RE: [ActiveDir] Who Am I request
You can do an x-domain simple bind within the forest. You can not do it x-forest.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe Kaplan
Sent: Tuesday, January 23, 2007 3:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Who Am I request

I think that's fine. Remember that AD has a global catalog, so you can search across the whole forest quite easily. I'm not actually certain that you can do a simple bind with a user from a different domain, but maybe you can. My multi-domain LDAP knowledge is a little weak since I don't actually have to deal with one on a day to day basis.

I do know that simple bind is only supposed to support the full DN (as per LDAP spec), the UPN or the NT name. The unqualified user name is only supposed to work with a Windows secure (GSS-SPNEGO SASL) bind. I think it actually does work in some cases, but not others, so you should not use it as it is not documented to work correctly.

There is also a Windows RPC method called DsCrackNames that will translate names between different formats if you have a logon name and want something you can use in a DN such as the full DN, GUID or SID. I doubt that helps if you are trying to use OpenLDAP though. :)

Joe K.

----- Original Message -----
From: Alexandr Kara [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 3:12 PM
Subject: Re: [ActiveDir] Who Am I request

Let's say I did a simple bind with user TestUser, but the user record is actually located at CN=TestUserCN,OU=Users1,DC=company,DC=com and it can (as far as I know) only be recognized by having sAMAccountName TestUser. I could probably find the user by searching under DC=company,DC=com with a filter (sAMAccountName=TestUser), but I think it would impose a substantial load on the Active Directory server, because not all users are under OU=Users,DC=company,DC=cz; some are located in other subtrees. Do you think it would be OK to do that?

Thanks,
Alexandr

On Tuesday 23 January 2007 19:02 Joe Kaplan wrote:

If you did a bind to the directory with that user object, then you should be able to do a search to find the user object you used for the bind. This might only be complicated if you authenticated with a foreign domain user, but I doubt you are doing that. The exact nature of the search would depend on the user name format you are using in the bind. If you did a simple bind with the DN, then you already have the path to the user object. :)

Joe K.

----- Original Message -----
From: Alexandr Kara [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 23, 2007 11:26 AM
Subject: Re: [ActiveDir] Who Am I request

Hello Dmitri,

thanks for your reply. The server I connect to is pre-LH (Windows 2003 I think), which doesn't support WhoAmI. You suggested that I read tokenGroups, but I have no user object to read it from. All I have is a generic connection to an LDAP server (I need to use the OpenLDAP library for compatibility). Can I get the user object by some other means?

Thanks a lot,
Alexandr

On Monday 22 January 2007 16:07 Dmitri Gavrilov wrote:

ADAM (starting from ADAM 1.0) and AD (starting from Longhorn) support the WhoAmI extended operation per RFC. In addition, they support the rootDSE/tokenGroups attribute, which is exactly what you need to check self group membership. If you have pre-LH AD, then what you can do is read tokenGroups off the user object (which you can find using %USERDOMAIN% and %USERNAME% vars if you have an interactive session, or by looking up the user SID from the token). Note the tokenGroups value can vary slightly depending on which DC you connect to. If you want deterministic results, read tokenGroupsGlobalAndUniversal (which excludes domain local groups).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alexandr Kara
Sent: Monday, January 22, 2007 6:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Who Am I request

Hello everybody,

I am trying to get the CN of a user currently connected to Active Directory (using a 3rd party library). I tried the "Who am I?" extended operation from RFC 4532, but I got an error 120 or 0x78 (I don't know if it is useful). Do you know of another method to get the CN? I need it to find out if the user is part of a group.

Thanks a lot,
Alexandr

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
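The approach Joe and Dmitri outline above (resolve the logon name used for the bind to its user object with a forest-wide search on sAMAccountName, then read tokenGroups off that object and compare SIDs) in Python. This is an added example, not code from the thread or from any participant. The LDAP client itself is left out (the thread mentions OpenLDAP; any library works) and replaced by a lookup callable, and the directory data below is constructed. The two details worth seeing are RFC 4515 filter escaping, which keeps a client-supplied logon name from altering the filter when it is embedded in `(sAMAccountName=...)`, and the binary SID layout that AD returns for tokenGroups.

```python
import struct
from typing import Callable, List, Optional

# RFC 4515: these characters must be escaped inside an assertion value, otherwise a
# name such as "x*)(objectClass=*" would rewrite the filter instead of matching a user.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}

def escape_filter_value(value: str) -> str:
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_filter(logon_name: str) -> str:
    """The search Alexandr proposed, with the logon name safely escaped."""
    return '(&(objectClass=user)(sAMAccountName=%s))' % escape_filter_value(logon_name)

def sid_to_string(blob: bytes) -> str:
    """Decode the binary SID layout AD stores in objectSid and returns in tokenGroups."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], 'big')          # 48-bit, big-endian
    subs = struct.unpack('<%dI' % count, blob[8:8 + 4 * count])  # 32-bit, little-endian
    return 'S-%d-%d' % (revision, authority) + ''.join('-%d' % s for s in subs)

def sid_from_string(sid: str) -> bytes:
    parts = sid.split('-')
    assert parts[0] == 'S'
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, 'big')
            + struct.pack('<%dI' % len(subs), *subs))

# lookup(base_dn, scope, filter, attributes) -> list of (dn, {attr: [values]}).
# Wrap whatever LDAP client you use to this shape; it is an assumption of this example.
Lookup = Callable[[str, str, str, List[str]], List[tuple]]

def resolve_bound_user(lookup: Lookup, forest_root_dn: str, logon_name: str) -> Optional[str]:
    """Search the whole forest (a GC on port 3268) for the name; return the DN or None."""
    hits = lookup(forest_root_dn, 'subtree', user_filter(logon_name), ['distinguishedName'])
    if len(hits) != 1:      # no hit: unknown name; several: ambiguous across domains
        return None
    return hits[0][0]

def is_member_of(lookup: Lookup, user_dn: str, group_sid: str) -> bool:
    """tokenGroups is a constructed attribute, so it is read with a base-scope search."""
    hits = lookup(user_dn, 'base', '(objectClass=*)', ['tokenGroups'])
    if not hits:
        return False
    sids = {sid_to_string(b) for b in hits[0][1].get('tokenGroups', [])}
    return group_sid in sids

# ---- constructed sample directory (not real data) ----
DOMAIN_USERS = 'S-1-5-21-1111-2222-3333-513'
ADMINS = 'S-1-5-21-1111-2222-3333-512'
_SAMPLE = {
    'CN=TestUserCN,OU=Users1,DC=company,DC=com': {
        'sAMAccountName': ['TestUser'],
        'tokenGroups': [sid_from_string(DOMAIN_USERS)],
    },
    'CN=Admin,OU=Users,DC=company,DC=com': {
        'sAMAccountName': ['admin'],
        'tokenGroups': [sid_from_string(DOMAIN_USERS), sid_from_string(ADMINS)],
    },
}

def sample_lookup(base_dn, scope, filt, attributes):
    """Matches only the two filter shapes used above; a stand-in for a real server."""
    prefix = '(&(objectClass=user)(sAMAccountName='
    results = []
    for dn, attrs in _SAMPLE.items():
        if scope == 'base' and dn != base_dn:
            continue
        if scope == 'subtree' and not dn.lower().endswith(base_dn.lower()):
            continue
        if filt.startswith(prefix):
            wanted = filt[len(prefix):-2]
            if wanted.lower() != attrs['sAMAccountName'][0].lower():
                continue
        results.append((dn, {a: attrs.get(a, []) for a in attributes}))
    return results

if __name__ == '__main__':
    dn = resolve_bound_user(sample_lookup, 'DC=company,DC=com', 'TestUser')
    print(dn, is_member_of(sample_lookup, dn, ADMINS))
```

A search on sAMAccountName with a one-level or subtree scope is the normal way to go from logon name to object; the escaping step is what keeps that search from becoming an injection point when the name arrives from an untrusted client, and the escaped injection attempt in the test simply returns no match.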
RE: [ActiveDir] Largest AD DIT
I can think of a few in the 30's, 40's... maybe 50-75, I forget the exact numbers. In production, that is. The bottom line is that we don't keep track, so use 25-100 as a working range of what we've seen lately, understanding that there are probably larger ones that we just haven't seen for a while. (That's a good problem... when you don't hear from customers for a while. Means nothing is blowing up.)

We have seen customers scale their infrastructure far larger though. That is, the customer who has a 50GB dataset tends to test to 100-200GB and ensure they scale there for the future. So while they may or may not have it today, they typically have tested such that they have confidence that on their current hardware + current software they can get there w/o an issue. One example comes to mind in this category where a customer tested to 400GB even though they only have a ~60GB dataset today.

One final point. The largest DIT is perhaps the largest uninteresting data point ever. :) What is harder to scale: a 2TB dataset with 10 queries/sec or a 50GB dataset with 100 queries/sec? Or how about 2TB with 2 replicas vs 50GB with 5 replicas? The bottom line is, storing data on a disk is pretty easy. I can create a 2TB db pretty quickly. Managing environments at scale is what is more challenging.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, January 19, 2007 2:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Largest AD DIT

I am aware of a 20GB DIT or two. Generally most of the DITs seem to be 10GB or smaller for many/most companies even with hundreds of thousands of users.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Isenhour, Joseph
Sent: Friday, January 19, 2007 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Largest AD DIT

I'm curious about a production DIT. A DIT that some poor soul is losing sleep over at night ;)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Friday, January 19, 2007 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Largest AD DIT

Do you mean biggest production DIT? ~Eric made a 2^31-1 object DIT in the test lab... in fact he's going to talk about that at DEC.

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Isenhour, Joseph
Sent: Friday, January 19, 2007 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Largest AD DIT

Hey, has anyone been keeping track of the largest AD database? I seem to remember a few years ago it was an online email company. I'm curious if that has changed.
RE: [ActiveDir] OT: Who needs that much ram anyway?
Exchange should not be in the business of patching kernels. It's just bad form. That said, it's not clear to me what the right answer is either. You want to get people the fix that need it, but you don't want to go out there and start swapping kernel components on a user. That's just not the right way for a piece of software to work. How would the SBS crowd feel if an app changed the kernel out from under them? You run a lot of apps on that box.

I think the options we have today are: readme + ExBPA + perhaps offering the patch via WU when we see Exchange installed. But the last point there is contentious, I know; it's merely an option to consider and give us feedback on. :)

I remember watching this issue being debugged when it was hit and it's worth proactively patching. Exchange put a lot of energy in to finding this one and getting root cause + a fix prior to RTM. Hard issue to hit, but not impossible either. Honestly, on this one, I think they served their customers well.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, January 16, 2007 8:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?

Personally I was surprised that a Windows 2003 server and Exchange 2007 would need a patch to run more than 4 gigs because "This problem occurs because of a problem in the Windows kernel". Seems to me in the x64 era, we're all going to be running more than 4 gigs, so they should bundle this up in the Exchange 2007 installer from the get go rather than having everyone stumble across a KB article. I'm assuming it's discussed in the readme that no one reads?

Brian Desmond wrote:

The more you can get in memory, the better. 32GB is the threshold for Exchange before it stops making sense. I've remoted into SQL servers with dozens of CPUs and dozens of gigs of ram before...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, January 16, 2007 4:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Who needs that much ram anyway?

The Microsoft Exchange Information Store service stops responding on a computer that is running Windows Server 2003 and Exchange Server 2007
http://support.microsoft.com/?kbid=928368

This problem occurs if Exchange Server 2007 is installed on a computer that has more than 4 gigabytes (GB) of RAM.

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] SBS Dies Twice in Four Days
Can you give us some data? Like, when it dies, what do you see? Is death a blue screen? Or something else?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
Sent: Wednesday, December 13, 2006 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SBS Dies Twice in Four Days

Hi -

I have a client with a four-year old SBS 2000 SP4 install on a Dell PowerEdge 2500. In the last four days, the machine has simply died -- twice. I can find no obvious (or not so obvious) cause for this. There appears little that correlates directly with the crashes. The event logs are pretty clear of major errors (except below). The Open Manage software does not show any hardware problems. The drives are somewhat fragmented but not horribly.

The few errors that show up include this: Shortly before Saturday's crash, the FRS log recorded a 13568 JRNL_WRAP_ERROR. Since this is the only DC in this domain, I followed the steps provided to set the Enabled Journal Wrap Automatic Restore key to 1. This appeared to have cleared the error. This error has not recurred.

Also, Exchange has logged some errors such as 2104 and 8197 which seem associated with access to the GC. When I followed the steps in MSKB 828764, I do not find any entries in the registry keys listed which are supposed to refer to the GC. Either way, I am not sure those would bring down a server - twice.

Sorry if this is rambling a bit. I have been looking at this for several hours and don't seem to be making any headway. Any thoughts welcome. The server is up now (after a hard reboot), but I've got to feel comfortable with leaving this server for a week - or my earlier post about laptop batteries will be meaningless ;-)

TIA
-- nme
RE: [ActiveDir] Scaling up with AD or ADAM?
From a pure LDAP perspective you can expect similar perf numbers on AD vs. ADAM. For medium sized directories (like 10M) I'm of the opinion that there isn't a huge advantage to ADAM over AD. When you get larger (high tens of millions to hundreds of millions or billions), ADAM gets more interesting.

I would note that I tend to look at AD vs. ADAM with an eye on AD as the 'default' choice, more often than not. This stems from a richer protocol stack on AD (Kerberos, etc.) which is only helpful. ADAM has a more constrained protocol stack. If you have entirely home grown apps this is less interesting, but if you think you might use vendor specific apps this can only help. Not trying to downplay ADAM, just want to make sure you pick the right technology for your job.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe Kaplan
Sent: Friday, November 24, 2006 8:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Scaling up with AD or ADAM?

I personally don't have any experience with ADAM at big scale, but I've heard of some really large deployments. Eric might be able to share some stories. I wouldn't be concerned about the underlying technology, as it is all based on the AD core and is quite solid and mature.

I have no experience on IBM TAM, but I'd hope it can integrate with normal LDAP stores. As such, I think it should work. There probably won't be any support in the product for ADAM/AD features like fast concurrent binding that might help improve your auth performance, but that might not be a huge deal. I don't think ADFS uses that either. :)

Joe K.

----- Original Message -----
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, November 23, 2006 10:24 PM
Subject: Re: [ActiveDir] Scaling up with AD or ADAM?

Thanks, Joe. I'll look up Eric's blog for metrics and such ASAP. :-)

I was thinking ADAM was the likely choice - just wasn't sure how much production experience folks had with it (it's still new-ish), or quite how to size it.

Re federation - that looks like a subsequent phase, and ADFS definitely came to mind. This customer has some IBM TAM kicking around, so that's another choice. Later, in either case.

Migrating users from the live directory to the archival one is no big deal -- the reason we're engaged is to put our provisioning and password management technology in.

BTW - anyone here integrated TAM (Tivoli Access Manager -- IBM's WebSSO) with ADAM? Any pointers or horror stories we should know about?

Cheers,

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com

On Thu, 23 Nov 2006, Joe Kaplan wrote:

That's a classic scenario for ADAM. I wouldn't use AD for that as you just need bind auth for users of a web app. AD actually gives you a ton of stuff you don't need and some additional complexity. ADAM scales the same as AD, so there is no advantage from a scale point of view to use AD.

I'm not sure how you would achieve the goal of the archival users in a separate directory as I don't know how you'll be able to migrate the password data in ADAM to another ADAM store. There might be a way, but I'm just not sure.

I'd suggest reading up on Eric Fleischman's blog to find out some interesting stuff on ADAM perf and scale. The bottom line is that as long as you have the disk and the CPU to handle the data store, you shouldn't have any problem with an ADAM instance that size. You are many orders of magnitude away from the actual limits in the system.

As I am now a huge fan of federation technologies, I feel I would be remiss if I didn't suggest the possibility of adding that into the mix with ADFS. It can make a nice wrapper around your ADAM instance to serve as an account store, and having federation capability gives you an easy way to link in identities from within the enterprise
RE: [ActiveDir] OT: M$
Not that I really care if people say M$ or not, but I thought I'd comment on one thing, in the name of full disclosure.

My participation on this list has __nothing__ to do with money. I don't get compensated on any level for this. Heck, I don't even work on AD anymore, so this is like 2 degrees of separation away from anything that MS compensates me for.

So, is MS out to make $? Sure. Is AD part of that money-making strategy? Sure. Does that have anything to do with MS employee participation on this list? I don't think so. Others (at least those that I can recall posting here as I type this mail) on this list fall in to the same boat. A couple of them don't work on AD anymore either.

Why do I hang out here? I do it because I care about customers and about AD/ADAM. It has nothing to do with my salary. It's also why I still blog about AD, answer newsgroup questions, answer internal questions (DLs, PSS, MCS, other PGs, etc.), handle direct emails from a myriad of non-MS people (some I know, some are totally out of the blue), fix code for people that ask for help, etc. I don't get paid for any of this.

~Eric
Borg #145719302
Insert conspiracy theory here about how this whole mail is a lie and the man actually wrote it on behalf of the fake employee that goes by Eric Fleischman

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Vinnie Cardona
Sent: Thursday, November 09, 2006 11:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

I believe we all know that your statement is correct; like any other big company they are out to make $. What I inferred from what she was implying (did I get that right?) is that although we all know that Microsoft is not perfect (anyone want to cast the first stone?), a grey-toned comment made on this mailing list is probably not appreciated, especially when this mailing list is used to help others. I'm sure there are a myriad of other forums to take your personal opinions to.

--vC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Condra, Jerry W Mr HP
Sent: Thursday, November 09, 2006 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: M$

I have a mostly positive view of M$ and like their products. Heck, I'm certified in their products. But that doesn't make them inexpensive, and like any other big company they are out to make $.

J

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Thursday, November 09, 2006 12:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: M$

Just out of curiosity, what makes people think it's appropriate to refer to Microsoft as M$ on an MS-focused mailing list whose participants include Microsoft employees, Microsoft contractors, Microsoft MVPs and various other people who may have a relatively positive view of Microsoft?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jitendra Kalyankar
Sent: Thursday, November 09, 2006 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Beginner's Book on Scripting - WSH or _vbscript_?

This is the link to M$ to start with... very good info
http://msdn.microsoft.com/library/default.asp?url=

--
Sincerely,
J

On 11/9/06, Stu Packett [EMAIL PROTECTED] wrote:

Hello everyone. After reading through a lot of the posts on this mailing list, I realize I could make my job easier if I knew how to script. I have no experience in scripting, but would like to know what books you recommend as a beginner's book on scripting? Also, I don't really know the difference between WSH and _vbscript_, so if anyone could explain that, I'd appreciate it. After browsing through Amazon, I saw several books on WSH and _vbscript_, but don't know which I should focus on. I'm also open to computer based training (CBT) videos if any exist. Thanks in advance.
RE: [ActiveDir] Need some advices....
SP2 fixed this and it should be back to 180 days. The R2 thing was a mistake.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, November 01, 2006 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Need some advices

Yep, the R2 thing was an unfortunate rollback bug. It wasn't a purposeful event due to changing of minds or anything. It is fixed, currently, in LH and set to 180.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, October 25, 2006 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Need some advices

If memory serves me right the forest/trees tombstone values whatevers (you know, those things we never worry about in SBSland) are different depending on how that SP1 got on the box...

2003 RTM: you have 60 days
2003 SP1 (clean install): you have 180 days
2003 R2 (clean install): you have 60 days

(they kinda went backwards on the R2 and reintroduced the 60 days if I remember right.)

Brian Desmond wrote:

If the domain was created in Windows 2000 or 2003 R2, you've got 60 days to fix it; 2003 domains you have 180 days. This is assuming you haven't tweaked the tombstone lifetime. 4 hours is nothing. :)

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: Wednesday, October 25, 2006 10:23 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need some advices

Hello all ;)

Due to a network outage that is scheduled for 4 hours on an Active Directory site, I'd like to leave our DCs up without shutting them down.

Question: Could I leave all my DCs up despite them not being able to communicate with each other for 4 hours? Will that cause any issues (repl, auth, etc.)? Or do I have to shut them down and reboot them when the network comes back up?

Thanks for your advice.

Cheers,
Yann
RE: [ActiveDir] Need some advices....
Right... I always forget what is released and what isn't.

From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wed 11/1/2006 8:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Need some advices

SP2 'will' fix it... it's not released yet that I know of.

Eric Fleischman wrote:

SP2 fixed this and it should be back to 180 days. The R2 thing was a mistake.

~Eric
RE: [ActiveDir] Linked Attributes Replication
You can certainly kick GC off by hand to clear that up. If you have the problem on a GC though, how are you to blame a phantom? If you navigate to the partial NC on the GC, do you see the object? I assume the answer is yes (but if not please let me know what you do see).

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Loder
Sent: Friday, October 20, 2006 8:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Linked Attributes Replication

joe and I talked offline. Neither of us think it's a lingering object (but that was his first guess too). He was thinking it was a phantom but I'm not sure since I see it in a GC - which never has a need to create a phantom.

Layout is as follows. Domain0 is the empty root, with child domains 1-6. Manager previously existed in Domain1. User still exists in Domain2. Manager has been verified to not exist on any DC in Domain1.

Some (not all) of Domain2's DCs and GCs show the user having a manager.
Some (not all) of Domain1's GCs show the user having a manager.
Some (not all) of Domain3's GCs show the user having a manager.
None of Domain0's GCs or 4-6 show the user having a manager.

Around the time this happened back in 2003 there had been some incorrect Infrastructure Master placements. However, Domain2's IM appears to have been correctly configured. Not sure if that is just a red herring to lead us down the phantom path.

--- Eric Fleischman [EMAIL PROTECTED] wrote:

From the data provided below it sounds like you have a lingering object / a lingering link value... not tragic, pretty straightforward to clean up. If you could be more specific as to domain layout (in which domain each user resides) we could likely provide steps to fix this up. If you search KB for "lingering object" you'll find all sorts of mention of them.

I say that you must have a lingering object as link values need to point to some object (they are nothing more than a DNT pointer really), so it sounds like you have an object in the partial NC on the GC which still represents that manager.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Loder
Sent: Thursday, October 19, 2006 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Linked Attributes Replication

We've found something unusual in our forest and are hoping someone may have insight as to root cause.

Sometime back in 2003, when our forest was running W2K SP3, someone's manager was deleted, and that event was faithfully replicated around the originating domain and the forest GCs. The manager doesn't exist anywhere.

Fast forward to today, forest now running W2K3 SP1. About 20% of the DCs (both originating domain DCs and forest GCs) show that the user still has a manager because the manager attribute contains a DN that no longer exists in the forest. Let me repeat that statement. If I look at GC_1 it shows the employee's manager is not set. If I look at GC_2 it shows manager is CN=Someone_that_no_longer_exists_in_the_forest. Yet both GC_1 and GC_2 show the same metadata for the manager attribute.

At this point we're theorizing that when the user's manager was deleted, that change was faithfully replicated around the forest. However, the linked attribute update is not a replicated event - each DC is personally responsible for updating the backlink, and we had one W2K DC that didn't do it. Fast forward to today where 100% of the DCs have been reinstalled and repromoted as W2K3. Depending on which DC they sourced their promo from, we now have the corruption spread we see today where some 20% of the DCs have the incorrect value.

Has anyone else ever encountered this or have some idea what may have caused the initial corruption?
RE: [ActiveDir] Linked Attributes Replication
Let's take this offline.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Loder Sent: Friday, October 20, 2006 9:15 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Linked Attributes Replication

I find nothing.

adfind -h Domain1GC -gc -b dc=Domain2,dc=x,dc=y -f name=UserABC manager

AdFind V01.32.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006
Using server: Domain1GC:3268
Directory: Windows Server 2003

dn:CN=UserABC,OU=USERIDS,dc=Domain2,dc=x,dc=y
manager: CN=Manager123,OU=USERIDS,DC=Domain1,DC=x,DC=y

1 Objects returned

adfind -h Domain1GC -gc -b CN=Manager123,OU=USERIDS,DC=Domain1,DC=x,DC=y

AdFind V01.32.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006
Using server: Domain1GC:3268
Directory: Windows Server 2003

ldap_get_next_page_s: [Domain1GC] Error 0x20 (32) - No Such Object
Best Match of: 'OU=USERIDS,DC=Domain1,DC=x,DC=y'

0 Objects returned

--- Eric Fleischman [EMAIL PROTECTED] wrote:

You can certainly kick GC off by hand to clear that up. If you have the problem on a GC though, how are you to blame a phantom? If you navigate to the partial NC on the GC, do you see the object? I assume the answer is yes (but if not please let me know what you do see). ~Eric

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Loder Sent: Friday, October 20, 2006 8:06 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Linked Attributes Replication

joe and I talked offline. Neither of us think it's a lingering object (but that was his first guess too). He was thinking it was a phantom but I'm not sure since I see it in a GC - which never has a need to create a phantom. Layout is as follows. Domain0 is empty root, with child domains 1-6. Manager previously existed in Domain1. User still exists in Domain2. Manager has been verified to not exist on any DC in Domain1. Some (not all) of Domain2's DCs and GCs show the user having a manager. Some (not all) of Domain1's GCs show the user having a manager. Some (not all) of Domain3's GCs show the user having a manager. None of Domain0's GCs or 4-6 show the user having a manager. Around the time this happened back in 2003 there had been some incorrect Infrastructure Master placements. However, Domain2's IM appears to have been correctly configured. Not sure if that is just a red herring to lead us down the phantom path.

--- Eric Fleischman [EMAIL PROTECTED] wrote:

From the data provided below it sounds like you have a lingering object, a lingering link value...not tragic, pretty straightforward to clean up. If you could be more specific as to domain layout, in which domain each user resides, we could likely provide steps to fix this up. If you search KB for lingering object you'll find all sorts of mention of them. I say that you must have a lingering object as link values need to point to some object (they are nothing more than a DNT pointer really), so it sounds like you have an object in the partial NC on the GC which still represents that manager. ~Eric

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Loder Sent: Thursday, October 19, 2006 8:36 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Linked Attributes Replication

We've found something unusual in our forest and are hoping someone may have insight as to root cause. Sometime back in 2003, when our forest was running W2K SP3, someone's manager was deleted, and that event was faithfully replicated around the originating domain and the forest GCs. The manager doesn't exist anywhere. Fast forward to today, forest now running W2K3 SP1. About 20% of the DCs (both originating domain DCs and forest GCs) show that the user still has a manager because the manager attribute contains a DN that no longer exists in the forest. Let me repeat that statement. If I look at GC_1 it shows the employee's manager is not set. If I look at GC_2 it shows manager is CN=Someone_that_no_longer_exists_in_the_forest. Yet both GC_1 and GC_2 show the same metadata for the manager attribute. At this point we're theorizing that when the user's manager was deleted, that change was faithfully replicated around the forest. However, the linked attribute update is not a replicated event - each DC is personally responsible for updating the backlink, and we had one W2K DC that didn't do it. Fast forward to today where 100% of the DCs have been reinstalled and repromoed as W2K3. Depending on which DC they sourced their promo from we now have the corruption spread we see today where some 20% of the DCs have the incorrect value. Has anyone else ever encountered this or have some idea what may have caused the initial corruption?
RE: [ActiveDir] Linked Attributes Replication
From the data provided below it sounds like you have a lingering object, a lingering link value...not tragic, pretty straightforward to clean up. If you could be more specific as to domain layout, in which domain each user resides, we could likely provide steps to fix this up. If you search KB for lingering object you'll find all sorts of mention of them. I say that you must have a lingering object as link values need to point to some object (they are nothing more than a DNT pointer really), so it sounds like you have an object in the partial NC on the GC which still represents that manager. ~Eric

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Loder Sent: Thursday, October 19, 2006 8:36 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Linked Attributes Replication

We've found something unusual in our forest and are hoping someone may have insight as to root cause. Sometime back in 2003, when our forest was running W2K SP3, someone's manager was deleted, and that event was faithfully replicated around the originating domain and the forest GCs. The manager doesn't exist anywhere. Fast forward to today, forest now running W2K3 SP1. About 20% of the DCs (both originating domain DCs and forest GCs) show that the user still has a manager because the manager attribute contains a DN that no longer exists in the forest. Let me repeat that statement. If I look at GC_1 it shows the employee's manager is not set. If I look at GC_2 it shows manager is CN=Someone_that_no_longer_exists_in_the_forest. Yet both GC_1 and GC_2 show the same metadata for the manager attribute. At this point we're theorizing that when the user's manager was deleted, that change was faithfully replicated around the forest. However, the linked attribute update is not a replicated event - each DC is personally responsible for updating the backlink, and we had one W2K DC that didn't do it. Fast forward to today where 100% of the DCs have been reinstalled and repromoed as W2K3. Depending on which DC they sourced their promo from we now have the corruption spread we see today where some 20% of the DCs have the incorrect value. Has anyone else ever encountered this or have some idea what may have caused the initial corruption?
RE: [ActiveDir] ADAM / AD Sync
If you want to do a secure bind, no work required...just put ADAM in the domain where the users reside (or a trusted domain) and bind away. If you want to do a simple bind, you probably want to create proxy users for your AD users. There is no right way to do this, but adamsync is one way: http://blogs.technet.com/efleis/archive/tags/ADAMSync/default.aspx See the post on transforming users to proxy users. All of this is documented in the ADAM docs so for details just check em out. Holler with questions. ~Eric

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Thursday, October 19, 2006 11:51 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] ADAM / AD Sync

Hi, I have an Active Directory environment with an account for all my users. I am also in the process of setting up ADAM to store more information about those users and have a X.500 style DN. I would like to be able to use some sort of pass-through authentication to Active Directory, is this possible and if so, how? What I'm trying to do is set it up so that if somebody tries to authenticate to the ADAM LDAP it passes authentication to the Active Directory Servers. Thanks, -- Matt Brown Information Technology System Specialist V Eastern Washington University
RE: [ActiveDir] Cleanup of NETLOGON.LOGs
Turn logging down to 0. I would note that there is no notion of log generations, so your worst case here is 2 * log size (where log size defaults to 10MB), so worst case it should only be 20MB, and deleting the archive is of course trivial. More generally, we do reserve the right to write to this log / recreate it as needed, as sometimes there are things we need to log so you can figure out what went wrong should something turn south. So even a log level of 0 does not guarantee no logging, it just means not much logging you could say. ~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 17, 2006 9:19 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Cleanup of NETLOGON.LOGs

I just did a netlogon AD site cleanup process and want to delete all netlogon.logs from all DCs in our domain. I noticed you can't delete it while the netlogon service is running. Is there a better way to keep these netlogon file sizes down, or delete them regularly, than to stop, delete, and restart services on each?
RE: [ActiveDir] ADAM bind Redirection with a NULL password
to correct the behavior. If I had the ability to force this, I would simply require null/blank not to be passed to the ADAM server from the application. I've been at odds about the DCR myself, for all the reasons you mentioned. Yet, without the ability to control the applications, the only thing I can control is the directory itself. Without a mechanism to disable such behavior, I am without recourse unfortunately. So far, I've been able to avoid this problem, because with the 2 apps I had this happen with, the developer was able to modify the authentication dialog. I have had other apps with other issues, where modification was not possible. These did not suffer this poor design issue, but I wonder if I will get such an app eventually. I suppose I am just trying to solve a problem I have not been forced to solve by this method, which means it can wait. I could go into how it would be nice to have enterprise application minimum standards, and application owners involve infrastructure staff BEFORE an app is purchased, instead of after when it doesn't work, but I won't :) Jef

- Original Message - From: Eric Fleischman [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, September 28, 2006 8:48 PM Subject: RE: [ActiveDir] ADAM bind Redirection with a NULL password

One solution would be to ACL all objects such that SELF can read them, then have the app, after it has authenticated as the user, try and read something on the user itself. This way you know you are in fact that user (or someone else that has read access, which presumably won't work as anonymous). In terms of your DCR...could such a bit be put in? I guess. But DCRs that are filed with the intentional intent of going against an RFC typically have a rough time getting through even with a very strong business impact. And you have a workaround already in the app, and another solution I mentioned above. Just setting expectations... ~Eric

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer Sent: Thursday, September 28, 2006 5:53 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] ADAM bind Redirection with a NULL password

Since there has been talk of LDAP Authentication as of late, I figured I'd post my issue of poorly developed applications allowing a null password to an ADAM instance using Bind Redirection. http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!710.entry I'd be curious if a bit flip to shut down this possibility could be put in control of the directory Admin, instead of relying on the developers. Thanks, Jef Kazimer
RE: [ActiveDir] ADAM bind Redirection with a NULL password
One solution would be to ACL all objects such that SELF can read them, then have the app, after it has authenticated as the user, try and read something on the user itself. This way you know you are in fact that user (or someone else that has read access, which presumably won't work as anonymous). In terms of your DCR...could such a bit be put in? I guess. But DCRs that are filed with the intentional intent of going against an RFC typically have a rough time getting through even with a very strong business impact. And you have a workaround already in the app, and another solution I mentioned above. Just setting expectations... ~Eric

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer Sent: Thursday, September 28, 2006 5:53 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] ADAM bind Redirection with a NULL password

Since there has been talk of LDAP Authentication as of late, I figured I'd post my issue of poorly developed applications allowing a null password to an ADAM instance using Bind Redirection. http://jeftek.spaces.live.com/blog/cns!F2042DC08607EF2!710.entry I'd be curious if a bit flip to shut down this possibility could be put in control of the directory Admin, instead of relying on the developers. Thanks, Jef Kazimer
RE: [ActiveDir]SUBDOMAIN AND LDAP
> I'd love to see an AD and ADAM option that would allow the DS to reject simple bind operations on non-SSL ports

We agree. That's why we built it in to the product. :) Well, in to ADAM that is. See object CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={GUID}. Check out the attribute msds-other-settings, value named RequireSecureSimpleBind=0. Change that 0 to a 1, then you have enabled the protection. I would point out, this does not prevent a client from *presenting* a password via simple bind w/o connection security, only from the operation succeeding. So you could still present a password (thereby showing it to an attacker), it's just that it won't work. This is training with the stick, not the carrot. It's akin to saying, I can protect your SSN from working when you scream it to me in a room full of people (ie, require you write it on a piece of paper and pass it over), but I can't stop you from screaming, only punish you when you make this bad choice.

> Another thing that would be helpful would be an unencrypted simple bind audit event that could be configured, so that you could find the IP address of any client issuing these operations and track them down.

This is a good idea. Can you file a bug for this? I have thought of doing this before but never thought anyone would appreciate things like this. :)

> Now, if it was only easy to force all DCs and ADAM instances to have valid server certs, we'd be in business. :)

I think it goes w/o saying, but this is impossible. The definition of valid is in the eye of the beholder. For example, to some a self-signed cert, trusted by no one, is invalid for the DS. However, to the person that explicitly trusted that cert on their LDAP clients, it's perfectly fine. That's just one example, the same could be said for nearly every wonky cert config you think of, especially when you consider ADAM in the mix. ~Eric

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan Sent: Sunday, September 24, 2006 9:16 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP

I think the bottom line of my argument boils down to simple bind without SSL is evil, but simple bind with SSL is acceptable. Secure bind is generally acceptable, with or without SSL. As such, I'd love to see an AD and ADAM option that would allow the DS to reject simple bind operations on non-SSL ports. I think this would go a long way towards helping enforce my mantra and would likely only have a negative impact on non-MS apps using simple bind. The vast majority of code from the MS world uses secure bind by default and actually requires the developer to go out of their way to get a simple bind. For example, the basic vbscript:

Set obj = GetObject("LDAP://DC=domain,DC=com")

results in a secure bind with GSS-SPNEGO (hopefully negotiating to Kerberos :)). The same goes in .NET:

DirectoryEntry entry = new DirectoryEntry("LDAP://DC=domain,DC=com");

To get a simple bind, you must use OpenDSObject in script and pass in the appropriate flags to NOT have Secure bind set, or set the appropriate AuthenticationTypes. In general, ADSI does the right thing. Another thing that would be helpful would be an unencrypted simple bind audit event that could be configured, so that you could find the IP address of any client issuing these operations and track them down. I think one of the reasons why simple bind is used by many vendors is that it is the only common denominator between other directories and a lot of LDAP protocol libraries don't support Microsoft auth mechanisms. However, the good news is that just about every LDAP library does have some sort of support for SSL. Now, if it was only easy to force all DCs and ADAM instances to have valid server certs, we'd be in business. :)

Regarding the evolution of authentication protocols with some of the stuff in WS-*, I have to say that I like the vision. WS-Trust is the plumbing under not only ADFS, but also CardSpace and the security framework for Windows Communication Foundation (WCF). The vision is pretty appealing, because the notion of how a user can be authenticated (via a security token service) is more abstract and based on open and fairly simple web protocols (HTTP, XML, PKI). The notion of a security token is now more abstract and flexible than a Windows token too, in that a token describing an authenticated user now just contains claims, not just SIDs. Claims can be anything (including their group SIDs), so this makes it easier to provide all the information an app needs to authorize a user without having to resort to post authentication lookups to go back and get their first name or their email address. It also allows you to address privacy concerns, in that each app can be configured to just get the info it needs and none that it doesn't. Users can be given the right to control what information is provided
RE: [ActiveDir]SUBDOMAIN AND LDAP
Yes, we should file a bug for AD. I'll take this offline with you. On the SSL front, it's interesting that you see this as a strength of ADFS. I would argue the opposite. Cert infrastructures are non-trivial to configure or maintain; I always saw it as a downside to ADFS that it requires one to get a PhD in certology and make this work not only for you but across organizations, assuming you use it in this way. Of course, the real solution to all of this is making a cert infrastructure as easy to run as, say, the key infrastructure that makes Kerberos just work for you. ~Eric

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan Sent: Sunday, September 24, 2006 10:49 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP

That's very cool, Eric. I had no idea that setting existed in ADAM. Any chance of sneaking that into the AD stack? I agree that it only solves half the problem, but at least by preventing this from working at all, it keeps people from setting up apps that will do unsecure simple binds thousands of times per day for years. There is only so much you can do. I also agree that SSL just isn't that easy and can't be, just because of the way it works. That doesn't stop me from wishing it was. :) One thing I like about ADFS is that you have to use SSL to play, so you can't even get yourself in trouble. I'll definitely file a bug on the audit thing. I think that would be nice, even with ADAM in the mode to reject insecure simple binds, because you could find out which clients are attempting it. Joe K.

- Original Message - From: Eric Fleischman [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Sunday, September 24, 2006 11:48 AM Subject: RE: [ActiveDir]SUBDOMAIN AND LDAP

> I'd love to see an AD and ADAM option that would allow the DS to reject simple bind operations on non-SSL ports

We agree. That's why we built it in to the product. :) Well, in to ADAM that is. See object CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={GUID}. Check out the attribute msds-other-settings, value named RequireSecureSimpleBind=0. Change that 0 to a 1, then you have enabled the protection. I would point out, this does not prevent a client from *presenting* a password via simple bind w/o connection security, only from the operation succeeding. So you could still present a password (thereby showing it to an attacker), it's just that it won't work. This is training with the stick, not the carrot. It's akin to saying, I can protect your SSN from working when you scream it to me in a room full of people (ie, require you write it on a piece of paper and pass it over), but I can't stop you from screaming, only punish you when you make this bad choice.

> Another thing that would be helpful would be an unencrypted simple bind audit event that could be configured, so that you could find the IP address of any client issuing these operations and track them down.

This is a good idea. Can you file a bug for this? I have thought of doing this before but never thought anyone would appreciate things like this. :)

> Now, if it was only easy to force all DCs and ADAM instances to have valid server certs, we'd be in business. :)

I think it goes w/o saying, but this is impossible. The definition of valid is in the eye of the beholder. For example, to some a self-signed cert, trusted by no one, is invalid for the DS. However, to the person that explicitly trusted that cert on their LDAP clients, it's perfectly fine. That's just one example, the same could be said for nearly every wonky cert config you think of, especially when you consider ADAM in the mix. ~Eric
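Two points in the ADAM threads above are easier to see on the wire than in prose: a simple bind carries the password in the PDU itself, so a server-side refusal (RequireSecureSimpleBind=1) punishes the client after the password has already crossed the network, and a simple bind that names a DN but supplies a zero-length password is what RFC 4513 section 5.1.2 calls an unauthenticated bind, which a server that permits it answers with success and anonymous access, the behaviour behind the null-password bind-redirection thread. The following is an added example, not code from any post in this thread or from ADAM: a minimal BER encoder/decoder for just the tags a BindRequest needs, a classifier that plays the role of the unencrypted-simple-bind audit event Joe asked for (it takes one captured PDU plus a caller-supplied flag saying whether the socket was TLS, since that is not in the PDU), and a client-side guard that refuses to build the two PDUs an application should never send. The DN and password are constructed sample values.

```python
from typing import Optional

# BER tags used by an LDAP BindRequest (RFC 4511 section 4.2).
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
SIMPLE_AUTH = 0x80    # AuthenticationChoice simple [0] OCTET STRING, primitive


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """Bytes a client sends for LDAPMessage{messageID, BindRequest{3, dn, simple}}.
    The password is embedded verbatim: without TLS it is readable by anyone on
    the path, whatever the server later decides. msg_id is assumed < 128."""
    bind = _tlv(BIND_REQUEST,
                _tlv(INTEGER, b"\x03")
                + _tlv(OCTET_STRING, dn.encode("utf-8"))
                + _tlv(SIMPLE_AUTH, password.encode("utf-8")))
    return _tlv(SEQUENCE, _tlv(INTEGER, bytes([msg_id])) + bind)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(pdu: bytes) -> Optional[dict]:
    """Extract version, DN and password from a simple BindRequest, or None when
    the PDU is another operation or a SASL bind."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != SEQUENCE:
        return None
    _, _msg_id, pos = _read_tlv(msg, 0)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != BIND_REQUEST:
        return None
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, cred, _ = _read_tlv(op, pos)
    if auth_tag != SIMPLE_AUTH:
        return None                          # SASL bind ([3]), not simple
    return {"version": version[0], "dn": name.decode("utf-8"),
            "password": cred.decode("utf-8")}


def classify_bind(pdu: bytes, over_tls: bool) -> str:
    """Audit decision for one captured PDU; over_tls comes from the socket."""
    b = parse_simple_bind(pdu)
    if b is None:
        return "not-simple-bind"
    if b["dn"] == "" and b["password"] == "":
        return "anonymous"
    if b["password"] == "":
        # RFC 4513 5.1.2: a DN with an empty password is an unauthenticated
        # bind. A server that allows it returns success and grants anonymous
        # access, so an app that treats "bind succeeded" as "password verified"
        # lets any known username in with a blank password.
        return "unauthenticated"
    if not over_tls:
        return "cleartext-password"
    return "simple-over-tls"


def guarded_simple_bind(msg_id: int, dn: str, password: str, over_tls: bool) -> bytes:
    """Client-side form of the same rule: refuse to build the two PDUs an
    application should never send rather than rely on the server to refuse them."""
    if not password:
        raise ValueError("empty password would be an unauthenticated bind")
    if not over_tls:
        raise ValueError("simple bind without TLS exposes the password")
    return encode_simple_bind(msg_id, dn, password)


if __name__ == "__main__":
    dn = "CN=TestUser,OU=Users,DC=example,DC=com"     # constructed sample DN
    for pw, tls in (("", False), ("S3cret!", False), ("S3cret!", True)):
        pdu = encode_simple_bind(1, dn, pw)
        print(pdu.hex(), "->", classify_bind(pdu, tls))
```

Run stand-alone it prints the three PDUs in hex and their classification; the cleartext one visibly contains the password bytes, which is the "you can still scream your SSN" point. Pairing `classify_bind` with a capture from port 389 gives the per-client inventory Joe wanted; `guarded_simple_bind` is the half of the fix that has to live in the application, and Eric's post-bind self-read is the complementary server-side check when the application cannot be changed.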
RE: [ActiveDir]SUBDOMAIN AND LDAP
In my own mind I've wrestled a lot with whether or not I like auth via LDAP. I've come to the conclusion that it's ok, and that we should build mechanisms to facilitate it. Things like tokenGroups on RootDSE speak to this, but we should do more. LDAP is easy. Anyone can write an LDAP-based application. On the flip side, Kerb is hard (a-la ADFS). Windows-level integration (LogonUser() like APIs) is likely what I like best, but there are problems, such as lack of x-platform story and the need to be within trust's reach. ADFS is a pretty good answer, but it's new, and people aren't yet comfy with the APIs (assuming they are easy to use, like LDAP) as well as lack of a consistent, reliable infrastructure you find everywhere. LDAP is the de facto choice considering these complications. So, you can like LDAP or not, but it's here to stay and people are using it. :) And I'm not sure this is a bad thing.

On some specific points:

> Far too many times that I have looked at LDAP traces I see passwords and IDs just flowing across the wire like there was no tomorrow.

To be fair, you need to be clear as to where you are seeing this. For example, two servers talking to one another in the clear might be acceptable depending upon your security model. SSL does not raise the bar out of the gate like people seem to want to believe. You need to look at a threat model to really know. In fact, I'd assert that most people who turn on SSL do so straight out of the gate and take the perf hit w/o ever having looked at a threat model! This is sad to me, it means they didn't threat model generally (and consequently don't know where the real gaps are) but also are paying a perf penalty w/o really knowing if it is required.

> Is your thought that those protocols are headed in the direction to be more universal and used even when Web access isn't even involved?

I don't know what Joe was thinking, but I'm certainly willing to assert this. As these technologies become easier to use and empower more scenarios, it is reasonable to assume that people may use them internally as well as externally. As this happens, it is rolled out even within an organization. I can name a few major organizations off hand which are using these as a unifying infrastructure among disparate systems within their enterprise. It is likely going to happen more and more, and I think it's already happening quite a bit today. That said, this is not to say you will see 100% coverage. I don't know. If we make ADFS a Kerberos-like piece of the infrastructure (automagically installed and configured out of the box), that becomes a more realistic perspective to consider. ~Eric

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, September 24, 2006 8:10 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir]SUBDOMAIN AND LDAP

Yeah I understand, lots of vendors use LDAP for auth, but it doesn't make it good/right. Just like lots of vendors requiring admin access or always passing NULL for LPSECURITY_ATTRIBUTES when working with securable objects. ADAM is another story, if you need to use ADAM principals you are stuck with using LDAP for the auth. I still don't like it though. :) Of course you are correct on the using SSL can help beef up the security but that seems to be done in the minority of the cases. Far too many times that I have looked at LDAP traces I see passwords and IDs just flowing across the wire like there was no tomorrow. The thing is most of the users I expect have no clue that they are being exposed in such a way because they trust that the Administrators and vendors actually know what they are doing. Course this is the case with many web based apps as well, but folks have started to learn to mistrust these automatically as time goes by. The little key on the browser helps a little but it tells you nothing about the backend and how insecure it is. I guess a possible configuration to help with this would be to configure IPSEC to only allow port 389/3268 to be used by replication partners. This would probably just break a ton of other stuff including anything using say kerberos/ntlm LDAP packet encryption or TLS as well as all of the non-secured stuff. As for the WS-* stuff, this is obviously more prevalent than just Web related techs. I admit to being completely uninformed on those protocols. Is your thought that those protocols are headed in the direction to be more universal and used even when Web access isn't even involved? joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan Sent: Saturday, September 23, 2006 12:15 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP

Although I do tend to agree that LDAP does not define a good authentication protocol at all, it is definitely the case that LDAP is used as an
RE: [ActiveDir] Seperate Administrator password policy
Is this a serious question? I have no idea. If I knew, not only would I do this, but I'd run out and buy a lotto ticket immediately. g This isn't about NDA or not. We can't see in to the future like this. We do our best to build as much as we can. At some point, the gates close. What makes it in is quasi-predictable, but not to the level you're asking for. ~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Saturday, September 02, 2006 2:15 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Seperate Administrator password policy

Eric, can you already state publicly what the chance of this feature is to make it into Longhorn, if at all? Or is this still NDA? Thanks, Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Saturday, September 02, 2006 6:32 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Seperate Administrator password policy

A few comments, in no particular order

> I can visualize mechanisms to pull this off in the existing GPOs or to do it outside of the GPOs

Well sure, it doesn't take a visionary to see how this could be done. ;) See LDAP policies for one such example (though by no means the only choice; in fact, not how I would do it). I would point out that if you pulled out password policy, it would make sense to pull out all policy dependencies in AD itself so as to fully separate the relationship, that is, AD and associated components (SAM, Kerberos, etc.) do not depend on policy application for anything.

> If you leave the world of the GPO I think you get more flexible as you could then implement it in such a way that these password policies could be applied to users within containers and even specific individual users which would be great for say service IDs or admin IDs

Well, yea. I mean, this is the DCR that we've been asked for over and over for like 5 years. While there are many ways to achieve it (group memberships, direct links from the user parent containers, etc.) the net net is the same.

> From the standpoint of speed/perf, I am not sure if it makes sense to have an assemble the final policy on the fly mechanism here [efleis snip of the rest of the paragraph, but I'm commenting on it all]

The reality is that I don't think most orgs will have thousands of password policies, so the merging is likely not all that bad. And the # of settings is low. That said, I'm still against this as it seems uber inconsistent to me and very error prone.

> Using groups could be troublesome, what is the override mechanism, which group is more important if there are policies on 10 groups you are in?

This is a trivially solvable problem, I'm not worried about this. On the larger point of the right way to skin this cat, I actually disagree. I am for groups for the same reason I'm for them in the RODC PRP scenario. Again, there are a great many orgs where you have OUs separated by many things, say geographical location, and now want to make an OU-separated set of lower-priv admins have some special password policy (imagine the regional admins scenario for a customer who has OUs separated by location). I really think the argument is very much the same as RODC PRP use of groups; we don't want to push an OU model here. I'm typically against building features in such a way that they dictate a specific OU model to use them as that could fly directly in the face of the logic you used for your existing OU model.

> It confuses me somewhat why DCs insist on pulling this from DDP instead of just assembling the policy, like any other, from all applicable GPOs. I assume it was done to avoid a situation where two DCs could have different policies applied to them and depending on what DC handled your password change, you would be subject to different rules.

Yes, that's why. In fact, there were some way early win2k bugs that yielded just this (like pre-SP1 if I remember right, or maybe even as late as SP1, I'm not sure).

> If that's the case, I can't say I'm a big fan of illogical hacks to help out less-clueful admins.

I love this sentence. J ~E

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, September 01, 2006 2:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Seperate Administrator password policy

I can visualize mechanisms to pull this off in the existing GPOs or to do it outside of the GPOs. Having thought about this quite a bit in the past, my personal preference would be to handle this outside of the GPOs for several reasons. Some of the reasons off the top of my head: o I never really liked policy items that simply made changes in AD and then the changes to the policy were simultaneously moving through AD replication and GPO replication. It is illogical. Either prevent the attributes from replicating in AD or don't replicate them through group policy, pick one. Preferably, IMO
RE: [ActiveDir] Seperate Administrator password policy
With this one, it wouldn't. This is one of the most commonly requested things in AD history. No one needs to be reminded, it's all about schedule now.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, September 02, 2006 12:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Seperate Administrator password policy

...you know a few Longhorn bugs filed on this might help (hint hint)

Grillenmeier, Guido wrote:

;-) thanks for the feedback anyways Eric - it gives us an idea that we shouldn't build our hopes too high for the multiple-password-policies feature at this stage in the LH development phase. But I'll keep hoping anyways. /Guido
RE: [ActiveDir] Seperate Administrator password policy
A few comments, in no particular order...

> I can visualize mechanisms to pull this off in the existing GPOs or to do it outside of the GPOs

Well sure...it doesn't take a visionary to see how this could be done. ;) See LDAP policies for one such example (though by no means the only choice...in fact, not how I would do it). I would point out that if you pulled out password policy, it would make sense to pull out all policy dependencies in AD itself so as to fully separate the relationship...that is, AD and associated components (SAM, Kerberos, etc.) do not depend on policy application for anything.

> If you leave the world of the GPO I think you get more flexible as you could then implement it in such a way that these password policies could be applied to users within containers and even specific individual users which would be great for say service IDs or admin IDs

Well, yea. I mean, this is the DCR that we've been asked for over and over for like 5 years. While there are many ways to achieve it (group memberships, direct links from the user parent containers, etc.) the net net is the same.

> From the standpoint of speed/perf, I am not sure if it makes sense to have an "assemble the final policy on the fly" mechanism here

<efleis snip of the rest of the paragraph, but I'm commenting on it all>

The reality is that I don't think most orgs will have thousands of password policies, so the merging is likely not all that bad. And the # of settings is low. That said, I'm still against this as it seems uber inconsistent to me and very error prone.

> Using groups could be troublesome, what is the override mechanism, which group is more important if there are policies on 10 groups you are in?

This is a trivially solvable problem, I'm not worried about this. On the larger point of the right way to skin this cat, I actually disagree. I am for groups for the same reason I'm for them in the RODC PRP scenario. Again, there are a great many orgs where you have OUs separated by many things, say geographical location, and now want to make an OU-separated set of lower-priv admins have some special password policy (imagine the regional admins scenario for a customer who has OUs separated by location). I really think the argument is very much the same as RODC PRP use of groups...we don't want to push an OU model here. I'm typically against building features in such a way that they dictate a specific OU model to use them as that could fly directly in the face of the logic you used for your existing OU model.

> It confuses me somewhat why DCs insist on pulling this from DDP instead of just assembling the policy, like any other, from all applicable GPOs. I assume it was done to avoid a situation where two DCs could have different policies applied to them and depending on what DC handled your password change, you would be subject to different rules.

Yes, that's why. In fact, there were some way early win2k bugs that yielded just this (like pre-SP1 if I remember right, or maybe even as late as SP1, I'm not sure).

> If that's the case, I can't say I'm a big fan of illogical hacks to help out less-clueful admins.

I love this sentence. :) ~E

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, September 01, 2006 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Seperate Administrator password policy

I can visualize mechanisms to pull this off in the existing GPOs or to do it outside of the GPOs. Having thought about this quite a bit in the past, my personal preference would be to handle this outside of the GPOs for several reasons. Some of the reasons off the top of my head:

o I never really liked policy items that simply made changes in AD and then the changes to the policy were simultaneously moving through AD replication and GPO replication. It is illogical. Either prevent the attributes from replicating in AD or don't replicate them through group policy, pick one. Preferably, IMO, get them out of the group policy and use a standard LDAP attribute on the required objects.

o If you leave the world of the GPO I think you get more flexible as you could then implement it in such a way that these password policies could be applied to users within containers and even specific individual users which would be great for say service IDs or admin IDs.

o It removes you from the complexity and confusion between the member password policies and domain password policies which even now is still a huge topic for questions in the newsgroups and here.

o You don't get people trying to apply different password policies to different domain controllers. I would like this executed for all domain/domain controller security settings in general actually.

From the standpoint of speed/perf, I am not sure if it makes sense to have an "assemble the final policy on the fly" mechanism here. From a perf standpoint I don't think you want to be having to do the logic to combine multiple
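Eric's answer above is that every DC reads the domain password and lockout policy from the attributes on the domain NC head (written from the Default Domain Policy) rather than assembling it from GPOs per DC, precisely so that two DCs can never disagree about the rules. The following is an added check, not code from the thread or from Microsoft, that tests that property directly: it reads the domain head from every writable DC and flags any disagreement, which would point at a replication problem of the kind the early Win2k bugs produced. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later, which postdates the thread) and a domain-joined session.

```powershell
# Added example (not from the thread): confirm all writable DCs serve the same domain
# password/lockout policy by reading the domain NC head from each DC directly.
# Assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

function ConvertTo-Days([long]$interval) {
    # Age attributes are negative 100-nanosecond intervals; Int64.MinValue means "never".
    if ($interval -eq [long]::MinValue) { return 'never' }
    [math]::Abs($interval) / 864000000000
}

function ConvertTo-Minutes([long]$interval) {
    # Lockout attributes use the same encoding; 600,000,000 intervals per minute.
    if ($interval -eq [long]::MinValue) { return 'never' }
    [math]::Abs($interval) / 600000000
}

$domain = Get-ADDomain
$attrs  = 'minPwdLength', 'pwdHistoryLength', 'minPwdAge', 'maxPwdAge',
          'pwdProperties', 'lockoutThreshold', 'lockoutDuration', 'lockOutObservationWindow'

# -Server pins each read to one DC instead of letting DC locator pick for us.
$perDc = foreach ($dc in Get-ADDomainController -Filter { IsReadOnly -eq $false }) {
    try {
        $head = Get-ADObject -Server $dc.HostName -Identity $domain.DistinguishedName -Properties $attrs
    } catch {
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    [pscustomobject]@{
        DC               = $dc.HostName
        MinLength        = $head.minPwdLength
        History          = $head.pwdHistoryLength
        MinAgeDays       = ConvertTo-Days $head.minPwdAge
        MaxAgeDays       = ConvertTo-Days $head.maxPwdAge
        # DOMAIN_PASSWORD_COMPLEX is bit 0 of pwdProperties.
        Complexity       = [bool]($head.pwdProperties -band 1)
        LockoutThreshold = $head.lockoutThreshold
        LockoutMinutes   = ConvertTo-Minutes $head.lockoutDuration
        ObservationMin   = ConvertTo-Minutes $head.lockOutObservationWindow
    }
}

$perDc | Format-Table -AutoSize

# More than one distinct value for any field means the DCs disagree on the policy.
$fields = 'MinLength', 'History', 'MinAgeDays', 'MaxAgeDays', 'Complexity',
          'LockoutThreshold', 'LockoutMinutes', 'ObservationMin'
$drift = $fields | Where-Object { @($perDc.$_ | Sort-Object -Unique).Count -gt 1 }
if ($drift) {
    Write-Warning ("Password policy differs between DCs on: " + ($drift -join ', '))
} else {
    "All $(@($perDc).Count) writable DCs agree on the domain password policy."
}
```

Run it as any domain user; the domain head attributes are readable by Authenticated Users. The point of reading each DC by name rather than calling Get-ADDefaultDomainPasswordPolicy once is that the latter answers from whichever DC the locator hands you, which is exactly the case that cannot reveal a divergence.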
RE: [ActiveDir] Read-Only Domain Controller and Server Core
To be clear, as your comments don't seem to indicate the why as much as Nathan's did, we were less interested in the bandwidth savings and more interested in the accuracy of the list. Non-LVR link values have a value loss potential on conflicted write across DCs. ~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, August 28, 2006 5:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

> RODCs require Win2k03 FFM. This is so that we can guarantee a higher degree of accuracy for the password reveal list (msDS-RevealedUsers and the constructed version msDS-RevealedList) due to LVR

Been thinking more about the requirement for the Windows Server 2003 Forest Functional Level (FFL2) to deploy RODCs. It certainly makes sense to leverage LVR (linked value replication) to reduce the amount of data being replicated around and to eliminate the 5000 values replication limit due to the limit of the Jet DB version store. Just wondering how many companies are still running a pure Win2000 AD forest and want to upgrade directly to Longhorn (skipping deployment of Windows Server 2003 DCs)? Do they realize that they will not be able to deploy RODCs prior to first upgrading or replacing ALL Win2000 DCs in the forest with writeable Longhorn DCs? They will then be able to switch to FFL3 (Longhorn Server) and in a second phase of the upgrade project they can take care of deploying RODCs. And since you can't just switch the mode of a writeable DC to an RODC (and vice versa), this usually means de-promoting the writeable LH DCs and then re-promoting them as RODCs (where you want them - for example you'll still want writeable DCs in your hub sites). Naturally this de-promo and re-promo process can be scripted, but it's still an extra phase in the project that takes time and effort and must be planned appropriately.

Companies who have already upgraded to Win2003 and are running at Win2003 FFL will have less of an issue - they will be able to deploy RODCs right into their existing Win2003 forests. The PDC of the respective domain must run Longhorn, but that's a small price to pay. So, it would be good to get some feedback from this list:

A. how many of you are planning to upgrade your AD directly from Win2000 to Longhorn Server?
B. how many are planning to upgrade from Windows 2003 FFL?
C. how many think they are still in-between (have Win2003 AD, but couldn't yet reach Win2003 FFL for some reason, such as some Win2000 or WinNT DCs still hanging around)?

Thanks, Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Muggli
Sent: Thursday, August 03, 2006 8:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

PRP = Password Replication Policy

Yes the tool will directly populate the Allow or Deny attributes (msDS-RevealOnDemandGroup and msDS-NeverRevealGroup respectively) with the security principal. Ideally the users\computers would be put into a group, and then the group added to the Allow list. That way you only have to manipulate the group and not the attributes. The tool will most likely support a generic add operation to add a group (or user\computer) to the Allow\Deny list and then you could use whatever group manipulation tool you wanted.

RODCs require Win2k03 FFM. This is so that we can guarantee a higher degree of accuracy for the password reveal list (msDS-RevealedUsers and the constructed version msDS-RevealedList) due to LVR.

Interesting suggestion on the BL for msDS-RevealOnDemandGroup\msDS-NeverRevealGroup. The only issue I see with that is if groups are used instead of individual users\computers. I don't think it's as useful to see a BL on a group since you really want to see the user. However, that said, we are providing a new RootDSE operation called "verify cacheability" that will return three values (allowed, explicitly denied, and not on deny or allow). Its input will be a security principal and an RODC, so while PRP knowledge won't be stored on the user\computer you can easily check a given user to see if they are cacheable at a given RODC.

There are two new links on the user\computer objects related to RODCs. One is msDS-AuthenticatedAtDC (which is actually the FL to msDS-AuthenticatedToAccountlist for performance reasons). The other as you pointed out is msDS-RevealedDSAs which shows which RODCs the user\computer has been cached at.

Since the PRP is per RODC, we do stamp a common group for both allow and deny by default on every RODC promotion to aid in one-to-many management (i.e. for service accounts, etc.). The new groups (which are created when the PDC is upgraded to LH) are Domain RODC Password Replication Allowed Group and Domain RODC Password Replication Denied Group. So the current default PRP on RODC promotion looks like this:
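Nathan's message above names the attributes an admin actually works with on an RODC: the Allow/Deny lists (msDS-RevealOnDemandGroup, msDS-NeverRevealGroup), the stored and constructed reveal lists (msDS-RevealedUsers, msDS-RevealedList), the authenticated-at link (msDS-AuthenticatedAtDC) and the "verify cacheability" operation. Dmitri's point later on this page, that a revealed hash can never be recalled from an RODC and only dies when the password changes, is what makes the constructed list the thing to act on when a branch box goes missing. The script below is an added example, not code from the thread or from Microsoft: it audits one RODC's PRP for over-broad Allow entries, lists the accounts whose current secrets it holds, flags any AdminSDHolder-protected account among them, and stages the password expiry a theft response would need. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later, which postdates the thread and gives these attributes cmdlet wrappers); the RODC name RODC01 is hypothetical.

```powershell
# Added example (not from the thread): audit and theft triage for one RODC's
# Password Replication Policy. Assumes the ActiveDirectory module; RODC01 is hypothetical.
Import-Module ActiveDirectory

$Rodc = 'RODC01'   # hypothetical RODC name, replace with yours

# 1. What the PRP permits. Allow = msDS-RevealOnDemandGroup, Deny = msDS-NeverRevealGroup.
#    An explicit Deny wins over Allow, which is how the default PRP can deny the built-in
#    administrative groups while allowing a broad per-domain "Allowed" group.
$allow = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed)
$deny  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied)
"== PRP for $Rodc =="
$allow | Select-Object @{n = 'List'; e = { 'Allow' }}, Name, ObjectClass
$deny  | Select-Object @{n = 'List'; e = { 'Deny' }},  Name, ObjectClass

# Audit: broad principals in Allow turn "cache nothing by default" into "cache everyone".
$broad = 'Domain Users', 'Authenticated Users', 'Everyone', 'Domain Computers'
foreach ($p in $allow) {
    if ($broad -contains $p.Name) {
        Write-Warning "Allow list on $Rodc contains broad principal '$($p.Name)'"
    }
}

# 2. What has actually been cached. msDS-RevealedList is constructed from msDS-RevealedUsers
#    and keeps only entries whose *current* secret is on the RODC, so it is the list to act
#    on after a theft: the hash cannot be recalled, only invalidated by a password change.
$revealed    = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
$revealedDns = @($revealed | ForEach-Object { $_.DistinguishedName })
"$($revealed.Count) accounts have a current secret cached on $Rodc"

# The same data read raw from the RODC computer object, for tooling without the cmdlet.
$rodcObj = Get-ADComputer -Identity $Rodc -Properties 'msDS-RevealedList', 'msDS-RevealedUsers'
$rodcObj.'msDS-RevealedList'

# 3. Nothing protected by AdminSDHolder (adminCount=1) should ever appear in the cache;
#    the default PRP denies those groups, this catches later drift in the Allow list.
foreach ($acct in $revealed) {
    $o = Get-ADObject -Identity $acct.DistinguishedName -Properties adminCount
    if ($o.adminCount -eq 1) {
        Write-Warning "Privileged account cached on ${Rodc}: $($o.DistinguishedName)"
    }
}

# 4. Accounts that authenticated at the RODC (msDS-AuthenticatedAtDC) but are not cached,
#    with the PRP decision the "verify cacheability" check would return for each.
$authOnly = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts) |
    Where-Object { $revealedDns -notcontains $_.DistinguishedName }
foreach ($a in $authOnly) {
    $decision = Get-ADAccountResultantPasswordReplicationPolicy -Identity $a.DistinguishedName -DomainController $Rodc
    "$($a.SamAccountName): authenticated at $Rodc, not cached, PRP resolves to $decision"
}

# 5. Theft response for cached user accounts: force a password change so the cached hash
#    becomes useless. Computer accounts rotate their own secret through NETLOGON.
#    -WhatIf keeps this run an audit; remove it to act.
foreach ($acct in $revealed) {
    if ($acct.ObjectClass -eq 'user') {
        Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true -WhatIf
    }
}
```

Two caveats when taking the -WhatIf off. Set-ADUser refuses ChangePasswordAtLogon on accounts flagged "password never expires", which is common for the service accounts an Allow list is usually created for, so those need Set-ADAccountPassword -Reset with a new secret instead. And the documented response to a stolen RODC is to delete its computer object, which offers to reset every cached account in one step; the script above is the audit you run before doing that, so you know what the reset is going to hit.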
RE: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders
I haven't read the entire thread which has happened, but IF you managed to delete it, ping me offline and I can help you recreate it. But I would be totally sure it is gone first...a database dump sounds like a fine way to confirm. ~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 8:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I also meant to view as Administrator. Not an account with domain admin rights. There are subtle differences in certain scenarios. I was assuming the ACLs on the object or the parent are possibly preventing you from viewing the object. But I doubt it's the case. You aren't using the list object (LO) right, are you? M@

On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
By the way you are looking for this on the forest root right? M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Yep logged in as Domain Admin.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 13:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I am wondering if there are ACLs defined on the group itself or the OU above to prevent you from seeing it. Do you see it as the Administrator account of the domain? M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Problem is I don't see it anymore in the BUILTIN container. Strange thing is that if I look at the security of the domain object in ADUC Incoming Forest Trust Builders is there.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 10:22
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I don't think so. objectSid attribute is a system-only attribute. Personally I am impressed by that smart co-worker that managed to delete it. According to the AD Delegation appendices (http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en) it's not possible to move/delete/rename this group. Maybe he exploited the dynamic objects feature in Windows 2003 RTM? http://blogs.dirteam.com/blogs/tomek/archive/2006/06/23/1175.aspx M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Hi, A smart co-worker deleted the BUILTIN\Incoming Forest Trust Builders group. Is it possible to recreate this group with the same well known SID? Authoritative restore is out of the question, deletion is too long ago. Han Valk.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
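Eric's advice above is to be totally sure the group is gone before trying to recreate it, and M@'s two hints are the right ones: look it up by its well-known SID rather than its name (objectSid is system-only, so the SID is the only thing that cannot have been renamed or shadowed), and look in the forest root, since Incoming Forest Trust Builders exists only there. The following is an added check, not code from the thread: it searches the Builtin container by SID, then searches the tombstones, where objectSid is preserved for the tombstone lifetime, and finally asks LSA whether the SID still resolves. It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 or later, which postdates the thread) and a session in the forest root domain.

```powershell
# Added example (not from the thread): confirm whether a well-known BUILTIN group exists
# live, exists only as a tombstone, or is gone, using its SID rather than its name.
# Assumes the ActiveDirectory module and a session in the forest root domain.
Import-Module ActiveDirectory

# S-1-5-32 is the BUILTIN authority; RID 557 is Incoming Forest Trust Builders.
# Add further well-known RIDs here to audit more of the Builtin container.
$wellKnown = @{
    'Incoming Forest Trust Builders' = 'S-1-5-32-557'
}
$domain  = Get-ADDomain
$builtin = "CN=Builtin,$($domain.DistinguishedName)"

foreach ($entry in $wellKnown.GetEnumerator()) {
    $name = $entry.Key
    $sid  = $entry.Value

    # Live object, located by SID so a renamed or impostor group cannot fool the check.
    $live = Get-ADObject -SearchBase $builtin -Filter { objectSid -eq $sid } `
                -Properties objectSid, isCriticalSystemObject

    # Tombstone: deleted objects keep objectSid until the tombstone lifetime expires,
    # which is also the window in which an authoritative restore is still possible.
    $dead = Get-ADObject -IncludeDeletedObjects `
                -Filter { objectSid -eq $sid -and isDeleted -eq $true } `
                -Properties whenChanged, lastKnownParent

    if ($live) {
        "$name ($sid): present at $($live.DistinguishedName)"
    } elseif ($dead) {
        "$name ($sid): DELETED; tombstone last changed $($dead.whenChanged), parent was $($dead.lastKnownParent)"
    } else {
        "$name ($sid): not found live or as a tombstone (past the tombstone lifetime?)"
    }

    # Cross-check through LSA: a SID that still resolves to a name is still known to the domain.
    try {
        $acct = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                    [System.Security.Principal.NTAccount])
        "  LSA resolves $sid to $acct"
    } catch {
        "  LSA cannot resolve $sid to a name"
    }
}
```

The ACL on the domain object still showing the group's name, as Han observed, is consistent with the group being gone: ACEs store SIDs, and the display name comes from the LSA lookup in the last step, which can keep answering from cache for a while after the object itself has been deleted.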
RE: [ActiveDir] Read-Only Domain Controller and Server Core
I want to make one other thing clear...the other reason to ship the product in this state is secure by default. Out of the box, we have no idea what secrets you will want on the RODC. We don't know your enterprise or your threat model. As such, there's really no good choice...we too would be implicitly turning the knob for better out of the box admin experience vs more secure out of the box. No good choices. So, even if you assume that this state is good for no one (a contention I'll disagree with, there are some enterprises that will do this, but that's not the point), it is still the right state in which to ship the product. This is like ordering pizza for every admin in every forest on the planet. ~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, July 28, 2006 3:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Read-Only Domain Controller and Server Core

That's the ~Eric we've come to know :) Thanks for that view. I'll take your advice and check for the traffic and rethink the view on the RODC concept. Like you said, it may prove uninteresting, but after that amount of information from you, Dmitri and Guido, I'd hate to leave that stone unturned. I'll ping back if I get lost watching the traces. I appreciate the offer and you guys taking the time to discuss this. Al
RE: [ActiveDir] Read-Only Domain Controller and Server Core
To add a bit more...

> The part that makes me wonder about the story is if it stores no secrets is the server doing anything for me?

The short answer is yes. The bulk of the work that a DC does, even in the auth code path, may not involve the secret. So even if the secret checking work is outsourced to a hub DC, there is a lot more work that the local DC can perform for the user. For example, if it is an interactive logon, consider all of the GP work alone that is done that is now local. At the end of the day, you have a knob...you can make real security trade-offs based upon what attack surface you can accept/mitigate, what administrative story you want, etc. You get to choose what secrets end up on the RODC. The product is built such that you can turn these knobs as you see fit but the default knob setting is more secure. I hope between my response and Dmitri's you are clear that the belief that it stores nothing locally is incorrect. If more clarity is required please just holler. ~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dmitri Gavrilov
Sent: Friday, July 28, 2006 9:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

The set of passwords that *can* be sent down to the RODC is controlled by password replication policy. The passwords are sent down by RODC's request, but the hub also checks whether the user (whose pwd is being requested) actually attempted to authenticate at RODC (the hub can induce this info from the traffic it sees). The pwd hash is sent down only if both are satisfied: pwd policy allows it and the user actually attempted to logon there. Pwd policy is empty by default, i.e. nobody is in the allowed-to-reveal list. It is admin's responsibility to populate this list. We might have some UI that helps with this process. Once the hash is sent down, there's no way to remove it from RODC, basically because we do not trust that RODC will remove it, even if instructed to do so. Therefore, the only way to expire the hash is to change the password. We store the list of passwords that were sent down to RODC in an attribute on the RODC computer object (the hub DC updates the list when it sends a pwd). So, if the RODC is stolen, you can enumerate whose passwords were down there, and make these users reset their passwords. There's a constructed attribute that returns only the users whose *current* passwords appear to be on the RODC. WRT what data is sent down currently, we send everything, sans a handful of secret attributes, which are controlled by pwd replication policy. There's a DCR to be able to configure the list of attributes that can go down to RODC (aka RODC PAS), but it is not yet clear if we will get it done or not. Note that the client data access story on RODC becomes quite convoluted because you don't know if you are seeing the whole object or only a subset of it. We do not normally issue referrals due to partial reads.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 28, 2006 8:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Read-Only Domain Controller and Server Core

RODC stores password hashes only for a pre-defined list of users and they are not stored on a permanent basis. [I'm unclear how the latter is achieved.] The goal is such that if the RODC were removed from the office then no password secrets could be extracted from that machine. neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 28 July 2006 16:08
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Read-Only Domain Controller and Server Core

The part that makes me wonder about the story is if it stores no secrets is the server doing anything for me? Is there a point to deploying the server in a remote office other than just being able to point to it in the closet and say, "see, I do too earn my paycheck!" I'm sure there's more, but I don't yet know which parts are public information and which are NDA. Can you tell I'm concerned about the story being created? I like stories; don't get me wrong. But I'm concerned that the story being spun up might be missing the mark and lead a few people astray. Safe to note that there are some features that differentiate the RODC from a NT4 BDC and that make it appealing in some cases. But if it actually does not store anything locally, ever, then I'm not sure it's worth the time to deploy one now is it? Al

On 7/27/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
FYI: http://blogs.msdn.com/jolson/archive/2006/07/27/679801.aspx Read-Only Domain Controller and Server Core
RE: [ActiveDir] Read-Only Domain Controller and Server Core
Hi Al,

Take your workstation and take a sniff of a logon. All traffic you throw at the DC will work against the RODC. The only WAN traffic in that scenario would be the auth itself, a tiny amount of work (assuming GC and all that is satisfied locally). So, the statement that authentication is your biggest use is true, kinda; you need to more carefully define the operation. I suspect you don't mean auth in the Kerberos sense, you mean user logon really. Unless your branch has a bunch of apps that do Kerb work and no clients... then you can correct me and we have a totally different conversation on our hands. :)

Answering some questions of yours, from this and other forks of the thread...

> What conditions would make it so that the password policy would be configured such that the password replication was not allowed?

There is a policy (not group policy, an administrative one defined in AD itself) which defines what can be cached there and what can not. The statement made (I think first by Dmitri, but I then commented on it further) was that by default, this policy allows almost nothing to be cached. You could tweak this in your enterprise and change what is cached, anything from the near-nothing default to almost every secret in the domain. You can choose.

> Would that just be that the RODC is no longer trusted (i.e. it was abducted or otherwise compromised?)

Well, we never know if an RODC was compromised. Rather, RODC was built such that you the admin can assume they are compromised, and fully understand the scope of compromise in your enterprise should it happen one day, and respond to said event. So, I say you should look at this problem the other way. Treat your RODCs as if they were about to get compromised, then make real decisions around how much work the recovery from said compromise would be vs. actually having an environment that is useful, reliable, easy to manage, etc. That's what I was talking about re: the knobs... you can turn said knobs and make decisions that work for you. And we'll have documentation that will help you do this.

> Or is that something that some admin can configure and hurt themselves? Better yet, if that were true, is there any value left in the RODC that can't get a password hash?

I think I answered this but please holler if it is still unclear.

> Outside of GP work what else comes to mind that is off-loaded to the local site that you can think of?

Take a network sniff of your clients talking to your DCs for a day. Almost all of that stuff. :) You could have apps, you have logon itself, etc.

> Perhaps I'm looking at this sideways?

Every environment is different. It is entirely possible that a secret-less RODC is totally uninteresting in your enterprise. That said, I would argue that you probably haven't done enough investigation yet to really know if that's true or not... it's not personal, why would you? This has likely never been relevant. Almost no one does this sort of analysis unless they absolutely have to. Take some data, please report back to us. I'd love to look at said data with you if you're unclear as to what would fall in what bucket.

Hope this helps. Please holler back with questions.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, July 28, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Read-Only Domain Controller and Server Core

More clarity is always welcome. I suspect I'm trying to get my mind around the GPO providing that much value that I would want to put a DC in the local branch as part of the design vs. trying really hard to use as little of the GPO as possible and making sure that the changes are as infrequent as possible. Authentication and name resolution are my biggest uses for a local DC in a branch. Outside of Exchange of course. Everything else I try to keep as compartmentalized as I can because if my WAN is a concern such that I can't use authentication across the wire (or can't trust it) then I have some big concerns about the branch environment and how autonomous it is. Outside of GP work what else comes to mind that is off-loaded to the local site that you can think of? Perhaps I'm looking at this sideways?

On 7/28/06, Eric Fleischman [EMAIL PROTECTED] wrote:

> To add a bit more...
>
> > The part that makes me wonder about the story is if it stores no secrets is the server doing anything for me?
>
> The short answer is yes. The bulk of the work that a DC does, even in the auth code path, may not involve the secret. So even if the secret checking work is outsourced to a hub DC, there is a lot more work that the local DC can perform for the user. For example, if it is an interactive logon, consider all of the GP work alone that is done that is now local. At the end of the day, you have a knob... you can make real security trade-offs based upon what attack surface
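The cache policy Eric describes shipped in Windows Server 2008 as the RODC Password Replication Policy: each RODC computer object carries an allow list (msDS-RevealOnDemandGroup) and a deny list (msDS-NeverRevealGroup), a deny match always wins, and msDS-RevealedList records which accounts' secrets the RODC actually holds. The following is an added illustration, not code from this thread or from Microsoft, that models that decision and the "assume it is already compromised" scoping Eric recommends. The group names are the Server 2008 defaults; the branch users, their memberships and the "loose" RODC policy are constructed for the example.

```python
"""Model of the RODC Password Replication Policy (PRP) decision and the
blast radius of a stolen RODC. Added illustration, not code from the thread.
Default group names are the Windows Server 2008 defaults; the account data
below is constructed for the example."""
from dataclasses import dataclass, field

# Defaults written to every RODC computer object at promotion (Server 2008).
DEFAULT_ALLOW = {"Allowed RODC Password Replication Group"}
DEFAULT_DENY = {
    "Denied RODC Password Replication Group",
    "Administrators", "Account Operators", "Server Operators", "Backup Operators",
}
# Default members of the Denied group.
DENIED_GROUP_MEMBERS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Cert Publishers",
    "Group Policy Creator Owners", "Domain Controllers",
    "Read-only Domain Controllers", "krbtgt",
}

@dataclass
class Principal:
    name: str
    groups: set = field(default_factory=set)   # transitive group memberships

@dataclass
class Rodc:
    name: str
    allow: set = field(default_factory=lambda: set(DEFAULT_ALLOW))
    deny: set = field(default_factory=lambda: set(DEFAULT_DENY))
    revealed: set = field(default_factory=set)  # msDS-RevealedList (names)

def effective_groups(p: Principal) -> set:
    """Nested membership of the Denied group is flattened so that a Domain
    Admin is denied even though only the group, not the user, is listed."""
    groups = set(p.groups) | {p.name}
    if groups & DENIED_GROUP_MEMBERS:
        groups.add("Denied RODC Password Replication Group")
    return groups

def may_cache(rodc: Rodc, p: Principal) -> bool:
    """PRP rule: any match in the deny list wins over any allow match; an
    account matched by neither list is not cached (default is deny)."""
    g = effective_groups(p)
    if g & rodc.deny:
        return False
    return bool(g & rodc.allow)

def authenticate(rodc: Rodc, p: Principal) -> str:
    """Logon at the branch: the hub DC verifies the secret; it is then
    replicated to the RODC only if the policy allows, and recorded."""
    if may_cache(rodc, p):
        rodc.revealed.add(p.name)
        return "cached"
    return "forwarded"

def compromise_scope(rodc: Rodc) -> set:
    """What an attacker holding the RODC's DIT gets: exactly the revealed
    list, which is also what the admin must reset after the theft."""
    return set(rodc.revealed)

def demo():
    # Constructed branch: default policy versus an admin who opened it up.
    users = [
        Principal("alice", {"Branch Users"}),
        Principal("bob", {"Branch Users", "Domain Admins"}),
        Principal("svc-backup", {"Backup Operators", "Branch Users"}),
    ]
    strict = Rodc("RODC-STRICT")                                   # near-nothing default
    loose = Rodc("RODC-LOOSE", allow=DEFAULT_ALLOW | {"Branch Users"})
    strict_res = {u.name: authenticate(strict, u) for u in users}
    loose_res = {u.name: authenticate(loose, u) for u in users}
    return strict_res, loose_res, compromise_scope(strict), compromise_scope(loose)

if __name__ == "__main__":
    for item in demo():
        print(item)
```

With the default policy nothing is cached and a stolen RODC yields no secrets; once "Branch Users" is added to the allow list, alice's secret is cached and becomes the recovery scope, while bob (Domain Admin) and the backup service account stay denied because the deny list is evaluated first.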
RE: [ActiveDir] Raid 1 tangent -- Vendor Domain
> The exception to this is the edge case of Eric's big DIT[1] in which he dumped 2TB of data into AD in a month at which point he did something that few people see, pushed the IOPS on the log drive through the roof.

Actually, log IOs were quite low, considering. I bet a single spindle pair would have been enough for most of my work. The real killer was random I/O throughout the DB. Here I was pushing 1800 read / 1800 write for most of the run. I really needed more SAN paths because I'm pretty sure that was the bottleneck (it just wasn't set up to have as many redundant paths, as I didn't anticipate the bottlenecks I hit). I keep meaning to write a follow-up post with a lot of data. I'll do so this week and post it so this sort of stuff is a bit more clear.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, July 22, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Raid 1 tangent -- Vendor Domain

Mirrors don't scale. Microsoft's deployment doc mostly just talks about using mirrors (small nod to RAID 10/0+1) so everyone thinks that they should build their Corporate DCs on mirrors, usually 3 - OS, Logs, and DIT. Very few people if anyone would build a corporate Exchange Server on mirrors... Why not? The DB is the same under both of them... What is critical to Exchange? IOPS and that means spindles. If something is really beating on AD and the entire DIT can't be cached, IOPS are critical to AD as well. The main difference is that AD is mostly random read and Exchange is heavy writing and reading. The exception to this is the edge case of Eric's big DIT[1] in which he dumped 2TB of data into AD in a month at which point he did something that few people see, pushed the IOPS on the log drive through the roof.

In a smaller environment (very low thousands), or for a low use DC (small WAN site), or a DC with a DIT fully cached, a RAID-1 drive for DIT will probably be sufficient; you will note that the only numbers mentioned in the deployment guide are about 5000[2]... That usually means a small DIT and it is extremely likely that a K3 DC will cache the entire DIT. Plus the usage is probably such that the IO capability of two spindles will likely be ok. Let me state though that even in a small user environment if there was an intensive directory based app or a buttload of data that pushes the DIT into GBs instead of MBs I would still be watching my disk queueing pretty close as well as the Read and Write Ops.

AD admins who aren't running directory intensive apps (read as Exchange 2000+) usually don't see any issues but then again most aren't looking very closely at the counters because they haven't had a reason to and even if they had some short lived issues they probably wouldn't go look at the counters. At least that has been my experience in dealing with companies. I will admit that prior to implementing Exchange when I did AD Ops with a rather large company I didn't once look at the disk counters, didn't care, everything ran perfectly well and about the only measure of perf was replication latency and does ADUC start fast enough and it always was fine there unless there were network related issues or a DC was having hardware failure.

Enter Exchange... Or some other app that pounds your DCs with millions of queries a day and tiny little bits of latency that you didn't previously feel start having an impact. You won't feel 70-80ms of latency in anything you are doing with normal AD tools or NOS ops, not at all. You will feel that with Exchange (and other heavy directory use apps), often with painful results unless it isn't consistent and the directory can unwind itself again and hence allow Exchange to then unwind itself.

Now let me point out, I don't deal with tiny companies for work, small to me is less than 40-50k. The smallest I tend to deal with is about 30k. I usually get called to walk in to Exchange issues where Exchange is underperforming or outright hanging, sometimes for hours at a time. There can be all sorts of issues causing this such as

o poor disk subsystem design for Exchange (someone say got fancy with a SAN layout and really didn't know what they were doing seems to be popular here)
o hardware/drivers on the Exchange server just aren't working properly and the drivers are experiencing timeout issues (for some reason I want to say HBA here)
o poor network configurations and odd load balancing solutions, etc that generate a whole bunch of say keep alive traffic on the segment that no one had any idea about because no one understood the solution nor took time to look at the network traces. Or maybe the infamous Full/100 on one end and half/100 on the other. Whatever.
o Applications that beat the crap out of Exchange that weren't accounted for in the design well or at all... such as Blackberry or Desktop Search or various Archive solutions
o Poorly written event sinks, disclaimer type
RE: [ActiveDir] corrupt vmware DC
Taking offline.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, June 13, 2006 7:20 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] corrupt vmware DC

Booted up VMware with DC (2003, SP1) on it yesterday and got an internal error on AD at start, forcing a reboot. Went into DSRM and ran semantic checker in ntdsutil. Checker returned error:

Records scanned: 1200
Error fetching security descriptor [Jet Error -1017]

which, upon searching out that error code, indicates the record has been deleted. Thanks... Go Fixup fails similarly. As this is just a test server, I'm not too bummed, although I would love to not have to reinstall the OS. In any case, anyone seen this and know any nifty tricks to recover from it?

Darren
RE: [ActiveDir] User Accounts
After this thread (I believe Dean asked what the error was at one point, but I can't find that tip of the thread right now), I decided to go ahead and test this.

http://blogs.technet.com/efleis/archive/2006/06/08/434255.aspx

I'll blog some more on other things we found along the way over the next few days.

~Eric

-----Original Message-----
From: Eric Fleischman
Sent: Wednesday, April 19, 2006 7:39 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] User Accounts

> DNTs are reusable in ESE, however AD's implementation does not allow DNTs to be released / reused on a single server, and the database will only reuse them if you recreate the DB by repromoting (cause the data is replicated from other servers into a virgin ESE, and DNTs are assigned from the beginning at this point).

Basically, yes. Though I would point out, this is hardly reusing DNTs... this is more starting over. :)

For the sake of clarity I would point out that such a re-promotion would need to be over the wire and not IFM. IFM just picks up where the last left off, as you are using the old database again, and so the same AD level rules apply.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Tuesday, April 18, 2006 11:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

> * DNTs (to me) are _not_ a component of the directory

IIRC they are like a (primary/foreign) key in a database. Technically not needed by the database layer, and not needed by the application, but needed to keep the data together for the application. So if you look at AD from the outside it won't be referenced, if you look at ESE it's just a DB and doesn't care about the data stored within, but you still need it in between to store the AD in the ESE. Right?

> * DNTs are not reusable

Unique per Server and don't provide any reference across servers. If AD looks for a parent object by looking up its known DNT (stored with the child), ESE would fail in that moment, AD would not be able to go to another server and look up the same DNT in its database. The AD is distributed, the ESE is local, and DNTs are part of the local table.

If I understand correctly: DNTs are reusable in ESE, however AD's implementation does not allow DNTs to be released / reused on a single server, and the database will only reuse them if you recreate the DB by repromoting (cause the data is replicated from other servers into a virgin ESE, and DNTs are assigned from the beginning at this point). Right?

Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-----Original Message-----
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
|Sent: Wednesday, April 19, 2006 1:18 AM
|To: Send - AD mailing list
|Subject: RE: [ActiveDir] User Accounts
|
|Inline is my take on an IM conv. Brett and I just had, the result and content of which turned up some interesting (to me at least) implementation details. The short story is -
|
|* DNTs (to me) are _not_ a component of the directory
|  - they _are_ a component of the layer that bridges the two (dblayer)
|  - to Brett, I believe he sees them within the sum of what is the directory
|* DNTs (to both Brett and I) are not part of ESE
|* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
|* DNTs are not reusable
|
|I hope the summary and conversational text inline proves useful.
|
|--
|Dean Wells
|MSEtechnology
|* Email: [EMAIL PROTECTED]
|http://msetechnology.com
|
|
|  -----Original Message-----
|  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
|  Sent: Tuesday, April 18, 2006 5:11 PM
|  To: ActiveDir@mail.activedir.org
|  Cc: Send - AD mailing list
|  Subject: RE: [ActiveDir] User Accounts
|
|  Dean, I didn't understand this comment ...
|
|  > But, dude, seriously, you weren't aware that AD's ESE used a 32 bit DNT?
|  > Methinks perhaps you're muddling in the realms of personal interpretation ... though I'm quite certain you'll argue that too ... ESE purist :0p
|
|  Are you claiming that ESE knows what a DNT is?
|
|Not at all ... but IMO, neither does the directory ... and per our IM, the dblayer knows what they are (after all, DNT = distinguished name tag ... blatantly not an ESE term ... and dblayer = database layer ... not a directory term ... hmmm)
|
|  A DNT is an entirely AD concept, ESE has no idea what a DNT is.
|
|Nod.
|
|  ESE also has no concept of linked-values, or the link_table.
|
|Now this was news to me, so here's the summary: ESE has tables + columns + indices over columns. The dblayer forms the bridge between two technologies, one molding the behavior of the other (dblayer molds ESE
RE: [ActiveDir] User Accounts
You could build the archive on ADAM, and enable the indexes to allow for efficient medial substring indexes. :)

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, June 08, 2006 6:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

Great info ~Eric! The link to the start of the thread is: http://www.activedir.org/ml/msg08620.aspx

We've just moved the archive onto the ActiveDir.org web site and we're having one or two teething problems with the search feature. :-)

Tony
RE: [ActiveDir] DSID-020A06F3 error from French platform AD
Very interesting. Can we see the VHD before you blow it away? I can set up a place for you to upload it to. Please let me know how large it is... just ping me offline and we can coordinate.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, June 05, 2006 2:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DSID-020A06F3 error from French platform AD

Single DC, single member, running under VS 2005 R2, 32-bit. DCPROMO and other activities all seemed to work normally, so the corruption thing is a surprise. Hey Brett, if I consider the hardware suspect, does that mean I have to file a bug with the VS team? I'll kill it and rebuild and see what happens.

You want to know what sucks? Trying to type French on a US-English keyboard. It's like those French, they have a different key for everything!

Thanks for your help.

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, June 05, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DSID-020A06F3 error from French platform AD

This means there is a physical corruption in the AD database. Does this domain have replicas? If yes, just repromote another replica and then demote this guy. If no, sometimes an offline defrag can save the database. Otherwise, what is the backup situation for this domain? Don't be tempted to repair your database, that's unsupported. The hardware should be considered suspect at this point.

Cheers,
BrettSh [msft]

On Mon, 5 Jun 2006, Gil Kirkpatrick wrote:

> I'm receiving this error on subtree searches of the Config NC, on a French version of Windows 2003 SP1. Anyone have any ideas? (From LDP)
>
> ldap_search_s(ld, "CN=Configuration,DC=francais,DC=local", 2, "(objectclass=*)", attrList, 0, &msg)
> Error: Search: Erreur d'opération. <1>
> Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
> Result <1>: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018
> Matched DNs:
> Getting 0 entries:
>
> I'm logged in as the domain Administrateur. One level searches seem to work ok.
>
> -gil

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
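Both this thread and the "corrupt vmware DC" thread above turn on reading the Jet (ESE) code that AD surfaces: LDP shows it as "data -1018" on an SvcErr line, the ntdsutil semantic checker as "[Jet Error -1017]". Brett's triage rule is that a physical error means a page failed verification on the way off disk (suspect the hardware or hypervisor, repromote or restore, never "repair"), whereas a logical one is a database-level inconsistency. The following added example, not code from either thread, parses both line shapes, decodes the Jet codes AD most often surfaces (names and codes as published in esent.h) and applies that rule; the DSID is kept because it identifies the point in the directory-service source where the error was raised. The first two sample lines are the ones from the threads, the rest are constructed.

```python
"""Classifier for ESE (Jet) error codes as they surface in AD: LDP
'SvcErr: DSID-..., problem N (NAME), data <jet>' lines and ntdsutil
semantic checker '[Jet Error N]' lines. Added example, not from the thread.
The Jet names/codes are from esent.h; the sample lines are the two from the
threads plus constructed variants."""
import re
from typing import Optional, NamedTuple

# JET_err* codes that AD commonly surfaces (esent.h). Physical errors mean
# the page on disk failed its checksum or could not be read: suspect the
# hardware/virtualization layer and restore or repromote; do not 'repair'.
JET_ERRORS = {
    -1017: ("JET_errRecordDeleted", "logical"),
    -1018: ("JET_errReadVerifyFailure", "physical"),   # checksum mismatch
    -1019: ("JET_errPageNotInitialized", "physical"),  # blank page read
    -1022: ("JET_errDiskIO", "physical"),
    -1206: ("JET_errDatabaseCorrupted", "physical"),
    -1601: ("JET_errRecordNotFound", "logical"),
}

SVCERR_RE = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{4,8}): SvcErr: DSID-(?P<dsid>[0-9A-Fa-f]{8}), "
    r"problem (?P<problem>\d+) \((?P<pname>\w+)\), data (?P<data>-?\d+)")
JETERR_RE = re.compile(r"\[\s*Jet Error (?P<data>-?\d+)\s*\]")

class DsError(NamedTuple):
    source: str          # 'ldap' or 'ntdsutil'
    dsid: Optional[str]  # DSID locates the failing line in the DS source
    jet_code: int
    jet_name: str
    verdict: str         # 'physical', 'logical' or 'unknown'

def parse_line(line: str) -> Optional[DsError]:
    """Return a DsError for a recognised line, None otherwise."""
    m = SVCERR_RE.search(line)
    if m:
        code = int(m.group("data"))
        name, verdict = JET_ERRORS.get(code, ("unknown", "unknown"))
        return DsError("ldap", m.group("dsid"), code, name, verdict)
    m = JETERR_RE.search(line)
    if m:
        code = int(m.group("data"))
        name, verdict = JET_ERRORS.get(code, ("unknown", "unknown"))
        return DsError("ntdsutil", None, code, name, verdict)
    return None

def triage(lines) -> dict:
    """Summarise a log: worst verdict wins (physical > logical > unknown)."""
    errors = [e for e in (parse_line(l) for l in lines) if e]
    rank = {"physical": 2, "logical": 1, "unknown": 0}
    worst = max((e.verdict for e in errors), key=rank.get, default="none")
    advice = {
        "physical": "DB physically corrupt: check hardware, repromote from a "
                    "replica or restore; offline repair is unsupported.",
        "logical": "Logical inconsistency: run ntdsutil semantic analysis / "
                   "offline defrag before considering repromotion.",
        "unknown": "Unrecognised Jet code; look it up in esent.h.",
        "none": "No ESE error found.",
    }[worst]
    return {"errors": errors, "worst": worst, "advice": advice}

# Two lines from the threads plus constructed ones (marked).
SAMPLE = [
    "Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018",
    "Records scanned: 1200 Error fetching security descriptor [ Jet Error -1017]",
    "Server error: 20EF: SvcErr: DSID-0310020A, problem 5012 (DIR_ERROR), data -1022",  # constructed
    "NTDS ISAM: The database page read failed verification",                           # constructed, no code
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for e in result["errors"]:
        print(e)
    print(result["worst"], "->", result["advice"])
```

Run over the two real lines, the -1018 from Gil's LDP output classifies as physical and the -1017 from Darren's semantic checker as logical, which is exactly the split between "hardware suspect, repromote" and "try semantic analysis / offline defrag" that the two threads arrive at.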
RE: [ActiveDir][OT] Machine Psswd Age
Correction: the GDO and I are tied. I posted again this morning, just to spite you.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 01, 2006 6:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Machine Psswd Age

Hey you, the garage door opener, and ~Eric[1] could all share a blog! You would still need to do a majority of the posting but occasionally they would kick something in. :) Certainly I would be an avid reader.

joe

[1] Who is actually being beat out this year in blog entries by the person he made fun of for having a blog and not posting

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, June 01, 2006 2:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Agreed, I have many things that need to go into a blog and that is likely something I will be working on in the near future. I just hate to set one up on technet and then not post, like someone else we know who took forever to get their first post up and happens to open the garage doors on campus. :-)

As far as NT 4.0 is concerned I have not debugged or reviewed that code in years but I do not recall it being that much different except for the default time changing to 30 days. As far as netlogon debug logging you want at a minimum NL_MISC. I normally use 0x2000 to get the standard output and 0x2080 and then work up from there on the more verbose logging. Of course it does help to look at the source and see what flag they logged a particular event against but you can get there with trial and error.

Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Thursday, June 01, 2006 12:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

> Probably more than you ever wanted to know about machine account password changes.

Not at all - my brain sucks that stuff in. To be complete: was it the same with NT4, or was there such a thing as half-time renewal? What's the required level of netlogon-debug-logging? 1 enough?

Don't you want to share this info on a blog? It's great, and we could give you credits and avoid typing whenever there's a discussion of that topic. Might be worth to include the imaged-client and reset password on a computer account discussions.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Wednesday, May 31, 2006 5:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Just to add some additional detail. The machine account password is actually changed every 30 days plus a random offset of up to 24 hours so ~31 days as a maximum by default with Windows 2000 and later OSes. This is done by the netlogon service on the client and there is a scavenger thread that wakes up and performs the reset once this threshold is met. If it cannot reach a Domain Controller it will go back to sleep and wake up every 15 minutes to try and reset the password. You can see this behavior by turning up netlogon debug logging and see the following output:

Success:
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Flag password changed in LsaSecret
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)

Failure:
05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:13:24 [SESSION] NORTHAMERICA: NlSessionSetup: Try Session setup
05/16 01:13:24 [SESSION] NORTHAMERICA: NlDiscoverDc: Start Synchronous Discovery
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlSessionSetup: Session setup: cannot pick trusted DC
05/16 01:14:05 [MISC] Eventlog: 5719 (1) NORTHAMERICA 0xc05e c05e ^...
05/16 01:14:05 [SESSION] NORTHAMERICA: NlSessionSetup: Session setup Failed
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)

Random Offset:
05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)

Since the value is in milliseconds, when converting this you will see in the random offset case the value is really ~30.56 days where the one in success is exactly 30 days.

Probably more than you ever wanted to know about machine account password changes.

Thanks,

-Steve

-----Original Message-----
From: [EMAIL
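The hex value on the NlWksScavenger line is the sleep interval in milliseconds, so the schedule Steve describes can be checked mechanically: exactly 30 days (0x9a7ec800 = 2,592,000,000 ms) after a clean change, 30 days plus up to 24 hours when the random offset applies, and 15 minutes (0xdbba0 = 900,000 ms) while no DC can be reached. The following is an added example, not code from the thread, that parses netlogon.log scavenger lines and buckets each interval against that schedule, which is a cheap way to spot a client whose MaximumPasswordAge has been changed or whose password change has been disabled. The first three sample lines are the ones Steve quoted; the last is constructed to show an interval that matches nothing expected.

```python
"""Parse netlogon.log scavenger lines and check the machine account
password-change schedule Steve describes (30 days + up to 24h random offset,
15-minute retry when no DC can be reached). Added example, not from the
thread; the log lines are the ones quoted in the thread plus one constructed
anomaly."""
import re
from typing import NamedTuple, List

SCAVENGER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[MISC\] NlWksScavenger: "
    r"Can be called again in .* \(0x(?P<ms>[0-9a-fA-F]+)\)")

MS_PER_MIN = 60 * 1000
MS_PER_DAY = 24 * 60 * MS_PER_MIN
MAX_PASSWORD_AGE_DAYS = 30          # netlogon MaximumPasswordAge default
RANDOM_OFFSET_MAX_DAYS = 1          # up to 24 hours of jitter
RETRY_MINUTES = 15                  # retry interval when no DC reachable

class Timer(NamedTuple):
    ts: str
    ms: int
    kind: str   # 'scheduled', 'scheduled+offset', 'retry', 'unexpected'

def classify(ms: int) -> str:
    """Bucket the scavenger sleep value (milliseconds) against the schedule."""
    if ms == RETRY_MINUTES * MS_PER_MIN:
        return "retry"
    base = MAX_PASSWORD_AGE_DAYS * MS_PER_DAY
    if ms == base:
        return "scheduled"
    if base < ms <= base + RANDOM_OFFSET_MAX_DAYS * MS_PER_DAY:
        return "scheduled+offset"
    return "unexpected"   # e.g. policy changed the age, or change is disabled

def parse(lines) -> List[Timer]:
    """Keep only NlWksScavenger lines; other netlogon output is ignored."""
    out = []
    for line in lines:
        m = SCAVENGER_RE.match(line.strip())
        if m:
            ms = int(m.group("ms"), 16)
            out.append(Timer(m.group("ts"), ms, classify(ms)))
    return out

def days(ms: int) -> float:
    return round(ms / MS_PER_DAY, 2)

# Lines quoted in the thread (success, failure, random offset) plus a
# constructed line whose value matches no expected schedule.
SAMPLE_LOG = """\
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)
05/25 15:03:22 [MISC] NlWksScavenger: Can be called again in 30 days (0x9d671aca)
06/01 09:00:00 [MISC] NlWksScavenger: Can be called again in 1 day (0x5265c00)
""".splitlines()

if __name__ == "__main__":
    for t in parse(SAMPLE_LOG):
        print(f"{t.ts}  {t.ms:>11d} ms  {days(t.ms):>6} d  {t.kind}")
```

Converting 0x9d671aca gives 2,640,779,978 ms, about 30.56 days, so it lands in the "scheduled+offset" bucket as Steve's arithmetic says; the constructed 1-day value is flagged as unexpected.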
RE: [ActiveDir] tokenGroups field
If you are interested in doing this over LDAP, you are on the right track. One way is to look for crossRefs in that container like you are, but only look for those with flag FLAG_CR_NTDS_DOMAIN set in systemFlags. You'll find that config and schema don't have this set, nor do arbitrary app partitions, but domains do.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, May 31, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Thanks Joe,

That's a little bit further than I want to go ;-) I wrote a GetMemberShip( DirectoryEntry ) method that finds all the domains in the forest and then connects to a GC in each and grabs tokenGroups for each and combines them into one string[]. That seems to work fine (until the day when we have a large number of domains :-o).

Speaking of enumerating the domains in the forest, I'm enumerating the domains by connecting to:

CN=Partitions,CN=Configuration,DC=forestroot,DC=net

Then I throw away the schema, config, and DNS partitions. That seems to work fine until the day we start using application partitions in which case I will have no way of distinguishing a security enabled partition from the application partition. Is there a cooler way to enumerate the domain partitions in a forest?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

The membership of groups is handled in a special way. Although the member attribute is marked for PAS inclusion, only UG membership is replicated outside of a domain to all GCs. If you aren't worried about token creation for Windows security and instead just want to have full membership of a user in a single query you have two options that I can think of

1. Consolidate the group membership into another store, say ADAM or SQL Server.

2. Create another linked attribute pair that you apply to users and groups like member/memberof that is set for PAS inclusion. When you set the member attribute you set the additional attribute which will replicate to all GCs because the directory doesn't have any special rules for your custom attribute. If you go that far, I would also set that new attribute to be saved on tombstone as well. :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, May 30, 2006 9:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Thanks, that's pretty much what I figured. So this is of low importance, but why wouldn't any GC in the forest be able to provide me with the local groups for all of the domains? Why do I have to hit a GC in every domain? As I understand it the GC replicates the data from each domain that is marked for the partial attribute set. Like I said, really low importance, I'm just curious.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 30, 2006 4:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Your token only contains groups that are valid locally. So if you log onto a workstation that is part of a forest, your token on the workstation will contain Universal groups of the forest, global groups from the local domain, domain local groups from the local domain (assuming native mode) and local groups from the local machine. Take a look at whoami /groups or sectok to see your interactive token.

Now if you connect to a remote machine, you will get the groups that have value there on your token on that remote machine. This is easiest to see with ADAM, connect to an ADAM instance and pull the rootdse attribute tokengroups and look at what is returned...

adfind -h adammachine:port -rootdse -resolvesids tokengroups

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, May 30, 2006 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] tokenGroups field

Yep your examples are helpful, that's what I'm using :-) It looks like hitting a GC for each domain in the forest is the way to go in order to get the local group membership from other domains. So just out of curiosity, when Windows builds your token, does it include the local groups from other domains? Or does it add them when you try to access a resource that is protected by the foreign group?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Sunday, May 28, 2006 9:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] tokenGroups field

I've been checked out of the group here for a few weeks and just poked back in. I think Dmitri summed things up quite well. I'll just add that ADSI and S.DS don't do anything interesting
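Eric's answer to Joseph's question about telling domain partitions from application partitions is the systemFlags bits on the crossRef objects under CN=Partitions: FLAG_CR_NTDS_NC (0x1) marks a naming context hosted in this forest, FLAG_CR_NTDS_DOMAIN (0x2) marks it as a domain, and FLAG_CR_NTDS_NOT_GC_REPLICATED (0x4) marks an application partition. The following added example, not code from the thread, builds the server-side filter using the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) so the DC does the selection, and shows the equivalent client-side classification run over a constructed set of crossRef entries for a two-domain forest.

```python
"""Identify the domain naming contexts in a forest from the crossRef objects
under CN=Partitions,CN=Configuration, using the systemFlags bits Eric
points at. Added example, not code from the thread. The flag values and the
LDAP bitwise-AND matching rule OID are from the AD schema documentation;
the crossRef entries below are constructed."""

# systemFlags bits on crossRef objects.
FLAG_CR_NTDS_NC = 0x1                    # crossRef describes a naming context
FLAG_CR_NTDS_DOMAIN = 0x2                # ... and that NC is a domain
FLAG_CR_NTDS_NOT_GC_REPLICATED = 0x4     # application partition: never on a GC

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

def domain_crossref_filter() -> str:
    """Server-side filter: only crossRefs with the DOMAIN bit set, so the
    config/schema NCs and application partitions never come back."""
    return ("(&(objectClass=crossRef)"
            f"(systemFlags:{LDAP_MATCHING_RULE_BIT_AND}:={FLAG_CR_NTDS_DOMAIN}))")

def partition_kind(system_flags: int) -> str:
    """Client-side classification of one crossRef by its systemFlags."""
    if system_flags & FLAG_CR_NTDS_DOMAIN:
        return "domain"
    if system_flags & FLAG_CR_NTDS_NOT_GC_REPLICATED:
        return "application"
    if system_flags & FLAG_CR_NTDS_NC:
        return "forest-wide (schema/configuration)"
    return "external (not hosted in this forest)"

def domain_ncs(crossrefs):
    """Client-side equivalent of the filter for entries already fetched:
    returns (nCName, dnsRoot) for each domain NC; dnsRoot is what you
    would hand to a GC connection for the per-domain tokenGroups read."""
    return [(c["nCName"], c["dnsRoot"])
            for c in crossrefs if c["systemFlags"] & FLAG_CR_NTDS_DOMAIN]

# Constructed forest: two domains, schema, config, the two DNS application
# partitions and an external crossRef (a referral to another forest).
CROSSREFS = [
    {"cn": "FORESTROOT", "nCName": "DC=forestroot,DC=net", "dnsRoot": "forestroot.net", "systemFlags": 0x3},
    {"cn": "CHILD", "nCName": "DC=child,DC=forestroot,DC=net", "dnsRoot": "child.forestroot.net", "systemFlags": 0x3},
    {"cn": "Enterprise Schema", "nCName": "CN=Schema,CN=Configuration,DC=forestroot,DC=net", "dnsRoot": "forestroot.net", "systemFlags": 0x1},
    {"cn": "Enterprise Configuration", "nCName": "CN=Configuration,DC=forestroot,DC=net", "dnsRoot": "forestroot.net", "systemFlags": 0x1},
    {"cn": "ForestDnsZones", "nCName": "DC=ForestDnsZones,DC=forestroot,DC=net", "dnsRoot": "ForestDnsZones.forestroot.net", "systemFlags": 0x5},
    {"cn": "DomainDnsZones", "nCName": "DC=DomainDnsZones,DC=forestroot,DC=net", "dnsRoot": "DomainDnsZones.forestroot.net", "systemFlags": 0x5},
    {"cn": "partner.example", "nCName": "DC=partner,DC=example", "dnsRoot": "partner.example", "systemFlags": 0x0},
]

if __name__ == "__main__":
    print(domain_crossref_filter())
    for c in CROSSREFS:
        print(f"{c['cn']:<26} 0x{c['systemFlags']:x}  {partition_kind(c['systemFlags'])}")
    print(domain_ncs(CROSSREFS))
```

Note the last entry: a crossRef with systemFlags 0 is a referral to an NC this forest does not host, so it would otherwise pass the "throw away schema, config and DNS" approach and send the code looking for a GC that does not exist.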
RE: [ActiveDir] ADAM Schema Questions
1) Off the cuff, I'd speculate you hit init sync. If there is no partner and you have not replicated, FSMO roles will reject operations that leverage their FSMO-ness due to init sync requirements. The idea behind this was to stop old FSMO role holders from coming back online and accepting updates that conflict with what other people have since performed if the FSMO role was seized while they were offline. Perhaps this is what you were hitting.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 18, 2006 3:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM Schema Questions

1. What was the exact error you saw, with DSID? I have done schema mods of instances where one or more of the other instances were powered down so they couldn't replicate.

2. Which MMC app are you trying to hide it from? Could be a bug, but depending on the plugin, defunct attributes possibly should show up. It is up to the code to read the schema and determine the current state and then decide whether it should show the attribute or not. When you defunct something, the data behind the attribute is not purged.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
Sent: Thursday, May 18, 2006 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADAM Schema Questions

Please ignore part two of my question, I figured it out. I was only running

dn: CN=MyClass,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: isDefunct
isDefunct: TRUE
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

As opposed to

dn: CN=MyClass,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: isDefunct
isDefunct: TRUE
-

dn: CN=MyClass,CN=Schema,CN=Configuration,DC=X
changetype: modrdn
newrdn: cn=MyClassOld
deleteoldrdn: 1

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

________________________________
From: Bernier, Brandon (.)
Sent: Wednesday, May 17, 2006 5:23 PM
To: 'ActiveDir@mail.activedir.org'
Subject: ADAM Schema Questions

1.) If you have a ton of servers in a configuration set, when you do a schema extension and one box is down will it work? In my test I had two ADAM servers and it would not take the schema update because it couldn't replicate (I purposely broke replication with its partner).

2.) When you defunct a class/attribute, what's the attribute to hide it from the MMC? I thought defuncting it did hide it, but I am mistaken.

Thanks!

-Brandon
RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?
The tool is not the property of anyone on this list. As such, making it available on the list would be inappropriate.

The goal of this tool has never been to be a stand-alone AD monitoring tool, nor even a snapshot tool. Rather, it was built specifically around the field offering of an AD risk assessment. As such, outside of that, the tool likely has little context, and may or may not be at all helpful. That said, it is available in this context only, to the best of my knowledge.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 09, 2006 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Snapshot Tool (ADST) - how useful is it?

I missed if anyone was making this tool available to the list? :)
RE: [ActiveDir] User Accounts
DNTs are reusable in ESE, however AD's implementation does not allow DNTs to be released / reused on a single server, and the database will only reuse them if you recreate the DB by repromoting (cause the data is replicated from other servers into a virgin ESE, and DNTs are assigned from the beginning at this point).

Basically, yes. Though I would point out, this is hardly reusing DNTs...this is more starting over. :)

For the sake of clarity I would point out that such a re-promotion would need to be over the wire and not IFM. IFM just picks up where the last left off, as you are using the old database again, and so the same AD level rules apply.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Tuesday, April 18, 2006 11:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

* DNTs (to me) are _not_ a component of the directory

IIRC they are like a (primary/foreign) key in a database. Technically not needed by the database layer, and not needed by the application, but needed to keep the data together for the application. So if you look at AD from the outside it won't be referenced, if you look at ESE it's just a DB and doesn't care about the data stored within, but you still need it in between to store the AD in the ESE. Right?

* DNTs are not reusable

Unique per Server and don't provide any reference across servers. If AD looks for a parent object by looking up its known DNT (stored with the child), ESE would fail in that moment, AD would not be able to go to another server and look up the same DNT in its database. The AD is distributed, the ESE is local, and DNTs are part of the local table.
If I understand correctly: DNTs are reusable in ESE, however AD's implementation does not allow DNTs to be released / reused on a single server, and the database will only reuse them if you recreate the DB by repromoting (cause the data is replicated from other servers into a virgin ESE, and DNTs are assigned from the beginning at this point). Right?

Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-Original Message-
|From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
|Sent: Wednesday, April 19, 2006 1:18 AM
|To: Send - AD mailing list
|Subject: RE: [ActiveDir] User Accounts
|
|Inline is my take on an IM conv. Brett and I just had, the result and content of which turned up some interesting (to me at least) implementation details. The short story is -
|
|* DNTs (to me) are _not_ a component of the directory
| - they _are_ a component of the layer that bridges the two (dblayer)
| - to Brett, I believe he sees them within the sum of what is the directory
|* DNTs (to both Brett and I) are not part of ESE
|* DNTs are limited (as Eric says) to 2^31 (~2.1 billion rows)
|* DNTs are not reusable
|
|I hope the summary and conversational text inline proves useful.
|
|--
|Dean Wells
|MSEtechnology
|* Email: [EMAIL PROTECTED]
|http://msetechnology.com
|
|
| -Original Message-
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
| Sent: Tuesday, April 18, 2006 5:11 PM
| To: ActiveDir@mail.activedir.org
| Cc: Send - AD mailing list
| Subject: RE: [ActiveDir] User Accounts
|
|
| Dean, I didn't understand this comment ...
| But, dude, seriously, you weren't aware that AD's ESE used a 32 bit DNT?
| Methinks perhaps you're muddling in the realms of personal interpretation ...
| though I'm quite certain you'll argue that too
| ... ESE purist :0p
|
| Are you claiming that ESE knows what a DNT is?
|
|Not at all ... but IMO, neither does the directory ... and per our IM, the dblayer knows what they are (after all, DNT = distinguished name tag ... blatantly not an ESE term ... and dblayer = database layer ... not a directory term ... hmmm)
|
| A DNT is an entirely AD concept, ESE has no idea what a DNT is.
|
|Nod.
|
| ESE also has no concept of linked-values, or the link_table.
|
|Now this was news to me, so here's the summary: ESE has tables + columns + indices over columns. The dblayer forms the bridge between two technologies, one molding the behavior of the other (dblayer molds ESE). ESE maintains no referential integrity, the dblayer does this ... including link-pairs -- this part was especially surprising to me.
|
| This is the 2nd time you've confused the AD dblayer (what maintains the AD schema on an ESE database) and the ESE database layer.
|
|Don't know that I'd agree with that since on neither occasion was the dblayer specifically referenced .. but it's moot for the moment since I'm still mulling over whether my new-found knowledge
RE: [ActiveDir] User Accounts
|ngo, it was aimed at the super experts (Dean, joe, et al), I'll try to digest it into a series of more edible blog posts that would explain the terms as introduced ... :P
|
|Anyway, all I'm saying, is the Garage Door Operator has never heard of this 2.1 or 4.2 billion row limit of an ESE database you speak of ...
|
|Cheers,
|Brett
|
|P.S. - I've never heard of negative link IDs, I'm most curious to see Eric's description of this ...
|
|
|On Sat, 15 Apr 2006, Eric Fleischman wrote:
|
| Good thread. A few corrections, for the sake of keeping the search engines fresh
|
| The underlying store used by AD supports a theoretical maximum of 4.2 billion rows (limited by the 32 bit DNT or distinguished name tag)
|
| Actually, you can only have 2^31 DNTs. This is because we start at 1, but it is actually a signed int. So we only get up to ~2bil or so, and don't use the negative side. Sorry, you can't have the bit back, unless you ask REALLY nicely. <g>
|
| A row could be said to correlate to an object but it's certainly not a one-to-one relationship since rows also house many other structures such as tables, long-values, etc
|
| Ah, no, not quite (thankfully :-)).
|
| There is a similar limit for # of long values (doesn't work the same, but mechanics omitted for the sake of brevity), but it has nothing to do with row count in the data table. Long values are burst out to their own b-tree, and as such would not be related to the DNT count max that you were talking about before. In fact, the LID concept is entirely orthogonal to the max row count governed by DNTs that was being discussed.
|
| Dean and I also IM'd on this thread some, and the concept of link value also came up. Rest assured, link values also do not consume DNTs, they are stored entirely differently.
|
| But, I do agree with the general feeling here, though for a slightly different reason. :) A row being used on a DC does not necessarily correlate with only what people think of as "their objects hosted by that particular server."
| You have phantoms, structural phantoms, schema definitions, etc. Further, GCs of course drive the limitation in large forests, when the # of objects that is large are in domain NCs, of course (more on this below).
|
| So ... to my knowledge, there's no user-related maximum other than the ESE constraints outlined above. Hundreds of millions of users seems perfectly practical. I personally have no first-hand experience of a directory of that scale but if memory serves I believe public documentation does exist referencing either (or both) test or production directories well within this arena.
|
| There is actually a subtle point here: there is max # of users in a single directory instance (ie, on one given DC/ADAM instance), and max # in the entire distributed system. They are somewhat different.
|
| In the ADAM world (read: no GCs), it is entirely possible to have a series of instances, each of which house different NCs, and each NC approaches the limits mentioned in this thread (ie, each has 2bil objects say). So long as no one instance breaks the thresholds, you are golden.
|
| It is only AD that can't play this game because GCs of course have partial NCs. But ADAM, no worries. Well, unless your large # of objects in AD are in NDNCs.
|
| The larger directories I have worked with had ~100M objects on a single server. I haven't seen people break that on a single box ... but I don't deny it has been done, I just haven't seen it. :-)
|
| Oh yea, the concept of negative linkIDs somehow came up in conversation as well. I'll blog about that I think. Perhaps even tonight, if I get my stuff done.
|
| ~Eric
|
|
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
| Sent: Saturday, April 15, 2006 11:15 AM
| To: ActiveDir@mail.activedir.org
| Subject: RE: [ActiveDir] User Accounts
|
| Actually I am going to bust myself here before Dean or someone else does. The SIDS are going to be limited into the billions.
| Not due to the SID structure, but due to locations where RIDs are stored as DWORDs (32 bits) instead of as 6 bytes (48 bits). ADAM thoughts still stand as they use the GUID logic for producing the SIDs, they are not based on a domain SID coupled with an artificially limited 32 bit "RID".
|
| --
| O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
|
|
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
| Sent: Saturday, April 15, 2006 11:49 AM
| To: ActiveDir@mail.activedir.org
| Subject: RE: [ActiveDir] User Accounts
|
| I agree with Dean on this. :o)
|
| The only user logical or implementation related limitation I could think of off the top of my head would be around SIDs and you are talking a number in the trillions for Active Directory and much much errr much higher for ADAM since they changed how SIDs are generated[1].
|
| For completeness though not dire
RE: [ActiveDir] User Accounts
| http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
|
|
| From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
| Sent: Monday, April 17, 2006 4:43 PM
| To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
| Subject: RE: [ActiveDir] User Accounts
|
| I don't look very happy imagining running ADMT or some other migration tool against 100M Object ADs
|
| You don't need to think about anything like ADMT. In your scenario, with object overturn and DNT depletion, you would simply need to re-promote the machines slowly over time, perhaps when doing OS version upgrades or something, and not use IFM.
| This is not a forest concept, nor domain, nor NC ... this is a DB instance concept. DNTs are different in each instance in your forest. They are not replicated.
|
| Were these real objects, or what the regular AD-Guy would refer to
|
| Yes, but I don't understand why this matters to you?
|
| ~Eric
|
|
| From: [EMAIL PROTECTED] on behalf of Ulf B. Simon-Weidner
| Sent: Mon 4/17/2006 1:09 AM
| To: ActiveDir@mail.activedir.org
| Subject: RE: [ActiveDir] User Accounts
|
| Very interesting again, thanks for those explanations.
|
| So you've seen ADs with 50M - 100M Objects. This makes the theoretical part of my brain a bit anxious - theoretically ;-)
|
| Were these real objects, or what the regular AD-Guy would refer to (Sum of users, computers, groups, a.s.o - leaving out technical objects like phantoms, objects in the C-NC, S-NC, D-NC/System,.. dnsNode-Objects [1],..)?
|
| That means they'll have issues after an account overturn [2] of 20-40 (or 10 if 100M Objects and you feel comfortable with 1.07B) because then they hit the unreleased DNTs and have to start repromoting DCs to get them back.
| OK - while an account overturn of 20 seems very long term - I doubt that DNTs are being released by in-place upgrades and I don't look very happy imagining running ADMT or some other migration tool against 100M Object ADs.
| And the limit is still the forest, not the domain.
|
| So in the long term they might be even hitting the DNT-Limit, without even creating a bigger AD DIT (considering they perform regular DIT-maintenance) - just by deleting and recreating each object b/c of its natural overturn up to 40 times and not releasing their DNTs. However long term - if we assume 100M Objects and an object overturn about 10yrs we'll have 20 cycles and 200 yrs to figure that out - or just get the last bit back and rethink.
|
| Limit on RIDs - this one is interesting as well, since we only need to create 2147483 DCs and create 325 objects on the last one. Anyone out there to lend me some hardware ;-)
|
| However I'm still curious what would happen when we have the 2^31+1 newly created objects (handled error, major bang of the server against the wall) (no matter how many are currently existing - same issue would happen with lower numbers of objects and frequent deletion/creation)?
| Also - as Dean mentioned - what would happen when we have more than 2^30-1000+1 Security Principals - Bang boom bang - or start the RIDs over at 1000, or overflow which would cause the RIDs to start at 1 (yeah - I'd like to be the 2^30-1000+500 user then)?
|
| OK - everything extremely unlikely - but the d... [3] thing is that my brain wants to know that now - and I can't find the soft reset ;-)
|
| [1] Uupsi - they tend to be deleted and recreated quite frequently (compared to accounts)
|
| [2] How would you call this?
| Inventory overturn comes to my mind (the cycle when a warehouse has all inventory sold and new one in there), so account overturn may be appropriate defining when each account has been dismissed and a new one created (however technically I'm talking to object overturn) - people leave and people join - people die and people are being instantiated (aka born).
|
| [3] Swearword? No clue - I'm German - we have our own - can't keep a dictionary of appropriate words in foreign languages in the same brain which is interested in those answers.
|
| Gruesse - Sincerely,
|
| Ulf B. Simon-Weidner
|
| MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
| Weblog: http://msmvps.org/UlfBSimonWeidner
| Website: http://www.windowsserverfaq.org
| Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
|
| |-Original Message-
| |From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
| |Sent: Monday, April 17, 2006 2:47 AM
| |To: ActiveDir@mail.activedir.org
| |Subject: RE: [ActiveDir] User Accounts
| |
| |
| |Eric's quoting didn't come across in pine so well, so I've improved it by using where he was quoting others
RE: [ActiveDir] User Accounts
Good thread. A few corrections, for the sake of keeping the search engines fresh.

The underlying store used by AD supports a theoretical maximum of 4.2 billion rows (limited by the 32 bit DNT or distinguished name tag)

Actually, you can only have 2^31 DNTs. This is because we start at 1, but it is actually a signed int. So we only get up to ~2bil or so, and don't use the negative side. Sorry, you can't have the bit back, unless you ask REALLY nicely. <g>

A row could be said to correlate to an object but it's certainly not a one-to-one relationship since rows also house many other structures such as tables, long-values, etc

Ah, no, not quite (thankfully :-)).

There is a similar limit for # of long values (doesn't work the same, but mechanics omitted for the sake of brevity), but it has nothing to do with row count in the data table. Long values are burst out to their own b-tree, and as such would not be related to the DNT count max that you were talking about before. In fact, the LID concept is entirely orthogonal to the max row count governed by DNTs that was being discussed.

Dean and I also IM'd on this thread some, and the concept of link value also came up. Rest assured, link values also do not consume DNTs, they are stored entirely differently.

But, I do agree with the general feeling here, though for a slightly different reason. :) A row being used on a DC does not necessarily correlate with only what people think of as "their objects hosted by that particular server." You have phantoms, structural phantoms, schema definitions, etc. Further, GCs of course drive the limitation in large forests, when the # of objects that is large are in domain NCs, of course (more on this below).

So ... to my knowledge, there's no user-related maximum other than the ESE constraints outlined above. Hundreds of millions of users seems perfectly practical.
I personally have no first-hand experience of a directory of that scale but if memory serves I believe public documentation does exist referencing either (or both) test or production directories well within this arena.

There is actually a subtle point here: there is max # of users in a single directory instance (ie, on one given DC/ADAM instance), and max # in the entire distributed system. They are somewhat different.

In the ADAM world (read: no GCs), it is entirely possible to have a series of instances, each of which house different NCs, and each NC approaches the limits mentioned in this thread (ie, each has 2bil objects say). So long as no one instance breaks the thresholds, you are golden.

It is only AD that can't play this game because GCs of course have partial NCs. But ADAM, no worries. Well, unless your large # of objects in AD are in NDNCs.

The larger directories I have worked with had ~100M objects on a single server. I haven't seen people break that on a single box ... but I don't deny it has been done, I just haven't seen it. :-)

Oh yea, the concept of negative linkIDs somehow came up in conversation as well. I'll blog about that I think. Perhaps even tonight, if I get my stuff done.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, April 15, 2006 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

Actually I am going to bust myself here before Dean or someone else does. The SIDS are going to be limited into the billions. Not due to the SID structure, but due to locations where RIDs are stored as DWORDs (32 bits) instead of as 6 bytes (48 bits). ADAM thoughts still stand as they use the GUID logic for producing the SIDs, they are not based on a domain SID coupled with an artificially limited 32 bit "RID".
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, April 15, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Accounts

I agree with Dean on this. :o)

The only user logical or implementation related limitation I could think of off the top of my head would be around SIDs and you are talking a number in the trillions for Active Directory and much much errr much higher for ADAM since they changed how SIDs are generated[1].

For completeness though not directly related to Christine's question I also wanted to add that the other physical limit is simply one of size which is ~16TB. This is governed by the max pages of ESE (2147483646[2]) coupled with the page size used for the Active Directory DB which is 8KB. That works out to 8*1024*2147483646 / 1099511627776[3] or 15.TB.

joe

[1] See discussion in book mentioned in signature[7]

[2] This max page size is publicly available in the ESE docs. It is located on the page http://msdn.microsoft.com/library/default.asp?url= however note there is a doco bug where it says that is 2^32 - 2 and
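The DNT, RID and database-size ceilings argued over in this thread (both in Ulf's quoted copy above and in Eric's and joe's posts) reduce to a few lines of arithmetic; as an added example, not code from any poster, the figures below are the ones quoted in the thread, the RID pool size of 500 per DC is an assumption that reproduces Ulf's "2147483 DCs" figure, and the function names are hypothetical.

```python
# Added example: capacity arithmetic for the limits discussed in this thread.
# The constants come from the posts above; RID_POOL_SIZE is an assumption.
ESE_MAX_PAGES = 2147483646   # max ESE page count quoted by joe
AD_PAGE_SIZE = 8 * 1024      # 8 KB page size used by the AD database
TIB = 1099511627776          # bytes per TiB (joe's divisor)
MAX_DNT = 2**31 - 1          # DNTs are a signed 32-bit int, used from 1 (Eric)
RID_SPACE = 2**30            # RID ceiling discussed by Dean and Ulf
RID_POOL_SIZE = 500          # RIDs handed to a DC per pool (assumption)


def max_dit_size_tib():
    """Physical ceiling of one ntds.dit: max pages times page size."""
    return ESE_MAX_PAGES * AD_PAGE_SIZE / TIB


def dnt_churn_cycles(object_count):
    """How many times every object can be deleted and recreated on one DC
    before that DC's DNT space is exhausted. A DNT is never released in
    place, so every recreation burns a fresh one (per instance, not per
    forest); only a fresh over-the-wire promotion resets the counter."""
    if object_count <= 0:
        raise ValueError("object_count must be positive")
    return MAX_DNT // object_count


def dnt_years_remaining(object_count, objects_replaced_per_year):
    """Years until one DC instance runs out of DNTs at a steady churn rate,
    assuming the live object count stays flat and object_count DNTs are
    already consumed."""
    if objects_replaced_per_year <= 0:
        raise ValueError("churn must be positive")
    return (MAX_DNT - object_count) / objects_replaced_per_year


def rid_exhaustion(rid_space=RID_SPACE, pool_size=RID_POOL_SIZE):
    """(full pools, leftover RIDs) before the domain-wide RID ceiling is hit,
    i.e. how many DCs could each drain one pool before the last, short one.
    Reserved RIDs below 1000 are ignored, as in Ulf's figure."""
    return divmod(rid_space, pool_size)


def capacity_report(object_count, objects_replaced_per_year):
    """Summarise the ceilings for a given directory size and churn."""
    pools, leftover = rid_exhaustion()
    return {
        "max_dit_tib": round(max_dit_size_tib(), 6),
        "dnt_churn_cycles": dnt_churn_cycles(object_count),
        "dnt_years_remaining": round(
            dnt_years_remaining(object_count, objects_replaced_per_year), 1),
        "rid_full_pools": pools,
        "rid_leftover": leftover,
    }


if __name__ == "__main__":
    # Ulf's scenario: 100M objects, every object replaced about every 10 years.
    print(capacity_report(100_000_000, 10_000_000))
```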
RE: [ActiveDir] Replication issues on one of our DCs
If you turn up internal processing, do you get any more data about this condition?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, April 12, 2006 6:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication issues on one of our DCs

I would certainly be a trifle concerned about disk...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, April 12, 2006 11:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication issues on one of our DCs

Any ideas? NTFS compression isn't turned on. Maybe an impending drive failure?

Internal event: Active Directory could not update the following object with changes received from the following source domain controller. This is because an error occurred during the application of the changes to Active Directory on the domain controller.

Object: CN=FFF-LEE-Six-Sigma,OU=LEE,OU=EH,OU=CAM,DC=FFF,DC=ourdomain,DC=com
Object GUID: 0a7ba036-b9be-4c9f-b978-1d1ce99c8e40
Source domain controller: 190d7fdf-0c3f-4c5d-ad78-0df06208c3be._msdcs.ourdomain.com

Synchronization of the local domain controller with the source domain controller is blocked until this update problem is corrected. This operation will be tried again at the next scheduled replication.

User Action
Restart the local domain controller if this condition appears to be related to low system resources (for example, low physical or virtual memory).

Additional Data
Error value: 1127 While accessing the hard disk, a disk operation failed even after retries.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
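As an added example (not code from anyone in the thread), detection logic that parses the event body Russ pasted and routes error 1127 to a storage investigation rather than a directory one; the sample text is the quoted event re-typed as a constructed string, the function names are hypothetical, and the code-to-name table covers only the value quoted here.

```python
import re

# Constructed sample: the event text Russ quoted above, re-typed as a string.
SAMPLE_EVENT = """\
Internal event: Active Directory could not update the following object with changes received from the following source domain controller. This is because an error occurred during the application of the changes to Active Directory on the domain controller.
Object: CN=FFF-LEE-Six-Sigma,OU=LEE,OU=EH,OU=CAM,DC=FFF,DC=ourdomain,DC=com
Object GUID: 0a7ba036-b9be-4c9f-b978-1d1ce99c8e40
Source domain controller: 190d7fdf-0c3f-4c5d-ad78-0df06208c3be._msdcs.ourdomain.com
Synchronization of the local domain controller with the source domain controller is blocked until this update problem is corrected. This operation will be tried again at the next scheduled replication.
User Action
Restart the local domain controller if this condition appears to be related to low system resources (for example, low physical or virtual memory).
Additional Data
Error value: 1127 While accessing the hard disk, a disk operation failed even after retries.
"""

# One regex per field of interest, anchored to its own line.
FIELDS = {
    "object": re.compile(r"^Object:\s*(.+?)\s*$", re.M),
    "object_guid": re.compile(
        r"^Object GUID:\s*([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\s*$", re.M | re.I),
    "source_dc": re.compile(r"^Source domain controller:\s*(\S+)\s*$", re.M),
    "error": re.compile(r"^Error value:\s*(\d+)\s*(.*?)\s*$", re.M),
}

# Win32 codes that point at the storage stack rather than at AD itself.
# 1127 is ERROR_DISK_OPERATION_FAILED, the value quoted in the thread.
STORAGE_ERRORS = {1127: "ERROR_DISK_OPERATION_FAILED"}


def parse_replication_event(text):
    """Pull the structured fields out of the 'could not update the following
    object' event body. Returns None if the text is not that event."""
    if "could not update the following object" not in text:
        return None
    event = {}
    for name in ("object", "object_guid", "source_dc"):
        m = FIELDS[name].search(text)
        if not m:
            return None
        event[name] = m.group(1)
    m = FIELDS["error"].search(text)
    if not m:
        return None
    event["error_value"] = int(m.group(1))
    event["error_text"] = m.group(2)
    # The source DC is named by its DSA GUID CNAME under _msdcs; keep the GUID
    # so it can be matched against repadmin output without DNS.
    event["source_dsa_guid"] = event["source_dc"].split(".", 1)[0]
    event["replication_blocked"] = "is blocked until" in text
    return event


def triage(event):
    """Classify the failure so the on-call knows whether to look at the
    directory or at the hardware underneath it."""
    code = event["error_value"]
    result = {
        "blocked_object": event["object"],
        "source_dsa_guid": event["source_dsa_guid"],
        "inbound_replication_blocked": event["replication_blocked"],
    }
    if code in STORAGE_ERRORS:
        result.update(
            category="storage",
            win32_name=STORAGE_ERRORS[code],
            action="Treat as a local disk/controller fault on this DC: check the "
                   "System log for disk/ntfs errors, stress-test the disk subsystem, "
                   "and keep the DC out of service until inbound replication succeeds.")
    else:
        result.update(
            category="directory",
            win32_name=None,
            action="Not a known storage code; investigate the object and source DC.")
    return result


if __name__ == "__main__":
    ev = parse_replication_event(SAMPLE_EVENT)
    print(triage(ev))
```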
RE: [ActiveDir] SSL to ADAM with a vanity URL
The client wants to get a cert back with a name that matches the resource it connects to. Else, you connected to a resource but got a cert for a non-matching resource, so perhaps there was something like DNS spoofing that tricked you in to going there. This is potentially bad.

Set up each instance to have a cert with a name that matches the vanity URL and put that cert in the ADAM service store. Ensure the cert is marked for server auth. ADAM will pick it up directly this way, not ask SCHANNEL what the right cert is, and you can party on like it's 1999.

There is a way to do this w/o a matching name, something about putting it in another field (perhaps it was alt subject, I'm not sure). I don't know, I'm not much of a cert guy. I talked with the cert people once who said this should work and a customer confirmed it.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mr Oteece
Sent: Friday, February 10, 2006 9:22 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SSL to ADAM with a vanity URL

Is it possible to set up two ADAM instances and have them both respond to the same vanity URL over SSL? Both ADAMs are running on the same port. I currently just have a RR DNS record with both entries in it for testing. I have an SSL cert with the new name installed on both systems. Connections without SSL work fine, but SSL binds fail. Is this a supported config? Any ideas why it is not working?
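The name check Eric describes, as an added example (not code from the thread or from ADAM): a pure-Python hostname match over certificates in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, showing why a per-machine cert fails for the vanity name and how either the CN or a Subject Alternative Name satisfies it. The host names and certificates are constructed placeholders and the function names are hypothetical.

```python
def _dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison of one certificate DNS name against a host:
    case-insensitive, exact, or a single '*' as the whole leftmost label
    (no wildcard for a bare two-label name such as '*.example')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, hostname):
    """Return True if a cert (in the dict shape ssl.SSLSocket.getpeercert()
    returns) is valid for hostname. Subject Alternative Name DNS entries win;
    the subject CN is consulted only when the cert carries no DNS SANs."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_dns_name_matches(s, hostname) for s in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(cn, hostname) for cn in cns)


def instances_failing_vanity(vanity_name, certs_by_instance):
    """Given the cert each ADAM instance presents, list the instances a
    client connecting to the shared vanity name would reject."""
    return sorted(inst for inst, cert in certs_by_instance.items()
                  if not cert_matches_host(cert, vanity_name))


# Constructed certificates and names (placeholders, not a real deployment).
VANITY = "ldap.corp.example"
CERT_HOST_ONLY = {            # per-instance cert named after the machine
    "subject": ((("commonName", "adam01.corp.example"),),),
}
CERT_VANITY_CN = {            # Eric's first option: CN equals the vanity name
    "subject": ((("commonName", "ldap.corp.example"),),),
}
CERT_WITH_SAN = {             # Eric's "other field": vanity name as a SAN
    "subject": ((("commonName", "adam02.corp.example"),),),
    "subjectAltName": (("DNS", "adam02.corp.example"), ("DNS", "ldap.corp.example")),
}

if __name__ == "__main__":
    certs = {"adam01": CERT_HOST_ONLY, "adam02": CERT_WITH_SAN}
    print(instances_failing_vanity(VANITY, certs))   # ['adam01']
    # Live check against a running instance (not executed here):
    #   import socket, ssl
    #   ctx = ssl.create_default_context()
    #   with socket.create_connection((VANITY, 636)) as s:
    #       with ctx.wrap_socket(s, server_hostname=VANITY) as t:
    #           print(cert_matches_host(t.getpeercert(), VANITY))
```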
RE: [ActiveDir] Active Directory Health Scripts?
Also, the AD management pack for MOM is in this category. Further, they documented everything that the ADMP does so that you could roll your own, or port it to another mgmt platform if you so choose.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, December 23, 2005 1:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Health Scripts?

The Windows Server 2003 Active Directory Branch Office Guide contains some Quality Assurance Health Check Scripts
http://www.microsoft.com/downloads/details.aspx?FamilyId=9353A4F6-A8A8-40BB-9FA7-3A95C9540112&displaylang=en

Cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Matt Brown
Sent: Fri 12/23/2005 1:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Health Scripts?

Hi, wondering if anybody has written any scripts using the free tools to monitor the health of Active Directory? I was thinking about writing a python script to run DCDiag and check the output for any failures and when found shoot me an email to let me know... maybe something with repadmin, etc.

Thanks,
--
Matt Brown
[ SELECT * FROM IT WHERE EyeContact=True ]
Information Technology System Specialist
Eastern Washington University
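The script Matt sketches, as an added example (not his code or anything from the thread): it parses dcdiag's "passed test" / "failed test" result lines, keeps dcdiag's own explanation for each failure, and composes the alert mail without sending it. The dcdiag output is a constructed sample and the addresses and function names are hypothetical.

```python
import re
from email.message import EmailMessage

# Constructed sample of dcdiag output with one failing test (not captured
# from a real DC); the layout follows dcdiag's "passed/failed test" lines.
SAMPLE_DCDIAG = """\
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC01

Doing initial required tests

   Testing server: Default-First-Site-Name\\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\\DC01
      Starting test: Replications
         [Replications Check,DC01] A recent replication attempt failed:
            From DC02 to DC01
            Naming Context: DC=corp,DC=example
         ......................... DC01 failed test Replications
      Starting test: Services
         ......................... DC01 passed test Services

   Running partition tests on : corp
      Starting test: CheckSDRefDom
         ......................... corp passed test CheckSDRefDom
"""

RESULT_RE = re.compile(r"^\s*\.{3,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)\s*$")
START_RE = re.compile(r"^\s*Starting test:\s+(\S+)\s*$")


def parse_dcdiag(text):
    """Turn dcdiag output into a list of {target, test, status, detail}
    records. Lines between 'Starting test:' and its result line are kept
    as detail so a failure report carries dcdiag's own explanation."""
    results, detail = [], []
    for line in text.splitlines():
        if START_RE.match(line):
            detail = []
            continue
        m = RESULT_RE.match(line)
        if m:
            target, status, test = m.groups()
            results.append({"target": target, "test": test, "status": status,
                            "detail": "\n".join(detail).strip()})
            detail = []
        elif line.strip():
            detail.append(line.rstrip())
    return results


def failures(text):
    """Only the failed tests, in the order dcdiag reported them."""
    return [r for r in parse_dcdiag(text) if r["status"] == "failed"]


def build_alert(failed, sender, recipient):
    """Compose (but do not send) the e-mail Matt describes; hand the result
    to smtplib.SMTP.send_message when wiring it up for real."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "dcdiag: %d failed test(s) on %s" % (
        len(failed), ", ".join(sorted({f["target"] for f in failed})))
    body = []
    for f in failed:
        body.append("%s failed test %s" % (f["target"], f["test"]))
        if f["detail"]:
            body.append(f["detail"])
        body.append("")
    msg.set_content("\n".join(body))
    return msg


if __name__ == "__main__":
    # Real use: text = subprocess.run(["dcdiag"], capture_output=True, text=True).stdout
    bad = failures(SAMPLE_DCDIAG)
    if bad:
        print(build_alert(bad, "dcdiag@corp.example", "admin@corp.example"))
```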
RE: [ActiveDir] Ntds.dit file corruption
Distributed systems hurt the head in that it is not clear *where* the problem is. It is hard to point a finger at something/someone and say "there's the issue!" when the issue lies in the state in which some number of servers exist relative to one another. However, in a system which aims to provide convergence (in mission and in assumption by clients), such divergence is, I think, corruption.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, December 06, 2005 5:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

Good post ~Eric, thanks for chiming in. I see where you are coming from with the corruption at the distributed level. In terms of corruption at that level I see it as corruption but just can't get myself to see it as AD corruption. I am not sure if I can put it down in words why. I just don't. :)

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, December 06, 2005 5:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

<snip>
I would generally not call USN rollback a corruption either, but I think Dean makes a fair and quasi-valid point that if you consider the distributed system, yes such a thing is a corruption. Feel free to shim in an AD Distributed System Logical Layer in the above stack, between AD Logical Layer and App Logical Layer. I'm waffling on this point though, as something smells different than other types of corruption. I'm going to think about that for a long time ... in fact Eric (yes, the ~Eric) is at my door and says he would consider it corruption, so there is a long debate in my future as well ...
</snip>

Over lunch, Brett and I discussed this some more. My contention is that USN rollback would be a form of corruption under a somewhat broad definition.
The reality is that there is a layer that Brett mentioned which actually has two parts when looked at from a high level. Namely, this layer:

AD Logical Layer

The first piece could be thought of as local logical layer. That is, data hierarchy, conforming to the code assumptions of how it should be, data conforming to the schema as defined, etc. This is a layer of data that clearly need be proper (leaving the definition of proper to another day), else we are in some sort of corrupt state. Brett and I both agree on this I'm pretty sure.

However, there is then distributed systems corruption. In AD, one of the services we aim to provide is convergence. If we do not converge, we define this divergence as at a minimum bad, perhaps corrupt. USN rollback breaks our convergence guarantees, it breaks replication such that you will not attain convergence in the system. I would as such consider it a form of corruption.

Over Teriyaki a few minutes ago, Brett posited the question "well if USN rollback is corruption, what else?" Valid question. I would concede that if USN rollback is considered distributed systems corruption, so too would be other conditions which yield divergence. Perhaps this is a slippery slope that goes too far. I need to think about this some more.

I would also toss out there that corruption should not be confused with forever broken. There are many states in which the directory can exist where it is functional, but in some way broken. Such divergences can typically be repaired with administrative action, so long as it is a savvy administrator. :) If we are willing to assume that divergence is corruption, I'd tend to believe that most people on this list have recovered from some form of corruption before. The worse the corruption, the more help you likely want to recover from it. :)

Anyway, we'll likely debate this for a few months, as we usually do on such points. More thoughts to come as we debate further.
~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, December 06, 2005 12:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

I wouldn't say that, joe ...

Let's take another hypothetical real quick, let's say you have a column for the RDN of an AD object (well we do) and that value is NULL. From AD's perspective this object is well not really an object, it would be corrupt, and might even crash lsass.exe (I don't know, it might). However, from ESE's perspective though, the table/row/column is valid, it has a particular column that doesn't have a value. A column which I might add is declared optional (real term is tagged) in the ESE layer schema (real term is catalog). ESE is simply a store of data, it passes no judgement on the data as long as it fits the schema guidelines for the column.

Joe, is the DB corrupt? An AD object without an RDN?

I have a tendency to think in layers and sources of corruption.

App Logical Layer
AD Logical Layer
ESE Logical Layer
[ESE] Physical
RE: [ActiveDir] Ntds.dit file corruption
that the system will recognise the corruptions and therefore not replicate them? Surely this is akin to the new feature added to e2k3 sp1, but which is (sadly) missing from AD(?) I must be missing a subtle point - please show me the light :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 05 December 2005 19:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

We do not replicate corruption so if you have local corruption as noted below there is no worry that it would replicate around to other servers in the environment.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 1:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

Will Read Only DCs take care of this? I don't know much about them yet, but it makes sense that if the copy of the dit that a DC has is RO that it won't try to replicate that anywhere and would only be the recipient of replication. Anyone with more knowledge about how RO DCs will work to comment on that?

Phil

On 12/5/05, Medeiros, Jose [EMAIL PROTECTED] wrote:

Well at least the corruption occurred on just a single DC. One thing that has bugged me about Active Directory is not being able to select if you want a DC in a remote office to not have the ability to replicate back in a large enterprise environment. Since most remote offices only have a few people at the location and a DC is usually placed for improvised logon and authentication time, many companies will either use a very low end server or a very old decommissioned one from their production data center (which is probably close to useable life). I am always concerned that once the NTDS.DIT file becomes corrupt it will replicate the corruption to the other DCs in the Forest. Maybe I am just being a worrywart and this really is not an issue.
Sincerely,

Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, December 05, 2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

I did? :-) I think I still said all I know is what the poster said :-)

I think I need a course in event log reading because even with the logs, and the default size of the logs, I still don't see a smoking gun. The directory services one is filled with events 'post' blow up.

What is interesting is that it seems to me big server land goes .. oh yeah... ntds.dit corruption... and sbsland freaks out. Either we do indeed need to ensure we have a secondary DC or we need to park a second copy of a system state offsite [say at the vap/var]

Brett Shirley wrote:

She replied offline, very likely a single bit flip, tragedy, they aren't one release later (Longhorn), where this would've probably been non-disruptively handled, logged, and possibly self-healed:
http://blogs.technet.com/efleis/archive/2005/01.aspx

Anyway, this kind of thing is usually hardware ... While there are much better disk sub-system testers, one that is freely available to any box with Exchange is jetstress. You might give that a try. If you can reproduce the event / error with jetstress I would not use that box in production. If you do reproduce the issue several times (several times is key, as you want a trend before you start playing the variable game), some things you might vary (one at a time):

- Try making sure you have the latest driver and motherboard / controller firmware. Then see if you can reproduce.
- Try a different RAID configuration, such as RAID1/RAID1+0 if you're on RAID5.
- Try swapping out the hard drives, one at a time.
- Adding the jetstress files to the exclude list in the Anti-Virus software. (A low probability, I've never heard of Anti-Virus causing this particular type of error, and I can't imagine the mistake an anti-virus product would have to have to cause this side effect)
- If you can reproduce it several times, you could follow up with Dell.

Good luck. I'm not sure if I answered your question ...

Cheers,
BrettSh

On Sun, 4 Dec 2005, Eric Fleischman wrote:

Going back to the original post, I'm not sure I fully understand the problem yet. Susan, can you define "ntds.dit file corruption" for us? What sort of corruption? What errors/events lead you to believe this? Specifically, I'm interested in errors from NTDS ISAM or ESE if you have any.

From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP
RE: [ActiveDir] Ntds.dit file corruption
Going back to the original post, I'm not sure I fully understand the problem yet. Susan, can you define "ntds.dit file corruption" for us? What sort of corruption? What errors/events lead you to believe this? Specifically, I'm interested in errors from NTDS ISAM or ESE if you have any.

From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sat 12/3/2005 10:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ntds.dit file corruption

SBS box [with Windows 2003 sp1 since September]

RE: [ActiveDir] Database Corruption: http://www.mail-archive.com/activedir@mail.activedir.org/msg32676.html

We have a SBS 2003 sp1 box with a corrupt ntds.dit that the Consultant and PSS have been banging on. Could not get the services back running, changed the RPC service to local system and some service came back up [I don't have all the details but the consultant opened a support case of SRX051202605433].

Bottom line they are about going to give up and start a restore but before they do that I'd like to get the view of the AD gods and goddesses around here. From all that I've seen, read, seen in the SBS newsgroup, the corruption of ntds.dit is rare to nil and an underlying cause is hardware issues [raid, disk subsystem]. This doesn't just happen.

The VAP asked if not properly excluding the ad databases from the a/v would cause this/trigger this and my expectation is 'no', given that I doubt the majority of us in SBSland properly set up exclusions

Virus scanning recommendations on a Windows 2000 or on a Windows Server 2003 domain controller: http://support.microsoft.com/default.aspx?scid=kb;en-us;822158

If this were my hardware and box, I'd be putting this sucker on the operating table and getting an autopsy before putting it back online. Are we right in being paranoid now about this hardware? For you guys in big server land you'd just slide over another box into that server role.

---
Stupid question alert

Okay so we know that having a secondary/additional domain controller is a good thing even in SBSland... but question many times the second server in SBSland is a terminal server box because we do not support TS in app mode on our PDCs. So we've established that having a domain controller and a terminal server is a security issue [see Windows Security resource kit, NIST Terminal services hardening guide, etc etc]. If our second server is a member server handing out TS externally, should that be a candidate for the additional DC? Are the issues of TS on a DC ... true for 'any' DC? Would it be better then to Vserver/VPC a Win2k3 inside a workstation in the network if a third server box was not feasible?

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] exchange kerberos errors(OT)
We have observed this in the past on many systems. It may not be the same issue, but it is very likely the same. It was cleared with a QFE we built as there was a Windows issue at play. We have had threads on this previously: http://www.mail-archive.com/activedir@mail.activedir.org/msg24917.html

I would obtain that QFE and put it on your Exchange server. It will likely clear the issue.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, December 03, 2005 5:54 AM
To: activedirectory
Subject: [ActiveDir] exchange kerberos errors(OT)

I've been getting Event ID 675 errors on my DC's lately. The accounts referenced are the machine accounts of my Exchange servers. The error is as follows-

Event Type:Failure Audit
Event Source:Security
Event Category:Account Logon
Event ID:675
Date:12/2/2005
Time:3:58:39 PM
User:NT AUTHORITY\SYSTEM
Computer:OPNYC10
Description:
Pre-authentication failed:
User Name:EXNYC02$
User ID:MYDOMAIN\EXNYC02$
Service Name:krbtgt/OPANDCO.COM
Pre-Authentication Type:0x2
Failure Code:0x18
Client Address:192.168.20.1

I'm running a win2k sp4 forest in native mode and exchange 2k in native mode. I don't know if this is something I should be worried about or not.

Thanks
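As an added illustration (not code from the thread), the following script parses event 675 records in the layout Tom pasted, names the Kerberos failure code (0x18 is KDC_ERR_PREAUTH_FAILED in RFC 4120), and separates the case the thread is about (a machine account failing pre-authentication because of a software issue) from the pattern a defender actually worries about: one client address failing pre-authentication for many different user accounts. The extra events and the 192.168.20.55 / 192.168.20.77 addresses are constructed for the sample.

```python
import re
from collections import defaultdict

# Kerberos error codes (RFC 4120) as they appear in the Failure Code field of
# a Windows 2000/2003 Security event 675 ("Pre-authentication failed").
FAILURE_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x25: "KRB_AP_ERR_SKEW",
}

# Constructed sample: the event quoted in the post, then five invented events in
# the same "Field:Value" layout so the grouping logic has something to group.
SAMPLE_LOG = r"""Event Type:Failure Audit
Event Source:Security
Event Category:Account Logon
Event ID:675
Computer:OPNYC10
Description:
Pre-authentication failed:
User Name:EXNYC02$
User ID:MYDOMAIN\EXNYC02$
Service Name:krbtgt/OPANDCO.COM
Pre-Authentication Type:0x2
Failure Code:0x18
Client Address:192.168.20.1

Event ID:675
User Name:EXNYC02$
Pre-Authentication Type:0x2
Failure Code:0x18
Client Address:192.168.20.1

Event ID:675
User Name:jsmith
Pre-Authentication Type:0x2
Failure Code:0x18
Client Address:192.168.20.55

Event ID:675
User Name:mjones
Pre-Authentication Type:0x2
Failure Code:0x18
Client Address:192.168.20.55

Event ID:675
User Name:tkern
Pre-Authentication Type:0x2
Failure Code:0x18
Client Address:192.168.20.55

Event ID:675
User Name:ppaul
Pre-Authentication Type:0x2
Failure Code:0x25
Client Address:192.168.20.77
"""


def parse_events(text):
    """Split the pasted text into events (blank-line separated) and return the
    'Field:Value' pairs of every event 675 as a dict."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields.get("Event ID") == "675":
            events.append(fields)
    return events


def describe(event):
    code = int(event["Failure Code"], 16)
    return FAILURE_CODES.get(code, "unknown 0x%x" % code)


def is_machine_account(event):
    # Computer accounts carry a trailing '$' in the user name.
    return event["User Name"].endswith("$")


def summarize(events, spray_threshold=3):
    """Return (per_account, suspicious_clients).

    per_account: {user: {"failures", "codes", "clients", "machine"}}
    suspicious_clients: client addresses that produced KDC_ERR_PREAUTH_FAILED for
    at least spray_threshold distinct non-machine accounts (coarse spray check)."""
    per_account = defaultdict(
        lambda: {"failures": 0, "codes": set(), "clients": set(), "machine": False})
    accounts_per_client = defaultdict(set)
    for ev in events:
        user, reason = ev["User Name"], describe(ev)
        entry = per_account[user]
        entry["failures"] += 1
        entry["codes"].add(reason)
        entry["clients"].add(ev["Client Address"])
        entry["machine"] = is_machine_account(ev)
        if reason == "KDC_ERR_PREAUTH_FAILED" and not is_machine_account(ev):
            accounts_per_client[ev["Client Address"]].add(user)
    suspicious = sorted(addr for addr, users in accounts_per_client.items()
                        if len(users) >= spray_threshold)
    return dict(per_account), suspicious
```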
RE: [ActiveDir] Netlogon.dns (2)
I would have SWORN there was an issue in this code path, but the details escaped me. So I pinged Steve offline who remembered the details... basically, it's this: http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395

So that could be what you're hitting. With some more details, we might be able to diagnose it if it is something else. But we might need to debug it to know for sure.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Tuesday, November 08, 2005 2:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Netlogon.dns (2)

Were the entries dropped off the end of the file, or were they missing from the middle? Any pattern to the entries that were missing?

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Tuesday, November 08, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Netlogon.dns (2)

Instead of hijacking another thread I'm going to start my own ;)

What I've seen recently and was pretty surprised: A customer of mine had incomplete netlogon.dns files; they had some of the records which were supposed to be there but not all. On some DCs about 50% of the netlogon.dns was missing. Really bad about this is that tools like dcdiag only test the content of the netlogon.dns against the DNS service, and that the netlogon process does not check the content of the netlogon.dns without any changes unless the file is missing. So the customer had missing DNS information for ages and never noticed it - not everyone is digging around in DNS and knows what's supposed to be there ;)

DCs were W2k SP4. Anyone seen this before? OK - I've already fixed it by renaming netlogon.dns and restarting netlogon, but I'm curious if anyone has ideas where this might come from and if anyone has seen it before.

Greetings - Sincerely,
Ulf B. Simon-Weidner

MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
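Ulf's point is that checking netlogon.dns against DNS cannot catch records that are missing from netlogon.dns itself. The added example below (not from the thread) builds the expected set independently from the DC's domain, forest, site and GUIDs and diffs it against the file. The record list is the core set a plain DC registers as documented by Microsoft; GC and PDC-emulator records are deliberately left out, and the domain names, site and GUIDs in the sample file are constructed.

```python
# Constructed sample of a netlogon.dns with roughly half the records missing;
# the line format matches the real file, the names and GUIDs are invented.
SAMPLE_NETLOGON_DNS = """\
_ldap._tcp.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.Default-First-Site-Name._sites.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com. 600 IN SRV 0 100 389 dc1.corp.example.com.
_kerberos._tcp.corp.example.com. 600 IN SRV 0 100 88 dc1.corp.example.com.
_kpasswd._tcp.corp.example.com. 600 IN SRV 0 100 464 dc1.corp.example.com.
b2c4e7d0-1111-2222-3333-444455556666._msdcs.example.com. 600 IN CNAME dc1.corp.example.com.
"""


def expected_records(dns_domain, forest_root, site, domain_guid, dsa_guid):
    """Owner names (lower-cased) and types every DC is expected to register.
    Assumption: only the core set is listed; GC (_gc._tcp, gc._msdcs) and
    PDC-emulator (pdc._msdcs) records are not covered here."""
    dom, forest = dns_domain, forest_root
    srv_names = [
        f"_ldap._tcp.{dom}",
        f"_ldap._tcp.{site}._sites.{dom}",
        f"_ldap._tcp.dc._msdcs.{dom}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{dom}",
        f"_ldap._tcp.{domain_guid}.domains._msdcs.{forest}",
        f"_kerberos._tcp.{dom}",
        f"_kerberos._udp.{dom}",
        f"_kerberos._tcp.{site}._sites.{dom}",
        f"_kerberos._tcp.dc._msdcs.{dom}",
        f"_kerberos._tcp.{site}._sites.dc._msdcs.{dom}",
        f"_kpasswd._tcp.{dom}",
        f"_kpasswd._udp.{dom}",
    ]
    expected = {(name.lower(), "SRV") for name in srv_names}
    # Replication partners find this DC through its DSA GUID CNAME in the forest zone.
    expected.add((f"{dsa_guid}._msdcs.{forest}".lower(), "CNAME"))
    return expected


def parse_netlogon_dns(text):
    """Return {(owner_name, rrtype)} for each record line in netlogon.dns.
    Owner names are lower-cased and the trailing dot dropped, because DNS
    names compare case-insensitively."""
    found = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "IN":
            found.add((parts[0].rstrip(".").lower(), parts[3]))
    return found


def check_netlogon_dns(text, **dc):
    """Return (missing, unexpected): expected records absent from the file, and
    records in the file that this DC should not be registering."""
    expected = expected_records(**dc)
    found = parse_netlogon_dns(text)
    return sorted(expected - found), sorted(found - expected)


if __name__ == "__main__":
    missing, unexpected = check_netlogon_dns(
        SAMPLE_NETLOGON_DNS,
        dns_domain="corp.example.com", forest_root="example.com",
        site="Default-First-Site-Name",
        domain_guid="0a1b2c3d-1111-2222-3333-444455556666",
        dsa_guid="b2c4e7d0-1111-2222-3333-444455556666")
    for name, rrtype in missing:
        print(f"MISSING {rrtype:5} {name}")
```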
RE: [ActiveDir] Unreadable Netlogon.dns file
Since you are saying the file is there but netdiag can't see it, if I were a betting man I would say for some reason the context under which netdiag is running does not have perms to read the file. The code in question does an fopen() on it with parameters "rt". I suspect, though don't know, that permissions is the likely problem. :) It usually is with other calls such as this one.

If you want, let's take this offline. We can report back to the list with the result. I can debug this for you if you're willing?

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott
Sent: Monday, November 07, 2005 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unreadable Netlogon.dns file

I have just verified that I have the latest version of Netdiag (5.2.3790.0). As for the netlogon.dns file, I have verified it. In fact, I renamed it, restarted the netlogon service and it recreated it correctly. I'm running this from a terminal server session on the box itself. I haven't tried running it remotely.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, November 07, 2005 2:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unreadable Netlogon.dns file

I *think* there was an updated version of netdiag that came out. It might be useful to ensure you have the latest. Also, have you verified that the file exists? If neither of those relates, can you give some more information? Are you running this remotely from your desktop? From the console? Same results regardless?

Al

From: Rachui, Scott [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unreadable Netlogon.dns file
Date: Mon, 07 Nov 2005 14:20:14 -0600

I have a very odd problem. I am testing Windows 2003 Active Directory (running in W2K Native Mode) and on the W2K3 DCs, I get the following message when running NETDIAG:

DNS test . . . . . . . . . . . . . : Failed
[FATAL] Could not open file C:\WINNT\system32\config\netlogon.dns for reading.
[FATAL] Could not open file C:\WINNT\system32\config\netlogon.dns for reading.
[FATAL] Could not open file C:\WINNT\system32\config\netlogon.dns for reading.
[FATAL] No DNS servers have the DNS records for this DC registered.

I have checked security on the 2 W2K3 DCs (which are in different domains, but are both experiencing this), but can't find any permission that they're missing. Any help with this would be much appreciated.

Thanks!
Scott
RE: [ActiveDir] Script to export an AD environment to XML
I think you need to consider that the export to XML is far less difficult than the import back in to the directory on the other side. Joe raised one: the ACL problems. And there are other problems you need to fix too. For example, you have a user and a group, the user is in the group. You need to ensure that you create the user before you try and tickle the 'member' attribute of the group. This problem would be out there for all link value attributes. And sometimes, perhaps you happen to have an attribute on objectA that points to objectB but also an attribute on objectB that points back to objectA. So you can't just reorder, you need to defer some of the operations to later on. You need to ensure you sort your object creates hierarchically so you don't try and create children before you have their parents. You need to ensure you have schema parity. Those are just a few problems that come to mind.

Synchronization is tricky business. This is why we wrote MIIS and ADAMSync so you don't have to. ;) Perhaps an easy approach for you would be adamsync + a little scripting (namely for ACLs + GPOs, two things that adamsync can't handle on its own).

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 21, 2005 8:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to export an AD environment to XML

Good points, joe. The whole effort started with a guy here writing a script which made two passes as you describe in order to avoid the chicken and egg dilemma.[1] He found he was having difficulty in applying OU perms so I started to look at the GPMC scripts hoping it would make his life easier. I guess we need the GPMC scripts plus his custom made scripts in some shape or form. With regard names vs SIDs - I am looking to create a fresh env from the XML file so that is less of an issue. The GPMC createXMLfromEnv script uses names and happily exports GPOs, their permissions and the related group objects.

neil

[1] this is clearly not a dilemma since the egg came first. Animals gave birth via an egg long before the chicken ever evolved into existence :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 21 October 2005 15:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to export an AD environment to XML

Perms are going to be fun to handle... You have two problems. First off you obviously can't use SIDs, everything will have to be name based with all objects with same names having to exist or a mapping file used. Second off, chicken and egg. If you are trying to build an OU X with the perms set for group XYZ to have permissions but XYZ is a member of some OU below X then you can't set the OU X perms until you have created XYZ. Simplest way to handle would be to build all objects, then come through and apply perms. I would probably look at writing a separate script to read and apply the perms.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 21, 2005 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to export an AD environment to XML

That's where I started - but I need OU perms and don't believe that script exports that data, by default. Did you extend the script at all?

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: 21 October 2005 15:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to export an AD environment to XML

Neil, have a look at CreateXMLFromEnvironment.wsf and CreateEnvironmentFromXML.wsf from C:\Program Files\GPMC\Scripts. Darren put me onto these a week or so ago and I have been able to export Users, Groups, Group Membership, OU, GPO (incl ACLS and security) to about 80% accuracy so far. Check out the post titled [ActiveDir] Interesting Scripting Task. that is still alive and kicking.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 21 October 2005 14:43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script to export an AD environment to XML

I believe some of the scripts that come with GPMC can be helpful here. As for creating the XML file for structure, not as sure it's already built. You do have some vbscript or perl options available that handle creating the XML structures for you though. Take a look at the GPMC file and you'll see what I mean. (there was a conversation yesterday about exporting the GPMC stuff on this list, and I just replied to some of that. You'll see the methods etc that relate to using XML vs. plain text in those files) Drop a note if that's not what you had in mind though.

-ajm

From: [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Script to export
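Eric's import-ordering rules (parents before children, link-valued attributes such as member deferred to a second pass so mutual references and forward references resolve) are the part the export scripts do not handle for you. The following is an added example, not code from the thread or from the GPMC scripts: it takes a small constructed export and produces the creation order, the deferred link operations, the references whose target is not in the export, and the containers that must already exist in the target. The LINK_ATTRIBUTES list is a stand-in for reading linkID from the schema.

```python
import re

# Attributes whose values are DNs of other objects (link-valued). Assumption:
# this short hard-coded list stands in for reading linkID from the schema.
LINK_ATTRIBUTES = {"member", "managedBy", "manager"}

# Constructed export (not real data): a group whose member lives in another OU,
# two users pointing at each other via 'manager', and one dangling reference.
EXPORT = [
    {"dn": "CN=Helpdesk,OU=Groups,DC=company,DC=com", "objectClass": "group",
     "attributes": {"member": ["CN=Alice\\, A.,OU=Users1,DC=company,DC=com",
                               "CN=Bob,OU=Users1,DC=company,DC=com"],
                    "managedBy": "CN=Carol,OU=Users1,DC=company,DC=com"}},
    {"dn": "CN=Alice\\, A.,OU=Users1,DC=company,DC=com", "objectClass": "user",
     "attributes": {"sAMAccountName": "alice",
                    "manager": "CN=Bob,OU=Users1,DC=company,DC=com"}},
    {"dn": "CN=Bob,OU=Users1,DC=company,DC=com", "objectClass": "user",
     "attributes": {"sAMAccountName": "bob",
                    "manager": "CN=Alice\\, A.,OU=Users1,DC=company,DC=com"}},
    {"dn": "OU=Users1,DC=company,DC=com", "objectClass": "organizationalUnit",
     "attributes": {}},
    {"dn": "OU=Groups,DC=company,DC=com", "objectClass": "organizationalUnit",
     "attributes": {}},
]


def split_dn(dn):
    """Split a DN into its RDNs, honouring backslash-escaped commas (RFC 2253)."""
    return re.split(r"(?<!\\),", dn)


def parent_dn(dn):
    return ",".join(split_dn(dn)[1:])


def plan_import(objects):
    """Order an export for replay into a fresh directory.

    Returns (creates, link_ops, dangling, external_parents):
      creates          - objects sorted parent-before-child, link attributes removed
      link_ops         - (dn, attribute, target_dn) to apply once every create is done
      dangling         - references whose target is not in the export at all
      external_parents - containers that must already exist in the target
    """
    by_dn = {o["dn"]: o for o in objects}
    # Depth ordering: a parent always has fewer RDNs than its children, and the
    # sort is stable so objects at the same depth keep their export order.
    ordered = sorted(objects, key=lambda o: len(split_dn(o["dn"])))
    creates, link_ops, dangling, external = [], [], [], set()
    for o in ordered:
        parent = parent_dn(o["dn"])
        if parent and parent not in by_dn:
            external.add(parent)
        plain = {}
        for attr, values in o["attributes"].items():
            if attr not in LINK_ATTRIBUTES:
                plain[attr] = values
                continue
            # Link-valued: defer to the second pass, whatever the direction of
            # the reference, so A->B and B->A both resolve.
            for target in ([values] if isinstance(values, str) else values):
                op = (o["dn"], attr, target)
                (link_ops if target in by_dn else dangling).append(op)
        creates.append({**o, "attributes": plain})
    return creates, link_ops, dangling, sorted(external)


if __name__ == "__main__":
    creates, link_ops, dangling, external = plan_import(EXPORT)
    print("pass 1 (create):", [c["dn"] for c in creates])
    print("pass 2 (link):  ", link_ops)
    print("dangling:       ", dangling)
    print("must pre-exist: ", external)
```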
RE: [ActiveDir] LDAP Query Fails
Sudhir do you have a network sniff of the original problem? I think that's likely the easiest way to diagnose this. That way we see the problem itself.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Query Fails

Outlook Express (OE) and Search for People use the same WAB provider IIRC. When you open ldap://servername you're really making a call to use WAB.EXE which is the same address book that OE uses to search for users. I notice though, that if you specify a server to contact, that you get that pre-filled in vs. if you open it in search or via OE.

Interesting IE uses the following key to control what it uses for the ldap url: HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Contacts\Address Book\Protocols\ldap\shell\open\command

So my thinking was that you needed to properly specify the directory on the client. It may just be permissions related however, as utilizing the ldap url to open a DC for search provides null credentials by default. Check your security logs (if auditing) to see if this is the case.

Note: I notice as I looked at this in my test environment that I had no notification in the event logs. I didn't look at it long enough to see if I had the audit settings perfected, so it's possible I missed something. However, a network trace shows the attempt and an error indicating that I need to first bind. That's not really correct, because I do bind, but I bind anonymously. It should be telling me to allow anonymous bind in order to search etc.

If it helps, ldap url syntax is defined in RFC 2255.

Al

From: Sudhir Kaushal [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Query Fails
Date: Mon, 10 Oct 2005 10:07:57 -0400

Hi Mulnick,

I get the same error when I give ldap://domainname. Yes I am using IE. Sorry I didn't get what you mean to ask by "How are your directory settings in OE configured exactly?"

Regards,
Sudhir

This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.

Al Mulnick amulnick @hotmail.com
Sent by: ActiveDir-owner
10/10/2005 10:01 AM
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Query Fails

What happens if you specify ldap://domainname ? Just out of curiosity. Using IE or some other browser? IE relies on OE IIRC to handle LDAP searches. How are your directory settings in OE configured exactly?

From: Sudhir Kaushal [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Query Fails
Date: Mon, 10 Oct 2005 07:37:57 -0400

Hi All,

Whenever I do LDAP search for any user in AD through browser, (ldap://DC server IP ) it gives me error "An error accured while performing the search. Your computer, ISP or the specified directory services may be disconnected. Check ur connections and try again. Operations Error"

I have tried this even locally on the DC, still it gives the same error. Though it is working very well with LDAP browser ( Softerra ) and using the Search - Find ppl from Start Menu.

Any Help!!

Regards,
Sudhir
RE: [ActiveDir] Time on server
And please be sure to note the part of Michael's mail below where he said stable. I once talked to a customer who was syncing DCs to an external clock that rolled back ~20 years. I assure you that was not the best day ever for this admin. :)

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Wednesday, August 31, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time on server

Yes, the recommendation is to use an internal hardware clock: http://support.microsoft.com/default.aspx?scid=816042

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, 1 September 2005 12:28 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Time on server

How about synch'ing it with an internal source that is stable? Remember that it needs port UDP 123 open. I wonder why you wouldn't want to use an external source, like http://tycho.usno.navy.mil/ntp.html?

Mike Thommes

From: [EMAIL PROTECTED] on behalf of Patrick Paul
Sent: Wed 8/31/2005 11:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Time on server

The time on my server is constantly increasing and is clearly wrong. I do not want to sync with an external source! Help appreciated!

Windows 2000 advance server
RE: [ActiveDir] Hidden objects
Actually better would probably be dumpDatabase.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 21, 2005 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hidden objects

Well on reflection, the answer to this regardless of objecttype would be to run an enumeration routine as localsystem and as the admin ID you want to find things that may be hidden from and then compare the results. If the object is a user or group you could try using the NET API to see if it lets you see it where the LDAP calls won't.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 21, 2005 1:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Hidden objects

What type of object?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 16, 2005 10:23 AM
To: activedirectory
Subject: [ActiveDir] Hidden objects

Is there anyway to tell if someone hid an object(s) in AD from a DA? dSHeuristics attrib doesn't have a value set. Does that mean no? After using dsacls, it seems Authenticated users have list contents on every object in AD that I checked. Based on these 2 things, is it pretty safe to assume nothing is probably hidden?

thanks
RE: [ActiveDir] cloning DC's
I'm not equating it with cloning in the impact to the directory nor steps followed, only in the typically desired result of most who try and clone (most who try and clone typically do so to bring up a DC fast, which is effectively what IFM gives you, just in a safe manner via a different set of steps of course).

~Eric

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Wed 8/17/2005 10:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] cloning DC's

Eric,

I just want to be sure that you are not equating backup with cloning. I am afraid that the OP may take your "eat cake" statement to mean that you are agreeing with the cloning proposal. Install from media was not made for cloning. Unless I am wrong again, the install from media is not done (nor is it supposed to be done) on a cloned image of existing DCs. "Cloned" in this case means something like Ghost image of a DC taken from who knows when. This is completely different from a backup of a DC, backup being NTBackup or similar.

So, I am not very sure that he is not going to be eating some very stale cakes if he reads you literally.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Eric Fleischman
Sent: Wed 8/17/2005 9:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] cloning DC's

There is a way to have your cake and eat it too, however.

Take a backup of the DC, then use the install from media (IFM) feature to dcpromo more machines in to the environment using the backup taken as a seed for the dataset. This will allow you to rapidly bring up new DCs without having to re-source all of the info yet still not do damage to your environment (with the definition of "do damage" left out for brevity, as it has been covered on this DL previously if memory serves me correctly).

IFM was added in WS2003 to address scenarios such as this.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Wednesday, August 17, 2005 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] cloning DC's

Tom -

Regardless of the scenario and how it's done - you never, never, never, clone DCs. This will lead to very bad things - possibly including the appearance of the Anti-Christ, opening of Black Holes, ABBA coming back to prominence.

Do NOT do this. Do NOT allow IBM to do it. Period.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, August 17, 2005 7:56 PM
To: activedirectory
Subject: Re: [ActiveDir] cloning DC's

I went back and I saw B. Shirley's remarks on cloning dc's. I'm wondering if this applies to my scenario below - cloning a DC with Disk Image and sysprep and creating new DC's that way? Is this very very bad? Is there an article or paper explaining why? Or anyone care to explain why. Or is this ok?

Thanks. Sorry to harp but these AD consultants from IBM want to go this route tomorrow and I'm thinking it's not a good idea for some reason but I'd like to be sure before I bring it up.

Thanks again

On 8/17/05, Tom Kern [EMAIL PROTECTED] wrote:
I know I read this thread before but I can't seem to find it. We are creating a new forest root and the IBM consultants here created the first root dc and now they want to clone it using Disk Image and sysprep to create the other DC's in the root. I think I heard this is a bad idea. Am I right? I can't seem to find any article on this but I do remember this being spoken of on the list and I don't remember what the conclusion was.
thanks
RE: [ActiveDir] cloning DC's
There is a way to have your cake and eat it too, however.

Take a backup of the DC, then use the install from media (IFM) feature to dcpromo more machines in to the environment using the backup taken as a seed for the dataset. This will allow you to rapidly bring up new DCs without having to re-source all of the info yet still not do damage to your environment (with the definition of "do damage" left out for brevity, as it has been covered on this DL previously if memory serves me correctly).

IFM was added in WS2003 to address scenarios such as this.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, August 17, 2005 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] cloning DC's

Tom -

Regardless of the scenario and how it's done - you never, never, never, clone DCs. This will lead to very bad things - possibly including the appearance of the Anti-Christ, opening of Black Holes, ABBA coming back to prominence.

Do NOT do this. Do NOT allow IBM to do it. Period.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, August 17, 2005 7:56 PM
To: activedirectory
Subject: Re: [ActiveDir] cloning DC's

I went back and I saw B. Shirley's remarks on cloning dc's. I'm wondering if this applies to my scenario below - cloning a DC with Disk Image and sysprep and creating new DC's that way? Is this very very bad? Is there an article or paper explaining why? Or anyone care to explain why. Or is this ok?

Thanks. Sorry to harp but these AD consultants from IBM want to go this route tomorrow and I'm thinking it's not a good idea for some reason but I'd like to be sure before I bring it up.

Thanks again

On 8/17/05, Tom Kern [EMAIL PROTECTED] wrote:
I know I read this thread before but I can't seem to find it. We are creating a new forest root and the IBM consultants here created the first root dc and now they want to clone it using Disk Image and sysprep to create the other DC's in the root. I think I heard this is a bad idea. Am I right? I can't seem to find any article on this but I do remember this being spoken of on the list and I don't remember what the conclusion was.

thanks
RE: [ActiveDir] trust question
Slight modification inline. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Saturday, August 13, 2005 6:34 PM To: Send - AD mailing list Subject: RE: [ActiveDir] trust question My apologies if I appeared to be yelling earlier, that wasn't my intention ... I guess some frustrations came out in my text, sorry about that :o( The GINA's domain list (by default) contains short or flat names (the term NetBIOS name currently describes the same thing but will eventually be replaced by either of those two ... I at least live in hope). The list is populated by the NETLOGON service (if memory serves) and is not dependent upon NetBIOS in anyway ... it merely shows the same short name. This too can be changed using the following registry entries - [EFleis] - The list in the GINA UI is actually populated by winlogon itself strictly speaking. When one presses the SAS in session 0 (this _only_ applies to session 0, no other session, as of win2k3 RTM anyway) we populate this list. That said, it does boil down to a query of netlogon of course (I don't recall if it asks the local netlogon who has already obtained the info from the upstream DCs netlogon or directly asks the DCs netlogon, it's been too long since I looked at this). Disclaimer: I really don't know much about winlogon architecture. I once had to debug this domain list population code and of course had to dip my toe in there, so you just heard about a third of what I learned in that debug. ;) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] DCacheShowDomainTags=dword:0001 DCacheShowDnsNames=dword:0001 NetBIOS itself is a session layer+ protocol, i.e. it requires an underlying transport such as TCP/IP, IPX or NetBEUI. It provides a means of advertising presence, service and session management ... 
it also offers a transport-independent programmatic interface that permitted developers to write network-capable software without concerning themselves about the specifics of the underlying transport mechanism(s). If I may, I would wholeheartedly recommend getting yourself a series of shrink-wrapped VMs/VPCs such that you're able to prove-out these scenarios yourself, it's a facility I've grown to cherish and couldn't possibly work without. Hope the info. proves useful! Dean -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Saturday, August 13, 2005 8:55 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] trust question i heard somewhere that windows 2k uses netbios to generate the drop down list of trusted domains when you logon. now don't yell at me, Dean, but is this true? how does it generate that list when you join a domain? there is just a lot of disinformation about netbios(is it a protocol? an API? A network driver?) and its role in windows today. from what you're saying, as long as each dns server has secondary zones of their respective domains or conditional forwarding, all should be good for a trust just based on dns? thanks On 8/13/05, Dean Wells [EMAIL PROTECTED] wrote: As I said, it is indeed a common misunderstanding ... the fact that there's a related article published only lends weight to that point. 
It takes very little effort to test and it continues to surprise me when I hear of articles such as the one you've referenced (not that I read it since I have more than enough accurate material to plough through ;o) -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mylo Sent: Saturday, August 13, 2005 12:19 PM To: ActiveDir@mail.activedir.org Cc: Send - AD mailing list Subject: Re: [ActiveDir] trust question Dean, Oh...I was under the impression that external trusts still used legacy name resolution.. Here's a commonly misunderstood article about it ;-) http://www.windowsdevcenter.com/pub/a/windows/2004/05/11/netbios.html Cheers Mylo Dean Wells wrote: I'm really not certain where this very common misunderstanding comes from, neither Windows 2000 nor Windows 2003 (nor Longhorn for that matter) requires NetBIOS in order to establish a trust. The locator mechanisms employed to establish the trust are dependent exclusively upon the ability to resolve the trust partner, a role which DNS is more than able to fulfill. This is true to say of external, cross-forest and realm trusts (as far as I can recollect however, NT does impose a NetBIOS dependency). One of the most common reasons for trust creation failure is the scenario where each domain uses an isolated DNS name resolution hierarchy, enabling NetBIOS often appears to resolve this (no pun intended) since broadcast, WINS or LMHOSTS mechanisms are triggered and
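Dean's point in the thread above is that trust creation depends only on being able to resolve the trust partner, and DNS alone can do that; the usual failure is two isolated DNS hierarchies, which NetBIOS fallback then papers over. The following is an added example, not code from the thread: a PowerShell check that the DC locator SRV records of a prospective trust partner resolve through DNS (so you know NetBIOS is not silently doing the work), plus a read of the two Winlogon values Dean and Eric quote. It assumes the DnsClient module (Windows 8 / Server 2012 and later); "partner.example" is a hypothetical domain name, and whether the Winlogon values still have any effect on current Windows versions is not something the thread establishes.

```powershell
# Added example, not from the list thread.
# Verifies that a prospective trust partner is resolvable through DNS alone, which is
# what the DC locator needs when a trust is created, and reads the Winlogon values
# mentioned in the thread. Assumes Resolve-DnsName (DnsClient module, Win8/2012+).
# "partner.example" below is a hypothetical name.

function Test-TrustPartnerDns {
    param(
        [Parameter(Mandatory)] [string] $PartnerDomain,
        [string] $DnsServer   # optional: ask a specific server, e.g. the conditional forwarder target
    )

    # The locator looks for these SRV records. If DNS cannot answer them, the trust wizard
    # falls back to NetBIOS (broadcast/WINS/LMHOSTS) and NetBIOS appears to be "required".
    $records = @(
        "_ldap._tcp.dc._msdcs.$PartnerDomain",
        "_kerberos._tcp.dc._msdcs.$PartnerDomain",
        "_ldap._tcp.pdc._msdcs.$PartnerDomain"
    )

    foreach ($name in $records) {
        $query = @{ Name = $name; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $query.Server = $DnsServer }
        $srv = Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' }
        [pscustomobject]@{
            Record   = $name
            Resolved = [bool]$srv
            Targets  = ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
    }
}

function Get-LogonDomainListSettings {
    # Both values are REG_DWORD under Winlogon; absent means the default (0).
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key
    [pscustomobject]@{
        DCacheShowDomainTags = [int]($item.DCacheShowDomainTags -as [int])
        DCacheShowDnsNames   = [int]($item.DCacheShowDnsNames -as [int])
    }
}

# Usage:
# Test-TrustPartnerDns -PartnerDomain 'partner.example' | Format-Table -AutoSize
# Test-TrustPartnerDns -PartnerDomain 'partner.example' -DnsServer '10.0.0.53'
# Get-LogonDomainListSettings
```

Run the first check from a DC in each domain against the other domain's name; if any of the three records comes back with Resolved = False, fix DNS (secondary zone, stub zone or conditional forwarder) before creating the trust rather than enabling NetBIOS to mask the problem.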
RE: [ActiveDir] trust question
If you want to validate when this code path is fired, set a breakpoint on DCacheWriteDomainsToCache and see when it fires. It might be easiest to use image file execution options to do this and put every winlogon that fires up under ntsd, or you can do it on the kd side, whatever you find easiest. `Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Sunday, August 14, 2005 10:31 AM To: Send - AD mailing list Subject: RE: [ActiveDir] trust question Hmmm, I understand the distinction you're making Eric but don't recollect it being the case, I'll take a look at the source again and see if I can't solidify this. Thanks for the input. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com
RE: [ActiveDir] An administrator's view on Auditing of AD....
When it comes to auditing, the question really is what are you going to do with the data, not should you collect it. I'd encourage you to pick some questions you want to answer, then figure out what data you need to answer them. Then wrap it up with how to collect the data. Really, it's hard to answer any other questions until you pick some goals. That said, I've seen organizations very successfully use auditing as part of their security strategy. It really just comes back to what questions you want to answer. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, July 20, 2005 5:27 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] An administrator's view on Auditing of AD AD Auditing I haven't been big on doing in production, I am not against it in test just make sure to revert to production settings if doing perf testing. If you have to do it, try to be very targeted. The best strategy, IMHO, is to take away privileges from people to mod things directly and make them do it through some provisioning system that has its own logging. Auditing of failed logons, privilege use, policy changes, and such I do get into. Auditing in general can be pretty harsh on a machine or cause something else (say like an event log scraper) to be pretty harsh on a machine, you want to enable auditing with care. I once saw a misconfigured member server take over 20 hours to boot into NT4 because of all of the auditing enabled on it. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chuck Chopp Sent: Wednesday, July 20, 2005 6:40 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] An administrator's view on Auditing of AD OK, having done a lot of digging around regarding Active Directory and auditing changes being made in it [for various sundry purposes], I have reached a point where it would help to know something about what other system admin folks think about auditing in general I'm looking for some feedback here on what system admin folks really do in practice with their production systems regarding auditing of AD. How frequently do you use auditing of AD? Do you turn it on only for troubleshooting, or is it left on all the time with reporting review of the security audit logs performed at timely intervals? Do you find that having auditing enabled causes too much of a negative impact on the performance of your DCs to leave it on for any period of time? Do you outright refuse to enable auditing for any other reasons? -- Chuck Chopp ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com RTFM Consulting Services Inc. 864 801 2795 voice voicemail 103 Autumn Hill Road 864 801 2774 fax Greer, SC 29651 Do not send me unsolicited commercial email. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
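Eric's advice above is to pick the questions first and only then decide what to collect; joe's list of what he does audit (failed logons, privilege use, policy changes) is a good starting set of questions. The following is an added example, not code from the thread: three of those questions turned into targeted Security-log queries against a DC, so that the collection is scoped to what will actually be read. It assumes the Windows Server 2008 and later event IDs (4625 failed logon, 4672 special privileges assigned at logon, 4719 audit policy changed) rather than the NT4/2003-era IDs the thread dates from, and "DC01.corp.example" is a hypothetical DC name.

```powershell
# Added example, not from the list thread.
# Turns three audit questions into scoped queries of a DC's Security log.
# Assumes Windows Server 2008+ event IDs; the DC name is hypothetical.

function Get-AuditAnswers {
    param(
        [string] $ComputerName = 'DC01.corp.example',   # hypothetical DC
        [int]    $Hours        = 24,
        [int]    $Threshold    = 10                     # failed logons per account worth a look
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Helper: pull one EventData field out of an event's XML payload.
    function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord] $Event, [string] $Field) {
        $x = [xml]$Event.ToXml()
        ($x.Event.EventData.Data | Where-Object { $_.Name -eq $Field }).'#text'
    }

    # Question 1: which accounts are failing to log on repeatedly (spraying, lockout trouble)?
    $failed = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventField $_ 'TargetUserName' } |
        Group-Object | Where-Object { $_.Count -ge $Threshold } |
        Select-Object @{ n = 'Account'; e = { $_.Name } }, Count

    # Question 2: who is exercising admin-equivalent privileges, and how often?
    $privileged = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName = 'Security'; Id = 4672; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventField $_ 'SubjectUserName' } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'Account'; e = { $_.Name } }, Count

    # Question 3: has anyone changed the audit policy itself (the first thing an intruder disables)?
    $policy = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName = 'Security'; Id = 4719; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'By'; e = { Get-EventField $_ 'SubjectUserName' } }

    [pscustomobject]@{
        RepeatedFailedLogons = $failed
        PrivilegeUse         = $privileged
        AuditPolicyChanges   = $policy
    }
}

# Usage:
# $a = Get-AuditAnswers -ComputerName 'DC01.corp.example' -Hours 24
# $a.RepeatedFailedLogons | Format-Table -AutoSize
# $a.AuditPolicyChanges   | Format-Table -AutoSize
```

Each query names the event ID, the time window and the field it reads, which is also the specification of what the audit policy on the DC must produce; anything the policy generates that no question consumes is the load joe warns about and can be switched off.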
RE: Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL......)
~Eric wrote: We actually block all base schema elements if I remember correctly. No you don't. Of the 1070 base schema attributes, you only block the 1007 ones that are marked as category 1. The remaining 63 attributes, such as msDS-ExternalKey, are not marked and therefore don't have this or any other protection for base schema attributes. Looking at your example msds-externalkey, I don't see the base flags bit set. Therefore, it would not be blocked. Looking at the code, right now, I stand by the earlier statement: we block base schema elements. Base schema elements are defined as the elements with the base schema flag set. All of them should be blocked. Please show me an example of a base schema element with the base schema flag set where I'm wrong. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti Sent: Tuesday, July 12, 2005 4:39 PM To: ActiveDir@mail.activedir.org Subject: RE: Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL..) Hi Brett and ~Eric, Thanks for your comments on my confidential attribute post. Now I solved, how to set the confidentiality in a way where unnecessary permissions are not granted. Brett wrote: A) Small note, 0xF is 15 decimal and is equivalent to 4 bits set (0b) Thanks for catching my silly mistake. Yes, I meant 0x10, which is 16 in decimal. Fortunately this part was not about setting bits, but just checking which base schema attributes have protection. Brett wrote (and ~Eric agreed): B) Why can't you grant the explicit extended right for reading the confidential attribute? I assume there is one, there has to be. No there isn't. I went through the 49 extended rights that exist in SP1, and none of them seems to be for controlling confidentiality. This is actually obvious, because each of them is linked to only certain object classes, but the confidential attribute mechanism must apply to all current and future object classes. 
Therefore, a specific extended right cannot be used (unless Microsoft defined a fake rightsGuid for this, without a corresponding controlAccessRight object in the Configuration partition). However, I now found out that the trick is to define a certain attribute or property set with the control access permission. If you do this, the trustee won't get normal extended rights, such as Reset Password. This trick has been illegal so far, and therefore if you try it with DSACLS, it will give you an error that you can specify an attribute or property set only with WP(Write Property) and RP(Read Property) permissions, not with CA(Control Access). So, the following is the correct syntax, but the current DSACLS (and neither the R2 ADAM version) doesn't yet support it: dsacls ou=demo,dc=sanao,dc=com /G jim:ca;msDS-ExternalKey; ~Eric wrote: The LDP required for this is the LDP in R2's ADAM, not in the currently shipping one. Sorry. Yes, exactly. Just get R2 beta, locate ADAM in it, extract LDP.EXE from there, and use that tool's Security Descriptor feature to add the following ACE (preferably to an OU, and with the inherit flag on): - specify Control access as the permission - specify the desired attribute or property set as the Object type ~Eric wrote: We actually block all base schema elements if I remember correctly. No you don't. Of the 1070 base schema attributes, you only block the 1007 ones that are marked as category 1. The remaining 63 attributes, such as msDS-ExternalKey, are not marked and therefore don't have this or any other protection for base schema attributes. Yours, Sakari List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL......)
For clarity, this is the flag I'm making reference to: 1 systemFlags: 0x10 = ( FLAG_SCHEMA_BASE_OBJECT ); If that is set on a schema element, my contention is that on an SP1 DC it should not allow you to set the confidential bit. Show me a counterexample please. ~Eric List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
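The two confidential-attribute messages above (Sakari's count of base-schema attributes with and without the base flag, and Eric's request for a counterexample with systemFlags 0x10 set) both come down to reading two bits off each attributeSchema object, and Sakari's workaround is an ACE granting CONTROL_ACCESS with the attribute's schemaIDGUID as the object type. The SP1 release-notes excerpt quoted further down describes the same search-flag mechanism. The following is an added example, not code from the thread or from Microsoft: a PowerShell inventory of which attributes are base schema (so the confidential bit will be refused) and which are already confidential, a function that ORs the confidential bit into searchFlags, and the CA-on-attribute ACE the thread says DSACLS of the day could not produce. It assumes the RSAT ActiveDirectory module; "msDS-ExternalKey", "OU=demo,DC=sanao,DC=com" and "jim" are taken from the thread and "SANAO\jim" is a hypothetical trustee form.

```powershell
# Added example, not from the list thread.
# Inventory of confidential / base-schema attributes, setting the confidential bit,
# and granting read via CONTROL_ACCESS scoped to the attribute's schemaIDGUID.
# Assumes the RSAT ActiveDirectory module. Sample names are hypothetical.

Import-Module ActiveDirectory

$FLAG_SCHEMA_BASE_OBJECT = 0x10   # systemFlags: base-schema element; SP1 DC refuses the confidential bit
$CONFIDENTIAL            = 0x80   # searchFlags: attribute is confidential (SP1 and later)

function Get-ConfidentialAttributeStatus {
    # One row per attribute: is it base schema, is it already confidential.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=attributeSchema)' `
        -Properties lDAPDisplayName, searchFlags, systemFlags, schemaIDGUID |
    ForEach-Object {
        [pscustomobject]@{
            Name         = $_.lDAPDisplayName
            BaseSchema   = (([int]$_.systemFlags) -band $FLAG_SCHEMA_BASE_OBJECT) -ne 0
            Confidential = (([int]$_.searchFlags) -band $CONFIDENTIAL) -ne 0
            SchemaIDGUID = [guid]$_.schemaIDGUID
        }
    }
}

function Set-AttributeConfidential {
    # OR the confidential bit into searchFlags without disturbing the other bits.
    # Requires Schema Admins; the DC rejects the write on base-schema attributes.
    param([Parameter(Mandatory)][string] $AttributeName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$AttributeName)" -Properties searchFlags
    if (-not $attr) { throw "attribute '$AttributeName' not found in schema" }
    $new = ([int]$attr.searchFlags) -bor $CONFIDENTIAL
    Set-ADObject -Identity $attr.DistinguishedName -Replace @{ searchFlags = $new }
}

function Grant-ConfidentialRead {
    # CONTROL_ACCESS with the attribute's schemaIDGUID as object type, inherited down the OU.
    # Because the object type is an attribute GUID and not a rightsGuid, no named extended
    # right (e.g. Reset Password) is granted along with it.
    param(
        [Parameter(Mandatory)][string] $OuDn,          # e.g. 'OU=demo,DC=sanao,DC=com'
        [Parameter(Mandatory)][string] $AttributeName, # e.g. 'msDS-ExternalKey'
        [Parameter(Mandatory)][string] $Trustee        # e.g. 'SANAO\jim' (hypothetical)
    )
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$AttributeName)" -Properties schemaIDGUID
    if (-not $attr) { throw "attribute '$AttributeName' not found in schema" }
    $guid = [guid]$attr.schemaIDGUID

    $acl = Get-Acl -Path "AD:\$OuDn"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (New-Object System.Security.Principal.NTAccount($Trustee)),
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Usage:
# Get-ConfidentialAttributeStatus | Where-Object { $_.BaseSchema -and $_.Confidential }   # Eric's counterexample search
# Get-ConfidentialAttributeStatus | Where-Object { -not $_.BaseSchema } | Sort-Object Name
# Set-AttributeConfidential -AttributeName 'msDS-ExternalKey'
# Grant-ConfidentialRead -OuDn 'OU=demo,DC=sanao,DC=com' -AttributeName 'msDS-ExternalKey' -Trustee 'SANAO\jim'
```

The first usage line is Eric's challenge run against a live schema: any row it returns is a base-schema attribute that nevertheless carries the confidential bit. Test the grant with an account that has plain Read Property on the OU and confirm it cannot see the attribute before the ACE and can after it; Read Property alone is not enough once the bit is set, which is the whole point of the feature.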
RE: [ActiveDir] Keep existing attributes from users restored.
BTW, Win2003 SP1 has updated some search flags, so as to add the SIDhistory and Password attributes to the tombstone (I believe this is only valid for new installation of AD). Actually, not quite. For sidHistory, the SP1 change in behavior works for existing installations just as well as existing ones. However, to be safe, we didn't actually modify searchFlags. Instead, we added sidHistory to the list of attributes we always preserve on tombstones no matter what the schema tells us we should (there is a list so that you can't subvert replication and strip off more than should be allowed). This was deemed safer than modifying your schema out from under you on SP upgrade. I tend to agree. This of course leads to the fact that non-SP1 DCs will strip sidHistory where SP1 will keep it. This was well understood, but we did not want a schema change for SP1. So we figured, it was this or wait for Longhorn. We went with this as being better than nothing. ~Eric From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Monday, July 11, 2005 7:08 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Keep existing attributes from users restored. realize that this search-flag can't be applied to all attributes (e.g. linked attributes such as member/memberOf) => as such you will always require a combination of actions to successfully recover users to a previous state. If you do want to leverage the tombstone reanimation feature of 2003 (such as leveraged by SysInternal's adrestore), you'll have to have mechanisms in place to recover attributes which you can't contain in the tombstone object. BTW, Win2003 SP1 has updated some search flags, so as to add the SIDhistory and Password attributes to the tombstone (I believe this is only valid for new installation of AD). 
These are the ones that other third-party tools which help with re-populating the missing attributes can't rewrite after tombstone revival occurs => as such I would certainly consider changing these search flags in other AD implementations, which leverage restore tools that also use the tombstone reanimation method. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Saturday, 9 July 2005 00:03 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Keep existing attributes from users restored. Thanks Dean, I will test it. Cheers, Yann From: [EMAIL PROTECTED] on behalf of Dean Wells Date: Fri. 08/07/2005 18:29 To: Send - AD mailing list Subject: RE: [ActiveDir] Keep existing attributes from users restored. Resent for clarity, odd formatting in previous post ... at least on my end ... modify the searchFlags property of the attributeSchema class that represents the attribute you'd like preserved during logical deletion.
1. Run ADSIEDIT.MSC (Support Tools) (Requires Schema Admins)
2. Expand the Schema NC (Naming Context)
3. Locate cn=attribute
4. Right click it and select Properties
5. Locate and edit the searchFlags property
6. Perform a bitwise-or of bit 3 (the 8)
7. Click OK
8. Right click the node in the left pane labeled Schema [your DC's FQDN], select Update Schema Now
To make my reason for asking clear, I don't think modifying an enterprise property for the sake of recovering slightly more quickly from occasional deletions is particularly good practice ... but that's just me :o) -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Friday, July 08, 2005 11:30 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Keep existing attributes from users restored. Out of curiosity Dean, what schema mod is this? 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells Sent: Friday, July 08, 2005 11:20 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Keep existing attributes from users restored. To do that, you need to modify the schema. The schema modification must be in place before the deletion occurs, are you prepared to modify the schema for such a rare occurrence (at least I hope this is rare)? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN Sent: Friday, July 08, 2005 11:05 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Keep existing attributes from users restored. Hello all :) I recovered deleted users from deletion succesfully by either the following method http://support.microsoft.com/kb/840001/en-us or the excellent adrestore tool from sysinternals. But when i restore deleted users, all their existing attributes (such as telephone, fax
RE: [ActiveDir] Keep existing attributes from users restored.
Having been in this code before, I never noticed this applying to passwords. I don't believe we keep them on tombstones today. Can you confirm that we do in fact keep them on tombstones as of SP1? If so I'll take a peek at this in further detail to see if there is some magic there that I just didn't pick up on last time through. But I didn't think we did. ~Erc (Where did the i in my name go? Well, when you replied in the last mail, you forgot the i in your name, so I've taken it out of mine so you can borrow it for your next reply.) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Monday, July 11, 2005 2:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Keep existing attributes from users restored. thanks for the useful information, Eric. You've only mentioned sidHistory - does the same apply for the password? /Gudo
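Dean's ADSIEDIT steps above amount to OR-ing the value 8 (bit 3, preserve on delete) into an attribute's searchFlags, and Eric explains that SP1 keeps sidHistory through a built-in list rather than through that bit. The following is an added example, not code from the thread: the same schema change done in PowerShell without clobbering the other searchFlags bits, a query for every attribute the schema marks as preserved, and a look at what actually survived on a given tombstone, which is how you see the difference between the schema bit and the built-in list in your own forest. It assumes the RSAT ActiveDirectory module and Schema Admins for the write; "telephoneNumber" and the user "jdoe" are hypothetical.

```powershell
# Added example, not from the list thread.
# Preserve-on-delete searchFlags bit (value 8): set it safely, list attributes that have it,
# and inspect which attributes survived on an existing tombstone.
# Assumes the RSAT ActiveDirectory module; sample attribute/user names are hypothetical.

Import-Module ActiveDirectory

$PRESERVE_ON_DELETE = 0x8   # searchFlags bit 3: keep this attribute on the tombstone

function Set-PreserveOnDelete {
    # Dean's steps 1-7. Requires Schema Admins. Only deletions after the change benefit.
    param([Parameter(Mandatory)][string] $AttributeName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$AttributeName)" -Properties searchFlags
    if (-not $attr) { throw "attribute '$AttributeName' not found in schema" }
    $current = [int]$attr.searchFlags
    if ($current -band $PRESERVE_ON_DELETE) { return "already set on $AttributeName (searchFlags=$current)" }
    # OR in the bit; never assign 8 outright or you lose indexing/GC/confidential bits.
    Set-ADObject -Identity $attr.DistinguishedName -Replace @{ searchFlags = ($current -bor $PRESERVE_ON_DELETE) }
    # Dean's step 8 (Update Schema Now) still applies: reload the schema cache on the DC,
    # or wait for the periodic reload, before relying on the new setting.
    "set on $AttributeName (searchFlags $current -> $($current -bor $PRESERVE_ON_DELETE))"
}

function Get-PreservedOnDeleteAttributes {
    # Attributes the schema says to keep on tombstones (bitwise-AND matching rule).
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -Properties lDAPDisplayName `
        -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=$PRESERVE_ON_DELETE))" |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
}

function Get-TombstoneAttributes {
    # Attribute names still present on a deleted object. Anything not preserved (by the schema
    # bit or by the built-in list) is simply absent, which is why linked attributes such as
    # group membership need a separate recovery mechanism, as Guido notes.
    param([Parameter(Mandatory)][string] $SamAccountName)
    $ts = Get-ADObject -IncludeDeletedObjects -Properties * `
            -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))"
    if (-not $ts) { throw "no tombstone found for '$SamAccountName'" }
    [pscustomobject]@{
        Tombstone  = $ts.DistinguishedName
        Attributes = ($ts.PropertyNames | Sort-Object)
    }
}

# Usage:
# Set-PreserveOnDelete -AttributeName 'telephoneNumber'
# Get-PreservedOnDeleteAttributes
# (Get-TombstoneAttributes -SamAccountName 'jdoe').Attributes
```

Compare the output of Get-PreservedOnDeleteAttributes with the attribute list on a real tombstone: attributes that appear on the tombstone but not in the schema query (sidHistory on SP1 DCs, objectSid, sAMAccountName and the like) are the ones coming from the built-in list Eric describes, and they will differ between DC versions exactly as he warns.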
RE: Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL......)
[mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, May 09, 2005 4:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL.. Excellent thanks ~Eric... This looks to be a good document. However, anyone else think this info on confidential attributes is a bit weak in the documentation Improved security to protect confidential attributes To prevent Read access to confidential attributes, such as a Social Security number, while allowing Read access to other object attributes, you can designate specific attributes as confidential by setting a search flag on the respective attributeSchema object. By default, only domain administrators have Read access to confidential attributes, but this access can be delegated. For more information about access to attributes, see How Security Descriptors and Access Control Lists Work on the Microsoft Web site http://go.microsoft.com/fwlink/?LinkId=45972 at http://go.microsoft.com/fwlink/?LinkId=45972. The link takes you to a document from March 28, 2003 which I highly doubt has more info about confidential attributes. This is something that actually requires you to make changes to use, not like saying hey we also keep SID Histories in the tombstone objects now which doesn't take any action on the part of the admins From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Monday, May 09, 2005 12:22 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL.. http://www.microsoft.com/downloads/details.aspx?familyid=C3C26254-8CE3-46E2-B1B6-3659B92B2CDE&displaylang=en I didn't read it for completeness, but spot checked, and many are there. Though certainly not every one I'm sure. 
~Eric List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Turn off an audit
Can you dump the SDDL string of the domain head security descriptor for us and share it out? (Feel free to send it to me offline if you are more comfy that way.) You can do this with ldp or maybe dsacls (I forget if dsacls can show you the raw string or not, but I know LDP can). ~Eric From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Saturday, July 02, 2005 2:55 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Turn off an audit I cannot remember the name of the commandline app to do this. I want to turn off auditing of the msExchALObjectVersion attribute altogether. This is set to audit success/fail at the domain level. If I go in ADUC/ADSIEdit and look at the domain head, that property is nowhere to be found in the list. If I go to some OU, it's inheriting the option to audit this property from the domain. How to turn off? --brian
RE: [ActiveDir] Recursive search on Root domain failed.
Can you take a network sniff of the PHP scripts failing? I suspect they are just blindly doing VLV, not actually checking if the DC they are talking to supports it. The mod you made below will remove the VLV OID from supportedCapabilities such that people that look for it won't find it. If the PHP scripts just use VLV w/o first checking, they'll still fail (though I'd argue while what we did isn't ideal, what they would be doing is just as bad if not worse, because you shouldn't use something like VLV w/o first checking that the DSA supports it). I don't really know what that Outlook thing you tried does from the Outlook side, I'm an AD guy, not an Outlook guy. I've been told by people that I know that it just disables the attempt to use VLV, but there might be caveats they didn't mention. Maybe you don't have a late enough Outlook binary that understands it. Maybe you didn't do the magic DisableVLVBrowsing dance. I don't know. As I mentioned before, I'm doing a write-up of this which I'll probably blog. I'll post to this list with a link to that post when I do it, probably soon, but I have a few other things I need to do first I'm afraid. ~Eric From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Monday, June 27, 2005 1:34 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Recursive search on Root domain failed. ERIC !!! You're the BEST !!! THAT WORKS FINE !! I have never found the solution to my problem for one year :( For Outlook 2003, the search succeeded thanks to your Value added with adsiedit, and it works better than the [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\LDAP] DisableVLVBrowsing=dword:0001 added per workstation !!! But I noticed that for php scripts, the error still remains... any thoughts ? 
Thank you very much Eric for the invaluable help you provided me :-) Cheers, Yann From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Sunday, 26 June 2005 00:45 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Recursive search on Root domain failed. So I am writing a longer note about the history of VLV fixes we've thrown at it and why, but haven't finished yet, and am trying to decide if it is best done in a blog post or an email to this list (it's 2 pages so far). In the interim, a couple of thoughts. From the DSID you're getting, I'd speculate you're still doing VLV. I don't know what you've tweaked on the Outlook side, but that's my suspicion. A network sniff (or some more data) would confirm. However, looking at this more broadly. If you implement this change as your fix, you'll find you need to do this on every client. That might grow old. :) A better fix, assuming 2k3 SP1 DCs (for RTM DCs, you'd need a QFE on them for this, namely a binary from the QFE tree that is Q886683 or later).. Fire up adsiedit, crack open the config NC. Expand CN=Directory Service,CN=Windows NT,CN=Services. Edit CN=Directory Services. Nav down to msds-Other-Settings. Edit. In the Value to add box, type, without the quotes: "DisableVLVSupport=1". Click Add. Give that a try, let us know how it goes. :) ~Eric From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Saturday, June 25, 2005 12:54 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Recursive search on Root domain failed. Thanks for the reply :) Yes, I have already followed the link you specified. I disabled the LDAP address-list-browsing functionality in my Outlook 2003: the browsing is then disabled - the list is empty, without the Unavailable Critical Extension error message box. 
The only way I found to use the LDAP search with Outlook 2003 in Exchange MAPI mode is to configure Outlook to search LDAP Active Directory first and not the Exchange GAL, and type the sender in the To... field of Outlook: Outlook then verifies the sender against LDAP AD first and that works. I thought of distributing this regkey with GPO to all my users... I have already installed SP1 for W2K3 months ago, and no way :( The same problem is reproduced in another French University. The maxpagesize = the max LDAP page size for the default query policy in my domain is set to a high value 2 instead of the default value of 1000. I wonder if this can be the reason... Cheers, Yann From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE) Date: Sat 25/06/2005 18:25 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Recursive search on Root domain failed. Try disabling VLV in Outlook, you can do that here: 820864 You Experience Performance Problems in Outlook 2003 When You Browse an http://support.microsoft.com/?id=820864 If that solves your problem then you might be hitting a known bug, contact PSS
RE: [ActiveDir] Recursive search on Root domain failed.
http://blogs.technet.com/efleis Not much there, I don't blog often. I'll try and get to it today. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Haaker, Chris Sent: Monday, June 27, 2005 5:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Recursive search on Root domain failed. Eric, I would blog it and then those that are interested can pull the blog post. What is your blog address? Chris Haaker ITS Infrastructure x7841 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Saturday, June 25, 2005 6:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Recursive search on Root domain failed. So I am writing a longer note about the history of VLV fixes we've thrown at it and why, but haven't finished yet, and am trying to decide if it is best done in a blog post or an email to this list (it's 2 pages so far). In the interim, a couple of thoughts. From the DSID you're getting, I'd speculate you're still doing VLV. I don't know what you've tweaked on the Outlook side, but that's my suspicion. A network sniff (or some more data) would confirm. However, looking at this more broadly. If you implement this change as your fix, you'll find you need to do this on every client. That might grow old. :) A better fix, assuming 2k3 SP1 DCs (for RTM DCs, you'd need a QFE on them for this, namely a binary from the QFE tree that is Q886683 or later).. Fire up adsiedit, crack open the config NC. Expand CN=Directory Service,CN=Windows NT,CN=Services. Edit CN=Directory Services. Nav down to msds-Other-Settings. Edit. In the Value to add box, type, without the quotes: "DisableVLVSupport=1". Click Add. Give that a try, let us know how it goes. :) ~Eric From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Saturday, June 25, 2005 12:54 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Recursive search on Root domain failed. 
Thanks for the reply :) Yes, I have already followed the link you specified. I disabled the LDAP address-list-browsing functionality in my Outlook 2003: the browsing is then disabled - the list is empty, without the Unavailable Critical Extension error message box. The only way I found to use the LDAP search with Outlook 2003 in Exchange MAPI mode is to configure Outlook to search LDAP Active Directory first and not the Exchange GAL, and type the sender in the To... field of Outlook: Outlook then verifies the sender against LDAP AD first and that works. I thought of distributing this regkey with GPO to all my users... I have already installed SP1 for W2K3 months ago, and no way :( The same problem is reproduced in another French University. The maxpagesize = the max LDAP page size for the default query policy in my domain is set to a high value 2 instead of the default value of 1000. I wonder if this can be the reason... Cheers, Yann From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE) Date: Sat 25/06/2005 18:25 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Recursive search on Root domain failed. Try disabling VLV in Outlook, you can do that here: 820864 You Experience Performance Problems in Outlook 2003 When You Browse an http://support.microsoft.com/?id=820864 If that solves your problem then you might be hitting a known bug, contact PSS for the hotfix (or install SP1 which I believe has the fix). Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Saturday, June 25, 2005 9:01 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Recursive search on Root domain failed. 
Hello, When I do an LDAP recursive search (with Outlook 2003 in Exchange 2003 MAPI or php scripts) through my root domain AD2003 (dc=domain,dc=fr), the search fails with the corresponding error: Unavailable Critical Extension. But when I put the complete DN of an OU (ou=test,dc=domain,dc=fr) then the search works. When I used Outlook Express configured in LDAP, the recursive search ... worked. My environment: Forest ad2003 raised to Windows Server 2003 functional level. I did an in-place upgrade from AD 2000 native mode to AD 2003. Curious thing is when I installed a fresh domain AD2003 test (without upgrade from ad2000) any recursive search (with php, outlook 2003, etc..) works. So I suspect that it is the migration that causes the problem but, I didn't know if such a request worked before migration :( My network trace between my workstation and any DCs confirmed the error: LDAP: ProtocolOp
RE: [ActiveDir] Recursive search on Root domain failed.
So I am writing a longer note about the history of VLV fixes we've thrown at it and why, but haven't finished yet, and am trying to decide if it is best done in a blog post or an email to this list (it's 2 pages so far). In the interim, a couple of thoughts. From the DSID you're getting, I'd speculate you're still doing VLV. I don't know what you've tweaked on the Outlook side, but that's my suspicion. A network sniff (or some more data) would confirm. However, looking at this more broadly. If you implement this change as your fix, you'll find you need to do this on every client. That might grow old. :) A better fix, assuming 2k3 SP1 DCs (for RTM DCs, you'd need a QFE on them for this, namely a binary from the QFE tree that is Q886683 or later).. Fire up adsiedit, crack open the config NC. Expand CN=Directory Service,CN=Windows NT,CN=Services. Edit CN=Directory Services. Nav down to msds-Other-Settings. Edit. In the Value to add box, type, without the quotes: "DisableVLVSupport=1". Click Add. Give that a try, let us know how it goes. :) ~Eric From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Saturday, June 25, 2005 12:54 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Recursive search on Root domain failed. Thanks for the reply :) Yes, I have already followed the link you specified. I disabled the LDAP address-list-browsing functionality in my Outlook 2003: the browsing is then disabled - the list is empty, without the Unavailable Critical Extension error message box. The only way I found to use the LDAP search with Outlook 2003 in Exchange MAPI mode is to configure Outlook to search LDAP Active Directory first and not the Exchange GAL, and type the sender in the To... field of Outlook: Outlook then verifies the sender against LDAP AD first and that works. I thought of distributing this regkey with GPO to all my users... 
I have already installed SP1 for W2K3 months ago, and no way :( The same problem is reproduced in another French University. The maxpagesize = the max LDAP page size for the default query policy in my domain is set to a high value 2 instead of the default value of 1000. I wonder if this can be the reason... Cheers, Yann From: [EMAIL PROTECTED] on behalf of Robert Williams (RRE) Date: Sat 25/06/2005 18:25 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Recursive search on Root domain failed. Try disabling VLV in Outlook, you can do that here: 820864 You Experience Performance Problems in Outlook 2003 When You Browse an http://support.microsoft.com/?id=820864 If that solves your problem then you might be hitting a known bug, contact PSS for the hotfix (or install SP1 which I believe has the fix). Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN Sent: Saturday, June 25, 2005 9:01 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Recursive search on Root domain failed. Hello, When I do an LDAP recursive search (with Outlook 2003 in Exchange 2003 MAPI or php scripts) through my root domain AD2003 (dc=domain,dc=fr), the search fails with the corresponding error: Unavailable Critical Extension. But when I put the complete DN of an OU (ou=test,dc=domain,dc=fr) then the search works. When I used Outlook Express configured in LDAP, the recursive search ... worked. My environment: Forest ad2003 raised to Windows Server 2003 functional level. I did an in-place upgrade from AD 2000 native mode to AD 2003. Curious thing is when I installed a fresh domain AD2003 test (without upgrade from ad2000) any recursive search (with php, outlook 2003, etc..) 
works. So I suspect that it is the migration that causes the problem but, I didn't know if such a request worked before migration :( My network trace between my workstation and any DCs confirmed the error: LDAP: ProtocolOp = SearchResponse (simple) LDAP: Result Code = Unavailable Critical Extension LDAP: Error Message =20EF: SvcErr: DSID-031402D0, problem 5010 (UNAVAIL_EXTENSION) LDAP: Controls LDAP: Sort Response Control LDAP: Criticality = 0 (0x0) LDAP: Sort Result Code = Unwilling to Perform I contacted MS French support and they gave me the patch concerning http://support.microsoft.com/kb/841461/en-us, without success :( I found this http://support.microsoft.com/kb/842637/en-us that seems to correspond to my problem, but how to put the script in my Outlook 2003? This is in the workaround section. Any ideas? Cheers, Yann
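Eric's point in this thread, that a client should check what the DSA advertises before sending a control as critical, together with the trace at the end of Yann's message, as an added example that is not part of the original thread. The rootDSE values below are constructed to resemble a DC before and after the msDS-Other-Settings edit Eric describes (the assumption being that DisableVLVSupport=1 drops the VLV OID from the advertised controls); the client picks VLV plus server-side sort only when both are advertised, falls back to paged results otherwise, and parses the `problem 5010 (UNAVAIL_EXTENSION)` diagnostic from the trace. Nothing here talks to a real directory.

```python
import re

# LDAP control OIDs: server-side sort (RFC 2891), VLV request
# (draft-ietf-ldapext-ldapv3-vlv), simple paged results (RFC 2696).
OID_SORT_REQUEST = "1.2.840.113556.1.4.473"
OID_VLV_REQUEST = "2.16.840.1.113730.3.9.9"
OID_PAGED_RESULTS = "1.2.840.113556.1.4.319"

# Constructed rootDSE 'supportedControl' values: a 2k3 DC with VLV
# advertised, and the same DC after the VLV OID is no longer listed
# (assumed effect of DisableVLVSupport=1).
ROOTDSE_VLV_ON = [OID_PAGED_RESULTS, OID_SORT_REQUEST, OID_VLV_REQUEST,
                  "1.2.840.113556.1.4.801"]   # SD flags, just another control
ROOTDSE_VLV_OFF = [OID_PAGED_RESULTS, OID_SORT_REQUEST, "1.2.840.113556.1.4.801"]

# Constructed msDS-Other-Settings (multi-valued "Name=Value") after the edit.
OTHER_SETTINGS_AFTER = ["DisableVLVSupport=1", "DynamicObjectDefaultTTL=86400"]


def parse_other_settings(values):
    """Turn the 'Name=Value' strings of msDS-Other-Settings into a dict."""
    settings = {}
    for value in values:
        name, sep, val = value.partition("=")
        if sep:
            settings[name.strip()] = val.strip()
    return settings


def vlv_disabled_by_setting(other_settings):
    """True when the DC has been told to stop supporting VLV."""
    return parse_other_settings(other_settings).get("DisableVLVSupport") == "1"


def choose_controls(supported_control, want_vlv=True):
    """Decide which controls a browsing client may send as critical.

    VLV is only meaningful together with server-side sort, so both OIDs
    must be advertised. Otherwise degrade to paged results, then to a
    plain search. Returns (controls, reason_for_fallback_or_None).
    """
    advertised = set(supported_control)
    if want_vlv and {OID_SORT_REQUEST, OID_VLV_REQUEST} <= advertised:
        return [OID_SORT_REQUEST, OID_VLV_REQUEST], None
    if OID_PAGED_RESULTS in advertised:
        return [OID_PAGED_RESULTS], "VLV not advertised; using paged results"
    return [], "no paging control advertised; plain search"


# AD's diagnostic string carries a DSID (source location) plus the numeric
# and symbolic problem code, e.g. "DSID-031402D0, problem 5010 (UNAVAIL_EXTENSION)".
AD_DIAG = re.compile(r"DSID-([0-9A-Fa-f]+),\s*problem\s+(\d+)\s+\(([A-Z_]+)\)")


def parse_ad_diagnostic(message):
    """Return {'dsid', 'problem', 'name'} from an AD error message, or None."""
    match = AD_DIAG.search(message)
    if not match:
        return None
    return {"dsid": match.group(1), "problem": int(match.group(2)), "name": match.group(3)}


# The diagnostic from the trace in the thread, as a plain string.
TRACE_ERROR = "SvcErr: DSID-031402D0, problem 5010 (UNAVAIL_EXTENSION)"

if __name__ == "__main__":
    print(choose_controls(ROOTDSE_VLV_ON))
    print(choose_controls(ROOTDSE_VLV_OFF))
    print(vlv_disabled_by_setting(OTHER_SETTINGS_AFTER))
    print(parse_ad_diagnostic(TRACE_ERROR))
```

A real client would read `supportedControl` from the rootDSE once per connection and call `choose_controls` before building the search request; a client that skips that step and marks VLV critical gets exactly the Unavailable Critical Extension result in the trace once the DC stops advertising it.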
RE: [ActiveDir] Scripts
But as has been said in the past on this list, this approach is probably going to be thwarted by more crafty admins who know how to obtain the password anyway. So fundamentally, there is a security issue here. So long as you're willing to live with that issue, the approach will work I'm sure. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nazim Akperov Sent: Sunday, June 19, 2005 8:03 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Scripts Agree with "net user administrator thepassword". But 1. This should be a computer startup script 2. Set Visibility to disabled, otherwise smart users will notice the new password in a black window that appears for a couple of seconds. Regards Nazim -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie Sent: Monday, June 20, 2005 02:22 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Scripts Does anyone know of a script I can include in the login scripts to change the local admin passwords on the computers in my environment?
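Eric's caveat above is that the new password sits in clear text in a script anyone who can read the script can read. Below is an added example, not from the thread, that scans logon and startup scripts for `net user <account> <password>` lines carrying a literal password, and reports the location without copying the secret into the report. The script contents are constructed samples and the NETLOGON paths are only labels.

```python
import re

# 'net user <account> <password> [options]'. The second positional token is
# a literal password unless it is an option (/...) or '*' (prompt for it).
NET_USER = re.compile(
    r"^\s*@?(?:net(?:\.exe)?)\s+user\s+(?P<account>\S+)\s+(?P<password>\S+)",
    re.IGNORECASE,
)
COMMENT_PREFIXES = ("rem ", "rem\t", "::", "#", "'")


def find_hardcoded_net_user(script_text):
    """Return one finding per line that sets a password to a literal value.

    Only the password length is recorded, so the report itself does not
    re-expose the secret when it is shared.
    """
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        lowered = line.strip().lower()
        if lowered.startswith(COMMENT_PREFIXES):
            continue
        match = NET_USER.match(line)
        if not match:
            continue
        password = match.group("password")
        if password.startswith("/") or password == "*":
            continue  # an option such as /active:yes, or an interactive prompt
        findings.append({
            "line": lineno,
            "account": match.group("account"),
            "password_length": len(password),
        })
    return findings


def scan_scripts(scripts):
    """scripts: {path: text}. Returns {path: findings} for paths with hits."""
    report = {}
    for path, text in scripts.items():
        hits = find_hardcoded_net_user(text)
        if hits:
            report[path] = hits
    return report


# Constructed sample scripts; the paths stand for files in a NETLOGON share,
# which every authenticated user can read.
SAMPLE_SCRIPTS = {
    r"\\dc1\netlogon\logon.bat": (
        "@echo off\r\n"
        "rem net user administrator OldPass123  (left over, commented out)\r\n"
        "net user administrator S3cretPass\r\n"
        "net use h: \\\\fs1\\home\r\n"
    ),
    r"\\dc1\netlogon\startup.cmd": (
        "@net user administrator *\r\n"          # prompts, no literal password
        "net user helpdesk /active:yes\r\n"      # option, not a password
        "net.exe user svc_backup Wint3r2005 /add\r\n"
    ),
    r"\\dc1\netlogon\mapdrives.vbs": "' no account management here\r\n",
}

if __name__ == "__main__":
    for path, hits in scan_scripts(SAMPLE_SCRIPTS).items():
        for hit in hits:
            print("%s:%d sets a literal password for %s (%d chars)"
                  % (path, hit["line"], hit["account"], hit["password_length"]))
```

Run against a copy of the NETLOGON share, the report tells you which scripts leak a credential; Nazim's point that the command belongs in a computer startup script (running as the machine, not the user) does not change the finding, because the script file is still readable by the people it is meant to keep out.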
RE: [ActiveDir] Effect of change to MaxValRange
I also posted to this dl once before on MaxPageSize. The same argument could be made for MaxValRange as I made for MaxPageSize. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, June 17, 2005 11:15 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Effect of change to MaxValRange Thanks for the feedback. I thought some of the experts would be able to better articulate the consequences of changing that value. I read about it in Eric's Blog and based on the information I had come up with this response to changing the value. Performance issues include increased processor time to run the query and increased network bandwidth to send unnecessary query results. If the answer to the query is found in the first 1500 results there is no need to send another 2500 records. This setting affects all applications, so if multiple queries are run with an unspecified range it will return all of the results to every query and as more applications begin to use Active Directory for LDAP queries we will feel the performance hit. I think I was basically right. Thanks for helping me strengthen my point. From: joe [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] Date: 06/17/2005 11:33 AM To: ActiveDir@mail.activedir.org cc: Subject: RE: [ActiveDir] Effect of change to MaxValRange Please respond to [EMAIL PROTECTED] What happens when that isn't enough and they refuse to change again and you have to change your policy once more? How do you know you hit the limit and you aren't dropping entries? The application surely won't know. It will simply think there were only 4000 values and be done with it. If that attribute is for anything important, that could surely spell disaster for something. It could break applications that handle ranging but have a hard coded value for how big they think the ranges are. 
This happened to several applications I heard about as well as my own adfind because the developers (and I) assumed that the range returned would always be a certain size. Hopefully it shouldn't be many now since we got caught out in the 2K to K3 MaxValRange change from 1000 to 1500 but you never know. How the apps break depends on the apps, adfind would display some of the same values multiple times. One app I heard would fault out because it knew there couldn't be duplicate values and would hit them thinking there was a directory corruption issue. I expect there could be some hit on perf from slight to pretty bad as additional resources would be tied up for every query that hit objects with more than 1500 values. I am not sure, this isn't something I would ever consider doing outside of playtime in the lab. It is just too dangerous in my opinion. I would consider increasing MaxResultSetSize before I increased MaxValRange and I almost certainly wouldn't ever increase MaxResultSetSize either. I would severely question using that vendor because you don't know what other things they aren't doing correctly for Active Directory. Production AD is not the place to play with crappy directory aware apps. Exchange is more than enough. :o) joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, June 17, 2005 10:50 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Effect of change to MaxValRange All, What are the effects of changing the MaxValRange value? I have a vendor that does not want to change their code for LDAP queries that exceed this value. I wanted to know what repercussions I would experience if I increase it to 4,000. 
Chris
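joe's description above of adfind and other clients that assumed a fixed range size, as an added example; this is not code from the thread or from adfind. The fake DC below models AD's incremental value retrieval (the client asks for `attr;range=low-high`, the reply names the range actually served, and the high bound is `*` on the last chunk) with a configurable MaxValRange. The correct client reads the range the server returned; the hardcoded client assumes every chunk is 1500 values, which is what produces the duplicated values joe mentions when MaxValRange is raised, and silently drops values when it is lower than assumed. The group membership is constructed.

```python
import re

RANGE_ATTR = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$", re.IGNORECASE)


class FakeDC:
    """Model of AD incremental value retrieval for one multi-valued attribute.

    A request names 'attr;range=low-high' (high may be '*'). The reply names
    the range actually served, at most MaxValRange values, and uses '*' as
    the high bound when the last value was included.
    """

    def __init__(self, values, max_val_range=1500):
        self.values = list(values)
        self.max_val_range = max_val_range

    def search(self, requested_attr):
        match = RANGE_ATTR.match(requested_attr)
        if not match:
            raise ValueError("range option required: %r" % requested_attr)
        attr, low, high = match.group("attr"), int(match.group("low")), match.group("high")
        limit = low + self.max_val_range - 1          # the server caps the chunk
        if high != "*":
            limit = min(limit, int(high))
        chunk = self.values[low:limit + 1]
        if low + len(chunk) >= len(self.values):
            name = "%s;range=%d-*" % (attr, low)       # last chunk
        else:
            name = "%s;range=%d-%d" % (attr, low, low + len(chunk) - 1)
        return {name: chunk}


def fetch_all_correct(dc, attr):
    """Walk the ranges using the high bound the server actually returned."""
    low, result = 0, []
    while True:
        (name, chunk), = dc.search("%s;range=%d-*" % (attr, low)).items()
        result.extend(chunk)
        high = RANGE_ATTR.match(name).group("high")
        if high == "*":
            return result
        low = int(high) + 1


def fetch_all_hardcoded(dc, attr, assumed_step=1500):
    """Buggy client: ignores the returned range and assumes a fixed chunk size.

    If MaxValRange is raised above assumed_step, values are read twice
    (duplicates); if it is below, values are silently skipped.
    """
    low, result = 0, []
    while True:
        (name, chunk), = dc.search("%s;range=%d-*" % (attr, low)).items()
        result.extend(chunk)
        if name.endswith("-*"):
            return result
        low += assumed_step


def compare_clients(total_members, max_val_range, assumed_step=1500):
    """Run both clients against a constructed group and summarise the damage."""
    members = ["CN=user%05d,OU=Staff,DC=example,DC=com" % i for i in range(total_members)]
    dc = FakeDC(members, max_val_range)
    good = fetch_all_correct(dc, "member")
    bad = fetch_all_hardcoded(dc, "member", assumed_step)
    return {
        "expected": total_members,
        "correct_client": len(good),
        "correct_unique": len(set(good)),
        "hardcoded_client": len(bad),
        "hardcoded_unique": len(set(bad)),
        "duplicates": len(bad) - len(set(bad)),
        "missing": total_members - len(set(bad)),
    }


if __name__ == "__main__":
    print(compare_clients(5000, max_val_range=1500))   # defaults agree: no damage
    print(compare_clients(5000, max_val_range=4000))   # raised to 4000: duplicates
    print(compare_clients(5000, max_val_range=1000))   # 2000-era value: values skipped
```

The 1000 case is the 2K to K3 change joe refers to: a client written against a 1000-value range and pointed at a 1500-value DC skips a third of every group larger than the step. The correct client never needs to know the server's MaxValRange at all, which is why it survives both directions of the change.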
RE: [ActiveDir] Migration between domains with same NetBios name
AD itself shouldn't care (if it will care, I can't think of why right now, but then again it's only 8:32am, far before I am usually able to recall much). But someone who does broadcast, or maybe WINS gets mucked up as a result, they very well might care that a domain they think has some name doesn't know who they are. Having two domains with the same name within NetBIOS earshot of one another is risky business. I'm always fearful that some subtle component (in Windows or not) gets confused and talks to a DC in the wrong domain. Another option is logical migration w/o physical. Take the users and do logical migration on them (ldifde or the like), and deal with SID and such headache and domain rejoin. Another option is upgrade the 2k+ side to 2k3, and rename that domain. ~Eric From: [EMAIL PROTECTED] on behalf of Grillenmeier, Guido Sent: Thu 6/16/2005 12:52 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Migration between domains with same NetBios name Thanks Eric, renaming the source NT4 domain was on the list of my options and I know that it works as I've done it before in a larger test-environment. However, I expect many more headaches in a production environment as it's difficult to analyse all the dependencies to existing apps, e.g. Exchange 5.5 and others. And since you need to re-join all members to the domain anyways, it's almost as much work as just joining them to the target domain... ...hmm - that just triggered a thought - I guess it would be possible to do just that: rename the source dom (on PDC) + re-join all BDCs, then setup trust to the target domain and join all resources to target domain while accounts and groups are still in (renamed) source domain. [thinking continues]... of course the challenges with the apps and potential dependencies on the old domain name remain and need to be analysed first - so it's really tough to estimate the amount of work involved for this... 
Besides, the obvious downside is fallback options = customers usually don't allow any drastic changes in the existing infrastructure, when migrating to another one - which I fully understand. So I was mainly seeking other experience and things to look out for, if domain rename is not an option. E.g. is it really an issue to have a BDC of the NT4 CORP domain in the same subnet as a DC of the AD CORP domain? I guess I could hinder the AD DC somehow from trying to race against the NT4 BDC to become master browser. Even when we plan to do a hard-cutover (long weekend), I'll need DCs of both domains available at some point... And I know I need to test this anyways, but can't do so right now. I should mention, that I'm talking about roughly 1000 users with clients and servers distributed in a dozen locations. So nothing major - a hard cutover should be doable over a long 4-day weekend (incl. migration of all mailboxes at once) and handling re-ACLing on the FS is no issue. According to the customer, there are no other apps (other than Exchange) that leverage the NT4 domain for anything (other than running on a member server). My past experience tells me that this is likely not to be true... I'm sure there are other things that are often overlooked - any ideas? /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Thursday, 16 June 2005 07:53 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Migration between domains with same NetBios name Rename it? I will admit, I've never actually tried this, but I know people who say it works. I think you should try this procedure, on a test box first, and report back. Maybe you should do it to a BDC you bring up just to test, isolated, and see how it goes. http://support.microsoft.com/default.aspx?scid=kb;en-us;169741 If this does work, I'd like to know, so I can recommend it in the future. The other option is logical data migration but not actual migration if you will. IE, ldifde and such. 
But that comes with the normal lose the SIDs type of issues, which I assume to be a major headache for your scenario. ~Eric PS: Basically, this mail translates roughly into me saying, this might or might not work, and I'd like you to be my testing guy to let me know, since I've never had occasion to give it a whirl myself. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Wednesday, June 15, 2005 10:43 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Migration between domains with same NetBios name Here is a nice one - I've done quite a few migrations with all kinds of scenarios, so I hardly ask questions around this topic. But when migrating from one NT4 domain to an AD domain which both have the same NetBios names, various issues and potential conflicts come to mind and I wonder if others had to do this in the past, who could share their experience. Think about an existing NT4 domain called CORP
RE: [ActiveDir] Migration between domains with same NetBios name
Rename it? I will admit, I've never actually tried this, but I know people who say it works. I think you should try this procedure, on a test box first, and report back. Maybe you should do it to a BDC you bring up just to test, isolated, and see how it goes. http://support.microsoft.com/default.aspx?scid=kb;en-us;169741 If this does work, I'd like to know, so I can recommend it in the future. The other option is logical data migration but not actual migration if you will. IE, ldifde and such. But that comes with the normal lose the SIDs type of issues, which I assume to be a major headache for your scenario. ~Eric PS: Basically, this mail translates roughly into me saying, this might or might not work, and I'd like you to be my testing guy to let me know, since I've never had occasion to give it a whirl myself. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Wednesday, June 15, 2005 10:43 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Migration between domains with same NetBios name Here is a nice one - I've done quite a few migrations with all kinds of scenarios, so I hardly ask questions around this topic. But when migrating from one NT4 domain to an AD domain which both have the same NetBios names, various issues and potential conflicts come to mind and I wonder if others had to do this in the past, who could share their experience. Think about an existing NT4 domain called CORP and another existing AD domain called CORP (with DNS=copr.company.com). And now you need to migrate all users and resources from the NT4 CORP to the AD CORP and place AD DCs into the same sites as the existing NT4 DCs... I can imagine various challenges, besides not being able to setup a trust and thus losing various options for doing a normal migration. 
At least I have no need to register the AD domain in WINS; all clients are XP, but I know for sure that I'm going to run into various other issues (the worst one being that the account activation and the resource migration has to happen instantaneously, since resource access won't be possible across the domains). But I'm also thinking of networking issues with an NT4 DC of the one and an AD DC of the other domain in the same ip-subnet... I wonder how others have tackled this challenge and what issues you ran into. /Guido
RE: [ActiveDir] LDAP performance
Netstat -* will yield this info. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, June 14, 2005 9:24 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP performance Great article joe. It definitely sounds like it could be relevant in our scenario. On that note, do you know of any perf counter that can tell me how many active ports above 1024 are being used at any given time? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, June 13, 2005 10:09 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP performance What errors specifically are the clients seeing? Is the server returning any extended information or are the connections just dying on the vine? And if so are you sure? As Eric indicated, running through a trace would probably be mucho helpful. What type of client? If Windows, this KB may seem odd, but check out http://support.microsoft.com/?id=836429 What you are describing sounds like something I heard from another friend of mine doing some auth testing and the KB above ended up being what the issue was related to. I am assuming they are most likely doing simple binds? If so, possibly the app developers may want to look at LDAP_OPT_FAST_CONCURRENT_BIND available in Windows Server 2003 AD which allows multiple binds over a single connection and should be faster overall. Read more here http://msdn.microsoft.com/library/default.asp?url= From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Monday, June 13, 2005 7:55 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] LDAP performance We're running into what appears to be some performance issues. We have several AD servers that we dedicate to doing LDAP authentications for various applications. We recently added a new application that performs a large number of binds. 
The day we cut the application over to AD LDAP the application owners began complaining that an average of 1 to 2 LDAP requests are being dropped every minute. Here are the details: Application: Issues an average of 100 binds per second. Average of 50 queries per second using filter (samaccountname=X) and requesting the DN as the return. HW: 2 Domain Controllers. Each is quad proc 2.4GHZ. Each has 4GB of RAM with the 3GB switch set. I ran this through ADSizer and it recommended one server with about half the capacity that is built into each of these servers. I've run several performance checks on these machines and it appears that they are barely breaking a sweat in terms of available resources. I've tweaked our default LDAP policies to add additional queries per proc and allowed larger buffers. But the app owner is still complaining. The network team has recommended that I increase the TCP listening queue on the servers. They suspect this because they are seeing a few syns that never get acked. I'm not familiar with how to do this in Windows and am not sure if that is really something I should be concerned with. Can anyone out there vouch for this theory? Or perhaps offer another theory as to why the DCs seem to not keep up with the load? Thanks One other thing, I set the LDAP diags to two and found the following warning popping up from time to time: ** Event Type: Warning Event Source: NTDS LDAP Event Category: LDAP Interface Event ID: 1216 Date: 6/13/2005 Time: 6:34:37 PM User: N/A Computer: ** Description: Internal event: An LDAP client connection was closed because of an error. Client ID: 427107 Additional Data Error value: 995 The I/O operation has been aborted because of either a thread exit or an application request. Internal ID: c0602ec For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. **
RE: [ActiveDir] LDAP performance
The one that comes on the XP CD. :)

C:\>netstat -o

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    ericslaptop:2832       someServer:1025        ESTABLISHED     4056
  TCP    ericslaptop:2843       anotherServer:1025     ESTABLISHED     4056

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, June 14, 2005 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance

Not on any of my versions of netstat, boss. Which version do YOU have? :-)

Windows Server 2003 sp1
C:\>filever c:\windows\system32\netstat.exe
- W32i APP ENU 5.2.3790.1830 shp 35,840 03-24-2005 netstat.exe

Windows Server 2003 RTM
C:\>filever c:\windows\system32\netstat.exe
- W32i APP ENU 5.2.3790.0 shp 31,744 03-25-2003 netstat.exe

Windows XP sp2
C:\>filever c:\windows\system32\netstat.exe
- W32i APP ENU 5.1.2600.2180 shp 36,864 08-04-2004 netstat.exe
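Joseph's question about counting active ports above 1024, and the netstat -o listing Eric pasted, can be answered from the same text: the following is an added example, not code from the thread, that parses netstat -o style output (the sample rows are constructed) and reports how much of the client's dynamic port range is occupied, TIME_WAIT included. The 1025-5000 range is the Windows XP / Server 2003 default (MaxUserPort) and is passed in as a parameter rather than assumed.

```python
"""Count dynamic (ephemeral) local ports from `netstat -o`-style output.

Added example, not code from the ActiveDir thread. It parses the text
netstat prints on XP / Server 2003 (Proto, Local Address, Foreign Address,
State, PID) and summarises how many local ports in the dynamic range are
held, by TCP state and by owning PID.
"""
from collections import Counter
import re

# Constructed sample shaped like the listing quoted in the thread; host
# names, ports and PIDs are made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    ericslaptop:2832       someServer:1025        ESTABLISHED     4056
  TCP    ericslaptop:2843       anotherServer:1025     ESTABLISHED     4056
  TCP    ericslaptop:2900       dc01:389               TIME_WAIT       0
  TCP    ericslaptop:2901       dc01:389               TIME_WAIT       0
  TCP    ericslaptop:2902       dc01:389               ESTABLISHED     1880
  TCP    ericslaptop:389        0.0.0.0:0              LISTENING       512
  TCP    ericslaptop:135        0.0.0.0:0              LISTENING       900
"""

# One connection row. UDP rows carry no State column, hence the optional group.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<remote>\S+):(?P<rport>\d+|\*)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["lport"] = None if row["lport"] == "*" else int(row["lport"])
        row["state"] = row["state"] or ""
        row["pid"] = int(row["pid"])
        rows.append(row)
    return rows


def ephemeral_port_report(text, low=1025, high=5000):
    """Summarise local ports inside the dynamic range [low, high].

    Returns (in_use, by_state, by_pid, pct_of_range). TIME_WAIT sockets are
    counted because they still hold the local port; a client that opens and
    closes one TCP connection per bind accumulates them quickly.
    """
    rows = [r for r in parse_netstat(text)
            if r["lport"] is not None and low <= r["lport"] <= high]
    by_state = Counter(r["state"] for r in rows)
    by_pid = Counter(r["pid"] for r in rows)
    in_use = len(rows)
    pct = 100.0 * in_use / (high - low + 1)
    return in_use, by_state, by_pid, pct


if __name__ == "__main__":
    n, states, pids, pct = ephemeral_port_report(SAMPLE_NETSTAT)
    print(f"{n} dynamic ports in use ({pct:.2f}% of the range)")
    for state, count in states.most_common():
        print(f"  {state or '(none)':<12} {count}")
    print("  top PIDs:", pids.most_common(3))
```

On a real box, feed it the saved output of netstat -o (or netstat -ano) taken while the client is under load, a few seconds apart, and watch whether the TIME_WAIT count climbs toward the range ceiling.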
RE: [ActiveDir] LDAP performance
That was a -*, indicating that there is some switch you should use, and that was an exercise I was leaving to the reader.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, June 14, 2005 2:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance

You did a * the first time! :-)
RE: [ActiveDir] LDAP performance
Thankfully for us all, I have no responsibility over the documentation. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, June 14, 2005 2:34 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] LDAP performance
Importance: Low

... and you wonder why people criticize MS documentation ;-) LOL! (just teasing)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
RE: [ActiveDir] LDAP performance
It's hard to really give any sort of analysis with the data provided. Do you have any network traces of entering failure state that we could see? With that hopefully we can provide more guidance.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 13, 2005 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance

Something similar came up for discussion last week. My response was to increase the maxreceivebuffer size. See Q315071 and Q834317.

HTH

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Isenhour, Joseph
Sent: Mon 6/13/2005 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance

Oops, one correction: 100 binds per second is the upper limit that I've found. Average of 10 binds per second.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Microsoft ISCSI SNS Server and ISCSI Initiator for Microsoft Clusters
I've set up iSCSI several times. Do you have an error to cite?

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, May 31, 2005 12:44 PM
To: [ExchangeList]; ActiveDir@mail.activedir.org
Subject: [ActiveDir] Microsoft ISCSI SNS Server and ISCSI Initiator for Microsoft Clusters

Good Afternoon,

I am trying to configure a HP 1200s NAS server appliance as an iSCSI Target server using Microsoft's iSNS server 3.0, along with a client server that we want to install Microsoft cluster server on that has the Microsoft iSCSI initiator 1.06. I am having trouble configuring it; has anyone done this yet? I am at a loss as to why I can not see the target server from a server that is running the ISCSI initiator.

http://www.microsoft.com/downloads/details.aspx?familyid=12CB3C1A-15D6-4585-B385-BEFD1319F825&displaylang=en
http://www.microsoft.com/downloads/details.aspx?FamilyID=0dbc4af5-9410-4080-a545-f90b45650e20&DisplayLang=en

Thanks in advance.

Jose Medeiros
408-449-6621 Cell
RE: [ActiveDir] GPO not applied - thinks it is empty
fashion, you know exactly when it is going to expire, make sure you change it before then. This gets fought and it goes to policy/security people who say, ok, we will grant a non-expiring password but you have to change it every X days!!!

How many people grant non-expiring IDs to application owners who say they will change their password at least every X days? Raise your hand. How many actually go back and audit those same IDs and shut them down if the password is older than that X days? Raise your hands. I expect the first number of hands far exceeds the second number. Who wants to take responsibility for knocking down a running application? This is the kind of thing I get fired for, because I will take that responsibility. I think it is more important that they be secure, because I know the minute they are compromised they are going to chew me out asking who did it and how.

I have seriously had managers ask me who logged onto a specific ID. My response... Well, whomever has the password, of course! No, specifically who logged on and did this. My response... I don't know; the mechanism I have for tracking the WHO is completely compromised by how you use the system with that ID. For a small fee, we can install a web cam on every machine in the world that people can log into and we can work out a mechanism around that, if you would like to track it the next time your application gets hacked.

Anyway... :o)

I would like MS to put out guidance on making services with self-setting passwords, as well as any services they have that require userids doing the same. If people write services they can do that now, but many don't because they think... Well crap, I have to store the plain text password somewhere... If the ID is a domain ID, don't do it that way; give the service ID the ability to SET its own password. Then it can randomly generate a password once a day, once a week, once a month and set it.

Now the issue, from what I understand, is that the service has to be restarted... I would like to see a mechanism that makes this so it isn't required. I expect it is possible; users do it now when they change their password interactively. While it is a troubleshooting good idea to log off and log on, it isn't always required. It should never be required.

Changing local machine IDs is much harder if the ID isn't an admin itself on the machine in question. Those currently would have to remember the old password. But the question is... If you have a local ID for a service... Why does it have to have a password at all? Why can't it be a service-only identity that you get to specifically set the rights for (i.e. not use localservice, which applies to all services running as localservice)? I would like to see a similar domain ID as well, so people don't have to be stuck with networkservice or a regular ID that needs changing. That one is a little tougher to overcome though.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 05, 2005 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

I used to store the password in the batch file before I got my brains bashed out on this list. So, I went back and now store the password in a DB, read it on the fly from a vbs and pass it on to the bat. What's taking you guys so long to give us a more elegant solution for this must-have? Until you do, all we have is crud and we balance the security of the implementation against the URGENT need for this feature. If you are savvy enough to fire up a sniffer to get the info or know where to go to get it raw, you are more than a casual threat as far as I'm concerned. In that situation, I'll let HR deal with you as soon as I find out (IF I find out). How does MS IT do it?

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Eric Fleischman
Sent: Wed 5/4/2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

If I could ask what might be the obvious, from a security perspective: If you have a policy out there resetting the local admin password, how are you storing the new password in the script? Hopefully you have something very clever in place, else I can get the local admin password out of your policy in so many ways:

* If you didn't consider this at all, I bet the policy is ACL'd with AU having read, so I can just read it out with notepad.
* If you were clever enough to ACL the policy so that only the machine accounts can read it, I could own a machine (perhaps I already do... perhaps I am in the local admins group on one of the boxes, because it is _my machine_) and just open the policy while
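joe's "raise your hands" point is that exemptions from password expiry are granted on a promise to rotate every X days and then nobody checks. The following is an added example, not code from the thread, of the check itself: it takes account records exported from AD (the records here are constructed), keeps those with the userAccountControl bit DONT_EXPIRE_PASSWORD (0x10000) set, converts pwdLastSet from a Windows FILETIME, and lists the ones whose password is older than the agreed maximum or was never set.

```python
"""Audit "password never expires" accounts against an agreed rotation period.

Added example, not code from the ActiveDir thread. Attribute names and the
flag value are the real AD ones (userAccountControl bit 0x10000 is
DONT_EXPIRE_PASSWORD; pwdLastSet is a FILETIME, 100-ns ticks since
1601-01-01 UTC). The sample account records are constructed.
"""
from datetime import datetime, timedelta, timezone

DONT_EXPIRE_PASSWORD = 0x10000          # userAccountControl: password never expires
NORMAL_ACCOUNT = 0x200                  # userAccountControl: ordinary user object
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware datetime.

    pwdLastSet == 0 means the password was never set or must be changed at
    next logon, so there is no date to compare; return None for that case.
    """
    if ft <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here to build sample records."""
    return int((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def stale_nonexpiring(accounts, max_age_days, now):
    """Return [(sAMAccountName, age_in_days_or_None)] for accounts flagged
    DONT_EXPIRE_PASSWORD whose password is older than max_age_days, or has
    never been set (age None). Accounts without the flag are covered by the
    domain password policy and are skipped."""
    findings = []
    for acct in accounts:
        if not acct["userAccountControl"] & DONT_EXPIRE_PASSWORD:
            continue
        last_set = filetime_to_datetime(acct["pwdLastSet"])
        if last_set is None:
            findings.append((acct["sAMAccountName"], None))
            continue
        age = (now - last_set).days
        if age > max_age_days:
            findings.append((acct["sAMAccountName"], age))
    return findings


# Constructed sample export: three service IDs granted the exemption and one
# ordinary user. A fixed "now" keeps the ages deterministic.
NOW = datetime(2005, 5, 5, 12, 0, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-backup",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "svc-monitor",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=20))},
    {"sAMAccountName": "svc-legacy",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": 0},
    {"sAMAccountName": "jdoe",
     "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
]

if __name__ == "__main__":
    for name, age in stale_nonexpiring(SAMPLE_ACCOUNTS, max_age_days=90, now=NOW):
        desc = "password never set" if age is None else f"{age} days old"
        print(f"{name}: {desc}")
```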
RE: [ActiveDir] How to enumerate scanners in a domain using ADSI/WMI
So this data would not be available in AD. You'd need to call down to each machine and find it. So really, this DL probably isn't best for this question. WMI can probably answer this question better than most other APIs (at least easier), but it will require a call out to each box, unless you start pushing this data in to some central repository.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manbinder Pal Singh
Sent: Sunday, May 08, 2005 8:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to enumerate scanners in a domain using ADSI/WMI

I am sorry for not being clear. I meant scanners that scan photos. Also I am interested in then knowing the attributes, like if the scanner is colored or not.

Thank You
Manbinder

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, May 08, 2005 9:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to enumerate scanners in a domain using ADSI/WMI

Scanners? Like scanners that scan your photos? Or like network sniffers (which some people call scanners)? Or something else? Can you clarify, Manbinder?

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manbinder Pal Singh
Sent: Saturday, May 07, 2005 2:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to enumerate scanners in a domain using ADSI/WMI

Hi all

I want to know how to find out how many scanners there are in the domain and their properties using ADSI/WMI. Any help would be appreciated.

Thank You
Manbinder
RE: [ActiveDir] How to enumerate scanners in a domain using ADSI/WMI
Big assumption. You're assuming that printers elect to publish to AD. If they don't, for any reason, you won't find them. So it depends upon the reason you're looking.

"Doesn't AD store any info about network scanners, just like printers?"

AD doesn't store info about printers so much as the printer people decided to publish stuff to AD. There's a major difference. It is up to the printer people to publish to AD. The AD people are not going out and finding printers. The scanner people did no such publishing, because they did not see value for their component. And they are right; for them, there really isn't.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manbinder Pal Singh
Sent: Sunday, May 08, 2005 9:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to enumerate scanners in a domain using ADSI/WMI

Thanks for the info. The thing is that I don't know how many scanners there are in my domain, and so I don't know the machines on which they are configured. My scenario is like this. Think I want info about all printers. AD stores info about all the network printers, and so by querying AD I should be able to know how many printers there are and basic detail about each printer, such as which machine it is installed on. Once I know the machines, I can query them to get further details. Doesn't AD store any info about network scanners, just like printers?

Thank You
Manbinder
[ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL......
http://www.microsoft.com/downloads/details.aspx?familyid=C3C26254-8CE3-46E2-B1B6-3659B92B2CDE&displaylang=en

I didn't read it for completeness, but spot checked, and many are there. Though certainly not every one, I'm sure.

~Eric
RE: [ActiveDir] How to enumerate scanners in a domain using ADSI/WMI
Scanners? Like scanners that scan your photos? Or like network sniffers (which some people call scanners)? Or something else? Can you clarify, Manbinder?

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manbinder Pal Singh
Sent: Saturday, May 07, 2005 2:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How to enumerate scanners in a domain using ADSI/WMI

Hi all

I want to know how to find out how many scanners there are in the domain and their properties using ADSI/WMI. Any help would be appreciated.

Thank You
Manbinder
RE: [ActiveDir] Winlogon 100% CPU and Fast user Switching as a Fix?
Next time, taking a dump of winlogon at 100% (actually a couple, a few seconds apart) would be interesting. With that we can see what it is chewing on, and perhaps get root cause.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Clark
Sent: Thursday, May 05, 2005 3:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Winlogon 100% CPU and Fast user Switching as a Fix?

Gentlemen,

A random other problem gave me a clue; looking into it further, it turns out that offline files was the problem. Reinitialising the offline cache has put the box back onto its feet. For anyone who needs to do this, it can be done with Control and Shift held down while clicking Delete Files on the Offline Files tab of Folder Options; it requires a reboot. I have no idea of the cause of the corruption, but this does seem to resolve the problem.

Thanks anyhoo.

Gary

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: 04 May 2005 19:10
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Winlogon 100% CPU and Fast user Switching as a Fix?

Dell GX-270s have a defective capacitor and are dying all over the world. Replace the system board.

-Z.V.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Clark
Sent: Wednesday, May 04, 2005 12:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Winlogon 100% CPU and Fast user Switching as a Fix?

Hello all,

Having spent two days poking this problem I am throwing myself on the group's mercy.

A Windows XP SP1 computer joined to the domain, much like its 300 brothers and sisters, decides one day that winlogon.exe should take 50%, or rather 100%, of one of the Dell GX270 hyper-threading virtual processors. Constant high CPU utilization makes the fans ramp up and turns a nice box into a loud evil box.

With winlogon using all the processor, the box shows symptoms of having broken WINS: no NetBIOS name resolution, cannot find file shares, etc., which also creates event IDs 1030 and 1058 as the group policy objects cannot be found. Example:

Windows cannot access the file gpt.ini for GPO CN={-0**2-4B**-B3F6-7B*8B878},CN=Policies,CN=System,DC=**,DC=***,DC=**,DC=**. The file must be present at the location \\ad.***.**.**\SysVol\ad..**.**\Policies\{***-***-***-***-}\gpt.ini. (The network path was not found.). Group Policy processing aborted.

While in this confused state the box will also not shut down cleanly and has to be POPO'd.

The obvious malware lines of investigation have proved fruitless; Ad-Aware did find some bits, but this has not resolved the problem. The winlogon has been verified as being in the right location and has not been switched with another version. The fact that the box is a Dell GX270 with a gigabit card also made me think that MS Article 840669, with the group policy not starting due to the race condition, might have helped, but again zip. Virus protection is installed and maintained and returns no nasties. The Intel 1000 gigabit card has had its drivers updated and still nada. I even disabled the built-in card and installed a 3Com 10 Mb NIC, and that exhibited the same trouble.

The curious thing, and what is driving me absolutely nuts, is that if the computer is removed from the domain and returned to a workgroup, the problem persists until you change the way users log on and use the Welcome screen with Fast User Switching. It has to be both using the Welcome screen and Fast User Switching; this puts the box back on its feet. Winlogon behaves and the network drives can once again be accessed.

We have seen this twice before on separate computers but have not paid it too much attention; rebuilds of the computers have fixed the problem. As this is something which keeps raising its ugly head, I think I need to try and get a good handle on it. The fact that there are so many other unaffected boxes makes me think that it is a software conflict on the client. What I don't get is why it can be turned on and off with Fast User Switching? If I didn't need the box to be in AD I would leave it as is, Fast User Switching enabled, and slip into a dark cave and put this down to gremlins, but that's not an option, and I am very nervous that more boxes could start playing up too...

~cheers
Gary
RE: [ActiveDir] Account activation and password setting using PHP/LDAPS
More generally, AD doesn't care who the client is; it only cares that the client can play by the rules: LDAPv2/3, for password ops a secure LDAP connection, etc. In fact, there isn't really a good way for AD to know what OS/client-side LDAP API/etc. a given LDAP client is running. We just service requests as they come to us. So as long as you can talk LDAPS to us, doing such an operation from a Windows system or a !Windows system should be very much the same.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 04, 2005 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account activation and password setting using PHP/LDAPS

Start here: http://support.microsoft.com/Default.aspx?kbid=269190

Short form. Yeah, it should be possible.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivier Marie
Sent: Wednesday, May 04, 2005 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account activation and password setting using PHP/LDAPS

Hello everybody,

Our Windows 2003 server is configured with LDAPS (port 636). I would like to know if it's possible to set an account password and activate the account from another server using PHP (Apache/Red Hat). I read that it's not possible to activate an account in this way. What do you know about this?

Many thanks,
Olivier

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
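The operation Eric describes, done the way any LDAPS-capable client would do it, as an added example that is not code from the thread or from KB 269190: a plain LDAPv3 simple bind over port 636, a replace of unicodePwd with the quoted, UTF-16LE-encoded new password, and a second modify that clears the "account disabled" bit of userAccountControl. It uses only .NET's System.DirectoryServices.Protocols; the server name, bind account and target DN in the usage lines are placeholders, and the bind account is assumed to hold Reset Password and write-userAccountControl rights on the target object.

```powershell
# Added example, not from the thread.  Server, bind account and target DN are
# placeholders; the bind account needs Reset Password and write
# userAccountControl rights on the target.  Requires .NET's
# System.DirectoryServices.Protocols (present on any Windows box).
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-UnicodePwd {
    # AD only accepts a password write as the new password wrapped in double
    # quotes and encoded UTF-16LE (what .NET calls 'Unicode'); see KB 269190.
    param([Parameter(Mandatory)][string]$Password)
    Write-Output -NoEnumerate ([System.Text.Encoding]::Unicode.GetBytes('"' + $Password + '"'))
}

function Get-EnabledUserAccountControl {
    # Clears ACCOUNTDISABLE (0x2) and keeps every other flag as it was.
    param([Parameter(Mandatory)][int]$Current)
    $Current -band (-bnot 0x2)
}

function Connect-LdapsSimpleBind {
    # Simple bind over SSL.  AD refuses unicodePwd writes on a connection that
    # is not encrypted, so SecureSocketLayer is the setting that matters.  The
    # server certificate is validated as usual; do not turn that off.
    param([Parameter(Mandatory)][string]$Server,
          [Parameter(Mandatory)][string]$BindUser,      # DN, UPN or DOMAIN\user
          [Parameter(Mandatory)][string]$BindPassword)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($BindUser, $BindPassword)
    $conn.Bind()
    $conn
}

function Send-LdapReplace {
    # One-attribute replace; $Value is a string or, for unicodePwd, a byte[].
    param($Connection, [string]$Dn, [string]$Attribute, $Value)
    $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $mod.Name      = $Attribute
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$mod.Add($Value)
    $req = New-Object System.DirectoryServices.Protocols.ModifyRequest
    $req.DistinguishedName = $Dn
    [void]$req.Modifications.Add($mod)
    [void]$Connection.SendRequest($req)
}

function Set-PasswordAndEnable {
    param([Parameter(Mandatory)]$Connection,
          [Parameter(Mandatory)][string]$UserDn,
          [Parameter(Mandatory)][string]$NewPassword)
    # 1. Administrative reset.  (A user changing their own password sends a
    #    delete of the old value plus an add of the new one instead.)
    Send-LdapReplace $Connection $UserDn 'unicodePwd' (ConvertTo-UnicodePwd $NewPassword)

    # 2. Read userAccountControl, clear the disabled bit, write it back.
    $search = New-Object System.DirectoryServices.Protocols.SearchRequest
    $search.DistinguishedName = $UserDn
    $search.Filter = '(objectClass=*)'
    $search.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Base
    [void]$search.Attributes.Add('userAccountControl')
    $entry = $Connection.SendRequest($search).Entries[0]
    $uac   = [int]$entry.Attributes['userAccountControl'][0]
    Send-LdapReplace $Connection $UserDn 'userAccountControl' ([string](Get-EnabledUserAccountControl $uac))
}

# Usage with placeholder names:
# $c = Connect-LdapsSimpleBind -Server 'dc1.company.com' -BindUser 'svc-prov@company.com' -BindPassword (Read-Host 'Bind password')
# Set-PasswordAndEnable -Connection $c -UserDn 'CN=Olivier,OU=Users,DC=company,DC=com' -NewPassword 'N3w-Passw0rd!'
```

The two modifies are sent separately on purpose: a unicodePwd replace and a userAccountControl replace in one ModifyRequest is rejected by the DC when the account is still disabled in a way that trips password-policy checks, and keeping them apart also gives a clear error for each step. A PHP client does the same thing with ldap_mod_replace over an ldaps:// URI; the part that trips people up on any platform is the quoting and UTF-16LE encoding of the password, not the language.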
RE: [ActiveDir] GPO not applied - thinks it is empty
If I could ask what might be the obvious, from a security perspective: if you have a policy out there resetting the local admin password, how are you storing the new password in the script? Hopefully you have something very clever in place, else I can get the local admin password out of your policy in so many ways:

If you didn't consider this at all, I bet the policy is ACL'd with AU having read, so I can just read it out with Notepad.

If you were clever enough to ACL the policy so that only the machine accounts can read it, I could own a machine (perhaps I already do; perhaps I am in the local admins group on one of the boxes, because it is _my machine_) and just open the policy while impersonating the machine. Or get the machine to do it for me (since I own it, I can make it do my bidding).

etc.

And if you haven't taken precautions, you should assume local admin on any machine with this password is local admin on them all. For it only takes one bad apple to spoil the whole bushel.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, May 04, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

Thanks Darren. I ran the gpotool as you suggested. As part of the output I am told:

Error: ServerName1 - Servername2 sysvol mismatch

AND

DC: Server2
Friendly name: server2
Created: 10/7/2004
Changed: 5-4-2005 5:34 pm
DS version: 0 (user) 37 (machine)
Sysvol version: 0 (user) 37 (machine)
Flags: 0
User extensions: not found
Machine extensions: .
Functionality version: 2

All of the functionality versions are 2.

Thanks,
Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, May 04, 2005 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

Brenda-

This usually means that the client is looking at the GPO's version number and it is showing up as 0 for computer revisions (in other words, it doesn't think any computer policy has been set in that GPO). Run gpotool.exe (from the Win2K reskit, or part of XP and 2003) against your DCs and see if any of them show a revision number of 0 for the computer side of the GPO containing your script. This could still mean that you have some issues with SYSVOL replication.

Essentially, there is a file called gpt.ini that is stored with the GPO in SYSVOL on each DC. This file contains a version number that lists how many changes were made to the computer and user sides of a GPO. That version should be the same as the version of that GPO held on the versionNumber attribute of the GPC object in AD. If there are discrepancies, then gpotool will tell you.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, May 04, 2005 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO not applied - thinks it is empty

I am no longer having replication issues on any servers; however, now when I run gpresult I am told that my GPO was not applied because it is empty. I can manually open the GPO and see my startup script is there.

Thanks,
Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Tuesday, May 03, 2005 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] administrator password change in Startup script in GPO

I have created a startup script to change my administrator password on specific machines as part of my group policy. These computers are part of a group; I have applied the policy to this group and set the security permissions appropriately.

When I run gpupdate on the PC, I get no error in the event log, but when I restart the machine, the administrator account password has not been changed. I have run replmon.exe and have found that 1 DC (out of 30) is not replicating, as it is out of hard drive space on C:. Could 1 out of 30 DCs be causing the problem, or is there something else I am missing? How long should it take before the policy takes effect?

Thanks,
Brenda
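Two checks for the situation in this thread, as an added example that is not code from the thread: Darren's comparison of the Version= line in the GPO's gpt.ini against versionNumber on the GPC object (the value packs two 16-bit counters, computer side in the low word and user side in the high word, which is why gpotool prints them separately), and a grep of the startup script for the plaintext password Eric warns about, since SYSVOL is readable by Authenticated Users by default. The sample gpt.ini, version values and startup script are constructed for the demo; the live helper at the end assumes a domain-joined host with the RSAT ActiveDirectory module (Get-ADObject) and read access to SYSVOL.

```powershell
# Added example; not code from the thread.  The sample gpt.ini, versionNumber
# values and script are constructed; Test-LiveGpo assumes the ActiveDirectory
# module and SYSVOL read access.

function Split-GpoVersion {
    # versionNumber packs two 16-bit change counters: low word = computer
    # side, high word = user side.  0 on the computer half is what makes a
    # client report the GPO as "empty" for computer policy.
    param([Parameter(Mandatory)][int64]$Version)
    [pscustomobject]@{
        Computer = $Version -band 0xFFFF
        User     = ($Version -shr 16) -band 0xFFFF
    }
}

function Get-GptIniVersion {
    # Pulls the Version= value out of gpt.ini text ([General] section).
    param([string[]]$Lines = @())
    foreach ($line in $Lines) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { return [int64]$Matches[1] }
    }
    throw 'gpt.ini has no Version= line'
}

function Compare-GpoVersion {
    # SYSVOL (gpt.ini) vs. directory (GPC versionNumber); InSync only when
    # both halves agree, which is the mismatch gpotool reports.
    param([Parameter(Mandatory)][int64]$GptIniVersion,
          [Parameter(Mandatory)][int64]$GpcVersion)
    $fs = Split-GpoVersion $GptIniVersion
    $ds = Split-GpoVersion $GpcVersion
    [pscustomobject]@{
        ComputerSysvol = $fs.Computer; ComputerDs = $ds.Computer
        UserSysvol     = $fs.User;     UserDs     = $ds.User
        InSync         = ($fs.Computer -eq $ds.Computer) -and ($fs.User -eq $ds.User)
    }
}

function Find-ScriptCredential {
    # Flags lines that usually carry a plaintext password in a logon/startup
    # script.  Review hits by hand: 'net user x /active:yes' also matches.
    param([string[]]$Lines = @())
    $patterns = @(
        'net\s+user\s+\S+\s+\S+',          # net user Administrator <password>
        '\.SetPassword\b',                 # ADSI  objUser.SetPassword "..."
        'password\s*=\s*["'']?[^"''\s]+'   # password = "..." assignments
    )
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        foreach ($p in $patterns) {
            if ($Lines[$i] -match $p) {
                [pscustomobject]@{ Line = $i + 1; Text = $Lines[$i].Trim() }
                break
            }
        }
    }
}

function Test-LiveGpo {
    # Live variant: domain-joined host, RSAT ActiveDirectory module, and read
    # access to SYSVOL (which, per the thread, Authenticated Users have).
    param([Parameter(Mandatory)][string]$Domain,    # DNS name of the domain
          [Parameter(Mandatory)][string]$GpoGuid)   # GPO name incl. braces
    $dcPart = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    $gpc    = Get-ADObject -Identity "CN=$GpoGuid,CN=Policies,CN=System,$dcPart" -Properties versionNumber
    $base   = "\\$Domain\SYSVOL\$Domain\Policies\$GpoGuid"
    Compare-GpoVersion (Get-GptIniVersion (Get-Content "$base\gpt.ini")) $gpc.versionNumber
    $scripts = Get-ChildItem "$base\Machine\Scripts" -Recurse -Include *.bat,*.cmd,*.vbs,*.ps1 -ErrorAction SilentlyContinue
    foreach ($f in $scripts) {
        foreach ($hit in Find-ScriptCredential (Get-Content $f.FullName)) {
            [pscustomobject]@{ File = $f.FullName; Line = $hit.Line; Text = $hit.Text }
        }
    }
}

# --- constructed demo data ---
$gptIni = @('[General]', 'Version=37')            # 37 computer-side changes, 0 user-side
Compare-GpoVersion (Get-GptIniVersion $gptIni) 37   # a DC that has the change
Compare-GpoVersion (Get-GptIniVersion $gptIni) 0    # a DC that never replicated it

$startupScript = @(
    '@echo off',
    'rem constructed example of the pattern Eric warns about',
    'net user Administrator Summer2005! ',
    'exit'
)
Find-ScriptCredential $startupScript
```

Run Test-LiveGpo once per DC (point -Domain at a specific DC's SYSVOL share if you want to see the lagging replica Brenda's gpotool output shows) and treat any Find-ScriptCredential hit as a password that every domain user already has.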
RE: [ActiveDir] Solaris authentication
I know someone doing auth from Solaris 9 and 10 against AD via Kerberos in production. I don't know how they are populating /etc/passwd but can find out. I've never used NIS against AD so couldn't say what's going on here.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, May 02, 2005 7:26 PM
To: ActiveDir@mail.activedir.org
Subject: Solaris authentication

Anyone know if this is passed in plain text? If so, I don't see any advantage to this versus the NIS server in SFU. Seems that the *nix community is making no progress in the secure authentication arena if this is the case. Any ideas or thoughts?

http://docs.sun.com/source/816-6775-10/a_activedirauth.html
RE: [ActiveDir] How much of the DIT is cached in RAM ?
and is available on AD, or at least it was on 2K AD, which is the last time I used it a couple of years ago. There used to be a KB out there that talked about what it made available, but I don't see it anywhere, which sucks because if I need it again I will have to go dig through 8 GB of PSTs and Notepad docs. :o)

I want to say that I think I heard they changed (or were changing) the name of this reg entry to something like "show advanced counters" or something like that, but I don't think I can point at any references for that. As far as I know, this key wasn't supposed to be hidden or secret, though it appears it might have gone underground. I don't think I will post any more on it and will let ~Eric or Brett put out in public whatever they think should be available.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Thursday, April 28, 2005 1:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

This has been a great thread. I've really enjoyed reading it. This question is going to illustrate my extreme ignorance; however, the answer is worth it. What is Squeaky Lobster?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Wednesday, April 27, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

ESE's advanced perf counters exist that tell you, on a non-per-search basis:

- Database Pages Transferred/sec
- Database Page Latches/sec

IIRC, the first is the rate of pages being transferred from disk, and the 2nd is the rate at which you are making a read of something on a page in the cache (that will include the read right after a page is transferred, BTW). It doesn't give you the per-query stats you were discussing, but it does give you an idea of how much disk the DC is requiring ... If you were to isolate a DC from load, except your query, it could give a _rough_ idea for a particular query, but remember latches aren't unique references, so if a single query internally has to read a page several times, that will be several latch counts. ...

Cheers,
-BrettSh

On Wed, 27 Apr 2005, joe wrote:

I waffled on posting that at all. I am not sure I can properly illustrate why I think it would be good for educational info. Maybe just to see from the outside the deltas in speeds of the same query when things are in cache versus not, etc. Overall it is just another stat to help understand how your directory is performing.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, April 27, 2005 2:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
RE: [ActiveDir] How much of the DIT is cached in RAM ?
Correcting myself inline (full of that today, aren't I?).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 10:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

"I think it would be kind of interesting if the STATS control could tell you what % of the result set came from cache or something like that"

Actually, that's not really what you want. If I may, let me change your ask into what I think you really would like. What you really want is the % of pages touched to service the query that were in the cache. It doesn't matter if those pages are returned or not; it only matters that you needed the pages to effectively service the search. As that's what defines the amount of time it takes to service it.

[Efleis] - I shouldn't say this, it isn't quite true. What I meant was, this defines the amount of time that we would spend on I/O, should those pages not be in memory. Other things might necessitate more time spent on the search.

That said, assuming you got what you really want, I'm not totally sold on the value. What will you learn?

1) More db cache - inefficient searches are faster
2) Better search filter optimization - better index selection - faster searches with less cache needed and less I/O needed

Searches that hit infrequently used indexes will have a lower % of pages in memory, but still be faster than inefficient ones that hit many pages in memory. And the avg IT admin will wonder why. :)

Inefficient searches are still inefficient, and are still going to require a large db cache to service them in any sort of timely manner. How much cache? As much as you have dataset that need be traversed for the inefficient search in question. Whatever that dataset might be.

Sell me on the learning opportunity here? Sorry, I'm just not seeing it. I like the idea on paper, and would be more than happy to file the bug. I'm just not seeing what you think you can do better with this data point than you can today.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, April 26, 2005 9:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Thanks ~Eric. I think it would be kind of interesting if the STATS control could tell you what % of the result set came from cache or something like that. How feasible would something like that be? Possibly the results of that would only be for educational reasons, but I, at least, would find that info interesting.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 8:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, April 26, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
RE: [ActiveDir] How much of the DIT is cached in RAM ?
You beat me to the reply, thanks Brett.

A better way to think of this, Joe, is that a subset of the DIT is in RAM, as much as we can fit, assuming 1) we don't run out of memory to use, 2) we don't have pressure to back off. And we try and pick the best pages to cache (best definition omitted for now).

The one thing we can't do today is that we can't proactively cache something. Though I've thought a lot about whether or not it is something that I should personally be pushing Brett's team to work on. There's good and bad, but the bottom line today is that you can warm the cache. In the absence of memory pressure, this warming technique will help get things in the first time. But there are some things it doesn't do:

1) It doesn't let you tell buffer manager to keep something in the cache no matter what, if you think you're smarter than the buffer manager. I would point out, almost never are you smarter than buffer manager, even when you think you are. But that doesn't mean you won't complain that we don't have a mechanism for it.

2) You can't really guarantee that something is in the cache with these sorts of warming techniques. You can get close, but you can't (for example) say "please prefetch this index." But warming the cache can do the big stuff, like walking ancestry and pulling in the mass of the data table.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, April 26, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Joe,

When you say "the actual DIT isn't cached in RAM, the tables, indexes, and such are cached", I'd take issue with that ... that isn't a good way to explain what is really happening. The DIT is most definitely cached in RAM; it is cached directly, 1 or more pages at a time, where a page is an 8k chunk for Active Directory. We do not extrude the tables and indexes from those pages; they stay in the pages, and we take a latch on that page's memory when we want to update the page ... then later we write that 8k chunk directly from that memory to the offset (based on its pgno) of the DIT file it belongs at.

Now, it is true, not all of the DIT may be cached; we'll only cache what we need, and it will not pull in free space pages into memory (at least in most circumstances ...? I'm thinking prefetching might ... but let's ignore).

I _think_ _online_ defrag (I know we're talking offline defrag below, but mentioning online defrag is important; it is what makes offline defrag unnecessary ... online defrag is frequently abbreviated OLD ... which of course would be the acronym of offline defrag if it had one; trust me, OLD is online defrag (at least as far as the ESE devs are concerned) ... poor taste for a TLA in my opinion ... that was a long aside) actually logs an event on how much free space there is in the database ... I'm 57% sure that the DIT size - that free size is the approximate size of the non-empty data pages (i.e. pages with data) in the DIT ... due to underflow of a record size on a page, the actual data size is almost assuredly even less than that ... I just made that up w/o looking at the code, so I may take that back later ...

You can see exactly how many bytes of the DIT file + Temp DB* are in RAM with perfmon counters ... first set the Squeaky Lobster registry key to get the advanced ESE performance counters, then use the Database performance object's Database Cache Size counter. Also look at Database Cache % Clean, b/c you should multiply those by each other to get real data pages currently in memory.

* Temp DB ... so the database cache is global, so any temporary sorts we needed to do during LDAP queries may be taking up some of the database cache ... I think it's like tmp.edb next to the ntds.dit file. There'd be no technical way to subtract one from the other, but maybe just subtract the whole tmp database size, because that gives you a lower bound on what is definitely ntds.dit.

( watch for usage of offline and online here ... )

I agree you shouldn't worry about offline defrag, but you should make sure that online defrag is completing every now and then or the space wastage will grow towards (I'll make a number range here) 3-5x what it could be. Online defrag ensures that useful data is collected onto the same page when it can be, such that the number of non-empty data pages is really quite close to what you'd get if you did an offline defrag. THOUGH, you'd have free pages in the database in the online defrag case that offline defrag would give you back in the form of a smaller DIT file. So for memory purposes, joe is right, don't worry about offline defrag unless there are disk space issues ... but do look for the successful online defrag event.

Note: There was an issue where online defrag was never completing.

Both online defrag and offline defrag basically scrunch all the
RE: [ActiveDir] How much of the DIT is cached in RAM ?
Sorry, should have said:

"I _think_ _online_ defrag actually logs an event on how much free space there is in the database"

Yes, it should. It might require turning up GC logging (to 1?), but either way, yes it does.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, April 26, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
RE: [ActiveDir] How much of the DIT is cached in RAM ?
Sorry, I keep forgetting things. Brett mentioned:

"Note: There was an issue where online defrag was never completing."

This was an issue on 2k. You might want to know how you would know if you are hitting this: it shows itself with a series of event 602s in the event logs. If you see this, holler, and we can provide steps to clear this. It's a trivial fix.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, April 26, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
RE: [ActiveDir] 2003 Native - gpresult shows domain = 2000?
Is this expected? Or should I be getting a different output?

Expected.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, April 24, 2005 4:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 Native - gpresult shows domain = 2000?

Gpresult shows Domain Type: Windows 2000

Ldp shows these:
1> domainFunctionality: 2;
1> forestFunctionality: 2;
1> domainControllerFunctionality: 2;

Is this expected? Or should I be getting a different output?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Windows 2003 setings
I would point out, the presence of the objects Guido cited does not say that forest/domain prep has been run, it says it completed successfully. If you ran forest/domain prep and it failed, that object would not be present, but instead you'd only have the operational GUIDs for each of the operations that succeeded (in the correct location for the prep run of course). It's important to note the subtle difference, as you might not see that there but still be trying to run forest/domain prep. If so, that means it is failing, and we'd want to pick up the adprep logs to see what the nature of the failure is.

Finally, I'd point out that running adprep from SP1 is better than from RTM. We added a lot of verbiage to error conditions to clearly spell out common error conditions which PSS saw in the field. So if you are prepping, SP1 is the best bet, as failure will be better spelled out should you hit any.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, April 22, 2005 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 setings

Yes, it doesn't have child objects, but it's not empty - it has some attributes determining its status = the revision attribute is stamped when all tasks have been completed successfully. What's this set to in your environment?

You'll get more details as to what was performed by checking the Operations container at the same level as the Windows2003update container = this should contain an entry for every operation which was performed during the upgrade (which are 37 for the forestprep and 50 for the domain prep) and the fact that the objects exist confirms that ADPREP /forestprep and /domainprep were executed in the respective forest/domain (and that the update replicated to other DCs).

Also check out this KB for more details: http://support.microsoft.com/Default.aspx?kbid=309628

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, 22 April 2005 22:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2003 setings

I have the windows2003update folder in both the config and domain NC, but it's empty. What does that mean?

Thanks

Grillenmeier, Guido wrote:

To check prep:

ADPREP /FORESTPREP
cn=forest name
cn=Configuration
cn=ForestUpdates
cn=windows2003update

ADPREP /DOMAINPREP
cn=domain name
cn=SYSTEM
cn=DomainUpdates
cn=Windows2003Update

To check functional level, it's easiest to read rootDSE of a specific DC.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, 22 April 2005 22:18
To: ActiveDir (E-mail)
Subject: [ActiveDir] Windows 2003 setings

I forgot, but where are the settings kept in AD where you can see if forest/domain prep has been run and which domain/forest functional level a domain/forest is on?

Thanks
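The two checks discussed in the functional-level thread above (reading the rootDSE *Functionality attributes from ldp output) and in this adprep thread (Windows2003Update object plus the Operations container) lend themselves to a small script. The following is an added example, not code from any poster on this list; it runs against a constructed snapshot rather than a live directory, so the rootDSE text, the revision value and the operation counts are made up. The level-number table and the 37/50 operation counts come from the messages above; the classification rule (object present with a revision attribute means the pass completed, operation GUIDs without that object mean it failed part-way) follows Eric's and Guido's description.

```python
import re

# rootDSE *Functionality values -> level names. The thread's ldp output shows
# value 2 on all three attributes, which is Windows Server 2003; gpresult's
# "Domain Type" field is unrelated to these values.
FUNCTIONALITY_LEVELS = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
    3: "Windows Server 2008",
    4: "Windows Server 2008 R2",
    5: "Windows Server 2012",
    6: "Windows Server 2012 R2",
    7: "Windows Server 2016",
}

# Operation GUIDs each Windows Server 2003 adprep pass records under
# CN=Operations, as stated by Guido (37 for forestprep, 50 for domainprep).
EXPECTED_OPERATIONS = {"forestprep": 37, "domainprep": 50}

# ldp.exe prints "N> attribute: value; value;". The '>' is optional here
# because mail and web extraction often drop it (as happened in the thread).
_LDP_LINE = re.compile(r"^\s*(\d+)>?\s*([A-Za-z][\w-]*):\s*(.*)$")


def parse_ldp_attributes(text):
    """Return {attribute: [values]} from ldp-style attribute lines."""
    attrs = {}
    for line in text.splitlines():
        m = _LDP_LINE.match(line)
        if not m:
            continue
        _, name, values = m.groups()
        attrs[name] = [v.strip() for v in values.split(";") if v.strip()]
    return attrs


def describe_levels(rootdse):
    """Map the three rootDSE functionality attributes to level names.
    A DC that does not publish them at all is a Windows 2000 DC."""
    result = {}
    for attr in ("domainFunctionality", "forestFunctionality",
                 "domainControllerFunctionality"):
        values = rootdse.get(attr)
        if not values:
            result[attr] = "not published (Windows 2000 DC)"
            continue
        level = int(values[0])
        result[attr] = FUNCTIONALITY_LEVELS.get(level, f"unknown level {level}")
    return result


def adprep_status(prep, update_object, operations_count):
    """Classify one adprep pass as (state, explanation).

    update_object: attributes of CN=Windows2003Update, or None if the object
    is absent; its 'revision' attribute is stamped only on full success.
    operations_count: entries under the sibling CN=Operations container,
    one per operation that succeeded.
    """
    expected = EXPECTED_OPERATIONS[prep]
    if update_object is not None and "revision" in update_object:
        return ("completed", f"{prep} completed: revision {update_object['revision']}, "
                             f"{operations_count}/{expected} operations recorded")
    if operations_count == 0:
        return ("not run", f"{prep} has not been run against this directory")
    return ("failed", f"{prep} ran but did not finish: {operations_count}/{expected} "
                      f"operations succeeded; collect the adprep logs before rerunning")


# Constructed snapshot (not from any real forest): a DC at level 2 everywhere,
# a forestprep that completed, and a domainprep that stopped after 12 of 50
# operations. The revision value is a placeholder, not a documented one.
SAMPLE_ROOTDSE = """\
1> domainFunctionality: 2;
1> forestFunctionality: 2;
1> domainControllerFunctionality: 2;
"""
SAMPLE_FOREST_UPDATE = {"revision": "PLACEHOLDER"}
SAMPLE_DOMAIN_UPDATE = None
SAMPLE_FOREST_OPS, SAMPLE_DOMAIN_OPS = 37, 12


def run_checks():
    """Evaluate the constructed snapshot; returns a dict of findings."""
    rootdse = parse_ldp_attributes(SAMPLE_ROOTDSE)
    return {
        "levels": describe_levels(rootdse),
        "forestprep": adprep_status("forestprep", SAMPLE_FOREST_UPDATE, SAMPLE_FOREST_OPS)[0],
        "domainprep": adprep_status("domainprep", SAMPLE_DOMAIN_UPDATE, SAMPLE_DOMAIN_OPS)[0],
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(key, value)
```

Against a live forest you would feed parse_ldp_attributes the rootDSE lines from ldp, and count the children of CN=Operations under CN=ForestUpdates (configuration NC) and CN=DomainUpdates,CN=System (domain NC) on the DC you are checking, since Guido notes the objects only prove the pass ran once they have replicated there.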
RE: [ActiveDir] GC's
I IM'd with Dean about this and found the DCR where we took this. Then confirmed the checkin... SP3 is the first SP that adds it.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, April 20, 2005 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

By golly you're right! (As expected.) Thanks.

A member of the Exchange team referred me to this KB http://support.microsoft.com/?id=324941

I've also asked for KB 304403 to be corrected.

Thanks again,
M

//me runs off to change the text in a chapter...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 20, 2005 12:11 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GC's

It is indeed dynamically enabled though I've not put that to the test. I believe it was first fixed in Windows 2000 SP3, review - http://support.microsoft.com/?id=305596

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, April 20, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

<ears prick up>

NSPI startup/shutdown without a reboot was addressed in w2k3? Can you point me toward any additional information? I had not come across that factoid.

Thanks.

</ears prick up>

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 20, 2005 11:37 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GC's

Only sort of wrong, there's a particular interface (NSPI/Named Service Provider Interface) exposed by GCs that is used by Exchange. This interface wasn't exposed on new GCs until they had been rebooted (that has been addressed for 2K3), the other aspects of the GC take effect according to something known as the occupancy level.

In the event I've misunderstood and you are actually asking what happens if you click-it-on and then straight back off again ... well, that depends on a few other clicks but I don't really think that's what you wanted to know.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, April 20, 2005 11:29 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] GC's

What's the effect of just checking and unchecking the GC box on the NTDS object in AD Sites and Services without a reboot? I don't think it has any effect at all. I thought for a GC to be demoted or promoted, you need a reboot in win2k sp4? Am I wrong?

Thanks
RE: [ActiveDir] NTDS.dit size
Trick question? The parts of the 100gb that will replicate are the parts that change. (not counting dcpromo of new boxes) How much is changing? Who knows. Different for everyone.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Friday, April 15, 2005 2:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Eric,

Granted, but how much of that actual 100gb will be replicated over that 64k line? I can see the issue if you do a DC promo on a W2k3 server on the other side and it's the first box and has to pull info over 64k, but once established that traffic shouldn't even be close to 100mb. That said, it is also environment dependent :P

Carlos Magalhaes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: 15 April 2005 06:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Oops, I typo'd. First paragraph should have read:
--
It's hard to characterize how much connectivity you need vs. how big your db is. A huge db of mostly static info doesn't need nearly as much connectivity as a smaller db that changes a _ton_. So really, it's all about your rate of change, with the size only being a guideline.
--

I would also add, that in the average case, you're right, large DBs _tend_ to require more bandwidth than smaller ones. I can't picture a 100gb DB on the other side of a 64k link being good in the average case. :)

~Eric

-Original Message-
From: Eric Fleischman
Sent: Thursday, April 14, 2005 8:56 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] NTDS.dit size

It's hard to characterize how much connectivity you need vs. how big your db is. A huge db of mostly static info doesn't need nearly as much connectivity as a smaller db that doesn't change very much. So really, it's all about your rate of change, with the size only being a guideline.

For promotion, at that scale, IFM is clearly the way to go. But there's nothing wrong with the occasional promotion that is over the wire. It'll finish, it will just take a while, even on a fast network.

With a 20gb db, a few things might help you:

1) Explore 64bit (ia64 or x64). Recall that on 2k3 32bit your best case cache is ~2.6gb in size. With 64bit, the sky is the limit; throw ram at a DC, and it will use it to cache more of the db. DB caching cuts down on the I/O required for reads (which for most people are the bulk of their load) and helps your perf a lot.

2) If you're on 32bit, I like boxes w/~4gb of physical memory, nothing else on them, and /3gb set. It lets you really use your cache well, and still have some headroom for the OS and tools you might use here and there.

3) I'm a fan of profiling traffic hitting my DCs and optimizing the queries for AD, and possibly optimizing AD for the queries (both are on the table). Tools like SPA, field engineering logging (mentioned in a thread on this dl earlier today) and any 3rd party tools you might like all can help here. Though this advice isn't specific to large DBs. I like making things faster at any scale. :)

4) Standard disk logic about optimizing I/O throughput applies.

5) Some people warm the cache on DC boot. This is particularly interesting on 64bit DCs where you have tons of memory headroom. That is, after the box boots they run some really expensive queries that walk very expensive indexes (ancestry, dnt, etc.) to traverse as many objects as they can, and get them off of the disk and into memory. It hits the DC hard from an I/O standpoint on boot, but it does get a lot of the db into memory for actual load that starts to hit the box after. It's done in more environments than one. I like the idea quite a bit, and have thought about if there is anything we should do in the product to help facilitate this.

The list is of course endless, but these are a few things that come to mind.

My $0.02
~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, April 14, 2005 8:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTDS.dit size

Eric/Joe,

Thanks for the great input! My test lab is VM ware running on 20 GB TB SAN that you can use as a test = very nice setup.

100 GB did those sites have really good connectivity? You can install AD from media in 2003 but I would think there would be problems in a 2000 domain with poorly connected offices.

Joe, do you run joeware.net... if you do great site and thanks for the nice tools.

Thanks again
Mike

On 4/14/05, Eric Fleischman [EMAIL PROTECTED] wrote:
Well I've seen very very large in test on many occasions. The numbers I cited below (with those very descriptive adjectives) are just what I've seen in production. I didn't think test counted. If you want to count test, I could fire up a test db that is a TB or so on a san I have nearby
RE: [ActiveDir] NTDS.dit size
Better yet: http://search.msn.com/results.aspx?q=DNS+2003+%22application+partition%2 2FORM=QBHP

I would point out, moving to app partitions does not _shrink_ the size of the data you have to store in the aggregate as has been alluded to. Rather, it does two things:

1) It lets you control the scope of where it is stored so non-DNS servers don't need to keep a copy around

2) It removes the partial NC copies from GCs in other domains in the forest, who do nothing but house these little guys (at least a PAS-worth of them)

I know the posters probably meant this, but they didn't really state it, so I wanted to clarify.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Friday, April 15, 2005 6:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Well Francis,

How are your DNS servers set up? Are they:
1. Windows DNS servers
2. Have you specified that your Zones are Active Directory Integrated Zones

If you haven't created the default DNS app partitions, right click on your DNS server --- Create Default DNS application Partitions. This will create two APP partitions:
1. ForestDNS
2. DomainDNS

HTH

Carlos Magalhaes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: 15 April 2005 02:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Hi Guido,

Can you provide us with some more information on moving the DNS data into the DNS app partition?

Thanks!

Francis

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: 15 April 2005 04:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

It's also worth pointing out that you have to distinguish heavily between the OS version and the DIT size to expect. Other cleanup tasks can also strongly impact DIT size.

At HP our Win2000 GCs had an average DIT size of 18GB - we then disabled the Distributed Link Tracking service on all DCs as it feeds AD with a ton of garbage information (actually the information would be quite useful if any app were using it - but as even the MS apps make no use of it to look up the new location of moved files in AD, this service is useless). After removal of a ton of link-objects which were collected over the years in each domain's \System\FileLinks container, we decreased the DIT size easily by 6GB (don't have the exact values off the top of my head) - naturally this was after the tombstone lifetime and an offline defrag. So now we were down to something like 12GB. Check out Q312403 for more details - if you're running a new Win2003 AD, this service will be turned off by default.

Then the first Win2003 DCs were introduced (we did perform some inplace upgrades, but eventually all of them were re-installed) = the single-instance store of ACEs introduced in Win2003 saved us another 5GB and thus got us down to 7GB = so now we're 11GB less than it was for a Win2000 DC with DLT objects ;-)

We've further improved DIT size (and replication) by moving the DNS data into the DNS app partitions (so that they're not part of the GC). But this impact is not as dramatic (will mostly impact DIT on those DCs which aren't DNS servers...)

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Friday, 15 April 2005 05:43
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTDS.dit size

Eric/Joe,

Thanks for the great input! My test lab is VM ware running on 20 GB TB SAN that you can use as a test = very nice setup.

100 GB did those sites have really good connectivity? You can install AD from media in 2003 but I would think there would be problems in a 2000 domain with poorly connected offices.

Joe, do you run joeware.net... if you do great site and thanks for the nice tools.

Thanks again
Mike

On 4/14/05, Eric Fleischman [EMAIL PROTECTED] wrote:
Well I've seen very very large in test on many occasions. The numbers I cited below (with those very descriptive adjectives) are just what I've seen in production. I didn't think test counted. If you want to count test, I could fire up a test db that is a TB or so on a san I have nearby. :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 4:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

See I almost cc'ed you on the response to get your input on this too as I knew you had played with some 16GB+ DITS but didn't want to bother you for this and didn't want to speak out of turn for you.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, April 14, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

I've seen larger. I've seen 15GB
RE: [ActiveDir] NTDS.dit size
Sure. There is a good chunk of the db that doesn't replicate because it is outside of the AD object model (example: indexes) or marked to not replicate (ex: some attributes). But in the aggregate, for most objects, a fair statement... without clouding the issue with the nuances.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 15, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Just to clarify, it is the parts that change and are tagged to replicate that replicate. You could have shitloads of changes occurring that never leave the DC.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, April 15, 2005 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Trick question? The parts of the 100gb that will replicate are the parts that change. (not counting dcpromo of new boxes) How much is changing? Who knows. Different for everyone.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Friday, April 15, 2005 2:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Eric,

Granted, but how much of that actual 100gb will be replicated over that 64k line? I can see the issue if you do a DC promo on a W2k3 server on the other side and it's the first box and has to pull info over 64k, but once established that traffic shouldn't even be close to 100mb. That said, it is also environment dependent :P

Carlos Magalhaes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: 15 April 2005 06:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Oops, I typo'd. First paragraph should have read:
--
It's hard to characterize how much connectivity you need vs. how big your db is. A huge db of mostly static info doesn't need nearly as much connectivity as a smaller db that changes a _ton_. So really, it's all about your rate of change, with the size only being a guideline.
--

I would also add, that in the average case, you're right, large DBs _tend_ to require more bandwidth than smaller ones. I can't picture a 100gb DB on the other side of a 64k link being good in the average case. :)

~Eric

-Original Message-
From: Eric Fleischman
Sent: Thursday, April 14, 2005 8:56 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] NTDS.dit size

It's hard to characterize how much connectivity you need vs. how big your db is. A huge db of mostly static info doesn't need nearly as much connectivity as a smaller db that doesn't change very much. So really, it's all about your rate of change, with the size only being a guideline.

For promotion, at that scale, IFM is clearly the way to go. But there's nothing wrong with the occasional promotion that is over the wire. It'll finish, it will just take a while, even on a fast network.

With a 20gb db, a few things might help you:

1) Explore 64bit (ia64 or x64). Recall that on 2k3 32bit your best case cache is ~2.6gb in size. With 64bit, the sky is the limit; throw ram at a DC, and it will use it to cache more of the db. DB caching cuts down on the I/O required for reads (which for most people are the bulk of their load) and helps your perf a lot.

2) If you're on 32bit, I like boxes w/~4gb of physical memory, nothing else on them, and /3gb set. It lets you really use your cache well, and still have some headroom for the OS and tools you might use here and there.

3) I'm a fan of profiling traffic hitting my DCs and optimizing the queries for AD, and possibly optimizing AD for the queries (both are on the table). Tools like SPA, field engineering logging (mentioned in a thread on this dl earlier today) and any 3rd party tools you might like all can help here. Though this advice isn't specific to large DBs. I like making things faster at any scale. :)

4) Standard disk logic about optimizing I/O throughput applies.

5) Some people warm the cache on DC boot. This is particularly interesting on 64bit DCs where you have tons of memory headroom. That is, after the box boots they run some really expensive queries that walk very expensive indexes (ancestry, dnt, etc.) to traverse as many objects as they can, and get them off of the disk and into memory. It hits the DC hard from an I/O standpoint on boot, but it does get a lot of the db into memory for actual load that starts to hit the box after. It's done in more environments than one. I like the idea quite a bit, and have thought about if there is anything we should do in the product to help facilitate this.

The list is of course endless, but these are a few things that come to mind.

My $0.02
~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, April 14
RE: [ActiveDir] NTDS.dit size
I've seen larger. I've seen 15GB+ on MANY occasions, 30GB+ on quite a few occasions, and 100GB+ on a few occasions.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 4:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

The largest production DIT I have personally seen was on the order of 8GB for the GC DIT for a Fortune 5 company running about 250k users of which about 180k were Exchange enabled. Also had some 250k contacts, 200k or so computer objects, 100k or so group objects and consisted of 9 domains.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Tuesday, April 12, 2005 2:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTDS.dit size

I know that AD can have millions of objects, just trying to see what the real world size of some of your AD databases are. Do any of you have databases greater than 20GB+... or more?

Thanks
Mike
RE: [ActiveDir] NTDS.dit size
Well I've seen very very large in test on many occasions. The numbers I cited below (with those very descriptive adjectives) are just what I've seen in production. I didn't think test counted. If you want to count test, I could fire up a test db that is a TB or so on a san I have nearby. :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 4:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

See I almost cc'ed you on the response to get your input on this too as I knew you had played with some 16GB+ DITS but didn't want to bother you for this and didn't want to speak out of turn for you.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, April 14, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

I've seen larger. I've seen 15GB+ on MANY occasions, 30GB+ on quite a few occasions, and 100GB+ on a few occasions.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 4:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

The largest production DIT I have personally seen was on the order of 8GB for the GC DIT for a Fortune 5 company running about 250k users of which about 180k were Exchange enabled. Also had some 250k contacts, 200k or so computer objects, 100k or so group objects and consisted of 9 domains.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Tuesday, April 12, 2005 2:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTDS.dit size

I know that AD can have millions of objects, just trying to see what the real world size of some of your AD databases are. Do any of you have databases greater than 20GB+... or more?

Thanks
Mike
RE: [ActiveDir] NTDS.dit size
It's hard to characterize how much connectivity you need vs. how big your db is. A huge db of mostly static info doesn't need nearly as much connectivity as a smaller db that doesn't change very much. So really, it's all about your rate of change, with the size only being a guideline.

For promotion, at that scale, IFM is clearly the way to go. But there's nothing wrong with the occasional promotion that is over the wire. It'll finish, it will just take a while, even on a fast network.

With a 20gb db, a few things might help you:

1) Explore 64bit (ia64 or x64). Recall that on 2k3 32bit your best case cache is ~2.6gb in size. With 64bit, the sky is the limit: throw ram at a DC, and it will use it to cache more of the db. DB caching cuts down on the I/O required for reads (which for most people are the bulk of their load) and helps your perf a lot.

2) If you're on 32bit, I like boxes w/ ~4gb of physical memory, nothing else on them, and /3gb set. It lets you really use your cache well, and still have some headroom for the OS and tools you might use here and there.

3) I'm a fan of profiling traffic hitting my DCs and optimizing the queries for AD, and possibly optimizing AD for the queries (both are on the table). Tools like SPA, field engineering logging (mentioned in a thread on this dl earlier today) and any 3rd party tools you might like all can help here. Though this advice isn't specific to large DBs.. I like making things faster at any scale. :)

4) Standard disk logic about optimizing I/O throughput applies.

5) Some people warm the cache on DC boot. This is particularly interesting on 64bit DCs where you have tons of memory headroom. That is, after the box boots they run some really expensive queries that walk very expensive indexes (ancestry, dnt, etc.) to traverse as many objects as they can, and get them off of the disk and into memory. It hits the DC hard from an I/O standpoint on boot, but it does get a lot of the db into memory for actual load that starts to hit the box after. It's done in more environments than one. I like the idea quite a bit, and have thought about if there is anything we should do in the product to help facilitate this.

The list is of course endless, but these are a few things that come to mind.

My $0.02
~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, April 14, 2005 8:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTDS.dit size

Eric/Joe,

Thanks for the great input! My test lab is VM ware running on 20 GB TB SAN that you can use as a test = very nice setup.

100 GB did those sites have really good connectivity? You can install AD from media in 2003 but I would think there would be problems in a 2000 domain with poorly connected offices.

Joe, do you run joeware.net... if you do great site and thanks for the nice tools.

Thanks again
Mike

On 4/14/05, Eric Fleischman [EMAIL PROTECTED] wrote:
Well I've seen very very large in test on many occasions. The numbers I cited below (with those very descriptive adjectives) are just what I've seen in production. I didn't think test counted. If you want to count test, I could fire up a test db that is a TB or so on a san I have nearby. :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 4:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

See I almost cc'ed you on the response to get your input on this too as I knew you had played with some 16GB+ DITs but didn't want to bother you for this and didn't want to speak out of turn for you.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, April 14, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

I've seen larger. I've seen 15GB+ on MANY occasions, 30GB+ on quite a few occasions, and 100GB+ on a few occasions.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 4:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

The largest production DIT I have personally seen was on the order of 8GB for the GC DIT for a Fortune 5 company running about 250k users of which about 180k were Exchange enabled. Also had some 250k contacts, 200k or so computer objects, 100k or so group objects and consisted of 9 domains.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Tuesday, April 12, 2005 2:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTDS.dit size

I know that AD can have millions of objects, just trying to see what the real world size of some of your AD databases are. Do any of you have databases greater than 20GB+... or more
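Eric's point 5 (warming the ESE cache after a DC reboot by walking as many objects as possible) and Mike's original question (how big is the DIT) can both be checked with a small script. The following is an added example, not code from the thread or from Microsoft: it reports the size of NTDS.dit from the standard NTDS registry value, then runs a paged subtree search over the default naming context so that the object and link pages are read from disk into the database cache before client load arrives. The server name, naming context, page size and the attribute list are assumptions you would adjust for your own forest; it is meant to be run on the DC itself as an account allowed to read the directory.

```powershell
# Added example (not from the thread): measure NTDS.dit and warm the DC's
# database cache by touching every object in the naming context once.
param(
    # Hypothetical defaults: the local DC and its own default naming context.
    [string]$Server     = $env:COMPUTERNAME,
    [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext,
    [int]$PageSize      = 1000
)

# 'DSA Database file' under the NTDS Parameters key holds the path to NTDS.dit.
$ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dit = Get-Item $ntdsParams.'DSA Database file'
'{0}: {1:N0} MB' -f $dit.FullName, ($dit.Length / 1MB)

# Paged subtree search: (objectClass=*) visits every object, and the small
# attribute set below pulls in the data table rows plus the link table
# (memberOf), which is what the "walk as many objects as you can" advice is
# about. PageSize keeps the DC from building one huge result set in memory.
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$SearchBase")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = '(objectClass=*)'
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = $PageSize
$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'objectClass', 'objectSid', 'memberOf'))

$sw      = [System.Diagnostics.Stopwatch]::StartNew()
$count   = 0
$results = $searcher.FindAll()
try {
    # Enumerating the collection is enough; each page read forces the DC to
    # fault the backing database pages from disk into cache.
    foreach ($r in $results) { $count++ }
}
finally {
    $results.Dispose()   # SearchResultCollection holds unmanaged handles
}
$sw.Stop()
'Touched {0:N0} objects in {1:N1} s' -f $count, $sw.Elapsed.TotalSeconds
```

Run it twice in a row after a reboot: the second pass finishing much faster than the first is the crude sign that the pages now come from cache rather than disk. As Eric notes, the first pass is deliberately expensive, so schedule it at boot, before the DC is expected to answer real clients, rather than during the day.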
RE: [ActiveDir] NTDS.dit size
Oops, I typo'd. First paragraph should have read:

--
It's hard to characterize how much connectivity you need vs. how big your db is. A huge db of mostly static info doesn't need nearly as much connectivity as a smaller db that changes a _ton_. So really, it's all about your rate of change, with the size only being a guideline.
--

I would also add, that in the average case, you're right: large DBs _tend_ to require more bandwidth than smaller ones. I can't picture a 100gb DB on the other side of a 64k link being good in the average case. :)

~Eric

-Original Message-
From: Eric Fleischman
Sent: Thursday, April 14, 2005 8:56 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] NTDS.dit size