RE: [ActiveDir] Changing Logon server authentication !!

2007-01-28 Thread Almeida Pinto, Jorge de
check the SITES and SUBNETS configuration... make sure the subnet of the Citrix 
servers is defined in AD and assigned to the correct site.
 
also make sure the server (DC) B has not registered service records for the 
site of the Citrix servers. This can happen when that site initially does not 
have a DC, then a DC is added and the records for server B are for some reason 
not removed...
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Sun 2007-01-28 11:32
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Changing Logon server authentication !!



Hi,

 

 

We have a server A in US. We have a Server BC in India.

 

Global catalog servers are Server A & B.

 

FSMO Roles are with the server B.

 

Right now we have a Citrix member server D in US. When users log on to the 
Citrix server, it takes logon authentication from Server B. When we use the 
set command it shows the logon server name as Server B. Is there any way I can 
make it take authentication only from server A when it is available?

 

Regards,

 

Senthil



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.

RE: [ActiveDir] remove orphan DC from the domain

2007-01-26 Thread Almeida Pinto, Jorge de
correct!
 
however he never mentioned the OS and SP level... ;-)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Paul Williams
Sent: Fri 2007-01-26 09:25
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] remove orphan DC from the domain



  If the DC that died had FSMO roles, you need to seize them (check which
 DC had FSMO roles with -- NETDOM QUERY FSMO)

This step is no longer necessary in k3 SP1.  NTDSUTIL does it for you.  If I
remember correctly, it tries a XFER and then does a Seize (as that's the
logic for the Seize anyway).

I believe this was added in SP1.


--Paul

- Original Message -
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 7:05 AM
Subject: RE: [ActiveDir] remove orphan DC from the domain


I forgot to mention:

* If the DC that died had FSMO roles, you need to seize them (check which DC
had FSMO roles with -- NETDOM QUERY FSMO)
* DNS records are NOT removed by the NTDSUTIL. Must be done manually or wait
if you have aging/scavenging enabled

Also make sure the GC role and DNS roles are hosted by other computers (other
DCs)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address




RE: [ActiveDir] Overlapping AD Subnet Boundaries

2007-01-26 Thread Almeida Pinto, Jorge de
it will go for the second site 10.10.41.0/24 (= best matching)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Brian Cline
Sent: Fri 2007-01-26 22:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Overlapping AD Subnet Boundaries



Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, 
and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD 
treat a client address of, say, 10.10.41.104 as a client on the secondary site, 
or will it default to the more general primary subnet? The reason I ask is we 
now have a need for a second AD site (I can see all the enterprise folks 
grinning now) and we have quite a number of other subnets that I'd have to 
manually enter if this is not the case. I don't mind doing it, but I was 
curious either way.

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax



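Jorge's answer to this question (the most specific matching subnet wins) and his advice on the Citrix logon thread above (check that the subnet is defined and assigned to a site, and which DCs have registered SRV records for that site) can both be verified with a script. The PowerShell below is an added example, not code from the list or from Jorge: the subnet table is constructed from the two prefixes in the question, the domain name in the usage line is a placeholder, and the live DNS check assumes the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the list thread): resolve a client IP to an AD site the
# way the DC locator does (the most specific matching subnet wins), then list
# which DCs advertise the site-specific LDAP SRV records for that site.
# The subnet table is constructed for illustration; in a live forest, build it
# from Get-ADReplicationSubnet -Filter * (Name, Site) instead.

function ConvertTo-IPv4UInt32 {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    # Double arithmetic is exact below 2^53, so this sidesteps PowerShell's
    # integer type promotion rules entirely
    return [uint32]([double]$b[0] * 16777216 + [double]$b[1] * 65536 + [double]$b[2] * 256 + [double]$b[3])
}

function Resolve-AdSite {
    # Returns the site whose subnet is the longest prefix matching $ClientIp, or $null
    param([string]$ClientIp, [object[]]$Subnets)
    $ipInt = ConvertTo-IPv4UInt32 $ClientIp
    $best  = $null
    foreach ($s in $Subnets) {
        $net, $lenText = $s.Prefix -split '/'
        $len = [int]$lenText
        # Mask with the top $len bits set: 2^32 - 2^(32-len), exact in a double
        $mask   = [uint32](4294967296 - [math]::Pow(2, 32 - $len))
        $netInt = ConvertTo-IPv4UInt32 $net
        if (($ipInt -band $mask) -ne ($netInt -band $mask)) { continue }
        if ($null -eq $best -or $len -gt $best.Length) {
            $best = [pscustomobject]@{ Site = $s.Site; Prefix = $s.Prefix; Length = $len }
        }
    }
    return $best
}

function Get-SiteDcSrvRecords {
    # DCs that registered _ldap._tcp.<site>._sites.dc._msdcs.<domain>. A DC that is
    # not a member of the site appears here only through automatic site coverage
    # or through stale records of the kind Jorge describes on the Citrix thread.
    param([string]$Site, [string]$DomainDns)
    Resolve-DnsName -Name "_ldap._tcp.$Site._sites.dc._msdcs.$DomainDns" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Priority, Weight, Port
}

# Constructed data: the two subnets from the question, overlapping on purpose
$subnets = @(
    [pscustomobject]@{ Prefix = '10.10.0.0/16';  Site = 'Primary' },
    [pscustomobject]@{ Prefix = '10.10.41.0/24'; Site = 'Secondary' }
)
foreach ($ip in '10.10.41.104', '10.10.5.3') {
    $hit = Resolve-AdSite -ClientIp $ip -Subnets $subnets
    '{0,-14} -> {1} (via {2})' -f $ip, $hit.Site, $hit.Prefix
}

# Live check against DNS; the domain name is a placeholder for your own:
# Get-SiteDcSrvRecords -Site 'Secondary' -DomainDns 'corp.example.com'
```

With that table, 10.10.41.104 resolves to Secondary through 10.10.41.0/24 and 10.10.5.3 to Primary through 10.10.0.0/16, which is the best-match behaviour Jorge describes. Comparing the NameTarget values returned by the live check with the Site property of Get-ADDomainController -Filter * shows whether a DC outside the site is still advertising for it.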

RE: [ActiveDir] remove orphan DC from the domain

2007-01-25 Thread Almeida Pinto, Jorge de
the AD metadata cleanup is nothing more than removal/deletion of objects that 
belong to a DC that is not live anymore. Just like other object deletions 
(user, group, etc.) the deletions will replicate to other DCs (assuming 
replication is working fine) that host the same partitions from which the 
objects were removed. Because of that you only need to target ONE live DC in 
the same domain when using NTDSUTIL.
 
Imagine a domain with 1000 DCs. It would be a PITA to clean up the AD 
metadata of one of the DCs on the other 999 DCs... ;-))
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 00:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain



Hi,

 

We already had 3 DCs in our network. Suddenly one DC went down permanently. 
It won't come back. Right now we want to remove that orphan DC 
completely. I have seen the Microsoft article 

 

1. Click Start, point to Programs, point to Accessories, and then click Command 
   Prompt.

2. At the command prompt, type ntdsutil, and then press ENTER.

3. Type metadata cleanup, and then press ENTER. Based on the options given, the 
   administrator can perform the removal, but additional configuration parameters 
   must be specified before the removal can occur.

4. Type connections and press ENTER. This menu is used to connect to the specific 
   server where the changes occur. If the currently logged on user does not have 
   administrative permissions, different credentials can be supplied by specifying 
   the credentials to use before making the connection. To do this, type set creds 
   DomainName UserName Password, and then press ENTER. For a null password, type 
   null for the password parameter.

5. Type connect to server servername, and then press ENTER. You should receive 
   confirmation that the connection is successfully established. If an error 
   occurs, verify that the domain controller being used in the connection is 
   available and the credentials you supplied have administrative permissions on 
   the server.

   Note: If you try to connect to the same server that you want to delete, when 
   you try to delete the server that step 15 refers to, you may receive the 
   following error message: 

   Error 2094. The DSA Object cannot be deleted 0x2094 

6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.

7. Type select operation target and press ENTER.

8. Type list domains and press ENTER. A list of domains in the forest is 
   displayed, each with an associated number.

9. Type select domain number and press ENTER, where number is the number 
   associated with the domain the server you are removing is a member of. The 
   domain you select is used to determine whether the server being removed is the 
   last domain controller of that domain.

10. Type list sites and press ENTER. A list of sites, each with an associated 
    number, appears.

11. Type select site number and press ENTER, where number is the number 
    associated with the site the server you are removing is a member of. You 
    should receive a confirmation listing the site and domain you chose.

12. Type list servers in site and press ENTER. A list of servers in the site, 
    each with an associated number, is displayed. 

13. Type select server number, where number is the number associated with the 
    server you want to remove. You receive a confirmation listing the selected 
    server, its Domain Name System (DNS) host name, and the location of the 
    server's computer account you want to remove.

14. Type quit and press ENTER. The Metadata Cleanup menu appears.

15. Type remove selected server and press ENTER. You should receive confirmation 
    that the removal completed successfully. If you receive the following error 
    message, the NTDS Settings object may already be removed from Active 
    Directory as the result of another administrator removing the NTDS Settings 
    object or replication of the successful removal of the object after running 
    the DCPROMO utility. 

    Error 8419 (0x20E3)
    The DSA object could not be found 

    Note: You may also see this error when you try to bind to the domain 
    controller that will be removed. Ntdsutil has to bind to a domain controller 
    other than the one that will be removed with metadata cleanup.

16. Type quit, and then press ENTER at each menu to quit the Ntdsutil utility. 
    You should receive confirmation that the connection disconnected successfully.

17. Remove the cname record in the _msdcs.root domain of forest zone in DNS. 
    Assuming that DC will be reinstalled and re-promoted, a new NTDS Settings 
    object is created with a new GUID and a matching cname record in DNS. You do 
    not want the DCs that 

RE: [ActiveDir] remove orphan DC from the domain

2007-01-25 Thread Almeida Pinto, Jorge de
I forgot to mention:
 
* If the DC that died had FSMO roles, you need to seize them (check which DC 
had FSMO roles with -- NETDOM QUERY FSMO)
* DNS records are NOT removed by the NTDSUTIL. Must be done manually or wait if 
you have aging/scavenging enabled
 
Also make sure the GC role and DNS roles are hosted by other computers (other 
DCs)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 01:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain



Thanks for your logic. I hope that on the remaining DCs it will be done automatically.

 

Regards,

 

Senthil

 



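The points Jorge adds in this message (seize any FSMO roles the dead DC held, clean up the DNS records ntdsutil leaves behind, make sure GC and DNS are hosted elsewhere) are the checks to run before and after the ntdsutil procedure quoted in the thread. The PowerShell below is an added example, not code from the thread or from the Microsoft article; it assumes the ActiveDirectory and DnsServer RSAT modules (Server 2012 or later) and the default Windows 2003-style DNS layout in which _msdcs.<forest root> is its own zone, and every host name, zone and DN in it is a placeholder.

```powershell
# Added example, not from the thread or the KB article it quotes: the checks around
# "ntdsutil metadata cleanup" for a dead DC. Requires the ActiveDirectory and
# DnsServer RSAT modules; all server, domain and zone names are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-FsmoRoleHolders {
    param([string]$Domain)
    $d = Get-ADDomain -Identity $Domain
    $f = Get-ADForest -Identity $d.Forest
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Test-DeadDcDependencies {
    # What still depends on the dead DC: roles to seize, other GCs, other DNS servers
    param([string]$DeadDcFqdn, [string]$Domain)
    $roles   = Get-FsmoRoleHolders -Domain $Domain
    $toSeize = $roles.PSObject.Properties |
        Where-Object { $_.Value -ieq $DeadDcFqdn } |
        Select-Object -ExpandProperty Name
    $liveDcs = Get-ADDomainController -Filter * -Server $Domain |
        Where-Object { $_.HostName -ine $DeadDcFqdn }
    $otherNs = Resolve-DnsName -Name $Domain -Type NS -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'NS' -and $_.NameHost -ine $DeadDcFqdn } |
        Select-Object -ExpandProperty NameHost
    [pscustomobject]@{
        FsmoRolesToSeize = @($toSeize)
        OtherGcsRemain   = @($liveDcs | Where-Object IsGlobalCatalog).Count -gt 0
        OtherDnsServers  = @($otherNs)
    }
}

function Get-DeadDcDnsRecords {
    # Records ntdsutil does not touch: SRV records targeting the DC, the <DSA GUID>
    # CNAME replication partners use, and the host (A) record itself.
    param([string]$DeadDcFqdn, [string]$Domain, [string]$ForestRoot, [string]$DnsServer)
    $target = "$DeadDcFqdn."          # RecordData stores FQDNs with a trailing dot
    $msdcs  = "_msdcs.$ForestRoot"
    $rows   = @()
    foreach ($zone in $msdcs, $Domain) {
        $rows += Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -RRType SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordData.DomainName -ieq $target } |
            Select-Object @{n='Zone';e={$zone}}, HostName, RecordType, @{n='Data';e={$_.RecordData.DomainName}}
    }
    $rows += Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $msdcs -RRType CName -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.HostNameAlias -ieq $target } |
        Select-Object @{n='Zone';e={$msdcs}}, HostName, RecordType, @{n='Data';e={$_.RecordData.HostNameAlias}}
    $rows += Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Domain -RRType A -Name ($DeadDcFqdn -split '\.')[0] -ErrorAction SilentlyContinue |
        Select-Object @{n='Zone';e={$Domain}}, HostName, RecordType, @{n='Data';e={$_.RecordData.IPv4Address.IPAddressToString}}
    return $rows
}

# Usage (placeholders):
# $dead = 'dc3.corp.example.com'
# Test-DeadDcDependencies -DeadDcFqdn $dead -Domain 'corp.example.com'
# Get-DeadDcDnsRecords -DeadDcFqdn $dead -Domain 'corp.example.com' -ForestRoot 'corp.example.com' -DnsServer 'dc1.corp.example.com'
#
# The cleanup itself is run once, against ONE live DC; the deletions replicate out,
# as Jorge explains. From Windows Server 2003 SP1 the server object can be named by
# DN in a single step instead of the numbered list/select dialogue:
#   ntdsutil "metadata cleanup" "remove selected server CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com" quit quit
# Run Get-DeadDcDnsRecords again afterwards: anything it still lists is what the
# "DNS records are NOT removed" point refers to and has to be deleted by hand
# (or left to scavenging, where it is enabled).
```

FsmoRolesToSeize being non-empty is the case Jorge's first bullet covers; an empty OtherDnsServers list or OtherGcsRemain equal to false means the remaining DCs need the DNS or GC role before the dead one is cleaned up, which is his last point.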

RE: [ActiveDir] AD Security Auditing

2007-01-23 Thread Almeida Pinto, Jorge de
Hi,
 
Have a look at:
* http://www.kouti.com/adreport/ (not free)
* ACLReport.vbs v1.01 (free - http://www.kouti.com/scripts.htm)
 
ACLReport.vbs v1.01
This script creates an HTML file named ACLReport.htm, that contains all the 
ACLs of a given Active Directory tree. By modifying three lines in the 
beginning of the script, you can choose:
- Only OUs or all objects
- Only normal-view objects or also advanced-view objects
- Whether to display all ACEs or only non-inherited
 
Regards
Jorge
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Casey Robertson
Sent: Tue 2007-01-23 23:33
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Security Auditing



We are embarking on a project to clean up our OUs structure and reassign 
permissions that have grown unmanageable over time.  To accomplish this it 
would be nice to be able to dump permissions on all OU objects and individual 
object types (users, computers, etc) so that we can determine who has rights to 
what.  The prospect of doing this manually is daunting at best and for the most 
part I have only seen 3rd party tools (read: expensive) that do this in an easy 
to use fashion.

 

Any suggestions for tools, scripts etc would be appreciated.  Either that or we 
can rebuild our OU structure :-)

 

Casey Robertson

 



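As an added example (not Jorge's script and not ACLReport.vbs itself), the same report Casey asks for written in PowerShell, with the three options the VBScript exposes and with the object-type GUIDs in each ACE resolved to attribute or extended-right names. It assumes the ActiveDirectory RSAT module (which provides the AD: drive that Get-Acl reads from); the output path is a placeholder.

```powershell
# Added example (not Jorge's script and not ACLReport.vbs): dump every ACE on the
# OUs under a base DN (or on every object, if asked) to CSV, with object-type
# GUIDs resolved to attribute / extended-right names so "who has rights to what"
# is readable. Needs the ActiveDirectory RSAT module; the output path is a placeholder.
Import-Module ActiveDirectory

function Get-AdGuidMap {
    # schemaIDGUID -> attribute/class name, rightsGuid -> extended right name
    $root = Get-ADRootDSE
    $map  = @{}
    Get-ADObject -SearchBase $root.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid][byte[]]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.ConfigurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    return $map
}

function Export-AdAclReport {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [switch]$AllObjects,        # default: organizationalUnit objects only
        [switch]$NonInheritedOnly,  # default: inherited and explicit ACEs
        [string]$OutFile = '.\ACLReport.csv'
    )
    $guidMap = Get-AdGuidMap
    $filter  = if ($AllObjects) { '(objectClass=*)' } else { '(objectClass=organizationalUnit)' }
    $rows = foreach ($obj in Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase -SearchScope Subtree) {
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($NonInheritedOnly -and $ace.IsInherited) { continue }
            # ObjectType narrows the ACE to one attribute, class or extended right;
            # the empty GUID means the ACE applies to the whole object
            $appliesTo = if ($guidMap.ContainsKey($ace.ObjectType)) { $guidMap[$ace.ObjectType] } else { $ace.ObjectType.ToString() }
            if ($ace.ObjectType -eq [guid]::Empty) { $appliesTo = 'All' }
            [pscustomobject]@{
                Object      = $obj.DistinguishedName
                ObjectClass = $obj.ObjectClass
                Trustee     = $ace.IdentityReference.Value
                Type        = $ace.AccessControlType
                Rights      = $ace.ActiveDirectoryRights
                AppliesTo   = $appliesTo
                Inheritance = $ace.InheritanceType
                IsInherited = $ace.IsInherited
            }
        }
    }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    return $rows
}

# Usage: inventory first, then look for broad rights held by principals that
# should not have them
# $report = Export-AdAclReport -NonInheritedOnly
# $report | Where-Object { $_.Rights -match 'GenericAll|WriteDacl|WriteOwner' } |
#     Format-Table Object, Trustee, Rights -AutoSize
```

Running it with -NonInheritedOnly first is the quickest way to find the explicit grants that accumulated over time, which is what the clean-up Casey describes has to start from; the inherited view then shows what each of those grants fans out to.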

RE: [ActiveDir] Replication Problem !!

2007-01-18 Thread Almeida Pinto, Jorge de
see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/08/Lingering-objects.aspx
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Senthil Kumar
Sent: Thu 2007-01-18 18:55
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Problem !!


Hi,
 
Does anybody know how to remove lingering objects? When I use repadmin 
/removelingeringobjects it returns an "invalid arguments" error. Can anybody 
help me out?
 
Regards,
 
Senthil



RE: [ActiveDir] adminsdholder

2007-01-16 Thread Almeida Pinto, Jorge de
setting the attribute to 0 only will not help
 
to stop the adminsdholder from managing a certain group/user you either:
* remove it from a protected group, check inheritance and reset admincount to 
not set
* configure dsheuristics (forest-wide config) as mentioned in 
http://support.microsoft.com/?id=817433 for some default protected groups (not 
recommended as you should not use the default admin groups, but instead 
delegate stuff)
 
also see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/981.aspx
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Graham Turner
Sent: Tue 2007-01-16 15:37
To: activedir@mail.activedir.org
Subject: [ActiveDir] adminsdholder



Dear all, I think we are experiencing issues regarding not being able to reset 
permissions on an object that was previously a member of protected groups.

I have read that the issue is around the reset of the value of the 'admincount' 
attribute.

As I learn, this gets set to 1 when it becomes a member of protected groups, 
but ju

I wanted to confirm that it is a 'supported' operation to merely reset this 
data to 0 to undo the effect of adminsdholder??

Or whether there are other changes that need to be considered?

G










List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx





RE: [ActiveDir] adminsdholder

2007-01-16 Thread Almeida Pinto, Jorge de
either explicit or inherited permissions will be replaced by the 
permissions defined on the adminsdholder object
 
so if re-applying inheritance is not enough... you would need to define 
explicitly defined permissions...
 
for the default perms you can use the DEFAULT button and all custom added 
permissions would need to be defined again
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Graham Turner
Sent: Tue 2007-01-16 17:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] adminsdholder



Jorge, thanks for your reply post.

I certainly favour the former option on account of the other being a forest-wide
configuration.

On this basis, if we have removed the user from protected groups, then doesn't 
setting do the job?

The permission we are 'losing' is not one that is set at parent OU level and set
explicitly on the object, so inheritance of the permission is not

OR is there something else that needs to be re-enabled by changing the 
inheritance on the user object??

GT


1. removed user from all protected groups


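For both adminsdholder replies above, an added PowerShell example (not Jorge's or Graham's code) that audits accounts still stamped with adminCount=1 after leaving the protected groups and, with -Fix, performs the two steps Jorge lists: clear adminCount and re-enable inheritance. It assumes the ActiveDirectory RSAT module. The protected-group list is the common default set and is an assumption to adjust for the forest, since, as Jorge's pointer to KB 817433 says, dsHeuristics changes which groups are protected.

```powershell
# Added example (not Jorge's code or the thread's): find accounts that still carry
# adminCount=1 although they are no longer in any protected group, and, with -Fix,
# clear adminCount and re-enable inheritance. The protected group list is the usual
# default set and is an assumption (OS version and dsHeuristics change it).
Import-Module ActiveDirectory

$ProtectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Account Operators', 'Server Operators', 'Print Operators',
                   'Backup Operators', 'Replicator', 'Domain Controllers',
                   'Read-only Domain Controllers'
$AlwaysProtected = 'Administrator', 'krbtgt'   # protected directly, not through a group

function Get-ProtectedPrincipalDns {
    # DNs of every protected group plus everything that is a member, directly or nested
    $dns = @{}
    foreach ($name in $ProtectedGroups) {
        # Enterprise/Schema Admins exist only in the forest root; skip what this domain lacks
        $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $grp) { continue }
        $dns[$grp.DistinguishedName] = $true
        Get-ADGroupMember -Identity $grp            | ForEach-Object { $dns[$_.DistinguishedName] = $true }  # direct members, nested groups included
        Get-ADGroupMember -Identity $grp -Recursive | ForEach-Object { $dns[$_.DistinguishedName] = $true }  # flattened membership
    }
    return $dns
}

function Get-OrphanedAdminCount {
    param([switch]$Fix)
    $protected  = Get-ProtectedPrincipalDns
    # objectClass=user also matches computers, which can carry adminCount too
    $candidates = Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' -Properties sAMAccountName
    foreach ($obj in $candidates) {
        if ($protected.ContainsKey($obj.DistinguishedName) -or $AlwaysProtected -contains $obj.sAMAccountName) { continue }
        $path = "AD:\$($obj.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $row  = [pscustomobject]@{
            Account            = $obj.sAMAccountName
            DistinguishedName  = $obj.DistinguishedName
            InheritanceBlocked = $acl.AreAccessRulesProtected
            Fixed              = $false
        }
        if ($Fix) {
            Set-ADObject -Identity $obj -Clear adminCount
            if ($acl.AreAccessRulesProtected) {
                # isProtected=$false re-enables inheritance. The explicit ACEs that SDProp
                # copied from AdminSDHolder stay until reset (the DEFAULT button), as Jorge notes.
                $acl.SetAccessRuleProtection($false, $true)
                Set-Acl -Path $path -AclObject $acl
            }
            $row.Fixed = $true
        }
        $row
    }
}

# Report only:  Get-OrphanedAdminCount | Format-Table -AutoSize
# Remediate:    Get-OrphanedAdminCount -Fix
```

Setting adminCount back to 0 alone is what the first reply says will not help; this is why -Fix clears the attribute and re-enables inheritance together. SDProp runs on the PDC emulator about once an hour, so an account that shows up again after an hour with adminCount=1 and inheritance blocked is still a member of some protected group, usually through nesting, and the membership is what has to be fixed.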

RE: [ActiveDir] R2 Schema

2007-01-14 Thread Almeida Pinto, Jorge de
just to use the PMC no schema change is needed...
 
however, to deploy printer connections through GPOs and thus create 
corresponding objects in AD (under the GPO used to deploy the printer 
connection) you need to extend the schema
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks 
[MVP]
Sent: Sun 2007-01-14 22:12
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] R2 Schema


(for those on the off chance interested in the SBS impact)

While SBS's r2 release does not give you the functionality of the real R2 
bits, to have DFSRv2 on member servers you have to bump the schema on the SBS 
DC.
The only parts of the real r2 that SBS 2003 R2 gets is FSRM and MMC 3.0.

http://blogs.technet.com/sbs/archive/2006/02/28/420825.aspx
More tech details there.

The printer management console doesn't need a schema update that I recall.. you 
just need the R2 install on that server.  I don't remember (don't think) I did 
anything on my DC when I enabled the Printer Management console on the member 
server.

Vinnie Cardona wrote: 

Excellent.  Thank you.

 






 





From: [EMAIL PROTECTED] on behalf of Vinnie Cardona
Sent: Sat 2007-01-13 00:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema

Interesting.  I have a similar situation.  But in my case they want me to 
roll out R2 on 10 of my W2K3sp1 file and print servers to take advantage of 
DFS.  After reading the installation docs from the CD it appears to me that 
I don't have to extend the schema because the servers I will be upgrading 
are not DCs...would like a reassurance that this is indeed the case with the 
community...

-many thanks



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, January 12, 2007 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 Schema

I have a customer that is really pushing to have the R2 schema loaded in
our

RE: [ActiveDir] R2 Schema

2007-01-13 Thread Almeida Pinto, Jorge de
the AD schema is (must be) extended with the R2 stuff when either:
* you want to install R2 on a DC
* you want to use R2 functionalities like DFS-R, PMC, UnixIDM, etc.
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Vinnie Cardona
Sent: Sat 2007-01-13 06:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema



Thank you Jorge...I was just a bit puzzled by one of the lines in the doc on 
the CD which states that the schema is only extended if you are planning on 
installing W2K3r2 on a W2K3 DC.  I am still in the process of reading up on 
W2K3r2 and DFS and thanks to you and Hunter which sent me the link to the DFS 
requirements...I now understand more on the requirements. 

 

Thank you all for your help.  Really do appreciate it.

 

-vC

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de
Sent: Friday, January 12, 2007 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema

 

although the file servers are R2, because of the use of DFS-R (the new replication 
mechanism) you MUST extend the AD schema so that the DFS-R information can be 
stored in AD

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

 



From: [EMAIL PROTECTED] on behalf of Vinnie Cardona
Sent: Sat 2007-01-13 00:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema

Interesting.  I have a similar situation.  But in my case they want me to
roll out R2 on 10 of my W2K3sp1 file and print servers to take advantage of
DFS.  After reading the installation docs from the CD it appears to me that
I don't have to extend the schema because the servers I will be upgrading
are not DCs...would like a reassurance that this is indeed the case with the
community...

-many thanks



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, January 12, 2007 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 Schema

I have a customer that is really pushing to have the R2 schema loaded in
our W2K3 SP1 environment.  The plan is to take advantage of the new DFS
extensions.

We don't have any plans to upgrade to R2 in the foreseeable future so
we'd basically be running W2K3 with the R2 schema for several months or
years.  Does anyone see any potential issues with that?
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.



RE: [ActiveDir] DC Locator process\Site Topology

2007-01-12 Thread Almeida Pinto, Jorge de
> aware once the client discovers there is no DC on its own subnet the
> DsGetSite API sends a DNS query for the SRV record
> _ldap._tcp.dc._msdcs.<domainname>, i.e. give me a DC that is responsible for
> the X domain. The DC should then inform the client, based upon the IP
> information, that the client belongs to site X and that for this site DCs X and
> X are responsible. DsGetDcName finds a DC, but in this case a DC in the
> core location, not its closest.

 

True when the client is joined to the domain. When it is not joined to the 
domain the client does not issue a "give me a DC in site X" query. It issues a 
"give me a DC in domain XYZ" query. It receives a response from DNS with ALL 
the DCs listed that registered the domain-wide service resource records. By 
default all the DCs register the domain-wide service resource records and the 
site-wide service resource records. To prevent a client in branch office 
site X from being serviced by a DC in branch office site Y after issuing a 
"give me a DC in domain XYZ" query, it is a best practice to disable registration of 
the domain-wide service resource records by the branch office DCs and only 
allow the HUB (main) office DCs to do that. Most probably you have configured that, 
as you are saying the object creation is always done in the HUB. If you want to 
target the computer account creation to the nearest DC, either:

* You use NETDOM manually
* You create some script/tool that:
  - Checks the IP of the client
  - Matches that to a subnet in AD
  - Retrieves the AD site that has that subnet
  - Queries DNS for a DC in that site and uses that in NETDOM

Example:

NETDOM JOIN <machine> /Domain:<domain>\<DC> /UserD:<domain>\<user> /PasswordD:<password> /OU:"<DN of OU>" /REBoot

---
NETDOM JOIN    Joins a workstation or member server to the domain.

  machine      is the name of the workstation or member server to be joined

  /Domain      Specifies the domain which the machine should join. You
               can specify a particular domain controller by entering
               /Domain:domain\dc. If you specify a domain controller, you
               must also include the user's domain. For
               example: /UserD:domain\user

  /UserD       User account used to make the connection with the domain
               specified by the /Domain argument

  /PasswordD   Password of the user account specified by /UserD.  A * means
               to prompt for the password

  /UserO       User account used to make the connection with the machine to
               be joined

  /PasswordO   Password of the user account specified by /UserO.  A * means
               to prompt for the password

  /OU          Organizational unit under which to create the machine account.
               This must be a fully qualified RFC 1779 DN for the OU.
               If not specified, the account will be created under the default
               organization unit for machine objects for that domain.

  /REBoot      Specifies that the machine should be shutdown and automatically
               rebooted after the Join has completed.  The number of seconds
               before automatic shutdown can also be provided.  Default is
               30 seconds
---

 

 

Met vriendelijke groeten / Kind regards,

__
MVP Profile: https://mvp.support.microsoft.com/profile=f8c04f4a-bff2-453e-9aed-7dfedab0be10
MVP Home Site: https://mvp.support.microsoft.com/
MVP Overview: https://mvp.support.microsoft.com/mvpexecsum
BLOG: http://blogs.dirteam.com/blogs/jorge/default.aspx
__

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Holt, Will
Sent: Friday, January 12, 2007 12:43
To: 'activedir@mail.activedir.org'
Subject: [ActiveDir] DC Locator process\Site Topology

 

Hi All,

 

# W2K3 DFM - Windows Server 2003
# FFM - Windows Server Interim.

I have the following site topology. Network: two core locations (MAN, Gbps), onto 
which are attached 9 backbone locations (155 Mbps). Access2 locations are 
attached to one backbone with a VPN (ISDN\DSL) fallback to one of the core 
locations. DCs are placed only on the core and backbone locations (this is 
domestic, i.e. Germany). There are a total of 872 locations worldwide. For the 
site (objects of type siteLink, subnet and site) information I have a scripted 
solution.

Every network location has a site, and the subnets are allocated at this level, 
enabling us to offer service location for DFS and print, i.e. I have 
serverless sites which are covered by the relevant DCs on the core and 
backbone levels. I qualify the clients' site awareness with nltest 
/server:XX /dsgetsite - no problems. I then qualify with nltest 
/server:DCNAME /dsgetsitecov that the server is covering the site with the 
value
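The "script/tool" Jorge outlines in his reply above, written out as an added example (not code from the original post or from any of its authors): it matches the un-joined client's IPv4 address to an AD subnet object by longest prefix, takes the site from that subnet, asks DNS for a DC that registered the site-specific SRV record, and hands that DC to NETDOM JOIN. The domain name, OU and credentials are placeholders, and the client is assumed to have Resolve-DnsName (Windows 8 / Server 2012 or later) and netdom.exe available.

```powershell
# Added example, not part of the original post. Placeholders: domain, OU, account.
param(
    [string]$Domain   = 'corp.example.com',                          # assumed
    [string]$TargetOu = 'OU=Workstations,DC=corp,DC=example,DC=com'  # assumed
)
$cred = Get-Credential -Message "Account allowed to read AD and join $Domain"

# Dotted quad -> UInt32 so prefix masks can be compared arithmetically.
function ConvertTo-UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)
    return [BitConverter]::ToUInt32($b, 0)
}

# Longest-prefix match of $Ip against the IPv4 subnet objects in the
# Configuration NC. The LDAP bind may land on any DC (it is a domain-wide
# lookup); that is fine, we only need the site name from it.
function Find-AdSiteForIp ([string]$Ip) {
    $ipInt = ConvertTo-UInt32 $Ip
    $user  = $cred.UserName
    $pass  = $cred.GetNetworkCredential().Password
    $root  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain/RootDSE", $user, $pass)
    $cfgNc = $root.Properties['configurationNamingContext'].Value
    $base  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain/CN=Subnets,CN=Sites,$cfgNc", $user, $pass)
    $search = New-Object System.DirectoryServices.DirectorySearcher($base, '(objectClass=subnet)', [string[]]@('cn', 'siteObject'))
    $all  = [long][uint32]::MaxValue     # 0xFFFFFFFF as a positive 64-bit value (the hex literal would be Int32 -1)
    $best = $null
    foreach ($r in $search.FindAll()) {
        $cn = [string]$r.Properties['cn'][0]                       # e.g. 10.20.0.0/16
        if ($cn -match '^(\d{1,3}(\.\d{1,3}){3})/(\d{1,2})$') {    # IPv4 subnets only
            $bits = [int]$Matches[3]
            $mask = [uint32](($all -shl (32 - $bits)) -band $all)
            $net  = ConvertTo-UInt32 $Matches[1]
            if ((($ipInt -band $mask) -eq ($net -band $mask)) -and ($null -eq $best -or $bits -gt $best.Bits)) {
                $siteDn = [string]$r.Properties['siteObject'][0]   # CN=<site>,CN=Sites,CN=Configuration,...
                $best = @{ Bits = $bits; Site = (($siteDn -split ',')[0] -replace '^CN=') }
            }
        }
    }
    if ($null -eq $best) { throw "No AD subnet covers $Ip; define one before joining." }
    return $best.Site
}

# The site-specific record, as opposed to the domain-wide _ldap._tcp.dc._msdcs.<domain>.
# Lowest priority first, then highest weight, which is how the DC locator orders candidates.
function Find-DcInSite ([string]$Site) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' } |
           Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
           Select-Object -First 1
    if (-not $srv) { throw "No DC registered records for site $Site" }
    return $srv.NameTarget.TrimEnd('.')
}

$ip = ([System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
       Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1).IPAddressToString
$site = Find-AdSiteForIp $ip
$dc   = Find-DcInSite $site
Write-Host "Client $ip is in site '$site'; joining via $dc"

# /PasswordD:* makes netdom prompt, so the join password never appears on the command line.
& netdom join $env:COMPUTERNAME "/Domain:$Domain\$dc" "/UserD:$($cred.UserName)" '/PasswordD:*' "/OU:$TargetOu" /REBoot
```

After the reboot, `nltest /dsgetsite` on the client should print the same site the script derived; if it does not, the subnet object and the site coverage (`nltest /server:<dc> /dsgetsitecov`) are the first things to compare.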

RE: [ActiveDir] R2 Schema

2007-01-12 Thread Almeida Pinto, Jorge de
although the file servers are R2, because of the use of DFS-R (the new replication 
mechanism) you MUST extend the AD schema so that the DFS-R information can be 
stored in AD
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Vinnie Cardona
Sent: Sat 2007-01-13 00:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema



Interesting.  I have a similar situation.  But in my case they want me to
roll out R2 on 10 of my W2K3sp1 file and print servers to take advantage of
DFS.  After reading the installation docs from the CD it appears to me that
I don't have to extend the schema because the servers I will be upgrading
are not DCs...would like a reassurance that this is indeed the case with the
community...

-many thanks



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, January 12, 2007 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 Schema

I have a customer that is really pushing to have the R2 schema loaded in
our W2K3 SP1 environment.  The plan is to take advantage of the new DFS
extensions.

We don't have any plans to upgrade to R2 in the foreseeable future so
we'd basically be running W2K3 with the R2 schema for several months or
years.  Does anyone see any potential issues with that?





RE: [ActiveDir] Seized Roles - Flatten DC?

2007-01-11 Thread Almeida Pinto, Jorge de
Also see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/373.aspx

from: http://support.microsoft.com/?id=255504

A domain controller whose FSMO roles have been seized should not be
permitted to communicate with existing domain controllers in the forest.
In this scenario, you should either format the hard disk and reinstall
the operating system on such domain controllers or forcibly demote such
domain controllers on a private network and then remove their metadata
on a surviving domain controller in the forest by using the ntdsutil
/metadata cleanup command. The risk of introducing a former FSMO role
holder whose role has been seized into the forest is that the original
role holder may continue to operate as before until it
inbound-replicates knowledge of the role seizure. Known risks of two
domain controllers owning the same FSMO roles include creating security
principals that have overlapping RID pools, and other problems.

Cheers,
jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: donderdag 11 januari 2007 14:12
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Seized Roles - Flatten DC?

Dear collective,

I am at a site where somebody has panicked, and all 5 roles have been
seized in the last month, and have then been transferred back to the
DCs they were previously on.

I had thought that certain roles (RID, Schema and possibly Domain
Naming) being seized meant you had to wipe the DCs, and re-install
Windows before you could use them again.

Problem is - I can't find anything on technet to back this up.  Best I
can find is an article saying that seizing the RID is a 'drastic
measure'.

Can anyone point me towards something which says, ideally - If you
seize role X, you MUST do Y, or the rivers will turn to blood, you
will be visited by a plague of locusts and your firstborn will be
killed.

Thanks in advance,


-- 
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche




RE: [ActiveDir] Seized Roles - Flatten DC?

2007-01-11 Thread Almeida Pinto, Jorge de
You don't need to re-install Windows. Forced demotion (offline, using an
out-of-band management solution) and promotion of the DCs is enough, with
a metadata cleanup before the promotion; however, as the DCs have
already been online, you might as well use a normal demotion. After that
MAKE SURE all roles are owned by a DC. Check the health of things to be
sure!

With transferring, the role is handed over nicely to the other DC...

With seizing, the role is hijacked.

As the article says, the old FSMO role owner still does its work until it
knows someone else hijacked its role. Other DCs might still use the old
FSMO while some use the new. You do not want that kind of stuff.

Cheers,
jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: donderdag 11 januari 2007 15:03
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seized Roles - Flatten DC?

On 11/01/07, Almeida Pinto, Jorge de
[EMAIL PROTECTED] wrote:
 Also see:
 http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/373.aspx

 from: http://support.microsoft.com/?id=255504


Thanks Jorge,

Nothing about three days of darkness or locusts or the massacre of
first-borns, but I think it ought to settle the argument.  Of course,
now they'll just want to dpromo the machines down, clean the metadata
and bring them back up again.  Nobody wants to re-install Windows on
servers sitting in a datacentre miles away.
Ho-hum, I tried my best...

-- 
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche


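The "MAKE SURE all roles are owned by a DC" check from Jorge's reply, as an added example that is not part of the original thread: it asks every DC in the domain which server it believes holds each FSMO role and flags the two failure modes the KB text describes, DCs that disagree because the seizure has not replicated everywhere, and a role that still points at an NTDS Settings object which has since been deleted (metadata cleanup done, role never reassigned). It assumes a domain-joined host with read access to AD; DC names are taken from the directory rather than hard-coded.

```powershell
# Added example, not part of the original post.
function Get-FsmoOwnersAsSeenBy {
    param([string]$Dc)
    $rootDse  = [adsi]"LDAP://$Dc/RootDSE"
    $domainNc = $rootDse.Properties['defaultNamingContext'].Value
    $schemaNc = $rootDse.Properties['schemaNamingContext'].Value
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    # The object that carries fSMORoleOwner for each role.
    $roleObjects = [ordered]@{
        PDC            = $domainNc
        RID            = "CN=RID Manager`$,CN=System,$domainNc"
        Infrastructure = "CN=Infrastructure,$domainNc"
        Schema         = $schemaNc
        DomainNaming   = "CN=Partitions,$configNc"
    }
    foreach ($role in $roleObjects.Keys) {
        $obj   = [adsi]"LDAP://$Dc/$($roleObjects[$role])"
        $owner = [string]$obj.Properties['fSMORoleOwner'].Value
        # fSMORoleOwner is an NTDS Settings DN: CN=NTDS Settings,CN=<server>,CN=Servers,...
        # If that object was deleted, the DN carries "\0ADEL:" and the second RDN is
        # "CN=Deleted Objects" instead of a server name.
        [pscustomobject]@{
            AskedDc = $Dc
            Role    = $role
            Owner   = (($owner -split ',')[1] -replace '^CN=')
            Deleted = ($owner -match '\\0ADEL:')
        }
    }
}

function Test-FsmoAgreement {
    $dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
           ForEach-Object { $_.Name }
    $views = foreach ($dc in $dcs) {
        try { Get-FsmoOwnersAsSeenBy -Dc $dc } catch { Write-Warning "$dc unreachable: $_" }
    }
    # One row per role: the set of owners the DCs reported, and whether they agree.
    $views | Group-Object Role | ForEach-Object {
        $owners = @($_.Group | Select-Object -ExpandProperty Owner -Unique)
        [pscustomobject]@{
            Role         = $_.Name
            Owners       = ($owners -join ', ')
            Consistent   = ($owners.Count -eq 1)
            DeletedOwner = [bool]($_.Group | Where-Object Deleted)
        }
    }
}

Test-FsmoAgreement | Format-Table -AutoSize
```

A row with Consistent = False means some DCs have not yet inbound-replicated the seizure (or the old holder is back online and still answering), which is exactly the overlapping-RID-pool scenario the KB warns about; DeletedOwner = True means the role must be seized or transferred to a live DC. `netdom query fsmo` and `dcdiag /test:knowsofroleholders /v` are the built-in cross-checks for the same information.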


RE: [ActiveDir] IIS install

2007-01-11 Thread Almeida Pinto, Jorge de
As of w2k3 there is a setting that prevents the installation of IIS,
when enabled of course...


Computer configuration\Administrative Templates\Windows
Components\Internet Information Services\Prevent IIS Installation =
[ENABLED | DISABLED]



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: donderdag 11 januari 2007 16:01
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] IIS install

I'm having a hard time installing the IIS. It said that it can copy
files. Other than a bad CD, what could be keeping it from installing? Is there a
GP setting that I'm not aware of that will keep the IIS from installing?

Antonio 






RE: [ActiveDir] Domain Admin

2007-01-10 Thread Almeida Pinto, Jorge de
If he just needs administrative equivalent permissions on THOSE TWO
MEMBER SERVERS you can put his account into the local administrators
group of each server. If he is logged on, tell him to log out and log
on AFTER you have added his account to the groups. DOMAIN ADMIN
equivalent permissions is a little bit too much imo as that gives him
full access to everything in AD...

 

Either you need to install the adminpak and/or you need to make them
visible in the start menu

 

For what tasks are the administrative equivalent permissions needed?

 

Cheers,

jorge

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Patrick
Sent: woensdag 10 januari 2007 6:20
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Admin

 

I have a consultant that is asking for domain admin rights on 2 member
servers. I have googled it but nothing seems to work out right. The
servers are on the domain but the consultant just has a domain user
account.

He can log on to the servers while they are on the domain but the
administrative tools are not there (as it should). I want to create an OU
and put the two machines in that OU and delegate control to the
consultant's domain user account. Any other way to do this without
registry hacks or scripts? 

All assistance welcomed





RE: [ActiveDir] How to change login authentication

2007-01-10 Thread Almeida Pinto, Jorge de
You can't just change the authenticating DC from X to Y.

 

A DC for authentication is located by using DNS. By default clients
search for a DC that has records in DNS for their own site (DCs
physically there or covering the site) and when none found a query for
the DCs that have registered domain wide records (by the default all the
DCs). For that to work correctly you need to:

* Define your sites in AD correctly for one or more locations (most of
the times each location has its own AD site definition)

* Define the subnets within each location in AD and associate each
subnet with an AD site that represents the location of the subnets

 

Also make sure an AD site link exists with the sites associated to it so
that DCs in each site/location can replicate with each other

 

That way a client in site A will go for a DC in site A first and a
client in site B will go for a DC in site B first.

 

Cheers,

jorge

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ajay Kumar
Sent: woensdag 10 januari 2007 15:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to change login authentication

 

Hi all,

 

I have one Domain Controller (name dc01) in India and another DC (name
dc02) in a remote location. Both DCs can communicate. I have been told to
change user login authentication from DC01 to DC02.

So how can I perform this task? Please help me. I didn't find any doc
related to this.

 

Thanks,

Ajay 



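To see what the DC locator actually gets back from DNS for the two lookups Jorge describes (site-specific records first, then the domain-wide records that every DC registers by default), here is an added example, not part of the original post: it enumerates the sites from the Configuration NC, resolves the site-specific and domain-wide `_ldap._tcp` SRV records with their priority and weight, and flags any DC in the domain-wide answer that is not in the hub set. The domain name and hub DC list are placeholders; it needs Resolve-DnsName (Windows 8 / Server 2012 or later) and LDAP read access to the Configuration NC.

```powershell
# Added example, not part of the original post. Placeholders: domain, hub DCs.
function Get-DcLocatorRecords {
    param(
        [string]$Domain   = 'corp.example.com',           # assumed
        [string[]]$HubDcs = @('dc01.corp.example.com')    # assumed: only these should answer domain-wide
    )
    $configNc  = ([adsi]"LDAP://$Domain/RootDSE").Properties['configurationNamingContext'].Value
    $sitesBase = [adsi]"LDAP://$Domain/CN=Sites,$configNc"
    $sites = (New-Object System.DirectoryServices.DirectorySearcher($sitesBase, '(objectClass=site)', [string[]]@('cn'))).FindAll() |
             ForEach-Object { [string]$_.Properties['cn'][0] }

    # One row per SRV record; an empty result means nobody registered that name.
    $query = {
        param($Name, $Scope)
        Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'SRV' } |
          ForEach-Object {
              $dcName = $_.NameTarget.TrimEnd('.')
              [pscustomobject]@{
                  Scope    = $Scope
                  Record   = $Name
                  Dc       = $dcName
                  Priority = $_.Priority     # lower wins outright
                  Weight   = $_.Weight       # within equal priority, proportional share
                  # A branch DC in the domain-wide answer will serve "give me a DC in
                  # domain X" queries from any site without records of its own.
                  Unexpected = ($Scope -eq 'domain-wide' -and ($HubDcs -notcontains $dcName))
              }
          }
    }

    foreach ($s in $sites) { & $query "_ldap._tcp.$s._sites.dc._msdcs.$Domain" "site:$s" }
    & $query "_ldap._tcp.dc._msdcs.$Domain" 'domain-wide'
}

Get-DcLocatorRecords | Sort-Object Scope, Priority | Format-Table -AutoSize
```

A site with no rows is a site no DC covers, so its clients fall through to the domain-wide list. Rows marked Unexpected are branch DCs that still register domain-wide records; the per-DC switch for that is the Net Logon policy "DC Locator DNS records not registered by the DCs" (registry value DnsAvoidRegisterRecords under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters), where listing the mnemonics Ldap, Gc, Kdc and Dc keeps a DC out of the domain-wide answers while it keeps registering its site-specific records.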


RE: [ActiveDir] How to change login authentication

2007-01-10 Thread Almeida Pinto, Jorge de
I thought of that...

 

I think you mean DNS Priority (which will always use the DC with the
lowest value) instead of DNS Weight (which would still use the other DC,
but less/more frequently depending on the weight configuration) ;-))

 

You can't just change the authenticating DC from X to Y.-- I mean
redirect a set of clients to one DC and another set of clients to the
other DC (while either set never uses the other DC). 

 

As you said: it depends... because what does he mean with: I have
told to change user login authentication from DC01 to DC02. Everything
is in one site and DC02 must now be used OR clients in remote site must
only use DC02 instead of also use DC01

 

Cheers,

Jorge

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: woensdag 10 januari 2007 15:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to change login authentication

 

In addition to the below, if we assume that DC01 and DC02 are both in
the *same* site, then perhaps ajay should consider DNS weighting, so
that DC02 is used 'in preference' to DC01.

 

As usual, it's a 'it depends' style question.

 

neil

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: 10 January 2007 14:39
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to change login authentication

You can't just change the authenticating DC from X to Y.

 

A DC for authentication is located by using DNS. By default clients
search for a DC that has records in DNS for their own site (DCs
physically there or covering the site) and when none found a query for
the DCs that have registered domain wide records (by the default all the
DCs). For that to work correctly you need to:

* Define your sites in AD correctly for one or more locations (most of
the times each location has its own AD site definition)

* Define the subnets within each location in AD and associate each
subnet with an AD site that represents the location of the subnets

 

Also make sure an AD site link exists with the sites associated to it so
that DCs in each site/location can replicate with each other

 

That way a client in site A will go for a DC in site A first and a
client in site B will go for a DC in site B first.

 

Cheers,

jorge

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ajay Kumar
Sent: woensdag 10 januari 2007 15:18
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to change login authentication

 

Hi all,

 

I have one Domain Controller (name dc01) in India and another DC (name
dc02) in a remote location. Both DCs can communicate. I have been told to
change user login authentication from DC01 to DC02.

So how can I perform this task? Please help me. I didn't find any doc
related to this.

 

Thanks,

Ajay 

 


PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.



RE: [ActiveDir] list logon user for the services in serveral server

2007-01-09 Thread Almeida Pinto, Jorge de
for services use a script created by Dean Wells...
 
get it here: http://www.jadonex.com/downloads/dec/DECscripts.zip
 
PS joe/Dean: define coming soon ;-)
 
for scheduled tasks create a script using schtasks (w2k3)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Ramon Linan
Sent: Tue 2007-01-09 17:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list logon user for the services in serveral server


Hi,
 
A SA just left the company and I suspect he installed several 
applications on several servers using his account; therefore I can't change his 
password or disable his account. Is there an easy way of finding which services are 
running under his account without having to go to each different server?
 
Thanks
 
Rezuma


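The inventory Ramon asks for, covering both the services and the scheduled tasks Jorge points at, as an added example (not Dean Wells' script and not part of the original post): it walks every server object in AD, reads the service logon account over WMI and the "Run As User" column of `schtasks /V /FO CSV`, and reports everything running as the departed admin's account so it can be disabled without surprises. It assumes Windows PowerShell (Get-WmiObject) on a domain-joined host with admin rights on the targets; the account name is a placeholder.

```powershell
# Added example, not part of the original post. Placeholder: the account name.
function Find-AccountUsage {
    param(
        [Parameter(Mandatory)][string]$Account,   # DOMAIN\user form, e.g. 'CORP\jdoe'
        [string[]]$ComputerName                   # default: every server object in AD
    )
    if (-not $ComputerName) {
        $ComputerName = ([adsisearcher]'(&(objectCategory=computer)(operatingSystem=*Server*))').FindAll() |
                        ForEach-Object { [string]$_.Properties['dnshostname'][0] }
    }
    # Services may store the account as DOMAIN\user or user@domain; match both.
    $netbios, $sam = $Account -split '\\', 2
    if (-not $sam) { throw 'Give the account as DOMAIN\user' }
    $pattern = '^(' + [regex]::Escape("$netbios\$sam") + '|' + [regex]::Escape($sam) + '@.+)$'

    foreach ($c in $ComputerName) {
        # Services: Win32_Service.StartName is the logon account.
        try {
            Get-WmiObject -Class Win32_Service -ComputerName $c -ErrorAction Stop |
              Where-Object { $_.StartName -match $pattern } |
              ForEach-Object {
                  [pscustomobject]@{ Computer = $c; Kind = 'Service'; Name = $_.Name; RunsAs = $_.StartName; State = $_.State }
              }
        } catch { Write-Warning "$c (WMI): $_" }

        # Scheduled tasks: schtasks /V /FO CSV repeats its header row per task folder,
        # so drop rows whose TaskName is literally 'TaskName'.
        $tasks = schtasks /S $c /Query /V /FO CSV 2>$null | ConvertFrom-Csv |
                 Where-Object { $_.TaskName -ne 'TaskName' }
        $tasks | Where-Object { $_.'Run As User' -match $pattern } | ForEach-Object {
            [pscustomobject]@{ Computer = $c; Kind = 'ScheduledTask'; Name = $_.TaskName; RunsAs = $_.'Run As User'; State = $_.Status }
        }
    }
}

Find-AccountUsage -Account 'CORP\jdoe' | Format-Table -AutoSize
```

This covers the two places Jorge names; identities configured elsewhere (IIS application pools, COM+ applications, credentials typed into third-party software) are not in this inventory, so the safe order is to reset the password first, watch for authentication failures from that account, and only then disable it.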

RE: [ActiveDir] AD Schema - adding an attribute

2007-01-09 Thread Almeida Pinto, Jorge de
In addition to what Brian said...
 
If you want to get OIDs for your organization to use in productive environment 
you can get your OIDs using this page:
http://msdn.microsoft.com/certification/ad-registration.asp
 
More info:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/obtaining_a_root_oid_from_an_iso_name_registration_authority.asp
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Tue 2007-01-09 18:08
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Schema - adding an attribute



Well, first off - birthDate already exists - can you take advantage of
it?

Second you need to register a prefix and OID tree with Microsoft on
MSDN. This is how you will get a starting point for OIDs. You'll also
get a prefix so it would be ewu-birthMonth or something.

Don't use oidgen.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Tuesday, January 09, 2007 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Schema - adding an attribute

How do I add an attribute to AD?

I'd like to add birthMonth, birthDay, birthYear to my Active Directory
Schema for extra data to store for my users.

Looking in MMC - Schema, I see I can add an attribute, but it wants an
Object ID (OID). I know there's a oidgen program somewhere (haven't
found it
yet). but is that the best way to do it?

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Sr. Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
+--+
| 509.359.6972 ph. - 509.359.7087 fx
| 307 MONROE HALL | Cheney, WA 99004
+--+








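What the attribute Matt asks about looks like once you have an OID from a registered prefix, as an added example that is not part of the original post: one LDIF file that creates a single-valued integer attribute, flushes the schema cache, and adds the attribute to the User class, imported with ldifde. The `ewu-` prefix follows Brian's suggestion, but the OID, the attribute name and the temp path are placeholders; the OID in particular must come from your own registered arc, never from oidgen. Run it as a member of Schema Admins on (or pointed at) the schema master, and remember that a schema extension is forest-wide and cannot be deleted, only defuncted.

```powershell
# Added example, not part of the original post. Placeholders: OID, attribute name.
$Oid  = '1.3.6.1.4.1.99999.1.1'   # assumed placeholder under a private-enterprise arc; use YOUR registered OID
$Name = 'ewu-birthMonth'          # assumed, following the prefix Brian suggests
$schemaNc = ([adsi]'LDAP://RootDSE').Properties['schemaNamingContext'].Value

# attributeSyntax 2.5.5.9 + oMSyntax 2 = Integer; rangeLower/rangeUpper bound the value.
$ldif = @"
dn: CN=$Name,$schemaNc
changetype: add
objectClass: attributeSchema
attributeID: $Oid
lDAPDisplayName: $Name
adminDisplayName: $Name
adminDescription: Month of birth (1-12), local schema extension
attributeSyntax: 2.5.5.9
oMSyntax: 2
isSingleValued: TRUE
rangeLower: 1
rangeUpper: 12
searchFlags: 0

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,$schemaNc
changetype: modify
add: mayContain
mayContain: $Name
-
"@

$file = Join-Path $env:TEMP 'birthMonth.ldf'
Set-Content -Path $file -Value $ldif -Encoding ASCII
# -i import, -f input file, -j log directory (ldif.log / ldif.err land there).
& ldifde -i -f $file -j $env:TEMP
```

Before importing, check `ldif.err` from a dry run against a lab forest; the schemaUpdateNow step between the attribute and the class modification is what makes the new lDAPDisplayName visible to the second record in the same import.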

RE: [ActiveDir] SID Deleted users remains in NTS permission.

2007-01-04 Thread Almeida Pinto, Jorge de
and to remove those orphaned SIDs you could use SUBINACL (make sure you 
download the latest version from the MS site)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Akomolafe, Deji
Sent: Thu 2007-01-04 10:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SID Deleted users remains in NTS permission.


It's normal. You should be permissioning your resources with groups instead 
of directly with user accounts. Groups tend to last longer, so you don't have 
to deal with the horrible SIDs.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Yann
Sent: Thu 1/4/2007 1:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID Deleted users remains in NTS permission.


Hello all & Happy new year! :)
 
AD 2k3 SP1 in FFL mode.
 
When I delete a user or group from AD, and these objects have permissions in 
NTFS permissions, I usually see their SIDs remaining in those file & directory 
ACLs.
 
Is this normal? If not, what could be the reason(s) & how to investigate this 
issue?
 
Thanks,
 
Yann
 
 




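Added example, not part of the thread and not SUBINACL itself: a PowerShell equivalent of the clean-up Jorge points at. It reports every NTFS ACE under a share whose trustee is a SID Windows can no longer resolve to a name, and with -Remove strips the explicit ones. The share path $Root is a placeholder; the caller needs rights to read and rewrite the DACLs (ownership or SeRestorePrivilege on some folders).

```powershell
# Added example (not from the thread): find and optionally remove orphaned SIDs from NTFS ACLs.
# $Root is a hypothetical share path; -Remove actually rewrites DACLs, without it the script only reports.
param(
    [string]$Root = 'D:\Shares\Projects',
    [switch]$Remove
)

# Domain and local account SIDs share this shape. Built-in/well-known SIDs (S-1-5-32-...)
# always resolve, so they never match here.
$accountSidPattern = '^S-1-5-21-\d+-\d+-\d+-\d+$'

function Get-OrphanedAce {
    param([string]$Path)
    # Get-Acl translates every resolvable SID to DOMAIN\Name. A trustee that still reads as
    # a raw SID string is one the domain (or the local SAM) no longer knows about.
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -match $accountSidPattern) {
            [pscustomobject]@{
                Path      = $Path
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Remove-OrphanedAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Only explicit ACEs can be removed on this object. Inherited ones disappear once the
    # parent that defines them is cleaned, which is why the tree is walked top-down below.
    $stale = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -match $accountSidPattern })
    if ($stale.Count -eq 0) { return 0 }
    foreach ($ace in $stale) { $null = $acl.RemoveAccessRule($ace) }
    Set-Acl -Path $Path -AclObject $acl
    return $stale.Count
}

# Get-ChildItem -Recurse lists a directory entry before the entries inside it, the order
# Remove-OrphanedAce relies on. -Force includes hidden and system entries.
$items = @(Get-Item -Path $Root) +
         @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue)

$report = foreach ($item in $items) { Get-OrphanedAce -Path $item.FullName }
$report | Format-Table -AutoSize

if ($Remove) {
    $removed = 0
    foreach ($item in $items) { $removed += Remove-OrphanedAce -Path $item.FullName }
    "Removed $removed orphaned explicit ACE(s) under $Root"
}
```

Run it without -Remove first and read the report: a SID that fails to resolve because a trusted domain is temporarily unreachable looks exactly like a deleted account, which is one more reason to put groups rather than users in ACLs, as Deji says.
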

RE: [ActiveDir] Is ADAM free?

2007-01-02 Thread Almeida Pinto, Jorge de
yes, it is free... you would still need to license the OS it runs on
 



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Tue 2007-01-02 15:36
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is ADAM free?



Is ADAM free? If not, how much does it cost?

Thanks!
-James
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx





RE: [ActiveDir] migration help

2006-12-29 Thread Almeida Pinto, Jorge de
in your case I would suggest an UPGRADE of the domain to w2k3 AD instead of a 
migration to a NEW forest

high-level steps are
* use the W2K3 SP1 CD!
* update schema (only needed to introduce w2k3 DCs, not needed for w2k3 member 
servers)
* introduce w2k3 DCs
* move stuff over from w2k DCs to w2k3 DCs
* demote and decommission W2K DCs
 
also see for additional information:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/What-information-is-available-when-UPGRADING-from-W2K_2F00_E2K-to-W2K3-_2800_R2_29002F00_E2K3_3F00_.aspx
 



From: [EMAIL PROTECTED] on behalf of badhusha sd
Sent: Fri 2006-12-29 12:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] migration help


Hi all
 
I have a Windows 2000 domain with 2 domain controllers and 3 file servers; the 
user accounts are spread across all the servers (i.e. the Active Directory 
accounts are added to file server directory security to assign access to users 
for folders and files). Now I am installing new servers for Windows 2003 and I 
want to migrate the user accounts from Windows 2000 to Windows 2003. How do I 
do it, what happens to the user accounts after migration, and what happens to the 
user accounts added to the file servers? How do I retain the same user accounts 
in the file server directory permissions?
 
please give me a solution for a proper migration.
 
Thanks in advance.
 
Bdahusha.s.d.




RE: [ActiveDir] migration help

2006-12-29 Thread Almeida Pinto, Jorge de
please read the articles I mailed earlier
 



From: [EMAIL PROTECTED] on behalf of badhusha sd
Sent: Fri 2006-12-29 13:51
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] migration help


You're right, basically I had thought of it.
 
But the company has bought HP DL G4 servers for the new Windows 2003 DCs; instead of 
the ML 530, I have to use the DL G4 servers for the new installation.

How do I proceed?
 
Thanks

 

RE: [ActiveDir] Built in Security groups

2006-12-22 Thread Almeida Pinto, Jorge de
easy... say something like: you cannot delete built-in groups/accounts ;-)
 
that should silence the guys and gals above! ;-)
 



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Fri 2006-12-22 17:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Built in Security groups



Does anyone have a reference (preferably from MS) showing that you should not 
remove the Built in Security groups such as Schema Admins, Enterprise Admins, 
etc. It has come down from above that we should be removing these groups and 
while I know better I need some ammunition to back me up. 

Thanks, 
Andrew Fidel



RE: [ActiveDir] Built in Security groups

2006-12-22 Thread Almeida Pinto, Jorge de
by the way, what is the reason? I hope it is not something like security. If 
you were able to delete them, it would create more of a mess compared to the 
added value.
 
 




[ActiveDir] WAY OT - BUT LOTS OF FUN: someboby's a$$ got fried ;-)

2006-12-21 Thread Almeida Pinto, Jorge de
this is fun.. ;-)
 
http://www.gilsblog.com/index.cfm?commentID=93 
http://www.gilsblog.com/index.cfm 
 
cheers,
 
Jorge
 
PS.: sorry Gil! ;-)
 
 


RE: [ActiveDir] DFS-R replication through a firewall

2006-12-21 Thread Almeida Pinto, Jorge de
thank you steve!
 



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Thu 2006-12-21 01:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DFS-R replication through a firewall



You can fix the port using DFSrdiag.  See the following from: 
http://technet2.microsoft.com/WindowsServer/en/library/f9b98a0f-c1ae-4a9f-9724-80c679596e6b1033.mspx

Can DFS Replication replicate between branch offices without a VPN connection?
Yes, assuming that there is a private Wide Area Network (WAN) link (not the 
Internet) connecting the branch offices. However, you must open the proper 
ports in external firewalls. DFS Replication uses the RPC Endpoint Mapper (port 
135) and a randomly assigned ephemeral port above 1024. You can use the 
Dfsrdiag command line tool to specify a static port instead of the ephemeral 
port. For more information about how to specify the RPC Endpoint Mapper, see 
article 154596 in the Microsoft Knowledge Base 
(http://go.microsoft.com/fwlink/?LinkId=73991).

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, December 20, 2006 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DFS-R replication through a firewall

We open port 135 for our subnets only. We made changes to registry to
force high ports through a range and open those ports in firewall policy.

-Z.V.

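Added example, not from the thread: the static-port procedure Steve quotes, scripted for several DFS-R members. dfsrdiag StaticRPC pins the DFS-R RPC endpoint, the inbound firewall rule is then limited to the partners' subnets and to the DFSR binary, and a netstat check confirms that the DFSR service really listens on that port. The member names, port 5722 and the subnets are placeholders. It assumes WinRM access to the members and the Windows Firewall of Server 2008 or later (netsh advfirewall); on Server 2003 R2 the rule is added with "netsh firewall" instead. TCP 135 (the endpoint mapper) stays open as Steve notes.

```powershell
# Added example (not from the thread): pin DFS-R to a static RPC port and open it on each member.
# $Port, $Members and $PeerSubnets are hypothetical values for illustration.
param(
    [int]$Port = 5722,
    [string[]]$Members = @('FS-AMS01', 'FS-EIN01'),
    [string]$PeerSubnets = '10.10.0.0/16,10.20.0.0/16'
)

foreach ($member in $Members) {
    # Step 1 (Steve's pointer): write the static port into the member's DFS-R configuration.
    # dfsrdiag comes with the DFS Replication tools and talks to the member over WMI.
    dfsrdiag StaticRPC /Port:$Port /Member:$member

    Invoke-Command -ComputerName $member -ArgumentList $Port, $PeerSubnets -ScriptBlock {
        param($Port, $PeerSubnets)

        # Step 2: allow the port inbound, but only from the replication partners and only
        # for the DFSR service binary, so nothing else on the host can reuse the opening.
        netsh advfirewall firewall add rule name=DFSR-StaticRPC-$Port dir=in action=allow `
            protocol=TCP localport=$Port remoteip=$PeerSubnets program=%SystemRoot%\system32\dfsrs.exe

        # Step 3: restart the service so it rebinds to the static port, then verify that the
        # DFSR process (not some other RPC server) holds the LISTENING socket on that port.
        Restart-Service -Name DFSR
        Start-Sleep -Seconds 10
        $dfsrPid   = (Get-WmiObject Win32_Service -Filter "Name='DFSR'").ProcessId
        $listening = netstat -ano -p TCP | Select-String ":$Port\s+\S+\s+LISTENING\s+$dfsrPid\s*$"

        [pscustomobject]@{
            Member        = $env:COMPUTERNAME
            Port          = $Port
            DfsrListening = [bool]$listening
        }
    }
}
```

A member that reports DfsrListening = False after the restart is still using an ephemeral port, and the firewall between the sites will drop its connections even though 135 is open.
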

RE: [ActiveDir] OT: DSGET/DSQUERY

2006-12-20 Thread Almeida Pinto, Jorge de
It should work, I just tried it myself.

 

jorge

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter
Sent: woensdag 20 december 2006 10:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: DSGET/DSQUERY

 

Hello,

Windows 2003 Single Domain

I have a security group with 120 users which I want to export and add
to a new Security Group. 

I have tried using the following query but it fails. It says DSMOD
Failed: The parameter is incorrect

This is the query:

dsget group "cn=RBAC-Officer-X-X-R,ou=security groups,ou=testpol,dc=testpol,dc=org,dc=uk" -members | dsmod group "cn=MCMSSubscribers-X-A,ou=security groups,ou=testpol,dc=testpol,dc=org,dc=uk" -addmbr

Any ideas? or alternative methods.

Amy






RE: [ActiveDir] New subdomain

2006-12-20 Thread Almeida Pinto, Jorge de
Don't know what is described in there, but things to take care of are:
* Domain Functional Level
* DNS zone delegations for the new domain
* Forwarding from the new child domain up the tree
* Anonymous access configuration during creation
* OU structure
* GPO structure
* delegation of control
* etc.

Just like every other domain, but nothing special though!

Cheers,
jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thomas Hess
Sent: woensdag 20 december 2006 12:09
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] New subdomain

I have to create a new Windows 2003 child domain in Active Directory.

I've found MS KB Q255248 which describes the actions, but the KB
applies to Windows Server 2000 only.

Is there anything special with a Win 2003 child domain or can I use
the steps described in KB255248 to create the child domain?

Thanks in advance
Thomas


[ActiveDir] DFS-R replication through a firewall

2006-12-20 Thread Almeida Pinto, Jorge de
Hi Everyone,
 
I assume everyone knows about:
How to restrict FRS replication traffic to a specific static port
http://support.microsoft.com/kb/319553
 
I was wondering about the configuration for DFS-R. Does anyone have experience 
with that working through a firewall? (instead of opening 135 and a range of 
high ports)
 
Thanks!
 
cheers,
Jorge
 

RE: [ActiveDir] AdminSDHolder orphans

2006-12-18 Thread Almeida Pinto, Jorge de
?
My first thought would be YES, it should reverse the changes it made 
previously...on the other side...why doesn't it already? there is a 
script...2003 is the second AD version... so I suspect something else might be 
the reason why it does not do it
 
adminSDHolder sets the list you mention below when it finds a user or group 
that is a member of some protected group.
That is easy to do because it only checks the known protected users, known 
protected groups and their members. Not that difficult to query.
 
Now remove user X from a protected group or a group that is a member of a 
protected group. What is left over? Permissions still reflect the config of the 
adminSDHolder, inheritance is not enabled and adminCount=1.
 
(1)
By querying known protected users, known protected groups and their members you 
know who is protected. By querying for adminCount=1 you get the protected users 
and the users who once were protected. From that list remove everyone that is 
protected. Leftovers are sec. princ. who are not protected anymore but still 
have adminCount=1 (assuming nobody sets adminCount=1 just for fun ;-) ). Set 
adminCount=0, enable inheritance and revert permissions back to schema default. 
Possible issues here are if some programs/apps have set their own permissions 
on objects. You do not know what was previously there except for the schema 
default perms. The same still applies now when you need to do it manually, so 
there would not be much difference.
 
(2) OR
just get everyone with adminCount=1 and check if it is a direct member of a 
protected group or an indirect member of a protected group (group nesting). If 
not set adminCount=0, enable inheritance and revert permissions back to schema 
default.
 
just some euro thoughts ;-)
 



From: [EMAIL PROTECTED] on behalf of Tony Murray
Sent: Tue 2006-12-19 02:32
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AdminSDHolder orphans




Just wanted to get your opinion on something.

When an object becomes a member of one of the groups protected by the 
AdminSDHolder, the next run of the SDProp thread will:

* Replace the object's security descriptor with that of the AdminSDHolder;
* Disable permissions inheritance on the object;
* Set a new adminCount attribute with a value > 0 on the object.

If the object is then removed from the protected group(s), the changes made by 
the AdminSDHolder are not reversed.  In other words, the adminCount value 
remains the same, as does the security descriptor.

Is it just me or does anyone think this behaviour is a little strange?  What I am 
finding in many environments is a large number of these AdminSDHolder 
"orphans".  These can arise quite easily, e.g. an account is made a 
temporary member of a privileged group to perform a specific task or someone 
changes role within the organisation.  Of course I realise that in a perfect 
world these scenarios would be minimised by the use of dual accounts for 
splitting standard vs. admin functions, but the reality is that it is all too 
common.

The AdminSDHolder orphans can cause problems when troubleshooting delegation 
issues.  For example, I came across this issue recently when setting up 
permissions for GAL Sync using IIFP.  I had to tidy up before the sync would 
complete without errors.

Does anyone run a regular cleanup using the script provided in this article (or 
similar)?

http://support.microsoft.com/kb/817433

Do you think the AdminSDHolder behaviour should be changed to clean-up after 
itself? 

Tony





Sent via the WebMail system at mail.activedir.org



  





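Added example, not from the thread: Jorge's option (2) as a script, limited to user accounts. It lists every user with adminCount=1 whose transitive group membership (read from the constructed tokenGroups attribute) contains none of the protected groups' well-known SIDs, and with -Fix sets adminCount back to 0 and re-enables ACL inheritance, the two steps described above. It assumes the ActiveDirectory PowerShell module, a reachable global catalog (tokenGroups needs one to include universal groups such as Enterprise Admins) and write access to the objects; the protected set is the Windows Server 2003 SP1 list that KB 817433 covers.

```powershell
# Added example (not from the thread): find and repair AdminSDHolder "orphans" among user accounts.
# Without -Fix the script only reports. Assumes the ActiveDirectory module and a reachable GC.
param([switch]$Fix)

Import-Module ActiveDirectory

$domain  = Get-ADDomain
$domSid  = $domain.DomainSID.Value
$rootSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value

# Protected groups by well-known SID (the Windows Server 2003 SP1 list).
# Schema Admins and Enterprise Admins exist only in the forest root domain.
$protectedGroupSids = @(
    "$domSid-512", "$domSid-516", "$domSid-517",      # Domain Admins, Domain Controllers, Cert Publishers
    "$rootSid-518", "$rootSid-519",                    # Schema Admins, Enterprise Admins
    'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549',    # Administrators, Account Operators, Server Operators
    'S-1-5-32-550', 'S-1-5-32-551', 'S-1-5-32-552'     # Print Operators, Backup Operators, Replicator
)
# Administrator and krbtgt are protected as accounts, not through group membership.
$protectedUserSids = @("$domSid-500", "$domSid-502")

function Get-AdminCountOrphan {
    # One object per user that carries adminCount=1 but is neither a protected account
    # nor (directly or via nesting) a member of any protected group.
    foreach ($user in Get-ADUser -LDAPFilter '(adminCount=1)') {
        if ($protectedUserSids -contains $user.SID.Value) { continue }

        # tokenGroups is constructed by the DC and only returned for a base lookup of the
        # object itself, so it is read in a second call rather than in the search above.
        $tokenSids = foreach ($g in (Get-ADUser -Identity $user.DistinguishedName -Properties tokenGroups).tokenGroups) {
            if ($g -is [byte[]]) { (New-Object System.Security.Principal.SecurityIdentifier($g, 0)).Value }
            else { [string]$g }
        }
        $stillProtected = @($tokenSids | Where-Object { $protectedGroupSids -contains $_ })
        if ($stillProtected.Count -eq 0) {
            [pscustomobject]@{
                SamAccountName    = $user.SamAccountName
                DistinguishedName = $user.DistinguishedName
            }
        }
    }
}

function Repair-AdminCountOrphan {
    param([Parameter(ValueFromPipeline = $true)] $Orphan)
    process {
        # Jorge's step 1: reset adminCount (clearing the attribute works as well).
        Set-ADUser -Identity $Orphan.DistinguishedName -Replace @{ adminCount = 0 }

        # Jorge's step 2: re-enable inheritance. The explicit ACEs SDProp copied from
        # AdminSDHolder stay in place; nothing on the object records what they replaced.
        $path = "AD:\$($Orphan.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }
}

$orphans = @(Get-AdminCountOrphan)
$orphans | Format-Table -AutoSize
if ($Fix) { $orphans | Repair-AdminCountOrphan }
```

Run it without -Fix first. Re-enabling inheritance does not remove the explicit ACEs SDProp copied from AdminSDHolder, so those still need a manual review before the object is back to its schema default, which is exactly the caveat Jorge raises about application-set permissions.
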

RE: [ActiveDir] Vista GPO

2006-12-15 Thread Almeida Pinto, Jorge de
Yes...
* No more SYSVOL bloat as all Administrative Templates are stored in a 
central location
* For domain environments a central store can be created so that 
ADMX/ADML files are NOT stored (which is the default) with EACH GPO (for both 
local and domain).
* Results in less replication traffic for the SYSVOL and less storage 
is needed
* This central store MUST be created in 
..\SYSVOL\Domain\Policies\PolicyDefinitions and is thus NOT available by 
default. (Create on the PDC FSMO!)
* Can be used in EVERY domain environment (W2K/W2K3/W2K7/etc.)
* Can ONLY be managed with the GPMC and GPO Editor from Vista and 
Longhorn
* GPMC and GPO Editor will first try to use the central store and then 
the server's local store
* Just Copy %WINDIR%\PolicyDefinitions to ..\SYSVOL\Domain\Policies and 
create your own language specific sub directories if needed (EN-US will be 
available by default)

Cheers,
jorge

Met vriendelijke groeten / Kind regards,


__
MVP Profile → 
https://mvp.support.microsoft.com/profile=f8c04f4a-bff2-453e-9aed-7dfedab0be10
MVP Home Site → https://mvp.support.microsoft.com/
MVP Overview → https://mvp.support.microsoft.com/mvpexecsum
BLOG → http://blogs.dirteam.com/blogs/jorge/default.aspx
__

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Lu, WeiMing
Sent: Friday, December 15, 2006 00:11
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

With Vista ADMX format, is it a better implementation to have central
ADMX storage on the DCs?



===
Weiming Lu
Emory College Computing Support
(404)727-7917

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, December 14, 2006 5:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Vista introduces a new Admin Template format called ADMX. These are
found on Vista in C:\windows\policydefinitions and, unfortunately, cannot
be consumed by earlier versions of Windows. That is, you must manage
Vista GP from Vista.

Darren

-Original Message-
From: Za Vue [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 12/14/2006 1:18 PM
Subject: Re: [ActiveDir] Vista GPO

Sorry. Exactly what Ben wrote.

Thanks..

-Z.V.

WATSON, BEN wrote:
 Maybe he may be referring to the location of any possible new ADM
 files included with Vista.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Darren
 Mar-Elia
 Sent: Thursday, December 14, 2006 10:34 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Vista GPO

 What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3,

 unless you mean the LDIF files that are in sources\adprep on the Vista

 CD?

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
 Sent: Thursday, December 14, 2006 9:57 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Vista GPO

 Anyone know what and where the GPO plugin for Win2003 on the Vista DVD

 is called and located?

 -Z.V.


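Added example, not from the thread: the central store steps above as a script. It resolves the PDC emulator with .NET (no ActiveDirectory module needed; that module did not exist in the Vista era), creates SYSVOL\<domain>\Policies\PolicyDefinitions there, copies the ADMX files and one ADML sub-directory per culture from the local %WINDIR%\PolicyDefinitions, and warns about ADMX files that have no matching ADML. Run it from a Vista or Longhorn admin workstation as a Domain Admin; the culture list is a placeholder, en-US is what Vista ships with.

```powershell
# Added example (not from the thread): create the Group Policy central store on the PDC emulator.
# $Source and $Languages are defaults for illustration; the store path follows Jorge's description.
param(
    [string]$Source = (Join-Path $env:WINDIR 'PolicyDefinitions'),
    [string[]]$Languages = @('en-US')
)

# Locate the PDC emulator with .NET. Creating the store there means SYSVOL replication
# fans it out to every other DC from a single authoritative copy.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name
$store  = "\\$pdc\SYSVOL\$($domain.Name)\Policies\PolicyDefinitions"

if (-not (Test-Path -Path $store)) {
    New-Item -ItemType Directory -Path $store | Out-Null
}

# Language-neutral ADMX files go in the root of the store ...
Copy-Item -Path (Join-Path $Source '*.admx') -Destination $store -Force

# ... and the ADML resource files go into one sub-directory per culture.
foreach ($lang in $Languages) {
    $src = Join-Path $Source $lang
    $dst = Join-Path $store  $lang
    if (-not (Test-Path -Path $src)) { Write-Warning "No $lang ADML files under $Source"; continue }
    if (-not (Test-Path -Path $dst)) { New-Item -ItemType Directory -Path $dst | Out-Null }
    Copy-Item -Path (Join-Path $src '*.adml') -Destination $dst -Force
}

# Sanity check: every ADMX needs a matching ADML in each culture, otherwise the GPO Editor
# shows the affected settings with raw resource identifiers instead of names.
$admx = @(Get-ChildItem -Path $store -Filter *.admx | ForEach-Object { $_.BaseName })
foreach ($lang in $Languages) {
    $adml = @(Get-ChildItem -Path (Join-Path $store $lang) -Filter *.adml -ErrorAction SilentlyContinue |
              ForEach-Object { $_.BaseName })
    $missing = @($admx | Where-Object { $adml -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning ("{0}: ADMX without ADML: {1}" -f $lang, ($missing -join ', '))
    }
}
"$($admx.Count) ADMX files in $store"
```

Once the folder exists, GPMC and the GPO Editor on Vista/Longhorn read from it instead of the local %WINDIR%\PolicyDefinitions, so new or updated ADMX files need only be dropped into the store, not onto every admin workstation.
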


RE: [ActiveDir] Join a Domain

2006-12-11 Thread Almeida Pinto, Jorge de
?
why is this service record not DOMAIN related? (or am I missing something here)
 
_ldap._tcp.dc._msdcs.server-2.blackstallions.com.sa
^^^
 
what is SERVER-2? is that a domain? or a DC?
 



From: [EMAIL PROTECTED] on behalf of Tony Murray
Sent: Mon 2006-12-11 20:46
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Join a Domain



Also have a look at DNSLint - a great tool for checking your SRV records are 
published in DNS correctly.

http://support.microsoft.com/kb/321046

Tony
-- Original Message --
From: Al Mulnick [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Mon, 11 Dec 2006 14:11:16 -0500

Based on that, you *should* have other issues going on with your domain
controllers.

That SRV record is a way for the client (your workstation you're trying to
join) to find the domain controllers in its site. But it's not finding them
as expected, and therefore is unable to contact the domain.

You'll want to check your DNS server and a) make sure you're using the
proper one and b) ensure that the domain controllers are registering their
records properly.

Al

On 12/11/06, John [EMAIL PROTECTED] wrote:

 There was an error in my one client machine to join a domain. Below are:

 An error occurred when DNS was queried for the service location (SRV)
 resource record used to locate a domain controller for domain
 server-2.blackstallions.com.sa.
 The error was: No records found for given DNS query.
 (error code 0x251D DNS_INFO_NO_RECORDS)
 The query was for the SRV record for _ldap._tcp.dc._msdcs.server-
 2.blackstallions.com.sa

 What does this SRV record means? There is something I need to re-configure
 in the server?

 Let me know expert.
 Thanks.
 John






RE: [ActiveDir] DFS vs Robocopy question

2006-12-06 Thread Almeida Pinto, Jorge de
I prefer DFS over Robocopy as DFS stores it information in a central location.. 
Active Directory ;-))
I would go for DFS replicated with DFS-R, which is available on R2 servers. 
DFS-R is so much cooler when compared with NTFRS. For example DFS-R ONLY 
replicates changes whereas NTFRS replicates everything, even when only ONE bit 
has changed. Independent of which replication mechanism used, DFS is a site 
aware service. It tries to locate the nearest Root Target and Link Target. 
However, be aware that when auto site link bridging is disable you need 
additional configuration with REPADMIN.

Remember however, domain based DFS is just like it says...domain-based and not 
forest based. A domain DFS namespace can only have root targets from the domain 
where the DFS namespace exists and not from other domains. So, DCs from the 
domain that hosts the domain based DFS root must be available and preferably 
nearby as those are contacted to refer the client to the DFS root, even if a 
client is in another domain in the forest. The DFS link targets can be in any 
domain however.
So if a client wants to connect to \\SOMEDOMAIN.COM\DFSROOT$\DFSLINK

1. it contacts a DC in SOMEDOMAIN.COM
2. the DC checks the nearest DFS root for DFSROOT$ and refers the client to it
3. the client contacts the DFS root, which refers the client to the nearest DFS 
link target for DFSLINK

I could tell you a complete story about DFS and DFS-R but you can also read it 
yourself. You might wanna have a look at:
Designing Distributed File Systems
http://technet2.microsoft.com/WindowsServer/en/library/1aa249c0-40f3-4974-b67f-e650b602415e1033.mspx?mfr=true


Met vriendelijke groeten / Kind regards,


__
MVP Profile → 
https://mvp.support.microsoft.com/profile=f8c04f4a-bff2-453e-9aed-7dfedab0be10
MVP Home Site → https://mvp.support.microsoft.com/
MVP Overview → https://mvp.support.microsoft.com/mvpexecsum
BLOG → http://blogs.dirteam.com/blogs/jorge/default.aspx
__

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP
Sent: Wednesday, December 06, 2006 17:34
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DFS vs Robocopy question

Hi all
I'm looking for feedback on a couple of scenarios for our environment. We
have three W2K3 SP1 domains and WAN separated regions in a couple of them.
When deploying software, hotfixes and such I want to go to the 'distribution
point' for that domain/region so as not to traverse the WAN for downloads.
Each distribution point needs to mirror the others. Each region has an app
server where we maintain these distribution points for downloads, patches
and such and currently is managed manually as far as keeping each server
identical to the other. I'm not familiar with DFS other than what it is and
does and have not configured or used it. Robocopy seems okay but also has a
lot of configuration to deal with. DFS seems to be the best but wanted to
see what the experts thought. My concern is if I create the DFS hierarchy
I'd still be pointed to one server for the files. In reading the
documentation I see multiple roots can be established which I'm hoping would
provide access to each regional distribution point and still replicate the
latest uploads from one point to all others.

Appreciate any feedback.

Thanks

Jerry




RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Almeida Pinto, Jorge de
If you are a member of ADMINISTRATORS directly or indirectly through a
CUSTOM group it will by default list ADMINISTRATORS. Changing the policy
lists the object creator.

If you are a member of DOMAIN ADMINS also, it will list DOMAIN ADMINS.
Is this what you mean?

 

If the latter is the case check with REPADMIN /SHOWOBJMETA on which DC
the object was created (also note the date and time). On the DC that is
listed as the originating DC for the account creation check the security
log. If it concerns SECURITY PRINCIPAL objects you might be lucky if
you have configured Account Management for SUCCESS (also the default if
I'm not mistaken). If it concerns OTHER objects you are lucky if you
have configured directory service access for SUCCESS (also the default
if I'm not mistaken) AND you have configured one or more SACLs on
objects or OUs with objects that should be audited.

 

jorge

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: dinsdag 5 december 2006 18:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD
object?

 

I'd say that you should test it. Create and link a policy where you've
set system objects: default owner for objects created by members of the
administrators group to Object creator. Then create a user in AD and
check the ownership.

 

Laura

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, December 05, 2006 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created
an AD object?

? 

can you explain?

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*  Tel : +31-(0)40-29.57.777

* Mobile : +31-(0)6-26.26.62.80

* E-mail  : see sender address

 





From: [EMAIL PROTECTED] on behalf of Laura A.
Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created
an AD object?

Which will have no effect on the ownership of the directory
objects.

 

Laura

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, December 04, 2006 4:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who
created an AD object?

look at the owner

 

if it lists ADMINISTRATORS, you might wanna change the
security option in the default DCs GPO which is called: system objects:
default owner for objects created by members of the administrators
group

 

Met vriendelijke groeten / Kind regards,

Ing. Jorge de Almeida Pinto

Senior Infrastructure Consultant

MVP Windows Server - Directory Services

 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)

*   Tel : +31-(0)40-29.57.777

*   Mobile : +31-(0)6-26.26.62.80

*   E-mail : see sender address

 





From: [EMAIL PROTECTED] on behalf of
Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who
created an AD object?

? 

We had a few user accounts that were deleted and then
recreated and nobody will take responsibility.

I used ADSIedit to verify the creation date/time.

 

While auditing is enabled, the Security log rolled and
we missed the event (yes I know it's an issue).

 

Is there a way to see who created the user object?

 

 

Thanks, Mitch.

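
Jorge's REPADMIN /SHOWOBJMETA step, as an added example that is not code from the thread: a small Python parser for saved `repadmin /showobjmeta` output that picks out the DC on which the object was created (the originating DSA of the objectClass write, which happens exactly once per object) together with the time, and which DC last wrote each attribute. The sample output, the site and DC names, the USNs and the timestamps are constructed for the example.

```python
"""Find the DC on which an AD object originated, and when, from saved
`repadmin /showobjmeta` output, so the right DC's Security log can be searched.
Added example for the thread above; not the list's or Microsoft's code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of `repadmin /showobjmeta <DC> <DN>` output. Site and DC
# names, USNs and timestamps are invented for this example.
SAMPLE_SHOWOBJMETA = """\
5 entries.
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
  15327   Default-First-Site-Name\\DC2           15327 2006-12-04 21:14:03    1 objectClass
  15327   Default-First-Site-Name\\DC2           15327 2006-12-04 21:14:03    1 cn
  15327   Default-First-Site-Name\\DC2           15327 2006-12-04 21:14:03    1 sAMAccountName
  15401   Default-First-Site-Name\\DC2           15401 2006-12-04 21:14:03    1 unicodePwd
  16020   Eindhoven\\DC1                          9912 2006-12-05 08:02:11    2 unicodePwd
"""

# One metadata row: local USN, "Site\Server" that originated the write, the
# originating USN, originating time, attribute version and attribute name.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s*$"
)


@dataclass(frozen=True)
class MetaRow:
    loc_usn: int
    originating_dsa: str
    org_usn: int
    org_time: datetime
    version: int
    attribute: str


def parse_showobjmeta(text: str) -> list[MetaRow]:
    """Parse the rows of a repadmin /showobjmeta dump; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue
        loc, dsa, org, ts, ver, attr = m.groups()
        rows.append(MetaRow(int(loc), dsa, int(org),
                            datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(ver), attr))
    return rows


def creation_origin(rows: list[MetaRow]) -> tuple[str, datetime, list[str]]:
    """Return (originating DSA, time, attributes) of the write that created the object.

    objectClass is written once, when the object is created, so its metadata row
    names the creating DC; if it is absent, fall back to the earliest version-1 write.
    The attribute list is every attribute stamped with the same originating USN,
    i.e. set in that same creation write.
    """
    anchor = next((r for r in rows if r.attribute.lower() == "objectclass"), None)
    if anchor is None:
        anchor = min((r for r in rows if r.version == 1),
                     key=lambda r: r.org_time, default=None)
    if anchor is None:
        raise ValueError("no replication metadata rows found")
    same_write = sorted(r.attribute for r in rows
                        if r.originating_dsa == anchor.originating_dsa
                        and r.org_usn == anchor.org_usn)
    return anchor.originating_dsa, anchor.org_time, same_write


def changes_by_dsa(rows: list[MetaRow]) -> dict[str, list[str]]:
    """Map each originating DSA to the attributes whose current value it wrote
    (highest version), i.e. whose Security log holds the event for that change."""
    latest: dict[str, MetaRow] = {}
    for r in rows:
        cur = latest.get(r.attribute)
        if cur is None or r.version > cur.version:
            latest[r.attribute] = r
    out: dict[str, list[str]] = {}
    for r in latest.values():
        out.setdefault(r.originating_dsa, []).append(r.attribute)
    return {dsa: sorted(attrs) for dsa, attrs in out.items()}


if __name__ == "__main__":
    meta = parse_showobjmeta(SAMPLE_SHOWOBJMETA)
    dsa, when, attrs = creation_origin(meta)
    print(f"created on {dsa} at {when:%Y-%m-%d %H:%M:%S}; attributes in that write: {attrs}")
    for dsa, attrs in changes_by_dsa(meta).items():
        print(f"{dsa}: last wrote {', '.join(attrs)}")
```

Run `repadmin /showobjmeta <DC> "<DN>" > meta.txt` and feed the file to parse_showobjmeta. With the sample it reports creation on Default-First-Site-Name\DC2 at 2006-12-04 21:14:03 and a later password write originating on Eindhoven\DC1. Then, as the reply says, open that DC's Security log at that time: with Account Management success auditing on, a user creation is event 624 (User Account Created) on Windows 2000/2003 and 4720 on Windows Server 2008 and later; a deletion is 630 / 4726. Replication metadata survives a log rollover, but the identity of the person is only in the Security log, so in Mitch's case the metadata narrows it to one DC and a time window and no further.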

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Almeida Pinto, Jorge de
?
which part?
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 19:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?


Have you tested this?





RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Almeida Pinto, Jorge de
?
just like I wrote it and tony confirmed it
 
do you have other experiences?
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 21:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?


Test what I wrote in my other response.





RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Almeida Pinto, Jorge de
?
oh, and yes I did test it and got the results I mentioned earlier...when not a 
member of DA but a member of Adms it lists the object creator after changing 
the policy
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 22:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?



BTW, speaking strictly about directory objects, if you use an account that
is NOT a member of Domain Admins but IS a member of Administrators (DLG),
the ownership of the object works exactly the same way as it does if the
account is a member of Domain Admins and not a direct member of
Administrators.

File system objects are still a bit different. :-)

Laura

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
 Sent: Tuesday, December 05, 2006 3:12 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Is it possible to determine who
 created an AD object?


 I did Laura's test (the thread was wearing me down ;-)).

 Even with the policy set to Object Creator it still shows
 Domain Admins as the owner if I create an object with an
 account that is member of Domain Admins.  In my case the
 Domain Admins group is a member of the built-in
 Administrators group.  This means that I saw the option in
 the security tab to change the ownership from Domain Admins
 to either Administrators or the account I was logged in with.

 The conclusion is that you can't use this policy to change
 the behaviour for AD accounts.  Might be different for local
 accounts on member servers and workstations - but I haven't
 tested this.

 Tony

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-05 Thread Almeida Pinto, Jorge de
?
sorry to say, but I have different results...mailed them offline to Laura
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 23:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?


Just to make sure everybody understands what I am saying, I'm going to 
summarize this one last time.
 
If I create an object in AD while I am logged on with an account that is a 
member of Domain Admins, Domain Admins becomes the owner of the object. NOT the 
Administrators group. NOT the object creator. DOMAIN ADMINS.
 
If I create an object in AD while I am logged in with an account that is NOT a 
member of Domain Admins and IS a member of the built-in Administrators group in 
Active Directory, DOMAIN ADMINS STILL becomes the owner of the object. NOT 
Administrators, and NOT the object creator.
 
Period. End of story. The group policy setting System objects: Default owner 
for objects created by members of the Administrators group DOES NOT AFFECT 
DIRECTORY OBJECTS.
 
Test. It. Yourself. :-)
 
Laura





RE: [ActiveDir] Tombstone.

2006-12-04 Thread Almeida Pinto, Jorge de
are you asking if it is possible to undelete a tombstone which was created when 
an object was deleted?
Well, yes it is possible.
 
When an object is deleted almost all of its attributes are lost except several 
important attributes. Undeleting the object will not return the values of those 
attributes. Only doing an authoritative restore or an undelete followed by a 
write back of attributes (from some repository) will fully restore the object.
 
also see:
MS-KBQ840001_How to restore deleted user accounts and their group memberships 
in Active Directory
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Ajay Kumar
Sent: Mon 2006-12-04 20:03
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Tombstone.


? 
Hi all,
 
I have a query.
Is it possible to recover a network object from an AD tombstone?
If not, then what is the use of it?
 
Regards,
Ajay pardeshi


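
The undelete Jorge describes, as an added example that is not code from the thread or from KB 840001 (it follows the LDAP operation that article documents): Python that builds the reanimation modify for a tombstone (delete isDeleted, replace distinguishedName), the follow-up modify that writes back attributes the tombstone lost, and the modifies that put the object back into its groups. The tombstone DN, objectGUID, OU and group names are constructed; the LDIF is handed to ldp.exe or ldifde by the operator, it is not sent by this code.

```python
"""Build the LDAP modifies for reanimating a tombstone and writing back what the
tombstone lost. Added example for the thread above; not code from the list or
from KB 840001, though it follows the undelete that article describes."""
from __future__ import annotations

import re

# A modify against a deleted object must carry the Show Deleted Objects control.
SHOW_DELETED_OID = "1.2.840.113556.1.4.417"  # LDAP_SERVER_SHOW_DELETED_OID

# Constructed tombstone DN: the RDN is "<name>\0ADEL:<objectGUID>" under the
# Deleted Objects container; the line feed in the RDN appears escaped as \0A.
SAMPLE_TOMBSTONE_DN = (
    "CN=John Doe\\0ADEL:5f3a7c2e-9b1d-4e6a-8c3f-0a1b2c3d4e5f,"
    "CN=Deleted Objects,DC=contoso,DC=com"
)

_TOMBSTONE_RDN = re.compile(
    r"^(?P<attr>[A-Za-z]+)=(?P<name>.+?)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36}),"
    r"CN=Deleted Objects,",
    re.IGNORECASE,
)


def split_tombstone_dn(dn: str) -> tuple[str, str, str]:
    """Return (naming attribute, original RDN value, objectGUID) from a tombstone DN."""
    m = _TOMBSTONE_RDN.match(dn)
    if m is None:
        raise ValueError(f"not a tombstone DN: {dn!r}")
    return m.group("attr"), m.group("name"), m.group("guid").lower()


def undelete_ldif(tombstone_dn: str, target_parent_dn: str) -> tuple[str, str]:
    """The reanimation modify: drop isDeleted and move the object out of Deleted
    Objects by replacing distinguishedName. Returns (new DN, LDIF text)."""
    attr, name, _guid = split_tombstone_dn(tombstone_dn)
    new_dn = f"{attr}={name},{target_parent_dn}"
    ldif = "\n".join([
        f"dn: {tombstone_dn}",
        "changetype: modify",
        "delete: isDeleted",
        "-",
        "replace: distinguishedName",
        f"distinguishedName: {new_dn}",
        "-",
        "",
    ])
    return new_dn, ldif


def writeback_ldif(new_dn: str, attributes: dict[str, list[str]]) -> str:
    """Second modify: re-apply attributes from a pre-deletion export that the
    tombstone did not keep. memberOf is a back-link and cannot be written here;
    group membership is re-added on the groups (see group_readd_ldif)."""
    if "memberof" in {a.lower() for a in attributes}:
        raise ValueError("memberOf is a back-link; re-add the user to the groups instead")
    lines = [f"dn: {new_dn}", "changetype: modify"]
    for attr in sorted(attributes):
        lines.append(f"replace: {attr}")
        lines.extend(f"{attr}: {value}" for value in attributes[attr])
        lines.append("-")
    lines.append("")
    return "\n".join(lines)


def group_readd_ldif(new_dn: str, group_dns: list[str]) -> str:
    """One modify per group, adding the reanimated object to its member attribute."""
    chunks = []
    for group_dn in group_dns:
        chunks.append("\n".join([
            f"dn: {group_dn}", "changetype: modify",
            "add: member", f"member: {new_dn}", "-", "",
        ]))
    return "\n".join(chunks)


if __name__ == "__main__":
    new_dn, ldif = undelete_ldif(SAMPLE_TOMBSTONE_DN, "OU=Users,DC=contoso,DC=com")
    print(ldif)
    print(writeback_ldif(new_dn, {"displayName": ["John Doe"],
                                  "userPrincipalName": ["jdoe@contoso.com"]}))
    print(group_readd_ldif(new_dn, ["CN=Finance,OU=Groups,DC=contoso,DC=com"]))
```

The modify against the tombstone has to be sent with the Show Deleted Objects control (the OID above); in ldp.exe it is added under Options > Controls before running the modify. The tombstone's lastKnownParent attribute names the original container if it still exists, which is the natural value for target_parent_dn. As the reply says, only the handful of attributes preserved on tombstones (objectSid, sAMAccountName and a few others) come back on their own; everything else has to be written back from an export or backup, and since memberOf is a back-link the group memberships are restored by adding member on each group, which is why group_readd_ldif emits one modify per group.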

RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-04 Thread Almeida Pinto, Jorge de
look at the owner
 
if it lists ADMINISTRATORS, you might wanna change the security option in the 
default DCs GPO which is called: system objects: default owner for objects 
created by members of the administrators group
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Mitch Reid
Sent: Mon 2006-12-04 21:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it possible to determine who created an AD object?


? 
We had a few user accounts that were deleted and then recreated and nobody will 
take responsibility.
I used ADSIedit to verify the creation date/time.
 
While auditing is enabled, the Security log rolled and we missed the event (yes 
I know it's an issue).
 
Is there a way to see who created the user object?
 
 
Thanks, Mitch.



RE: [ActiveDir] Is it possible to determine who created an AD object?

2006-12-04 Thread Almeida Pinto, Jorge de
?
can you explain?
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Tue 2006-12-05 01:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it possible to determine who created an AD object?


Which will have no effect on the ownership of the directory objects.
 
Laura





RE: [ActiveDir] How to completely isolate a DC?

2006-11-17 Thread Almeida Pinto, Jorge de
can you describe the type of change?
 
DCs have two types of replication mechanisms...AD replication and FRS 
replication.
For example disabling outbound AD replication does NOT disable FRS replication
 
 
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Andy Wang
Sent: Thu 2006-11-16 21:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to completely isolate a DC?


I need to make a change across our domain. My plan is to make the change on one 
DC and test it, then roll out to other 50 DCs.

I tried to temporarily disable outbound replication of Active Directory with 
repadmin by doing this: 

repadmin /options +DISABLE_OUTBOUND_REPL

To my surprise, the change I made still replicated to other DCs immediately. 

So how can I isolate a DC and make sure the change I made not replicate to 
other DCs? 

Thanks for your help!

Andy




RE: [ActiveDir] OT: Exchange 2000 to 2003 - upgrade by running in parallel.

2006-11-17 Thread Almeida Pinto, Jorge de
and don't forget:
* MS-KBQ555262_Common Mistakes When Upgrading Exchange 5.5-2000 To a Exchange 
2003 (http://support.microsoft.com/?id=555262)
* MS-KBQ822942_Considerations When You Upgrade to Exchange Server 2003 
(http://support.microsoft.com/?id=822942)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Fri 2006-11-17 10:16
To: ActiveDir.org
Subject: [ActiveDir] OT: Exchange 2000 to 2003 - upgrade by running in parallel.



Hello all,

I am intending to upgrade an Exchange 2000 environment to Exchange 2003 via a 
parallel installation as opposed to an upgrade, as the hardware will not 
handle an upgrade.

The environment consists of a Front End Server and 4 Mailbox servers; there is 
no clustering involved.

Does anyone have any experience of doing the installation via this method and 
are there any major gotchas? Any recommendations or perhaps a document? All I 
can find on MS is physical upgrade documentation.


Many thanks,





Regards,

Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/





RE: [ActiveDir] How to completely isolate a DC?

2006-11-17 Thread Almeida Pinto, Jorge de
did you raise it on the DC WITH the PDC FSMO role or just a DC?
 
raising the DFL -- contacts the PDC FSMO
raising the FFL -- contacts the schema master FSMO
 
jorge
 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang
Sent: Friday, November 17, 2006 17:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to completely isolate a DC?


The change is to raise the domain functional level from Windows 2000
native to Windows 2003 mode.

As I understand it, once I raise the domain functional level, the
ntMixedDomain attribute will be changed along with other functions (like
domain controller rename, user password support on the InetOrgPerson
objectClass, etc.). 

I want to test it on an isolated production DC first. Just in
case something happens, we can shut down this DC without impacting the
whole domain. Other than physical isolation or putting a firewall in front
of the DC, is there any way to do it? 

Thanks!

Andy




On 11/17/06, joe [EMAIL PROTECTED] wrote: 

What exactly did you change and how did you change it?
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang
Sent: Thursday, November 16, 2006 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to completely isolate a DC?



I need to make a change across our domain. My plan is to
make the change on one DC and test it, then roll out to other 50 DCs.

I tried to temporarily disable outbound replication of
Active Directory with repadmin by doing this: 

repadmin /options +DISABLE_OUTBOUND_REPL

To my surprise, the change I made still replicated to
other DCs immediately. 

So how can I isolate a DC and make sure the change I
made does not replicate to other DCs? 

Thanks for your help!

Andy







RE: [ActiveDir] How to completely isolate a DC?

2006-11-17 Thread Almeida Pinto, Jorge de
how did you check the value of the DFL? ADUC?
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Andy Wang
Sent: Sat 2006-11-18 00:42
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to completely isolate a DC?


The change is a domain functional level upgrade.

So I guess the question is what replication mechanism does it use in terms of 
the DFL change? Through FRS?

From the test lab, the change replicated to other DCs immediately. Is this 
some kind of Urgent Replication? 

Andy 




On 11/17/06, Almeida Pinto, Jorge de [EMAIL PROTECTED]  wrote: 

can you describe the type of change?

DCs have two types of replication mechanisms...AD replication and FRS 
replication. 
For example disabling outbound AD replication does NOT disable FRS 
replication



Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services 

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

 

From: [EMAIL PROTECTED] on behalf of Andy Wang
Sent: Thu 2006-11-16 21:19
To: ActiveDir@mail.activedir.org 
Subject: [ActiveDir] How to completely isolate a DC?


I need to make a change across our domain. My plan is to make the 
change on one DC and test it, then roll out to other 50 DCs.

I tried to temporarily disable outbound replication of Active Directory 
with repadmin by doing this: 

repadmin /options +DISABLE_OUTBOUND_REPL

To my surprise, the change I made still replicated to other DCs 
immediately.

So how can I isolate a DC and make sure the change I made does not replicate 
to other DCs? 

Thanks for your help!

Andy




RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-15 Thread Almeida Pinto, Jorge de
http://blogs.dirteam.com/blogs/jorge/archive/2006/11/15/Finding-unused-GPOs.aspx
 
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 2006-11-15 11:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Locating empty GPOs in a domain / forest



Does anyone have a script or know of a process which can be used to locate 
empty GPOs? i.e. GPOs which have no settings enabled or set.

The customer has hundreds of GPOs so viewing them one by one using GPMC is not 
a viable option :/ 

Many thanks, 
neil 

PLEASE READ: The information contained in this email is confidential and 
intended for the named recipient(s) only. If you are not an intended 
recipient of this email please notify the sender immediately and delete your 
copy from your system. You must not copy, distribute or take any further 
action in reliance on it. Email is not a secure method of communication and 
Nomura International plc ('NIplc') will not, to the extent permitted by law, 
accept responsibility or liability for (a) the accuracy or completeness of, 
or (b) the presence of any virus, worm or similar malicious or disabling 
code in, this message or any attachment(s) to it. If verification of this 
email is sought then please request a hard copy. Unless otherwise stated 
this email: (1) is not, and should not be treated or relied upon as, 
investment research; (2) contains views or opinions that are solely those of 
the author and do not necessarily represent those of NIplc; (3) is intended 
for informational purposes only and is not a recommendation, solicitation or 
offer to buy or sell securities or related financial instruments. NIplc 
does not provide investment services to private customers. Authorised and 
regulated by the Financial Services Authority. Registered in England 
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, 
London, EC1A 4NP. A member of the Nomura group of companies. 



RE: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-15 Thread Almeida Pinto, Jorge de
if a GPO had settings and doesn't anymore, it may be needed by users and 
computers processing GP to undo settings that were previously applied
 
IMHO, no settings means all settings in the GPO are set to Not Defined. 
Wouldn't it, for the case you mention, need to have reverse settings or 
original settings and thus have settings?
 
jorge
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 2006-11-15 17:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Well, it depends upon the purpose of your quest, but you're correct. For 
example, you may not want to delete a GPO that has no settings (but does have 
versionNumber 0) because that may be a desirable state for it. In other words, 
if a GPO had settings and doesn't anymore, it may be needed by users and 
computers processing GP to undo settings that were previously applied. Unless 
you know for sure that those settings have been undone, then you can't be sure 
the GPO is unused.
 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 15, 2006 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Thanks Darren - that assumes the GPO is empty and always was empty, of course :)
 
neil



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 November 2006 15:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Another option is  to perform an LDAP search on the cn=policies, cn=system 
container for GPC objects, and on each GPC object, look for a versionNumber 
attribute == 0. It's probably slightly faster than first generating the HTML 
report and then parsing it.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 15, 2006 5:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


Thanks horhay :-^
 
I'd found the GPMC script but your extra logic is very useful :)
 
neil



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de
Sent: 15 November 2006 12:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


http://blogs.dirteam.com/blogs/jorge/archive/2006/11/15/Finding-unused-GPOs.aspx
 
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 2006-11-15 11:22
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Locating empty GPOs in a domain / forest



Does anyone have a script or know of a process which can be used to locate 
empty GPOs? i.e. GPOs which have no settings enabled or set.

The customer has hundreds of GPOs so viewing them one by one using GPMC is not 
a viable option :/ 

Many thanks, 
neil 

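The versionNumber check Darren describes, with Jorge's caveat built in, as an added example that is not from the thread: a Python triage of groupPolicyContainer records (the GPC records below are constructed; the search base and filter are what such an LDAP query would use).

```python
"""Triage groupPolicyContainer (GPC) objects by versionNumber.

Added example, not a script from the thread. The GPC records below are
constructed; in practice they come from an LDAP search under
CN=Policies,CN=System,<domain DN>.
"""
from typing import Dict, List, NamedTuple

SEARCH_BASE_TEMPLATE = "CN=Policies,CN=System,{domain_dn}"
# Equality filter on the integer attribute, usable with adfind or ldapsearch
NEVER_EDITED_FILTER = "(&(objectClass=groupPolicyContainer)(versionNumber=0))"


class Gpc(NamedTuple):
    cn: str            # the GPO GUID, which is the RDN under CN=Policies
    display_name: str
    version_number: int


# Constructed sample data (not real GPOs, apart from the well-known
# Default Domain Policy GUID)
SAMPLE_GPCS = [
    Gpc("{31B2F340-016D-11D2-945F-00C04FB984F9}", "Default Domain Policy", 0x00040003),
    Gpc("{A0000000-0000-0000-0000-000000000001}", "Created by mistake", 0),
    Gpc("{A0000000-0000-0000-0000-000000000002}", "Old lockdown, settings cleared", 0x00020002),
    Gpc("{A0000000-0000-0000-0000-000000000003}", "Logon script", 0x00050000),
]


def split_version(version_number: int):
    """versionNumber packs two counters: user-side edits in the high 16 bits,
    computer-side edits in the low 16 bits."""
    return (version_number >> 16) & 0xFFFF, version_number & 0xFFFF


def search_base(domain_dn: str) -> str:
    return SEARCH_BASE_TEMPLATE.format(domain_dn=domain_dn)


def triage(gpcs) -> Dict[str, List[str]]:
    """Sort GPOs into buckets by what versionNumber can actually prove.

    versionNumber == 0 proves the GPO was never edited, so it is empty and
    always was. A nonzero value only proves something was edited once: a GPO
    whose settings were all reset to Not Defined keeps its counter and may
    still be needed to undo settings on clients, so it goes to manual review.
    """
    buckets: Dict[str, List[str]] = {
        "never_edited": [],
        "user_side_untouched": [],
        "computer_side_untouched": [],
        "review": [],
    }
    for g in gpcs:
        user_v, comp_v = split_version(g.version_number)
        if user_v == 0 and comp_v == 0:
            buckets["never_edited"].append(g.display_name)
        elif user_v == 0:
            buckets["user_side_untouched"].append(g.display_name)
        elif comp_v == 0:
            buckets["computer_side_untouched"].append(g.display_name)
        else:
            buckets["review"].append(g.display_name)
    return buckets


if __name__ == "__main__":
    print(search_base("DC=AD,DC=LAN"), NEVER_EDITED_FILTER)
    for bucket, names in triage(SAMPLE_GPCS).items():
        print(f"{bucket}: {names}")
```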

RE: [ActiveDir] Password Police Question on Forest-ChildDomain relationship

2006-11-13 Thread Almeida Pinto, Jorge de
What passwords are you talking about? For which accounts?

It will not let you change the password as the policy mentions: at least 1 day 
old.

Password policies are not defined in the default domain controllers policy, 
but in the default domain policy.

Cheers,
jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, 13 November 2006 15:56
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password Police Question on Forest-ChildDomain relationship

Dear List readers,

I have a Forest (W2K3 FFL) with an empty root domain and a single child domain 
(W2K3 FFL). Today I changed the password on all my servers in the child domain 
including the domain controllers. I meant to exclude them but did not. Now 
they have the same password as my member servers. I went to change the 
password again on the DCs in the child domain, but they will not let me. 
"Your password must be at least 8 characters, cannot repeat any of your 
previous 0 passwords and must be at least 1 days old" is the error I get. I 
have a domain policy set for the computers in the domain, which has the 
complexity specified above as far as characters, but the group policy (default 
Domain Controllers) for my DCs in the child domain is Not Defined in all of 
the password policy options. Nor is there anything defined in the Forest Root 
Default Domain Controllers policy, which I thought might be flowing down to my 
Child Domain DCs. 

I cannot find where the policy might be set keeping me from changing the 
password in my Child Domain DCs.

Would anyone know where to find that setting?

I would like to reset my Child DCs so their password is different.

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine


RE: [ActiveDir] Timeout period on object moves?

2006-11-13 Thread Almeida Pinto, Jorge de
Can you explain the steps you've taken?
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Mon 2006-11-13 18:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Timeout period on object moves?


All-
I'm trying to track down some interesting behavior in GP processing. I am 
wondering how AD deals with object moves. Specifically, I am moving a computer 
object around between OUs and it appears that the computer itself is not 
picking up every move during GP processing as I would expect. I don't see where 
the behavior could be coming from on the client side (I even deleted the value 
in the registry where GP stores the DN of the object) and so I'm wondering if 
AD is doing something here when it returns the results of the LDAP query that 
the client does during GP processing to determine its location in AD. It's 
almost as if AD is caching the previous location of the object to dampen 
excessive object moves. Sounds weird, but I'm wondering if anyone has an 
explanation for this?
 
Darren
 
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com 
http://www.gpoguy.com/ -- the best source for GPO FAQs, video training, tools 
and whitepapers. Also check out the Windows Group Policy Guide 
http://www.amazon.com/gp/product/0735622175/qid=1122367169/sr=8-1/ref=pd_bbs_1/104-1133146-9411929?v=glancen=283155
 , the definitive resource for Group Policy information.
 
 



RE: [ActiveDir] Help with Replication Mess

2006-11-12 Thread Almeida Pinto, Jorge de




point DCB1 to another DNS server and see what happens

cheers,
jorge



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, November 10, 2006 21:40
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Help with Replication Mess


Hi -

I am trying to sort out a long-standing replication mess. The configuration 
is three sites (W2k3 FL as per earlier email) connected over T1 lines in 
series (A-B-C). The layout is:

Site A:
- DCA1 (bridgehead)
- DCA2

Site B:
- DCB1 (self for DNS)
- DCB2 (bridgehead; DCA1 for DNS)
- DCB3 (DCA1 & DCA2 for DNS)

Site C:
- DCC1 (bridgehead)

There are two IP site links with equal cost: A-B and A-C.

Site B is the problem. The event logs of DCB1 are filled with KCC and FRS 
errors. Also, depending on where you point your "Sites and Services" tool, 
you get different information about what DC is in what Site as well as 
phantom objects (such as the same DC in two sites, long demoted DCs 
lingering, dead sites still present). 

The goal for the weekend is to remove DCB1 and DCB2, leaving only DCB3. But, 
I am concerned that replication is not working correctly and that demoting 
them improperly will lead to bigger problems.

What is the best way to go about cleaning this up? The DCs in Site A and C 
are fine. Can I just pull replication data from there?

Thanks.

-- 
nme



RE: [ActiveDir] [Semi-OT] AD Integrated DNS entries

2006-11-08 Thread Almeida Pinto, Jorge de
maybe another option is...
 
use joe's ADFIND and query for dnsNode objects and specifically the dnsRecord 
attribute. And see if you can filter differences
 
just a wild idea
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of WATSON, BEN
Sent: Wed 2006-11-08 22:39
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [Semi-OT] AD Integrated DNS entries



Hi Al,

 

Thanks for the response.  

 

Yeah, that was much of what I expected.  I figured what I was looking for would 
be somewhere in the realm of extremely difficult to find or impossible and I 
guess I was right.

 

I'll definitely look into the DNSCMD and DSACLS to see if that can provide any 
of the information I am looking for.

 

Thanks again,

~Ben

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 08, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [Semi-OT] AD Integrated DNS entries

 

One of the nice-to-haves that was left out of Microsoft's integrated 
implementation was the ability to easily gather this type of information. 

IIRC, DNSCMD coupled with dsacls will give you some of that information.  There 
are also some APIs that are available to try and roll your own, but nothing 
that really gives good information IMHO. 

There's a kb somewhere out there that describes how to set the ownership of 
each record using dsacls due to a problem with dhcp registration of records 
using a particular service account. I don't recall exactly the kb, but take a 
look and see if you can't modify the dsacls command to report the ownership of 
the records. 

Al

On 11/7/06, WATSON, BEN [EMAIL PROTECTED] wrote:

Hey guys,

 

Simple question I hope.  I was looking for a way to determine a couple things 
about DNS (A & PTR records) entries in an Active Directory Integrated DNS 
environment...

 

1)  Is there a way to determine whether the entry has been manually defined 
(and thus is never scavenged) or registered through dynamic updates?

2)  Is there a way to determine the current age of a DNS entry?

3)  Is there a way to determine who has the rights to make modifications to 
an entry through dynamic updates?

 

Thanks as always,

~Ben

 




RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

2006-11-07 Thread Almeida Pinto, Jorge de
if you just want to migrate the servers from one domain to the other, you can 
use ADMT. However... if you also need to translate data, that is another story.
 
File based data - ADMT
Print services - SUBINACL
Services - SUBINACL
Shares - SUBINACL
Registry - SUBINACL
IIS - third party
SQL - third party
Citrix - don't know
 
PS.: SUBINACL is in the resource kit, but make sure to download the latest 
version
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Danny
Sent: Tue 2006-11-07 18:24
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next


Thanks to advice from the ActiveDir community (this mailing list) and 
Microsoft's ADMT and ExMerge, we have successfully completed an interforest 
migration - of users, computers, and mailboxes. Next up: the servers, 12 of 
them. Two DC's, the rest are made up of file, print, Exchange, MS SQL 
(integrated auth), Citrix, and backup. The source forest will no longer be 
necessary in a few weeks. Would you recommend using ADMT for the servers as 
well? I know that the DC's and Exchange server will be done manually. 

Thanks,
...D




RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

2006-11-07 Thread Almeida Pinto, Jorge de
although SUBINACL does have the ability to do what I mentioned, ADMTv3 is a 
better option...
 
my apologies for the quick information
 
let's try this again ;-)
 
File based data ACLs - ADMTv3
Print services ACLs - ADMTv3
Services ACLs - SUBINACL (only needed when ACEs set manually or through a GPO)
Service Accounts - ADMTv3 (make sure you identify the custom service accounts 
FIRST on each server to be migrated. This also prevents the option "change 
password at next logon" being set as the user account is migrated. All accounts 
NOT identified as service accounts will have the option set. If needed you can 
revert this afterwards with ADMOD/ADModify)
Shares ACLs - ADMTv3
Registry ACLs - ADMTv3
IIS - third party
SQL - third party
Citrix - don't know
 
REMARK: if you have migrated users/groups WITH sIDHistory it may look like 
permissions have been translated. These are really translated when the actual 
translation task has been started/executed.

When the translation task has not been executed (yet), you will see that 
permissions may show as TARGET\SEC PRINC instead of SOURCE\SEC PRINC. 
This is because of the use of sIDHistory within the target domain. The system 
translates this to the TARGET ACCOUNT NAME. In reality, when digging, you will 
still see the SID of the source sec. principals. Just something to be aware of. 
This applies to everything that uses SIDs after migrating objects while data 
has not been translated yet.

 

For example:

* looking at the ACL of the DNS service after the migration of the computer 
(which I changed prior to the migration of the computer account using an 
account of the source domain)

 

subinacl /service \\w2k3r2srv\dns /display=dacl

 /pace =ad\jorgegroup   ACCESS_ALLOWED_ACE_TYPE-0x0
   SERVICE_ALL_ACCESS
 /pace =ad\jorgeuser    ACCESS_ALLOWED_ACE_TYPE-0x0
   SERVICE_ALL_ACCESS

subinacl /service \\w2k3r2srv\dns /display=sddl

 +Service dns
 /sddl=O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1019)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1020)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

 

S-1-5-21-1153913138-43527854-1722840164-1019 = NT4\jorgegroup

S-1-5-21-1153913138-43527854-1722840164-1020 = NT4\jorgeuser

 

looking with LDP into the objects

 Dn: CN=JORGEGROUP,OU=ORG,DC=AD,DC=LAN
 2 objectClass: top; group; 
 1 cn: JORGEGROUP; 
 1 distinguishedName: CN=JORGEGROUP,OU=ORG,DC=AD,DC=LAN; 
 1 objectGUID: 7c333aeb-589d-4da2-ad97-13c3f10a4e50; 
 1 objectSid: S-1-5-21-3495709831-2249124843-3216744473-8997; 
 1 sAMAccountName: JORGEGROUP; 
 1 sAMAccountType: 268435456; 
 1 sIDHistory: S-1-5-21-1153913138-43527854-1722840164-1019; 
+++OLD SID
 1 groupType: 0x8002 = ( GROUP_TYPE_ACCOUNT_GROUP | 
GROUP_TYPE_SECURITY_ENABLED ); 
 1 objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=AD,DC=LAN; 

 

Dn: CN=JORGEUSER,OU=ORG,DC=AD,DC=LAN
 4 objectClass: top; person; organizationalPerson; user; 
 1 cn: JORGEUSER; 
 1 distinguishedName: CN=JORGEUSER,OU=ORG,DC=AD,DC=LAN; 
 1 name: JORGEUSER; 
 1 objectGUID: d719eb60-369a-448e-9554-96af1fae20b9; 
 1 userAccountControl: 0x10200 = ( UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD 
); 
 1 objectSid: S-1-5-21-3495709831-2249124843-3216744473-8998; 
 1 sAMAccountName: JORGEUSER; 
 1 sAMAccountType: 805306368; 
 1 sIDHistory: S-1-5-21-1153913138-43527854-1722840164-1020;  
+++OLD SID
 1 userPrincipalName: [EMAIL PROTECTED]; 
 1 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=AD,DC=LAN; 

 

 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Tue 2006-11-07 19:29
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next



ADMT3 can replace subinacl...

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de
Sent: Tuesday, November 07, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Users, Computers, and Mailboxes migrated - Servers next

 

if you just want to migrate the servers from one domain to the other, you can 
use ADMT. However... if you also need to translate data, that is another story.

 

File based data
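How to verify, rather than trust the displayed TARGET\name, that an ACL still depends on sIDHistory: an added example, not code from the thread or from ADMT, working on the SDDL and SIDs quoted above (the translate step is a plain string rewrite written for this example, not ADMT's own routine).

```python
"""Find ACEs that still name source-domain SIDs, i.e. access that only works
through sIDHistory.

Added example, not part of the thread. The SDDL and the SID mapping are the
values from the subinacl and LDP output quoted above; translate() is a naive
rewrite for illustration, not ADMT's security translation code.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Domain part of the sIDHistory values (the NT4 source domain)
SOURCE_DOMAIN_SID = "S-1-5-21-1153913138-43527854-1722840164"

# subinacl /service \\w2k3r2srv\dns /display=sddl
SDDL_DNS_SERVICE = (
    "O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)"
    "(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1019)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1153913138-43527854-1722840164-1020)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# sIDHistory value -> (target account, target objectSid), from the LDP dumps
SID_HISTORY: Dict[str, Tuple[str, str]] = {
    f"{SOURCE_DOMAIN_SID}-1019": ("AD\\JORGEGROUP",
                                  "S-1-5-21-3495709831-2249124843-3216744473-8997"),
    f"{SOURCE_DOMAIN_SID}-1020": ("AD\\JORGEUSER",
                                  "S-1-5-21-3495709831-2249124843-3216744473-8998"),
}


class Ace(NamedTuple):
    ace_type: str   # A = allow, D = deny, AU = audit, ...
    flags: str
    rights: str
    trustee: str    # SID string or a two-letter alias such as BA or SY


_DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))*)")
_ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl: str) -> List[Ace]:
    """Return the DACL ACEs of an SDDL string (the SACL after S: is ignored)."""
    m = _DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in _ACE_RE.findall(m.group(2)):
        fields = body.split(";")   # type;flags;rights;object_guid;inherit_guid;sid
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: {body}")
        aces.append(Ace(fields[0], fields[1], fields[2], fields[5]))
    return aces


def untranslated_aces(sddl: str, source_domain_sid: str) -> List[Ace]:
    """ACEs whose trustee is a source-domain SID. Tools display these as
    TARGET\\name because the DC resolves the SID through sIDHistory, so the
    SID itself has to be inspected, not the name shown."""
    prefix = source_domain_sid + "-"
    return [a for a in parse_dacl(sddl) if a.trustee.startswith(prefix)]


def translate(sddl: str, sid_history: Dict[str, Tuple[str, str]]) -> str:
    """Rewrite each source SID to the target objectSid: the end state a
    security translation run should leave behind (string rewrite only)."""
    out = sddl
    for old_sid, (_, new_sid) in sid_history.items():
        out = out.replace(";;;" + old_sid + ")", ";;;" + new_sid + ")")
    return out


def report(sddl: str, sid_history, source_domain_sid: str) -> List[str]:
    """Human-readable list of ACEs that would stop working once sIDHistory
    is cleaned up or the source domain is gone."""
    lines = []
    for a in untranslated_aces(sddl, source_domain_sid):
        name = sid_history.get(a.trustee, ("<unknown source principal>", ""))[0]
        lines.append(f"{a.trustee} ({name}) still holds {a.rights}")
    return lines


if __name__ == "__main__":
    for line in report(SDDL_DNS_SERVICE, SID_HISTORY, SOURCE_DOMAIN_SID):
        print(line)
```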

RE: [ActiveDir] Subnet Object Question

2006-11-05 Thread Almeida Pinto, Jorge de
Hi Brian,
 
The following represents subnet 10.1.1.0/24; as you can see, it is used in the 
CN and NAME.
 
 
Expanding base 
'CN=10.1.1.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=AD,DC=LAN'...
Result 0: (null)
Matched DNs: 
Getting 1 entries:
 Dn: CN=10.1.1.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=AD,DC=LAN
 2 objectClass: top; subnet; 
 1 cn: 10.1.1.0/24; 
 1 distinguishedName: 
CN=10.1.1.0/24,CN=Subnets,CN=Sites,CN=Configuration,DC=AD,DC=LAN; 
 1 instanceType: 0x4 = ( IT_WRITE ); 
 1 whenCreated: 09/07/2006 21:17:43 W. Europe Standard Time W. Europe Daylight 
Time; 
 1 whenChanged: 09/07/2006 21:17:43 W. Europe Standard Time W. Europe Daylight 
Time; 
 1 uSNCreated: 13938; 
 1 uSNChanged: 13938; 
 1 showInAdvancedViewOnly: TRUE; 
 1 name: 10.1.1.0/24; 
 1 objectGUID: d69ed007-4556-4f85-b018-d6ff405ae2f1; 
 1 systemFlags: 0x4000 = ( FLAG_CONFIG_ALLOW_RENAME ); 
 1 siteObject: CN=HQ,CN=Sites,CN=Configuration,DC=AD,DC=LAN; 
 1 objectCategory: CN=Subnet,CN=Schema,CN=Configuration,DC=AD,DC=LAN
 
 
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Sun 2006-11-05 22:08
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Subnet Object Question



Question on Subnet Objects - It appears that there is not an actual property 
designated for the subnet network/mask. Does anyone know whether AD uses the name 
or cn for this information?

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132
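Since the network/mask is carried only in the subnet object's cn/name, a site lookup has to parse that string. The following is an added example (not code from the thread) that parses constructed subnet records, the first of which mirrors the 10.1.1.0/24 object above, and resolves client IPs to sites by longest-prefix match; all other subnets, site names and IPs are made up.

```python
# Added example (not from the thread): resolve a client IP to an AD site from
# subnet objects, whose network/mask lives only in cn/name (e.g. "10.1.1.0/24")
# while siteObject points at the site. Records below are constructed.
import ipaddress

# Constructed sample of (cn, siteObject) pairs as adfind/ldp would show them.
# The first pair mirrors the object in the reply above; the rest are made up.
SUBNET_OBJECTS = [
    ("10.1.1.0/24", "CN=HQ,CN=Sites,CN=Configuration,DC=AD,DC=LAN"),
    ("10.1.0.0/16", "CN=Europe,CN=Sites,CN=Configuration,DC=AD,DC=LAN"),
    ("10.1.1.128/25", "CN=HQ-Citrix,CN=Sites,CN=Configuration,DC=AD,DC=LAN"),
    ("192.168.5.0/24", None),      # subnet object with no siteObject set
    ("10.1.2.0/33", "CN=HQ,CN=Sites,CN=Configuration,DC=AD,DC=LAN"),  # malformed cn
]


def parse_subnets(objects):
    """Turn cn values into ip_network objects.

    Malformed cn values are collected rather than raised, so one bad object
    does not hide the rest of the report.
    """
    parsed, malformed = [], []
    for cn, site in objects:
        try:
            net = ipaddress.ip_network(cn, strict=True)
        except ValueError:
            malformed.append(cn)
            continue
        parsed.append((net, site))
    return parsed, malformed


def site_for_ip(ip, subnets):
    """Return the site DN for ip using longest-prefix match (the most specific
    subnet wins, which is how the DC locator assigns a client to a site), or
    None when no subnet matches or the matching subnet has no siteObject."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for net, site in subnets:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def site_name(site_dn):
    """'CN=HQ,CN=Sites,...' -> 'HQ'; None stays None."""
    if site_dn is None:
        return None
    return site_dn.split(",", 1)[0].split("=", 1)[1]


def audit(objects, client_ips):
    """Map each client IP to its site name and list subnets needing attention:
    subnets without a siteObject and cn values that do not parse."""
    subnets, malformed = parse_subnets(objects)
    unassigned = [str(net) for net, site in subnets if site is None]
    mapping = {ip: site_name(site_for_ip(ip, subnets)) for ip in client_ips}
    return {"sites": mapping, "unassigned": unassigned, "malformed": malformed}


if __name__ == "__main__":
    print(audit(SUBNET_OBJECTS,
                ["10.1.1.10", "10.1.1.200", "10.1.2.1", "192.168.5.7", "172.16.0.1"]))
```

A client that maps to None (no subnet, or a subnet with no siteObject) is the case that makes the DC locator fall back to any DC, which is worth reporting on its own line.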

 




RE: [ActiveDir] _MSDCS changes from 2000 to 2003

2006-11-02 Thread Almeida Pinto, Jorge de








See:

Best practices for DNS client settings in Windows 2000
Server and in Windows Server 2003

http://support.microsoft.com/?id=825036



cheers,

jorge









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Thursday 2 November 2006 17:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] _MSDCS changes from 2000 to 2003





Looking for the general consensus on best
practice for a domain that was upgraded from 2000 to 2003 and switched to 2003
native mode.



Looking at http://support.microsoft.com/kb/817470/,
MS recommends that we point the primary dns of all our DCs to a single root
controller in our empty forest root domain. Then there's some steps to
'switch' to the 2003 way of doing things. Is this going to help us in any
way, and is this article a good idea to follow?



Thanks






RE: [ActiveDir] ADMT v3 Profile cleanup options

2006-10-27 Thread Almeida Pinto, Jorge de
* within the same forest -- no need to translate profiles (although different 
SID, GUID takes care of this)
* between different forests -- profile translation is needed (different GUID 
and SID)
 
you can use ADMT or any third party tool
 
as soon as users start to use their new account you need to translate the 
profile
 



From: [EMAIL PROTECTED] on behalf of Danny
Sent: Fri 2006-10-27 15:32
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADMT v3 Profile cleanup options


Computer and user migration with ADMT v3 scenario:

Users have local profiles (non-roaming). It appears as though when you migrate 
user and computer into new forest, the new user in the target forest logs into 
the same computer (now part of target domain) and a new profile is created; 
they are not routed into their existing profile. Just curious how you have all 
managed to get around this without interrupting the users too much. 

Windows Server 2003 and Windows XP Pro SP2 environment.

Thanks,

...D




RE: [ActiveDir] list lastlogontime for every user script

2006-10-27 Thread Almeida Pinto, Jorge de
I used Joe's tool (no sexual connotation here) because it was easy and fast
 
never mind half of the world does it! ;-)
 
ROTFMAO
 



From: [EMAIL PROTECTED] on behalf of Ramon Linan
Sent: Fri 2006-10-27 20:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script


Thanks Matt for the script that you sent and thanks Joe for your tool.
 
I used Joe's tool (no sexual connotation here) because it was easy and fast.
 
I have just one question: I am getting some users with lastLogonTimeStamp 
/00/00-00:00:00; most of them (or all of them) are system users, like the 
systemmailbox. I bet this is because they never log in to the system.
 
This is the command that I used: oldcmp -report -age 90 -users -llts
 
Is there a way of excluding disabled users from the results?
 
Thanks



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 27, 2006 12:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script


It isn't, it is randomly calculated every time logonTime is updated. 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 26, 2006 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script



How is this 9-14 day value tracked for each user object, by the way?

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 26, 2006 5:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

 

oldcmp

 

Keep in mind that by default, lastLogonTimeStamp is not updated every day, it 
will be updated about every 9-14 days (14 days with a random swing of minus 0-5 
days).

 

You can output to csv or html, whatever is more convenient for you. 

 

Alternately if you just want to query the value directly, you can use adfind to 
generate the output. 

 

However, oldcmp tends to be easier for most folks.

 

  joe

 

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 

 

 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, October 26, 2006 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] list lastlogontime for every user script

Hi,

 

I am trying to do a script or something that will list lastlogontime for all 
users so I can receive an email when someone has not used the account for more 
than 30 days.

 

I have seen a couple of examples of half-built scripts that don't work; I get 
lost when they start dealing with converting the number to a date...

 

Does anyone have a script that will do something similar? Does joeware have 
something similar?

 

Thanks

 

Ramon
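The two snags in this thread, converting the raw attribute value to a date and the 9-14 day update lag of lastLogonTimeStamp, together with the follow-up question about excluding disabled accounts, are worked through in this added example (not code from the thread or from oldcmp); the user records and the "now" date are constructed.

```python
# Added example (not from the thread): a stale-account report built from raw
# lastLogonTimestamp values. The attribute is a 64-bit FILETIME (100-ns ticks
# since 1601-01-01 UTC) and, with the default 14-day sync interval, may lag the
# real last logon by up to 14 days. All records below are constructed.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x0002           # userAccountControl flag bit
NORMAL_ACCOUNT = 0x0200
SYNC_INTERVAL_DAYS = 14           # default msDS-LogonTimeSyncInterval


def filetime_to_datetime(ft):
    """FILETIME integer -> aware UTC datetime; 0 (never logged on) -> None.
    A value of 0 is where the "00/00-00:00:00" rows in a report come from."""
    ft = int(ft)
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here to build sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


NOW = datetime(2006, 10, 27, 12, 0, tzinfo=timezone.utc)

# Constructed directory records (the values a tool such as adfind would return).
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=7))},
    {"sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=118))},
    {"sAMAccountName": "carol", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=150))},
    # 37 days: older than 30, but a logon inside the 14-day sync window would
    # not have been written back yet, so it must not be reported as stale.
    {"sAMAccountName": "dave", "userAccountControl": NORMAL_ACCOUNT,
     "lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=37))},
    {"sAMAccountName": "SystemMailbox-lab", "userAccountControl": NORMAL_ACCOUNT,
     "lastLogonTimestamp": 0},
]


def stale_accounts(records, now=NOW, max_age_days=30, include_disabled=False):
    """Return (stale, never) lists of sAMAccountNames.

    An account counts as stale only when its stored timestamp is older than
    max_age_days plus the sync interval: anything younger could hide a logon
    that AD has not written back yet. Disabled accounts are skipped unless
    include_disabled is set.
    """
    cutoff = now - timedelta(days=max_age_days + SYNC_INTERVAL_DAYS)
    stale, never = [], []
    for rec in records:
        if not include_disabled and rec["userAccountControl"] & ACCOUNTDISABLE:
            continue
        last = filetime_to_datetime(rec.get("lastLogonTimestamp", 0))
        if last is None:
            never.append(rec["sAMAccountName"])
        elif last < cutoff:
            stale.append(rec["sAMAccountName"])
    return stale, never


if __name__ == "__main__":
    stale, never = stale_accounts(SAMPLE_USERS)
    print("stale:", stale)
    print("never logged on:", never)
```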




RE: [ActiveDir] sysvol replication

2006-10-22 Thread Almeida Pinto, Jorge de
ah yes, very true...
 
In Longhorn, once the Domain Functional Level is reached (i.e. all DCs in a 
domain run Longhorn Server and the switch to DFL 3 has been made), the DCs 
will switch to leveraging the new DFSR replication mechanism (which is 
basically what was made available with Win2003 R2). This is very efficient 
for replicating files as it only replicates the actual changes - incl. 
ACEs.

replicating only the changes is due to RDC (Remote Differential Compression)
read more here:
http://technet2.microsoft.com/WindowsServer/en/library/f9b98a0f-c1ae-4a9f-9724-80c679596e6b1033.mspx?mfr=true
search for: Remote Differential Compression details
 



From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Fri 2006-10-20 00:45
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] sysvol replication



my reply was a little hurried - so what I meant was that in 2k/2k3 the NTFS 
permission/ACL changes will actually trigger a full replication of all files 
and folders that have been affected by the change of permissions (i.e. when the 
changes are applied at the top level, all files will be replicated). This is 
due to a limitation in the current version of FRS which always replicates the 
whole file for any change that happens to the files (and an ACL change is just 
seen as any other change).

In Longhorn, once the Domain Functional Level is reached (i.e. all DCs in a domain 
run Longhorn Server and the switch to DFL 3 has been made), the DCs will switch 
to leveraging the new DFSR replication mechanism (which is basically what was 
made available with Win2003 R2). This is very efficient for replicating files 
as it only replicates the actual changes - incl. ACEs.

and yes, the SYSVOL replication follows your site-link schedules - however, 
since Win2k3 SP1 (and Win2k SP4) you can also (finally) trigger it manually via 
the NTFRSUTL tool. Also I've seen occasions where SYSVOL actually replicated 
outside the site-link schedule window - can't tell you right now under which 
circumstances this is the case.

/Guido




From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Thu 10/19/2006 8:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] sysvol replication


won't change until you deploy Longhorn and switch to LH DFL

Guido, can you explain what you mean with this?

(I know SYSVOL will be replicated with DFSR as soon as DFL=W2K7 is reached)

thanks
jorge




From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 2006-10-19 19:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] sysvol replication



Yes, not only for Win2k, but also for Win2k3 (won't change until you deploy 
Longhorn and switch to LH DFL)

/Guido

---
sent wirelessly using iPAQ 6900

-Original Message-
From: Graham Turner [EMAIL PROTECTED]
To: activedir@mail.activedir.org activedir@mail.activedir.org
Sent: 10/19/06 5:29 PM
Subject: [ActiveDir] sysvol replication

Just a quick query on sysvol replication

we have put in place a strategy for delegation of the directory shared as netlogon 
by way of adding an ACE to the NTFS permissions

is it correct that on DCs running Windows 2000 SP4 a change in the NTFS
permissions will generate the change notifications such that the NTFS permission
change is replicated to all DCs ??

in terms of schedule for sysvol, does it use the schedule as determined by site 
link configuration ??

Thanks








RE: [ActiveDir] Security-enable all your distribution lists?

2006-10-21 Thread Almeida Pinto, Jorge de
have a look at:
 
Addressing Problems Due to Access Token Limitation
http://www.microsoft.com/downloads/details.aspx?FamilyID=22dd9251-0781-42e6-9346-89d577a3e74a&DisplayLang=en#filelist
 
http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&DisplayLang=en
 



From: [EMAIL PROTECTED] on behalf of Harvey Kamangwitz
Sent: Sat 2006-10-21 01:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security-enable all your distribution lists?


Hi all,
 
I'm interested in your opinion here, and perhaps a heads-up on requirements 
that may be coming your way.
 
We have a request from the sharepoint team to security-enable all of our 18,000 
distribution lists. Our concern, naturally, is token size. What will this do to 
Joe User's access token? The issue is tied in to Sharepoint. 
 
Setting permissions on Sharepoint sites has always been kind of a pain, partly 
because of Sharepoint itself but also because of the nature of what you're 
doing. (DISCLAIMER: I'm nothing more than a just-beyond-basic Sharepoint user.) 
When you set up a teamsite for a project, you want to enable access to the site 
to the project people. Typically you use an existing group of people in your 
org ( e.g. your work group for a weekly meeting site), or you create a new 
group to manage access. 
 
Most work groups have mailing distribution lists, but I'll bet most are not 
security-enabled. So when you set up your teamsite, you have to wait and ask 
for IT to security-enable your DL so you can use it on your shiny new teamsite. 
(Unless you're one of us, in which case you can do it yourself :) In the 
current version of sharepoint, you can work around this by going to the GAL and 
manually adding individual users to site access. 
 
Apparently the next version of Sharepoint does not allow you to do this, 
forcing everyone that needs group access to security-enable their group. That's 
why they want to enable ALL of them, not just piecemeal.
 
Our analysis shows that the MEDIAN number of distribution lists per user is 
relatively small (5-6) and the MEDIAN number of groups in Joe User's token is 
relatively small (40-50). But we have lots of users in the 100+ groups range, 
and the winner for greatest number of groups is 400! 
 
So... we have to do what we can to mitigate the impact for the large-token 
people. Do you folks have any feel for a "you really don't want to go beyond 
there" limit on token size? Any direct experience? There's no way we can know 
all the apps out there that might be affected by this. 
 
Thanks,
Harvey
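To put numbers on the "how far is too far" question, the following added example (not code from the thread) applies the token-size estimate Microsoft documents in KB 327825, TokenSize = 1200 + 40d + 8s, to membership profiles constructed from the figures in the post; the 12000-byte default MaxTokenSize and the 1015-SID hard limit are stated from that documentation, and the group-scope split per profile is an assumption.

```python
# Added example (not from the thread): estimate how security-enabling
# distribution lists changes a user's access token. The estimate is the one
# Microsoft documents in KB 327825, TokenSize = 1200 + 40d + 8s, where d counts
# domain local groups, universal groups from other domains and SID-history
# entries, and s counts global groups and universal groups from the user's own
# domain. The profiles below are constructed from the figures in the post.

MAX_TOKEN_SIZE = 12000   # default MaxTokenSize on Windows 2000 SP2+/XP/2003
SID_HARD_LIMIT = 1015    # LSA will not build a token with more group SIDs


def token_size(membership):
    """KB 327825 estimate in bytes for a membership dict with any of the keys
    global, local_universal, domain_local, foreign_universal, sid_history."""
    d = (membership.get("domain_local", 0)
         + membership.get("foreign_universal", 0)
         + membership.get("sid_history", 0))
    s = membership.get("global", 0) + membership.get("local_universal", 0)
    return 1200 + 40 * d + 8 * s


def sid_count(membership):
    return sum(membership.values())


def security_enable_dls(membership, dl_count, foreign=False):
    """Membership after dl_count distribution lists become security groups.
    Exchange DLs are normally universal groups, so they land in
    local_universal (8 bytes each) or foreign_universal (40 bytes each)."""
    new = dict(membership)
    key = "foreign_universal" if foreign else "local_universal"
    new[key] = new.get(key, 0) + dl_count
    return new


def assess(membership, max_size=MAX_TOKEN_SIZE):
    size = token_size(membership)
    sids = sid_count(membership)
    return {"size": size, "sids": sids,
            "over_size": size > max_size, "over_sid_limit": sids > SID_HARD_LIMIT}


# Constructed profiles: a median user (45 groups) and the 400-group outlier,
# once with all groups global and once with all of them domain local, which
# is the scope split that decides whether 400 groups fit in 12000 bytes.
PROFILES = {
    "median": {"global": 45},
    "outlier_global": {"global": 400},
    "outlier_domain_local": {"domain_local": 400},
}


def report(profiles=PROFILES, dl_count=6):
    """Before/after assessment for each profile when dl_count DLs from the
    user's own domain are security-enabled."""
    out = {}
    for name, membership in profiles.items():
        out[name] = {"before": assess(membership),
                     "after": assess(security_enable_dls(membership, dl_count))}
    return out


if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name:22} before={r['before']['size']:6d} B  "
              f"after={r['after']['size']:6d} B  over_size={r['after']['over_size']}")
```

The same 400 groups cost 4400 bytes as global groups but 17200 bytes as domain local groups, so the audit worth doing before the bulk change is a per-scope count for the heavy users, not just a total.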



RE: [ActiveDir] Vista WMI

2006-10-19 Thread Almeida Pinto, Jorge de



joe,

if you are talking about the "operatingSystem" attribute in AD, well... it depends

Using the latest available builds here...

* if OS="Longhorn" and serverRole="writable DC" and media="Full Install" then the "operatingSystem" attribute DOES NOT contain special characters
* if OS="Longhorn" and serverRole="read-only DC" and media="Full Install" then the "operatingSystem" attribute DOES NOT contain special characters
* if OS="Longhorn" and serverRole="member server" and media="Server Core" then the "operatingSystem" attribute DOES contain special characters
* if OS="Longhorn" and serverRole="member server" and media="Full Install" then the "operatingSystem" attribute DOES contain special characters
* if OS="Vista Ultimate" then the "operatingSystem" attribute DOES contain special characters

Just bugged it again with MS

jorge

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Thursday, October 19, 2006 01:05
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Vista & WMI
  
  This "corruption" is probably the fact that MSFT[1] put a 
  copyright symbol in the name of the OS, it is even reflected in AD. I bugged 
  this some time ago and got back a "you need to go talk to someone else" 
  initially and then ~Eric tried to push it forward, I don't think it got fixed 
  for Vista. Hopefully they will fix it for Longhorn because there will be quite 
  a few people bitching who are doing things at the command line or like you 
  with scripts.
  
   joe
  
  
  [1] 
  That was said with a sneer and pretend I also said, "ITIW"
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
  Sent: Wednesday, October 18, 2006 5:26 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Vista & WMI
  
  
  I'm trying to get a script working in Vista with no success. For some 
  reason the OS caption on Vista looks corrupted, but when I enter it as it's 
  displayed in wmic, my script ignores it. I even tried to correct it, and 
  still no success. Here's the script:
  
  ' Declarations moved to the top; the archive had dropped every "&" and the
  ' comparison operator, which are restored below.
  Dim WshShell, objWMIService, colOperatingSystems, objOperatingSystem
  Dim strComputer, objFSO, LogonServer
  strComputer = "."
  Set WshShell = WScript.CreateObject("WScript.Shell")
  On Error Resume Next

  ' If Workstation, exit script
  Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
  For Each objOperatingSystem In colOperatingSystems
      If objOperatingSystem.Caption = "Microsoft Windows 2000 Professional" Then WScript.Quit
      If objOperatingSystem.Caption = "Microsoft Windows XP Professional" Then WScript.Quit
      ' Caption exactly as wmic displays it on Vista (the (R) and (TM) symbols
      ' render as "r" and "T"); this is the comparison that never matches
      If objOperatingSystem.Caption = "Microsoftr Windows VistaT Ultimate" Then WScript.Quit
      If objOperatingSystem.Caption = "Microsoft Windows Vista Ultimate" Then WScript.Quit
  Next

  ' Check / Set registry settings for screen saver. Logoff user if settings are updated
  Dim isLocked, ssTimeout, ssActive, ScrnSave, wmi, objSet

  isLocked  = WshShell.RegRead("HKCU\Control Panel\Desktop\ScreenSaverIsSecure")
  ssTimeout = WshShell.RegRead("HKCU\Control Panel\Desktop\ScreenSaveTimeout")
  ssActive  = WshShell.RegRead("HKCU\Control Panel\Desktop\ScreenSaveActive")
  ScrnSave  = WshShell.RegRead("HKCU\Control Panel\Desktop\SCRNSAVE.EXE")

  ' The operator in the timeout test was lost in the archive; ">" is assumed
  ' (a timeout longer than 900 seconds / 15 minutes is treated as non-compliant)
  If (isLocked = 0) Or (CInt(ssTimeout) > 900) Or (ssActive = 0) Or (ScrnSave = "") Then
      WshShell.RegWrite "HKCU\Control Panel\Desktop\ScreenSaverIsSecure", 1, "REG_SZ"
      WshShell.RegWrite "HKCU\Control Panel\Desktop\ScreenSaveActive", 1, "REG_SZ"
      WshShell.RegWrite "HKCU\Control Panel\Desktop\ScreenSaveTimeout", 900, "REG_SZ"
      WshShell.RegWrite "HKCU\Control Panel\Desktop\SCRNSAVE.EXE", "%systemroot%\system32\logon.scr", "REG_SZ"
      WshShell.Popup "ScreenSaver settings were not previously set. Settings have been updated. A logout is required to activate new settings. Click Ok and the system will logout you out now. Auto-logoff in 20 seconds.", 20, , 0 + 64
      ' LogonServer was never assigned in the posted script; taken from the
      ' environment here so the Run line resolves to \\<logon server>\netlogon
      LogonServer = WshShell.ExpandEnvironmentStrings("%LOGONSERVER%")
      WshShell.Run LogonServer & "\netlogon\shutdown.exe /l /f", 0, True
  End If
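The script above fails because the Vista caption contains the ® and ™ symbols, so any literal string compare misses. As an added example (not code from the thread, and not the VBScript fix the poster was after), the logic below shows the two defences a script can use: decide on Win32_OperatingSystem.ProductType (1 = workstation, 2 = domain controller, 3 = server) instead of the caption, and, where a caption must be compared, normalise it first. The OS records are constructed.

```python
# Added example (not from the thread): decide "workstation or not" without an
# exact match on Win32_OperatingSystem.Caption. On Vista the caption carries the
# (R) and (TM) symbols, so a literal compare fails; ProductType (1 = workstation,
# 2 = domain controller, 3 = server) sidesteps the caption entirely, and a
# normalised compare is the fallback. Records below are constructed.
import unicodedata

# Constructed records shaped like the Win32_OperatingSystem properties used here.
SAMPLE_OS = [
    {"Caption": "Microsoft Windows XP Professional", "ProductType": 1},
    {"Caption": "Microsoft\u00ae Windows Vista\u2122 Ultimate", "ProductType": 1},
    {"Caption": "Microsoft(R) Windows(R) Server 2003, Standard Edition", "ProductType": 3},
    {"Caption": "Microsoft(R) Windows(R) Server 2003, Standard Edition", "ProductType": 2},
]


def normalise_caption(caption):
    """Strip symbol characters such as ® and ™ (Unicode category So), their
    ASCII spellings, and surplus whitespace; compare case-insensitively."""
    text = "".join(ch for ch in caption if unicodedata.category(ch) != "So")
    for token in ("(R)", "(TM)", "(C)"):
        text = text.replace(token, "")
    return " ".join(text.split()).casefold()


def caption_matches(record, wanted):
    """Caption comparison that survives branding symbols in either string."""
    return normalise_caption(record["Caption"]) == normalise_caption(wanted)


def is_workstation(record):
    """Preferred check: ProductType does not depend on branding in the caption."""
    return record.get("ProductType") == 1


def should_exit(record, workstation_captions):
    """The posted script's intent, exit early on workstations: ProductType
    decides; the caption list is only consulted when ProductType is absent."""
    if "ProductType" in record:
        return is_workstation(record)
    return any(caption_matches(record, c) for c in workstation_captions)


if __name__ == "__main__":
    for rec in SAMPLE_OS:
        print(repr(rec["Caption"]), "->", normalise_caption(rec["Caption"]),
              "| workstation:", is_workstation(rec))
```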

RE: [ActiveDir] sysvol replication

2006-10-19 Thread Almeida Pinto, Jorge de
The addition/change of an ACE on a folder or file is like the addition/change 
of file/folder...
 
within a site it will replicate immediately and between sites according to the 
schedule as soon as the replication window opens
 



From: [EMAIL PROTECTED] on behalf of Graham Turner
Sent: Thu 2006-10-19 17:01
To: activedir@mail.activedir.org
Subject: [ActiveDir] sysvol replication



Just a quick query on sysvol replication

we have put in place a strategy for delegation of the directory shared as netlogon 
by way of adding an ACE to the NTFS permissions

is it correct that on DCs running Windows 2000 SP4 a change in the NTFS
permissions will generate the change notifications such that the NTFS permission
change is replicated to all DCs ??

in terms of schedule for sysvol, does it use the schedule as determined by site 
link configuration ??

Thanks












RE: [ActiveDir] sysvol replication

2006-10-19 Thread Almeida Pinto, Jorge de
won't change until you deploy Longhorn and switch to LH DFL
 
Guido, can you explain what you mean with this?
 
(I know SYSVOL will be replicated with DFSR as soon as DFL=W2K7 is reached)
 
thanks
jorge
 



From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido
Sent: Thu 2006-10-19 19:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] sysvol replication



Yes, not only for Win2k, but also for Win2k3 (won't change until you deploy 
Longhorn and switch to LH DFL)

/Guido

---
sent wirelessly using iPAQ 6900

-Original Message-
From: Graham Turner [EMAIL PROTECTED]
To: activedir@mail.activedir.org activedir@mail.activedir.org
Sent: 10/19/06 5:29 PM
Subject: [ActiveDir] sysvol replication

Just a quick query on sysvol replication

we have put in place a strategy for delegation of the directory shared as netlogon 
by way of adding an ACE to the NTFS permissions

is it correct that on DCs running Windows 2000 SP4 a change in the NTFS
permissions will generate the change notifications such that the NTFS permission
change is replicated to all DCs ??

in terms of schedule for sysvol, does it use the schedule as determined by site 
link configuration ??

Thanks












RE: [ActiveDir] Lingering info following domain rename with rendom

2006-10-17 Thread Almeida Pinto, Jorge de
Tony,

Don't forget to rename the DCs as that is an additional action after the
domain rename

jorge

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, October 17, 2006 05:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lingering info following domain 
rename with rendom

Aha, the rendom /clean was what I hadn't run.  In typical 
fashion I ignored everything after /rendom /end (and 
GPFixUp). This is a lab environment after all :-)

Thanks Steve - it was driving me nuts.

Tony

-- Original Message --
From: Steve Linehan [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
Date:  Mon, 16 Oct 2006 20:10:15 -0700

Have you run the rendom /clean operation yet?  Also what is 
the output of netdom /enumerate:ALLNAMES ?


Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, October 16, 2006 9:19 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Lingering info following domain rename 
with rendom

Hi all

I've renamed a domain using the rendom utility.  All appears 
to have gone well, but I now get 5781 Netlogon errors in the 
System event log complaining that it can't register DNS 
records associated with the old domain.  This doesn't appear 
to affect anything, but I'm keen to know why this is happening.

The SRV records for the new domain name are all registered 
correctly (AD integrated DNS).

If I look in the netlogon.dns file I see records 
representing both the old domain name (let's say old.com) 
and the new domain name (new.com).

The old zone was AD integrated, so I've trawled through AD 
looking for references to the old zone, but I can't find 
anything.  I've looked in the following locations, but all 
seems normal, i.e. references to the new domain name.

CN=MicrosoftDNS,CN=System,DomainDN
DC=DomainDNSZones,DomainDN
DC=ForestDNSZones,DomainDN

I've tried clearing the server cache, but no joy.

I've tried deleting the netlogon.dns and netlogon.dnb and 
restarting the netlogon service, but that didn't help.  Each 
time the newly created netlogon.dns contains records 
corresponding to the old domain.

The netlogon log file (with debugging turned on) contains 
the following references to the old domain:

10/17 14:26:18 [DOMAIN] NlUpdateDnsRootAlias: Updating 
DnsDomainNameAlias from (null) to old.com
10/17 14:26:18 [DOMAIN] NlUpdateDnsRootAlias: Updating 
DnsForestNameAlias from (null) to old.com

Any thoughts on where the old domain information might be 
coming from?

Tony







RE: [ActiveDir] WAY WAY OT: I'm shareing the Best Kept Secret I know.

2006-10-17 Thread Almeida Pinto, Jorge de



1 nothing
2 nothing
3 nothing
4 nothing
5 nothing
6 nothing
7 nothing
8 nothing
9 nothing
10 nothing (just to be sure)

;-)

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fleming, Dave (DotComm)
  Sent: Tuesday, October 17, 2006 15:29
  Subject: [ActiveDir] I'm shareing the "Best Kept Secret" I know.
  
  
  Top Ten Things Men Understand About Women
  
  1.
  2.
  3.
  4.
  5.
  6.
  7.
  8.
  9.
  10.
  
  Dave Fleming
  Network Administrator
  Douglas-Omaha Technology Commission
  408 So. 18th St.
  Omaha NE 68102
  [EMAIL PROTECTED]
  (402) 444-6290
  



RE: [ActiveDir] Forest trust divestitures

2006-10-11 Thread Almeida Pinto, Jorge de



very very true

interim forests...
AND another part is responsibility... first it's mine and 
THEN it is yours (and there is very little to nothing in between). In other 
words... a clear hand-over moment.
Although the selling company is responsible for the first 
phase, the buying company should be involved in the first phase (although not 
leading) to be sure they know what they get and of course also how they get it. 
The buying company should set up requirements and discuss these with the selling 
company

jorge

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
  Sent: Tuesday, October 10, 2006 21:45
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Forest trust & divestitures
  
  
  If I were the security officer for Company B, I would have real issues with this 
  plan. 
  
  Most companies with sufficient understanding of AD Security would not want any of 
  their DCs placed in any location where the other company's network is still 
  active (i.e. DCs from company A and company B on the same network). That's 
  different in a merger, where the full IT infrastructure will be merged 
  anyway. But you're talking about a divestiture of a PART of a 
  company.
  
  The plan you're describing doesn't really scale well over time; not sure if 
  you're considering the issues you're experiencing during the migration: how long 
  are you willing to run forest B without PDC/RID etc.?
  
  What I've done in similar situations is to implement an interim forest. 
  
  Step 1: implement Interim Forest C in Company A's network; migrate objects and 
  resources from the divested BU over from Forest A to C. Test that the divested BU 
  works in Forest C and that other Company A BUs continue to work fine as well. 
  Potentially change the naming convention of objects to that of Company B during 
  the migration to Forest C. Troubleshoot as necessary.
  Step 2: when ready, separate the network of Forest C from Company A and integrate 
  it with the network from Company B.
  Step 3: with sufficient time for planning the integration, migrate objects and 
  resources from Forest C to B. If not done previously, adjust the naming 
  convention of objects during this migration.
  
  This sounds like a whole lot of extra work, but usually it pays off: it is the most 
  secure way to separate the divested part of the company and doesn't put either 
  company at (unwanted) risk. It also gives you more flexibility on when 
  to do which step and won't cause any issues with either of the operational 
  forests.
  
  /Guido
  
  /Guido
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harvey Kamangwitz
  Sent: Monday, October 09, 2006 7:58 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Forest trust & divestitures
  
  
  Hi all,

  I'm consulting on a divestiture, and naturally the companies want their respective AD forests to have the minimum amount of contact necessary to migrate the security principals in the divestiture from company A to company B. I wanted to sanity check with this brain trust that we can do a one-way forest trust in this firewalled situation. (They're going to use Quest Migration Manager for AD, and though technically it doesn't REQUIRE a one-way trust, the Quest SE says it's an order of magnitude easier. A one-way outgoing trust has been approved by the various security players so it can be done.)

  - ForestA (multiple domains) and ForestB (single domain). In the beginning, no communication between them.

  - ForestB DCs are physically landed at various Company A locations in pocket networks that can talk back to Company B, so they're healthy. Though they're at Company A, they are firewalled from A until D-day.
    All forest B pocket network DCs can talk to each other as well as back home.

  D-Day:

  - Transfer PDC and RID FSMOs to one of company B's pocket network DCs. (see next step for why.)

  - Firewall off communication to company B's network, and open up comm to company A's network.
    This will make for a temporarily unhappy company B forest, but it will be okay for the duration of the migration. More importantly, it'll make the PDC available on the company A network for the forest trust setup and the RID master also available to hand out more RIDs during the migration.
    There should now be a functional company B forest on company A's network (though it'll be complaining about missing DCs).

  - Configure DNS conditional forwarding in forest A to find forest B's pocket network DCs and vice versa.
    Would I have to set up forwarding on every DNS server in forestA? They have a lot of DCs.

  - Establish the forest trust from A to B.
    Would selective authentication on the trust protect the visibility of A's security principals? It's mainly designed to

RE: [ActiveDir] OT: Ello!

2006-10-10 Thread Almeida Pinto, Jorge de
sh!t..he found the list...and I hoped he would never find it
well... I guess it did not work when I told him it was something like edir.org
;-)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Paul van Geldrop
Sent: Tue 2006-10-10 17:37
To: ActiveDir
Subject: [ActiveDir] OT: Ello!


Ello!
 
Just thought I'd at least have the decency to announce my presence on this 
list. ;)
Joined today and looking forward to learning from all the grey matter 
frequenting this list!
 
Regards,
 
Paul



RE: [ActiveDir] finding users that password never expire.

2006-10-09 Thread Almeida Pinto, Jorge de




to search for accounts that HAVE the option "DONT_EXPIRE_PASSWORD" enabled:
ADFIND -bit -default -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=65536))"

and to use it with a saved query use as the LDAP filter:
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

with joe's ADFIND you can just specify AND or OR without the need to know the OID
OR is by the way: 1.2.840.113556.1.4.804

for the other values see:
MS-KBQ305144_How to Use the UserAccountControl Flags to Manipulate User Account Properties

jorge

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
  Sent: Monday, October 09, 2006 17:44
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] finding users that password never expire.
  
  Hello all,
  
  I had to dump all users in AD whose password never expires.
  I used the saved queries with this custom ldap query:
  useraccountcontrol=66048 which corresponds to the NORMAL_ACCOUNT & DONT_EXPIRE_PASSWORD properties flag.
  BUT I found that this search was not complete, because some users have other properties flags such as
  UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or
  UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED ... :(
  
  So the question is:
  How to search for user accounts that have at least the 
  DONT_EXPIRE_PASSWORD property flag set to their useraccountcontrol ?
  Is there a way to do it with a custom ldap query ?
  
  Thanks,
  
  Yann
  
  



RE: RE : RE: [ActiveDir] finding users that password never expire.

2006-10-09 Thread Almeida Pinto, Jorge de
userAccountControl=65536
check if all enabled options/bits (unique combination) represent a total of 
65536
 
userAccountControl:1.2.840.113556.1.4.803:=65536
check if only the option/bit represented by 65536 is enabled
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Yann
Sent: Mon 2006-10-09 20:24
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] finding users that password never expire.


Yes! Thanks, that works so well!! :o)
 
But many questions I have..
What is the difference between the query userAccountControl=65536 and 
(userAccountControl:1.2.840.113556.1.4.803:=65536)?
Why couldn't I find any results with my first query?
And how do you construct the :1.2.840.113556.1.4.803: part of the ldap query??
 
Thanks for your answer :)
 
Yann


Almeida Pinto, Jorge de [EMAIL PROTECTED] a écrit :

to search for accounts that HAVE the option DONT_EXPIRE_PASSWORD enabled:
ADFIND -bit -default -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=65536))"
 
and to use it with a saved query use as the LDAP filter:
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
 
with joe's ADFIND you can just specify AND or OR without the need to know the OID
OR is by the way: 1.2.840.113556.1.4.804
 
for the other values see:
MS-KBQ305144_How to Use the UserAccountControl Flags to Manipulate User Account Properties
 
jorge




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of 
Yann
Sent: Monday, October 09, 2006 17:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding users that password never expire.


Hello all,
 
I had to dump all users in AD whose password never expires.
I used the saved queries with this custom ldap query:
useraccountcontrol=66048 which corresponds to the NORMAL_ACCOUNT & 
DONT_EXPIRE_PASSWORD properties flag.
BUT I found that this search was not complete, because some 
users have other properties flags such as 
UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD 
or UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | 
UF_NOT_DELEGATED ... :(
 
So the question is:
How to search for user accounts that have at least the 
DONT_EXPIRE_PASSWORD property flag set to their useraccountcontrol ?
Is there a way to do it with a custom ldap query ?
 
Thanks,
 
Yann


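The two filters in Jorge's replies differ in how LDAP compares an integer attribute, which is what Yann's follow-up question is about. A plain `userAccountControl=66048` is an equality test on the whole value, so it only finds accounts whose entire flag set is exactly NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD. The extensible match `:1.2.840.113556.1.4.803:=65536` (LDAP_MATCHING_RULE_BIT_AND, ADFIND's `:AND:`) matches when every bit of the given value is set in the attribute, whatever other bits are also set; `:1.2.840.113556.1.4.804:` (LDAP_MATCHING_RULE_BIT_OR) matches when any of the given bits is set. The Python below is an added example, not code from the thread or from ADFIND: it evaluates those three forms of a filter term against a constructed set of accounts (the names and the `uac_term_matches`/`search` functions are the example's own; the UF_* values are the ones documented in the KB article Jorge cites) and shows why the equality query misses the disabled accounts that the bitwise filter finds.

```python
import re

# userAccountControl bit values, from MS KB 305144 (the article Jorge points to).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_NOT_DELEGATED = 0x100000

# Extensible-match rule OIDs for bitwise tests on integer attributes.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # ADFIND's ":AND:"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # ADFIND's ":OR:"

# Constructed sample accounts (sAMAccountName, userAccountControl), built from the
# flag combinations Yann listed; not real directory data.
SAMPLE_ACCOUNTS = [
    ("alice", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),                    # 66048
    ("bob", UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),  # 66050
    ("carol", UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED),
    ("dave", UF_NORMAL_ACCOUNT),                                             # password expires
    ("erin", UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED),
]

# One filter term: (userAccountControl=N) or (userAccountControl:<rule OID>:=N)
_TERM = re.compile(r"^\(userAccountControl(?::([\d.]+):)?=(\d+)\)$")


def uac_term_matches(term, uac):
    """Evaluate one userAccountControl filter term against an attribute value.

    No rule: plain integer equality, so 66048 only matches accounts whose whole
    flag set is exactly NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD.
    ...803 (BIT_AND): true when every bit of N is set in the attribute.
    ...804 (BIT_OR):  true when any bit of N is set in the attribute.
    """
    m = _TERM.match(term.strip())
    if not m:
        raise ValueError(f"unsupported filter term: {term!r}")
    rule, value = m.group(1), int(m.group(2))
    if rule is None:
        return uac == value
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return (uac & value) == value
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return (uac & value) != 0
    raise ValueError(f"unknown matching rule OID {rule}")


def search(term, accounts=SAMPLE_ACCOUNTS):
    """sAMAccountNames whose userAccountControl satisfies the term, in input order."""
    return [name for name, uac in accounts if uac_term_matches(term, uac)]


if __name__ == "__main__":
    for term in ("(userAccountControl=66048)",
                 f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:=65536)",
                 f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_OR}:={UF_ACCOUNTDISABLE})"):
        print(f"{term:<58} -> {search(term)}")
```

Running it shows the equality query returning only alice, while the BIT_AND query on 65536 returns alice, bob and carol; passing a combined value such as 65538 (DONT_EXPIRE_PASSWD | ACCOUNTDISABLE) to the BIT_AND rule narrows the result to accounts that have both bits set.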

RE: [ActiveDir] User account deletion

2006-10-06 Thread Almeida Pinto, Jorge de



by, you really cannot find it anymore when querying AD 
;-)

jorge

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Pohlschneider
  Sent: Friday, October 06, 2006 14:34
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] User account deletion
  
  
  Is there a way to tell if a user 
  account has been deleted?
  
  
  
  Thanks,
  
  
  Chris



RE: [ActiveDir] what is the meaning of OT in front of the subject

2006-10-05 Thread Almeida Pinto, Jorge de
OT = Off Topic

http://en.wikipedia.org/wiki/Off-topic

;-) 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, October 05, 2006 15:40
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] what is the meaning of OT in front 
of the subject

Some of the subjects have that OT preceding the subject, what's that?

Thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx





RE: [ActiveDir] MORE OT OT: wikis

2006-10-05 Thread Almeida Pinto, Jorge de
only 10 types of people understand binary...
one type does understand and the other type does not understand
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 2006-10-05 20:22
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis



Careful, I recall a math professor in my differential equations class or
maybe it was higher throwing a proof up on the board showing that 1 + 1 != 2
and it wasn't a numerical base trick

I didn't follow through it, I just closed my eyes and shook my head and
thought forward to my communications class as the sights were easier on the
eyes...

I still wonder why I went into a field with such a high ratio of men to
women... :)


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, October 05, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

999,998 + 2 = 1,000,000, not 100,000. ;-)

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Greg Nims
 Sent: Thursday, October 05, 2006 11:49 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: wikis


  It's funny how we quote wikis as definitive sources of information,
  when they can be edited by anyone and everyone :)
 
  Who vets the edits and how much does that person know about the
  subject matter??

 Anyone can edit, which is why they are generally correct. 
 When 100,000 people view a record, and 2 people want to
 change it to be incorrect,
 999,998 will want to correct it.

 I wouldn't use a wiki as a great historical or technical
 source.  But for encyclopedia entries, which give a good
 summation of a subject, they are great.







RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-05 Thread Almeida Pinto, Jorge de
are you by any chance trying to promote a R2 DC? If yes, use ADPREP from the 
SECOND CD from the R2 distribution set
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Steve Egan (Temp)
Sent: Thu 2006-10-05 22:25
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Major screwup on AD for my company - Can't install AD on 
remote server now



I'm the System/Network Engineer for Purcell Systems, and I'm afraid I've
screwed the pooch on my network. Here's how:

Shut down an antiquated FTP server after transferring files to the new
FTP server.  The old one's OS was Win2K, the new one is Win2003.

I *did not* do anything to AD at the time this occurred.

A day before I started working here (8/8/06) the server in Sweden was
rebuilt by a local consultant.  Hardware failure.  He rebuilt from bare
metal, and set up the DNS and AD incorrectly.  The end result was a
server sitting in its own domain.  DNS was somehow told to replicate to
the server, and was working fine.

I next tried to put/rename/move the Sweden server into the Purcell.com
domain.  Oops, have to upgrade out of Win2000 mixed mode.  No problem,
I'll just transfer the AD, DNS, and PDC to a master machine running
Win2003 and have lotsa machines (okay, one or two) running as PDCs and
alternate DNS and AD, right?

Here's where the pooch got this way - I'm a n00b when it comes to AD,
and somehow in the transfer of functions I've messed up the domain
something fierce.  AD and DNS work just fine (replicate) on the USA and
Poland servers, but I tried upgrading the Sweden server to the forest
and things got cranky - it wouldn't upgrade because it swore up and down
that the domain was still in pre-Win2003 mode.  In frustration, I tore
down DNS and AD on the Sweden server, and rebuilt them - not an easy
task by remote control...

The DNS rebuilt just peachy on the Sweden server, but when I go to
install AD on it, it tells me that the domain ain't ready for prime time
- I have to run adprep on the domain.  I ran adprep the first time, and
everything appeared to work just fine.  Subsequent attempts are rebuffed
- I've already prepared the domain, it tells me.  The Sweden server just
refuses to accept that the AD in the domain is Win2003 mode.  I've
checked - it's mode 2 on all the AD machines.  The necessary containers
for a Win2003 AD have been built!  SOMEthing is preventing the ADPREP
from executing properly.  Here's a partial log entry from the Sweden
server (adprep.log?):

10/05 01:34:26 [INFO] Searching for a domain controller for the domain PURCELLSYSTEMS.COM that contains the account PURCELLABSWE$
10/05 01:34:27 [INFO] Located domain controller FTP1.PURCELLSYSTEMS.COM for domain PURCELLSYSTEMS.COM
10/05 01:34:27 [INFO] Using site PURCELLSYSTEMS for server \\FTP1.PURCELLSYSTEMS.COM
10/05 01:34:27 [INFO] Forcing time sync
10/05 01:34:27 [INFO] Forcing a time synch with \\FTP1.PURCELLSYSTEMS.COM
10/05 01:34:29 [ERROR] Failed to get the current time on \\FTP1.PURCELLSYSTEMS.COM: 5
10/05 01:34:29 [ERROR] NON-FATAL error forcing a time sync (5). Ignoring
10/05 01:34:32 [INFO] Stopping service NETLOGON
10/05 01:34:32 [INFO] Stopping service NETLOGON
10/05 01:35:32 [INFO] Configuring service NETLOGON to 1 returned 0
10/05 01:35:32 [INFO] Stopped NETLOGON
10/05 01:35:32 [INFO] Deleting current sysvol path C:\WINDOWS\SYSVOL
10/05 01:35:36 [INFO] Created system volume path
10/05 01:35:36 [INFO] Copying initial Directory Service database file C:\WINDOWS\system32\ntds.dit to C:\WINDOWS\NTDS\ntds.dit
10/05 01:35:36 [INFO] Installing the Directory Service
10/05 01:35:36 [INFO] Calling NtdsInstall for PURCELLSYSTEMS.COM
10/05 01:35:36 [INFO] Starting Active Directory installation
10/05 01:35:36 [INFO] Validating user supplied options
10/05 01:35:36 [INFO] Determining a site in which to install
10/05 01:35:36 [INFO] Examining an existing Active Directory forest
10/05 01:35:40 [INFO] Error - The Active Directory Installation Wizard cannot continue because the forest is not prepared for installing Windows Server 2003. Use the Adprep command-line tool to prepare both the forest and the domain. For more information about using the Adprep, see Active Directory Help. (8467)
10/05 01:35:40 [INFO] NtdsInstall for PURCELLSYSTEMS.COM returned 8467
10/05 01:35:40 [INFO] DsRolepInstallDs returned 8467
10/05 01:35:40 [ERROR] Failed to install to Directory Service (8467)
10/05 01:35:49 [INFO] Starting service NETLOGON
10/05 01:35:49 [INFO] Configuring service NETLOGON to 2 returned 0
10/05 01:35:49 [INFO] The attempted domain controller operation has completed
10/05 01:35:49 [INFO] DsRolepSetOperationDone returned 0
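The log Steve pasted arrived with its records run together (each record starts at a `MM/DD HH:MM:SS [LEVEL]` stamp), which hides that it contains two separate problems: the time sync against FTP1 fails with Win32 status 5 (ERROR_ACCESS_DENIED) and is ignored, and the install itself fails with 8467 after the wizard finds the forest not prepared. The Python below is an added example, not a tool from the thread: it re-splits such a log at the record stamps, pulls the numeric status from each record, and lists the records that signal failure. `SAMPLE_LOG` reuses lines from the posted log in their run-together form; the function names are the example's own.

```python
import re

# A dcpromo/adprep log record begins with "MM/DD HH:MM:SS [LEVEL] ". In the log as
# pasted into the mail the newline between records was lost ("...NETLOGON10/05
# 01:34:32 [INFO] ..."), so records are split at the stamp with a lookahead,
# not at newlines.
_STAMP = r"\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[(?:INFO|ERROR)\]"
_SPLIT = re.compile("(?=" + _STAMP + ")")
_RECORD = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>INFO|ERROR)\] (?P<msg>.*)$", re.S)
# Status codes appear as "returned N", "(N)" or a trailing ": N".
_CODE = re.compile(r"returned (\d+)|\((\d+)\)|: (\d+)\s*$")

# Win32 status 5 is ERROR_ACCESS_DENIED. 8467 is what NtdsInstall returned; the
# wizard's own message in the log explains it (forest not prepared with adprep).
KNOWN_CODES = {0: "success", 5: "ERROR_ACCESS_DENIED"}

# Sample input: lines reused from the log Steve posted, kept in the run-together
# form it arrived in (an excerpt, not the whole log).
SAMPLE_LOG = (
    "10/05 01:34:27 [INFO] Forcing a time synch with "
    "\\\\FTP1.PURCELLSYSTEMS.COM10/05 01:34:29 [ERROR] Failed to get the "
    "current time on \\\\FTP1.PURCELLSYSTEMS.COM: 5\n"
    "10/05 01:34:29 [ERROR] NON-FATAL error forcing a time sync (5). Ignoring\n"
    "10/05 01:34:32 [INFO] Stopping service NETLOGON10/05 01:35:32 [INFO] "
    "Configuring service NETLOGON to 1 returned 0\n"
    "10/05 01:35:36 [INFO] Examining an existing Active Directory forest\n"
    "10/05 01:35:40 [INFO] Error - The Active Directory Installation Wizard "
    "cannot continue because the forest is not prepared for installing "
    "Windows Server 2003. Use the Adprep command-line tool to prepare both "
    "the forest and the domain. (8467)\n"
    "10/05 01:35:40 [INFO] NtdsInstall for PURCELLSYSTEMS.COM returned 8467\n"
    "10/05 01:35:40 [ERROR] Failed to install to Directory Service (8467)\n"
    "10/05 01:35:49 [INFO] DsRolepSetOperationDone returned 0"
)


def parse_records(text):
    """Return (timestamp, level, message, code) tuples; code is None when absent."""
    records = []
    for chunk in _SPLIT.split(text):
        chunk = chunk.strip()
        m = _RECORD.match(chunk)
        if not m:
            continue  # empty leading piece or a fragment that is not a record
        msg = " ".join(m.group("msg").split())  # undo mail-client line wrapping
        c = _CODE.search(msg)
        code = next((int(g) for g in c.groups() if g is not None), None) if c else None
        records.append((m.group("ts"), m.group("level"), msg, code))
    return records


def failures(text):
    """[ERROR] records plus any record that carries a non-zero status code."""
    return [r for r in parse_records(text) if r[1] == "ERROR" or r[3] not in (None, 0)]


def nonzero_codes(text):
    """Distinct non-zero status codes in first-seen order."""
    seen = []
    for _, _, _, code in parse_records(text):
        if code and code not in seen:
            seen.append(code)
    return seen


if __name__ == "__main__":
    for ts, level, msg, code in failures(SAMPLE_LOG):
        label = KNOWN_CODES.get(code, "see message")
        print(f"{ts} [{level}] code={code} ({label}): {msg[:70]}")
    print("distinct failure codes:", nonzero_codes(SAMPLE_LOG))
```

Feeding the full pasted log to `failures` separates the non-fatal access-denied time sync from the fatal 8467, which is the one Jorge's advice about running the R2 ADPREP addresses; the time-sync failure against FTP1 is worth following up on its own, since a promotion that cannot read the time from its helper DC is talking to a DC it lacks permission on.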

RE: [ActiveDir] Forest trusts

2006-10-03 Thread Almeida Pinto, Jorge de
Both forests can be connected to each other as long as within the
connected environment each domain name is unique (NetBIOS and DNS)...

So if you have a forest called DOMAIN.COM (NetBIOS = DOMAIN) and another
forest called SUB.DOMAIN.COM (NetBIOS = SUB) you can connect them to
each and setup trusts between the forests.

jorge

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Lev Zdenek
Sent: Tuesday, October 03, 2006 15:35
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Forest trusts 

Hello evr.
I have two independent forests.
Is it possible to trust forests which share a same name 
space. For example. I have domain in first forest domain.com 
and a domain in second forest my.domain.com. If not is it 
possible to migrate with some tools a domain my.domain.com 
to domain domain.com ?
Thx
Zdenek Lev




RE: [ActiveDir] Forest trusts

2006-10-03 Thread Almeida Pinto, Jorge de
That will also be possible as long as forest 2 does not also have a
DOMAIN.COM.

That is what I meant with:  
Both forests can be connected to each other as long as within the
connected environment each domain name is unique (NetBIOS and DNS)...

jorge

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Lev Zdenek
Sent: Tuesday, October 03, 2006 15:57
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts 

THX for your answer
and what about migration of SUB.DOMAIN.COM from forest 2 to 
forest 1 with domain DOMAIN.COM? Z.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of 
Almeida Pinto,
Jorge de
Sent: Tuesday, October 03, 2006 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts 

Both forests can be connected to each other as long as within the
connected environment each domain name is unique (NetBIOS and DNS)...

So if you have a forest called DOMAIN.COM (NetBIOS = DOMAIN) 
and another
forest called SUB.DOMAIN.COM (NetBIOS = SUB) you can connect them to
each and setup trusts between the forests.

jorge

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
Lev Zdenek
Sent: Tuesday, October 03, 2006 15:35
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Forest trusts 

Hello evr.
I have two independent forests.
Is it possible to trust forests which share a same name 
space. For example. I have domain in first forest domain.com 
and a domain in second forest my.domain.com. If not is it 
possible to migrate with some tools a domain my.domain.com 
to domain domain.com ?
Thx
Zdenek Lev




RE: [ActiveDir] Move all OU and USERS from one forest to another forest

2006-10-03 Thread Almeida Pinto, Jorge de
Have a look at:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/105.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/107.aspx

jorge 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, October 03, 2006 16:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Move all OU and USERS from one forest 
to another forest

Hi,

I am trying to build a testing environment.

I have the production forest and the testing forest, not 
connected at all.

Is there an easy way of creating all the same OUs and users 
from one forest in the other? Each forest only has one 
domain. Also, I'm only interested in moving some of the 
attributes, i.e. there is no MS Exchange in the testing 
environment so I don't care about Exchange attributes.

I was going to build a script that will read from 
production LDAP and create objects in the other one, but if 
there is already something like that, a tool or script, I 
would prefer to use it to save time.

Can I use ADAM for this?

Rezuma


RE: [ActiveDir] Group Policy Problem

2006-10-03 Thread Almeida Pinto, Jorge de



you are experiencing morphed folders within the SYSVOL.

see:

MS-KBQ328492_Folder Name Is Changed to FolderName_NTFRS_
MS-KBQ290762_Using the BurFlags registry key to reinitialize File Replication Service replica sets (depending on the situation this solution may need additional steps!!!)

use one of the solutions to resolve the problem. the first one mentioned is preferred.

jorge



  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lloyd Williams
  Sent: Tuesday, October 03, 2006 18:11
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Group Policy Problem
  
  
  The problem I am having with group policies has the following two symptoms:
  1) domain member computers are getting "windows cannot query for the list of group policy objects" in the event log
  2) When I try and edit group policies I get either access denied, or cannot write to something like

  C:\WINDOWS\SYSVOL\sysvol\Domain Name\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}

  It would seem the group policy contained in the {31B2F340-016D-11D2-945F-00C04FB984F9} folder is missing.

  There are several folders which are named similarly, i.e. {31B2F340-016D-11D2-945F-00C04FB984F9}_NTFRS_01ececf7

  I.e. they have NTFRS appended to them.

  I have tried to recreate the policy by running DCGPOFIX. It recreates the {31B2F340-016D-11D2-945F-00C04FB984F9} folder with the policy. But after a few seconds this folder gets an NTFRS appended to it and all the errors come back.

  It seems after recreating the group policy active directory just removes it. Has anyone experienced anything similar or have any suggestions? BTW I have about 4 DCs in the domain.
  
  Lloyd
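Before reinitialising the replica set with BurFlags, a defender will want an inventory of which GPO folders under SYSVOL\...\Policies have `_NTFRS_` copies and whether the original folder still exists, since that decides which of the two KB procedures applies and which copy holds the policy data worth keeping. The Python below is an added example, not code from the thread or the KB articles: `find_morphed_folders` groups folder names by the name NTFRS renamed them from, and `missing_originals` lists policies that survive only as morphed copies, which is the state Lloyd describes after DCGPOFIX. The directory listing is constructed for the example (the 31B2F340 GUID is the Default Domain Policy he named, 6AC1786C the Default Domain Controllers Policy, the third a made-up one); `scan_policies` reads a real Policies folder.

```python
import os
import re
from collections import defaultdict

# When FRS sees two folders with the same name it keeps one and renames the other
# to <name>_NTFRS_<8 hex digits> (MS KB 328492), e.g. the
# {31B2F340-016D-11D2-945F-00C04FB984F9}_NTFRS_01ececf7 in Lloyd's report.
MORPHED = re.compile(r"^(?P<orig>.+)_NTFRS_(?P<suffix>[0-9a-fA-F]{8})$")

# Constructed listing of a SYSVOL ...\Policies folder for the example (not Lloyd's
# actual server). {31B2F340-...} is the Default Domain Policy GUID he named.
SAMPLE_LISTING = [
    "{31B2F340-016D-11D2-945F-00C04FB984F9}_NTFRS_01ececf7",
    "{31B2F340-016D-11D2-945F-00C04FB984F9}_NTFRS_0a1b2c3d",
    "{6AC1786C-016F-11D2-945F-00C04fB984F9}",
    "{6AC1786C-016F-11D2-945F-00C04fB984F9}_NTFRS_00ff00ff",
    "{1D2E3F40-1111-2222-3333-444455556666}",
]


def scan_policies(policies_dir):
    """Folder names directly under a real Policies directory,
    e.g. C:\\WINDOWS\\SYSVOL\\sysvol\\<domain>\\Policies."""
    return [e.name for e in os.scandir(policies_dir) if e.is_dir()]


def find_morphed_folders(names):
    """Map each original folder name to the sorted list of its _NTFRS_ copies."""
    groups = defaultdict(list)
    for name in names:
        m = MORPHED.match(name)
        if m:
            groups[m.group("orig")].append(name)
    return {orig: sorted(copies) for orig, copies in groups.items()}


def missing_originals(names):
    """Originals that exist only as morphed copies: the GPO folder Lloyd sees disappear."""
    present = set(names)
    return sorted(o for o in find_morphed_folders(names) if o not in present)


def report(names):
    """One line per affected policy, stating whether the original folder is still there."""
    present = set(names)
    lines = []
    for orig, copies in sorted(find_morphed_folders(names).items()):
        state = "present" if orig in present else "MISSING"
        lines.append(f"{orig} [{state}] morphed copies: {', '.join(copies)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LISTING):
        print(line)
```

Run against every DC's SYSVOL (replace `SAMPLE_LISTING` with `scan_policies(path)`), the report shows whether the morphing is confined to one replica member or has already replicated, which is the first thing to establish before deciding between the KB 328492 rename procedure and a BurFlags reinitialisation.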



RE: [ActiveDir] Urgent DFS Configuration

2006-09-26 Thread Almeida Pinto, Jorge de



for some reason I missed this message

nope that will not work

in short:
you can create the DFS root on any server and it does not need to be the server hosting the data. DFS root servers are servers that manage the DFS namespace (root, links).
To create the root you need to have a shared folder on some server. THAT folder structure (as it will be a structure as soon as you create DFS links) represents the DFS namespace and does not host any data. The DFS links are references for a common path to one or multiple servers that host the same data

stand-alone roots:
* stored in registry
* are not fault tolerant (unless hosted on a cluster)
* do not support NTFRS replication
* support DFS-R replication on R2

domain roots:
* stored in AD
* are fault tolerant
* support NTFRS replication
* support DFS-R replication on R2

for more information see:
DFS Technical Reference
http://technet2.microsoft.com/WindowsServer/en/library/20ffb860-f802-455c-9ca2-5194f79a9eb41033.mspx?mfr=true

cheers,
jorge



  
  
  From: Ibarra, Juan [mailto:[EMAIL PROTECTED]
  Sent: Thursday, September 21, 2006 23:38
  To: undisclosed-recipients
  Subject: RE: [ActiveDir] Urgent DFS Configuration
  Importance: High
  
  
  I am trying to create a DFS server (if there is such a thing).
  On server one I create a DFS root called testdfs, it then asks for the location of the host server for this root. I then enter the server2 name. They are two separate servers and the reason behind it is so that users connect to server1 and not server2, but I guess this is not possible (as it is not working).

  How would I set up a dfs structure? I guess this should be my question.

  Don't I need to configure it on the server that has the data?
  
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
  Sent: Thursday, September 21, 2006 12:53 PM
  To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Urgent DFS Configuration
  
  
  
  OK, explain the following: "I am configuring server1 with a standalone root, when asked for the host server I enter server2"
  
  
  
  
  
  
  
  
  
  Met vriendelijke groeten / Kind regards,
  Ing. Jorge de Almeida Pinto
  Senior Infrastructure Consultant
  MVP Windows Server - Directory Services

  LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
  (   Tel : +31-(0)40-29.57.777
  (   Mobile : +31-(0)6-26.26.62.80
  *   E-mail : see sender address
  
  
  
  
  
  From: [EMAIL PROTECTED] on behalf of Ibarra, Juan
  Sent: Thu 2006-09-21 20:41
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Urgent DFS Configuration
  
  That would be 
  2.
  
  Juan
  
  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, September 21, 2006 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration

which server hosts the stand alone root? server 1 or 2?
  




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan
Sent: Thursday, September 21, 2006 17:34
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Urgent DFS Configuration
Importance: High

All,

I need some input on DFS.

I am trying to set up DFS on a file server, well in reality two. I am configuring server1 with a standalone root, when asked for the host server I enter server2 and select the share drive I want to use. I then create DFS links to subfolders and they create just fine.

The problem:
When I try to access the links I created I can't: Access Denied, even though I share the folders in advance with appropriate permissions, and of course at this point the security tab from the shares disappears. So I can't make changes, and when I go and try to open from DFS I get an error "Failed to launch explorer home at \\pathname". I also rebooted both servers and when they come up the DFS root is gone from server1 but remains on server 2 along with all the DFS links.

Please let me know what I am doing wrong.

Thanks,
Juan

  
  This e-mail and any 
  attachment is for authorised use by the intended recipient(s) only. It may 
  contain proprietary material, confidential information and/or be subject to 
  legal privilege. It should not be copied, disclosed to, retained or used by, 
  any other party. If you are not an intended recipient then please promptly 
  delete this e-mail and any attachment and all copies and inform the sender. 
  Thank you.


RE: [ActiveDir] SID History.

2006-09-25 Thread Almeida Pinto, Jorge de
to read on how the access token is built see:
http://download.microsoft.com/download/8/f/3/8f36dfe4-47d0-4775-ad5a-5614384921aa/AccessTokenLimitation.doc

authentication across domains depends on whether NTLM is used (external trusts) or kerberos is used (forest trusts and intra-forest transitive trusts)

sIDHistory just adds SIDs to the access token, after that the process is the same
 
jorge
 
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Mon 2006-09-25 19:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SID History.


Unfortunately that's not even close to what I was having issues with, Joe.

I'm more concerned with how tokens are created and whether they will by default query the old resource domains that haven't been migrated into the AD environment.

Theoretical situation: I am a member of 50 groups in my user domain, I'm accessing something in my user domain. We have 150 trusted resource domains where I have 6 group memberships in each through SID history. Is the GC/DC going to query all trusted domains for my memberships through SID history? (resource domains are all NT4 domains)

I'm assuming that it's not going to, because of how the authentication path works (resource server - user domain DC - user domain GC - resource server DC, resource server), but everything I've seen never really talks about SID History much.




On 9/24/06, joe [EMAIL PROTECTED] wrote: 

I would recommend poking through the MSDN security docs. It sounds like 
there is a break in understanding of how the SIDs are used in combination with 
the DACLS. 
 
Start here:
 

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/how_dacls_control_access_to_an_object.asp
 
but poke around that whole area. 
 
   joe
 
--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Thursday, September 21, 2006 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID History.



Conceptual situation:

User domain
Resource domain(s)

I bring all users into a single AD environment, bringing over SID History information.

Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token?

Mostly just looking at SID history impact between semi-active resource domains that are being decommissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.






RE: [ActiveDir] SID History.

2006-09-25 Thread Almeida Pinto, Jorge de
it does not need to mention that...

with sidhistory it just adds additional SIDs to the token where the same rules apply as mentioned in that doc

Example: I have a group that points a user's SID history as a ForeignSecurityPrinciple, then it will add in that object

nope if a user (AccDomA) is member of some group in another domain (ResDomA) and that user has been migrated to another domain (AccDomB) with the sidhistory of its previous domain (AccDomA), the access token will contain its new SID (AccDomA) and the sidhistory of the previous user (AccDomB). as soon as the user crosses the trust to access a resource protected by that same group, then the SID of that same group will be added (ResDomA)

In other words, if user addomain\user1234 is accessing a file that is on server fileserver.addomain.com and only ACLs to groups that are within the local domain that are AD native and those groups only have memberships for the local domain, then is his token going to include his memberships from NTResourcedomain42 and NTResourcedomain78 or just his memberships which reside within addomain.com?

only within the user's own domain.

if the user was in ADDOMAIN and the server in NTResDom78, then the SIDs of group memberships within domain NTResDom78 would be added to the list because the resource access was across a trust

the access token always includes all groups in the same domain as the user (including nesting within own domain) and all universal groups (direct or indirect membership) and eventual sidhistory values
it is on a need-to-know basis... imagine if it needed to ask the complete forest to see where group memberships existed. that would be a PITA as it needed to ask a DC for each domain in the forest for the domain local groups and to ask all member servers for local groups.
 
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Mon 2006-09-25 21:55
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SID History.


Yeah, read that document before.  It doesn't say whether it's going to go 
scanning domains for SID History memberships, so I have to assume that unless I 
have a group that points to a user's SID History SID within that AD environment 
(or in that authentication chain), then it's not going to add in more SIDs to 
the user's token. 

Example: I have a group that points a user's SID history as a 
ForeignSecurityPrinciple, then it will add in that object.

In other words, if user addomain\user1234 is accessing a file that is on server 
fileserver.addomain.com and only ACLs to groups that are within the local 
domain that are AD native and those groups only have memberships for the local 
domain, then is his token going to include his memberships from 
NTResourcedomain42 and NTResourcedomain78 or just his memberships which reside 
within addomain.com?




RE: [ActiveDir] Schema analyzer

2006-09-25 Thread Almeida Pinto, Jorge de
look at the ADAM help file and search for ADSchemaAnalyzer
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Ramon Linan
Sent: Mon 2006-09-25 22:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema analyzer




Hi,


I need to compare our current AD schema to the one that comes out of the box when you install windows 2003+MS exchange.

I have been told that Schema Analyzer, which comes with ADAM SP1, can do this... Has anyone done this before? I can figure out how to do it; can anyone lead me to a doc where I can learn how to do it?

Thanks

Rezuma
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx




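ADSchemaAnalyzer, the tool the reply points at, compares a target schema against a base schema interactively. The following is an added PowerShell example, not code from the thread or from ADAM, that does the name-level part of that comparison (which attributes and classes exist on one side only) from a saved baseline and the live forest. It assumes the ActiveDirectory PowerShell module, which is newer than this 2006 thread; the two sample lists are constructed and the baseline file name is a placeholder.

```powershell
# Added example, not from the thread. Name-level schema comparison: export
# "<objectClass>:<lDAPDisplayName>" for every attributeSchema/classSchema object,
# then diff a saved baseline against the current forest.
# Assumes the ActiveDirectory module; the sample lists below are constructed.

function Export-SchemaNames {
    # One line per attribute and class in the live schema, sorted for stable diffs
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $filter   = '(|(objectClass=attributeSchema)(objectClass=classSchema))'
    Get-ADObject -SearchBase $schemaNc -LDAPFilter $filter -Properties lDAPDisplayName, objectClass |
        ForEach-Object { '{0}:{1}' -f $_.objectClass, $_.lDAPDisplayName } |
        Sort-Object
}

function Compare-SchemaNames {
    # Reports names present on one side only; identical names are not reported.
    # Exchange's forestprep adds msExch-prefixed attributes and classes, so those
    # are tagged separately from everything else that differs.
    param(
        [Parameter(Mandatory)][string[]]$Baseline,
        [Parameter(Mandatory)][string[]]$Current
    )
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current | ForEach-Object {
        [pscustomobject]@{
            Name   = $_.InputObject
            Status = if ($_.SideIndicator -eq '=>') { 'AddedSinceBaseline' } else { 'MissingFromCurrent' }
            Origin = if ($_.InputObject -match ':msExch') { 'Exchange' } else { 'Other' }
        }
    }
}

# Constructed sample: a baseline taken from a fresh install, and a current forest after
# Exchange forestprep plus a home-grown extension were added
$baseline = 'attributeSchema:cn', 'attributeSchema:employeeID', 'classSchema:user'
$current  = 'attributeSchema:cn', 'attributeSchema:employeeID', 'attributeSchema:msExchHomeServerName',
            'classSchema:user', 'classSchema:contosoBadgeRecord'
Compare-SchemaNames -Baseline $baseline -Current $current | Format-Table -AutoSize

# Against real forests: run Export-SchemaNames once on a reference forest and keep the
# output, then on the forest under review:
#   Compare-SchemaNames -Baseline (Get-Content .\baseline-schema.txt) -Current (Export-SchemaNames)
```

With the constructed lists the report shows msExchHomeServerName tagged as Exchange and contosoBadgeRecord as Other, both AddedSinceBaseline. Unlike ADSchemaAnalyzer this only compares names, not the properties of each attribute (syntax, flags, linked-attribute IDs); it is a quick first pass to see what a forest carries beyond the default schema.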

RE: [ActiveDir] I'm Baaaaaaack!

2006-09-22 Thread Almeida Pinto, Jorge de




i do.. ;-)

See anything "random" here: Dèjì RANDOM Akómöláfé?



Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address


From: [EMAIL PROTECTED] on behalf of Akomolafe, Deji
Sent: Fri 2006-09-22 04:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I'm Baaack!


Not according to my birth certificate.

See anything "random" here: Dèjì Akómöláfé? Me neither ;-p



Sincerely,
Dèjì Akómöláfé
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Thu 9/21/2006 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I'm Baaack!

Random is Deji's middle name. :)



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, September 21, 2006 3:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I'm Baaack!

:) all this is very random


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 21, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I'm Baaack!

Yikes! Is it Halloween yet?





From: Rick Kingslan
Sent: Thu 9/21/2006 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] I'm Baaack!

Be afraid... Be very afraid! :-)



Rick




RE: [ActiveDir] Urgent DFS Configuration

2006-09-22 Thread Almeida Pinto, Jorge de








a stand alone root cannot have more than 1 root server (unless on a cluster). only a domain based root can have more than one root server

that is why I ask the Q below



Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address


From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Thu 2006-09-21 21:52
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration

OK, explain the following: "I am configuring server1 with a standalone root, when asked for the host server I enter server2"





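The rule this reply states (a stand-alone root has exactly one root server, only a domain-based root can have several) together with the properties of domain roots listed in the earlier reply at the top of this section (stored in AD, fault tolerant, NTFRS or DFS-R replicated), as an added PowerShell example. It is not code from the thread; it assumes the DFSN module that ships with Windows Server 2012 and later (or RSAT), which postdates this 2006 discussion, and the server, domain and share names are placeholders.

```powershell
# Added example, not from the thread. Checks a planned DFS root against the rule the
# replies state, then provisions a domain-based root with one root target per server.
# Assumes the DFSN module (Windows Server 2012+/RSAT); all names are placeholders.

function Get-UncHost {
    param([Parameter(Mandatory)][string]$Unc)
    # '\\server\share\sub' -> 'server'
    if ($Unc -notmatch '^\\\\([^\\]+)\\') { throw "Not a UNC path: $Unc" }
    return $Matches[1]
}

function Test-DfsnRootPlan {
    # $true when the (namespace path, root target) plan is allowed:
    #  - Standalone: exactly one root server (a cluster being the exception), and the
    #    root target share must sit on the very server the namespace path names
    #  - DomainV2:   any server can host a root target, and there may be several
    param(
        [Parameter(Mandatory)][ValidateSet('Standalone', 'DomainV2')][string]$Type,
        [Parameter(Mandatory)][string]$RootPath,
        [Parameter(Mandatory)][string[]]$TargetPath
    )
    if ($Type -eq 'Standalone') {
        if ($TargetPath.Count -ne 1) { return $false }
        return ((Get-UncHost $RootPath) -ieq (Get-UncHost $TargetPath[0]))
    }
    return $true
}

function New-DomainNamespace {
    # Domain-based root \\<domain>\<root> with one root target per server, plus one
    # folder (link) pointing at the data share. The target shares must already exist;
    # the root target shares stay empty, the data lives on whichever server has it.
    param(
        [Parameter(Mandatory)][string]$RootPath,       # e.g. \\contoso.com\testdfs
        [Parameter(Mandatory)][string[]]$TargetPath,   # e.g. \\server1\dfsroot, \\server2\dfsroot
        [Parameter(Mandatory)][string]$DataShare       # e.g. \\server2\Projects
    )
    if (-not (Test-DfsnRootPlan -Type DomainV2 -RootPath $RootPath -TargetPath $TargetPath)) {
        throw "Invalid root plan for $RootPath"
    }
    New-DfsnRoot -Path $RootPath -TargetPath $TargetPath[0] -Type DomainV2 | Out-Null
    foreach ($t in ($TargetPath | Select-Object -Skip 1)) {
        New-DfsnRootTarget -Path $RootPath -TargetPath $t | Out-Null
    }
    New-DfsnFolder -Path "$RootPath\Projects" -TargetPath $DataShare | Out-Null
    Get-DfsnRootTarget -Path $RootPath        # lists every root server of the namespace
}

# The plan from the thread: a stand-alone root named after server1, host share on server2
Test-DfsnRootPlan -Type Standalone -RootPath '\\server1\testdfs' -TargetPath '\\server2\dfsroot'
# A stand-alone root hosted on the server it is named after
Test-DfsnRootPlan -Type Standalone -RootPath '\\server2\testdfs' -TargetPath '\\server2\dfsroot'
# A domain-based root spanning both servers
Test-DfsnRootPlan -Type DomainV2 -RootPath '\\contoso.com\testdfs' -TargetPath '\\server1\dfsroot', '\\server2\dfsroot'
```

The first check returns $false, which is the configuration the replies ask about; the other two return $true. New-DomainNamespace is what gives users a single \\contoso.com\testdfs entry point that survives either server being down, which is what the original post was after.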






RE: [ActiveDir] Replication Metadata

2006-09-21 Thread Almeida Pinto, Jorge de






hey joe,

how about ADFIND with an attribute spellchecker? ;-)



Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address


From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 2006-09-21 03:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

;o) that would do it.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Isenhour, Joseph
Sent: Wednesday, September 20, 2006 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

Nevermind, I guess I should learn to spell the attribute name correctly. Works great, Thanks!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Isenhour, Joseph
Sent: Wednesday, September 20, 2006 8:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

Ok for some reason ADSI doesn't seem to like this attribute. I've tried vbscript and System.DirectoryServices.

In vbscript:
meta = group.GetEx("ms-DSReplValueMetaData")

In C#:
string[] meta = (string[])group.Properties["ms-DSReplValueMetaData"].Value;

The line in vbscript throws an error saying it can't be found in the dircache. The C# line doesn't throw an error but does not give me the xml either. I used dsquery against the same group and it gave me the xml.

Can you see what I'm doing wrong?

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, September 14, 2006 6:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

Yep, if vbscript you want the XML versions...

You should be able to do this in an hour... You just need to pick the right hour. ;o)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Isenhour, Joseph
Sent: Thursday, September 14, 2006 9:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

That's great info; thanks joe. I'll take a look at msDS-ReplValueMetaData and msDS-ReplAttributeMetaData. I'm trying to do this in a vbscript and avoid getting into any compiled solutions. I told my boss I could do this in an hour because I thought I could just use IADsTools, oopsie.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Thursday, September 14, 2006 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Metadata

I doubt that IADsTools was updated. They seemed to be trying to kill that as far back as 2001. I think it was someone's pet project and they went to another petting zoo to work... I know I found some time issues in it back then and some more later that I tried to get corrected and was wholly unsuccessful on both occasions.

But the answer is... There is additional metadata available now for looking at value level changes. The way IADsTools was probably getting the info (this is a guess, never saw the code) is through the attribute replPropertyMetaData but it very well could have been using the RPC based API call DsReplicaGetInfo.

Probably the simplest mechanism to use now are the attributes msDS-ReplAttributeMetaData and msDS-ReplValueMetaData which by default will return XML strings with the data. If you are equipped to handle it, you can instead make the calls much faster and pass less data on the wire by asking for the binary versions of those attributes by appending the ;binary modifier.

If you want to write DC API based code, you can use DsReplicateGetInfo2.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Isenhour, Joseph
Sent: Friday, September 08, 2006 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Metadata

I'm using Robbie Allens example for using IADSTools.DCFunctions to read group object meta data. I just realized that now that we've upgraded to 2003 I can no longer look at the member last changed field to determine when group membership last changed.

I know that RepAdmin can look at the individual group changes so there must be some updated API that I can use to do the same thing, I just can't seem to find it.

Can anyone point me in the right direction?

Thanks
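What joe describes (msDS-ReplValueMetaData returning one XML record per linked value of the group's member attribute) answers the original question once the XML is parsed, and the thread also shows the one thing that breaks it: spelling the attribute name wrong. The following is an added PowerShell example, not code from the thread; the XML records below are constructed to match the DS_REPL_VALUE_META_DATA element layout the DC returns, and the DNs, GUIDs and USNs in them are placeholders. The live-retrieval lines assume the ActiveDirectory module, which is newer than this 2006 thread.

```powershell
# Added example, not from the thread. Parses the XML that msDS-ReplValueMetaData returns
# for a group (one <DS_REPL_VALUE_META_DATA> element per linked 'member' value) and
# reports when each member was added or removed and on which DC the change originated.
# The sample records below are constructed; DNs, GUIDs and USNs are placeholders.

function Get-MemberChangeHistory {
    param([Parameter(Mandatory)][string[]]$MetadataXml)
    foreach ($entry in $MetadataXml) {
        $m = ([xml]$entry).DS_REPL_VALUE_META_DATA
        if ($m.pszAttributeName -ne 'member') { continue }
        # A live link carries the zero FILETIME (1601-01-01) in ftimeDeleted; a real
        # timestamp means the member was removed and the link is now a tombstone.
        $deleted = ([datetime]$m.ftimeDeleted).ToUniversalTime()
        $isRemoved = $deleted.Year -gt 1601
        [pscustomobject]@{
            Member        = $m.pszObjectDn
            State         = if ($isRemoved) { 'Removed' } else { 'Present' }
            RemovedUtc    = if ($isRemoved) { $deleted } else { $null }
            LastChangeUtc = ([datetime]$m.ftimeLastOriginatingChange).ToUniversalTime()
            Version       = [int]$m.dwVersion
            OriginatingDc = ($m.pszLastOriginatingDsaDN -split ',')[1] -replace '^CN='
        }
    }
}

# Constructed sample: Alice is a current member; Bob was removed on 2006-09-20.
$sampleXml = @(
    '<DS_REPL_VALUE_META_DATA><pszAttributeName>member</pszAttributeName><pszObjectDn>CN=Alice,OU=Users,DC=example,DC=com</pszObjectDn><dwVersion>1</dwVersion><ftimeDeleted>1601-01-01T00:00:00Z</ftimeDeleted><ftimeCreated>2006-09-14T10:02:11Z</ftimeCreated><ftimeLastOriginatingChange>2006-09-14T10:02:11Z</ftimeLastOriginatingChange><uuidLastOriginatingDsaInvocationID>00000000-0000-0000-0000-000000000001</uuidLastOriginatingDsaInvocationID><usnOriginatingChange>40123</usnOriginatingChange><usnLocalChange>40123</usnLocalChange><pszLastOriginatingDsaDN>CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com</pszLastOriginatingDsaDN></DS_REPL_VALUE_META_DATA>',
    '<DS_REPL_VALUE_META_DATA><pszAttributeName>member</pszAttributeName><pszObjectDn>CN=Bob,OU=Users,DC=example,DC=com</pszObjectDn><dwVersion>2</dwVersion><ftimeDeleted>2006-09-20T15:44:00Z</ftimeDeleted><ftimeCreated>2006-09-14T10:02:11Z</ftimeCreated><ftimeLastOriginatingChange>2006-09-20T15:44:00Z</ftimeLastOriginatingChange><uuidLastOriginatingDsaInvocationID>00000000-0000-0000-0000-000000000002</uuidLastOriginatingDsaInvocationID><usnOriginatingChange>40987</usnOriginatingChange><usnLocalChange>41002</usnLocalChange><pszLastOriginatingDsaDN>CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com</pszLastOriginatingDsaDN></DS_REPL_VALUE_META_DATA>'
)
Get-MemberChangeHistory -MetadataXml $sampleXml | Format-Table -AutoSize

# Live, against a DC (ActiveDirectory module). Note the spelling the thread trips over:
# the attribute is msDS-ReplValueMetaData, not ms-DSReplValueMetaData.
#   $xml = (Get-ADGroup 'Finance' -Properties 'msDS-ReplValueMetaData').'msDS-ReplValueMetaData'
#   Get-MemberChangeHistory -MetadataXml $xml
```

Run on the sample, the table shows Alice as Present (last change 2006-09-14 on DC1) and Bob as Removed at 2006-09-20 15:44 UTC on DC2. Because the metadata records the originating DC and USN, the same parse tells you where a membership change was made, which is the detail an investigator wants when a privileged group changes unexpectedly. On Windows Server 2012 and later the cmdlet Get-ADReplicationAttributeMetadata with -ShowAllLinkedValues returns the same records already parsed.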

RE: [ActiveDir] How are folks setting hidden user attribs?

2006-09-21 Thread Almeida Pinto, Jorge de
where is the [ActiveDir] part in the subject... (there goes my Outlook filter) 
;-)
 
for attribs not shown in the ADUC GUI, you can extend the GUI (search the 
archives for the MSDN link that shows how to do this) or you can add a VBS 
script to READ or WRITE the attribs. One of the examples can be found here: 
http://www.kouti.com/scripts.htm
search for employeeID.vbs
this of course also applies to other attribs
 
cheers,
jorge
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Alex Fontana
Sent: Thu 2006-09-21 09:03
To: ActiveDir@mail.activedir.org
Subject: How are folks setting hidden user attribs?



Hey guys, 

 

I'm curious how people are populating attributes such as employeeid, 
employeetype, etc, specifically when creating\modifying accounts using the GUI 
(ADUC)?  Besides me writing something to populate the fields what other 
resources do I have to allow other selected users (account creators) to 
populate these fields?

 

TIA

 

-alex



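The reply offers two routes for attributes ADUC does not show: extend the GUI, or script the reads and writes. What the original question also asks is how to let selected account creators populate those fields themselves, which is a delegation question. The following is an added PowerShell example, not code from the thread or from the kouti.com script it links: it grants a group write access to just employeeID and employeeType on user objects under one OU, verifies the grant, and shows the delegated user setting the values. It assumes the ActiveDirectory module and its AD: drive, both newer than this 2006 thread; the OU, group and user names are placeholders.

```powershell
# Added example, not from the thread. Delegates write access to two attributes only
# (employeeID, employeeType), on user objects only, under one OU, to one group.
# Assumes the ActiveDirectory module and its AD: drive; all names are placeholders.

function Get-SchemaIdGuid {
    # Property-specific ACEs are keyed on the attribute's (or class's) schemaIDGUID
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "No schema object named $LdapDisplayName" }
    return [guid]$obj.schemaIDGUID
}

function Grant-UserAttributeWrite {
    param(
        [Parameter(Mandatory)][string]$OuDn,          # e.g. OU=Staff,DC=example,DC=com
        [Parameter(Mandatory)][string]$Group,         # e.g. EXAMPLE\AccountCreators
        [Parameter(Mandatory)][string[]]$Attribute    # e.g. employeeID, employeeType
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate([System.Security.Principal.SecurityIdentifier])
    $userClass = Get-SchemaIdGuid 'user'
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($name in $Attribute) {
        $attrGuid = Get-SchemaIdGuid $name
        # Read+Write of this one property, inherited by descendant user objects only;
        # nothing else on the OU or on the users becomes writable for the group
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
            [System.Security.AccessControl.AccessControlType]::Allow,
            $attrGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $userClass)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-UserAttributeWriteGrants {
    # Verification: the property-specific ACEs the group holds on the OU
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)][string]$Group)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $Group -and $_.ObjectType -ne [guid]::Empty } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

# As a domain admin, once:
#   Grant-UserAttributeWrite -OuDn 'OU=Staff,DC=example,DC=com' -Group 'EXAMPLE\AccountCreators' -Attribute employeeID, employeeType
#   Get-UserAttributeWriteGrants -OuDn 'OU=Staff,DC=example,DC=com' -Group 'EXAMPLE\AccountCreators'
# As a member of EXAMPLE\AccountCreators afterwards:
#   Set-ADUser -Identity jdoe -EmployeeID 'E12345' -Replace @{ employeeType = 'Contractor' }
```

Scoping the ACE by attribute GUID and by inherited object class is what keeps this least-privilege: the group gets no write on the user object as a whole, so it cannot change group memberships, passwords or the account's enabled state. The verification function should list exactly two ACEs per granted attribute's GUID for the group and nothing with an empty ObjectType.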

RE: [ActiveDir] Urgent DFS Configuration

2006-09-21 Thread Almeida Pinto, Jorge de



which server hosts the stand alone root? server 1 or 2?

  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ibarra, Juan
Sent: Thursday, September 21, 2006 17:34
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Urgent DFS Configuration
Importance: High

All,

I need some input on DFS.

I am trying to set up DFS on a file server, well in reality two. I am configuring server1 with a standalone root, when asked for the host server I enter server2 and select the share drive I want to use. I then create DFS links to subfolders and they create just fine.

The problem:
When I try to access the links I created I can't: Access Denied, even though I share the folders in advance with appropriate permissions, and of course at this point the security tab from the shares disappears. So I can't make changes, and when I go and try to open from DFS I get an error "Failed to launch explorer home at \\pathname". I also rebooted both servers and when they come up the DFS root is gone from server1 but remains on server 2 along with all the DFS links.

Please let me know what I am doing wrong.

Thanks,
Juan
  



RE: [ActiveDir] Urgent DFS Configuration

2006-09-21 Thread Almeida Pinto, Jorge de







OK, explain the following: "I am configuring server1 with a standalone root, when asked for the host server I enter server2"





Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address


From: [EMAIL PROTECTED] on behalf of Ibarra, Juan
Sent: Thu 2006-09-21 20:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgent DFS Configuration

That would be 2.

Juan











RE: [ActiveDir] SID History.

2006-09-21 Thread Almeida Pinto, Jorge de




not sure if this is the answer to your Q (not clear what you mean), but let's give it a try...

if you migrate a user with sidhistory, it will not include the group memberships of the object in the source domain just because the user's old sid is in sidhistory. if you need to have the group memberships as well, you need to migrate the groups to preserve the group membership and to preserve the access to resources protected by those groups you need to include the sidhistory as well during migration

is this the answer?



Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address


From: [EMAIL PROTECTED] on behalf of Matt Hargraves
Sent: Thu 2006-09-21 22:58
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID History.

Conceptual situation:

User domain
Resource domain(s)

I bring all users into a single AD environment, bringing over SID History information.

Now I start moving over file servers from the resource domain to the AD environment. One of the file servers has groups ACL'd from the resource domain. When the server goes to check for access rights, will it pull over *all* group memberships from the appropriate resource domain or simply pull over the single group membership and append that to the user's token?

Mostly just looking at SID history impact between semi-active resource domains that are being decommissioned and current domains. Microsoft's site mostly seems to point to groups that are pointing to SID history objects that are within the AD environment, not cross-domain SID history impact.
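The token-building rules from Jorge's 2006-09-25 reply earlier in this thread (the token always holds the user's own-domain groups with nesting, all universal groups and the sIDHistory values; a resource domain's groups are added only when a trust is crossed; nobody asks every trusted domain at logon) and the point in this reply that sIDHistory on the user does not carry the groups themselves, which have to be migrated with their own sIDHistory, as one added PowerShell model. This is not code from the thread or from Windows: every domain, group, user and SID is constructed, and the functions are a simplification of what a DC does (no NTLM/Kerberos detail, no machine-local groups).

```powershell
# Added example, not from the thread: a constructed model of the token-building rules
# the replies describe. All names and SIDs below are made up.

# Groups: Domain, Scope, Sid, Members (SIDs of users or groups), SidHistory
$Groups = @(
    @{ Name = 'GG-Finance';   Domain = 'AccDomB'; Scope = 'Global';      Sid = 'S-1-5-21-2-2-2-2001'; Members = @('S-1-5-21-2-2-2-1105'); SidHistory = @() }
    @{ Name = 'GG-All';       Domain = 'AccDomB'; Scope = 'Global';      Sid = 'S-1-5-21-2-2-2-2002'; Members = @('S-1-5-21-2-2-2-2001'); SidHistory = @() }  # nested: contains GG-Finance
    @{ Name = 'UG-Forest';    Domain = 'ForestD'; Scope = 'Universal';   Sid = 'S-1-5-21-3-3-3-5001'; Members = @('S-1-5-21-2-2-2-2001'); SidHistory = @() }  # universal group in another forest domain
    @{ Name = 'DL-FileShare'; Domain = 'ResDomA'; Scope = 'DomainLocal'; Sid = 'S-1-5-21-9-9-9-1010'; Members = @('S-1-5-21-1-1-1-1105'); SidHistory = @() }  # NT4 resource domain group holding the user's OLD SID
)

# user1234 was migrated from AccDomA to AccDomB; the old SID was kept in sIDHistory
$User = @{ Name = 'user1234'; Domain = 'AccDomB'; Sid = 'S-1-5-21-2-2-2-1105'; SidHistory = @('S-1-5-21-1-1-1-1105') }

function Expand-GroupSids {
    # Transitive closure over $Candidates only: any candidate group that contains a SID
    # already in the set is added (together with its own sIDHistory) until nothing changes.
    param([string[]]$Seed, [object[]]$Candidates)
    $have = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($s in $Seed) { [void]$have.Add($s) }
    do {
        $added = $false
        foreach ($g in $Candidates) {
            if ($have.Contains($g.Sid)) { continue }
            foreach ($m in $g.Members) {
                if ($have.Contains($m)) {
                    [void]$have.Add($g.Sid)
                    foreach ($h in $g.SidHistory) { [void]$have.Add($h) }
                    $added = $true
                    break
                }
            }
        }
    } while ($added)
    return [string[]]($have | Sort-Object)
}

function New-LogonToken {
    # What the user's own DC (with a GC) puts in the token at logon: the user's SID and
    # sIDHistory, every group in the user's own domain (nesting included) and every
    # universal group in the forest. Trusted NT4 resource domains are never consulted.
    param($User, [object[]]$Groups)
    $scope = @($Groups | Where-Object { $_.Domain -eq $User.Domain -or $_.Scope -eq 'Universal' })
    Expand-GroupSids -Seed (@($User.Sid) + $User.SidHistory) -Candidates $scope
}

function Get-ResourceToken {
    # On access across a trust, the resource domain's DC appends its own domain-local
    # groups that contain any SID already in the token; sIDHistory values count.
    param([string[]]$LogonToken, [string]$ResourceDomain, [object[]]$Groups)
    $scope = @($Groups | Where-Object { $_.Domain -eq $ResourceDomain -and $_.Scope -eq 'DomainLocal' })
    Expand-GroupSids -Seed $LogonToken -Candidates $scope
}

$aclSid = 'S-1-5-21-9-9-9-1010'   # the NT4 resource group named in the file server's ACL

$logon       = New-LogonToken -User $User -Groups $Groups
$inOwnDomain = Get-ResourceToken -LogonToken $logon -ResourceDomain 'AccDomB' -Groups $Groups
$acrossTrust = Get-ResourceToken -LogonToken $logon -ResourceDomain 'ResDomA' -Groups $Groups

"at logon, token carries the ResDomA group:          $($logon -contains $aclSid)"
"for a file in the user's own domain:                $($inOwnDomain -contains $aclSid)"
"for a file in ResDomA (across the trust):           $($acrossTrust -contains $aclSid)"

# The migration step from the reply above: the group itself is migrated into AccDomB,
# its old SID kept in the group's sIDHistory and its membership re-created, so the
# file server's ACL still matches after ResDomA is decommissioned.
$migratedGroup = @{ Name = 'DL-FileShare'; Domain = 'AccDomB'; Scope = 'DomainLocal'; Sid = 'S-1-5-21-2-2-2-3010'; Members = @($User.Sid); SidHistory = @($aclSid) }
$logonAfter = New-LogonToken -User $User -Groups ($Groups + $migratedGroup)
"after migrating the group, logon token carries it:   $($logonAfter -contains $aclSid)"
```

The first and second lines print False: at logon, and for a file in the user's own domain, nothing from ResDomA is looked up, which is the "need to know" point in the earlier reply. The third prints True because ResDomA's DC matched the user's old SID (from sIDHistory) against its domain-local group. The last prints True without any trust being crossed: once the group carries the old SID in its own sIDHistory, the ACL keeps working after the NT4 domain is gone, which is why the reply says the groups must be migrated with sIDHistory too.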



RE: [ActiveDir] Assign User rights overs computers with AD

2006-09-20 Thread Almeida Pinto, Jorge de
Hi Alberto,
 
Use the restricted groups feature in a GPO
 
For the group ADMINISTRATORS define/dictate which groups/users MUST/SHOULD 
(e.g. Domain Admins, and local administrator) be in the group ADMINISTRATORS. 
Everyone else not defined will not be listed and if defined prior to the 
configuration of the GPO will be kicked out
 
jorge
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Alberto Oviedo
Sent: Wed 2006-09-20 14:57
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Assign User rights overs computers with AD


Hello. My name is Alberto, I'm from Nicaragua.

In our company the support team has granted every user administrator rights over their workstation. We recently migrated to Windows 2003 AD and I want to revoke the privileges that users have on their computers. Can I do this through AD? It's around 300 users and I don't want to visit every single one of them.

Thanks for your help.
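An added PowerShell example (not from the list post) for the situation above: before the Restricted Groups policy removes everyone who is not on the list, audit which workstations in an OU still carry extra members in the local Administrators group, so the drift can be reviewed first. The OU path, the output file and the allow-list (Domain Admins plus the machine-local Administrator) are assumptions.

```powershell
# Added example, not from the list post. Requires RSAT (ActiveDirectory module)
# on the management host and PowerShell Remoting on the workstations.
Import-Module ActiveDirectory

$ou = 'OU=Workstations,DC=example,DC=com'   # assumption: OU holding the ~300 workstations

# Principals that Restricted Groups will keep in BUILTIN\Administrators (S-1-5-32-544):
# the domain's Domain Admins (RID 512) and the machine-local Administrator (RID 500 of
# the *machine* SID). Everything else is reported as drift.
$domainSid   = (Get-ADDomain).DomainSID.Value
$allowedSids = @("$domainSid-512")

$computers = Get-ADComputer -SearchBase $ou -Filter 'Enabled -eq $true' |
             Select-Object -ExpandProperty Name

$report = foreach ($c in $computers) {
    try {
        # Get-LocalGroupMember (PowerShell 5.1+) runs on the remote machine; the SID is
        # converted to a string there so it survives remoting serialization.
        $members = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -SID 'S-1-5-32-544' |
                Select-Object Name, ObjectClass, @{ n = 'Sid'; e = { $_.SID.Value } }
        }
    } catch {
        [pscustomobject]@{ Computer = $c; Member = $null; Sid = $null
                           Status = "unreachable: $($_.Exception.Message)" }
        continue
    }
    foreach ($m in $members) {
        # Local Administrator = <machine SID>-500; the domain's -500 account is not exempt.
        $isLocalAdmin = ($m.Sid -match '-500$') -and ($m.Sid -notlike "$domainSid-*")
        if (-not ($isLocalAdmin -or ($allowedSids -contains $m.Sid))) {
            [pscustomobject]@{ Computer = $c; Member = $m.Name; Sid = $m.Sid
                               Status = 'will be removed by Restricted Groups' }
        }
    }
}

$report | Sort-Object Computer | Format-Table -AutoSize
$report | Export-Csv -Path '.\local-admin-drift.csv' -NoTypeInformation   # assumption: output path
```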




RE: [ActiveDir] AD and static DNS

2006-09-20 Thread Almeida Pinto, Jorge de
Each DC has two GUIDs...
* the objectGUID identifies the DC itself and is used for replication. That is 
also the GUID that is registered in _MSDCS. This value can be found in the 
attribute called objectGUID on the NTDS Settings object that is owned by the 
DC. This GUID is created when promoting the server to a DC and is destroyed 
when demoting to server. So as long as the DC is a DC this GUID remains
* the Invocation ID identifies the database instance on the DC and is used to 
record originating updates, which means on which database instance was 
something added or changed. This value can be found in the attribute called 
Invocation ID on the NTDS Settings object that is owned by the DC. This GUID 
is created when promoting the server to a DC and is initially the same as the 
objectGUID. The invocation ID changes as soon as the DC is restored from a 
backup USING A SUPPORTED AD AWARE BACKUP MECHANISM or when an application 
partition is instantiated.
 
all service records that are registered by the DC are stored in the NETLOGON.DNS 
file (located in %WINDIR%\System32\Config). That file can be used to import 
data into DNS
 
Cheers,
Jorge
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 2006-09-20 21:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD and static DNS



Does the GUID used for a DC change when the server is brought up through 
dcpromo, or does it remain the same as the base OS install. That is, can I take 
the current GUID and use it to prefill my static BIND records, or do I need to 
do the dcpromo and then create the records? 

Thanks, 
Andrew Fidel
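An added PowerShell example (not from the list post) that checks what Jorge describes: for every DC it reads objectGUID and invocationId from the NTDS Settings object, flags DCs whose invocation ID has diverged (restored from backup or instantiated an application partition), and verifies that the objectGUID-based CNAME in _msdcs resolves to the DC. Everything is taken from the RootDSE and the forest; no names are assumed.

```powershell
# Added example, not from the list post. Run on a domain-joined host with RSAT.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$forestDns = (Get-ADForest).RootDomain      # _msdcs.<forest root> holds the replication CNAMEs
$sitesDn   = "CN=Sites,$($rootDse.configurationNamingContext)"

# Every NTDS Settings object in the forest (nTDSDSA; RODCs use a subclass and match too).
$ntdsObjects = Get-ADObject -SearchBase $sitesDn -LDAPFilter '(objectClass=nTDSDSA)' -Properties objectGUID, invocationId

$results = foreach ($ntds in $ntdsObjects) {
    # NTDS Settings sits directly under the server object: CN=NTDS Settings,CN=<server>,...
    $serverDn = ($ntds.DistinguishedName -split ',', 2)[1]
    $dcName   = (Get-ADObject -Identity $serverDn -Properties dNSHostName).dNSHostName

    $objGuid = [guid]$ntds.objectGUID                     # DC identity used for replication
    $invId   = [guid]::new([byte[]]$ntds.invocationId)    # database-instance identity

    # The record the DC registers for replication partners: <objectGUID>._msdcs.<forest> CNAME <FQDN>
    $cnameName = "$objGuid._msdcs.$forestDns"
    try {
        $cname = (Resolve-DnsName -Name $cnameName -Type CNAME -ErrorAction Stop).NameHost
    } catch {
        $cname = $null
    }

    [pscustomobject]@{
        DC            = $dcName
        ObjectGUID    = $objGuid
        InvocationId  = $invId
        InvIdDiverged = ($objGuid -ne $invId)       # $true once restored / app partition added
        MsdcsCname    = $cname
        CnameOk       = [bool]($cname -and ($cname -ieq $dcName))
    }
}

$results | Format-Table -AutoSize
```

A DC with InvIdDiverged set is expected after a supported restore; a DC with CnameOk false is the case to investigate, since its replication partners locate it through that CNAME.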



RE: [ActiveDir] Ad Reporting Tools

2006-09-18 Thread Almeida Pinto, Jorge de



my first and simple thought is: OLDCMP from joeware.net

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
  Sent: Monday, September 18, 2006 12:04
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Ad Reporting Tools

  Folks,

  I am struggling with a fairly simple request. We would like a simple report 
  that lists how many PC's there are in each OU into an Excel Spreadsheet. Well 
  I have managed to do this with CSVDE and the summary report in Excel. Is there 
  a better (low cost) solution?

  Dave Wade
  E-Services
  0161 474 5456
  



RE: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Almeida Pinto, Jorge de



> Al - we are designing a forest with regional domains (don't ask!) and one 
> region has suggested it needs to split from this forest since elevating rights 
> in any regional domain from DA to EA (forest wide) is 'simple' [and this would 
> break the admin / support model].

What is being said is very very true. Either you trust ALL Domain Admins (no 
matter the domain those are in) or you do not trust ANY! Every Domain Admin or 
ANY person with physical access to a DC has the possibility to turn the 
complete forest into crap!
Because if that was NOT the case the DOMAIN would be the security boundary. 
Unfortunately it is not! The Forest is the security boundary, whereas EVERY 
single DC in the forest MUST be protected and EVERY Domain Admin MUST be 
trusted!

> I am arguing that it is not simple and am looking for methods which may be 
> used to elevate rights as per the above

When you know HOW, it is as easy as taking candy from a baby

jorge


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Friday, September 15, 2006 09:36
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Elevating privileges from DA to EA

  Thanks for responses, all.

  Al - we are designing a forest with regional domains (don't ask!) and one 
  region has suggested it needs to split from this forest since elevating rights 
  in any regional domain from DA to EA (forest wide) is 'simple' [and this would 
  break the admin / support model].

  I am arguing that it is not simple and am looking for methods which may be 
  used to elevate rights as per the above.

  Make sense?

  neil

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: 14 September 2006 20:59
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Elevating privileges from DA to EA

  Can you reword? I'm not sure I clearly understand the question. FWIW, going 
  from DA to EA is a matter of adding one's id to the EA group. DA's have that 
  right in the root domain of the forest (DA's of the root domain have that 
  right). Editing etc. is not necessary. Nor are key-loggers etc. If physical 
  access is available, there are plenty of ways to get the access you require 
  to a domain but I suspect you're asking how can a DA from a child domain gain 
  EA access; is that the question you're looking to answer? Just for curiosity, 
  what brings up that question?

  Al

  On 9/14/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

It has been suggested by certain parties here that elevating one's rights from 
DA to EA is 'simple'. 
I have suggested that whilst it's possible it is not simple at all. 
Does anyone have any descriptions of methods / backdoors / workarounds etc that 
can be used to elevate rights in this way? Naturally, you may prefer to send 
this to me offline :) [[EMAIL PROTECTED]]
I can think of the following basic methods: 
- Remove DC disks and edit offline 
- Introduce key logger on admin workstation / DC 
- Inject code into lsass 
As you can see, I don't want specific steps to 'hack' the DC, just basic ideas 
/ methods. 
Thanks, neil 

RE: [ActiveDir] Any impacts to domain controller when changingits IP?

2006-09-15 Thread Almeida Pinto, Jorge de



I knew that, I just preferred him to say it for himself... ;-)
(BY THE WAY: Mark, did you go to the game?)

it is also possible to rename a W2K3 DC when not in DFL=W2K3 (thus DFL=W2K 
native/mixed) AND it is supported! ;-)
However, what Guido is saying IS preferred because it is a multiple step 
approach and does not cause the issues the other method does cause

see:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/19/109.aspx
jorge

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
  Sent: Thursday, September 14, 2006 17:56
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Any impacts to domain controller when changingits IP?

  Yep, that was Win2k – once you’ve reached Win2k3 domain functional level, you 
  can start adding another name to your DC, make it primary, reboot, ensure 
  everything replicates well and registers in DNS, then remove the old name. 
  Use NETDOM to do so.

  /Guido

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
  Sent: Thursday, September 14, 2006 4:50 PM
  To: ActiveDir@mail.activedir.org; ActiveDir.org
  Subject: RE: [ActiveDir] Any impacts to domain controller when changingits IP?

  > If you want to change the computer name you need to DEMOTE the server

  isn't that for w2k only? (he's got w2k3)
  
  
  
  
  
  
  
  Met vriendelijke groeten / Kind regards,
  Ing. Jorge de Almeida Pinto
  Senior Infrastructure Consultant
  MVP Windows Server - Directory Services

  LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
  (   Tel : +31-(0)40-29.57.777
  (   Mobile : +31-(0)6-26.26.62.80
  *   E-mail : see sender address
  
  
  
  
  
  From: [EMAIL PROTECTED] on behalf of Mark Parris
  Sent: Thu 2006-09-14 16:35
  To: ActiveDir.org
  Subject: Re: [ActiveDir] Any impacts to domain controller when changingits IP?

  If you want to change the computer name you need to demote the server, wait 
  for replication then change the server name; at this stage I would re-IP the 
  server, then dcpromo the server again. This is of course assuming you have 
  multiple DC's; if not, and it's only for 3 months, then why not keep the name 
  and just change the IP address. Make sure DNS functions correctly.

  Regards
  Mark Parris
  Base IT Ltd
  Active Directory Consultancy
  Tel +44(0)7801 690596

  -Original Message-
  From: "McClure, David (MED US)" [EMAIL PROTECTED]
  Date: Thu, 14 Sep 2006 10:12:54
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Any impacts to domain controller when changingits IP?

  If you're running a Certificate Authority on that DC, you can't change the 
  computer name without first uninstalling Certificate Services. I'm not sure 
  what the impact would be on the chain of trust if you reinstall CertSvcs 
  after the name change.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
  Sent: Thursday, September 14, 2006 10:04 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Any impacts to domain controller when changingits IP?

  In SBSland they made a change IP address wizard for our DCs because 
  invariably we forget something... DHCP, WINS, kitchen sink stuff, etc
  http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/43dd693a-0cc4-47fd-94c7-cfe200439f41.mspx?mfr=true
  You can see what the wizard does.. which are the changes you will need to do

  Jobsz wrote:
  > Dear all,
  > Because our company is being merged by another company, in the process of 
  > integration we need to change the internal IP address and computer name.
  > Our domain controller of Windows Server 2003. We have to change its 
  > computer name and internal IP but no need to change the domain name, 
  > because we want to let run for 3 months.
  > Anyone could tell me what impacts brought by these changes?
  > Any suggestions would be appreciated!
  > With best regards
  > Jobs.Zhao
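An added PowerShell example, not code from the list thread: Guido's multi-step rename of a Windows Server 2003 DC (add a second name, make it primary, reboot, verify replication and DNS, then remove the old name) driven from Windows PowerShell 5.1 with netdom, repadmin and dcdiag, with David McClure's Certificate Services caveat checked up front. The old and new FQDNs are assumptions; run with -Phase Prepare, reboot the DC, then run with -Phase Finish once replication is healthy.

```powershell
# Added example, not from the list thread. Windows PowerShell 5.1 with RSAT.
param(
    [ValidateSet('Prepare', 'Finish')] [string] $Phase = 'Prepare',
    [string] $OldFqdn = 'dc01.example.com',       # assumption: current DC name
    [string] $NewFqdn = 'dc01-new.example.com'    # assumption: new DC name
)
Import-Module ActiveDirectory

function Invoke-Step {
    # Run one native command and stop the whole procedure on a non-zero exit code.
    param([string] $Description, [string[]] $Command)
    Write-Host "== $Description"
    $exe  = $Command[0]
    $argv = @($Command | Select-Object -Skip 1)
    & $exe @argv
    if ($LASTEXITCODE -ne 0) { throw "Step failed (exit $LASTEXITCODE): $Description" }
}

function Assert-ReadyForRename {
    param([string] $Dc)
    # A DC hosting Certificate Services must have it uninstalled first, otherwise the
    # CA's chain of trust is put at risk by the rename.
    if (Get-Service -ComputerName $Dc -Name certsvc -ErrorAction SilentlyContinue) {
        throw "Certificate Services is installed on $Dc; remove it before renaming."
    }
    # The alternate-name rename needs Windows Server 2003 domain functional level.
    $mode = (Get-ADDomain).DomainMode
    if ($mode -like 'Windows2000*' -or $mode -like 'Windows2003Interim*') {
        throw "Domain functional level $mode does not support renaming a DC this way."
    }
}

switch ($Phase) {
    'Prepare' {
        Assert-ReadyForRename -Dc $OldFqdn
        # 1. Register the additional name on the computer object (and its SPNs).
        Invoke-Step 'Add alternate computer name' @('netdom', 'computername', $OldFqdn, "/add:$NewFqdn")
        # 2. Make the new name primary; it takes effect after a reboot.
        Invoke-Step 'Make the new name primary'   @('netdom', 'computername', $OldFqdn, "/makeprimary:$NewFqdn")
        Invoke-Step 'Names registered so far'     @('netdom', 'computername', $OldFqdn, '/enumerate')
        Write-Host "Reboot $OldFqdn, wait for replication and DNS registration, then run -Phase Finish."
    }
    'Finish' {
        # 3. Verify before touching the old name: no replication failures, and the DC
        #    passes the DNS test under its new name.
        Invoke-Step 'Replication summary'   @('repadmin', '/replsummary')
        Invoke-Step 'DNS registration test' @('dcdiag', "/s:$NewFqdn", '/test:DNS')
        # 4. Drop the old name only once everything above is clean.
        Invoke-Step 'Remove the old computer name' @('netdom', 'computername', $NewFqdn, "/remove:$OldFqdn")
    }
}
```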

RE: [ActiveDir] Any impacts to domain controller when changingits IP?

2006-09-14 Thread Almeida Pinto, Jorge de
have a look at:
http://blogs.dirteam.com/blogs/jorge/archive/2005/11/25/165.aspx
 
which might help you on your way
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Jobsz
Sent: Thu 2006-09-14 14:09
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Any impacts to domain controller when changingits IP?



Dear all,

Because our company is being merged by another company, in the process of
integration we need change the internal IP address and computer name.

Our domain controller of Windows Server 2003.
We have to change its computer name and internal IP but no need to change
The domain name, because we want to let run for 3 months.

Anyone could tell me what impacts brought by these changes?

Any suggestions would be appreciated!


With best regards
Jobs.Zhao




RE: [ActiveDir] Any impacts to domain controller when changingits IP?

2006-09-14 Thread Almeida Pinto, Jorge de






> If you want to change the computer name you need to DEMOTE the server

isn't that for w2k only? (he's got w2k3)




Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address


From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 2006-09-14 16:35
To: ActiveDir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when changingits IP?

If you want to change the computer name you need to demote the server, wait 
for replication then change the server name; at this stage I would re-IP the 
server, then dcpromo the server again. This is of course assuming you have 
multiple DC's; if not, and it's only for 3 months, then why not keep the name 
and just change the IP address. Make sure DNS functions correctly.

Regards
Mark Parris
Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596

-Original Message-
From: "McClure, David (MED US)" [EMAIL PROTECTED]
Date: Thu, 14 Sep 2006 10:12:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Any impacts to domain controller when changingits IP?

If you're running a Certificate Authority on that DC, you can't change the 
computer name without first uninstalling Certificate Services. I'm not sure 
what the impact would be on the chain of trust if you reinstall CertSvcs after 
the name change.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 14, 2006 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Any impacts to domain controller when changingits IP?

In SBSland they made a change IP address wizard for our DCs because invariably 
we forget something... DHCP, WINS, kitchen sink stuff, etc
http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/43dd693a-0cc4-47fd-94c7-cfe200439f41.mspx?mfr=true
You can see what the wizard does.. which are the changes you will need to do

Jobsz wrote:
> Dear all,
> Because our company is being merged by another company, in the process of 
> integration we need to change the internal IP address and computer name.
> Our domain controller of Windows Server 2003. We have to change its computer 
> name and internal IP but no need to change the domain name, because we want 
> to let run for 3 months.
> Anyone could tell me what impacts brought by these changes?
> Any suggestions would be appreciated!
> With best regards
> Jobs.Zhao






RE: [ActiveDir] Strange password issue

2006-09-07 Thread Almeida Pinto, Jorge de
Yes, there is.
 
The password policy is checked as soon as the password entered (using 
characters) is written into the directory, whether it is a new password or a 
changed password.
If a password hash is written into the directory the system cannot check if the 
password that generated the hash meets the password policy or not. Migration 
tools like ADMT and Quest DMW migrate passwords by migrating the hash and not 
the actual password. For those accounts that were migrated, the password policy 
comes into effect as soon as the user is forced to change the password, but 
until that time
 
You mention Quest's migration tool. Are you saying the user was migrated from 
another forest/domain outside the existing forest and where it was created 
using ADUC?
 
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Wed 2006-09-06 16:38
To: activedirectory
Subject: [ActiveDir] Strange password issue


I'm having this weird  issue where I have a user account who is able to log in 
with a blank password.
The Default Domain Policy is set to a min password length of 6 characters.
The userAccountControl on the user is set to 512.
 
The Domain is at win2k3 DFL and FFL.
 
Is there any other way besides a migration tool like Quest that could 
circumvent this policy and allow blank passwords?
 
Thanks



RE: [ActiveDir] Rid Master recovery

2006-09-05 Thread Almeida Pinto, Jorge de



in that case you would need to seize it
also see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/373.aspx

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Tuesday, September 05, 2006 14:03
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Rid Master recovery

  Guys, another question
  One of my RID masters crashed before transferring the FSMO role to another 
  DC on the network. Is there any possibility to make another domain the RID 
  master? (The backup has failed so I cannot restore the failed RID master DC 
  now.) Thanks in advance
  


  "Almeida Pinto, Jorge de" [EMAIL PROTECTED]
  Sent by: [EMAIL PROTECTED]
  09/04/2006 11:18 AM
  Please respond to ActiveDir@mail.activedir.org
  To: ActiveDir@mail.activedir.org
  cc:
  Subject: RE: [ActiveDir] Rid Master

  also see: RID Master FSMO explained
  http://blogs.dirteam.com/blogs/jorge/archive/2006/05/25/1040.aspx
  cheers,
  jorge

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Monday, September 04, 2006 18:11
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Rid Master

  Guys explain me, the functions of RID master, how do I display the RID of an 
  object created in AD?
  Thanks in advance

  "joe" [EMAIL PROTECTED]
  Sent by: [EMAIL PROTECTED]
  09/04/2006 08:36 AM
  Please respond to ActiveDir@mail.activedir.org
  To: ActiveDir@mail.activedir.org
  cc:
  Subject: RE: OT - RE: [ActiveDir] W. in hell

  While I wouldn't want this to become a humour list, I saw the email and 
  laughed and figured the same thing Laura figured, that Outlook autofill bit 
  the guy (which is funny all by itself because we have all seen it happen if 
  not had it happen to ourselves) and then I moved on. I find all of the 
  additional attention even more humorous including the value judgements of 
  the quality of the joke and analysis of words.

  I classify the message as OT with the droves of other messages that come 
  through the list that are OT[1] and being sent here because of a tenuous 
  relationship of being about technologies that utilize AD[2] though the 
  question itself has nothing to do with AD or simply folks forgoing it all and 
  just saying WTF, I'll give it a shot and ask you guys because you seem 
  helpful. If you get a whole day of many of those coming through it is a bit 
  annoying. More annoying, at least to me, are questions that are ON TOPIC but 
  someone didn't take time to look at the archives or google and asking like it 
  was the first time it was asked versus maybe revisiting the previous 
  discussion in new light. However, unless the list goes moderated which no one 
  wants or at least a vast majority of the someone's don't want, the list is 
  just the way it is and will be and you read the messages if you want and blow 
  by them otherwise.

  Overall I would hate to lose the jocularity and casualness of the list. It is 
  one of the things that make it worth reading. :)

  There have been quite a few times subjects have drifted off topic only to 
  expose something in the monkeying around or what not based on something not 
  everyone understood or knew that we wouldn't have otherwise found out that 
  immediately snaps it all back on topic and of great use.

  joe

  [1] Though this was funnier than most OT stuff. There is my value judgment on 
  the quality. :)

  [2] Versus actually being AD Technology. Examples of tech that utilize AD 
  include but are not limited to GPOs, DNS, Exchange, print queues, clustering, 
  file server manipulations (copying files, home drives, management, etc), etc. 
  Not saying questions about all of those are automatically OT, but we tend to 
  get quite a few questions in those areas that aren't about AD or the 
  interaction with AD but about the non-AD aspects of the tech. Examples being 
  a question about how to do something in a GPO versus say OU strategies for 
  applying GPOs or the permissions on the GPO objects and how AD interprets 
  them. Or a general question about DNS like what is returned in a query or how 
  it is managed versus what records need to be in DNS for AD to work or how its 
  app NC replicates.

  -- O'Reilly Activ
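An added PowerShell example, not code from the thread: seizing the RID Master role onto a surviving DC, as Jorge advises when the holder is lost and no restore is possible, with the checks a practitioner wants around it (the role really is on the dead DC, the dead DC does not answer, the new holder passes the RID manager test). DC names are assumptions.

```powershell
# Added example, not from the thread. A seizure is only safe if the old holder never
# comes back: two RID masters would hand out overlapping RID pools and thus duplicate SIDs.
Import-Module ActiveDirectory

$deadHolder = 'DC01'   # assumption: crashed RID master
$newHolder  = 'DC02'   # assumption: healthy DC that takes over the role

function Confirm-HolderIsGone {
    # Refuse to seize while the current holder still answers; a normal transfer is then the right tool.
    param([string] $Name)
    $domain = Get-ADDomain
    if ($domain.RIDMaster -notlike "$Name*") {
        throw "RID Master is $($domain.RIDMaster), not $Name; nothing to seize from $Name."
    }
    if (Test-Connection -ComputerName $domain.RIDMaster -Count 2 -Quiet) {
        throw "$($domain.RIDMaster) still answers; use a transfer (without -Force) instead."
    }
}

function Invoke-RidMasterSeizure {
    param([string] $From, [string] $To)
    Confirm-HolderIsGone -Name $From
    # -Force turns the transfer into a seizure when the current holder is unreachable.
    Move-ADDirectoryServerOperationMasterRole -Identity $To -OperationMasterRole RIDMaster `
        -Force -Confirm:$false
    # Read the holder back from the domain naming context and exercise the RID pool.
    $holder = (Get-ADDomain).RIDMaster
    & dcdiag "/s:$To" /test:RidManager
    return $holder
}

$holder = Invoke-RidMasterSeizure -From $deadHolder -To $newHolder
if ($holder -notlike "$newHolder*") { throw "RID Master is $holder, expected $newHolder." }
Write-Host "RID Master is now $holder. Remove the metadata of $deadHolder before any server with that name is promoted again."
```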

RE: [ActiveDir] Rid Master

2006-09-04 Thread Almeida Pinto, Jorge de



also see:
RID Master FSMO explained
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/25/1040.aspx
cheers,
jorge

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Monday, September 04, 2006 18:11
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Rid Master

  Guys explain me, the functions of RID master, how do I display the RID of an 
  object created in AD?
  Thanks in advance
  
  


  "joe" [EMAIL PROTECTED]
  Sent by: [EMAIL PROTECTED]
  09/04/2006 08:36 AM
  Please respond to ActiveDir@mail.activedir.org
  To: ActiveDir@mail.activedir.org
  cc:
  Subject: RE: OT - RE: [ActiveDir] W. in hell

  While I wouldn't want this to become a humour list, I saw the email and 
  laughed and figured the same thing Laura figured, that Outlook autofill bit 
  the guy (which is funny all by itself because we have all seen it happen if 
  not had it happen to ourselves) and then I moved on. I find all of the 
  additional attention even more humorous including the value judgements of 
  the quality of the joke and analysis of words.

  I classify the message as OT with the droves of other messages that come 
  through the list that are OT[1] and being sent here because of a tenuous 
  relationship of being about technologies that utilize AD[2] though the 
  question itself has nothing to do with AD or simply folks forgoing it all and 
  just saying WTF, I'll give it a shot and ask you guys because you seem 
  helpful. If you get a whole day of many of those coming through it is a bit 
  annoying. More annoying, at least to me, are questions that are ON TOPIC but 
  someone didn't take time to look at the archives or google and asking like it 
  was the first time it was asked versus maybe revisiting the previous 
  discussion in new light. However, unless the list goes moderated which no one 
  wants or at least a vast majority of the someone's don't want, the list is 
  just the way it is and will be and you read the messages if you want and blow 
  by them otherwise.

  Overall I would hate to lose the jocularity and casualness of the list. It is 
  one of the things that make it worth reading. :)

  There have been quite a few times subjects have drifted off topic only to 
  expose something in the monkeying around or what not based on something not 
  everyone understood or knew that we wouldn't have otherwise found out that 
  immediately snaps it all back on topic and of great use.

  joe

  [1] Though this was funnier than most OT stuff. There is my value judgment on 
  the quality. :)

  [2] Versus actually being AD Technology. Examples of tech that utilize AD 
  include but are not limited to GPOs, DNS, Exchange, print queues, clustering, 
  file server manipulations (copying files, home drives, management, etc), etc. 
  Not saying questions about all of those are automatically OT, but we tend to 
  get quite a few questions in those areas that aren't about AD or the 
  interaction with AD but about the non-AD aspects of the tech. Examples being 
  a question about how to do something in a GPO versus say OU strategies for 
  applying GPOs or the permissions on the GPO objects and how AD interprets 
  them. Or a general question about DNS like what is returned in a query or how 
  it is managed versus what records need to be in DNS for AD to work or how its 
  app NC replicates.

  -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
  Sent: Monday, September 04, 2006 10:46 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: OT - RE: [ActiveDir] W. in hell

  I have a hell of a sense of humor (as I'm sure a lot of geeks here do); this 
  just isn't the place for it when people come here for help. /just sayin

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
  Sent: Sunday, September 03, 2006 10:58 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: OT - RE: [ActiveDir] W. in hell

  Nah. It looks more like the sender mistook this list for some other lists. 
  On other lists, this would have engendered a more rapid-fire flame war to the 
  sender's satisfaction, even though the joke itself is very old and has 
  outlived its useful shelf life. I'm sure he's disappointed that this list is 
  so geeky and full of maroons with no sense of humors.

  Sincerely,
  Microsoft