Re: [ActiveDir] remove orphan DC from the domain

2007-01-26 Thread Paul Williams
 If the DC that died had FSMO roles, you need to seize them (check which 
DC had FSMO roles with -- NETDOM QUERY FSMO)


This step is no longer necessary in k3 SP1.  NTDSUTIL does it for you.  If I 
remember correctly, it tries a XFER and then does a Seize (as that's the 
logic for the Seize anyway).


I believe this was added in SP1.


--Paul

- Original Message - 
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 7:05 AM
Subject: RE: [ActiveDir] remove orphan DC from the domain


I forgot to mention:

* If the DC that died had FSMO roles, you need to seize them (check which DC 
had FSMO roles with -- NETDOM QUERY FSMO)
* DNS records are NOT removed by the NTDSUTIL. Must be done manually or wait 
if you have aging/scavenging enabled


Also make sure the GC role and DNS roles are hosted by other computers (other 
DCs)


Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 01:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain



Thanks for your logic. I hope that on the remaining DCs it will be done 
automatically.




Regards,



Senthil





From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de

Sent: Friday, January 26, 2007 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain



the AD metadata cleanup is nothing more than removal/deletion of objects 
that belong to a DC that is not live anymore. Just like other object 
deletions (user, group, etc.) the deletions will replicate to other DCs 
(assuming replication is working fine) that host the same partitions from 
which the objects were removed. Because of that you only need to target ONE 
live DC in the same domain when using NTDSUTIL.




Imagine a domain with 1000 DCs. It would be a PITA to clean up the AD 
metadata of one of the DCs on the other 999 DCs... ;-))









From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 00:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain

Hi,



We already had 3 DCs in our network. Suddenly one DC went down permanently. 
It won't come back live. Right now we want to remove that orphan DC 
completely. I have seen the Microsoft article:




1. Click Start, point to Programs, point to Accessories, and then click 
   Command Prompt.

2. At the command prompt, type ntdsutil, and then press ENTER.

3. Type metadata cleanup, and then press ENTER. Based on the options given, 
   the administrator can perform the removal, but additional configuration 
   parameters must be specified before the removal can occur.

4. Type connections and press ENTER. This menu is used to connect to the 
   specific server where the changes occur. If the currently logged on user 
   does not have administrative permissions, different credentials can be 
   supplied by specifying the credentials to use before making the 
   connection. To do this, type set creds DomainName UserName Password, and 
   then press ENTER. For a null password, type null for the password 
   parameter.

5. Type connect to server servername, and then press ENTER. You should 
   receive confirmation that the connection is successfully established. If 
   an error occurs, verify that the domain controller being used in the 
   connection is available and the credentials you supplied have 
   administrative permissions on the server.

   Note: If you try to connect to the same server that you want to delete, 
   when you try to delete the server that step 15 refers to, you may receive 
   the following error message:

   Error 2094. The DSA Object cannot be deleted 0x2094

6. Type quit, and then press ENTER. The Metadata Cleanup menu appears.

7. Type select operation target and press ENTER.

8. Type list domains and press ENTER. A list of domains in the forest is 
   displayed, each with an associated number.

9. Type select domain number and press ENTER, where number is the number 
   associated with the domain the server you are removing is a member of. 
   The domain you select is used to determine whether the server being 
   removed is the last domain controller of that domain.

10. Type list sites and press ENTER. A list of sites, each with an associated 
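The replies above leave two things to verify by hand once a dead DC has been cleaned up: whether a FSMO role owner still points at the deleted NTDS Settings object (Paul's transfer-then-seize point), and which _msdcs SRV records still advertise the dead DC (Jorge's point that NTDSUTIL never touches DNS). The following PowerShell audit is added here and is not part of the thread or of the quoted Microsoft article; it only reads the directory and DNS, and assumes PowerShell 3 or later on a domain-joined host with the DnsClient module (Resolve-DnsName).

```powershell
# Added example: read-only audit for leftovers of an orphaned DC.
# Assumes: domain-joined host, PowerShell 3+, DnsClient module (Resolve-DnsName).
# Uses plain ADSI, so no RSAT module is required.

function Get-LiveDomainControllers {
    # Every DC owns an nTDSDSA ("NTDS Settings") object under CN=Sites in the
    # configuration partition. Metadata cleanup deletes exactly this object, so
    # the surviving nTDSDSA objects are the authoritative list of live DCs.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $searcher = [adsisearcher]'(objectClass=nTDSDSA)'
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNc"
    $searcher.PageSize   = 500
    foreach ($result in $searcher.FindAll()) {
        # The parent "server" object carries the DC's DNS host name.
        $ntdsDn   = [string]($result.Properties['distinguishedname'][0])
        $serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
        [string]([ADSI]"LDAP://$serverDn").dNSHostName
    }
}

function Get-FsmoOwnerStatus {
    # fSMORoleOwner on each role-holding object is the DN of the owner's NTDS
    # Settings object. When that object has been deleted (the DC died and its
    # metadata was removed), the DN points at the tombstone, whose RDN carries
    # "\0ADEL:<guid>". Such a role has to be seized, as Paul describes.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNc = [string]$rootDse.defaultNamingContext
    $configNc = [string]$rootDse.configurationNamingContext
    $schemaNc = [string]$rootDse.schemaNamingContext
    $roleObjects = [ordered]@{
        'PDC Emulator'         = "LDAP://$domainNc"
        'RID Master'           = "LDAP://CN=RID Manager`$,CN=System,$domainNc"
        'Infrastructure'       = "LDAP://CN=Infrastructure,$domainNc"
        'Schema Master'        = "LDAP://$schemaNc"
        'Domain Naming Master' = "LDAP://CN=Partitions,$configNc"
    }
    foreach ($role in $roleObjects.Keys) {
        $owner = [string]([ADSI]$roleObjects[$role]).fSMORoleOwner
        [pscustomobject]@{
            Role         = $role
            OwnerNtdsDn  = $owner
            NeedsSeizure = ($owner -match '0ADEL:')
        }
    }
}

function Get-StaleDcSrvRecords {
    param([string[]]$LiveDcs = (Get-LiveDomainControllers))
    # Turn DC=corp,DC=example,DC=com into corp.example.com.
    $domainNc  = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $dnsDomain = ($domainNc -replace '^DC=', '') -replace ',DC=', '.'
    # Every DC registers itself here. NTDSUTIL never removes these records, and
    # until aging/scavenging (or an admin) deletes them, clients keep being
    # pointed at a DC that no longer exists.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$dnsDomain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' -and $LiveDcs -notcontains $_.NameTarget.TrimEnd('.') } |
        Select-Object Name, NameTarget, Port
}

# Roles still owned by a deleted NTDS Settings object, then leftover SRV records.
Get-FsmoOwnerStatus   | Format-Table -AutoSize
Get-StaleDcSrvRecords | Format-Table -AutoSize
```

Run it against any live DC in the domain; the metadata deletions replicate, so the role and SRV findings are the same wherever you ask.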

Re: RE : Re: [ActiveDir] remove orphan DC from the domain

2007-01-26 Thread Paul Williams

SP level doesn't matter when performing a seizure using NTDSUTIL.

I was referring to the fact that NTDSUTIL, as of k3 SP1, automatically tries 
to transfer and seize when you metadata cleanup.



--Paul

- Original Message - 
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
[EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, January 26, 2007 9:05 AM
Subject: Re: RE : Re: [ActiveDir] remove orphan DC from the domain


Just what it says... it first attempts to transfer the FSMO roles from the 
one to the other...and it if can't find the proper DC.. it merely seizes 
the roles.


It tries to negotiate politely with the role holder.. and if there is none 
for it to argue with it says fine... I'm taking the roles.


I'm not sure sp1 matters does it?
http://support.microsoft.com/kb/255504

Yann wrote:

Really?
 That is very interesting... Could you develop this statement please? 
What is a XFER?
When you say it does a seize, does that mean it chooses a DC nearby and 
performs a seizure *automatically*?

 Thanks,
 Yann

*/Paul Williams [EMAIL PROTECTED]/* wrote:

 If the DC that died had FSMO roles, you need to seize them
(check which
 DC had FSMO roles with -- NETDOM QUERY FSMO)

This step is no longer necessary in k3 SP1. NTDSUTIL does it for
you. If I
remember correctly, it tries a XFER and then does a Seize (as
that's the
logic for the Seize anyway).

I believe this was added in SP1.


--Paul


Re: Re: [ActiveDir] remove orphan DC from the domain

2007-01-26 Thread Paul Williams
XFER = Short for transfer.  Sorry, I abbreviate most things.

Basically, in k3 SP1, if you run the metadata cleanup command on a dead DC that 
holds FSMO roles, the process will seize the roles to another server.  I'm not 
sure of the exact logic for the choice of server, IIRC it's something like 
local (site) and GC (unless it's the IM).  Dmitri, Brett, Eric, Dean or Joe can 
clarify the logic.

I would imagine it's using the same underlying code as the Seize option 
elsewhere with the tool, therefore it will try a TRANSFER first and only SEIZE 
if the transfer fails.

http://technet2.microsoft.com/WindowsServer/en/library/819bea8b-3889-4479-850f-1f031087693d1033.mspx?mfr=true


--Paul


  - Original Message - 
  From: Yann 
  To: ActiveDir@mail.activedir.org 
  Sent: Friday, January 26, 2007 8:43 AM
  Subject: RE : Re: [ActiveDir] remove orphan DC from the domain


  Really?

  That is very interesting... Could you develop this statement please? What 
is a XFER?
  When you say it does a seize, does that mean it chooses a DC nearby and 
performs a seizure *automatically*?

  Thanks,

  Yann

  Paul Williams [EMAIL PROTECTED] wrote:
 If the DC that died had FSMO roles, you need to seize them (check which 
 DC had FSMO roles with -- NETDOM QUERY FSMO)

This step is no longer necessary in k3 SP1. NTDSUTIL does it for you. If I 
remember correctly, it tries a XFER and then does a Seize (as that's the 
logic for the Seize anyway).

I believe this was added in SP1.


--Paul


Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

2007-01-25 Thread Paul Williams
You can register records like this by messing up a reverse lookup record 
addition using DNSCMD.

--Paul


  - Original Message - 
  From: EIS Lists 
  To: ActiveDir@mail.activedir.org 
  Sent: Wednesday, January 24, 2007 9:28 PM
  Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone


  Thanks, all. Ulf, your explanation was great! I am sure someone 
(probably me!) just typed a .1 in some setting on the printer and allowed it to 
register in DNS. 

   

  Many thanks.

   

  -- nme

   

  Noah Eiger

   



  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. 
Simon-Weidner
  Sent: Wednesday, January 24, 2007 12:29 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

   

  Just 9:30 pm here, so not really late.

   

  Many are mixing up the zones with the DNS-Subdomains or whatever they are 
actually called. But in this case he even had it right, he said that under the 
domain zone he has the _*-folders as well as a folder 1. I had to reread 
too ;-)

   

  How are things? See you in March?

   

  Gruesse - Sincerely, 

  Ulf B. Simon-Weidner 

Profile  Publications:   
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D   
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

   

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: Wednesday, 24 January 2007 21:17
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

   

  That's what I would expect.  But since the original poster called it a zone 
I figured I'd ask. What are you doing up so late? :)

  On 1/24/07, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

  No Zone - no properties ;-)

   

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: Wednesday, 24 January 2007 20:24
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] [OT] Odd Folder under Forward Lookup Zone

   

  What are properties of the 1 zone? 

  On 1/24/07, EIS Lists [EMAIL PROTECTED] wrote:

  Hi -



  Under one of our forward lookup zones (AD-integrated), we have the usual
  folders (_msdcs, _sites, _tcp, _udp, DomainDnsZones, ForestDnsZones) as well
  as a single folder just named: "1" (without the quotes). There is a single 
  A-record under it for one of our printers.



  Any idea what this folder is?



  Thanks.



  -- nme





   

   


Re: [ActiveDir] Upgrading W2K3 standard to enterprise edition

2007-01-18 Thread Paul Williams
Yeah, you can upgrade std. to ent.

One of my implementation guys accidentally built a load of boxes for me as Std., 
so I got him to upgrade them to Ent.

Worked fine.  He did have issues doing this on a different project where there 
was a stupidly small C partition though (4GB I think).  I think Ent. needs more 
room, or at least it does if you're using HPs server installation CDROM...


--Paul


  - Original Message - 
  From: [EMAIL PROTECTED] 
  To: ActiveDir@mail.activedir.org 
  Sent: Thursday, January 18, 2007 11:38 AM
  Subject: [ActiveDir] Upgrading W2K3 standard to enterprise edition


  I remember there being a simple upgrade from nt4 standard to nt4 enterprise 
but don't remember reading of any similar upgrade path for w2k.

  Apparently such an upgrade path *does* now exist once again, for w2k3 
(including the R2 edition). 

  Can anyone confirm or deny that such an upgrade is possible? 

  Thanks, 
  neil 

  PLEASE READ: The information contained in this email is confidential and 
  intended for the named recipient(s) only. If you are not an intended 
  recipient of this email please notify the sender immediately and delete your 
  copy from your system. You must not copy, distribute or take any further 
  action in reliance on it. Email is not a secure method of communication and 
  Nomura International plc ('NIplc') will not, to the extent permitted by law, 
  accept responsibility or liability for (a) the accuracy or completeness of, 
  or (b) the presence of any virus, worm or similar malicious or disabling 
  code in, this message or any attachment(s) to it. If verification of this 
  email is sought then please request a hard copy. Unless otherwise stated 
  this email: (1) is not, and should not be treated or relied upon as, 
  investment research; (2) contains views or opinions that are solely those of 
  the author and do not necessarily represent those of NIplc; (3) is intended 
  for informational purposes only and is not a recommendation, solicitation or 
  offer to buy or sell securities or related financial instruments. NIplc 
  does not provide investment services to private customers. Authorised and 
  regulated by the Financial Services Authority. Registered in England 
  no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, 
  London, EC1A 4NP. A member of the Nomura group of companies. 

Re: [ActiveDir] Upgrading W2K3 standard to enterprise edition

2007-01-18 Thread Paul Williams
Well, the length of time depends 
on the type of build used, and the components installed.  As an example, on the 
last project I worked on we used OpsWare to deploy standard servers based on a 
number of templates.  A Windows server that matched our default build, took 
closer to two hours, due to the number of post-installation scripts and 
customisations.  We use HP Radia now, and again, with a relatively standard 
build table this is usually closer to two hours than one.

In any environment where allowed, scripted builds should always be favoured 
over manual.  The percentage of 100% successfully completed manual builds, when 
there's a large number of instructions, is very, very few indeed.

Also, if we're talking a branch office site, it's probably much easier to 
upgrade out there (and maintain applications and settings) then bring back to 
the data centre and rebuild and then take back out to the branch.

Although many enterprises have the facilities to perform bare metal builds at 
the branch, there are always smaller sites whereby there's a factor to stop 
this, which ultimately results in the server needing to be returned to one of 
the staging areas.


--Paul


  - Original Message - 
  From: Ziots, Edward 
  To: ActiveDir@mail.activedir.org 
  Sent: Thursday, January 18, 2007 2:22 PM
  Subject: RE: [ActiveDir] Upgrading W2K3 standard to enterprise edition


  Yes it does work, I have done a few on HP/Compaq here, as a test, but it's not 
a standard practice; if it's built wrong, just wipe it, and a rebuild only takes 
an hour max. 

  Z

  Edward E. Ziots 
  Network Engineer 
  Lifespan Organization 
  MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security + 
  email:[EMAIL PROTECTED] 
  cell:401-639-3505 





  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
  Sent: Thursday, January 18, 2007 9:13 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Upgrading W2K3 standard to enterprise edition


  Yeah, you can upgrade std. to ent.

  One of my implementation guys accidentally built a load of boxes for me as 
Std., so I got him to upgrade them to Ent.

  Worked fine.  He did have issues doing this on a different project where 
there was a stupidly small C partition though (4GB I think).  I think Ent. 
needs more room, or at least it does if you're using HPs server installation 
CDROM...


  --Paul



Re: [ActiveDir] Upgrading W2K3 standard to enterprise edition

2007-01-18 Thread Paul Williams
HP Open View Radia is HP's 
enterprise systems management product.  It's like OpsWare.

It's not a replacement for Smart Start.

I've had a quick look on HP's site for you, but can't find it, which suggests 
the name's changed again...   :P


--Paul


  - Original Message - 
  From: Ziots, Edward 
  To: ActiveDir@mail.activedir.org 
  Sent: Thursday, January 18, 2007 3:34 PM
  Subject: RE: [ActiveDir] Upgrading W2K3 standard to enterprise edition


  Humm, Radia, you got the info on that? Is that the next version of their Smart 
Start Scripting toolkit? I heard of Opsware but never used it. I do the server 
builds and it usually only takes about 1-2 hrs for a bare-metal build and needed 
customizations (patches, AV, registry updates, and security templates). 

  Z

  Edward E. Ziots 
  Network Engineer 
  Lifespan Organization 
  MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security + 
  email:[EMAIL PROTECTED] 
  cell:401-639-3505 





  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
  Sent: Thursday, January 18, 2007 10:26 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Upgrading W2K3 standard to enterprise edition


  Well, the length of time depends on the type of build used, and the 
components installed.  As an example, on the last project I worked on we used 
OpsWare to deploy standard servers based on a number of templates.  A Windows 
server that matched our default build, took closer to two hours, due to the 
number of post-installation scripts and customisations.  We use HP Radia now, 
and again, with a relatively standard build table this is usually closer to two 
hours than one.

  In any environment where allowed, scripted builds should always be favoured 
over manual.  The percentage of 100% successfully completed manual builds, when 
there's a large number of instructions, is very, very few indeed.

  Also, if we're talking a branch office site, it's probably much easier to 
upgrade out there (and maintain applications and settings) then bring back to 
the data centre and rebuild and then take back out to the branch.

  Although many enterprises have the facilities to perform bare metal builds at 
the branch, there are always smaller sites whereby there's a factor to stop 
this, which ultimately results in the server needing to be returned to one of 
the staging areas.


  --Paul



Re: RE: [ActiveDir] SID Deleted users remains in NTS permission.

2007-01-04 Thread Paul Williams
The ACEs in the ACL on the file server are maintained by the LSA on that 
server.  ACLs on member servers are nothing to do with AD really.  AD is used 
to verify the SIDs in the ACLs when necessary, but it's the local LSA that's 
doing the authorisation (based on the information in one's security token which 
AD participates in generating).

Managing the ACLs is the client's job, not the DC's job.  I don't see this 
changing in the future.  It would be far too complex and expensive to have the 
DCs manage this kind of stuff.  The whole MSFT client-server design is based on 
the client systems doing most of the leg work.  Clients always use servers.  
Servers don't use clients.


--Paul


  - Original Message - 
  From: Yann 
  To: ActiveDir@mail.activedir.org 
  Sent: Thursday, January 04, 2007 10:35 AM
  Subject: RE : RE: [ActiveDir] SID Deleted users remains in NTS permission.


  Thanks for replying.

  You say that it is normal that the SID still remains in file & directory ACLs 
after the deletion of the corresponding group??

  I always thought that SIDs *HAVE TO* disappear dynamically on all existing 
ACLs set on the file server.
  I'm a bit surprised that the system (AD-file server) leaves this dirty SID 
and that there is no synchronisation that updates the link between the AD 
object and the ACE.

  What is the reason? Could this behavior be altered?

  I'd like the SID to disappear after deletion of the corresponding group in AD in 
order to not have these dirty SIDs...

  Thanks.

  Yann


  Akomolafe, Deji [EMAIL PROTECTED] wrote:
It's normal. You should be permissioning your resources with groups 
instead of directly with user accounts. Groups tend to last longer, so you 
don't have to deal with the horrible SIDs.


Sincerely, 
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about 
Yesterday? -anon



From: Yann
Sent: Thu 1/4/2007 1:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SID Deleted users remains in NTS permission.


Hello all & Happy new year! :)

AD 2k3 sp1 in FFL mode.

When I delete a user or group from AD, and these objects have NTFS 
permissions, I usually see their SIDs remaining in those file & 
directory ACLs.

Is this normal? If not, what could be the reason(s) & how to investigate 
this issue?

Thanks,

Yann


__
Do You Yahoo!?
Done with spam? Yahoo! Mail offers you the best possible protection 
against unsolicited messages 
http://mail.yahoo.fr Yahoo! Mail 


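Paul's point is that the file server's own LSA holds the ACLs and nothing in AD prunes them, so finding the leftover SIDs Yann describes is a job to run on the member server. The following PowerShell audit is added here and is not part of the thread: it walks a file tree and reports ACEs whose SID no longer maps to an account, rethrowing on any other lookup failure so that an unreachable DC is not mistaken for a thousand orphans. It assumes PowerShell 3 or later and a reachable domain controller for the SID lookups; the share path in the last line is a constructed placeholder.

```powershell
# Added example: report ACEs whose SID no longer resolves to an account, read-only.
# Assumes: PowerShell 3+, a reachable DC so domain SIDs can be looked up.

function Get-OrphanedAces {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$Recurse
    )
    $root  = Get-Item -LiteralPath $Path
    $items = @($root)
    if ($Recurse) {
        $items += @(Get-ChildItem -LiteralPath $root.FullName -Recurse -Force -ErrorAction SilentlyContinue)
    }
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # access denied or gone: nothing to report
        # Inherited ACEs are only examined on the root item; below it they would
        # repeat the same finding on every child.
        $includeInherited = ($item.FullName -eq $root.FullName)
        # Ask for raw SIDs so the name lookup (and its failure) is ours to handle.
        $rules = $acl.GetAccessRules($true, $includeInherited, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference
            # Capability SIDs (S-1-15-3-...) never resolve to a name by design.
            if ($sid.Value -like 'S-1-15-3-*') { continue }
            try {
                $null = $sid.Translate([System.Security.Principal.NTAccount])
            } catch {
                $ex = $_.Exception
                if ($ex -is [System.Management.Automation.MethodInvocationException]) { $ex = $ex.InnerException }
                # Only "no account behind this SID" is an orphan; anything else
                # (no DC reachable, broken trust) must surface, not be reported as one.
                if ($ex -isnot [System.Security.Principal.IdentityNotMappedException]) { throw }
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $sid.Value
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Constructed placeholder path; point it at the share you want audited.
Get-OrphanedAces -Path 'D:\Shares\Finance' -Recurse | Format-Table -AutoSize
```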


Re: [ActiveDir] do I have to choose between intra-site replication speeds or dc based on site?

2007-01-04 Thread Paul Williams
Yes.  Enabling inter-site change notifications essentially means that you have 
intra-site replication occurring over a site link.  The only real difference is 
that bridgeheads are still used.  

Basically, when a DC receives a change, a notification is generated and sent to 
its downstream partners.  By default, notifications are only sent to adjacent 
DCs within the same site.  When you enable change notifications on a site link, 
notifications are forwarded over the site link by the local bridgeheads.  This 
means that any change will have replicated from the local bridgehead to the 
remote bridgehead within ~30 seconds.  So, a change should have propagated 
across the site in question in under a minute.

Obviously, this puts a little extra load on the BHs, and more frequent amounts 
of traffic on the cross-site links.  If the links are more than 2Mbps and the 
BHs aren't dying under the load, it will be OK to enable this, but you should 
monitor the usual CPU and disk queues to be sure.  If the BHs are really old, 
or you have slow lines then you might want to do additional testing and/or 
reconsider.


--Paul


  - Original Message - 
  From: Anders Blomgren 
  To: ActiveDir@mail.activedir.org 
  Sent: Thursday, January 04, 2007 1:11 AM
  Subject: Re: [ActiveDir] do I have to choose between intra-site replication 
speeds or dc based on site?


  Does change notification add anything else than account lockouts to the 
table? I was hoping for some way to add the whole shebang or at least something 
that encompasses most daily administrative tasks.

  Regards,
  Anders

   
  On 1/4/07, Roger Longden [EMAIL PROTECTED] wrote: 
You can enable change notification on the site links between the sites in 
question to allow them to replicate as if they are in the same site.  This has 
the nice benefit in that you can have separate sites for authentication, SMS, 
Exchange, etc. purposes while allowing the DCs to replicate (AD replication only; 
FRS replication is not impacted) in a more timely manner.  The link below 
contains some instructions on enabling the option.  Briefly, you modify the 
options attribute on the site link.  Specifically for change notification 
it's as simple as adding 1 to whatever the current value is.  It's not 
set by default.  The change is dynamic; just wait for replication of the 
change and the KCC to run on both ends.  Especially for environments like what 
you seem to be describing, change notification between sites is a common 
configuration. 




http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part2/adogdapb.mspx#EY6AI



 - Roger





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anders 
Blomgren
Sent: Wednesday, January 03, 2007 6:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] do I have to choose between intra-site replication 
speeds or dc based on site?



Hi,



We have several different locations, all very well connected (min 100Mbit). 
Each location has a DC. Right now, each location is its own site so that the 
users connect to their local DC. This has the (in my case) disadvantage of 
limiting the replication schedule to a minimum of 15 minutes. Our network would 
have no difficulty handling intra-site replication, but is there a way to make 
sure users connect to their geographically closest DC, including DFS? 

Yes, I want to have my cake and eat it. But can it be done?



Regards,

Anders




Re: RE: [ActiveDir] finding users that password never expire.

2007-01-04 Thread Paul Williams
The equals operator is looking for an exact match.  As userAccountControl is a 
bitwise attribute (each bit represents an option) then in many cases it won't 
be 65536.  Using the logical AND matching rule (1.2.840.113556.1.4.803) means 
that it checks the bit in question, regardless of what other bits are set.

As for how you use the AND matching rule, you actually write it as 
identifier:matching rule:=value 

e.g. 

(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))

More info. here:
 -- http://msdn2.microsoft.com/en-us/library/aa746475.aspx


--Paul


  - Original Message - 
  From: Yann 
  To: ActiveDir@mail.activedir.org 
  Sent: Monday, October 09, 2006 6:24 PM
  Subject: RE : RE: [ActiveDir] finding users that password never expire.


  Yes!  Thanks, that works so well!! :o)

  But I have many questions..
  What is the difference between the query userAccountControl=65536 and 
(userAccountControl:1.2.840.113556.1.4.803:=65536)? 
  Why couldn't I find any results with my first query?
  And how do you construct the :1.2.840.113556.1.4.803: part of the LDAP 
query??

  Thanks for your answer :)

  Yann


  Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
to search for accounts that HAVE the option DONT_EXPIRE_PASSWORD enabled
ADFIND -bit -default -f 
(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=65536))

and to use it with a saved query use as the LDAP filter:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

with joe's ADFIND you can just specify AND or OR without the need to know 
the OID
OR is by the way: 1.2.840.113556.1.4.804

for the other values see:
MS-KBQ305144_How to Use the UserAccountControl Flags to Manipulate User 
Account Properties

jorge


--
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
  Sent: Monday, October 09, 2006 17:44
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] finding users that password never expire.


  Hello all,

  I had to dump from AD all users whose password never expires.
  I used the saved queries with this custom LDAP query:
  useraccountcontrol=66048 which corresponds to the NORMAL_ACCOUNT & 
DONT_EXPIRE_PASSWORD property flags.
  BUT I found that this search was not complete, because some users have 
other property flags such as 
  UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or 
UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | 
UF_NOT_DELEGATED ... :(

  So the question is:
  How to search for user accounts that have at least the 
DONT_EXPIRE_PASSWORD property flag set in their useraccountcontrol?
  Is there a way to do it with a custom LDAP query?

  Thanks,

  Yann

--
  Discover a new way to ask all your questions, whatever the 
subject! Yahoo! Questions/Réponses, to share your knowledge, your opinions 
and your experiences. Click here. 



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.




--
  Discover a new way to get answers to all your questions! 
Ask those who know on Yahoo! Questions/Réponses.
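The three filter forms discussed in this thread (plain equality, the bitwise AND rule 1.2.840.113556.1.4.803 that adfind spells AND, and the OR rule 1.2.840.113556.1.4.804) can be checked without a domain controller by evaluating them locally against userAccountControl values. The Python below is an added example, not code from the list, from adfind or from Microsoft; the account names and flag combinations are constructed, and the flag constants are the KB305144 values named in the thread.

```python
"""Exact match vs. bitwise matching rules on userAccountControl.

Added example (not from the ActiveDir list thread). It parses the filter
items discussed above and evaluates them against constructed accounts, so
the difference between '=65536' and ':1.2.840.113556.1.4.803:=65536' is
visible without querying a domain controller.
"""
import re

# userAccountControl flag bits (the KB305144 values referenced in the thread)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_NOT_DELEGATED = 0x100000

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # all bits of value set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # any bit of value set
ADFIND_ALIASES = {"AND": LDAP_MATCHING_RULE_BIT_AND, "OR": LDAP_MATCHING_RULE_BIT_OR}

# Constructed sample accounts: (sAMAccountName, userAccountControl)
SAMPLE_ACCOUNTS = [
    ("alice", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),                   # 66048
    ("bob", UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),  # 66050
    ("carol", UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT
              | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED),
    ("dave", UF_NORMAL_ACCOUNT),                                            # 512
    ("svc-old", UF_DONT_EXPIRE_PASSWD),                                     # exactly 65536
]

# (attr=value) or (attr:rule:=value); rule is an OID or an adfind alias
_ITEM = re.compile(r"^\(?(\w+)(?::([\d.]+|AND|OR):)?=(\d+)\)?$")


def parse_item(item):
    """Split one filter item into (attribute, matching-rule OID or None, int value)."""
    m = _ITEM.match(item.strip())
    if not m:
        raise ValueError(f"unsupported filter item: {item}")
    attr, rule, value = m.group(1), m.group(2), int(m.group(3))
    return attr, ADFIND_ALIASES.get(rule, rule), value


def matches(uac, rule, value):
    """Apply the comparison semantics a DC uses for each of the three forms."""
    if rule is None:                              # plain equality: the whole integer
        return uac == value
    if rule == LDAP_MATCHING_RULE_BIT_AND:        # every bit of value must be set
        return (uac & value) == value
    if rule == LDAP_MATCHING_RULE_BIT_OR:         # at least one bit of value is set
        return (uac & value) != 0
    raise ValueError(f"unknown matching rule {rule}")


def search(accounts, item):
    """Return the sAMAccountNames whose userAccountControl satisfies the item."""
    attr, rule, value = parse_item(item)
    if attr.lower() != "useraccountcontrol":
        raise ValueError(f"this evaluator only handles userAccountControl, got {attr}")
    return [name for name, uac in accounts if matches(uac, rule, value)]


def build_filter(flag, rule=LDAP_MATCHING_RULE_BIT_AND):
    """Build the saved-query filter form quoted in the thread for one flag bit."""
    return (f"(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{rule}:={flag}))")


if __name__ == "__main__":
    for item in ("(userAccountControl=65536)",
                 "(userAccountControl=66048)",
                 "(userAccountControl:1.2.840.113556.1.4.803:=65536)",
                 "(userAccountControl:AND:=65536)"):
        print(f"{item:55} -> {search(SAMPLE_ACCOUNTS, item)}")
    print(build_filter(UF_DONT_EXPIRE_PASSWD))
```

Running it shows why the exact-match query found only accounts whose entire userAccountControl happened to be 65536, while the AND rule finds every account with that one bit set regardless of the other flags; the OR rule is the same idea for "any of these bits".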

Re: [ActiveDir] Windows 2000 domain

2007-01-04 Thread Paul Williams
If you're talking about group nesting, the mode of the domain limits some of 
the potential configurations.  Check to see whether or not you're in mixed 
mode.  If you are, nesting is limited and you can't have universal groups. 
If you're in native, what group can't you place into what group?  Please 
define the scope of each group, e.g. domain local or global or universal.



--Paul

- Original Message - 
From: Karsten Aarhus [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, January 04, 2007 1:58 PM
Subject: [ActiveDir] Windows 2000 domain



Dear all,

I have a problem I have never faced before.

In my Windows 2000 domain I would like to join a security group to a
group but the system will not let me.
I can see that if I choose to join a distribution group instead there is no
problem at all?

The system is a Small Business 2000 server

What can be the problem and how do I solve this so I can join the
security group instead?

Regards

Karsten Aarhus
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx 




Re: RE: [ActiveDir] SID Deleted users remains in NTS permission.

2007-01-04 Thread Paul Williams
Because it's not managed by the DS.  The SID as you refer to it is actually an 
ACE.  The ACE is an item that makes up the DACL which makes up the ACL.  This 
is managed locally by the member server.  Windows itself.  The LSA.  It's far 
too expensive and problematic with the current design for this to auto-manage 
itself.  Re-read Joe's post.  

The DS doesn't know or care where a security principal is referenced as an ACE 
in an ACL.  And the computer in question shouldn't really auto-prune the ACEs 
based on a rule or two...


--Paul


  - Original Message - 
  From: Haritwal, Dhiraj 
  To: ActiveDir@mail.activedir.org 
  Sent: Thursday, January 04, 2007 3:18 PM
  Subject: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.


  But still the actual discussion is pending. If someone has a single 
folder which is mapped to a single user, then in that case how can we use groups? 
And suppose tomorrow this user leaves the organization and his account gets deleted; 
the SID will appear in the permissions of that folder. If I am not wrong, the actual 
discussion was why the SID appears after deleting an account, and why it's not 
deleted automatically.

   

   

  Dhiraj Haritwal

   

   


--

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Thursday, January 04, 2007 7:18 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.

   

  Not sure why this surprises you. The ACLs are not maintained by AD nor the SAM 
where the user accounts exist which means you either get to poll or put some 
form of notification system in process. Consider also the case of trusted 
security principals, systems don't get a notification when a trusted system 
deletes a security principal. 

   

  Here are just a couple of the bad things that could happen if the machines 
were responsible for cleaning up those SIDs

   

  1. Overhead. Do you know the sheer number of Security Descriptors that are on 
any given system? You are just thinking of file Security Descriptors but there 
are Security Descriptors on many many different securable objects. I have 
published the list of items I at least know about to this list on a couple of 
occasions and the different types of objects alone is double digits let alone 
the actual instances of those objects. Consider a file system with hundreds of 
thousands or millions of Security Descriptors with really long ACL chains. You 
could have a scavenger thread running 24x7 in idle mode (you wouldn't want it 
higher as it would eat up CPU and that would be a different complaint) just 
constantly walking the ACLs and verifying them. 

   

  2. Mistakes. Since we don't have a change notification capability for deleted 
security principals, and quite honestly you wouldn't (could you imagine 300,000 
machines registering with every domain in your forest for change notifications 
of security principal changes) so that leaves polling and let's say you have a 
temporary network glitch that makes a SID unresolvable to a friendly name... Do 
you then just start stripping the SIDs from the ACLs because a name can't be 
resolved once, twice, three times? What about when an account gets undeleted or 
restored because it was accidentally deleted for an hour?

   

  I can think of even more bad things but don't have the time to write about 
them. If you want to, think through how you would build an application to do 
what you are suggesting. It is always a good thought exercise before being 
surprised at what MSFT has done. Keep in mind they are a collection of really 
bright programmers that often have to work in committee, they aren't 
necessarily miracle workers.

   

  Could this be done? Maybe. I think I could visualize mechanisms to possibly 
help here but would really have to think it through even more than I have and I 
have thought a lot about things like this... But it would take serious rework 
with how security is implemented on Windows and I would be quite fearful of the 
scaling capabilities. The Windows security system is difficult to work with and 
can be quite a pain but it is extremely flexible and powerful at the same time. 
I have started and stopped several times to write all inclusive security 
tracking tools, it is a big big deal and if done wrong will really make someone 
have a bad day.

   

  As someone else mentioned, use groups. Don't use users. When you go to delete 
a group, make it a point to clean up where that group has been used. If you 
don't know where it has been used, that is a process issue and one of the 
reasons why I am not a fan of universal and global groups because the scope of 
use is huge. Alternately write your own tools to scan all of the various ACLs 
looking for unresolvable SIDs and clean them up, but I would be shy on how 
aggressive you are with the cleanup. You can easily screw yourself 

Re: RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.

2007-01-04 Thread Paul Williams
No.  Not quite.  No cleanup happens whatsoever.  Even when the ACEs are in the 
AD they aren't cleaned up.  The LSA was mentioned to try and highlight the 
expense and difficulty of such a cleanup operation.  The fact of the matter is 
that regardless of the securable object, its ACE is managed locally and no 
cross-checking is done against a DC and a DC certainly doesn't look for stale 
ACEs when an object is deleted.

Hope this clarifies the point.


--Paul


  - Original Message - 
  From: Yann 
  To: ActiveDir@mail.activedir.org 
  Sent: Thursday, January 04, 2007 3:54 PM
  Subject: RE : RE: RE: [ActiveDir] SID Deleted users remains in NTS permission.


  Hi,

  After rereading the posts, it now makes sense to me that the ACEs are managed by 
the local LSA, and not by the AD LSA.

  So now, if I consider that a group or user is deleted from AD and that object 
is set in an AD object's ACL (not a share or NTFS permission), that object will 
definitively disappear with no SID remaining in the ACL, because the update 
is done by the local LSA (DC) where the deletion occurs, that is to say AD 
itself...


  Yann


  joe [EMAIL PROTECTED] wrote:
Not sure why this surprises you. The ACLs are not maintained by AD nor the 
SAM where the user accounts exist which means you either get to poll or put 
some form of notification system in process. Consider also the case of trusted 
security principals, systems don't get a notification when a trusted system 
deletes a security principal. 

Here are just a couple of the bad things that could happen if the machines 
were responsible for cleaning up those SIDs

1. Overhead. Do you know the sheer number of Security Descriptors that are 
on any given system? You are just thinking of file Security Descriptors but 
there are Security Descriptors on many many different securable objects. I have 
published the list of items I at least know about to this list on a couple of 
occasions and the different types of objects alone is double digits let alone 
the actual instances of those objects. Consider a file system with hundreds of 
thousands or millions of Security Descriptors with really long ACL chains. You 
could have a scavenger thread running 24x7 in idle mode (you wouldn't want it 
higher as it would eat up CPU and that would be a different complaint) just 
constantly walking the ACLs and verifying them. 

2. Mistakes. Since we don't have a change notification capability for 
deleted security principals, and quite honestly you wouldn't (could you imagine 
300,000 machines registering with every domain in your forest for change 
notifications of security principal changes) so that leaves polling and let's 
say you have a temporary network glitch that makes a SID unresolvable to a 
friendly name... Do you then just start stripping the SIDs from the ACLs 
because a name can't be resolved once, twice, three times? What about when an 
account gets undeleted or restored because it was accidentally deleted for an 
hour?

I can think of even more bad things but don't have the time to write about 
them. If you want to, think through how you would build an application to do 
what you are suggesting. It is always a good thought exercise before being 
surprised at what MSFT has done. Keep in mind they are a collection of really 
bright programmers that often have to work in committee, they aren't 
necessarily miracle workers.

Could this be done? Maybe. I think I could visualize mechanisms to possibly 
help here but would really have to think it through even more than I have and I 
have thought a lot about things like this... But it would take serious rework 
with how security is implemented on Windows and I would be quite fearful of the 
scaling capabilities. The Windows security system is difficult to work with and 
can be quite a pain but it is extremely flexible and powerful at the same time. 
I have started and stopped several times to write all inclusive security 
tracking tools, it is a big big deal and if done wrong will really make someone 
have a bad day.

As someone else mentioned, use groups. Don't use users. When you go to 
delete a group, make it a point to clean up where that group has been used. If 
you don't know where it has been used, that is a process issue and one of the 
reasons why I am not a fan of universal and global groups because the scope of 
use is huge. Alternately write your own tools to scan all of the various ACLs 
looking for unresolvable SIDs and clean them up, but I would be shy on how 
aggressive you are with the cleanup. You can easily screw yourself up.

  joe

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm 






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Thursday, January 04, 2007 5:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE : RE: 
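joe's two objections above (transient resolution failures and undeleted accounts) set the design constraints for any tool that scans ACLs for unresolvable SIDs. The Python below is an added example that is not code from the list or from any of the posters: it parses SDDL DACL strings of the kind `icacls /save` or Get-Acl emit, resolves each domain SID through a lookup that stands in for LookupAccountSid, and reports a SID only after it has been definitively unresolvable on several consecutive passes. It never modifies an ACL. All paths, SIDs, names, the outage and the "restored" account are constructed.

```python
"""Conservative scan for orphaned SIDs in DACLs.

Added example (not code from the ActiveDir list). Parses SDDL DACL strings,
resolves each domain SID through a lookup that stands in for
LookupAccountSid, and only reports a SID as orphaned after it has been
definitively unresolvable on several consecutive polls. It never edits an
ACL: the output is a report for a human to act on. All ACLs, SIDs and
names below are constructed.
"""
import re

# SDDL two-letter aliases for the well-known principals used in the sample
SDDL_ALIASES = {"SY": "S-1-5-18", "BA": "S-1-5-32-544", "BU": "S-1-5-32-545",
                "AU": "S-1-5-11", "WD": "S-1-1-0"}
_ACE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return one dict per ACE in a 'D:...' string; object-ACE GUID fields are ignored."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL string starting with 'D:'")
    body = sddl[sddl.find("("):] if "(" in sddl else ""   # skip P/AI/AR control flags
    aces = []
    for m in _ACE.finditer(body):
        fields = m.group(1).split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({m.group(1)})")
        ace_type, flags, rights, _obj, _inh, sid = fields[:6]
        aces.append({"type": ace_type, "flags": flags, "rights": rights,
                     "sid": SDDL_ALIASES.get(sid, sid)})
    return aces


class Directory:
    """Stand-in for SID-to-name lookup against the domain (constructed)."""

    def __init__(self, known, outages=(), restored=None):
        self.known = dict(known)          # sid -> account name
        self.outages = set(outages)       # poll numbers during which lookups fail
        self.restored = restored or {}    # sid -> (poll number, name) for an undelete

    def resolve(self, sid, poll_no):
        if poll_no in self.outages:
            raise ConnectionError("domain controller unreachable")
        if sid in self.restored and poll_no >= self.restored[sid][0]:
            return self.restored[sid][1]
        return self.known.get(sid)        # None means: no such principal


class OrphanScanner:
    """Counts consecutive definitive misses per SID; transient errors count for nothing."""

    def __init__(self, directory, threshold=3):
        self.directory = directory
        self.threshold = threshold
        self.misses = {}

    def poll(self, acls, poll_no):
        """One pass over {path: sddl}. Returns {sid: [paths]} for SIDs past the threshold."""
        referenced = {}                   # sid -> paths referencing it
        for path, sddl in acls.items():
            for ace in parse_dacl(sddl):
                if ace["sid"].startswith("S-1-5-21-"):   # domain/local accounts only
                    referenced.setdefault(ace["sid"], set()).add(path)
        for sid in referenced:            # resolve each SID once per pass, not per ACE
            try:
                name = self.directory.resolve(sid, poll_no)
            except ConnectionError:
                continue                  # no evidence either way; keep the old count
            self.misses[sid] = 0 if name else self.misses.get(sid, 0) + 1
        return {sid: sorted(paths) for sid, paths in referenced.items()
                if self.misses.get(sid, 0) >= self.threshold}


# Constructed sample: RID 1106 (bob) was deleted; RID 1107 (erin) was deleted and
# restored before the third poll; poll 2 happens during a network outage.
DOMAIN = "S-1-5-21-1000-2000-3000"
SAMPLE_ACLS = {
    r"D:\Shares\Finance": "D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
                          f"(A;OICI;0x1200a9;;;{DOMAIN}-1200)(A;OICI;FA;;;{DOMAIN}-1106)",
    r"D:\Shares\Finance\bob": f"D:AI(A;OICIID;FA;;;{DOMAIN}-1106)(A;OICIID;FA;;;BA)",
    r"D:\Shares\Projects": "D:PAI(A;OICI;FA;;;BA)"
                           f"(A;OICI;0x1301bf;;;{DOMAIN}-1107)(A;OICI;0x1200a9;;;{DOMAIN}-1105)",
}
SAMPLE_DIRECTORY = Directory(
    known={f"{DOMAIN}-1105": "CORP\\alice", f"{DOMAIN}-1200": "CORP\\Finance-RO"},
    outages={2},
    restored={f"{DOMAIN}-1107": (3, "CORP\\erin")},
)


def run_scans(acls, directory, polls, threshold=3):
    """Run `polls` passes and return the report from the last one."""
    scanner = OrphanScanner(directory, threshold)
    report = {}
    for n in range(1, polls + 1):
        report = scanner.poll(acls, n)
    return report


if __name__ == "__main__":
    for sid, paths in run_scans(SAMPLE_ACLS, SAMPLE_DIRECTORY, 4).items():
        print(f"orphaned {sid} referenced by: {', '.join(paths)}")
```

With three passes nothing is reported: the outage in pass 2 adds no evidence, and the restored account resets its counter in pass 3. Only in the fourth pass does the genuinely deleted SID reach the threshold, and even then the result is a list for an administrator to review rather than an ACL edit.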

Re: [ActiveDir] AdminSDHolder orphans

2006-12-19 Thread Paul Williams
The SDPROP thread technically, doesn't do anything with inheritance.  That 
is a trait of the security descriptor, which SDPROP sets.  So, 
realistically, SDPROP overwrites the nTSecurityDescriptor attribute and 
increments adminCount to 1.  The step of setting inheritance to off is 
unnecessary in the bulleted list (sorry, I know that's pedantic).


Should this be reversed?  Good question.  There could be a cleanup task, but 
in my mind it shouldn't be part of SDPROP.  SDPROP spikes the PDCe enough as 
it is.  Perhaps it should be a different process, possibly running less 
frequently, e.g. once every 24 hours.


As it is, this needs to be process driven.  For example, on the current 
design I'm working on, if an administrator in the English sense of the word 
(as opposed to the techie definition) requires additional administrative 
access for a particular change they are elevated via a semi-automated 
workflow process.  This process is done via Active Roles.  We're currently 
working on the technical side of how to undo the effects of SDPROP when such 
an action occurs, e.g. elevated to schema admins.


In the past I've occasionally brute forced this and queried for anyone with 
an adminCount of 1, set that back to 0 and enabled inheritance and then 
retriggered SDPROP.  We've discussed scheduling this periodically but I 
don't like it.  For one, there might be additional ACEs that are not needed. 
Cleaning those up is more tricky - you need to strip the ACE, inherit and 
set any default ACEs, as well as any non-inherited bespoke ACEs back.


It's an interesting question.  One no doubt the DS guys have pondered.  The 
mechanics of a rollback seem more tricky, as does some of the security 
implications I'm sure.


On another note, adminCount is also a quick and dirty way of proving to 
someone just how many users they have that have more rights than they need. 
Especially when they're spewing a load of BS re. how they delegate most 
functions and only have a select few admins.


Just some semi-cohesive thoughts from me for y'all anyway.


--Paul

- Original Message - 
From: Brian Desmond [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, December 19, 2006 2:38 AM
Subject: RE: [ActiveDir] AdminSDHolder orphans



Yeah this caused me issues when I was at a large client which had this
propensity to put everyone and their brother into a group that
triggered this behavior. What I would do is dump everyone with
admincount>0, then set admincount=0 on all of them, wait a bit, and see
who was back to 0 and then fix the deltas.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, December 18, 2006 8:32 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AdminSDHolder orphans


Just wanted to get your opinion on something.

When an object becomes a member of one of the groups protected by the
AdminSDHolder, the next run of the SDProp thread will:

* Replace the object's security descriptor with that of the
AdminSDHolder;
* Disable permissions inheritance on the object;
* Set a new adminCount attribute with a value > 0 on the object.

If the object is then removed from the protected group(s), the changes
made by the AdminSDHolder are not reversed.  In other words, the
adminCount value remains the same, as does the security descriptor.

Is it just me or does anyone think this behaviour a little strange?
What I am finding in many environments is a large number of these
AdminSDHolder orphans.  These can arise quite easily, e.g. an

account

is made a temporary member of a privileged group to perform a specific
task or someone changes role within the organisation.  Of course I
realise that in a perfect world these scenarios would be minimised by
the use of dual accounts for splitting standard vs. admin functions,
but the reality is that it is all too common.

The AdminSDHolder orphans can cause problems when troubleshooting
delegation issues.  For example, I came across this issue recently

when

setting up permissions for GAL Sync using IIFP.  I had to tidy up
before the sync would complete without errors.

Does anyone run a regular cleanup using the script provided in this
article (or similar)?

http://support.microsoft.com/kb/817433

Do you think the AdminSDHolder behaviour should be changed to clean-up
after itself?

Tony





Sent via the WebMail system at mail.activedir.org





List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:

http://www.mail-archive.com/activedir@mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ 


List info   : http://www.activedir.org/List.aspx
List FAQ: 
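The orphan problem Tony describes, and the cleanup approaches Paul and Brian mention, come down to one comparison: which objects carry adminCount>0 while no longer being a transitive member of a protected group. The Python below is an added example and not code from the list, from KB 817433 or from Active Roles; it models SDPROP's stamping behaviour as described in the thread (stamp, never reverse) and finds orphans by computing group membership rather than by resetting adminCount and waiting. The directory, DNs and group names are constructed, and the protected-group list is a deliberately short subset of the real one.

```python
"""Finding AdminSDHolder orphans without touching the directory.

Added example (not code from the ActiveDir list or from KB 817433). It
models the behaviour described in the thread: SDPROP stamps adminCount=1
on every member, nested members included, of the protected groups and
never reverses it. An orphan is therefore any object with adminCount>0
that is no longer a (transitive) member of a protected group. The
directory, group names and DNs below are constructed; the protected-group
list is a subset of the real one.
"""
from collections import deque

DC = "DC=example,DC=test"
DOMAIN_ADMINS = f"CN=Domain Admins,CN=Users,{DC}"
SCHEMA_ADMINS = f"CN=Schema Admins,CN=Users,{DC}"
TIER0 = f"CN=Tier0 Ops,OU=Groups,{DC}"
LEADS = f"CN=Helpdesk Leads,OU=Groups,{DC}"
ALICE, BOB, CAROL, DAVE = (f"CN={n},OU=Users,{DC}" for n in ("alice", "bob", "carol", "dave"))

PROTECTED_GROUPS = [DOMAIN_ADMINS, SCHEMA_ADMINS]   # constructed subset of the real list


def sample_directory():
    """A small constructed directory: dn -> attributes."""
    return {
        DOMAIN_ADMINS: {"objectClass": "group", "member": [ALICE, TIER0], "adminCount": 1},
        SCHEMA_ADMINS: {"objectClass": "group", "member": [CAROL], "adminCount": 1},
        TIER0: {"objectClass": "group", "member": [BOB, LEADS], "adminCount": 1},
        LEADS: {"objectClass": "group", "member": [TIER0], "adminCount": 1},  # nesting cycle
        ALICE: {"objectClass": "user", "adminCount": 1},
        BOB: {"objectClass": "user", "adminCount": 1},
        CAROL: {"objectClass": "user", "adminCount": 1},
        DAVE: {"objectClass": "user", "adminCount": 0},
    }


def protected_principals(directory, protected_groups):
    """The protected groups plus every transitive member; `seen` breaks nesting cycles."""
    seen, queue = set(), deque(protected_groups)
    while queue:
        dn = queue.popleft()
        if dn in seen:
            continue
        seen.add(dn)
        for member in directory.get(dn, {}).get("member", []):
            if directory.get(member, {}).get("objectClass") == "group":
                queue.append(member)          # nested group: expand it too
            else:
                seen.add(member)              # user or computer: protected directly
    return seen


def sdprop_pass(directory, protected_groups):
    """Simulate SDPROP as described in the thread: stamp adminCount=1 on protected
    objects (the security descriptor overwrite is not modelled) and return the DNs
    newly stamped. It never clears adminCount on objects that left the groups."""
    stamped = []
    for dn in protected_principals(directory, protected_groups):
        if directory[dn].get("adminCount", 0) != 1:
            directory[dn]["adminCount"] = 1
            stamped.append(dn)
    return sorted(stamped)


def find_orphans(directory, protected_groups):
    """Objects still carrying adminCount>0 that SDPROP would no longer protect."""
    protected = protected_principals(directory, protected_groups)
    return sorted(dn for dn, obj in directory.items()
                  if obj.get("adminCount", 0) > 0 and dn not in protected)


def cleanup_plan(orphans):
    """Dry run of the brute-force fix described above: per orphan, reset adminCount
    and re-enable inheritance (clear the protected-DACL control bit), after which
    SDPROP is re-triggered. Nothing here applies the change."""
    return [(dn, [("replace", "adminCount", 0),
                  ("clear", "nTSecurityDescriptor", "SE_DACL_PROTECTED")])
            for dn in orphans]


if __name__ == "__main__":
    d = sample_directory()
    d[SCHEMA_ADMINS]["member"].remove(CAROL)   # carol's temporary elevation ends
    sdprop_pass(d, PROTECTED_GROUPS)           # nothing is reversed by SDPROP
    for dn, ops in cleanup_plan(find_orphans(d, PROTECTED_GROUPS)):
        print(dn, ops)
```

Because membership is computed transitively, a user who is privileged only through a nested group (bob via Tier0 Ops) is correctly left alone, while carol, removed from Schema Admins, shows up as the orphan; the cycle between the two constructed groups is handled without looping forever.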

Re: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

2006-12-04 Thread Paul Williams
MONAD for Exchange is supposed to fix that but I am expecting tremendous 
scaling issues in the environments I play in with it and quite frankly 
have even admitted that I would rather see WMI as it doesn't saturate the 
network lines passing data that isn't being requested.


I agree with you here.  I've started playing with PowerShell, and was trying 
to prove that you could use the WinNT provider to someone.  It took me ~5 
minutes to get as far as C* when outputting all user objects in my domain. 
And we're only talking ~40,000 in this particular instance.



--Paul

- Original Message - 
From: joe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Sunday, December 03, 2006 5:01 PM
Subject: RE: [ActiveDir] 100% CPU utilization when querying Win32_Account on 
DC




Oh I see that. On the flip side, companies that produce professional
products like x, y, and z[1] etc should have the skill sets to produce more
efficient and directed applications that don't have a reliance on those
abstraction layers and use the more efficient APIs in ways that are directly
relevant to the goals of the applications and that they have a greater
understanding of. Obviously someone may not have a super strong
understanding of the core APIs but at least there is only a single level
where problems can be introduced versus the multiple levels that can be
introduced in the abstractions such that you have to try and figure out at
what level the issue is at. Possibly if the abstraction layers had amazing
logging that could be enabled to track issues and explain what they are
translating the requests to at the lower levels it might be easier for
someone to identify where the issue cropped up.

One issue I see is someone who can write a basic vbscript based on these
frameworks think they are a programmer and start producing tools that they
sell. They have no understanding of the underpinnings of the overall system
and quite frankly, to scale things up, they really ought to, the
abstractions are not great in that arena and to be fair, I don't believe
they really were designed to be. It was more to get the masses so they could
do basic things. Another issue I see is when someone only published say a
WMI interface into something. I have that issue with Exchange 2000/2003 as
they really did a poor job with a lot of that from being poor performers to
not performing correctly at all. I took this up with the Exchange PSS
Support folks and finally got the great answer of WMI isn't designed to be
used for monitoring... How do you argue that point? Unfortunately the only
other recourse is to try and work through completely undocumented MAPI stuff
and MAPI is already painful and sucky at best though it was designed to be a
nice abstraction layer to make lives easier. MONAD for Exchange is supposed
to fix that but I am expecting tremendous scaling issues in the environments
I play in with it and quite frankly have even admitted that I would rather
see WMI as it doesn't saturate the network lines passing data that isn't
being requested.


[1] Names withheld to protect the guilty.

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



 _

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Saturday, December 02, 2006 6:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 100% CPU utilization when querying Win32_Account 
on

DC



You must take into account that not everyone is a Win32 API or LDAP API C or
C++ developer to write its own logic and create its own tool to perform the
management task their business requires.

Abstraction layers like WMI, ADSI, CDO, XMLDOM, WSH, ADO and so on ... are
helping thousands of people to write scripts and applications without having
to dig into the API programming level.

Both worlds have pros and cons.

The API programming level requires a more specific programming knowledge,
the abstraction layers introduce a proxy, simplify the access pattern and
obviously have a performance cost.

I think that none of the two worlds have to be rejected, they just need to
be used correctly and when appropriate. This is why Microsoft is documenting
Win32 API, COM interfaces and .NET API.

If the COM abstraction layers were that yuck, programming environments like
WSH and/or VB6 would not have been so heavily used and successful.

Are abstraction layers perfect? Clearly not. Are they useful? Yes for sure.

Is there room for improvement? Always.



Regards,
/Alain


Alain LISSOIR

http://www.LissWare.Net

mailto:[EMAIL PROTECTED]

Home Page: http://www.LissWare.Net
Where am I? http://map.LissWare.Net





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, December 02, 2006 1:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 100% CPU utilization when 

Re: [ActiveDir] [OT] Vista Admin Tools Pack

2006-11-22 Thread Paul Williams
If I had to guess, I would say it's because the launched process isn't a child 
of the elevated Window, but is a child of Explorer (the shell) itself.  This 
isn't the case with a CMD prompt, whereby the launched process is an actual 
child process.

Test it with Sysinternals' process explorer.  


--Paul


  - Original Message - 
  From: joe 
  To: ActiveDir@mail.activedir.org 
  Sent: Tuesday, November 21, 2006 10:49 PM
  Subject: RE: [ActiveDir] [OT] Vista Admin Tools Pack


  The Vista source isn't available for perusal yet so this is a complete guess 
but I expect it is something like Explorer purposely dumbs down the process 
token used to launch the new process. 

  It's just a guess though...


  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 





--
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, 
Guido
  Sent: Tuesday, November 21, 2006 2:56 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] [OT] Vista Admin Tools Pack


  Steve - thanks again for sharing this very useful information.  I've tested 
this with different scenarios and I am somewhat confused as to some of the 
great new features of how Vista handles the security of new threads when 
launching applications:

   

  1.   I can install the AdminPak as non-privileged local user and can fix 
the DLL registration in an elevated CMD prompt with your tip below - works fine.

  2.   When I install the AdminPak from an elevated CMD prompt right away, 
everything also works fine - no need to manually register the DLLs.

  3.   When I start the AdminPak installation from an elevated Windows 
Explorer window, it does not successfully register the DLLs and again I have to 
register the DLLs manually in an elevated prompt to get them to work

  4.   When I right-click the AdminPak installation file in a Windows 
Explorer window and choose Run as administrator (i.e. running the install in 
elevated mode), it's the same as when launched from an elevated command prompt 
and again everything works fine without the need for manual registration of DLLs.

   

  So what's different from launching applications from an elevated Windows 
Explorer window to launching them from an elevated CMD prompt?

   

  Thanks for any insights :)

   

  /Guido

   

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
  Sent: Tuesday, November 21, 2006 5:46 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] [OT] Vista Admin Tools Pack

   

  You have to run the batch from a command prompt that is elevated or you will 
get access denied.  To run a cmd prompt elevated search for cmd.exe from the 
start menu and right click selecting Run As Administrator.  We have also 
found that if you simply launch the MSI from an elevated command prompt it will 
register the DLLs as well.

   

  Thanks,

   

  -Steve

   

   

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
  Sent: Tuesday, November 21, 2006 9:25 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] [OT] Vista Admin Tools Pack

   

  I found this write up from someone else yesterday, I can't remember where 
now.  I tried it immediately and ran into a couple immediate errors when trying 
to register these DLLs and the Active Directory snap-ins still continued to be 
non-functional.  This is using the Win2003 SP1 admin pack on Vista Business 
RTM.  Basically, I threw all those commands into a text file named register.cmd 
and let it run.

   

  Certtmpl.dll - Your user account does not have necessary access rights to 
register the Certificate Templates snap-in.  Log on with a different user 
account and try again, or contact your system administrator.  (I am local admin 
on this Vista box).

   

  Mprsnap.dll - Access is denied.  (80070005)

   

  Even though those two DLLs don't seem to be related to the Active Directory 
snap-ins, I still get the error that the MMC could not create the snap-in.

   

  Anyone else run into this?

   

  ~Ben

   

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
  Sent: Monday, November 20, 2006 10:39 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] [OT] Vista Admin Tools Pack

   

  KB is in the works, just takes time.  Feel free to blog it or I can if I get 
some time this week, it is a bit slow this week but I have a backlog of content 
that I was supposed to have blogged.  Good news is that I accepted a new role 
at Microsoft where maintaining an official blog is part of my job. :)

   

  Thanks,

   

  -Steve

   

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
CPA aka Ebitz - SBS Rocks [MVP]
  Sent: Monday, November 20, 2006 11:45 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] [OT] Vista Admin Tools Pack

   

  okay if you 

Re: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread Paul Williams
I imagine you used the version of ADPREP that ships with Windows Server 2003 
SP1?


I believe you need to run ADPREP /DOMAINPREP /GPPREP.

This will add the inheritable ACEs to CN=Policies,CN=System,DC=...

Allow: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read is an inherited ACE.


Re. EDCs.

ENTERPRISE_DOMAIN_CONTROLLERS Security Principal is available with Windows 
2000.  The new Security Principals added by 2003 are:

 - LocalService
 - NetworkService
 - NTLM Authentication
 - Other Organization
 - Remote Interactive Logon
 - SChannel Authentication
 - This Organization

These group memberships are also modified:

 - The Network Servers group is added to the Performance Monitoring 
Users group.
 - The Enterprise Domain Controllers group is added to the Windows 
Authorization Access group.





See the link from Steve for more info. on this.  2003 RTM added new Sec 
Prins.  2003 SP1 also added some, IIRC.  Therefore ensure your PDCe is 
running k3 SP1.



--Paul


- Original Message - 
From: [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Wednesday, November 22, 2006 2:04 AM
Subject: [ActiveDir] Enterprise Domain Controllers group missing...




- We recently upgraded the schema in one forest from Windows 2000 to
Windows 2003.

- We now receive the following error when trying to access group policies,
The Enterprise Domain Controllers group does not have read access to this
GPO. The Enterprise Domain Controllers group must have read access on all
GPO's in the domain in order for Group Policy Modelling to function
properly. To learn more about this issue and how you can correct it, click
Help..

- I can confirm we do not have an Enterprise Domain Controllers group in
any of the domains.

- I have found the following article 
http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true
 which shows how to fix the GPO issue using
GrantPermissionOnAllGPOs.wsf...but this assumes we actually have the
group  Enterprise Domain Controllers available. From further reading I
see this group has a specific SID of S-1-5-9 so I can not simply create a
new group.

- Does anyone have any idea how the group Enterprise Domain Controllers
can be recreated with the correct SID of S-1-5-9 so that we can run the
script GrantPermissionOnAllGPOs.wsf to fix the group policy problem?

Thanks in advance,

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ 


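An added check for the situation in this thread (example code written for this page; it is neither Paul's nor Microsoft's GrantPermissionOnAllGPOs.wsf): it walks CN=Policies,CN=System and every groupPolicyContainer under it and reports which objects carry an Allow Read ACE for S-1-5-9, and whether that ACE is inherited from the container. It assumes the ActiveDirectory PowerShell module (RSAT) and the AD: drive it creates; the function name Test-EdcReadOnGpos and the minimum right set it checks are my choices.

```powershell
# Added example, not code from the thread: audit whether every GPO in the
# domain grants Read to Enterprise Domain Controllers (well-known SID
# S-1-5-9) and whether that ACE is inherited from CN=Policies,CN=System.
# Assumes the ActiveDirectory module (RSAT) and the AD: drive it creates.
Import-Module ActiveDirectory

function Test-EdcReadOnGpos {
    $edcSid     = 'S-1-5-9'
    $domainDn   = (Get-ADDomain).DistinguishedName
    $policiesDn = "CN=Policies,CN=System,$domainDn"

    # Minimum rights that "Read" on a directory object has to include;
    # a GenericRead ACE expands to (at least) these bits when enumerated.
    $need = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ListChildren, ReadControl'

    # The Policies container first (the ACE source), then each GPC below it
    $objects = @(Get-ADObject -Identity $policiesDn -Properties displayName) +
               @(Get-ADObject -SearchBase $policiesDn -SearchScope OneLevel `
                              -LDAPFilter '(objectClass=groupPolicyContainer)' `
                              -Properties displayName)

    foreach ($obj in $objects) {
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"

        # Ask for the rules keyed by SID so no name translation is needed
        $edcAce = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -eq $edcSid -and
                (($_.ActiveDirectoryRights -band $need) -eq $need)
            } | Select-Object -First 1

        $name      = if ($obj.displayName) { $obj.displayName } else { $obj.Name }
        $inherited = if ($edcAce) { $edcAce.IsInherited } else { $null }

        [pscustomobject]@{
            Name       = $name
            EdcHasRead = [bool]$edcAce
            Inherited  = $inherited
            DN         = $obj.DistinguishedName
        }
    }
}

# Usage: the whole picture first, then only the objects still missing the ACE
$report = Test-EdcReadOnGpos
$report | Format-Table Name, EdcHasRead, Inherited -AutoSize
$report | Where-Object { -not $_.EdcHasRead } | Select-Object Name, DN
```

Reading the output: if the Policies container itself shows EdcHasRead true but individual GPCs show false, the container ACE is not propagating to those objects, which is the case the GrantPermissionOnAllGPOs.wsf script from the linked article is meant to repair; if the container shows false as well, the container-level ACE that ADPREP /DOMAINPREP /GPPREP is said to add is absent.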


Re: [ActiveDir] Enterprise Domain Controllers group missing...

2006-11-22 Thread Paul Williams
Mistyped the Inherited / inherit ACE flags there, but you get my point - kind 
of makes sense in English.


I'm guessing, as I'm not in a position to test, that perhaps GPPREP adds the 
necessary ACE(s) to the aforementioned container, resulting in an ACE set 
with the INHERIT flag, which means that child objects will inherit this ACE 
(unless NO_PROPAGATE is set, which it isn't).



--Paul



Re: [ActiveDir] Is it 2000 or 2003?

2006-11-17 Thread Paul Williams
Interesting, you're more than likely doing it in a more efficient manner 
than I then.


Here's the code I use in all of my scripts (for anyone who's interested in 
this) these days (I liked the way ADFIND and ADMOD output this info. so 
thought I'd steal Joe's idea and wrap this info. into all my scripts that do 
something with the DS):



' OID advertised in RootDSE supportedCapabilities by an ADAM instance
Const LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID = "1.2.840.113556.1.4.1851"

' Script-level RootDSE binding (serverless bind).  Note that
' getDSFunctionality below reads this global as well as its parameters.
Dim oRootDse
Set oRootDse = GetObject("LDAP://RootDSE")

printDirectoryInfo oRootDse


' ***
' Sub printDirectoryInfo(RootDSE)
'
' Sub prints the DC that is being used and the
' level of the directory service.
'
' Note.  Sub calls func getDSFunctionality
'
' ***
Private Sub printDirectoryInfo(oRootDse)
    Dim sServer, sDSFunctionality

    sServer = oRootDse.Get("dNSHostName")
    sDSFunctionality = _
        getDSFunctionality(oRootDse.Get("domainControllerFunctionality"), _
                           oRootDse.Get("supportedCapabilities"))

    echo "Using server:   " & sServer
    echo "Directory:      " & sDSFunctionality & vbCrLf
End Sub


' ***
' Func getDSFunctionality(int, array)
'
' get the domain functional level for info.
' purposes function returns a string defining the
' current value of the DC queried (via serverless
' bind)
'
' ***
Private Function getDSFunctionality(iDSFunctionality, _
                                    cSupportedCapabilities)
    Dim oBase, dsf, nTMixedDomain, supportedCapability, bFlag
    bFlag = False

    Select Case iDSFunctionality
        Case 0
            ' defaultNamingContext is only a DN string, so bind to the
            ' domain NC head object to read nTMixedDomain from it
            Set oBase = GetObject("LDAP://" & oRootDse.Get("defaultNamingContext"))
            nTMixedDomain = oBase.Get("nTMixedDomain")

            ' nTMixedDomain = 1 means the domain is still in mixed mode
            If nTMixedDomain = 1 Then
                dsf = "Windows 2000 Mixed"
            Else
                dsf = "Windows 2000 Native"
            End If
        Case 1
            dsf = "Windows Server 2003 Interim"
        Case 2
            ' AD and ADAM look the same at this level, except that ADAM
            ' advertises its own capability OID in RootDSE
            For Each supportedCapability In cSupportedCapabilities
                If supportedCapability = LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID Then
                    bFlag = True
                End If
            Next

            If bFlag Then
                dsf = "Active Directory Application Mode (ADAM)"
            Else
                dsf = "Windows Server 2003"
            End If
    End Select

    getDSFunctionality = dsf
End Function


' ***
' Sub echo(String)
'
' Sub prints the passed string to the console
' (if run from CSCRIPT) or to the shell via
' message box (if run from WSCRIPT).
'
' ***
Private Sub echo(sOutputString)
    WScript.Echo sOutputString
End Sub


--Paul

- Original Message - 
From: joe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, November 16, 2006 6:32 PM
Subject: RE: [ActiveDir] Is it 2000 or 2003?



AdFind only determines the Directory level, it doesn't look for functional
modes or mixed mode. The way I get directory level is through the
supportedCapabilities attribute of the rootdse of the DC. Of course it is
possible to hit one DC looking for info and I pull the ROOTDSE from that DC
and then in the background a referral is processed which ends up getting the
info from another DC in another domain (or same domain if looking at app
parts).

You can get functionality modes from the rootdse attributes
domainFunctionality and forestFunctionality.

For all of those, just do an

AdFind -rootdse

And you will see what I am decoding and logically how I ascertain directory
level.



Mixed mode versus native you simply use the domain NC's nTMixedDomain
attribute.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, November 16, 2006 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is it 2000 or 2003?

I don't understand where you are seeing this info.  Are you referring to the
applet that is used to raise the FL?  Or something else?

As for the flag that is used to identify the directory, it is usually a
combination of:

msDS-Behavior-Version
nTMixedDomain
supportedCapabilities


Or at least, that is the way I put info. such as server and directory in
each of my scripts.  Just like Joe does in ADFIND and ADMOD.  I believe he
does it the same way too.

Basically, check msDS-Behavior-Version.  If it's 0, check nTMixedDomain.  If
it's 2, check supportedCapabilities to see whether or not it is ADAM (it's
ADAM if one of the supportedCapabilities is 1.2.840.113556.1.4.1851
[LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID]).

In my test lab(s), my directory is considered a 2003 directory.

In my labs, I used either DOMAIN.MSC or ADMOD to increase the FLs.


--Paul


- Original Message - 
From: [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, November 16, 2006 3:45 PM
Subject: RE: [ActiveDir] Is it 2000 or 2003?



I've entered this thread late so apologies if the below has already been
stated:

I recently created a new dev forest, with multiple domains. I too raised
DFL and FFL as soon as all domains were built.

I do not see the issues you describe and would suggest you download the
scripts available here http://www.jadonex.com/

One of the scripts (written by Dean) checks the DFL

Re: [ActiveDir] Locating empty GPOs in a domain / forest

2006-11-16 Thread Paul Williams
It varies depending on the CSE, Neil.

The behaviour usually reverts with Admin Templates.  Security settings don't 
revert, but can roll back if they're set elsewhere (like you said).  Darren's 
already covered Software installation.

For example, if you set hide shutdown, and then set that option to not defined, 
you'll get it back unless there's another GPO overriding that.


--Paul


  - Original Message - 
  From: [EMAIL PROTECTED] 
  To: ActiveDir@mail.activedir.org 
  Sent: Thursday, November 16, 2006 9:27 AM
  Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


  I thought 'Not Defined' meant 'ignore this setting and apply it as set 
elsewhere in other GPOs'. i.e. if it were set and then later set to not 
defined, the clients would continue to use the setting and ignore the change 
from enabled to 'not defined'.

  e.g. wallpaper set to A, originally. Then wallpaper set to 'not defined'. I 
always believed clients would ignore any 'not defined' settings and thus 
continue to use wallpaper A.

  Am I wrong?

  neil


--
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
  Sent: 15 November 2006 18:38
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


  If I set an Admin template policy from Enabled to Not Configured, then 
that GPO with Not Configured needs to be processed at least once by the 
target in order to remove the setting. So, even though GPMC might report No 
Settings (and frankly I haven't looked at how it reports other areas besides 
Admin. templates. For example, you can remove a software installation package 
but it is left in the GPO so that clients can process the removal. Does that 
mean that the GPO has no settings?) you might still want that GPO around to 
be able to undo the client--if only for a limited period of time.

  Darren



--
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de
  Sent: Wednesday, November 15, 2006 9:39 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


  if a GPO had settings and doesn't anymore, it may be needed by users and 
computers processing GP to undo settings that were previously applied

  IMHO, no settings means all settings in the GPO are set to Not Defined. 
Wouldn't it, for the case you mention, need to have reverse settings or 
original settings and thus have settings?

  jorge

  Met vriendelijke groeten / Kind regards,
  Ing. Jorge de Almeida Pinto
  Senior Infrastructure Consultant
  MVP Windows Server - Directory Services

  LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
  (   Tel : +31-(0)40-29.57.777
  (   Mobile : +31-(0)6-26.26.62.80
  *   E-mail : see sender address


--
  From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
  Sent: Wed 2006-11-15 17:04
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


  Well, it depends upon the purpose of your quest, but you're correct. For 
example, you may not want to delete a GPO that has no settings (but does have 
versionNumber 0) because that may be a desirable state for it. In other words, 
if a GPO had settings and doesn't anymore, it may be needed by users and 
computers processing GP to undo settings that were previously applied. Unless 
you know for sure that those settings have been undone, then you can't be sure 
the GPO is unused.






--
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Wednesday, November 15, 2006 7:21 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


  Thanks Darren - that assumes the GPO is empty and always was empty, of course 
:)

  neil



--
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
  Sent: 15 November 2006 15:05
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Locating empty GPOs in a domain / forest


  Another option is to perform an LDAP search on the cn=policies, cn=system 
container for GPC objects, and on each GPC object, look for a versionNumber 
attribute == 0. It's probably slightly faster than first generating the HTML 
report and then parsing it.




--
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Wednesday, November 15, 2006 5:54 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Locating empty 
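Darren's LDAP approach above, as an added example (written for this page, not posted in the thread), with the link check the replies say you need before calling a version 0 GPO unused: it gathers every GPO GUID referenced by a gPLink on the domain head, the OUs and the sites, then lists the groupPolicyContainer objects whose versionNumber is 0 together with whether anything links them. It assumes the ActiveDirectory PowerShell module; the function name Get-ZeroVersionGpo is my own.

```powershell
# Added example, not code from the thread: find GPC objects with
# versionNumber 0 and say whether each is linked anywhere.
# Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-ZeroVersionGpo {
    $rootDse    = Get-ADRootDSE
    $domainDn   = $rootDse.defaultNamingContext
    $configDn   = $rootDse.configurationNamingContext
    $policiesDn = "CN=Policies,CN=System,$domainDn"

    # Every GPO GUID that some gPLink references: domain head and OUs live
    # in the domain NC, site links in CN=Sites of the configuration NC.
    $linked = @{}
    $linkHolders = @(Get-ADObject -LDAPFilter '(gPLink=*)' -SearchBase $domainDn -Properties gPLink) +
                   @(Get-ADObject -LDAPFilter '(gPLink=*)' -SearchBase "CN=Sites,$configDn" -Properties gPLink)
    foreach ($holder in $linkHolders) {
        foreach ($m in [regex]::Matches([string]$holder.gPLink, '\{[0-9A-Fa-f\-]{36}\}')) {
            $linked[$m.Value.ToUpper()] = $true
        }
    }

    # GPC objects whose AD-side version counter never moved off zero
    Get-ADObject -SearchBase $policiesDn -SearchScope OneLevel `
                 -LDAPFilter '(&(objectClass=groupPolicyContainer)(versionNumber=0))' `
                 -Properties displayName, versionNumber, whenCreated, whenChanged |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName = $_.displayName
                Guid        = $_.Name
                Linked      = $linked.ContainsKey($_.Name.ToUpper())
                Created     = $_.whenCreated
                Changed     = $_.whenChanged
            }
        }
}

Get-ZeroVersionGpo | Sort-Object Linked, DisplayName | Format-Table -AutoSize
```

A GPO that once had settings and was later cleared keeps a versionNumber above zero, so this filter only ever finds GPOs that were never edited, which is exactly the "empty and always was empty" case neil raises below; the Linked column is there so that even those are not deleted while something still points at them.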

Re: [ActiveDir] Is it 2000 or 2003?

2006-11-16 Thread Paul Williams
I don't understand where you are seeing this info.  Are you referring to the 
applet that is used to raise the FL?  Or something else?


As for the flag that is used to identify the directory, it is usually a 
combination of:


msDS-Behavior-Version
nTMixedDomain
supportedCapabilities


Or at least, that is the way I put info. such as server and directory in 
each of my scripts.  Just like Joe does in ADFIND and ADMOD.  I believe he 
does it the same way too.


Basically, check msDS-Behavior-Version.  If it's 0, check nTMixedDomain.  If 
it's 2, check supportedCapabilities to see whether or not it is ADAM (it's 
ADAM if one of the supportedCapabilities is 1.2.840.113556.1.4.1851 
[LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID]).


In my test lab(s), my directory is considered a 2003 directory.

In my labs, I used either DOMAIN.MSC or ADMOD to increase the FLs.


--Paul


- Original Message - 
From: [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, November 16, 2006 3:45 PM
Subject: RE: [ActiveDir] Is it 2000 or 2003?



I've entered this thread late so apologies if the below has already been
stated:

I recently created a new dev forest, with multiple domains. I too raised
DFL and FFL as soon as all domains were built.

I do not see the issues you describe and would suggest you download the
scripts available here http://www.jadonex.com/

One of the scripts (written by Dean) checks the DFL and FFL for the
forest and across all domains.

For a manual check, I also look here:

FFL
===
CN=Partitions,CN=Configuration,DC=xxx
Attribute msDS-Behavior-Version
0=w2k FFL, 1=interim FFL, 2=w2k3 FFL

DFL
===
CN=domainName,CN=Partitions,CN=Configuration,DC=xxx
Attribute msDS-Behavior-Version
0=w2k DFL, 1=interim DFL, 2=w2k3 DFL

Hope that helps,
neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Onsomu
Sent: 16 November 2006 14:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it 2000 or 2003?

I got curious about this and decided to dcpromo my vm image of windows
2003 R2.

After the AD installation (which sits at Windows 2000 for domain type) I
raised the functionality for the domain and forest.

The result for domain type was windows 2000.

I am not sure it is supposed to be different.

Anybody out there who can say their install says something else?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, November 15, 2006 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Is it 2000 or 2003?

Were these clean installs or inplace?

Bart Van den Wyngaert wrote:

Well I also have a strange thing... It concerns 2 SBS 2003 systems.
Some months ago I raised both domain and forest functional level on
those boxes. By reading this thread I decided to have a look...

Both tools report the correct OS actually on both boxes.

The only thing I wonder about a bit is that they both report with the gpresult
tool that the domain type is Windows 2000

If I look using GUI, they both report functional level of domain & forest
being at 2003.

Don't really get it actually. Is this related? Normal, or did I miss something
when I did raise the functional levels?

Thanks,
Bart

On 11/10/06, Noah Eiger [EMAIL PROTECTED] wrote:

Good question. DFL = 2003 and FFL = 2003. So it must just be some
lingering text string. Does anyone think there is more to it?

Thanks.

-- nme

-Original Message-
From: Clingaman, Bruce [mailto:[EMAIL PROTECTED]
Sent: Friday, November 10, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it 2000 or 2003?



What does it say under:  AD Users & Computers | [right click domain
name] | Raise Domain Functional Level...

?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, November 10, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it 2000 or 2003?

Hi -



Several months ago, I upgraded a small, multi-site domain from W2k to
W2k3. Or so I thought. The various markings in the schema indicate
that the upgrade was successful. But when I run, for example,
gpresult, it reports a Windows 2000 domain. Is this just some flag or
string that did not get set properly or is there really a problem
with the upgrade?

Thanks.

-- nme

P.S. I also just noticed that when I run netdiag on a new W2k3EN DC,
it says System info: Windows 2000 Server (Build 3790).




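The decision procedure Paul describes in this reply (msDS-Behavior-Version, then nTMixedDomain, then supportedCapabilities) and codes in VBScript in his 2006-11-17 post, as an added PowerShell example written for this page rather than taken from the thread. It assumes the ActiveDirectory module's Get-ADRootDSE and Get-ADObject cmdlets, which post-date this discussion; the function name Get-DirectoryInfo is my own, and -Server takes host:port for an ADAM instance.

```powershell
# Added example, not code from the thread: classify the directory behind
# a RootDSE the same way the VBScript in this thread does, plus the
# domain/forest functionality values neil's manual check reads.
# Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# OID that ADAM advertises in supportedCapabilities (value from the thread)
$LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID = '1.2.840.113556.1.4.1851'

function Get-DirectoryInfo {
    param([string]$Server)   # omit for a serverless bind; host:port for ADAM

    $common = @{}
    if ($Server) { $common.Server = $Server }

    $rootDse = Get-ADRootDSE @common
    $dcLevel = [int]$rootDse.domainControllerFunctionality
    $caps    = @($rootDse.supportedCapabilities)

    switch ($dcLevel) {
        0 {
            # Windows 2000 level: mixed versus native lives on the domain NC head
            $nc = Get-ADObject @common -Identity $rootDse.defaultNamingContext -Properties nTMixedDomain
            $directory = if ([int]$nc.nTMixedDomain -eq 1) { 'Windows 2000 Mixed' } else { 'Windows 2000 Native' }
        }
        1 { $directory = 'Windows Server 2003 Interim' }
        default {
            # 2003 or later: AD and ADAM differ here only by the capability OID
            $directory = if ($caps -contains $LDAP_CAP_ACTIVE_DIRECTORY_ADAM_OID) {
                'Active Directory Application Mode (ADAM)'
            } else {
                'Windows Server 2003 (or later)'
            }
        }
    }

    [pscustomobject]@{
        Server              = $rootDse.dnsHostName
        Directory           = $directory
        DCFunctionality     = $dcLevel
        DomainFunctionality = $rootDse.domainFunctionality
        ForestFunctionality = $rootDse.forestFunctionality
    }
}

Get-DirectoryInfo | Format-List
```

Running this against each DC in turn (with -Server) is the quickest way to separate "the domain is at 2003" from "this particular DC reports 2003", which is the distinction behind the gpresult confusion in this thread: DomainFunctionality and ForestFunctionality describe the domain and forest, DCFunctionality only the DC that answered.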

Re: [ActiveDir] Password Police Question on Forest-ChildDomain relationship

2006-11-14 Thread Paul Williams



Answering your questions directly.

1. All GPOs have the same settings as they use the same template(s) when 
created. This is probably for simplicity and ease of use. You can add more ADM 
templates, and also add CSEs and therefore other settings if you so wish. I 
don't think you can remove them, unless you consider unregistering the 
necessary DLLs for the CSEs but that might cause other issues.

2. It will apply to the DSRM/ Safe Mode password and any member servers in 
this OU.

3. No. GPOs don't flow across domains by default. I believe you can link GPOs 
across domains, or you can copy the GPOs, but the processing engine doesn't 
look outside of the domain.

--Paul


  - Original Message - 
  From: Rocky Habeeb 
  To: ActiveDir@mail.activedir.org 
  Sent: Monday, November 13, 2006 4:17 PM
  Subject: RE: [ActiveDir] Password Police Question on Forest-ChildDomain relationship
  
  Thanks Jorge,
  
  I just figured that out by virtue of the fact that nothing was defined in the 
  Default Domain Controllers Policy. Can you answer these questions please?
  [1] Why does the Default Domain Controllers Security Policy have a password 
  section?
  [2] What happens if you change a setting in it? (ie: who does it apply to?)
  [3] If you set a password policy at the empty forest root level, does it flow 
  down to children and set things sans conflict at the child domain?
  
  As always, I appreciate your helpful insight.
  
  RH
  
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 13 November, 2006 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password Police Question on Forest-ChildDomain relationship

What passwords are you talking about? For which accounts?

It will not let you change the password as the policy mentions: "at least 1 day 
old"

Password policies are not defined in the default domain controllers policy, but 
in the default domain policy

Cheers,
jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday 13 November 2006 15:56
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password Police Question on Forest-ChildDomain relationship


Dear List readers,

I have a Forest (W2K3 FFL) with an empty root domain and a single child domain 
(W2K3 FFL). Today I changed the password on all my servers in the child domain 
including the domain controllers. I meant to exclude them but did not. Now they 
have the same password as my member servers. I went to change the password 
again on the DCs in the child domain, but they will not let me. "Your password 
must be at least 8 characters, cannot repeat any of your previous 0 passwords 
and must be at least 1 days old" is the error I get. I have a domain policy set 
for the computers in the domain, which has the complexity specified above as 
far as characters, but the group policy (default Domain Controllers) for my DCs 
in the child domain is "Not Defined" in all of the password policy options. Nor 
is there anything defined in the Forest Root Default Domain Controllers policy, 
which I thought might be flowing down to my Child Domain DCs. 

I cannot find where the policy might be set keeping me from changing the 
password in my Child Domain DCs.

Would anyone know where to find that setting?

I would like to reset my Child DCs so their password is different.

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
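An added example for Paul's third answer above (written for this page, not from the thread): it lists the password policy each domain in the forest actually enforces, one row per domain, which makes it visible that the child domain's settings are its own and nothing from the root domain reaches it. It assumes the ActiveDirectory PowerShell module (which did not exist when this thread was written); the function name Get-ForestPasswordPolicy is mine.

```powershell
# Added example, not code from the thread: the effective domain password
# policy of every domain in the forest, side by side.
# Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-ForestPasswordPolicy {
    foreach ($domain in (Get-ADForest).Domains) {
        # Each domain has its own Default Domain Policy; nothing is inherited
        # from the forest root, so query each domain by name.
        $p = Get-ADDefaultDomainPasswordPolicy -Identity $domain
        [pscustomobject]@{
            Domain           = $domain
            MinLength        = $p.MinPasswordLength
            HistoryCount     = $p.PasswordHistoryCount
            MinAgeDays       = $p.MinPasswordAge.Days
            MaxAgeDays       = $p.MaxPasswordAge.Days
            Complexity       = $p.ComplexityEnabled
            LockoutThreshold = $p.LockoutThreshold
        }
    }
}

Get-ForestPasswordPolicy | Format-Table -AutoSize
```

The error Rocky quotes (at least 8 characters, 0 passwords remembered, at least 1 day old) is simply the MinLength, HistoryCount and MinAgeDays row of the child domain: a DC's computer account is a domain account of that domain, so the domain policy applies to it regardless of what the Default Domain Controllers policy leaves Not Defined.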


Re: [ActiveDir] /3GB and/or /USERVA and/or /PAE???

2006-11-06 Thread Paul Williams



You need 4GT enabled (/3GB switch) if 
these only function as DCs. There's not much info. on this, but if you 
want to get the maximum LSASS footprint into RAM (~2.7GB) then you need to 
enable 4GT. If you're running K3 SP1 Enterprise then PAE is enabled by 
default and therefore the boot.ini switch is not necessary.

I don't think you need to worry about PAE 
although sometimes the full RAM doesn't show up unless you do enable it (or, in 
some cases, tweak some BIOS setting).


--Paul


  - Original Message - 
  From: Mike Baudino 
  To: ActiveDir@mail.activedir.org 
  Sent: Saturday, November 04, 2006 5:30 PM
  Subject: [ActiveDir] /3GB and/or /USERVA and/or /PAE???
  
  Hi all,
  
  We're running a Server 2003 AD environment across 110 DCs across North 
  America and Europe. We have physical DCs on a variety of fairly new 
  hardware and ESX VMs.
  
  Older server hardware, approx two years old:
  quad proc
  2GB ram
  
  ESX VMs:
  dual proc
  3.6GB ram
  
  New server hardware, from this summer:
  quad proc
  4GB ram
  
  
  Our DIT is around 2.3-2.4 GB and still growing slowly as we continue 
  migrations of users. Server migrations coming next. There's no 
  Exchange in our environment and the DCs are single-purpose as we don't permit 
  anything else to be loaded on them (except for SYSVOL, antivirus, and 
  monitoring tools, of course). 
  
  My concern is that none of the older hardware or the VMs are running /3GB 
  or /PAE. Some of the new hardware is running /PAE and some is not. 
  I would like to have some degree of consistency.
  
  From what I can tell, running /3GB would make sense on the VMs and the 
  newer physical boxes as it would permit more RAM to be allocated LSASS. 
  If we use /3GB do we need to, or want to, use /USERVA? 
  
  I don't see any advantage, and in fact a disadvantage, to running 
  /PAE. The disadvantage may just be "bad press" but it appears that there 
  are issues with /PAE compatibility. Also, it appears that /PAE has no 
  impact at or below 4GB? 
  
  I read another thread from earlier this summer that the VMs should 
  probably be replaced. We're looking into that but it will take a 
  while. The thread seemed to indicate that /3GB might be the way to 
  go.
  
  Anyway, I would like to know what you're running and/or would 
  recommend. Called Microsoft about this and they looked up the same 
  article that we already had but seemed to offer no advice based on real world 
  experience. You guys are where the rubber meets the road. 
  
  Thanks,
  Mike
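The consistency check Mike asks for, as an added example written for this page (not something posted in the thread): it collects, from every DC in the domain, the boot switches in effect (/3GB, /USERVA, /PAE), whether PAE is actually on, physical RAM, the size of NTDS.DIT, and how much LSASS currently holds, so the numbers Paul's answer hinges on can be compared across hardware and VMs. It assumes the ActiveDirectory module for the DC list, WMI/RPC and the remote registry reachable on each DC, and an admin share for the DIT path; the function name Get-DcMemoryProfile is my own.

```powershell
# Added example, not code from the thread: one row per DC with the
# memory-related facts the /3GB, /USERVA and /PAE question turns on.
# Assumes the ActiveDirectory module, WMI access and the C$ style admin
# share on each DC, run as a Domain Admin.
Import-Module ActiveDirectory

function Get-DcMemoryProfile {
    param([string[]]$ComputerName = ((Get-ADDomainController -Filter *).HostName))

    foreach ($dc in $ComputerName) {
        $os    = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $dc
        $lsass = Get-WmiObject -Class Win32_Process -ComputerName $dc -Filter "Name='lsass.exe'"
        $opts  = [string]$os.SystemStartOptions      # the boot.ini switches in effect

        $userVa = $null
        if ($opts -match '/USERVA=(\d+)') { $userVa = [int]$Matches[1] }

        # NTDS.DIT location from the DC's registry, then its size via the admin share
        $ditSizeMB = $null
        try {
            $hklm    = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
            $ditPath = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters').GetValue('DSA Database file')
            $ditUnc  = "\\$dc\" + ($ditPath -replace '^([A-Za-z]):', '$1$$')   # C:\... -> C$\...
            $ditSizeMB = [math]::Round((Get-Item $ditUnc).Length / 1MB)
        } catch { }

        [pscustomobject]@{
            DC                = $dc
            OS                = "$($os.Caption) $($os.CSDVersion)".Trim()
            PhysicalMB        = [math]::Round([int64]$os.TotalVisibleMemorySize / 1KB)
            BootOptions       = $opts
            FourGT            = ($opts -match '/3GB')
            UserVaMB          = $userVa
            PaeSwitch         = ($opts -match '/PAE')
            PaeEnabled        = [bool]$os.PAEEnabled
            DitSizeMB         = $ditSizeMB
            LsassWorkingSetMB = [math]::Round([int64]$lsass.WorkingSetSize / 1MB)
        }
    }
}

Get-DcMemoryProfile | Format-Table -AutoSize
```

PaeEnabled next to PaeSwitch is the point of the PAE columns: on the SP1 Enterprise builds Paul mentions PAE shows as enabled with no switch in BootOptions. Comparing DitSizeMB with LsassWorkingSetMB on the 4GB boxes with and without FourGT shows directly whether the larger user-mode address space is letting LSASS hold the whole DIT, which is the benefit the thread is weighing.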


Re: [ActiveDir] Active Directory Health Check tool - where can it run from?

2006-11-01 Thread Paul Williams



I assume you are referring to the ADST 
tool that you get if you're a premier customer and MSFT come and do an AD 
Healthcheck. As far as I know, this can be run from anywhere (in the 
domain), as it's really just a bunch of VBS scripts that do ADSI and WMI queries 
against the DCs. The cool thing is these scripts are wrapped behind a 
decent GUI.

--Paul


  - Original Message - 
  From: Washington, Booker 
  To: ActiveDir@mail.activedir.org 
  Sent: Tuesday, October 31, 2006 10:26 PM
  Subject: RE: [ActiveDir] Active Directory Health Check tool - where can it run from?
  
  
  It is the Active Directory Health Check Snapshot Tool. What exactly is ADRAP? 
  I got a copy from our Forest Admins because I am a child domain of the 
  forest.
  
  The reason that I ask is because I seem to get buggy results when I go from 
  an XP workstation, or a member server, and I wondered if I needed to run it 
  from the DC itself.
  
  
  Thanks
  
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
  Sent: Tuesday, October 31, 2006 5:15 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: Active Directory Health Check tool - where can it run from?
  
  
  
  Which tool is this? The AD Snapshot tool that you get from an ADRAP can run 
  from any server.
  
  
  
  --brian
  
  
  
  
  
  From: [EMAIL PROTECTED] on behalf of Washington, Booker
  Sent: Tue 10/31/2006 4:04 PM
  To: ActiveDir@mail.activedir.org
  Subject: Active Directory Health Check tool - where can it run from?
  
  
  Does that tool need to be run from a Domain Controller, or can it be run from 
  any member server in the Domain, or workstation.
  Just curious. 
  Thanks 
  


Re: [ActiveDir] DMZ DOMAIN?

2006-10-24 Thread Paul Williams



If you take a look at the Windows 2000 
clustering training material (I don't have it handy so my vocabulary will be 
sketchy) there is a setup where you make the nodes the DCs for the domain that 
the cluster resides in. I've never implemented such a setup though, so 
can't vouch for it in any way, other than saying that it is supported to have a 
DC or DCs as nodes in a cluster. What isn't supported is the clustering of 
AD (we all know why that is a stupid idea anyway).

Personally, I would add two additional 
servers to the DMZ as domain controllers for their own forest, also running as 
GC and DNS servers. The clusters, and the notes servers, and any other 
servers that have service accounts running on them, can then be members of this 
domain.

You need to think long and hard before 
creating any trusts from the DMZ to the internal (or vice-versa). Again, 
this is supported and is often used (DMZ trusts internal) in a number of setups, 
but the true purpose of a DMZ doesn't allow such things (from a conceptual 
perspective --see DMZology presentation by Fred at TechEd for some good info. on 
this).


--Paul

  - Original Message - 
  From: 
  Brian 
  Desmond 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Tuesday, October 24, 2006 4:33 
  AM
  Subject: RE: [ActiveDir] DMZ 
DOMAIN?
  
  
  You 
  need a domain to have a cluster. You can make yourself a forest for this 
  purpose out in the DMZ. Just don’t make the cluster nodes domain 
  controllers.
  
  Thanks,
  Brian 
  Desmond
  [EMAIL PROTECTED]
  
  c 
  - 312.731.3132
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Monday, October 23, 2006 6:04 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] DMZ DOMAIN?
  
  I have a little question.
  I have a DMZ zone, where we have our firewall and some Lotus Notes email servers.
  I want to create a Microsoft cluster with our two internet page servers. I read in 
  documentation that I can only have a cluster if I have an MS AD domain. Is that true? 
  Is there any restriction on creating a domain in an Internet DMZ zone? Is that unsafe? 
  Thanks 
  Adrião Ferreira Ramos
  CII14
  (11) 33888193
  [EMAIL PROTECTED]


Re: [ActiveDir] OT: Bulk Workstation reboots.....

2006-10-19 Thread Paul Williams



 Any impact problems to be aware 
of?

From an AD standpoint, no. 
Especially not if you do it out of hours.

If there's no remote DCs, you might see a 
spike in WAN traffic, but again, nothing worth worrying about. Certainly 
less than what's going over the WAN during office hours.

From a client standpoint, there's the open 
files issue(s)...


--Paul

  - Original Message - 
  From: 
  Frank 
  Abagnale 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Thursday, October 19, 2006 9:16 
  AM
  Subject: Re: [ActiveDir] OT: Bulk 
  Workstation reboots.
  
  Paul,
  
  These 900 workstations are not scattered all over the place. They are 
  placed over 4 locations
  
  This site has 3 DC's, which are all W2k3 R2 GC enabled.
  
  Any impact problems to be aware of?
  
  but thanks for the script!
  
  Frank
  
  Paul Williams [EMAIL PROTECTED] 
  wrote:
  



Here's a script I've used in the past 
to do what you want:
-- http://groups.google.com/group/microsoft.public.windows.server.active_directory/msg/3be4867f843df935


I wouldn't worry about the computer 
logons if you do this out of hours, e.g. run the script via a scheduled task 
or simply initiate at 2000 or whatever. Those machines are going to be 
scattered all over the place and will use different DCs.


--Paul

  - Original Message - 
  From: 
  Frank Abagnale 
  To: Active 
  Sent: Wednesday, October 18, 2006 
  3:14 PM
  Subject: [ActiveDir] OT: Bulk 
  Workstation reboots.
  
  I have a startup script which inputs a variable on every 
  XP workstation.
  This variable is going to change and I need the workstations to be 
  rebooted to reflect the change.
  I have around 900 workstations, I was thinking of using the 
  shutdown.exe tool with the remote name in a batch file.
  I was planning on doing this during the night, does anyone see any 
  issues/impact if I set 900 machines to reboot automatically? Does anyone 
  else have a better idea?
  Thanks
  Frank
  
  


Re: [ActiveDir] Latency in List

2006-10-18 Thread Paul Williams
Yeah, I sort of bitched about it last month when I had some time to reply. 
I see about 90 - 100 minute delays.



--Paul

- Original Message - 
From: Vinnie Cardona [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Wednesday, October 18, 2006 1:00 AM
Subject: RE: [ActiveDir] Latency in List



This message was sent at 6pm (MST)

I have seen latency...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, October 17, 2006 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Latency in List

I initially sent a reply to this thread (below) at 19:43 BST yet I 
only received it back at 21:37 BST, nearly two hours later. Is anyone else
experiencing latency or is it just me?

Let's see what this message does!

Mark

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 17 October 2006 19:43
To: ActiveDir.org
Subject: Re: [ActiveDir] The remote computer has ended the connection.




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



Re: [ActiveDir] OT: Bulk Workstation reboots.....

2006-10-18 Thread Paul Williams



Here's a script I've used in the past to 
do what you want:
-- http://groups.google.com/group/microsoft.public.windows.server.active_directory/msg/3be4867f843df935


I wouldn't worry about the computer logons 
if you do this out of hours, e.g. run the script via a scheduled task or simply 
initiate at 2000 or whatever. Those machines are going to be scattered all 
over the place and will use different DCs.


--Paul

  - Original Message - 
  From: 
  Frank 
  Abagnale 
  To: Active 
  Sent: Wednesday, October 18, 2006 3:14 
  PM
  Subject: [ActiveDir] OT: Bulk Workstation 
  reboots.
  
  I have a startup script which inputs a variable on every 
  XP workstation.
  This variable is going to change and I need the workstations to be 
  rebooted to reflect the change.
  I have around 900 workstations, I was thinking of using the shutdown.exe 
  tool with the remote name in a batch file.
  I was planning on doing this during the night, does anyone see any 
  issues/impact if I set 900 machines to reboot automatically? Does anyone else 
  have a better idea?
  Thanks
  Frank
  
  


Re: [ActiveDir] userAccountControl 544

2006-10-17 Thread Paul Williams



If you create with ADSI, e.g. _vbscript_, 
and don't set a password before the initial setInfo you get 2 + 32 + 512. 
If you then set the password, you can un-set 32. If you don't set a 
password and you have a password restriction policy, you cannot un-set 32 or 
2.

Setting the password won't change the 
value of userAccountControl, you have to do that by yourself.

Note. Although it doesn't really do 
much if you have password policies in place, it is probably not recommended to 
set 32, therefore you need to instruct your provisioning people on how to 
properly create a user object.

Note also. The cookbook code (http://techtasks.com/code/viewbookcode/1555) 
will end up with a value of 544. So you need to take this into account and 
set uac at the end in addition to enabling the user (personally, I would not use 
accountDisabled() and would set uac to what I want).

If you want to go through what you have 
and correct this, assuming all users have a password, you can do this with 
ADMOD:

adfind -default -bit -f 
"(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=32))" 
userAccountControl -adcsv|admod 
userAccountControl::{{userAccountControl::CLR::32}} -unsafe


[Re] Note. If you have a pwd policy 
in place, you must set passwords first.


--Paul


  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Tuesday, October 17, 2006 6:24 
  AM
  Subject: RE: [ActiveDir] 
  userAccountControl 544
  
  
  D*mn 
  I’m glad you can understand my gibberish. I reread that post and came up 
  with a ‘what the h*//???’
  
  In 
  the circumstance w/ ADSI, what would be the proper routine to follow? 
  After the user is created and the password set, do you change the value of 544 
  back to 512?
  
  I’ve 
  noticed the same about 544. The user doesn’t appear to have sufficient 
  rights to reset their password to a blank password. The administrator 
  (or someone with full control on the object – have not verified what 
  permissions exactly) can set their password to null all day long. That’s 
  kind of dismaying.
  
  Also, 
  544 doesn’t go back to 512 after the user password has changed so it’s kind of 
  subject to always holding the capacity for a blank password. Don’t 
  really like that either… 
  
  Thanks 
  for the information, as always. I picked up your book, by the way. 
  Fun read.
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Tuesday, October 17, 2006 12:43 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] userAccountControl 544
  
  Depends 
  on how the user is created. If using ADSI, you cannot specify a password while 
  creating the user so if you have a password length policy then you have to 
  create the account disabled or set to allow a blank password or both. 
  
  
  With 
  the raw LDAP API (and I would expect S.DS.Protocols), you can create an 
  enabled user because you can specify the password in the ADD op. You can do 
  that with admod if you like.
  
  Note 
  that an account set with 544 doesn't necessarily have a blank password, but it 
  could be. 
  
  
  --
  O'Reilly 
  Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Monday, October 16, 2006 5:19 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] userAccountControl 544
  I think I’ve figured it out. :) Thanks all.
  
  :m:dsm:cci:mvp| 
  marcusoh.blogspot.com
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oh, Marcus (CCI-Atlanta)
  Sent: Monday, October 16, 2006 11:57 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] userAccountControl 544
  
  Trying to understand this value. Seeing it set on some of my user objects. 
  So … 512 would be a normal user but 32 means that no password is required. 
  When a new user object is created, my understanding (by reading quite a few 
  threads) is that 544 is the default uac. Does this sound right?
  Is there a point when something doesn’t need to listen to domain policy? It 
  should fail to meet standards by the password length… now, I’m not sure how I 
  can verify the actual password is set to nothing. On one particular account, 
  I’ve tried logging in with a blank password but get a bad password failure.
  Thanks all!


Re: [ActiveDir] Discovering LDAPS availability

2006-10-11 Thread Paul Williams
The project that I'm working on makes heavy use of LDAPS.  However, at the 
moment, we favour the latter statement - the built DCs don't leave staging 
until the certs are pulled.  They must be signed off, and that's one of the 
last items on the deployment check list.


We'll probably automate this check soon, but we're too busy with automating 
the builds at the moment.


Personally, I like the idea of _ldaps SRV RRs.  Although I can appreciate 
there's a bit more to it from MSFT's point of view than simply getting 
NETLOGON to register them in DNS.



--Paul

- Original Message - 
From: joe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 10, 2006 10:45 PM
Subject: RE: [ActiveDir] Discovering LDAPS availability



Hmm doesn't look like anyone else has figured this out or just doesn't
deploy LDAPS or alternately makes sure every DC is capable of LDAPS.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Loder
Sent: Friday, October 06, 2006 8:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Discovering LDAPS availability

joe's absolutely right.  What's trying to be
accomplished is to publish new LDAPS SRV records for a
300+ DC environment.  But I don't want to just blindly
assume each DC properly enrolled with the CA (we had
problems like that at the beginning), and I'd really
like to avoid the overhead of touching each DC.
Unfortunately, that's about the only viable method I
see.

We have a DCR in with MS to change the behavior so
that the DCs automatically publish LDAPS if it's
available.  But what we're hearing right now is that
it's probably not in the pipeline until LH SP1.

--- joe [EMAIL PROTECTED] wrote:


LDAPS records aren't published by DCs, only LDAP
records. I can assure you
if it were that easy, David wouldn't have had an
issue. From what I have
seen, if a secure LDAP connection is required, the
internal routines from
MSFT simply locate a DC and go to the port. If LDAPS
isn't hot, the
connection is dropped with server down error.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, October 05, 2006 6:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Discovering LDAPS
availability

Couldn't you just query the DNS for the SRV record
advertising it...

Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



From: David Loder [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 06/10/2006 08:56 a.m.
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Discovering LDAPS availability


Other than directly testing the 636 port on each DC,
can anyone suggest a method for an unprivileged
client to discover whether or not LDAPS should be available
on a specific DC?

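The thread settles on testing port 636 on each DC directly, and David's worry is DCs that never enrolled properly with the CA. The script below, an added example that is not code from the list, does exactly that check for a list of DCs: it tries a certificate-verifying TLS handshake first (what a client would do), and only if that fails retries without verification, so "636 is up but the certificate is not trusted" is reported differently from "nothing listens on 636". The hostnames under main() are constructed placeholders.

```python
"""Verify that each DC really answers LDAPS (TCP 636) with a trusted certificate.

Added example for the LDAPS availability thread; not code from the list.
The hostnames in main() are constructed placeholders.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List

LDAPS_PORT = 636


def dc_locator_srv(domain: str) -> str:
    """SRV name that DCs do register; there is no equivalent record for LDAPS."""
    return f"_ldap._tcp.dc._msdcs.{domain}"


@dataclass
class LdapsStatus:
    host: str
    reachable: bool = False  # TCP connect to the port succeeded
    tls: bool = False        # some TLS handshake completed
    trusted: bool = False    # handshake with certificate verification succeeded
    subject_cn: str = ""     # CN of the verified certificate
    not_after: str = ""      # expiry of the verified certificate
    error: str = ""


def _handshake(host: str, port: int, timeout: float, verify: bool) -> dict:
    """One TLS handshake; returns the peer certificate dict (empty if unverified)."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert() or {}


def check_ldaps(host: str, port: int = LDAPS_PORT, timeout: float = 3.0) -> LdapsStatus:
    status = LdapsStatus(host=host)
    # Step 1: is anything listening on 636 at all?
    try:
        with socket.create_connection((host, port), timeout=timeout):
            status.reachable = True
    except OSError as exc:
        status.error = f"tcp: {exc}"
        return status
    # Step 2: handshake with verification against the local trust store.
    try:
        cert = _handshake(host, port, timeout, verify=True)
        status.tls = status.trusted = True
        subject = dict(rdn[0] for rdn in cert.get("subject", ()))
        status.subject_cn = subject.get("commonName", "")
        status.not_after = cert.get("notAfter", "")
        return status
    except ssl.SSLError as exc:  # includes SSLCertVerificationError
        status.error = f"tls verify: {exc.reason or exc}"
    except OSError as exc:
        status.error = f"tls: {exc}"
        return status
    # Step 3: verification failed; is it at least speaking TLS (bad cert enrolment)?
    try:
        _handshake(host, port, timeout, verify=False)
        status.tls = True  # LDAPS is up, but clients would reject the certificate
    except OSError as exc:
        status.error = f"tls: {exc}"
    return status


def check_all(hosts: List[str]) -> Dict[str, LdapsStatus]:
    return {h: check_ldaps(h) for h in hosts}


if __name__ == "__main__":
    print("locate DCs via", dc_locator_srv("corp.example.com"))  # constructed domain
    for host, st in check_all(["dc01.corp.example.com", "dc02.corp.example.com"]).items():
        verdict = "trusted" if st.trusted else "tls-untrusted" if st.tls else "no-ldaps"
        print(f"{host:32} {verdict:14} {st.subject_cn} {st.not_after} {st.error}")
```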

Re: [ActiveDir] FW: Script to move user account and computer accounts

2006-10-09 Thread Paul Williams



Look at ADMOD or ADMT for xdom 
move.

If you actually want to copy a user, look 
at ADMT. Note. ADMT won't perform a copy, when operating 
intra-forest, by default. But you can configure it to do so 
IIRC.

Other options are to create a new user and 
copy the existing attributes, using a script or some code, excluding things 
like SID, UPN, etc. If this is the route you want to take, I don't think 
it's detailed in a whitepaper anywhere (it might be but I've not read it). 
This is something you need to implement yourself. The problem here is that 
ADMT tracks source and destination objects so you can re-run it and keep the 
target attributes up-to-date with the source ones. Your script won't do 
this by default.


--Paul

  - Original Message - 
  From: 
  Group, Russ 
  
  To: ActiveDir@mail.activedir.org 
  
  Sent: Monday, October 09, 2006 3:27 
  PM
  Subject: [ActiveDir] FW: Script to move 
  user account and computer accounts
  
  Hi all 
  I was wondering if there is a script I can use that will move user accounts and 
  computer accounts from one child domain to another child domain (Windows 2000). I 
  don’t even know where to look for this, so if someone can point me in the right 
  direction (URL or white paper) so I don’t ask the same ignorant question twice, I 
  would appreciate it.
  Thanks
  Russ 



Re: [ActiveDir] [OT] Exchange 2007 Schema

2006-10-09 Thread Paul Williams

LOL.  It's in the rest room I'm told...


--Paul

- Original Message - 
From: Rich Milburn [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, October 06, 2006 6:56 PM
Subject: RE: [ActiveDir] [OT] Exchange 2007 Schema



For the BrettSh T-Shirt, my vote is for the line to be split

BrettSh T-
Shirt

It's similar to the signs in the UK for leasing buildings -
TO LET
They are just missing an i.

I think Dean and Paul W know what I'm talking about

:-)
Rich


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 06, 2006 10:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Exchange 2007 Schema

You are definitely funny Brett, some would just argue whether it is in the
ways you think. =)

I find you quite funny, I am waiting for the BrettSh T-Shirt to come out in
fact. But with the crazy that can only be Brett hairdo, not the big boy
hairdo. ;o)

I do kind of agree with Tony though, unless you are one of the TAP folks
with specific agreements with MSFT to bail you out in the event of a nasty
fire, you probably shouldn't be installing heavily AD integrated beta
products into your production forest. I would assume that
ITG/OTG/GOaT/GIT/OA/IT/IS or whatever the name is now being used for MSFT IT
have the necessary support agreements in place. :) Plus they have Brian, not
much he isn't going to be able to fix by himself I think.

 joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, October 05, 2006 11:58 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] [OT] Exchange 2007 Schema

Oh crap!  Brian Puhl, you reading?  Tony says E2k7 is a beta product, I
hope you didn't load that schema on our main forest?  Too late to get it
backed out (via forest restore)?

Thanks for the heads up Tony,
BrettSh [msft]

P.S. - Does anyone think I'm as funny as I think I am ... probably not
...


On Thu, 5 Oct 2006, Tony Murray wrote:


Hi all

There are apparently schema changes post Beta 2 - just in case anyone was
considering pre-loading the schema changes into production [1].


I don't have any further details on what the changes are.

Tony

[1] Which of course you wouldn't contemplate with a Beta product :-)







Re: [ActiveDir] finding users that password never expire.

2006-10-09 Thread Paul Williams



Perform an AND query.

In ADFIND, this looks like 
this:

adfind -default -bit -f 
"(&(objectCategory=person)(userAccountControl:AND:=65536))" cn


If you want to use ADUC, or something 
else, you'll need to use this:

(&(objectCategory=person)(useraccountcontrol:1.2.840.113556.1.4.803:=65536))


--Paul


  - Original Message - 
  From: 
  Yann 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Monday, October 09, 2006 4:43 
  PM
  Subject: [ActiveDir] finding users that 
  password never expire.
  
  Hello all,
  
  I had to dump in AD all users whose password never expires.
  I used the saved queries with this custom ldap query :
  useraccountcontrol=66048 which corresponds to the NORMAL_ACCOUNT & 
  DONT_EXPIRE_PASSWORD property flags.
  BUT i found that this search was not complete, because some users have 
  other property flags such as 
  UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or 
  UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | 
  UF_NOT_DELEGATED ... :(
  
  So the question is:
  How to search for user accounts that have at least the 
  DONT_EXPIRE_PASSWORD property flag set to their useraccountcontrol ?
  Is there a way to do it with a custom ldap query ?
  
  Thanks,
  
  Yann
  
  
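Both userAccountControl threads above (Paul's 2 + 32 + 512 walk-through and clearing bit 32 with ADMOD, and Yann's equality query missing accounts with extra flags) come down to the same bit arithmetic. The script below is an added example, not code from the list: it decodes the documented flag bits, evaluates an equality term versus the bitwise-AND/OR matching-rule terms (the OIDs AD uses, which adfind's -bit switch spells :AND: and :OR:) against a constructed set of users, and shows the CLR-style flag removal.

```python
"""Decode userAccountControl values and evaluate bitwise LDAP filters offline.

Added example for the userAccountControl 544 and "password never expires"
threads; not code from the list posts. Flag values are the documented
ADS_USER_FLAG bits; the sample user entries are constructed.
"""
from typing import Dict, List

# Subset of the documented userAccountControl flag bits.
UAC_FLAGS: Dict[str, int] = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWD": 0x10000,
    "NOT_DELEGATED": 0x100000,
}

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # all asserted bits set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # any asserted bit set

# Constructed sample directory: cn -> userAccountControl.
SAMPLE_USERS: Dict[str, int] = {
    "alice": 512,      # NORMAL_ACCOUNT
    "bob": 544,        # NORMAL_ACCOUNT | PASSWD_NOTREQD (the 544 from the thread)
    "carol": 66048,    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD (Yann's equality query)
    "dave": 66050,     # ACCOUNTDISABLE | NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    "erin": 1114626,   # ... | DONT_EXPIRE_PASSWD | NOT_DELEGATED
}


def decode_uac(value: int) -> List[str]:
    """Names of the known flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def clear_flag(value: int, flag: str) -> int:
    """What admod's CLR does: unset one flag without touching the others."""
    return value & ~UAC_FLAGS[flag]


def uac_matches(value: int, rule: str, assertion: int) -> bool:
    """Evaluate one userAccountControl filter term the way the DC would."""
    if rule == "=":                      # useraccountcontrol=66048
        return value == assertion
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return (value & assertion) == assertion
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return (value & assertion) != 0
    raise ValueError(f"unknown matching rule {rule!r}")


def select_users(entries: Dict[str, int], rule: str, assertion: int) -> List[str]:
    """Sorted cn's whose userAccountControl satisfies the term."""
    return sorted(cn for cn, uac in entries.items() if uac_matches(uac, rule, assertion))


def bitwise_filter(flag: str, rule: str = LDAP_MATCHING_RULE_BIT_AND) -> str:
    """Filter string usable in ADUC saved queries or any LDAP client."""
    return f"(&(objectCategory=person)(userAccountControl:{rule}:={UAC_FLAGS[flag]}))"


if __name__ == "__main__":
    print("546 =", " | ".join(decode_uac(546)))  # ADSI default before a password is set
    print("544 -> CLR PASSWD_NOTREQD ->", clear_flag(544, "PASSWD_NOTREQD"))
    print("equality 66048:", select_users(SAMPLE_USERS, "=", 66048))
    print("bitwise AND 65536:", select_users(SAMPLE_USERS, LDAP_MATCHING_RULE_BIT_AND, 65536))
    print("filter:", bitwise_filter("DONT_EXPIRE_PASSWD"))
```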


Re: [ActiveDir] choose between SOAD and Netpro directory Troubleshooter.

2006-10-04 Thread Paul Williams



I assume you mean NetPro Directory 
Analyser? I've not done much with any, but we've got NetPro Directory 
Troubleshooter here and from what I've seen of it, it doesn't compare with 
Quest's SOAD as it does more proactive, task oriented stuff.

I've not seen NetPro's analyser. 
Quest's SOAD is OK, but as with all real time monitoring solutions, you're limited 
by the human on the end. I'd prefer something like HP Open View Operations 
for Windows or BMC Patrol or even MOM, which can react accordingly to issues in 
a number of ways.


--Paul

  - Original Message - 
  From: 
  Yann 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Tuesday, October 03, 2006 7:11 
  PM
  Subject: [ActiveDir] choose between SOAD 
  and Netpro directory Troubleshooter.
  
  Hello all,
  
  I don't know if it is the right place.
  I'm about to test 2 AD troubleshooting products and I have to 
  choose one of them to monitor/troubleshoot our AD infrastructure:
  Spotlight on Active Directory (SOAD) and Netpro Active Directory 
  Troubleshooter.
  Does someone have any experience with the 2 products and could tell 
  me what the pros and cons of each of them are?
  
  Thank you,
  
  Yann
  
  
  
  
  


Re: [ActiveDir] ADFS and certs

2006-09-25 Thread Paul Williams

Perhaps Tomasz and I should blog about this more for now.  :)


Yeah, you guys do that please!

This looks like it's taking off, and some of it is a real black art for some 
infrastructure people...



--Paul
- Original Message - 
From: Joe Kaplan [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Monday, September 25, 2006 12:10 AM
Subject: Re: [ActiveDir] ADFS and certs


Yeah, the real step by step guide isn't so bad per se.  What it tries to 
do is give you a simple path to having an easy demo set up of ADFS going 
so you can kick the tires.  For that, it is ok.  Where it doesn't cross 
the gap very well is in providing guidance on how to apply the lessons 
learned to real scenarios.


Because ADFS relies on certificates for both SSL/HTTP and the signing of 
security tokens, you need certificates to use it.  In order to get through 
the step by step guide successfully, they chose to use the self-issued 
model, as it is really the only simple way to get SSL certs without 
spending money or setting up a CA.  However, it does leave you with 
self-signed certs, which is not where you want to end up.


I think that either the step by step guide needs to provide more guidance 
and explanation of the steps and how to apply them, or the other 
documentation for ADFS needs to fill this gap.  As it stands now, there is 
still no good guidance on how to procure your certificates and what the 
various trade-offs are for the possible ways to go about this.  People who 
already know PKI will be able to fill in the details, but many people will 
be left scratching their heads.


Perhaps Tomasz and I should blog about this more for now.  :)

Joe K.

- Original Message - 
From: Tomasz Onyszko [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Sunday, September 24, 2006 3:16 PM
Subject: Re: [ActiveDir] ADFS and certs



Rick Kingslan wrote:

Joe, Tomasz -

Yep, you're right that it may tend to show a bad precedent for people to 
follow.  I haven't taken a look at these particular labs (and having 
just come back from a long hiatus, I didn't see the referenced lab) but 
is the guidance there as to what Best or Preferred Practices SHOULD BE?


You can check this lab here:
http://www.microsoft.com/downloads/details.aspx?familyid=062F7382-A82F-4428-9BBD-A103B9F27654displaylang=en

No, you will not find any guidance on best practices there, and maybe 
this is not the best place, but I'm not aware of any other ADFS related 
doc which deals in detail with best practices and description of usage 
for certificates in ADFS deployment.


If not - I find that the bigger problem than the fact that self-certs 
are being used at all.



--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)


Re: [ActiveDir] LDAP query assistance

2006-09-25 Thread Paul Williams



Great answer Joe. I completely 
missed the multi-domain issue, thinking (as I wrote) that was only an issue for 
DLGs. Oh well, you've certainly refreshed my memory and answered the 
question admirably.

As you can tell from this, and from our 
off-line conversation, I'm just using ASQ all the time ('cause it's 
great!), and sometimes it's not appropriate : )


--Paul

  - Original Message - 
  From: 
  joe 

  To: ActiveDir@mail.activedir.org 
  
  Sent: Friday, September 22, 2006 3:53 
  PM
  Subject: RE: [ActiveDir] LDAP query 
  assistance
  
  This unfortunately isn't going 
  to work...
  
  1. Global group membership is not maintained in the GC. 
  Depending on the domain the GC you query hosts, your results will vary. If you 
  hit a parent DC GC then you will see memberships for the parent (and Unis). If 
  you hit a child DC GC, then you will see memberships of the child (and Unis). 
  
  
  
  2. An ASQ query will only work against 
  objects in the linked attribute that are immediately available. Depending on 
  whether you hit a GC port or the local LDAP port and depending on the info 
  present in that GC instance (see comments above) the results again could vary. 
  The ASQ query does NOT cross DCs to return info. Again, since 
  the global group membership of a domain is only maintained on a DC of 
  that domain this will only resolve part of the membership.
  
  A couple of examples of ASQ in 
  action...
  
  G:\Temp\delete>adfind -e -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" member
  
  AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006
  
  Using server: 2k3dc02.joe.com:389
  Directory: Windows Server 2003
  
  dn:CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com
  >member: CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com
  >member: CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com
  >member: CN=Domain Users,CN=Users,DC=joe,DC=com
  
  1 Objects returned
  
  G:\Temp\delete>adfind -e -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* -dn
  
  AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006
  
  Using server: 2k3dc02.joe.com:389
  Directory: Windows Server 2003
  
  dn:CN=Domain Users,CN=Users,DC=joe,DC=com
  dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com
  
  2 Objects returned
  
  
  Note that the member attribute of the group has 3 members 
  but the ASQ objectclass=* query only returns 2, that is because doing the LDAP 
  port 389 query, the child1 object is not available.
  
  Now change that to a GC query to a GC that is a DC for 
  joe.com and it works
  
  G:\Temp\delete>adfind -h 2k3dc02 -gc -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* -dn
  
  AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006
  
  Using server: 2k3dc02.joe.com:3268
  Directory: Windows Server 2003
  
  dn:CN=Domain Users,CN=Users,DC=joe,DC=com
  dn:CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com
  dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com
  
  3 Objects returned
  
  But if I wanted the membership of those three global 
  groups and tried against the same GC you will note that the membership of the 
  child1 domain group is not enumerated... 
  
  G:\Temp\delete>adfind -h 2k3dc02 -gc -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* member
  
  AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006
  
  Using server: 2k3dc02.joe.com:3268
  Directory: Windows Server 2003
  
  dn:CN=Domain Users,CN=Users,DC=joe,DC=com
  >member: CN=Domain Admins,CN=Users,DC=joe,DC=com
  >member: CN=administrator,CN=Users,DC=joe,DC=com
  
  dn:CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com
  
  dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com
  >member: CN=2K3EXC02,CN=Computers,DC=joe,DC=com
  >member: CN=2K3EXC01,CN=Computers,DC=joe,DC=com
  
  3 Objects returned
  
  But turn it around and use a child1 GC and what do you 
  think you get?
  
  G:\Temp\delete>adfind -h 2k3dc10 -gc -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* member
  
  AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006
  
  Using server: 2k3dc10.child1.joe.com:3268
  Directory: Windows Server 2003
  
  0 Objects returned
  
  
  
  That's right... nothing. That makes perfect sense 
  correct? If not, think about what group data is "guaranteed" to be in GCs and 
  for what scope groups... 
  
  
  
  
  There is, unfortunately, no single LDAP query that can be 
  posed to AD to resolve the membership of three global groups in three 
  different domains. The proper way to handle this would be to use a single 
  Universal group or a Single Domain Local Group, with both, you would add all 
  members to the group directly, not nest. 
  
  An alternate is to 

Re: [ActiveDir] LDAP query assistance

2006-09-22 Thread Paul Williams



Something like this, against a GC:

(|(&(objectCategory=person)(memberOf=dn of group 01))(&(objectCategory=person)(memberOf=dn of group 02))(&(objectCategory=person)(memberOf=dn of group 03)))


You can also do it the way you want using ASQ if you don't mind DN as the
output. Here's an example using ADFIND:

adfind -b "cn=group,ou=groups,dc=domain-name,dc=com" -asq member -f "objectCategory=group" member -list


--Paul

  - Original Message - 
  From: Amanda Rose
  To: ActiveDir Mailing List
  Sent: Friday, September 22, 2006 10:02 AM
  Subject: [ActiveDir] LDAP query assistance
  
  
  Hello! I work in a small company where we have 
  need of some LDAP query assistance to identify a group of users out of 
  AD. We only have basic LDAP knowledge in house and our query is not 
  finding what we need. I would really appreciate any assistance you could 
  lend to the following:
  
  We are trying to identify synchronize a group called “LLUsers” within AD
  with an external application- so that we can do single-sign-on (AD
  Authentication)
  
  Our Active Directory is structured as follows:
  Parent Domain – contains global security group called “LLUsers”
  Two child domains – each contains a Global Security Group called “LLUsers”
  
  In the Parent Domain, there is an additional Local Security Group called
  “LLUsersLocal” whose members are the “LLUsers” groups from all three domains.
  
  We want to construct a single LDAP query that will 
  return the Users from all three “LLUsers” groups.
  
  Right now, the LDAP query we have pulls individual 
  users added to the LLUsers group in the parent 
  domain.
  
  Is there a way to create a nested or “OR” query that 
  can look in “LLUsersLocal – and pull out the Individual Users in each group 
  within?
  
  This is the current LDAP query 
  (&(objectcategory=user)(memberOf=CN=LLUsers,CN=users,DC=res-ltd,DC=com))
  
  We have tried many others – often a variation of:
  
  (&(objectcategory=user)(|(memberOf=CN=LLUsersLocal,CN=users,DC=res-ltd,DC=com)(memberOf=CN=LLUserslocal,CN=users,DC=glasgow,DC=res-ltd,DC=com)(memberOf=CN=LLUserslocal,CN=users,DC=austin,DC=res-ltd,DC=com)))
  
  Or – 
  perhaps the AD design with Parent and Child directories makes this 
  impossible? We have received some advice that we should move to a flat 
  structure with only one domain and use work groups 
  within.
  
  Amanda Rose, Renewable Energy Systems
  [EMAIL PROTECTED] (email)
  www.res-americas.com or www.res-ltd.com
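Added example, not code from joe's or Paul's posts: a small Python model of which server can hand back which group's member attribute. It reproduces joe's four adfind runs against joe.com / child1.joe.com and Amanda's LLUsers layout, and then shows why a universal group resolves from any GC. The u1/u2/u3 users, the child1 member and the LLUsersUniversal group are constructed assumptions.

```python
"""Added example, not code from joe's or Paul's posts: a small model of which
server can hand back which group's member attribute.  It reproduces joe's
four adfind runs against joe.com / child1.joe.com and Amanda's LLUsers layout.
Assumed replication rules (what joe's "guaranteed to be in GCs" hint points at):
  * LDAP port 389 on a DC only returns objects of that DC's own domain;
  * a GC (port 3268) holds every object in the forest, but the member
    attribute of global and domain local groups is only held by DCs of the
    group's own domain, while universal group membership is on every GC.
The u1/u2/u3 users, the child1 member and LLUsersUniversal are constructed."""
from dataclasses import dataclass, field


@dataclass
class Obj:
    dn: str
    domain: str               # home domain of the object
    scope: str = None         # None for users, else global/domainlocal/universal
    member: list = field(default_factory=list)


def forest(*objs):
    return {o.dn: o for o in objs}


def object_on(f, dn, server_domain, gc):
    """The object as a server of server_domain (GC or plain DC) sees it, or None."""
    o = f.get(dn)
    return o if o is not None and (gc or o.domain == server_domain) else None


def member_on(o, server_domain):
    """member attribute as that server holds it; None when not replicated there."""
    if o.domain == server_domain or o.scope == "universal":
        return list(o.member)
    return None


def asq_member(f, base_dn, server_domain, gc, want_member=False):
    """Emulate `adfind -b <base> -asq member -f objectclass=* [member]`:
    a list of (dn, member list or None) for each member object readable there."""
    base = object_on(f, base_dn, server_domain, gc)
    values = member_on(base, server_domain) if base else None
    if values is None:        # base absent, or present without its membership
        return []
    results = []
    for dn in values:
        obj = object_on(f, dn, server_domain, gc)
        if obj is not None:   # members in partitions the server lacks vanish
            results.append((dn, member_on(obj, server_domain) if want_member else None))
    return results


def resolved_users(f, base_dn, server_domain, gc=True):
    """Users a server can list directly in base_dn or one nesting level below."""
    users = []
    for dn, members in asq_member(f, base_dn, server_domain, gc, want_member=True):
        if f[dn].scope is None:
            users.append(dn)
        else:
            users.extend(m for m in (members or []) if m in f and f[m].scope is None)
    return users


# --- joe.com / child1.joe.com, mirroring the adfind output in joe's post -----
PRE2K = "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com"
DU = "CN=Domain Users,CN=Users,DC=joe,DC=com"
EDS_JOE = "CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com"
EDS_CHILD = "CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com"
JOE = forest(
    Obj(PRE2K, "joe.com", "domainlocal", [EDS_JOE, EDS_CHILD, DU]),
    Obj(DU, "joe.com", "global", ["CN=Domain Admins,CN=Users,DC=joe,DC=com",
                                  "CN=administrator,CN=Users,DC=joe,DC=com"]),
    Obj(EDS_JOE, "joe.com", "global", ["CN=2K3EXC02,CN=Computers,DC=joe,DC=com",
                                       "CN=2K3EXC01,CN=Computers,DC=joe,DC=com"]),
    Obj(EDS_CHILD, "child1.joe.com", "global",
        ["CN=2K3EXC10,CN=Computers,DC=child1,DC=joe,DC=com"]),   # constructed
)

# --- LLUsers: three global groups nested in one domain local, plus joe's fix ---
DOMS = {"res-ltd.com": "DC=res-ltd,DC=com",
        "glasgow.res-ltd.com": "DC=glasgow,DC=res-ltd,DC=com",
        "austin.res-ltd.com": "DC=austin,DC=res-ltd,DC=com"}
USERS = [Obj(f"CN=u{i},CN=Users,{sfx}", d) for i, (d, sfx) in enumerate(DOMS.items(), 1)]
LLUSERS = [Obj(f"CN=LLUsers,CN=Users,{sfx}", d, "global", [u.dn])
           for (d, sfx), u in zip(DOMS.items(), USERS)]
LL_LOCAL = "CN=LLUsersLocal,CN=Users,DC=res-ltd,DC=com"
LL_UNIVERSAL = "CN=LLUsersUniversal,CN=Users,DC=res-ltd,DC=com"   # direct members, no nesting
RES = forest(*USERS, *LLUSERS,
             Obj(LL_LOCAL, "res-ltd.com", "domainlocal", [g.dn for g in LLUSERS]),
             Obj(LL_UNIVERSAL, "res-ltd.com", "universal", [u.dn for u in USERS]))


if __name__ == "__main__":
    for dom, gc in (("joe.com", False), ("joe.com", True), ("child1.joe.com", True)):
        n = len(asq_member(JOE, PRE2K, dom, gc))
        print(f"{dom}:{3268 if gc else 389}  {n} Objects returned")
    for dom in ("res-ltd.com", "glasgow.res-ltd.com"):
        print(f"{dom} GC  nested: {len(resolved_users(RES, LL_LOCAL, dom))} users,"
              f"  universal: {len(resolved_users(RES, LL_UNIVERSAL, dom))} users")
```

The three joe.com runs give 2, 3 and 0 objects as in the adfind output above, and the nested LLUsersLocal yields only the parent domain's users even from a parent-domain GC, while the universal group yields all three from any GC.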


Re: [ActiveDir] different version of R2 available?

2006-09-21 Thread Paul Williams



When we spoke with the PM out in Redmond it was said that the feature that
allows you to copy a file on one replica and that file get made up on another
with very little replication traffic, e.g. a comparison taken on the local
source and then only the deltas replicated (just like the rest of the RDC
engine but without having done an initial source of the original file from the
upstream partner) required an Enterprise version of Windows in the mix
(somewhere in the DFSR topology). There seems to be some confusion about this.
I'm not talking about RDC, but a feature that utilises that technology.

For example, you have a VHD (hdd01) and you copy it to the same folder locally
and rename to hdd02. That file isn't replicated in its entirety. Rather, the
hdd01 on the replica is used to create that file and only the necessary bits
that represent the filename change are replicated.

A couple of people have tried to shoot me down in flames when I mentioned
this, but I know what I heard... : )

(although I might not be correct)


--Paul

  - Original Message - 
  From: Chong Ai Chung
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, September 21, 2006 12:29 AM
  Subject: Re: [ActiveDir] different version of R2 available?
  
  Refer to following KB article: Media for Windows Server 2003 R2 is 
  released by using various SKUs, such as Windows Server 2003 R2 Standard 
  Edition, Windows Server 2003 R2 Enterprise Edition, and Windows Server 2003 R2 
  Datacenter Edition. 
  
  CD2 must be the same SKU as what is currently installed. For example, 
  only Windows Server 2003 R2 Standard Edition CD2 can be applied to Windows 
  Server 2003 Standard Edition. 
  
  http://support.microsoft.com/kb/912309/en-us
  
  On 9/21/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:
  



My officemate and I were discussing whether there are different versions of
the R2 CD depending on whether you're running Server 2003 Standard or Server
2003 Enterprise. Or is there only one version of R2? TIA!

Mike Thommes


Re: [ActiveDir] DC Establishing Session to client on TCP139

2006-09-21 Thread Paul Williams



It's probably SMB (CIFS). The NT5.x client service attempts to establish SMB
sessions using both 445 and 137/8/9 (whichever one). The first to reply is
what is used. If 445, it's SMB over TCP/IP. If the NetBT 3, then it's SMB over
NetBIOS over TCP/IP (NetBT).

Note. It doesn't use all three of the NetBT 3, I just don't remember what's
what.


--Paul

  - Original Message - 
  From: Brian Desmond
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, September 21, 2006 2:53 AM
  Subject: [ActiveDir] DC Establishing Session to client on TCP139
  
  
  I’m seeing a lot of hits 
  in firewall logs for DCs trying to establish sessions to clients on TCP139 
  (NBT Session Service). Does anyone know why this is happening or if it’s 
  necessary?
  
  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]
  
  c - 312.731.3132
  


Re: [ActiveDir] How are folks setting hidden user attribs?

2006-09-21 Thread Paul Williams
We populate this on user creation because we use provisioning systems 
(bespoke stuff that was written for the project(s)).


For some of our smaller customers, there were scripts that were run to 
populate this stuff.  Initially a bulk import, followed by monthly updates 
or ad hoc updates via the script or web front end.


Other options are using a different admin tool, e.g. Quest Active Roles to 
create users and configure that to allow you to write this attribute.



--Paul

- Original Message - 
From: Alex Fontana [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, September 21, 2006 8:03 AM
Subject: [ActiveDir] How are folks setting hidden user attribs?


Hey guys,



I'm curious how people are populating attributes such as employeeid,
employeetype, etc, specifically when creating\modifying accounts using the
GUI (ADUC)?  Besides me writing something to populate the fields what other
resources do I have to allow other selected users (account creators) to
populate these fields?



TIA



-alex


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] [OT] mSDS-Approx-Immed-Subordinates - How does it work?

2006-09-21 Thread Paul Williams



Joe,

How is the DS calculating these values? The reason I ask is I've always found
it to be way off. For example, take a look at the following output against one
of my ADAM instances:

D:\dev\dotnet\vb\ds>adfind -h .:5 -b ou=people,dc=test-lab,dc=com -s one -f "|(objectcategory=organizationalunit)(objectcategory=container)" msDS-Approx-Immed-Subordinates

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: adlds01.test-lab.com:5
Directory: Active Directory Application Mode

dn:OU=Test-Batch-01,OU=People,DC=test-lab,DC=com
msDS-Approx-Immed-Subordinates: 2742

dn:OU=Test-Batch-02,OU=People,DC=test-lab,DC=com
msDS-Approx-Immed-Subordinates: 37507

dn:OU=Test-Batch-03,OU=People,DC=test-lab,DC=com
msDS-Approx-Immed-Subordinates: 52809

3 Objects returned



D:\dev\dotnet\vb\ds>adfind -h .:5 -b ou=test-batch-02,ou=people,dc=test-lab,dc=com -s one -c

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: adlds01.test-lab.com:5
Directory: Active Directory Application Mode

5 Objects returned



D:\dev\dotnet\vb\ds>adfind -h .:5 -b ou=test-batch-03,ou=people,dc=test-lab,dc=com -s one -c

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: adlds01.test-lab.com:5
Directory: Active Directory Application Mode

75000 Objects returned

Thanks,


--Paul


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: 18 September 2006 16:12
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Ad Reporting Tools
  
  -enabled is definitely on the list to be added to oldcmp. 
  
  
  I will have to think about the summary switch... 
  
  
  
  So you just want counts... I have something in my script 
  repository that is probably pretty close to what you want... I used it for 
  some testing once. It is perl, but you are welcome to convert it to what you 
  need or modify as you see fit... 
  
  
  ##########################################################################
  #* ObjSum.PL                                                            *#
  #*======================================================================*#
  #* Author : [EMAIL PROTECTED] (Joe Richards)                            *#
  #* Version: V01.00.00                                                   *#
  #* Modification History:                                                *#
  #*   V01.00.00 2004.01.15 joe Original Version                          *#
  #*----------------------------------------------------------------------*#
  #* This script counts objects matching a filter + approx children of    *#
  #* each container/OU                                                    *#
  #*----------------------------------------------------------------------*#
  #* Notes:                                                               *#
  #* This script will output the container DN, container name, an         *#
  #* approximate guess at the number of child objects in the container    *#
  #* and then an exact count of the objects in the container for the      *#
  #* filter specified. If a base is not selected, the default NC of the   *#
  #* default DC will be used. If a filter is not specified, the filter    *#
  #* objectclass=* will be utilized.                                      *#
  ##########################################################################
  
  ##########################################################################
  #* Packages:                                                            *#
  #*----------------------------------------------------------------------*#
  #* None required                                                        *#
  ##########################################################################
  
  ##########################################################################
  #* Definitions:                                                         *#
  #*----------------------------------------------------------------------*#
  #* None required                                                        *#
  ##########################################################################
  
  #
  # Display header
  #
  print "\nObjSum V01.00.00pl Joe Richards ([EMAIL PROTECTED]) January 2004\n\n";
  
  #
  # Get args
  #  ex: Arg1: dc=test,dc=local
  #      Arg2: "(&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2))"
  #
  my $base=shift;
  my $filter=shift;
  
  #
  # Process args
  #  Set defaults if nothing specified - default NC and all objects
  #
  if ($base!~/\w/) {$base="-default"} else {$base="-b $base"};
  if ($filter!~/\w/) {$filter="*"};
  
  #
  # Build container/OU query and execute
  #  We want all OUs and any containers that are "default",
  #  i.e. shown in basic views, this skips adminsdholder et alii.
  #
  my $cmd="adfind $base -f \"(&(|(objectcategory=organizationalunit)" .
          "(objectcategory=container))(!showInAdvancedViewOnly=TRUE))\" name " .
          "msDS-Approx-Immed-Subordinates -csv -csvdelim %%SPLIT%% -csvq \"\"";
  my @containers=`$cmd`;
  shift @containers;   # lose the header line
  chomp @containers;   # lose crlf
  
  #
  # Print header for CSV
  #
  print "\"dn\",\"name\",\"Aprox Child Obj Count\",\"$filter count\"\n";
  
  #
  # Quote filter in case it needs to be
  #
  if ($filter!~/\"/) 

Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-17 Thread Paul Williams



Lucky you : )

I'm in an environment where we're doing this now, and I'm not happy with how
it's being done (I think we can be even more secure ;-), which means I've
accidentally volunteered to re-look at it all for the next iteration of the
design cycle...

(bollocks)


--Paul


  - Original Message - 
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Friday, September 15, 2006 5:22 PM
  Subject: RE: [ActiveDir] Elevating privileges from DA to EA
  
  Thanks Paul.,
  
  
  Joe's been there and done 
  it...
  LOL - so have I 
  several time before :)
  
  
  neil
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
  Sent: 15 September 2006 09:46
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Elevating privileges from DA to EA
  
  Neil,
  
  Try a re-read of the first couple of chapters of the first part of the
  deployment guide book designing and deploying directory and security
  services. Obviously it doesn't spell out how to do this -it doesn't even
  allude to how this is done- but does emphasise when and when not to go with
  the regional domain model.
  
  I'm not disputing what anyone is saying here -I agree. I just happen to
  think the regional model can be a good one, and that if done properly works.
  Even from a security standpoint. The main thing with the regional design is
  that there's a central group of service admins, or a true delegated model. 
  
  If you have multiple groups of service admins it can still work, but the
  issue that has been raised is very real and you probably need to implement
  processes and monitor against it (if you're forced into such a design by the
  needs of the business or obtuse upper management ;-). Although it does seem
  to be possible to implement disparate groups of service admins if you follow
  the delegation whitepaper (you'll need to improvise, but most of the info. is
  pertinent), which should put you in a much stronger position from a security
  standpoint. If you can achieve a very small number of people who are actually
  members of the builtin\Administrators group, and the rest only have delegated
  permissions and privileges (and preferably very few privileges on the DCs,
  i.e. no logon locally) you can achieve what you want. 
  
  Joe's been there and done 
  it...
  
  
  --Paul
  
- Original Message - 
From: Almeida Pinto, Jorge de
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 8:48 AM
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Al - we are designing a forest with regional domains 
(don't ask!) and one region has suggested it needs to split from this forest 
since elevating rights in any regional domain from DA to EA (forest wide) is 
'simple' [and this would break the admin / support 
model].

What is being said is very very true. Either you 
trust ALL Domain Admins (no matter the domain those are in) or you do not 
trust ANY! Every Domain Admin or ANY person with physical access to a DC has 
the possibility to turn the complete forest into crap!
Because if that was NOT the case the DOMAIN would 
be the security boundary. Unfortunately it is not! The Forest is the 
security boundary, whereas EVERY single DC in the forest MUST be protected 
and EVERY Domain Admin MUST be trusted!

I am arguing that it is not simple and am looking for 
methods which may be used to elevate rights as per the 
above

When you know HOW, it is as easy as taking candy from a 
baby

jorge


  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Friday, September 15, 2006 09:36
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Elevating privileges from DA to EA
  
  Thanks for responses, all.
  
  Al - we are designing a forest with regional domains 
  (don't ask!) and one region has suggested it needs to split from this 
  forest since elevating rights in any regional domain from DA to EA (forest 
  wide) is 'simple' [and this would break the admin / support 
  model].
  
  I am arguing that it is not simple and am looking for 
  methods which may be used to elevate rights as per the 
  above.
  
  Make sense?
  
  neil
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: 14 September 2006 20:59
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Elevating privileges from DA to EA
  Can you reword? I'm not sure I clearly understand the 
  question. FWIW, going from DA to EA is a matter of adding one's id 
  to the EA group. DA's have that right in the root domain of the 
  forest (DA's of the root domain have that 

Re: [ActiveDir] Strange password issue

2006-09-17 Thread Paul Williams



No worries. It's a big thread that has spawned several different threads of
discussion.


--Paul

  - Original Message - 
  From: Akomolafe, Deji
  To: ActiveDir@mail.activedir.org
  Sent: Friday, September 15, 2006 5:32 PM
  Subject: RE: [ActiveDir] Strange password issue
  
  
  OK. The account under 
  discussion is "512". Had to refresh my brains because I just took your 1-4 
  bullet points and said, uh-uh, there is a way to have an enabled password-less 
  account. Granted it won't be "512" and will be useless, it is still 
  enabled.
  
  Sorry, Paul.
  
  
  Sincerely,
  Microsoft MVP - Directory Services
  www.akomolafe.com - we know IT
  Do you now realize that Today is the Tomorrow you were worried about
  Yesterday? -anon
  
  
  From: joe
  Sent: Fri 9/15/2006 7:52 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Strange password issue
  
  The account is currently 512... You can't get there with 
  a blank password without 1-4.
  
   joe
  
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
  Sent: Thursday, September 14, 2006 11:52 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Strange password issue
  
  
  I think you are missing 5.
  
  5. The account was created programmatically disabled with PWD_NOT_REQD set.
  So, we have 546 UAC. Then someone programmatically set UAC to 544 or went
  into ADUC and manually enabled the account.
  
  It's a feasible scenario, no?
  
  
  
  
  
  From: joe
  Sent: Thu 9/14/2006 5:25 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Strange password issue
  
  The secret is you cannot ENABLE an account with no password if you have a
  password length policy and the PWD_NOT_REQD flag isn't set. So if you have
  an account that is created which by default (i.e. no UAC specified) will be
  546. If you specify 544 it will still create and it will allow a blank
  password. 
  
  If you have an account with 546 (disabled, pwdnotreqd) you can clear the
  pwdnotreqd fine. However when you go to enable the account, you will get
  busted for not following policy. The Extended Error (-exterr with admod) is
  
  DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
  Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
  
  Which is 
  
  F:\DEV\cpp\AdMod>err 52d
  # for hex 0x52d / decimal 1325 :
    ERROR_PASSWORD_RESTRICTION                                     winerror.h
  # Unable to update the password. The value provided for the
  # new password does not meet the length, complexity, or
  # history requirement of the domain.
  # 1 matches found for "52d"
  
  
  A blank password does not have a hash, the system knows 
  it is blank. 
  
  You will obviously hit the same problem if you have an 
  enabled account with pwd_not_reqd and try to clear the 
  pwd_not_reqd.
  
  So current or past setting of UAC has no bearing on this 
  problem. 
  
  
  
  This could occur in four ways that I can think of (in order of likelihood)
  and speak about
  
  1. Someone relaxed the policy while the password was set 
  or when the account was being enabled / having pwd_not_reqd 
  cleared
  
  2. The Domain Password Policy isn't or at least wasn't 
  getting applied to one or more domain controllers for some reason. Check 
  minPwdLength on the NC Head objects of all DCs in the 
  domain
  
  3. A blank password hash was forced into the attribute of 
  an already enabled account through some form of LSASS process injection. 
  
  
  4. The raw DIT was modified. 
  
  
   joe
  
  
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
  Sent: Wednesday, September 06, 2006 3:30 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Strange password issue
  
  
  PWD_NOT_REQ is 32.
  
  You can create an account with this set and bypass the need to set a
  password (ADSI does this automatically if you don’t set a password when you
  create an enabled user without a password), but you can’t set it back to 512
  (normal) when it’s blank, like Al says:
  
  C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add
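
Added example, not code from joe's, Deji's or Paul's posts: the userAccountControl values the thread juggles (512, 544, 546; PWD_NOT_REQD = 32) decoded, joe's enable rule expressed as a check on a UAC change, and a defender-side audit for the enabled-but-exempt state Deji describes in point 5. The minPwdLength value and the sample accounts are constructed.

```python
"""Added example, not code from the list posts: decode the userAccountControl
values the thread argues about (512, 544, 546) and apply joe's rule that the
DC refuses an enabled account with a blank password unless PWD_NOT_REQD is set.
Flag values are the documented userAccountControl bits; the policy length and
the sample accounts are constructed."""

# userAccountControl bits used in the thread (documented values)
ACCOUNTDISABLE = 0x0002        # 2
PASSWD_NOTREQD = 0x0020        # 32, what Paul calls PWD_NOT_REQ
NORMAL_ACCOUNT = 0x0200        # 512
DONT_EXPIRE_PASSWORD = 0x10000
FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}
ERROR_PASSWORD_RESTRICTION = 0x52D   # 1325, the 052D in joe's extended error


def decode_uac(value):
    """Names of the set bits, lowest bit first: 546 -> DISABLE, NOTREQD, NORMAL."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def is_enabled(uac):
    return not uac & ACCOUNTDISABLE


def check_uac_change(old_uac, new_uac, password_len, min_pwd_length):
    """Model of the DC's decision when userAccountControl is rewritten.

    The refusal joe describes fires when the new state is enabled and no
    longer carries PASSWD_NOTREQD while the stored password is shorter than
    minPwdLength.  Returns (accepted, win32 error code)."""
    exempt = bool(new_uac & PASSWD_NOTREQD)
    if is_enabled(new_uac) and not exempt and password_len < min_pwd_length:
        return False, ERROR_PASSWORD_RESTRICTION
    return True, 0


def audit_blank_password_risk(accounts, min_pwd_length):
    """Constructed audit: enabled accounts still exempt from the length policy.

    These are the 544-style accounts from Deji's point 5: enabled, possibly
    blank, never forced through the policy.  Returns their sAMAccountNames."""
    if min_pwd_length <= 0:          # no length policy, nothing to be exempt from
        return []
    return [sam for sam, uac in accounts if is_enabled(uac) and uac & PASSWD_NOTREQD]


# constructed sample: (sAMAccountName, userAccountControl)
SAMPLE_ACCOUNTS = [
    ("svc-sync", 544),     # enabled + PASSWD_NOTREQD: finding
    ("jdoe", 512),         # normal enabled account, password was policy-checked
    ("stale-app", 546),    # disabled + PASSWD_NOTREQD: not a finding as it stands
    ("ops-admin", 66048),  # 512 + DONT_EXPIRE_PASSWORD
]

if __name__ == "__main__":
    for old, new, plen in ((546, 544, 0), (546, 512, 0), (544, 512, 0), (546, 512, 8)):
        ok, err = check_uac_change(old, new, plen, min_pwd_length=7)
        print(f"{old} -> {new} pwdlen={plen}: {'accepted' if ok else f'error 0x{err:X}'}")
    print("audit findings:", audit_blank_password_risk(SAMPLE_ACCOUNTS, min_pwd_length=7))
```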
  
  

Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-17 Thread Paul Williams
 is to get as few actual DA's as possible.

Is the threat real? Yes.  If you feel you should have multiple domains,
chances are good you really need OU's and a better admin model that
includes less complexity and fewer moving parts.

Oh, one other thing that might be of interest to your planning group: ask
them about their restoration requirements.  In that model, restoration can
be a bloody nightmare especially if the layer-8 issues are not resolved up
front.

Al



On 9/15/06, Paul Williams [EMAIL PROTECTED] wrote:
 Neil,

 Try a re-read of the first couple of chapters of the first part of the
 deployment guide book designing and deploying directory and security
 services.  Obviously it doesn't spell out how to do this -it doesn't
even
 allude to how this is done- but does emphasise when and when not to go
 with the regional domain model.

 I'm not disputing what anyone is saying here -I agree.  I just happen
to
 think the regional model can be a good one, and that if done properly
 works.  Even from a security standpoint.  The main thing with the
 regional design is that there's a central group of service admins, or
a
 true delegated model.

 If you have multiple groups of service admins it can still work, but
the
 issue that has been raised is very real and you probably need to
 implement processes and monitor against it (if you're forced into such
a
 design by the needs of the business or obtuse upper management ;-).
 Although it does seem to be possible to implement disparate groups of
 service admins if you follow the delegation whitepaper (you'll need to
 improvise, but most of the info. is pertinent), which should put you
in a
 much stronger position from a security standpoint.  If you can
achieve a
 very small number of people who are actually members of the
 builtin\Administrators group, and the rest only have delegated
 permissions and privileges (and preferably very few privileges on the
 DCs, i.e. no logon locally) you can achieve what you want.

 Joe's been there and done it...


 --Paul
 - Original Message -
 From: Almeida Pinto, Jorge de
 To: ActiveDir@mail.activedir.org
 Sent: Friday, September 15, 2006 8:48 AM
 Subject: RE: [ActiveDir] Elevating privileges from DA to EA

 Al - we are designing a forest with regional domains (don't ask!)
and
 one region has suggested it needs to split from this forest since
 elevating rights in any regional domain from DA to EA (forest wide) is
 'simple' [and this would break the admin / support model].

 What is being said is very very true. Either you trust ALL Domain
Admins
 (no matter the domain those are in) or you do not trust ANY! Every
Domain
 Admin or ANY person with physical access to a DC has the possibility
to
 turn the complete forest into crap!
 Because if that was NOT the case the DOMAIN would be the security
 boundary. Unfortunately it is not! The Forest is the security
boundary,
 whereas EVERY single DC in the forest MUST be protected and EVERY
Domain
 Admin MUST be trusted!

 I am arguing that it is not simple and am looking for methods which
 may be used to elevate rights as per the above

 When you know HOW, it is as easy as taking candy from a baby

 jorge

 From: [EMAIL PROTECTED] [mailto:
 [EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Sent: Friday, September 15, 2006 09:36
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Elevating privileges from DA to EA

 Thanks for responses, all.

 Al - we are designing a forest with regional domains (don't ask!) and
one
 region has suggested it needs to split from this forest since
elevating
 rights in any regional domain from DA to EA (forest wide) is 'simple'
 [and this would break the admin / support model].

 I am arguing that it is not simple and am looking for methods which
may
 be used to elevate rights as per the above.

 Make sense?

 neil

 From: [EMAIL PROTECTED] [mailto:
 [EMAIL PROTECTED] On Behalf Of Al Mulnick
 Sent: 14 September 2006 20:59
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Elevating privileges from DA to EA

 Can you reword?  I'm not sure I clearly understand the question.

 FWIW, going from DA to EA is a matter of adding one's id to the EA
group.
 DA's have that right in the root domain of the forest (DA's of the
root
 domain have that right). Editing etc. is not necessary. Nor are
 key-loggers etc.
 If physical access is available, there are plenty of ways to get the
 access you require to a domain but I suspect you're asking how can a
DA
 from a child domain gain EA access; is that the question you're
looking
 to answer?

 Just for curiosity, what brings up that question?

 Al

 On 9/14/06, [EMAIL PROTECTED] [EMAIL PROTECTED]
wrote:
   It has been suggested by certain parties here that elevating one's
   rights from AD to EA is 'simple'.


   I have suggested that whilst it's possible it is not simple at all.


   Does anyone have any descriptions of methods / backdoors /
workarounds
   etc that can be used to elevate rights

Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-17 Thread Paul Williams
DAs got nothing to do with it.  It makes it easier, but this can be done by 
someone without any account at all.



--Paul

- Original Message - 
From: Bernard, Aric [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 10:33 PM
Subject: RE: [ActiveDir] Elevating privileges from DA to EA



Kevin,

FWIW - as others are stating, assuming you know what you are doing, it is 
*simple* and painless so long assuming that you are a DA of any domain in 
the forest and have access to the console of a GC.  There are many 
exploits strategies in this area and in its most basic form this can be 
done with rudimentary knowledge, native tools, and no coding or scripting.



Aric

-Original Message-
From: Kevin Brunson [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org
Sent: 9/15/06 1:35 PM
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

http://www.microsoft.com/technet/security/Bulletin/MS02-001.mspx
discusses some elevation of privilege attacks.  It also links to another
article that is supposed to have more details on SID filtering, which
doesn't seem to exist anymore.  All references I have found point only
at NT4 and 2000 as susceptible to this kind of attack, and they have a
patch to fix it.  So I guess 2003 is secure at least when it comes to
the SIDHistory method.  There must be other ways of doing it, though.  I
don't know that they could possibly be simple if MS put out a patch to
fix this particular hole way back in 02.  The referenced article (for
those who don't read it) calls for a binary edit of the data structures
that hold the SIDHistory information.  Not exactly candy from a baby
level, unless you happen to be a 3rd level black-belt in
babies-canditsu.  But I'm sure someone with extreme skills could take on
an unpatched 2000 domain without much trouble.  Either way, it looks
like sidfiltering mitigates most of the risk.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Friday, September 15, 2006 2:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA




Al - we are designing a forest with regional domains (don't ask!) and

one region has suggested it needs to split from this forest since
elevating rights in any regional domain from DA to EA (forest wide) is
'simple' [and this would break the admin / support model].



What is being said is very very true. Either you trust ALL Domain Admins
(no matter the domain those are in) or you do not trust ANY! Every
Domain Admin or ANY person with physical access to a DC has the
possibility to turn the complete forest into crap!

Because if that was NOT the case the DOMAIN would be the security
boundary. Unfortunately it is not! The Forest is the security boundary,
whereas EVERY single DC in the forest MUST be protected and EVERY Domain
Admin MUST be trusted!




I am arguing that it is not simple and am looking for methods which

may be used to elevate rights as per the above



When you know HOW, it is as easy as taking candy from a baby



jorge







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, September 15, 2006 09:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Thanks for responses, all.



Al - we are designing a forest with regional domains (don't
ask!) and one region has suggested it needs to split from this forest
since elevating rights in any regional domain from DA to EA (forest
wide) is 'simple' [and this would break the admin / support model].



I am arguing that it is not simple and am looking for methods
which may be used to elevate rights as per the above.



Make sense?



neil







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 14 September 2006 20:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

Can you reword?  I'm not sure I clearly understand the question.


FWIW, going from DA to EA is a matter of adding one's id to the
EA group.  DA's have that right in the root domain of the forest (DA's
of the root domain have that right). Editing etc. is not necessary. Nor
are key-loggers etc.
If physical access is available, there are plenty of ways to get
the access you require to a domain but I suspect you're asking how can a
DA from a child domain gain EA access; is that the question you're
looking to answer?

Just for curiosity, what brings up that question?

Al

On 9/14/06, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:

It has been suggested by certain parties here that elevating
one's rights from AD to EA is 'simple'.

I have suggested that whilst it's possible it is not simple at
all.

Does anyone have any descriptions of methods / backdoors /
workarounds etc that 

Re: [ActiveDir] Strange password issue

2006-09-15 Thread Paul Williams



Not really, as it's now 512 and can't get 
to that state without a password meeting complexity.


--Paul

  - Original Message -
  From: Akomolafe, Deji
  To: ActiveDir@mail.activedir.org
  Sent: Friday, September 15, 2006 4:52 AM
  Subject: RE: [ActiveDir] Strange password issue
  
  
  I think you are missing 5.

  5. The account was created programmatically disabled with PWD_NOT_REQD set. So, we have 546 UAC. Then 
  someone programmatically set UAC to 544 or went into ADUC and manually enabled 
  the account.

  It's a feasible scenario, no?
  
  
  
  Sincerely,
  Deji Akomolafe
  Microsoft MVP - Directory Services
  www.akomolafe.com - we know IT
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
  
  
  From: joe
  Sent: Thu 9/14/2006 5:25 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Strange password issue
  
  The secret is you cannot ENABLE an account with no password if you have a password length policy and the PWD_NOT_REQD flag isn't 
  set. So if you have an account that is created which by default (i.e. no UAC 
  specified) will be 546. If you specify 544 it will still create and it 
  will allow a blank password. 
  
  If you have an account with 546 (disabled, pwdnotreqd) 
  you can clear the pwdnotreqd fine. However when you go to enable the account, 
  you will get busted for not following policy. The Extended Error (-exterr with 
  admod) is
  
  DN: CN=someuser,OU=Users,OU=TestOU,DC=test,DC=loc...: [r2dc1.test.loc] Error 0x35 (53) - Unwilling To Perform
  Extended Error: 052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
  
  Which is 

  F:\DEV\cpp\AdMod>err 52d
  # for hex 0x52d / decimal 1325 :
    ERROR_PASSWORD_RESTRICTION                                    winerror.h
  # Unable to update the password. The value provided for the
  # new password does not meet the length, complexity, or
  # history requirement of the domain.
  # 1 matches found for "52d"
  
  
  A blank password does not have a hash, the system knows 
  it is blank. 
  
  You will obviously hit the same problem if you have an 
  enabled account with pwd_not_reqd and try to clear the 
  pwd_not_reqd.
  
  So current or past setting of UAC has no bearing on this 
  problem. 
  
  
  
  This could occur in four ways that I can think of 
  (in order of likelihood) and speak about
  
  1. Someone relaxed the policy while the password was set 
  or when the account was being enabled / having pwd_not_reqd 
  cleared
  
  2. The Domain Password Policy isn't or at least wasn't 
  getting applied to one or more domain controllers for some reason. Check 
  minPwdLength on the NC Head objects of all DCs in the 
  domain
  
  3. A blank password hash was forced into the attribute of 
  an already enabled account through some form of LSASS process injection. 
  
  
  4. The raw DIT was modified. 
  
  
   joe
  
  
  
  --
  O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
  Sent: Wednesday, September 06, 2006 3:30 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Strange password issue
  
  
  PWD_NOT_REQ is 32.
  
  You can create an 
  account with this set and bypass the need to set a password (ADSI does this 
  automatically if you don’t set a password when you create an enabled user 
  without a password), but you can’t set it back to 512 (normal) when it’s 
  blank, like Al says:
  
  C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

  AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

  DN Count: 1
  Using server: connoa-dc-01.connoa.concorp.contoso.com
  Adding specified objects...
     DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

  The command completed successfully


  C:\>admod -b "cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com" useraccountcontrol::512 -unsafe

  AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

  DN Count: 1
  Using server: connoa-dc-01.connoa.concorp.contoso.com
  Modifying specified objects...
     DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform

  ERROR: Too many errors encountered, terminating...

  The command did not complete successfully
  
  
  --Paul
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
  Sent: 06 September 2006 19:28
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Strange password issue
  
  From what I recall, if the password 
  is not required, 

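The userAccountControl arithmetic joe and Paul walk through above (546 = disabled + PWD_NOT_REQD + normal, 544 creates fine with a blank password, 512 is refused with error 0x35 and extended error 052D) can be turned into a small audit. The following Python is an added example, not code from the list or from any poster: the flag names are the Windows SDK ones, the enforcement rule is a simplified model of what the thread describes rather than Microsoft's code, and the account names and per-DC minPwdLength values are constructed.

```python
import re

# Well-known userAccountControl bits (names as in the Windows SDK)
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020          # "PWD_NOT_REQ is 32" in the thread
NORMAL_ACCOUNT = 0x0200          # 512, a normal enabled user
DONT_EXPIRE_PASSWORD = 0x10000

UAC_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}

# Win32 code quoted in the thread (winerror.h): 0x52d / 1325
WINERROR_NAMES = {0x52D: "ERROR_PASSWORD_RESTRICTION"}


def decode_uac(value):
    """Names of the known bits set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_NAMES.items()) if value & bit]


def password_required(uac):
    """The DC only enforces the length/complexity policy on an account that is
    enabled AND does not carry PASSWD_NOTREQD (joe's and Paul's observations)."""
    return not (uac & ACCOUNTDISABLE) and not (uac & PASSWD_NOTREQD)


def check_uac_change(new_uac, password_len, min_pwd_length):
    """Simplified model of the DC's decision on a userAccountControl write.
    Only the *resulting* state matters ("current or past setting of UAC has
    no bearing"). Returns (accepted, message)."""
    if password_required(new_uac) and password_len < min_pwd_length:
        return False, ("Error 0x35 (53) - Unwilling To Perform; "
                       "Extended Error 052D ERROR_PASSWORD_RESTRICTION")
    return True, "ok"


def parse_extended_error(text):
    """Parse the admod -exterr text, e.g.
    '052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0',
    into the Win32 code (with its winerror.h name) and the LDAP problem."""
    m = re.match(r"\s*([0-9A-Fa-f]+):\s*(\w+):\s*DSID-([0-9A-Fa-f]+),\s*"
                 r"problem\s+(\d+)\s+\((\w+)\),\s*data\s+(\d+)", text)
    if not m:
        raise ValueError("unrecognised extended error: %r" % text)
    code = int(m.group(1), 16)
    return {
        "win32": code,
        "win32_name": WINERROR_NAMES.get(code, "UNKNOWN"),
        "svc": m.group(2),
        "dsid": m.group(3),
        "problem": int(m.group(4)),
        "problem_name": m.group(5),
        "data": int(m.group(6)),
    }


def audit_blank_password_risk(users):
    """Flag accounts on which a blank password may be present. `users` is a
    list of (sAMAccountName, userAccountControl). An enabled account with
    PASSWD_NOTREQD (e.g. 544) is the real exposure; a disabled one (546)
    should be fixed before anyone enables it."""
    findings = []
    for name, uac in users:
        if not uac & PASSWD_NOTREQD:
            continue
        if uac & ACCOUNTDISABLE:
            findings.append((name, "disabled, PASSWD_NOTREQD set"))
        else:
            findings.append((name, "ENABLED with PASSWD_NOTREQD: blank password possible"))
    return findings


def find_policy_drift(dc_values, expected):
    """joe's point 2: compare minPwdLength as read from the NC head on each DC
    with the value the domain GPO should have written via the PDCe. Returns
    the DCs whose copy disagrees."""
    return sorted(dc for dc, value in dc_values.items() if value != expected)


if __name__ == "__main__":
    # Constructed sample data; not taken from the thread
    print(decode_uac(546))
    print(check_uac_change(544, 0, 6))   # creating with 544 and a blank password is accepted
    print(check_uac_change(512, 0, 6))   # setting it to 512 is refused
    print(parse_extended_error(
        "052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0"))
    print(audit_blank_password_risk([("svc-sms", 544), ("tmp-user", 546), ("alice", 512)]))
    print(find_policy_drift({"r2dc1": 6, "r2dc2": 6, "r2dc3": 0}, expected=6))
```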
Re: [ActiveDir] Elevating privileges from DA to EA

2006-09-15 Thread Paul Williams



Neil,

Try a re-read of the first couple of 
chapters of the first part of the deployment guide book designing and deploying 
directory and security services. Obviously it doesn't spell out how to do 
this -it doesn't even allude to how this is done- but does emphasise when and 
when not to go with the regional domain model.

I'm not disputing what anyone is saying 
here -I agree. I just happen to think the regional model can be a good 
one, and that if done properly works. Even from a security stand 
point. The main thing with the regional design is that there's a central 
group of service admins, or a true delegated model. 

If you have multiple groups of service 
admins it can still work, but the issue that has been raised is very real and 
you probably need to implement processes and monitor against it (if you're 
forced into such a design by the needs of the business or obtuse upper 
management ;-). Although it does seem to be possible to implement 
disparate groups of service admins if you follow the delegation whitepaper 
(you'll need to improvise, but most of the info. is pertinent), which should put 
you in a much stronger position from a security stand point. If you can 
achieve a very small number of people who are actually members of the 
builtin\Administrators group, and the rest only have delegated permissions and 
privileges (and preferably very few privileges on the DCs, i.e. no logon 
locally) you can achieve what you want. 

Joe's been there and done it...


--Paul

  - Original Message -
  From: Almeida Pinto, Jorge de
  To: ActiveDir@mail.activedir.org
  Sent: Friday, September 15, 2006 8:48 AM
  Subject: RE: [ActiveDir] Elevating privileges from DA to EA
  
  Al - we are designing a forest with regional domains (don't 
  ask!) and one region has suggested it needs to split from this forest since 
  elevating rights in any regional domain from DA to EA (forest wide) is 
  'simple' [and this would break the admin / support 
  model].
  
  What is being said is very very true. Either you 
  trust ALL Domain Admins (no matter the domain those are in) or you do not 
  trust ANY! Every Domain Admin or ANY person with physical access to a DC has 
  the possibility to turn the complete forest into crap!
  Because if that was NOT the case the DOMAIN would be 
  the security boundary. Unfortunately it is not! The Forest is the security 
  boundary, whereas EVERY single DC in the forest MUST be protected and EVERY 
  Domain Admin MUST be trusted!
  
  I am arguing that it is not simple and am looking for 
  methods which may be used to elevate rights as per the 
  above
  
  When you know HOW, it is as easy as taking candy from a 
  baby
  
  jorge
  
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 15, 2006 09:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Elevating privileges from DA to EA

Thanks for responses, all.

Al - we are designing a forest with regional domains 
(don't ask!) and one region has suggested it needs to split from this forest 
since elevating rights in any regional domain from DA to EA (forest wide) is 
'simple' [and this would break the admin / support 
model].

I am arguing that it is not simple and am looking for 
methods which may be used to elevate rights as per the 
above.

Make sense?

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 14 September 2006 20:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Elevating privileges from DA to EA

Can you reword? I'm not sure I clearly understand the question.

FWIW, going from DA to EA is a matter of adding one's id to the EA group. DA's have that right in the root domain of the forest 
(DA's of the root domain have that right). Editing etc. is not necessary. 
Nor are key-loggers etc. If physical access is available, there are 
plenty of ways to get the access you require to a domain but I suspect 
you're asking how can a DA from a child domain gain EA access; is that the 
question you're looking to answer?

Just for curiosity, what brings up that question?

Al
On 9/14/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: 

  It has been suggested by certain parties here that elevating one's rights from DA to EA is 'simple'. 
  I have suggested that whilst it's possible it is not simple at all. 
  Does anyone have any descriptions of methods / backdoors / workarounds etc that can be used to elevate rights in this 
  way? Naturally, you may prefer to send this to me offline :) [[EMAIL PROTECTED]]
  I can think of the following basic methods:
  - Remove DC disks and edit offline
  - Introduce key logger on admin workstation / DC
  - 

Re: [ActiveDir] VBScript Container Security

2006-09-15 Thread Paul Williams



I can't point you at any examples, but 
most of the documentation I read and from what MSFT people said at conferences, 
reckons you should grant full control to the group for SMS servers on that 
container. That's horse sh!t -you need to grant create and delete of each 
of the MS SMS object types and full control over those object types, and that's 
it.

When I designed a couple of k3 SMS 
installations last year I used a DLG called SMS Servers and GGs called Primary 
SMS and Secondary SMS and nested the GGs into the DLG which was granted the 
permissions. You can then get specific for primary and secondary servers 
in some cases, or grant all via the DLG.

I'm afraid I can't remember the names of 
the classes, so can't give you the ldapDisplayName's of the object type in 
question. But they're easy to find, they should be prefixed with mS-SMS or 
something like that.

Note also that the advanced clients search 
on objectClass instead of objectCategory, so if you haven't already, you need to 
index objectClass.


--Paul

  - Original Message -
  From: Joe McNicholas
  To: ActiveDir@mail.activedir.org
  Sent: Friday, September 15, 2006 10:53 AM
  Subject: [ActiveDir] VBScript Container Security
  
  I'm trying to create and secure the "LDAP://cn=System 
  Management,cn=System,dc=mydomain,dc=com" container, as required for 
  SMS[1].
  I'm able to create the container successfully, but 
  haven't found any examples of how to assign security to an OU or Container in 
  the AD. MS Script Centre and a quick google have come up blank, can 
  anyone point me to any examples?
  Thanks Joe 
  [1] Ref: https://www.microsoft.com/technet/prodtechnol/sms/smssp2/spsecurity/3df7a6e2-e173-4def-a81a-5bd90fbbf9d8.mspx?mfr=true


Re: [ActiveDir] need help

2006-09-15 Thread Paul Williams



Look into the Win32_Service class for 
info. on how to view and manage services via script. Or, if you fancy 
calling EXEs and not handling everything in code, use the SC.EXE 
tool.


--Paul

  - Original Message -
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Friday, September 15, 2006 12:12 PM
  Subject: [ActiveDir] need help

  Guys, I need to develop a program which displays the services on all the DCs. Any idea where I can 
  find better help regarding this, or any other alternative solution? 
  Thanks in advance  
  


  "Joe McNicholas" [EMAIL PROTECTED] 
  Sent by: [EMAIL PROTECTED]
  09/15/2006 09:53 AM
  Please respond to ActiveDir@mail.activedir.org

  To: ActiveDir@mail.activedir.org
  cc:
  Subject: [ActiveDir] VBScript Container Security

  I'm trying to create and secure the "LDAP://cn=System Management,cn=System,dc=mydomain,dc=com" container, as required for 
  SMS[1]. 
  I'm able to create the container successfully, but 
  haven't found any examples of how to assign security to an OU or Container in 
  the AD. MS Script Centre and a quick google have come up blank, can 
  anyone point me to any examples? 
  Thanks Joe 
  [1] Ref: https://www.microsoft.com/technet/prodtechnol/sms/smssp2/spsecurity/3df7a6e2-e173-4def-a81a-5bd90fbbf9d8.mspx?mfr=true 

  


Re: [ActiveDir] dsget error

2006-09-13 Thread Paul Williams



It must be some kind of issue with the DS* 
tools. I was using a combination of ADFIND and DSMOD last week to enable 
~200,000 user objects (I forgot to set a password in a script that created a 
bunch of objects and therefore had a shed load of objects with uac of 546) and 
it would die every time with that error after a couple of thousand 
objects. I figured, but didn't look into it, it's something to do with the 
fact that DSMOD queries the DN you pass it to check for object type, etc. which 
means there's loads of queries hitting the DC (one for each mod).

This is why Joe's ADMOD (1.7) is 
going to be loads better, as he only does one extra query which means there's 
only n + 1 LDAP requests hitting the DC as opposed to n x 2 with 
DSMOD.


--Paul

  - Original Message -
  From: Brian Desmond
  To: ActiveDir@mail.activedir.org
  Sent: Wednesday, September 13, 2006 2:45 AM
  Subject: RE: [ActiveDir] dsget error
  
  
  The query is probably timing out.

  Get Joe's ADfind and run something like this:

  Adfind -default -f "(&(objectCategory=person)(objectClass=user))" displayName samAccountName pwdLastSet

  You can tag a -csv on there too 

  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]

  c - 312.731.3132
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
  Sent: Tuesday, September 12, 2006 9:29 PM
  To: activedir@mail.activedir.org
  Subject: [ActiveDir] dsget error
  
  Any time I try to run a large query using dsquery and dsget 
  where I pipe it to a text file for output, I eventually get a “dsget 
  failed:The server is not operational.” error from dsget. I’ve searched the 
  Internet for this and seen posts from a couple of other people who have had 
  this issue, with no resolution.
  
  Am I doing something wrong? Am I stupid? (yes, I probably 
  am) Am I missing some limitation of stdout?
  
  Here's the command I was using:

  "dsquery user -name * -limit 0 | dsget -display -samid -pwdneverexpires"
  
  Thnx,
  JC
  
  


  
ITS ENTERPRISE SERVICES EMAIL NOTICE
The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
  


[ActiveDir] Handling different schemas - managing & maintaining updates

2006-09-13 Thread Paul Williams



I can't get too specific about the 
requirements, so please don't ask ;-)

I'm looking for your ideas, opinions and 
experience on how you maintain different sets of schemas for different forests 
that you manage (for the same customer).

Basically, consider this: you have an 
internal domain (single domain forest) and another (or several) single domain 
forest(s) in a DMZ. They might have Exchange and one or two other 
directory-enabled apps that extend the schema, and you have your own 
standard/default schema. 

Do you see any security implications in 
having the same schema in the DMZ-type networks as that of the internal 
domain? And if not, how do you manage updates and 
testing, etc?

I might have several single domain 
forests. Internal ones, and several of these DMZ based domains. 
It's not really a DMZ, but is a different network and is considered external to 
the internal domain(s). This is for a number of interoperability apps, and 
no we can't use ADAM or equivalent. We're using plenty of 
ADAM.

The main thing I'm interested in here is, as 
mentioned above, if you were happy to have a consistent schema, how do you 
maintain that? Would you use a script to compare and export differences, 
etc.?

Or, would you recommend against having a 
standard schema? I can't see why anyone would recommend against this 
unless there's a major security concern I've overlooked as it will greatly 
complicate future extensions, but I'm interested nonetheless.

Please assume a large enterprise 
environment that follows ITIL and has a proper test environment, e.g. ADAM -> 
VM -> Dev -> Pre-prod -> live.

Thanks,


--Paul



Re: [ActiveDir] Handling different schemas - managing & maintaining updates

2006-09-13 Thread Paul Williams



You know ITIL. It's all guidelines 
and advice, etc. It's not hands on processes for you (or if it is, I slept 
through all that).

We obviously have a structured process for 
testing additions. My question is more around technically implementing 
such a process, with minimal intervention, around a whole bunch of schemas, i.e. 
would you look at implementing some sort of comparison and export, e.g. schema 
analyser from ADAM R2 or a bespoke script that achieves the same 
thing?

Good to see you are thinking along the 
same lines as me with the default base, but are you suggesting different streams 
of schema if and when changes occur in different forests? I don't like 
that (at the moment, I might be persuaded otherwise). It will also cause 
considerable, additional effort in testing new extensions for more than one 
schema, as there'll be different objects in each.


--Paul

  - Original Message -
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Wednesday, September 13, 2006 2:37 PM
  Subject: RE: [ActiveDir] Handling different schemas - managing & maintaining updates
  
  Without wishing to appear facetious :) - I would 
  suggest if the company follows ITIL practices then they already have a change 
  mgmt and config mgmt process and/or system which helps achieve your 
  goal.

  As far as best practices are concerned, I would aim for a 'core' schema config 
  which is present in all instances of ADAM or AD schemas but manage differences 
  via the ITIL framework (mentioned above).
  
  neil
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
  Sent: 13 September 2006 10:39
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Handling different schemas - managing & maintaining updates
  
  I can't get too specific about the 
  requirements, so please don't ask ;-)
  
  I'm looking for your ideas, opinions and 
  experience on how you maintain different sets of schemas for different forests 
  that you manage (for the same customer).
  
  Basically, consider this: you have an 
  internal domain (single domain forest) and another (or several) single domain 
  forest(s) in a DMZ. They might have Exchange and one or two other 
  directory-enabled apps that extend the schema, and you have your own 
  standard/default schema. 
  
  Do you see any security implications in 
  having the same schema in the DMZ-type networks as that of the internal 
  domain? And if not, how do you manage updates and 
  testing, etc?
  
  I might have several single domain 
  forests. Internal ones, and several of these DMZ based domains. 
  It's not really a DMZ, but is a different network and is considered external 
  to the internal domain(s). This is for a number of interoperability 
  apps, and no we can't use ADAM or equivalent. We're using plenty of 
  ADAM.
  
  The main thing I'm interested in here is, as 
  mentioned above, if you were happy to have a consistent schema, how do you 
  maintain that? Would you use a script to compare and export differences, 
  etc.?
  
  Or, would you recommend against having a 
  standard schema? I can't see why anyone would recommend against this 
  unless there's a major security concern I've overlooked as it will greatly 
  complicate future extensions, but I'm interested nonetheless.
  
  Please assume a large enterprise 
  environment that follows ITIL and has a proper test environment, e.g. ADAM 
  -> VM -> Dev -> Pre-prod -> live.
  
  Thanks,
  
  
  --Paul
  
  PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, 
  
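Paul's question above is whether one would "use a script to compare and export differences" between the schemas of several forests. As an added example that is not code from the list or from any poster, the following Python parses two constructed LDIF-style schema exports (the shape ldifde produces, trimmed to the attributes the comparison needs) and reports drift: objects present in one forest only, the same ldapDisplayName registered under different OIDs, and mayContain differences on a class. The sample object names are made up and the OIDs sit in the 2.999 arc, which is reserved for examples.

```python
# LDIF attributes that may carry several values in one entry
MULTI_VALUED = {"objectClass", "mayContain", "mustContain", "systemMayContain"}

# Constructed sample exports (not real schema data). OIDs use the 2.999 arc,
# which is reserved for examples; "corp" is the internal forest, "dmz" the other.
BASE_SCHEMA = """\
dn: CN=corp-Region,CN=Schema,CN=Configuration,DC=corp,DC=example
objectClass: attributeSchema
ldapDisplayName: corp-Region
attributeID: 2.999.1.1

dn: CN=corp-CostCentre,CN=Schema,CN=Configuration,DC=corp,DC=example
objectClass: attributeSchema
ldapDisplayName: corp-CostCentre
attributeID: 2.999.1.2

dn: CN=corp-Person,CN=Schema,CN=Configuration,DC=corp,DC=example
objectClass: classSchema
ldapDisplayName: corp-Person
governsID: 2.999.2.1
mayContain: corp-Region
mayContain: corp-CostCentre
"""

DMZ_SCHEMA = """\
dn: CN=corp-Region,CN=Schema,CN=Configuration,DC=dmz,DC=example
objectClass: attributeSchema
ldapDisplayName: corp-Region
attributeID: 2.999.1.1

dn: CN=corp-CostCentre,CN=Schema,CN=Configuration,DC=dmz,DC=example
objectClass: attributeSchema
ldapDisplayName: corp-CostCentre
attributeID: 2.999.1.9

dn: CN=dmz-ProxyAddress,CN=Schema,
 CN=Configuration,DC=dmz,DC=example
objectClass: attributeSchema
ldapDisplayName: dmz-ProxyAddress
attributeID: 2.999.1.3

dn: CN=corp-Person,CN=Schema,CN=Configuration,DC=dmz,DC=example
objectClass: classSchema
ldapDisplayName: corp-Person
governsID: 2.999.2.1
mayContain: corp-Region
"""


def parse_schema_ldif(text):
    """Parse an LDIF-style schema export into {ldapDisplayName: attributes}.
    Folded lines (leading space) are joined; multi-valued attributes become sets."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = {}, {}
    for line in unfolded + [""]:          # the trailing "" flushes the last entry
        if not line.strip():
            if "ldapDisplayName" in current:
                entries[current["ldapDisplayName"]] = current
            current = {}
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in MULTI_VALUED:
            current.setdefault(key, set()).add(value)
        else:
            current[key] = value
    return entries


def oid_of(entry):
    """attributeID for attributeSchema objects, governsID for classSchema."""
    return entry.get("attributeID") or entry.get("governsID")


def compare_schemas(base, other):
    """Drift between the baseline schema and another forest's schema: objects
    present on one side only, the same ldapDisplayName under different OIDs
    (a real conflict when you later try to converge), and mayContain gaps."""
    report = {"only_in_base": [], "only_in_other": [],
              "oid_mismatch": [], "may_contain_diff": []}
    for name in sorted(set(base) | set(other)):
        if name not in other:
            report["only_in_base"].append(name)
        elif name not in base:
            report["only_in_other"].append(name)
        else:
            b, o = base[name], other[name]
            if oid_of(b) != oid_of(o):
                report["oid_mismatch"].append((name, oid_of(b), oid_of(o)))
            gap = b.get("mayContain", set()) ^ o.get("mayContain", set())
            if gap:
                report["may_contain_diff"].append((name, sorted(gap)))
    return report
```

Running `compare_schemas(parse_schema_ldif(BASE_SCHEMA), parse_schema_ldif(DMZ_SCHEMA))` on the samples reports dmz-ProxyAddress as DMZ-only, corp-CostCentre as an OID mismatch and corp-CostCentre missing from corp-Person's mayContain in the DMZ forest.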

Re: [ActiveDir] Strange password issue

2006-09-11 Thread Paul Williams



Have you actually seen this 
behaviour? As it was my understanding that this particular policy is 
processed by SCE outside of normal policy application (by the PDCe - I can't 
remember how often, 60 minutes comes to mind but I don't know why). I've 
tried to document this here:
-- http://www.msresource.net/content/view/36/46/


--Paul

  - Original Message -
  From: Passo, Larry
  To: ActiveDir@mail.activedir.org
  Sent: Sunday, September 10, 2006 3:19 AM
  Subject: RE: [ActiveDir] Strange password issue
  
  If the Domain Controllers OU is set to block GPO inheritance, and the domain GPO 
  that sets the password policy isn't set for No Override, then the domain 
  policies might not get set properly.
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 08, 2006 1:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue
err, actually the password policy is stored in the 
machine portion of the GPO and thus applies to all machines and therefore 
all local user objects too.

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: 06 September 2006 17:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Impossible/irrelevant. If it's a domain account, the policy 
applies regardless, because the account is stored in AD. If it's a local 
account, then the policy doesn't apply regardless; domain account policies 
don't apply to local accounts. Is this a local account or a domain 
account?

Laura

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Wednesday, September 06, 2006 11:44 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Strange password issue
  
  If you mean before the policy was set up, then, no.
  This policy has been in effect for a couple of years and 
  the account was created a month ago..

  Maybe the PC is not getting the Default Domain Policy?
  
  
  On 9/6/06, Williams, Robert [EMAIL PROTECTED] 
  wrote: 
  



Tom,

This is just a stab in the dark but is it possible that this user's password was set 
prior to the Default Domain Policy being in effect? 

Robert Williams




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue



I'm having this weird issue where I have a user account who is able to 
log in with a blank password.

The Default Domain Policy is set to a min password length of 6 
characters.

The userAccountControl on the user is set to 512.

The Domain is at win2k3 DFL and FFL.

Is there any other way besides a migration tool like Quest that could 
circumvent this policy and allow blank passwords?

Thanks
2006-09-06, 11:32:05
The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer. 

Re: [ActiveDir] Strange password issue

2006-09-11 Thread Paul Williams



The only way that I'm aware of where you 
can have different lengths (without your own filters, etc.) is if you deny the 
domain controllers from reading the necessary attributes on the NC head. 
By doing this, and then having multiple policies, I believe you can achieve what 
you are talking about. I've not tested this - I'm basing this on a 
conversation I had with someone who has tested this (Mr. Wells) -although we had 
had a lot to drink at the time, and I might have got things muddled up (very 
possible).

Under those circumstances, I assume the 
values defined in the GPO work. It seems to be that the DCs favour the 
values on the NC head. The values on the NC head are written by the PDCe 
-that reads the domain policies and applies the values to the 
domain.

I haven't got round to getting my source 
access sorted yet, so can't verify. Hopefully someone with access to the 
code can chip in here.

I'm not disputing what you're saying re. 
blocking. That will probably stop the PDCe applying this. However, I 
don't think the other DCs process this in the same way. Unless there's a 
fall back, and you're achieving that via specific filtering, e.g. DC computer 
objects or custom groups, i.e. some DCs getting one, and others getting 
another...

Interesting. I'll have to try and 
repro (which is going to take some time with the current work 
load).


--Paul

  - Original Message -
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Monday, September 11, 2006 3:02 PM
  Subject: Re: [ActiveDir] Strange password issue
  
  
  My understanding was that the Password Policies 
  are applied similarly to any other Group Policy. I do recall doing some 
  testing some time ago where by using various security filtering on Group 
  Policies I was able to set up two DC's with two different effective 
  policies and so two different values for Password length.
  
  The thing to remember is that 
  domain password changes etc are processed by a domain controller. You 
  therefore need to check whether the Password policy is being applied to all of 
  the domain controllers. As Larry said, if there is blocking on the OU for 
  Domain Controllers and the Default Domain Policy does not have "No Override" 
  then the DC will not get the policy. Similarly, it is possible that security 
  filtering has been applied to the Default Domain Policy that stops it from 
  getting applied etc. However these things would be "permanent" so you would 
  still have a DC with the Policy not applied.
  
  However, my guess is that something was wrong a 
  month ago on a Domain Controller which processed the Password reset. It 
  is possible that it is still a problem (i.e. if blocking was the culprit), but 
  it is more likely to have cleared up. Is it possible that there was a DC added 
  briefly at the time that was not processing Policies for some 
  reason?
  
  Is it feasible to check all of the event logs on 
  all DC's at the time the password was created? It may show Group Policy 
  Processing errors at the time.
  
  Alan Cuthbertson
  Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml
  ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml
  Policy Log Reporter (Free): http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml

  - Original Message -
  From: Paul Williams
  To: ActiveDir@mail.activedir.org
  Sent: Monday, September 11, 2006 7:06 PM
  Subject: Re: [ActiveDir] Strange password issue

Have you actually seen this 
behaviour? As it was my understanding that this particular policy is 
processed by SCE outside of normal policy application (by the PDCe - I can't 
remember how often, 60 minutes comes to mind but I don't know why). 
I've tried to document this here:
-- http://www.msresource.net/content/view/36/46/


--Paul

  - Original Message -
  From: Passo, Larry
  To: ActiveDir@mail.activedir.org
  Sent: Sunday, September 10, 2006 3:19 AM
  Subject: RE: [ActiveDir] Strange password issue
  
  If the Domain Controllers OU is set to block GPO inheritance, and 
  the domain GPO that sets the password policy isn't set for No Override, 
  then the domain policies might not get set properly.
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 08, 2006 1:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue
err, actually the password policy is stored in the 
machine portion of the GPO and thus applies to all machines and 
therefore all local user objects too.

neil


From: [EMAIL PROTECTED] 
[mai

Re: [ActiveDir] Strange password issue

2006-09-08 Thread Paul Williams
Impossible/irrelevant. If it's a domain account, the policy applies 
regardless, because the account is stored in AD. If it's a local account, 
then the policy doesn't apply regardless; domain account policies don't 
apply to local accounts. Is this a local account or a domain account?


Any password policy, regardless as to where it is linked in the domain, will 
apply to any and all computer accounts within scope.


The domain password policy applies to all computer objects in the domain 
(within scope, i.e. not filtered).


The only thing that is special about the domain password policy (a GPO with 
account policy configured and linked to the domainDNS object) is that the 
PDCe applies the values set therein to the necessary attributes re. pwd 
policy on the domain NC head -which is why you have to link your GPO with 
the settings you want to the domain and can't link it to the DC's OU- which 
is where the DCs read that info. from.



--Paul



From: Laura A. Robinson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 06, 2006 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue


Impossible/irrelevant. If it's a domain account, the policy
applies regardless, because the account is stored in AD. If it's a local
account, then the policy doesn't apply regardless; domain account
policies don't apply to local accounts. Is this a local account or a
domain account?

Laura




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue


If you mean before the policy was set up, then, no.
This policy has been in effect for a couple of years and
the account was created a month ago..

Maybe the PC is not getting the Default Domain Policy?




On 9/6/06, Williams, Robert
[EMAIL PROTECTED] wrote:

Tom,



This is just a stab in the dark but is it
possible that this user's password was set prior to the Default Domain
Policy being in effect?

Robert Williams



From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue



I'm having this weird  issue where I have a user
account who is able to log in with a blank password.

The Default Domain Policy is set to a min
password length of 6 characters.

The userAccountControl on the user is set to
512.



The Domain is at win2k3 DFL and FFL.



Is there any other way besides a migration tool
like Quest that could circumvent this policy and allow blank passwords?



Thanks

2006-09-06, 11:32:05
The information contained in this e-mail message
and any attachments may be privileged and confidential. If the reader of
this message is not the intended recipient or an agent responsible for
delivering it to the intended recipient, you are hereby notified that
any review, dissemination, distribution or copying of this communication
is strictly prohibited. If you have received this communication in
error, please notify the sender immediately by replying to this e-mail
and delete the message and any attachments from your computer.




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Strange password issue

2006-09-08 Thread Paul Williams
But it's possible that someone changed this policy, created the account, and 
changed it back.


I've done this myself (several times for service accounts to avoid [HP] 
protect tool's obfuscation process).


It might not even have been intentional.  One admin could have messed with 
the policy and several minutes later (that's all its going to take if you're 
in the same site as the PDCe) another admin created the user.



--Paul


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue


If you mean before the policy was set up, then, no.
This policy has been in effect for a couple of years and
the account was created a month ago..

Maybe the PC is not getting the Default Domain Policy?




On 9/6/06, Williams, Robert
[EMAIL PROTECTED] wrote:

Tom,



This is just a stab in the dark but is it
possible that this user's password was set prior to the Default Domain
Policy being in effect?

Robert Williams



From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue



I'm having this weird  issue where I have a user
account who is able to log in with a blank password.

The Default Domain Policy is set to a min
password length of 6 characters.

The userAccountControl on the user is set to
512.



The Domain is at win2k3 DFL and FFL.



Is there any other way besides a migration tool
like Quest that could circumvent this policy and allow blank passwords?



Thanks



Re: [ActiveDir] Strange password issue

2006-09-07 Thread Paul Williams



But you cannot set UAC to 512 if the 
password is blank, as it doesn't comply with the password policy. Try 
it. The other half of my post shows the error. I also tried it 
through the GUI (ADSIEDIT gives errors that are easier on the eyes, although 
less specific) and it said it wasn't compliant with the security policy, so it 
is checking the password when you do this.

p.s. your query, while illustrating the 
point, isn't really appropriate. The following is how you should be 
looking for people with this bit set.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))


Remember, unless you've made it so, 
objectClass isn't indexed and although UAC is, this also applies to non-people 
objects, e.g. computers.


--Paul

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  
  To: ActiveDir@mail.activedir.org 
  
  Sent: Thursday, September 07, 2006 11:35 
  AM
  Subject: RE: [ActiveDir] Strange password 
  issue
  
  UAC bitmask is 32. A normal user then gets UAC = 544. 
  
  Try doing an LDAP query for 
  (&(objectClass=user)(userAccountControl=544)) 
  You could then modify the attribute to 512 on these 
  users either with adsiedit or in a nice tool such as 
  ADModify.net.
  
  Note: if the option password not required is set. 
  Then you can either have a blank password or comply with the password policy 
  in defdom GPO.
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
  Sent: 6 September 2006 21:35
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Strange password issue
  
  
  Pressed send 
  before I finished typing! : (
  
  Following on from 
  the last mail…
  
  You can, however, 
  modify the policy so that you can have shorter passwords, create the user, and 
  then change the password policy back. Perhaps someone did 
  this?
  
  If you test this, 
  when you set the policy to zero it says no password required (in the 
  Window).
  
  
  --Paul
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
  Sent: 06 September 2006 19:28
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Strange password issue
  
  From what I recall, if the password 
  is not required, then there's no need to check the minimum length. Since 
  it would be overridden at the user object level, that does not affect the 
  domain. I don't recall the UAC bitmask, and I'm not going to figure it 
  out at the moment. I'll take your word that the password not required is 
  true for this user. If you remove that setting (i.e. require the user 
  to have a password) then that password would, by policy, have to be at least 6 
  chars in length. 
  
  On 9/6/06, Tom Kern [EMAIL PROTECTED] 
  wrote:
  
  
  This is a domain 
  account.
  
  
  
  To rehash-
  
  
  
  The Default Domain Policy is set to min password length- 6 characters.
  
  This was created 2 years ago and never changed.
  
  User account is a domain account created a month ago.
  
  It was brought to my attention that the user can log in with no password.
  
  I confirmed.
  
  The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP).
  
  The domain/forest is at w2k3 FL.
  
  
  
  Thanks
  
  
  
  
  On 9/6/06, Laura A. Robinson [EMAIL PROTECTED]  wrote: 
  
  
  
  
  Impossible/irrelevant. If 
  it's a domain account, the policy applies regardless, because the account is 
  stored in AD. If it's a local account, then the policy doesn't apply 
  regardless; domain account policies don't apply to local accounts. Is this a 
  local account or a domain account? 
  
  
  
  Laura
  





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue
  
  
  If you mean before the policy was set up, then, 
  no.
  
  This policy has been in effect for a couple of years and the account was created a month ago..
  
  
  
  Maybe the PC is not getting the Default Domain 
  Policy?
  
  
  
  
  
  On 9/6/06, Williams, Robert [EMAIL PROTECTED]  
  wrote: 
  
  
  
  Tom,
  
  This is just a stab 
  in the dark but is it possible that this user's password was set prior to the 
  Default Domain Policy being in effect? 
  
  Robert 
  Williams
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Wednesday, September 06, 2006 9:39 AM
  To: activedirectory
  Subject: [ActiveDir] Strange password issue
  
  
  
  I'm having this weird issue where I have a user 
  account who is able to log in with a blank 
  password.
  
  The Default Domain Policy is set to a min password 
  length of 6 characters.
  
  The userAccountControl on the user is set to 
  512.
  
  
  
  The 

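The two queries in the exchange above behave differently, and the difference is the point Paul makes: an equality test on userAccountControl=544 only finds accounts with exactly NORMAL_ACCOUNT and PASSWD_NOTREQD set, whereas the bitwise-AND matching rule finds every account with the 32 bit set regardless of its other bits, and (objectCategory=person) is what keeps computer objects out. This is an added example, not code from the thread or from any poster; the flag values are the real AD userAccountControl bits, the objects in SAMPLE are constructed, and the filter string is written with the leading & conjunction.

```python
# Added example, not from the thread or any poster: evaluates the two
# userAccountControl (UAC) filters discussed above against a constructed,
# in-memory set of objects. Flag values are the real AD UAC bits; every
# object in SAMPLE is invented for illustration.

ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020             # 32, the bit the thread is about
NORMAL_ACCOUNT = 0x0200             # 512
WORKSTATION_TRUST_ACCOUNT = 0x1000  # 4096, computer accounts
DONT_EXPIRE_PASSWORD = 0x10000      # 65536

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}

# OID of LDAP_MATCHING_RULE_BIT_AND, the rule used in Paul's filter.
BIT_AND_OID = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Names of the flags set in a UAC value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def bit_and_filter(mask):
    """The filter Paul recommends: people only, bitwise AND on UAC."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{BIT_AND_OID}:={mask}))")


def make_object(cn, category, uac):
    # Computer objects inherit objectClass=user but carry
    # objectCategory=computer, which is why (objectClass=user) alone
    # also returns them.
    classes = ["top", "person", "organizationalPerson", "user"]
    if category == "computer":
        classes.append("computer")
    return {"cn": cn, "objectCategory": category,
            "objectClass": classes, "uac": uac}


# Constructed sample directory (not real data).
SAMPLE = [
    make_object("alice", "person", NORMAL_ACCOUNT),                       # 512
    make_object("bob", "person", NORMAL_ACCOUNT | PASSWD_NOTREQD),        # 544
    make_object("svc01", "person",
                NORMAL_ACCOUNT | PASSWD_NOTREQD | DONT_EXPIRE_PASSWORD),  # 66080
    make_object("carol", "person", NORMAL_ACCOUNT | ACCOUNTDISABLE),      # 514
    make_object("ws01$", "computer",
                WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD),              # 4128
]


def match_equality(objs, value):
    """(&(objectClass=user)(userAccountControl=<value>)): exact value only,
    so an account that also has other bits set is missed."""
    return [o["cn"] for o in objs
            if "user" in o["objectClass"] and o["uac"] == value]


def match_bit_and(objs, mask, people_only=True):
    """userAccountControl:<BIT_AND_OID>:=<mask> matches when every bit of
    the mask is set, whatever else is set. people_only adds the
    (objectCategory=person) clause that keeps computer objects out."""
    return [o["cn"] for o in objs
            if "user" in o["objectClass"]
            and (not people_only or o["objectCategory"] == "person")
            and (o["uac"] & mask) == mask]


if __name__ == "__main__":
    print("544 =", decode_uac(544))
    print("equality 544      :", match_equality(SAMPLE, 544))
    print("bit-and, people   :", match_bit_and(SAMPLE, PASSWD_NOTREQD))
    print("bit-and, all users:",
          match_bit_and(SAMPLE, PASSWD_NOTREQD, people_only=False))
    print(bit_and_filter(PASSWD_NOTREQD))
```

Against a live directory the same filter string goes into any LDAP client; the point to carry over is that an audit for PASSWD_NOTREQD must use the bitwise rule, since a disabled or non-expiring account with the bit set never equals 544.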
Re: [ActiveDir] Strange password issue

2006-09-07 Thread Paul Williams



Does it have a hash though? There's 
no password. It's null.

I don't know the answer to that. It 
could, I suppose, pad it out but...who knows?


--Paul

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  
  To: ActiveDir@mail.activedir.org 
  
  Cc: ActiveDir@mail.activedir.org ; 
  [EMAIL PROTECTED] 
  
  Sent: Thursday, September 07, 2006 3:10 
  PM
  Subject: Re: [ActiveDir] Strange password 
  issue
  
  This brings up a very good point, HOW is it checking the password length? As we pointed out earlier once the hash is created there should not be a way to easily check the password length.
  
  Andrew Fidel 
  
  


  "Paul Williams" [EMAIL PROTECTED] 
  Sent by: [EMAIL PROTECTED]
  09/07/2006 07:35 AM
  Please respond to ActiveDir@mail.activedir.org
  To: ActiveDir@mail.activedir.org
  cc:
  Subject: Re: [ActiveDir] Strange password issue
  
  But you cannot set UAC to 512 if the password is blank, as it doesn't comply with the password policy. Try it. The other half of my post shows the error. I also tried it through the GUI (ADSIEDIT gives errors that are easier on the eyes, although less specific) and it said it wasn't compliant with the security policy, so it is checking the password when you do this.
  
  p.s. your query, while illustrating the point, isn't really appropriate. The following is how you should be looking for people with this bit set.
  
  (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))
  
  Remember, unless you've made it so, objectClass isn't indexed and although UAC is, this also applies to non-people objects, e.g. computers.
  
  --Paul
  
  - Original Message -
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, September 07, 2006 11:35 AM
  Subject: RE: [ActiveDir] Strange password issue
  
  UAC bitmask is 32. A normal user then gets UAC = 544.
  
  Try doing an LDAP query for (&(objectClass=user)(userAccountControl=544))
  
  You could then modify the attribute to 512 on these users either with adsiedit or in a nice tool such as ADModify.net.
  
  Note: if the option password not required is set. Then you can either have a blank password or comply with the password policy in defdom GPO.
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
  Sent: 6 September 2006 21:35
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Strange password issue
  
  Pressed send before I finished typing! : (
  
  Following on from the last mail…
  
  You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this?
  
  If you test this, when you set the policy to zero it says no password required (in the Window).
  
  --Paul
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
  Sent: 06 September 2006 19:28
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Strange password issue
  
  From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain. I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user. If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.
  
  On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:
  
  This is a domain account.
  
  To rehash-
  
  The Default Domain Policy is set to min password length- 6 characters.
  
  This was created 2 years ago and never changed.
  
  User account is a domain account created a month ago.
  
  It was brought to my attention that the user can log in with no password.
  
  I confirmed.
  
  The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP).
  
  The domain/forest is at w2k3 FL.
  
  Thanks
  
  On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:
  
  Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?
  
  Laura
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Wednesday, September 06, 2006 11:44 AM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDi

Re: [ActiveDir] Strange password issue

2006-09-07 Thread Paul Williams



Yeah, I think I saw your post last 
night. Mail was taking 70 minutes to come through last night.

It's not really academic or obsolete, as 
this proves that it couldn't have been 544 and set back to 512. Which 
means that it is more than likely the password, or lack of, was set when the 
policy wasn't in place.


--Paul

  - Original Message - 
  From: 
  Laura A. Robinson 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Thursday, September 07, 2006 4:56 
  PM
  Subject: RE: [ActiveDir] Strange password 
  issue
  
  Since the OP has said that the accounts' UAC flags are 512, not 544, 
  the entire discussion around this is moot.
  
  BTW, 
  did anybody notice if my post about the 512/544 value hit the list yesterday? 
  I don't remember seeing it and am wondering if I actually sent it. 
  :-)
  
  Thanks,
  
  Laura
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: Thursday, September 07, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

But you cannot set UAC to 512 if the 
password is blank, as it doesn't comply with the password policy. Try 
it. The other half of my post shows the error. I also tried it 
through the GUI (ADSIEDIT gives errors that are easier on the eyes, although 
less specific) and it said it wasn't compliant with the security policy, so 
it is checking the password when you do this.

p.s. your query, while illustrating 
the point, isn't really appropriate. The following is how you should 
be looking for people with this bit set.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))


Remember, unless you've made it so, 
objectClass isn't indexed and although UAC is, this also applies to 
non-people objects, e.g. computers.


--Paul

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  
  To: ActiveDir@mail.activedir.org 
  
  Sent: Thursday, September 07, 2006 
  11:35 AM
  Subject: RE: [ActiveDir] Strange 
  password issue
  
  UAC bitmask is 32. A normal user then gets UAC = 
  544. 
  Try doing an LDAP query for 
  (&(objectClass=user)(userAccountControl=544)) 
  You could then modify the attribute to 512 on 
  these users either with adsiedit or in a nice tool such as 
  ADModify.net.
  
  Note: if the option password not required is set. 
  Then you can either have a blank password or comply with the password 
  policy in defdom GPO.
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
  Sent: 6 September 2006 21:35
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Strange password issue
  
  
  Pressed send 
  before I finished typing! : (
  
  Following on 
  from the last mail…
  
  You can, 
  however, modify the policy so that you can have shorter passwords, create 
  the user, and then change the password policy back. Perhaps someone 
  did this?
  
  If you test 
  this, when you set the policy to zero it says no password required (in the 
  Window).
  
  
  --Paul
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
  Sent: 06 September 2006 19:28
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Strange password issue
  
  From what 
  I recall, if the password is not required, then there's no need to check 
  the minimum length. Since it would be overridden at the user object 
  level, that does not affect the domain. I don't recall the UAC 
  bitmask, and I'm not going to figure it out at the moment. I'll take 
  your word that the password not required is true for this user. If 
  you remove that setting (i.e. require the user to have a password) then 
  that password would, by policy, have to be at least 6 chars in length. 
  
  
  On 9/6/06, Tom Kern [EMAIL PROTECTED] 
  wrote:
  
  
  This is a domain 
  account.
  
  
  
  To rehash-
  
  
  
  The Default Domain Policy is set to min password length- 6 characters.
  
  This was created 2 years ago and never changed.
  
  User account is a domain account created a month ago.
  
  It was brought to my attention that the user can log in with no password.
  
  I confirmed.
  
  The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP).
  
  The domain/forest is at w2k3 FL.
  
  
  
  Thanks
  
  
  
  
  On 

Re: [ActiveDir] AD object (User accounts) Permissions disappearing

2006-09-07 Thread Paul Williams



If the permissions are being reset it is 
the result of DSPROP. Google adminSDHolder or look at this:
-- http://www.msresource.net/content/view/38/46/


The reason this is happening is because 
these users are members (directly or indirectly) of groups considered protected, 
e.g. administrators, backup operators, etc.


--Paul

  - Original Message - 
  From: 
  Danny 

  To: ActiveDir@mail.activedir.org 
  
  Sent: Thursday, September 07, 2006 4:48 
  PM
  Subject: [ActiveDir] AD object (User accounts) Permissions disappearing
  
  Environment: Windows Server 2003 R2 and 2000 mixed AD forest with Exchange Server 2003 SP2 and one BES (Blackberry Enterprise Server) server.
  
  Scenario: Existing AD account with full Exchange mailbox and provisioned BES user. Out of the blue the user is unable to send from their BlackBerry. Permissions are checked in ADUC, and the required SendAs permission granted to the BES account has disappeared. This has happened to new and existing users. I do not know where to start. I am reviewing a dcdiag /e /v to see if there are any potentially related problems.
  
  Thanks,
  ...D
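Paul's diagnosis turns on membership being direct or indirect: a user three groups deep under Backup Operators is just as protected as a direct member, and SDProp will keep stripping the SendAs ACE. The following added example (not code from the thread or from any poster) resolves nested membership over a constructed directory and reports, for each affected user, the chain that makes it protected; the protected group names are the well-known Windows Server 2003 set, every member is invented.

```python
# Added example, not from the thread: resolves nested group membership over a
# constructed directory to list the users whose ACLs SDProp will overwrite
# from adminSDHolder, with the membership chain that protects each one.
# Group names are the well-known protected groups of Windows Server 2003;
# every member below is invented.
from collections import deque

PROTECTED_GROUPS = {
    "Administrators", "Account Operators", "Server Operators",
    "Backup Operators", "Print Operators", "Replicator",
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Domain Controllers",
}

# Constructed directory: group -> direct members (users or nested groups).
SAMPLE_GROUPS = {
    "Backup Operators": ["BES Service Accounts"],
    "BES Service Accounts": ["besadmin", "Helpdesk Tier2"],
    "Helpdesk Tier2": ["dave", "BES Service Accounts"],  # circular nesting
    "Domain Admins": ["alice"],
    "Exchange Users": ["bob", "carol", "dave"],          # not protected
}


def protected_paths(groups, protected=PROTECTED_GROUPS):
    """Map each user reachable from a protected group to the first membership
    chain found, e.g. ['Backup Operators', 'BES Service Accounts', 'besadmin'].
    A user reached only through unprotected groups is absent from the map."""
    paths = {}
    for root in sorted(protected):
        queue = deque([[root]])
        while queue:
            path = queue.popleft()
            for member in groups.get(path[-1], []):
                if member in path:      # circular nesting: already on this path
                    continue
                if member in groups:    # nested group: keep descending
                    queue.append(path + [member])
                else:                   # a user (leaf)
                    paths.setdefault(member, path + [member])
    return paths


def is_protected(user, groups, protected=PROTECTED_GROUPS):
    """True when SDProp will reset this user's ACL on its next pass."""
    return user in protected_paths(groups, protected)


if __name__ == "__main__":
    for user, chain in sorted(protected_paths(SAMPLE_GROUPS).items()):
        print(f"{user}: protected via {' -> '.join(chain)}")
```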


RE: [ActiveDir] Strange password issue

2006-09-06 Thread Paul Williams








PWD_NOT_REQ is 32.

You can create an account with this set and bypass the need to set a password (ADSI does this automatically if you don't set a password when you create an enabled user without a password), but you can't set it back to 512 (normal) when it's blank, like Al says:

C:\>admod -b cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com objectclass::user samaccountname::test-user useraccountcontrol::544 -unsafe -add

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Adding specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...

The command completed successfully

C:\>admod -b cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com useraccountcontrol::512 -unsafe

AdMod V01.06.00cpp Joe Richards ([EMAIL PROTECTED]) June 2005

DN Count: 1
Using server: connoa-dc-01.connoa.concorp.contoso.com
Modifying specified objects...
   DN: cn=testuser,dc=connoa,dc=concorp,dc=contoso,dc=com...: [connoa-dc-01.connoa.concorp.contoso.com] Error 0x35 (53) - Unwilling To Perform

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain.

I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user.

If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:

This is a domain account.

To rehash-

The Default Domain Policy is set to min password length- 6 characters.

This was created 2 years ago and never changed.

User account is a domain account created a month ago.

It was brought to my attention that the user can log in with no password.

I confirmed.

The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP).

The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no.

This policy has been in effect for a couple of years and the account was created a month ago..

Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:

Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password.

The Default Domain Policy is set to a min password length of 6 characters.

The userAccountControl on the user is set to 512.

The Domain is at win2k3 DFL and FFL.

Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks

RE: [ActiveDir] Strange password issue

2006-09-06 Thread Paul Williams








Pressed send before I finished typing! : (

Following on from the last mail…

You can, however, modify the policy so that you can have shorter passwords, create the user, and then change the password policy back. Perhaps someone did this?

If you test this, when you set the policy to zero it says no password required (in the Window).

--Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

From what I recall, if the password is not required, then there's no need to check the minimum length. Since it would be overridden at the user object level, that does not affect the domain.

I don't recall the UAC bitmask, and I'm not going to figure it out at the moment. I'll take your word that the password not required is true for this user.

If you remove that setting (i.e. require the user to have a password) then that password would, by policy, have to be at least 6 chars in length.

On 9/6/06, Tom Kern [EMAIL PROTECTED] wrote:

This is a domain account.

To rehash-

The Default Domain Policy is set to min password length- 6 characters.

This was created 2 years ago and never changed.

User account is a domain account created a month ago.

It was brought to my attention that the user can log in with no password.

I confirmed.

The userAccountControl attribute of the user object was set to 512 (not that I'm certain if setting the passwd_notreqd overrides the DDP).

The domain/forest is at w2k3 FL.

Thanks

On 9/6/06, Laura A. Robinson [EMAIL PROTECTED] wrote:

Impossible/irrelevant. If it's a domain account, the policy applies regardless, because the account is stored in AD. If it's a local account, then the policy doesn't apply regardless; domain account policies don't apply to local accounts. Is this a local account or a domain account?

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue

If you mean before the policy was set up, then, no.

This policy has been in effect for a couple of years and the account was created a month ago..

Maybe the PC is not getting the Default Domain Policy?

On 9/6/06, Williams, Robert [EMAIL PROTECTED] wrote:

Tom,

This is just a stab in the dark but is it possible that this user's password was set prior to the Default Domain Policy being in effect?

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, September 06, 2006 9:39 AM
To: activedirectory
Subject: [ActiveDir] Strange password issue

I'm having this weird issue where I have a user account who is able to log in with a blank password.

The Default Domain Policy is set to a min password length of 6 characters.

The userAccountControl on the user is set to 512.

The Domain is at win2k3 DFL and FFL.

Is there any other way besides a migration tool like Quest that could circumvent this policy and allow blank passwords?

Thanks

Re: [ActiveDir] Rid Master recovery

2006-09-05 Thread Paul Williams



Use NTDSUTIL to seize the role(s) - 
kb255504. Follow the steps in kb216498 to clean AD (metadata and FRS 
objects) and DNS.


--Paul

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  
  To: ActiveDir@mail.activedir.org 
  
  Sent: Tuesday, September 05, 2006 1:02 
  PM
  Subject: [ActiveDir] Rid Master recovery 
  
  Guys, another question. One of my RID masters crashed before transferring the FSMO role to another DC on the network. Is there any possibility of making another domain the RID master (the backup failed so I cannot restore the failed RID master DC now)? Thanks in advance
  


  "Almeida Pinto, Jorge 
de" [EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED]
09/04/2006 11:18 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Rid Master

also see: RID Master FSMO explained http://blogs.dirteam.com/blogs/jorge/archive/2006/05/25/1040.aspx

cheers,
jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, September 04, 2006 18:11
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Rid Master

Guys, explain to me the functions of the RID master, and how do I display the RID of an object created in AD?

Thanks in advance



  "joe" 
[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/04/2006 08:36 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: OT - RE: [ActiveDir] W. in hell

  While I wouldn't want this to become a humour list, I saw the email and laughed and figured the same thing Laura figured, that Outlook autofill bit the guy (which is funny all by itself because we have all seen it happen if not had it happen to ourselves) and then I moved on. I find all of the additional attention even more humorous including the value judgements of the quality of the joke and analysis of words. I classify the message as OT with the droves of other messages that come through the list that are OT[1] and being sent here because of a tenuous relationship of being about technologies that utilize AD[2] though the question itself has nothing to do with AD or simply folks forgoing it all and just saying WTF, I'll give it a shot and ask you guys because you seem helpful. If you get a whole day of many of those coming through it is a bit annoying. More annoying, at least to me, are questions that are ON TOPIC but someone didn't take time to look at the archives or google and asking like it was the first time it was asked versus maybe revisiting the previous discussion in new light. However, unless the list goes moderated which no one wants or at least a vast majority of the someone's don't want, the list is just the way it is and will be and you read the messages if you want and blow by them otherwise.
  
  Overall I would hate to lose the jocularity and casualness of the list. It is one of the things that make it worth reading. :) There have been quite a few times subjects have drifted off topic only to expose something in the monkeying around or what not based on something not everyone understood or knew that we wouldn't have otherwise found out that immediately snaps it all back on topic and of great use.
  
  joe
  
  [1] Though this was funnier than most OT stuff. There is my value judgment on the quality. :)
  
  [2] Versus actually being AD Technology. Examples of tech that utilize AD include but are not limited to GPOs, DNS, Exchange, print queues, clustering, file server manipulations (copying files, home drives, management, etc), etc. Not saying questions about all of those are automatically OT, but we tend to get quite a few questions in those areas that aren't about AD or the interaction with AD but about the non-AD aspects of the tech. Examples being a question about how to do something in a GPO
  versus say OU strategies for applying GPOs or the permissions on the GPO 
  objects and how AD interprets them. Or a general question about DNS like what 
  is returned in a query or how it is managed versus what records need to be in 
  DNS for AD to work or how its app NC replicates. -- O'Reilly Active 
  Directory 

Re: [ActiveDir] Completely OT: Maroons

2006-09-04 Thread Paul Williams

Posh!  I prefer browns myself.  Well, actually, reds...


--Paul

- Original Message - 
From: Mark Parris [EMAIL PROTECTED]

To: ActiveDir.org ActiveDir@mail.activedir.org
Sent: Monday, September 04, 2006 4:30 PM
Subject: Re: [ActiveDir] Completely OT: Maroons



The only notes I use are £20's

Perhaps we are Maroons as we live on an Island - like Robinson Crusoe???

Anyway time to have a break - feeling a deep shade of purple now.

M

-Original Message-
From: Craig Cerino [EMAIL PROTECTED]
Date: Mon, 4 Sep 2006 10:47:23
To:ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Completely OT: Maroons

Are they using NOTES - - I find that happens in list environments a lot
when the sender is using NOTES

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Monday, September 04, 2006 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Completely OT: Maroons

Has anybody figured out what's causing the blank posts, or is it just me
who
got blank replies from Mark and Neil?

Thanks,

Laura


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Monday, September 04, 2006 4:15 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] Completely OT: Maroons




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



Re: [ActiveDir] Rid Master

2006-09-04 Thread Paul Williams



Google RID FSMO for the functions of the RID master. Many people, including myself [1], have documented this. This info. is easily findable on the big wild web.

As for how to view the RID of a user object, there are several ways. An easy way is to download ADFIND (www.joeware.net) and type the following:

 adfind -default -f samaccountname=username -nodn objectsid

e.g.

 adfind -default -f samaccountname=paulw -nodn objectsid

The value that is returned is the SID. The RID is the last section (usually four, five or six digits long).


--Paul

[1] http://www.msresource.net/content/view/13/46/

  - Original Message - 
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Monday, September 04, 2006 5:11 PM
  Subject: [ActiveDir] Rid Master

  Guys, explain to me the functions of the RID master, and how do I display the RID of an object created in AD? Thanks in advance.

  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
  Sent: Monday, September 04, 2006 10:46 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: OT - RE: [ActiveDir] W. in hell

  I have a hell of a sense of humor (as I'm sure a lot of geeks here do); this just isn't the place for it when people come here for help. /just sayin

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
  Sent: Sunday, September 03, 2006 10:58 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: OT - RE: [ActiveDir] W. in hell

  Nah. It looks more like the sender mistook this list for some other lists. On other lists, this would 
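As an added example (not from the thread and not ADFIND's code), here is how the RID is carved out of a SID, both from the "S-1-5-21-..." string that ADFIND prints and from the raw binary objectSid layout, with a short table of well-known RIDs so a defender can recognise a renamed built-in Administrator account by its RID rather than its name. The sample SIDs are constructed.

```python
"""Decode a Windows SID and extract its RID (added example, constructed data)."""
import struct

# Well-known RIDs from the SID specification. Renaming the built-in
# Administrator account does not change its RID, so the RID is the
# reliable way to identify it during an audit.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


def parse_sid_string(sid):
    """Split 'S-1-5-21-a-b-c-1105' into (revision, authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    return revision, authority, subauths


def sid_from_bytes(blob):
    """Decode the binary objectSid layout into an 'S-1-...' string.

    Layout: 1 byte revision, 1 byte sub-authority count, 6 bytes identifier
    authority (big-endian), then count x 4-byte little-endian sub-authorities.
    """
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subauths = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subauths)


def rid_of(sid):
    """Return the RID (the last sub-authority) of a SID given as string or bytes."""
    if isinstance(sid, (bytes, bytearray)):
        sid = sid_from_bytes(bytes(sid))
    _, _, subauths = parse_sid_string(sid)
    if not subauths:
        raise ValueError("SID has no sub-authorities, so no RID")
    return subauths[-1]


def describe_rid(rid):
    """Label well-known RIDs; RIDs from 1000 upwards come from a DC's RID pool."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "allocated from a RID pool" if rid >= 1000 else "unknown"


# Constructed sample: domain SID S-1-5-21-1-2-3 with the user RID 1105.
SAMPLE_SID_STRING = "S-1-5-21-1-2-3-1105"
SAMPLE_SID_BYTES = (bytes([1, 5]) + (5).to_bytes(6, "big")
                    + struct.pack("<5I", 21, 1, 2, 3, 1105))

if __name__ == "__main__":
    print(rid_of(SAMPLE_SID_STRING))          # 1105
    print(sid_from_bytes(SAMPLE_SID_BYTES))   # S-1-5-21-1-2-3-1105
    print(describe_rid(500))                  # Administrator (built-in)
```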
  

Re: [ActiveDir] nslookup. AD beginer question

2006-08-29 Thread Paul Williams



If you do NSLOOKUP DOMAIN-NAME.COM then you will get a list of all the DNS servers for that domain. For example, if you are using AD-Integrated DNS, you will get a list of any DCs that are also DNS servers. Basically, that command returns the (Same as parent) records for the domain.

If you want to pull all DCs in the domain, you need to run something like this:

 nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com

If you run the above command and get computer accounts back, see kb825675 as referenced by Steve. I wasn't aware that that bug also registered A records for the domain name, but it might...

If you're new to NSLOOKUP, consider what information you want. There's a bunch of different types of DNS record that might be of interest (A, CNAME, PTR, SRV, MX). When troubleshooting AD, the main ones to look for are A and SRV (there's also an instance where you need to check the CNAME record too). Remember that simply pinging a DC doesn't mean that the necessary SRV records are in place. I personally always advise people to use a combination of NSLOOKUP and NLTEST to troubleshoot DNS and the locator process. Use NSLOOKUP to see if the records that you expect are there, and NLTEST to make the DsGetDC and DsGetSite calls.


--Paul

  - Original Message - 
  From: Ramon Linan
  To: ActiveDir@mail.activedir.org
  Sent: Monday, August 28, 2006 7:14 PM
  Subject: [ActiveDir] nslookup. AD beginer question

  Hi Everyone,

  When I do an nslookup domain.com, domain.com being my AD domain, what should I see? A list of the DNS servers in my domain? A list of the DCs?

  The fact is that I am doing nslookup and I am getting domain controllers but also a user's computer.

  Thanks


Re: [ActiveDir] nslookup. AD beginer question

2006-08-29 Thread Paul Williams



Probably because it's a secondary server. Check to see if that IP is hosting a secondary copy of the zone.


--Paul

  - Original Message - 
  From: Ramon Linan
  To: ActiveDir@mail.activedir.org
  Sent: Monday, August 28, 2006 10:04 PM
  Subject: RE: [ActiveDir] nslookup. AD beginer question

  What I actually did was nslookup domain.com. I just found out that one of the computers is a Linux server that is managing a child domain child.domain.com; that is the reason it is showing up there.

  Anyway, I am also getting an IP address for a Windows server machine that is not a DC, don't know why...

  Rezuma

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
  Sent: Monday, August 28, 2006 4:25 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] nslookup. AD beginer question

  You mean, you did the following:

  nslookup [Enter]
  set q=a [Enter]
  domain.com [Enter]

  and the IP you got is for a user's desktop?

  If so, one reason could be because someone created an A record in DNS for domain.com and mapped it to the desktop's IP. Maybe because the desktop is running a web service and hosting the domain.com web site.

  Is this what you meant? If so, you will need to go and delete the record. You will then need to tell your users that they will not be able to get to the domain.com website any longer because that is your AD domain name. You could create another A record named (for example) WWW under the domain.com zone and give it the desktop's IP and tell your users that they should now use http://www.domain.com/ to get to that website instead of domain.com.

  This is a fairly common misconfiguration. And it's a big problem for your clients and DCs.
  
  
  
  
  
  Sincerely,
  Microsoft MVP - Directory Services
  www.akomolafe.com - we know IT
  -5.75, -3.23
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
  
  
  
  
  
  From: Ramon Linan
  Sent: Mon 8/28/2006 1:03 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] nslookup. AD beginer question

  Thanks, but after reading all that I still was not able to find out what kind of information you get when you do a lookup of domain.com, domain.com being your AD domain, and why I am getting a user's computer.
  
  Thanks
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
  Sent: Monday, August 28, 2006 2:21 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] nslookup. AD beginer question
  
  
  
  http://www.cni.org/pub/inetroom/nslookup.html
  
  
  
  http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup.mspx?mfr=true
  
  
  
  http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup__subcommands.mspx?mfr=true
  
  
  
  
  
  
  
  
  
  


Re: [ActiveDir] Site down for 36 hours so far - anything proactive to do?

2006-08-29 Thread Paul Williams



Not much that you can do other than filter out the replication errors from your monitoring solution, so that calls aren't needlessly raised.

A couple of days won't cause you any issues. Just ensure that everything is replicating and talking properly when things come back online.


--Paul

  - Original Message - 
  From: Danny
  To: ActiveDir@mail.activedir.org
  Sent: Tuesday, August 29, 2006 3:49 PM
  Subject: [ActiveDir] Site down for 36 hours so far - anything proactive to do?

  One of our sites has been without power for over 36 hours now. Is there anything that I should do in AD if the site could potentially be down for another day or more? DCs are mixed between 2000 SP4, 2003 SP1, and 2003 R2.

  Thanks,
  ...D

  --
  CPDE - Certified Petroleum Distribution Engineer
  CCBC - Certified Canadian Beer Consumer



Re: [ActiveDir] nslookup. AD beginer question

2006-08-29 Thread Paul Williams



If you don't have a host record (A) for the hostname "sami", then you should delete the SRV record [1]. If that isn't a DC, look at the KB mentioned by Steve and me. I've seen a bunch of XP workstations registering in DNS in the past.


--Paul

[1] Assuming of course that you don't have a DDNS issue, i.e. you don't have a record in DNS but you do have a server with that name.

  - Original Message - 
  From: Ramon Linan
  To: ActiveDir@mail.activedir.org
  Sent: Tuesday, August 29, 2006 4:06 PM
  Subject: RE: [ActiveDir] nslookup. AD beginer question

  I did the nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com and I got

  _ldap._tcp.dc._msdcs.domain.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = sami.domain.com

  I can't find that machine anywhere, not in the AD or DNS server!!!

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
  Sent: Tuesday, August 29, 2006 10:15 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] nslookup. AD beginer question

  I think the key to this question is a very simple troubleshooting step. Go into DNS and look at the (same as parent folder) records. Delete the ones that aren't currently DNS servers. If you are using AD integrated DNS, then this should be any domain controllers that you want clients to get DNS from. Give it a day or two and see if the bad ones come back. If they don't then you can assume this was an obsolete entry. If they do then you can start looking for why.
  
  
  
  
  
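Added example, not from the thread: a small checker that parses the Windows nslookup SRV output pasted above and flags any host advertised under _ldap._tcp.dc._msdcs that is not on a list of known DCs, or that has no address record in the same answer, which is the "sami" situation Paul describes. The nslookup output and the DC list are constructed.

```python
"""Flag DC locator SRV records that do not belong (added example, constructed data).

Parses the output of  nslookup -type=srv _ldap._tcp.dc._msdcs.<domain>  in the
Windows nslookup layout and reports hosts that are unknown or have no A record.
"""
import re

# Constructed sample output: one legitimate DC and one host nobody recognises.
SAMPLE_NSLOOKUP_OUTPUT = """\
Server:  dc1.domain.com
Address:  10.0.0.1

_ldap._tcp.dc._msdcs.domain.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.domain.com
_ldap._tcp.dc._msdcs.domain.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = sami.domain.com
dc1.domain.com  internet address = 10.0.0.1
"""

KNOWN_DCS = {"dc1.domain.com", "dc2.domain.com"}  # constructed inventory

FIELD_RE = re.compile(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)\s*$")
ADDR_RE = re.compile(r"^(\S+)\s+internet address\s*=\s*(\S+)\s*$")


def parse_srv_output(text):
    """Return (records, addresses): SRV records as dicts, A records as host -> [ip]."""
    records, addresses, current = [], {}, None
    for line in text.splitlines():
        if line.rstrip().endswith("SRV service location:"):
            current = {"name": line.split()[0]}   # a new SRV record starts here
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2)
            if key == "svr hostname":
                current[key] = value.rstrip(".").lower()
            else:
                current[key] = int(value)
            continue
        m = ADDR_RE.match(line)
        if m:  # additional-section A record for an advertised host
            addresses.setdefault(m.group(1).rstrip(".").lower(), []).append(m.group(2))
    return records, addresses


def find_suspect_dcs(text, known_dcs):
    """Map each advertised DC host that looks wrong to the reasons it was flagged."""
    records, addresses = parse_srv_output(text)
    known = {h.lower() for h in known_dcs}
    suspects = {}
    for rec in records:
        host = rec.get("svr hostname")
        if host is None:
            continue
        reasons = []
        if host not in known:
            reasons.append("not in known DC list")
        if host not in addresses:
            reasons.append("no address record returned")
        if reasons:
            suspects[host] = reasons
    return suspects


if __name__ == "__main__":
    for host, reasons in find_suspect_dcs(SAMPLE_NSLOOKUP_OUTPUT, KNOWN_DCS).items():
        print(host, "->", "; ".join(reasons))
```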


Re: [ActiveDir] nslookup. AD beginer question

2006-08-29 Thread Paul Williams



There's a rather large error in my previous message:

  ...get a list of all the DNS servers for that domain. For example, if you are using AD-Integrated DNS, you will get a list of any DCs that are also DNS servers. Basically, that command returns the (Same as parent) records for the domain.

That should read:

  ...get a list of all DCs for that domain. Basically, that command returns the (Same as parent) records for the domain, which are host (A) records for the domain [name].

Apologies all. I don't know what I was thinking about when composing that mail. I'll be sure to drink my first coffee of the day _before_ replying in the future! 


--Paul

(No I didn't spot the error; I was notified offline ;-)



Re: [ActiveDir] Problem in AD

2006-08-24 Thread Paul Williams
Then your problem is likely a DNS issue.  Ensure that all clients are 
pointing to at least two DCs.  Ensure that your DCs are pointing to at least 
two as well, as they're also DNS clients.



--Paul

- Original Message - 
From: Pankaj Verma [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, August 24, 2006 7:06 AM
Subject: Re: [ActiveDir] Problem in AD



Before installing DC01 & DC02, DC03 was the global catalog server. Now DC01 & DC02 are global catalog servers.

On 8/23/06, Almeida Pinto, Jorge de
[EMAIL PROTECTED] wrote:




if it is single domain and not all DCs are a GC, make ALL DCs a GC

besides that also make sure a DNS server can be contacted

a bit more details please



Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services


LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address

 
 From: [EMAIL PROTECTED] on behalf of
Pankaj Verma
Sent: Wed 2006-08-23 19:07

To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem in AD




Hi All


I have 3 domain controllers. I transferred all the FSMO roles from DC03
to DC02; after that I shut down DC03 and restarted DC02 and DC01, but after
that I was not able to communicate with Active Directory. Then I switched
on DC03 and after that everything is working fine. If somebody can tell
me what could be the problem... and after that, in Event Viewer I am
getting an error:

 Event ID = 1030 & 1058, source = Userenv



--
Rgds
Pankaj verma






This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be 
copied,

disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.



--
Rgds
Pankaj verma


Re: [ActiveDir] [OT] Longhorn Beta

2006-08-18 Thread Paul Williams
Apologies.  I thought it had gone well and truly public back when it went 
out to MSDN, etc.



--Paul

- Original Message - 
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, August 17, 2006 9:10 PM
Subject: RE: [ActiveDir] [OT] Longhorn Beta


true when invited you can activate it on the connect site and play 
around with it


Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 2006-08-17 20:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Longhorn Beta


I believe Longhorn/Vista is an invite only Connect program.


--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm






From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN

Sent: Thursday, August 17, 2006 1:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Longhorn Beta



That was definitely the first place I checked, and unless I'm blind (which 
I've been accused of many times by the way), I don't believe it's an 
available option on the connect website to test.




I'll probably end up just using my MSDN copy in our test environment to 
create a Longhorn DC.






From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams

Sent: Thursday, August 17, 2006 10:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Longhorn Beta



http://connect.microsoft.com/





--Paul

- Original Message - 


From: WATSON, BEN mailto:[EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org

Sent: Thursday, August 17, 2006 4:35 PM

Subject: [ActiveDir] [OT] Longhorn Beta



Outside of my MSDN account is there a preferred way to obtain Longhorn 
Beta's for testing?




~Ben





Re: [ActiveDir] LDAP Logon Name

2006-08-17 Thread Paul Williams

Not quite.  You need to escape the comma like so:

(&(objectCategory=person)(objectClass=user)(displayName=phelps\, k*))


--Paul

- Original Message - 
From: Matheesha Weerasinghe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Monday, August 14, 2006 8:46 PM
Subject: Re: [ActiveDir] LDAP Logon Name



All I did was fix your query. It seemed like you were trying to do a
search for users who have phelps,k as the start of their
displayName.

I assume the printer wants a DN to do lookups. Any AD user should be
able to bind. But I don't know what it does with the bind credentials.
I've never configured a printer that needed to be given credentials to
an LDAP directory. Does it look at who submitted the job and do a
query for the person's email address and send them an email that it's
done? I don't know.

You need to tell us how the LDAP credentials are going to be used by
the printer. Otherwise it may appear that we are not helpful. Which, I
well may be not ;-)

Sorry

M@



On 8/14/06, Alex Alborzfard [EMAIL PROTECTED] wrote:






Logon ID? Most likely the DN, but I need an account that can do the bind.

Per HP documentation after running the search, I am supposed to find the
search prefix, which should begin after the individual user's CN.

This is the example right from documentation:

 Dn: [EMAIL PROTECTED],OU=US,OU=Users,OU=Account,DC=americas,DC=cpqcorp,DC=net

I tried M@'s query, it worked... well kind of... it didn't generate an error,
but got 0 entries on Matched DNs.

I also tried your tree view suggestion, but that didn't give me anything
I could use for this printer.

I don't see anything even close to it. I'm beginning to HATE LDAP and HP
both!!!

Alex






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, August 14, 2006 1:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Logon Name

Agreed. But does your printer search for the logon ID? I doubt it. Most
LDAP authentication (I HATE that term) will use the DN of the user:
cn=user,cn=users,dc=domain,dc=com would be default.

From there it should be able to look up the mail address in the directory.

You should specify the service account it will use to bind to the
directory and the password and it should be fine from there. To see that
information, use ldp, and rather than search, use the tree view and
navigate to it. (Note: when the tree asks you for a DN value, leave it
blank and press OK.)

Al












On 8/14/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:



Your LDAP filter doesn't look correct.






M@





On 8/14/06, Alex Alborzfard [EMAIL PROTECTED] wrote:

According to product documentation, I have to configure embedded LDAP
authentication. Apparently this printer has an Embedded Web Server
(EWS).
However, when I follow the documentation, using the ldp tool, it fails when
trying to query LDAP. The message I get is this:

 ***Searching...
 ldap_search_s(ld, DC=pharmanet,DC=com, 2, (&(objectclass=person)displayname=phelps,k*)), NULL, 0, &msg)
 Error: Search: Filter Error. <87>
 Server error:
 Error <94>: ldap_parse_result failed: No result present in message
 Getting 0 entries:

I connect to ldp as a member of Domain Admins and Schema Admins, with the
same result.

Any ideas?

Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Wednesday, August 09, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Logon Name

Alex Alborzfard wrote:
  We have a HP printer/scanner that we want to set up for emailing scanned
  documents.

  Management wants to ensure only domain users with email addresses can do
  this.

  There is an option for setting up LDAP gateway, where you can set user
  name & password up.

  It's asking for LDAP logonname. I have tried my user name and account
  name, but it didn't work.

  I looked it up in ADSIedit, but I couldn't find it.

I think that the simplest way would be to refer to product documentation, but
I would try to use the DN, or CN (in CN=... format), of this user.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] LDAP Logon Name

2006-08-17 Thread Paul Williams

You need to escape the comma, as a comma is a delimiter and in the case of
displayName it shouldn't be a delimiter:

(&(objectCategory=person)(objectClass=user)(displayName=phelps\, k*))


I've not read the whole thread, so can't discuss whether or not this is the
best way to do what you want. I will say I feel for you re. the HP
documentation. I had some fun getting the AD iLO integration stuff to work
because the guide wasn't very helpful at explaining what format and syntax
things wanted. I found the help on the administration pages better, and
simply tried a number of things that I thought should work.


--Paul

- Original Message -
From: Alex Alborzfard
To: ActiveDir@mail.activedir.org
Sent: Monday, August 14, 2006 8:22 PM
Subject: RE: [ActiveDir] LDAP Logon Name

Good catch, but the corrected query still didn't work!
  
  
  Alex
  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Cace
Sent: Monday, August 14, 2006 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Logon Name

In the error below, the LDAP filter is
"(&(objectclass=person)displayname=phelps,k*))". You missed the opening
parenthesis before displayname.
  
  -Andrew
  
  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Monday, August 14, 2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Logon Name

That was exactly the same as HP documentation. I'll try your filter and will
post the result.
  
  Thanks
  
  
  Alex
  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 1:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP Logon Name

I assume you need a filter such as
"(&(objectcategory=person)(objectclass=user)(displayname=phelps,k*))"

I optimised the user object search and put an opening bracket when
specifying the displayname.
  
  
  
  M@
  

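An added example, not from the thread or from HP's documentation: a PowerShell helper that builds the displayName filter discussed above and checks it before it goes anywhere near ldp. RFC 4515 gives a comma no special meaning inside a filter value (it is only a delimiter in a DN), so the escaper covers the characters that are special there; the function names are my own.

```powershell
# Added example (not from the thread). Escapes a value for use in an LDAP
# search filter per RFC 4515 and checks that a filter's parentheses balance,
# which is the defect in the filter pasted from the HP documentation.

function ConvertTo-LdapFilterValue {
    # Only \ * ( ) and NUL are special in a filter assertion value; a comma is
    # not, so "phelps,k" needs no escaping at all. Backslash is handled first
    # so the escapes this produces are not escaped a second time.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace '\x00', '\00'
}

function Test-LdapFilterBalanced {
    # $true when every "(" is closed, nothing closes early, and the whole
    # filter is one outer pair. ldp reports a violation as "Filter Error. 87"
    # (LDAP_FILTER_ERROR, 0x57).
    param([Parameter(Mandatory)][string]$Filter)
    if (-not $Filter) { return $false }
    $depth = 0
    for ($i = 0; $i -lt $Filter.Length; $i++) {
        if ($Filter[$i] -eq '(') { $depth++ }
        elseif ($Filter[$i] -eq ')') { $depth-- }
        if ($depth -lt 0) { return $false }                              # closes before it opens
        if ($depth -eq 0 -and $i -lt $Filter.Length - 1) { return $false } # not a single outer pair
    }
    return ($depth -eq 0)
}

function New-UserDisplayNameFilter {
    # Prefix match on displayName, restricted to user objects as in
    # Matheesha's version above. The trailing * is the intended wildcard, so
    # only the literal prefix goes through the escaper.
    param([Parameter(Mandatory)][string]$DisplayNamePrefix)
    $escaped = ConvertTo-LdapFilterValue -Value $DisplayNamePrefix
    "(&(objectCategory=person)(objectClass=user)(displayName=$escaped*))"
}

# The filter from the HP documentation: "(" is missing before displayname,
# so the parentheses do not balance.
$fromDocs = '(&(objectclass=person)displayname=phelps,k*))'
Test-LdapFilterBalanced -Filter $fromDocs    # False

# Built from the prefix instead; a prefix containing "(" or "*" is escaped.
$good = New-UserDisplayNameFilter -DisplayNamePrefix 'phelps,k'
$good                                        # (&(objectCategory=person)(objectClass=user)(displayName=phelps,k*))
Test-LdapFilterBalanced -Filter $good        # True
New-UserDisplayNameFilter -DisplayNamePrefix 'Smith (Sales)'
# (&(objectCategory=person)(objectClass=user)(displayName=Smith \28Sales\29*))
```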

Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

2006-08-17 Thread Paul Williams
I'm not in a position to test whether this is a forest-wide or domain-wide 
principal.


However, when you can't find something you think should be there, you should 
search the GC.  I've seen numerous people have issues with a user or group 
not existing only to find it's in a parent domain.


Use ADFIND or LDP to search the GC.

Also, what are the actual permissions you are seeing and where?


--Paul

- Original Message - 
From: Han Valk [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, August 17, 2006 10:24 AM
Subject: RE: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders


First forgive my ignorance, I didn't know that the group should only exist in
the forest root domain. But how is it possible that CHILDDOMAIN\Incoming
Forest Trust Builders has permissions on the child domain in ADUC when there
shouldn't be a CHILDDOMAIN\Incoming Forest Trust Builders?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Matheesha Weerasinghe
Sent: Monday, August 14, 2006 19:37
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest
Trust Builders

Its only in the forest domain IIRC ;-)

M@


On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

No??? Child domain.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 Matheesha Weerasinghe
 Sent: Monday, August 14, 2006 17:38
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

 By the way you are looking for this on the forest root right?

 M@


 On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

   Yep logged in as Domain Admin.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Matheesha Weerasinghe
Sent: Monday, August 14, 2006 13:00
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I am wondering if there are ACLs defined on the group itself or the OU above
to prevent you from seeing it. Do you see it as the Administrator account of
the domain?
   
M@
   
   
On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

Problem is I don't see it anymore in the BUILTIN container. Strange thing is
that if I look at the security of the domain object in ADUC Incoming Forest
Trust Builders is there.
   
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Matheesha Weerasinghe
Sent: Monday, August 14, 2006 10:22
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recreate BUILTIN\Incoming Forest Trust Builders

I don't think so. objectsid attribute is a systemonly attribute. Personally
I am impressed of that smart co-worker that managed to delete it. According
to the AD Delegation appendices
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en
it's not possible to move, delete or rename this group.

Maybe he exploited the dynamic objects feature in Windows 2003 RTM?
  
   

http://blogs.dirteam.com/blogs/tomek/archive/2006/06/23/1175.aspx
  
  
   M@
  
  
  
On 8/14/06, Han Valk [EMAIL PROTECTED] wrote:

Hi,

A smart co-worker deleted the BUILTIN\Incoming Forest Trust Builders group.
Is it possible to recreate this group with the same well known SID?
Authoritative restore is out of the question, deletion is too long ago.

Han Valk.

Re: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Paul Williams
Valid point.  But you should [try and] restore from the backup that ran the 
night before and that you verified successfully completed before you applied 
the patch...   ;-)


If you have a documented process that goes through the proper change control,
then there shouldn't be any reason to do this.  The patches should be tested
in dev and pre-prod and then applied, only if there's a rollback option, and
that should be something like uninstall patch; restore from last night's
successful backup if unable to boot and uninstall.



--Paul

- Original Message - 
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, August 17, 2006 4:02 PM
Subject: RE: [ActiveDir] FMSO roles split, patch question.


the reason is that if a DC dies during the patching you do not have to seize
the roles. IMHO, I prefer transferring over seizing


Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of John Strongosky
Sent: Thu 2006-08-17 16:55
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.


I'm confused, is this a standard practice as I thought you did not want to
move the FMSO roles back and forth.


john



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de

Sent: Thursday, August 17, 2006 4:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.


in addition to that
DC1 having FSMOset1 and DC2 having FSMOset2
transfer FSMOset1 from DC1 to DC2
apply patches to DC1 and reboot and check everything (event logs DCdiag, 
etc)

if everything OK!
transfer FSMOset1 and FSMOset2 from DC2 to DC1
apply patches to DC2 and reboot and check everything (event logs DCdiag, 
etc)

if everything OK!
transfer FSMOset2 from DC1 to DC2
voila (that's french)...done! ;-)

jorge





From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe

Sent: Wednesday, August 09, 2006 01:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FMSO roles split, patch question.


It doesn't matter.



Sincerely,
  _
 (, /  |  /)   /) /)
   /---| (/_  __   ___// _   //  _
) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
  (/
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about 
Yesterday? -anon




From: John Strongosky
Sent: Tue 8/8/2006 4:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FMSO roles split, patch question.


We have our FMSO roles split between 2 dc's. They are Schema Master/Domain
Tree Operator on 1 and on 2, the roles PDC Emulator/Rid Pool/Infrastructure
on the other. After I apply the patches from Microsoft what is the best
practices for the boot order...or does it matter?


1. Remote DC/GC's first
2. no. 1
3. then no 2.


thanks






This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an 
intended recipient then please promptly delete this e-mail and any 
attachment and all copies and inform the sender. Thank you.




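An added example, not from the thread: Jorge's rotation above written with the ActiveDirectory module, where every move is a transfer (never a seize) and the roles are read back before the emptied DC is patched. It assumes two DCs named DC1 and DC2 holding FSMOset1 and FSMOset2 as in the thread, and a caller in Domain Admins and Schema Admins; the function names are my own.

```powershell
# Added example (not from the thread). Transfer-only FSMO rotation around
# patching, with a read-back check after each move.

Import-Module ActiveDirectory

$FsmoSet1 = @('SchemaMaster', 'DomainNamingMaster')               # forest-wide roles
$FsmoSet2 = @('PDCEmulator', 'RIDMaster', 'InfrastructureMaster')   # domain-wide roles

function Get-FsmoHolders {
    # Role name -> FQDN of the DC that currently holds it.
    $f = Get-ADForest
    $d = Get-ADDomain
    @{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)][string]$To,        # DC name, short or FQDN
        [Parameter(Mandatory)][string[]]$Roles
    )
    # No -Force: a transfer needs the current holder online and replicating,
    # so a dead holder makes this fail instead of silently seizing.
    Move-ADDirectoryServerOperationMasterRole -Identity $To -OperationMasterRole $Roles -Confirm:$false
    $now = Get-FsmoHolders
    foreach ($r in $Roles) {
        if ($now[$r] -ne $To -and $now[$r] -notlike "$To.*") {
            throw "$r is still on $($now[$r]); do not patch until this is resolved."
        }
    }
    Write-Host ("{0} now on {1}" -f ($Roles -join ','), $To)
}

function Wait-ForPatchedDc {
    # Jorge's "apply patches, reboot and check everything" step stays manual:
    # the operator confirms dcdiag and the event logs are clean before going on.
    param([Parameter(Mandatory)][string]$Dc)
    Read-Host "Patch and reboot $Dc, run 'dcdiag /s:$Dc' and check the event logs, then press Enter"
    if (-not (Test-Connection -ComputerName $Dc -Count 1 -Quiet)) {
        throw "$Dc is not reachable; roles stay where they are."
    }
}

function Invoke-FsmoPatchRotation {
    param([string]$Dc1 = 'DC1', [string]$Dc2 = 'DC2')
    Move-FsmoRoles -To $Dc2 -Roles $FsmoSet1                 # DC1 now holds nothing
    Wait-ForPatchedDc -Dc $Dc1
    Move-FsmoRoles -To $Dc1 -Roles ($FsmoSet1 + $FsmoSet2)   # DC2 now holds nothing
    Wait-ForPatchedDc -Dc $Dc2
    Move-FsmoRoles -To $Dc2 -Roles $FsmoSet2                 # original split restored
    Get-FsmoHolders
}

# Invoke-FsmoPatchRotation -Dc1 'DC1' -Dc2 'DC2'
```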

Re: [ActiveDir] FMSO roles split, patch question.

2006-08-17 Thread Paul Williams
I have.  When bulk-patching NT 4 servers several died (OS was trashed, not 
the h/w) and had to be restored from the backup the night before.


There was that issue where the patch wrote ntoskrnl beyond the 7.8 GB
section of the disk, although that hit workstations more than servers as
they'd been built from images and had bigger disks than the NT 4 boot loader
could cope with <g>.



--Paul

- Original Message - 
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, August 17, 2006 4:47 PM
Subject: Re: [ActiveDir] FMSO roles split, patch question.


As a person who tests/patches a bunch of single DCs I've never seen a 
patch kill a server.


Driver update may and has, yes.
Impair functionality of the server, yes.

But kill it completely?  Microsoft tests patches ahead of time and they 
would find ahead of time if basic functionality of a DC would be nailed.


But if the server dies... it was probably on the emergency list prior to 
patching.  Rebooting the box first ensures that you find these 'hospital 
bound' servers.


Almeida Pinto, Jorge de wrote:
the reason is that if a DC dies during the patching you do not have to
seize the roles. IMHO, I prefer transferring over seizing

--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I 
will hunt you down...

http://blogs.technet.com/sbs



Re: [ActiveDir] [OT] Longhorn Beta

2006-08-17 Thread Paul Williams



http://connect.microsoft.com/


--Paul

- Original Message -
From: WATSON, BEN
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 17, 2006 4:35 PM
Subject: [ActiveDir] [OT] Longhorn Beta

Outside of my MSDN account is there a preferred way to obtain Longhorn Betas
for testing?
  
  ~Ben


Re: [ActiveDir] ADFind Query

2006-08-15 Thread Paul Williams

Yeah right!  Our customers still have hundreds of NT 4 boxes...

I saw some (three) production 3.51 boxes four months ago...


--Paul

- Original Message - 
From: joe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 15, 2006 2:34 AM
Subject: RE: [ActiveDir] ADFind Query


P.S. http://support.microsoft.com/lifecycle/?p1=7274   Mainstream support on
2K Server ended 6/30/2005... Get off of 2K servers folks


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 14, 2006 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind Query

Ah W2K. It is probably reporting the error incorrectly which is why you
don't see the problem on K3. The issue is you can't wildcard the OID, the
attribute does obviously exist.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, August 14, 2006 6:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADFind Query

I get the error Ben got with W2K. W2k3 doesn't give that error. The VM
I have here is W2k3 with SP3.

M@

On 8/14/06, joe [EMAIL PROTECTED] wrote:



You shouldn't be getting that error with that command... Even if the
attribute name was incorrect you wouldn't get that error, you would get 0
objects returned as the query processor doesn't output errors because of
incorrect attributes being specified.

However, that being said, this isn't going to work. You can't wildcard OIDs
(or more accurately 2.5.5.2/6 data types).

Hopefully you guys prefixed all of the classes and attributes you added with
a company prefix so you can search on that like so

adfind -schema -f name=joeware* ldapdisplayname -sl

or the shortcut

adfind -sc sl:joeware*




--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



 
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
WATSON, BEN
Sent: Monday, August 14, 2006 5:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADFind Query





Hey guys,



Simple question.  I'm trying to perform a search to locate all the schema
extensions that have been added in by our company.



I thought some simple syntax like this would work to find all schema
attributes with an attributeID prefixed with our OID.



adfind -schema -f attributeID=1.3.6.1.4.1.14376.*

ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such
Attribute



I'm obviously missing something, any thoughts?



Thanks,

~Ben



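An added example, not from the thread or from adfind: what Ben's command was trying to do, done with the ActiveDirectory module. Since attributeID and governsID are OID syntax (2.5.5.2) and cannot be wildcarded server-side, the schema is read once and the prefix is matched on the client; joe's name-prefix search is included for comparison. The OID is the one from the thread and the function names are my own.

```powershell
# Added example (not from the thread). Lists schema attributes and classes
# whose OID falls under a given arc, plus the server-side name-prefix search.

Import-Module ActiveDirectory

function Get-SchemaExtensionByOid {
    param([Parameter(Mandatory)][string]$OidPrefix)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    # Attributes carry their OID in attributeID, classes in governsID. The
    # trailing "." in the pattern stops 1.3.6.1.4.1.14376 matching 1.3.6.1.4.1.143761.
    $attrs = @(Get-ADObject -SearchBase $schemaNc -LDAPFilter '(objectClass=attributeSchema)' `
                            -Properties attributeID, lDAPDisplayName |
               Where-Object { $_.attributeID -like "$OidPrefix.*" } |
               ForEach-Object { [pscustomobject]@{ Kind = 'attribute'; Name = $_.lDAPDisplayName; Oid = $_.attributeID } })
    $classes = @(Get-ADObject -SearchBase $schemaNc -LDAPFilter '(objectClass=classSchema)' `
                              -Properties governsID, lDAPDisplayName |
                 Where-Object { $_.governsID -like "$OidPrefix.*" } |
                 ForEach-Object { [pscustomobject]@{ Kind = 'class'; Name = $_.lDAPDisplayName; Oid = $_.governsID } })
    # OIDs sort as strings here, which is good enough for a listing.
    $attrs + $classes | Sort-Object Oid
}

function Get-SchemaExtensionByName {
    # joe's alternative: works server-side when every extension got a name prefix.
    param([Parameter(Mandatory)][string]$NamePrefix)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNc -LDAPFilter "(name=$NamePrefix*)" -Properties lDAPDisplayName |
        Select-Object ObjectClass, lDAPDisplayName
}

Get-SchemaExtensionByOid -OidPrefix '1.3.6.1.4.1.14376' | Format-Table -AutoSize
```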

Re: [ActiveDir] Restoring RID

2006-08-14 Thread Paul Williams



Restore it as you would any other DC. The documentation that you refer to is
either out of date, or incorrect. The DS will invalidate the current RID pool
when you restore and request a new one from the RID master (itself) which
should be the same value as it was when it went down (if the backup is from
the night before or very recent, unless you've been doing lots of security
principal creations). If it isn't, the new value will be replicated in (the
value is held by all DCs - I don't think the RID master does anything
different when replicating) as far as I'm aware.

The issues with the RID master arise if you have multiple RID masters. Which,
with k3 shouldn't really be possible if network and replication are OK.

There were a bunch of changes made in SP1, SP2 and SP3 for the RID master and
the way a DC handles its current RID pool, etc. As far as I'm aware, all of
these issues are in the past and Win2k SP4/Wink3 don't have any problems.


--Paul

- Original Message -
From: Lucia Washaya
To: ActiveDir@mail.activedir.org
Sent: Monday, August 14, 2006 9:50 AM
Subject: Re: [ActiveDir] Restoring RID

How do I move the RID role when that server is already crashed? I want to
recover from the loss of the RID master, so I cannot move it since it is not
available. Or there is a way to do it?

Lucia Washaya
CITS UNIOSIL
Tel.: 022-295-526 xtn. 5497
Int'l Tel.: Via Italy + (39) 083123-5497
Via USA +1(212) 963-9588 (after audio response dial 174-5497)
==
The cobra will bite whether you call it Cobra or Dear Mr. Cobra.
==

"Matt Hargraves" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
14/08/2006 03:43
Please respond to ActiveDir@mail.activedir.org

To: ActiveDir@mail.activedir.org
cc:
Subject: Re: [ActiveDir] Restoring RID

I always recommend transferring FSMO roles from a box before upgrading it,
then moving it back after the upgrade is completed successfully. If you've
got enough DCs to justify splitting FSMO roles, you've got enough to move it
to another box for a week to upgrade the box.

On 8/13/06, Chong Ai Chung [EMAIL PROTECTED] wrote:

When the RID flexible single-master operations DC is restored, it may use
old RID pool values, and it can cause the restored RID flexible
single-master operations DC to begin issuing duplicate SIDs.

The best way is:
- to use another DC to seize the RID master role.
- Rebuild the OS on crashed DC and promote it back as Domain Controller
- transfer the RID master role back to the rebuilt DC.

Regards,

Ai Chung

On 8/14/06, Lucia Washaya [EMAIL PROTECTED] wrote:

Colleagues,

We have a server which crashed during upgrade (2000 to 2003). Now we want to
restore it. Problem is this server is the RID holder and the documentation on
the technet says

"Restoring the RID Master can result in Active Directory data corruption, so
it is not recommended."

So what is the best way to restore this server? Thank you in advance for your
assistance

Regards,
Lucia Washaya
CITS UNIOSIL
Tel.: 022-295-526 xtn. 5497
Int'l Tel.: Via Italy + (39) 083123-5497
Via USA +1(212) 963-9588 (after audio response dial 174-5497)
==
The cobra will bite whether you call it Cobra or Dear Mr. Cobra.
==


Re: [ActiveDir] fRSMemberReference - NTFRS

2006-08-14 Thread Paul Williams

Which object are you trying to modify the fRSMemberReference attribute on?

You need to modify that attribute on the nTFRSSubscriber object called 
CN=Domain System Volume (SYSVOL) which is located in the CN=NTFRS 
Subscriptions container underneath the computer object for the DC.


You do not need to modify this property on the nTFRSMember objects 
underneath the nTFRSReplicaSet object which resides under the CN=File 
Replication Service container under CN=System in the domain NC.


However, before modifying this attribute, check the name of the nTFRSMember 
object (the great grandchild of System) as it might still have the old name 
(which doesn't matter, it's only the cn).



--Paul

- Original Message - 
From: Devan Pala [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Sunday, August 13, 2006 2:48 AM
Subject: [ActiveDir] fRSMemberReference - NTFRS



Hi all,

I recently deployed a clean install of a Windows Server 2003 DC but since we
were in the process of taking a server image for other builds of other DC's
in the forest, I mistakenly left the netbios name of the server as our
server guys had left it! Anyway, I only realized this mistake after running
dcpromo and once I realized the mistake I quickly changed the domain
controller's name to what it should be.

Now I'm having issues with group policy processing etc. Everything else is
good; DNS, replication etc.
I ran the ntfrsdiag and one of the logs gives me the following: when I try
to change the fRSMemberReference name in ADSIEDIT I get a "the name
reference is invalid" error. I earlier had removed the unwanted computer
name.


Does anyone have any ideas on how and which attributes to modify?

Thanks in advance.

Checking for errors/warnings in ntfrsutl ds ...
ERROR: This server's Member Ref property for the SYSVOL volume does NOT 
seem to be correct !!!


To fix this, use ADSIEdit and edit the fRSMemberReference Property of 
the nTFRSSubscriber object named CN=Domain System Volume (SYSVOL share) 
located under this Server's Computer Object.


This value should match the FQDN of this Server. Current Values are:
Current Value   = (null)
Suggested Value = CN=DC1,CN=Domain System Volume (SYSVOL share),CN=File 
Replication Service,CN=System,DC=ad,,DC=com
 Please note there is a small chance the above Suggested Value may not 
be correct - See below for more info on what the Proper Value should be!
For more Info See KB Article : 312862 Recovering Missing FRS Objects and 
FRS Attributes in Active Directory - Search for the step about Updating 
the fRSMemberReference object (Step 8 on the Recovering from Deleted 
FRS Objects section

.. failed with 1 error(s)




Re: [ActiveDir][OT] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-08-14 Thread Paul Williams

Only just found this one...

Re. [1].  I'm sorry, but it just had to be said.  Who the hell asks that? 
Honestly, who?  big grin



--Paul

- Original Message - 
From: joe [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Saturday, July 22, 2006 12:54 AM
Subject: RE: [ActiveDir][OT] Always point a DC with DNS installed to itself 
as the preferred DNS server...always?



Paul with the combination of your TLAs and your harsh Welsh Accent I haven't
the foggiest clue what you said here yeah...

:)


Warm[1]






[1] That kills me, inside joke...



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Friday, July 14, 2006 6:33 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as
the preferred DNS server...always?

I can't see how you can get a duplicate NDNC as the creation of such objects
is targeted at the DN master. The DN master will check the existing
crossRefs and stop this happening, as we can't rely on the DS stopping it as
the RDN is different for each NDNC (unless they've used well-known GUIDs
for the DNS NCs?).

Although the behaviour you speak of is new to me, and another one of those
slight, interesting changes, so thanks for that.

Can you elaborate on this new behaviour?  What, exactly, happens and in what
order?


--Paul

- Original Message - 
From: Grillenmeier, Guido [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Thursday, July 13, 2006 6:52 PM
Subject: RE: [ActiveDir] Always point a DC with DNS installed to itself as
the preferred DNS server...always?



note that DNS startup behaviour changes with SP1, which is another
reason not to choose the DC itself as the preferred DNS server: with
SP1, AD will not allow the DNS service to read any records, until it has
successfully replicated with one of its replication partners.  This is
to avoid false or duplicate registration of records (or even duplicate
creation of the application partitions).

As such, with SP1 it's better to point your DCs to a replication partner
as a primary DNS and to self as a secondary.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Donnerstag, 13. Juli 2006 17:02
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself
as the preferred DNS server...always?

Hi Al

I did want to throw in a personal experience I had with W2K3 that validates
the "point your DNS server to a replication partner" theory.  I did see in
one environment where every DC had DNS and the msdcs partition was a forest
partition.  An unfortunate DNS scavenge was done deleting some of the GUID
records in the MSDCS partition.  Replication started to fail shortly after
that and the missing GUIDs were discovered.  The netlogon service was
restarted to make the DCs re-register but of course they re-registered the
GUID on themselves.  They could find themselves but not their replication
partners.  The replication partners could find them but not themselves.
When the DCs were set to point to a hub replication partner for primary and
themselves as secondary the problem went away - the netlogon service was
restarted, the GUIDs registered on the central DNS server, the spokes did
the lookup for replication partners on the hub site DC and eventually
things started working again.

This was pre - SP1 so this may not be a problem anymore, but after that
experience I have seen value in doing the DNS configuration so that the DCs
all point to the hub first and themselves second.  I have not seen any
problems for the DC itself when the WAN link dropped for a length of time
and the primary DNS server was not reachable.

Of course, if there are never any changes to DC IPs or names and the MSDCS
is never scavenged (or the interval is long enough not to recreate the
above problem) then the above argument is moot.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]




Al Mulnick [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/12/2006 09:58 PM AST
Please respond to ActiveDir

To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the
preferred DNS server...always?
You don't work at the post office do you? ;)


There are many many many ways to properly configure DNS.  One thing that
helps is to think of the terms client

Re: [ActiveDir] machine GP load

2006-08-10 Thread Paul Williams



I just whipped up this VBScript to get you started.  I don't have time to
provide a more detailed breakdown as that involves a little extra thought,
but this should point you in the right direction...

Save, for example, as c:\count.vbs and run, from CMD, like so:

  cscript c:\count.vbs > count.xls

Option Explicit
Dim oRootDse, oBase

Set oRootDse = GetObject("LDAP://RootDSE")
Set oBase = GetObject("LDAP://" & oRootDse.Get("defaultNamingContext"))
countObjects oBase.ADsPath

' ***
' countObjects(ADsPath)
'
' Recursive function to count the number of children in a
' container.  Returns the rollup (the container's immediate
' children plus everything below them) and echoes one line per
' container as "distinguishedName<TAB>rollup count".
' ***
Private Function countObjects(sParent)
  Dim oChild, cChildren, aSchema, sSchema, iTotal, iBelow
  iTotal = 0
  Set cChildren = GetObject(sParent)
  For Each oChild In cChildren
    aSchema = Split(oChild.Schema, "/")
    sSchema = aSchema(UBound(aSchema, 1))
    iBelow = countObjects(oChild.ADsPath)
    iTotal = iTotal + 1 + iBelow
    ' Only report containers; users, computers, groups and
    ' inetOrgPersons are counted but not listed
    If Not (sSchema = "inetOrgPerson" Or sSchema = "user" Or _
            sSchema = "computer" Or sSchema = "group") Then
      WScript.Echo oChild.Get("distinguishedName") & vbTab & iBelow
    End If
  Next
  countObjects = iTotal
End Function

--Paul

  - Original Message -
  From: Jerry Welch
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, August 10, 2006 12:49 AM
  Subject: RE: [ActiveDir] machine GP load

  Does anyone have, or know of, a utility program that will provide a
  breakout of object counts in AD in each container, with a rollup so that
  each container shows all of the containers below it?
  Joe?
  Thanks,
  Jerry

  Jerry Welch
  CPS Systems
  US/Canada: 888-666-0277
  International: +1 703 827 0919 (-5 GMT)
  IP Phone (Skype): Jerry_Welch ( www.skype.net )
  


Re: [ActiveDir] machine GP load

2006-08-10 Thread Paul Williams



Ha ha. That's why my post says to 
run using CSCRIPT.


--Paul

  - Original Message -
  From: Ramon Linan
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, August 10, 2006 2:31 PM
  Subject: RE: [ActiveDir] machine GP load

  I tried it out, I was hitting the enter key forever thanks to:
  WScript.Echo oChild.get("distinguishedName") & vbTab & c
  
  
  
  
  



Re: [ActiveDir] UPPER case for username

2006-08-09 Thread Paul Williams
I've not tested this (just hashed it up as I read your post, so there's 
probably going to be some syntax errors, etc. --please test first).


But here's a quick and dirty vbscript that should change all uppercase 
accounts to lowercase.



option explicit
dim oRootDse, oConn, oComm, oRs, oUser
dim sADsPath, sFilter, sAttrs, sScope, sQuery, sAMAccountName

set oRootDse = getObject("LDAP://RootDSE")
set oConn = createObject("ADODB.Connection")
set oComm = createObject("ADODB.Command")

' configure provider and define command
oConn.provider = "ADsDSOObject"
oConn.open "Active Directory Provider"
oComm.activeConnection = oConn

' build query ("<ADsPath>;filter;attributes;scope" form)
sADsPath = "<LDAP://" & oRootDse.get("defaultNamingContext") & ">"
sFilter  = "(&(objectCategory=person)(objectClass=user))"
sAttrs   = "ADsPath,sAMAccountName"
sScope   = "subTree"
sQuery   = sADsPath & ";" & sFilter & ";" & sAttrs & ";" & sScope

' configure command properties (paged so more than 1000 users come back)
oComm.commandText = sQuery
oComm.properties("Page Size") = 128
oComm.properties("Cache Results") = false

' execute query
set oRs = oComm.execute

if (not oRs.EOF) then ' check to see if any results were returned
  oRs.moveFirst

  ' iterate result set
  while not oRs.EOF
    sAMAccountName = oRs.fields("sAMAccountName").value
    ' string "=" is a binary compare in VBScript, so this only matches
    ' names that are entirely upper case (e.g. JDOE, not jDoe)
    if (uCase(sAMAccountName) = sAMAccountName) then
      sAMAccountName = lCase(sAMAccountName)
      set oUser = getObject(oRs.fields("ADsPath").value)
      ' only the pre-Windows 2000 logon name changes; UPN is untouched
      oUser.put "sAMAccountName", sAMAccountName
      oUser.setInfo
    end if
    oRs.moveNext
  wend
else
  ' empty record set (no results returned)
end if


--Paul

- Original Message - 
From: Irwan Hadi [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Wednesday, August 09, 2006 2:14 AM
Subject: [ActiveDir] UPPER case for username



We are in the process of bringin in a couple hundred users from a
Novell Groupwise system to our AD 2003 + Exchange 2003 system. Our AD
is in Windows 2003 Native mode for forest and domain.

Because of the need to integrate Groupwise and Exchange, we need to
use Microsoft Exchange Connector for Groupwise (and Quest Migration
Wizard). The problem is, the administrator of the Novell Groupwise has
set their standard username to be in UPPER CASE, eg: JDOE, instead of
lower case eg: jdoe, and Exchange Connector for Groupwise will create
the username with the same case it is now in Groupwise.

This means in our AD domain, we will have a couple hundred users who
use UPPER CASE for their username.

Now the questions are:
- Will this cause any problem with any of Microsoft product in the
future (eg: Sharepoint).
- Is there a way to change the username  in CAPS to be in lower
letter, once Exchange connector for Groupwise creates the user?

Thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx 




Re: [ActiveDir] Weak AD passwords

2006-08-09 Thread Paul Williams



L0phtCrack was purchased by Symantec and is now sold as an enterprise
security product.  It's called LC5, I believe, but has recently been
discontinued (after Symantec stopped selling it to people outside of North
America) and support runs out at the end of the year.  Which is a real pain
as I've recently recommended it and now need to revise my recommendations!


--Paul

  - Original Message - 
  From: 
  McCann, 
  Danny 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Wednesday, August 09, 2006 3:59 
  PM
  Subject: RE: [ActiveDir] Weak AD 
  passwords
  
  Hi
  
  Haven't used it, but one of my colleagues swears it's too good. 
  :)Try Rainbow Tables.
  
  Cheers
  
  Danny
  
  

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 20 March 2006 21:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Weak AD passwords

Can anyone recommend any tools to find which of our users have weak AD
passwords?  We used to use L0phtcrack back in the day, but it doesn't appear
to be supported any longer?  Other than enforcing complex passwords (which
we do) and 8 character minimum, we'd like to figure out who uses things like
"Password1" or something silly like that.

Thanks in advance

Email has been scanned for viruses by Altman Technologies' email management
service

  
  
  ~~
  This e-mail is confidential, may contain proprietary information of the
  Cooper Cameron Corporation and its operating Divisions and may be
  confidential or privileged.  This e-mail should be read, copied,
  disseminated and/or used only by the addressee.  If you have received
  this message in error please delete it, together with any attachments,
  from your system.
  ~~
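What Russ is asking for, and what the tool Paul mentions does under the hood, is an offline audit: take the NT hashes out of the directory and test them against a list of passwords that pass the complexity policy but are still bad (Password1 and friends).  The check itself is cheap because Active Directory stores the NT hash as an unsalted MD4 of the UTF-16LE password, so a wordlist of a few thousand candidates is hashed once and every account is a dictionary lookup.  The script below is an added example for this thread, not code from any poster or from L0phtCrack: it implements MD4 itself (hashlib's md4 is disabled on many OpenSSL 3 builds), derives NT hashes for a small weak-password list, and reports matches and shared passwords in a constructed pwdump-style dump.  The account names and the dump are made up; getting real hashes out of ntds.dit needs Domain Admin rights and authorisation, and is out of scope here.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib.new('md4') is unavailable
    on many OpenSSL 3 builds unless the legacy provider is loaded."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)   # pad to 56 mod 64
    msg += struct.pack("<Q", bit_len)              # little-endian bit length

    def f(x, y, z): return (x & y) | (~x & MASK32 & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (round function, additive constant, message-word order, shifts)
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = [a0, b0, c0, d0]
        for fn, k, order, shifts in rounds:
            for i in range(16):
                t = (-i) % 4  # the updated word cycles a, d, c, b
                p, q, r = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rol((v[t] + fn(p, q, r) + x[order[i]] + k) & MASK32, shifts[i % 4])
        a0, b0, c0, d0 = ((a0 + v[0]) & MASK32, (b0 + v[1]) & MASK32,
                          (c0 + v[2]) & MASK32, (d0 + v[3]) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash as AD stores it: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le")).hex()


# Candidates that satisfy "8 chars, complex" yet are still guessable.
WEAK_LIST = ["password", "Password1", "Welcome1", "Summer2006", "P@ssw0rd", ""]

# Constructed, hypothetical pwdump-format dump (user:rid:lmhash:nthash:::).
# The accounts are invented for this example; the LM field is the "no LM
# hash" value and the NT hashes are derived from the passwords shown.
_EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
SAMPLE_DUMP = "\n".join([
    f"jdoe:1105:{_EMPTY_LM}:{nt_hash('Password1')}:::",
    f"asmith:1106:{_EMPTY_LM}:{nt_hash('X9!qv#Lr2m')}:::",
    f"bwayne:1107:{_EMPTY_LM}:{nt_hash('Password1')}:::",
    f"svc_backup:1108:{_EMPTY_LM}:{nt_hash('password')}:::",
    f"guest:501:{_EMPTY_LM}:{nt_hash('')}:::",
])


def parse_pwdump(text):
    """Yield (user, nthash) from pwdump-style lines, skipping malformed ones."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or len(parts[3]) != 32:
            continue
        yield parts[0], parts[3].lower()


def audit(dump_text, wordlist):
    """Hash every candidate once, then look each account up in that table:
    the cost is one MD4 per candidate, not per candidate per account."""
    table = {nt_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in parse_pwdump(dump_text) if h in table}


def shared_hashes(dump_text):
    """Accounts with identical NT hashes share a password (no salt), which is
    worth flagging even when the password itself is not in the wordlist."""
    by_hash = {}
    for user, h in parse_pwdump(dump_text):
        by_hash.setdefault(h, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    for user, pw in sorted(audit(SAMPLE_DUMP, WEAK_LIST).items()):
        print(f"{user}: weak password ({'<empty>' if pw == '' else pw})")
    for users in shared_hashes(SAMPLE_DUMP).values():
        print("shared password between: " + ", ".join(users))
```

Run it as-is to see the constructed dump audited; point `audit` at a real dump and a real wordlist and the same two functions give you the list Russ wants.  Because the hash is unsalted, `shared_hashes` is the cheap extra check that a cracking tool's wordlist never gives you.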


Re: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Paul Williams



Yes, you can relocate the SYSVOL.  It's just a little more involved (couple
of extra steps, not difficult) than moving the DIT.  See:
-- http://support.microsoft.com/?id=842162

However, if I might be so bold as to make a suggestion here, I would
recommend you leave SYSVOL where it is, giving you:

0: Windows
1: DIT and Logs
2: SYSVOL

You don't want SYSVOL on the same disk as the database.  Especially if you
are delegating things like GPO modification, etc. to non-admins or lesser
admins.


--Paul

  - Original Message - 
  From: 
  Yann 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Tuesday, August 08, 2006 1:14 
  PM
  Subject: [ActiveDir] Moving Sysvol 
.
  
  Hello :)
  
  I have my AD w2k3 sp1 hard disk configured as this:
  hdd1: AD logs.
  hdd2: ntds.dit + sysvol.

  I would like to change my hdd2, so I move the ntds.dit in hdd1 and that's
  ok.  But how to move the sysvol folder in hdd1?  Is there a way to do this?

  Thanks for your replies.

  Yann


Re: [ActiveDir] DCs Hyper-Threading

2006-08-08 Thread Paul Williams



I believe, from a past conversation, that disabling hyper-threading on
bridgehead servers with lots of inbound connections, i.e. in enterprise
deployments, should be *considered* as the replication queue has two
parallel threads per processor, core or hyper-threading processor, as the
system call sees all in the same way - multiple processors.  However,
there's no real guideline here as there are so many variables, i.e. amount
of change, compression, new objects, mods, whether the data is in cache or
not, etc.

I don't think it matters all that much for the AD stuff.  You might need to
look into the FRS side of things (in big environments).  It will matter for
CPU-intensive apps that weren't written directly for multiple-processor
systems.  Under such circumstances, it is often recommended to disable
hyper-threading.

For example, you have to disable HT for SAP servers.  I don't think SQL
cares as that is written for multiple-CPU support and can probably tell the
difference between two physical processors and HT processors, but I don't
know.  Like Al said, check the Virtual Server readme, as NIC teaming isn't
supported for the host, apparently (unless, like AD, that's just
load-balanced teaming).


--Paul

  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  
  To: ActiveDir@mail.activedir.org 
  
  Sent: Tuesday, August 08, 2006 2:11 
  PM
  Subject: Re: [ActiveDir] DCs  
  Hyper-Threading
  From Tim Mangan's whitepaper on hyperthreading under 2003:

  "The results in this paper are exclusively related to Windows Server
  2003.  We are currently running the tests used in the development of this
  paper under Server 2000.  We can verify reports of performance and
  stability problems with Hyper-Threading on Windows 2000 Server, and at
  this time recommend customers disable Hyper-Threading under 2000."

  http://www.tmurgent.com/images/WP_HyperThread.pdf

  So disable under 2000 is the recommendation.  As to 2003 he shows a small
  performance increase in all cases except multithreaded CPU-bound
  applications, which is expected.  Personally I leave hyperthreading
  turned on for my 2003 installs.  It also makes single-dual cpu upgrades
  easier since the SMP kernel is already used =)

  Thanks,
  Andrew Fidel
  


  From: "Wyatt, David" [EMAIL PROTECTED]
  Sent by: [EMAIL PROTECTED]
  Sent: 08/07/2006 09:45 AM
  Please respond to ActiveDir@mail.activedir.org
  To: ActiveDir@mail.activedir.org
  cc:
  Subject: [ActiveDir] DCs & Hyper-Threading

  What are people's views on whether to enable or disable hyper-threading
  on a Proliant box running Windows 2003 as a DC.  I remember Intel advised
  HT to be disabled on Windows 2000 but has this changed for Windows 2003?
  Are the performance benefits significant for a DC?

  Thanks
  David

  This message contains confidential information and is intended only for
  the individual or entity named.  If you are not the named addressee you
  should not disseminate, distribute or copy this e-mail.  Please notify
  the sender immediately by e-mail if you have received this e-mail by
  mistake and delete this e-mail from your system.  E-mail transmission
  cannot be guaranteed to be secure or error-free as information could be
  intercepted, corrupted, lost, destroyed, arrive late or incomplete, or
  contain viruses.  The sender therefore does not accept liability for any
  errors or omissions in the contents of this message which arise as a
  result of e-mail transmission.  If verification is required please
  request a hard-copy version.  This message is provided for informational
  purposes and should not be construed as an invitation or offer to buy or
  sell any securities or related financial instruments.  GAM operates in
  many jurisdictions and is regulated or licensed in those jurisdictions as
  required.


Re: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Paul Williams



I believe the school of thought here is that the person has write access to
the same volume as the DIT, which means he/she can easily perform DoS
attacks, etc. by filling up the disk.  I agree it's unlikely, but there you
go.  Take the [real] examples of where people with write access to SYSVOL
have decided to replicate ghost images, etc. which not only trashes FRS, but
fills the disk so that only the 20MB reserve files are left (which can
easily be used up with dodgy custom synchronisation scripts that don't know
what a USN is [past experience showing?] ;-)

I don't believe the recommendations for Logs and DIT go either.  Yes, the
logs are predominantly write, while most of the DIT usage is read, but the
logs are circular.  Why waste a mirrored set for < 100 MB of disk even if
disk is cheap?  Plus, as already stated in the same argument, most of the
activity is read, so is there really performance to be gained by having
nano-second better response times on the file writes?  Other than
implementation or re-provisioning or restoration, I can't see the need to
separate the logs.

I'm involved with a design at the moment that has a 30+ GB DIT (~320,000
users at the moment) and I'm using my earlier recommendations for the disks
for DCs.  We're arguing over whether RAID10 or RAID5 for the logical disk(s)
that contain the non-OS volumes should be used, but there's not much
difference there on a 4 - 6 disk set - the argument is political to do with
different standards for the management people.  But then, the SYSVOL volume
is also a scratch area for administrators.  The DIT and OS volumes are very
much off limits, and secured thus.


--Paul


  - Original Message - 
  From: 
  Darren Mar-Elia 
  
  To: ActiveDir@mail.activedir.org 
  
  Sent: Tuesday, August 08, 2006 3:58 
  PM
  Subject: RE: [ActiveDir] Moving Sysvol 
  .
  
  Yea, I'm not sure why one has to do with the other (GPO delegation and
  security of the DIT).  GPO delegation simply involves granting
  permissions on individual GPC objects in AD and individual folders in the
  GPT (SYSVOL).  The only risk I can see is that it is marginally easier to
  fill up a disk by writing a ton of data into SYSVOL than it is to do that
  by generating millions of AD objects (both of which a "lesser" admin can
  do), but if either happens, you probably have bigger problems than the
  disk with the DIT on it filling up.
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Tuesday, August 08, 2006 6:58 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Moving Sysvol .
  
  ... but then there's the school of thought that says you should:

  - Place DIT and logs on separate spindles, since DIT is read intensive
    and logs are write intensive

  Since SYSVOL is also read intensive, I'd prefer to place SYSVOL with the
  DIT.

  To be honest, I don't follow the delegation argument... GPOs exist in
  SYSVOL and AD so if delegating access to GPOs, surely there is an
  argument for placing SYSVOL and DIT on the *same* disk(?)
  
  
  neil
  
  
  

Re: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Paul Williams



Yeah, I'm not disagreeing with what you and Darren say.  In fact, I mostly
agree.  I'm just working in a high security environment where every detail
is scrutinised and extra care needs to be taken with everything.  I've
always been one of these people that try and look at both sides of the
security versus operability arguments and think that if it can be hardened
without causing issues, it should be.  Many of us on this list, and in the
groups, are of the opinion that non-DAs shouldn't have write access to the
OS and DIT volumes, even if performing proper administrative functions.
Therefore a scratch volume that contains SYSVOL works well if you have
non-DAs working with GPOs using native tools.  The AD side of GPO is easily
managed against most forms of attack.  The file system still poses an
element of risk.

The tools for doing this stuff are a given.  If they're not using the
management tools on the management servers then they shouldn't be allowed
to work.  This is just another little piece in the big puzzle that is
locking everything down to the point of (insert opinion here)...

In my case, the scratch area played an important part in the decision and
that swung the idea for me so I spout it off a lot now.  But consider the
malicious user, as opposed to the foolish, or naive admin.  If they've got
write (or even read) access to certain areas of the DC where sensitive
files are...


--Paul


  - Original Message - 
  From: 
  [EMAIL PROTECTED] 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Tuesday, August 08, 2006 4:37 
  PM
  Subject: RE: [ActiveDir] Moving Sysvol 
  .
  
  All fair points, Paul - I guess I'd view these concerns in a different
  way:

  - Use a GPO management tool to abstract away native GPO rights
  - If admins cannot be trusted not to fill SYSVOL with sh** then don't
    give them any rights in SYSVOL [similar to above point]
  - If SYSVOL has its own partition, you still have the potential for
    adminA to fill the disk with cr** and thus hinder the legitimate
    efforts of adminB to make changes to a GPO.  Granted, this 'DOS' only
    affects SYSVOL, but then if GPO is broken then you're in big trouble
    anyway :)
  - Granted a separate disk for logs *is* overkill.  Consider using that
    partition / disk in other ways (GPO backups; system state backups,
    build source files etc etc).
  
  my 2 penneth,
  neil
  
  
  

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-04 Thread Paul Williams
This is a real problem for me.  I've got no qualms about doing things in an 
unsupported fashion, as I feel I know what I'm doing.  However, our 
customers won't have any of it.  Especially as we won't be around to help 
support it, etc.


Another example is replicating NDNCs.  Apparently, I can't script the 
population of mSDS-NC-Replica-Locations, I can only get bridgeheads that 
don't, for example, run DNS to replicate the DNS NDNCs by using the 
applicable NTDSUTIL options.  I doubt NTDSUTIL is doing anything different 
to my script (in this one instance of course) but the DSE said that my 
script was unsupported.


I'd be interested in knowing why some of these switches in the answer file 
only work under select circumstances.  As it seems that doing so is going to 
force some people to do one of two things:

-- Perform unsupported tasks to automate their DC promotions
-- Write a number of pre- and post-promotion scripts, which can be a pain 
as it adds additional complexity to the automation environment, etc.


[I hope] Longhorn should have better support for these options as the new 
DCPROMO UI allows you to select GC, etc.



--Paul

- Original Message - 
From: Dean Wells [EMAIL PROTECTED]

To: Send - AD mailing list [EMAIL PROTECTED]
Sent: Friday, August 04, 2006 2:32 AM
Subject: RE: [ActiveDir] Setting FFL=2 automatically when building first DC 
in forest




Granted ... though perhaps a moot point to those (on the consumer side of
the fence) capable of using such a tweak since proving such usage is
challenging to say the least.

Aside, since its purpose has been well served twice in as many days and on
2 unrelated topics, maybe it could be considered a feature suggestion ...

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com



-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Thursday, August 03, 2006 8:34 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building
first DC in forest

Touching schema.ini would qualify as very not supported ...

-B

On Thu, 3 Aug 2006, Paul Williams wrote:

  It might be worth looking at the %systemroot%\system32\schema.ini file
  again.  I just had a poke around in there after reading Dean's answer to
  your question yesterday and the first section, the [DEFAULTROOTDOMAIN]
  section is setting nTMixedMode.  You can change that to 0 (for native)
  and try adding mSDS-Behavior-Version and setting it to 2.

  I don't know if that will work, but you're probably in a position to
  test this...


  --Paul

    - Original Message -
    From: [EMAIL PROTECTED]
    To: ActiveDir@mail.activedir.org
    Sent: Thursday, August 03, 2006 9:39 AM
    Subject: [ActiveDir] Setting FFL=2 automatically when building first DC in forest


    According to http://support.microsoft.com/kb/223757/en-us the
    SetForestVersion entry in the dcpromo answer file can only be used to
    set FFL to 1 or 0 when building a new forest.

    Is this correct? I'd like to automate the transition to FFL=2 when
    building the first DC in a forest (without a script).

    Perhaps another change request for Longhorn? :)

    neil

    PLEASE READ: The information contained in this email is confidential
    and intended for the named recipient(s) only. If you are not an
    intended recipient of this email please notify the sender immediately
    and delete your copy from your system. You must not copy, distribute
    or take any further action in reliance on it. Email is not a secure
    method of communication and Nomura International plc ('NIplc') will
    not, to the extent permitted by law, accept responsibility or
    liability for (a) the accuracy or completeness of, or (b) the presence
    of any virus, worm or similar malicious or disabling code in, this
    message or any attachment(s) to it. If verification of this email is
    sought then please request a hard copy. Unless otherwise stated this
    email: (1) is not, and should not be treated or relied upon as,
    investment research; (2) contains views or opinions that are solely
    those of the author and do not necessarily represent those of NIplc;
    (3) is intended for informational purposes only and is not a
    recommendation, solicitation or offer to buy or sell securities or
    related financial instruments. NIplc does not provide investment
    services to private customers. Authorised and regulated by the
    Financial Services Authority. Registered in England no. 1550505 VAT
    No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London,
    EC1A 4NP. A member of the Nomura group of companies.


Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-04 Thread Paul Williams

Yes, I'll do the same then...

This particular customer should have a lot of weight.


--Paul

- Original Message - 
From: [EMAIL PROTECTED]

To: ActiveDir@mail.activedir.org
Sent: Friday, August 04, 2006 9:09 AM
Subject: RE: [ActiveDir] Setting FFL=2 automatically when building first DC 
in forest




Let's just hope that Longhorn enables us to build machines (DCs) in a
truly unattended fashion then :) only then can I avoid touching
schema.ini. [I don't consider post build scripts to be acceptable.]

MS will be ratifying our designs late this year - I think I can lean
hard enough on the MS guys to persuade them to support us :)

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: 04 August 2006 01:34
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Setting FFL=2 automatically when building first
DC in forest

Touching schema.ini would qualify as very not supported ...

-B

On Thu, 3 Aug 2006, Paul Williams wrote:


Setting FFL=2 automatically when building first DC in forestIt might

be worth looking at the %systemroot%\system32\schema.ini file again.  I
just had a poke around in there after reading Dean's answer to your
question yesterday and the first section, the [DEFAULTROOTDOMAIN]
section is setting nTMixedMode.  You can change that to 0 (for native)
and try adding mSDS-Behavior-Version and setting it to 2.


I don't know if that will work, but you're probably in a position to

test this...



--Paul

  - Original Message - 
  From: [EMAIL PROTECTED]

  To: ActiveDir@mail.activedir.org
  Sent: Thursday, August 03, 2006 9:39 AM
  Subject: [ActiveDir] Setting FFL=2 automatically when building first



DC in forest


  According to http://support.microsoft.com/kb/223757/en-us the

SetForestVersion entry in the dcpromo answer file can only be used to
set FFL to 1 or 0 when building a new forest.


  Is this correct? I'd like to automate the transition to FFL=2 when

building the first DC in a forest (without a script).


  Perhaps another change request for Longhorn? :)

  neil

  PLEASE READ: The information contained in this email is confidential and
  intended for the named recipient(s) only. If you are not an intended
  recipient of this email please notify the sender immediately and delete your
  copy from your system. You must not copy, distribute or take any further
  action in reliance on it. Email is not a secure method of communication and
  Nomura International plc ('NIplc') will not, to the extent permitted by law,
  accept responsibility or liability for (a) the accuracy or completeness of,
  or (b) the presence of any virus, worm or similar malicious or disabling
  code in, this message or any attachment(s) to it. If verification of this
  email is sought then please request a hard copy. Unless otherwise stated
  this email: (1) is not, and should not be treated or relied upon as,
  investment research; (2) contains views or opinions that are solely those of
  the author and do not necessarily represent those of NIplc; (3) is intended
  for informational purposes only and is not a recommendation, solicitation or
  offer to buy or sell securities or related financial instruments. NIplc
  does not provide investment services to private customers. Authorised and
  regulated by the Financial Services Authority. Registered in England
  no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
  London, EC1A 4NP. A member of the Nomura group of companies.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx




Re: [ActiveDir] OT: DNS entry

2006-08-04 Thread Paul Williams



If you've got the necessary auditing enabled in your domain, and you had
auditing ACEs configured on the DNS zone (location depends, generally you'd
set it on the CN=MicrosoftDNS folder) then yes, you can. But you'll have to
search each DC's security event log for this info.

Otherwise, you can't get this info. You can check the whenChanged attribute
on the tombstoned record for a rough idea of when the deletion occurred and
try and move from there by looking at logon events, again if you have
auditing enabled.

If you're not using AD-Integrated DNS, then none of the above will really
help.


--Paul

  - Original Message - 
  From: James Carter
  To: ActiveDir@mail.activedir.org
  Sent: Friday, August 04, 2006 12:09 PM
  Subject: [ActiveDir] OT: DNS entry

  We had a static Server DNS entry deleted over the weekend.

  Is there any way to find out who deleted this entry? This is a Windows
  2003 R2 server/domain

  thanks

  James
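An added example of the approach Paul describes, not code from the thread. It assumes the ActiveDirectory module and PowerShell event cmdlets (Windows Server 2008 R2 or later tooling, so newer than the 2003 R2 box James has), an AD-integrated zone stored in the DomainDnsZones partition of a forest called corp.example (a placeholder), and that "Audit directory service access" is enabled on the DCs. It sets an audit ACE on CN=MicrosoftDNS so future deletions are logged, reads whenChanged from the tombstoned dnsNode for the rough time of deletion, and then searches every DC's Security log for directory-service-access events (4662 on 2008 and later, 566 on 2003) that name that object. The "Account Name" extraction matches the 4662 message layout; check the 566 layout on 2003 DCs yourself.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and a
# forest named corp.example (placeholder); adjust the partition DNs as needed.
Import-Module ActiveDirectory

$DnsRoot       = "CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example"
$DefaultZoneDn = "DC=corp.example,$DnsRoot"   # zones are DC= objects under MicrosoftDNS

# 1. Audit future deletions: a SACL entry on the MicrosoftDNS container so that
#    successful Delete / DeleteChild / WriteProperty by anyone is logged.
#    The DCs must also have "Audit directory service access" enabled in policy.
function Enable-DnsDeleteAuditing {
    param([string]$ContainerDn = $DnsRoot)
    $acl      = Get-Acl -Path "AD:\$ContainerDn"
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteChild, WriteProperty'
    $ruleArgs = @($everyone, $rights,
                  [System.Security.AccessControl.AuditFlags]::Success,
                  [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $ruleArgs
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$ContainerDn" -AclObject $acl
}

# 2. Rough time of deletion: a deleted AD-integrated record is not an AD
#    tombstone but a dnsNode flagged dnsTombstoned=TRUE, so whenChanged on that
#    object is the best timestamp available without auditing.
function Get-DeletedDnsRecordInfo {
    param([string]$HostName, [string]$ZoneDn = $DefaultZoneDn)
    Get-ADObject -SearchBase $ZoneDn `
        -LDAPFilter "(&(objectClass=dnsNode)(name=$HostName)(dnsTombstoned=TRUE))" `
        -Properties whenChanged, dnsTombstoned |
        Select-Object DistinguishedName, whenChanged
}

# 3. Who did it: directory service access events are logged only on the DC that
#    processed the write, so every DC's Security log has to be searched.
function Find-DnsDeletionEvents {
    param([string]$ObjectDn, [datetime]$Since)
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
                LogName = 'Security'; Id = 4662, 566; StartTime = $Since } |
                Where-Object { $_.Message -like "*$ObjectDn*" } |
                ForEach-Object {
                    # First "Account Name:" line of a 4662 message is the Subject.
                    $who = $_.Message -split "`n" |
                           Where-Object { $_ -match 'Account Name:' } |
                           Select-Object -First 1
                    [pscustomobject]@{
                        DC = $dc; Time = $_.TimeCreated; EventId = $_.Id; Subject = "$who".Trim()
                    }
                }
        } catch {
            Write-Warning "Could not read the Security log on ${dc}: $_"
        }
    }
}

# Usage (as a domain admin):
#   Enable-DnsDeleteAuditing
#   $rec = Get-DeletedDnsRecordInfo -HostName 'server01'
#   Find-DnsDeletionEvents -ObjectDn $rec.DistinguishedName -Since $rec.whenChanged.AddDays(-1)
```

The SACL only helps for the next deletion; for the one that already happened you are limited to whenChanged plus whatever logon auditing was on at the time, which is Paul's point.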


Re: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box

2006-08-03 Thread Paul Williams
I've done this a couple of times, but on the exchange gateway servers, not 
on an SBS box.  I've never seen SBS.


Anyway, the easiest way to do this is to create a second virtual SMTP server 
and set it to listen on port 26 (and send on 25).  Configure the first 
virtual server to send on 26 (it's already listening on 25).  Then register 
the sink on the second virtual server.


The reason is that most of your clients are MAPI clients, so don't trigger 
the SMTP sink.


If you're using a connector, you need to point the second virtual server at 
the connector (I think, it's been even longer since I did one where they had 
an SMTP connector).


I'm afraid I can't give you the scripts as they're at customer sites, etc. 
One thing I will say is troubleshooting this is a real pain.  On one problem 
I had Dev Support MSFT people help out.  We took it from the bottom up. 
Unregistered all the sinks (that I'd registered, the VBS script you use to 
register allows you to view all sinks) and then registered a new one that 
simply created a text file on the D drive.


As you're using VBS, not VB, ensure that you use absolute paths for things 
like text files, etc. as the script will run and not error without absolute 
paths but they won't work...



--Paul

- Original Message - 
From: Bart Van den Wyngaert [EMAIL PROTECTED]

To: ActiveDir ActiveDir@mail.activedir.org
Sent: Wednesday, August 02, 2006 9:41 PM
Subject: [ActiveDir] OT - Adding disclaimer on E2K3 on a SBS 2K3 box



Hi guys,

I'm having trouble with adding a disclaimer on E2K3 on a SBS 2K3 box.
I'm using the EventSink with a .vbs to add the disclaimer. The box is
configured with a default SMTP server and a SMTP connector which
forwards all external email to the SMTP of the ISP.

Anybody who has done the trick already? If so, can you please tell me
the little secret for this? *g*

Many thanks to all,
Bart


Re: [ActiveDir] OT: SBS question

2006-08-03 Thread Paul Williams
I've never seen SBS, but my younger brother has just started a new job 
(first one since leaving Uni) and bought a new server and it came with SBS. 
When he built it it appeared he had no choice but to make it a DC, even 
though he only wanted it as a member server - there's already an SBS box 
there.


Anyway, we didn't know at the time (this was a phone conversation) so I told 
him to go ahead with the promotion (thinking it was just a stupid Dell 
wizard) and demote it later.  He did this and now it reboots every day.


So, I think I know the answer to this from the tidbits of info. I've seen in 
the groups and forums, etc. but can the 2nd SBS box be added to the domain 
with the first SBS or does he need to get a k3 Std. license instead?  All he 
wants at this point in time is a SQL and file server.


(As you can guess, this is a small company, he's one of three dev guys 
there).


And, if they wanted to replace the existing SBS box with this new one, how 
do they go about that if you can't have more than one SBS box?  I doubt they 
want to migrate...


Thanks,


--Paul

- Original Message - 
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 03, 2006 3:45 AM
Subject: Re: [ActiveDir] Information about lingering objects in a Windows 2000-based forest or in a Windows Server 2003-based forest:




You know us blondes

With barely a twig, let alone a tree in our forest...and I'll have you 
know this twig is clean installed 2k3 domain (I strongly believe in no 
inplace even in our twig domains down here).


(and for the record for everyone's trivia tonight... while I choose to have 
a single DC (at this time) ... SBS can support additional DCs in our 
domain hey.. I've even used ntdsutil and ADSIedit even down here  ;-)


Brett Shirley wrote:

Susan, how on earth could _you_ get a lingering object?  Seems impossible
with only one DC, oh wait did you just forget to delete it?

From The Love,
-B

On Wed, 2 Aug 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:


Information about lingering objects in a Windows 2000-based forest or in 
a Windows Server 2003-based forest:

http://support.microsoft.com/?kbid=910205

--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I 
will hunt you down...

http://blogs.technet.com/sbs



Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Paul Williams
It might be worth looking at the %systemroot%\system32\schema.ini file
again. I just had a poke around in there after reading Dean's answer to
your question yesterday and the first section, the [DEFAULTROOTDOMAIN]
section, is setting nTMixedMode. You can change that to 0 (for native)
and try adding msDS-Behavior-Version and setting it to 2.

I don't know if that will work, but you're probably in a position to
test this...


--Paul


  - Original Message - 
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, August 03, 2006 9:39 AM
  Subject: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

  According to http://support.microsoft.com/kb/223757/en-us the
  SetForestVersion entry in the dcpromo answer file can only be used to
  set FFL to 1 or 0 when building a new forest.

  Is this correct? I'd like to automate the transition to FFL=2 when
  building the first DC in a forest (without a script).

  Perhaps another change request for Longhorn? :)

  neil



Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Paul Williams
Ah nice, you got there before me with a better answer! :P

I'm poking around in there now, as I'm in a similar position to Neil at
the mo'.

Question: Can I provide schema.ini as an argument to the promotion or
unattended or do I need to mod the default file prior to running the
unattended script?

"mint-sauce-fearing friend"

LOL. Yep. I'm averse to such things as I'm fed up of the damned English,
Scottish, Irish, South African and Australian (and there's a damned cheek)
meet'g and bleh'g at me... ;-)



  - Original Message - 
  From: Dean Wells
  To: Send - AD mailing list
  Sent: Thursday, August 03, 2006 1:30 PM
  Subject: RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

  That's v. close my mint-sauce-fearing friend but it's likely that that will
  set only the dom. func. level to K3 native (though to be honest I've not
  tried). So, since forests tend to drag domains with them, functional level
  wise, (i.e. when a new domain is created within an existing forest), we
  simply need to tell the forest func. level to seed itself with a value of
  2 ... see my previous post for instructions on how to do that.

  --Dean Wells
  MSEtechnology*
  Email: [EMAIL PROTECTED]
  http://msetechnology.com
  
  
  
  
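An added example, not code from the thread and not Dean's method (his earlier post is not on this page). It shows, from the directory side, what Paul's schema.ini idea and Dean's correction are about: functional levels live in msDS-Behavior-Version on three kinds of object, the domain NC head (the domain level, which is the object the [DEFAULTROOTDOMAIN] section seeds), CN=Partitions in the Configuration NC (the forest level) and each DC's nTDSDSA object. The script includes a small INI-section reader run over a constructed snippet (not a copy of the real schema.ini) to show what such a section carries, a function that reads all three levels so you can check whether a build actually landed on FFL=2, and the supported way to raise them afterwards. It assumes the ActiveDirectory module; it never writes to schema.ini, which Brett notes is unsupported.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module. The
# INI text below is constructed for illustration, not copied from schema.ini.

function Get-IniSection {
    # Return the key=value pairs of one [Section] from INI-style text.
    param([string[]]$Lines, [string]$Section)
    $inSection = $false
    $result = [ordered]@{}
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $Section); continue }
        if ($inSection -and $t -match '^([^=;]+?)\s*=\s*(.*)$') { $result[$Matches[1]] = $Matches[2] }
    }
    return $result
}

# Constructed sample of the kind of section the thread discusses.
$SampleIni = @"
[DEFAULTROOTDOMAIN]
objectClass = domainDNS
nTMixedMode = 1
[SCHEMA]
objectClass = dMD
"@ -split "`r?`n"

Get-IniSection -Lines $SampleIni -Section 'DEFAULTROOTDOMAIN'
# nTMixedMode=1 seeds the domain as mixed mode. The section describes the
# domain NC head only, which is Dean's point: it can influence the domain
# level, but the forest level is held on CN=Partitions, not here.

function Get-FunctionalLevelObjects {
    # Where the directory actually stores the levels after promotion.
    Import-Module ActiveDirectory
    $root = Get-ADRootDSE
    $targets = @(
        @{ Role = 'Domain (DFL)'; Dn = $root.defaultNamingContext },
        @{ Role = 'Forest (FFL)'; Dn = "CN=Partitions,$($root.configurationNamingContext)" }
    )
    foreach ($t in $targets) {
        $o = Get-ADObject -Identity $t.Dn -Properties msDS-Behavior-Version, nTMixedMode
        [pscustomobject]@{
            Role = $t.Role; Object = $t.Dn
            BehaviorVersion = $o.'msDS-Behavior-Version'; MixedMode = $o.nTMixedMode
        }
    }
    # Each DC's own level lives on its nTDSDSA object under CN=Sites.
    Get-ADObject -SearchBase "CN=Sites,$($root.configurationNamingContext)" `
        -LDAPFilter '(objectClass=nTDSDSA)' -Properties msDS-Behavior-Version |
        ForEach-Object {
            [pscustomobject]@{
                Role = 'DC (nTDSDSA)'; Object = $_.DistinguishedName
                BehaviorVersion = $_.'msDS-Behavior-Version'; MixedMode = $null
            }
        }
}

# Supported way to reach level 2 (Windows Server 2003) after the build instead
# of editing schema.ini: raise the domain first, then the forest.
function Set-ForestToLevel2 {
    Import-Module ActiveDirectory
    Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2003Domain -Confirm:$false
    Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2003Forest -Confirm:$false
}

# Usage:  Get-FunctionalLevelObjects | Format-Table -AutoSize
```

Value 2 in msDS-Behavior-Version corresponds to Windows Server 2003 on all three object types; a forest cannot be raised above the lowest domain level, which is why the domain is raised first.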
  


Re: [ActiveDir] Remove Defunct domains..

2006-08-03 Thread Paul Williams

See kb216498 for the info on the NTDSUTIL cleanup. Basically you need to
perform a metadata, DNS and FRS cleanup. That KB details all the necessary
steps.

You'd determine the IP address of the workgroup by the 1B and 1C records
registered for that name.

The domain master browser is performed by the PDCe. A master browser is
also elected on a per-subnet basis. Check out the Win2k RK book - TCP/IP
core networking guide for more info. There's an appendix on the browser
service.

--Paul



  - Original Message - 
  From: HBooGz
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, August 03, 2006 1:33 PM
  Subject: Re: [ActiveDir] Remove Defunct domains..

  Thanks Neil - How would one determine the IP of the members of a
  particular workgroup? RE: NTDSUTIL - just do a search, that matches the
  whole string, for the domain name? and remove accordingly?

  On 8/3/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  


Look for 1b and 1c records in WINS for the defunct domain. Remove them and
wait for WINS replication.

You should also use ntdsutil and remove the redundant AD objects too.

You can never stop ppl creating new workgroups - you should be able to
determine the IP address of their members however and then track back to
individual machines / users.

neil



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of 
HBooGz
Sent: 03 August 2006 03:04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Remove Defunct 
domains..


hey guys -


Yes, i'm using wins.

Yes, they are appearing outside of network neighborhood.

what exactly would i examine (node type) that would help me pinpoint 
where these are appearing ? and how to get rid of it ?

definitely appears to be a browsing issue ?

how can i force who is the "master browser" for the domain ? all 
workstations are windows 2000 and windows xp


i'm also seeing workgroups that should have never been created and i'm 
now policing against -- any way to rid myself of this or detect where they 
are being generated ?

Thanks
On 8/2/06, Ayers, Diane [EMAIL PROTECTED] wrote:

  
  
  dusting off old NT 4.0 sectors 
  
  Check your WINS database if you are using WINS. Part of the browsing data
  comes from WINS and the database will tell you where those records are
  coming from. You can address it via the hosts if it's coming from there or
  clean up your WINS db.
  
  Diane
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
  Sent: Wednesday, August 02, 2006 3:10 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Remove Defunct domains..
  
  
  
  
  That's a browser 
  function not something in AD. There's probably still computers joined to 
  those domains (even though they don't exist) or computers in workgroups 
  with the same names… 
  
  
  Thanks,
  Brian 
  Desmond
  [EMAIL PROTECTED]
  
  c - 
  312.731.3132
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
  Sent: Wednesday, August 02, 2006 5:05 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Remove Defunct domains..
  
  You can remove the orphaned 
  domains through NTDSUTIL. Doing a metadata cleanup.
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of HBooGz
  Sent: Wednesday, August 02, 2006 2:46 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Remove Defunct domains..

  Whenever i browse Network Neighborhood or view the list of available
  networks, there are a few domains that appear that shouldn't. Is there a
  way to remove these domain/domain entries manually? ADSI edit?

  -- 
  HBooGz:\

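An added example, not code from the thread, of the cleanup sequence Paul points to in kb216498 together with the WINS records Neil mentions. Names are placeholders: a live DC dc1.corp.example, a defunct child domain with NetBIOS name OLD whose last DC was olddc, and a WINS server wins1. The ntdsutil arguments are the documented metadata cleanup menu commands; the DNS cmdlets are from the DnsServer module (Windows Server 2012 and later); the netsh wins syntax is written from memory and is an assumption to confirm with `netsh wins server show name /?` before use. The FRS cleanup step from the KB is not shown.

```powershell
# Added example, not from the thread. Placeholders: live DC dc1, defunct
# domain OLD (NetBIOS) whose last DC was olddc, WINS server wins1.
$LiveDc  = 'dc1.corp.example'
$DeadDom = 'OLD'
$DeadDc  = 'olddc'
$WinsSrv = 'wins1'

# 1. Metadata cleanup (kb216498). ntdsutil accepts its menu commands as
#    arguments, so the interactive walk can be scripted: list first, then
#    remove by the index that 'list domains' printed.
function Invoke-MetadataCleanupListing {
    ntdsutil 'metadata cleanup' 'connections' "connect to server $LiveDc" 'quit' `
             'select operation target' 'list domains' 'list sites' 'quit' 'quit' 'quit'
}

function Remove-DefunctDomainMetadata {
    param([int]$DomainIndex)
    ntdsutil 'metadata cleanup' 'connections' "connect to server $LiveDc" 'quit' `
             'select operation target' "select domain $DomainIndex" 'quit' `
             'remove selected domain' 'quit' 'quit'
}

# 2. DNS cleanup: NTDSUTIL leaves the DC's records behind. Remove every SRV
#    record in the forest _msdcs zone whose target is the dead DC.
function Remove-DeadDcSrvRecords {
    param([string]$Zone = '_msdcs.corp.example')
    Import-Module DnsServer
    Get-DnsServerResourceRecord -ComputerName $LiveDc -ZoneName $Zone -RRType Srv |
        Where-Object { $_.RecordData.DomainName -like "$DeadDc.*" } |
        ForEach-Object {
            Remove-DnsServerResourceRecord -ComputerName $LiveDc -ZoneName $Zone -InputObject $_ -Force
            "removed $($_.HostName) -> $($_.RecordData.DomainName)"
        }
}

# 3. Browser residue: the defunct domain's 1B (domain master browser) and 1C
#    (domain controllers) entries in WINS keep it visible in Network
#    Neighborhood and give you the IPs that still register it. The netsh
#    syntax is an assumption from memory; confirm with
#    'netsh wins server show name /?' before running.
function Show-DefunctDomainWinsEntries {
    foreach ($suffix in '1B', '1C') {
        netsh wins server "\\$WinsSrv" show name "Name=$DeadDom" "EndChar=$suffix"
    }
}

# 4. Which box should be domain master browser for the live domain: the PDCe.
function Get-DomainMasterBrowser {
    Import-Module ActiveDirectory
    (Get-ADDomain).PDCEmulator
}

# Usage:
#   Invoke-MetadataCleanupListing        # note the index of the defunct domain
#   Remove-DefunctDomainMetadata -DomainIndex 1
#   Remove-DeadDcSrvRecords
#   Show-DefunctDomainWinsEntries
```

Run the listing first and read the index back; ntdsutil's indices are positional, and removing the wrong domain is not reversible without a restore.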

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Paul Williams
Am hwyl, dwi am ymateb drwy beidio a dweud dim byd mwy nag adlewyrchu dy
bwynt! [Welsh: For fun, I'm going to reply by saying nothing more than
reflecting your point!]


  - Original Message - 
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Thursday, August 03, 2006 2:10 PM
  Subject: OT: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

  LOL. Yep. I'm averse to such things as I'm fed up of the damned English,
  Scottish, Irish, South African and Australian (and there's a damned cheek)
  meet'g and bleh'g at me... ;-)

  Oh dear - we'll be seeing posts in Welsh next :)
  
  
  

Re: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

2006-08-03 Thread Paul Williams
Ha ha.

(I don't actually speak Welsh. A friend of mine translated my English
sentence into Welsh for that witty reply).

  - Original Message - 
  From: Dean Wells
  To: Send - AD mailing list
  Sent: Thursday, August 03, 2006 3:25 PM
  Subject: RE: [ActiveDir] Setting FFL=2 automatically when building first DC in forest

  Nod, but sfkds sdkfk skdwpoe cdof slkap d dkds y dlsdk lspw dod sfd qwpw
  slla dsk ccdpow yours too.

  --Dean Wells
  MSEtechnology*
  Email: [EMAIL PROTECTED]
  http://msetechnology.com
  
  
  
  