that deploy a centralized Exchange topology (strangely, this is exactly the selling mantra of the Exchange product line; but I digress..). The added advantage is that if you deploy a few dedicated Exchange GCs, then you also have GCs that can service the Exchange boxes and don't have
RE: [ActiveDir] Domain Controller Question
;o) Our mail filtering product blew up and they had no resilience built in.. The support guys have been playing about all day and I 'think' it's OK now.

Cheers Joe.

R

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: 13 July 2004 15:51
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

Oh yeah, I am officially scared now...

BTW, look at the end of this message, it looks like your guys' eventsync went a little crazy tacking on the disclaimer there... I counted like 23 occurrences.

Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains. Such as full mailboxes from this disclaimer. :o)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, July 13, 2004 6:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

As always and pitched at the perfect level. Many hours/days of sweat and tears have been saved thanks to everyone's input on here. Hey, I love you guys :O)

'He Says', grinning inanely, while readjusting his Joeware thong and stroking the picture of Dean sat beside his monitor.

-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: 13 July 2004 02:07
To: Send - AD mailing list
Subject: RE: [ActiveDir] Domain Controller Question
Importance: High

For those of you that don't always read the more lengthy, complex replies ... read this one, it's simple (and to some, its content may even seem obvious) but, IMHO, it's brilliantly put! Joe's post manages to succinctly address the whys of an incredibly complex topic ... with all due respect, FANTASTIC job Joe, just great!
Deano
--
Dean Wells
MSEtechnology
* Tel: +1 (954) 501-4307
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 12, 2004 9:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

The issue with this is that it opens more attack vectors on the DC. Normally the only vectors you have are:

1. Anyone with physical access
2. Any services that expose remotely exploitable holes.

With 1, you can put compensating controls into place such as locking the DC into a room or locking the cabinet or something like that. However, any person who has physical access (there has to be someone) that isn't a domain/ent admin is still a danger.

With 2, you compensate by not running any services that are not explicitly required for authenticating/authorizing people and keeping the system well patched. However any new remote non-authenticated exploit is still a serious danger.

When you allow users to TS into the machine you now allow any additional vectors that require local desktop for privilege escalation, PLUS, unless you have specially built a load to harden against local users like that, you probably have numerous other security issues in terms of what users can get access to.

I go by the basic tenet that I am not the smartest person in the universe when making decisions around security. In that I mean that even though I may not know of a hole or exploit or how to crack a given system, it doesn't mean someone else doesn't. Basically I can say something is unsafe but I can't with certainty declare something irrefutably safe.

Recall that DCs are KDCs. No one in the business of running KDCs, whether they be on UNIX, Windows, VMS, or other, thinks it is a good idea to let normal users anywhere near them. It is the heart of the security of your network.

On top of that, DCs sometimes have to be rebooted for various replication issues, etc.
Normally this is something that is transparent to the user as they don't need a DC all of the time and even if they needed one while the one was down, they would find another and use it. This obviously goes away if you have the users using files on a DC, using printers on a DC, or most definitely have them TSing into a DC.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Monday, July 12, 2004 5:58 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Domain Controller Question

Gotta strange question for you. Powers that be asked if I would install a backup domain controller on a local terminal server and if I would have a problem with it. They do not see an issue with it. So, basically users would log into a terminal server that is a DC. Can you share your opinion?

Also, they said that we can have a domain controller sit there doing nothing, just waiting for the primary controller to fail (not in a cluster configuration)? Does anyone know anything about this configuration? Can you share?

Thanks in advance!

Kind Regards,
Jennifer Fountain
RB Inc
3400 E Walnut Street
Colmar,
RE: [ActiveDir] VBS Help
And note that depending on the service, this email may not actually get anywhere... When monitoring a system you should try to depend on delivery of failure messages through a mechanism that doesn't depend on the system being monitored...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Tuesday, July 13, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VBS Help

Thanks guys, that did the trick.

Cheers.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, July 13, 2004 15:11
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VBS Help

George, I think the email addresses need to be quoted, do they not? e.g.

objEmail.From = "[EMAIL PROTECTED]"

mc

From: George Arezina [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 13, 2004 8:53 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] VBS Help

Hi guys,

I'm trying to create a script that would automatically send me an email message when a service fails on my DC. However, I always get the following error:

Script: E:\vbs scripts\mail.vbs
Line: 3
Char: 23
Error: Invalid character
Code: 800A0408
Source: Microsoft VBScript compilation error

The following is the contents of the script (the unquoted addresses on lines 3 and 4 are what the compiler rejects):

set objArgs = Wscript.Arguments
Set objEmail = CreateObject("CDO.Message")
objEmail.From = [EMAIL PROTECTED]
objEmail.To = [EMAIL PROTECTED]
objEmail.Subject = objArgs(0) & " service is down"
objEmail.Textbody = "The service " & objArgs(0) & " has failed."
objEmail.Send
set objArgs = nothing
set objEmail = nothing

Any help would be appreciated very much.

Cheers,
George

The exchange of messages with Opportunity International Serbia via e-mail is not binding. Declarations regarding legal transactions must not be exchanged via this medium. The information contained in this e-mail message is confidential and intended exclusively for the addressee. Persons receiving this e-mail message who are not the named addressee (or his/her co-workers, or persons authorized to take delivery) must not use, forward or reproduce its contents. If you have received this e-mail message by mistake, please contact us immediately and delete this email message beyond retrieval.
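A corrected version of the script from this thread, written here as an added example (it is not George's script or anything from the list): the addresses are quoted string literals, the pieces are joined with "&", and the message is handed to a separate SMTP relay through CDO's configuration fields so that delivery does not depend on a mail service running on the DC being monitored, which is the point joe raises above. The relay name and both addresses are placeholders, not values from the thread.

```vbscript
' Added example: alert script for a failed service on a DC.
' Usage: cscript mail.vbs <ServiceName>
Option Explicit

Const cdoSendUsingPort = 2                   ' hand the message to a network SMTP host
Const RELAY_HOST = "smtp.example.internal"   ' placeholder: an SMTP relay that is NOT the monitored DC
Const RELAY_PORT = 25
Const ALERT_FROM = "dc-monitor@example.com"  ' placeholder address
Const ALERT_TO   = "admins@example.com"      ' placeholder address

Dim objArgs, objEmail, strService, strHost

Set objArgs = WScript.Arguments
If objArgs.Count < 1 Then
    WScript.Echo "Usage: cscript mail.vbs <ServiceName>"
    WScript.Quit 1
End If
strService = objArgs(0)
strHost = CreateObject("WScript.Network").ComputerName

Set objEmail = CreateObject("CDO.Message")

' Route through the relay instead of the local pickup directory / local SMTP service.
With objEmail.Configuration.Fields
    .Item("http://schemas.microsoft.com/cdo/configuration/sendusing") = cdoSendUsingPort
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = RELAY_HOST
    .Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = RELAY_PORT
    .Update
End With

' Quoted literals: an unquoted address is what produced "Invalid character" on line 3.
objEmail.From = ALERT_FROM
objEmail.To = ALERT_TO
objEmail.Subject = strService & " service is down on " & strHost
objEmail.TextBody = "The service " & strService & " has failed on " & strHost & "."

On Error Resume Next
objEmail.Send
If Err.Number <> 0 Then
    ' The mail path itself may be what is broken, so also record the failure locally
    ' (event type 1 = error) where a separate monitor can pick it up.
    CreateObject("WScript.Shell").LogEvent 1, _
        "Could not send alert for service " & strService & ": " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

Set objEmail = Nothing
Set objArgs = Nothing
```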
RE: [ActiveDir] Another new joeware tool - GCChk
Agreed on the tuple part. Too bad the AD or the Engine wasn't better at that insertion. If you aren't guaranteeing uniqueness then the user shouldn't really feel that impact.

On the CNF part, I am a little confused by what you write.

This statement comes with the assumption that all CNFs are consistently found on all dsas throughout the forest as, if this is not true, looking at one DSA's CNFs does not mean you know the CNFs found on another DSA.

It sounds like you start to say the CNFs aren't consistent, then are, then aren't. It has been my experience that the CNF objects replicate just like normal objects around the rest of the domain (and GCs). This would be correct behavior actually since they are simply an object; it doesn't matter who created the object, be it the system or a person.

I agree that an additional attribute to flag these would be nice as Robbie indicated. Especially since these aren't ever something good and most likely not expected. The fact that these are handled poorly by most MS apps including ldifde helps point out, I think, that they are special and pretty much unexpected. MS sort of fixed this in K3 by fixing the output of distinguishedName to return \0A instead of \n but they missed cn and name.

So anyway, doing a search on one dsa for all CNF: objects should catch all of them within the normal rules of loose consistency. Are you saying that this may not be true?

If you bump the timeout value in adfind with -t, timeout shouldn't be an issue as I set that on the page retrieval as well as the search init call. If you have a large directory with very few CNFs you could make the search page 1 record in length for return and still have an issue without modifying timeout values.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, July 12, 2004 10:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Another new joeware tool - GCChk

Hmm I can't think of a single way that is more efficient to get that info...
Worse yet that is a medial search and I'm betting no one has set their cn index to be a tuple index.

Whether this is of interest or not would be related to the # of times the search is run. The more often you plan on doing said search, the easier this is to justify. It should be noted, however, that tuple indexes are one of the most expensive types in AD. A string of length N would yield N-2 index entries where N=3..

3. Have some sort of syncing tool that just watched for those objects and when it found them, synced them to another directory and you could just pull them out of there.

This statement comes with the assumption that all CNFs are consistently found on all dsas throughout the forest as, if this is not true, looking at one DSA's CNFs does not mean you know the CNFs found on another DSA. I think time has told us that this is an unfair assumption. (think lingering objects)

If you did want to do this, however, I think this is a good ADAM usage scenario. Use the new AD syncher tool up on www.microsoft.com/adam (currently beta) and do it against ADAM. Light weight, and zero incremental cost on top of the server it sits on. You can also medial substring index it up in ADAM and eat the perf there, probably not a big deal given usage of this dsa.

For the timeout problem, have you tried to use a paged search, and just keep requesting the next page as you get the one before it (despite amt of time the page took to deliver)? Does that help the timeout problem at all?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 12, 2004 8:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Another new joeware tool - GCChk

Hmm I can't think of a single way that is more efficient to get that info... Worse yet that is a medial search and I'm betting no one has set their cn index to be a tuple index. The only things I can think of are:

1. Use a standard LDAP query and crank the timeout value through the roof (-t option in adfind).

2. Have a program that keeps track of USNs when it does its searches so that it can have the last USN that was in place when it did its last search. That would dramatically limit the number of objects. However if you pointed at a new DC or had to rebuild the DC or the first time you ran it, it would have to start at the beginning anyway.

3. Have some sort of syncing tool that just watched for those objects and when it found them, synced them to another directory and you could just pull them out of there.

Kind of would be interesting to have a "bad" things service that watched for "bad" things in the directory and would flag them out when it found them. These objects would be good things to flag; what else could be flagged? Objects w/o GUIDs? What else?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
Sent: Sunday, July 11, 2004 9:56 PM
To: [EMAIL
RE: [ActiveDir] outlook / gc client discovery
hardcoding is always a pain to work with as someone will forget

That's what scripting is for, Joe ;0)

For me, I hate the amount of complexity required to get the solution usable in a dedicated forest scenario. If SQL were licensed with MIIS FP, then I wouldn't have so much heartache about it outside of the additional skill set required to make this reliable. I think it's the licensing that turns me off the solution more than anything.

-ajm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 13, 2004 11:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

Al has posted a ton of good info. A couple of points to add.

Another thing to be concerned about with having the client find its own GC is that in some orgs, the GCs that the Exchange servers are likely to hit tend to be very well maintained (heck, Exchange is using them, you are in for deep doo doo if you don't...), more so even than regular DC/GCs. Also you may hit a GC that is out in the boonies that doesn't get replicated to as often as one in the datacenter site with the Exchange Servers. I know that to all good Admins, every DC/GC is equal to the next, however those that have dealt with Exchange will often start to look at the Exchange GCs as more equal, right along with the PDC. You tend to have the monitors a little more hair-trigger'ish with the Exchange GCs as most DCs can fail and have no serious impact on the environment; an Exchange GC blows and you end up in front of managers to start trying to explain how DC failover is supposed to work and why they couldn't get their mail and why 50, 500, 5000, 50,000 people chewed them out and etc etc etc.

On the second aspect of this, doing the 5.5 architecture. I would take it even further than what Al is indicating. I would say that the 5.5 architecture is when you spin up a separate single domain forest specifically for Exchange.
If you have a decent sized environment, I think you should right off think about setting up Exchange in a dedicated site; that way you can handle better what I specify in the paragraph above concerning GC equality without having to hard code the GCs on the Exchange servers - hardcoding is always a pain to work with as someone will forget. If you have a decent sized environment with multiple domains with mail users then the separate single domain forest becomes more and more interesting as a solution. If you are concerned about security and separation of duties between AD Service Admins and Exchange Service Admins, a separate single domain forest is your only feasible solution.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, July 12, 2004 4:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] outlook / gc client discovery

Not quite. Closest GC is a way to tell the LookOut client to use its own closest GC vs. asking the Exchange server for that information. The danger here of course, is that you *can* get a GC from a domain that has no Exchange information (not domain prepped) and then cause failure. They may have changed that behavior to be similar to the DSAccess process that builds a list of GCs for use based on the criteria, but I haven't looked lately to check. AFAIK, it just uses the Active Directory information and wkstn information to conclude what the closest GC is and uses that.

So in the end, you are reading the kb correctly as to when to use this reg key; you want to use it when you want to prevent WAN traffic for GAL lookups etc. That leads to the other concept, which is to create the 5.5 topology/architecture from 2003 parts, the thinking being that if you cross the wire for mail data, it's not that much more data to get for GAL lookups and you can probably better use the hardware for Exchange Server-specific lookups (Exchange heavily relies on a GC for operations).
There's some sound logic in there.

Local GCs *may* be discovered. If you only have ten GCs in the whole domain, then those are the ten that will be in the list, right? Keep in mind I know nothing of your environment. :) But if you have ten that are local in respect to Exchange, then those would *likely* be the ones handed to the client on startup vs. the ones local to the Outlook client location without any client registry modifications. Again, that's because MAPI knows nothing of Active Directory or sites etc. It knows about a server with a directory and referrals and that's about it.

So what happens in normal operation is that the client starts, asks the Exchange server for the directory information and receives a referral to the GC that Exchange hands out on a round-robin basis based on the list populated by DSAccess or manually by the administrator.

When I say recreate the 5.5 architecture and topology, I'm saying that you can create Exchange servers with their own dedicated site and dedicated GCs
RE: [ActiveDir] Another new joeware tool - GCChk
Are you saying that this may not be true?

I am saying it may not be true if there are other, not understood issues. For example, assume you have a lingering object on GC1 but not GC2. Then when each gets an update from DC1 (who, say, has a writeable copy of the NC) you have a CNF on one DC and not the other. So they should be uniform in the face of a perfectly healthy environment. But that's not always the case is all I'm saying.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 13, 2004 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Another new joeware tool - GCChk

Agreed on the tuple part. Too bad the AD or the Engine wasn't better at that insertion. If you aren't guaranteeing uniqueness then the user shouldn't really feel that impact.

On the CNF part, I am a little confused by what you write.

This statement comes with the assumption that all CNFs are consistently found on all dsas throughout the forest as, if this is not true, looking at one DSA's CNFs does not mean you know the CNFs found on another DSA.

It sounds like you start to say the CNFs aren't consistent, then are, then aren't. It has been my experience that the CNF objects replicate just like normal objects around the rest of the domain (and GCs). This would be correct behavior actually since they are simply an object; it doesn't matter who created the object, be it the system or a person.

I agree that an additional attribute to flag these would be nice as Robbie indicated. Especially since these aren't ever something good and most likely not expected. The fact that these are handled poorly by most MS apps including ldifde helps point out, I think, that they are special and pretty much unexpected. MS sort of fixed this in K3 by fixing the output of distinguishedName to return \0A instead of \n but they missed cn and name.

So anyway, doing a search on one dsa for all CNF: objects should catch all of them within the normal rules of loose consistency.
Are you saying that this may not be true?

If you bump the timeout value in adfind with -t, timeout shouldn't be an issue as I set that on the page retrieval as well as the search init call. If you have a large directory with very few CNFs you could make the search page 1 record in length for return and still have an issue without modifying timeout values.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, July 12, 2004 10:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Another new joeware tool - GCChk

Hmm I can't think of a single way that is more efficient to get that info... Worse yet that is a medial search and I'm betting no one has set their cn index to be a tuple index.

Whether this is of interest or not would be related to the # of times the search is run. The more often you plan on doing said search, the easier this is to justify. It should be noted, however, that tuple indexes are one of the most expensive types in AD. A string of length N would yield N-2 index entries where N=3..

3. Have some sort of syncing tool that just watched for those objects and when it found them, synced them to another directory and you could just pull them out of there.

This statement comes with the assumption that all CNFs are consistently found on all dsas throughout the forest as, if this is not true, looking at one DSA's CNFs does not mean you know the CNFs found on another DSA. I think time has told us that this is an unfair assumption. (think lingering objects)

If you did want to do this, however, I think this is a good ADAM usage scenario. Use the new AD syncher tool up on www.microsoft.com/adam (currently beta) and do it against ADAM. Light weight, and zero incremental cost on top of the server it sits on. You can also medial substring index it up in ADAM and eat the perf there, probably not a big deal given usage of this dsa.
For the timeout problem, have you tried to use a paged search, and just keep requesting the next page as you get the one before it (despite amt of time the page took to deliver)? Does that help the timeout problem at all?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 12, 2004 8:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Another new joeware tool - GCChk

Hmm I can't think of a single way that is more efficient to get that info... Worse yet that is a medial search and I'm betting no one has set their cn index to be a tuple index. The only things I can think of are:

1. Use a standard LDAP query and crank the timeout value through the roof (-t option in adfind).

2. Have a program that keeps track of USNs when it does its searches so that it can have the last USN that was in place when it did its last search. That would dramatically limit the number of objects. However if you pointed at a new DC or had to rebuild the DC or the first time
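Option 2 from joe's list (a USN watermark so each run only asks for conflict objects changed since the last run), together with Eric's lingering-object caveat, worked through as an added example that is not GCChk or any other joeware code. The directory here is a constructed in-memory stand-in; against a real DC you would bind over LDAP, read highestCommittedUSN from RootDSE, and send the filter that build_filter() returns. The invocationId values, DNs and USNs are all made up.

```python
"""Added example: incremental CNF-object search with a per-DSA uSNChanged watermark,
plus a cross-DSA comparison for the case where two DCs disagree about conflicts."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# The RDN of a conflict object is "<name>\nCNF:<objectGUID>". Inside an LDAP filter the
# newline is escaped as \0a (RFC 4515), which makes this a medial substring match on cn.
CNF_FILTER = r"(cn=*\0aCNF:*)"


def is_conflict(cn: str) -> bool:
    return "\nCNF:" in cn


def build_filter(last_usn: int) -> str:
    """Filter for CNF objects changed after the stored watermark; 0 means a full search."""
    if last_usn <= 0:
        return CNF_FILTER
    return f"(&{CNF_FILTER}(uSNChanged>={last_usn + 1}))"


@dataclass(frozen=True)
class Entry:
    dn: str
    cn: str
    usn_changed: int


class FakeDSA:
    """Constructed stand-in for one directory server; not a real DC."""

    def __init__(self, invocation_id: str, entries: List[Entry]):
        # On a real DC this is the invocationId of its nTDSDSA object (RootDSE dsServiceName).
        self.invocation_id = invocation_id
        self.entries: Dict[str, Entry] = {e.dn: e for e in entries}

    def highest_committed_usn(self) -> int:
        # Stands in for RootDSE highestCommittedUSN.
        return max((e.usn_changed for e in self.entries.values()), default=0)

    def search(self, min_usn: int) -> List[Entry]:
        # Same semantics as build_filter(min_usn - 1): CNF objects with uSNChanged >= min_usn.
        return sorted((e for e in self.entries.values()
                       if is_conflict(e.cn) and e.usn_changed >= min_usn),
                      key=lambda e: e.usn_changed)


def find_new_conflicts(dsa: FakeDSA, watermarks: Dict[str, int]) -> Tuple[str, List[Entry]]:
    """One pass: returns (filter used, CNF objects found) and advances the watermark.
    Watermarks are keyed by invocationId because a USN from one DC means nothing on
    another; a new or rebuilt DC therefore always starts with a full search."""
    last = watermarks.get(dsa.invocation_id, 0)
    # Read the USN ceiling BEFORE searching so that objects committed while the search
    # runs are returned again next time rather than silently skipped.
    ceiling = dsa.highest_committed_usn()
    flt = build_filter(last)
    hits = dsa.search(last + 1)
    watermarks[dsa.invocation_id] = ceiling
    return flt, hits


def conflicts_not_on_both(a: FakeDSA, b: FakeDSA) -> Set[str]:
    """DNs of CNF objects held by only one of two DSAs. Empty under healthy replication;
    a lingering object on one side can make it non-empty, which is why one DSA's CNF
    list does not prove what another DSA holds."""
    on_a = {dn for dn, e in a.entries.items() if is_conflict(e.cn)}
    on_b = {dn for dn, e in b.entries.items() if is_conflict(e.cn)}
    return on_a ^ on_b


def demo() -> Tuple[List[str], List[str], Set[str]]:
    base = "DC=example,DC=test"   # constructed naming context
    dc1 = FakeDSA("inv-dc1", [
        Entry(f"CN=Jane Doe,OU=Users,{base}", "Jane Doe", 100),
        Entry(f"CN=Jane Doe\\0ACNF:guid-a,OU=Users,{base}", "Jane Doe\nCNF:guid-a", 150),
    ])
    marks: Dict[str, int] = {}
    first_flt, first = find_new_conflicts(dc1, marks)      # full search, finds guid-a
    # A later conflict lands with a higher USN; the next pass asks only for USN > 150.
    dn_c = f"CN=Printers\\0ACNF:guid-c,{base}"
    dc1.entries[dn_c] = Entry(dn_c, "Printers\nCNF:guid-c", 200)
    second_flt, second = find_new_conflicts(dc1, marks)    # incremental, finds guid-c only
    # dc2 holds one extra conflict that never reached dc1 (the lingering-object case).
    dc2 = FakeDSA("inv-dc2", list(dc1.entries.values()) + [
        Entry(f"CN=Printer7\\0ACNF:guid-b,{base}", "Printer7\nCNF:guid-b", 300)])
    return ([first_flt] + [e.dn for e in first],
            [second_flt] + [e.dn for e in second],
            conflicts_not_on_both(dc1, dc2))


if __name__ == "__main__":
    for part in demo():
        print(part)
```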
RE: [ActiveDir] 2003 DC Promo Question....
Excuses excuses... I came by a couple of weeks after Todd's post!

Your scenario is a cool one, would have been cooler if MS allowed a way to just back up the DIT or allowed a scripted removal of the DIT from the systemstate. Good idea that was partially implemented. I think this goes to MS's methods of testing and dev on small environments. Many of us just sat there and said... Ok, why not this one extra step so that this could be completely automated?

The plan I was last involved in had us taking system states in the data center, stripping out the database, zipping it, then copying it down to a 2K3 at the site that had been a remote hands-off restage of the 2K (no hands from local site required). The database compressed nicely to, I want to say, like a quarter of its size or so.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 12, 2004 6:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2003 DC Promo Question

I was truly surprised myself to have missed Todd's original question - I just noticed it when you started answering it. Been too busy lately to go through all of the Active Dir posts - this awesome list has become very active. And besides that, I know you don't have kids and thus have so much spare time on your hands for answering every single question out there ;-)

Ok - now that I know that you seem to be drinking while typing some of the answers, I'll have to do more quality checking again ;-))

Back to the topic: another quick note on inplace-upgrading 2000 - 2003 DCs or other machines: this is a VERY different experience than going from NT4 to 2000. Since the file-structure between 2000/2003 basically stayed the same (other than the name of the OS directory, which changed from WinNT to Windows), you won't really notice a negative impact on a machine which was inplace-upgraded versus one which was installed from scratch.
I've also always had a gut-feeling to prefer new-installs over an inplace-upgrade (definitely for NT4 to 2000), and likely people would still feel better when re-installing a 2003 OS instead of in-place upgrading... But especially for DCs, the two scenarios can well be combined, as we did at HP:
- we first in-place upgraded all 2000 DCs to 2003 to move to 2003 forest functional level as quick as possible
- then with more time to spare, we backed-up the systemstate of the 2003 DCs locally, DC-Promoed them down, and re-installed them with 2003 from scratch
- at last re-promoted them to DCs using the IFM (install from media) option with the previously backed up systemstate
= this got us to 2003 very easily and had least impact on the WAN during the re-installation

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Samstag, 10. Juli 2004 00:06
To: 'joe'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2003 DC Promo Question

And BTW, where were all you smart guys earlier when Todd was in need of an answer and you could have responded before I made myself look like a boob. Oh yeah, good to see you posting again Guido. Oh and Dean, you have been quiet lately too, but good to see you are still watching for my dumb-a** posts so you can thump me right proper. :o)

joe

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, July 09, 2004 6:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] 2003 DC Promo Question

Yeah, I looked around, I can't find where I might have read that and it was a long time ago. I found a doc that I could have interpreted that way had I been out drinking with Guido and Dean, but not sober. So either I was drunk or the doc disappeared, though I swear I had heard this separately as well as I recall being, WTF! But then wasn't too worried as I do not do OS upgrades unless it is absolutely unavoidable which is almost never (NT4 to 2K was an exception, at least for the PDC...)
Todd, I am curious what you saw now as I had it in my mind it was a possibility. Now it seems it isn't so what happened?

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, July 09, 2004 5:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2003 DC Promo Question

I can confirm that you have to transfer the role manually - 2003 won't try to do this by itself.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Freitag, 9. Juli 2004 16:32
To: Send - AD mailing list
Subject: RE: [ActiveDir] 2003 DC Promo Question

Hmmm ... re: If you do an OS Upgrade from 2K to K3 on a Domain Controller I believe it will pull the PDC functionality to it; nothing I've witnessed would seem to back that up. In the event I'm just a bad witness or someone with the retention of a Gold Fish and they do indeed do that, it's just plain wrong, wrong, wrong. PDC physical
RE: [ActiveDir] Domain Controller Question
LOL. This sentence The support guys have been playing about all day and I 'think' it's OK now. makes me think of the support guys going to play pinball or something and that one guy in the corner who doesn't talk to anyone goes and fixes the problem. :o)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, July 13, 2004 11:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

;o) Our mail filtering product blew up and they had no resilience built in.. The support guys have been playing about all day and I 'think' it's OK now. Cheers Joe. R

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: 13 July 2004 15:51
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

Oh yeah, I am officially scared now... BTW, look at the end of this message, it looks like your guys' eventsync went a little crazy tacking on the disclaimer there... I counted like 23 occurrences. Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains. Such as full mailboxes from this disclaimer. :o)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, July 13, 2004 6:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

As always and pitched at the perfect level Many hours/days of sweat and tears have been saved thanks to everyone's input on here. Hey, I love you guys :O) 'He Says', grinning inanely, while readjusting his Joeware thong and stroking the picture of Dean sat beside his monitor.

-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: 13 July 2004 02:07
To: Send - AD mailing list
Subject: RE: [ActiveDir] Domain Controller Question
Importance: High

For those of you that don't always read the more lengthy, complex replies ...
read this one, it's simple (and to some, its content may even seem obvious) but, IMHO, it's brilliantly put! Joe's post manages to succinctly address the whys of an incredibly complex topic ... with all due respect, FANTASTIC job Joe, just great!

Deano
--
Dean Wells
MSEtechnology * Tel: +1 (954) 501-4307 * Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 12, 2004 9:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

The issue with this is that it opens more attack vectors on the DC. Normally the only vectors you have are
1. Anyone with physical access
2. Any services that expose remotely exploitable holes.
With 1, you can put compensating controls into place such as locking the DC into a room or locking the cabinet or something like that. However, any person who has physical access (there has to be someone) that isn't a domain/ent admin is still a danger. With 2, you compensate by not running any services that are not explicitly required for authenticating/authorizing people and keeping the system well patched. However any new remote non-authenticated exploit is still a serious danger. When you allow users to TS into the machine you now allow any additional vectors that require local desktop for privilege escalation, PLUS, unless you have specially built a load to harden against local users like that you probably have numerous other security issues in terms of what users can get access to. I go by the basic tenet that I am not the smartest person in the universe when making decisions around security. In that I mean that even though I may not know of a hole or exploit or how to crack a given system, it doesn't mean someone else doesn't. Basically I can say something is unsafe but I can't with certainty declare something irrefutably safe. Recall that DCs are KDCs.
No one in the business of running KDCs whether they be on UNIX, Windows, VMS, or other think it is a good idea to let normal users anywhere near them. It is the heart of the security of your network. On top of that, DCs sometimes have to be rebooted for various replication issues, etc. Normally this is something that is transparent to the user as they don't need a DC all of the time and even if they needed one while the one was down, they would find another and use it. This obviously goes away if you have the users using files on a DC, using printers on a DC, or most definitely have them TSing into a DC.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Monday, July 12, 2004 5:58 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Domain Controller Question

Gotta strange question for you. Powers to be asked if I would install a backup domain controller on a local terminal server and if I would have
RE: [ActiveDir] Another new joeware tool - GCChk
Noted in my ideas folder Thank.you.very.much.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Allen
Sent: Monday, July 12, 2004 11:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Another new joeware tool - GCChk

Don't even get me started on medial searches, which in my mind was one of the glaring deficiencies with W2K AD compared to the other LDAP-based directories I'm familiar with (e.g., iPlanet/SunOne/Java whatever). With W2K, you might as well not even try them. Horrible performance. In a 50k object domain I've seen medial searches tack on another 10 seconds to the query time (compared to the same query but remove the leading star). Allowing users to configure tuple indexes in W2K3 is fine, but IMO tuple indexing should be the norm for common attributes. Sync'ing objects to another directory for the sole purpose of finding conflict objects sounds like an overcomplicated solution to me. How about if MS just flagged conflict objects as being in conflict via some attribute:-? Telling people to install ADAM and download the AD/ADAM synchronizer is going to sound too much like work to do something as (conceptually) simple as finding conflict objects. Joe, here are the types of objects I consider to be "bad":
- conflict objects
- lingering objects
- objects w/o guids
- objects in the LostAndFound container
- user objects w/dup SIDs
- user objects w/dup UPNs
Then there are a bunch of data maintenance related things I consider "not optimal":
- missing subnet objects (requires parsing the system event log on DCs)
- sites with no subnets (or site links)
- computer objects for Windows 2000 and higher computers that have a password age of 6 months or more
- groups with no members
- GPOs that aren't linked
- etc.
I'm sure there are many others people can think of.
Robbie Allen
http://www.rallenhome.com/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, July 12, 2004 10:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Another new joeware tool - GCChk

Hmm I can't think of a single way that is more efficient to get that info... Worse yet that is a medial search and I'm betting no one has set their cn index to be a tuple index.

Whether this is of interest or not would be related to the # of times the search is run. The more often you plan on doing said search, the easier this is to justify. It should be noted, however, that tuple indexes are one of the most expensive types in AD. A string of length N would yield N-2 index entries where N=3..

3. Have some sort of syncing tool that just watched for those objects and when it found them, synced them to another directory and you could just pull them out of there.

This statement comes with the assumption that all CNFs are consistently found on all dsas throughout the forest as if this is not true, looking at one DSAs CNFs does not mean you know the CNFs found on another DSA. I think time has told us that this is an unfair assumption. (think lingering objects) If you did want to do this, however, I think this is a good ADAM usage scenario. Use the new AD syncher tool up on www.microsoft.com/adam (currently beta) and do it against ADAM. Light weight, and zero incremental cost on top of the server it sits on. You can also medial substring index it up in ADAM and eat the perf there, probably not a big deal given usage of this dsa. For the timeout problem, have you tried to use a paged search, and just keep requesting the next page as you get the one before it (despite amt of time the page took to deliver)? Does that help the timeout problem at all?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 12, 2004 8:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Another new joeware tool - GCChk

Hmm I can't think of a single way that is more efficient to get that info... Worse yet that is a medial search and I'm betting no one has set their cn index to be a tuple index. The only things I can think of are
1. Use a standard LDAP query and crank the timeout value through the roof (-t option in adfind).
2. Have a program that keeps track of USN's when it does its searches so that it can have the last USN that was in place when it did its last search. That would dramatically limit the number of objects. However if you pointed at a new DC or had to rebuild the DC or the first time you ran it it would have to start at the beginning anyway.
3. Have some sort of syncing tool that just watched for those objects and when it found them, synced them to another directory and you could just pull them out of there.
Kind of would be interesting to have a "bad" things service that watched for "bad" things in the
RE: [ActiveDir] 2000 to 2003 Migrations
This sounds like a valid approach but would recommend new installs of 2K3 if you can do it versus upgrades. You could show me hundreds of perfectly fine upgrades but will still prefer a fresh install until MS displays a report at the end of the upgrade that tells me what items are using old OS configurations versus new configurations and what I would have to do to correct them to the new configurations.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, July 13, 2004 8:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] 2000 to 2003 Migrations

unless you really have a badly designed or misbehaving Win2k AD today, there is no reason for you to go through a migration with all the hassles involved (the hassles are worth it for consolidation and other reasons, but not to go from 2000 to 2003). So stick to an inplace upgrade and check out the following KB with more details: http://support.microsoft.com/default.aspx?scid=kb;en-us;325379 You mainly have to be aware of the preparations to take for the mangled attributes during forestprep and the changes in the default security of AD, which could impact some legacy clients.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Dienstag, 13. Juli 2004 00:36
To: [EMAIL PROTECTED]
Subject: [ActiveDir] 2000 to 2003 Migrations

I know MS has some decent whitepapers on migrations, but I was curious if any of you have any real-world feedback on tips or gotchas to be aware of when going from 2000 to 2003. The kind of migration I'm talking about is for a small environment, all Windows 2000, native mode, 8 DC's in 5 sites, maybe 3000 users. Exchange 2003 is also in use. I'm thinking of doing an in-place upgrade as opposed to a migration with ADMT into a new Forest. I know to run adprep /forestprep and /domainprep. I'm loosely aware of the possible mangled(?)
attributes when Exchange is deployed; I'll need to re-read up on that. I haven't decided yet on if I'll perform an OS upgrade of the PDCE to 2003 or try building a new 2003 DC. Most of what I've read/heard about so far is that this type of migration should be pretty straight forward, but I figured I'd ask while still in the early planning stages while I still have time to adjust as necessary. Oh, and if anyone knows of any post 2003 RTM hotfixes that should be applied to the DC's right off the bat, I'd appreciate info on that, too.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Another new joeware tool - GCChk
Ah I see, a lingering object spawning the creation of yet another lingering object. Sounds like another good reason for MS to have a nice easy public method of finding lingering objects or maybe a generic database cleanup/audit tool... :o)

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, July 13, 2004 2:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Another new joeware tool - GCChk

Are you saying that this may not be true?

I am saying it may not be true if there are other, not understood issues. For example, assume you have a lingering object on GC1 but not GC2. Then when each gets an update from DC1 (who say has a writeable copy of the NC) you have a CNF on one DC and not the other. So they should be uniform in the face of a perfectly healthy environment. But that's not always the case is all I'm saying.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 13, 2004 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Another new joeware tool - GCChk

Agreed on the tuple part. Too bad the AD or the Engine wasn't better at that insertion. If you aren't guaranteeing uniqueness then the user shouldn't really feel that impact. On the CNF part, I am a little confused by what you write. This statement comes with the assumption that all CNFs are consistently found on all dsas throughout the forest as if this is not true, looking at one DSAs CNFs does not mean you know the CNFs found on another DSA. It sounds like you start to say the CNF's aren't consistent then are then aren't. It has been my experience that the CNF objects replicate just like normal objects around the rest of the domain (and GCs). This would be correct behavior actually since they are simply an object, doesn't matter who created the object, be it the system or a person. I agree that an additional attribute to flag these would be nice as Robbie indicated.
Especially since these aren't ever something good and most likely not expected. The fact that these are handled poorly by most MS apps including ldifde helps point out, I think, that they are special and pretty much unexpected. MS sort of fixed this in K3 by fixing the output of distinguishedName to return \0A instead of \n but they missed cn and name. So anyway, doing a search on one dsa for all CNF: objects should catch all of them within the normal rules of loose consistency. Are you saying that this may not be true? If you bump the timeout value in adfind with -t, timeout shouldn't be an issue as I set that on the page retrieval as well as the search init call. If you have a large directory with very few CNFs you could make the search page of 1 record length for return and still have an issue without modifying timeout values.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, July 12, 2004 10:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Another new joeware tool - GCChk

Hmm I can't think of a single way that is more efficient to get that info... Worse yet that is a medial search and I'm betting no one has set their cn index to be a tuple index.

Whether this is of interest or not would be related to the # of times the search is run. The more often you plan on doing said search, the easier this is to justify. It should be noted, however, that tuple indexes are one of the most expensive types in AD. A string of length N would yield N-2 index entries where N=3..

3. Have some sort of syncing tool that just watched for those objects and when it found them, synced them to another directory and you could just pull them out of there.

This statement comes with the assumption that all CNFs are consistently found on all dsas throughout the forest as if this is not true, looking at one DSAs CNFs does not mean you know the CNFs found on another DSA. I think time has told us that this is an unfair assumption.
(think lingering objects) If you did want to do this, however, I think this is a good ADAM usage scenario. Use the new AD syncher tool up on www.microsoft.com/adam (currently beta) and do it against ADAM. Light weight, and zero incremental cost on top of the server it sits on. You can also medial substring index it up in ADAM and eat the perf there, probably not a big deal given usage of this dsa. For the timeout problem, have you tried to use a paged search, and just keep requesting the next page as you get the one before it (despite amt of time the page took to deliver)? Does that help the timeout problem at all?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 12, 2004 8:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Another new joeware tool - GCChk

Hmm I can't think of a single way that is more efficient to get that info... Worse yet that is a medial search and I'm betting no one has
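An added example (not code from the thread, and not joeware's GCChk) of the check joe and Eric are discussing: scanning ldifde-style output for CNF: objects, handling both the 2003-style distinguishedName with the newline escaped as \0A and the raw newline that cn/name (and older DN output) still carry, then grouping each loser with its surviving twin so ambiguous names such as a doubled "DHCP Users" group show up. All DNs and GUIDs below are constructed placeholders.

```python
"""Find Active Directory naming-conflict (CNF) objects in ldifde-style output.

Added example, not code from the thread or from joeware. A conflict loser's RDN
is "<name><LF>CNF:<objectGUID>". The raw LF survives in cn and name (so LDIF
base64-encodes them with "::"); a 2003-era distinguishedName escapes it as \\0A,
while older output may leave the raw LF in the DN, which LDIF emits as "dn::".
"""
import base64
import re
from collections import defaultdict

# Placeholder GUIDs (constructed, not real objectGUIDs).
GUID_A = "11111111-2222-3333-4444-555555555555"
GUID_B = "66666666-7777-8888-9999-aaaaaaaaaaaa"


def _b64(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


# Constructed sample: a healthy group, its CNF twin (escaped DN, base64 cn/name)
# and a 2000-style record whose DN still holds the raw newline.
SAMPLE_LDIF = "\n".join([
    "dn: CN=DHCP Users,CN=Users,DC=example,DC=com",
    "cn: DHCP Users",
    "name: DHCP Users",
    "objectClass: group",
    "",
    "dn: CN=DHCP Users\\0ACNF:" + GUID_A + ",CN=Users,DC=example,DC=com",
    "cn:: " + _b64("DHCP Users\nCNF:" + GUID_A),
    "name:: " + _b64("DHCP Users\nCNF:" + GUID_A),
    "objectClass: group",
    "",
    "dn:: " + _b64("CN=DHCP Administrators\nCNF:" + GUID_B
                   + ",CN=Users,DC=example,DC=com"),
    "cn:: " + _b64("DHCP Administrators\nCNF:" + GUID_B),
    "objectClass: group",
    "",
])

# Loser RDN value: original name, LF (raw or escaped as \0A), then CNF:<GUID>.
CNF_RE = re.compile(r"^(?P<orig>.+?)(?:\n|\\0A)CNF:(?P<guid>[0-9a-fA-F-]{36})$",
                    re.S)


def parse_ldif(text):
    """Minimal LDIF reader: blank line ends a record, '::' marks base64,
    a leading space continues the previous line. Returns [{attr: [values]}]."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:
        if line == "":
            if current:
                entries.append(current)
            current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr.lower()].append(value)
    return entries


def first_rdn_value(dn):
    """Value of the leftmost RDN, honouring backslash escapes (a\\,b stays whole)."""
    i = 0
    while i < len(dn) and dn[i] != ",":
        i += 2 if dn[i] == "\\" else 1
    return dn[:i].partition("=")[2]


def conflict_info(entry):
    """Return {'dn', 'orig', 'guid'} for a CNF object, else None."""
    dn = entry.get("dn", [""])[0]
    for value in [first_rdn_value(dn)] + entry.get("cn", []) + entry.get("name", []):
        m = CNF_RE.match(value)
        if m:
            return {"dn": dn, "orig": m.group("orig"), "guid": m.group("guid").lower()}
    return None


def find_conflicts(text):
    """All CNF objects in an LDIF dump, in file order."""
    return [c for c in (conflict_info(e) for e in parse_ldif(text)) if c]


def duplicate_sets(text):
    """Group winner and CNF losers by original RDN value, keeping only names
    that now resolve to more than one object (the 'two DHCP Users' symptom)."""
    groups = defaultdict(list)
    for e in parse_ldif(text):
        dn = e.get("dn", [""])[0]
        info = conflict_info(e)
        groups[info["orig"] if info else first_rdn_value(dn)].append(dn)
    return {name: dns for name, dns in groups.items() if len(dns) > 1}
```

Run it over a full `ldifde` export of a DC to list conflict objects; a name appearing in `duplicate_sets` means both the winner and a CNF loser exist and group or ACL references to that name need checking before anything is deleted.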
RE: [ActiveDir] DeForestation
Al, Tom, are you saying it over and over again and expecting a different response? I believe there's a definition for that behavior if so ;) That's the definition of marketing isn't it? Tom, I would say the one lone 2k3 DC needs a partner before you start this. I would agree with Al that what is mentioned should work but it is the implementation of it and things you don't mention that will probably stick you so you do want to dry run this in a lab to get a good feel of it. I also agree that you shouldn't keep the SID History around very long. In fact unless things are ACLed directly to user objects you should be able to move users without using much sid history at all if you repopulate the groups the users are in (and assuming not global groups) with the new userids. That may be a lot of work but it also indicates you know for sure what you are moving. Sometimes people just start picking up things and slapping them around without any strong understanding of everything involved and just hope that MS covers the bases for them and in many cases this works fine but if it breaks, people are then learning how it all works while being shot at which isn't a fun place to be.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, July 13, 2004 9:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DeForestation

Tom, are you saying it over and over again and expecting a different response? I believe there's a definition for that behavior if so ;) As for the tools, it is possible to do this with the Microsoft tools. The reference for this is the migration cookbook. will this work? am i insane? see above for that question; I think you might have answered that (lol) will sid history feature allow my users to still access the shares in the old forest during the migration? that's a question. Why not test it early and find out?
I would suspect that you will have some trust issues but otherwise it's possible (you didn't mention a trust or not; see the documentation for migrations and sIDHistory usage). is miis feature pack enough(with mssql and win2k3) to share the GAL? Yep, it'll do that. is subinacl enough to re-acl all the shares and printers in my new forest? Can't see any reason why not. Not to say in your organization there won't be a few issues. Usually there are a few bumps. what issues can i expect? is this doable? issues? There'll be a few issues that you'll have to work through. Practice makes perfect and there is no other way to really know what the issues will be in your environment specifically until you go through it. Using sIDHistory is probably not something you want to use long-term (i.e. any longer than you have to) since you won't have control of the central forest.

-al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, July 13, 2004 8:35 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DeForestation

wow, i'm replying to my own posts. now it's official, i'm a loser... can you guys direct me to a good reference for what i'm asking(not the loser bit). anything that covers hitches in cross forest coexistence or migration? thanks again and sorry for beating a dead horse.

-Original Message-
From: Kern, Tom
Sent: Friday, July 09, 2004 8:36 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DeForestation

I'm migrating a child domain from one win2k forest to a new one. the source forest is running win2k3 in the root and i have a destination forest with one empty win2k3 dc. i'm using admt, miis feature pack and exchange migration wizard(both forests will have exchange2k in native mode). i'm also using subinacls to re-acl everything. all my source dc's in the child domain are win2k though i have some NT member servers. my clients are all win2k pro and winXP.
i have one brand new server that is running the win2k3 root in the dest. forest. will this work? am i insane? will sid history feature allow my users to still access the shares in the old forest during the migration? is miis feature pack enough(with mssql and win2k3) to share the GAL? is subinacl enough to re-acl all the shares and printers in my new forest? what issues can i expect? is this doable? I apologize for all the questions but my cio wants to leave our current forest for political reasons in 2 weeks and i'm the only one doing this migration and i thought you guys could help me even see if this is feasible(he doesn't want to spend the money for Aelita or any other third party apps!!??). the only AD aware or dependent app we have is exchange2k(the root domain is using SAP but i don't know if this will affect it). i'd just like some input. i know this is a broad and big topic but just any advice or war stories or even no don't do this, are you insane!, would be great. thanks a lot and again, my apologies for throwing such a big diverse topic out there. i know it
RE: [ActiveDir] Domain Controller Question
quote the support guys going to play pinball or something and that one guy in the corner who doesn't talk to anyone goes and fixes the problem /quote ... that's you that is :)

--
Dean Wells
MSEtechnology * Tel: +1 (954) 501-4307 * Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 13, 2004 3:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

LOL. This sentence The support guys have been playing about all day and I 'think' it's OK now. makes me think of the support guys going to play pinball or something and that one guy in the corner who doesn't talk to anyone goes and fixes the problem. :o)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, July 13, 2004 11:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

;o) Our mail filtering product blew up and they had no resilience built in.. The support guys have been playing about all day and I 'think' it's OK now. Cheers Joe. R

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: 13 July 2004 15:51
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

Oh yeah, I am officially scared now... BTW, look at the end of this message, it looks like your guys' eventsync went a little crazy tacking on the disclaimer there... I counted like 23 occurrences. Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains. Such as full mailboxes from this disclaimer.
:o)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, July 13, 2004 6:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

As always and pitched at the perfect level Many hours/days of sweat and tears have been saved thanks to everyone's input on here. Hey, I love you guys :O) 'He Says', grinning inanely, while readjusting his Joeware thong and stroking the picture of Dean sat beside his monitor.

-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: 13 July 2004 02:07
To: Send - AD mailing list
Subject: RE: [ActiveDir] Domain Controller Question
Importance: High

For those of you that don't always read the more lengthy, complex replies ... read this one, it's simple (and to some, its content may even seem obvious) but, IMHO, it's brilliantly put! Joe's post manages to succinctly address the whys of an incredibly complex topic ... with all due respect, FANTASTIC job Joe, just great!

Deano
--
Dean Wells
MSEtechnology * Tel: +1 (954) 501-4307 * Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 12, 2004 9:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

The issue with this is that it opens more attack vectors on the DC. Normally the only vectors you have are
1. Anyone with physical access
2. Any services that expose remotely exploitable holes.
With 1, you can put compensating controls into place such as locking the DC into a room or locking the cabinet or something like that. However, any person who has physical access (there has to be someone) that isn't a domain/ent admin is still a danger. With 2, you compensate by not running any services that are not explicitly required for authenticating/authorizing people and keeping the system well patched. However any new remote non-authenticated exploit is still a serious danger.
When you allow users to TS into the machine you now allow any additional vectors that require local desktop for privilege escalation, PLUS, unless you have specially built a load to harden against local users like that you probably have numerous other security issues in terms of what users can get access to. I go by the basic tenet that I am not the smartest person in the universe when making decisions around security. In that I mean that even though I may not know of a hole or exploit or how to crack a given system, it doesn't mean someone else doesn't. Basically I can say something is unsafe but I can't with certainty declare something irrefutably safe. Recall that DCs are KDCs. No one in the business of running KDCs whether they be on UNIX, Windows, VMS, or other think it is a good idea to let normal users anywhere near them. It is the heart of the security of your network. On top of that, DCs sometimes have to be rebooted for various replication issues, etc. Normally this is something that is transparent to the user as they don't need a DC all of the time and even if they needed one while the one was down, they would find another and use it. This obviously goes
RE: [ActiveDir] Another new joeware tool - GCChk
Where is STEWART KWAN when you need him to chime in about this. Trying to see if the key word notification system works. Joe, I am running one more scan, I will send you the results and we can discuss it more. I will share with the rest once I am complete my analysis.

Thanks,
Todd

From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 13, 2004 3:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Another new joeware tool - GCChk

Ah I see, a lingering object spawning the creation of yet another lingering object. Sounds like another good reason for MS to have a nice easy public method of finding lingering objects or maybe a generic database cleanup/audit tool... :o)

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, July 13, 2004 2:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Another new joeware tool - GCChk

Are you saying that this may not be true?

I am saying it may not be true if there are other, not understood issues. For example, assume you have a lingering object on GC1 but not GC2. Then when each gets an update from DC1 (who say has a writeable copy of the NC) you have a CNF on one DC and not the other. So they should be uniform in the face of a perfectly healthy environment. But that's not always the case is all I'm saying.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 13, 2004 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Another new joeware tool - GCChk

Agreed on the tuple part. Too bad the AD or the Engine wasn't better at that insertion. If you aren't guaranteeing uniqueness then the user shouldn't really feel that impact. On the CNF part, I am a little confused by what you write. This statement comes with the assumption that all CNFs are consistently found on all dsas throughout the forest as if this is not true, looking at one DSAs CNFs does not mean you know the CNFs found on another DSA.
It sounds like you start to say the CNF's aren't consistent then are then aren't. It has been my experience that the CNF objects replicate just like normal objects around the rest of the domain (and GCs). This would be correct behavior actually since they are simply an object, doesn't matter who created the object, be it the system or a person. I agree that an additional attribute to flag these would be nice as Robbie indicated. Especially since these aren't ever something good and most likely not expected. The fact that these are handled poorly by most MS apps including ldifde helps point out, I think, that they are special and pretty much unexpected. MS sort of fixed this in K3by fixing the output of distinguishedName to return \0A instead of \n but they missed cn and name. So anyway, doing a search on one dsa for all CNF: objects should catch all of them within the normal rules of loose consistency. Are you saying that this may not be true? If you bump the timeout value in adfind with -t, timeout shouldn't be an issue as I set that on the page retrieval as well as the search init call.If you have a large directory with very few CNFs you could make the search page of 1 record length for return and still have an issue without modifying timeout values. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Monday, July 12, 2004 10:03 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Another new joeware tool - GCChk Hmm I can't think of a single way that is more efficient to get that info... Worse yet that is a medial search and I'm betting no one has set their cn index to be a tuple index. Whether this is of interest or not would be related to the # of times the search is run. The more often you plain on doing said search, the easier this is to justify. It should be noted, however, that tuple indexes are one of the most expensive types in AD. A string of length N would yield N-2 index entries where N=3.. 
3.Have some sort of sinking tool that just watched for those objects and when it found them, synced them to another directory and you could just pull them out of there. This statement comes with the assumption that all CNFs are consistently found on all dsas throughout the forest as if this is not true, looking at one DSAs CNFs does not mean you know the CNFs found on another DSA. I think time has told us that this is an unfair assumption. (think lingering objects) If you did want to do this, however, I think this is a good ADAM usage scenario. Use the new AD syncher tool up on www.microsoft.com/adam (currently beta) and do it against ADAM. Light weight, and zero incremental cost on top of the server it sits on. You can also medial substring index it up in ADAM and eat the pef there, probably not a big deal given usage of this dsa. For the timeout problem, have you tried to use a paged search, and just keep requesting the next page as
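As an added example (not code from the thread, from adfind or from GCChk) of the conflict naming joe and Eric discuss above: a CNF object's RDN is the original name, a literal newline (0x0A), then "CNF:" and the object's GUID; in DN string form the newline is escaped as `\0A` (the distinguishedName behaviour joe mentions), while cn and name carry it raw. The parser below handles both forms and builds the one-DSA LDAP filter for the search; the sample DNs, group name and GUID are constructed.

```python
import re
import uuid

# CNF object RDN = original name, a literal newline (0x0A), "CNF:", the object GUID.
_CNF_RE = re.compile(r"^(?P<orig>[^\n]+)\nCNF:(?P<guid>[0-9A-Fa-f-]{36})$")


def unescape_rdn_value(value):
    """Undo RFC 4514 escaping in one RDN value: \\XX hex pairs (e.g. \\0A) and \\<char>."""
    buf, i = bytearray(), 0
    while i < len(value):
        c = value[i]
        if c == "\\":
            pair = value[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                buf.append(int(pair, 16))   # hex pair -> raw byte (newline for \0A)
                i += 3
                continue
            if i + 1 < len(value):          # \, \+ \= etc. -> the literal character
                buf += value[i + 1].encode("utf-8")
                i += 2
                continue
        buf += c.encode("utf-8")
        i += 1
    return buf.decode("utf-8")


def first_rdn(dn):
    """Split off the leading RDN of a DN string, honouring escaped commas."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2                          # step over the escape and what follows it
            continue
        if dn[i] == ",":
            break
        i += 1
    attr, _, val = dn[:i].partition("=")
    return attr.strip(), unescape_rdn_value(val.strip())


def conflict_from_cn(cn):
    """Raw cn/name value (carrying the newline) -> {'original', 'guid'} or None."""
    m = _CNF_RE.match(cn)
    try:
        guid = str(uuid.UUID(m.group("guid")))   # also validates the GUID form
    except (AttributeError, ValueError):         # no CNF marker, or malformed GUID
        return None
    return {"original": m.group("orig"), "guid": guid}


def find_conflicts(dns):
    """Escaped DN strings (as distinguishedName returns them) -> conflict records."""
    found = []
    for dn in dns:
        attr, val = first_rdn(dn)
        rec = conflict_from_cn(val)
        if rec:
            found.append({"dn": dn, "attr": attr, **rec})
    return found


def ldap_conflict_filter():
    # RFC 4515 form of the one-DSA search for every CNF: object; newline escaped as \0a.
    return "(cn=*\\0aCNF:*)"


# Constructed sample: one renamed duplicate group, one normal entry, one escaped comma.
SAMPLE_DNS = [
    "CN=DHCP Users\\0ACNF:3f2504e0-4f89-11d3-9a0c-0305e82c3301,CN=Users,DC=example,DC=com",
    "CN=DHCP Users,CN=Users,DC=example,DC=com",
    "CN=Smith\\, John,OU=Staff,DC=example,DC=com",
]
```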
RE: [ActiveDir] Domain Controller Question
Nah, I love pinball... Plus I never fix anything, I just complain and I wholeheartedly stand by that story. :o)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, July 13, 2004 4:32 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Domain Controller Question

"the support guys going to play pinball or something and that one guy in the corner who doesn't talk to anyone goes and fixes the problem" ... that's you that is :)

--
Dean Wells
MSEtechnology
* Tel: +1 (954) 501-4307
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 13, 2004 3:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

LOL. This sentence "The support guys have been playing about all day and I 'think' it's OK now." makes me think of the support guys going to play pinball or something and that one guy in the corner who doesn't talk to anyone goes and fixes the problem. :o)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, July 13, 2004 11:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

;o) Our mail filtering product blew up and they had no resilience built in.. The support guys have been playing about all day and I 'think' it's OK now.

Cheers Joe.

R

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: 13 July 2004 15:51
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

Oh yeah, I am officially scared now...

BTW, look at the end of this message, it looks like your guys' eventsync went a little crazy tacking on the disclaimer there... I counted like 23 occurrences.

"Whilst the MCPS-PRS Alliance monitors all communications for potential viruses, we accept no responsibility for any loss or damage caused by this e-mail and the information it contains."

Such as full mailboxes from this disclaimer. :o)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, July 13, 2004 6:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

As always and pitched at the perfect level. Many hours/days of sweat and tears have been saved thanks to everyone's input on here. Hey, I love you guys :O)

'He Says', grinning inanely, while readjusting his Joeware thong and stroking the picture of Dean sat beside his monitor.

-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: 13 July 2004 02:07
To: Send - AD mailing list
Subject: RE: [ActiveDir] Domain Controller Question
Importance: High

For those of you that don't always read the more lengthy, complex replies ... read this one, it's simple (and to some, its content may even seem obvious) but, IMHO, it's brilliantly put! Joe's post manages to succinctly address the whys of an incredibly complex topic ... with all due respect, FANTASTIC job Joe, just great!

Deano

--
Dean Wells
MSEtechnology
* Tel: +1 (954) 501-4307
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 12, 2004 9:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Question

The issue with this is that it opens more attack vectors on the DC. Normally the only vectors you have are

1. Anyone with physical access
2. Any services that expose remotely exploitable holes.

With 1, you can put compensating controls into place such as locking the DC into a room or locking the cabinet or something like that. However, any person who has physical access (there has to be someone) that isn't a domain/ent admin is still a danger.

With 2, you compensate by not running any services that are not explicitly required for authenticating/authorizing people and keeping the system well patched. However any new remote non-authenticated exploit is still a serious danger.

When you allow users to TS into the machine you now allow any additional vectors that require local desktop for privilege escalation, PLUS, unless you have specially built a load to harden against local users like that you probably have numerous other security issues in terms of what users can get access to.

I go by the basic tenet that I am not the smartest person in the universe when making decisions around security. In that I mean that even though I may not know of a hole or exploit or how to crack a given system, it doesn't mean someone else doesn't. Basically I can say something is unsafe but I can't with certainty declare something irrefutably safe.

Recall that DCs are KDCs. No one in the business of running KDCs, whether they be on UNIX, Windows, VMS, or other, thinks it is a good idea to let normal users anywhere near them. It is the
[ActiveDir] Possibly OT: Flash Media Detection
Hello,

Is there a group policy restricting use of flash media (USB drives, iPods, camera cards, etc.) and/or any third party detection tools for use in a network environment?

Thank you,

Mitchell D. Lawrence
Director, Network Administrator
ITS Department
North Bay Hospital
1711 W. Wheeler Ave
Aransas Pass, TX 78336
ph: (361) 758-0580
fx: (361) 758-0581
pg: (361) 270-0421
[EMAIL PROTECTED]
[EMAIL PROTECTED] (home)

** Good | Cheap | Fast (Pick Two) **

This email and any files transmitted with it may contain PRIVILEGED and/or CONFIDENTIAL information and may only be read and/or used by the intended recipient. If you are not the intended recipient of this email and/or any attachments, please be advised that you have received this email in error and that any use, dissemination, distribution, forwarding, printing, or copying of this email and/or any attached files is strictly prohibited. If you have received this email and/or any attachments in error, please reply or contact the sender explaining that you have received this email and/or any attachments in error and that you have purged this email and/or any attachments from your system.
Re: [ActiveDir] Domain Controller Question
Are you related to Paul Sr. on American Chopper? :-/

Robert

-Original Message-
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]; 'Send - AD mailing list' [EMAIL PROTECTED]
Sent: Tue Jul 13 17:45:40 2004
Subject: RE: [ActiveDir] Domain Controller Question

Nah, I love pinball... Plus I never fix anything, I just complain and I wholeheartedly stand by that story. :o)
RE: [ActiveDir] DeForestation
Actually, the migration may not happen now. The sticking point is not being able to synch free/busy info bet forests. Also, we have some secretaries in one forest who would need to open and update the calendars of their managers who would be in a diff. forest. I can't see this working without disrupting the end user in some way. Finally, I'm not sure SAP or MS content management server will work cross forests.

Thanks for all your help and I promise not to repost so much again.
RE: [ActiveDir] Domain Controller Question
I didn't know he liked pinball. :o)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Mezzone
Sent: Tuesday, July 13, 2004 6:41 PM
To: '[EMAIL PROTECTED]'
Subject: Re: [ActiveDir] Domain Controller Question

Are you related to Paul Sr. on American Chopper? :-/

Robert