Re: [ActiveDir] remove orphan DC from the domain
"If the DC that died had FSMO roles, you need to seize them (check which DC had FSMO roles with -- NETDOM QUERY FSMO)"

This step is no longer necessary in k3 SP1. NTDSUTIL does it for you. If I remember correctly, it tries a XFER and then does a Seize (as that's the logic for the Seize anyway). I believe this was added in SP1.

--Paul

- Original Message -
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 7:05 AM
Subject: RE: [ActiveDir] remove orphan DC from the domain

I forgot to mention:
* If the DC that died had FSMO roles, you need to seize them (check which DC had FSMO roles with -- NETDOM QUERY FSMO)
* DNS records are NOT removed by the NTDSUTIL. This must be done manually, or wait if you have aging/scavenging enabled.

Also make sure the GC role and DNS roles are hosted by other computers (other DCs).

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 01:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain

Thanks for your logic. I hope that the remaining DCs will do it automatically.

Regards,
Senthil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, January 26, 2007 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain

The AD metadata cleanup is nothing more than removal/deletion of objects that belong to a DC that is not live anymore. Just like other object deletions (user, group, etc.), the deletions will replicate to other DCs (assuming replication is working fine) that host the same partitions from which the objects were removed. Because of that you only need to target ONE live DC in the same domain when using NTDSUTIL. Imagine a domain with 1000 DCs. It would be a PITA to clean up the AD metadata of one of the DCs on the other 999 DCs... ;-))

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto

From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 00:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain

Hi,
We already had 3 DCs in our network. Suddenly one DC went down permanently. It won't come back. Right now we want to remove that orphan DC completely. I have seen the Microsoft article:

1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
2. At the command prompt, type ntdsutil, and then press ENTER.
3. Type metadata cleanup, and then press ENTER. Based on the options given, the administrator can perform the removal, but additional configuration parameters must be specified before the removal can occur.
4. Type connections and press ENTER. This menu is used to connect to the specific server where the changes occur. If the currently logged on user does not have administrative permissions, different credentials can be supplied by specifying the credentials to use before making the connection. To do this, type set creds DomainName UserName Password, and then press ENTER. For a null password, type null for the password parameter.
5. Type connect to server servername, and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the connection is available and the credentials you supplied have administrative permissions on the server.
   Note: If you try to connect to the same server that you want to delete, when you try to delete the server that step 15 refers to, you may receive the following error message: Error 2094. The DSA Object cannot be deleted 0x2094
6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.
7. Type select operation target and press ENTER.
8. Type list domains and press ENTER. A list of domains in the forest is displayed, each with an associated number.
9. Type select domain number and press ENTER, where number is the number associated with the domain the server you are removing is a member of. The domain you select is used to determine whether the server being removed is the last domain controller of that domain.
10. Type list sites and press ENTER. A list of sites, each with an associated
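As an added example (not from this thread, nor from the Microsoft article quoted above), here is a PowerShell script that checks the two things the replies say NTDSUTIL's metadata cleanup does not take care of on its own: FSMO roles that still point at the dead DC, and DNS records (A, NS, SRV, CNAME) that still name it. It also confirms the server object and computer account are gone and that a GC is still available. It assumes the ActiveDirectory and DnsServer modules (Windows Server 2012 or later RSAT), a dead DC called DC3, a live DC called DC1 and the domain example.com; all of those are placeholders, and it reports only unless you pass -Fix.

```powershell
# Added example (not from the thread). Post-cleanup checks for a dead DC.
# Placeholders (assumptions): DC3 = the dead DC, DC1 = any ONE live DC in the
# same domain (deletions replicate to the rest), example.com = the domain.
# Requires the ActiveDirectory and DnsServer modules (Windows Server 2012+ RSAT).
param(
    [string]$DeadDc = 'DC3',
    [string]$LiveDc = 'DC1',
    [string]$Domain = 'example.com',
    [switch]$Fix            # without -Fix the script only reports
)
Import-Module ActiveDirectory, DnsServer

# The cleanup itself, for reference. Windows Server 2003 SP1 and later accept
# the whole command chain on one line (replace the DN with the dead DC's):
#   ntdsutil "metadata cleanup" "remove selected server CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com" quit quit

# 1. FSMO roles. A role still listed on the dead DC must be seized; -Force
#    seizes when the role cannot be transferred (the holder is dead).
$forest = Get-ADForest -Server $LiveDc
$domain = Get-ADDomain -Server $LiveDc
$roles  = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -eq $DeadDc -or $r.Value -like "$DeadDc.*") {
        Write-Warning "$($r.Key) is still held by $($r.Value)"
        if ($Fix) {
            Move-ADDirectoryServerOperationMasterRole -Identity $LiveDc `
                -OperationMasterRole $r.Key -Force -Confirm:$false
        }
    }
}

# 2. Directory objects that metadata cleanup should have removed: the server
#    object under CN=Sites (Configuration NC) and the DC computer account
#    (userAccountControl bit 8192 = SERVER_TRUST_ACCOUNT).
$rootDse  = Get-ADRootDSE -Server $LiveDc
$leftover = @(
    Get-ADObject -Server $LiveDc -SearchBase "CN=Sites,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(&(objectClass=server)(cn=$DeadDc))"
    Get-ADObject -Server $LiveDc -SearchBase $rootDse.defaultNamingContext `
        -LDAPFilter "(&(objectClass=computer)(cn=$DeadDc)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
)
foreach ($obj in $leftover) { Write-Warning "still present in AD: $($obj.DistinguishedName)" }

# 3. DNS. NTDSUTIL does NOT touch these. Look in the domain zone and in
#    _msdcs.<domain> (a separate zone in many forests) for records that still
#    name the dead DC. With aging/scavenging enabled they would age out eventually.
$dnsLeft = foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    $recs = Get-DnsServerResourceRecord -ComputerName $LiveDc -ZoneName $zone -ErrorAction SilentlyContinue
    foreach ($rec in $recs) {
        $target = switch ($rec.RecordType) {
            'A'     { $rec.HostName }
            'NS'    { $rec.RecordData.NameServer }
            'SRV'   { $rec.RecordData.DomainName }
            'CNAME' { $rec.RecordData.HostNameAlias }
            default { $null }
        }
        if ($target -and ($target -eq $DeadDc -or $target -like "$DeadDc.*")) {
            [pscustomobject]@{ Zone = $zone; Record = $rec }
        }
    }
}
foreach ($hit in $dnsLeft) {
    Write-Warning ('DNS {0}: {1} {2}' -f $hit.Zone, $hit.Record.RecordType, $hit.Record.HostName)
    if ($Fix) {
        Remove-DnsServerResourceRecord -ComputerName $LiveDc -ZoneName $hit.Zone `
            -InputObject $hit.Record -Force
    }
}

# 4. Make sure at least one remaining DC is a global catalog.
$gcs = Get-ADDomainController -Server $LiveDc -Filter * | Where-Object { $_.IsGlobalCatalog }
if (-not $gcs) { Write-Warning 'no global catalog left in this domain' }
else { Write-Host ('GCs: ' + (($gcs | ForEach-Object { $_.HostName }) -join ', ')) }
```

Run it once without -Fix against one live DC, read the warnings, and only then run it with -Fix; the DNS removals in particular are permanent and a wrong $DeadDc pattern (say, a name that is a prefix of another host's) would delete the wrong records.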
Re: RE : Re: [ActiveDir] remove orphan DC from the domain
SP level doesn't matter when performing a seizure using NTDSUTIL. I was referring to the fact that NTDSUTIL, as of k3 SP1, automatically tries to transfer and seize when you metadata cleanup.

--Paul

- Original Message -
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 9:05 AM
Subject: Re: RE : Re: [ActiveDir] remove orphan DC from the domain

Just what it says... it first attempts to transfer the FSMO roles from the one to the other... and if it can't find the proper DC... it merely seizes the roles. It tries to negotiate politely with the role holder... and if there is none for it to argue with it says fine... I'm taking the roles. I'm not sure SP1 matters, does it?

http://support.microsoft.com/kb/255504

Yann wrote:
Really? That is very interesting... Could you develop this statement please? What is a XFER? When you say it does a seize, does that mean it chooses a DC nearby and performs the seizure *automatically*?
Thanks,
Yann
Re: Re: [ActiveDir] remove orphan DC from the domain
XFER = short for transfer. Sorry, I abbreviate most things.

Basically, in k3 SP1, if you run the metadata cleanup command on a dead DC that holds FSMO roles, the process will seize the roles to another server. I'm not sure of the exact logic for the choice of server; IIRC it's something like local (site) and GC (unless it's the IM). Dmitri, Brett, Eric, Dean or Joe can clarify the logic. I would imagine it's using the same underlying code as the Seize option elsewhere within the tool, therefore it will try a TRANSFER first and only SEIZE if the transfer fails.

http://technet2.microsoft.com/WindowsServer/en/library/819bea8b-3889-4479-850f-1f031087693d1033.mspx?mfr=true

--Paul
Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone
You can register records like this by messing up a reverse lookup record addition using DNSCMD.

--Paul

- Original Message -
From: EIS Lists
To: ActiveDir@mail.activedir.org
Sent: Wednesday, January 24, 2007 9:28 PM
Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

Thanks, all. Ulf, your explanation was great! I am sure it was someone (probably me!) who just typed a .1 in some setting on the printer and allowed it to register in DNS. Many thanks.
-- nme
Noah Eiger

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Wednesday, January 24, 2007 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

Just 9:30 pm here, so not really late. Many are mixing up the zones with the DNS subdomains, or whatever they are actually called. But in this case he even had it right: he said that under the domain zone he has the _*-folders as well as a folder "1". I had to reread too ;-) How are things? See you in March?

Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 21:17
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

That's what I would expect. But since the original poster called it a zone I figured I'd ask. What are you doing up so late? :)

On 1/24/07, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:
No Zone - no properties ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, 24 January 2007 20:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

What are the properties of the "1" zone?

On 1/24/07, EIS Lists [EMAIL PROTECTED] wrote:
Hi - Under one of our forward lookup zones (AD-integrated), we have the usual folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well as a single folder just named: "1" (without the quotes). There is a single A-record under it for one of our printers. Any idea what this folder is? Thanks.
-- nme
Re: [ActiveDir] Upgrading W2K3 standard to enterprise edition
Yeah, you can upgrade Std. to Ent. One of my implementation guys accidentally built a load of boxes for me as Std., so I got him to upgrade them to Ent. Worked fine. He did have issues doing this on a different project where there was a stupidly small C partition though (4GB I think). I think Ent. needs more room, or at least it does if you're using HP's server installation CD-ROM...

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 18, 2007 11:38 AM
Subject: [ActiveDir] Upgrading W2K3 standard to enterprise edition

I remember there being a simple upgrade from NT4 standard to NT4 enterprise but don't remember reading of any similar upgrade path for W2K. Apparently such an upgrade path *does* now exist once again, for W2K3 (including the R2 edition). Can anyone confirm or deny that such an upgrade is possible?

Thanks,
neil

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
Re: [ActiveDir] Upgrading W2K3 standard to enterprise edition
Well, the length of time depends on the type of build used, and the components installed. As an example, on the last project I worked on we used OpsWare to deploy standard servers based on a number of templates. A Windows server that matched our default build took closer to two hours, due to the number of post-installation scripts and customisations. We use HP Radia now, and again, with a relatively standard build table this is usually closer to two hours than one.

In any environment where allowed, scripted builds should always be favoured over manual. The percentage of 100% successfully completed manual builds, when there's a large number of instructions, is very, very small indeed.

Also, if we're talking a branch office site, it's probably much easier to upgrade out there (and maintain applications and settings) than bring it back to the data centre, rebuild, and then take it back out to the branch. Although many enterprises have the facilities to perform bare metal builds at the branch, there are always smaller sites where there's a factor to stop this, which ultimately results in the server needing to be returned to one of the staging areas.

--Paul

- Original Message -
From: Ziots, Edward
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 18, 2007 2:22 PM
Subject: RE: [ActiveDir] Upgrading W2K3 standard to enterprise edition

Yes, it does work. I have done a few on HP/Compaq here, as a test, but it's not a standard practice: if it's built wrong, just wipe it and rebuild, which only takes an hour max.

Z
Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, M.E, CCA, Network+, Security+
email: [EMAIL PROTECTED]
cell: 401-639-3505
Re: [ActiveDir] Upgrading W2K3 standard to enterprise edition
HP OpenView Radia is HP's enterprise systems management product. It's like OpsWare. It's not a replacement for SmartStart. I've had a quick look on HP's site for you, but can't find it, which suggests the name's changed again... :P

--Paul

- Original Message -
From: Ziots, Edward
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 18, 2007 3:34 PM
Subject: RE: [ActiveDir] Upgrading W2K3 standard to enterprise edition

Hmm, Radia. Have you got the info on that? Is that the next version of their SmartStart Scripting Toolkit? I've heard of OpsWare but never used it. I do the server builds and it usually only takes about 1-2 hrs for a bare-metal build and the needed customizations (patches, AV, registry updates, and security templates).

Z
Edward E. Ziots
Re: RE: [ActiveDir] SID Deleted users remains in NTS permission.
The ACEs in the ACL on the file server are maintained by the LSA on that server. ACLs on member servers are nothing to do with AD, really. AD is used to verify the SIDs in the ACLs when necessary, but it's the local LSA that's doing the authorisation (based on the information in one's security token, which AD participates in generating). Managing the ACLs is the client's job, not the DC's job. I don't see this changing in the future. It would be far too complex and expensive to have the DCs manage this kind of stuff. The whole MSFT client-server design is based on the client systems doing most of the leg work. Clients always use servers. Servers don't use clients.

--Paul

- Original Message -
From: Yann
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 04, 2007 10:35 AM
Subject: RE : RE: [ActiveDir] SID Deleted users remains in NTS permission.

Thanks for replying. You say that it is normal that the SID still remains in file directory ACLs after the deletion of the corresponding group?? I always thought that SIDs *HAVE TO* disappear dynamically from all existing ACLs set on file servers. I'm a bit surprised that the system (AD + file server) leaves this dirty SID and that there is no synchronisation that updates the link between the AD object and the ACE. What is the reason? Could this behaviour be altered? I'd like the SID to disappear after deletion of the corresponding group in AD, in order not to have these dirty SIDs...
Thanks.
Yann

Akomolafe, Deji [EMAIL PROTECTED] wrote:
It's normal. You should be permissioning your resources with groups instead of directly with user accounts. Groups tend to last longer, so you don't have to deal with the horrible SIDs.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Yann
Sent: Thu 1/4/2007 1:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID Deleted users remains in NTS permission.

Hello all,
Happy new year! :)
AD 2k3 SP1 in FFL mode. When I delete a user or group from AD, and these objects have NTFS permissions, I usually see their SIDs remaining in those file directory ACLs. Is this normal? If not, what could be the reason(s) and how do I investigate this issue?
Thanks,
Yann

__
Do You Yahoo!? Want to put an end to spam? Yahoo! Mail offers you the best possible protection against unsolicited messages http://mail.yahoo.fr Yahoo! Mail
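Since, as the reply above explains, nothing on the DC side will ever clean those ACEs up, the practical answer is to find them on the file server itself. The following PowerShell script is an added example (not from the thread and not a Microsoft tool): it walks a directory tree, reads each DACL with SIDs rather than names, flags every explicit ACE whose SID no longer translates to an account, and with -Fix removes them. The path D:\Shares is a placeholder. It needs no AD cmdlets because the ACL lives on the file server; it does need a token with read (and, for -Fix, WRITE_DAC) rights on the tree.

```powershell
# Added example (not from the thread): report and optionally strip ACEs whose
# SID no longer resolves (deleted user or group) from an NTFS tree.
# Placeholder path: D:\Shares. Reports only unless -Fix is given.
param(
    [string]$Path = 'D:\Shares',
    [switch]$Recurse,
    [switch]$Fix
)

function Test-SidResolves {
    # Returns $true if the SID maps to an account. Caveats a practitioner
    # must keep in mind before trusting a "false":
    #  - a SID from a trusted domain that is unreachable right now also fails
    #    to translate, so review the report before running with -Fix;
    #  - logon-session SIDs (S-1-5-5-...) and app container / capability
    #    SIDs (S-1-15-...) never translate by design, so they are skipped.
    param([string]$SidString)
    if ($SidString -like 'S-1-5-5-*' -or $SidString -like 'S-1-15-*') { return $true }
    $sid = [System.Security.Principal.SecurityIdentifier]$SidString
    try {
        [void]$sid.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false
    }
}

function Find-OrphanAce {
    # Yields one object per explicit ACE with an unresolvable SID. Inherited
    # ACEs are skipped on purpose: they must be fixed at the parent that
    # defines them, not on every child that inherits them.
    param([string]$Root, [bool]$Deep, [bool]$Remove)
    $items = @(Get-Item -LiteralPath $Root)
    if ($Deep) { $items += Get-ChildItem -LiteralPath $Root -Recurse -Force }

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # includeExplicit=$true, includeInherited=$false, identities as SIDs
        $explicit = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        $orphans  = @($explicit | Where-Object { -not (Test-SidResolves $_.IdentityReference.Value) })
        if (-not $orphans) { continue }

        foreach ($rule in $orphans) {
            [pscustomobject]@{
                Path   = $item.FullName
                Sid    = $rule.IdentityReference.Value
                Type   = $rule.AccessControlType
                Rights = $rule.FileSystemRights
            }
            if ($Remove) { [void]$acl.RemoveAccessRule($rule) }
        }
        # Only the DACL section was modified, so Set-Acl writes only the DACL.
        if ($Remove) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
    }
}

Find-OrphanAce -Root $Path -Deep $Recurse.IsPresent -Remove $Fix.IsPresent | Format-Table -AutoSize
```

The report is the interesting part for an incident responder as well as for an administrator: an unresolvable SID on a share is either a deleted principal (harmless but noisy, exactly the case in this thread) or a SID from a domain this server can no longer reach, which is worth understanding before you delete anything. The script is deliberately blind to Deny ACEs versus Allow ACEs when removing; if a Deny ACE for a deleted group was doing real work, re-create it for a live group first.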
Re: [ActiveDir] do I have to choose between intra-site replication speeds or dc based on site?
Yes. Enabling inter-site change notifications essentially means that you have intra-site replication occurring over a site link. The only real difference is that bridgeheads are still used.

Basically, when a DC receives a change, a notification is generated and sent to its downstream partners. By default, notifications are only sent to adjacent DCs within the same site. When you enable change notifications on a site link, notifications are forwarded over the site link by the local bridgeheads. This means that any change will have replicated from the local bridgehead to the remote bridgehead within ~30 seconds. So, a change should have propagated across the site in question in under a minute.

Obviously, this puts a little extra load on the BHs, and more frequent amounts of traffic on the cross-site links. If the links are more than 2Mbps and the BHs aren't dying under the load, it will be OK to enable this, but you should monitor the usual CPU and disk queues to be sure. If the BHs are really old, or you have slow lines, then you might want to do additional testing and/or reconsider.

--Paul

- Original Message -
From: Anders Blomgren
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 04, 2007 1:11 AM
Subject: Re: [ActiveDir] do I have to choose between intra-site replication speeds or dc based on site?

Does change notification add anything else than account lockouts to the table? I was hoping for some way to add the whole shebang or at least something that encompasses most daily administrative tasks.

Regards,
Anders

On 1/4/07, Roger Longden [EMAIL PROTECTED] wrote:

You can enable change notification on the site links between the sites in question to allow them to replicate as if they are in the same site. This has the nice benefit in that you can have separate sites for authentication, SMS, Exchange etc. purposes while allowing the DCs to replicate (AD replication only; FRS replication is not impacted) in a more timely manner.

The link below contains some instructions on enabling the option. Briefly, you modify the options attribute on the site link. Specifically for change notification it's as simple as adding 1 to whatever the current value is. It's not set by default. The change is dynamic; just wait for replication of the change and the KCC to run on both ends. Especially for environments like what you seem to be describing, change notification between sites is a common configuration.

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part2/adogdapb.mspx#EY6AI

- Roger

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anders Blomgren
Sent: Wednesday, January 03, 2007 6:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] do I have to choose between intra-site replication speeds or dc based on site?

Hi,

We have several different locations, all very well connected (min 100Mbit). Each location has a dc. Right now, each location is its own site so that the users connect to their local dc. This has the (in my case) disadvantage of limiting the replication schedule to a minimum of 15 minutes. Our network would have no difficulty handling intra-site replication, but is there a way to make sure users connect to their geographically closest dc, including dfs? Yes, I want to have my cake and eat it. But can it be done?

Regards,
Anders
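Roger's "add 1 to the options attribute" step, as an added PowerShell example that is not part of the thread: it reads the site link's options value, reports whether the notification bit is already set, and only then sets it. It assumes the RSAT ActiveDirectory module and uses a placeholder site link name.

```powershell
# Added example, not from the thread: check and enable inter-site change notification
# on a site link by setting bit 1 of its "options" attribute.
# Assumptions: RSAT ActiveDirectory module is installed; the site link name is a placeholder.
Import-Module ActiveDirectory

$NotifyBit = 1   # the "add 1" from Roger's post: inter-site change notification

function Get-SiteLinkNotifyState {
    param([Parameter(Mandatory)][string]$SiteLinkName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    # siteLink objects live under CN=Inter-Site Transports,CN=Sites,<config NC>; subtree search finds them.
    $link = Get-ADObject -LDAPFilter "(&(objectClass=siteLink)(cn=$SiteLinkName))" `
                -SearchBase "CN=Sites,$configNC" -Properties options
    if (-not $link) { throw "Site link '$SiteLinkName' not found" }
    # "It's not set by default": an absent attribute reads as 0.
    $options = if ($null -eq $link.options) { 0 } else { [int]$link.options }
    [pscustomobject]@{
        SiteLink      = $link.Name
        Options       = $options
        NotifyEnabled = (($options -band $NotifyBit) -ne 0)
        DN            = $link.DistinguishedName
    }
}

function Enable-SiteLinkNotify {
    param([Parameter(Mandatory)][string]$SiteLinkName)
    $state = Get-SiteLinkNotifyState -SiteLinkName $SiteLinkName
    if ($state.NotifyEnabled) {
        Write-Host "$($state.SiteLink): notification already enabled (options=$($state.Options))"
        return $state
    }
    # Bitwise OR instead of a literal +1, so a second run can never flip the bit back off
    # or disturb the other option bits already present on the link.
    $new = $state.Options -bor $NotifyBit
    Set-ADObject -Identity $state.DN -Replace @{ options = $new }
    Get-SiteLinkNotifyState -SiteLinkName $SiteLinkName
}

# Report-only by default; uncomment the second line to make the change.
Get-SiteLinkNotifyState -SiteLinkName 'SITELINK-NAME-PLACEHOLDER' | Format-List
# Enable-SiteLinkNotify -SiteLinkName 'SITELINK-NAME-PLACEHOLDER'
```

As Roger notes, the change takes effect only after the options value has replicated and the KCC has run on both ends, so re-run the report on a DC in each site rather than expecting an immediate effect.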
Re: RE: [ActiveDir] finding users that password never expire.
The equals operator is looking for an exact match. As userAccountControl is a bitwise attribute (each bit represents an option), in many cases it won't be 65536. Using the logical AND matching rule (1.2.840.113556.1.4.803) means that it checks the bit in question, regardless of what other bits are set.

As for how you use the AND matching rule, you actually write it as identifier:matching rule:=value, e.g.

(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))

More info here:
-- http://msdn2.microsoft.com/en-us/library/aa746475.aspx

--Paul

- Original Message -
From: Yann
To: ActiveDir@mail.activedir.org
Sent: Monday, October 09, 2006 6:24 PM
Subject: RE : RE: [ActiveDir] finding users that password never expire.

Yes! Thanks, that works so well!! :o)

But many questions I have.. What is the difference between the query userAccountControl=65536 and (userAccountControl:1.2.840.113556.1.4.803:=65536)? Why couldn't I find any results with my first query? And how do you construct the :1.2.840.113556.1.4.803: part of the ldap query??

Thanks for your answer :)
Yann

Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

to search for accounts that HAVE the option DONT_EXPIRE_PASSWORD enabled:

ADFIND -bit -default -f (&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=65536))

and to use it with a saved query use as the LDAP filter:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

with joe's ADFIND you can just specify AND or OR without the need to know the OID. OR is by the way: 1.2.840.113556.1.4.804

for the other values see: MS-KBQ305144 How to Use the UserAccountControl Flags to Manipulate User Account Properties

jorge

--
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Monday, October 09, 2006 17:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding users that password never expire.

Hello all,

I had to dump in AD all users whose password never expires. I used the saved queries with this custom ldap query: useraccountcontrol=66048 which corresponds to the NORMAL_ACCOUNT DONT_EXPIRE_PASSWORD properties flag.

BUT I found that this search was not complete, because some users have other properties flags such as UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED ... :(

So the question is: how to search for user accounts that have at least the DONT_EXPIRE_PASSWORD property flag set in their useraccountcontrol? Is there a way to do it with a custom ldap query?

Thanks,
Yann

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
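Paul's point about the equality operator versus the bitwise AND matching rule, as an added PowerShell example that is not part of the thread: it applies both tests to constructed userAccountControl values that mirror Yann's cases, then builds the same filter for a live Get-ADUser query. The sample accounts are made up; the live part assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not from the thread: why "userAccountControl=66048" misses accounts that
# "userAccountControl:1.2.840.113556.1.4.803:=65536" finds.
# The account objects below are constructed for illustration; the live query assumes RSAT.
$UF_ACCOUNTDISABLE     = 0x0002
$UF_NORMAL_ACCOUNT     = 0x0200
$UF_DONT_EXPIRE_PASSWD = 0x10000    # 65536
$UF_NOT_DELEGATED      = 0x100000
$BitAndOid             = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND

# Constructed accounts: only the first is exactly 66048 (NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD).
$sample = @(
    [pscustomobject]@{ Name = 'alice'; userAccountControl = $UF_NORMAL_ACCOUNT -bor $UF_DONT_EXPIRE_PASSWD }                          # 66048
    [pscustomobject]@{ Name = 'bob';   userAccountControl = $UF_ACCOUNTDISABLE -bor $UF_NORMAL_ACCOUNT -bor $UF_DONT_EXPIRE_PASSWD }  # 66050
    [pscustomobject]@{ Name = 'carol'; userAccountControl = $UF_ACCOUNTDISABLE -bor $UF_NORMAL_ACCOUNT -bor $UF_DONT_EXPIRE_PASSWD -bor $UF_NOT_DELEGATED }
    [pscustomobject]@{ Name = 'dave';  userAccountControl = $UF_NORMAL_ACCOUNT }                                                      # 512
)

function Test-UacFlag {
    # What the :1.2.840.113556.1.4.803:= rule does: keep an entry when every bit in $Flag is set,
    # ignoring whatever other bits are also set.
    param([int]$Value, [int]$Flag)
    ($Value -band $Flag) -eq $Flag
}

# What "userAccountControl=66048" does: an exact match on the whole integer.
$exact  = $sample | Where-Object { $_.userAccountControl -eq 66048 }
# What the bitwise rule does: test just the DONT_EXPIRE_PASSWD bit.
$bitAnd = $sample | Where-Object { Test-UacFlag -Value $_.userAccountControl -Flag $UF_DONT_EXPIRE_PASSWD }

"Exact match (=66048): $($exact.Name -join ', ')"        # alice
"Bitwise AND (65536):  $($bitAnd.Name -join ', ')"       # alice, bob, carol

# The same test as a live LDAP filter; this is the string that goes into a saved query as well.
$filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:${BitAndOid}:=$UF_DONT_EXPIRE_PASSWD))"
$filter
# Get-ADUser -LDAPFilter $filter -Properties userAccountControl |
#     Select-Object SamAccountName, userAccountControl
```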
Re: [ActiveDir] Windows 2000 domain
If you're talking about group nesting, the mode of the domain limits some of the potential configurations. Check to see whether or not you're in mixed mode. If you are, nesting is limited and you can't have universal groups. If you're in native, what group can't you place into what group? Please define the scope of each group, e.g. domain local or global or universal.

--Paul

- Original Message -
From: Karsten Aarhus [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 04, 2007 1:58 PM
Subject: [ActiveDir] Windows 2000 domain

Dear all,

I have a problem I never faced before. In my Windows 2000 domain I would like to join a security group to a group but the system will not let me. I can see if I choose to join a distribution group instead there is no problem at all? The system is a Small Business 2000 server. What can be the problem and how do I solve this so I can join the security group instead?

Regards
Karsten Aarhus

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
Re: RE: [ActiveDir] SID Deleted users remains in NTS permission.
Because it's not managed by the DS. The SID as you refer to it is actually an ACE. The ACE is an item that makes up the DACL, which makes up the ACL. This is managed locally by the member server. Windows itself. The LSA. It's far too expensive and problematic with the current design for this to auto-manage itself.

Re-read Joe's post. The DS doesn't know or care where a security principal is referenced as an ACE in an ACL. And the computer in question shouldn't really auto-prune the ACEs based on a rule or two...

--Paul

- Original Message -
From: Haritwal, Dhiraj
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 04, 2007 3:18 PM
Subject: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.

But still the actual discussion is pending. If someone is having a single folder which is mapped to a single user, so in that case how can we use groups? Suppose tomorrow this user left the organization and his account got deleted; the SID will come on to the permission of that folder. If I am not wrong the actual discussion was why the SID is coming after deleting an account. Why is it not getting deleted automatically?

Dhiraj Haritwal

--
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 04, 2007 7:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.

Not sure why this surprises you. The ACLs are not maintained by AD nor the SAM where the user accounts exist, which means you either get to poll or put some form of notification system in process. Consider also the case of trusted security principals; systems don't get a notification when a trusted system deletes a security principal.

Here are just a couple of the bad things that could happen if the machines were responsible for cleaning up those SIDs

1. Overhead. Do you know the sheer number of Security Descriptors that are on any given system? You are just thinking of file Security Descriptors but there are Security Descriptors on many many different securable objects. I have published the list of items I at least know about to this list on a couple of occasions and the different types of objects alone is double digits, let alone the actual instances of those objects. Consider a file system with hundreds of thousands or millions of Security Descriptors with really long ACL chains. You could have a scavenger thread running 24x7 in idle mode (you wouldn't want it higher as it would eat up CPU and that would be a different complaint) just constantly walking the ACLs and verifying them.

2. Mistakes. Since we don't have a change notification capability for deleted security principals, and quite honestly you wouldn't (could you imagine 300,000 machines registering with every domain in your forest for change notifications of security principal changes), that leaves polling, and let's say you have a temporary network glitch that makes a SID unresolvable to a friendly name... Do you then just start stripping the SIDs from the ACLs because a name can't be resolved once, twice, three times? What about when an account gets undeleted or restored because it was accidentally deleted for an hour?

I can think of even more bad things but don't have the time to write about them. If you want to, think through how you would build an application to do what you are suggesting. It is always a good thought exercise before being surprised at what MSFT has done. Keep in mind they are a collection of really bright programmers that often have to work in committee; they aren't necessarily miracle workers.

Could this be done? Maybe. I think I could visualize mechanisms to possibly help here but would really have to think it through even more than I have, and I have thought a lot about things like this... But it would take serious rework with how security is implemented on Windows and I would be quite fearful of the scaling capabilities. The Windows security system is difficult to work with and can be quite a pain but it is extremely flexible and powerful at the same time. I have started and stopped several times to write all-inclusive security tracking tools; it is a big big deal and if done wrong will really make someone have a bad day.

As someone else mentioned, use groups. Don't use users. When you go to delete a group, make it a point to clean up where that group has been used. If you don't know where it has been used, that is a process issue and one of the reasons why I am not a fan of universal and global groups, because the scope of use is huge. Alternately write your own tools to scan all of the various ACLs looking for unresolvable SIDs and clean them up, but I would be shy on how aggressive you are with the cleanup. You can easily screw yourself
Re: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.
No. Not quite. No cleanup happens whatsoever. Even when the ACEs are in the AD they aren't cleaned up. The LSA was mentioned to try and highlight the expense and difficulty of such a cleanup operation. The fact of the matter is that regardless of the securable object, its ACE is managed locally and no cross-checking is done against a DC, and a DC certainly doesn't look for stale ACEs when an object is deleted.

Hope this clarifies the point.

--Paul

- Original Message -
From: Yann
To: ActiveDir@mail.activedir.org
Sent: Thursday, January 04, 2007 3:54 PM
Subject: RE : RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.

Hi,

After rereading posts, it now makes sense to me that the ACEs are managed by the local LSA, and not by AD LSA. So now if I consider that a group or user is deleted from AD and that object is set on an AD object's ACLs (not share or ntfs permission), that object will definitively disappear with no sid remaining in the ACLs, because the update is done by the local LSA (DC) where the deletion occurs, that is to say AD itself...

Yann

joe [EMAIL PROTECTED] wrote:

Not sure why this surprises you. The ACLs are not maintained by AD nor the SAM where the user accounts exist, which means you either get to poll or put some form of notification system in process. Consider also the case of trusted security principals; systems don't get a notification when a trusted system deletes a security principal.

Here are just a couple of the bad things that could happen if the machines were responsible for cleaning up those SIDs

1. Overhead. Do you know the sheer number of Security Descriptors that are on any given system? You are just thinking of file Security Descriptors but there are Security Descriptors on many many different securable objects. I have published the list of items I at least know about to this list on a couple of occasions and the different types of objects alone is double digits, let alone the actual instances of those objects. Consider a file system with hundreds of thousands or millions of Security Descriptors with really long ACL chains. You could have a scavenger thread running 24x7 in idle mode (you wouldn't want it higher as it would eat up CPU and that would be a different complaint) just constantly walking the ACLs and verifying them.

2. Mistakes. Since we don't have a change notification capability for deleted security principals, and quite honestly you wouldn't (could you imagine 300,000 machines registering with every domain in your forest for change notifications of security principal changes), that leaves polling, and let's say you have a temporary network glitch that makes a SID unresolvable to a friendly name... Do you then just start stripping the SIDs from the ACLs because a name can't be resolved once, twice, three times? What about when an account gets undeleted or restored because it was accidentally deleted for an hour?

I can think of even more bad things but don't have the time to write about them. If you want to, think through how you would build an application to do what you are suggesting. It is always a good thought exercise before being surprised at what MSFT has done. Keep in mind they are a collection of really bright programmers that often have to work in committee; they aren't necessarily miracle workers.

Could this be done? Maybe. I think I could visualize mechanisms to possibly help here but would really have to think it through even more than I have, and I have thought a lot about things like this... But it would take serious rework with how security is implemented on Windows and I would be quite fearful of the scaling capabilities. The Windows security system is difficult to work with and can be quite a pain but it is extremely flexible and powerful at the same time. I have started and stopped several times to write all-inclusive security tracking tools; it is a big big deal and if done wrong will really make someone have a bad day.

As someone else mentioned, use groups. Don't use users. When you go to delete a group, make it a point to clean up where that group has been used. If you don't know where it has been used, that is a process issue and one of the reasons why I am not a fan of universal and global groups, because the scope of use is huge. Alternately write your own tools to scan all of the various ACLs looking for unresolvable SIDs and clean them up, but I would be shy on how aggressive you are with the cleanup. You can easily screw yourself up.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Thursday, January 04, 2007 5:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE : RE:
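Joe's suggestion (in both copies of his message above) of writing your own tool to scan ACLs for unresolvable SIDs, as an added PowerShell example that is not part of the thread: a report-only scan of an NTFS tree that retries resolution before flagging an entry and never modifies anything, in line with his warning about transient glitches and restored accounts. It assumes it runs on the server holding the folders and uses a placeholder root path.

```powershell
# Added example, not from the thread: report-only scan for NTFS ACEs whose SID no longer
# resolves to an account (the "write your own tools to scan all of the various ACLs" idea).
# Assumptions: run on the server that holds the folders; $Root is a placeholder path.
# Nothing is removed: a SID that fails to resolve during a network glitch, or for an account
# that is about to be restored, looks exactly like a real orphan, hence the retry and the CSV.
function Find-UnresolvedSidAce {
    param(
        [Parameter(Mandatory)][string]$Root,
        [int]$RetryCount = 2      # re-check before reporting, to weed out transient failures
    )
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName } catch { continue }
        foreach ($ace in $acl.Access) {
            # Get-Acl already tried to translate the identity; unresolved ones come back as raw S-1-... strings.
            $sid = $ace.IdentityReference.Value
            if ($sid -notmatch '^S-1-\d+(-\d+)+$') { continue }
            $resolved = $false
            for ($try = 0; $try -le $RetryCount -and -not $resolved; $try++) {
                try {
                    $null = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                                [System.Security.Principal.NTAccount])
                    $resolved = $true
                } catch {
                    Start-Sleep -Milliseconds 200   # brief pause before the next attempt
                }
            }
            if (-not $resolved) {
                [pscustomobject]@{
                    Path        = $item.FullName
                    Sid         = $sid
                    Rights      = $ace.FileSystemRights
                    Type        = $ace.AccessControlType
                    IsInherited = $ace.IsInherited   # inherited entries are cleaned up at the parent, not here
                }
            }
        }
    }
}

# Review the CSV (and check the deleted-account history) before touching any ACL.
Find-UnresolvedSidAce -Root 'D:\Shares\PLACEHOLDER' |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'unresolved-sid-aces.csv')
```

Run it more than once, days apart, and only act on SIDs that appear in every run; entries with IsInherited set are fixed by editing the parent object they came from.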
Re: [ActiveDir] AdminSDHolder orphans
The SDPROP thread, technically, doesn't do anything with inheritance. That is a trait of the security descriptor, which SDPROP sets. So, realistically, SDPROP overwrites the nTSecurityDescriptor attribute and increments adminCount to 1. The step of setting inheritance to off is unnecessary in the bulleted list (sorry, I know that's pedantic).

Should this be reversed? Good question. There could be a cleanup task, but in my mind it shouldn't be part of SDPROP. SDPROP spikes the PDCe enough as it is. Perhaps it should be a different process, possibly running less frequently, e.g. once every 24 hours.

As it is, this needs to be process driven. For example, on the current design I'm working on, if an administrator in the English sense of the word (as opposed to the techie definition) requires additional administrative access for a particular change they are elevated via a semi-automated workflow process. This process is done via Active Roles. We're currently working on the technical side of how to undo the effects of SDPROP when such an action occurs, e.g. elevated to schema admins.

In the past I've occasionally brute forced this and queried for anyone with an adminCount of 1, set that back to 0 and enabled inheritance and then retriggered SDPROP. We've discussed scheduling this periodically but I don't like it. For one, there might be additional ACEs that are not needed. Cleaning those up is more tricky - you need to strip the ACE, inherit and set any default ACEs, as well as any non-inherited bespoke ACEs back.

It's an interesting question. One no doubt the DS guys have pondered. The mechanics of a rollback seem more tricky, as do some of the security implications I'm sure.

On another note, adminCount is also a quick and dirty way of proving to someone just how many users they have that have more rights than they need. Especially when they're spewing a load of BS re. how they delegate most functions and only have a select few admins.

Just some semi-cohesive thoughts from me for y'all anyway.

--Paul

- Original Message -
From: Brian Desmond [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, December 19, 2006 2:38 AM
Subject: RE: [ActiveDir] AdminSDHolder orphans

Yeah this caused me issues when I was at a large client which had this propensity to put everyone and their brother into a group that triggered this behavior. What I would do is dump everyone with admincount>0, then set admincount=0 on all of them, wait a bit, and see who was back to >0 and then fix the deltas.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, December 18, 2006 8:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AdminSDHolder orphans

Just wanted to get your opinion on something.

When an object becomes a member of one of the groups protected by the AdminSDHolder, the next run of the SDProp thread will:

* Replace the object's security descriptor with that of the AdminSDHolder;
* Disable permissions inheritance on the object;
* Set a new adminCount attribute with a value >0 on the object.

If the object is then removed from the protected group(s), the changes made by the AdminSDHolder are not reversed. In other words, the adminCount value remains the same, as does the security descriptor.

Is it just me or does anyone think this behaviour a little strange? What I am finding in many environments is a large number of these AdminSDHolder orphans. These can arise quite easily, e.g. an account is made a temporary member of a privileged group to perform a specific task or someone changes role within the organisation. Of course I realise that in a perfect world these scenarios would be minimised by the use of dual accounts for splitting standard vs. admin functions, but the reality is that it is all too common.

The AdminSDHolder orphans can cause problems when troubleshooting delegation issues. For example, I came across this issue recently when setting up permissions for GAL Sync using IIFP. I had to tidy up before the sync would complete without errors.

Does anyone run a regular cleanup using the script provided in this article (or similar)? http://support.microsoft.com/kb/817433

Do you think the AdminSDHolder behaviour should be changed to clean-up after itself?

Tony

Sent via the WebMail system at mail.activedir.org

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
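Tony's "AdminSDHolder orphans" and Paul's brute-force query for adminCount=1, as an added PowerShell example that is not part of the thread: it lists user accounts still stamped with adminCount=1 that are no longer members, directly or through nesting, of a protected group. It assumes the RSAT ActiveDirectory module, and the protected-group list is the default set as assumed here, to be checked against the forest.

```powershell
# Added example, not from the thread: report "AdminSDHolder orphans", i.e. user accounts that
# still carry adminCount=1 but are no longer members (directly or nested) of a protected group.
# Assumptions: RSAT ActiveDirectory module; the protected-group list is the default set as
# assumed here, so verify it against the forest. Report only: as Paul notes above, resetting
# adminCount alone does not restore the ACL, inheritance has to be re-enabled as well.
Import-Module ActiveDirectory

$ProtectedGroups = @(
    'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Replicator', 'Domain Admins', 'Domain Controllers',
    'Enterprise Admins', 'Schema Admins', 'Read-only Domain Controllers'
)

function Get-AdminSDHolderOrphan {
    # Every user SDProp has stamped.
    $flagged = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount

    # SIDs that are legitimately protected right now, via recursive group membership.
    $protectedSids = @{}
    foreach ($name in $ProtectedGroups) {
        $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $grp) { continue }   # Enterprise/Schema Admins exist only in the forest root domain
        Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $protectedSids[$_.SID.Value] = $true }
    }

    foreach ($u in $flagged) {
        if ($u.SamAccountName -eq 'krbtgt') { continue }   # protected as a user, not via a group
        if (-not $protectedSids.ContainsKey($u.SID.Value)) {
            [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                Enabled           = $u.Enabled
                DistinguishedName = $u.DistinguishedName
            }
        }
    }
}

# Orphans are the candidates for Brian's "set admincount=0, wait, and see who comes back" approach.
Get-AdminSDHolderOrphan | Format-Table -AutoSize
```

An account that shows up here but should keep its rights is a sign the group list is incomplete for this forest, which is exactly the check to make before any cleanup run.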
Re: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC
MONAD for Exchange is supposed to fix that but I am expecting tremendous scaling issues in the environments I play in with it and quite frankly have even admitted that I would rather see WMI as it doesn't saturate the network lines passing data that isn't being requested.

I agree with you here. I've started playing with PowerShell, and was trying to prove that you could use the WinNT provider to someone. It took me ~5 minutes to get as far as C* when outputting all user objects in my domain. And we're only talking ~40,000 in this particular instance.

--Paul

- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sunday, December 03, 2006 5:01 PM
Subject: RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

Oh I see that. On the flip side, companies that produce professional products like x, y, and z[1] etc. should have the skill sets to produce more efficient and directed applications that don't have a reliance on those abstraction layers and use the more efficient APIs in ways that are directly relevant to the goals of the applications and that they have a greater understanding of. Obviously someone may not have a super strong understanding of the core APIs, but at least there is only a single level where problems can be introduced, versus the multiple levels where they can be introduced in the abstractions, such that you have to try and figure out at what level the issue is. Possibly if the abstraction layers had amazing logging that could be enabled to track issues and explain what they are translating the requests to at the lower levels, it might be easier for someone to identify where the issue cropped up.

One issue I see is someone who can write a basic vbscript based on these frameworks thinks they are a programmer and starts producing tools that they sell. They have no understanding of the underpinnings of the overall system and quite frankly, to scale things up, they really ought to; the abstractions are not great in that arena and, to be fair, I don't believe they really were designed to be. It was more to get the masses so they could do basic things.

Another issue I see is when someone only publishes, say, a WMI interface into something. I have that issue with Exchange 2000/2003 as they really did a poor job with a lot of that, from being poor performers to not performing correctly at all. I took this up with the Exchange PSS Support folks and finally got the great answer of "WMI isn't designed to be used for monitoring"... How do you argue that point? Unfortunately the only other recourse is to try and work through completely undocumented MAPI stuff, and MAPI is already painful and sucky at best though it was designed to be a nice abstraction layer to make lives easier. MONAD for Exchange is supposed to fix that but I am expecting tremendous scaling issues in the environments I play in with it and quite frankly have even admitted that I would rather see WMI as it doesn't saturate the network lines passing data that isn't being requested.

[1] Names withheld to protect the guilty.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Saturday, December 02, 2006 6:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

You must take into account that not everyone is a Win32 API or LDAP API C or C++ developer able to write their own logic and create their own tool to perform the management tasks their business requires. Abstraction layers like WMI, ADSI, CDO, XMLDOM, WSH, ADO and so on... are helping thousands of people to write scripts and applications without having to dig into the API programming level. Both worlds have pros and cons. The API programming level requires more specific programming knowledge; the abstraction layers introduce a proxy, simplify the access pattern and obviously have a performance cost. I think that neither of the two worlds has to be rejected; they just need to be used correctly and when appropriate. This is why Microsoft is documenting the Win32 API, COM interfaces and .NET API. If the COM abstraction layers were that yuck, programming environments like WSH and/or VB6 would not have been so heavily used and successful. Are abstraction layers perfect? Clearly not. Are they useful? Yes, for sure. Is there room for improvement? Always.

Regards,
/Alain

Alain LISSOIR
[EMAIL PROTECTED]
Home Page: http://www.LissWare.Net
Where am I? http://map.LissWare.Net

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, December 02, 2006 1:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 100% CPU utilization when
Re: [ActiveDir] [OT] Vista Admin Tools Pack
If I had to guess, I would say it's because the launched process isn't a child of the elevated Explorer window, but is a child of Explorer (the shell) itself. This isn't the case with a CMD prompt, whereby the launched process is an actual child process. Test it with Sysinternals' Process Explorer.

--Paul

- Original Message -
From: joe
To: ActiveDir@mail.activedir.org
Sent: Tuesday, November 21, 2006 10:49 PM
Subject: RE: [ActiveDir] [OT] Vista Admin Tools Pack

The Vista source isn't available for perusal yet so this is a complete guess, but I expect it is something like Explorer purposely dumbs down the process token used to launch the new process. It's just a guess though...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

--
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, November 21, 2006 2:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Vista Admin Tools Pack

Steve - thanks again for sharing this very useful information. I've tested this with different scenarios and I am somewhat confused as to some of the great new features of how Vista handles the security of new threads when launching applications:

1. I can install the AdminPak as a non-privileged local user and can fix the DLL registration in an elevated CMD prompt with your tip below - works fine.
2. When I install the AdminPak from an elevated CMD prompt right away, everything also works fine - no need to manually register the DLLs.
3. When I start the AdminPak installation from an elevated Windows Explorer window, it does not successfully register the DLLs and again I have to register the DLLs manually in an elevated prompt to get them to work.
4. When I right-click the AdminPak installation file in a Windows Explorer window and choose Run as administrator (i.e. running the install in elevated mode), it's the same as when launched from an elevated command prompt and again everything works fine without the need for manual registration of DLLs.

So what's different from launching applications from an elevated Windows Explorer window to launching them from an elevated CMD prompt?

Thanks for any insights
/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Tuesday, November 21, 2006 5:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Vista Admin Tools Pack

You have to run the batch from a command prompt that is elevated or you will get access denied. To run a cmd prompt elevated, search for cmd.exe from the start menu and right click, selecting Run As Administrator. We have also found that if you simply launch the MSI from an elevated command prompt it will register the DLLs as well.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, November 21, 2006 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Vista Admin Tools Pack

I found this write up from someone else yesterday, I can't remember where now. I tried it immediately and ran into a couple of immediate errors when trying to register these DLLs and the Active Directory snap-ins still continued to be non-functional. This is using the Win2003 SP1 admin pack on Vista Business RTM. Basically, I threw all those commands into a text file named register.cmd and let it run.

Certtmpl.dll - Your user account does not have necessary access rights to register the Certificate Templates snap-in. Log on with a different user account and try again, or contact your system administrator. (I am local admin on this Vista box).

Mprsnap.dll - Access is denied. (80070005)

Even though those two DLLs don't seem to be related to the Active Directory snap-ins, I still get the error that the MMC could not create the snap-in. Anyone else run into this?

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Monday, November 20, 2006 10:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Vista Admin Tools Pack

KB is in the works, just takes time. Feel free to blog it or I can if I get some time this week; it is a bit slow this week but I have a backlog of content that I was supposed to have blogged. Good news is that I accepted a new role at Microsoft where maintaining an official blog is part of my job.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, November 20, 2006 11:45 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Vista Admin Tools Pack

okay if you
Re: [ActiveDir] Enterprise Domain Controllers group missing...
I imagine you used the version of ADPREP that ships with Windows Server 2003 SP1? I believe you need to run ADPREP /DOMAINPREP /GPPREP. This will add the inheritable ACEs to CN=Policies,CN=System,DC=...

Allow: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read is an inherited ACE.

Re. EDCs. The ENTERPRISE_DOMAIN_CONTROLLERS Security Principal is available with Windows 2000. The new Security Principals added by 2003 are:

- LocalService
- NetworkService
- NTLM Authentication
- Other Organization
- Remote Interactive Logon
- SChannel Authentication
- This Organization

These group memberships are also modified:

- The Network Servers group is added to the Performance Monitoring Users group.
- The Enterprise Domain Controllers group is added to the Windows Authorization Access group.

See the link from Steve for more info on this. 2003 RTM added new Sec Prins. 2003 SP1 also added some, IIRC. Therefore ensure your PDCe is running k3 SP1.

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, November 22, 2006 2:04 AM
Subject: [ActiveDir] Enterprise Domain Controllers group missing...

- We recently upgraded the schema in one forest from Windows 2000 to Windows 2003.
- We now receive the following error when trying to access group policies: "The Enterprise Domain Controllers group does not have read access to this GPO. The Enterprise Domain Controllers group must have read access on all GPO's in the domain in order for Group Policy Modelling to function properly. To learn more about this issue and how you can correct it, click Help."
- I can confirm we do not have an Enterprise Domain Controllers group in any of the domains.
- I have found the following article http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true which shows how to fix the GPO issue using GrantPermissionOnAllGPOs.wsf... but this assumes we actually have the group Enterprise Domain Controllers available. From further reading I see this group has a specific SID of S-1-5-9 so I can not simply create a new group.
- Does anyone have any idea how the group Enterprise Domain Controllers can be recreated with the correct SID of S-1-5-9 so that we can run the script GrantPermissionOnAllGPOs.wsf to fix the group policy problem?

Thanks in advance,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/
Re: [ActiveDir] Enterprise Domain Controllers group missing...
Mistyped the inherited/inherit ACE flags there, but you get my point; kind of makes sense in English. I'm guessing, as I'm not in a position to test, that perhaps GPPREP adds the necessary ACE(s) to the aforementioned container, resulting in an ACE set with the INHERIT flag, which means that child objects will inherit this ACE (unless NO_PROPAGATE is set, which it isn't).

--Paul

----- Original Message -----
From: Paul Williams [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, November 22, 2006 10:31 AM
Subject: Re: [ActiveDir] Enterprise Domain Controllers group missing...

I imagine you used the version of ADPREP that ships with Windows Server 2003 SP1? I believe you need to run ADPREP /DOMAINPREP /GPPREP. This will add the inheritable ACEs to CN=Policies,CN=System,DC=...

Allow: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read is an inherited ACE.
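The check Matt is after, as an added example that is not part of the thread or of Microsoft's GrantPermissionOnAllGPOs.wsf: given each GPO's security descriptor in SDDL form (which any DC will export, for instance with ADFIND's -sddl switch or Get-Acl on the AD: drive), decide whether S-1-5-9 really holds Read on the GPO object itself. It resolves the "ED" SDDL alias to S-1-5-9, accepts rights either as two-letter codes or as a hex mask, and skips inherit-only ACEs, which are the trap Paul's follow-up is about. The three descriptors at the bottom are constructed to look like real GPO DACLs; the right-bit values are the ADS_RIGHTS_ENUM constants.

```python
"""Check GPO security descriptors for the Enterprise Domain Controllers
read ACE that Group Policy Modeling complains about in the thread above.

Added example, not code from the thread. It works on SDDL strings so the
check runs offline; the GPO descriptors at the bottom are constructed.
"""
import re

# S-1-5-9 is a well-known SID fixed by Windows, which is why the group
# cannot simply be re-created; SDDL abbreviates it as "ED".
ENTERPRISE_DOMAIN_CONTROLLERS = "S-1-5-9"
SDDL_SID_ALIASES = {
    "ED": "S-1-5-9",        # Enterprise Domain Controllers
    "AU": "S-1-5-11",       # Authenticated Users
    "SY": "S-1-5-18",       # Local System
    "BA": "S-1-5-32-544",   # Builtin\Administrators
}

# Directory access rights: SDDL two-letter codes -> ADS_RIGHTS_ENUM bits.
RIGHT_BITS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
# "Read" on a GPO container = list children + read property + list object + read control.
READ_MASK = RIGHT_BITS["LC"] | RIGHT_BITS["RP"] | RIGHT_BITS["LO"] | RIGHT_BITS["RC"]
GENERIC_READ_MASK = RIGHT_BITS["GR"] | RIGHT_BITS["GA"]

ACE_RE = re.compile(r"\(([^)]*)\)")


def _pairs(codes):
    """Split a run of two-letter SDDL codes ('CIIO', 'LCRPLORC') into a set."""
    return {codes[i:i + 2] for i in range(0, len(codes), 2)}


def rights_mask(rights):
    """Turn an SDDL rights field (hex mask or two-letter codes) into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in _pairs(rights):
        mask |= RIGHT_BITS[code]  # an unknown code raises KeyError on purpose
    return mask


def parse_dacl(sddl):
    """Return one dict per ACE in the DACL of an SDDL string.

    The first 'D:' token starts the DACL (owner and group come before it);
    the optional SACL ('S:') follows it and is ignored here.
    """
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE string; skip rather than guess
        ace_type, flags, rights, obj_guid, _inh_guid, sid = fields[:6]
        aces.append({
            "type": ace_type,
            "flags": _pairs(flags),
            "mask": rights_mask(rights),
            "object": obj_guid,
            "sid": SDDL_SID_ALIASES.get(sid, sid),
        })
    return aces


def edc_has_read(sddl):
    """True if an allow ACE on the object itself grants S-1-5-9 full read."""
    for ace in parse_dacl(sddl):
        if ace["type"] != "A" or ace["sid"] != ENTERPRISE_DOMAIN_CONTROLLERS:
            continue
        if "IO" in ace["flags"] or ace["object"]:
            continue  # inherit-only or property-specific: not a read of this object
        if ace["mask"] & GENERIC_READ_MASK or (ace["mask"] & READ_MASK) == READ_MASK:
            return True
    return False


def gpos_missing_edc_read(gpos):
    """gpos: {GPO display name: SDDL}. Returns the names that still need fixing."""
    return sorted(name for name, sddl in gpos.items() if not edc_has_read(sddl))


# Constructed sample descriptors (shape of a real GPO DACL, not captured data).
FULL = "RPWPCCDCLCLORCWOWDSDDTSW"
SAMPLE_GPOS = {
    "Default Domain Policy":
        "O:DAG:DAD:PAI(A;CI;" + FULL + ";;;DA)(A;CI;" + FULL + ";;;SY)"
        "(A;CI;LCRPLORC;;;AU)(A;CI;LCRPLORC;;;ED)",
    "Workstation Lockdown":            # the ED ACE was never applied
        "O:DAG:DAD:PAI(A;CI;" + FULL + ";;;DA)(A;CI;LCRPLORC;;;AU)",
    "Inherit-only trap":               # ED present but IO: children only, not this GPO
        "O:DAG:DAD:PAI(A;CI;" + FULL + ";;;DA)(A;CIIO;LCRPLORC;;;ED)",
}

if __name__ == "__main__":
    for name in gpos_missing_edc_read(SAMPLE_GPOS):
        print("missing ED read:", name)
```

Feed it the real descriptors once the group resolves again after /GPPREP; a GPO that still shows up here is one the wsf script (or a manual ACL edit) has to touch.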
Re: [ActiveDir] Is it 2000 or 2003?
Interesting, you're more than likely doing it in a more efficient manner than I then. Here's the code I use in all of my scripts (for anyone who's interested in this) these days (I liked the way ADFIND and ADMOD output this info, so thought I'd steal Joe's idea and wrap this info into all my scripts that do something with the DS):

    ' Serverless bind to the RootDSE of whichever DC the locator returns.
    ' The functions below expect this object at script scope.
    Dim oRootDse
    Set oRootDse = GetObject("LDAP://RootDSE")

    ' OID advertised in supportedCapabilities by ADAM instances.
    Const LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID = "1.2.840.113556.1.4.1851"

    ' ***
    ' Sub printDirectoryInfo(RootDSE)
    '
    ' Sub prints the DC that is being used and the
    ' level of the directory service.
    '
    ' Note. Sub calls func getDSFunctionality
    '
    ' ***
    Private Sub printDirectoryInfo(oRootDse)
        Dim sServer, sDSFunctionality
        sServer = oRootDse.Get("dNSHostName")
        sDSFunctionality = _
            getDSFunctionality(oRootDse.Get("domainControllerFunctionality"), _
                               oRootDse.Get("supportedCapabilities"))
        echo "Using server: " & sServer
        echo "Directory: " & sDSFunctionality & vbCrLf
    End Sub

    ' ***
    ' Func getDSFunctionality(int, array)
    '
    ' Get the domain functional level for info.
    ' purposes. Function returns a string defining the
    ' current value of the DC queried (via serverless
    ' bind).
    '
    ' ***
    Private Function getDSFunctionality(iDSFunctionality, _
                                        cSupportedCapabilities)
        Dim oBase, dsf, nTMixedDomain, supportedCapability, bFlag
        bFlag = False
        Select Case iDSFunctionality
            Case 0
                ' Windows 2000 level: mixed vs. native is held in nTMixedDomain
                ' on the domain NC head (1 = mixed, 0 = native).
                Set oBase = GetObject("LDAP://" & oRootDse.Get("defaultNamingContext"))
                nTMixedDomain = oBase.Get("nTMixedDomain")
                If (nTMixedDomain = 1) Then
                    dsf = "Windows 2000 Mixed"
                Else
                    dsf = "Windows 2000 Native"
                End If
            Case 1
                dsf = "Windows Server 2003 Interim"
            Case 2
                ' ADAM also reports 2; tell the two apart by the ADAM capability OID.
                For Each supportedCapability In cSupportedCapabilities
                    If (supportedCapability = LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID) Then
                        bFlag = True
                    End If
                Next
                If (bFlag) Then
                    dsf = "Active Directory Application Mode (ADAM)"
                Else
                    dsf = "Windows Server 2003"
                End If
        End Select
        getDSFunctionality = dsf
    End Function

    ' ***
    ' Sub echo(String)
    '
    ' Sub prints the passed string to the console
    ' (if run from CSCRIPT) or to the shell via
    ' message box (if run from WSCRIPT).
    '
    ' ***
    Private Sub echo(sOutputString)
        WScript.Echo sOutputString
    End Sub

--Paul

----- Original Message -----
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, November 16, 2006 6:32 PM
Subject: RE: [ActiveDir] Is it 2000 or 2003?

AdFind only determines the Directory level, it doesn't look for functional modes or mixed mode. The way I get directory level is through the supportedCapabilities attribute of the rootdse of the DC. Of course it is possible to hit one DC looking for info and I pull the ROOTDSE from that DC and then in the background a referral is processed which ends up getting the info from another DC in another domain (or same domain if looking at app parts).

You can get functionality modes from the rootdse attributes domainFunctionality and forestFunctionality. For all of those, just do an

    AdFind -rootdse

and you will see what I am decoding and logically how I ascertain directory level. Mixed mode versus native you simply use the domain NC's nTMixedDomain attribute.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, November 16, 2006 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is it 2000 or 2003?

I don't understand where you are seeing this info. Are you referring to the applet that is used to raise the FL? Or something else?

As for the flag that is used to identify the directory, it is usually a combination of:
- msDS-Behavior-Version
- nTMixedDomain
- supportedCapabilities

Or at least, that is the way I put info such as server and directory in each of my scripts. Just like Joe does in ADFIND and ADMOD. I believe he does it the same way too. Basically, check msDS-Behavior-Version. If it's 0, check nTMixedDomain. If it's 2, check supportedCapabilities to see whether or not it is ADAM (it's ADAM if one of the supportedCapabilities is 1.2.840.113556.1.4.1851 [LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID]).

In my test lab(s), my directory is considered a 2003 directory. In my labs, I used either DOMAIN.MSC or ADMOD to increase the FLs.

--Paul

----- Original Message -----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, November 16, 2006 3:45 PM
Subject: RE: [ActiveDir] Is it 2000 or 2003?

I've entered this thread late so apologies if the below has already been stated: I recently created a new dev forest, with multiple domains. I too raised DFL and FFL as soon as all domains were built. I do not see the issues you describe and would suggest you download the scripts available here http://www.jadonex.com/ One of the scripts (written by Dean) checks the DFL
Re: [ActiveDir] Locating empty GPOs in a domain / forest
It varies depending on the CSE, Neil. The behaviour usually reverts with Admin Templates. Security settings don't revert, but can roll back if they're set elsewhere (like you said). Darren's already covered Software Installation.

For example, if you set hide shutdown, and then set that option to not defined, you'll get it back unless there's another GPO overriding that.

--Paul

----- Original Message -----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, November 16, 2006 9:27 AM
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

I thought 'Not Defined' meant 'ignore this setting and apply it as set elsewhere in other GPOs', i.e. if it were set and then later set to not defined, the clients would continue to use the setting and ignore the change from enabled to 'not defined'. E.g. wallpaper set to A, originally. Then wallpaper set to 'not defined'. I always believed clients would ignore any 'not defined' settings and thus continue to use wallpaper A. Am I wrong?

neil

--
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 November 2006 18:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

If I set an Admin template policy from Enabled to Not Configured, then that GPO with Not Configured needs to be processed at least once by the target in order to remove the setting. So, even though GPMC might report No Settings (and frankly I haven't looked at how it reports other areas besides Admin templates. For example, you can remove a software installation package but it is left in the GPO so that clients can process the removal. Does that mean that the GPO has no settings?) you might still want that GPO around to be able to undo the client, if only for a limited period of time.

Darren

--
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Wednesday, November 15, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

"if a GPO had settings and doesn't anymore, it may be needed by users and computers processing GP to undo settings that were previously applied"

IMHO, no settings means all settings in the GPO are set to Not Defined. Wouldn't it, for the case you mention, need to have reverse settings or original settings and thus have settings?

jorge

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

--
From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Wed 2006-11-15 17:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

Well, it depends upon the purpose of your quest, but you're correct. For example, you may not want to delete a GPO that has no settings (but does have versionNumber 0) because that may be a desirable state for it. In other words, if a GPO had settings and doesn't anymore, it may be needed by users and computers processing GP to undo settings that were previously applied. Unless you know for sure that those settings have been undone, then you can't be sure the GPO is unused.

--
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 15, 2006 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

Thanks Darren - that assumes the GPO is empty and always was empty, of course :)

neil

--
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 15 November 2006 15:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest

Another option is to perform an LDAP search on the cn=policies, cn=system container for GPC objects, and on each GPC object, look for a versionNumber attribute == 0. It's probably slightly faster than first generating the HTML report and then parsing it.

--
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 15, 2006 5:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locating empty
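Darren's LDAP approach and Neil's caveat, as an added example that is not code from the thread: it takes the attributes a search of CN=Policies,CN=System would return for each groupPolicyContainer and separates "never edited" (versionNumber 0 in both halves) from "edited before, possibly emptied later", which is the case clients may still need to process. It goes one step beyond the thread by also parsing gPLink from the domain head and OUs, so a never-edited GPO that is still linked somewhere is not flagged for removal. The user and computer halves of versionNumber, the gPLink layout and its option bits are as Windows defines them; every GPC record, GUID and gPLink string below is constructed.

```python
"""Triage "empty" GPO candidates from groupPolicyContainer attributes,
applying the two points made in the thread: versionNumber == 0 means a
GPO was never edited, while a GPO that was edited and is empty now may
still be needed so clients can undo what it once set.

Added example, not code from the thread. It also parses gPLink so that a
never-edited GPO that is still linked is reported rather than deleted.
All records below are constructed.
"""
import re

# gPLink is a concatenation of "[LDAP://<gpo dn>;<options>]" entries;
# option bit 1 = link disabled, bit 2 = enforced (no override).
GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)

NEVER_EDITED_UNLINKED = "never edited and unlinked: removal candidate"
NEVER_EDITED_LINKED = "never edited but still linked: find out why before removing"
EDITED = "edited before: may be empty now, keep until clients have processed the change"


def split_version(version_number):
    """versionNumber packs two 16-bit counters: user half high, computer half low."""
    return (version_number >> 16) & 0xFFFF, version_number & 0xFFFF


def parse_gplink(gplink):
    """Return [(gpo_dn_lowercase, enforced, disabled), ...] for one gPLink value."""
    links = []
    for dn, options in GPLINK_RE.findall(gplink or ""):
        opt = int(options)
        links.append((dn.lower(), bool(opt & 2), bool(opt & 1)))
    return links


def triage_gpos(gpcs, scopes):
    """gpcs: groupPolicyContainer records (distinguishedName, displayName, versionNumber).
    scopes: {container DN: gPLink value} for the domain head, OUs and sites.
    Returns {displayName: {"user_version", "computer_version", "links", "verdict"}}."""
    links_by_gpo = {}
    for container, gplink in scopes.items():
        for dn, enforced, disabled in parse_gplink(gplink):
            links_by_gpo.setdefault(dn, []).append(
                {"container": container, "enforced": enforced, "disabled": disabled})

    report = {}
    for gpc in gpcs:
        user_ver, comp_ver = split_version(gpc["versionNumber"])
        links = links_by_gpo.get(gpc["distinguishedName"].lower(), [])
        if user_ver == 0 and comp_ver == 0:
            verdict = NEVER_EDITED_LINKED if links else NEVER_EDITED_UNLINKED
        else:
            verdict = EDITED
        report[gpc["displayName"]] = {
            "user_version": user_ver,
            "computer_version": comp_ver,
            "links": links,
            "verdict": verdict,
        }
    return report


# Constructed sample data (GUIDs are placeholders, not real GPO identifiers).
POLICIES = "CN=Policies,CN=System,DC=example,DC=test"
GPC_EMPTY = "CN={11111111-1111-1111-1111-111111111111}," + POLICIES
GPC_WALLPAPER = "CN={22222222-2222-2222-2222-222222222222}," + POLICIES
GPC_LINKED_EMPTY = "CN={33333333-3333-3333-3333-333333333333}," + POLICIES

SAMPLE_GPCS = [
    {"distinguishedName": GPC_EMPTY, "displayName": "Test GPO", "versionNumber": 0},
    {"distinguishedName": GPC_WALLPAPER, "displayName": "Wallpaper", "versionNumber": 0x00030002},
    {"distinguishedName": GPC_LINKED_EMPTY, "displayName": "Placeholder", "versionNumber": 0},
]
SAMPLE_SCOPES = {
    "DC=example,DC=test": "[LDAP://" + GPC_WALLPAPER + ";0]",
    "OU=Desktops,DC=example,DC=test":
        "[LDAP://" + GPC_LINKED_EMPTY.lower() + ";1][LDAP://" + GPC_WALLPAPER + ";2]",
    "OU=Servers,DC=example,DC=test": "",   # nothing linked here
}

if __name__ == "__main__":
    for name, info in triage_gpos(SAMPLE_GPCS, SAMPLE_SCOPES).items():
        print(name, info["verdict"])
```

Note what this does not do: it cannot tell an edited-then-emptied GPO from one that still carries settings, because versionNumber only counts edits. For that you still need the GPMC report, which is exactly why Darren's "keep it around for a while" advice applies to everything in the EDITED bucket.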
Re: [ActiveDir] Is it 2000 or 2003?
I don't understand where you are seeing this info. Are you referring to the applet that is used to raise the FL? Or something else?

As for the flag that is used to identify the directory, it is usually a combination of:
- msDS-Behavior-Version
- nTMixedDomain
- supportedCapabilities

Or at least, that is the way I put info such as server and directory in each of my scripts. Just like Joe does in ADFIND and ADMOD. I believe he does it the same way too. Basically, check msDS-Behavior-Version. If it's 0, check nTMixedDomain. If it's 2, check supportedCapabilities to see whether or not it is ADAM (it's ADAM if one of the supportedCapabilities is 1.2.840.113556.1.4.1851 [LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID]).

In my test lab(s), my directory is considered a 2003 directory. In my labs, I used either DOMAIN.MSC or ADMOD to increase the FLs.

--Paul

----- Original Message -----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, November 16, 2006 3:45 PM
Subject: RE: [ActiveDir] Is it 2000 or 2003?

I've entered this thread late so apologies if the below has already been stated:

I recently created a new dev forest, with multiple domains. I too raised DFL and FFL as soon as all domains were built. I do not see the issues you describe and would suggest you download the scripts available here http://www.jadonex.com/ One of the scripts (written by Dean) checks the DFL and FFL for the forest and across all domains.

For a manual check, I also look here:

FFL
===
CN=Partitions,CN=Configuration,DC=xxx
Attribute msDS-Behavior-Version: 0=w2k FFL, 1=interim FFL, 2=w2k3 FFL

DFL
===
CN=domainName,CN=Partitions,CN=Configuration,DC=xxx
Attribute msDS-Behavior-Version: 0=w2k DFL, 1=interim DFL, 2=w2k3 DFL

Hope that helps,
neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Onsomu
Sent: 16 November 2006 14:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it 2000 or 2003?

I got curious about this and decided to dcpromo my VM image of Windows 2003 R2. After the AD installation (which sits at Windows 2000 for domain type) I raised the functionality for the domain and forest. The result for domain type was Windows 2000. I am not sure it is supposed to be different. Anybody out there who can say their install says something else?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, November 15, 2006 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is it 2000 or 2003?

Were these clean installs or in-place?

Bart Van den Wyngaert wrote:

Well I also have a strange thing... It concerns 2 SBS 2003 systems. Some months ago I raised both domain and forest functional level on those boxes. By reading this thread I decided to have a look... Both tools report the correct OS actually on both boxes. The only thing I wonder about a bit is that they both report with the gpresult tool that the domain type is Windows 2000. If I look using the GUI, they both report the functional level of domain and forest as being at 2003. Don't really get it actually. Is this related? Normal, or did I miss something when I raised the functional levels?

Thanks,
Bart

On 11/10/06, Noah Eiger [EMAIL PROTECTED] wrote:

Good question. DFL = 2003 and FFL = 2003. So it must just be some lingering text string. Does anyone think there is more to it? Thanks.

-- nme

-----Original Message-----
From: Clingaman, Bruce [mailto:[EMAIL PROTECTED]
Sent: Friday, November 10, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it 2000 or 2003?

What does it say under: AD Users & Computers | [right click domain name] | Raise Domain Functional Level... ?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, November 10, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it 2000 or 2003?

Hi - Several months ago, I upgraded a small, multi-site domain from W2k to W2k3. Or so I thought. The various markings in the schema indicate that the upgrade was successful. But when I run, for example, gpresult, it reports a Windows 2000 domain. Is this just some flag or string that did not get set properly or is there really a problem with the upgrade? Thanks.

-- nme

P.S. I also just noticed that when I run netdiag on a new W2k3EN DC, it says System info: Windows 2000 Server (Build 3790).
Re: [ActiveDir] Password Police Question on Forest-ChildDomain relationship
Answering your questions directly.

1. All GPOs have the same settings as they use the same template(s) when created. This is probably for simplicity and ease of use. You can add more ADM templates, and also add CSEs and therefore other settings if you so wish. I don't think you can remove them, unless you consider unregistering the necessary DLLs for the CSEs, but that might cause other issues.

2. It will apply to the DSRM/Safe Mode password and any member servers in this OU.

3. No. GPOs don't flow across domains by default. I believe you can link GPOs across domains, or you can copy the GPOs, but the processing engine doesn't look outside of the domain.

--Paul

----- Original Message -----
From: Rocky Habeeb
To: ActiveDir@mail.activedir.org
Sent: Monday, November 13, 2006 4:17 PM
Subject: RE: [ActiveDir] Password Police Question on Forest-ChildDomain relationship

Thanks Jorge, I just figured that out by virtue of the fact that nothing was defined in the Default Domain Controllers Policy.

Can you answer these questions please?
[1] Why does the Default Domain Controllers Security Policy have a password section?
[2] What happens if you change a setting in it? (i.e. who does it apply to?)
[3] If you set a password policy at the empty forest root level, does it flow down to children and set things sans conflict at the child domain?

As always, I appreciate your helpful insight.

RH

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 13 November, 2006 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password Police Question on Forest-ChildDomain relationship

What passwords are you talking about? For which accounts?

It will not let you change the password as the policy mentions: at least 1 day old.

Password policies are not defined in the default domain controllers policy, but in the default domain policy.

Cheers,
jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, 13 November 2006 15:56
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password Police Question on Forest-ChildDomain relationship

Dear List readers,

I have a Forest (W2K3 FFL) with an empty root domain and a single child domain (W2K3 FFL). Today I changed the password on all my servers in the child domain including the domain controllers. I meant to exclude them but did not. Now they have the same password as my member servers. I went to change the password again on the DCs in the child domain, but they will not let me. "Your password must be at least 8 characters, cannot repeat any of your previous 0 passwords and must be at least 1 days old" is the error I get.

I have a domain policy set for the computers in the domain, which has the complexity specified above as far as characters, but the group policy (default Domain Controllers) for my DCs in the child domain is "Not Defined" in all of the password policy options. Nor is there anything defined in the Forest Root Default Domain Controllers policy, which I thought might be flowing down to my Child Domain DCs. I cannot find where the policy might be set keeping me from changing the password in my Child Domain DCs. Would anyone know where to find that setting? I would like to reset my Child DCs so their password is different.

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
Re: [ActiveDir] /3GB and/or /USERVA and/or /PAE???
You need 4GT enabled (/3GB switch) if these only function as DCs. There's not much info on this, but if you want to get the maximum LSASS footprint into RAM (~2.7GB) then you need to enable 4GT.

If you're running K3 SP1 Enterprise then PAE is enabled by default and therefore the boot.ini switch is not necessary. I don't think you need to worry about PAE, although sometimes the full RAM doesn't show up unless you do enable it (or, in some cases, tweak some BIOS setting).

--Paul

----- Original Message -----
From: Mike Baudino
To: ActiveDir@mail.activedir.org
Sent: Saturday, November 04, 2006 5:30 PM
Subject: [ActiveDir] /3GB and/or /USERVA and/or /PAE???

Hi all,

We're running a Server 2003 AD environment across 110 DCs across North America and Europe. We have physical DCs on a variety of fairly new hardware and ESX VMs.

Older server hardware, approx two years old: quad proc, 2GB RAM
ESX VMs: dual proc, 3.6GB RAM
New server hardware, from this summer: quad proc, 4GB RAM

Our DIT is around 2.3-2.4 GB and still growing slowly as we continue migrations of users. Server migrations coming next. There's no Exchange in our environment and the DCs are single-purpose as we don't permit anything else to be loaded on them (except for SYSVOL, antivirus, and monitoring tools, of course).

My concern is that none of the older hardware or the VMs are running /3GB or /PAE. Some of the new hardware is running /PAE and some is not. I would like to have some degree of consistency. From what I can tell, running /3GB would make sense on the VMs and the newer physical boxes as it would permit more RAM to be allocated to LSASS. If we use /3GB do we need to, or want to, use /USERVA?

I don't see any advantage, and in fact a disadvantage, to running /PAE. The disadvantage may just be "bad press" but it appears that there are issues with /PAE compatibility. Also, it appears that /PAE has no impact at or below 4GB?

I read another thread from earlier this summer that the VMs should probably be replaced. We're looking into that but it will take a while. The thread seemed to indicate that /3GB might be the way to go.

Anyway, I would like to know what you're running and/or would recommend. Called Microsoft about this and they looked up the same article that we already had but seemed to offer no advice based on real world experience. You guys are where the rubber meets the road.

Thanks,
Mike
Re: [ActiveDir] Active Directory Health Check tool - where can it run from?
I assume you are referring to the ADST tool that you get if you're a premier customer and MSFT come and do an AD Healthcheck. As far as I know, this can be run from anywhere (in the domain), as it's really just a bunch of VBS scripts that do ADSI and WMI queries against the DCs. The cool thing is these scripts are wrapped behind a decent GUI.

--Paul

----- Original Message -----
From: Washington, Booker
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 31, 2006 10:26 PM
Subject: RE: [ActiveDir] Active Directory Health Check tool - where can it run from?

It is the Active Directory Health Check Snapshot Tool. What exactly is ADRAP? I got a copy from our Forest Admins because I am a child domain of the forest. The reason that I ask is because I seem to get buggy results when I go from an XP workstation, or a member server, and I wondered if I needed to run it from the DC itself.

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, October 31, 2006 5:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Active Directory Health Check tool - where can it run from?

Which tool is this? The AD Snapshot tool that you get from an ADRAP can run from any server.

--brian

From: [EMAIL PROTECTED] on behalf of Washington, Booker
Sent: Tue 10/31/2006 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: Active Directory Health Check tool - where can it run from?

Does that tool need to be run from a Domain Controller, or can it be run from any member server in the Domain, or workstation? Just curious.

Thanks
Re: [ActiveDir] DMZ DOMAIN?
If you take a look at the Windows 2000 clustering training material (I don't have it handy so my vocabulary will be sketchy) there is a setup where you make the nodes the DCs for the domain that the cluster resides in. I've never implemented such a setup though, so can't vouch for it in any way, other than saying that it is supported to have a DC or DCs as nodes in a cluster. What isn't supported is the clustering of AD (we all know why that is a stupid idea anyway).

Personally, I would add two additional servers to the DMZ as domain controllers for their own forest, also running as GC and DNS servers. The clusters, and the Notes servers, and any other servers that have service accounts running on them, can then be members of this domain.

You need to think long and hard before creating any trusts from the DMZ to the internal (or vice-versa). Again, this is supported and is often used (DMZ trusts internal) in a number of setups, but the true purpose of a DMZ doesn't allow such things (from a conceptual perspective; see the DMZology presentation by Fred at TechEd for some good info on this).

--Paul

----- Original Message -----
From: Brian Desmond
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 24, 2006 4:33 AM
Subject: RE: [ActiveDir] DMZ DOMAIN?

You need a domain to have a cluster. You can make yourself a forest for this purpose out in the DMZ. Just don't make the cluster nodes domain controllers.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 23, 2006 6:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DMZ DOMAIN?

I have a little question. I have a DMZ zone, where we have our firewall, and some Lotus Notes email servers. I want to create a Microsoft cluster with our two internet page servers. I read in documentation that I can only have a cluster if I have an MS AD domain. Is that true? Is there any restriction in creating a Domain in the Internet DMZ zone? Is that unsafe?

Thanks

Adrião Ferreira Ramos
CII14
(11) 33888193
[EMAIL PROTECTED]

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
Re: [ActiveDir] OT: Bulk Workstation reboots.....
"Any impact problems to be aware of?"

From an AD standpoint, no. Especially not if you do it out of hours. If there are no remote DCs, you might see a spike in WAN traffic, but again, nothing worth worrying about. Certainly less than what's going over the WAN during office hours.

From a client standpoint, there's the open files issue(s)...

--Paul

----- Original Message -----
From: Frank Abagnale
To: ActiveDir@mail.activedir.org
Sent: Thursday, October 19, 2006 9:16 AM
Subject: Re: [ActiveDir] OT: Bulk Workstation reboots.

Paul,

These 900 workstations are not scattered all over the place. They are placed over 4 locations. This site has 3 DCs, which are all W2k3 R2 GC enabled. Any impact problems to be aware of? But thanks for the script!

Frank

Paul Williams [EMAIL PROTECTED] wrote:

Here's a script I've used in the past to do what you want:
-- http://groups.google.com/group/microsoft.public.windows.server.active_directory/msg/3be4867f843df935

I wouldn't worry about the computer logons if you do this out of hours, e.g. run the script via a scheduled task or simply initiate at 2000 or whatever. Those machines are going to be scattered all over the place and will use different DCs.

--Paul

----- Original Message -----
From: Frank Abagnale
To: Active
Sent: Wednesday, October 18, 2006 3:14 PM
Subject: [ActiveDir] OT: Bulk Workstation reboots.

I have a startup script which inputs a variable on every XP workstation. This variable is going to change and I need the workstations to be rebooted to reflect the change. I have around 900 workstations. I was thinking of using the shutdown.exe tool with the remote name in a batch file. I was planning on doing this during the night; does anyone see any issues/impact if I set 900 machines to reboot automatically? Does anyone else have a better idea?

Thanks
Frank
Re: [ActiveDir] Latency in List
Yeah, I sort of bitched about it last month when I had some time to reply. I see about 90 - 100 minute delays.

--Paul

----- Original Message -----
From: Vinnie Cardona [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, October 18, 2006 1:00 AM
Subject: RE: [ActiveDir] Latency in List

This message was sent at 6pm (MST). I have seen latency...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, October 17, 2006 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Latency in List

I initially sent a reply to this thread (below) at 19:43 BST yet I only received it back at 21:37 BST, nearly two hours later. Is anyone else experiencing latency or is it just me? Let's see what this message does!

Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 17 October 2006 19:43
To: ActiveDir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.
Re: [ActiveDir] OT: Bulk Workstation reboots.....
Here's a script I've used in the past to do what you want:
http://groups.google.com/group/microsoft.public.windows.server.active_directory/msg/3be4867f843df935

I wouldn't worry about the computer logons if you do this out of hours, e.g. run the script via a scheduled task or simply initiate at 2000 or whatever. Those machines are going to be scattered all over the place and will use different DCs.

--Paul

- Original Message -
From: Frank Abagnale
To: Active
Sent: Wednesday, October 18, 2006 3:14 PM
Subject: [ActiveDir] OT: Bulk Workstation reboots.

I have a startup script which inputs a variable on every XP workstation. This variable is going to change and I need the workstations to be rebooted to reflect the change. I have around 900 workstations; I was thinking of using the shutdown.exe tool with the remote name in a batch file. I was planning on doing this during the night. Does anyone see any issues/impact if I set 900 machines to reboot automatically? Does anyone else have a better idea? Thanks Frank
Re: [ActiveDir] userAccountControl 544
If you create with ADSI, e.g. VBScript, and don't set a password before the initial SetInfo you get 2 + 32 + 512. If you then set the password, you can un-set 32. If you don't set a password and you have a password restriction policy, you cannot un-set 32 or 2. Setting the password won't change the value of userAccountControl, you have to do that by yourself.

Note. Although it doesn't really do much if you have password policies in place, it is probably not recommended to set 32, therefore you need to instruct your provisioning people on how to properly create a user object.

Note also. The cookbook code (http://techtasks.com/code/viewbookcode/1555) will end up with a value of 544. So you need to take this into account and set uac at the end in addition to enabling the user (personally, I would not use accountDisabled() and would set uac to what I want).

If you want to go through what you have and correct this, assuming all users have a password, you can do this with ADMOD:

adfind -default -bit -f "(objectCategory=person)(objectClass=user)(userAccountControl:AND:=32)" userAccountControl -adcsv | admod userAccountControl::{{userAccountControl::CLR::32}} -unsafe

[Re] Note. If you have a pwd policy in place, you must set passwords first.

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 17, 2006 6:24 AM
Subject: RE: [ActiveDir] userAccountControl 544

D*mn, I'm glad you can understand my gibberish. I reread that post and came up with a "what the h*//???" In the circumstance w/ ADSI, what would be the proper routine to follow? After the user is created and the password set, do you change the value of 544 back to 512?

I've noticed the same about 544. The user doesn't appear to have sufficient rights to reset their password to a blank password. The administrator (or someone with full control on the object; have not verified what permissions exactly) can set their password to null all day long. That's kind of dismaying. Also, 544 doesn't go back to 512 after the user password has changed, so it's kind of subject to always holding the capacity for a blank password. Don't really like that either.

Thanks for the information, as always. I picked up your book, by the way. Fun read.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 17, 2006 12:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] userAccountControl 544

Depends on how the user is created. If using ADSI, you cannot specify a password while creating the user so if you have a password length policy then you have to create the account disabled or set to allow a blank password or both. With the raw LDAP API (and I would expect S.DS.Protocols), you can create an enabled user because you can specify the password in the ADD op. You can do that with admod if you like. Note that an account set with 544 doesn't necessarily have a blank password, but it could be.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 16, 2006 5:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] userAccountControl 544

I think I've figured it out. Thanks all.

:m:dsm:cci:mvp| marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oh, Marcus (CCI-Atlanta)
Sent: Monday, October 16, 2006 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] userAccountControl 544

Trying to understand this value. Seeing it set on some of my user objects. So 512 would be a normal user but 32 means that no password is required. When a new user object is created, my understanding (by reading quite a few threads) is that 544 is the default uac. Does this sound right? Is there a point when something doesn't need to listen to domain policy? It should fail to meet standards by the password length now; I'm not sure how I can verify the actual password is set to nothing. On one particular account, I've tried logging in with a blank password but get a bad password failure. Thanks all!
Re: [ActiveDir] Discovering LDAPS availability
The project that I'm working on makes heavy use of LDAPS. However, at the moment, we favour the latter statement - the built DCs don't leave staging until the certs are pulled. They must be signed off, and that's one of the last items on the deployment check list. We'll probably automate this check soon, but we're too busy with automating the builds at the moment. Personally, I like the idea of _ldaps SRV RRs. Although I can appreciate there's a bit more to it from MSFT's point of view than simply getting NETLOGON to register them in DNS.

--Paul

- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 10, 2006 10:45 PM
Subject: RE: [ActiveDir] Discovering LDAPS availability

Hmm, doesn't look like anyone else has figured this out, or just doesn't deploy LDAPS, or alternately makes sure every DC is capable of LDAPS.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Loder
Sent: Friday, October 06, 2006 8:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Discovering LDAPS availability

joe's absolutely right. What's trying to be accomplished is to publish new LDAPS SRV records for a 300+ DC environment. But I don't want to just blindly assume each DC properly enrolled with the CA (we had problems like that at the beginning), and I'd really like to avoid the overhead of touching each DC. Unfortunately, that's about the only viable method I see. We have a DCR in with MS to change the behavior so that the DCs automatically publish LDAPS if it's available. But what we're hearing right now is that it's probably not in the pipeline until LH SP1.

--- joe [EMAIL PROTECTED] wrote:
LDAPS records aren't published by DCs, only LDAP records. I can assure you if it were that easy, David wouldn't have had an issue. From what I have seen, if a secure LDAP connection is required, the internal routines from MSFT simply locate a DC and go to the port. If LDAPS isn't hot, the connection is dropped with a server down error.

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 05, 2006 6:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Discovering LDAPS availability

Couldn't you just query the DNS for the SRV record advertising it...

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs
Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

From: David Loder [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
06/10/2006 08:56 a.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Discovering LDAPS availability

Other than directly testing the 636 port on each DC, can anyone suggest a method for an unprivileged client to discover whether or not LDAPS should be available on a specific DC?
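The thread ends where it started: there is no SRV record for LDAPS, so the only reliable signal is a verified TLS handshake on 636 against each DC, which is also the staging check Paul describes. The following is an added example of that check (not code from the list, joeware or Microsoft). The DC names you pass in are your own; the SRV names are the standard DC locator records, and the `_ldaps` record is listed only to show that it is the one Paul wishes existed.

```python
"""Verify that a DC actually answers LDAPS (TCP 636) with a certificate that chains.

Added example for the 'Discovering LDAPS availability' thread; it is not code
from the list or from Microsoft.  Host names are whatever DCs you pass in;
no target is built in.
"""
import socket
import ssl


def dc_locator_srv_names(domain):
    """SRV names NETLOGON registers for plain LDAP.  There is no _ldaps
    equivalent (the point of the thread), so these only find DCs, never
    confirm that 636 is served."""
    return ["_ldap._tcp.%s" % domain, "_ldap._tcp.dc._msdcs.%s" % domain]


def check_ldaps(host, port=636, timeout=3.0, cafile=None):
    """Attempt a verified TLS handshake to host:port.

    Returns {"ok": True, "subject": ..., "notAfter": ...} when the DC
    presents a certificate that chains to the trust store (the system store,
    or the enterprise CA cert given in cafile), otherwise {"ok": False,
    "reason": ...}.  A DC that never enrolled shows up as a connect failure
    (nothing listening on 636); a DC with a cert from the wrong CA shows up
    as a cert failure.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname verification on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"host": host, "ok": True,
                        "subject": cert.get("subject"),
                        "notAfter": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as e:   # subclass of SSLError, so first
        return {"host": host, "ok": False, "reason": "cert: %s" % e.reason}
    except ssl.SSLError as e:
        return {"host": host, "ok": False, "reason": "tls: %s" % e}
    except (socket.timeout, OSError) as e:
        return {"host": host, "ok": False, "reason": "connect: %s" % e}


def ldaps_failures(hosts):
    """Run the check over a list of DCs and return only the failures, i.e.
    the DCs you would not want to publish an LDAPS record for yet."""
    return [r for r in (check_ldaps(h) for h in hosts) if not r["ok"]]


if __name__ == "__main__":
    # Replace with your own DC names; with no DC reachable this reports connect failures.
    for result in ldaps_failures(["dc01.example.invalid", "dc02.example.invalid"]):
        print(result["host"], result["reason"])
```

Run it from a box that trusts the enterprise CA (or pass `cafile`), otherwise every DC with a valid internal certificate is reported as a cert failure rather than a success.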
Re: [ActiveDir] FW: Script to move user account and computer accounts
Look at ADMOD or ADMT for xdom move. If you actually want to copy a user, look at ADMT.

Note. ADMT won't perform a copy, when operating intra-forest, by default. But you can configure it to do so IIRC.

Other options are to create a new user and copy the existing attributes, using a script or some code, excluding things like SID, UPN, etc. If this is the route you want to take, I don't think it's detailed in a whitepaper anywhere (it might be but I've not read it). This is something you need to implement yourself. The problem here is that ADMT tracks source and destination objects so you can re-run it and keep the target attributes up-to-date with the source ones. Your script won't do this by default.

--Paul

- Original Message -
From: Group, Russ
To: ActiveDir@mail.activedir.org
Sent: Monday, October 09, 2006 3:27 PM
Subject: [ActiveDir] FW: Script to move user account and computer accounts

Hi all, I was wondering if there is a script I can use that will move user accounts and computer accounts from one child domain to another child domain (Windows 2000). I don't even know where to look for this, so if someone can point me in the right direction (URL or white paper) so I don't ask the same ignorant question twice, I would appreciate it. Thanks Russ
Re: [ActiveDir] [OT] Exchange 2007 Schema
LOL. It's in the rest room I'm told...

--Paul

- Original Message -
From: Rich Milburn [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, October 06, 2006 6:56 PM
Subject: RE: [ActiveDir] [OT] Exchange 2007 Schema

For the BrettSh T-Shirt, my vote is for the line to be split BrettSh T- Shirt. It's similar to the signs in the UK for leasing buildings - TO LET. They are just missing an i. I think Dean and Paul W know what I'm talking about :-)

Rich
---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 06, 2006 10:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Exchange 2007 Schema

You are definitely funny Brett, some would just argue whether it is in the ways you think. =) I find you quite funny, I am waiting for the BrettSh T-Shirt to come out in fact. But with the crazy that can only be Brett hairdo, not the big boy hairdo. ;o)

I do kind of agree with Tony though, unless you are one of the TAP folks with specific agreements with MSFT to bail you out in the event of a nasty fire, you probably shouldn't be installing heavily AD integrated beta products into your production forest. I would assume that ITG/OTG/GOaT/GIT/OA/IT/IS or whatever the name is now being used for MSFT IT have the necessary support agreements in place. :) Plus they have Brian, not much he isn't going to be able to fix by himself I think.

joe
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, October 05, 2006 11:58 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] [OT] Exchange 2007 Schema

Oh crap! Brian Puhl, you reading? Tony says E2k7 is a beta product, I hope you didn't load that schema on our main forest? Too late to get it backed out (via forest restore)? Thanks for the heads up Tony, BrettSh [msft]

P.S. - Does anyone think I'm as funny as I think I am ... probably not ...

On Thu, 5 Oct 2006, Tony Murray wrote:
Hi all, there are apparently schema changes post Beta 2 - just in case anyone was considering pre-loading the schema changes into production [1]. I don't have any further details on what the changes are. Tony

[1] Which of course you wouldn't contemplate with a Beta product :-)
Re: [ActiveDir] finding users that password never expire.
Perform an AND query. In ADFIND, this looks like this:

adfind -default -bit -f "(objectCategory=person)(userAccountControl:AND:=65536)" cn

If you want to use ADUC, or something else, you'll need to use this:

(&(objectCategory=person)(useraccountcontrol:1.2.840.113556.1.4.803:=65536))

--Paul

- Original Message -
From: Yann
To: ActiveDir@mail.activedir.org
Sent: Monday, October 09, 2006 4:43 PM
Subject: [ActiveDir] finding users that password never expire.

Hello all, I had to dump in AD all users whose password never expires. I used the saved queries with this custom ldap query: useraccountcontrol=66048, which corresponds to the NORMAL_ACCOUNT DONT_EXPIRE_PASSWORD properties flag. BUT I found that this search was not complete, because some users have other properties flags such as UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED ... :( So the question is: how to search for user accounts that have at least the DONT_EXPIRE_PASSWORD property flag set in their useraccountcontrol? Is there a way to do it with a custom ldap query? Thanks, Yann
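Both this thread and the userAccountControl 544 thread above come down to the same thing: userAccountControl is a bit mask, so an equality filter like useraccountcontrol=66048 only matches one exact combination, while the 1.2.840.113556.1.4.803 (bitwise AND) matching rule, which adfind spells :AND:, matches every account with the bit set. The following added example (not code from the list, joeware or Microsoft) decodes the flags, replays the ADSI creation sequence Paul describes (546, then 544 if only enabled, then 512 once 32 is cleared), builds the bitwise filter, and runs the equality and bitwise searches over a small set of constructed sample accounts to show the difference Yann hit. Flag values are the documented UF_* constants; account names and values are made up for the example.

```python
"""Decode userAccountControl bits and build LDAP bitwise-AND filters.

Added example for the userAccountControl 544 and 'password never expires'
threads; not code from the list, joeware or Microsoft.  SAMPLE_ACCOUNTS is
constructed test data.
"""

# Well-known userAccountControl flag bits (UF_* constants).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWD": 0x10000,
    "NOT_DELEGATED": 0x100000,
}

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match; adfind -bit writes it as :AND:.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Names of the flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def clear_flag(value, flag):
    """Value with one named flag cleared (what admod's CLR does on the DC)."""
    return value & ~UAC_FLAGS[flag]


def adsi_create_sequence():
    """Replay the ADSI path from the thread.  Creation without a password
    yields 2 + 32 + 512 (546).  Enabling the account but forgetting 32 leaves
    544, the value Marcus saw.  Clearing 32 after the password is set gives
    the intended 512; nothing clears it for you."""
    created = (UAC_FLAGS["ACCOUNTDISABLE"] | UAC_FLAGS["PASSWD_NOTREQD"]
               | UAC_FLAGS["NORMAL_ACCOUNT"])
    enabled_only = clear_flag(created, "ACCOUNTDISABLE")
    corrected = clear_flag(enabled_only, "PASSWD_NOTREQD")
    return created, enabled_only, corrected


def bitwise_and_filter(attribute, mask):
    """LDAP filter matching entries whose attribute has every bit of mask set."""
    return "(%s:%s:=%d)" % (attribute, LDAP_MATCHING_RULE_BIT_AND, mask)


def bit_and_matches(value, mask):
    """Local evaluation of the 803 rule: all bits in mask must be set."""
    return value & mask == mask


# Constructed sample accounts: (sAMAccountName, userAccountControl).
SAMPLE_ACCOUNTS = [
    ("alice", 512),       # normal, enabled
    ("bob", 544),         # normal + PASSWD_NOTREQD: freshly ADSI-created user
    ("carol", 66048),     # normal + DONT_EXPIRE_PASSWD
    ("dave", 66050),      # disabled + normal + DONT_EXPIRE_PASSWD
    ("erin", 1114626),    # disabled + normal + DONT_EXPIRE_PASSWD + NOT_DELEGATED
]


def equality_search(accounts, value):
    """What the saved query 'useraccountcontrol=66048' does: exact match only."""
    return [name for name, uac in accounts if uac == value]


def flag_search(accounts, flag):
    """What the bitwise-AND filter does: every account with that flag set."""
    mask = UAC_FLAGS[flag]
    return [name for name, uac in accounts if bit_and_matches(uac, mask)]


if __name__ == "__main__":
    print("equality 66048:", equality_search(SAMPLE_ACCOUNTS, 66048))
    print("filter:", bitwise_and_filter("userAccountControl", UAC_FLAGS["DONT_EXPIRE_PASSWD"]))
    print("bitwise DONT_EXPIRE_PASSWD:", flag_search(SAMPLE_ACCOUNTS, "DONT_EXPIRE_PASSWD"))
    for name in flag_search(SAMPLE_ACCOUNTS, "PASSWD_NOTREQD"):
        uac = dict(SAMPLE_ACCOUNTS)[name]
        print(name, uac, decode_uac(uac), "->", clear_flag(uac, "PASSWD_NOTREQD"))
```

Against the sample set the equality search returns only carol, while the bitwise search returns carol, dave and erin; the PASSWD_NOTREQD search is the local equivalent of Paul's adfind | admod pipeline and flags bob, whose corrected value is 512.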
Re: [ActiveDir] choose between SOAD and Netpro directory Troubleshooter.
I assume you mean NetPro Directory Analyser? I've not done much with any, but we've got NetPro Directory Troubleshooter here and from what I've seen of it, it doesn't compare with Quest's SOAD as it does more proactive, task oriented stuff. I've not seen NetPro's analyser. Quest's SOAD is OK, but as with all real time monitoring solutions, you're limited by the human on the end. I'd prefer something like HP OpenView Operations for Windows or BMC Patrol or even MOM, which can react accordingly to issues in a number of ways.

--Paul

- Original Message -
From: Yann
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 03, 2006 7:11 PM
Subject: [ActiveDir] choose between SOAD and Netpro directory Troubleshooter.

Hello all, I don't know if it is the right place. I'm about to test 2 AD troubleshooter products and I have to choose one of them to monitor/tshoot our AD infrastructure: Spotlight on Active Directory (SOAD) and NetPro Active Directory Troubleshooter. Does someone have any experience with the 2 products and could tell me what are the pros and cons of each of them? Thank you, Yann
Re: [ActiveDir] ADFS and certs
Perhaps Tomasz and I should blog about this more for now. :)

Yeah, you guys do that please! This looks like it's taking off, and some of it is a real black art for some infrastructure people...

--Paul

- Original Message -
From: Joe Kaplan [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, September 25, 2006 12:10 AM
Subject: Re: [ActiveDir] ADFS and certs

Yeah, the real step by step guide isn't so bad per se. What it tries to do is give you a simple path to having an easy demo set up of ADFS going so you can kick the tires. For that, it is ok. Where it doesn't cross the gap very well is in providing guidance on how to apply the lessons learned to real scenarios.

Because ADFS relies on certificates for both SSL/HTTP and the signing of security tokens, you need certificates to use it. In order to get through the step by step guide successfully, they chose to use the self-issued model, as it is really the only simple way to get SSL certs without spending money or setting up a CA. However, it does leave you with self-signed certs, which is not where you want to end up.

I think that either the step by step guide needs to provide more guidance and explanation of the steps and how to apply them, or the other documentation for ADFS needs to fill this gap. As it stands now, there is still no good guidance on how to procure your certificates and what the various trade-offs are for the possible ways to go about this. People who already know PKI will be able to fill in the details, but many people will be left scratching their heads.

Perhaps Tomasz and I should blog about this more for now. :)

Joe K.

- Original Message -
From: Tomasz Onyszko [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sunday, September 24, 2006 3:16 PM
Subject: Re: [ActiveDir] ADFS and certs

Rick Kingslan wrote:
Joe, Tomasz - Yep, you're right that it may tend to show a bad precedent for people to follow. I haven't taken a look at these particular labs (and having just come back from a long hiatus, I didn't see the referenced lab) but is the guidance there as to what Best or Preferred Practices SHOULD BE?

You can check this lab here: http://www.microsoft.com/downloads/details.aspx?familyid=062F7382-A82F-4428-9BBD-A103B9F27654&displaylang=en

No. You will not find any guidance on best practices there, and maybe this is not the best place, but I'm not aware of any other ADFS related doc which deals in detail with best practices and a description of the usage of certificates in an ADFS deployment.

If not - I find that the bigger problem than the fact that self-certs are being used at all.

--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
Re: [ActiveDir] LDAP query assistance
Great answer Joe. I completely missed the multi-domain issue, thinking (as I wrote) that was only an issue for DLGs. Oh well, you've certainly refreshed my memory and answered the question admirably. As you can tell from this, and from our off-line conversation, I'm just using ASQ all the time ('cause it's great!) - sometimes it's not appropriate : )

--Paul

- Original Message -
From: joe
To: ActiveDir@mail.activedir.org
Sent: Friday, September 22, 2006 3:53 PM
Subject: RE: [ActiveDir] LDAP query assistance

This unfortunately isn't going to work...

1. Global group membership is not maintained in the GC. Depending on the domain the GC you query hosts, your results will vary. If you hit a parent DC GC then you will see memberships for the parent (and Unis). If you hit a child DC GC, then you will see memberships of the child (and Unis).

2. An ASQ query will only work against objects in the linked attribute that are immediately available. Depending on whether you hit a GC port or the local LDAP port and depending on the info present in that GC instance (see comments above) the results again could vary. The ASQ query does NOT cross DCs to return info. Again, since the global group membership of a domain is only maintained on a DC of that domain, this will only resolve part of the membership.

A couple of examples of ASQ in action...

G:\Temp\delete>adfind -e -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" member

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003

dn:CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com
>member: CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com
>member: CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com
>member: CN=Domain Users,CN=Users,DC=joe,DC=com

1 Objects returned

G:\Temp\delete>adfind -e -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* -dn

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003

dn:CN=Domain Users,CN=Users,DC=joe,DC=com
dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com

2 Objects returned

Note that the member attribute of the group has 3 members but the ASQ objectclass=* query only returns 2; that is because, doing the LDAP port 389 query, the child1 object is not available. Now change that to a GC query to a GC that is a DC for joe.com and it works:

G:\Temp\delete>adfind -h 2k3dc02 -gc -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* -dn

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc02.joe.com:3268
Directory: Windows Server 2003

dn:CN=Domain Users,CN=Users,DC=joe,DC=com
dn:CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com
dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com

3 Objects returned

But if I wanted the membership of those three global groups and tried against the same GC, you will note that the membership of the child1 domain group is not enumerated...

G:\Temp\delete>adfind -h 2k3dc02 -gc -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* member

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc02.joe.com:3268
Directory: Windows Server 2003

dn:CN=Domain Users,CN=Users,DC=joe,DC=com
>member: CN=Domain Admins,CN=Users,DC=joe,DC=com
>member: CN=administrator,CN=Users,DC=joe,DC=com

dn:CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com

dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com
>member: CN=2K3EXC02,CN=Computers,DC=joe,DC=com
>member: CN=2K3EXC01,CN=Computers,DC=joe,DC=com

3 Objects returned

But turn it around and use a child1 GC and what do you think you get?

G:\Temp\delete>adfind -h 2k3dc10 -gc -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* member

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc10.child1.joe.com:3268
Directory: Windows Server 2003

0 Objects returned

That's right... nothing. That makes perfect sense, correct? If not, think about what group data is "guaranteed" to be in GCs and for what scope groups...

There is, unfortunately, no single LDAP query that can be posed to AD to resolve the membership of three global groups in three different domains. The proper way to handle this would be to use a single Universal group or a single Domain Local group; with both, you would add all members to the group directly, not nest. An alternate is to
Re: [ActiveDir] LDAP query assistance
Something like this, against a GC:

(|(&(objectCategory=person)(memberOf=dn of group 01))(&(objectCategory=person)(memberOf=dn of group 02))(&(objectCategory=person)(memberOf=dn of group 03)))

You can also do it the way you want using ASQ if you don't mind DN as the output. Here's an example using ADFIND:

adfind -b "cn=group,ou=groups,dc=domain-name,dc=com" -asq member -f "objectCategory=group" member -list

--Paul

- Original Message -
From: Amanda Rose
To: ActiveDir Mailing List
Sent: Friday, September 22, 2006 10:02 AM
Subject: [ActiveDir] LDAP query assistance

Hello! I work in a small company where we have need of some LDAP query assistance to identify a group of users out of AD. We only have basic LDAP knowledge in house and our query is not finding what we need. I would really appreciate any assistance you could lend to the following:

We are trying to identify and synchronize a group called LLUsers within AD with an external application, so that we can do single-sign-on (AD Authentication). Our Active Directory is structured as follows:

Parent Domain contains a global security group called LLUsers.
Two child domains each contain a Global Security Group called LLUsers.
In the Parent Domain, there is an additional Local Security Group called LLUsersLocal whose members are the LLUsers groups from all three domains.

We want to construct a single LDAP query that will return the Users from all three LLUsers groups. Right now, the LDAP query we have pulls individual users added to the LLUsers group in the parent domain. Is there a way to create a nested or OR query that can look in LLUsersLocal and pull out the Individual Users in each group within?

This is the current LDAP query:
(&(objectcategory=user)(memberOf=CN=LLUsers,CN=users,DC=res-ltd,DC=com))

We have tried many others, often a variation of:
(&(objectcategory=user)(|(memberOf=CN=LLUsersLocal,CN=users,DC=res-ltd,DC=com)(memberOf=CN=LLUserslocal,CN=users,DC=glasgow,DC=res-ltd,DC=com)(memberOf=CN=LLUserslocal,CN=users,DC=austin,DC=res-ltd,DC=com)))

Or perhaps the AD design with Parent and Child directories makes this impossible? We have received some advice that we should move to a flat structure with only one domain and use work groups within.

Amanda Rose, Renewable Energy Systems
[EMAIL PROTECTED] (email)
www.res-americas.com or www.res-ltd.com
Re: [ActiveDir] different version of R2 available?
When we spoke with the PM out in Redmond it was said that the feature that allows you to copy a file on one replica and have that file get made up on another with very little replication traffic, e.g. a comparison taken on the local source and then only the deltas replicated (just like the rest of the RDC engine but without having done an initial source of the original file from the upstream partner), required an Enterprise version of Windows in the mix (somewhere in the DFSR topology).

There seems to be some confusion about this. I'm not talking about RDC, but a feature that utilises that technology. For example, you have a VHD (hdd01) and you copy it to the same folder locally and rename to hdd02. That file isn't replicated in its entirety. Rather, the hdd01 on the replica is used to create that file and only the necessary bits that represent the filename change are replicated.

A couple of people have tried to shoot me down in flames when I mentioned this, but I know what I heard... : ) (although I might not be correct)

--Paul

- Original Message -
From: Chong Ai Chung
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 21, 2006 12:29 AM
Subject: Re: [ActiveDir] different version of R2 available?

Refer to the following KB article:

Media for Windows Server 2003 R2 is released by using various SKUs, such as Windows Server 2003 R2 Standard Edition, Windows Server 2003 R2 Enterprise Edition, and Windows Server 2003 R2 Datacenter Edition. CD2 must be the same SKU as what is currently installed. For example, only Windows Server 2003 R2 Standard Edition CD2 can be applied to Windows Server 2003 Standard Edition.

http://support.microsoft.com/kb/912309/en-us

On 9/21/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:
My officemate and I were discussing whether there are different versions of the R2 CD depending on whether you're running Server 2003 Standard or Server 2003 Enterprise. Or is there only one version of R2? TIA! Mike Thommes
Re: [ActiveDir] DC Establishing Session to client on TCP139
It's probably SMB (CIFS). The NT5.x client service attempts to establish SMB sessions using both 445 and 137/8/9 (whichever one). The first to reply is what is used. If 445, it's SMB over TCP/IP. If the NetBT 3, then it's SMB over NetBIOS over TCP/IP (NetBT).

Note. It doesn't use all three of the NetBT 3, I just don't remember what's what.

--Paul

- Original Message -
From: Brian Desmond
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 21, 2006 2:53 AM
Subject: [ActiveDir] DC Establishing Session to client on TCP139

I'm seeing a lot of hits in firewall logs for DCs trying to establish sessions to clients on TCP139 (NBT Session Service). Does anyone know why this is happening or if it's necessary?

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
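Paul's explanation (a session attempt goes out on both 445 and the NetBT session port, and whichever answers first is used) means a DC showing up as the source of 139 connections in firewall logs is expected to appear beside a 445 attempt to the same client; the interesting cases are clients where only the 139 path is ever seen. The following added example (not code from the list) summarises DC-initiated SMB attempts from firewall log lines and lists those clients. The log format, the DC addresses and every log line are constructed for the example; adapt the regular expression to your own firewall's export format.

```python
"""Summarise DC-initiated SMB session attempts (TCP 139 vs 445) from firewall logs.

Added example for the 'DC Establishing Session to client on TCP139' thread;
not code from the list.  The log format, DC addresses and lines below are
constructed for the example.
"""
import re
from collections import Counter

# Constructed firewall log lines: date time action proto src dst dport
SAMPLE_LOG = """\
2006-09-20 02:10:03 ALLOW TCP 10.1.0.10 10.1.5.21 139
2006-09-20 02:10:03 ALLOW TCP 10.1.0.10 10.1.5.21 445
2006-09-20 02:10:09 DROP TCP 10.1.0.10 10.1.5.40 139
2006-09-20 02:11:14 ALLOW TCP 10.1.0.11 10.1.6.7 445
2006-09-20 02:11:15 DROP TCP 10.1.0.11 10.1.6.7 139
2006-09-20 02:12:00 ALLOW TCP 10.1.5.21 10.1.0.10 389
"""

# Constructed DC addresses for the sample environment.
SAMPLE_DCS = {"10.1.0.10", "10.1.0.11"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DROP) (?P<proto>\w+) "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<dport>\d+)$")

SMB_PORTS = {445: "SMB over TCP/IP", 139: "SMB over NetBT"}


def parse_line(line):
    """One log line to a dict, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def dc_smb_sessions(log_text, dc_addresses):
    """Count SMB session attempts where a DC is the *source*, keyed by
    (dc, port, action).  Client-to-DC traffic (the normal direction) is
    ignored, which isolates the pattern the thread is about."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["src"] in dc_addresses and rec["dport"] in SMB_PORTS:
            counts[(rec["src"], rec["dport"], rec["action"])] += 1
    return counts


def clients_seen_only_over_netbt(log_text, dc_addresses):
    """Clients a DC tried on 139 but never reached successfully on 445.
    With the race Paul describes, a healthy client shows both; a client in
    this list is worth checking for a blocked 445 or missing direct-hosted SMB."""
    allowed_445, seen_139 = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["src"] not in dc_addresses:
            continue
        if rec["dport"] == 445 and rec["action"] == "ALLOW":
            allowed_445.add(rec["dst"])
        elif rec["dport"] == 139:
            seen_139.add(rec["dst"])
    return sorted(seen_139 - allowed_445)


if __name__ == "__main__":
    for (dc, port, action), n in sorted(dc_smb_sessions(SAMPLE_LOG, SAMPLE_DCS).items()):
        print(dc, port, SMB_PORTS[port], action, n)
    print("139-only clients:", clients_seen_only_over_netbt(SAMPLE_LOG, SAMPLE_DCS))
```

On the sample lines the DC 10.1.0.10 reaches 10.1.5.21 on both ports, so that client is not reported; 10.1.5.40 was only ever tried on 139 (and dropped), so it is the one client listed.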
Re: [ActiveDir] How are folks setting hidden user attribs?
We populate this on user creation because we use provisioning systems (bespoke stuff that was written for the project(s)). For some of our smaller customers, there were scripts that were run to populate this stuff. Initially a bulk import, followed by monthly updates or adhoc updates via the script or web front end.

Other options are using a different admin tool, e.g. Quest Active Roles, to create users and configure that to allow you to write this attribute.

--Paul

- Original Message -
From: Alex Fontana [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 21, 2006 8:03 AM
Subject: [ActiveDir] How are folks setting hidden user attribs?

Hey guys, I'm curious how people are populating attributes such as employeeid, employeetype, etc, specifically when creating\modifying accounts using the GUI (ADUC)? Besides me writing something to populate the fields, what other resources do I have to allow other selected users (account creators) to populate these fields? TIA -alex
Re: [ActiveDir] [OT] mSDS-Approx-Immed-Subordinates - How does it work?
Joe,

How is the DS calculating these values? The reason I ask is I've always found it to be way off. For example, take a look at the following output against one of my ADAM instances:

D:\dev\dotnet\vb\ds>adfind -h .:5 -b ou=people,dc=test-lab,dc=com -s one -f "|(objectcategory=organizationalunit)(objectcategory=container)" msDS-Approx-Immed-Subordinates

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: adlds01.test-lab.com:5
Directory: Active Directory Application Mode

dn:OU=Test-Batch-01,OU=People,DC=test-lab,DC=com
>msDS-Approx-Immed-Subordinates: 2742

dn:OU=Test-Batch-02,OU=People,DC=test-lab,DC=com
>msDS-Approx-Immed-Subordinates: 37507

dn:OU=Test-Batch-03,OU=People,DC=test-lab,DC=com
>msDS-Approx-Immed-Subordinates: 52809

3 Objects returned

D:\dev\dotnet\vb\ds>adfind -h .:5 -b ou=test-batch-02,ou=people,dc=test-lab,dc=com -s one -c

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: adlds01.test-lab.com:5
Directory: Active Directory Application Mode

5 Objects returned

D:\dev\dotnet\vb\ds>adfind -h .:5 -b ou=test-batch-03,ou=people,dc=test-lab,dc=com -s one -c

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: adlds01.test-lab.com:5
Directory: Active Directory Application Mode

75000 Objects returned

Thanks,
--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 September 2006 16:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ad Reporting Tools

-enabled is definitely on the list to be added to oldcmp. I will have to think about the summary switch...

So you just want counts... I have something in my script repository that is probably pretty close to what you want... I used it for some testing once. It is perl, but you are welcome to convert it to what you need or modify as you see fit...

#############################################################################
# ObjSum.PL
#===========================================================================
# Author : [EMAIL PROTECTED] (Joe Richards)
# Version: V01.00.00
# Modification History:
#   V01.00.00 2004.01.15 joe Original Version
#---------------------------------------------------------------------------
# This script counts objects matching a filter + approx children of each
# container/OU
#---------------------------------------------------------------------------
# Notes:
#   This script will output the container DN, container name, an approximate
#   guess at the number of child objects in the container and then an exact
#   count of the objects in the container for the filter specified. If a base
#   is not selected, the default NC of the default DC will be used. If a
#   filter is not specified, the filter objectclass=* will be utilized.
#############################################################################

#############################################################################
# Packages:
#---------------------------------------------------------------------------
#   None required
#

#############################################################################
# Definitions:
#---------------------------------------------------------------------------
#   None required
#

#
# Display header
#
print "\nObjSum V01.00.00pl Joe Richards ([EMAIL PROTECTED]) January 2004\n\n";

#
# Get args
#  ex: Arg1: dc=test,dc=local
#      Arg2: "(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)"
#
my $base=shift;
my $filter=shift;

#
# Process args
# Set defaults if nothing specified - default NC and all objects
#
if ($base!~/\w/) {$base="-default"} else {$base="-b $base"};
if ($filter!~/\w/) {$filter="*"};

#
# Build container/OU query and execute
# We want all OUs and any containers that are "default",
# i.e. shown in basic views, this skips adminsdholder et alii.
#
my $cmd="adfind $base -f \"(|(objectcategory=organizationalunit)" .
        "(objectcategory=container))(!showInAdvancedViewOnly=TRUE)\" name " .
        "msDS-Approx-Immed-Subordinates -csv -csvdelim %%SPLIT%% -csvq \"\"";
my @containers=`$cmd`;
shift @containers;  # lose the header line
chomp @containers;  # lose crlf

#
# Print header for CSV
#
print "\"dn\",\"name\",\"Aprox Child Obj Count\",\"$filter count\"\n";

#
# Quote filter in case it needs to be
#
if ($filter!~/\"/) {$filter="\"$filter\""};
# (the remainder of the script is cut off in the archived message)
Re: [ActiveDir] Elevating privileges from DA to EA
Lucky you : )

I'm in an environment where we're doing this now, and I'm not happy with how it's being done (I think we can be even more secure ;-), which means I've accidentally volunteered to re-look at it all for the next iteration of the design cycle... (bollocks)

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 5:22 PM
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Thanks Paul.

Joe's been there and done it... LOL - so have I several times before :)

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 15 September 2006 09:46
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

Neil,

Try a re-read of the first couple of chapters of the first part of the deployment guide book designing and deploying directory and security services. Obviously it doesn't spell out how to do this -it doesn't even allude to how this is done- but does emphasise when and when not to go with the regional domain model.

I'm not disputing what anyone is saying here -I agree. I just happen to think the regional model can be a good one, and that if done properly works. Even from a security standpoint. The main thing with the regional design is that there's a central group of service admins, or a true delegated model. If you have multiple groups of service admins it can still work, but the issue that has been raised is very real and you probably need to implement processes and monitor against it (if you're forced into such a design by the needs of the business or obtuse upper management ;-). Although it does seem to be possible to implement disparate groups of service admins if you follow the delegation whitepaper (you'll need to improvise, but most of the info. is pertinent), which should put you in a much stronger position from a security standpoint.

If you can achieve a very small number of people who are actually members of the builtin\Administrators group, and the rest only have delegated permissions and privileges (and preferably very few privileges on the DCs, i.e. no logon locally) you can achieve what you want. Joe's been there and done it...

--Paul

- Original Message -
From: Almeida Pinto, Jorge de
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 8:48 AM
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].

What is being said is very very true. Either you trust ALL Domain Admins (no matter the domain those are in) or you do not trust ANY! Every Domain Admin or ANY person with physical access to a DC has the possibility to turn the complete forest into crap! Because if that was NOT the case the DOMAIN would be the security boundary. Unfortunately it is not! The Forest is the security boundary, whereas EVERY single DC in the forest MUST be protected and EVERY Domain Admin MUST be trusted!

I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above

When you know HOW, it is as easy as taking candy from a baby

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 15, 2006 09:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Thanks for responses, all.

Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].

I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above. Make sense?

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 14 September 2006 20:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

Can you reword? I'm not sure I clearly understand the question. FWIW, going from DA to EA is a matter of adding one's id to the EA group. DA's have that right in the root domain of the forest (DA's of the root domain have that
Re: [ActiveDir] Strange password issue
No worries. It's a big thread that has spawned several different threads of discussion.

--Paul

- Original Message -
From: Akomolafe, Deji
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 5:32 PM
Subject: RE: [ActiveDir] Strange password issue

OK. The account under discussion is "512". Had to refresh my brains because I just took your 1-4 bullet points and said, uh-uh, there is a way to have an enabled password-less account. Granted it won't be "512" and will be useless, it is still enabled. Sorry, Paul.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: joe
Sent: Fri 9/15/2006 7:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The account is currently 512... You can't get there with a blank password without 1-4.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 14, 2006 11:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account. It's a feasible scenario, no?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: joe
Sent: Thu 9/14/2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set.

So if you have an account that is created, which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password. If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"

A blank password does not have a hash, the system knows it is blank.

You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd.

So current or past setting of UAC has no bearing on this problem. This could occur in four ways that I can think of (in order of likelihood) and speak about

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared
2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain
3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection.
4. The raw DIT was modified.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

PWD_NOT_REQ is 32. You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add
Re: [ActiveDir] Elevating privileges from DA to EA
is to get as few actual DA's as possible. Is the threat real? Yes. If you feel you should have multiple domains, chances are good you really need OU's and a better admin model that includes less complexity and fewer moving parts.

Oh, one other thing that might be of interest to your planning group: ask them about their restoration requirements. In that model, restoration can be a bloody nightmare especially if the layer-8 issues are not resolved up front.

Al

On 9/15/06, Paul Williams [EMAIL PROTECTED] wrote:

Neil,

Try a re-read of the first couple of chapters of the first part of the deployment guide book designing and deploying directory and security services. Obviously it doesn't spell out how to do this -it doesn't even allude to how this is done- but does emphasise when and when not to go with the regional domain model.

I'm not disputing what anyone is saying here -I agree. I just happen to think the regional model can be a good one, and that if done properly works. Even from a security standpoint. The main thing with the regional design is that there's a central group of service admins, or a true delegated model. If you have multiple groups of service admins it can still work, but the issue that has been raised is very real and you probably need to implement processes and monitor against it (if you're forced into such a design by the needs of the business or obtuse upper management ;-). Although it does seem to be possible to implement disparate groups of service admins if you follow the delegation whitepaper (you'll need to improvise, but most of the info. is pertinent), which should put you in a much stronger position from a security standpoint.

If you can achieve a very small number of people who are actually members of the builtin\Administrators group, and the rest only have delegated permissions and privileges (and preferably very few privileges on the DCs, i.e. no logon locally) you can achieve what you want. Joe's been there and done it...

--Paul

- Original Message -
From: Almeida Pinto, Jorge de
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 8:48 AM
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].

What is being said is very very true. Either you trust ALL Domain Admins (no matter the domain those are in) or you do not trust ANY! Every Domain Admin or ANY person with physical access to a DC has the possibility to turn the complete forest into crap! Because if that was NOT the case the DOMAIN would be the security boundary. Unfortunately it is not! The Forest is the security boundary, whereas EVERY single DC in the forest MUST be protected and EVERY Domain Admin MUST be trusted!

I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above

When you know HOW, it is as easy as taking candy from a baby

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 15, 2006 09:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Thanks for responses, all.

Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].

I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above. Make sense?

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 14 September 2006 20:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

Can you reword? I'm not sure I clearly understand the question. FWIW, going from DA to EA is a matter of adding one's id to the EA group. DA's have that right in the root domain of the forest (DA's of the root domain have that right). Editing etc. is not necessary. Nor are key-loggers etc. If physical access is available, there are plenty of ways to get the access you require to a domain but I suspect you're asking how can a DA from a child domain gain EA access; is that the question you're looking to answer?

Just for curiosity, what brings up that question?

Al

On 9/14/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

It has been suggested by certain parties here that elevating one's rights from AD to EA is 'simple'. I have suggested that whilst it's possible it is not simple at all. Does anyone have any descriptions of methods / backdoors / workarounds etc that can be used to elevate rights
Re: [ActiveDir] Elevating privileges from DA to EA
DAs got nothing to do with it. It makes it easier, but this can be done by someone without any account at all.

--Paul

- Original Message -
From: Bernard, Aric [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 10:33 PM
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Kevin,

FWIW - as others are stating, assuming you know what you are doing, it is *simple* and painless so long as you are a DA of any domain in the forest and have access to the console of a GC. There are many exploit strategies in this area and in its most basic form this can be done with rudimentary knowledge, native tools, and no coding or scripting.

Aric

-Original Message-
From: Kevin Brunson [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 9/15/06 1:35 PM
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

http://www.microsoft.com/technet/security/Bulletin/MS02-001.mspx discusses some elevation of privilege attacks. It also links to another article that is supposed to have more details on SID filtering, which doesn't seem to exist anymore. All references I have found point only at NT4 and 2000 as susceptible to this kind of attack, and they have a patch to fix it. So I guess 2003 is secure at least when it comes to the SIDHistory method. There must be other ways of doing it, though. I don't know that they could possibly be simple if MS put out a patch to fix this particular hole way back in 02. The referenced article (for those who don't read it) calls for a binary edit of the data structures that hold the SIDHistory information. Not exactly candy from a baby level, unless you happen to be a 3rd level black-belt in babies-canditsu. But I'm sure someone with extreme skills could take on an unpatched 2000 domain without much trouble. Either way, it looks like SID filtering mitigates most of the risk.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, September 15, 2006 2:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].

What is being said is very very true. Either you trust ALL Domain Admins (no matter the domain those are in) or you do not trust ANY! Every Domain Admin or ANY person with physical access to a DC has the possibility to turn the complete forest into crap! Because if that was NOT the case the DOMAIN would be the security boundary. Unfortunately it is not! The Forest is the security boundary, whereas EVERY single DC in the forest MUST be protected and EVERY Domain Admin MUST be trusted!

I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above

When you know HOW, it is as easy as taking candy from a baby

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 15, 2006 09:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Thanks for responses, all.

Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].

I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above. Make sense?

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 14 September 2006 20:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

Can you reword? I'm not sure I clearly understand the question. FWIW, going from DA to EA is a matter of adding one's id to the EA group. DA's have that right in the root domain of the forest (DA's of the root domain have that right). Editing etc. is not necessary. Nor are key-loggers etc. If physical access is available, there are plenty of ways to get the access you require to a domain but I suspect you're asking how can a DA from a child domain gain EA access; is that the question you're looking to answer?

Just for curiosity, what brings up that question?

Al

On 9/14/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

It has been suggested by certain parties here that elevating one's rights from AD to EA is 'simple'. I have suggested that whilst it's possible it is not simple at all. Does anyone have any descriptions of methods / backdoors / workarounds etc that
Re: [ActiveDir] Strange password issue
Not really, as it's now 512 and can't get to that state without a password meeting complexity.

--Paul

- Original Message -
From: Akomolafe, Deji
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 4:52 AM
Subject: RE: [ActiveDir] Strange password issue

I think you are missing 5.

5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then someone programmatically set UAC to 544 or went into ADUC and manually enabled the account. It's a feasible scenario, no?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: joe
Sent: Thu 9/14/2006 5:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't set.

So if you have an account that is created, which by default (i.e. no UAC specified) will be 546. If you specify 544 it will still create and it will allow a blank password. If you have an account with 546 (disabled, pwdnotreqd) you can clear the pwdnotreqd fine. However when you go to enable the account, you will get busted for not following policy. The Extended Error (-exterr with admod) is

DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0

Which is

F:\DEV\cpp\AdMod>err 52d
# for hex 0x52d / decimal 1325 :
  ERROR_PASSWORD_RESTRICTION                                    winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for "52d"

A blank password does not have a hash, the system knows it is blank.

You will obviously hit the same problem if you have an enabled account with pwd_not_reqd and try to clear the pwd_not_reqd.

So current or past setting of UAC has no bearing on this problem. This could occur in four ways that I can think of (in order of likelihood) and speak about

1. Someone relaxed the policy while the password was set or when the account was being enabled / having pwd_not_reqd cleared
2. The Domain Password Policy isn't or at least wasn't getting applied to one or more domain controllers for some reason. Check minPwdLength on the NC Head objects of all DCs in the domain
3. A blank password hash was forced into the attribute of an already enabled account through some form of LSASS process injection.
4. The raw DIT was modified.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, September 06, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

PWD_NOT_REQ is 32. You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully

C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required,
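The userAccountControl arithmetic joe and Paul walk through in the two "Strange password issue" threads above (546 = disabled + PWD_NOT_REQD + normal, 544, 512, and the 0x52D rejection when an account would end up enabled and password-required while its password is blank), modelled as an added example. This is not code from the list or from joeware; the flag values and the LDAP bitwise-AND matching rule OID are the documented AD ones, while the accounts and minPwdLength are constructed.

```python
"""Model the userAccountControl (UAC) rules discussed in the thread.

Added example, not code from the list posts or from joeware. The flag
values and the LDAP bitwise-AND matching rule OID are the documented
Active Directory ones; the accounts and minPwdLength used are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# userAccountControl bits; decimal values are the ones quoted in the thread
ACCOUNTDISABLE = 0x0002   # 2
PASSWD_NOTREQD = 0x0020   # 32, written PWD_NOT_REQD in the thread
NORMAL_ACCOUNT = 0x0200   # 512

UAC_NAMES = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION", 0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY", 0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED", 0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# LDAP extensible-match rule "bitwise AND" (adfind's :AND: is shorthand for it)
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

ERROR_PASSWORD_RESTRICTION = 0x52D  # 1325, the extended error in joe's post


def decode_uac(value: int) -> list[str]:
    """Name the bits set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_NAMES.items()) if value & bit]


def password_required(uac: int) -> bool:
    """True when the DC insists on a policy-compliant password: the account
    is enabled and PASSWD_NOTREQD is clear."""
    return not (uac & ACCOUNTDISABLE) and not (uac & PASSWD_NOTREQD)


@dataclass
class Account:
    sam_account_name: str
    uac: int
    password_blank: bool   # the DC knows a blank password has no hash


def set_uac(acct: Account, new_uac: int, min_pwd_length: int) -> int | None:
    """Apply a UAC change the way joe describes the DC behaving.

    Returns None on success, or ERROR_PASSWORD_RESTRICTION (surfaced by the DC
    as WILL_NOT_PERFORM) when the resulting state is enabled + password
    required while the password is blank and minPwdLength is non-zero.
    Clearing PASSWD_NOTREQD on a disabled account (546 -> 514) is allowed;
    enabling that account afterwards is what gets rejected.
    """
    if password_required(new_uac) and acct.password_blank and min_pwd_length > 0:
        return ERROR_PASSWORD_RESTRICTION
    acct.uac = new_uac
    return None


def ldap_filter_uac(flags_set: int = 0, flags_clear: int = 0) -> str:
    """Build the LDAP filter that finds users with given UAC bits set/clear."""
    parts = ["(objectCategory=person)", "(objectClass=user)"]
    if flags_set:
        parts.append(f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={flags_set})")
    if flags_clear:
        parts.append(f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={flags_clear}))")
    return "(&" + "".join(parts) + ")"


def audit_password_not_required(accounts: list[Account]) -> list[str]:
    """Defender's check: enabled accounts a blank password would satisfy
    (544-style), i.e. PASSWD_NOTREQD set and ACCOUNTDISABLE clear."""
    return [a.sam_account_name for a in accounts
            if (a.uac & PASSWD_NOTREQD) and not (a.uac & ACCOUNTDISABLE)]


def walk_through_thread(min_pwd_length: int = 7) -> dict[str, object]:
    """Replay the transitions discussed: 546 -> 514 ok, 514 -> 512 rejected,
    544 -> 512 rejected (Paul's admod test), 544 -> 512 ok once a password
    meeting policy has been set. Accounts are constructed."""
    created_default = Account("testuser1", 546, password_blank=True)  # ADSI default
    created_544 = Account("testuser2", 544, password_blank=True)      # Paul's case
    results: dict[str, object] = {}
    results["546->514"] = set_uac(created_default, 514, min_pwd_length)
    results["514->512"] = set_uac(created_default, 512, min_pwd_length)
    results["544->512 blank"] = set_uac(created_544, 512, min_pwd_length)
    created_544.password_blank = False   # someone sets a compliant password
    results["544->512 set"] = set_uac(created_544, 512, min_pwd_length)
    results["final"] = (created_default.uac, created_544.uac)
    return results


if __name__ == "__main__":
    print(decode_uac(546))
    print(ldap_filter_uac(flags_set=PASSWD_NOTREQD, flags_clear=ACCOUNTDISABLE))
    for step, outcome in walk_through_thread().items():
        print(step, hex(outcome) if isinstance(outcome, int) else outcome)
```

Setting min_pwd_length to 0 in walk_through_thread reproduces joe's first cause (a relaxed policy lets 514 -> 512 through with a blank password).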
Re: [ActiveDir] Elevating privileges from DA to EA
Neil,

Try a re-read of the first couple of chapters of the first part of the deployment guide book designing and deploying directory and security services. Obviously it doesn't spell out how to do this -it doesn't even allude to how this is done- but does emphasise when and when not to go with the regional domain model.

I'm not disputing what anyone is saying here -I agree. I just happen to think the regional model can be a good one, and that if done properly works. Even from a security standpoint. The main thing with the regional design is that there's a central group of service admins, or a true delegated model. If you have multiple groups of service admins it can still work, but the issue that has been raised is very real and you probably need to implement processes and monitor against it (if you're forced into such a design by the needs of the business or obtuse upper management ;-). Although it does seem to be possible to implement disparate groups of service admins if you follow the delegation whitepaper (you'll need to improvise, but most of the info. is pertinent), which should put you in a much stronger position from a security standpoint.

If you can achieve a very small number of people who are actually members of the builtin\Administrators group, and the rest only have delegated permissions and privileges (and preferably very few privileges on the DCs, i.e. no logon locally) you can achieve what you want. Joe's been there and done it...

--Paul

- Original Message -
From: Almeida Pinto, Jorge de
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 8:48 AM
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].

What is being said is very very true. Either you trust ALL Domain Admins (no matter the domain those are in) or you do not trust ANY! Every Domain Admin or ANY person with physical access to a DC has the possibility to turn the complete forest into crap! Because if that was NOT the case the DOMAIN would be the security boundary. Unfortunately it is not! The Forest is the security boundary, whereas EVERY single DC in the forest MUST be protected and EVERY Domain Admin MUST be trusted!

I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above

When you know HOW, it is as easy as taking candy from a baby

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 15, 2006 09:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Thanks for responses, all.

Al - we are designing a forest with regional domains (don't ask!) and one region has suggested it needs to split from this forest since elevating rights in any regional domain from DA to EA (forest wide) is 'simple' [and this would break the admin / support model].

I am arguing that it is not simple and am looking for methods which may be used to elevate rights as per the above. Make sense?

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 14 September 2006 20:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

Can you reword? I'm not sure I clearly understand the question. FWIW, going from DA to EA is a matter of adding one's id to the EA group. DA's have that right in the root domain of the forest (DA's of the root domain have that right). Editing etc. is not necessary. Nor are key-loggers etc. If physical access is available, there are plenty of ways to get the access you require to a domain but I suspect you're asking how can a DA from a child domain gain EA access; is that the question you're looking to answer?

Just for curiosity, what brings up that question?

Al

On 9/14/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

It has been suggested by certain parties here that elevating one's rights from AD to EA is 'simple'. I have suggested that whilst it's possible it is not simple at all. Does anyone have any descriptions of methods / backdoors / workarounds etc that can be used to elevate rights in this way? Naturally, you may prefer to send this to me offline :) [ [EMAIL PROTECTED]]

I can think of the following basic methods:
- Remove DC disks and edit offline
- Introduce key logger on admin workstation / DC
-
Re: [ActiveDir] VBScript Container Security
I can't point you at any examples, but most of the documentation I read and from what MSFT people said at conferences, reckons you should grant full control to the group for SMS servers on that container. That's horse sh!t -you need to grant create and delete of each of the MS SMS object types and full control over those object types, and that's it.

When I designed a couple of k3 SMS installations last year I used a DLG called SMS Servers and GGs called Primary SMS and Secondary SMS and nested the GGs into the DLG which was granted the permissions. You can then get specific for primary and secondary servers in some cases, or grant all via the DLG.

I'm afraid I can't remember the names of the classes, so can't give you the ldapDisplayNames of the object types in question. But they're easy to find, they should be prefixed with mS-SMS or something like that.

Note also that the advanced clients search on objectClass instead of objectCategory, so if you haven't already, you need to index objectClass.

--Paul

- Original Message -
From: Joe McNicholas
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 10:53 AM
Subject: [ActiveDir] VBScript Container Security

I'm trying to create and secure the "LDAP://cn=System Management,cn=System,dc=mydomain,dc=com" container, as required for SMS[1]. I'm able to create the container successfully, but haven't found any examples of how to assign security to an OU or Container in the AD. MS Script Centre and a quick google have come up blank, can anyone point me to any examples?

Thanks
Joe

[1] Ref: https://www.microsoft.com/technet/prodtechnol/sms/smssp2/spsecurity/3df7a6e2-e173-4def-a81a-5bd90fbbf9d8.mspx?mfr=true
Re: [ActiveDir] need help
Look into the Win32_Service class for info. on how to view and manage services via script. Or, if you fancy calling EXEs and not handling everything in code, use the SC.EXE tool.

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 12:12 PM
Subject: [ActiveDir] need help

Guys, I need to develop a program which displays the services in all the DCs. Any idea where I can find better help regarding this, or any other alternative solution?

Thanks in advance

"Joe McNicholas" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/15/2006 09:53 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] VBScript Container Security

I'm trying to create and secure the "LDAP://cn=System Management,cn=System,dc=mydomain,dc=com" container, as required for SMS[1]. I'm able to create the container successfully, but haven't found any examples of how to assign security to an OU or Container in the AD. MS Script Centre and a quick google have come up blank, can anyone point me to any examples?

Thanks
Joe

[1] Ref: https://www.microsoft.com/technet/prodtechnol/sms/smssp2/spsecurity/3df7a6e2-e173-4def-a81a-5bd90fbbf9d8.mspx?mfr=true
Re: [ActiveDir] dsget error
It must be some kind of issue with the DS* tools. I was using a combination of ADFIND and DSMOD last week to enable ~200,000 user objects (I forgot to set a password in a script that created a bunch of objects and therefore had a shed load of objects with uac of 546) and it would die every time with that error after a couple of thousand objects.

I figured, but didn't look into it, it's something to do with the fact that DSMOD queries the DN you pass it to check for object type, etc. which means there's loads of queries hitting the DC (one for each mod). This is why Joe's ADMOD (1.7) is going to be loads better, as he only does one extra query which means there's only n + 1 LDAP requests hitting the DC as opposed to n x 2 with DSMOD.

--Paul

- Original Message -
From: Brian Desmond
To: ActiveDir@mail.activedir.org
Sent: Wednesday, September 13, 2006 2:45 AM
Subject: RE: [ActiveDir] dsget error

The query is probably timing out. Get Joe's ADfind and run something like this:

adfind -default -f "(&(objectCategory=person)(objectClass=user))" displayName sAMAccountName pwdLastSet

You can tag a -csv on there too.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Tuesday, September 12, 2006 9:29 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] dsget error

Any time I try to run a large query using dsquery and dsget where I pipe it to a text file for output, I eventually get a "dsget failed: The server is not operational." error from dsget. I've searched the Internet for this and seen posts from a couple of other people who have had this issue, with no resolution. Am I doing something wrong? Am I stupid? (yes, I probably am) Am I missing some limitation of stdout?

Here's the command I was using:

dsquery user -name * -limit 0 | dsget user -display -samid -pwdneverexpires

Thnx,
JC
[ActiveDir] Handling different schemas - managing maintaining updates
I can't get too specific about the requirements, so please don't ask ;-)

I'm looking for your ideas, opinions and experience on how you maintain different sets of schemas for different forests that you manage (for the same customer).

Basically, consider this: you have an internal domain (single domain forest) and another (or several) single domain forest(s) in a DMZ. They might have Exchange and one or two other directory-enabled apps that extend the schema, and you have your own standard/default schema. Do you see any security implications in having the same schema in the DMZ-type networks as that of the internal domain? And if not, how do you manage updates and testing, etc?

I might have several single domain forests. Internal ones, and several of these DMZ based domains. It's not really a DMZ, but is a different network and is considered external to the internal domain(s). This is for a number of interoperability apps, and no we can't use ADAM or equivalent. We're using plenty of ADAM.

The main thing I'm interested in here is, as mentioned above, if you were happy to have a consistent schema, how do you maintain that? Would you use a script to compare and export differences, etc.? Or, would you recommend against having a standard schema? I can't see why anyone would recommend against this unless there's a major security concern I've overlooked as it will greatly complicate future extensions, but I'm interested nonetheless.

Please assume a large enterprise environment that follows ITIL and has a proper test environment, e.g. ADAM - VM - Dev - Pre-prod - live.

Thanks,
--Paul
Re: [ActiveDir] Handling different schemas - managing maintaining updates
You know ITIL. It's all guidelines and advice, etc. It's not hands on processes for you (or if it is, I slept through all that). We obviously have a structured process for testing additions. My question is more around technically implementing such a process, with minimal intervention, around a whole bunch of schemas, i.e. would you look at implementing some sort of comparison and export, e.g. schema analyser from ADAM R2 or a bespoke script that achieves the same thing?

Good to see you are thinking along the same lines as me with the default base, but are you suggesting different streams of schema if and when changes occur in different forests? I don't like that (at the moment, I might be persuaded otherwise). It will also cause considerable, additional effort in testing new extensions for more than one schema, as there'll be different objects in each.

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, September 13, 2006 2:37 PM
Subject: RE: [ActiveDir] Handling different schemas - managing maintaining updates

Without wishing to appear facetious :) - I would suggest if the company follows ITIL practices then they already have a change mgmt and config mgmt process and/or system which helps achieve your goal. As far as best practices are concerned, I would aim for a 'core' schema config which is present in all instances of ADAM or AD schemas but manage differences via the ITIL framework (mentioned above).

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 13 September 2006 10:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Handling different schemas - managing maintaining updates

I can't get too specific about the requirements, so please don't ask ;-)

I'm looking for your ideas, opinions and experience on how you maintain different sets of schemas for different forests that you manage (for the same customer).

Basically, consider this: you have an internal domain (single domain forest) and another (or several) single domain forest(s) in a DMZ. They might have Exchange and one or two other directory-enabled apps that extend the schema, and you have your own standard/default schema. Do you see any security implications in having the same schema in the DMZ-type networks as that of the internal domain? And if not, how do you manage updates and testing, etc?

I might have several single domain forests. Internal ones, and several of these DMZ based domains. It's not really a DMZ, but is a different network and is considered external to the internal domain(s). This is for a number of interoperability apps, and no we can't use ADAM or equivalent. We're using plenty of ADAM.

The main thing I'm interested in here is, as mentioned above, if you were happy to have a consistent schema, how do you maintain that? Would you use a script to compare and export differences, etc.? Or, would you recommend against having a standard schema? I can't see why anyone would recommend against this unless there's a major security concern I've overlooked as it will greatly complicate future extensions, but I'm interested nonetheless.

Please assume a large enterprise environment that follows ITIL and has a proper test environment, e.g. ADAM - VM - Dev - Pre-prod - live.

Thanks,
--Paul
Re: [ActiveDir] Strange password issue
Have you actually seen this behaviour? As it was my understanding that this particular policy is processed by SCE outside of normal policy application (by the PDCe - I can't remember how often, 60 minutes comes to mind but I don't know why).

I've tried to document this here:
-- http://www.msresource.net/content/view/36/46/

--Paul

- Original Message -
From: Passo, Larry
To: ActiveDir@mail.activedir.org
Sent: Sunday, September 10, 2006 3:19 AM
Subject: RE: [ActiveDir] Strange password issue

If the Domain Controllers OU is set to block GPO inheritance, and the domain GPO that sets the password policy isn't set for No Override, then the domain policies might not get set properly.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 08, 2006 1:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

err, actually the password policy is stored in the machine portion of the GPO and thus applies to all machines and therefore all local user objects too.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: 06 September 2006 17:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago.. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:
Tom, This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL. Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks
Re: [ActiveDir] Strange password issue
The only way that I'm aware of where you can have different lengths (without your own filters, etc.) is if you deny the domain controllers from reading the necessary attributes on the NC head. By doing this, and then having multiple policies, I believe you can achieve what you are talking about. I've not tested this - I'm basing this on a conversation I had with someone who has tested this (Mr. Wells) - although we had had a lot to drink at the time, and I might have got things muddled up (very possible).

Under those circumstances, I assume the values defined in the GPO work. It seems to be that the DCs favour the values on the NC head. The values on the NC head are written by the PDCe - that reads the domain policies and applies the values to the domain. I haven't got round to getting my source access sorted yet, so can't verify. Hopefully someone with access to the code can chip in here.

I'm not disputing what you're saying re. blocking. That will probably stop the PDCe applying this. However, I don't think the other DCs process this in the same way. Unless there's a fall back, and you're achieving that via specific filtering, e.g. DC computer objects or custom groups, i.e. some DCs getting one, and others getting another...

Interesting. I'll have to try and repro (which is going to take some time with the current work load).

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, September 11, 2006 3:02 PM
Subject: Re: [ActiveDir] Strange password issue

My understanding was that the Password Policies are applied similarly to any other Group Policy. I do recall doing some testing some time ago where by using various security filtering on Group Policies I was able to set up two DC's with two different effective policies and so two different values for Password length.

The thing to remember is that domain password changes etc are processed by a domain controller. You therefore need to check whether the Password policy is being applied to all of the domain controllers. As Larry said, if there is blocking on the OU for Domain Controllers and the Default Domain Policy does not have "No Override" then the DC will not get the policy. Similarly, it is possible that security filtering has been applied to the Default Domain Policy that stops it from getting applied etc. However these things would be "permanent" so you would still have a DC with the Policy not applied.

However, my guess is that something was wrong a month ago on a Domain Controller which processed the Password reset. It is possible that it is still a problem (i.e. if blocking was the culprit), but it is more likely to have cleared up. Is it possible that there was a DC added briefly at the time that was not processing Policies for some reason? Is it feasible to check all of the event logs on all DC's at the time the password was created? It may show Group Policy Processing errors at the time.

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter (Free) http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

- Original Message -
From: Paul Williams
To: ActiveDir@mail.activedir.org
Sent: Monday, September 11, 2006 7:06 PM
Subject: Re: [ActiveDir] Strange password issue

Have you actually seen this behaviour? As it was my understanding that this particular policy is processed by SCE outside of normal policy application (by the PDCe - I can't remember how often, 60 minutes comes to mind but I don't know why).

I've tried to document this here:
-- http://www.msresource.net/content/view/36/46/

--Paul

- Original Message -
From: Passo, Larry
To: ActiveDir@mail.activedir.org
Sent: Sunday, September 10, 2006 3:19 AM
Subject: RE: [ActiveDir] Strange password issue

If the Domain Controllers OU is set to block GPO inheritance, and the domain GPO that sets the password policy isn't set for No Override, then the domain policies might not get set properly.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 08, 2006 1:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

err, actually the password policy is stored in the machine portion of the GPO and thus applies to all machines and therefore all local user objects too.

neil

From: [EMAIL PROTECTED] [mai
Re: [ActiveDir] Strange password issue
Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Any password policy, regardless as to where it is linked in the domain, will apply to any and all computer accounts within scope. The domain password policy applies to all computer objects in the domain (within scope, i.e. not filtered). The only thing that is special about the domain password policy (a GPO with account policy configured and linked to the domainDNS object) is that the PDCe applies the values set therein to the necessary attributes re. pwd policy on the domain NC head - which is why you have to link your GPO with the settings you want to the domain and can't link it to the DC's OU - which is where the DCs read that info. from.

--Paul

From: Laura A. Robinson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 06, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago.. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:
Tom, This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL. Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Strange password issue
But it's possible that someone changed this policy, created the account, and changed it back. I've done this myself (several times for service accounts to avoid [HP] protect tool's obfuscation process). It might not even have been intentional. One admin could have messed with the policy and several minutes later (that's all it's going to take if you're in the same site as the PDCe) another admin created the user.

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago.. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:
Tom, This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL. Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks
Re: [ActiveDir] Strange password issue
But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this.

p.s. your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))

Remember, unless you've made it so, objectClass isn't indexed and although UAC is, this also applies to non-people objects, e.g. computers.

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 07, 2006 11:35 AM
Subject: RE: [ActiveDir] Strange password issue

UAC bitmask is 32. A normal user then gets UAC = 544. Try doing a ldap query for

(&(objectClass=user)(userAccountControl=544))

You could then modify the attribute to 512 on these users either with adsiedit or in a nice tool such as ADModify.net.

Note: if the option password not required is set, then you can either have a blank password or comply with the password policy in defdom GPO.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: den 6 september 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Pressed send before I finished typing! : (

Following on from the last mail. You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? If you test this, when you set the policy to zero it says no password required (in the Window).

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:
This is a domain account. To rehash - The Default Domain Policy is set to min password length - 6 characters. This was created 2 years ago and never changed. User account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:
Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago.. Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:
Tom, This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The
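The userAccountControl audit discussed above, as an added example that is not code posted to the thread: it evaluates both the quoted exact-match query (userAccountControl=544) and the bitwise filter locally against constructed sample entries (all names and values are made up), in Python rather than against a live DC, to show why the bit-AND rule with objectCategory=person is the better audit query.

```python
"""Audit userAccountControl for PASSWD_NOTREQD (bit 0x20 / decimal 32).

Added example for the thread above, not code posted to the list. The sample
entries are constructed, and both LDAP filters are evaluated locally so the
script runs offline; against a real DC you would send the filter string from
passwd_notreqd_filter() and post-process the returned entries the same way.
"""
from typing import Any, Dict, List

# Well-known userAccountControl flag bits (subset relevant to the thread).
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
}
PASSWD_NOTREQD = UAC_FLAGS["PASSWD_NOTREQD"]

# Extensible-match rule OID LDAP_MATCHING_RULE_BIT_AND: an entry matches when
# (attribute AND value) == value, i.e. every bit in the value is set.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def passwd_notreqd_filter() -> str:
    """The audit filter from the thread: person/user objects with bit 32 set."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={PASSWD_NOTREQD}))"
    )


def decode_uac(value: int) -> List[str]:
    """Names of the known flag bits present in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def _user(sam: str, uac: int) -> Dict[str, Any]:
    return {"sAMAccountName": sam, "objectCategory": "person",
            "objectClass": ["top", "person", "organizationalPerson", "user"],
            "userAccountControl": uac}


def _computer(sam: str, uac: int) -> Dict[str, Any]:
    # Computer objects are also objectClass=user, but objectCategory=computer.
    return {"sAMAccountName": sam, "objectCategory": "computer",
            "objectClass": ["top", "person", "organizationalPerson", "user",
                            "computer"],
            "userAccountControl": uac}


# Constructed sample entries (made-up names; not taken from the thread).
SAMPLE_ENTRIES: List[Dict[str, Any]] = [
    _user("alice", 512),            # NORMAL_ACCOUNT only: password required
    _user("svc-backup", 544),       # 512 + 32: the exact value in the quoted query
    _user("svc-legacy", 66080),     # 512 + 32 + 65536: missed by an exact match
    _user("old-temp", 546),         # 512 + 32 + 2: disabled, still flagged
    _computer("FILESRV01$", 4128),  # 4096 + 32: a computer, not a person
]


def matches_exact_544(entry: Dict[str, Any]) -> bool:
    """The quoted query: (&(objectClass=user)(userAccountControl=544))."""
    return "user" in entry["objectClass"] and entry["userAccountControl"] == 544


def matches_bit_and(entry: Dict[str, Any], require_person: bool = True) -> bool:
    """Local evaluation of passwd_notreqd_filter() (optionally without the
    objectCategory=person clause, to show what it filters out)."""
    if require_person and entry["objectCategory"] != "person":
        return False
    uac = entry["userAccountControl"]
    return "user" in entry["objectClass"] and (uac & PASSWD_NOTREQD) == PASSWD_NOTREQD


def find_passwd_notreqd(entries: List[Dict[str, Any]], exact: bool = False,
                        require_person: bool = True) -> List[str]:
    """sAMAccountNames flagged by either filter, sorted for stable reporting."""
    if exact:
        hits = [e for e in entries if matches_exact_544(e)]
    else:
        hits = [e for e in entries if matches_bit_and(e, require_person)]
    return sorted(str(e["sAMAccountName"]) for e in hits)


if __name__ == "__main__":
    print("filter:", passwd_notreqd_filter())
    print("exact 544 match:", find_passwd_notreqd(SAMPLE_ENTRIES, exact=True))
    print("bit-AND, persons:", find_passwd_notreqd(SAMPLE_ENTRIES))
    print("bit-AND, any class:",
          find_passwd_notreqd(SAMPLE_ENTRIES, require_person=False))
    for entry in SAMPLE_ENTRIES:
        uac = entry["userAccountControl"]
        print(f"{entry['sAMAccountName']:<12} {uac:>6} {decode_uac(uac)}")
```

The exact-match query reports only the 544 account, while the bit-AND filter also catches accounts that carry extra flags (disabled, password never expires); dropping objectCategory=person pulls in computer objects, which is the point Paul makes about the query.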
Re: [ActiveDir] Strange password issue
Does it have a hash though? There's no password. It's null. I don't know the answer to that. It could, I suppose, pad it out but...who knows?

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org ; [EMAIL PROTECTED]
Sent: Thursday, September 07, 2006 3:10 PM
Subject: Re: [ActiveDir] Strange password issue

This brings up a very good point, HOW is it checking the password length? As we pointed out earlier once the hash is created there should not be a way to easily check the password length.

Andrew Fidel

"Paul Williams" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/07/2006 07:35 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: Re: [ActiveDir] Strange password issue

But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this.

p.s. your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))

Remember, unless you've made it so, objectClass isn't indexed and although UAC is, this also applies to non-people objects, e.g. computers.

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, September 07, 2006 11:35 AM
Subject: RE: [ActiveDir] Strange password issue

UAC bitmask is 32. A normal user then gets UAC = 544. Try doing a ldap query for

(&(objectClass=user)(userAccountControl=544))

You could then modify the attribute to 512 on these users either with adsiedit or in a nice tool such as ADModify.net.

Note: if the option password not required is set, then you can either have a blank password or comply with the password policy in defdom GPO.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: den 6 september 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Pressed send before I finished typing! : (

Following on from the last mail. You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? If you test this, when you set the policy to zero it says no password required (in the Window).

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:
This is a domain account. To rehash - The Default Domain Policy is set to min password length - 6 characters. This was created 2 years ago and never changed. User account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:
Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDi
Re: [ActiveDir] Strange password issue
Yeah, I think I saw your post last night. Mail was taking 70 minutes to come through last night. It's not really academic or obsolete, as this proves that it couldn't have been 544 and set back to 512. Which means that it is more than likely the password, or lack of, was set when the policy wasn't in place. --Paul - Original Message - From: Laura A. Robinson To: ActiveDir@mail.activedir.org Sent: Thursday, September 07, 2006 4:56 PM Subject: RE: [ActiveDir] Strange password issue Since the OP has said that the accounts' UAC flags are 512, not 544, the entire discussion around this is moot. BTW, did anybody notice if my post about the 512/544 value hit the list yesterday? I don't remember seeing it and am wondering if I actually sent it. :-) Thanks, Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Thursday, September 07, 2006 7:36 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Strange password issue But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this. p.s. your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set. (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32)) Remember, unless you've made it so, objectClass isn't indexed and although UAC is, this also applies to non-people objects, e.g. computers. --Paul - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, September 07, 2006 11:35 AM Subject: RE: [ActiveDir] Strange password issue UAC bitmask is 32. A normal user then gets UAC = 544. 
Try doing an LDAP query for (&(objectClass=user)(useraccountcontrol=544)) You could then modify the attribute to 512 on these users either with adsiedit or in a nice tool such as ADModify.net. Note: if the option password not required is set. Then you can either have a blank password or comply with the password policy in defdom GPO. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: den 6 september 2006 21:35 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Strange password issue Pressed send before I finished typing! : ( Following on from the last mail You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? If you test this, when you set the policy to zero it says no password required (in the Window). --Paul From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: 06 September 2006 19:28 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Strange password issue From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length. On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote: This is a domain account. To rehash- The Default Domain Policy is set to min password length- 6 characters. This was created 2 years ago and never changed. User account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. 
The userAccountControl attribute of the user object was set to 512(not that i'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL. Thanks On
Re: [ActiveDir] AD object (User accounts) Permissions disappearing
If the permissions are being reset it is the result of DSPROP. Google adminSDHolder or look at this: -- http://www.msresource.net/content/view/38/46/ The reason this is happening is because these users are members (directly or indirectly) of groups considered protected, e.g. administrators, backup operators, etc. --Paul - Original Message - From: Danny To: ActiveDir@mail.activedir.org Sent: Thursday, September 07, 2006 4:48 PM Subject: [ActiveDir] AD object (User accounts) Permissions disappearing Environment: Windows Server 2003 R2 and 2000 mixed AD forest with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server. Scenario: Existing AD account with full Exchange mailbox and provisioned BES user. Out of the blue the user is unable to send from their BlackBerry. Permissions are checked in ADUC, and the required SendAs permission granted to the BES account have disappeared. This has happened to new and existing users. I do not know where to start. I am reviewing a dcdiag /e /v to see if there are any potentially related problems. Thanks, ...D
RE: [ActiveDir] Strange password issue
PWD_NOT_REQ is 32. You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says: C:\admod -b cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005 DN Count: 1 Using server: connoa-dc-01.connoa.concorp.contoso.com Adding specified objects... DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com... The command completed successfully C:\admod -b cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com useraccountcontrol::512 -unsafe AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005 DN Count: 1 Using server: connoa-dc-01.connoa.concorp.contoso.com Modifying specified objects... DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform ERROR: Too many errors encountered, terminating... The command did not complete successfully --Paul From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: 06 September 2006 19:28 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Strange password issue From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length. On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote: This is a domain account. To rehash- The Default Domain Policy is set to min password length- 6 characters. 
This was created 2 years ago and never changed. User account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that i'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL. Thanks On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote: Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account? Laura From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern Sent: Wednesday, September 06, 2006 11:44 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Strange password issue If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago. Maybe the PC is not getting the Default Domain Policy? On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote: Tom, This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect? Robert Williams From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern Sent: Wednesday, September 06, 2006 9:39 AM To: activedirectory Subject: [ActiveDir] Strange password issue I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL. Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords? 
Thanks 2006-09-06, 11:32:05 The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.
RE: [ActiveDir] Strange password issue
Pressed send before I finished typing! : ( Following on from the last mail You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this? If you test this, when you set the policy to zero it says no password required (in the Window). --Paul From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: 06 September 2006 19:28 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Strange password issue From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length. On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote: This is a domain account. To rehash- The Default Domain Policy is set to min password length- 6 characters. This was created 2 years ago and never changed. User account is a domain account created a month ago. It was brought to my attention that the user can log in with no password. I confirmed. The userAccountControl attribute of the user object was set to 512 (not that i'm certain if setting the passwd_notreqd overrides the DDP). The domain/forest is at w2k3 FL. Thanks On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote: Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account? 
Laura From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern Sent: Wednesday, September 06, 2006 11:44 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Strange password issue If you mean before the policy was set up, then, no. This policy has been in effect for a couple of years and the account was created a month ago. Maybe the PC is not getting the Default Domain Policy? On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote: Tom, This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect? Robert Williams From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern Sent: Wednesday, September 06, 2006 9:39 AM To: activedirectory Subject: [ActiveDir] Strange password issue I'm having this weird issue where I have a user account who is able to log in with a blank password. The Default Domain Policy is set to a min password length of 6 characters. The userAccountControl on the user is set to 512. The Domain is at win2k3 DFL and FFL. Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords? Thanks 2006-09-06, 11:32:05
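The thread above turns on two things: what the userAccountControl bits 512 and 544 actually mean, and why Paul's bitwise-AND filter (matching rule 1.2.840.113556.1.4.803) finds accounts that an equality test on 544 misses. The following is an added example, not code posted to the list or from any of the tools mentioned. The flag table is the documented AD userAccountControl bit layout; the directory entries are constructed sample data for hypothetical accounts, so the script runs offline with no domain.

```python
from __future__ import annotations

# Added example: decode userAccountControl (UAC) and compare an equality filter
# on 544 with the LDAP bitwise-AND matching-rule filter. The entries below are
# constructed sample data, not real accounts.

# userAccountControl flag bits as documented for Active Directory.
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00400000: "DONT_REQ_PREAUTH",
}
PASSWD_NOTREQD = 0x20
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> list[str]:
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def bit_and_filter(mask: int) -> str:
    """The filter Paul recommends: person objects of class user with the mask bits set."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={mask}))")


def _entry(name, category, classes, uac):
    return {"sAMAccountName": name, "objectCategory": category,
            "objectClass": classes, "userAccountControl": uac}


USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
COMPUTER_CLASSES = USER_CLASSES + ["computer"]

# Constructed sample entries (hypothetical accounts).
SAMPLE_ENTRIES = [
    _entry("alice", "person", USER_CLASSES, 512),          # NORMAL_ACCOUNT only
    _entry("bob", "person", USER_CLASSES, 544),            # NORMAL_ACCOUNT + PASSWD_NOTREQD
    _entry("carol", "person", USER_CLASSES, 546),          # ...and ACCOUNTDISABLE
    _entry("dave", "person", USER_CLASSES, 66080),         # ...and DONT_EXPIRE_PASSWORD
    _entry("WKS01$", "computer", COMPUTER_CLASSES, 4128),  # computer object with bit 32 set
]


def equality_search(entries, value: int) -> list[str]:
    """Mimics (&(objectClass=user)(userAccountControl=<value>)): exact value only."""
    return [e["sAMAccountName"] for e in entries
            if "user" in e["objectClass"] and e["userAccountControl"] == value]


def bit_and_search(entries, mask: int) -> list[str]:
    """Mimics bit_and_filter(mask): the 803 rule matches when every mask bit is set.

    objectCategory=person drops computer objects, which also carry objectClass=user.
    """
    return [e["sAMAccountName"] for e in entries
            if e["objectCategory"] == "person"
            and "user" in e["objectClass"]
            and e["userAccountControl"] & mask == mask]


if __name__ == "__main__":
    for uac in (512, 544, 546, 66080):
        print(uac, decode_uac(uac))
    print(bit_and_filter(PASSWD_NOTREQD))
    print("equality on 544:", equality_search(SAMPLE_ENTRIES, 544))
    print("bit-AND on 32:  ", bit_and_search(SAMPLE_ENTRIES, PASSWD_NOTREQD))
```

The equality query returns only bob; carol (disabled) and dave (password never expires) also have PASSWD_NOTREQD set but a different total, so only the bitwise-AND filter catches them, and objectCategory=person keeps the computer account out of a people report.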
Re: [ActiveDir] Rid Master recovery
Use NTDSUTIL to seize the role(s) - kb255504. Follow the steps in kb216498 to clean AD (metadata and FRS objects) and DNS. --Paul - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, September 05, 2006 1:02 PM Subject: [ActiveDir] Rid Master recovery Guys, another question. One of my RID masters crashed before transferring the FSMO role to another DC on the network. Is there any possibility to make another domain the RID master (the backup failed so I cannot restore the failed RID master DC now)? Thanks in advance "Almeida Pinto, Jorge de" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 09/04/2006 11:18 AM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: [ActiveDir] Rid Master also see: RID Master FSMO explained http://blogs.dirteam.com/blogs/jorge/archive/2006/05/25/1040.aspx cheers, jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, September 04, 2006 18:11 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Rid Master Guys, explain to me the functions of the RID master, and how do I display the RID of an object created in AD? Thanks in advance "joe" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 09/04/2006 08:36 AM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: OT - RE: [ActiveDir] W. in hell While I wouldn't want this to become a humour list, I saw the email and laughed and figured the same thing Laura figured, that Outlook autofill bit the guy (which is funny all by itself because we have all seen it happen if not had it happen to ourselves) and then I moved on. I find all of the additional attention even more humourous including the value judgements of the quality of the joke and analysis of words. 
I classify the message as OT with the droves of other messages that come through the list that are OT[1] and being sent here because of a tenuous relationship of being about technologies that utilize AD[2] though the question itself has nothing to do with AD or simply folks forgoing it all and just saying WTF, I'll give it a shot and ask you guys because you seem helpful. If you get a whole day of many of those coming through it is a bit annoying. More annoying, at least to me, are questions that are ON TOPIC but someone didn't take time to look at the archives or google and asking like it was the first time it was asked versus maybe revisiting the previous discussion in new light. However, unless the list goes moderated which no one wants or at least a vast majority of the someone's don't want, the list is just the way it is and will be and you read the messages if you want and blow by them otherwise. Overall I would hate to lose the jocularity and casualness of the list. It is one of the things that make it worth reading. :) There have been quite a few times subjects have drifted off topic only to expose something in the monkeying around or what not based on something not everyone understood or knew that we wouldn't have otherwise found out that immediately snaps it all back on topic and of great use. joe [1] Though this was funnier than most OT stuff. There is my value judgment on the quality. :) [2] Versus actually being AD Technology. Examples of tech that utilize AD include but are not limited to GPOs, DNS, Exchange, print queues, clustering, file server manipulations (copying files, home drives, management, etc), etc. Not saying questions about all of those are automatically OT, but we tend to get quite a few questions in those areas that aren't about AD or the interaction with AD but about the non-AD aspects of the tech. 
Examples being a question about how to do something in a GPO versus say OU strategies for applying GPOs or the permissions on the GPO objects and how AD interprets them. Or a general question about DNS like what is returned in a query or how it is managed versus what records need to be in DNS for AD to work or how its app NC replicates. -- O'Reilly Active Directory
Re: [ActiveDir] Completely OT: Maroons
Posh! I prefer browns myself. Well, actually, reds... --Paul - Original Message - From: Mark Parris [EMAIL PROTECTED] To: ActiveDir.org ActiveDir@mail.activedir.org Sent: Monday, September 04, 2006 4:30 PM Subject: Re: [ActiveDir] Completely OT: Maroons The only notes I use are £20's Perhaps we are Maroons as we live on an Island - like Robinson Crusoe??? Anyway time to have a break - feeling a deep shade of purple now. M -Original Message- From: Craig Cerino [EMAIL PROTECTED] Date: Mon, 4 Sep 2006 10:47:23 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Completely OT: Maroons Are they using NOTES - - I find that happens in list environments a lot when the sender is using NOTES -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Monday, September 04, 2006 10:06 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Completely OT: Maroons Has anybody figured out what's causing the blank posts, or is it just me who got blank replies from Mark and Neil? Thanks, Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Monday, September 04, 2006 4:15 AM To: ActiveDir.org Subject: Re: [ActiveDir] Completely OT: Maroons List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Rid Master
Google RID FSMO for the functions of the RID master. Many people, including myself [1], have documented this. This info. is easily findable on the big wild web. As for how to view the RID of a user object, there are several ways. An easy way is to download ADFIND (www.joeware.net) and type the following: adfind -default -f samaccountname=username -nodn objectsid e.g. adfind -default -f samaccountname=paulw -nodn objectsid The value that is returned is the SID. The RID is the last section (usually four, five or six digits long). --Paul [1] http://www.msresource.net/content/view/13/46/ - Original Message - From: [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Monday, September 04, 2006 5:11 PM Subject: [ActiveDir] Rid Master Guys, explain to me the functions of the RID master, and how do I display the RID of an object created in AD? Thanks in advance "joe" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 09/04/2006 08:36 AM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: OT - RE: [ActiveDir] W. in hell While I wouldn't want this to become a humour list, I saw the email and laughed and figured the same thing Laura figured, that Outlook autofill bit the guy (which is funny all by itself because we have all seen it happen if not had it happen to ourselves) and then I moved on. I find all of the additional attention even more humourous including the value judgements of the quality of the joke and analysis of words. I classify the message as OT with the droves of other messages that come through the list that are OT[1] and being sent here because of a tenuous relationship of being about technologies that utilize AD[2] though the question itself has nothing to do with AD or simply folks forgoing it all and just saying WTF, I'll give it a shot and ask you guys because you seem helpful. If you get a whole day of many of those coming through it is a bit annoying. 
More annoying, at least to me, are questions that are ON TOPIC but someone didn't take time to look at the archives or google and asking like it was the first time it was asked versus maybe revisiting the previous discussion in new light. However, unless the list goes moderated which no one wants or at least a vast majority of the someone's don't want, the list is just the way it is and will be and you read the messages if you want and blow by them otherwise. Overall I would hate to lose the jocularity and casualness of the list. It is one of the things that make it worth reading. :) There have been quite a few times subjects have drifted off topic only to expose something in the monkeying around or what not based on something not everyone understood or knew that we wouldn't have otherwise found out that immediately snaps it all back on topic and of great use. joe [1] Though this was funnier than most OT stuff. There is my value judgment on the quality. :) [2] Versus actually being AD Technology. Examples of tech that utilize AD include but are not limited to GPOs, DNS, Exchange, print queues, clustering, file server manipulations (copying files, home drives, management, etc), etc. Not saying questions about all of those are automatically OT, but we tend to get quite a few questions in those areas that aren't about AD or the interaction with AD but about the non-AD aspects of the tech. Examples being a question about how to do something in a GPO versus say OU strategies for applying GPOs or the permissions on the GPO objects and how AD interprets them. Or a general question about DNS like what is returned in a query or how it is managed versus what records need to be in DNS for AD to work or how its app NC replicates. 
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino Sent: Monday, September 04, 2006 10:46 AM To: ActiveDir@mail.activedir.org Subject: RE: OT - RE: [ActiveDir] W. in hell I have a hell of a sense of humor (as I’m sure a lot of geeks here do) this just isn’t the place for it when people come here for help. /just sayin From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Sunday, September 03, 2006 10:58 PM To: ActiveDir@mail.activedir.org Subject: RE: OT - RE: [ActiveDir] W. in hell Nah, it looks more like the sender mistook this list for some other lists. On other lists, this would
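Paul's adfind one-liner prints objectSid as a string and tells you to read the RID off the end. When you pull objectSid over LDAP yourself it comes back as the raw binary form, so it helps to see how that layout maps to the S-1-5-21-... string and where the RID sits. The following is an added example, not from the list or from adfind; the SID it uses is constructed for illustration and belongs to no real domain.

```python
from __future__ import annotations

import struct

# Added example: convert between the binary objectSid layout stored in AD and
# the S-R-I-S1-S2-... string, then split off the RID (the last sub-authority).
# Binary layout: revision (1 byte), sub-authority count (1 byte), 48-bit
# identifier authority (big-endian), then count x 32-bit sub-authorities
# (little-endian). The sample SID below is constructed, not a real domain's.

SAMPLE_SID = "S-1-5-21-1004336348-1177238915-682003330-1105"


def sid_to_bytes(sid: str) -> bytes:
    """Encode a SID string in the binary layout objectSid uses."""
    parts = sid.split("-")
    if parts[0].upper() != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision = int(parts[1])
    authority = int(parts[2])            # 48-bit identifier authority, big-endian
    subs = [int(p) for p in parts[3:]]   # 32-bit sub-authorities, little-endian
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode binary objectSid back into its string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def split_sid(sid: str) -> tuple[str, int]:
    """Split a SID into its prefix (the domain SID for S-1-5-21-... SIDs) and the RID."""
    prefix, rid = sid.rsplit("-", 1)
    return prefix, int(rid)


def rid_is_well_known(rid: int) -> bool:
    """RIDs below 1000 are reserved for built-in principals (500 Administrator,
    502 krbtgt, 512 Domain Admins, ...); the RID master hands out pools from 1000 up."""
    return rid < 1000


if __name__ == "__main__":
    raw = sid_to_bytes(SAMPLE_SID)
    print(raw.hex())
    print(bytes_to_sid(raw))
    domain_sid, rid = split_sid(SAMPLE_SID)
    print(domain_sid, rid, "well-known" if rid_is_well_known(rid) else "pool-allocated")
```

The first eight bytes of the sample, 01 05 00 00 00 00 00 05, read as revision 1, five sub-authorities, authority 5 (NT Authority); the 21 and three domain-specific values that follow are the domain SID, and 1105 is the RID the RID master's pool supplied for that object.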
Re: [ActiveDir] nslookup. AD beginer question
If you do NSLOOKUP DOMAIN-NAME.COM then you will get a list of all the DNS servers for that domain. For example, if you are using AD-Integrated DNS, you will get a list of any DCs that are also DNS servers. Basically, that command returns the (Same as parent) records for the domain. If you want to pull all DCs in the domain, you need to run something like this: nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com If you run the above command and get computer accounts back, see kb825675 as referenced by Steve. I wasn't aware that that bug also registered A records for the domain name, but it might... If you're new to NSLOOKUP, consider what information you want. There's a bunch of different types of DNS record that might be of interest (A, CNAME, PTR, SRV, MX). When troubleshooting AD, the main ones to look for are A and SRV (there's also an instance where you need to check the CNAME record too). Remember that simply pinging a DC doesn't mean that the necessary SRV records are in place. I personally always advise people to use a combination of NSLOOKUP and NLTEST to troubleshoot DNS and the locator process. Use NSLOOKUP to see if the records that you expect are there, and NLTEST to make the DsGetDC and DsGetSite calls. --Paul - Original Message - From: Ramon Linan To: ActiveDir@mail.activedir.org Sent: Monday, August 28, 2006 7:14 PM Subject: [ActiveDir] nslookup. AD beginer question Hi Everyone, When I do a nslookup domain.com, being domain.com my AD domain, what should I see? A list of the dns server in my domain? A list of the DC? The fact is that I am doing nslookup and I am getting, domain controllers but also a users computer Thanks
Re: [ActiveDir] nslookup. AD beginer question
Probably because it's a secondary server. Check to see if that IP is hosting a secondary copy of the zone. --Paul - Original Message - From: Ramon Linan To: ActiveDir@mail.activedir.org Sent: Monday, August 28, 2006 10:04 PM Subject: RE: [ActiveDir] nslookup. AD beginer question What I actually did was nslookup domain.com I just found out that one of the computer is a linux server that is managing a child domain child.domain.com that is the reason is showing up there. Anyway, I am also getting an ip address for a windows server machine that is not a DC, dont know why Rezuma From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Monday, August 28, 2006 4:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] nslookup. AD beginer question You mean, you did the following: nslookup <Enter> set q=a <Enter> domain.com <Enter> and the IP you got is for a user's desktop? If so, one reason could be because someone created an A record in DNS for domain.com and mapped it to the desktop's IP. Maybe because the desktop is running web service and hosting the domain.com web site. Is this what you meant? If so, you will need to go and delete the record. You will then need to tell your users that they will not be able to get to the domain.com website any longer because that is your AD domain name. You could create another A record named (for example) WWW under the domain.com zone and give it the desktop's IP and tell your users that they should now use http://www.domain.com/ to get to that website instead of domain.com This is a fairly common misconfiguration. And it's a big problem for your clients and DCs. Sincerely, Deji Akomolafe Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon From: Ramon Linan Sent: Mon 8/28/2006 1:03 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] nslookup. AD beginer question Thanks, but after reading all that I still was not able to find out what kind of information do you get when you do lookup domain.com, being domain.com your AD domain, and why am I getting a users computer. Thanks From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Monday, August 28, 2006 2:21 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] nslookup. AD beginer question http://www.cni.org/pub/inetroom/nslookup.html http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup.mspx?mfr=true http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup__subcommands.mspx?mfr=true Sincerely, Deji Akomolafe Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Ramon Linan Sent: Mon 8/28/2006 11:14 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] nslookup. AD beginer question Hi Everyone, When I do a nslookup domain.com, being domain.com my AD domain, what should I see? A list of the dns server in my domain? A list of the DC? The fact is that I am doing nslookup and I am getting, domain controllers but also a users computer Thanks
Re: [ActiveDir] Site down for 36 hours so far - anything proactive to do?
Not much that you can do other than filter out the replication errors from your monitoring solution, so that calls aren't needlessly raised. A couple of days won't cause you any issues. Just ensure that everything is replicating and talking properly when things come back online. --Paul - Original Message - From: Danny To: ActiveDir@mail.activedir.org Sent: Tuesday, August 29, 2006 3:49 PM Subject: [ActiveDir] Site down for 36 hours so far - anything proactive to do? One of our sites has been without power for over 36 hours now. Is there anything that I should do in AD if the site could potentially be down for the another day or more? DC's are mixed between 2000 SP4, 2003 SP1, and 2003R2. Thanks, ...D -- CPDE - Certified Petroleum Distribution Engineer CCBC - Certified Canadian Beer Consumer
Re: [ActiveDir] nslookup. AD beginer question
If you don't have a host record (A) for the hostname "sami", then you should delete the SRV record [1]. If that isn't a DC, look at the KB mentioned by Steve and I. I've seen a bunch of XP workstations registering in DNS in the past. --Paul [1] Assuming of course that you don't have a DDNS issue, i.e. you don't have a record in DNS but you do have a server with that name. - Original Message - From: Ramon Linan To: ActiveDir@mail.activedir.org Sent: Tuesday, August 29, 2006 4:06 PM Subject: RE: [ActiveDir] nslookup. AD beginer question I did the nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com and I got _ldap._tcp.dc._msdcs.domain.com SRV service location: priority = 0 weight = 100 port = 389 svr hostname = sami.domain.com I can't find that machine anywhere, not in the AD or dns server!!! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson Sent: Tuesday, August 29, 2006 10:15 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] nslookup. AD beginer question I think the key to this question is a very simple troubleshooting step. Go into DNS and look at the (same as parent folder) records. Delete the ones that aren't currently DNS servers. If you are using AD integrated DNS, then this should be any domain controllers that you want clients to get DNS from. Give it a day or two and see if the bad ones come back. If they don't then you can assume this was an obsolete entry. If they do then you can start looking for why. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Tuesday, August 29, 2006 4:43 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] nslookup. AD beginer question If you do NSLOOKUP DOMAIN-NAME.COM then you will get a list of all the DNS servers for that domain. For example, if you are using AD-Integrated DNS, you will get a list of any DCs that are also DNS servers. Basically, that command returns the (Same as parent) records for the domain. 
If you want to pull all DCs in the domain, you need to run something like this: nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com If you run the above command and get computer accounts back, see kb825675 as referenced by Steve. I wasn't aware that that bug also registered A records for the domain name, but it might... If you're new to NSLOOKUP, consider what information you want. There's a bunch of different types of DNS record that might be of interest (A, CNAME, PTR, SRV, MX). When troubleshooting AD, the main ones to look for are A and SRV (there's also an instance where you need to check the CNAME record too). Remember that simply pinging a DC doesn't mean that the necessary SRV records are in place. I personally always advise people to use a combination of NSLOOKUP and NLTEST to troubleshoot DNS and the locator process. Use NSLOOKUP to see if the records that you expect are there, and NLTEST to make the DsGetDC and DsGetSite calls. --Paul - Original Message - From: Ramon Linan To: ActiveDir@mail.activedir.org Sent: Monday, August 28, 2006 7:14 PM Subject: [ActiveDir] nslookup. AD beginer question Hi Everyone, When I do a nslookup domain.com, being domain.com my AD domain, what should I see? A list of the dns server in my domain? A list of the DC? The fact is that I am doing nslookup and I am getting, domain controllers but also a users computer Thanks
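Paul's advice earlier in this thread (check the SRV records with NSLOOKUP, then cross-check against what the locator and the directory say) and Ramon's stray "sami.domain.com" SRV record with no matching host record are the same check from two sides: every DC advertised under _ldap._tcp.dc._msdcs must have an A record and must really be a DC, and nothing that is not a DC should sit in the (same as parent folder) A records. The following is an added example, not code from the list; it parses the "SRV service location" layout that Windows nslookup prints, as quoted in Ramon's reply, and audits it against constructed host records and a constructed DC list for domain.com, so nothing here is a real zone.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Added example: parse "nslookup -type=srv _ldap._tcp.dc._msdcs.<domain>" output
# and cross-check the advertised DCs against host (A) records, the domain's
# (same as parent folder) A records, and the DCs you actually have. All records
# below are constructed sample data for a hypothetical domain.com.

# Windows nslookup prints each SRV answer as a "SRV service location:" block
# with priority, weight, port and "svr hostname" lines, as quoted in the thread.
SRV_RE = re.compile(
    r"priority\s*=\s*(?P<priority>\d+)\s*"
    r"weight\s*=\s*(?P<weight>\d+)\s*"
    r"port\s*=\s*(?P<port>\d+)\s*"
    r"svr hostname\s*=\s*(?P<target>\S+)"
)


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_nslookup_srv(text: str) -> list[SrvRecord]:
    """Extract SRV records from nslookup's 'SRV service location' output."""
    return [SrvRecord(int(m["priority"]), int(m["weight"]), int(m["port"]),
                      m["target"].rstrip(".").lower())
            for m in SRV_RE.finditer(text)]


# Constructed nslookup output: two real DCs plus a stale "sami" registration.
NSLOOKUP_SRV_OUTPUT = """\
Server:  dc1.domain.com
Address:  10.0.0.1

_ldap._tcp.dc._msdcs.domain.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.domain.com
_ldap._tcp.dc._msdcs.domain.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc2.domain.com
_ldap._tcp.dc._msdcs.domain.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = sami.domain.com
dc1.domain.com  internet address = 10.0.0.1
dc2.domain.com  internet address = 10.0.0.2
"""

# Constructed zone data: host (A) records, the (same as parent folder) A records
# for domain.com itself, and the DC list as nltest /dclist or the directory gives it.
HOST_A = {"dc1.domain.com": "10.0.0.1", "dc2.domain.com": "10.0.0.2",
          "ws07.domain.com": "10.0.0.50"}
APEX_A = ["10.0.0.1", "10.0.0.2", "10.0.0.50"]
KNOWN_DCS = {"dc1.domain.com", "dc2.domain.com"}


def audit_dc_records(srv, host_a, apex_a, known_dcs) -> list[tuple[str, str]]:
    """Return (finding, name) pairs for DC DNS registrations that need attention."""
    findings = []
    advertised = {r.target for r in srv}
    for r in srv:
        if r.target not in host_a:            # Ramon's case: SRV with no A record
            findings.append(("srv-target-has-no-a-record", r.target))
        if r.target not in known_dcs:         # something that is not a DC registered
            findings.append(("srv-target-is-not-a-dc", r.target))
    for dc in sorted(known_dcs - advertised):  # a real DC clients cannot locate
        findings.append(("dc-missing-srv-record", dc))
    dc_addrs = {host_a[dc] for dc in known_dcs if dc in host_a}
    ip_to_name = {ip: name for name, ip in host_a.items()}
    for ip in apex_a:                          # non-DC in (same as parent folder)
        if ip not in dc_addrs:
            findings.append(("apex-a-record-not-a-dc", ip_to_name.get(ip, ip)))
    return findings


if __name__ == "__main__":
    records = parse_nslookup_srv(NSLOOKUP_SRV_OUTPUT)
    for finding, name in audit_dc_records(records, HOST_A, APEX_A, KNOWN_DCS):
        print(f"{finding}: {name}")
```

Run against a real domain, the SRV text comes from nslookup, HOST_A and APEX_A from the zone, and KNOWN_DCS from the directory; a name that shows up under both "srv-target-has-no-a-record" and "srv-target-is-not-a-dc" is the stale record Paul says to delete, and "apex-a-record-not-a-dc" is the workstation registration Deji and Kevin describe.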
Re: [ActiveDir] nslookup. AD beginer question
There's a rather large error in my previous message:

...get a list of all the DNS servers for that domain. For example, if you are using AD-Integrated DNS, you will get a list of any DCs that are also DNS servers. Basically, that command returns the (Same as parent) records for the domain.

That should read:

...get a list of all DCs for that domain. Basically, that command returns the (Same as parent) records for the domain, which are host (A) records for the domain [name].

Apologies all. I don't know what I was thinking about when composing that mail. I'll be sure to drink my first coffee of the day _before_ replying in the future!

--Paul

(No I didn't spot the error; I was notified offline ;-)

- Original Message -
From: Paul Williams
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 29, 2006 10:43 AM
Subject: Re: [ActiveDir] nslookup. AD beginer question

If you do NSLOOKUP DOMAIN-NAME.COM then you will get a list of all the DNS servers for that domain. For example, if you are using AD-Integrated DNS, you will get a list of any DCs that are also DNS servers. Basically, that command returns the (Same as parent) records for the domain.

If you want to pull all DCs in the domain, you need to run something like this:

nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com

If you run the above command and get computer accounts back, see kb825675 as referenced by Steve. I wasn't aware that that bug also registered A records for the domain name, but it might...

If you're new to NSLOOKUP, consider what information you want. There's a bunch of different types of DNS record that might be of interest (A, CNAME, PTR, SRV, MX). When troubleshooting AD, the main ones to look for are A and SRV (there's also an instance where you need to check the CNAME record too). Remember that simply pinging a DC doesn't mean that the necessary SRV records are in place.

I personally always advise people to use a combination of NSLOOKUP and NLTEST to troubleshoot DNS and the locator process. Use NSLOOKUP to see if the records that you expect are there, and NLTEST to make the DsGetDC and DsGetSite calls.

--Paul

- Original Message -
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Monday, August 28, 2006 7:14 PM
Subject: [ActiveDir] nslookup. AD beginer question

Hi Everyone,

When I do a nslookup domain.com, domain.com being my AD domain, what should I see? A list of the DNS servers in my domain? A list of the DCs? The fact is that I am doing nslookup and I am getting domain controllers but also a user's computer.

Thanks
Re: [ActiveDir] Problem in AD
Then your problem is likely a DNS issue. Ensure that all clients are pointing to at least two DCs. Ensure that your DCs are pointing to at least two as well, as they're also DNS clients.

--Paul

- Original Message -
From: Pankaj Verma [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 24, 2006 7:06 AM
Subject: Re: [ActiveDir] Problem in AD

before installing dc01 dc02, DC03 was the global catalog server ..now dc01 dc02 are global catalog servers

On 8/23/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

if it is single domain and not all DCs are a GC, make ALL DCs a GC
besides that also make sure a DNS server can be contacted
a bit more details please

Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Pankaj Verma
Sent: Wed 2006-08-23 19:07
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem in AD

Hi All

I have 3 domain controllers. I transferred all the FSMO roles from DC03 to DC02; after that I shut down DC03. I restarted DC02 and DC01, but after that I was not able to communicate with Active Directory, then switched on DC03, and after that everything is working fine. If somebody can tell me what could be the problem. And after that, in the event viewer I am getting an error: Event id = 1030, 1058, source = Userenv

--
Rgds
Pankaj verma

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
Re: [ActiveDir] [OT] Longhorn Beta
Apologies. I thought it had gone well and truly public back when it went out to MSDN, etc.

--Paul

- Original Message -
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 17, 2006 9:10 PM
Subject: RE: [ActiveDir] [OT] Longhorn Beta

true, when invited you can activate it on the connect site and play around with it

Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 2006-08-17 20:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Longhorn Beta

I believe Longhorn/Vista is an invite only Connect program.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Thursday, August 17, 2006 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Longhorn Beta

That was definitely the first place I checked, and unless I'm blind (which I've been accused of many times by the way), I don't believe it's an available option on the connect website to test. I'll probably end up just using my MSDN copy in our test environment to create a Longhorn DC.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, August 17, 2006 10:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Longhorn Beta

http://connect.microsoft.com/

--Paul

- Original Message -
From: WATSON, BEN mailto:[EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 17, 2006 4:35 PM
Subject: [ActiveDir] [OT] Longhorn Beta

Outside of my MSDN account is there a preferred way to obtain Longhorn Betas for testing?

~Ben
Re: [ActiveDir] LDAP Logon Name
Not quite. You need to escape the comma like so:

(&(objectCategory=person)(objectClass=user)(displayName=phelps\, k*))

--Paul

- Original Message -
From: Matheesha Weerasinghe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, August 14, 2006 8:46 PM
Subject: Re: [ActiveDir] LDAP Logon Name

All I did was fix your query. It seemed like you were trying to do a search for users who have phelps,k as the start of their displayname. I assume the printer wants a DN to do lookups. Any AD user should be able to bind. But I don't know what it does with the bind credentials. I've never configured a printer that needed to be given credentials to an LDAP directory. Does it look at who submitted the job and do a query for the person's email address and send them an email that it's done? I don't know. You need to tell us how the LDAP credentials are going to be used by the printer. Otherwise it may appear that we are not helpful. Which, I well may be not ;-) Sorry

M@

On 8/14/06, Alex Alborzfard [EMAIL PROTECTED] wrote:

Logon ID? Most likely the DN, but I need an account that can do the bind. Per HP documentation, after running the search I am supposed to find the search prefix, which should begin after the individual user's CN. This is the example right from documentation:

Dn: [EMAIL PROTECTED],OU=US,OU=Users,OU=Account,DC=americas,DC=cpqcorp,DC=net

I tried M@'s query, it worked... well kind of... it didn't generate an error, but got 0 entries on Matched DNs.

I also tried your tree view suggestion, but that didn't give me anything I could use for this printer. I don't see anything even close to it. I'm beginning to HATE LDAP and HP both!!!

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, August 14, 2006 1:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Logon Name

Agreed. But does your printer search for the logon ID? I doubt it. Most LDAP authentication (I HATE that term) will use the DN of the user: cn=user,cn=users,dc=domain,dc=com would be default. From there it should be able to look up the mail address in the directory. You should specify the service account it will use to bind to the directory and the password and it should be fine from there.

To see that information, use ldp, and rather than search, use the tree view and navigate to it. (note: when the tree asks you for a dn value, leave it blank and press OK.)

Al

On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

Your ldap filter doesn't look correct.

M@

On 8/14/06, Alex Alborzfard [EMAIL PROTECTED] wrote:

According to product documentation, I have to configure embedded ldap authentication. Apparently this printer has an Embedded Web Server (EWS). However, when I follow the documentation, using ldp tool, it fails when trying to query ldap. The message I get is this:

***Searching...
ldap_search_s(ld, "DC=pharmanet,DC=com", 2, "(&(objectclass=person)displayname=phelps,k*))", NULL, 0, msg)
Error: Search: Filter Error. 87
Server error: Error94: ldap_parse_result failed: No result present in message
Getting 0 entries:

I connect to ldp as member of Domain Admins and Schema Admins, with the same result.

Any ideas?

Alex

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Wednesday, August 09, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Logon Name

Alex Alborzfard wrote:

We have a HP printer/scanner that we want to set up for emailing scanned documents. Management wants to ensure only domain users with email addresses can do this. There is an option for setting up LDAP gateway, where you can set user name password up. It's asking for LDAP logon name. I have tried my user name and account name, but it didn't work. I looked it up in ADSIedit, but I couldn't find it.

I think the simplest way would be to refer to the product documentation, but I would try to use the DN, or CN (in CN=... format) of this user.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
Re: [ActiveDir] LDAP Logon Name
You need to escape the comma, as a comma is a delimiter and in the case of displayName it shouldn't be a delimiter:

(&(objectCategory=person)(objectClass=user)(displayName=phelps\, k*))

I've not read the whole thread, so can't discuss whether or not this is the best way to do what you want. I will say I feel for you re. the HP documentation. I had some fun getting the AD iLO integration stuff to work because the guide wasn't very helpful at explaining what format and syntax things wanted. I found the help on the administration pages better, and simply tried a number of things that I thought should work.

--Paul

- Original Message -
From: Alex Alborzfard
To: ActiveDir@mail.activedir.org
Sent: Monday, August 14, 2006 8:22 PM
Subject: RE: [ActiveDir] LDAP Logon Name

Good catch, but the corrected query still didn't work!

Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Cace
Sent: Monday, August 14, 2006 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Logon Name

In the error below, the LDAP filter is "(&(objectclass=person)displayname=phelps,k*))". You missed the opening parenthesis before displayname.

-Andrew

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Monday, August 14, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Logon Name

That was exactly the same as HP documentation. I'll try your filter and will post the result.

Thanks
Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 1:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Logon Name

I assume you need a filter such as "(&(objectcategory=person)(objectclass=user)(displayname=phelps,k*))". I optimised the user object search and put an opening bracket when specifying the displayname.

M@

On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:

Your ldap filter doesn't look correct.

M@

On 8/14/06, Alex Alborzfard [EMAIL PROTECTED] wrote:

According to product documentation, I have to configure embedded ldap authentication. Apparently this printer has an Embedded Web Server (EWS). However, when I follow the documentation, using ldp tool, it fails when trying to query ldap. The message I get is this:

***Searching...
ldap_search_s(ld, "DC=pharmanet,DC=com", 2, "(&(objectclass=person)displayname=phelps,k*))", NULL, 0, msg)
Error: Search: Filter Error. 87
Server error: Error94: ldap_parse_result failed: No result present in message
Getting 0 entries:

I connect to ldp as member of Domain Admins and Schema Admins, with the same result.

Any ideas?

Alex

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Wednesday, August 09, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Logon Name

Alex Alborzfard wrote:

We have a HP printer/scanner that we want to set up for emailing scanned documents. Management wants to ensure only domain users with email addresses can do this. There is an option for setting up LDAP gateway, where you can set user name password up. It's asking for LDAP logon name. I have tried my user name and account name, but it didn't work. I looked it up in ADSIedit, but I couldn't find it.

I think the simplest way would be to refer to the product documentation, but I would try to use the DN, or CN (in CN=... format) of this user.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
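An added Python example, not from either LDAP Logon Name thread above nor from HP's documentation, covering both: it builds the displayName filter with RFC 4515 hex escapes (\2c for the comma, which every LDAP server reads back as a plain comma) and checks the bracket structure, so the filter with the missing "(" before displayname is rejected before it ever reaches ldp. Function names are mine; the filters are the ones quoted in the thread.

```python
"""Build and sanity-check LDAP search filters for a displayName lookup.

Added example, not from the thread or HP's documentation.  Escaping follows
RFC 4515 (backslash plus two hex digits), which Active Directory and every
other LDAP server accept, and the structure check catches the missing "("
that made ldp return "Filter Error. 87" in the thread.
"""

# Characters RFC 4515 requires to be hex-escaped inside an assertion value.
_MUST_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value, escape_comma=True):
    """Escape a literal attribute value for use in a filter.

    The comma is not special in a filter (only in a DN), so escaping it is
    optional; escape_comma follows the list's advice and writes it as \\2c,
    which any RFC 4515 parser reads back as a plain comma.
    """
    out = []
    for ch in value:
        if ch in _MUST_ESCAPE:
            out.append(_MUST_ESCAPE[ch])
        elif ch == "," and escape_comma:
            out.append(r"\2c")
        elif ord(ch) > 0x7F:                     # non-ASCII: escape UTF-8 bytes
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def user_by_display_name(prefix):
    """Filter for user objects whose displayName starts with prefix.

    The trailing '*' is added here, after escaping, so a '*' typed by a user
    is matched literally rather than widening the search.
    """
    return "(&(objectCategory=person)(objectClass=user)(displayName=%s*))" % (
        escape_filter_value(prefix),
    )


def filter_syntax_error(flt):
    """Return None if the filter's bracket structure is well formed, else why.

    Checks: starts with '(', every '(' is closed, nothing follows the outer
    group, and a ')' is followed only by '(' or ')'.  That last rule is what
    rejects "(&(objectclass=person)displayname=phelps,k*))" from the thread.
    """
    if not flt.startswith("("):
        return "filter must start with '('"
    depth, i = 0, 0
    while i < len(flt):
        ch = flt[i]
        if ch == "\\":                           # skip an RFC 4515 escape: \XX
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return "unmatched ')' at offset %d" % i
            if depth == 0 and i != len(flt) - 1:
                return "text after the outer group closes at offset %d" % i
            nxt = flt[i + 1] if i + 1 < len(flt) else ""
            if nxt and nxt not in "()":
                return "expected '(' after ')' at offset %d, got %r" % (i + 1, nxt)
        i += 1
    if depth != 0:
        return "%d unclosed '('" % depth
    return None


# The filters from the thread: the one ldp rejected and the corrected form.
BROKEN_FILTER = "(&(objectclass=person)displayname=phelps,k*))"
FIXED_FILTER = user_by_display_name("phelps, k")

if __name__ == "__main__":
    for name, flt in (("broken", BROKEN_FILTER), ("fixed", FIXED_FILTER)):
        print(name, flt, "->", filter_syntax_error(flt) or "ok")
```

Escaping the value before it is spliced into the filter is also what keeps a name typed into a device's address-book field from being interpreted as filter syntax.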
Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders
I'm not in a position to test whether this is a forest-wide or domain-wide principal. However, when you can't find something you think should be there, you should search the GC. I've seen numerous people have issues with a user or group not existing only to find it's in a parent domain. Use ADFIND or LDP to search the GC.

Also, what are the actual permissions you are seeing and where?

--Paul

- Original Message -
From: Han Valk [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 17, 2006 10:24 AM
Subject: RE: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

First forgive my ignorance, I didn't know that the group should only exist in the forest root domain. But how is it possible that CHILDDOMAIN\Incoming Forest Trust Builders has permissions on the child domain in ADUC when there shouldn't be a CHILDDOMAIN\Incoming Forest Trust Builders?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 19:37
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

It's only in the forest domain IIRC ;-)

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

No??? Child domain.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 17:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

By the way, you are looking for this on the forest root, right?

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

Yep, logged in as Domain Admin.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 13:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I am wondering if there are ACLs defined on the group itself or the OU above to prevent you from seeing it. Do you see it as the Administrator account of the domain?

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

Problem is I don't see it anymore in the BUILTIN container. Strange thing is that if I look at the security of the domain object in ADUC, Incoming Forest Trust Builders is there.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 10:22
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I don't think so. The objectSid attribute is a systemOnly attribute. Personally I am impressed by that smart co-worker that managed to delete it. According to the AD Delegation appendices
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en
it's not possible to move/delete/rename this group. Maybe he exploited the dynamic objects feature in Windows 2003 RTM?
http://blogs.dirteam.com/blogs/tomek/archive/2006/06/23/1175.aspx

M@

On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

Hi,

A smart co-worker deleted the BUILTIN\Incoming Forest Trust Builders group. Is it possible to recreate this group with the same well known SID? Authoritative restore is out of the question, the deletion is too long ago.

Han Valk.
Re: [ActiveDir] FMSO roles split, patch question.
Valid point. But you should [try and] restore from the backup that ran the night before and that you verified successfully completed before you applied the patch... ;-)

If you have a documented process that goes through the proper change control, then there shouldn't be any reason to do this. The patches should be tested in dev and pre-prod and then applied, only if there's a rollback option, and that should be something like: uninstall patch; restore from last night's successful backup if unable to boot and uninstall.

--Paul

- Original Message -
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 17, 2006 4:02 PM
Subject: RE: [ActiveDir] FMSO roles split, patch question.

the reason is that if a DC dies during the patching you do not have to seize the roles
IMHO, I prefer transferring over seizing

Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of John Strongosky
Sent: Thu 2006-08-17 16:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

I'm confused, is this a standard practice, as I thought you did not want to move the FMSO roles back and forth.

john

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, August 17, 2006 4:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

in addition to that:
DC1 having FSMOset1 and DC2 having FSMOset2
transfer FSMOset1 from DC1 to DC2
apply patches to DC1 and reboot and check everything (event logs, DCdiag, etc)
if everything OK! transfer FSMOset1 and FSMOset2 from DC2 to DC1
apply patches to DC2 and reboot and check everything (event logs, DCdiag, etc)
if everything OK! transfer FSMOset2 from DC1 to DC2
voila (that's french)... done! ;-)

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Wednesday, August 09, 2006 01:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

It doesn't matter.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: John Strongosky
Sent: Tue 8/8/2006 4:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FMSO roles split, patch question.

We have our FMSO roles split between 2 DCs. They are Schema Master/Domain Tree Operator on 1 and on 2, the roles PDC Emulator/Rid Pool/Intrastate on the other. After I apply the patches from Microsoft what is the best practice for the boot order... or does it matter?

1. Remote DC/GC's first
2. no. 1
3. then no 2.

thanks
Re: [ActiveDir] FMSO roles split, patch question.
I have. When bulk-patching NT 4 servers several died (OS was trashed, not the h/w) and had to be restored from the backup the night before. There was that issue where the patch wrote ntoskrnl beyond the 7.8 GB section of the disk, although that hit workstations more than servers as they'd been built from images and had bigger disks than the NT 4 boot loader could cope with <g>.

--Paul

- Original Message -
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 17, 2006 4:47 PM
Subject: Re: [ActiveDir] FMSO roles split, patch question.

As a person who tests/patches a bunch of single DCs I've never seen a patch kill a server. Driver update may and has, yes. Impair functionality of the server, yes. But kill it completely? Microsoft tests patches ahead of time and they would find ahead of time if basic functionality of a DC would be nailed. But if the server dies... it was probably on the emergency list prior to patching. Rebooting the box first ensures that you find these 'hospital bound' servers.

Almeida Pinto, Jorge de wrote:

the reason is that if a DC dies during the patching you do not have to seize the roles
IMHO, I prefer transferring over seizing

Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of John Strongosky
Sent: Thu 2006-08-17 16:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

I'm confused, is this a standard practice, as I thought you did not want to move the FMSO roles back and forth.

john

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, August 17, 2006 4:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

in addition to that:
DC1 having FSMOset1 and DC2 having FSMOset2
transfer FSMOset1 from DC1 to DC2
apply patches to DC1 and reboot and check everything (event logs, DCdiag, etc)
if everything OK! transfer FSMOset1 and FSMOset2 from DC2 to DC1
apply patches to DC2 and reboot and check everything (event logs, DCdiag, etc)
if everything OK! transfer FSMOset2 from DC1 to DC2
voila (that's french)... done! ;-)

jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Wednesday, August 09, 2006 01:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.

It doesn't matter.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: John Strongosky
Sent: Tue 8/8/2006 4:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FMSO roles split, patch question.

We have our FMSO roles split between 2 DCs. They are Schema Master/Domain Tree Operator on 1 and on 2, the roles PDC Emulator/Rid Pool/Intrastate on the other. After I apply the patches from Microsoft what is the best practice for the boot order... or does it matter?

1. Remote DC/GC's first
2. no. 1
3. then no 2.

thanks

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
Re: [ActiveDir] [OT] Longhorn Beta
http://connect.microsoft.com/

--Paul

- Original Message -
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 17, 2006 4:35 PM
Subject: [ActiveDir] [OT] Longhorn Beta

Outside of my MSDN account is there a preferred way to obtain Longhorn Betas for testing?

~Ben
Re: [ActiveDir] ADFind Query
Yeah right! Our customers still have hundreds of NT 4 boxes... I saw some (three) production 3.51 boxes four months ago...

--Paul

- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 15, 2006 2:34 AM
Subject: RE: [ActiveDir] ADFind Query

P.S. http://support.microsoft.com/lifecycle/?p1=7274

Mainstream support on 2K Server ended 6/30/2005... Get off of 2K servers folks

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 14, 2006 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind Query

Ah W2K. It is probably reporting the error incorrectly, which is why you don't see the problem on K3. The issue is you can't wildcard the OID; the attribute does obviously exist.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 6:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADFind Query

I get the error Ben got with W2K. W2k3 doesn't give that error. The VM I have here is W2k3 with SP3.

M@

On 8/14/06, joe [EMAIL PROTECTED] wrote:

You shouldn't be getting that error with that command... Even if the attribute name was incorrect you wouldn't get that error, you would get 0 objects returned as the query processor doesn't output errors because of incorrect attributes being specified.

However, that being said, this isn't going to work. You can't wildcard OIDs (or more accurately 2.5.5.2/6 data types).

Hopefully you guys prefixed all of the classes and attributes you added with a company prefix so you can search on that like so

adfind -schema -f name=joeware* ldapdisplayname -sl

or the shortcut

adfind -sc sl:joeware*

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Monday, August 14, 2006 5:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADFind Query

Hey guys,

Simple question. I'm trying to perform a search to locate all the schema extensions that have been added in by our company. I thought some simple syntax like this would work to find all schema attributes with an attributeID prefixed with our OID.

adfind -schema -f attributeID=1.3.6.1.4.1.14376.*

ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such Attribute

I'm obviously missing something, any thoughts?

Thanks,
~Ben
Re: [ActiveDir] Restoring RID
Restore it as you would any other DC. The documentation that you refer to is either out of date, or incorrect.

The DS will invalidate the current RID pool when you restore and request a new one from the RID master (itself), which should be the same value as it was when it went down (if the backup is from the night before or very recent, unless you've been doing lots of security principal creations). If it isn't, the new value will be replicated in (the value is held by all DCs - I don't think the RID master does anything different when replicating) as far as I'm aware.

The issues with the RID master arise if you have multiple RID masters. Which, with k3, shouldn't really be possible if network and replication are OK. There were a bunch of changes made in SP1, SP2 and SP3 for the RID master and the way a DC handles its current RID pool, etc. As far as I'm aware, all of these issues are in the past and Win2k SP4 / Win2k3 don't have any problems.

--Paul

- Original Message -
From: Lucia Washaya
To: ActiveDir@mail.activedir.org
Sent: Monday, August 14, 2006 9:50 AM
Subject: Re: [ActiveDir] Restoring RID

How do I move the RID role when that server is already crashed? I want to recover from the loss of the RID master, so I cannot move it since it is not available. Or is there a way to do it?

Lucia Washaya
CITS UNIOSIL
Tel.: 022-295-526 xtn. 5497
Int'l Tel.: Via Italy + (39) 083123-5497
Via USA +1(212) 963-9588 (after audio response dial 174-5497)
==The cobra will bite whether you call it Cobra or Dear Mr. Cobra.==

"Matt Hargraves" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
14/08/2006 03:43
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: Re: [ActiveDir] Restoring RID

I always recommend transferring FSMO roles from a box before upgrading it, then moving it back after the upgrade is completed successfully. If you've got enough DCs to justify splitting FSMO roles, you've got enough to move it to another box for a week to upgrade the box.

On 8/13/06, Chong Ai Chung [EMAIL PROTECTED] wrote:

When the RID flexible single-master operations DC is restored, it may use old RID pool values, and it can cause the restored RID flexible single-master operations DC to begin issuing duplicate SIDs. The best way is:
- to use another DC to seize the RID master role.
- Rebuild the OS on the crashed DC and promote it back as Domain Controller
- transfer the RID master role back to the rebuilt DC.

Regards,
Ai Chung

On 8/14/06, Lucia Washaya [EMAIL PROTECTED] wrote:

Colleagues,

We have a server which crashed during upgrade (2000 to 2003). Now we want to restore it. Problem is this server is the RID holder and the documentation on the technet says "Restoring the RID Master can result in Active Directory data corruption, so it is not recommended." So what is the best way to restore this server?

Thank you in advance for your assistance

Regards,
Lucia Washaya
CITS UNIOSIL
Tel.: 022-295-526 xtn. 5497
Int'l Tel.: Via Italy + (39) 083123-5497
Via USA +1(212) 963-9588 (after audio response dial 174-5497)
==The cobra will bite whether you call it Cobra or Dear Mr. Cobra.==
Re: [ActiveDir] fRSMemberReference - NTFRS
Which object are you trying to modify the fRSMemberReference attribute on? You need to modify that attribute on the nTFRSSubscriber object called CN=Domain System Volume (SYSVOL), which is located in the CN=NTFRS Subscriptions container underneath the computer object for the DC. You do not need to modify this property on the nTFRSMember objects underneath the nTFRSReplicaSet object, which resides under the CN=File Replication Service container under CN=System in the domain NC. However, before modifying this attribute, check the name of the nTFRSMember object (the great-grandchild of System) as it might still have the old name (which doesn't matter, it's only the cn).

--Paul

- Original Message -
From: Devan Pala [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sunday, August 13, 2006 2:48 AM
Subject: [ActiveDir] fRSMemberReference - NTFRS

Hi all, I recently deployed a clean install of a Windows Server 2003 DC but, since we were in the process of taking a server image for other builds of other DCs in the forest, I mistakenly left the NetBIOS name of the server as our server guys had left it! Anyway, I only realized this mistake after running dcpromo, and once I realized the mistake I quickly changed the domain controller's name to what it should be. Now I'm having issues with group policy processing etc. Everything else is good; DNS, replication etc. I ran ntfrsdiag and one of the logs gives me the following: when I try to change the fRSMemberReference name in ADSIEDIT I get a "the name reference is invalid" error. I earlier had removed the unwanted computer name. Does anyone have any ideas on how and which attributes to modify? Thanks in advance.

Checking for errors/warnings in ntfrsutl ds ...
ERROR: This server's Member Ref property for the SYSVOL volume does NOT seem to be correct !!!
To fix this, use ADSIEdit and edit the fRSMemberReference Property of the nTFRSSubscriber object named CN=Domain System Volume (SYSVOL share) located under this Server's Computer Object. This value should match the FQDN of this Server.
Current Values are:
Current Value = (null)
Suggested Value = CN=DC1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=ad,,DC=com
Please note there is a small chance the above Suggested Value may not be correct - See below for more info on what the Proper Value should be!
For more Info See KB Article : 312862 Recovering Missing FRS Objects and FRS Attributes in Active Directory - Search for the step about Updating the fRSMemberReference object (Step 8 on the Recovering from Deleted FRS Objects section
.. failed with 1 error(s)

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir][OT] Always point a DC with DNS installed to itself as the preferred DNS server...always?
Only just found this one... Re. [1]. I'm sorry, but it just had to be said. Who the hell asks that? Honestly, who? <big grin>

--Paul

- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, July 22, 2006 12:54 AM
Subject: RE: [ActiveDir][OT] Always point a DC with DNS installed to itself as the preferred DNS server...always?

Paul, with the combination of your TLAs and your harsh Welsh accent I haven't the foggiest clue what you said here... yeah... :)

Warm[1]

[1] That kills me, inside joke...

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Friday, July 14, 2006 6:33 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

I can't see how you can get a duplicate NDNC as the creation of such objects is targeted at the DN master. The DN master will check the existing crossRefs and stop this happening, as we can't rely on the DS stopping it as the RDN is different for each NDNC (unless they've used well-known GUIDs for the DNS NCs?). Although the behaviour you speak of is new to me, and another one of those slight, interesting changes, so thanks for that. Can you elaborate on this new behaviour? What, exactly, happens and in what order?

--Paul

- Original Message -
From: Grillenmeier, Guido [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, July 13, 2006 6:52 PM
Subject: RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

Note that DNS startup behaviour changes with SP1, which is another reason not to choose the DC itself as the preferred DNS server: with SP1, AD will not allow the DNS service to read any records until it has successfully replicated with one of its replication partners. This is to avoid false or duplicate registration of records (or even duplicate creation of the application partitions). As such, with SP1 it's better to point your DCs to a replication partner as a primary DNS and to self as a secondary.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, 13 July 2006 17:02
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

Hi Al, I did want to throw in a personal experience I had with W2K3 that validates the "point your DNS server to a replication partner" theory. I did see one environment where every DC had DNS and the msdcs partition was a forest partition. An unfortunate DNS scavenge was done, deleting some of the GUID records in the MSDCS partition. Replication started to fail shortly after that and the missing GUIDs were discovered. The netlogon service was restarted to make the DCs re-register, but of course they re-registered the GUID on themselves. They could find themselves but not their replication partners. The replication partners could find them but not themselves. When the DCs were set to point to a hub replication partner for primary and themselves as secondary the problem went away - the netlogon service was restarted, the GUIDs registered on the central DNS server, the spokes did the lookup for replication partners on the hub site DC and eventually things started working again. This was pre-SP1 so this may not be a problem anymore, but after that experience I have seen value in doing the DNS configuration so that the DCs all point to the hub first and themselves second. I have not seen any problems for the DC itself when the WAN link dropped for a length of time and the primary DNS server was not reachable.

Of course, if there are never any changes to DC IPs or names and the MSDCS is never scavenged (or the interval is long enough not to recreate the above problem) then the above argument is moot.

Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]

Al Mulnick [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/12/2006 09:58 PM AST
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

You don't work at the post office do you? ;) There are many many many ways to properly configure DNS. One thing that helps is to think of the terms client
Re: [ActiveDir] machine GP load
I just whipped up this VBScript to get you started. I don't have time to provide a more detailed breakdown as that involves a little extra thought, but this should point you in the right direction... Save, for example, as c:\count.vbs and run, from CMD, like so:

cscript c:\count.vbs > count.xls

Option Explicit
Dim oRootDse, oBase

Set oRootDse = GetObject("LDAP://RootDSE")
Set oBase = GetObject("LDAP://" & oRootDse.Get("defaultNamingContext"))
WScript.Echo oBase.Get("distinguishedName") & vbTab & countObjects(oBase.ADsPath)

' ***
' countObjects(ADsPath)
'
' Recursive function to count the number of objects beneath a
' container. Echoes one line per container (DN <tab> count) and
' returns the rolled-up total, so each container's figure includes
' everything in the containers below it.
' ***
Private Function countObjects(sParentPath)
    Dim oChild, cChildren, aSchema, sSchema, i, c
    i = 0
    Set cChildren = GetObject(sParentPath)
    For Each oChild In cChildren
        ' the last element of the schema path is the object class name
        aSchema = Split(oChild.Schema, "/")
        sSchema = aSchema(UBound(aSchema))
        i = i + 1
        ' leaf classes (users, computers, groups) have no children to walk
        If Not (sSchema = "inetOrgPerson" Or _
                sSchema = "user" Or _
                sSchema = "computer" Or _
                sSchema = "group") Then
            c = countObjects(oChild.ADsPath)
            WScript.Echo oChild.Get("distinguishedName") & vbTab & c
            i = i + c
        End If
    Next
    countObjects = i
End Function

--Paul

- Original Message -
From: Jerry Welch
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 10, 2006 12:49 AM
Subject: RE: [ActiveDir] machine GP load

Does anyone have, or know of, a utility program that will provide a breakout of object counts in AD in each container, with a rollup so that each container shows all of the containers below it? Joe?

Thanks,
Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-5 GMT)
IP Phone (Skype): Jerry_Welch ( www.skype.net )
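The same count-with-rollup that the thread asks for, as an added Python example that is not part of the thread and not Paul's script: it works offline on a constructed list of distinguishedNames with their object classes (the sort of data a csvde or ldifde export gives you), so the rollup logic can be checked without a live domain. The DN splitter honours backslash-escaped commas, which an ADSI walk never has to deal with; LEAF_CLASSES mirrors the classes the VBScript skips. The sample domain and its names are made up.

```python
from collections import defaultdict

# Object classes treated as leaves: the same set the thread's VBScript skips.
LEAF_CLASSES = {"user", "inetOrgPerson", "computer", "group"}


def split_dn(dn):
    """Split a DN into its RDNs, keeping backslash-escaped commas
    (e.g. 'CN=Smith\\, John,OU=Sales,DC=x' gives three parts)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep the escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def parent_dn(dn):
    """DN of the container holding dn, or None at the top of the tree."""
    rdns = split_dn(dn)
    return ",".join(rdns[1:]) if len(rdns) > 1 else None


def count_objects(objects, base_dn):
    """objects: iterable of (distinguishedName, objectClass) pairs.
    Returns {container_dn: (direct_children, rolled_up_total)} for every
    container reachable from base_dn; the roll-up includes everything
    in the containers below it."""
    children = defaultdict(list)
    object_class = {}
    for dn, oc in objects:
        object_class[dn] = oc
        parent = parent_dn(dn)
        if parent is not None:
            children[parent].append(dn)

    result = {}

    def walk(dn):
        kids = children.get(dn, [])
        direct = len(kids)
        total = direct
        for child in kids:
            # descend into containers; a leaf class is only walked if the
            # export shows something underneath it anyway
            if object_class.get(child) not in LEAF_CLASSES or child in children:
                total += walk(child)
        result[dn] = (direct, total)
        return total

    walk(base_dn)
    return result


def report(counts):
    """Tab-separated 'DN <tab> direct <tab> rolled-up' lines, shallowest first."""
    ordered = sorted(counts.items(), key=lambda kv: len(split_dn(kv[0])))
    return "\n".join("%s\t%d\t%d" % (dn, d, t) for dn, (d, t) in ordered)


# Constructed sample of an exported domain; not data from the thread.
SAMPLE = [
    ("DC=example,DC=com", "domainDNS"),
    ("CN=Users,DC=example,DC=com", "container"),
    ("CN=Administrator,CN=Users,DC=example,DC=com", "user"),
    ("CN=Domain Admins,CN=Users,DC=example,DC=com", "group"),
    ("OU=Sales,DC=example,DC=com", "organizationalUnit"),
    ("CN=Doe\\, Jane,OU=Sales,DC=example,DC=com", "user"),
    ("OU=EMEA,OU=Sales,DC=example,DC=com", "organizationalUnit"),
    ("CN=Smith\\, John,OU=EMEA,OU=Sales,DC=example,DC=com", "user"),
    ("CN=SALES-PC1,OU=EMEA,OU=Sales,DC=example,DC=com", "computer"),
]

if __name__ == "__main__":
    print(report(count_objects(SAMPLE, "DC=example,DC=com")))
```

Redirect the output to a file, as with the VBScript, and the three columns open directly in a spreadsheet; the direct count per container is what the original script printed, the rolled-up column is the figure Jerry asked for.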
Re: [ActiveDir] machine GP load
Ha ha. That's why my post says to run using CSCRIPT.

--Paul

- Original Message -
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 10, 2006 2:31 PM
Subject: RE: [ActiveDir] machine GP load

I tried it out, I was hitting the enter key forever thanks to:

WScript.Echo oChild.Get("distinguishedName") & vbTab & c
Re: [ActiveDir] UPPER case for username
I've not tested this (just hashed it up as I read your post, so there's probably going to be some syntax errors, etc. -- please test first). But here's a quick and dirty VBScript that should change all uppercase accounts to lowercase.

Option Explicit
Dim oRootDse, oConn, oComm, oRs, oUser
Dim sADsPath, sFilter, sAttrs, sScope, sQuery, sAMAccountName

Set oRootDse = GetObject("LDAP://RootDSE")
Set oConn = CreateObject("ADODB.Connection")
Set oComm = CreateObject("ADODB.Command")

' configure provider and define command
oConn.Provider = "ADsDSOObject"
oConn.Open "Active Directory Provider"
oComm.ActiveConnection = oConn

' build query (LDAP dialect: <base>;(filter);attributes;scope)
sADsPath = "<LDAP://" & oRootDse.Get("defaultNamingContext") & ">;"
sFilter = "(&(objectCategory=person)(objectClass=user));"
sAttrs = "ADsPath,sAMAccountName;"
sScope = "SubTree"
sQuery = sADsPath & sFilter & sAttrs & sScope

' configure command properties
oComm.CommandText = sQuery
oComm.Properties("Page Size") = 128
oComm.Properties("Size Limit") = 10   ' caps the first run at 10 accounts; raise or remove once tested
oComm.Properties("Cache Results") = False

' execute query
Set oRs = oComm.Execute
If Not oRs.EOF Then        ' check to see if any results were returned
    oRs.MoveFirst
    ' iterate result set
    While Not oRs.EOF
        sAMAccountName = oRs.Fields(1).Value
        If UCase(sAMAccountName) = sAMAccountName Then
            sAMAccountName = LCase(sAMAccountName)
            Set oUser = GetObject(oRs.Fields(0).Value)
            oUser.Put "sAMAccountName", sAMAccountName
            oUser.SetInfo
        End If
        oRs.MoveNext
    Wend
Else
    ' empty record set (no results returned)
End If

--Paul

- Original Message -
From: Irwan Hadi [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, August 09, 2006 2:14 AM
Subject: [ActiveDir] UPPER case for username

We are in the process of bringing in a couple hundred users from a Novell GroupWise system to our AD 2003 + Exchange 2003 system. Our AD is in Windows 2003 Native mode for forest and domain. Because of the need to integrate GroupWise and Exchange, we need to use Microsoft Exchange Connector for GroupWise (and Quest Migration Wizard). The problem is, the administrator of the Novell GroupWise has set their standard username to be in UPPER CASE, eg: JDOE, instead of lower case eg: jdoe, and Exchange Connector for GroupWise will create the username with the same case it is now in GroupWise. This means in our AD domain, we will have a couple hundred users who use UPPER CASE for their username. Now the questions are:
- Will this cause any problem with any Microsoft product in the future (eg: SharePoint)?
- Is there a way to change the username in CAPS to be in lower case, once Exchange Connector for GroupWise creates the user?

Thanks
Re: [ActiveDir] Weak AD passwords
L0phtCrack was purchased by Symantec and is now sold as an enterprise security product. It's called LC5, I believe, but has recently been discontinued (after Symantec stopped selling it to people outside of North America) and support runs out at the end of the year. Which is a real pain as I've recently recommended it and now need to revise my recommendations!

--Paul

- Original Message -
From: McCann, Danny
To: ActiveDir@mail.activedir.org
Sent: Wednesday, August 09, 2006 3:59 PM
Subject: RE: [ActiveDir] Weak AD passwords

Hi, Haven't used it, but one of my colleagues swears it's too good. :) Try Rainbow Tables.

Cheers
Danny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 20 March 2006 21:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Weak AD passwords

Can anyone recommend any tools to find which of our users have weak AD passwords? We used to use L0phtCrack back in the day, but it doesn't appear to be supported any longer? Other than enforcing complex passwords (which we do) and an 8 character minimum, we'd like to figure out who uses things like "Password1" or something silly like that. Thanks in advance
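The closing line of the original question ("Password1" or something silly like that) is the useful point: the default Windows complexity rule is a character-class test, so "Password1" satisfies it. The following is an added Python example, not part of the thread and not any of the tools named in it, showing the check an identity team can run at provisioning or password-change time instead of auditing after the fact: an approximation of the Windows complexity rule (three of four character classes, no account name, no full-name token of three or more characters), the 8-character minimum the poster mentions, and a banned-password list that catches what complexity lets through. The banned list, the sample accounts and the exact delimiters used to tokenise the full name are assumptions.

```python
import re

# Constructed banned list, not from the thread; a real deployment would feed
# this from a breach or common-password source. Entries are lower-case and are
# compared against the password with any trailing digits stripped, so that
# 'Password1' and 'Password2006' both hit 'password'.
BANNED = {"password", "welcome", "letmein", "qwerty", "summer"}

# Assumed delimiter set used to split the full name into tokens.
_NAME_DELIMS = re.compile(r"[ ,.\-_#\t]+")


def char_classes(pw):
    """Number of character classes present: upper, lower, digit, other."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def meets_complexity(pw, sam_account_name="", full_name=""):
    """Approximation of the Windows 'Password must meet complexity
    requirements' setting: at least 6 characters, at least 3 of the 4
    character classes, must not contain the account name (if 3+ chars) and
    must not contain any 3+ character token of the full name, all
    compared case-insensitively."""
    low = pw.lower()
    if len(pw) < 6:
        return False
    if len(sam_account_name) >= 3 and sam_account_name.lower() in low:
        return False
    for tok in _NAME_DELIMS.split(full_name):
        if len(tok) >= 3 and tok.lower() in low:
            return False
    return char_classes(pw) >= 3


def weak_reason(pw, sam_account_name="", full_name="", min_length=8):
    """Why the password should be rejected, or None if it is acceptable.
    min_length is the domain's own minimum (8 in the thread), applied on
    top of the complexity rule; the banned-list check is what catches
    'Password1', which the complexity rule alone lets through."""
    if len(pw) < min_length:
        return "shorter than %d characters" % min_length
    if not meets_complexity(pw, sam_account_name, full_name):
        return "fails complexity"
    low = pw.lower()
    stem = re.sub(r"\d+$", "", low)
    if low in BANNED or stem in BANNED:
        return "on banned list"
    return None


def audit(accounts):
    """accounts: iterable of (sAMAccountName, full name, candidate password).
    Returns {sAMAccountName: reason} for every account that should be rejected."""
    rejected = {}
    for sam, name, pw in accounts:
        reason = weak_reason(pw, sam, name)
        if reason is not None:
            rejected[sam] = reason
    return rejected


# Constructed sample, not real accounts.
SAMPLE_ACCOUNTS = [
    ("jdoe", "John Doe", "Password1"),         # passes complexity, banned
    ("asmith", "Anna Smith", "Smith2006!"),    # contains a full-name token
    ("bmurphy", "Bob Murphy", "Tr0ub4dor&3"),  # acceptable
    ("cng", "Carol Ng", "abcdefg1"),           # only two character classes
]

if __name__ == "__main__":
    for sam, reason in audit(SAMPLE_ACCOUNTS).items():
        print("%s: %s" % (sam, reason))
```

The split between meets_complexity and weak_reason is deliberate: the first reproduces what the domain already enforces, the second is the extra policy (length and banned list) that the domain does not, which is exactly the gap the original question is about.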
Re: [ActiveDir] Moving Sysvol .
Yes, you can relocate the SYSVOL. It's just a little more involved (couple of extra steps, not difficult) than moving the DIT. See:

-- http://support.microsoft.com/?id=842162

However, if I might be so bold as to make a suggestion here, I would recommend you leave SYSVOL where it is, giving you:

0: Windows
1: DIT and Logs
2: SYSVOL

You don't want SYSVOL on the same disk as the database. Especially if you are delegating things like GPO modification, etc. to non-admins or lesser admins.

--Paul

- Original Message -
From: Yann
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 08, 2006 1:14 PM
Subject: [ActiveDir] Moving Sysvol .

Hello :) I have my AD w2k3 sp1 hard disk configured as this:
hdd1: AD logs.
hdd2: ntds.dit + sysvol.
I would like to change my hdd2, so I move the ntds.dit to hdd1 and that's OK. But how to move the sysvol folder to hdd1? Is there a way to do this? Thanks for your replies.

Yann
Re: [ActiveDir] DCs Hyper-Threading
I believe, from a past conversation, that disabling hyper-threading on bridgehead servers with lots of inbound connections, i.e. in enterprise deployments, should be *considered* as the replication queue has two parallel threads per processor, core or hyper-threading processor, as the system call sees them all in the same way - multiple processors. However, there's no real guideline here as there are so many variables, i.e. amount of change, compression, new objects, mods, whether the data is in cache or not, etc. I don't think it matters all that much for the AD stuff. You might need to look into the FRS side of things (in big environments). It will matter for CPU-intensive apps that weren't written directly for multiple-processor systems. Under such circumstances, it is often recommended to disable hyper-threading. For example, you have to disable HT for SAP servers. I don't think SQL cares as that is written for multiple-CPU support and can probably tell the difference between two physical processors and HT processors, but I don't know. Like Al said, check the Virtual Server readme, as NIC teaming isn't supported for the host, apparently (unless, like AD, that's just load-balanced teaming).

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 08, 2006 2:11 PM
Subject: Re: [ActiveDir] DCs Hyper-Threading

From Tim Mangan's whitepaper on hyperthreading under 2003:

"The results in this paper are exclusively related to Windows Server 2003. We are currently running the tests used in the development of this paper under Server 2000. We can verify reports of performance and stability problems with Hyper-Threading on Windows 2000 Server, and at this time recommend customers disable Hyper-Threading under 2000."

http://www.tmurgent.com/images/WP_HyperThread.pdf

So disable under 2000 is the recommendation. As to 2003, he shows a small performance increase in all cases except multithreaded CPU-bound applications, which is expected. Personally I leave hyperthreading turned on for my 2003 installs. It also makes single-to-dual CPU upgrades easier since the SMP kernel is already used =)

Thanks,
Andrew Fidel

"Wyatt, David" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/07/2006 09:45 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DCs Hyper-Threading

What are people's views on whether to enable or disable hyper-threading on a Proliant box running Windows 2003 as a DC? I remember Intel advised HT to be disabled on Windows 2000, but has this changed for Windows 2003? Are the performance benefits significant for a DC?

Thanks
David
Re: [ActiveDir] Moving Sysvol .
I believe the school of thought here is that the person has write access to the same volume as the DIT, which means he/she can easily perform DoS attacks, etc. by filling up the disk. I agree it's unlikely, but there you go. Take the [real] examples of where people with write access to SYSVOL have decided to replicate ghost images, etc. which not only trashes FRS, but fills the disk so that only the 20MB reserve files are left (which can easily be used up with dodgy custom synchronisation scripts that don't know what a USN is [past experience showing?] ;-)

I don't believe the recommendations for Logs and DIT go either. Yes, the logs are predominantly write, while most of the DIT usage is read, but the logs are circular. Why waste a mirrored set for 100 MB of disk even if disk is cheap? Plus, as already stated in the same argument, most of the activity is read, so is there really performance to be gained by having nano-second better response times on the file writes? Other than implementation or re-provisioning or restoration, I can't see the need to separate the logs.

I'm involved with a design at the moment that has a 30+ GB DIT (~320,000 users at the moment) and I'm using my earlier recommendations for the disks for DCs. We're arguing over whether RAID10 or RAID5 for the logical disk(s) that contain the non-OS volumes should be used, but there's not much difference there on a 4 - 6 disk set - the argument is political, to do with different standards for the management people.

But then, the SYSVOL volume is also a scratch area for administrators. The DIT and OS volumes are very much off limits, and secured thus.

--Paul

- Original Message -
From: Darren Mar-Elia
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 08, 2006 3:58 PM
Subject: RE: [ActiveDir] Moving Sysvol .

Yea, I'm not sure why one has to do with the other (GPO delegation and security of the DIT). GPO delegation simply involves granting permissions on individual GPC objects in AD and individual folders in the GPT (SYSVOL). The only risk I can see is that it is marginally easier to fill up a disk by writing a ton of data into SYSVOL than it is to do that by generating millions of AD objects (both of which a "lesser" admin can do), but if either happens, you probably have bigger problems than the disk with the DIT on it filling up.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, August 08, 2006 6:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving Sysvol .

... but then there's the school of thought that says you should:
- Place DIT and logs on separate spindles, since DIT is read intensive and logs are write intensive

Since SYSVOL is also read intensive, I'd prefer to place SYSVOL with the DIT. To be honest, I don't follow the delegation argument... GPOs exist in SYSVOL and AD so if delegating access to GPOs, surely there is an argument for placing SYSVOL and DIT on the *same* disk(?)

neil
Re: [ActiveDir] Moving Sysvol .
Yeah, I'm not disagreeing with what you and Darren say. In fact, I mostly agree. I'm just working in a high security environment where every detail is scrutinised and extra care needs to be taken with everything. I've always been one of these people that try and look at both sides of the security versus operability arguments and think that if it can be hardened without causing issues, it should be. Many of us on this list, and in the groups, are of the opinion that non-DAs shouldn't have write access to the OS and DIT volumes, even if performing proper administrative functions. Therefore a scratch volume that contains SYSVOL works well if you have non-DAs working with GPOs using native tools. The AD side of GPO is easily managed against most forms of attack. The file system still poses an element of risk. The tools for doing this stuff are a given. If they're not using the management tools on the management servers then they shouldn't be allowed to work. This is just another little piece in the big puzzle that is locking everything down to the point of (insert opinion here)... In my case, the scratch area played an important part in the decision and that swung the idea for me so I spout it off a lot now. But consider the malicious user, as opposed to the foolish, or naive admin. If they've got write (or even read) access to certain areas of the DC where sensitive files are...

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 08, 2006 4:37 PM
Subject: RE: [ActiveDir] Moving Sysvol .

All fair points, Paul - I guess I'd view these concerns in a different way:
- Use a GPO management tool to abstract away native GPO rights
- If admins cannot be trusted not to fill SYSVOL with sh** then don't give them any rights in SYSVOL [similar to above point]
- If SYSVOL has its own partition, you still have the potential for adminA to fill the disk with cr** and thus hinder the legitimate efforts of adminB to make changes to a GPO. Granted, this 'DOS' only affects SYSVOL, but then if GPO is broken then you're in big trouble anyway :)
- Granted a separate disk for logs *is* overkill. Consider using that partition / disk in other ways (GPO backups; system state backups, build source files etc etc).

my 2 penneth,
neil
Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest
This is a real problem for me. I've got no qualms about doing things in an unsupported fashion, as I feel I know what I'm doing. However, our customers won't have any of it. Especially as we won't be around to help support it, etc. Another example is replicating NDNCs. Apparently, I can't script the population of mSDS-NC-Replica-Locations, I can only get bridgeheads that don't, for example, run DNS to replicate the DNS NDNCs by using the applicable NTDSUTIL options. I doubt NTDSUTIL is doing anything different to my script (in this one instance of course) but the DSE said that my script was unsupported. I'd be interested in knowing why some of these switches in the answer file only work under select circumstances. As it seems that doing so is going to force some people to do one of two things: -- Perform unsupported tasks to automate their DC promotions -- Write a number of pre- and post-promotion scripts, which can be a pain as it adds additional complexity to the automation environment, etc. [I hope] Longhorn should have better support for these options as the new DCPROMO UI alows you to select GC, etc. --Paul - Original Message - From: Dean Wells [EMAIL PROTECTED] To: Send - AD mailing list [EMAIL PROTECTED] Sent: Friday, August 04, 2006 2:32 AM Subject: RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest Granted ... though perhaps a moot point to those (on the consumer side of the fence) capable of using such a tweak since proving such usage is challenging to say the least. Aside, since its purpose has been well served twice in as many days and on 2 unrelated topics, maybe it could be considered a feature suggestion ... 
--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, August 03, 2006 8:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

Touching schema.ini would qualify as very not supported ...

-B

On Thu, 3 Aug 2006, Paul Williams wrote:

It might be worth looking at the %systemroot%\system32\schema.ini file again. I just had a poke around in there after reading Dean's answer to your question yesterday and the first section, the [DEFAULTROOTDOMAIN] section is setting nTMixedMode. You can change that to 0 (for native) and try adding mSDS-Behavior-Version and setting it to 2. I don't know if that will work, but you're probably in a position to test this...

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 9:39 AM
Subject: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

According to http://support.microsoft.com/kb/223757/en-us the SetForestVersion entry in the dcpromo answer file can only be used to set FFL to 1 or 0 when building a new forest. Is this correct? I'd like to automate the transition to FFL=2 when building the first DC in a forest (without a script). Perhaps another change request for Longhorn? :)

neil

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest
Yes, I'll do the same then... This particular customer should have a lot of weight.

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, August 04, 2006 9:09 AM
Subject: RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

Let's just hope that Longhorn enables us to build machines (DCs) in a truly unattended fashion then :) only then can I avoid touching schema.ini. [I don't consider post build scripts to be acceptable.] MS will be ratifying our designs late this year - I think I can lean hard enough on the MS guys to persuade them to support us :)

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: 04 August 2006 01:34
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

Touching schema.ini would qualify as very not supported ...

-B

On Thu, 3 Aug 2006, Paul Williams wrote:

It might be worth looking at the %systemroot%\system32\schema.ini file again. I just had a poke around in there after reading Dean's answer to your question yesterday and the first section, the [DEFAULTROOTDOMAIN] section is setting nTMixedMode. You can change that to 0 (for native) and try adding mSDS-Behavior-Version and setting it to 2. I don't know if that will work, but you're probably in a position to test this...

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 9:39 AM
Subject: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

According to http://support.microsoft.com/kb/223757/en-us the SetForestVersion entry in the dcpromo answer file can only be used to set FFL to 1 or 0 when building a new forest. Is this correct? I'd like to automate the transition to FFL=2 when building the first DC in a forest (without a script).
Perhaps another change request for Longhorn? :)

neil
Re: [ActiveDir] OT: DNS entry
If you've got the necessary auditing enabled in your domain, and you had auditing ACEs configured on the DNS zone (location depends, generally you'd set it on CN=MicrosoftDNS folder) then yes, you can. But you'll have to search each DC's security event log for this info. Otherwise, you can't get this info.

You can check the whenChanged attribute on the tombstoned record for a rough idea of when the deletion occurred and try and move from there by looking at logon events, again if you have auditing enabled.

If you're not using AD-Integrated DNS, then none of the above will really help.

--Paul

- Original Message -
From: James Carter
To: ActiveDir@mail.activedir.org
Sent: Friday, August 04, 2006 12:09 PM
Subject: [ActiveDir] OT: DNS entry

We had a static Server DNS entry deleted over the weekend. Is there any way to find out who deleted this entry? This is a Windows 2003 R2 server/domain

thanks
James
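One way to work through the approach Paul describes, as an added example that is not from the thread: it bounds the deletion using the tombstone's whenChanged and then searches every DC's Security log for the matching deletion audit event. It assumes the ActiveDirectory PowerShell module, a placeholder domain example.com with the zone in DomainDnsZones, and Windows Server 2008+ auditing (event ID 5141), since the 2003-era Directory Service Access events the original poster would have differ.

```powershell
# Added example (not from the thread). Bounds when an AD-integrated DNS record
# was deleted using its tombstone, then looks for a matching object-deletion
# audit event on every DC. Assumptions: the ActiveDirectory module, the zone
# lives in DomainDnsZones, placeholder domain example.com, and Windows Server
# 2008+ auditing ("Audit Directory Service Changes" plus a SACL on
# CN=MicrosoftDNS), which logs event ID 5141 "A directory service object was
# deleted". Windows Server 2003 R2 logs the older Directory Service Access
# events instead, so the event ID would differ there.
Import-Module ActiveDirectory

$RecordName = 'server01'                                   # deleted static A record
$ZoneDn     = 'DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com'
$PartDn     = 'DC=DomainDnsZones,DC=example,DC=com'

# 1. Find the tombstoned dnsNode. A deleted object is renamed to
#    "<name>\0ADEL:<guid>" and keeps lastKnownParent, so match on both.
$tombstones = Get-ADObject -IncludeDeletedObjects -SearchBase $PartDn `
    -Filter { objectClass -eq 'dnsNode' -and isDeleted -eq $true } `
    -Properties whenChanged, lastKnownParent |
    Where-Object {
        $_.lastKnownParent -eq $ZoneDn -and
        $_.Name -match ('^' + [regex]::Escape($RecordName) + "`nDEL:")
    }

if (-not $tombstones) { Write-Warning "No tombstone for $RecordName under $ZoneDn"; return }

# 2. whenChanged is not replicated: it is the time the DC you queried applied
#    the deletion, so treat it as a rough window rather than the exact moment.
$window = New-TimeSpan -Hours 2
foreach ($t in $tombstones) {
    "Tombstone {0} changed around {1:u}" -f $t.DistinguishedName, $t.whenChanged
    $start = $t.whenChanged - $window
    $end   = $t.whenChanged + $window

    # 3. Only the DC that performed the deletion logged the audit event, so
    #    every DC's Security log has to be searched.
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 5141; StartTime = $start; EndTime = $end
        }
        foreach ($e in $events) {
            if ($e.Message -notmatch [regex]::Escape($RecordName)) { continue }
            # The Subject section of 5141 names the account that deleted the object.
            $who = if ($e.Message -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '?' }
            "{0}: {1:u} object matching {2} deleted by {3}" -f $dc, $e.TimeCreated, $RecordName, $who
        }
    }
}
```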
Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box
I've done this a couple of times, but on the exchange gateway servers, not on an SBS box. I've never seen SBS.

Anyway, the easiest way to do this is to create a second virtual SMTP server and set it to listen on port 26 (and send on 25). Configure the first virtual server to send on 26 (it's already listening on 25). Then register the sink on the second virtual server. The reason is that most of your clients are MAPI clients, so don't trigger the SMTP sink. If you're using a connector, you need to point the second virtual server at the connector (I think, it's been even longer since I did one where they had an SMTP connector).

I'm afraid I can't give you the scripts as they're at customer sites, etc.

One thing I will say is troubleshooting this is a real pain. On one problem I had Dev Support MSFT people help out. We took it from the bottom up. Unregistered all the sinks (that I'd registered, the VBS script you use to register allows you to view all sinks) and then registered a new one that simply created a text file on the D drive. As you're using VBS, not VB, ensure that you use absolute paths for things like text files, etc. as the script will run and not error without absolute paths but they won't work...

--Paul

- Original Message -
From: Bart Van den Wyngaert [EMAIL PROTECTED]
To: ActiveDir ActiveDir@mail.activedir.org
Sent: Wednesday, August 02, 2006 9:41 PM
Subject: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

Hi guys,

I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box. I'm using the EventSink with a .vbs to add the disclaimer. The box is configured with a default SMTP server and a SMTP connector which forwards all external email to the SMTP of the ISP. Anybody who has done the trick already? If so, can you please tell me the little secret for this?
*g*

Many thanks to all,
Bart
Re: [ActiveDir] OT: SBS question
I've never seen SBS, but my younger brother has just started a new job (first one since leaving Uni) and bought a new server and it came with SBS. When he built it, it appeared he had no choice but to make it a DC, even though he only wanted it as a member server - there's already an SBS box there. Anyway, we didn't know at the time (this was a phone conversation) so I told him to go ahead with the promotion (thinking it was just a stupid Dell wizard) and demote it later. He did this and now it reboots every day.

So, I think I know the answer to this from the tidbits of info I've seen in the groups and forums, etc. but can the 2nd SBS box be added to the domain with the first SBS or does he need to get a k3 Std. license instead? All he wants at this point in time is a SQL and file server. (As you can guess, this is a small company, he's one of three dev guys there).

And, if they wanted to replace the existing SBS box with this new one, how do they go about that if you can't have more than one SBS box? I doubt they want to migrate...

Thanks,
--Paul

- Original Message -
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 3:45 AM
Subject: Re: [ActiveDir] Information about lingering objects in a Windows 2000-based forest or in a Windows Server 2003-based forest:

You know us blondes With barely a twig, let alone a tree in our forest... and I'll have you know this twig is clean installed 2k3 domain (I strongly believe in no inplace even in our twig domains down here).

(and for the record for everyone's trivia tonight while I choose to have a single DC (at this time) ... SBS can support additional DCs in our domain hey.. I've even used ntdsutil and ADSIedit even down here ;-)

Brett Shirley wrote:

Susan, how on earth could _you_ get a lingering object? Seems impossible with only one DC, oh wait did you just forget to delete it?
From The Love,
-B

On Wed, 2 Aug 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

Information about lingering objects in a Windows 2000-based forest or in a Windows Server 2003-based forest: http://support.microsoft.com/?kbid=910205

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest
It might be worth looking at the %systemroot%\system32\schema.ini file again. I just had a poke around in there after reading Dean's answer to your question yesterday and the first section, the [DEFAULTROOTDOMAIN] section is setting nTMixedMode. You can change that to 0 (for native) and try adding mSDS-Behavior-Version and setting it to 2. I don't know if that will work, but you're probably in a position to test this...

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 9:39 AM
Subject: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

According to http://support.microsoft.com/kb/223757/en-us the SetForestVersion entry in the dcpromo answer file can only be used to set FFL to 1 or 0 when building a new forest. Is this correct? I'd like to automate the transition to FFL=2 when building the first DC in a forest (without a script). Perhaps another change request for Longhorn? :)

neil
Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest
Ah nice, you got there before me with a better answer! :P

I'm poking around in there now, as I'm in a similar position to Neil at the mo'.

Question: Can I provide schema.ini as an argument to the promotion or unattended or do I need to mod the default file prior to running the unattended script?

mint-sauce-fearing friend

LOL. Yep. I'm averse to such things as I'm fed up of the damned English, Scottish, Irish, South African and Australian (and there's a damned cheek) meet'g and bleh'g at me... ;-)

- Original Message -
From: Dean Wells
To: Send - AD mailing list
Sent: Thursday, August 03, 2006 1:30 PM
Subject: RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

That's v. close my mint-sauce-fearing friend but it's likely that that will set only the dom. func. level to K3 native (though to be honest I've not tried). So, since forests tend to drag domains with them, functional level wise, (i.e. when a new domain is created within an existing forest), we simply need to tell the forest func. level to seed itself with a value of 2; see my previous post for instructions on how to do that.

--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, August 03, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

It might be worth looking at the %systemroot%\system32\schema.ini file again. I just had a poke around in there after reading Dean's answer to your question yesterday and the first section, the [DEFAULTROOTDOMAIN] section is setting nTMixedMode. You can change that to 0 (for native) and try adding mSDS-Behavior-Version and setting it to 2. I don't know if that will work, but you're probably in a position to test this...
--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 9:39 AM
Subject: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

According to http://support.microsoft.com/kb/223757/en-us the SetForestVersion entry in the dcpromo answer file can only be used to set FFL to 1 or 0 when building a new forest. Is this correct? I'd like to automate the transition to FFL=2 when building the first DC in a forest (without a script). Perhaps another change request for Longhorn? :)

neil
Re: [ActiveDir] Remove Defunct domains..
See kb216498 for the info on the NTDSUTIL cleanup. Basically you need to perform a metadata, DNS and FRS cleanup. That KB details all the necessary steps.

You'd determine the IP address of the workgroup by the 1B and 1C records registered for that name. The domain master browser is performed by the PDCe. A master browser is also elected on a per-subnet basis. Check out the Win2k RK book - TCP/IP core networking guide for more info. There's an appendix on the browser service.

--Paul

- Original Message -
From: HBooGz
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 1:33 PM
Subject: Re: [ActiveDir] Remove Defunct domains..

Thanks Neil - How would one determine the IP of the members of a particular workgroup ? RE: NTDSUTIL - just do a search, that matches the whole string, for the domain name ? and remove accordingly ?

On 8/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Look for 1b and 1c records in WINS for the defunct domain. Remove them and wait for WINS replication. You should also use ntdsutil and remove the redundant AD objects too. You can never stop ppl creating new workgroups - you should be able to determine the IP address of their members however and then track back to individual machines / users.

neil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
Sent: 03 August 2006 03:04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Remove Defunct domains..

hey guys - Yes, i'm using wins. Yes, they are appearing outside of network neighborhood. what exactly would i examine (node type) that would help me pinpoint where these are appearing ? and how to get rid of it ? definitely appears to be a browsing issue ? how can i force who is the "master browser" for the domain ? all workstations are windows 2000 and windows xp i'm also seeing workgroups that should have never been created and i'm now policing against -- any way to rid myself of this or detect where they are being generated ?
Thanks

On 8/2/06, Ayers, Diane [EMAIL PROTECTED] wrote:

dusting off old NT 4.0 sectors

Check your WINS database if you are using WINS. Part of the browsing data comes from WINS and the database will tell you where those records are coming from. You can address it via the hosts if it's coming from there or clean up your WINS db.

Diane

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Wednesday, August 02, 2006 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

That's a browser function not something in AD. There's probably still computers joined to those domains (even though they don't exist) or computers in workgroups with the same names...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove Defunct domains..

You can remove the orphaned domains through NTDSUTIL. Doing a metadata cleanup.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
Sent: Wednesday, August 02, 2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove Defunct domains..

Whenever i browse Network Neighborhood or view the list of available networks, there are a few domains that appear that shouldn't. Is there a way to remove these domain/domain entries manually ? ADSI edit ?

--
HBooGz:\
Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest
For fun, I'm going to respond by saying nothing more than reflecting your point!

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 2:10 PM
Subject: OT: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

LOL. Yep. I'm averse to such things as I'm fed up of the damned English, Scottish, Irish, South African and Australian (and there's a damned cheek) meet'g and bleh'g at me... ;-)

O dear - we'll be seeing posts in Welsh next :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 03 August 2006 13:43
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

Ah nice, you got there before me with a better answer! :P

I'm poking around in there now, as I'm in a similar position to Neil at the mo'.

Question: Can I provide schema.ini as an argument to the promotion or unattended or do I need to mod the default file prior to running the unattended script?

mint-sauce-fearing friend

LOL. Yep. I'm averse to such things as I'm fed up of the damned English, Scottish, Irish, South African and Australian (and there's a damned cheek) meet'g and bleh'g at me... ;-)

- Original Message -
From: Dean Wells
To: Send - AD mailing list
Sent: Thursday, August 03, 2006 1:30 PM
Subject: RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

That's v. close my mint-sauce-fearing friend but it's likely that that will set only the dom. func. level to K3 native (though to be honest I've not tried). So, since forests tend to drag domains with them, functional level wise, (i.e. when a new domain is created within an existing forest), we simply need to tell the forest func. level to seed itself with a value of 2; see my previous post for instructions on how to do that.
--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, August 03, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

It might be worth looking at the %systemroot%\system32\schema.ini file again. I just had a poke around in there after reading Dean's answer to your question yesterday and the first section, the [DEFAULTROOTDOMAIN] section is setting nTMixedMode. You can change that to 0 (for native) and try adding mSDS-Behavior-Version and setting it to 2. I don't know if that will work, but you're probably in a position to test this...

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 9:39 AM
Subject: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

According to http://support.microsoft.com/kb/223757/en-us the SetForestVersion entry in the dcpromo answer file can only be used to set FFL to 1 or 0 when building a new forest. Is this correct? I'd like to automate the transition to FFL=2 when building the first DC in a forest (without a script). Perhaps another change request for Longhorn? :)

neil
Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest
Ha ha. (I don't actually speak Welsh. A friend of mine translated my English sentence into Welsh for that witty reply).

- Original Message -
From: Dean Wells
To: Send - AD mailing list
Sent: Thursday, August 03, 2006 3:25 PM
Subject: RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

Nod, but sfkds sdkfk skdwpoe cdof slkap d dkds y dlsdk lspw dod sfd qwpw slla dsk ccdpow yours too.

--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, August 03, 2006 9:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

For fun, I'm going to respond by saying nothing more than reflecting your point!

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 2:10 PM
Subject: OT: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

LOL. Yep. I'm averse to such things as I'm fed up of the damned English, Scottish, Irish, South African and Australian (and there's a damned cheek) meet'g and bleh'g at me... ;-)

O dear - we'll be seeing posts in Welsh next :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: 03 August 2006 13:43
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

Ah nice, you got there before me with a better answer! :P

I'm poking around in there now, as I'm in a similar position to Neil at the mo'.

Question: Can I provide schema.ini as an argument to the promotion or unattended or do I need to mod the default file prior to running the unattended script?

mint-sauce-fearing friend

LOL. Yep.
I'm averse to such things as I'm fed up of the damned English, Scottish, Irish, South African and Australian (and there's a damned cheek) meet'g and bleh'g at me... ;-)

- Original Message -
From: Dean Wells
To: Send - AD mailing list
Sent: Thursday, August 03, 2006 1:30 PM
Subject: RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

That's v. close my mint-sauce-fearing friend but it's likely that that will set only the dom. func. level to K3 native (though to be honest I've not tried). So, since forests tend to drag domains with them, functional level wise, (i.e. when a new domain is created within an existing forest), we simply need to tell the forest func. level to seed itself with a value of 2; see my previous post for instructions on how to do that.

--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, August 03, 2006 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

It might be worth looking at the %systemroot%\system32\schema.ini file again. I just had a poke around in there after reading Dean's answer to your question yesterday and the first section, the [DEFAULTROOTDOMAIN] section is setting nTMixedMode. You can change that to 0 (for native) and try adding mSDS-Behavior-Version and setting it to 2. I don't know if that will work, but you're probably in a position to test this...

--Paul

- Original Message -
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 9:39 AM
Subject: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

According to http://support.microsoft.com/kb/223757/en-us the SetForestVersion entry in the dcpromo answer file can only be used to set FFL to 1 or 0 when building a new forest. Is this