Re: [ActiveDir] Add or Remove Programs GPO

2007-01-26 Thread Matheesha Weerasinghe

might it be worth running something like filemon and regmon and
checking what's happening?

On 1/26/07, Bart Van den Wyngaert [EMAIL PROTECTED] wrote:

That opens the snap-in...

So through the Control Panel it doesn't work, directly running the .cpl it
does. Still don't understand it totally though...



On 1/25/07, Darren Mar-Elia [EMAIL PROTECTED] wrote:




You would not get a permissions problem from that admin. templates policy.
They just don't work that way. So my guess is it's something else. What
happens, as administrator, when you run appwiz.cpl from a command prompt?



 Darren






 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Bart Van den Wyngaert
 Sent: Thursday, January 25, 2007 4:31 AM

 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Add or Remove Programs GPO









I did, but the local administrators group has full control on the file.
And of course, my AD admin account is part of the local administrators group
on the workstations (naturally).





 That's the reason I absolutely don't have a clue, I don't see the relation
in restrictions put in place and the effect on the admin account and when I
start looking for that error message, I don't make progress either...




 On 1/25/07, Grillenmeier, Guido [EMAIL PROTECTED] wrote:



 So what is the NTFS security on
C:\WINNT\System32\rundll32.exe?  The error message could
naturally be a false hint, but might as well check it out.




 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Bart Van den Wyngaert
 Sent: Donnerstag, 25. Januar 2007 12:00
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Add or Remove Programs GPO





 No NTFS or other restrictions set in that GPO or the PC GPO.


 Only some other restrictions like no access to control panel, no
messenger, ... stuff.





These apply to the specific Users OU + Computer OU, making a User & PC
configuration for those PCs + Users (certain department).





My admin account is totally somewhere else in the directory without those
GPOs applied to it. The restrictions in the Computer GPO are also not set to
block the admin. I can drill down the Computer GPO if you want, as I don't
see any relevant setting in it. Otherwise I would be blocking myself and
that's just the point I don't want...





 Thanks,


 Bart




 On 1/25/07, Grillenmeier, Guido [EMAIL PROTECTED] wrote:



 What other things did you change in the same or other GPOs that apply to
the machine you're logging on as admin?  If you've applied some lockdown
GPOs for file-system permissions, those will also apply for your admins



 /Guido




 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Bart Van den Wyngaert
 Sent: Mittwoch, 24. Januar 2007 17:38
 To: ActiveDir
 Subject: [ActiveDir] Add or Remove Programs GPO





 Hi,





 I've set a GPO for some users that restricts usage of Add or Remove
Programs (User Configuration\Administrative Templates\Control Panel\Add or
Remove Programs). This GPO is linked to a specific OU where those users
reside.





But now, even with admin accounts to which the GPO doesn't apply
(totally different OU location and so on...), I have problems opening the
interface; it refers to security that is not correct on
C:\WINNT\System32\rundll32.exe





 Is this normal?! Did I miss something before setting this GPO?





 Thanks,


 Bart







List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


Re: [ActiveDir] OT: Network latency on VBScript-mapped drive letters.

2007-01-24 Thread Matheesha Weerasinghe

Just curious. Are you sure it's not something like AV scanning network
files on access? Generally once scanned they add them to a temp db of
known good list to prevent scanning when accessed later. If so, that
would explain slow performance when first accessing the files but
better responses when accessing after manually mapping drives.

Do you think it's worth looking at network traces to see if any SMB
errors are occurring?

On 1/23/07, Laura E. Hunter [EMAIL PROTECTED] wrote:

So I have a VBScript that I use to map a network drive to a DFS share,
as follows:

' map the DFS share to a drive letter (string literals need their quotes)
strDriveLetter   = "S:"
strBaseDrivePath = "\\domain name\dfs root\share name\"
Set objNetwork   = CreateObject("WScript.Network")
objNetwork.MapNetworkDrive strDriveLetter, strBaseDrivePath
' release the WScript.Network object
Set objNetwork   = Nothing

When I map the DFS root using a drive letter using this code in a
login script, I get isolated-but-consistent client reports of network
latency when opening or saving a file; Word/Excel/whatever will choke
up for a good 5 or 6 seconds at a time.

If I disconnect the script-mapped drive and access this resource from
the same machine using any other method:

* map the drive using the GUI,
* map the drive from the CLI using 'net use', or
* manually enter the UNC path from the Run line

...all latency goes away.  It's not OS-specific as far as I can tell;
the machines currently reporting the latency are a handful of XPSP2
and 2KSP4 machines that don't have much else unique in common.

I've determined that it's not specifically DFS-related, as I've tested
mapping directly to the physical servername instead of the DFS
sharename and produced identical results.

Neither is it relevant that the script is being run as part of a login
script/GPO, as running the script manually from an affected desktop
also produces the same behaviour.

So it's either a VBScript thing, or it's something client-specific
that I haven't isolated on the half-dozen desktops that are
experiencing the issue.

Google has thus far yielded no joy, has anyone run into this before?

--
---
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Cookbook, Second Edition_ (http://tinyurl.com/z7svl)


Re: [ActiveDir] OT: Who needs that much ram anyway?

2007-01-16 Thread Matheesha Weerasinghe

All

Put your hands up if you are using this hotfix to its full potential ;-)

http://support.microsoft.com/kb/918844

On 1/16/07, Martin Tuip [EMAIL PROTECTED] wrote:


I can think of quite a few situations.  RAM is cheap as well compared to the
early days.


Martin Tuip
Exchange MVP

- Original Message -
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 16, 2007 1:00 AM
Subject: [ActiveDir] OT: Who needs that much ram anyway?



The Microsoft Exchange Information Store service stops responding on a
computer that is running Windows Server 2003 and Exchange Server 2007

http://support.microsoft.com/?kbid=928368

This problem occurs if Exchange Server 2007 is installed on a computer
that has more than 4 gigabytes (GB) of RAM.



[ActiveDir] OT: Vista BSOD with more than 2GB of RAM

2007-01-10 Thread Matheesha Weerasinghe

All

Sorry for the OT topic. I have a PC I use as my lab with VMs. It has
Vista Ultimate and only has 2GB of RAM and was working fine. However I
tried to upgrade the memory by using a 512MB module and the PC won't
boot now. It blue screens with a message similar to KB 929777.

I tried getting the hotfix from technet+ with no luck. Its stage is
private and won't be released until the 30th Jan. My Premier
connection doesn't seem to allow download of the hotfix either.

I would like to know before I try and escalate this whether there is
anyone out there with a Vista RTM PC with more than 4GB of RAM. I have
run memtest86 on my PC and it reports everything is working. However
I'd appreciate if I can get some confirmation that there are others
who either have the issue or don't.

Cheers

M@


Re: [ActiveDir] OT: Vista BSOD with more than 2GB of RAM

2007-01-10 Thread Matheesha Weerasinghe

Sorry! I meant to ask is there anyone with a Vista RTM X86 PC with
more than 2GB of RAM.

Thanks
M@

On 1/11/07, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

All

Sorry for the OT topic. I have a PC I use as my lab with VMs. It has
Vista Ultimate and only has 2GB of RAM and was working fine. However I
tried to upgrade the memory by using a 512MB module and the PC won't
boot now. It blue screens with a message similar to KB 929777.

I tried getting the hotfix from technet+ with no luck. Its stage is
private and won't be released until the 30th Jan. My Premier
connection doesn't seem to allow download of the hotfix either.

I would like to know before I try and escalate this whether there is
anyone out there with a Vista RTM PC with more than 4GB of RAM. I have
run memtest86 on my PC and it reports everything is working. However
I'd appreciate if I can get some confirmation that there are others
who either have the issue or don't.

Cheers

M@




Re: [ActiveDir] OT: Vista BSOD with more than 2GB of RAM

2007-01-10 Thread Matheesha Weerasinghe

I didn't configure the memory dumps for this machine. I assume a kernel
dump is preferred over minidump? Either way I will check and let you
know. Thanks for the reply.

On 1/11/07, Ken Schaefer [EMAIL PROTECTED] wrote:


Yes - I have a Dell Precision that has 4GB RAM, and which has had both Vista
x86 and x64 on it and it doesn't BSOD.

The issue in the KB seems to be with devices that use DMA and you have more
than 4GB of RAM. That used to cause issues on XP as well (which is why I
believe SP2 for XP limited the amount of RAM that could be utilised to 4GB
for 32bit editions).

STOP 0xA is pretty common. If you want a detailed explanation of
what's going on, then check out Part 1 here:
http://www.adopenstatic.com/cs/blogs/ken/archive/tags/Debugging/default.aspx

Do you have minidump files handy? I'm happy to have a look if you want.

Cheers
Ken




Re: [ActiveDir] OT: Vista BSOD with more than 2GB of RAM

2007-01-10 Thread Matheesha Weerasinghe

Sure ;-) I was just trying to get as much info as you needed the first time ;-)

Sending the minidump offline

On 1/11/07, Ken Schaefer [EMAIL PROTECTED] wrote:




Minidump is 100kb, whilst a kernel dump is 150MB+. I would prefer you to
email me an 80-100kb file in the first instance if that is enough to solve
the problem :-)

Cheers
Ken

 


[ActiveDir] OT: Vista Resource Monitor blank

2006-12-15 Thread Matheesha Weerasinghe

Has anyone ever seen the resource monitor of Vista RTM blank with no
CPU/Mem/Disk etc... details at all? Last night I noticed when I used
resource monitor it didn't display anything. Task Manager showed
activity as expected but not the resource monitor. I assumed it was
possibly due to the machine waking up from sleep but couldn't repro
it.

Cheers

M@


Re: [ActiveDir] OT: Vista Resource Monitor blank

2006-12-15 Thread Matheesha Weerasinghe

Yes I was. I often launch the resource monitor from task manager and
it's not blank. But in this instance it was. So I find it hard to
believe it's normal. Thanks for the reply anyway Laura.

Cheers

M@

On 12/15/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

Are you referring to Performance Monitor? If so, that's normal. You have to
pick the objects and counters that you want to watch.

Laura

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Matheesha Weerasinghe
 Sent: Friday, December 15, 2006 5:34 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: Vista Resource Monitor blank

Has anyone ever seen the resource monitor of Vista RTM blank
with no CPU/Mem/Disk etc... details at all? Last night I
noticed when I used resource monitor it didn't display
anything. Task Manager showed activity as expected but not
the resource monitor. I assumed it was possibly due to the
machine waking up from sleep but couldn't repro it.

 Cheers

 M@




Re: [ActiveDir] DFS vs Robocopy question

2006-12-06 Thread Matheesha Weerasinghe

How much data do you want to keep in sync between the distribution points?

Cheers

M@

On 12/6/06, Condra, Jerry W Mr HP [EMAIL PROTECTED] wrote:


Hi all

I'm looking for feedback on a couple of scenarios for our environment. We
have three W2K3 SP1 domains and WAN separated regions in a couple of them.
When deploying software, hotfixes and such I want to go to the 'distribution
point' for that domain/region so as not to traverse the WAN for downloads.
Each distribution point needs to mirror the others. Each region has an app
server where we maintain these distribution points for downloads, patches
and such and currently is managed manually as far as keeping each server
identical to the other. I'm not familiar with DFS other than what it is and
does and have not configured or used it. Robocopy seems okay but also has a
lot of configuration to deal with. DFS seems to be the best but wanted to
see what the experts thought. My concern is if I create the DFS hierarchy
I'd still be pointed to one server for the files. In reading the
documentation I see multiple roots can be established which I'm hoping would
provide access to each regional distribution point and still replicate the
latest uploads from one point to all others.

Appreciate any feedback.

Thanks

Jerry





Re: [ActiveDir] BIND allow-update

2006-10-06 Thread Matheesha Weerasinghe
http://research.microsoft.com/programs/up_content/bind.doc might be of use.

On 10/6/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Easy question for the group - I have a forest root domain: msroot.company
I have a domain: company.com
We use BIND. My question: do I need an allow-update entry for both zones
or just the forest root zone for proper dynamic update operation?

Thanks in advance,
James



Re: [ActiveDir] ADSI programming

2006-09-15 Thread Matheesha Weerasinghe
I wonder whether IronPython http://www.ironpython.com/ is worth looking into in that case. I am no programmer but I have a hunch it might be to your liking.

Cheers
M@

On 9/15/06, Ramon Linan [EMAIL PROTECTED] wrote:

Hi,
I want to start programming in AD. I have experience programming with Python, PHP and VBA.
Any suggestion on which language is more convenient to program with ADSI?
I was going to use Python because it can be used in Windows, Mac or Linux/Unix.

Thanks
Rezuma


Re: [ActiveDir] Completely OT: Maroons

2006-09-04 Thread Matheesha Weerasinghe
I've received blank posts here.

M@

On 9/4/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

Has anybody figured out what's causing the blank posts, or is it just me who got blank replies from Mark and Neil?

Thanks,
Laura

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Parris
Sent: Monday, September 04, 2006 4:15 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] Completely OT: Maroons


Re: [ActiveDir] Moving user accounts.

2006-08-30 Thread Matheesha Weerasinghe
http://blog.joeware.net/2005/07/17/48/

M@

On 8/30/06, David Cliffe [EMAIL PROTECTED] wrote:






Hi Jim,

Yes, I have found this to be true... there is no move object delegation.
We have to use the create and delete. I wonder if that will change in future
(I have a feeling it's been mentioned here several times before, but can't
remember).

-DaveC

  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kennedy, Jim
Sent: Wednesday, August 30, 2006 3:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Moving user accounts.

Am I correct that to delegate moving user accounts from OU to OU I will
have to allow them the ability to delete accounts? It appears accounts work
similar to documents; a move is really a copy then delete.







Re: [ActiveDir] Agents on Domain Controllers

2006-08-25 Thread Matheesha Weerasinghe
I see your point but unfortunately it doesn't seem so practical these days. For example any AV software you use these days will have an agent to get updates. Any software distribution mechanism and hardware health checking software, enterprise management software all require agents. The thing is we have to ensure we give sufficient rights for each one and ensure if compromised it doesn't have sufficient rights to have elevated rights and access to AD or any other domain resource/server.

I am reading the service account security planning guide at the moment: http://www.microsoft.com/technet/security/topics/serversecurity/serviceaccount/default.mspx. There is some good stuff here we can use for least privilege. It's tricky and takes time. It just takes time to ensure every vendor and every product finally supports it. Until that time comes we can only do our best.

M@

On 8/25/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:



Depends on what the agent is supposed to be doing, whether or not it's been proven stable or crappy, and whether or not your administrative/security philosophy allows such agent to be deployed on DCs.


AFAIK, there is no credible reason to mandate a blanket no-agent-on-DC security or operational posture.



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT



From: [EMAIL PROTECTED]
Sent: Fri 8/25/2006 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Agents on Domain Controllers

Is it just me or does it seem like everyone wants to put an agent or 5 on Domain Controllers these days. Anyone know of any agents to steer clear of (besides all of them)?





Re: [ActiveDir] Agents on Domain Controllers

2006-08-25 Thread Matheesha Weerasinghe
Somehow I read that and got an entirely different meaning. It may be due to the mood I am in right now. Then again a quick look at some of joe's blog comments will show how often I misread things. Hmm... Sorry Deji.

M@

On 8/25/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:



You seem to think I disagree with you, whereas we are both saying the same thing.



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT








Re: [ActiveDir] disable 200 users

2006-08-25 Thread Matheesha Weerasinghe
To add to Deji's, you would then use the same list to get a

FOR /F %i IN (mylistofnames.txt) DO dsquery user forestroot -scope subtree -name %i -o dn | dsmove -newparent OU=NEWDEST,DC=FQDN

where OU=NEWDEST,DC=FQDN is the FQDN of the new OU you want to move to. Please note your list of names must be unique. Test before doing this by ensuring the command below

FOR /F %i IN (mylistofnames.txt) DO dsquery user forestroot -scope subtree -name %i -o dn >> textfilename.txt

gives you a list of DNs you really want to disable/move. Please check syntax and test before doing for real on production servers!

Regards
M@

On 8/25/06, Akomolafe, Deji [EMAIL PROTECTED] wrote:








You have a list to use as input file. Read from that list and get the DN of each user. Then pass the DN to the script listed in this sample: 



http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx?mfr=true

Or

In a batch file, do a For loop and read in the input file, then use dsquery to get the DN and pass that to dsmod to disable the accounts

Something like:
FOR /F %%i IN (mylistofnames.txt) DO dsquery user forestroot -scope subtree -name %%i -o dn | dsmod user -disabled Yes


Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT



From: Ramon Linan
Sent: Fri 8/25/2006 11:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] disable 200 users


Hi,

I have been given a list of 200 users to disable, and move to another OU.
The users are not currently in the same OU but in many different OU.

I am trying to use the txt file that contains the list of users to be disabled.

How can I do this?


I was trying to use the query tool that comes with AD Users and Computers to select the users but got nowhere with

(|(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))(&(objectCategory=person)(!objectSid=*))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14)(objectCategory=user)(cn=user1)))
(|(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))(&(objectCategory=person)(!objectSid=*))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14)(objectCategory=user)(cn=user2)))
etc


Thanks
Rezuma 
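An added example, not code from this thread or from the dsquery/dsmod/dsmove tools, showing how the bulk job discussed above can be prepared safely before anything touches a DC: the names file is checked for duplicates (the uniqueness requirement in the reply), each name becomes an exact-match LDAP filter with RFC 4515 escaping so a stray `*` or `(` in the list cannot widen the match, and a small filter parser confirms each filter is well-formed. The same parser can be pointed at the saved-query filter in the question to see where the `(cn=user1)` term actually sits in the AND/OR tree. SAMPLE_NAMES and the target OU DN are constructed placeholders, and all function names are this example's own.

```python
# Added example (not from the thread, dsquery or dsmod): prepare a bulk
# disable/move by building one escaped, exact-match LDAP filter per account
# from a names file, reporting duplicates, and parsing each filter back.
from collections import Counter

# RFC 4515 section 3: characters that must be hex-escaped inside a value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_value(value, keep_trailing_wildcard=False):
    """Escape an assertion value; optionally keep one trailing '*' as a wildcard."""
    suffix = ""
    if keep_trailing_wildcard and value.endswith("*"):
        value, suffix = value[:-1], "*"
    return "".join(_ESCAPES.get(ch, ch) for ch in value) + suffix


def user_filter(sam_account_name):
    """Exact-match filter for one account; an input like 'r*eese' cannot widen it."""
    return ("(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))"
            % escape_value(sam_account_name))


def parse_filter(text):
    """Parse an RFC 4515 filter into nested tuples; ValueError if malformed.

    Nodes: ('&'|'|', [children]), ('!', child), ('=', attr, value).
    A bare '(!attr=value)' is accepted because AD's own saved queries use it.
    """
    pos = 0

    def peek():
        return text[pos] if pos < len(text) else ""

    def simple():
        nonlocal pos
        end = text.find(")", pos)
        if end < 0 or "(" in text[pos:end] or "=" not in text[pos:end]:
            raise ValueError("bad item at offset %d" % pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end                      # leave pos on the closing ')'
        return ("=", attr, value)

    def item():
        nonlocal pos
        if peek() != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = peek()
        if op in ("&", "|"):
            pos += 1
            children = []
            while peek() == "(":
                children.append(item())
            node = (op, children)
        elif op == "!":
            pos += 1
            node = ("!", item() if peek() == "(" else simple())
        else:
            node = simple()
        if peek() != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return node

    tree = item()
    if pos != len(text):
        raise ValueError("trailing text after filter")
    return tree


def is_well_formed(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def plan(names_text, new_parent_dn):
    """Build the per-account work list; duplicates are reported, not silently merged."""
    names = [n.strip() for n in names_text.splitlines() if n.strip()]
    counts = Counter(n.lower() for n in names)
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    steps = []
    for name in dict.fromkeys(n.lower() for n in names):   # unique, input order
        f = user_filter(name)
        parse_filter(f)                                     # fail here, not on the DC
        steps.append({"name": name, "filter": f, "new_parent": new_parent_dn})
    return {"duplicates": duplicates, "steps": steps}


# Constructed sample input: one case-insensitive duplicate and one raw '*'.
SAMPLE_NAMES = "jdoe\nasmith\nJDOE\nr*eese\n"
NEW_PARENT = "OU=Disabled,DC=example,DC=com"   # placeholder DN, not from the thread

if __name__ == "__main__":
    work = plan(SAMPLE_NAMES, NEW_PARENT)
    print("duplicates:", work["duplicates"])
    for step in work["steps"]:
        print(step["filter"], "->", step["new_parent"])
```

Run as a script it prints the work list; the filters it emits are what you would hand to `dsquery * -filter`, `adfind -f`, or an LDAP library, with the disable and move steps kept separate and only executed once the printed list has been reviewed, as the replies above advise.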







Re: [ActiveDir] Problem in AD

2006-08-23 Thread Matheesha Weerasinghe
I'm afraid you need to give a little more detail than that. What do you mean not able to communicate with AD? 

M@
On 8/23/06, Pankaj Verma [EMAIL PROTECTED] wrote:

Hi All

I have 3 domain controllers. I transferred all the FSMO roles from DC03 to DC02; after that I shut down DC03 & restarted DC02 & DC01, but after that I was not able to communicate with Active Directory. Then I switched on DC03 and after that everything is working fine. If somebody can tell me what could be the problem... and after that in event viewer I am getting an error:

Event id = 1030 & 1058, source = userenv

--
Rgds
Pankaj Verma


Re: [ActiveDir] Secure LDAP queries from the outside

2006-08-22 Thread Matheesha Weerasinghe

Check the firewall rules to ensure they are correct. Are the packets
even getting to the DC? Personally I doubt it.

M@

On 8/22/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:




Hi,

   We are trying to set up secure LDAP queries from the outside to AD for
pulling email addresses but are running into an issue.  Port 636 has been
opened up to our DCs but we get a 0x51 error like the one shown below in
this example of using adfind:



adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2



AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005



LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down

Terminating program.



(extensionAttribute2 is used for email address)



Portqry shows that the DC is listening on port 636.  Using ldp, the bind
operation seems to want to default to port 389 (which is not open).



It works fine behind our firewall.  Is there some other port that needs to
be open (besides 389)?  Or maybe some security feature (we are running
w2k3/sp1 on our DCs) that is getting in the way?  Any help is appreciated!



TIA,

Mike Thommes





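Matheesha's question (are the packets reaching the DC at all?) and Mike's second guess (a security feature on the DC) can be separated with a probe that first opens TCP 636 and then completes a TLS handshake, because an LDAPS client reports 0x51 Server Down both for a blocked port and for a failed TLS negotiation. This is an added example, not adfind's or the list's code; it needs only .NET, and the host name at the bottom is a placeholder.

```powershell
# Added example (not from the thread): probe an LDAPS endpoint in two stages,
# TCP connect then TLS handshake, and report the server certificate and its
# chain status so a 0x51 Server Down can be attributed to the right layer.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636,
        [int]$TimeoutMs = 5000
    )
    $r = [ordered]@{
        Server = $Server; Port = $Port; TcpOpen = $false; TlsOk = $false
        Protocol = $null; Subject = $null; Issuer = $null; NotAfter = $null
        ChainValid = $null; ChainStatus = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${Server}:$Port timed out (filtered port or nothing listening)"
        }
        $client.EndConnect($async)
        $r.TcpOpen = $true

        # Accept any certificate during the handshake so it can be inspected;
        # trust is evaluated separately below with X509Chain.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $stream = $client.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
        $ssl.AuthenticateAsClient($Server)
        $r.TlsOk    = $true
        $r.Protocol = $ssl.SslProtocol

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $r.Subject  = $cert.Subject
        $r.Issuer   = $cert.Issuer
        $r.NotAfter = $cert.NotAfter
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $r.ChainValid  = $chain.Build($cert)
        $r.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $ssl.Dispose()
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$r
}

# Placeholder host name. TcpOpen=$false points at the firewall path;
# TcpOpen=$true with TlsOk=$false points at the DC's certificate/TLS setup.
Test-LdapsEndpoint -Server 'dc1.example.com' | Format-List
```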


Re: [ActiveDir] LDAP Logon Name

2006-08-17 Thread Matheesha Weerasinghe

Thanks Paul

M@

On 8/17/06, Paul Williams [EMAIL PROTECTED] wrote:


You need to escape the comma, as a comma is a delimiter and in the case of
displayName it shouldn't be a delimiter:

(&(objectCategory=person)(objectClass=user)(displayName=phelps\,k*))


I've not read the whole thread, so can't discuss whether or not this is the
best way to do what you want.  I will say I feel for you re. the HP
documentation.  I had some fun getting the AD iLO integration stuff to work
because the guide wasn't very helpful at explaining what format and syntax
things wanted.  I found the help on the administration pages better, and
simply tried a number of things that I thought should work.


--Paul

- Original Message -
From: Alex Alborzfard
To: ActiveDir@mail.activedir.org
Sent: Monday, August 14, 2006 8:22 PM
Subject: RE: [ActiveDir] LDAP Logon Name



Good catch, but the corrected query still didn't work!




Alex



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Andrew Cace
Sent: Monday, August 14, 2006 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Logon Name



In the error below, the LDAP filter is
(&(objectclass=person)displayname=phelps,k*)).  You
missed the opening parenthesis before displayname.



-Andrew





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Alex Alborzfard
Sent: Monday, August 14, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Logon Name



That was exactly the same as HP documentation. I'll try your filter and will
post the result.



Thanks




Alex



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Matheesha Weerasinghe
Sent: Monday, August 14, 2006 1:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Logon Name




I assume you need a filter such as
(&(objectcategory=person)(objectclass=user)(displayname=phelps,k*))





I optimised the user object search and put an opening bracket when specifying
the displayname.





M@




On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:


Your LDAP filter doesn't look correct.





M@




On 8/14/06, Alex Alborzfard [EMAIL PROTECTED]  wrote:

According to product documentation, I have to configure embedded ldap
authentication. Apparently this printer has an Embedded Web Server
(EWS).
However, when I follow the documentation, using ldp tool, it fails when
trying to query ldap. The message I get is this:

***Searching...
ldap_search_s(ld, DC=pharmanet,DC=com, 2, (&(objectclass=person)displayname=phelps,k*)), NULL, 0, &msg)
Error: Search: Filter Error. 87
Server error:
Error94: ldap_parse_result failed: No result present in message
Getting 0 entries:

I connect to ldp as member of Domain Admins and Schema Admins, with the
same result.

Any ideas?

Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Tomasz Onyszko
Sent: Wednesday, August 09, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Logon Name

Alex Alborzfard wrote:
We have a HP printer/scanner that we want to setup for emailing scanned documents.

Management wants to ensure only domain users with email addresses can do this.

There is an option for setting up LDAP gateway, where you can set user name & password up.

It's asking for LDAP logonname. I have tried my user name and account name, but it didn't work.

I looked it up in ADSIedit, but I couldn't find it.

I think that simplest way would be to refer to product documentation but I would try to use DN, or CN (in CN=... format) of this user.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)






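The error 87 in Alex's ldp trace (LDAP_FILTER_ERROR) comes from a filter whose parentheses do not balance, which is hard to spot by eye once a filter grows. The checker below is an added example, not code from the thread or from ldp: it walks the filter with the RFC 4515 grammar and reports the position of the first problem, which for the ldp filter is the bare displayname that should have been preceded by '('. It treats a backslash as escaping the next character and does not otherwise validate escape sequences.

```powershell
# Added example (not from the thread): a small RFC 4515 syntax checker for
# LDAP search filters that reports where the first problem is.
function Test-LdapFilter {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Filter)

    $s = @{ f = $Filter; i = 0 }   # parser state shared by the nested functions

    function Peek { if ($s.i -lt $s.f.Length) { [string]$s.f[$s.i] } else { '' } }

    function Expect([string]$Want) {
        $got = Peek
        if ($got -ne $Want) {
            $shown = if ($got -eq '') { 'end of filter' } else { "'$got'" }
            throw "expected '$Want' but found $shown at position $($s.i)"
        }
        $s.i = $s.i + 1
    }

    # filter = '(' filtercomp ')'
    function ParseFilter {
        Expect '('
        $c = Peek
        if ($c -eq '&' -or $c -eq '|') {        # filtercomp = ('&' | '|') filterlist
            $s.i = $s.i + 1
            if ((Peek) -ne '(') { throw "expected '(' after '$c' at position $($s.i)" }
            while ((Peek) -eq '(') { ParseFilter }
        } elseif ($c -eq '!') {                  # filtercomp = '!' filter
            $s.i = $s.i + 1
            ParseFilter
        } else {                                  # filtercomp = item
            ParseItem
        }
        Expect ')'
    }

    # item = attr ( '=' | '~=' | '>=' | '<=' | ':=' ) value
    function ParseItem {
        $start = $s.i
        while ($s.i -lt $s.f.Length -and '=()'.IndexOf($s.f[$s.i]) -lt 0) { $s.i = $s.i + 1 }
        if ($s.i -ge $s.f.Length -or $s.f[$s.i] -ne '=') {
            throw "expected an attribute comparison at position $start"
        }
        $attr = $s.f.Substring($start, $s.i - $start).TrimEnd('~', '>', '<', ':')
        if ($attr -notmatch '^[A-Za-z0-9][A-Za-z0-9.;:-]*$') {
            throw "invalid attribute description '$attr' at position $start"
        }
        $s.i = $s.i + 1                           # skip '='
        while ($s.i -lt $s.f.Length) {            # value runs to the closing ')'
            $ch = $s.f[$s.i]
            if ($ch -eq '\') { $s.i = $s.i + 2; continue }   # escaped character
            if ($ch -eq ')') { break }
            if ($ch -eq '(') { throw "unescaped '(' inside a value at position $($s.i)" }
            $s.i = $s.i + 1
        }
    }

    try {
        ParseFilter
        if ($s.i -ne $s.f.Length) {
            throw "unexpected text '$($s.f.Substring($s.i))' after the filter at position $($s.i)"
        }
        [pscustomobject]@{ Filter = $Filter; IsValid = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ Filter = $Filter; IsValid = $false; Error = $_.Exception.Message }
    }
}

# The filter from the ldp trace (fails with error 87) and the corrected one.
@(
    '(&(objectclass=person)displayname=phelps,k*))',
    '(&(objectcategory=person)(objectclass=user)(displayname=phelps,k*))'
) | ForEach-Object { Test-LdapFilter -Filter $_ } | Format-Table -AutoSize -Wrap
```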


Re: [ActiveDir] [OT] Longhorn Beta

2006-08-17 Thread Matheesha Weerasinghe

Technet Plus

On 8/17/06, WATSON, BEN [EMAIL PROTECTED] wrote:




Outside of my MSDN account is there a preferred way to obtain Longhorn
Beta's for testing?



~Ben



Re: [ActiveDir] ADFind Query

2006-08-15 Thread Matheesha Weerasinghe

http://unxutils.sourceforge.net/

On 8/15/06, WATSON, BEN [EMAIL PROTECTED] wrote:




I'm familiar with grep on *nix, but didn't realize it was available on
Windows.  Where did you get your port of grep for Windows at?





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
joe
Sent: Monday, August 14, 2006 6:16 PM

To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind Query









Yeah something like



adfind -sc s:* ldapdisplayname attributeid -csv |grep -i 1.3.6.1.4.1.14376



would work fine.



But still... the OP is hopefully prefixing schema attributes and classes
with a corporate value... Otherwise they could run into collisions with
vendors with bad schema practices.



--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm










From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Dean Wells
Sent: Monday, August 14, 2006 6:17 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] ADFind Query

If not, though less efficient, dump them all and pipe it through find …




--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
joe
Sent: Monday, August 14, 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind Query



You shouldn't be getting that error with that command... Even if the
attribute name was incorrect you wouldn't get that error, you would get 0
objects returned as the query processor doesn't output errors because of
incorrect attributes being specified.



However, that being said, this isn't going to work. You can't wildcard OIDs
(or more accurately 2.5.5.2/6 data types).



Hopefully you guys prefixed all of the classes and attributes you added with
a company prefix so you can search on that like so



adfind -schema -f name=joeware* ldapdisplayname -sl



or the shortcut



adfind -sc sl:joeware*








--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm










From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
WATSON, BEN
Sent: Monday, August 14, 2006 5:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADFind Query

Hey guys,



Simple question.  I'm trying to perform a search to locate all the schema
extensions that have been added in by our company.



I thought some simple syntax like this would work to find all schema
attributes with an attributeID prefixed with our OID.



adfind -schema -f attributeID=1.3.6.1.4.1.14376.*

ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such
Attribute



I'm obviously missing something, any thoughts?



Thanks,

~Ben
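joe's point is that attributeID cannot be wildcarded server-side, so the practical route is to pull the schema and filter client-side. The function below is an added example, not joe's or adfind's code: it tests OID arc membership as a dotted-prefix test (so 1.3.6.1.4.1.14376 does not match 1.3.6.1.4.1.143760, which a plain text prefix match or grep would), first on a few constructed rows and then, optionally, against the live schema when the ActiveDirectory module is present.

```powershell
# Added example (not from the thread): pick the schema objects that live under
# a company OID arc. Server-side wildcards on attributeID are not possible,
# so the schema is read and filtered client-side.
function Test-OidInArc {
    param([Parameter(Mandatory)][string]$Oid, [Parameter(Mandatory)][string]$Arc)
    # Dotted-prefix test: the OID is the arc itself or lies beneath it.
    $Oid -eq $Arc -or $Oid.StartsWith($Arc + '.')
}

function Get-SchemaObjectsInArc {
    param([Parameter(Mandatory)][string]$Arc)
    Import-Module ActiveDirectory
    $params = @{
        SearchBase  = (Get-ADRootDSE).schemaNamingContext
        SearchScope = 'OneLevel'
        # attributeSchema objects carry attributeID, classSchema objects governsID.
        LDAPFilter  = '(|(objectClass=attributeSchema)(objectClass=classSchema))'
        Properties  = 'lDAPDisplayName', 'attributeID', 'governsID'
    }
    Get-ADObject @params | ForEach-Object {
        $oid = if ($_.ObjectClass -eq 'attributeSchema') { $_.attributeID } else { $_.governsID }
        if ($oid -and (Test-OidInArc -Oid $oid -Arc $Arc)) {
            [pscustomobject]@{ Name = $_.lDAPDisplayName; Kind = $_.ObjectClass; OID = $oid }
        }
    }
}

# Constructed sample rows (not real schema data). The last row shares the
# text prefix 1.3.6.1.4.1.14376 but belongs to a different arc.
$sample = @(
    [pscustomobject]@{ Name = 'corp-EmployeeBadge'; OID = '1.3.6.1.4.1.14376.1.1' },
    [pscustomobject]@{ Name = 'corp-CostCentre';    OID = '1.3.6.1.4.1.14376.1.2' },
    [pscustomobject]@{ Name = 'otherVendor-Thing';  OID = '1.3.6.1.4.1.143760.5' }
)
$sample | Where-Object { Test-OidInArc -Oid $_.OID -Arc '1.3.6.1.4.1.14376' } | Format-Table -AutoSize

# Against the live schema (needs the ActiveDirectory module and a reachable DC):
# Get-SchemaObjectsInArc -Arc '1.3.6.1.4.1.14376' | Format-Table -AutoSize
```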



Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Matheesha Weerasinghe
I don't think so. The objectSid attribute is a systemOnly attribute. Personally I am impressed by that smart co-worker that managed to delete it. According to the AD Delegation appendices
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en
it's not possible to move, delete or rename this group. Maybe he exploited the dynamic objects feature in Windows 2003 RTM?
http://blogs.dirteam.com/blogs/tomek/archive/2006/06/23/1175.aspx

M@
On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Hi,
A smart co-worker deleted the BUILTIN\Incoming Forest Trust Builders group. Is it possible to recreate this group with the same well known SID? Authoritative restore is out of the question, deletion is too long ago.
Han Valk.


Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Matheesha Weerasinghe
I am wondering if there are ACLs defined on the group itself or the OU above to prevent you from seeing it. Do you see it as the Administrator account of the domain?

M@
On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Problem is I don't see it anymore in the BUILTIN container. Strange thing is that if I look at the security of the domain object in ADUC, Incoming Forest Trust Builders is there.



Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Matheesha Weerasinghe
I don't think it can be moved. MS documentation suggests it cannot be.

M@
On 8/14/06, Peter Johnson [EMAIL PROTECTED] wrote:
Maybe the user moved it to another OU? Have you done a full forest search for the account?



Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Matheesha Weerasinghe
By the way you are looking for this on the forest root right?

M@
On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Yep, logged in as Domain Admin.



Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Matheesha Weerasinghe
I also meant to view as Administrator, not an account with domain admin rights. There are subtle differences in certain scenarios. I was assuming the ACLs on the object or the parent are possibly preventing you from viewing the object. But I doubt it's the case.

You aren't using the List Object (LO) right, are you?

M@
On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
By the way you are looking for this on the forest root right?

M@
On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
Yep, logged in as Domain Admin.


Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-14 Thread Matheesha Weerasinghe
It's only in the forest domain IIRC ;-)

M@
On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:
No??? Child domain.


Re: [ActiveDir] LDAP Logon Name

2006-08-14 Thread Matheesha Weerasinghe
Your LDAP filter doesn't look correct.

M@
On 8/14/06, Alex Alborzfard [EMAIL PROTECTED] wrote:
According to product documentation, I have to configure embedded LDAP authentication. Apparently this printer has an Embedded Web Server (EWS). However, when I follow the documentation, using the ldp tool, it fails when trying to query LDAP. The message I get is this:

***Searching...
ldap_search_s(ld, DC=pharmanet,DC=com, 2, (&(objectclass=person)displayname=phelps,k*)), NULL, 0, &msg)
Error: Search: Filter Error. 87
Server error:
Error94: ldap_parse_result failed: No result present in message
Getting 0 entries:

I connect to ldp as member of Domain Admins and Schema Admins, with the same result.

Any ideas?

Alex



Re: [ActiveDir] LDAP Logon Name

2006-08-14 Thread Matheesha Weerasinghe
I assume you need a filter such as (&(objectcategory=person)(objectclass=user)(displayname=phelps,k*))

I optimised the user object search and put an opening bracket when specifying the displayname.

M@
On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
Your LDAP filter doesn't look correct.

M@


Re: [ActiveDir]

2006-08-14 Thread Matheesha Weerasinghe
http://searchwinit.techtarget.com/originalContent/0,289142,sid1_gci1192821,00.html?track=NL-463ad=554811USCAad=554808


I don't care what anyone says. That's a damn fine article.

I couldn't possibly thank Dean enough for that info.
M@


On 8/14/06, Graham Turner [EMAIL PROTECTED] wrote:
Alter ego! My thanks are due. Worked out a treat - so the GCs are not so ***'d as I thought.
Any info on the concept of the phantoms though??
GT

Hey Robert,
In the article you posted, the registry key is incorrect in the KB content. It lists the registry key as:
HKCU\Software\Policies\Microsoft\Windows\Directory
However, the correct registry key is:
HKCU\Software\Policies\Microsoft\Windows\Directory UI
I've sent a comment to my former employer to ask for them to fix the article... next time, test it *before* you post!
Your Alter Ego,
Robert Williams

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Williams, Robert
Sent: Monday, August 14, 2006 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]

Hey Graham,
This may not be what you're experiencing, but it could be worth it to check to see how many members you have in the group(s) in question. By default, if the group has over 500 members in it, the user icons inside the group will turn grey. Check out this article for more information:
http://support.microsoft.com/kb/q281923/
Let us know if that turned out to be the cause.
Have a great day!
Robert Williams

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Monday, August 14, 2006 9:01 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir]

Dear all,
Am experiencing issues that I think attributable to the concept of Active Directory phantoms. The symptom is that when we open certain global groups the membership list comes out with grey icons. This is not all groups - affected ones being Domain Users / Domain Computers.
Must confess to not a full understanding of the issue here - but it seems this relates in some way to GC lookup?? I can for sure confirm that the GC port 3268 is open on the GCs. Not sure why, as the group / user members are in the same domain?
After the understanding of what is going on here is, of course, 'HOW DO WE FIX'?? Technet seems to reference a concept of 'phantom clean up task' - a process that runs on the server running the 'INFRASTRUCTURE MASTER' FSMO role on a scheduled basis to resolve the directory issue. Would seem not in this case?
As a point to note, neither netdiag nor dcdiag are coming up with anything conclusive in this respect.
Help as always gladly received.
GT



Re: [ActiveDir]

2006-08-14 Thread Matheesha Weerasinghe
joe said pretty decent http://blog.joeware.net/2006/06/08/400/

I think that's an understatement ;-)

However, my profuse thanks to joe too. I wasn't aware of the article until he blogged it.

M@
On 8/14/06, Dean Wells [EMAIL PROTECTED] wrote:




Why thank you … but who said otherwise? ;0)





--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com




From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 2:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 




http://searchwinit.techtarget.com/originalContent/0,289142,sid1_gci1192821,00.html?track=NL-463ad=554811USCAad=554808 




I don't care what anyone says. That's a damn fine article.



I couldn't possibly thank Dean enough for that info.
M@





On 8/14/06, Graham Turner [EMAIL PROTECTED] wrote:

Alter ego ! my thanks are due, worked out a treat - so the GC's are not so ***'d as i thought. any info on the concept of the phantoms though ??

GT

Hey Robert,

In the article you posted, the registry key is incorrect in the KB content. It lists the registry key as:

HKCU\Software\Policies\Microsoft\Windows\Directory

However, the correct registry key is:

HKCU\Software\Policies\Microsoft\Windows\Directory UI

I've sent a comment to my former employer to ask for them to fix the article...next time, test it *before* you post!

Your Alter Ego,
Robert Williams

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Williams, Robert
Sent: Monday, August 14, 2006 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]

Hey Graham,

This may not be what you're experiencing, but it could be worth it to check to see how many members you have in the group(s) in question. By default, if the group has over 500 members in it, the user icons inside the group will turn grey. Check out this article for more information:

http://support.microsoft.com/kb/q281923/

Let us know if that turned out to be the cause.

Have a great day!

Robert Williams

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Monday, August 14, 2006 9:01 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir]

Dear all, am experiencing issues that i think attributable to the concept of Active Directory phantoms. the symptom is that when we open certain global groups the membership list comes out with grey icons. this is not all groups - affected ones being - Domain Users / Domain computers. must confess to not a full understanding of the issue here - but it seems this relates in some way to GC lookup ?? i can for sure confirm that the GC port 3268 is open on the GC's not sure why as the group / user members are in the same domain ?

after the understanding of what is going on here is, of course 'HOW DO WE FIX' ?? technet seems to reference a concept of 'phantom clean up task' - a process that runs on the server running 'INFRASTRUCTURE MASTER' fsmo role on a scheduled basis to resolve the directory issue. would seem not in this case ? as a point to note, neither netdiag nor dcdiag are coming up with anything conclusive in this respect.

help as always gladly received

GT

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx





Re: [ActiveDir]

2006-08-14 Thread Matheesha Weerasinghe
I am still waiting for the other 5 parts!

M@
On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:


joe said pretty decent http://blog.joeware.net/2006/06/08/400/

I think that's an understatement ;-)

However, my profuse thanks to joe too. I wasn't aware of the article until he blogged it.


M@






Re: [ActiveDir] LDAP Logon Name

2006-08-14 Thread Matheesha Weerasinghe

All I did was fix your query. It seemed like you were trying to do a
search for users who have phelps,k as the start of their
displayname.

I assume the printer wants a DN to do lookups. Any AD user should be
able to bind. But I don't know what it does with the bind credentials.
I've never configured a printer that needed to be given credentials to
an LDAP directory. Does it look at who submitted the job and do a
query for the person's email address and send them an email that it's
done? I don't know.

You need to tell us how the LDAP credentials are going to be used by
the printer. Otherwise it may appear that we are not helpful. Which, I
well may be not ;-)

Sorry

M@



On 8/14/06, Alex Alborzfard [EMAIL PROTECTED] wrote:






Logon ID? Most likely the DN, but I need an account that can do the bind.

Per HP documentation after running the search, I am supposed to find the search 
prefix, which should begin after the individual user's CN.

This is the example right from documentation:



 Dn: [EMAIL PROTECTED],OU=US,OU=Users,OU=Account,DC=americas,DC=cpqcorp,DC=net



I tried M@'s query, it worked…well kind of…it didn't generate an error, but got
0 entries on Matched DNs

I also tried your tree view suggestion, but that didn't give me anything I 
could use for this printer.

I don't see anything even close to it. I'm beginning to HATE LDAP and HP both!!!




Alex






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, August 14, 2006 1:53 PM

To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Logon Name












Agreed. But does your printer search for the logon ID? I doubt it.  Most LDAP 
authentication (I HATE that term) will use the DN of the user: 
cn=user,cn=users,dc=domain,dc=com would be default.







From there it should be able to look up the mail address in the directory.





You should specify the service account it will use to bind to the directory and 
the password and it should be fine from there.  To see that information, use 
ldp, and rather than search, use the tree view and navigate to it. (note: when 
the tree asks you for a dn value, leave it blank and press OK.)





Al












On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:



Your ldap filter doesn't look correct.






M@





On 8/14/06, Alex Alborzfard [EMAIL PROTECTED]  wrote:

According to product documentation, I have to configure embedded ldap
authentication. Apparently this printer has an Embedded Web Server
(EWS).
However, when I follow the documentation, using ldp tool, it fails when
trying to query ldap. The message I get is this:

***Searching...
ldap_search_s(ld, DC=pharmanet,DC=com, 2,
((objectclass=person)displayname=phelps,k*)), NULL,  0, msg)
Error: Search: Filter Error. 87
Server error:
Error94: ldap_parse_result failed: No result present in message
Getting 0 entries:

I connect to ldp as member of Domain Admins and Schema Admins, with the
same result.

Any ideas?

Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Wednesday, August 09, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Logon Name

Alex Alborzfard wrote:
 We have a HP printer/scanner that we want to setup for emailing scanned
 documents.

 Management wants to ensure only domain users with email addresses can do
 this.

 There is an option for setting up LDAP gateway, where you can set user
 name & password up.

 It's asking for LDAP logonname. I have tried my user name and account
 name, but it didn't work.

 I looked it up in ADSIedit, but I couldn't find it.

I think that simplest way would be to refer to product documentation but
I would try to use DN, or CN (in CN=... format) of this user.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx









Re: [ActiveDir] ADFind Query

2006-08-14 Thread Matheesha Weerasinghe

I get the error Ben got with W2K. W2k3 doesn't give that error. The VM
I have here is W2k3 with SP3.

M@

On 8/14/06, joe [EMAIL PROTECTED] wrote:



You shouldn't be getting that error with that command... Even if the
attribute name was incorrect you wouldn't get that error, you would get 0
objects returned as the query processor doesn't output errors because of
incorrect attributes being specified.

However, that being said, this isn't going to work. You can't wildcard OIDs
(or more accurately 2.5.5.2/6 data types).

Hopefully you guys prefixed all of the classes and attributes you added with
a company prefix so you can search on that like so:

adfind -schema -f name=joeware* ldapdisplayname -sl

or the shortcut

adfind -sc sl:joeware*




--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



 
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
WATSON, BEN
Sent: Monday, August 14, 2006 5:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADFind Query





Hey guys,



Simple question.  I'm trying to perform a search to locate all the schema
extensions that have been added in by our company.



I thought some simple syntax like this would work to find all schema
attributes with an attributeID prefixed with our OID.



adfind -schema -f attributeID=1.3.6.1.4.1.14376.*

ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such
Attribute



I'm obviously missing something, any thoughts?



Thanks,

~Ben


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
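Both the "Filter Error. 87" in the LDAP Logon Name thread and joe's point above about wildcarding OIDs come down to checking a filter before a DC ever sees it. Here is an added example (not code from either thread, nor from AdFind or ldp): a small RFC 4515 parser that flags a clause missing its own parentheses and a substring wildcard on an attribute whose syntax does not allow it; the schema table is constructed and covers only the attributes named in these posts.

```python
"""Lint an LDAP search filter before sending it to a domain controller.

Added example, not code from the list posts: a small RFC 4515 filter parser that reports the
two failure modes discussed in these threads, a malformed filter (ldp's "Filter Error. 87") and
a substring wildcard on an OID-syntax attribute such as attributeID, which AD cannot match
("you can't wildcard 2.5.5.2/6 data types"). The schema table is constructed for this page.
"""
import re
from dataclasses import dataclass, field

# Constructed mini-schema: lDAPDisplayName (lower-cased) -> AD attributeSyntax OID
# (2.5.5.2 = Object(OID) syntax, 2.5.5.12 = Unicode string; these are the real AD values).
SCHEMA_SYNTAX = {
    "attributeid": "2.5.5.2",
    "objectclass": "2.5.5.2",
    "name": "2.5.5.12",
    "ldapdisplayname": "2.5.5.12",
    "displayname": "2.5.5.12",
}
NO_SUBSTRING_SYNTAXES = {"2.5.5.2"}   # OID syntax: equality matching only

class FilterError(ValueError):
    """Malformed filter; the server-side equivalent is LDAP result 87 (filterError)."""

@dataclass
class Item:
    attr: str
    op: str        # '=', '>=', '<=', '~=' or 'present'
    value: str
    @property
    def is_substring(self) -> bool:
        return self.op == "=" and "*" in self.value

@dataclass
class Node:
    op: str                                  # '&', '|' or '!'
    children: list = field(default_factory=list)

_ITEM = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(>=|<=|~=|=)(.*)$", re.S)

def parse_filter(text: str):
    """Parse one RFC 4515 filter string into Item/Node objects, or raise FilterError."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise FilterError(f"trailing data at offset {pos}: {text[pos:]!r}")
    return node

def _parse(text: str, pos: int):
    if pos >= len(text) or text[pos] != "(":
        raise FilterError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(text) and text[pos] in "&|!":
        node = Node(text[pos])
        pos += 1
        while pos < len(text) and text[pos] == "(":
            pos, child = _parse(text, pos)
            node.children.append(child)
        if not node.children or (node.op == "!" and len(node.children) != 1):
            raise FilterError(f"wrong operand count for '{node.op}'")
        if pos >= len(text) or text[pos] != ")":     # e.g. a clause missing its own parentheses
            raise FilterError(f"expected ')' at offset {pos}, got {text[pos:pos + 12]!r}")
        return pos + 1, node
    end = text.find(")", pos)
    if end == -1:
        raise FilterError("missing ')'")
    m = _ITEM.match(text[pos:end])
    if not m:
        raise FilterError(f"bad filter item {text[pos:end]!r}")
    attr, op, value = m.groups()
    if op == "=" and value == "*":
        op = "present"                       # (attr=*) is a presence test, not a wildcard
    return end + 1, Item(attr, op, value)

def lint_filter(text: str) -> list:
    """Return the problems found; an empty list means the filter should run cleanly."""
    try:
        root = parse_filter(text)
    except FilterError as exc:
        return [f"filter error (LDAP result 87): {exc}"]
    problems = []

    def walk(node) -> None:
        if isinstance(node, Node):
            for child in node.children:
                walk(child)
            return
        syntax = SCHEMA_SYNTAX.get(node.attr.lower())
        if syntax is None:
            problems.append(f"{node.attr}: not in schema table; AD returns 0 objects, no error")
        elif node.is_substring and syntax in NO_SUBSTRING_SYNTAXES:
            problems.append(f"{node.attr}: substring match not supported for syntax {syntax}")
    walk(root)
    return problems

if __name__ == "__main__":
    # First filter is constructed: the posted one with '&' restored, second clause unparenthesised.
    for f in ("(&(objectclass=person)displayname=phelps,k*)",
              "(&(objectclass=person)(displayName=phelps,k*))",
              "(attributeID=1.3.6.1.4.1.14376.*)", "(name=joeware*)"):
        print(f, "->", lint_filter(f) or "OK")
```

The second failure mode is the one AD reports inconsistently (0x10 on W2K, 0x57 on W2K3 in the traces above), so catching it client-side saves a packet capture.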


Re: [ActiveDir] ADFind Query

2006-08-14 Thread Matheesha Weerasinghe

The wildcard char is stripped according to the network trace for W2K.
Hence the nosuchattribute result.

M@

On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

I get the error Ben got with W2K. W2k3 doesn't give that error. The VM
I have here is W2k3 with SP3.

M@



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] ADFind Query

2006-08-14 Thread Matheesha Weerasinghe

scratch the previous comment. Here is the trace output. DSID-0C0905A4.
Error 0x0057 (87) error processing filter.

M@

On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

The wildcard char is stripped according to the network trace for W2K.
Hence the nosuchattribute result.

M@



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] LDAP Logon Name

2006-08-14 Thread Matheesha Weerasinghe

I took a quick look at the 9100C manual. It looks like it offers the
ldap search facility to get a list of email addresses you want to send
the attachment to. So you'd scan the doc, it'll make an attachment and
send to an email address list obtained by an ldap query. You could
also use the address books on the printer or type the destinations
manually.

Obviously in order to do the ldap query, it may need credentials. The
credentials are almost certainly in DN format as Al said. Else it
does it anonymously.

Check the address book feature. I think most people will probably
rather type destinations manually than do ldap searches ;-)

M@

On 8/14/06, Alex Alborzfard [EMAIL PROTECTED] wrote:

No you are definitely helpful. My best guess is that the printer wants to make
sure you have a valid user account in AD, before letting you fire off an
email from it.

Reading further on HP LDAP doc, at LDAP Authentication configuration page, it
instructs to:

- Input cn into the "Match the name entered with the LDAP attribute of" field.
- Find the device user email address in the LDP trace. Copy the attribute
defining the email address.
(A screenshot of ldp query result is shown as: 1> mail: [EMAIL PROTECTED];)
- Paste the attribute into the "Retrieve the device user's email address using
attribute of" box.
- Find the device user display name in the LDP trace. Copy the attribute
defining the display name.
(A screenshot of ldp query result is shown as: 1> displayName: Phelps,K)
- Paste the attribute into the "Retrieve the device and name using the attribute
of" box.
- Click Test LDAP Authentication. Input your username and password.

And this is just the first part. I'll spare you the authentication manager
configuration part. Hopefully this will give you an idea of what the heck they
want!

Thanks

Alex


Re: [ActiveDir] ADFind Query

2006-08-14 Thread Matheesha Weerasinghe

You are right. The 0.99.1pre1 release of wireshark was borked. I tried
the latest release(Version 0.99.2) and it decodes correctly.

M@

On 8/15/06, joe [EMAIL PROTECTED] wrote:

You sure? That would be a client side item, not server side. I expect the
tool decoding the LDAP query may not be decoding properly.

I would recommend doing the query twice, once with wildcard, once without,
then look at the actual bytes representing the query and see if they are
identical. If the wildcard is truly being stripped, then they should be. If
not, then it is likely a decode issue and not all that unusual.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, August 14, 2006 6:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADFind Query

The wildcard char is stripped according to the network trace for W2K.
Hence the nosuchattribute result.

M@



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Netlogon and SYSVOL after Restore

2006-08-10 Thread Matheesha Weerasinghe
Check the File Replication Service event log for more details. This is a non-authoritative restore of FRS. So it is trying to sync with a replica to ensure the sysvol content is up to date. I assume you have more than one domain controller in this domain. Once it syncs, it will bring it online.

I've never worked with a single domain controller domain. But I'd expect it to be clever enough to know that if there is no other replica, to just come online as the non-auth restore is in effect an auth restore as well.

If you have more than one domain controller and you restore this on a network with no access to the repl partners, I don't think it will come online because it will never be able to reach a replica. Unless of course you chose the primary restore option for SYSVOL in which case it will just come online.

Post more details from the FRS event log if it doesn't come online.

Cheers

M@

On 8/10/06, Salandra, Justin A. [EMAIL PROTECTED] wrote:












We have restored a Domain Controller and on reboot we
noticed that the Netlogon, and the SYSVOL folders exists but are not shared. Is
this normal, should we share them out ourselves or will it happen
automatically?



Justin A. Salandra

MCSE Windows 2000  2003

Network and Technology Services Manager

Catholic Healthcare System

646.505.3681 - office

917.455.0110 - cell


[EMAIL PROTECTED]












Re: [ActiveDir] OT: Enterprise Terminal Server Licensing Server question

2006-08-07 Thread Matheesha Weerasinghe
If you look in the AD Delegation document
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3DisplayLang=en
it shows the adminSDHolder has permissions defined for the Terminal Server License Servers group. It's allowed to view a terminalServer attribute that is defined on the user object and hence inherited by other classes based on it such as computer. I am not aware of the importance of the terminalServer attribute. But judging by the MSDN explanation it looks like something maintained for backwards compatibility.

I can't view the site right now as it's blocked by my corp's net nanny software as an adults only site. Go figure! But I remember it said something about opaque data and Windows NT. I cannot see any harm with adding your license servers to the group. But then check with others before doing and test in a lab to see if there are any known issues.

Might want to read http://support.microsoft.com/kb/895151/en-us as well.

If you want some good details on terminal server licensing please refer to this doc
http://www.microsoft.com/windowsserver2003/techinfo/overview/termservlic.mspx here.

I have a domain based TS License server and it shows up just fine in lsview if launched from a machine in the same site as the license server. If launched from a different site I get the same results as yours. Green with no server names. I enabled the log file and configured lsview to check for a license server every 1 minute and all it's logged is checking the local machine to see if it's a domain license server. It's not so it failed. No messages about being able to find the correct domain license server.

If I do this on a machine in the same site as my domain license server, it immediately logs the fact that it found it. I don't have any enterprise license servers to test with so can't comment. I also haven't done any network traces either so I am not sure if it is indeed doing the license server discovery as a normal TS Client would at logon time. Might do later if I get the time.

Regards

M@

On 8/6/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:














Hi Freddy,

Thanks for the feedback. But I get the same result from the W2K lsview.exe. And this is running these tools
right on the license server/domain controller! I am thinking that I need to
manually populate the AD group Terminal Server Licensing Servers.
Conversely, I hate making changes when there are no known problems.



Mike Thommes











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddy HARTONO
Sent: Sunday, August 06, 2006 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Enterprise Terminal Server Licensing Server question





Hi Mike

I had the same problems in which I actually logged a PSS call on, try using the Windows 2000 Resource Kit version of lsview.exe and it works fine.

Basically if I remember this correctly using the Win2003 lsview.exe it will only detect it if your machine is in the same site as the TSLS server, if you are running the lsview on a machine that is outside the site, it wouldn't detect it.

No solution, fed up with the answers I was getting - closed the ticket (as I thought this only occurs in my ex company, apparently now I'm getting the same result as well)









Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
International SOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Saturday, August 05, 2006 5:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Enterprise Terminal Server Licensing Server question

Hi,


This is not causing any issues that I am aware of, but something does not seem
right. We set up two Enterprise Terminal Server Licensing Servers, both
DCs. They are both identified in CN=TS-Enterprise-License-Server,CN=site-name,CN=Sites,CN=Configuration,DC=something,DC=com
under the attribute siteServer. When
I run the GUI LSVIEW.EXE from the W2K3 ResKit,
nothing populates but the spotlight icon shows green
(ie, everything is hunky-dory). Some more research shows that the AD
group Terminal Server License Servers has *no* members! Would it make sense to
populate this group with the appropriate servers? Any idea why it
wouldn't have been populated in the first place?

TIA,

Mike Thommes











Re: [ActiveDir] LDAP Ping

2006-08-06 Thread Matheesha Weerasinghe
Nope. Me too. I know Tony said no "me too" posts but I can't help it here.

M@

On 8/6/06, Al Mulnick [EMAIL PROTECTED] wrote:

Am I the only one receiving blank messages from Mark?

On 8/4/06, Mark Parris [EMAIL PROTECTED] wrote:





Re: [ActiveDir] LDAP Ping

2006-08-04 Thread Matheesha Weerasinghe
Why not use ldp.exe and just try connecting? Or you could also use adfind and do a rootDSE lookup when you want at regular intervals and check the output?
Well, it's what I'd do. But someone may have a better suggestion. I'd run a netmon/ethereal/wireshark session as well to see what happens when the ldap open/bind is done.

Cheers

M@
On 8/4/06, Bahta, Nathaniel V CTR USAF NASIC/SCNA [EMAIL PROTECTED] wrote:



Hey all,

Does anyone know of a command line utility that allows you to test LDAP connections? We have a DC that hangs but remains pingable, and I would like to do LDAP pings to it as well as RPC pings. I know about the RPC ping utility, but I wanted to test for LDAP connectivity as well. Does anyone know of a utility like this?



Thanks,

Nate
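The rootDSE poll Matheesha suggests, as an added example rather than anything posted in the thread: instead of adfind or ldp.exe it uses the .NET System.DirectoryServices.Protocols LDAP client so the check can be scheduled and its result logged. Anonymous RootDSE reads are allowed by default on a DC, so no credentials are needed, and a short timeout turns a hung-but-pingable DC into an explicit failure. The DC name, interval and timeout are placeholders.

```powershell
# Added example (not from the list post): poll a DC's RootDSE over LDAP so a
# "pingable but hung" DC shows up as an LDAP failure rather than a healthy host.
# Assumes System.DirectoryServices.Protocols (any Windows box); $DcName is a placeholder.
param(
    [string]$DcName = 'dc01.example.com',   # placeholder, replace with your DC
    [int]$TimeoutSeconds = 5,
    [int]$IntervalSeconds = 60,
    [int]$Count = 1
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapRootDse {
    param([string]$Server, [int]$Timeout)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous  # RootDSE is readable anonymously
    $conn.Timeout  = [TimeSpan]::FromSeconds($Timeout)                         # hung DC -> timeout, not a hang
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # Base-scope search of the empty DN = RootDSE; ask for the attributes that say
        # the DC has finished its initial sync and what time it thinks it is.
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $null, '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base,
            [string[]]@('isSynchronized', 'currentTime', 'dnsHostName'))
        $resp = $conn.SendRequest($req)
        $sw.Stop()
        $e = $resp.Entries[0]
        [pscustomobject]@{
            Server         = $Server
            LdapOk         = $true
            IsSynchronized = [string]$e.Attributes['isSynchronized'][0]
            CurrentTime    = [string]$e.Attributes['currentTime'][0]
            Milliseconds   = $sw.ElapsedMilliseconds
            Error          = $null
        }
    } catch {
        $sw.Stop()
        [pscustomobject]@{
            Server = $Server; LdapOk = $false; IsSynchronized = $null; CurrentTime = $null
            Milliseconds = $sw.ElapsedMilliseconds; Error = $_.Exception.Message
        }
    } finally {
        $conn.Dispose()
    }
}

# Poll loop; one line per probe, suitable for a scheduled task that appends to a log
for ($i = 1; $i -le $Count; $i++) {
    $r = Test-LdapRootDse -Server $DcName -Timeout $TimeoutSeconds
    '{0:s} {1} ldap={2} sync={3} {4}ms {5}' -f (Get-Date), $r.Server, $r.LdapOk, $r.IsSynchronized, $r.Milliseconds, $r.Error
    if ($i -lt $Count) { Start-Sleep -Seconds $IntervalSeconds }
}
```

A DC that answers ICMP but not this probe within the timeout is exactly the case Nate's monitoring misses; isSynchronized = FALSE on a DC that answers means it is up but still not ready to serve logons, which a bare TCP connect to 389 would also not reveal.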


Re: [ActiveDir] LDAP Ping

2006-08-04 Thread Matheesha Weerasinghe
But you are troubleshooting it right? ;-)

Cheers

M@
On 8/4/06, Bahta, Nathaniel V CTR USAF NASIC/SCNA [EMAIL PROTECTED] wrote:



It's not for troubleshooting, it's so we can tell when the DC is hung; you can't tell when it's hung because our monitoring software only pings by IP and it responds. If it replies, I know it can serve LDAP queries, and then I can RPC ping it and make sure that authentication requests will be answered. It's just to do a quick check of what's going on first thing in the morning.


Nate


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 04, 2006 9:14 AM

To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Ping


So you ldap ping the DC and it replies or it does not. What does this tell you? How does it help troubleshoot the issue?

I'd suggest more detailed tools are needed such as network / packet sniffers etc. They should be able to build a picture of the situation better than a ping which offers little more than a 'yes/no' response. 


My 2 penneth :)

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA
Sent: 04 August 2006 13:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP Ping

Hey all,

Does anyone know of a command line utility that allows you to test LDAP connections? We have a DC that hangs but remains pingable, and I would like to do LDAP pings to it as well as RPC pings. I know about the RPC ping utility, but I wanted to test for LDAP connectivity as well. Does anyone know of a utility like this?



Thanks,

Nate
PLEASE READ: The information contained in this email is confidential and 
intended for the named recipient(s) only. If you are not an intended 
recipient of this email please notify the sender immediately and delete your 
copy from your system. You must not copy, distribute or take any further 
action in reliance on it. Email is not a secure method of communication and 
Nomura International plc ('NIplc') will not, to the extent permitted by law, 
accept responsibility or liability for (a) the accuracy or completeness of, 
or (b) the presence of any virus, worm or similar malicious or disabling 
code in, this message or any attachment(s) to it. If verification of this 
email is sought then please request a hard copy. Unless otherwise stated 
this email: (1) is not, and should not be treated or relied upon as, 
investment research; (2) contains views or opinions that are solely those of 
the author and do not necessarily represent those of NIplc; (3) is intended 
for informational purposes only and is not a recommendation, solicitation or 
offer to buy or sell securities or related financial instruments. NIplc 
does not provide investment services to private customers. Authorised and 
regulated by the Financial Services Authority. Registered in England 
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, 
London, EC1A 4NP. A member of the Nomura group of companies. 



Re: [ActiveDir] Using a secret administrator account

2006-08-04 Thread Matheesha Weerasinghe
Well from what I've understood, I don't think your secret administrator is going to be useful in scenarios where you get issues with token limits. In those instances, the only account that is guaranteed to work is the default built-in administrator account. Even if it's disabled, you can still use it in Safe Mode with Networking. Check
http://www.microsoft.com/downloads/details.aspx?familyid=22dd9251-0781-42e6-9346-89d577a3e74adisplaylang=en
for details. Instead you should look to reducing the number of domain administrators in the domain and limiting them to a few trusted users. Auditing will show when passwords are changed on the default administrator account.
HTH

M@

On 8/4/06, Isenhour, Joseph [EMAIL PROTECTED] wrote:

What is the general consensus on the use of back up admin accounts? This is an account that is hidden to most users and has elevated privileges in the domain. The purpose of the account is to be able to quickly react to an attack on the Domain Admin accounts either by a malicious user, or a bug in a process. The built in Administrator account is a huge target and it's easy to find even if you rename it. It can't be deleted but the password can be changed which can cause a lot of trouble. That's why I'm starting to think about this.

Thanks

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
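Matheesha's two recommendations, fewer Domain Admins and auditing of the built-in account, as one script; this is an added example, not code from the thread. It resolves both the Domain Admins group and the built-in Administrator by well-known RID (512 and 500) so renaming does not matter, lists the effective nested membership, flags a recent password change on RID 500 from the account itself, and then reads the matching password-change and password-reset events from one DC's Security log. It assumes the ActiveDirectory module, that Account Management auditing is on, and a 2008-or-later DC for the event IDs (4723/4724); the DC to query and the lookback window are placeholders.

```powershell
# Added example (not from the list post): inventory effective Domain Admins and
# watch the built-in Administrator (RID 500) for password changes, from the account
# and from the Security log. Assumes the ActiveDirectory module, Account Management
# auditing enabled, and 2008+ event IDs. $Dc and $LookbackDays are placeholders.
param(
    [int]$LookbackDays = 7,
    [string]$Dc = $null        # DC whose Security log to read; default: discovered PDC
)
Import-Module ActiveDirectory

if (-not $Dc) { $Dc = (Get-ADDomainController -Discover -Service PrimaryDC).HostName }

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value
$sid500    = "$domainSid-500"     # built-in Administrator, stable across renames
$sid512    = "$domainSid-512"     # Domain Admins, stable across localisation/renames

$builtin = Get-ADUser -Identity $sid500 -Properties PasswordLastSet, Enabled, whenChanged

# Effective (nested) user members of Domain Admins
$das = Get-ADGroupMember -Identity $sid512 -Recursive |
       Where-Object { $_.objectClass -eq 'user' } |
       Get-ADUser -Properties PasswordLastSet, LastLogonDate, Enabled

"Effective Domain Admins: $(@($das).Count)"
$das | Sort-Object SamAccountName |
    Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate |
    Format-Table -AutoSize

"Built-in Administrator is '$($builtin.SamAccountName)': enabled=$($builtin.Enabled) passwordLastSet=$($builtin.PasswordLastSet)"
if ($builtin.PasswordLastSet -gt (Get-Date).AddDays(-$LookbackDays)) {
    Write-Warning "RID-500 password changed within the last $LookbackDays days; confirm it was authorised"
}

# Who changed it: 4723 = user changed own password, 4724 = reset by an administrator.
# Each DC logs only the changes it processed, so in practice loop over all DCs or
# use the SIEM; one DC is queried here to keep the example short.
$filter = @{ LogName = 'Security'; Id = 4723, 4724; StartTime = (Get-Date).AddDays(-$LookbackDays) }
$events = Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    $data    = ([xml]$ev.ToXml()).Event.EventData.Data
    $target  = ($data | Where-Object Name -eq 'TargetUserName').'#text'
    $subject = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
    if ($target -ieq $builtin.SamAccountName) {
        '{0:s} event {1}: password of {2} changed/reset by {3}' -f $ev.TimeCreated, $ev.Id, $target, $subject
    }
}
```

Run it on a schedule and diff the Domain Admins list against the previous run; the RID-500 warning is the signal Joseph wants to react to, and the event rows tell you which account did it.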


Re: [ActiveDir] OT: NTLM troubleshooting info

2006-08-02 Thread Matheesha Weerasinghe
Many thanks for the link mate.

M@
On 8/1/06, Kitchens Arthur E [EMAIL PROTECTED] wrote:



There is at least some documentation on this found at
http://davenport.sourceforge.net/ntlm.html
. I'm not sure if it will meet your needs or not. I think there are some others around as well.



From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, August 01, 2006 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: NTLM troubleshooting info


Thanks. It probably will help to some extent at least to see what traffic happens between a client and a server. I was hoping for some nice reading material too.

Cheers

M@
On 8/1/06, Kitchens Arthur E [EMAIL PROTECTED]
 wrote: 



might sspi_workbench (from technet) be useful for this?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, August 01, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: NTLM troubleshooting info


Guys

Does anyone have any good resources on troubleshooting NTLM? I've emailed technet mag as they posted the recent article by Jesper. I've also asked a couple of MSFT bloggers but haven't heard a peep yet.

I would appreciate it if you guys can help. Basically I am looking at an issue where NTLM authentication sometimes works and other times doesn't. The issue was major as the resource accessed was a W2K cluster where Kerberos wasn't enabled on the virtual server. Now that it is, everything is great. But as I haven't done anything to fix the NTLM authentication issues (none that I am aware of ;0)), fallback to NTLM may or may not work. I am pretty convinced it's an issue with the software firewall on the PC while on a VPN connection.


Ideally I am looking for some nice troubleshooting guide like they currently have for Kerberos. I would like to tie in what I see in network traces to something in a guide.

Cheers

M@




Re: [ActiveDir] DNS oddities?

2006-08-01 Thread Matheesha Weerasinghe
Ha ha!

So would I be correct in assuming netlogon registers _ldap _gc records and KDC registers _kerberos and _kpasswd records and dhcpclient does the A record etc.. or am I way off?

Cheers

M@
On 8/1/06, joe [EMAIL PROTECTED] wrote:




 If it works for a subset of records, why not for all?


Subsets of records are probably working because you have different services responsible for the different records which also means different SPNs used to generate the kerberos tickets for the services.




 Just would have been nice to see some consistency in the results.



Oh now you are just asking for the moon ;o)



--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm





From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 31, 2006 7:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS oddities?

Thanks Dean. I didn't quite understand your explanation of the tokens for the DHCP client service. If it works for a subset of records, why not for all?

Anyway, I tried repro'ing. The first time I tried, none of your recommendations worked other than ipconfig /registerdns. I deleted the zone on the parent, recreated a secure-update zone and rebooted the DC. None of the records were registered and all were rejected according to the network trace. Restarting the DHCP client fixed it this time even though it didn't before. Once the box was up, I deleted the zone and restarted the DHCP client. It did the A record but not the SRV records (excluding the ones beneath _msdcs, which was in a different zone and I didn't clean them up). Restarting netlogon fixed that. So it looks like a combination of restarting both netlogon and the DHCP client is required. Then I deleted and recreated the zone and restarted the client DC. All DDNS update records were refused. Restarting the DHCP client was also not working, with all records refused. After a while some of the records appeared, minus the A record. Restarted the DHCP client again and the A record appeared.

However, hosting the child domain's zone on the child DC doesn't seem to cause any issues. I know what's required to fix it. Thanks for the further clarification. Just would have been nice to see some consistency in the results.
M@
On 7/30/06, Dean Wells [EMAIL PROTECTED]
 wrote: 




I bugged the behavior many moons ago … to my knowledge, no fix has appeared as yet. The precise cause escapes me but IIR it was related to the ticket/token attached to the DHCP client service on the newly-born domain's DC. Two immediate solutions exist - 


1. reboot the new DC one more time 

2. or -
a. temporarily configure the zone to permit non-secure updates 

b. on the new DC, run ipconfig /registerdns or restart the DHCP client


HTH 






--Dean Wells
MSEtechnology*
 Email: [EMAIL PROTECTED]
http://msetechnology.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Sunday, July 30, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS oddities?

All

Can someone please explain the following observation?

Installed a new R2 DC forest with one DC/DNS. Created a new DNS zone for use by a child domain (yet to be created). The zone is replicated to all domain controllers of the root domain. Enabled secure dynamic update only.
Installed a new child domain and pointed to root domain DC/DNS. All records required were created apart from the A record for the child DC. How come it can create all records other than the A record? If I delete the child domain's zone from the parent domain DC/DNS server, and recreate it, then use netdiag /test:dns /fix on the child DC, it does the same. Creates all records except for the A.
I am puzzled: if the secure dynamic updates allow all these records to be created, what's up with the A record? Also netdiag /test:dns on the child DC reports everything as OK even though the A record is missing in the child domain zone.

Thoughts?

Cheers

M~




Re: [ActiveDir] DNS oddities?

2006-08-01 Thread Matheesha Weerasinghe
Thanks Neil. That makes a lot of sense.

Cheers

M@
On 8/1/06, [EMAIL PROTECTED] [EMAIL PROTECTED]
 wrote:



netlogon is responsible for all SRV records and the DHCP client is responsible for the A record.

neil



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: 01 August 2006 09:53
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS oddities?



Ha ha!

So would I be correct in assuming netlogon registers _ldap _gc records and KDC registers _kerberos and _kpasswd records and dhcpclient does the A record etc.. or am I way off?

Cheers

M@
On 8/1/06, joe [EMAIL PROTECTED] wrote:
 




 If it works for a subset of records, why not for all?


Subsets of records are probably working because you have different services responsible for the different records which also means different SPNs used to generate the kerberos tickets for the services. 




 Just would have been nice to see some consistency in the results.
 


Oh now you are just asking for the moon ;o)



--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm





From: [EMAIL PROTECTED] [mailto:
 [EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 31, 2006 7:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS oddities?

Thanks Dean. I didn't quite understand your explanation of the tokens for the DHCP client service. If it works for a subset of records, why not for all?

Anyway, I tried repro'ing. The first time I tried, none of your recommendations worked other than ipconfig /registerdns. I deleted the zone on the parent, recreated a secure-update zone and rebooted the DC. None of the records were registered and all were rejected according to the network trace. Restarting the DHCP client fixed it this time even though it didn't before. Once the box was up, I deleted the zone and restarted the DHCP client. It did the A record but not the SRV records (excluding the ones beneath _msdcs, which was in a different zone and I didn't clean them up). Restarting netlogon fixed that. So it looks like a combination of restarting both netlogon and the DHCP client is required. Then I deleted and recreated the zone and restarted the client DC. All DDNS update records were refused. Restarting the DHCP client was also not working, with all records refused. After a while some of the records appeared, minus the A record. Restarted the DHCP client again and the A record appeared.

However, hosting the child domain's zone on the child DC doesn't seem to cause any issues. I know what's required to fix it. Thanks for the further clarification. Just would have been nice to see some consistency in the results.
M@
On 7/30/06, Dean Wells [EMAIL PROTECTED] 
 wrote: 




I bugged the behavior many moons ago … to my knowledge, no fix has appeared as yet. The precise cause escapes me but IIR it was related to the ticket/token attached to the DHCP client service on the newly-born domain's DC. Two immediate solutions exist - 


1. reboot the new DC one more time 

2. or -
a. temporarily configure the zone to permit non-secure updates  

b. on the new DC, run ipconfig /registerdns or restart the DHCP client 


HTH 






--Dean Wells
MSEtechnology*
 Email: [EMAIL PROTECTED]
http://msetechnology.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Sunday, July 30, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS oddities?

All

Can someone please explain the following observation?

Installed a new R2 DC forest with one DC/DNS. Created a new DNS zone for use by a child domain (yet to be created). The zone is replicated to all domain controllers of the root domain. Enabled secure dynamic update only.
Installed a new child domain and pointed to root domain DC/DNS. All records required were created apart from the A record for the child DC. How come it can create all records other than the A record? If I delete the child domain's zone from the parent domain DC/DNS server, and recreate it, then use netdiag /test:dns /fix on the child DC, it does the same. Creates all records except for the A.
I am puzzled: if the secure dynamic updates allow all these records to be created, what's up with the A record? Also netdiag /test:dns on the child DC reports everything as OK even though the A record is missing in the child domain zone.

Thoughts?

Cheers

M~




[ActiveDir] OT: NTLM troubleshooting info

2006-08-01 Thread Matheesha Weerasinghe
Guys

Does anyone have any good resources on troubleshooting NTLM? I've emailed technet mag as they posted the recent article by Jesper. I've also asked a couple of MSFT bloggers but haven't heard a peep yet.

I would appreciate it if you guys can help. Basically I am looking at an issue where NTLM authentication sometimes works and other times doesn't. The issue was major as the resource accessed was a W2K cluster where Kerberos wasn't enabled on the virtual server. Now that it is, everything is great. But as I haven't done anything to fix the NTLM authentication issues (none that I am aware of ;0)), fallback to NTLM may or may not work. I am pretty convinced it's an issue with the software firewall on the PC while on a VPN connection.


Ideally I am looking for some nice troubleshooting guide like they currently have for Kerberos. I would like to tie in what I see in network traces to something in a guide.

Cheers

M@


Re: [ActiveDir] OT: NTLM troubleshooting info

2006-08-01 Thread Matheesha Weerasinghe
Thanks. It probably will help to some extent at least to see what traffic happens between a client and a server. I was hoping for some nice reading material too.

Cheers

M@
On 8/1/06, Kitchens Arthur E [EMAIL PROTECTED] wrote:



might sspi_workbench (from technet) be useful for this?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Tuesday, August 01, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: NTLM troubleshooting info


Guys

Does anyone have any good resources on troubleshooting NTLM? I've emailed technet mag as they posted the recent article by Jesper. I've also asked a couple of MSFT bloggers but haven't heard a peep yet.

I would appreciate it if you guys can help. Basically I am looking at an issue where NTLM authentication sometimes works and other times doesn't. The issue was major as the resource accessed was a W2K cluster where Kerberos wasn't enabled on the virtual server. Now that it is, everything is great. But as I haven't done anything to fix the NTLM authentication issues (none that I am aware of ;0)), fallback to NTLM may or may not work. I am pretty convinced it's an issue with the software firewall on the PC while on a VPN connection.


Ideally I am looking for some nice troubleshooting guide like they currently have for Kerberos. I would like to tie in what I see in network traces to something in a guide.

Cheers

M@



Re: [ActiveDir] DNS suffix resolution..

2006-07-31 Thread Matheesha Weerasinghe
I assume you are using WINS and the DCs of child and parent domains are registered there. Therefore the NetBIOS names are resolving.

What happens when you try to ping the FQDN of the child domain server? Does that work? I think your issue is you want the child domain suffix to be appended automatically. My understanding is that it doesn't happen by default. However the reverse is true. If you are in a child domain and ping or attempt to resolve a name, it tries its own domain suffix before attempting to append the parent domain suffixes. This is true as long as you haven't disabled the default behaviour, haven't modified this through GPOs etc...


You can also specify a list of search suffixes to go through in a certain order if you wish.
M@
On 7/30/06, HBooGz [EMAIL PROTECTED] wrote:

I have a forest with one forest root and one child domain. The child domain is running Windows 2000 SP4 and the HQ sites are running Windows 2003 R2 Standard. I have the child domain controller set up as an AD-integrated zone and I have the 2003 DNS servers set up to receive that zone as a secondary zone.

If I don't include the suffix search order on the NIC cards' DNS entry page, I just resolve the NetBIOS names of the hosts at the remote site. For example:
hq = company.com
child domain = sales.company.com
When I initiate a ping from any host at HQ to a host in the child domain I only resolve the NetBIOS name.

How can I resolve this? I've tried setting up DNS name delegation in the past when I was running a full 2000 domain, but that name resolution never worked right and it wasn't timely.

thanks,
-- 
HBooGz:\


Re: [ActiveDir] DNS oddities?

2006-07-31 Thread Matheesha Weerasinghe
Thanks Dean. I didn't quite understand your explanation of the tokens for the DHCP client service. If it works for a subset of records, why not for all?

Anyway, I tried repro'ing. The first time I tried, none of your recommendations worked other than ipconfig /registerdns. I deleted the zone on the parent, recreated a secure-update zone and rebooted the DC. None of the records were registered and all were rejected according to the network trace. Restarting the DHCP client fixed it this time even though it didn't before. Once the box was up, I deleted the zone and restarted the DHCP client. It did the A record but not the SRV records (excluding the ones beneath _msdcs, which was in a different zone and I didn't clean them up). Restarting netlogon fixed that. So it looks like a combination of restarting both netlogon and the DHCP client is required. Then I deleted and recreated the zone and restarted the client DC. All DDNS update records were refused. Restarting the DHCP client was also not working, with all records refused. After a while some of the records appeared, minus the A record. Restarted the DHCP client again and the A record appeared.

However, hosting the child domain's zone on the child DC doesn't seem to cause any issues. I know what's required to fix it. Thanks for the further clarification. Just would have been nice to see some consistency in the results.

M@

On 7/30/06, Dean Wells [EMAIL PROTECTED] wrote:

I bugged the behavior many moons ago … to my knowledge, no fix has appeared as yet. The precise cause escapes me but IIRC it was related to the ticket/token attached to the DHCP client service on the newly-born domain's DC. Two immediate solutions exist -

1. reboot the new DC one more time
2. or -
 a. temporarily configure the zone to permit non-secure updates
 b. on the new DC, run ipconfig /registerdns or restart the DHCP client

HTH

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Sunday, July 30, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS oddities?

All

Can someone please explain the following observation?

Installed a new R2 DC forest with one DC/DNS. Created a new DNS zone for use by a child domain (yet to be created). The zone is replicated to all domain controllers of the root domain. Enabled secure dynamic update only.
Installed a new child domain and pointed to root domain DC/DNS.

All records required were created apart from the A record for the child DC. How come it can create all records other than the A record? If I delete the child domain's zone from the parent domain DC/DNS server, and recreate it, then use netdiag /test:dns /fix on the child DC, it does the same. Creates all records except for the A.

I am puzzled: if the secure dynamic updates allow all these records to be created, what's up with the A record?

Also netdiag /test:dns on the child DC reports everything as OK even though the A record is missing in the child domain zone.

Thoughts?

Cheers

M~
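The split Neil gives earlier in this thread (Netlogon registers the SRV records, the DHCP Client service registers the A record) and the restart sequence worked out in this message suggest a check that reports missing DC records by the service that owns them. The script below is an added example, not code from the thread: it queries the zone's DNS server directly for the SRV records a DC must publish under the domain and its dc._msdcs subtree plus the DC's own A record, then maps whatever is missing to the service to restart. The DC, zone and DNS server names are placeholders, and it assumes Resolve-DnsName (the DnsClient module, Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the list thread): check the records a DC registers in its
# domain zone, grouped by the service that registers them (Netlogon -> SRV,
# DHCP Client -> A), and say which service to restart for what is missing.
# $DcFqdn, $DomainDns and $DnsServer are placeholders; needs Resolve-DnsName.
param(
    [string]$DcFqdn    = 'dc1.child.example.com',   # placeholder: the DC being checked
    [string]$DomainDns = 'child.example.com',       # placeholder: the DC's domain zone
    [string]$DnsServer = 'dc1.root.example.com'     # placeholder: server hosting that zone
)

function Test-DcDnsRegistration {
    param([string]$Dc, [string]$Zone, [string]$Server)
    # The records Netlogon writes (a representative subset) and the one the DHCP Client writes
    $checks = @(
        @{ Name = "_ldap._tcp.$Zone";               Type = 'SRV'; Owner = 'Netlogon' },
        @{ Name = "_kerberos._tcp.$Zone";           Type = 'SRV'; Owner = 'Netlogon' },
        @{ Name = "_kpasswd._tcp.$Zone";            Type = 'SRV'; Owner = 'Netlogon' },
        @{ Name = "_ldap._tcp.dc._msdcs.$Zone";     Type = 'SRV'; Owner = 'Netlogon' },
        @{ Name = "_kerberos._tcp.dc._msdcs.$Zone"; Type = 'SRV'; Owner = 'Netlogon' },
        @{ Name = $Dc;                              Type = 'A';   Owner = 'DHCP Client' }
    )
    foreach ($c in $checks) {
        # Ask the authoritative server directly (-DnsOnly skips the local cache/LLMNR/NetBIOS)
        $rr = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $Server -DnsOnly -ErrorAction SilentlyContinue
        $present = switch ($c.Type) {
            # An SRV name is shared by all DCs; it counts only if one of its targets is this DC
            'SRV' { @($rr | Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -ieq $Dc }).Count -gt 0 }
            'A'   { @($rr | Where-Object { $_.Type -eq 'A' }).Count -gt 0 }
        }
        [pscustomobject]@{ Record = $c.Name; Type = $c.Type; RegisteredBy = $c.Owner; Present = $present }
    }
}

$results = Test-DcDnsRegistration -Dc $DcFqdn -Zone $DomainDns -Server $DnsServer
$results | Format-Table -AutoSize

# Map missing records back to the owning service; the repro above showed the two
# services fail independently, so both restarts may be needed.
$missing = $results | Where-Object { -not $_.Present } | Group-Object RegisteredBy
foreach ($g in $missing) {
    $svc = if ($g.Name -eq 'Netlogon') { 'Netlogon' } else { 'Dhcp' }
    "Missing $($g.Count) record(s) registered by $($g.Name): on $DcFqdn run 'Restart-Service $svc'" +
        $(if ($svc -eq 'Dhcp') { " (or ipconfig /registerdns)" } else { "" })
}
```

Querying the server that hosts the zone rather than the DC's own resolver matters here: with secure dynamic update on the parent's copy of the child zone, a refused update is invisible from the child DC, which is why netdiag in the original post reported everything as fine.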












Re: [ActiveDir] [OT] Can I add an index in AD using an LDIF file?

2006-07-30 Thread Matheesha Weerasinghe
I hear Bill and Melinda are very charitable. Not sure if they'd wanna adopt a 6 foot 1 uber geek though. ;-)

M@

On 7/29/06, joe [EMAIL PROTECTED] wrote:




LOL. This was catch-up week. I took it off from work and ran around the house getting stuff fixed up etc and was only so-so watching email. I also went to Cedar Point but that was quite the let down. It has gotten pretty run down and the clientele is interesting now to say the least. Kind of sad as it can be an incredibly fun place. Anyway, when my task list in OneNote starts causing memory paging on my PC I figure I need to do a little catch-up and take off time so I don't have any distractions so I can do so.


Now I am sitting here, resting up from putting down some 
more grass seed and fertilizer in the 98 degree (37C for you metric folks) 
weather sucking down a rootbeer float and not looking forward to going back to 
work on Monday. I need to be independently wealthy already. I need to go find 
and adopt some rich parents.

 joe


--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, July 28, 2006 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Can I add an index in AD using an LDIF file?

Hey, I can post this one ahead of joe? joe must be busy or somethin' 
:)

I believe this is what you're looking for: 

http://rallenhome.com/books/adcookbook/code.html

(see chapter 10 section for the vbs, ldif, and perl 
sections)
On 7/28/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

  
  
I realise I could do this via the UI but I want to create a single LDIF which will:

1. Add new attributes
2. Make new attributes available to User class
3. Add new indexes

The last point evades me so far and the RFC appears to indicate that this is not supported(?)

Any ideas?

neil
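Neil's third item is not an LDIF extension at all: in AD, "indexed" is bit 0 (value 1, fATTINDEX) of the searchFlags attribute on the attributeSchema object, so the UI checkbox is an ordinary LDIF modify of that integer. The script below is an added example, not Al's cookbook code and not from the thread: it looks the attribute up on the schema master, ORs in the index bit so any other flags (ANR, tuple index, and so on) survive, and writes the equivalent modify to an .ldf file for ldifde. The attribute name is a placeholder; it assumes the ActiveDirectory module and Schema Admins rights.

```powershell
# Added example (not from the thread): make an attribute indexed by setting the
# index bit (1) of searchFlags on its attributeSchema object, preserving other bits,
# and emit the equivalent LDIF for 'ldifde -i -f index.ldf'.
# Assumes the ActiveDirectory module and Schema Admins; $AttrLdapName is a placeholder.
param([string]$AttrLdapName = 'myCompany-EmployeeBadge')   # placeholder attribute

Import-Module ActiveDirectory

$INDEXED = 1   # fATTINDEX; other searchFlags bits (e.g. ANR = 4) must be kept

# Schema writes must go to the schema master, so target it explicitly
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNc     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

$attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNc `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttrLdapName))" `
    -Properties searchFlags
if (-not $attr) { throw "attributeSchema object for '$AttrLdapName' not found" }

$current = [int]$attr.searchFlags
$new     = $current -bor $INDEXED
$already = [bool]($current -band $INDEXED)
"searchFlags for $AttrLdapName : current=$current new=$new (already indexed: $already)"

# LDIF 'replace' carries the OR-ed value, so existing flags are not clobbered.
# The trailing '-' line terminates the modify; ldifde requires it.
$ldif = @"
dn: $($attr.DistinguishedName)
changetype: modify
replace: searchFlags
searchFlags: $new
-

"@
Set-Content -Path .\index.ldf -Value $ldif -Encoding ASCII
"Wrote .\index.ldf; apply with: ldifde -i -f index.ldf -s $schemaMaster"

# Equivalent direct change from PowerShell, if ldifde is not wanted:
# Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName -Replace @{ searchFlags = $new }
```

The same file can carry the attribute creation (changetype: add) and the mayContain change on the User class ahead of this modify; the index is built by each DC after the change replicates, so a large directory will take a while to show it.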
  
  




[ActiveDir] DNS oddities?

2006-07-30 Thread Matheesha Weerasinghe
All

Can someone please explain the following observation?

Installed a new R2 DC forest with one DC/DNS. Created a new DNS zone for use by a child domain (yet to be created). The zone is replicated to all domain controllers of the root domain. Enabled secure dynamic update only.
Installed a new child domain and pointed to root domain DC/DNS. All records required were created apart from the A record for the child DC. How come it can create all records other than the A record? If I delete the child domain's zone from the parent domain DC/DNS server, and recreate it, then use netdiag /test:dns /fix on the child DC, it does the same. Creates all records except for the A.
I am puzzled: if the secure dynamic updates allow all these records to be created, what's up with the A record? Also netdiag /test:dns on the child DC reports everything as OK even though the A record is missing in the child domain zone.

Thoughts?

Cheers

M~


Re: [ActiveDir] R2 In-Place Upgrade bug ?

2006-07-29 Thread Matheesha Weerasinghe
So it works while it's W2K3 SP1 but then breaks once upgraded to R2? What did you mean by incoming connections? Did you just mean ICMP, or actual connections like to certain services? Are the other DCs allowing incoming ICMP echo requests and allowing replies out? Are they also W2K3 SP1?

I assume there is no other firewall software from third-party AV or anything else installed. Just an idea: is it worth checking rsop.msc for Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile and Standard Profile/Allow ICMP exceptions?

Sounds to me like the Security Configuration Wizard was run on it. I'd wait for someone more knowledgeable to say something if I were you ;-) Still, it doesn't hurt to check.

Cheers

M@
On 7/29/06, HBooGz [EMAIL PROTECTED] wrote:
Morning to all -

I just spent the last 6 hours with the Dell Gold software support team trying to figure out the following occurrence:

The upgraded R2 DC does not accept incoming connections, but it appears it accepts certain connections, particularly those related to directory services.
e.g. telnet server ip 389 from the mail server works. \\serverip or servername brings up the shared printers and folders perfectly.

Outbound traffic and ICMP work fine; inbound ICMP returns a time out.

Scenario:
Windows 2000 SP4 DC in-place upgrade to Windows 2003 SP1 then upgrade to R2.
Connections to and from the box were fine on 2003 SP1.
Downgraded NIC drivers to match the other R2 DC on identical server hardware/model.
Installed new NIC drivers and PROSet.
Upgraded to R2.
Rebooted and noticed a ton of errors with services hanging upon boot.
Checked connection to the box from workstations and servers, but all requests timed out.
I made sure ICF was disabled.
I disabled IPSEC and entered a DWORD value for ProhibitIpSec - nothing.
I then enabled ICF and configured exceptions, explicitly allowing ICMP, and still nothing.
Reset the TCP/IP stack and Winsock using netsh, nothing.
Server has two NICs, one of which is disabled. Changed binding order so the active one is on top -- nothing.
Reinstalled the binaries of Windows 2003 SP1 and upgraded to R2 again -- nothing.
I'm at a loss for ideas and sure could use the vast resources the contributors of this group may have or know of.

Thanks,
-- 
HBooGz:\




Re: [ActiveDir] R2 In-Place Upgrade bug ?

2006-07-29 Thread Matheesha Weerasinghe
I don't think it's SCW anymore. Admittedly I haven't used SCW but I am aware of it. If policies were applied, the change logs will be in %windir%\security\msscw\ChangeConfigurationLogs. If I understand correctly, port 445 must be open because your file shares and the like are accessible. According to the GPO help docs that means ICMP is also allowed by the server:

 Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound echo requests, even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.

When you say you can't ping from the main office, are you talking of workstations/servers that belong to the same subnet as the DC they are pinging? I assume you did a trace to see ICMP coming into the server and whether it's leaving the server.

I'm curious now as to what's happening.

M@

On 7/29/06, HBooGz [EMAIL PROTECTED] wrote:

I applied no post-SP1 fixes, but I would imagine it's worth a try. Do you guys want to hear something even more mind-boggling?

I can ping the server from workstations outside the main office!!! I've remotely connected to workstations at our IPSEC VPNs to test login times and email access, and pinged the problematic server just fine!!!

arghhh

Matheesha: by incoming connections I mean services that somehow are not defined to the server. I run a repadmin /replsum from another DC and it shows no errors. I run a dcdiag /s:problemserver with no problem. So it means that directory service traffic is allowed, but when I try to DameWare (TCP port 6129) to the machine it times out, and when I try to ping the box I get nothing from the main office!

I checked the IPSEC domain and standard profile and made sure no IPSEC policies were applied. If it's the SCW -- how do I look at it? Could it someway be my Checkpoint firewall at the local site? How in the world can it accept ICMP from other workstations (Win2k Pro) at my remote VPN sites?
On 7/29/06, Kurt Falde [EMAIL PROTECTED] wrote:

Did you apply the post SP1 security hotfixes? I know there are a couple of updates for tcpip.sys which fix issues which will cause AD repl issues from a couple times in the field. Check out http://support.microsoft.com/kb/898060 or for the latest tcpip.sys http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx.

Kurt Falde

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
Sent: Saturday, July 29, 2006 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 In-Place Upgrade bug ?

Morning to all -

I just spent the last 6 hours with dell gold software support team trying to
figure out the following occurrence:

The upgraded R2 DC does not accept incoming connections, but it appears it
accepts certain connections. Particularly those related to directory services.
e.g. telnet server ip 389 from
the mail server works. \\serverip or
servername brings up the shared printers and folders perfectly.

outbound traffic and icmp works fine, inbound icmp returns a time out.

scenario:

Windows 2000 SP4 DC in-place upgrade to windows 2003 SP1 then upgrade to R2.
connections to and from box were fine on 2003 sp1. 
downgraded NIC drivers to match other r2 DC on identical server hardware/model
installed new nic drivers and proset
upgraded to R2.
rebooted and noticed a ton of errors with services hanging upon boot.
checked connection to the box from workstations and servers, but all requests
timed out. 
i made sure ICF was disabled.
i disabled IPSEC and entered dword value for ProhibitIpSec - nothing
i then enabled ICF configured exceptions - explicitly allowing ICMP, and still
nothing.
reset the TCP/ip stack and winsock using netsh, nothing 
server has two nics, one of which is disabled. changed binding order so active
is on top -- nothing
reinstalled the binaries of windows 2003 sp1 and upgraded to r2 again --
nothing.

i'm at a loss of ideas and sure could use the vast resources the contributors of
this group may have or know of.

Thanks,

-- 
HBooGz:\

-- HBooGz:\
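The GPO note Matheesha quotes above (any policy setting that opens TCP 445 also admits inbound echo requests, whatever "Allow ICMP exceptions" says) is easy to misread while troubleshooting, so here is an added example, not from the thread, that evaluates that rule against the policy values a domain firewall GPO writes. It assumes the legacy (XP SP2 / 2003 SP1) registry layout produced by WindowsFirewall.adm under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile> (EnableFirewall, IcmpSettings\AllowInboundEchoRequest, Services\FileAndPrint\Enabled, Services\RemoteAdmin\Enabled, GloballyOpenPorts\List); the function names and the sample policy hashtable are constructed for the demo.

```powershell
# Added example, not from the thread. Applies the rule from the quoted GPO note:
# if any policy setting opens TCP 445, inbound ICMP echo is admitted even when
# "Allow ICMP exceptions" would block it.
# Assumption: the legacy (XP SP2 / 2003 SP1) policy registry layout written by
# WindowsFirewall.adm under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile>.

function Get-PolicyValue {
    # Returns a single registry value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$Name
}

function Read-FirewallPolicy {
    # Collects the values the rule depends on for one profile into a hashtable.
    param([ValidateSet('DomainProfile', 'StandardProfile')][string]$Profile = 'DomainProfile')
    $base     = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$Profile"
    $ports    = @()
    $listPath = "$base\GloballyOpenPorts\List"
    if (Test-Path -Path $listPath) {
        # Each value's data looks like "445:TCP:*:Enabled:name"
        $key   = Get-Item -Path $listPath
        $ports = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }
    return @{
        EnableFirewall = Get-PolicyValue -Path $base -Name 'EnableFirewall'
        AllowEcho      = Get-PolicyValue -Path "$base\IcmpSettings" -Name 'AllowInboundEchoRequest'
        FileAndPrint   = Get-PolicyValue -Path "$base\Services\FileAndPrint" -Name 'Enabled'
        RemoteAdmin    = Get-PolicyValue -Path "$base\Services\RemoteAdmin" -Name 'Enabled'
        OpenPorts      = $ports
    }
}

function Test-InboundEchoAllowed {
    # Evaluates a policy hashtable (live or constructed) and explains the verdict.
    param([hashtable]$Policy)
    $reasons = @()
    if ($Policy.FileAndPrint -eq 1) { $reasons += 'File and Printer Sharing exception opens TCP 445' }
    if ($Policy.RemoteAdmin  -eq 1) { $reasons += 'Remote Administration exception opens TCP 445' }
    foreach ($entry in $Policy.OpenPorts) {
        $f = "$entry" -split ':'
        if ($f.Count -ge 4 -and $f[0] -eq '445' -and $f[1] -eq 'TCP' -and $f[3] -eq 'Enabled') {
            $reasons += "Port exception '$entry' opens TCP 445"
        }
    }
    if ($Policy.AllowEcho -eq 1) { $reasons += 'Allow ICMP exceptions permits inbound echo' }
    return [pscustomobject]@{
        FirewallEnforcedByPolicy = ($Policy.EnableFirewall -eq 1)
        InboundEchoAllowed       = ($reasons.Count -gt 0)
        Reasons                  = $reasons
    }
}

# Constructed sample: ICMP exceptions are off, but File and Printer Sharing is on,
# so echo requests are still admitted, exactly the case the note describes.
$sample = @{
    EnableFirewall = 1
    AllowEcho      = 0
    FileAndPrint   = 1
    RemoteAdmin    = 0
    OpenPorts      = @('3389:TCP:*:Enabled:Remote Desktop')
}
Test-InboundEchoAllowed -Policy $sample | Format-List

# On a live server, evaluate the profile actually in effect for the domain:
# Test-InboundEchoAllowed -Policy (Read-FirewallPolicy -Profile DomainProfile) | Format-List
```

If FirewallEnforcedByPolicy comes back false, the GPO is not what is dropping the echo requests and the search moves elsewhere (local firewall state, IPsec, the network path). The check only rules the policy in or out: it does not explain the symptom HBooGz reports, where pings succeed from remote subnets but not from the local one.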




Re: [ActiveDir] cn=meetings

2006-07-28 Thread Matheesha Weerasinghe
Thanks
On 7/27/06, Free, Bob [EMAIL PROTECTED] wrote:
MS NetMeeting uses the Meetings container to publish network meeting objects.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Thursday, July 27, 2006 12:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] cn=meetings

All
Just a quick query. Does anyone know what cn=meetings,cn=system,dc=domainfqdn is for?
Cheers
M@
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] cn=meetings

2006-07-27 Thread Matheesha Weerasinghe
All
Just a quick query. Does anyone know what cn=meetings,cn=system,dc=domainfqdn is for?
Cheers
M@


Re: [ActiveDir] ldp in ADAM-SP1

2006-07-26 Thread Matheesha Weerasinghe

Thanks Guido. That helps a lot. I was going to create the role
structure but leave them unpopulated and do most of the work myself.
I.e. I am all roles!!

I was then going to populate them as and when I found skilled and
trusted chaps. I'll keep it very simple now.

Cheers

M@

P.S. Thanks again to everyone that read and responded.


On 7/26/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

well, do as you should always do to ensure that your systems are
maintainable: keep it simple!
Don't introduce extra complexity if you don't require it. For AD ACLing
this means, don't introduce roles and permissions for users, if you do
not need that role - there is certainly no need to implement all the
roles that are described in the delegation whitepaper to maintain a
stable AD infrastructure.

most ACLing issues that I have come across were in companies that granted
their delegated admins the rights to create OUs underneath their
location specific OU - soon afterwards they had an AD structure with OUs
and permissions that looked like a badly managed file-server...

so the issue is not so much setting ACLs in AD (which as discussed can
be a complex task to do right, depending on your needs), but more
controlling who is allowed to set ACLs. This should be done centrally by
domain and/or enterprise admins. As a rule of thumb you should not grant
any non-domain or enterprise admin the rights to create OUs and also
limit the rights to create any other objects (especially groups) to very
few delegated admins. Less critical is delegating the ability to manage
existing objects (e.g. to reset PW of user, mail-enable users and
groups, change membership of groups, etc). I also consider the rights to
create computer objects as low risk (which is usually required by local
desktop admins in branch offices).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Tuesday, July 25, 2006 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

Thanks to Al and Guido for your further input. Even though it may seem
pretty obvious, I would like to know of any horror stories due to AD
ACL'ing if possible. The reason is Al's comments have made me take a
much more cautious approach to ACL'ing. I get the feeling that even
though the granular feature is there, if there aren't enough people with
the correct skill level available to maintain it, then it shouldn't be
pursued. I hope I can get that skill and that is one of the goals
here. But I may not be here all the time.

So any stories from anyone ?

M@

On 7/25/06, Al Mulnick [EMAIL PROTECTED] wrote:

I wholeheartedly applaud the effort being put into this.  That said, I urge
you to reconsider your administrative model and favor as much simplicity as
is possible.  Why?  Because the best laid plans of mice and architects and
all that.

The tricky bit is the matching a trusted and
appropriately skilled person to the relevant role.

That makes me laugh and cringe at the same time.  Yes, it is very difficult
to find that perfect match but at the same time I think a design should
take that into account where possible. That's a design philosophy and I
won't debate that for this thread.  But I would caution you that any design
that has the people intricately relied upon is going to have a failure point
at some point when you least can tolerate it.

While you can use the command line tools as much as possible, as joe and
Guido both pointed out, consider rolling your own scripts if you absolutely
cannot do what you *need* to do at the GUI. But remember you can really
really really^^ hurt yourself with security permissions.  Believe me, it can
be ugly and it can be the undoing.

Two thoughts to consider as you walk through the design:
1) You should never try to solve wetware issues with software or hardware.
2) Complexity is the anti-security.

Best of luck.



 On 7/25/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
Wow,

Thank you so much for the detailed info guys. Basically my goal is
quite simple. At least it is in my head. What I want to do, is to go
through the entire case study given in the AD delegation whitepaper,
and do all of that permissions configuration entirely at command line
(where possible). I am willing to use the delegation wizard to some
extent, but as I am configuring quite a lot of permissions for an AD
design I am involved in, I would rather avoid having to use GUI tools
for this.

You see, I am going to end up as being a very privileged service
administrator and data administrator once my proposed AD design model
is in place. I expect I will be making some endeavour to train
sufficiently capable people in doing this. But I don't plan to spoon
feed. I want the guys to know to a decent level ACL'ing and if not, do
their research. At least on an adhoc basis. Then once they understand
what's involved, they can go ahead and add
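Guido's rule of thumb in the message above (nobody outside domain or enterprise admins should be able to create OUs, and group creation should be limited to very few delegated admins) can be audited rather than assumed. The following is an added example, not from the thread, that lists every explicit Allow ACE on the domain head and on each OU that lets a principal outside an allow-list create organizationalUnit or group objects. It assumes the ActiveDirectory PowerShell module (the AD: drive, Get-ADDomain, Get-ADOrganizationalUnit, Get-ADRootDSE, Get-ADObject) and a session that can read the security descriptors; the function names and the allow-list are assumptions for the demo.

```powershell
# Added example, not from the thread. Reports who can create OUs or groups
# anywhere in the domain, excluding an allow-list of admin groups.
# Assumes the ActiveDirectory PowerShell module (AD: drive) and a session that
# can read security descriptors on the domain head and all OUs.
Import-Module ActiveDirectory

function Get-SchemaClassGuid {
    # Resolves a class's schemaIDGUID so class-scoped CreateChild ACEs can be matched.
    param([string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    return [guid]$cls.schemaIDGUID
}

function Find-CreateChildGrants {
    # Yields one record per explicit Allow ACE that lets a non-allow-listed
    # principal create children of one of the given classes.
    param(
        [string[]]$ContainerDNs,
        [hashtable]$ClassGuids,        # lDAPDisplayName -> [guid]
        [string[]]$AllowedPrincipals   # "DOMAIN\Group" strings to ignore
    )
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($dn in $ContainerDNs) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            # Inherited copies show up on every child OU; report only where the
            # grant was made. GenericAll (Full Control) includes the CreateChild bit.
            if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
            if (-not $ace.ActiveDirectoryRights.HasFlag($createChild)) { continue }
            $who = $ace.IdentityReference.Value
            if ($AllowedPrincipals -contains $who) { continue }
            foreach ($name in $ClassGuids.Keys) {
                # ObjectType Empty means "any child class"; otherwise it names one class.
                if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $ClassGuids[$name]) {
                    [pscustomobject]@{
                        Container   = $dn
                        Principal   = $who
                        Class       = $name
                        Rights      = $ace.ActiveDirectoryRights
                        InheritOnly = $ace.PropagationFlags.HasFlag($inheritOnly)
                    }
                }
            }
        }
    }
}

$domain     = Get-ADDomain
$containers = @($domain.DistinguishedName) +
              @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$classes    = @{
    organizationalUnit = Get-SchemaClassGuid -LdapDisplayName 'organizationalUnit'
    group              = Get-SchemaClassGuid -LdapDisplayName 'group'
}
# The allow-list is an assumption; extend it with whatever your forest treats as core admin groups.
$nb      = $domain.NetBIOSName
$allowed = @("$nb\Domain Admins", "$nb\Enterprise Admins", 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

Find-CreateChildGrants -ContainerDNs $containers -ClassGuids $classes -AllowedPrincipals $allowed |
    Sort-Object Principal, Container | Format-Table -AutoSize
```

Every row is a place where the "badly managed file-server" drift Guido describes can start; an InheritOnly of True means the grant does not apply to that container itself but to the OUs beneath it, which is exactly the case that lets a delegated admin build an OU tree nobody reviewed.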

Re: [ActiveDir] ldp in ADAM-SP1

2006-07-25 Thread Matheesha Weerasinghe
an email from the developer
working on LDP and can say that he is digging into this. I can't say
much more than that though.


 joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, July 24, 2006 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

I dunno about you guys but I am very disappointed with the tools
available to me for configuring perms. dsacls can configure most perms
but can't configure control access rights to certain attribs of certain
objects. (e.g. when you configure an attribute as confidential and
need to allow certain people the control access right to view the
attribute). dsacls also can't display perms that great and gives
details as special access. In order to see what's special, I have to
use something like acldiag and sdcheck. And then to revoke, yet
another tool dsrevoke which only works on domain objects and OUs.

After reading joe's book I figured ldp.exe from ADAM-SP1, here I come.
Now that also has issues.

I know I can write scripts for handling this. But they are cumbersome
and slow. I think a nice fast C++ tool that does all this would be
much appreciated. I am not sure how hard this is to do. But MSFT
certainly have the expertise. May be longhorn will ship with
something like that. But I aint holding my breath.

I am no expert and no MVP. I aint convinced my rant is gonna be heeded
to. But please, guys out there with the influence (MVPs) help!!

M@


P.S Please!!!


On 7/24/06, joe [EMAIL PROTECTED] wrote:
Beautiful, this is bug week

There are actually two bugs here.

1. The inherit only check box is greyed out. This is the checkbox you would
need to check in order to specify an inherit only ACE (i.e. Child Objects
Only).

2. When you try to work around it and specify the actual object types to
inherit to it creates two ACEs instead of one. The first ACE is the FC
inherit only to the object class you specify but then there is also a FC to
the object itself. In the example below note the TEST\joe ACEs... I only
added a single FC for nTDSConnection objects for test\joe but got that AND
the non-inheritable Test\joe FC on the object itself.


G:\>dsacls \\r2dc1\CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc
Access list:
Effective Permissions on this object are:
Allow TEST\joe                          FULL CONTROL
Allow TEST\Domain Admins                SPECIAL ACCESS
                                        DELETE
                                        READ PERMISSONS
                                        WRITE PERMISSIONS
                                        CHANGE OWNERSHIP
                                        CREATE CHILD
                                        LIST CONTENTS
                                        WRITE SELF
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
                                        LIST OBJECT
                                        CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users  SPECIAL ACCESS
                                        READ PERMISSONS
                                        LIST CONTENTS
                                        READ PROPERTY
                                        LIST OBJECT
Allow NT AUTHORITY\SYSTEM               FULL CONTROL
Allow TEST\Domain Admins                FULL CONTROL   Inherited from parent
Allow TEST\Enterprise Admins            FULL CONTROL   Inherited from parent

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Domain Admins                FULL CONTROL   Inherited from parent
Allow TEST\Enterprise Admins            FULL CONTROL   Inherited from parent

Inherited to nTDSConnection
Allow TEST\joe                          FULL CONTROL
The command completed successfully



So in order to generate a generic FC that is only inherited, you can't,
because of bug 1, do it with LDP. If you want to create an ACE for a specific
objectclass (which nTDSConnection should be ok in terms of what you are
trying to delegate) it can do it but you have to go back and clean up the
additional ACE created by bug 2.


 I will alert MSFT.

   joe




 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
 Weerasinghe
 Sent: Monday, July 24, 2006 8:12 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] ldp in ADAM-SP1

 All

 Could someone with more experience with ldp provided with ADAM-SP1
 tell me how I would go about configuring inherit-only Full Control
 permissions on nTDSDSA objects in the
 CN=Sites,CN=Configuration,DC=ForestFQDN
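joe's dsacls listing above shows the bug-2 pattern: one inherit-only FC ACE for nTDSConnection and a second, non-inheritable FC ACE for the same trustee on the object itself. The following is an added example, not from the thread, that pulls out every explicit ACE a trustee holds on an object and reports whether that pattern is present, so the stray ACE can be located before it is cleaned up. The SID, the class GUID and the function names are constructed placeholders; the live usage in the trailing comment assumes the ActiveDirectory module's AD: drive and the DN from joe's listing.

```powershell
# Added example, not from the thread. Summarises the explicit ACEs a trustee holds
# on one AD object and flags the pattern joe describes: an inherit-only ACE for a
# child class plus a second ACE with the same rights applied to the object itself.
# The offline demo builds ActiveDirectoryAccessRule objects with a constructed SID
# and a placeholder class GUID; live use assumes the ActiveDirectory module's AD: drive.
Add-Type -AssemblyName System.DirectoryServices

function Get-TrusteeAces {
    # One summary record per non-inherited ACE that names $Trustee.
    param(
        [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Rules,
        [System.Security.Principal.IdentityReference]$Trustee
    )
    foreach ($r in $Rules) {
        if ($r.IsInherited -or $r.IdentityReference.Value -ne $Trustee.Value) { continue }
        $inheritOnly = $r.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)
        $toChildren  = $r.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
        $childClass  = 'all classes'
        if ($r.InheritedObjectType -ne [guid]::Empty) { $childClass = $r.InheritedObjectType.ToString() }
        [pscustomobject]@{
            Rights            = $r.ActiveDirectoryRights
            Type              = $r.AccessControlType
            AppliesToObject   = -not $inheritOnly      # "this object" vs inherit-only
            AppliesToChildren = $toChildren
            ChildClass        = $childClass
        }
    }
}

function Test-StrayExplicitAce {
    # True when an inherit-only ACE is accompanied by an object-only ACE granting the
    # same rights to the same trustee (bug 2 above): the object-only one is the leftover.
    param(
        [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Rules,
        [System.Security.Principal.IdentityReference]$Trustee
    )
    $aces        = @(Get-TrusteeAces -Rules $Rules -Trustee $Trustee)
    $inheritOnly = @($aces | Where-Object { -not $_.AppliesToObject })
    $objectOnly  = @($aces | Where-Object { $_.AppliesToObject -and -not $_.AppliesToChildren })
    foreach ($io in $inheritOnly) {
        foreach ($o in $objectOnly) {
            if ($o.Rights -eq $io.Rights -and $o.Type -eq $io.Type) { return $true }
        }
    }
    return $false
}

# Offline demo reproducing the two TEST\joe ACEs from the dsacls listing.
$joe        = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-21-1111111111-2222222222-3333333333-1106' # constructed SID
$childClass = [guid]::NewGuid()   # placeholder; resolve nTDSConnection's schemaIDGUID from the schema for real use
$fullCtl    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$allow      = [System.Security.AccessControl.AccessControlType]::Allow
$intended   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $joe, $fullCtl, $allow, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $childClass
$stray      = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $joe, $fullCtl, $allow, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

Get-TrusteeAces -Rules @($intended, $stray) -Trustee $joe | Format-Table -AutoSize
Test-StrayExplicitAce -Rules @($intended, $stray) -Trustee $joe

# Live use against the object from joe's listing (ActiveDirectory module):
# $rules = (Get-Acl -Path "AD:\CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc").Access
# Test-StrayExplicitAce -Rules $rules -Trustee (New-Object System.Security.Principal.NTAccount 'TEST\joe')
```

The Descendents inheritance value is what produces the ContainerInherit plus InheritOnly flag combination that dsacls prints under "Permissions inherited to subobjects"; the None value is the object-only ACE that shows up as a plain FULL CONTROL line at the top of the listing. Running the summary before and after the clean-up confirms that only the inherit-only ACE remains.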

Re: [ActiveDir] ldp in ADAM-SP1

2006-07-25 Thread Matheesha Weerasinghe

Thanks to Al and Guido for your further input. Even though it may seem
pretty obvious, I would like to know of any horror stories due to AD
ACL'ing if possible. The reason is Al's comments have made me take a
much more cautious approach to ACL'ing. I get the feeling that even
though the granular feature is there, if there aren't enough people with
the correct skill level available to maintain it, then it shouldn't be
pursued. I hope I can get that skill and that is one of the goals
here. But I may not be here all the time.

So any stories from anyone ?

M@

On 7/25/06, Al Mulnick [EMAIL PROTECTED] wrote:


I wholeheartedly applaud the effort being put into this.  That said, I urge
you to reconsider your administrative model and favor as much simplicity as
is possible.  Why?  Because the best laid plans of mice and architects and
all that.

The tricky bit is the matching a trusted and
appropriately skilled person to the relevant role.

That makes me laugh and cringe at the same time.  Yes, it is very difficult
to find that perfect match but at the same time I think a design should
take that into account where possible. That's a design philosophy and I
won't debate that for this thread.  But I would caution you that any design
that has the people intricately relied upon is going to have a failure point
at some point when you least can tolerate it.

While you can use the command line tools as much as possible, as joe and
Guido both pointed out, consider rolling your own scripts if you absolutely
cannot do what you *need* to do at the GUI. But remember you can really
really really^^ hurt yourself with security permissions.  Believe me, it can
be ugly and it can be the undoing.

Two thoughts to consider as you walk through the design:
1) You should never try to solve wetware issues with software or hardware.
2) Complexity is the anti-security.

Best of luck.



On 7/25/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
 Wow,

 Thank you so much for the detailed info guys. Basically my goal is
 quite simple. At least it is in my head. What I want to do, is to go
 through the entire case study given in the AD delegation whitepaper,
 and do all of that permissions configuration entirely at command line
 (where possible). I am willing to use the delegation wizard to some
 extent, but as I am configuring quite a lot of permissions for an AD
 design I am involved in, I would rather avoid having to use GUI tools
 for this.

 You see, I am going to end up as being a very privileged service
 administrator and data administrator once my proposed AD design model
 is in place. I expect I will be making some endeavour to train
 sufficiently capable people in doing this. But I don't plan to spoon
 feed. I want the guys to know to a decent level ACL'ing and if not, do
 their research. At least on an adhoc basis. Then once they understand
 what's involved, they can go ahead and add/modify/delete ACEs, revoke
 perms, define new roles etc...

 Reading this delegation doc has made me believe I can configure an
 extremely secure delegation model where each role can be given just
 enough to do that role. The tricky bit is the matching a trusted and
 appropriately skilled person to the relevant role.

 So you see, as there is a lot involved and this is a big
 infrastructure to attempt to administer perms for 20,000 users plus
 many OUs used to organise users based on the business unit (at least a
 dozen in each geographical hub) they work in and the site (we have
 more than 40 geographical hubs and 1000 satellite sites) they are
 located at. Different levels of data admin roles. I would like to get
 this right to a large extent from the moment go. Admittedly it may not
 be big as in Fortune 5 ADs. But its the biggest I've had the privilege
 to design and support.

 I figured if I test this using the case study as a lab, I will get a
 good feel of whats involved in my lower level design. I am getting a
 little miffed when I have to swap between several tools to do what I
 need to do. There is just so many buts and ifs. You can do this but
 you cant do this.  To do this use this. For this use that. And then
 try this. If all else fails script 

 I admit I was ranting a bit when asking why is this named and like
 such and the discrepancies in the docs and syntax help of command line
 tools. My sincere apologies for being anal.

 Is it too much to ask, to have at the very least a reliable command
 line or GUI tool (ldp) to configure perms just the way I want and
 need? Actually I don't care even if I have to use a series of command
 line apps. I don't care how complex it is/will be right now. I just want
 something that works. And I want the tool from MSFT. For free ;0)

 Please!

 Cheers

 M@


 P.S. thanks once again for reading, for escalating, for laughing, for
 educating , the kind words, hugs
 Control-H,Control-H,Control-H,Control-H,Control-H, etc...



 On 7/25/06, Grillenmeier, Guido [EMAIL PROTECTED]  wrote:
  I guess

[ActiveDir] ldp in ADAM-SP1

2006-07-24 Thread Matheesha Weerasinghe

All

Could someone with more experience with ldp provided with ADAM-SP1
tell me how I would go about configuring inherit-only Full Control
permissions on nTDSDSA objects in the
CN=Sites,CN=Configuration,DC=ForestFQDN ? The inherit-only perms
option is grayed out here and I don't know how to do it.

Based on joe's comments I assumed the ldp.exe's ACL editor is the most
comprehensive and capable ACL gui editor available. I must be doing
something wrong here so I would appreciate some help.

Regards

M@


Re: [ActiveDir] ldp in ADAM-SP1

2006-07-24 Thread Matheesha Weerasinghe

I dunno about you guys but I am very disappointed with the tools
available to me for configuring perms. dsacls can configure most perms
but can't configure control access rights to certain attribs of certain
objects. (e.g. when you configure an attribute as confidential and
need to allow certain people the control access right to view the
attribute). dsacls also can't display perms that great and gives
details as special access. In order to see what's special, I have to
use something like acldiag and sdcheck. And then to revoke, yet
another tool dsrevoke which only works on domain objects and OUs.

After reading joe's book I figured ldp.exe from ADAM-SP1, here I come.
Now that also has issues.

I know I can write scripts for handling this. But they are cumbersome
and slow. I think a nice fast C++ tool that does all this would be
much appreciated. I am not sure how hard this is to do. But MSFT
certainly have the expertise. May be longhorn will ship with
something like that. But I aint holding my breath.

I am no expert and no MVP. I aint convinced my rant is gonna be heeded
to. But please, guys out there with the influence (MVPs) help!!

M@


P.S Please!!!


On 7/24/06, joe [EMAIL PROTECTED] wrote:

Beautiful, this is bug week

There are actually two bugs here.

1. The inherit only check box is greyed out. This is the checkbox you would
need to check in order to specify an inherit only ACE (i.e. Child Objects
Only).

2. When you try to work around it and specify the actual object types to
inherit to it creates two ACEs instead of one. The first ACE is the FC
inherit only to the object class you specify but then there is also a FC to
the object itself. In the example below note the TEST\joe ACEs... I only
added a single FC for nTDSConnection objects for test\joe but got that AND
the non-inheritable Test\joe FC on the object itself.


G:\>dsacls \\r2dc1\CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc
Access list:
Effective Permissions on this object are:
Allow TEST\joe                          FULL CONTROL
Allow TEST\Domain Admins                SPECIAL ACCESS
                                        DELETE
                                        READ PERMISSONS
                                        WRITE PERMISSIONS
                                        CHANGE OWNERSHIP
                                        CREATE CHILD
                                        LIST CONTENTS
                                        WRITE SELF
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
                                        LIST OBJECT
                                        CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users  SPECIAL ACCESS
                                        READ PERMISSONS
                                        LIST CONTENTS
                                        READ PROPERTY
                                        LIST OBJECT
Allow NT AUTHORITY\SYSTEM               FULL CONTROL
Allow TEST\Domain Admins                FULL CONTROL   Inherited from parent
Allow TEST\Enterprise Admins            FULL CONTROL   Inherited from parent

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Domain Admins                FULL CONTROL   Inherited from parent
Allow TEST\Enterprise Admins            FULL CONTROL   Inherited from parent

Inherited to nTDSConnection
Allow TEST\joe                          FULL CONTROL
The command completed successfully



So in order to generate a generic FC that is only inherited, you can't,
because of bug 1, do it with LDP. If you want to create an ACE for a specific
objectclass (which nTDSConnection should be ok in terms of what you are
trying to delegate) it can do it but you have to go back and clean up the
additional ACE created by bug 2.


I will alert MSFT.

  joe




--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, July 24, 2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldp in ADAM-SP1

All

Could someone with more experience with ldp provided with ADAM-SP1
tell me how I would go about configuring inherit-only Full Control
permissions on nTDSDSA objects in the
CN=Sites,CN=Configuration,DC=ForestFQDN ? The inherit-only perms
option is grayed out here and I don't know how to do it.

Based on joe's comments I assumed the ldp.exe's ACL editor is the most
comprehensive and capable ACL gui editor available. I must be doing
something wrong here so I would appreciate some help.

Regards

M@

Re: [ActiveDir] ldp in ADAM-SP1

2006-07-24 Thread Matheesha Weerasinghe

Joe

joe I see you were configuring Full Control (GA) for nTDSConnection
objects by configuring perms on the parent nTDSDSA object. I was
trying to actually configure full control to the nTDSDSA using perms
on the CN=Sites object but the principal is the same I guess. The only
thing is nTDSConnection objects cant have child objects can they?
Still I am having some issues repro'ing. You said your workaround was
to configure on the object types. Did you mean to configure explicitly
on the object or on the parent with the child's object type specified
in the ACE? I can't repro here and I am not sure whether you used
dsacls or ldp to repro.

And why does it not choose the Access System Security option when
you edit a Full Control ACE? Is that expected? I thought full control
meant everything. Not everything but Access System Security.

Also how come there is no string defined for Access System Security?
There is for all other access masks.

I freely admit I know very little in this arena. Any lesson offered is
most appreciated. I am already reading technet and many books by the
fine guys on here. I just haven't finished them yet ;-)

Thanks to everyone who's read this so far and for all the help I am
offered. I truly appreciate it.

Sincerely

M@


On 7/24/06, joe [EMAIL PROTECTED] wrote:

Beautiful, this is bug week

There are actually two bugs here.

1. The inherit only check box is greyed out. This is the checkbox you would
need to check in order to specify an inherit only ACE (i.e. Child Objects
Only).

2. When you try to work around it and specify the actual object types to
inherit to it creates two ACEs instead of one. The first ACE is the FC
inherit only to the object class you specify but then there is also a FC to
the object itself. In the example below note the TEST\joe ACEs... I only
added a single FC for nTDSConnection objects for test\joe but got that AND
the non-inheritable Test\joe FC on the object itself.


G:\>dsacls \\r2dc1\CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc
Access list:
Effective Permissions on this object are:
Allow TEST\joe                          FULL CONTROL
Allow TEST\Domain Admins                SPECIAL ACCESS
                                        DELETE
                                        READ PERMISSONS
                                        WRITE PERMISSIONS
                                        CHANGE OWNERSHIP
                                        CREATE CHILD
                                        LIST CONTENTS
                                        WRITE SELF
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
                                        LIST OBJECT
                                        CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users  SPECIAL ACCESS
                                        READ PERMISSONS
                                        LIST CONTENTS
                                        READ PROPERTY
                                        LIST OBJECT
Allow NT AUTHORITY\SYSTEM               FULL CONTROL
Allow TEST\Domain Admins                FULL CONTROL   Inherited from parent
Allow TEST\Enterprise Admins            FULL CONTROL   Inherited from parent

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Domain Admins                FULL CONTROL   Inherited from parent
Allow TEST\Enterprise Admins            FULL CONTROL   Inherited from parent

Inherited to nTDSConnection
Allow TEST\joe                          FULL CONTROL
The command completed successfully



So in order to generate a generic FC that is only inherited, you can't,
because of bug 1, do it with LDP. If you want to create an ACE for a specific
objectclass (which nTDSConnection should be ok in terms of what you are
trying to delegate) it can do it but you have to go back and clean up the
additional ACE created by bug 2.


I will alert MSFT.

  joe




--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, July 24, 2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldp in ADAM-SP1

All

Could someone with more experience with ldp provided with ADAM-SP1
tell me how I would go about configuring inherit-only Full Control
permissions on nTDSDSA objects in the
CN=Sites,CN=Configuration,DC=ForestFQDN ? The inherit-only perms
option is grayed out here and I don't know how to do it.

Based on joe's comments I assumed the ldp.exe's ACL editor is the most
comprehensive and capable ACL gui editor available. I must be doing
something wrong here so I would appreciate some help.

Regards

M@

[ActiveDir] OT: Interview Techniques

2006-07-23 Thread Matheesha Weerasinghe
All

I am currently in the process of interviewing job
candidates who if successful will become my boss ;-)
Basically the manager who will be his boss has asked
me to do the technical side of the interview and check
if the candidates are OK. I've had the pleasure of
interviewing 2 so far and they were pretty weak
technically. I am not sure if I have been spoilt by
the creme-de-la-creme here but I did check them a
little thoroughly especially with the candidate who
was bold enough to mention under key skills very
strong knowledge of windows 2000/2003 Active
Directory. 

Now I am definitely no expert, but if someone is bold
enough to claim that, he better not buckle up under
pressure and reply that the questions I am asking are
only worthy knowledge to those working at Microsoft.
And this is the reply I got when I asked him what the
FSMO roles did. Actually, I got a little miffed as the
guys had the audacity to demand pretty much twice the
pay I am getting and were paper MCSE's. 

The feedback we received from the candidates
afterwards said the interview style was .
aggressive.

So, my question to you guys is, if you were interviewing
someone for a Windows tech-lead position (with focus
on AD), how technical would you want him to be? This
is a guy who would be steering the design of an
infrastructure to support tens of thousands of users.

Cheers

Mudha
{Newbie AD Guru wannabe ;0) }





Re: [ActiveDir] OT: Interview Techniques

2006-07-23 Thread Matheesha Weerasinghe

LOL. Yeah. Never a good idea to have customised BIG AL number plates.

;-)


On 7/23/06, joe [EMAIL PROTECTED] wrote:



Yeah Al interviewed me once and I didn't get the job because I started
crying.

I found his car in the parking lot and punched holes in the tires. :)




--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Sunday, July 23, 2006 1:54 PM

To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Interview Techniques



LOL.  If it's for a technical position, then I have no qualms of trying to
make the interviewed candidate cry. May as well see what they do with
pressure.

I can usually tell in the first few minutes how a person thinks and how well
they know the subject matter.  But I like to see how they react and how they
deal with questions.  Are they going to fold? Are they going to buckle? Are
they going to lie and BS an answer?  The last is the worst thing they can
ever do.  I demand honesty in the work I do.  If you BS me, you'll be done
before you go a step further. If you tell the truth and let me know that you
don't know, I'll at the very least have respect for you because I know that
nobody can know it all, and I know that the interviewer is going to ask a
question that sticks in their mind as something that stumped them for a
while. Either consciously or sub-consciously.

I like to ask leading questions and I like to pick at the things on the
resume to verify that what they wrote is what they are capable of doing.
Since this is a tech lead position, I expect a broad and deep set of
knowledge and I expect that the characteristics of the person are such that
they can easily refer to the SME (subject-matter expert) for particular
subsystems without getting uptight about not knowing the answer themselves.
It really could suck if you brought somebody in who was too uptight and
insecure to let you do your job. They should be trying to help you advance
vs. holding you back and causing hate and discontent.

My $0.04 worth anyway.


Al

On 7/23/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
 All

 I am currently in the process of interviewing job
 candidates who if successful will become my boss ;-)
 Basically the manager who will be his boss has asked
 me to do the technical side of the interview and check
 if the candidates are OK. I've had the pleasure of
 interviewing 2 so far and they were pretty weak
 technically. I am not sure if I have been spoilt by
 the creme-de-la-creme here but I did check them a
 little thoroughly especially with the candidate who
 was bold enough to mention under key skills very
 strong knowledge of windows 2000/2003 Active
 Directory.

 Now I am definitely no expert, but if someone is bold
 enough to claim that, he better not buckle up under
 pressure and reply that the questions I am asking are
 only worthy knowledge to those working at Microsoft.
 And this is the reply I got when I asked him what the
 FSMO roles did. Actually, I got a little miffed as the
 guys had the audacity to demand pretty much twice the
 pay I am getting and were paper MCSE's.

 The feedback we received from the candidates
 afterwards said the interview style was "aggressive".

 So, my question to you guys is, if you interviewing
 someone for a Windows tech-lead position (with focus
 on AD), how technical would you want him to be? This
 is a guy who would be steering the design of an
 infrastructure to support tens of thousands of users.

 Cheers

 Mudha
 {Newbie AD Guru wannabe ;0) }



 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx






Re: [ActiveDir] Replmon vs. dssite.msc

2006-07-22 Thread Matheesha Weerasinghe

If I understand correctly, replmon shows connection object info that
was retrieved from the dc itself. dssite.msc shows the connection
object info from the dc the snap-in is focused on.

please correct me if i've misunderstood

M@

On 7/19/06, Noah Eiger [EMAIL PROTECTED] wrote:





Hi –



I am trying to promote a new DC in a branch location. I also want this to be
the bridgehead for IP at this Site. The promo seems to have worked, but
there are some replication problems.



Why would replmon show different replication partners than the Active
Directory Sites and Services (dssite.msc) snap-in? I am running both tools
on the same machine and have confirmed that they connect to the same
machine.



Thanks.



-- nme





Re: [ActiveDir] Using non-standard TLDs within Active Directory

2006-07-21 Thread Matheesha Weerasinghe

Well, it would be a good idea as long as no one thinks "crikey, that's a
great idea" and people start making corp.ad or corp.ads as their
forest name ;-)

As I understand it, the forest names need to be unique DNS names. If
you have two corp.local's, how would you do conditional forwarding and
the like? What happens when a SRV record query is sent by a client who
is possibly able to query SRV records for both forests?

M@

On 7/21/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:



For this and other reasons I like to use the .ad or .ads TLD for my Active
Directory.

Andrew Fidel



Almeida Pinto, Jorge de [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]

07/21/2006 06:43 AM

Please respond to
ActiveDir@mail.activedir.org


To: ActiveDir@mail.activedir.org

cc



Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory










For the LOCAL TLD, you need to be aware that it can cause issues with Mac computers:

http://support.microsoft.com/kb/836413/en-us
http://docs.info.apple.com/article.html?artnum=107800
Jorge



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]

Sent: Friday, July 21, 2006 12:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory

Thanks again. We're on the same wave length :)

I appreciate that .local can work but as you state, it's best to avoid names 
that can become obsolete if the company name changes.

The proposal here is to use .nom and the company name is Nomura.

...and no, it will not be a single domain forest, but let's not go there please 
:) I've already spent months on that subject :/

Thanks for the comments and feedback.
neil



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson

Sent: 21 July 2006 10:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory

Hi Neil

Correct. The TLD is normally the last bit in the string. So in the real
world Internet examples of TLDs are .com, .edu etc., plus the country codes such
as .za for South Africa, which is where I'm from.

I always use something like corp.local for the forest name. I'm assuming you are
going to be building a single domain forest, right?







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 21 July 2006 11:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory

Thanks Peter.

Are we referring to same thing?

I refer to the suffix at the end of the DNS name - e.g. I refer to 'blob' in 
'neil.blob'.

I am not referring to the 'neil' part.

Does your response still hold?


neil






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: 21 July 2006 09:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Using non-standard TLDs within Active Directory
I've always gone the opposite way. I like the idea of using a completely 
non-standard TLD for my forest root so that if the company name changes etc it 
has no effect on the forest. It also enables you to split the internal DNS from 
the external DNS structure. If the internal DNS structure is ever published to 
the Internet it will simply be dropped.

I always set mine up with non-standard TLD's and have never had any issues.






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 21 July 2006 10:20
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Using non-standard TLDs within Active Directory


Does anyone have experience or comments regarding the use of non-standard TLDs 
within a production AD forest?

E.g. x.nom

The name will be used within a production environment - a separate forest will 
exist for testing and QA.

I've always preferred to use standard TLDs in prod [so the name can be 
registered etc] and permit the non-standard TLD in test forests only.

Any comments?

Thanks,
neil

Re: [ActiveDir] root admin account able to be locked out?

2006-07-18 Thread Matheesha Weerasinghe

Well, I've seen in our AD when it was W2K that the administrator account
was showing as locked in dsa.msc if you tried too many incorrect auth
attempts. But I was still able to log on with it as expected. I didn't
check to see if any events were logged to indicate that it was.

I cannot repro your setup as my lab is busy doing other work. Someone
else might have something more sensible to add here.

M@

On 7/18/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:




Hi AD Gurus!

  We have penetration testing going on and I saw a security event log
entry that showed our root admin account getting locked out.  I was
surprised because I thought this account could never get locked out.  In
addition, we had a scheduled job that runs under the credentials of this
root account that ran successfully a couple of minutes *after* the supposed
account was locked.  (We have the standard 30 minute lockout time.)  I think
the reason that this happened was that the penetration testing really didn't
lock out the root account but did lock out the local SID 500 account that
exists on all servers (including domain controllers).  This is my belief.
My officemate says there is no such account on a DC and that the root
account could have been locked out for a short period of time but then made
active again when AD saw what the account was or that the security log entry
is just bogus.  Can someone offer a little insight into this (nope, no
dinners or cash riding on this debate!).  Thanks much!



Mike Thommes



Re: [ActiveDir] Forestprep Failure

2006-07-18 Thread Matheesha Weerasinghe

adfind -sc scontainsl:uid is the easiest. Or use dsquery or ldp with
the base set to the schema and pass the following filter.

(&(objectCategory=classSchema)(mayContain=uid))

The above tries to do a search for classes where the maycontain
attribute contains uid.

HTH
M@

On 7/19/06, WATSON, BEN [EMAIL PROTECTED] wrote:

Hello all,

I am at the point where I now have a smooth running Windows 2003 forest and 
domain with the one exception of the UID attribute which I bypassed thanks to 
the hidden ADPREP switch Steve informed me of.

So I am now attempting to go back and defunct this UID attribute so I can repair it.
Unfortunately, I am unable to do so at this point.  When attempting to defunct the object through
Active Directory Schema, I receive an error stating it cannot be done because "this schema
object may be in use as part of the definition of another schema object".  When attempting to
set the isDefunct attribute within UID to TRUE via ADSIEDIT, I receive a more informative
error, "Schema deletion failed: attribute is used in may-contain".

How can I find out which attributes have UID as part of the may-contain 
attribute so I can defunct this attribute?  If you might have any further 
advice for me I would greatly appreciate it.

I've been doing my best to study the schema over the past few days thanks to 
Joe's Active Directory book, however I'll readily admit that advanced searching 
and filtering are still beyond my grasp at this point.

Thanks,
~Ben




From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Thu 7/6/2006 10:19 PM
To: ActiveDir@mail.activedir.org; Mathieu CHATEAU
Subject: RE: [ActiveDir] Forestprep Failure



Ben,
  These errors generally occur when a third party application has extended the 
schema and it conflicts with the base schema we are trying to put in place.  
There were many conflicts found during the initial upgrades to Windows Server 
2003 which is why additional information was put into adprep to help guide you, 
in the past it failed with a generic conflict error not telling you what 
attributes it had issues with.  In your case you appear to have a problem with 
the Attribute Syntax for UID and an OID conflict with roomnumber as well as 
issinglevalue mismatch with roomnumber.  The OID for RoomNumber that you gave 
below used to be in a sample application that showed how to extend the schema 
and unfortunately many third party developers took the OID value in the sample
code as literal and used it when defining their objects for schema extensions
even though they were told to provide a unique OID.  The sample code was pulled 
but there are still many applications out there that used the literal OID value 
in the sample.  Since you are running Windows 2000 you do not have a way to 
defunct these.  Do you know what application is using the information in the 
roomnumber attribute?  I would suggest in a test environment renaming the 
roomnumber attribute using the following steps:

a. Open ldp on the Schema FSMO (make sure you have Checked the option The 
Schema may be modified on this Domain Controller using the Schema Manager Snap-in).
b. From the Connection menu option select Bind.
c. Type in the user name, password and domain name (use a schema admin
account) and keep (NTLM/Kerberos) checked. Click OK.
d. From the View Menu option select Tree and type the following in the 
field (BaseDN:)cn=roomNumber,cn=schema,cn=configuration,dc=. Click OK
e. On the left pane, double click CN=roomNumber...
f.  Right click on the roomNumber attribute and select Modify
g. In the attribute text field add lDAPDisplayName.
h. In the Value field give this to OldroomNumber.
i.  Select the replace radio button.
j.  Click Enter to add to the Entry List
k.  Click Run to confirm success in left pane.
l.  Remove the attribute from the entry list.
m.In the attribute text field add adminDisplayName.
n. In the Value field type OldRoomNumber
o. Select the replace radio button.
p. Click Enter to add to the Entry List
q. Click Run to confirm success in left pane.
r.  Right click on CN=roomNumber... And select rename.
s. Enter in the old DN field as the current DN of roomNumber.
t.  Enter the in the new DN field OldroomNumber
u. Confirm Delete Old and Synchronous are selected and click Run.
v. Exit from ldp.

This should allow the roomNumber attribute in the base Windows Server 2003 
Schema to be imported.  You would of course need to update the third party 
application to point to the renamed attribute or import the data in the 
OldRoomNumber attribute to the new RoomNumber attribute and hope that none of 
the values were multivalued and that the application was not referring to it by 
OID.  Next you need to address the syntax of the UID attribute.  We are 
expecting the syntax 

OT: Re:[ActiveDir] Regarding printer configure through web

2006-07-10 Thread Matheesha Weerasinghe

If you want a web based view of what printers are available on a print
server, then installing IIS should do it. This will install a virtual
directory called printers so you could then browse
http://printserver/printers to get a list of printers. Users could
then browse and choose a printer and click connect to download and
install the driver and then print to it.

More info at 
http://www.microsoft.com/windowsserver2003/techinfo/overview/internetprint.mspx

M@

P.S. This is strictly not an AD topic. Please prefix OT: to future
topics for the benefit of other users. Thanks!



On 7/10/06, Ajay Kumar [EMAIL PROTECTED] wrote:


Hi all,

Please help me out, How I can configure website of printer server.
Actually we having 40 printer of different make and having around 1000
user on different location.So pls tell me how I can create website for
printer access.

Thanks,
Sam



[ActiveDir] Fwd: Redirect Application Data

2006-07-08 Thread Matheesha Weerasinghe

Sorry for the repost, but it doesn't appear in the archives as ever having
been posted. I would appreciate a reply ;-)

ta!

M@

-- Forwarded message --
From: Matheesha Weerasinghe [EMAIL PROTECTED]
Date: Jul 3, 2006 11:46 PM
Subject: Redirect Application Data
To: ActiveDir@mail.activedir.org


Hi All

I was watching a Webcast on GPO's and saw it mention a recommendation
I heard from PSS sometime back. And that is to not use application
data redirection. Especially in TS environments.

I would appreciate if someone could elaborate a bit on this. I would
also like to know when do MS or consultants recommend using
application data redirection. I.e ideal scenarios.

Thanks

M@


Re: [ActiveDir] Fwd: Redirect Application Data

2006-07-08 Thread Matheesha Weerasinghe

Basically the reason I am inquiring about this is because of performance
issues which were blamed on application redirection. The appdata was
on a cluster in this particular instance. Citing the fact that there
are more components involved in the data path when appdata is accessed
from a cluster, the PSS guy basically didn't personally seem to
approve the design. And it seems like quite a few guys share his
opinion. As he explained, in a normal file server the client will go
through the file server's nic, the ide/scsi controller and then to the
disk(s). In a cluster environment, the client goes through the cluster
node's nic, the node's HBA, fibre switch/hub, SAN controller, and
finally disk(s). And in the case of small files the SAN was not very
performant especially with big volumes with lots of files.

In the  webcast I mentioned in the original email, in slide 22 of the
presentation available at
http://www.microsoft.com/emea/itsshowtime/sessionh.aspx?videoid=26 for
group policy tips and tricks Mark Cribben recommends against it. I
would say the main reason for that recommendation is network latency.

We are designing some file servers at the moment for the client and we
have some design considerations and fears. Basically we are wondering
whether to do away with appdata redirection altogether and leave it in
the profile itself. One of the suggestions is that we may take a hit
in logon time to download profiles , but app performance will be good
as the files are cached locally during the TS session.

We would like to use appdata redirection if at all possible. But we
don't want to sacrifice app performance for it. I.e. we don't want to
wait too long while the app is looking for ini files etc.

Thoughts?

M@

On 7/8/06, Susan Bradley [EMAIL PROTECTED] wrote:


Sorry read the original post and saw it was specifically about TS.

TS is one of those things that if the application loves the TS environment,
I don't think we've seen too many issues... and that's usually the key...
there are some applications that just don't work well and the vendor states
so in a TS/Citrix setup and would have problems redirecting.

I know that we redirect 'normal' stuff like My Docs folder all the time over
a TS... but apps like Word and Excel don't have to maintain a constant
connection to a data file.


Susan Bradley [EMAIL PROTECTED] wrote:
Please correct me if I'm wrong.. but in the era of Howard/LeBlanc and
Howard/Lipner's Secure Coding and SDL books currently written software
from Microsoft is indeed following their best practice guidelines.

(My only complaint with both books is that they are paperback and not
hardbound, and thusly when I throw them at crappy app developers like ...
oh.. say.. I don't know... Intuit... the bruise on the head of the Dev folks
there will be slightly lessened... the SDL book so far is very
interesting)

Older software that they purchased .. granted that statement cannot be
made...

And isn't your situation solvable with having on your patch test matrix a
check box that says ensure app data redirect is still functional... and of
course testing that patch before it's globally deployed?

Matt Hargraves [EMAIL PROTECTED] wrote:
I believe the reason they recommend against this is because all applications
are different.  Another problem is that there is no guarantee that the
application will remain the same.  Patches and updates can change more than
just a file here and a file there, they can change settings such as these
and trying to redirect the location for that data can end up with a
situation where the application during an update is trying to pull your
information from %userroot%\appname and it's really at a completely
different location.

If all application vendors use MS best practices for programming, it would
be great, but unfortunately not even MS always uses their own best
practices.

Redirecting application data can work fine for months or even years, but
then you get an update to an application and *bam* everything's broken and
you don't really know why and you spend days (or worse, weeks) trying to
figure out why everyone's broken and realize that your problem is that the
application data is being redirected and that's the source of the problem.

Matt






Re: [ActiveDir] Fwd: Redirect Application Data

2006-07-08 Thread Matheesha Weerasinghe

Thanks for the suggestion. I've posted in the public TS newsgroup.

M@

On 7/8/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
[EMAIL PROTECTED] wrote:

This sounds like a question for a MSDN/TS list/newsgroup with some
monitoring tools thrown in as you do your tests.

I can tell you that in our little networks, things like smb signing
enabled on our DCs add about a 20 to 40 percent overhead to file
transfers and apps (ergo one of the reasons we're a bit insane to be
making our DCs file servers).

We've also seen speed issues affected by NIC drivers and the
selection of a static speed versus auto-sense on the NIC.

Just reading that laundry list of what that app is having to go
through.. each possibly needing a little tweak here or there...sounds to
me that a test, perf mon and other such monitoring is needed to
determine if he's right?


Matheesha Weerasinghe wrote:


Re: [ActiveDir] Fwd: Redirect Application Data

2006-07-08 Thread Matheesha Weerasinghe

Thanks Darren

Unfortunately we are indeed clearing cached profiles at logoff and so
download of roaming profiles is gonna take some time. We store a lot
of files, especially for Lotus Notes, so I could have done without that.
I am gonna need to think a bit about this one. But at this stage I'd
rather take a hit at logon/logoff and have a reasonably well
performant session than crap performance all throughout the session.

Thanks to all others that replied too.

Cheers

M@


On 7/8/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:

In general I recommend against AppData redirection for the performance
reasons you've already cited below. A lot of apps, esp. MS apps, read/write
to files in AppData frequently as they run, and I've just found that when
that data resides remotely, it really slows down the user's experience. If
you are concerned about download performance of roaming profiles, you could
set AppData to not roam, but that won't do you much good in a TS
environment. Keep in mind also that unless your users are moving around to a
lot of different machines, the roaming profile hit should be reasonably
minimal after the initial download because the roaming profile algorithm
should only be downloading changed files. Of course, all bets are off if
you're deleting the cached profile at each logoff (as may be the case on a
TS).

Darren


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Saturday, July 08, 2006 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Fwd: Redirect Application Data


Re: [ActiveDir] Can't find anyting on this [NTDS warning]

2006-07-07 Thread Matheesha Weerasinghe

Going by the ESE error codes, it appears not to find the record. Some
DB corruption, maybe? Source is
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ese/ese/extensible_storage_engine_errors.asp

JET_errNoCurrentRecord
-1603 There is no current record.

I guess someone like Brettsh could enlighten us more?

M@

On 7/7/06, John Singler [EMAIL PROTECTED] wrote:

Sorry to rehash a year old thread...

OT: http://www.mail-archive.com/activedir@mail.activedir.org/msg30076.html

One of my DC's just logged this same message.

Nothing else is logged around this event.

Brian, was this ever resolved for you?

Thanks,

john

Brian Desmond wrote:
 Event Type:      Warning
 Event Source:    NTDS General
 Event Category:  Internal Processing
 Event ID:        1173
 Date:            6/21/2005
 Time:            10:08:47 AM
 User:            NT AUTHORITY\ANONYMOUS LOGON
 Computer:        TheServer
 Description:
 Internal event: Active Directory has encountered the following
 exception and associated parameters.

 Exception:
 e0010004
 Parameter:
 0

 Additional Data
 Error value:
 -1603
 Internal ID:
 2050344

 For more information, see Help and Support Center at
 http://go.microsoft.com/fwlink/events.asp.

 Closest thing I found was a -1605. Box is a 2k3 SP1 clean build (aka I
 built it on 2k3 SP1) PDC FSMO and GC.

 --brian




Re: [ActiveDir] Question on rightsguid

2006-06-20 Thread Matheesha Weerasinghe

thanks joe!

M@

On 6/20/06, joe [EMAIL PROTECTED] wrote:

Oops correction here, I spaced for a second. The value for Property Sets in
validAccesses is a combination of ACTRL_DS_WRITE_PROP + ACTRL_DS_READ_PROP
so the value is 32 + 16 or 48, not just 32.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, June 20, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on rightsguid

There are three things currently handled in the extended-rights container of
objectclass controlAccessRight.

Validated Writes
Property Sets
Extended Rights

These are differentiated by the validAccesses attribute[1]. Quickly it lays
out like

Validated Writes have validAccesses value of 8
Property Sets have validAccesses value of 32
Extended Rights have validAccesses value of 256

While they are the same objectclass and in the same container, they are not
the same things. The attributeSecurityGUID is used to tie schema objects to
property sets. Validated Rights and Extended Rights are hardcoded into the
OS. While you could add those types of objects, you wouldn't get anything
out of the OS with them, you would need to write your application(s) to use
them.

Now there are some things that are a bit confusing... The rightsGuid of
Add/Remove self as member is the same as the member attribute's
schemaIDGUID. This means that if you don't use the correct access mask the
permission will not be written properly and many programs and scripts
(including several of mine) actually display this incorrectly. If the mask
is a CA grant/deny (control access) then the permission is for Add/Remove
self as member, if the mask is anything else, it is the member schema
attribute. It gets even worse with the rightsGUID of
Validated write to DNS host name is also the rightsGUID of the property set
DNS Host Name Attributes AND the schemaIDGUID of the attribute
dNSHostName.

I've actually been meaning to blog this for a while now as I keep fielding
questions in email and the newsgroups about it. Seems like a lot of people
are actually really looking at that stuff finally. I reported the DNS GUIDs
item to MSFT back after K3 came out as I didn't think it was right. I still
don't think it is the right way to handle it but too late to change now. It
just adds a bunch of confusion to something that doesn't need the confusion
because it is already too confusing.


As for the second part... I have been asked that and actually people have
insisted it is a bug in my code so much that I did blog it.

http://blog.joeware.net/2005/12/17/173/



   joe




[1]
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/contr
ol_access_rights.asp


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, June 19, 2006 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question on rightsguid

All

I've been doing a little digging into AD and was wondering why the
rightsguid for the validated-spn and the self-membership validated
rights doesn't have objects in the schema with matching
attributesecurityguid values. Is it correct to assume that there
should be objects in the schema with attributesecurityguid values to
match each rightsguid values of each controlaccess object? Or is
rightsguid only really important for propertysets?

Also I noticed when I used joe's adfind to list objects which had the
rightsguid value from validated-dns-host-name, the filter listed the
same rightsguid value in a different format. i.e

adfind -propsetmembers:72e39547-7b18-11d1-adef-00c04fd8d5cd
attributesecurityguid  was expanded as Transformed Filter:
(&(objectcategory=attributeschema)(attributeSecurityGUID=G\95\E3r\18\7B\D1\11\AD\EF\00\C0O\D8\D5\CD))

I deduced G=47, r=72 etc..

Can anyone explain the above for me?

Cheers

M@
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

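As an added example (not code from joe, from adfind, or from this thread), the Python below does the things the thread talks around: it converts a GUID between its dashed form and the escaped octet string adfind printed (which is where "G=47, r=72" comes from: the first four bytes are Data1 in little-endian order, and adfind leaves printable octets unescaped), builds the property-set-members filter, classifies a controlAccessRight by its validAccesses value as joe lays it out, and shows why an ACE's object GUID cannot be interpreted without looking at the access mask. The lookup tables are constructed stand-ins for the extended-rights container and the schema, built from the one GUID quoted in the thread; the ADS_RIGHT_* constants are the documented access-mask bit values.

```python
import uuid

# Access-mask bits from the documented ADS_RIGHTS_ENUM values.
ADS_RIGHT_DS_SELF = 0x8               # validated write
ADS_RIGHT_DS_READ_PROP = 0x10
ADS_RIGHT_DS_WRITE_PROP = 0x20
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100   # extended right

# The GUID quoted in the thread. Per joe it is at once the rightsGuid of the
# Validated-DNS-Host-Name validated write, the rightsGuid of the
# DNS-Host-Name-Attributes property set and the schemaIDGUID of dNSHostName.
DNS_HOST_NAME_GUID = "72e39547-7b18-11d1-adef-00c04fd8d5cd"


def guid_to_filter_value(guid: str) -> str:
    """Encode a GUID the way attributeSecurityGUID/schemaIDGUID store it:
    Windows mixed-endian byte order (Data1..Data3 little-endian, Data4 as-is),
    every octet escaped as \\XX so it is safe inside an LDAP filter (RFC 4515)."""
    return "".join(f"\\{b:02x}" for b in uuid.UUID(guid).bytes_le)


def filter_value_to_guid(value: str) -> str:
    """Inverse of guid_to_filter_value, accepting the form adfind prints, where
    printable octets are left raw ('G' is 0x47, 'r' is 0x72, 'O' is 0x4f)."""
    raw = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\":
            raw.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            raw.append(ord(value[i]))
            i += 1
    if len(raw) != 16:
        raise ValueError(f"expected 16 octets, got {len(raw)}")
    return str(uuid.UUID(bytes_le=bytes(raw)))


def property_set_members_filter(rights_guid: str) -> str:
    """Filter listing the schema attributes that belong to a property set,
    i.e. what adfind -propsetmembers expanded to in the thread."""
    return ("(&(objectCategory=attributeSchema)"
            f"(attributeSecurityGUID={guid_to_filter_value(rights_guid)}))")


def classify_control_access_right(valid_accesses: int) -> str:
    """Sort a controlAccessRight object by its validAccesses attribute:
    8 = validated write, 48 (32 + 16) = property set, 256 = extended right."""
    if valid_accesses & ADS_RIGHT_DS_CONTROL_ACCESS:
        return "extended right"
    if valid_accesses & (ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP):
        return "property set"
    if valid_accesses & ADS_RIGHT_DS_SELF:
        return "validated write"
    return "unknown"


# Constructed stand-ins for the extended-rights container (name, validAccesses)
# and for the schema (attribute lDAPDisplayName), both keyed by GUID.
CONTROL_ACCESS_RIGHTS = {
    DNS_HOST_NAME_GUID: [("Validated-DNS-Host-Name", 8),
                         ("DNS-Host-Name-Attributes", 48)],
}
SCHEMA_ATTRIBUTES = {DNS_HOST_NAME_GUID: "dNSHostName"}


def describe_ace_object_guid(object_guid: str, access_mask: int) -> str:
    """Resolve an ACE's object GUID the way joe says it must be done: the
    access mask, not the GUID alone, decides which of the overlapping
    meanings applies. Property sets and plain attributes both use the
    read/write-property bits, so that residual ambiguity is reported as-is."""
    guid = object_guid.lower()
    rights = CONTROL_ACCESS_RIGHTS.get(guid, [])
    ca_bits = ADS_RIGHT_DS_SELF | ADS_RIGHT_DS_CONTROL_ACCESS
    hits = [name for name, va in rights if va & access_mask & ca_bits]
    if hits:
        return hits[0]
    prop_bits = ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP
    hits = [name for name, va in rights if va & access_mask & prop_bits]
    if guid in SCHEMA_ATTRIBUTES and access_mask & prop_bits:
        hits.append(f"attribute {SCHEMA_ATTRIBUTES[guid]}")
    return " or ".join(hits) if hits else "unknown"


if __name__ == "__main__":
    print(property_set_members_filter(DNS_HOST_NAME_GUID))
    print(filter_value_to_guid("G\\95\\E3r\\18\\7B\\D1\\11\\AD\\EF\\00\\C0O\\D8\\D5\\CD"))
    for mask in (0x8, 0x20, 0x100):
        print(hex(mask), "->", describe_ace_object_guid(DNS_HOST_NAME_GUID, mask))
```

Running it against a real directory would mean replacing the two constructed tables with a query of CN=Extended-Rights,CN=Configuration,... (rightsGuid, validAccesses) and of the schema NC (schemaIDGUID); the GUID handling and the mask logic stay the same. A permissions-reporting script that looks an ACE's object GUID up by value only, without the mask check, is exactly the bug joe describes in his own tools.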


[ActiveDir] Question on rightsguid

2006-06-19 Thread Matheesha Weerasinghe

All

I've been doing a little digging into AD and was wondering why the
rightsguid for the validated-spn and the self-membership validated
rights doesn't have objects in the schema with matching
attributesecurityguid values. Is it correct to assume that there
should be objects in the schema with attributesecurityguid values to
match each rightsguid values of each controlaccess object? Or is
rightsguid only really important for propertysets?

Also I noticed when I used joe's adfind to list objects which had the
rightsguid value from validated-dns-host-name, the filter listed the
same rightsguid value in a different format. i.e

adfind -propsetmembers:72e39547-7b18-11d1-adef-00c04fd8d5cd
attributesecurityguid  was expanded as Transformed Filter:
(&(objectcategory=attributeschema)(attributeSecurityGUID=G\95\E3r\18\7B\D1\11\AD\EF\00\C0O\D8\D5\CD))

I deduced G=47, r=72 etc..

Can anyone explain the above for me?

Cheers

M@
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] bitwise filters

2006-06-15 Thread Matheesha Weerasinghe

Thanks joe!
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] bitwise filters

2006-06-13 Thread Matheesha Weerasinghe

Thanks for replying Tony. Unfortunately gmail couldn't read your reply
so I resorted to the archive.

In my example for searching universal groups, I wasn't distinguishing
between security and distribution groups. Therefore the 2nd filter is
correct too, isn't it?

As for the 3rd question, I am sure you can answer it. Please don't hold
back. I merely addressed it to Joe as he wrote the tool and hence
should know how it behaves more than anyone else ;-) But if anyone
else could explain it, I will be most grateful.

TIA

M@


On 6/13/06, Tony Murray [EMAIL PROTECTED] wrote:



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] bitwise filters

2006-06-12 Thread Matheesha Weerasinghe

Guys,

I have a few questions on bitwise filters.

1. I just wanna make sure I've understood bitwise filters correctly.
Basically if I want to check if all bits are set, I should use the
Bitwise AND operator. If I need to check if any number of the bits I
am interested in are set, I should use the OR operator. Therefore the
OR operator is best used in multiple bit checking scenarios. If I am
checking for only one bit (and not multiple bits), then I should
use the AND operator. I guess it really doesn't matter. It's just the
logic behind it.

If I want a list of global and local groups, I could either do a
search for groups that are not universal or I could do a search for
groups that have the bit for either global or local set, couldn't I? i.e.
(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.804:=6)) or
(&(objectcategory=group)(!(grouptype:1.2.840.113556.1.4.803:=8))).
Please correct me if I am wrong.

2. How do I find the bitwise filter OID for AND or OR without referring
to manuals. Can I query this in the directory or is it hardcoded?


3. Joe,

Could you please explain why the group type value output in adfind is
minus? If I do a query with -f
(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.803:=2147483650))
grouptype, I get -2147483646 as the output. The results are correct. I
just want to understand why the output is minus.

Thanks

M@
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
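Added example, not code from the thread or from adfind: a small evaluator for the filter subset used in the questions above (AND/OR/NOT, equality, and the two bitwise extensible-match rules, 1.2.840.113556.1.4.803 for "all of these bits" and 1.2.840.113556.1.4.804 for "any of these bits"), run over a constructed set of group entries so the two "global or local" filters from question 1 can be compared directly. It also answers question 3 the way AD itself does: groupType is a 32-bit signed integer, so a value with the security-enabled bit 0x80000000 set reads as a negative number, and 0x80000002 (global security group) prints as -2147483646. The group names are constructed sample data; the GROUP_TYPE_* values are the documented flag bits.

```python
# LDAP extensible-match rule OIDs understood by Active Directory.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # all mask bits set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"    # any mask bit set

# groupType flag bits (documented values).
GROUP_TYPE_BUILTIN_LOCAL = 0x1
GROUP_TYPE_GLOBAL = 0x2
GROUP_TYPE_DOMAIN_LOCAL = 0x4
GROUP_TYPE_UNIVERSAL = 0x8
GROUP_TYPE_SECURITY_ENABLED = 0x80000000

# Constructed sample directory; groupType stored as AD returns it (signed).
GROUPS = [
    {"cn": "Domain Admins", "objectcategory": "group", "grouptype": -2147483646},  # 0x80000002
    {"cn": "Sales-DL", "objectcategory": "group", "grouptype": -2147483644},       # 0x80000004
    {"cn": "Universal-Sec", "objectcategory": "group", "grouptype": -2147483640},  # 0x80000008
    {"cn": "Newsletter", "objectcategory": "group", "grouptype": 8},               # distribution
    {"cn": "Staff", "objectcategory": "group", "grouptype": 2},                    # distribution
]


def to_signed32(n: int) -> int:
    """Interpret a 32-bit pattern as AD's signed integer syntax does."""
    n &= 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n


def to_unsigned32(n: int) -> int:
    """The reverse: the raw bit pattern a bitwise filter is matched against."""
    return n & 0xFFFFFFFF


def _parse(text: str, pos: int = 0):
    """Recursive-descent parser for the filter subset used in the thread.
    Returns (node, next_position). Nodes are ('&'|'|'|'!', children) or
    ('item', attribute, matching_rule_oid_or_None, value)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos] in "&|!":
        op = text[pos]
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)
    lhs, value = text[pos:end].split("=", 1)
    rule = None
    if ":" in lhs:                      # attr:OID:=value
        lhs, rule, _ = lhs.split(":")
    return ("item", lhs.lower(), rule, value), end + 1


def _matches(node, entry: dict) -> bool:
    op = node[0]
    if op == "&":
        return all(_matches(c, entry) for c in node[1])
    if op == "|":
        return any(_matches(c, entry) for c in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    _, attr, rule, value = node
    actual = entry.get(attr)
    if actual is None:
        return False
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        mask = int(value)
        return (to_unsigned32(actual) & mask) == mask
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return (to_unsigned32(actual) & int(value)) != 0
    return str(actual).lower() == value.lower()


def search(filter_text: str, entries=GROUPS) -> list:
    """Evaluate an LDAP filter string over the entries; return matching cn values."""
    node, pos = _parse(filter_text, 0)
    if pos != len(filter_text):
        raise ValueError("trailing text after filter")
    return [e["cn"] for e in entries if _matches(node, e)]


if __name__ == "__main__":
    print(search("(&(objectcategory=group)(grouptype:1.2.840.113556.1.4.804:=6))"))
    print(search("(&(objectcategory=group)(!(grouptype:1.2.840.113556.1.4.803:=8)))"))
    print(to_signed32(0x80000002), hex(to_unsigned32(-2147483646)))
```

On this sample both forms of the "global or local" filter return the same three groups, which is the point of question 1; the OR rule with mask 6 asks "has either scope bit", the negated AND rule with mask 8 asks "does not have the universal bit". The AND rule with 2147483650 matches only entries whose raw bits include both 0x80000000 and 0x2, so it finds global security groups and skips the global distribution group.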


Re: RE : RE: RE : RE: [ActiveDir] AD LDAP Logging.

2006-06-10 Thread Matheesha Weerasinghe

Check out the TechNet Webcast: Active Directory Performance
Measurement and Troubleshooting—Level 300 at
http://www.microsoft.com/events/series/adaug.mspx.


On 6/10/06, Yann [EMAIL PROTECTED] wrote:


Hello,

Gil, very very very useful information that you provided at the DEC AD
performance session. I just finished studying it. I highly recommend it
because of the videos that explain well how to use spa, logman, etc.! I'm
eager to test your troubleshooting on Monday! :)
A few questions...
1) Will spa consume lots of resources when starting the analysis and generating
reports?
2) Can spa analyze other DCs from one w2k3 box dedicated to spa? Or must I
install spa on each box that I want to trend?
3) Could I see possible LDAP connectivity problems (dirty LDAP
disconnections...) between my DC and a client?
4) Can I schedule the analysis for a few days to be sure to track the LDAP problem?
And will it consume high resources?

Thanks,

Yann

Gil Kirkpatrick [EMAIL PROTECTED] a écrit :


You can use SPA, or you can use logman and tracerpt to get detailed LDAP
stats. SPA does a lot of analysis for you and diagnoses several classes of
AD perf problems. Tracerpt will give you a fairly raw look at all the LDAP
traffic. I covered all three in my DEC AD Performance session (which I
didn't actually deliver at DEC :). Its available on the NetPro website at
http://www.netpro.com/community/medialibrary.cfm.

-gil

 
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Steve Linehan
Sent: Friday, June 09, 2006 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: RE : RE: [ActiveDir] AD LDAP Logging.




It is true that SPA is not localized but I believe the French version will
be ok.  The problem comes about with the localization of the perfmon data.
If you have problems post back and we can try a few work arounds because we
are only really interested in the trace data at this point which should not
be impacted.

Thanks,

-Steve


 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Yann
Sent: Friday, June 09, 2006 11:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] AD LDAP Logging.


Thank you for your answer Steve. I will install spa on Monday and see if I
can log some LDAP activities (errors, connection problems, etc...).



Will this version of spa work on a w2k3 sp1 French version ?



Regards,



Yann

Steve Linehan [EMAIL PROTECTED] a écrit :


I would suggest taking a look at Server Performance Advisor (SPA), assuming
these are Windows Server 2003 DCs, and using it to collect and analyze the
data for the DCs in question.  This tool combines performance counters and
the tracing data that Joe is referring to, which will allow you to get very
detailed information on what is occurring.  This tool will give you a peek
into the new performance and monitoring capabilities that we are adding into
the next versions of the OS.  It will also give you hints on what we believe
the performance problems are.  One of these days when I get a chance I will
try to write a blog entry on all of the things you can do with SPA.  By the
way it also collects information for other server roles as well, such as IIS,
giving you tremendous amounts of detail found nowhere else.  Yes, event
tracing is the future of not only performance monitoring but debugging
difficult issues.



You can download SPA from here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=09115420-8c9d-46b9-a9a5-9bffcd237da2&DisplayLang=en



Thanks,



-Steve

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
joe
Sent: Friday, June 09, 2006 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD LDAP Logging.



Unfortunately the logging is very basic, it will not log LDAP errors from
anything I have seen. This is something I have asked for from MSFT as well,
very detailed LDAP logging like you can enable with some of the other
directories. Usually I hear a response of use event tracing but I haven't
had a chance to really dig deep into that yet to see how useful it
will be.



It depends on whether the code is displaying error messages, but possibly a query
timed out? That could be indicative of a very poor query. By default, if a
query goes more than 2 minutes, it will get dropped.






--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm







 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Yann
Sent: Friday, June 09, 2006 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re : [ActiveDir] AD LDAP Logging.



Good point Joe.





I will use perfmon to monitor the health of my DC.


Another question.





The Web app timed out with this generic error the serveur is down, where
the server = mydc.


At the time the web app timed out, I saw no errors about LDAP connections
between my DC and the zope server.





With the Field 

Re: [ActiveDir] Rights to move an object from one OU to another

2006-06-07 Thread Matheesha Weerasinghe

http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

and

http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

On 6/8/06, Figueroa, Johnny [EMAIL PROTECTED] wrote:



What rights does a user need to move objects from one OU to another? I
can not seem to find that or a white paper on delegation of authority
that someone mentioned before.


Thanks in advance.

Johnny Figueroa
Supervisor Network Operations & Support
Network Services
Banner Health
Voice (602)495-4195
Fax (602) 495-4406

WARNING: This message, and any attachments, are intended only for the
use of the individual or entity to which it is addressed and may contain
information that is privileged, confidential and exempt from disclosure
under applicable law.  If the reader of this message is not the intended
recipient or employee/agent responsible for delivering the message to
the intended recipient, you are hereby notified that any dissemination,
distribution or copying of the communication is strictly prohibited.  If
you receive this communication in error, please notify us immediately
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx




Re: [ActiveDir] Logged in user

2006-06-06 Thread Matheesha Weerasinghe

psloggedon from sysinternals.com

On 6/6/06, Harding, Devon [EMAIL PROTECTED] wrote:





Is there a Command line util., to remotely tell what user is logged into a
PC?



-Devon
---
 This message (including any attachments) is intended only for the use of
the individual or entity to which it is addressed and may contain
information that is non-public, proprietary, privileged, confidential, and
exempt from disclosure under applicable law or may constitute as attorney
work product. If you are not the intended recipient, you are hereby notified
that any use, dissemination, distribution, or copying of this communication
is strictly prohibited. If you have received this communication in error,
notify us immediately by telephone and (i) destroy this message if a
facsimile or (ii) delete this message immediately if this is an electronic
communication.
 Thank you.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] DSID-020A06F3 error from French platform AD

2006-06-05 Thread Matheesha Weerasinghe
What's the version of ldp? Are there any issues using ADAM SP1's ldp from the English version? I assume other LDAP clients are fine, other than this ldp? Wire traces show anything weird?

Just my $0.02

M@
On 6/5/06, Gil Kirkpatrick [EMAIL PROTECTED] wrote:





I'm receiving this error on subtree searches of the Config NC, on a French version of Windows 2003 SP1. Anyone have any ideas?

(From LDP)
ldap_search_s(ld, CN=Configuration,DC=francais,DC=local, 2, (objectclass=*), attrList, 0, msg)
Error: Search: Erreur d'opération. 1
Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018

Result 1: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data -1018

Matched DNs:
Getting 0 entries:

I'm logged in as the domain Administrateur. One level searches seem to work ok.

-gil



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sivarajan, Santhosh
Sent: Monday, June 05, 2006 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC and ADC replication prob.

What is your ADC configuration?

Santhosh Sivarajan | MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
Houston, TX

From: [EMAIL PROTECTED] on behalf of Ajay Kumar
Sent: Sun 6/4/2006 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC and ADC replication prob.

Hi all,

Pls help me out,
Just recently I set up a small domain of 50 PCs with a DC and ADC.
But the prob. is that the replication is not taking place between DC and ADC and there is no error in event log. What could be the problem.

Ajay.




Re: [ActiveDir] DSID-020A06F3 error from French platform AD

2006-06-05 Thread Matheesha Weerasinghe

Man I regret trying to even answer that. I didn't look at the name of
the poster for crying out loud!

<Note to self>a fool is not known until he opens his mouth</Note to self>

Sorry Gil. Won't happen again.

M@

On 6/5/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Start your own thread :)

Joe blogged about this DSID thingy a while back, and it was a very
informative piece. I suggest you start from there. This may require you
peeking into the source code.


Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Mon 6/5/2006 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DSID-020A06F3 error from French platform AD


I'm receiving this error on subtree searches of the Config NC, on a French
version of Windows 2003 SP1. Anyone have any ideas?

(From LDP) 
ldap_search_s(ld, CN=Configuration,DC=francais,DC=local, 2,
(objectclass=*), attrList,  0, msg)
Error: Search: Erreur d'opération. 1
Server error: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data
-1018

Result 1: 20EF: SvcErr: DSID-020A06F3, problem 5012 (DIR_ERROR), data
-1018

Matched DNs:
Getting 0 entries:


I'm logged in as the domain Administrateur. One level searches seem to work
ok.

-gil



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sivarajan, Santhosh
Sent: Monday, June 05, 2006 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC and ADC replication prob.


What is your ADC configuration?

Santhosh Sivarajan | MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA
Houston, TX



From: [EMAIL PROTECTED] on behalf of Ajay Kumar
Sent: Sun 6/4/2006 10:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC and ADC replication prob.


Hi all,

Pls help me out,
Just recently I set up a small domain of 50 PCs with a DC and ADC.
But the prob. is that the replication is not taking place between DC and ADC
and there is no error in event log. What could be the problem.

Ajay.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



Re: [ActiveDir] DHCP migration(OT)

2006-05-16 Thread Matheesha Weerasinghe

look into netsh. might be of use.

On 5/12/06, Tom Kern [EMAIL PROTECTED] wrote:


I want to migrate DHCP(scopes,scope options,leases) from one win2k box to
another.

My issue is, the target server is running DHCP with scopes,etc already
configured.

Is there anyway to migrate the source DHCP server to the target without
overwriting the target's settings?

I just want to merge the 2- move the source info over while keeping the
target DHCP info intact as well.

Is this possible?

Thanks




Re: [ActiveDir] DHCP migration(OT)

2006-05-16 Thread Matheesha Weerasinghe

Haven't played with it for a while so I can't answer unless I fire up a
VM and start playing. Do you fancy letting me know your findings ;-)

M@

On 5/16/06, Tom Kern [EMAIL PROTECTED] wrote:


Will netsh overwrite the scopes already existing on the target?

Also, does netsh migrate leases or just the scope and scope options?

Thanks



On 5/16/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
 look into netsh. might be of use.

 On 5/12/06, Tom Kern [EMAIL PROTECTED]  wrote:
 
  I want to migrate DHCP(scopes,scope options,leases) from one win2k box
to
  another.
 
  My issue is, the target server is running DHCP with scopes,etc already
  configured.
 
  Is there anyway to migrate the source DHCP server to the target without
  overwriting the target's settings?
 
  I just want to merge the 2- move the source info over while keeping the
  target DHCP info intact as well.
 
  Is this possible?
 
  Thanks
 
 





Re: [ActiveDir] [OT] GMAIL encoding

2006-05-10 Thread Matheesha Weerasinghe

Thanks for that. My question is why isn't the mail sent by Al
viewable by other gmail users? I have also seen blank emails and I use
gmail too.

M@

On 5/10/06, AdamT [EMAIL PROTECTED] wrote:

On 10/05/06, Lou Vega [EMAIL PROTECTED] wrote:

 I don't know exactly where it is off the top of my head because I don't have
 access to GMAIL at work, but GMAIL does allow you (to my knowledge) to set
 the encoding of your messages if you wanted to…perhaps you can check into
 that?

It's under the settings like at the top right of the screen.  You get
a choice of:

Use default text encoding for outgoing messages

Or:

Use Unicode (UTF-8) encoding for outgoing messages


--
AdamT
'Thank-you for not requesting read receipts'
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



Re: Re: [ActiveDir] ADAM Management Tool REQs and Desires...... WAS: Internet Authentication Concepts: Pointers?

2006-05-03 Thread Matheesha Weerasinghe

Personally, I'd like a command line tool that's interactive like
ntdsutil or nslookup. I'd be able to use this to browse the ADAM
instance from a command line. Have a prompt which allows me to
navigate the hierarchy. Execute commands such as create/delete
objecttype etc...

M@

On 4/28/06, Stewart, Fitz [EMAIL PROTECTED] wrote:




Heck, just give a user the ability to create and otherwise manage objects –
users, groups, the basics.  Name, etc.  Nothing fancy, just not the
command-line-ishness of ADSIEDIT.






-fitz


703-866-7473
 703-626-5741 (cell)


 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
joe
 Sent: Friday, April 28, 2006 3:46 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: Re: [ActiveDir] ADAM Management Tool REQs and Desires..
WAS: Internet Authentication Concepts: Pointers?



I have some curiosity in this realm...



What would everyone consider good things and requirements for an ADAM
management tool. Even assuming, cough, GUI.



  joe




--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm







 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Jef Kazimer
 Sent: Friday, April 28, 2006 10:01 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?

Since it is LDAP I did look at some friendlier admin tools, but none
really hit the mark for me.   I believed that group looked at Softerra's
tool,  and there is the web based PHP LDAP manager, and also the C# LDAP
manager tool.  You can Live search the names or I can post the links here if
you want.



In the end I wrote my own as a .NET web app since I found them lacking.
Yet as I said if I want to go global,  I don't know if I want to position
what I wrote without some major changes. :)



J





 


Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
 Date: Fri, 28 Apr 2006 09:44:55 -0400
 From: [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org


That's a very good point.  Does anyone know of any 3rd parties which improve
the ADAM administrative UI experience?







J. Fitzgerald (Fitz) Stewart

Systems Architect

IRM/OPS/ENM

Worldwide Information Network Systems

USAID/DoS IT Infrastructure Collaboration Program

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

703-866-7473

703-626-5741 (cell)
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Jef Kazimer
 Sent: Friday, April 28, 2006 9:27 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: Re: [ActiveDir] Internet Authentication Concepts: Pointers?



Mylo,



Thanks for the information!



I have setup ADAM utilizing a custom web UI utilizing AZman for a small
project before, but I have concerns about scalability.  The issues are not
with the ADAM instance at all, but the UI that is needed to manage ADAM.
ADSIedit is great for someone who understands the directory, but it's not
that user friendly for web application owners, helpdesk, etc.  This was for
a simple application of about 500 users, and it met their needs but I don't
see this as a scalable solution from a global perspective.



This will be a backend data store that contains the user identity, but the
applications that utilize it will be of different flavors from DMZ hosted
web apps, to externally hosted apps.   The flavors of web apps will range
from websphere, ColdFusion,  .NET and I suspect some PHP apps.



With AD,  I guess I was thinking it has a well known support interface
(though I am sure I would need to customize anyway...so I'm not sure that
value is really there).   So I was expecting to maybe find 3rd parties that
do sit in front of this to manage the IDs stored. Though this could be AD or
ADAM with ADAM being the most cost effective.   This looks like siteMinder
might be a good solution to manage all of these environments but I will need
to look into that.





 I suppose I am getting ahead of myself, because I do not know the
requirements as of yet, and I'm making assumptions that could be totally off
the mark here.   I guess it's a new environment and wanted to get some info
ahead of before it was needed. :)



Thanks again!



Jef
 


 Date: Fri, 28 Apr 2006 01:40:09 +0200
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Internet Authentication Concepts: Pointers?
 
  Jef,
 
  As Al pointed out, there are numerous products from vendors such as
  IBM/BEA/Oracle/RSA/Netegrity/Entrust/Baltimore Labs (RIP) etc providing
  web-based authentication/authorisation in front of AD. Since from a
  design point-of-view it's generally not a good idea to stick AD too
  close to the Internet, often these solutions comprise a presentation
  tier, e.g. with IIS (using some sort of ISAPI plugins) that then hooks
  into 

Re: [ActiveDir] GC Promotion

2006-04-28 Thread Matheesha Weerasinghe
I've got a parent-child domain setup here and I have child domain GCs which repl the parent domain NC from another child domain NC. Now I don't know if it's possible to make a GC using a DC of the other domain that's not a GC. In a hypothetical setup where all sites were not fully routed this could be tested, forcing it to repl NCs from a site/server that has/is no GC. But I won't be testing that in a VM in the near future. I'll let the knowledgeable enlighten us on the subject.

M@

On 4/28/06, Mark Parris [EMAIL PROTECTED] wrote:

When elevating a DC to be a GC and say there are 3 domains, located say on 3 continents. Is the GC that already exists in each domain authoritative in the elevation of the DC to a GC or does each DC contact a DC in the relevant domain for the GC information?
Make sense?

Mark

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/




Re: [ActiveDir] Service Account Logging/Tracking

2006-04-22 Thread Matheesha Weerasinghe
eventcombmt is OK but logparser is better as it can parse saved logs. Eventcombmt is for active logs only.

M@

On 4/22/06, mike kline [EMAIL PROTECTED] wrote:

You have to turn on auditing in order to track logon events. Once you turn auditing on you can then search your security event logs for that logon event.


When you go to set auditing you will see two settings. Audit account logon events and audit logon events. There is a good blog entry about the differences between the two settings and what they mean.
http://blogs.msdn.com/ericfitz/archive/2005/08/04/447934.aspx

We set both for success, failure (per NSA guidelines). We save our logs daily on the servers and on our workstations we overwrite older events so that disk space doesn't become a huge issue. 

Once you have the events in the log you can search through them using a tool like Eventcomb

http://www.microsoft.com/downloads/details.aspx?FamilyId=9989D151-5C55-4BD3-A9D2-B95A15C73E92&displaylang=en
Eventcomb can be found within this download. 

You can search for EventID 528 and specify the service account to narrow the search.

When you say an account with elevated privileges, what kind of privileges are you talking about? Hopefully not a domain admin account.

Thanks
Mike
On 4/21/06, Clay, Justin (ITS) [EMAIL PROTECTED]
 wrote:



What's the recommended method for tracking service account logins? We keep a pretty tight rein on service accounts and their passwords, but in some cases we have to provide the passwords to our customers (in this case, customers are other government organizations that we support) for use in their applications. Essentially we just want to know if someone logs into a PC or a server with a service account. We don't want a bunch of people using a service account to gain access to resources, especially if it's an account with elevated privileges.


Thanks,

Justin Clay


ITS Enterprise Services


 Metropolitan Government of Nashville and Davidson County
 Howard School Building


 Phone: (615) 880-2573




ITS ENTERPRISE SERVICES EMAIL NOTICEThe information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
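Added example, not from the thread: detection logic in Python run over a constructed CSV export of the Security log, of the kind logparser or EventComb would produce (the columns mirror the fields an event 528 record carries; the account names, hosts and rows are made up). It flags event 528 logons by listed service accounts whose logon type is Interactive (2) or RemoteInteractive (10), which is the case Justin describes, a person using a service account at a console or RDP session, while leaving the expected type 5 (Service) and type 4 (Batch) logons alone, and it summarises every 528 per account and logon type so a baseline can be kept. SERVICE_ACCOUNTS is an assumed list to be replaced with the real one.

```python
import csv
import io

# Logon type codes reported by event 528 on Windows 2000/2003 (documented values).
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
                    7: "Unlock", 10: "RemoteInteractive"}
# A service account should never appear with one of these: somebody typed its
# password at a console or RDP session.
INTERACTIVE_TYPES = {2, 10}
# Assumed inventory of service accounts (lower-case sAMAccountNames).
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql"}

# Constructed sample export; not a real log. One successful-logon event per row.
SAMPLE_EXPORT = """EventID,ComputerName,UserName,LogonType,WorkstationName
528,FS01,svc_backup,5,FS01
528,WS042,svc_backup,2,WS042
528,SQL01,svc_sql,5,SQL01
528,WS017,jdoe,2,WS017
528,SQL01,svc_sql,10,WS099
540,FS01,svc_backup,3,WS042
"""


def parse_events(text: str) -> list:
    """Parse the CSV export into dicts with typed fields."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "event_id": int(row["EventID"]),
            "computer": row["ComputerName"],
            "user": row["UserName"].lower(),
            "logon_type": int(row["LogonType"]),
            "workstation": row["WorkstationName"],
        })
    return events


def _type_name(code: int) -> str:
    return LOGON_TYPE_NAMES.get(code, str(code))


def find_service_account_logons(events: list, service_accounts=SERVICE_ACCOUNTS) -> list:
    """Return the event 528 records where a service account logged on
    interactively or over RDP, the case the thread wants to catch."""
    hits = []
    for e in events:
        if e["event_id"] != 528 or e["user"] not in service_accounts:
            continue
        if e["logon_type"] in INTERACTIVE_TYPES:
            hits.append({**e, "logon_type_name": _type_name(e["logon_type"])})
    return hits


def summarize_by_account(events: list, service_accounts=SERVICE_ACCOUNTS) -> dict:
    """Count event 528 logons per (account, logon type) for a baseline, so an
    account that normally shows only Service logons stands out when it changes."""
    counts = {}
    for e in events:
        if e["event_id"] == 528 and e["user"] in service_accounts:
            key = (e["user"], _type_name(e["logon_type"]))
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EXPORT)
    for h in find_service_account_logons(evts):
        print(f"{h['user']} {h['logon_type_name']} logon on {h['computer']} "
              f"from {h['workstation']}")
    print(summarize_by_account(evts))
```

Event 540 (successful network logon) is deliberately left out of the hit list: a service account authenticating to a file share is normal, and including it would bury the two rows that matter. On the sample the flagged rows are svc_backup at a WS042 console and svc_sql over RDP from WS099.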






Re: [ActiveDir] Service Account Logging/Tracking

2006-04-22 Thread Matheesha Weerasinghe
My bad. Just saw the option to check saved logs too. Sorry

M@

On 4/22/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

eventcombmt is OK but logparser is better as it can parse saved logs. Eventcombmt is for active logs only.

M@

On 4/22/06, mike kline [EMAIL PROTECTED] wrote:

You have to turn on auditing in order to track logon events. Once you turn auditing on you can then search your security event logs for that logon event.


When you go to set auditingyou will see two settings. Audit account logon events and audit logon events. There is a good blog entry about the differences between the two settings and what they mean.
http://blogs.msdn.com/ericfitz/archive/2005/08/04/447934.aspx









[ActiveDir] stupid ldap queries

2006-04-18 Thread Matheesha Weerasinghe
All

Could someone please explain how Non-indexed queries (e.g.
objectClass=user) fall in this category? I saw this mentioned in
some slides by Gil and couldn't quite understand what he meant. Isn't
objectclass indexed as part of the partial attribute set?

Thanks

M@
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] stupid ldap queries

2006-04-18 Thread Matheesha Weerasinghe
Thanks for the reply. In that case why does

adfind -schema -f &(objectclass=attributeschema)(ismemberofpartialattributeset=T
RUE) ldapdisplayname -list

return objectclass amongst the others? Doesn't this mean objectclass is indexed? The reason I ask is because I wanted to make sure I didn't write stupid ldap queries that load up the server. I am still learning so please be patient with this n00b.

Thanks

M@

On 4/18/06, Brian Desmond [EMAIL PROTECTED] wrote:
> Not sure I understand the question fully, but, no objectClass is not indexed. objectCategory is. So if you want to get all users you do:
>
> (&(objectCategory=person)(objectClass=user))
>
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
>
> c - 312.731.3132


Re: [ActiveDir] stupid ldap queries

2006-04-18 Thread Matheesha Weerasinghe
sorry that was meant to be

adfind -schema -f &(objectclass=attributeschema)(ismemberofpartialattributeset=T
RUE) ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:




Re: [ActiveDir] stupid ldap queries

2006-04-18 Thread Matheesha Weerasinghe
bummer! I meant

adfind -schema -f &(objectclass=attributeschema)(ismemberofpartialattributeset=TRUE) ldapdisplayname -list

On 4/18/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:






Re: [ActiveDir] stupid ldap queries

2006-04-18 Thread Matheesha Weerasinghe
Thanks all for the clarification!

M@

On 4/18/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> I did the same after I saw some of the activedir folks post about doing it…
>
> :m:dsm:cci:mvp|
> marcusoh.blogspot.com
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lee, Wook
> Sent: Tuesday, April 18, 2006 4:47 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] stupid ldap queries
>
> I never understood why Microsoft chose not to index objectclass by default. I indexed it in our directory as soon as we got the go ahead from Microsoft that it was supported. That was years ago.
>
> Wook
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
> Sent: Tuesday, April 18, 2006 11:50 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] stupid ldap queries
>
> No. isMemberOfPartialAttributeSet just means that the attribute is replicated into the GC. Being in the GC does not imply that the attribute is indexed. There's an attribute (I think "isIndexed") which says the attribute should be indexed in the database.
>
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
>
> c - 312.731.3132

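The distinction Brian draws in this thread (an attribute can be in the partial attribute set and still have no index) and the filter he recommends, (&(objectCategory=person)(objectClass=user)), can both be checked mechanically before a query goes into a script. The added example below is not from the thread or from adfind; it decodes the searchFlags attribute of attributeSchema objects, where bit 0x1 is the "build an index" flag that Brian refers to as "isIndexed", and reports, for each attribute named in an LDAP filter, whether it is replicated to the GC and whether it is indexed. The schema excerpt is constructed (the searchFlags values are illustrative and not read from a real forest, and this excerpt shows objectClass without an index, as the thread describes for the default schema), so a reader would replace it with an adfind -schema dump of lDAPDisplayName, isMemberOfPartialAttributeSet and searchFlags.

```python
"""Tell 'replicated to the GC' apart from 'indexed' for the attributes in an LDAP filter.

Added example, not from the thread or from adfind. The SCHEMA excerpt is
constructed for illustration; the bit meanings are the documented ones for
the searchFlags attribute on attributeSchema objects.
"""

import re

# Documented searchFlags bits.
SEARCH_FLAGS = {
    0x001: "ATTINDEX",             # attribute is indexed
    0x002: "PDNTATTINDEX",         # indexed per container
    0x004: "ANR",                  # included in Ambiguous Name Resolution
    0x008: "PRESERVEONDELETE",     # kept on tombstones
    0x010: "COPY",                 # copied when a user object is duplicated
    0x020: "TUPLEINDEX",           # tuple (substring) index
    0x040: "SUBTREEATTINDEX",      # VLV/subtree index
    0x080: "CONFIDENTIAL",         # needs control access to read
    0x100: "NEVERVALUEAUDIT",      # value changes not audited
    0x200: "RODCFILTEREDATTRIBUTE",
}

# Constructed schema excerpt keyed by lower-cased lDAPDisplayName.
SCHEMA = {
    "objectclass": {"lDAPDisplayName": "objectClass", "isMemberOfPartialAttributeSet": True, "searchFlags": 0},
    "objectcategory": {"lDAPDisplayName": "objectCategory", "isMemberOfPartialAttributeSet": True, "searchFlags": 1},
    "samaccountname": {"lDAPDisplayName": "sAMAccountName", "isMemberOfPartialAttributeSet": True, "searchFlags": 1 | 4},
    "useraccountcontrol": {"lDAPDisplayName": "userAccountControl", "isMemberOfPartialAttributeSet": True, "searchFlags": 0},
    "description": {"lDAPDisplayName": "description", "isMemberOfPartialAttributeSet": False, "searchFlags": 0},
}

# Attribute name at the start of each filter item, allowing the
# "attr:rule:=value" extensible-match form used for bitwise matches.
_FILTER_ATTR = re.compile(r"\(([A-Za-z][\w\-]*)(?::[\w.]+)?(?:~=|>=|<=|:=|=)")


def decode_search_flags(value):
    """Names of the bits set in a searchFlags value, lowest bit first."""
    return [name for bit, name in sorted(SEARCH_FLAGS.items()) if value & bit]


def is_indexed(attr):
    """True when searchFlags has the ATTINDEX bit set."""
    return bool(attr["searchFlags"] & 0x1)


def in_partial_attribute_set(attr):
    """True when the attribute is replicated to global catalog servers."""
    return bool(attr["isMemberOfPartialAttributeSet"])


def filter_attribute_names(ldap_filter):
    """Attributes named in an RFC 4515 filter string, in order, without repeats."""
    names = []
    for name in _FILTER_ATTR.findall(ldap_filter):
        if name.lower() not in [n.lower() for n in names]:
            names.append(name)
    return names


def filter_index_report(ldap_filter, schema=SCHEMA):
    """Map each attribute in the filter to (in GC, indexed); unknown -> (False, False)."""
    report = {}
    for name in filter_attribute_names(ldap_filter):
        attr = schema.get(name.lower())
        if attr is None:
            report[name] = (False, False)
        else:
            report[name] = (in_partial_attribute_set(attr), is_indexed(attr))
    return report


def has_indexed_term(ldap_filter, schema=SCHEMA):
    """True if at least one attribute in the filter carries an index."""
    return any(indexed for _, indexed in filter_index_report(ldap_filter, schema).values())


if __name__ == "__main__":
    for f in ("(objectClass=user)", "(&(objectCategory=person)(objectClass=user))"):
        print(f, filter_index_report(f), "indexed term:", has_indexed_term(f))
```

Run against a real schema dump, the report shows why the question in this thread was reasonable: objectClass comes back from the partial-attribute-set query because it is in the GC, while its searchFlags value is what decides whether the DS can use an index for it. A filter whose attributes all report (True, False) is exactly the "stupid ldap query" to avoid on a busy DC, and adding the objectCategory term gives the server an indexed attribute to narrow on.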

 
























Re: [ActiveDir] how to report on scheduled jobs?

2006-04-17 Thread Matheesha Weerasinghe
http://www.microsoft.com/technet/scriptcenter/scripts/os/tasks/ostkvb04.mspx

On 4/17/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:
> Is there a script to output scheduled job information? Maybe something
> I could call in a for loop driven by a list of servers. Ideally, I
> would like to see the job and whose credentials it is running under,
> with maybe the schedule.
>
> Mike Thommes


Re: [ActiveDir] Changing a users password

2006-04-12 Thread Matheesha Weerasinghe
How about using lockoutstatus.exe? It's no script tool but is sure easy to use.

M@

