Re: [ActiveDir] Export Group's Members details

2007-01-14 Thread Phil Renouf

You should be able to cobble together something using the ds tools (dsquery,
dsget). I'd envision something like a dsget of the members of the group
piped to a dsget of the user information you are looking for. I'm not in a
place I can take a look at the syntax at the moment though.

Phil


On 1/10/07, Haritwal, Dhiraj [EMAIL PROTECTED] wrote:


 Hi,



How can I export the details of the members of a group, like their first name, last name, display name, SMTP address, etc.? I had tried with both csvde & ldifde but was not able to get all the information. Also, is there any list which can show all the attributes of a user…





Dhiraj Haritwal



--

This email is confidential and intended only for the use of the individual
or entity named above and may contain information that is privileged. If you
are not the intended recipient, you are notified that any dissemination,
distribution or copying of this email is strictly prohibited. If you have
received this email in error, please notify us immediately by return email
or telephone and destroy the original message. - This mail is sent via Sony
Asia Pacific Mail Gateway.
--
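The dsquery/dsget pipeline Phil sketches above, worked through as an added example (this is not code from the original thread or from either poster). It enumerates a group's members with dsget, then reads the attributes the original poster asked for (first name, last name, display name, SMTP address) with dsquery and writes them to CSV; a second function answers the "all attributes of a user" question. It assumes the Windows Server ds* tools are on PATH and PowerShell 3 or later; the group DN, user DN and output path shown are placeholders.

```powershell
# Added example, not code from the original thread. Assumes dsquery/dsget are
# available (Windows Server with RSAT/AD DS tools) and PowerShell 3+.

function Export-GroupMemberDetails {
    param(
        [Parameter(Mandatory)][string]$GroupDN,   # placeholder, e.g. 'CN=Sales,OU=Groups,DC=example,DC=com'
        [Parameter(Mandatory)][string]$OutFile    # placeholder, e.g. 'C:\temp\sales-members.csv'
    )
    # dsget group -members prints one member DN per line, wrapped in double quotes;
    # -expand follows nested groups so indirect members are included as well.
    $memberDNs = dsget group "$GroupDN" -members -expand |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ }

    $wanted = 'givenName', 'sn', 'displayName', 'mail'
    $rows = foreach ($dn in $memberDNs) {
        # dsquery * with -scope base reads just this one object and -l prints it as
        # "attribute: value" lines. The LDAP filter skips members that are not user
        # objects (nested groups, contacts); piping those into 'dsget user' is what
        # makes the naive one-liner abort part way through a large group.
        $lines = dsquery * "$dn" -scope base `
            -filter '(&(objectCategory=person)(objectClass=user))' `
            -attr $wanted -l
        if (-not $lines) { continue }

        $rec = [ordered]@{ distinguishedName = $dn }
        foreach ($a in $wanted) { $rec[$a] = '' }   # keep every column even when empty
        foreach ($line in $lines) {
            # -contains and the ordered hashtable key lookup are both case-insensitive
            if ($line -match '^\s*(\w+):\s*(.*)$' -and $wanted -contains $Matches[1]) {
                $rec[$Matches[1]] = $Matches[2].Trim()
            }
        }
        [pscustomobject]$rec
    }

    $rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
    $rows
}

function Get-AllUserAttributes {
    # The second question in the post: every populated attribute of a single user.
    # dsquery * -attr * lists what is set on that object; the list of attributes a
    # user *could* have lives in the schema partition and is not read here.
    param([Parameter(Mandatory)][string]$UserDN)   # placeholder DN
    dsquery * "$UserDN" -scope base -attr * -l
}

# Usage (placeholders):
# Export-GroupMemberDetails -GroupDN 'CN=Sales,OU=Groups,DC=example,DC=com' -OutFile 'C:\temp\sales.csv'
# Get-AllUserAttributes -UserDN 'CN=Jane Doe,OU=Users,DC=example,DC=com'
```

The plain cmd.exe form of the same pipeline is `dsget group "<group DN>" -members -expand | dsget user -fn -ln -display -email -c`; the `-c` keeps dsget going past members it cannot read, but it still stops on the first non-user object, which is why the PowerShell version filters per member instead.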



Re: [ActiveDir] (OT)silly anon access question

2006-08-04 Thread Phil Renouf
Stab in the dark before I run away to have supper, does anonymous logon have rights to connect to this server via the network?

Phil
On 8/4/06, Tom Kern [EMAIL PROTECTED] wrote:


I have a share set up on a test box. The perms on the share give Anonymous Logon access full control.
When I try to net use to the share from a stand alone workstation or a user not logged into the domain, I get prompted for a user name and password.
With Anon Logon, shouldn't I just be able to map without any prompt?

Thanks
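Phil's question, whether ANONYMOUS LOGON can connect to the server over the network at all, is decided by a few local settings rather than by the share ACL. The following added example (not from the original thread) reports those settings on the server so an administrator can see which one is closing the door: the "Access this computer from the network" user right as exported by secedit, the Lsa EveryoneIncludesAnonymous value, and the LanmanServer null-session settings. It assumes an elevated PowerShell session on the server itself; the temp file path is an assumption.

```powershell
# Added example, not code from the original thread. Run elevated on the server
# whose share is being tested. Reports the three settings that together decide
# whether ANONYMOUS LOGON (S-1-5-7) can establish a network logon and open shares.

function Get-AnonymousNetworkAccessReport {
    $inf = Join-Path $env:TEMP 'secpol-export.inf'   # assumption: writable temp path

    # secedit writes the effective local security policy to an INF; the
    # [Privilege Rights] section lists each user right with its SIDs ("*S-1-...").
    secedit /export /cfg $inf /quiet | Out-Null

    $sids = @()
    $rightLine = Select-String -Path $inf -Pattern '^SeNetworkLogonRight\s*=' |
        Select-Object -First 1 -ExpandProperty Line
    if ($rightLine) {
        $sids = ($rightLine -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ }
    }

    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Anonymous only receives "Everyone" permissions when this value is 1; the
    # default of 0 means an Everyone grant does not extend to S-1-5-7.
    $everyoneIsAnon = [int]$lsa.EveryoneIncludesAnonymous -eq 1

    # The network logon right has to name anonymous directly, or name Everyone
    # while EveryoneIncludesAnonymous is on. Without it the client is prompted for
    # credentials no matter what the share ACL says.
    $anonHasRight = ($sids -contains 'S-1-5-7') -or
                    ($everyoneIsAnon -and ($sids -contains 'S-1-1-0'))

    # Even with a network logon, a null session only reaches shares listed in
    # NullSessionShares while RestrictNullSessAccess is 1 (the default if absent).
    $restrict = if ($null -eq $srv.RestrictNullSessAccess) { 1 } else { [int]$srv.RestrictNullSessAccess }

    [pscustomobject]@{
        NetworkLogonRightSIDs     = $sids
        EveryoneIncludesAnonymous = $everyoneIsAnon
        AnonymousHasNetworkLogon  = $anonHasRight
        RestrictNullSessAccess    = $restrict
        NullSessionShares         = @($srv.NullSessionShares)
    }
}

# Usage:
# Get-AnonymousNetworkAccessReport | Format-List
```

If AnonymousHasNetworkLogon comes back false, the share permissions never get evaluated, which matches the credential prompt described in the post. Each of these settings widens what unauthenticated hosts can do to the server, so a test box that opens them should stay isolated and be reverted afterwards.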


Re: [ActiveDir] Acquisition of 2003 Forest - options & experiences

2006-07-12 Thread Phil Renouf
ADMT does a pretty good job of domain migrations, although the exchange migration tools from Microsoft do leave a few tasks to be done manually (DL migration being one of them). There is a lot of benefit in some of the 3rd party Exchange migration utilities, but for many small AD migrations ADMT has enough functionality to manage it. For larger more complex migrations the 3rd party tools offer a lot of value.


I've not tried to migrate Citrix servers in the past so I don't know if there are any specific pitfalls to watch out for with them.

Phil
On 7/12/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

I think you'd be doing yourself a favor to at least look into Quest Software's tools including Migration Manager for Active Directory. While I haven't used that particular tool I have used several of their other tools including their Domain Migration Wizard to move from NT4 to 2000/2003 with much success. They really reduce the workload in my experience and they have so much experience that they are less likely to miss something than if you try to do it manually =)
 Andrew Fidel 



Danny [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/12/2006 01:18 PM
Please respond to ActiveDir@mail.activedir.org

To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] Acquisition of 2003 Forest - options & experiences

A company with an independent 2003 Forest has been acquired. They have Exchange 2003 and a Citrix server. We have a similar configuration minus Citrix. The goal is obviously to migrate key AD objects, mailboxes, and servers into our 2003 forest.

I understand that ADMT is often the right tool for the job, but I would greatly appreciate hearing your personal experiences and any caveats that you may have run into. And is it the only tool you need?

I am off to read some MS docs on the topic and specifically ADMT. Hopefully I am able to contribute back to the list.

Thanks,
...D

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Ammunition, please!

2006-06-28 Thread Phil Renouf
It's not a best practice, but if you are a small shop and you will be maintaining all of the ACLs and permissions then it's not so bad. If you have to delegate that to someone who isn't a domain admin then you're pretty much out of luck, since you need to grant them pretty serious rights to be able to log onto the DC and perform that duty.


Also, running DHCP on a DC is a bad thing for security:
http://technet2.microsoft.com/WindowsServer/en/Library/d0e19b57-c368-46c2-b017-caf25ae150ec1033.mspx?mfr=true


See the "Securing records when using the DnsUpdateProxy group" section.

Phil
On 6/28/06, Larry Wahlers [EMAIL PROTECTED] wrote:
On a lesser note, is there any problem with having a DC also be their file server and print server? Again, we're only talking 20 people here. Assuming I can at least get the server rack locked, and I put the file shares on a separate partition (i.e., not on the C drive, of course).

This is all good. I think I have enough ammunition to, at least, cover myself if management decides to go ahead and put a DC in that location. The reason is, of course, this group of 20 folks have no money, so we'll have to buy them a server out of our own budget, because they are one of our supported clients and we have no choice. In my opinion, however, we *do* have a choice as to whether we allow a DC to be in a physically non-secure location.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876



Re: [ActiveDir] pw reset domain account

2006-06-27 Thread Phil Renouf
I think a webpage where your admin or your manager can go in under their ID on their PC and submit a request to the system to reset your password, or to automatically reset your account might be a great solution. Although this would require some diligence in keeping certain attributes in AD populated for every user, so using this in conjunction with a provisioning solution (or built into the provisioning solution) might be the best idea.


That would eliminate the need for a generic account, wouldn't require GINA modifications and won't be overly complex like trying to set up/maintain local accounts etc.

Phil
On 6/27/06, joe [EMAIL PROTECTED] wrote:



Yeah, the proper way to do this is to modify the GINA so that you can bypass normal logon and go to the website. That being said, not a lot of folks are going to modify GINAs and anyone who is will find a bit o' trouble with those GINA mods when they start deploying Vista (i.e. they won't work).

This is a tough nut to crack and the only thing I can really think of that comes close to secure is the machine that is deployed to a user also gets a local ID for them as well, or possibly a very well locked down generic local ID that gets added to all workstations. That generic ID should have IE as the shell so it comes right up in a kiosk type mode right to that web site, or better yet, a custom written GUI app that is used as the shell that exposes that web page and doesn't allow you to do anything but go to that web page (i.e. not a generic browser). I would also set up the policy for that ID on every machine such that it can't connect to any machine but the webservers hosting the kiosk website across the network... i.e. "access this machine from the network" DENY for the local generic userid. That would prevent someone from using runas or something like that to go surfing across other machines in an anonymous way since the passwords are all synced. It is a lot of work and a lot of chance of missing something.




--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of AWS
Sent: Monday, June 26, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] pw reset domain account

Yes, the latter. This is an account a user would use to login with, then the pw reset website would automatically run. The website has challenge/response Q's for them to get their individual acct reset.

On 6/25/06, joe [EMAIL PROTECTED] wrote:
 



Err, maybe you can fill in more detail. I am not quite sure what you are saying. Are you saying there is a generic ID to log into the website and it can reset anyone's password or are you saying there is a generic ID with rights to reset anyone's password or  


Either of those solutions wouldn't be optimal and I would love to work in that company for a day with that implemented and have people point out who the dumbass managers were... Or at least their IDs. eg 


Oh I just read that again, is this an idea to give a userid/password to everyone so they can get past the GINA and get to the self service website? 



--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of AWS
Sent: Sunday, June 25, 2006 6:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] pw reset domain account


There's a proposal at my company for a self service password reset website which uses a shared domain account. It's similar to a kiosk configuration, but the intent is to publicize the account and password so that it can be used from any users' PC when needed.


They have an account-specific OU/GPO configuration which locks down the typical stuff you would expect, but my position is that there are too many unknown vectors for such an account to be abused.

Since I don't dabble in the various black hat utils du jour, does anyone have any thoughts on how a globally known domain account could be hacked upon? Conversely, is there any way such an account could be effectively locked down?


Thanks,
AW




Re: [ActiveDir] pw reset domain account

2006-06-27 Thread Phil Renouf
Yeah, that is true, but the helpdesk can also have the ability to do password resets; giving a way for the admin asst or manager to also do password resets would reduce helpdesk calls, which is part of the reason for implementing something like this. If there are occasions when the manager is not around (off hours, vacation etc.) then the helpdesk can still provide the facility.


If true self-help is the goal then definitely GINA was the best choice, with the changes to Vista though I am not sure what the best solution will be.

Phil
On 6/27/06, joe [EMAIL PROTECTED] wrote:



Yeah, but that puts you right back where you were at, a call to someone else; might as well be the help desk instead of your manager. Visualize working on Saturdays or late at night or what not. The idea behind a password kiosk is so people can help themselves. We struggled with this at the widget company and the solution was determined to be a GINA extension, not sure if they implemented it as I left before the dev work was done.





--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Tuesday, June 27, 2006 1:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] pw reset domain account



I think a webpage where your admin or your manager can go in under their ID on their PC and submit a request to the system to reset your password, or to automatically reset your account might be a great solution. Although this would require some diligence in keeping certain attributes in AD populated for every user, so using this in conjunction with a provisioning solution (or built into the provisioning solution) might be the best idea. 


That would eliminate the need for a generic account, wouldn't require GINA modifications and won't be overly complex like trying to set up/maintain local accounts etc.

Phil

Re: [ActiveDir] pw reset domain account

2006-06-26 Thread Phil Renouf
Not a vendory type person, but the password reset tools that I have seen do indeed use a hook into the GINA to provide a way to hit the password reset utility without logging on to the workstation. 

This may not be an ideal solution to implement now though, since my understanding is that the GINA is no longer there in Vista. I am sure these vendors will find another way to do it, but these particular versions likely won't work immediately with Vista.


Phil
On 6/25/06, Laura E. Hunter [EMAIL PROTECTED] wrote:
I don't even need to give you a black hat tool scenario, just a human one: You're checking your Event Logs one day and see that DOMAIN\SharedAccount has accessed a file share that it shouldn't have. Given the fact that everyone in your enterprise has the password for DOMAIN\SharedAccount, how are you going to determine who did it?

Since there's no way to do so, you reset the SharedAccount password and re-communicate it to your userbase. (How are you doing that, by the way? The method to do so will unavoidably be either [a] awful to manage, [b] inherently insecure in itself, or more than likely both.)

Then you're monitoring your log files a few days later and notice that the SharedAccount account has accessed another file share that it shouldn't have. Given the fact that everyone in your enterprise has the password for SharedAccount, how are you going to determine who did it?

Since there's no way to do so, you... repeat until insane.

I'm being humorous in my response, but please don't let that take away from the larger point, which is that that's a horribly insecure way to implement a solution like that - if that were the vendor's recommended implementation, I'm thinking I'd run -far- in the opposite direction.

Don't the Quest and/or NetPro self-service password tools write a hook into the GINA to alleviate the "I don't know my password, so how do I log on to reset my password?" question? *waits patiently for a vendory-type person on the list to fill in details I don't have*

Laura

On 6/25/06, AWS [EMAIL PROTECTED] wrote:
There's a proposal at my company for a self service password reset website which uses a shared domain account. It's similar to a kiosk configuration, but the intent is to publicize the account and password so that it can be used from any users' PC when needed. They have an account-specific OU/GPO configuration which locks down the typical stuff you would expect, but my position is that there are too many unknown vectors for such an account to be abused. Since I don't dabble in the various black hat utils du jour, does anyone have any thoughts on how a globally known domain account could be hacked upon? Conversely, is there any way such an account could be effectively locked down? Thanks, AW

--
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)



Re: [ActiveDir] Mitel AD Integration

2006-06-23 Thread Phil Renouf
I've been in an environment briefly that had Mitel in it already. After speaking with them about how it was set up it sounded scary indeed. I didn't get too far into it with them with regards to what was a requirement from Mitel and what was just what they had configured, but if what they were saying was correct then the requirements from Mitel for admin rights etc. was scary.


Not much more info to share than that unfortunately; it's been a while since I was there and I didn't get too deep into it with them (wasn't the focus of why I was there). In general though their AD was working fine.


Phil
On 6/20/06, Brian Desmond [EMAIL PROTECTED] wrote:




Has anyone dealt with Mitel's Directory Integration with regard to AD? Had the first meeting about that today and it sounds scary – I haven't read the docs yet but I didn't get the good feeling today. 


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132



Re: [ActiveDir] Is this like AD blog season or what?

2006-06-23 Thread Phil Renouf
I'd love to hear more about repadmin :)

Becoming one of my favourite tools; would love to know as much as I can about it, especially any of those undocumented features... although I guess writing a blog about them might make them documented.

Too soon to start blogging about longhorn AD stuff?

Phil
On 6/22/06, Brett Shirley [EMAIL PROTECTED] wrote:
I wouldn't mind hearing specific things people would like to hear about... I have my own internal list of ideas of stuff to blog about / proto blogs / etc, but wondering how much my plan matches desire.

Cheers,
-BrettSh

On Thu, 22 Jun 2006, joe wrote:
I wouldn't mind seeing some AD Dev guys blogging. The closest to it that I am aware of is Brett then ~Eric and Eric isn't in AD Dev nor ever was but one of the more visible AD gurus. I would probably pay to subscribe to a blog by DonH if he told stories of all of the AD Dev work and why various decisions were made.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, June 09, 2006 4:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is this like AD blog season or what?

Active Directory Discussion : Introducing the Active Directory Discussion Blog: http://blogs.technet.com/ad/archive/2006/06/09/434604.aspx

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
The SBS product team wants to hear from you: http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx


Re: [ActiveDir] OT: Higher Education web access

2006-06-19 Thread Phil Renouf
So, you offer a web based view of their home directories? Are they also able to access that data via a share or something like that or is it strictly web based access to those files?

If I understand correctly you have two requirements:

- Web based access to files stored on a server with a quota to ensure that users don't blow up your disk space
- Ability to create their own web pages

Based on your website, you want them to be able to build sites completely from scratch. Do they have FTP access for uploading files? Is that important to keep? Would you consider moving to a system where much of the site is pre-created and users are able to change its look via templates etc.?


Phil
On 6/19/06, Paul Glenn [EMAIL PROTECTED] wrote:

Hello all,

Sorry for the OT, but I'm a bit at a loss on parts of the big move. As I've said in the past, I'm in the process of moving our student population from eDirectory to Active Directory. We've overcome several hurdles up to this point. Our next big one is how to give access to our students' files via a web browser and also a way to host their own web pages. Currently we accomplish this via IUAdmin and apache services. IUAdmin is not ported to the Windows platform and Apache for Windows has a few drawbacks. I was wondering if there are any higher education folks out there that wouldn't mind talking with me about their environment. To help give a better idea of what we do, I offer three web pages:

Students can login to the following page and gain access to their files. http://locker.uky.edu

The next link shows you some screenshots of what you would see if you logged in as bigtest. http://locker.uky.edu/help.htm

Then of course we offer a way for them to publish their own webpages (the first link will show you where I get my signature): http://locker.uky.edu/~pglenn

Thanks for any help even if it's just a pointer to another listserv

Paul

--
***I've got a fever and the only prescription is more cowbell.--Christopher Walken***



Re: [ActiveDir] Cross forest issue

2006-06-15 Thread Phil Renouf
Been a while since I looked at this and I've only got one forest in VM on my machine at the moment so I can't test it, but I believe that if you create a global group in ForestA you can add it to a Universal group in ForestB. You will not be able to add users from ForestA to the Domain Admins group in ForestB, but you can add them to the Administrators group (which you've already figured out).


The way I've always dealt with this was to have admin accounts in each forest, not as ideal as a unified admin account, but quite workable.

Phil
On 6/15/06, Guest, Mike [EMAIL PROTECTED] wrote:




Hi,

New member here, with an issue.
 

We have implemented 2 forests with a cross forest trust such that forest B trusts forest A one-way.

The intention is that all admins in forest A will be able to manage both forests, and that accounts in forest B cannot be authenticated in forest A 


Whilst I can add the admins from forest A into a domain local group in forest B, allowing me to grant administrators rights, I cannot add any security principal from forest A to a universal (or global) group in forest B. This precludes me from granting domain, enterprise or schema admin rights to the forest A administrators – and thus defeats the objective of having the admins in a single forest. 


(FYI, creating a DL, adding a remote user, then trying to change that group to a universal group gives the message "Foreign security principals cannot be members of universal groups")


Forest B is in a DMZ, and is solely being used to give the benefits of centralised management to the servers in the DMZ. Consequently, we want to avoid having many user accounts in that forest. Company policy states that every admin must log on using their own account 


Hope you can help.



__
Mike Guest | Capgemini | Sale Server Support | Outsourcing UK
Office: + 44 (0)870 366 1814 | 700 1814 | [EMAIL PROTECTED]
77-79 Cross Street, Sale, Cheshire. M33 7HG

Join the Collaborative Business Experience
__





This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. 



Re: [ActiveDir] Cross forest issue

2006-06-15 Thread Phil Renouf
Indeed, you are quite right. My memory is not as good as I hoped:

http://technet2.microsoft.com/WindowsServer/en/Library/517b4fa4-5266-419c-9791-6fb56fabb85e1033.mspx?mfr=true


To implement access to a resource across a forest, add universal groups (or global groups in mixed-mode domains) from trusted forests to the domain local groups in the trusting forests. For example, add the SalesAccountsOrders universal group from ForestA to the OrderEntryApp domain local group in ForestB.


Phil
On 6/15/06, Tony Murray [EMAIL PROTECTED] wrote:




You can only add members to Domain Local groups across the forest trust. Behaviour by design.

Tony


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Friday, 16 June 2006 7:56 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Cross forest issue






This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
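The rule that Tony states and Phil's TechNet quote confirms (cross-forest members go only into domain local groups of the trusting forest, nesting a universal or global group from the trusted forest) as an added worked example; it is not code from the thread or from Microsoft. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later) and a working one-way trust; ForestA/ForestB, the DC names and the group names follow the thread's SalesAccountsOrders / OrderEntryApp example and are placeholders. Adding the member as a `<SID=...>` reference, which lets the trusting DC create the foreignSecurityPrincipal object itself, is the assumed mechanism here.

```powershell
# Added example, not code from the original thread. Assumes the ActiveDirectory
# module and a trust where $TrustingForestDC's forest trusts $TrustedForestDC's.

function Add-ForeignGroupToDomainLocalGroup {
    param(
        [Parameter(Mandatory)][string]$TrustedForestDC,   # placeholder: a DC in ForestA (trusted)
        [Parameter(Mandatory)][string]$SourceGroup,       # placeholder: 'SalesAccountsOrders'
        [Parameter(Mandatory)][string]$TrustingForestDC,  # placeholder: a DC in ForestB (trusting)
        [Parameter(Mandatory)][string]$TargetGroup        # placeholder: 'OrderEntryApp'
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $src = Get-ADGroup -Identity $SourceGroup -Server $TrustedForestDC
    $dst = Get-ADGroup -Identity $TargetGroup -Server $TrustingForestDC

    # The constraint from the thread: a foreign security principal can only be a
    # member of a domain local group in the trusting forest. Fail before touching
    # the directory rather than letting the DC reject the change.
    if ($dst.GroupScope -ne 'DomainLocal') {
        throw "Target '$($dst.Name)' is $($dst.GroupScope); cross-forest members are only allowed in DomainLocal groups."
    }
    # What gets nested should be universal (global only in a mixed-mode source
    # domain), so that its own membership resolves from the trusting side.
    if ($src.GroupScope -notin 'Universal', 'Global') {
        throw "Source '$($src.Name)' is $($src.GroupScope); nest a Universal (or Global) group instead."
    }

    # Reference the foreign group by SID (assumed mechanism). The trusting DC
    # creates or reuses the foreignSecurityPrincipal for that SID and links it.
    $sidRef = "<SID=$($src.SID.Value)>"
    Set-ADGroup -Identity $dst -Add @{ member = $sidRef } -Server $TrustingForestDC

    # Verify by reading 'member' directly: Get-ADGroupMember can fail on FSPs it
    # cannot resolve, but the FSP's DN is predictable because its CN is the SID.
    $expected = "CN=$($src.SID.Value),CN=ForeignSecurityPrincipals,*"
    $members = (Get-ADGroup -Identity $dst -Server $TrustingForestDC -Properties member).member
    $linked = $members | Where-Object { $_ -like $expected }
    if (-not $linked) { throw "Membership not visible after the add; check the trust and DC replication." }
    $linked
}

# Usage (placeholders):
# Add-ForeignGroupToDomainLocalGroup -TrustedForestDC 'dc1.foresta.example' -SourceGroup 'SalesAccountsOrders' `
#     -TrustingForestDC 'dc1.forestb.example' -TargetGroup 'OrderEntryApp'
```

The same scope check is why Mike's attempt to convert a domain local group containing a remote user into a universal group fails with "Foreign security principals cannot be members of universal groups": the error comes from the FSP already in the member list, not from the conversion itself. Domain Admins, Enterprise Admins and Schema Admins are global or universal groups, so this mechanism can never put a ForestA account into them; the built-in Administrators group is domain local, which is the reason it works.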




Re: [ActiveDir] UserName & Psswd Script

2006-06-13 Thread Phil Renouf
Hi Pete,

Have you tried going to the site listed at the bottom of every message?

If you go to http://www.activedir.org/List.aspx you will find instructions on how to unsubscribe from the list.

Take care!
Phil
On 6/13/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:



PLEASE TAKE ME OFF YOUR LIST I AM GETTING HUNDREDS OF UNSOLICITED EMAILS, THX PETE


-- Original message --
From: [EMAIL PROTECTED]

Why a script? Why not:

Net use * \\server\share /u:server\user *

i.e. connect using an account defined locally on the machine named 'server'.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Za Vue
Sent: 13 June 2006 16:19
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] UserName & Psswd Script

I need to map to a windows standalone server from a domain machine with a different username and password other than the domain account. Anyone care to share a script?

Thank you,
Z.V.

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
 




Re: [ActiveDir] Profile migration to new domain

2006-06-07 Thread Phil Renouf
Doesn't the Quest migration tool now claim to be able to migrate without any trusts? It's been a little while since I looked into any migration tools though so maybe my memory is slipping.

Phil
On 6/1/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:



Moveuser.exe is the tool that I would typically use for this to do it in a batch fashion. Just not sure if the lack of trust will be an issue, but probably worth a try. It's in the Reskit tools.


Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, June 01, 2006 2:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Profile migration to new domain


Suggestions? More like a shot in the dark. :)

Have you seen the transfer your settings wizard in XP? Have you checked to see what that can do for you? I suspect there will be some scripting involved, because there will be no automated way to determine the source/target profiles programmatically. You could migrate their settings etc, but there's no sid/sidhistory to reference. Not much point in getting that information either. There's also the permissions issues etc.


Was it me, I'd suggest taking this opportunity to re-image the workstations in question. Cleaner, neater, more secure, and no lingering issues to deal with. 

Al

On 6/1/06, Condra, Jerry W Mr HP [EMAIL PROTECTED] wrote:
Hi all

The environment I'm in has multiple domains and I've been given a task to move about 40 users from one domain to another. There's no trust between the source domain and mine and no plans to have one. Too much red tape. My dilemma is trying to preserve the user's desktop profiles when they come over to my domain. In the past there's been a trust between any domain migrations I've performed which provides a host of avenues but with no trust I'm not sure of a way to do it other than some manual moves and permission/registry tweaks. However, doing that for 40 users with a manual process is not my idea of fun. Saving their email is covered so it's not an issue. Any ideas or methods would be welcomed.

Many thanks
Jerry



Re: [ActiveDir] Migrating AD to a lab

2006-03-11 Thread Phil Renouf
The way I like to deal with this (and I think it's been suggested by someone else here before) is to bring up a VM into production, promote it to be a DC/GC then turn it off. Make a copy of the VM and put that into the lab, then bring the original VM back online and DCPromo it back to a member server so that it cleans itself out of AD.


Also, I like to reset all the passwords of all the accounts if possible; scripting this is a good way to do it. At the very least change the admin/service accounts.

Phil
On 3/11/06, Ulf B. Simon-Weidner [EMAIL PROTECTED] wrote:

 
Hello Peter,

it depends on what you intend to test in your lab. Since lab security is usually more relaxed than production security (e.g. external employees getting domain admin access to test scripts or whatever) I wouldn't want my user-accounts (and worse - service and admin accounts) in the lab with their real passwords. If you just want the structure you can use the scripts provided with GPMC, and export/import user data without passwords using csvde. I'd just put the stuff in the lab you need there, 
e.g. if you just want to test GPOs the OU-Structure and some test accounts would be sufficient, if you want to test scripting for modifying users or provisioning you might need some more data.

Pulling some backup / introducing another DC / pulling drives of a RAID-mirror are valid solutions if you need production data. I'd do an imaging backup or pull/replace a drive if I have the same hardware. Also keep in mind that virtualisation is a valid solution, you can use P2V in VMWare or Virtual Server Migration Tool in VS. Virtualisation also provides you with the logical splitting of the production network from the test network, while still being able to access the test environment from any production machine. I've started to like to put my test-environment in the datacenter (well protected) and access it from my workplace.


This is another important point: I've also found that I was lazily considering if I should go in the room with the test equipment when I knew I had to be back at my workplace soon or expected some important emails. Being able to access the test environment from the desk enables me more often to use the test environment when testing a script or something. If the test environment is physical I was sometimes putting an RDP-enabled workstation with two legs in between, so I was able to RDP to the workstation and then RDP into the test environment. And multimonitor at the primary desk also provides a great gain in productivity -
e.g. RDP Fullscreen on the second monitor.

Just my 0,02€

Gruesse - Sincerely, 
Ulf B. Simon-Weidner 
MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Peter Johnson
Sent: Saturday, March 11, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrating AD to a lab


Hi all 
I was wondering, after finally getting management buy-in to build a lab, what the easiest way is to get my domain info migrated into the lab for the purposes of testing, dev etc?
Do I simply Dcpromo a new box and then cut it off from the domain and NTDSUTIL it out or do I do a state recovery from my Tivoli backups?
Anyone got any ideas/pointers etc.
Thanks & greetings from a chill server room in Johannesburg South Africa.
Peter Johnson 




Re: RE : [ActiveDir] Migrating AD to a lab

2006-03-11 Thread Phil Renouf
I usually install DNS in production as well. Then it comes over to the lab.

Phil
On 3/11/06, TIROA YANN [EMAIL PROTECTED] wrote:
Hello Phil,

I'm interested about your method.. When u put this VM into the test environment, how do u deal with DNS? Can dns be installed *after* the introduction of the DC/GC VM?

Thanks for clarification,
Yann

From: [EMAIL PROTECTED] on behalf of Phil Renouf
Date: Sat 11/03/2006 21:23
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Migrating AD to a lab


Re: [ActiveDir] Mass AD Full Name Display Name Changes - Last name, first name

2006-03-01 Thread Phil Renouf
You could also do this with ADModify: http://www.gotdotnet.com/workspaces/workspace.aspx?id=f5cbbfa9-e46b-4a7a-8ed8-3e44523f32e2

And if you want to make this change for all new user accounts that will be created as well then you might want to look into: http://support.microsoft.com/?kbid=250455

Phil

On 3/1/06, Danny [EMAIL PROTECTED] wrote:
On 3/1/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:
These may be of interest to you:
http://support.microsoft.com/kb/277717/en-us
http://support.microsoft.com/?kbid=300427

They are definitely of interest to me. :)

Thanks,
...D


Re: [ActiveDir] Auto move computer

2006-02-27 Thread Phil Renouf
Use netdom to join the machine to the domain, or precreate the computer account. When you use netdom you can specify an OU.

Phil
On 2/27/06, Harding, Devon [EMAIL PROTECTED] wrote:
If you're joining a new server to a domain (My Computer, Properties) how would you make it create the computer account in a specified OU, rather than the Computers container?

-Devon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 27, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Auto move computer

You are misaligning priorities here. Start putting something in place to create computers in the correct OU the first time. For all things already created up to this time, try moving them all to the correct OU in one exercise.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Mon 2/27/2006 8:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Auto move computer

Well, the script should check a particular OU (OU=Servers,DC=Domain,DC=Com). If the server is in that OU (and theoretically can only exist in one container/OU), then Quit.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, February 27, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Auto move computer

The issue will be how does the script know which OU the server should be in, unless of course all servers live in the same OU :)

Does the naming convention correlate to the destination OU? I'm not sure we know enough about your requirements and env yet to make a definitive stab at this one :)

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: 27 February 2006 15:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Auto move computer

This is basically what I want to happen:

Admin logs on to server. Script checks whether admin is logging onto a server in the local domain. If not, Quit. If it is, script checks if server is in the correct OU. If not, move server to correct OU. If it is, Quit.

That's it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Friday, February 24, 2006 6:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Auto move computer

Just servers for now. We'll do workstations later.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, February 24, 2006 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Auto move computer

What would? You mean you only plan to move servers and not workstations? Or do you mean that the script would only move servers and not workstations? If you are talking about the script, I don't see why it would not move anything you tell it to move.

This here http://www.akomolafe.com/Portals/1/Move%20Computers%20to%20Specific%20OUs%20based%20on%20their%20IP.txt will give you an idea of post-join mass movement of computers. If I were to rewrite that today, I'd not use expensive query or ping. But it's a start.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Harding, Devon
Sent: Fri 2/24/2006 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Auto move computer

This would only be for servers, not workstations.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-Weidner
Sent: Friday, February 24, 2006 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Auto move computer

Hi Devon,

You know that you are able to change the default location where computer accounts are created when joining a domain in a Windows Server 2003 Active Directory with redircmp.exe?

However - here's a script which moves a computer to another OU:
http://www.microsoft.com/technet/scriptcenter/scripts/ad/computer/cptrvb11.mspx

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Friday, February 24, 2006 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Auto move computer

Does anyone have a script that will auto-move a server into another OU

Re: [ActiveDir] Big problem with member of attribute

2006-02-23 Thread Phil Renouf
Have you looked at this KB article?

You cannot view a user's Universal Group membership in Windows Server 2003 Active Directory Users and Computers when Universal Groups do not reside in the local domain

http://support.microsoft.com/?kbid=833883

Phil
On 2/23/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Hello,

This is strange and difficult to explain, but I will try.

We have many domains, and in these domains, many domain controllers. In one of these domains we have some universal groups to join users from other sub-domains.

The problem is this: I cannot see the other sub-domains' universal groups the user belongs to. When I open Act Dir Users and Comp, I only see the groups in that sub-domain.

But that's not the worst. There are some cases where, if I connect to other domain controllers, it shows all the groups.

I don't know if you can understand exactly what's happening, but that is it. Can you help me?

Adrião Ferreira Ramos
Superintendency of Information Technology
Operations and Infrastructure Dept. - CII
[EMAIL PROTECTED]
11 - 3388-8193



Re: [ActiveDir] Is the Directory Infected?

2006-02-20 Thread Phil Renouf
Is there a file somewhere on his DC with the name CN=Schema,CN=Configuration,DC=company,DC=com-DC03.exe? It is possible to create a file with that name, perhaps that is what's infected.


Personally, I would unplug the DC and rebuild it from scratch. I'd also take a real good look at the other DCs and servers to make sure they weren't infected also.

Phil

On 2/20/06, Noah Eiger [EMAIL PROTECTED] wrote:


An associate emailed me yesterday and asked if he should be concerned about this which popped up on his DC console from Norton AV Corp Edition:

"Message from DC03 to DC01 on 2/19/2006.

Virus Found! Virus name: [EMAIL PROTECTED] in DC01 CN=Schema,CN=Configuration,DC=company,DC=com-DC03.exe"


I said yes, looks like you have a virus on your DC. But what is actually infected here? Is the Directory infected? And why does it list that as an exe?


Thanks.

- nme


Re: [ActiveDir] Group Membership

2006-02-17 Thread Phil Renouf
The dstools or adfind:

dsquery user ou=MyOU,dc=domain,dc=com -samid Username | dsget user -memberof

You might want to make sure that you run the commands against a GC.

Phil
On 2/17/06, Harding, Devon [EMAIL PROTECTED] wrote:


What's the quickest way to export a users' group membership?

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469








Re: [ActiveDir] OT: DR strategy question

2006-02-14 Thread Phil Renouf
joe, this reminded me of a Dilbert book:

http://www.amazon.com/gp/product/0836210263/103-1127052-4451861?v=glancen=283155
On 2/10/06, joe [EMAIL PROTECTED] wrote:
My complaints about Excel... Well that would be several long emails. Let me just point out the one major thing, whomever writes excel likes the mouse overly much. My arm is actually tired from using the mouse so much. The chart wizard is a bit too assuming as well. Ah enough.

joe


Re: [ActiveDir] Active Directory Migration Tool

2005-12-14 Thread Phil Renouf
It sounds like this is an Inter-forest move, but just to make sure you are talking about migrating users from one forest to another correct? If so then Brian has already answered your question.

If you are talking about migrating users between domains in the same forest that procedure is actually a move and not a copy. 

Phil
On 12/14/05, Brian Desmond [EMAIL PROTECTED] wrote:


ADMT will do the trick, the wizard is fairly self explanatory. Just don't disable the users in the source domain. I don't have anything handy, but, if you were to google for ADMT Forest migration I bet you'd find something.



Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lloyd Williams
Sent: Wednesday, December 14, 2005 12:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Migration Tool



I need to copy (not move) a bunch of users from one active directory to another.

I believe the active directory migration tool is what I need to do this.

Is there any web resource that walks you through how to do this?



Thanks

Lloyd


Re: [ActiveDir] csv to ldf converter

2005-12-13 Thread Phil Renouf
How are your Display names formatted? Are they say: Firstname Lastname, or Lastname, Firstname? Are the first name and last name fields in the users populated and do they have the correct case?
If so then AD Modify should fix that as you can tell it to build the Display Name from the Firstname and Lastname fields.

If not then this won't help and I'll go back to what I was doing...actually either way I'll go back to what I was doing ;)

Phil
On 12/13/05, CHIANESE, DAVID [EMAIL PROTECTED] wrote:

I just found that admodify.net cannot do what I want either. Basically if you look at my display name in e-mail here, it is all caps.. so...
In a csvde directory export of all users and using a well known excel function (=proper(A1)) I am able to give proper case to each field I want to change. So I have that part done, all DN, SN, CN and other capitalized fields have been reworked to proper case fields. The trouble I am having is converting the .csv file to .ldf so I can then modify these attributes in the directory using ldifde.


If anyone would like to look at my current spreadsheet that does this conversion (well it used to anyway), I would be happy to send a copy off list. Scripting in Excel/VB is not my forte.



Regards,


Dave


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, December 13, 2005 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] csv to ldf converter


You could just use csvde to do the import/export if that's what you're trying to do….



Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of CHIANESE, DAVID
Sent: Tuesday, December 13, 2005 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] csv to ldf converter

Would anybody have a handy csv to ldif macro for excel 2003? The one I have no longer functions. Even a .csv file to .ldf file conversion tool would help. TIA!


Regards, 
Dave 


Re: [ActiveDir] csv to ldf converter

2005-12-13 Thread Phil Renouf
Gotcha, too bad because doing this sort of thing with admodify is great.

What I've done in the past is use some excel formulas to build a dsmod command, then just put that in a batch file to update each user. Not pretty, but it works.

Phil
On 12/13/05, CHIANESE, DAVID [EMAIL PROTECTED] wrote:

They are all caps and I want them proper case. Or actually management wants them that way. :)

We have this:
On 12/13/05, CHIANESE, DAVID 
[EMAIL PROTECTED] wrote: 

We want this:
On 12/13/05, Chianese, David 
[EMAIL PROTECTED] wrote: 


Regards, 
Dave 
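An added example for the two csv to ldf threads and the earlier "Last name, first name" display-name thread (this is my code, not something posted on the list): it reads a csvde export, proper-cases givenName and sn the way Dave's =PROPER() column did, rebuilds displayName as "Lastname, Firstname", and writes either the changetype: modify records ldifde imports or the dsmod lines Phil builds in Excel. The column set, the OU=Users,DC=example,DC=com DNs and the three sample rows are constructed; the csvde/ldifde command lines in the docstring are the assumed workflow.

```python
"""Build an ldifde change file (or, alternatively, dsmod lines) from a
csvde export whose names are in the wrong case.

Added example for this thread; it is not code posted on the list.
Assumed workflow:
  csvde -f users.csv -r "(objectCategory=person)" -l givenName,sn,displayName
  python fixcase.py > changes.ldf
  ldifde -i -f changes.ldf
The sample rows below are constructed; DC=example,DC=com is a placeholder.
"""
import base64
import csv
import io
from typing import Dict, List

# Constructed sample of what csvde writes: the DN comes first, commas inside
# the RDN are backslash-escaped, and fields containing commas are quoted.
SAMPLE_CSV = (
    "DN,givenName,sn,displayName\n"
    '"CN=CHIANESE\\, DAVID,OU=Users,DC=example,DC=com",DAVID,CHIANESE,"CHIANESE, DAVID"\n'
    '"CN=O\'BRIEN\\, ANNE,OU=Users,DC=example,DC=com",ANNE,O\'BRIEN,"O\'BRIEN, ANNE"\n'
    '"CN=MÜLLER\\, JÖRG,OU=Users,DC=example,DC=com",JÖRG,MÜLLER,"MÜLLER, JÖRG"\n'
)


def proper_case(value: str) -> str:
    """Imitate Excel's PROPER(): upper-case a letter that follows a non-letter,
    lower-case every other letter. Like PROPER it turns MCDONALD into
    Mcdonald, so the output still needs a human read-through before import."""
    out: List[str] = []
    prev_letter = False
    for ch in value:
        if ch.isalpha():
            out.append(ch.lower() if prev_letter else ch.upper())
            prev_letter = True
        else:
            out.append(ch)
            prev_letter = False
    return "".join(out)


def fix_row(row: Dict[str, str]) -> Dict[str, str]:
    """Corrected givenName, sn and displayName ("Lastname, Firstname") for one row."""
    given = proper_case(row["givenName"])
    sn = proper_case(row["sn"])
    return {"givenName": given, "sn": sn, "displayName": f"{sn}, {given}"}


def ldif_line(attr: str, value: str) -> str:
    """One attribute line per RFC 2849. A value that is not a SAFE-STRING
    (non-ASCII, leading space/colon/'<', trailing space, CR/LF/NUL) must be
    base64 behind a double colon; ldifde reads it that way."""
    unsafe = (
        not value.isascii()
        or value[:1] in (" ", ":", "<")
        or value.endswith(" ")
        or any(c in value for c in "\r\n\0")
    )
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def changed_attrs(row: Dict[str, str]) -> Dict[str, str]:
    """Only the attributes whose current value differs from the corrected one."""
    return {a: v for a, v in fix_row(row).items() if row.get(a, "") != v}


def csv_to_ldif(csv_text: str) -> str:
    """One 'changetype: modify' record per row that needs a change; a row that
    is already correct produces nothing, so re-running the import is harmless."""
    records: List[str] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        changed = changed_attrs(row)
        if not changed:
            continue
        lines = [ldif_line("dn", row["DN"]), "changetype: modify"]
        for attr, value in changed.items():
            lines += [f"replace: {attr}", ldif_line(attr, value), "-"]
        records.append("\n".join(lines) + "\n")
    return "\n".join(records)


def csv_to_dsmod(csv_text: str) -> List[str]:
    """Phil's batch-file route instead: one dsmod user line per changed row."""
    cmds: List[str] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not changed_attrs(row):
            continue
        cmds.append(
            'dsmod user "{dn}" -fn "{givenName}" -ln "{sn}" -display "{displayName}"'
            .format(dn=row["DN"], **fix_row(row))
        )
    return cmds


if __name__ == "__main__":
    print(csv_to_ldif(SAMPLE_CSV))
```

Two things the spreadsheet route does not handle: ldifde only accepts a non-ASCII value (the Müller row) base64-encoded behind a double colon, and the CN is the object's RDN, so fixing its case needs a changetype: modrdn record (or dsmove -newname), not a replace. Rows that already match produce no record, which makes the import safe to re-run; since PROPER-style casing gets names like McDonald wrong, read the .ldf before running ldifde -i against the domain.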


Re: [ActiveDir] time sync..

2005-12-13 Thread Phil Renouf
One small addition to this: DCs in a child domain can sync with any DC in their domain or any DC in the parent domain; the PDCe of a child domain can sync with the PDCe of the root domain or any DC in the root domain.


Phil
On 12/13/05, Tony Murray [EMAIL PROTECTED] wrote:

Hi Manjeet

Domain members sync their time with a local DC. DCs sync their time with the PDCE. The PDCEs for each domain sync with the root domain PDCE. The recommendation is for the root PDCE to sync with an internal hardware clock, but an external time source would also do the trick. This is true for both mixed and native mode.


Time should be ok if the PDCE is out for a short period of time, because the time on the machines that sync with it are not likely to go out of sync quickly. 


If you plan to take the PDCE out for any length of time (e.g. for major maintenance) then consider transferring the PDCE role to another DC in advance.


Tony


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Manjeet Singh
Sent: Wednesday, 14 December 2005 8:11 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] time sync..




In a Windows 2003 AD environment-

In terms of time sync, what's the effect on client when the server having PDC emulator role is down?


One of my third party clients (outside the AD environment) is unable to sync the time with the AD ntp server when PDC emulator server was down.


What are the actual roles of a PDC emulator in syncing the time?

Is this functionality different in mixed and native mode?


Thanks,
Manjeet






Re: [ActiveDir] Ntds.dit file corruption

2005-12-05 Thread Phil Renouf
Will Read Only DCs take care of this? I don't know much about them yet, but it makes sense that if the copy of the dit that a DC has is RO that it won't try to replicate that anywhere and would only be the recipient of replication. Anyone with more knowledge about how RO DCs will work to comment on that?


Phil
On 12/5/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
Well at least the corruption occurred on just a single DC. One thing that has bugged me about Active Directory is not being able to select if you want a DC in a remote office to not have the ability to replicate back in a large enterprise environment. Since most remote offices only have a few people at the location and a DC is usually placed for improvised logon and authentication time, many companies will either use a very low end server or a very old decommissioned one from their production data center (which is probably close to usable life). I am always concerned that once the NTDS.DIT file becomes corrupt it will replicate the corruption to the other DCs in the forest.

Maybe I am just being a worry wart and this really is not an issue.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, December 05, 2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

I did? :-)

I think I still said all I know is what the poster said :-)

I think I need a course in event log reading because even with the logs, and the default size of the logs, I still don't see a smoking gun. The directory services one is filled with events 'post' blow up.

What is interesting is that it seems to me big server land goes .. oh yeah... ntds.dit corruption... and sbsland freaks out. Either we do indeed need to ensure we have a secondary DC or we need to park a second copy of a system state offsite [say at the vap/var]

Brett Shirley wrote:

She replied offline, very likely a single bit flip, tragedy, they aren't one release later (Longhorn), where this would've probably been non-disruptively handled, logged, and possibly self-healed:
http://blogs.technet.com/efleis/archive/2005/01.aspx

Anyway, this kind of thing is usually hardware ... While there are much better disk sub-system testers, one that is freely available to any box with Exchange is jetstress. You might give that a try. If you can reproduce the event / error with jetstress I would not use that box in production.

If you do reproduce the issue several times (several times is key, as you want a trend before you start playing the variable game), some things you might vary (one at a time):
- Try making sure you have the latest driver and motherboard / controller firmware. Then see if you can reproduce.
- Try a different RAID configuration, such as RAID1/RAID1+0 if you're on RAID5.
- Try swapping out the hard drives, one at a time.
- Adding the jetstress files to the exclude list in the Anti-Virus software. (A low probability, I've never heard of Anti-Virus causing this particular type of error, and I can't imagine the mistake an anti-virus product would have to have to cause this side effect)
- If you can reproduce it several times, you could followup with Dell.

Good luck. I'm not sure if I answered your question ...

Cheers,
BrettSh

On Sun, 4 Dec 2005, Eric Fleischman wrote:

Going back to the original post, I'm not sure I fully understand the problem yet. Susan, can you define ntds.dit file corruption for us? What sort of corruption? What errors/events lead you to believe this? Specifically, I'm interested in errors from NTDS ISAM or ESE if you have any.

From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sat 12/3/2005 10:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ntds.dit file corruption

SBS box [with Windows 2003 sp1 since September]
RE: [ActiveDir] Database Corruption: http://www.mail-archive.com/activedir@mail.activedir.org/msg32676.html

We have a SBS 2003 sp1 box with a corrupt ntds.dit that the Consultant and PSS have been banging on. Could not get the services back running, changed the RPC service to local system and some service came back up [I don't have all the details but the consultant opened a support case of SRX051202605433].

Bottom line they are about going to give up and start a restore but before they do that I'd like to get the view of the AD gods and goddesses around here. From all that I've seen, read, seen in the SBS newsgroup, the corruption of ntds.dit is rare to nil and an underlying cause is hardware issues [raid, disk subsystem]. This doesn't just happen.

The VAP asked if not properly excluding the ad databases from the a/v would cause this/trigger this and my expectation is 'no', given that I doubt the majority of us in SBSland properly set up

Re: [ActiveDir] Ntds.dit file corruption

2005-12-05 Thread Phil Renouf
I was thinking about Longhorn :) It has been brought up here as a possible longhorn feature a couple of times, but yeah that doesn't help much for the immediate future.

Phil
On 12/5/05, Medeiros, Jose [EMAIL PROTECTED] wrote:

I was not aware that Microsoft had incorporated such a feature in AD 2003. I know for a fact that Microsoft did not have this feature when AD 2000 was first released because I mentioned it to several Microsoft AD premier support specialists and they each confirmed it was not available ( However it may have been added in a service pack ).


I would love to know how to enable a read only DC. I think that is a great idea, I wonder who thought of it. :-)
Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption
Will Read Only DC's take care of this? I don't know much about them yet, but it makes sense that if the copy of the dit that a DC has is RO that it won't try to replicate that anywhere and would only be the recipient of replication. Anyone with more knowledge about how RO DC's will work to comment on that? 


Phil
On 12/5/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
Well at least the corruption occurred on just a single DC. One thing that has bugged me about Active Directory is not being able to select if you want a DC in a remote office to not have the ability to replicate back in a large enterprise environment. Since most remote offices only have a few people at the location and a DC is usually placed for improvised logon and authentication time, many companies will either use a very low end server or a very old decommissioned one from their production data center ( Which is probably close to useable life ). I am always concerned that once the NTDS.DIT file becomes corrupt it will replicate the corruption to the other DC's in the Forest. Maybe I am just being a worry wart and this really is not an issue.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, December 05, 2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

I did? :-)

I think I still said all I know is what the poster said :-)

I think I need a course in event log reading because even with the logs, and the default size of the logs, I still don't see a smoking gun. The directory services one is filled with events 'post' blow up. What is interesting is that it seems to me big server land goes .. oh yeah... ntds.dit corruption... and sbsland freaks out. Either we do indeed need to ensure we have a secondary DC or we need to park a second copy of a system state offsite [say at the vap/var]

Brett Shirley wrote:
 She replied offline, very likely a single bit flip, tragedy, they aren't one release later (Longhorn), where this would've probably been non-disruptively handled, logged, and possibly self-healed:
 http://blogs.technet.com/efleis/archive/2005/01.aspx

 Anyway, this kind of thing is usually hardware ...

 While there are much better disk sub-system testers, one that is freely available to any box with Exchange is jetstress. You might give that a try. If you can reproduce the event / error with jetstress I would not use that box in production.

 If you do reproduce the issue several times (several times is key, as you want a trend before you start playing the variable game), some things you might vary (one at a time):
 - Try making sure you have the latest driver and motherboard / controller firmware. Then see if you can reproduce.
 - Try a different RAID configuration, such as RAID1/RAID1+0 if you're on RAID5.
 - Try swapping out the hard drives, one at a time.
 - Adding the jetstress files to the exclude list in the Anti-Virus software. (A low probability, I've never heard of Anti-Virus causing this particular type of error, and I can't imagine the mistake an anti-virus product would have to have to cause this side effect)
 - If you can reproduce it several times, you could follow up with Dell.

 Good luck. I'm not sure if I answered your question ...

 Cheers,
 BrettSh

 On Sun, 4 Dec 2005, Eric Fleischman wrote:
 Going back to the original post, I'm not sure I fully understand the problem yet. Susan, can you define ntds.dit file corruption for us? What sort of corruption? What errors/events lead you to believe this? Specifically, I'm interested in errors from NTDS ISAM or ESE if you have any.

 From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
 Sent: Sat 12/3/2005 10:58 PM
 To: ActiveDir@mail.activedir.org 

Re: [ActiveDir] Quest Migration manager(OT)

2005-11-23 Thread Phil Renouf
IIFP will do what you're looking for, but can be a bit of work to set up and get working. It is not the most intuitive interface I've worked with.

Phil
On 11/23/05, Tom Kern [EMAIL PROTECTED] wrote:

Thanks.

I'm pretty sure Quest can't do this. I'm not sure why it only goes one way for pw's or if there is anyway to enable 2-way sync just for certain attribs..

I don't think management wants to not expire passwords which is why i'm here bugging you guys :(

I guess using Identity Integration Feature Pack would be overkill as well


Thanks again

On 11/23/05, Medeiros, Jose [EMAIL PROTECTED] wrote:

Hi Tom, 

I know of no script that can do this. Why don't you just not expire the password in the source domain? The other option is to use a tool that will dump the passwords into a text file such as pwdump. However Joe may have a better solution.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, November 23, 2005 9:54 AM
To: activedirectory
Subject: [ActiveDir] Quest Migration manager(OT)
Hi all, I'm currently running the Quest DSA to sync 2 forests in one direction- source to target.

However our source forest contains Exchange and OWA access and will for a few months till this is complete.

The issue I'm running into is that a user's password will expire in the target domain and they will change it but since password synch is only one way, it will never get updated on the source user object and when they try to log into my front end owa server, which is in the target domain, they get all confused.


My question is- is there a free(Script?) way to synch passwords in the other direction for OWA or some way through Quest that I don't know about?

Thanks.
Apologies for the OT


Re: [ActiveDir] Quest Migration manager(OT)

2005-11-23 Thread Phil Renouf
That link is a bit misleading, the 180 day evaluation is for the full MIIS product. One of the links further down the page leads to the IIFP information.
IIFP is a free product, but you do need a Win2k3 Enterprise box with SQL 2000 (Enterprise or STD) with SP4. Not sure of the support in IIFP/MIIS for SQL 2005.

Phil
On 11/23/05, Medeiros, Jose [EMAIL PROTECTED] wrote:

I forgot about that product. What threw me off was the fact that he stated free. However the term free is relative since it is a free eval for 180 days.

I watched a webcast on this product when it was first released, it did not appear to be very intuitive and seemed very complex to configure and manage, at least from a systems administrator stand point.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jackson Shaw
Sent: Wednesday, November 23, 2005 10:37 AM
To: ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] Quest Migration manager(OT)


The Intelligent Integration Feature Pack (IIFP) from Microsoft will do the password sync. Free download.


http://www.microsoft.com/windowsserversystem/miis2003/downloads/default.mspx

Cheers,

jackson

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, November 23, 2005 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Quest Migration manager(OT)

Thanks.

I'm pretty sure Quest can't do this. I'm not sure why it only goes one way for pw's or if there is any way to enable 2-way sync just for certain attribs..

I don't think management wants to not expire passwords which is why i'm here bugging you guys :(

I guess using Identity Integration Feature Pack would be overkill as well

Thanks again

On 11/23/05, Medeiros, Jose [EMAIL PROTECTED] wrote:

Hi Tom,

I know of no script that can do this. Why don't you just not expire the password in the source domain? The other option is to use a tool that will dump the passwords into a text file such as pwdump. However Joe may have a better solution.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, November 23, 2005 9:54 AM
To: activedirectory
Subject: [ActiveDir] Quest Migration manager(OT)

Hi all, I'm currently running the Quest DSA to sync 2 forests in one direction- source to target.

However our source forest contains Exchange and OWA access and will for a few months till this is complete.

The issue I'm running into is that a user's password will expire in the target domain and they will change it but since password synch is only one way, it will never get updated on the source user object and when they try to log into my front end owa server, which is in the target domain, they get all confused.

My question is- is there a free(Script?) way to synch passwords in the other direction for OWA or some way through Quest that I don't know about?

Thanks.

Apologies for the OT


Re: [ActiveDir] Renaming AD accounts en masse

2005-11-17 Thread Phil Renouf
CSVDE is probably a good bet since you have the information in Excel already:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/1050686f-3464-41af-b7e4-016ab0c4db26.mspx


Phil
On 11/17/05, Rimmerman, Russ [EMAIL PROTECTED] wrote:

What's the easiest and quickest way to rename a large (1000+) number of AD user accounts? LDIFDE? 
AD.NET? Or is there something easier? I'm going to be importing 1000+ AD accounts that are first.last for the username and will want to rename them to a specific username listed in an excel spreadsheet.




~~This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.~~


Re: [ActiveDir] Renaming AD accounts en masse

2005-11-17 Thread Phil Renouf
Ahh right, I always get that mixed up thinking it's the other way around.
On 11/17/05, Tony Murray [EMAIL PROTECTED] wrote:


You can create with CSVDE but not modify, so it wouldn't be suitable for renaming.

A script or LDIFDE would be the obvious alternatives.

Tony





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Friday, 18 November 2005 6:17 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Renaming AD accounts en masse



CSVDE is probably a good bet since you have the information in Excel already:




http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/1050686f-3464-41af-b7e4-016ab0c4db26.mspx 



Phil

On 11/17/05, Rimmerman, Russ [EMAIL PROTECTED] wrote:

What's the easiest and quickest way to rename a large (1000+) number of AD user accounts? LDIFDE? 
AD.NET? Or is there something easier? I'm going to be importing 1000+ AD accounts that are first.last for the username and will want to rename them to a specific username listed in an excel spreadsheet.
 




~~This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.~~

This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
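As an added example (not from the thread or from Microsoft's tooling), here is a Python script that turns the spreadsheet Russ describes, exported as CSV, into an LDIF file that LDIFDE can import to replace sAMAccountName and userPrincipalName on each account, which is the modify operation Tony points out CSVDE cannot do. The column names (dn, newname), the UPN suffix and the sample rows are constructed assumptions; the script base64-encodes values LDIF cannot carry in clear and refuses new names AD would reject (over 20 characters, forbidden characters, duplicates) so the import does not stop halfway through 1000+ records.

```python
import base64
import csv
import io
import re

# Constraints AD enforces on a user's sAMAccountName: at most 20 characters,
# and none of the characters it rejects in that attribute.
SAM_MAX_LEN = 20
SAM_BAD_CHARS = re.compile(r'["/\\\[\]:;|=,+*?<>]')

# Constructed sample export standing in for the spreadsheet in the thread.
# Assumed columns: the object's DN and the new logon name. Row 3 is too long,
# row 4 reuses a name already assigned (case-insensitively) in row 1.
SAMPLE_CSV = """dn,newname
"CN=john.smith,OU=Users,DC=example,DC=com",jsmith
"CN=maría.lópez,OU=Users,DC=example,DC=com",mlopez
"CN=too.long,OU=Users,DC=example,DC=com",this_name_is_far_too_long_for_ad
"CN=jane.smith,OU=Users,DC=example,DC=com",JSMITH
"""


def ldif_attr(name, value):
    """Format one 'name: value' line, base64-encoding (the 'name:: b64' form)
    any value LDIF cannot carry in clear: non-ASCII text, embedded line
    breaks, or a leading space, colon or '<'."""
    clear_safe = (
        value.isascii()
        and not any(c in value for c in "\x00\r\n")
        and not value.startswith((" ", ":", "<"))
        and not value.endswith(" ")
    )
    if clear_safe:
        return f"{name}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {encoded}"


def validate_sam(name):
    """Return a reason string if the new sAMAccountName is unusable, else None."""
    if not name:
        return "empty"
    if len(name) > SAM_MAX_LEN:
        return f"longer than {SAM_MAX_LEN} characters"
    if SAM_BAD_CHARS.search(name):
        return "contains a character AD rejects"
    return None


def rename_record(dn, new_sam, upn_suffix):
    """One LDIF 'modify' record. LDIFDE wants each attribute change closed
    with a '-' line, and records separated by a blank line."""
    lines = [
        ldif_attr("dn", dn),
        "changetype: modify",
        "replace: sAMAccountName",
        ldif_attr("sAMAccountName", new_sam),
        "-",
        "replace: userPrincipalName",
        ldif_attr("userPrincipalName", f"{new_sam}@{upn_suffix}"),
        "-",
    ]
    return "\n".join(lines) + "\n"


def build_ldif(csv_text, upn_suffix):
    """Return (ldif_text, skipped) where skipped lists (dn, reason) for rows
    that were left out so the operator can fix the spreadsheet first."""
    records, skipped, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        dn, new_sam = row["dn"].strip(), row["newname"].strip()
        reason = validate_sam(new_sam)
        if reason is None and new_sam.lower() in seen:
            reason = "duplicate new name in the input"
        if reason:
            skipped.append((dn, reason))
            continue
        seen.add(new_sam.lower())
        records.append(rename_record(dn, new_sam, upn_suffix))
    return "\n".join(records), skipped


if __name__ == "__main__":
    ldif, skipped = build_ldif(SAMPLE_CSV, "example.com")
    print(ldif)
    for dn, reason in skipped:
        print(f"# skipped {dn}: {reason}")
    # Save the output as rename.ldf and import with:
    #   ldifde -i -f rename.ldf -s <dc-name>
```

This only touches the logon attributes; if the CN also carries the old first.last name, that rename needs a separate `changetype: modrdn` record, which this generator does not emit.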



Re: [ActiveDir] Raid suggestions for DC maybe OT

2005-11-08 Thread Phil Renouf
That is also something that comes up in big Exchange installs (using only part of each spindle), especially in SAN configs.

Phil
On 11/7/05, joe [EMAIL PROTECTED] wrote:

How about just not partitioning the whole disk of the larger disks? Note I didn't come up with that idea, that came from a young whippersnapper I know out of Redmond whom I was discussing the fastest AD disk configs with a few weeks ago. I haven't tried it but it makes sense to me. Just allocate maybe 10-12GB of each of the 36GB drives across an array or so.


Course you could always say screw the fault tolerant RAIDs, this isn't Exchange, and run commando with a stripe set. If you have enough extra DC capacity in the site you could have them all running really fast and then when one blows it just goes away. Most applications that are written properly for AD handle that just fine except apps that hard sync to a single DC. 


If I have 7-8 disks, I wouldn't hesitate to put them in a single RAID-10/0+1 type config. OS and Logs are snoring on most DCs. All of the action is around the DIT unless you get that baby into memory which was the first I think 20 responses I got from the whippersnapper. Use 64 bit. I know but... use 64 bit... I know but use 64 bit I know but are you still here, use 64 bit



 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carr, Jonathan (OFT)
Sent: Monday, November 07, 2005 6:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Raid suggestions for DC maybe OT




We have a lot of users coming back to our central site and we use the following config.


adapter #1  raid 1 ( 2 disk) O/S

adapter #2 raid 1 ( 2 disk) AD LOGS

adapter #3 === raid 5 (3 disk) with global hot spare AD Data


the key to this using this is that all the equipment (SCSI disk,SCSI controller) is Ultra 320 spec with low latency and low seek times (15 K rpm usually). The other thing that has been noticed is that use as small a disk as you can get. (8 GB) Some of the manufacturers are saying they only can supply 36GB drives on new equipment. These drive are ok but the seek time goes up because of the size of the drive




this config works good also


adapter #1  raid 1 ( 2 disk) O/S

adapter #2 raid 1 ( 2 disk) AD LOGS and raid 5 (3 disk) with global hot spare (total of 6 on this channel)




hope this helps










This e-mail, including any attachments, may be confidential, privileged or otherwise legally protected. It is intended only for the addressee. If you received this e-mail in error or from someone who was not authorized to send it to you, do not disseminate, copy or otherwise use this e-mail or its attachments. Please notify the sender immediately by reply e-mail and delete the e-mail from your system.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Sunday, November 06, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Raid suggestions for DC maybe OT




LOL. I actually pinged Rick on the official guidelines previously for an Enterprise class DC with 4 disks, he was actually one of 4 people I queried since I hadn't seen what I considered good official docs on it. Rick quoted the K3 Deployment guide which is definitely a good start. It indicates


RAID 1 - OS
RAID 1 - Logs
RAID 1 or 0+1- SYSVOL/DIT

If you have less than 1000 users using the DC it says you can use one single RAID-1 for the whole thing. Though you have the same issue here as you have for anything, how are the 1000 users using it and what else is using it? Exchange? If so, I doubt I would do a single RAID-1 unless it was very few users. 


Otherwise you are looking at a minimum of 6 disks for all RAID-1s or 8 disks if 0+1 and RAID-1. 

When you actually look at it, the OS and the logs are using little IOPS on a dedicated DC and splitting them off onto their own disk is probably unnecessary. The DIT assuming it isn't all cached and is being heavily hit (like say by Exchange) is raping the disk subsystem. When you have an app that wants lots of IOPS what do you do? You increase the number of spindles... So for throughput, the fastest four disk configuration is going to be a RAID-5 or a 0+1 or 10. In tests I did several years ago with one hardware vendor RAID-10 and 5 were very close (within a few IOPS) with RAID-5 eking out the lead. They both blew RAID-1 away. In more recent tests I heard of from someone using another hardware vendor, RAID 0+1 eked out over RAID-5 by a few IOPS and again blew RAID-1 out of the water. Obviously the tests were different so I recommend folks do their own testing with their own hardware. The fastest disk configs I am aware of are 6 and 8 disk RAID-10/0+1 setups with 8 disks supposedly being rock star fast if you have the room internally. To put it another way, if I had 8 disks, I certainly wouldn't be following the deployment guide config for those disks, it would be a RAID-10/0+1 setup. The 6 disk RAID-10s (The Dells I was 

Re: [ActiveDir] Exchange server 2003

2005-11-08 Thread Phil Renouf
I think Brian was on the right track. I am unable to connect to either server over port 25; although you might not have a firewall in place your cable provider may be blocking port 25 inbound to your servers. That is fairly common in cable/dsl providers.


Phil
On 11/8/05, Abdul [EMAIL PROTECTED] wrote:


Thanks
My server is directly connected to internet through consumer cable No firewall.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, November 08, 2005 12:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange server 2003


Have you opened tcp25 inbound on your firewall to the Exchange server? You need this for other SMTP servers to communicate with you. If this is a consumer class of cable, it's also possible they shutdown inbound smtp globally in which case you'll have to give them a ring to see if they'll open it for you. 



Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132








From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Abdul
Sent: Tuesday, November 08, 2005 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange server 2003
Hi,
I have setup exchange 2003 servers on ms and dc. Both connected to internet by cable. I can send and receive e-mail locally/internally. I can also send e-mail to external address. But I can not receive e-mail from external address. Any suggestion
Check from dnsreport is as under
http://dnsreport.com/tools/dnsreport.ch?domain=eitlink.com

I am not sure how to correct the problem mentioned at the end of the report.
Thanks
Ranga


Re: [ActiveDir] OWA after resetting password

2005-11-02 Thread Phil Renouf
I am wondering that since this is a helpdesk password reset, are the helpdesk personnel checking the Must Change Password at Next Login box. If that is checked then the user won't be able to log into OWA until they change their password themselves.


Phil
On 11/2/05, Peter Johnson [EMAIL PROTECTED] wrote:
I'm assuming this difference in behavior is due to the fact that an OWA login is not an interactive login through LSASS. A possible solution is to get your hands on the ALTOOLS download from Microsoft. One of the tools in this set is the additional info dll. It allows you to reset the password on a DC in the site in which the user last logged in.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Figueroa, Johnny
Sent: 02 November 2005 15:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OWA after resetting password

Thanks, the AvoidPdcOnWan is not on in our environment and there is no firewall between the sites. I am waiting to hear from someone that knows OWA internals, to see if what we see is the case and if there is anything that can be done about it.

Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 02, 2005 4:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OWA after resetting password

I'm not an expert on OWA, but as you mentioned in the first part of your message the DC performs the check against the PDC to see if the password has been changed. So long as OWA is using a DC to authenticate a user, which I'm assuming it does, then the DC will handle the PDC check invisibly. The replication interval won't have any effect on the PDC getting notified of the change as a separate mechanism is used to inform the PDC of the change.

If your OWA is sitting on a secure network along with a selection of DC's, is it possible that the DC's there can't contact the PDC due to firewall rules?

Also, check if you're using AvoidPdcOnWan - http://support.microsoft.com/?kbid=225511

Regards,
Mark.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Figueroa, Johnny
Sent: 02 November 2005 09:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OWA after resetting password

This is all in an Exchange 2003 and AD 2003 environment.

I wonder if I have this right? When the help desk resets a password in ADUC, that password change is made against the DC that the tool is connected to and the PDC Emulator. If a user logs on to the network the authenticating DC checks the password against its database, if the passwords do not match then it goes to the PDC Emulator to resolve the conflict and the user gets on with the new password.

If a user is only an OWA user and he tries to logon to OWA after a help desk password reset, it appears that if replication against the DCs in the Exchange AD site has not happened then the new password is not recognized. In other words there is a delay between resetting the password and the user being able to sign on with it. I take it that OWA does not check against the PDC Emulator but just the DCs in its site.

Is there anything that can be done about this, other than reducing the interval for replication on the site connector?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services
Banner Health
Voice (602)495-4195 Fax (602) 495-4406

WARNING: This message, and any attachments, are intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or employee/agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of the communication is strictly prohibited. If you receive this communication in error, please notify us immediately

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

For more information about Barclays Capital, please visit our web site at http://www.barcap.com.

Internet communications are not secure and therefore the Barclays Group does not accept legal responsibility for the contents of this message. Although the Barclays Group operates anti-virus programmes, it does not accept responsibility for any damage whatsoever that is caused by viruses being passed. Any views or opinions presented are solely those of the author and do not necessarily represent those of the Barclays Group. Replies to this email may be monitored by the Barclays Group for operational or business reasons.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List 

Re: [ActiveDir] OT: Robocopy command..

2005-10-25 Thread Phil Renouf
I know it's not really what you've asked, but would VSS be a good option for you? It seems like a good alternative to what you're talking about, but would need a client on the desktops of people who you want to be able to recover items on their own.


http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/2b0d2457-b7d8-42c3-b6c9-59c145b7765f.mspx


Phil
On 10/25/05, Frank Abagnale [EMAIL PROTECTED] wrote:

Hi Alain,

I have thought about this, but the supervisor of this dept does not want the files removed in the target directory if they are deleted in the source, he kind of wants this as an archived/backed up copy.
Alain Lissoir [EMAIL PROTECTED] wrote:


Have you looked at /MIR? (Mirror)
It adds files in the target folder added in the source folder.
It updates files in the target folder updated in the source folder.
It removes files in the target folder removed in the source folder.
Untouched files just stay as they are and they are not copied over.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Abagnale
Sent: Tuesday, October 25, 2005 3:05 AM
To: Active
Subject: [ActiveDir] OT: Robocopy command..



Hi.
I have used robocopy to copy an entire folder content from oldserver1 to newserver1.

I want to keep this data on the newserver consistent, however I only want it to copy file changes and additional files that have been created, not the entire folder content.

I was thinking of using robocopy d:\source d:\destination /e /IT /log:e:\log.txt /r:1

does anyone have any thoughts about the parameters I've used? 
thanks

frank










Re: [ActiveDir] OT: Exchange Insider articles

2005-10-20 Thread Phil Renouf
Damn, this Gmail switching to rich text editing is messing with me! Sorry folks.

Phil
On 10/20/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
Ah, the MS cut and paste from OWA bug that leaves the OWA tag in the html :-)
https://mail.microsoft.com/exchweb/bin/redir.asp?URL=""

Try this:
http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/default.mspx

Hutchins, Mike wrote: That link send me to an OWA login for MS...

 *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of *Phil Renouf
 *Sent:* Wednesday, October 19, 2005 8:07 PM
 *To:* activedir@mail.activedir.org
 *Subject:* [ActiveDir] OT: Exchange Insider articles

 Since Exchange seems to come up here fairly often I figured there would be some people interested to know that there are some new articles being posted to the Exchange site titled Exchange Insider articles. There is a lot of great information there and I believe there are more to come.

 http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/default.mspx
 https://mail.microsoft.com/exchweb/bin/redir.asp?URL=""

 Phil

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] Virtual Servers in Branch Offices

2005-10-19 Thread Phil Renouf
And by doing it this way you don't need to give anyone access to the physical machine, you can give them access to the Virtual Server website and allow them to access the f/p server that way.

Phil
On 10/19/05, Al Mulnick [EMAIL PROTECTED] wrote:

Strange, I was just having this conversation today with a co-worker. :)

My thoughts? I'd say make it a GC and put the f/p in the virtual. Why? because you still need to protect the physical, but the virtual you can give out access to. The downside is that the virtual machine requires IIS (in Microsoft products) meaning you have a vector for attack. But nothing that requires changing the security otherwise for the GC. 


I prefer not to put IIS on a GC for security reasons, but if you can get away without it then I should think that this method would provide greater ability to secure it. Keep in mind that physical access is still warranted. It's just that you wouldn't have to worry about somebody taking the GC home on a USB key like they otherwise could ;)


It's not pretty no matter which way you turn IMHO. Could be better. 

Al



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
Sent: Wednesday, October 19, 2005 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

I assume you are referring to the fact that the host could be compromised over the network and the virtual hard drive or virtual machine itself simply copied. (Just for the record, this is covered in the white paper. Did not mean to imply that it is not. Security in this respect is referred over to NTFS permissions).


So given that you could have a single physical machine at a branch office and that you must have a DC and F/P service, what is the preferred configuration?


-- nme

P.S. thanks for keeping this thread going.



From: Dean Wells [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 18, 2005 8:42 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Does placing the DC inside a virtual machine add any security? Would it be harder for someone with physical access to compromise the DC? The white paper does not really make this clear. Also, I am assuming that a host machine would be a domain member, right? Does it authenticate off the virtual DC?


Dean
Virtual DCs effectively weaken the broader definition of security in a number of ways including the context of physical access ... this is due primarily to the relative ease with which the entire DC's state can be duplicated, subsequently, becoming portable and reproduced in a running state elsewhere with little to no effort.


The host machine has no bearing ... it's rather like saying the rack in which the server is physically housed has to be a domain member (or any further extension of that particular metaphor). Keep in mind the VM (for the most part) doesn't even realize it's virtual.

/Dean

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
Sent: Friday, October 14, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Thanks for the thoughts. And thanks Tony for the reference -- just finished reading it.

Unfortunately, deploying the DC at HQ or simply authenticating over the WAN is not really an option. The WAN links are ok (and getting better) but are located in places where environmental (as in the weather) conditions often cause short interruptions.


Does placing the DC inside a virtual machine add any security? Would it be harder for someone with physical access to compromise the DC? The white paper does not really make this clear. Also, I am assuming that a host machine would be a domain member, right? Does it authenticate off the virtual DC? [1]


Thanks again.

-- nme

[1] This sort of reminds me of the scene in Animal House when they talk about the whole universe as we know it existing under the fingernail of some other giant being... Whoa, dude!




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 13, 2005 12:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Other important factors in this scenario must be the physical and logical security of the server housing the DC role.

1. Will the server be securely locked away in the branches? If not, do not deploy a DC.
2. Do you trust the file server admins to have physical access to the server hosting the DC role?
3. Who administers the server that hosts the file and DC roles? Are they also trusted?

When designing the branch office, I would always ask the questions below, too:
1. Is a local DC required? i.e. what are the drawbacks if a DC is not deployed?
2. Is logon/startup traffic over the WAN larger than replication traffic over the WAN? If not, consider not deploying a local DC.

3. Does a local DC offer 

[ActiveDir] OT: Exchange Insider articles

2005-10-19 Thread Phil Renouf
Since Exchange seems to come up here fairly often I figured there would be some people interested to know that there are some new articles being posted to the Exchange site titled Exchange Insider articles. There is a lot of great information there and I believe there are more to come.



http://www.microsoft.com/technet/prodtechnol/exchange/2003/insider/default.mspx

Phil


Re: [ActiveDir] Virtual Servers in Branch Offices

2005-10-19 Thread Phil Renouf
Would you put the admin site on a server not at that location? Because if you wouldn't then that won't help much since if you had another server to put the admin site on at the remote location then that would be a good place to put the f/p services.


Phil
On 10/19/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
You can separate the 2 roles. You can put the admin site on a non-dc server.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Wed 10/19/2005 6:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Strange, I was just having this conversation today with a co-worker. :)

My thoughts? I'd say make it a GC and put the f/p in the virtual. Why? Because you still need to protect the physical, but the virtual you can give out access to. The downside is that the virtual machine requires IIS (in Microsoft products) meaning you have a vector for attack. But nothing that requires changing the security otherwise for the GC. I prefer not to put IIS on a GC for security reasons, but if you can get away without it then I should think that this method would provide greater ability to secure it. Keep in mind that physical access is still warranted. It's just that you wouldn't have to worry about somebody taking the GC home on a USB key like they otherwise could ;)

It's not pretty no matter which way you turn IMHO. Could be better.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
Sent: Wednesday, October 19, 2005 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

I assume you are referring to the fact that the host could be compromised over the network and the virtual hard drive or virtual machine itself simply copied. (Just for the record, this is covered in the white paper. Did not mean to imply that it is not. Security in this respect is referred over to NTFS permissions.)

So given that you could have a single physical machine at a branch office and that you must have a DC and F/P service, what is the preferred configuration?

-- nme

P.S. thanks for keeping this thread going.

Re: [ActiveDir] Virtual Servers in Branch Offices

2005-10-19 Thread Phil Renouf
Yeah, I was just wondering if you saw any issues with putting it on a box across a WAN link. I have never looked into that before so I was just wondering your opinion on it for my own curiosity.

Phil
On 10/19/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
I don't get your drift. There is no requirement for the web server to be in the same location as the virtual server.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

Re: [ActiveDir] slightly OT: MissionControl for MIIS

2005-10-17 Thread Phil Renouf
I'd be interested in hearing if any of you have been using this. Having used MIIS a bit lately I'd love to hear about anything that makes it easier to manage.

Phil
On 10/17/05, Gil Kirkpatrick [EMAIL PROTECTED] wrote:
Hi David,

The licensing scheme is per-production-MIIS-server-processor (like MIIS), plus a charge for each 5 management agents. Test servers, or processors not used by MIIS aren't counted. The rest of the questions I'll leave to others, as I suspect my opinions are biased :)

You might get more feedback on MIIS-related topics from the MMSUG Yahoo group.

-gil
CTO, NetPro

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of McClure David
Sent: Monday, October 17, 2005 9:19 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] slightly OT: MissionControl for MIIS

Hi listers,

I'm considering MIIS for a project & haven't been able to find much non-MS information about MIIS out there on the web. Hoping for help from y'all.

One of the minor knocks against MIIS seems to be a lack of mgmt/troubleshooting tools. Netpro claims to have filled this gap with MissionControl for MIIS. Does anyone have any experience with this tool that you'd be willing to share? I'm interested in high-level stuff at this point, such as: What's the licensing scheme? In your opinion, does MissionControl fulfill its promises? What's your impression of ease of implementation, usability, overall bang-for-the-buck, etc?

Thanks!

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] Virtual Servers in Branch Offices

2005-10-14 Thread Phil Renouf
I don't think running a DC inside a virtual machine would give any added security; if someone could log onto the server running the VMs then it is just as bad as being able to have physical access to a normal DC since they can control starting and stopping the VMs. As Rick mentioned they could also copy the VHD to another machine and work on it at their leisure, so it might actually give you a little less security than just running a normal DC secured from physical access.


Phil
On 10/14/05, Rick Kingslan [EMAIL PROTECTED] wrote:

Does placing the DC inside a virtual machine add any security? Would it be harder for someone with physical access to compromise the DC?


Hmmm interesting. Yes, and no. Physical access is always an issue, but the NTDS.DIT is not out there in the open on a disk as it might be in a traditional DC. However, anyone with a VS *COULD* mount and start your DC - so the same rules apply. Don't allow anyone you do not trust physical access to your systems.


As to domain member - I don't recall VS requiring Domain Membership (more, because I just haven't tried...). So, does this mean that a machine that is a work group system could host a VS with a number of DCs? Ummm - yeah. I suppose so.


But, if it *IS* a domain member, then yes - it could likely authN off of the VM that it hosts - but obviously not at start up. Brings up a Schrödinger's cat quandary, now doesn't it?


Rick


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
Sent: Friday, October 14, 2005 2:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices


Thanks for the thoughts. And thanks Tony for the reference -- just finished reading it.

Unfortunately, deploying the DC at HQ or simply authenticating over the WAN is not really an option. The WAN links are ok (and getting better) but are located in places where environmental (as in the weather) conditions often cause short interruptions.


Does placing the DC inside a virtual machine add any security? Would it be harder for someone with physical access to compromise the DC? The white paper does not really make this clear. Also, I am assuming that a host machine would be a domain member, right? Does it authenticate off the virtual DC? [1]


Thanks again.

-- nme

[1] This sort of reminds me of the scene in Animal House when they talk about the whole universe as we know it existing under the fingernail of some other giant being... Whoa, dude!




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 13, 2005 12:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Other important factors in this scenario must be the physical and logical security of the server housing the DC role.

1. Will the server be securely locked away in the branches? If not, do not deploy a DC.
2. Do you trust the file server admins to have physical access to the server hosting the DC role?
3. Who administers the server that hosts the file and DC roles? Are they also trusted?

When designing the branch office, I would always ask the questions below, too:
1. Is a local DC required? i.e. what are the drawbacks if a DC is not deployed?
2. Is logon/startup traffic over the WAN larger than replication traffic over the WAN? If not, consider not deploying a local DC.

3. Does a local DC offer redundancy in the event of a WAN failure? If other apps are accessed over the WAN, then consider deploying the DC at a central location and not at the branch.


hth,
neil


___ Neil Ruston 
Global Technology Infrastructure Nomura International plc 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: 13 October 2005 01:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Servers in Branch Offices

Here's a link to a Microsoft document that covers what you need to do to run a production DC on Virtual Server 2005.

http://tinyurl.com/5enjd

Tony


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noah Eiger
Sent: Thursday, 13 October 2005 11:30 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Servers in Branch Offices

Hi -

Just to follow up on the design thread: since I am placing DCs in small branch offices, is there value in using Virtual Server 2005 to create separate virtual boxes (DC & file server) running on the same physical box? Some users have administrative access to the file server, and I'd love to keep them off the DCs. I am also curious about optimal physical and virtual drive configurations for such a box.


I reviewed the thread here about Virtual Domain Controllers but it seemed to focus on using them as backups. I am talking about production.

Any thoughts most welcome.

-- nme





Re: [ActiveDir] salary(OT)

2005-10-14 Thread Phil Renouf
On 10/14/05, joe [EMAIL PROTECTED] wrote:
I had done a couple of things, first I had learned Calc far better than I had ever learned in class all the way up to Calc IV and I had gotten a reputation of only tutoring really smart girls. ;o)

You're even smarter than I thought ;)

Phil


Re: [ActiveDir] Reverse DNS

2005-10-14 Thread Phil Renouf
So you have a publicly accessible DNS server that you manage and is in your DMZ and an internally accessible DNS server that is on your internal network. Is that right?

You have a domain on your publicly accessible DNS server for your public servers (web, email etc.) and currently you only have a forward lookup zone created on that DNS server. What you want is to be able to also host reverse DNS for the subnet that you were given by your ISP?


If that is the case then the advice has been given; talk to your ISP and have them delegate that subnet to your DNS server and set up a reverse lookup zone on your publicly accessible DNS server. That or have your ISP host the reverse lookup zone, although that would require them to manage the entries as well.


Phil
On 10/13/05, rubix cube [EMAIL PROTECTED] wrote:

I have 2 internal DNS's, one on the DMZ zone which hosts the public IPs of the servers we publish (email, website, systems, etc... around 15 IPs) and the other DNS which resolves only the internal IPs. I wanted to set up the reverse DNS and publish my internal DNS (the one at the DMZ) because I am not sure about my ISP. I went through some trouble trying to create an SPF record with him, and I don't have any control panel or tools for my records on his side 



On 10/13/05, Ed Crowley [MVP] [EMAIL PROTECTED] wrote:

I can't fathom why any organization would have to.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Derek Harris
Sent: Wednesday, October 12, 2005 3:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reverse DNS



I agree with Aric's advice: don't expose your internal DNS server unless you have to. Network Solutions hosts my DNS records, and I can manage them myself using their web-based tools. The only gripe I've got with them is that they won't host SPF records. 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bernard, Aric
Sent: Wednesday, October 12, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reverse DNS


You probably do not want to go out and expose your internal DNS server (presumably supporting your internal forest) to the Internet. Your internal DNS names and IP addresses should remain private, unless of course you are using public IP addresses internally and in such a case you would only want to expose those required externally. 


It is highly likely that your ISP already has some form of a reverse lookup zone in place for your subnet even if it only has generic records. If that is the case, I would probably go about just having them modify the existing zone altering the existing records with the proper names of your systems unless you cannot depend on them for timely changes (find another ISP) or you have a lot of PTR records that need to be published externally or the records you do publish will be fairly dynamic. 



Regards,

Aric





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of rubix cube
Sent: Wednesday, October 12, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Reverse DNS


Thanks all,



And when I configure the DNS reverse zone on my internal DNS server and ask my ISP to delegate my subnet (we pay monthly fees for the subnet and internet access), is there anything else I should do to my internal DNS? Should I publish my internal DNS, or is it enough to keep it the same way? 




Also assuming that I want the ISP to configure the reverse dns for me, I just ask them to add a reverse DNS for my subnet? 



Thanks

r.c.



On 10/12/05, Brian Desmond [EMAIL PROTECTED] wrote:

That's not entirely true. Your ISP will need to delegate your subnet(s) to your DNS servers if you want to run your own reverse DNS. If you own your subnet, you need to work with the registrar to get the delegation. 



Thanks,
 Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ed Crowley [MVP]
Sent: Wednesday, October 12, 2005 1:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reverse DNS


It's likely that your ISP will have to host your Internet reverse zone if they own your IP addresses. Really, you're going to have to ask them. 

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of rubix cube
Sent: Wednesday, October 12, 2005 9:47 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Reverse DNS

Hi list,

How do you exactly configure a reverse DNS zone? Which type should it be (standard, primary, Active Directory integrated)? Should it allow zone transfers? If I want to configure it on my internal DNS server (which doesn't do any zone transfers with anyone else, it's only internal, but it can resolve external names), how should I do that? I need it for 
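
The delegation Phil and Brian describe (have the ISP hand your block to your own DNS server, or let the ISP host the reverse zone) worked through as an added example; it is not code from the thread and uses constructed names and addresses (the TEST-NET-3 block 203.0.113.64/28, example.com hosts, ns1/ns2.example.com). Because a block of about 15 addresses is smaller than a /24, it goes beyond the thread and uses the RFC 2317 classless delegation the ISP would have to publish, and it also checks the ISP's existing PTRs against your forward zone, the situation Aric describes.

```python
"""Reverse-DNS delegation worked example (added here; not from the thread).

Given the public block the ISP assigned and the A records in our public
forward zone, this produces the PTR records for our own reverse zone, the
records the ISP must add to its /24 zone to delegate the block to us, and a
forward-confirmed check of the PTRs the ISP currently publishes.
All names and addresses below are constructed (TEST-NET-3, example.com).
"""
import ipaddress
from typing import Dict, List, Tuple

SUBNET = "203.0.113.64/28"                                  # 16 addresses from the ISP
OUR_NAMESERVERS = ["ns1.example.com.", "ns2.example.com."]  # our DMZ DNS servers
FORWARD_A: Dict[str, str] = {                               # our public forward zone
    "www.example.com.": "203.0.113.66",
    "mail.example.com.": "203.0.113.67",
    "vpn.example.com.": "203.0.113.70",
}
ISP_PTR: Dict[str, str] = {                                 # what the ISP serves today
    "203.0.113.66": "www.example.com.",
    "203.0.113.67": "cust-67.isp.example.",                 # generic placeholder
    "203.0.113.70": "cust-70.isp.example.",                 # generic placeholder
}


def parent_zone(cidr: str) -> str:
    """The in-addr.arpa zone the ISP operates: the /24 that contains our block."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen < 24:
        raise ValueError("IPv4 blocks of /24 or smaller only; delegate each /24 separately")
    a, b, c, _ = str(net.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa."


def delegated_zone(cidr: str) -> str:
    """Zone we host. A full /24 is delegated directly; a smaller block gets an
    RFC 2317 label such as '64/28' under the parent ('64-79' is an equally
    valid spelling if a server dislikes '/' in labels)."""
    net = ipaddress.ip_network(cidr)
    parent = parent_zone(cidr)
    if net.prefixlen == 24:
        return parent
    first_octet = str(net.network_address).split(".")[3]
    return f"{first_octet}/{net.prefixlen}.{parent}"


def ptr_records(cidr: str, forward: Dict[str, str]) -> List[Tuple[str, str]]:
    """(owner, target) PTR records for our zone, one per forward A record that
    falls inside the delegated block, ordered by address."""
    net = ipaddress.ip_network(cidr)
    zone = delegated_zone(cidr)
    records = []
    for name, addr in sorted(forward.items(), key=lambda kv: ipaddress.ip_address(kv[1])):
        ip = ipaddress.ip_address(addr)
        if ip in net:
            last_octet = str(ip).split(".")[3]
            records.append((f"{last_octet}.{zone}", name))
    return records


def isp_delegation(cidr: str, nameservers: List[str]) -> List[str]:
    """Records the ISP adds to its /24 zone: NS records handing our zone to our
    servers and, for a classless block, one CNAME per address that points the
    canonical reverse name into that zone (RFC 2317)."""
    net = ipaddress.ip_network(cidr)
    zone = delegated_zone(cidr)
    rrs = [f"{zone} IN NS {ns}" for ns in nameservers]
    if net.prefixlen > 24:
        for ip in net:  # every address in the block, first and last included
            last_octet = str(ip).split(".")[3]
            rrs.append(f"{ip.reverse_pointer}. IN CNAME {last_octet}.{zone}")
    return rrs


def stale_ptrs(existing: Dict[str, str], forward: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Forward-confirmed reverse DNS: for every address we publish, compare the
    PTR currently served with the name in our forward zone. Returns
    (address, served_ptr, expected_name) for each mismatch or missing PTR."""
    expected = {addr: name for name, addr in forward.items()}
    problems = []
    for addr in sorted(expected, key=ipaddress.ip_address):
        served = existing.get(addr)
        if served != expected[addr]:
            problems.append((addr, served or "<none>", expected[addr]))
    return problems


if __name__ == "__main__":
    print(f"; the ISP adds to {parent_zone(SUBNET)}:")
    print("\n".join(isp_delegation(SUBNET, OUR_NAMESERVERS)))
    print(f"\n; our zone {delegated_zone(SUBNET)}:")
    for owner, target in ptr_records(SUBNET, FORWARD_A):
        print(f"{owner} IN PTR {target}")
    print("\n; PTRs the ISP serves that do not match our forward zone:")
    for addr, served, want in stale_ptrs(ISP_PTR, FORWARD_A):
        print(f"{addr}: served {served}, expected {want}")
```

If the ISP hosts the reverse zone instead, the output of `stale_ptrs` is the change list you send them.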

Re: [ActiveDir] Reverse DNS

2005-10-14 Thread Phil Renouf
Why lurk when you can participate so effectively? :)

Phil
On 10/15/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
Or get a better ISP or DNS record keeper that will allow you to do what you need to do.

okay okay I don't lurk well ... I know & I know...

Re: [ActiveDir] Design Question

2005-10-13 Thread Phil Renouf
Just to re-iterate this: the BO Guide does not specifically recommend a multi domain forest even for larger organisations. It uses the multi domain forest as an example and specifically states that configuration is just an example and not a recommendation. There is a section in the document on design, but I don't think it recommends a multi domain forest there either.


Even big companies generally start out by trying to have a single forest single domain and only move from that if it makes sense.

The empty root domain was a common recommendation a number of years ago, but that position has been revised as the reasons it was recommended were based on the empty root giving you more security but it doesn't offer more security. There has been extensive coverage of this on the list as well and I think a recent post by joe touched on it again. 
Phil

On 10/12/05, Noah Eiger [EMAIL PROTECTED] wrote:

Thanks again. Yep, I figured the guide was aimed at larger groups. I just wanted to check out the Cadillac version and see what parts applied to us, if any. Frankly one of the other things that made me sort of doubt the single-domain model was the number of posts on this list that say something like: I have four domains and an empty root 


Thanks again. I will KISS.

-- nme



From: Arthur Freyman [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 12, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Design Question



You're absolutely right. Although there is a fairly compelling argument which states that it is best security practice to turn off cached logons. Additionally, it somewhat limits the value of the ability to logon to the workstation, if the user cannot perform their normal business functions, depending on what those may be. Of course it's better than nothing.


Arthur Freyman





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thommes, Michael M.
Sent: Wednesday, October 12, 2005 1:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Design Question

Unless specifically turned off, your "disconnected" branch office user should still be able to logon using cached credentials. Of course, other network resources may not be available.


Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Arthur Freyman
Sent: Wednesday, October 12, 2005 2:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Design Question

I've had to grapple with this issue a number of times when I designed AD implementations. It is basically an argument of a centralized vs distributed model. There are obvious pros and cons to each approach, but ultimately it comes down to reliability and speed of links to your branch offices. You could improve your management and security by not having DCs in the branch offices, but you have to realize that if the link is down, your branch office people won't be able to login. This could be particularly a significant factor if you implemented single sign on and you depend on AD for access to other applications. You should perhaps look at statistics of downtime for your WAN links and see if you can put up with branch offices being down for that period of time.



Arthur Freyman 






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, October 12, 2005 12:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Design Question




That's a good question on the number of domains in the Branch Office Guide -- it seems to be overkill unless they all have separate and independent IT departments or if there is a requirement for a separate password policy or something else bizarre. I suppose you could deploy a DC to each branch, and especially if you have a slow, unreliable WAN link such as a fractional T-1 to each location and with 10 branches you should be OK using 10 extra DCs.




Regards,



Chuck Gafford

Systems Architect



Unisys

Imagine It. Done.


-Original Message-
From: Noah Eiger [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wed, 12 Oct 2005 11:49:43 -0700
Subject: RE: [ActiveDir] Design Question

Thanks, all. Good to see confirmation of the few-domains-as-possible concept.


Yes, I was planning to deploy a DC to each branch. Some are not as physically secure as I would like, though I realize that security is somewhat a function both of access and intent. I don't see a lot of the latter -- but maybe that is what we all thought on September 10. Does that change the model?


-- nme

P.S. Why does MS still recommend so many domains in the Branch Office Guide? Is it for replication load?








From: Al Mulnick [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 12, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Design Question

The same reasons apply to this situation as those of a much larger organization: deploy multiple domains if you need x, y, and z functionality. Otherwise try to 

Re: [ActiveDir] Domain Migration

2005-10-13 Thread Phil Renouf
I would migrate the users and desktops. That way the users keep their passwords, the users' desktop profiles stay the same etc. Using ADMT isn't all that complex and the help file provides you with step by step instructions for how to get things configured to allow for migration. Once that is done the migrations are pretty easy; do a couple in a lab and you'll get the hang of it pretty quickly.


Phil
On 10/13/05, DeStefano, Dan [EMAIL PROTECTED] wrote:
Thanks for the suggestion. As a matter of fact, while reading the ADMT help file last night I did think it would be easier to proceed as you suggest - building the new domain and creating the users, then just exmerge the mailbox data into their accounts. Maybe we would cut over the MX record on Friday evening then, when mail starts being received by the new org/server, export/import the mailbox data.

Do you have any idea where I can find the word white papers or has that whole thing been abandoned in favor of the online documentation?

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charlie Kaiser
Sent: Wednesday, October 12, 2005 8:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Migration

Personally, for 30-40 users, I'd create my own exchange org and use exmerge every time. I would also build my own AD and use ADMT or 3rd party tool to migrate users, or, again, for 30-40, just recreate them. A lot of it will depend on the apps involved and what they need. The other apps will most likely drive your decisions. You might find that moving exchange is a necessary prerequisite for some of the apps, or vice versa.

I usually get my domain structure up and running, test replication and general AD performance, then populate with a few test users. I then do the exchange install prior to migrating users to the domain. At that point, if something blows up, I can still wipe and rebuild with no loss except my time.

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of DeStefano, Dan
Sent: Wednesday, October 12, 2005 3:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Migration

I am in the information-gathering phase of a domain migration. The situation is the company I work for has split off from another, larger company. However, we still use their systems (AD, Exchange, custom apps, etc). We will be splitting off from the parent company in a couple of months into our own forest/domain and I wanted to get some input on the proper procedures and order in which to perform them. In a nutshell, should the order be:

1. migrate users over using ADMT (approximately 30-40 users)
2. migrate apps over
3. use exchange server migration wizard to migrate exchange server into new domain

Generally, is the above correct? Prior to the migration we will be getting our own Exchange server just for our users. Is there any way to change the organization on this exchange server and re-associate it with the new domain and users? I would imagine not, that the proper procedure would be to export all mailboxes using exmerge, reinstall Exchange in a new organization in the new forest, then merge the mailboxes using exmerge.

Also, I remember there used to be several word white papers on MS site for w2k (domain migration cookbook, etc), but for 2k3 all I can find are online articles, no downloadable white papers that can be easily printed. Can anyone direct me to some word or pdf docs that discuss the above?

Thanks in advance,
Dan DeStefano

NOTICE: The information contained in this transmission is privileged, confidential, and intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on the contents of this transmission is strictly prohibited. If you have received this transmission in error, please notify Eze Castle Integration, Inc. by e-mail and destroy the original message and all copies. Thank you.
List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Design Question

2005-10-13 Thread Phil Renouf
I think I need to start proof reading my posts before sending them :)

I completely agree that by using a multi-domain forest example they are passively recommending its use to some people. I think in the next iteration it might be useful to use another example, or perhaps multiple examples, to try and avoid making people think that is the only (or best) way to design a BO AD implementation.


I think I should have said that even big companies should start by looking at a single forest single domain; you are right that many companies continue to look at a multi-domain forest for different reasons (some technical, some political). My point there really was that size doesn't always dictate this aspect of an AD design.
And...I generalized the root domain comment, that was certainly a mistake. It was a common recommendation that it be done for security and even Microsoft mistakenly recommended an empty root for a while for that reason. I know that I had that mindset for a while when AD first came out until I started learning more about AD. Security wasn't (and isn't) the only reason for an empty root. I think that a good explanation of some good reasons for implementing an empty forest root might be a good idea as it is an area that doesn't have a lot of information about it. I wouldn't mind getting your (and others') opinion on when to use an empty root; the GPO example was good and was an aspect I hadn't thought of before.


Phil



On 10/13/05, joe [EMAIL PROTECTED] wrote:

I think the problem is that by showing the multi-domain forest example it is a tacit recommendation of its use to some people. I don't necessarily agree that people should read it that way but I can see where people would. Plus many people don't want to start from scratch, they will take what someone has, mark it down for their own, and then try to decide what to change.


 Even big companies generally start out by trying to have a single forest single domain and only move from that if it makes sense.

I agree they do this if they are coming from another OS or have a VERY decentralized NT infrastructure. From what I have seen, the companies that organized under NT4 to have account domains tend to follow those same account domain designs when moving to AD. The resource domains they tend to fold in. I think the reason here being to avoid the whole customer training piece. Personally though, I think companies really need to start training people to use UPNs and then the underlying domain structure isn't so very important.



 The empty root domain was a common recommendation a number of years ago, but that position has been revised as the reasons it was recommended were based on the empty root giving you more security but it doesn't offer more security. There has been extensive coverage of this on the list as well and I think a recent post by joe touched on it again.

The empty root domain discussions always kind of irk me. SOME people said it should be done for security. Those same people were the ones thinking a domain was a security boundary. Those who knew it wasn't a security boundary still would recommend empty roots and still do if there appear to be reasons for it. In other words, not everyone that has an empty root did it because they thought it was for securing the enterprise admin group, in fact in the company that I personally moved from NT4 to AD securing the Enterprise Admin group was never a consideration behind the reasoning of the empty root. 


The one thing that I think could sort of be considered security related is the fact that you can dictate via administrative policy that no one dorks with the policy on the forest root so you know you always have a haven away from dorked up GPOs. This is especially true if you let someone other than domain admins create/modify/link GPOs rather high in the AD structure of a domain. I have seen first hand domains that have been locked down for all users on all machines to kiosk mode. It isn't funny when it is happening but is a riot months later when you can laugh about it. Personally I am against anyone but DAs modifying policy in the domains but then I HATE GPOs anyway and consider them to be extremely dangerous. 


 joe





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, October 13, 2005 2:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Design Question


Just to re-iterate this: the BO Guide does not specifically recommend a multi domain forest even for larger organisations. It uses the multi domain forest as an example and specifically states that configuration is just an example and not a recommendation. There is a section in the document on design, but I don't think it recommends a multi domain forest there either. 


Even big companies generally start out by trying to have a single forest single domain and only move from that if it makes sense.

The empty root domain was a common recommendation a number of 

Re: [ActiveDir] Design Question

2005-10-12 Thread Phil Renouf
Hey Noah,

It is great that you are using the Branch Office Guide to help you out with the design, there is a lot of useful information in that document. With regards to the multi domain forest, the Branch Office Guide specifically states that it uses that only as an example not as a recommendation of how to design your forest. Later on in the document it discusses design decisions etc. 


As Rich and Hunter have mentioned, it is good to start with trying to achieve a Single forest/Single domain environment and only move away from that if there are reasons to do so.

Phil
On 10/12/05, Noah Eiger [EMAIL PROTECTED] wrote:

Hi -

I am designing a new domain structure that will have a HQ and then roughly 10 branch offices, less than 200 users total. The Microsoft Branch Office Deployment guide shows a single forest with three domains: root, hq, and branches (and oodles of domain controllers). Allen, Minasi, etc etc etc all say to try to limit yourself to a single domain if possible.


My inclination is to go with the latter (single domain) model. With this size organization is there a need for multiple domains? An empty root? 

Thanks.

-- nme


Re: [ActiveDir] Forest prep/domain prep in a MT root Domain

2005-10-11 Thread Phil Renouf
You can run the forest prep from anywhere as long as you have the appropriate rights. That said, this should be done on the Schema Master. Once forestprep is done and replicated properly you can run domainprep in each child domain.


Phil
On 10/11/05, John Strongosky [EMAIL PROTECTED] wrote:

Hey everyone, long time reading here. I'm confused as I'm new to AD and doing my research for our conversion.. so here is my question: we are going to have an MT root domain and a sub (if that's the correct term) domain where we are going to put exchange, let's call the root domain AD.sdccd and the sub domain admin.

What is the proper procedure for running Forest prep and Domain Prep? From all my reading I don't think I run forest prep on the sub domain but do run domain prep on the MT root and on the sub domain. Am I correct?



john




Re: [ActiveDir] Modifying Domain Admins Administrators Group

2005-10-11 Thread Phil Renouf
Ethereal, it's free :)

http://www.ethereal.com/

Phil
On 10/11/05, Rocky Habeeb [EMAIL PROTECTED] wrote:
Did I mention I don't even have a protocol analyzer or a Fluke device?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rich Milburn
Sent: Tuesday, October 11, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

Rocky, you should make the time to become familiar with a few of them, because if you do, you'll see how useful they can be - they can save you multiples of the time you invested into them, if you admin AD at all (more than just adding a user and resetting a password here and there :)

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Tuesday, October 11, 2005 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

joe,

You know this is not possible. No one has your knowledge base! I mean no one. You're in a class by yourself. You define the class, it's a little bit like God. No one can touch you! Okay enough adulation.

Anyways, I would hope it would come in between $100 and $500 USD but who knows how long it will take you to create and perfect it and I, for one, know, unlike 99.999% of all software released, it will not have bugs in it when it's released. Something we can count on with joeware.

Do you know that I have downloaded most of your free tools but have not used virtually any of them because I simply don't have the knowledge base? I did use a couple of them during my migration from Forest X to Forest Y and I sure appreciated them then.

As always,
YMYMYM
Rocky

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, October 10, 2005 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

Define within reason.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rocky Habeeb
Sent: Monday, October 10, 2005 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

 Is a tool like that something people would be willing to pay for?

Affirmative Mr. joe. (Within reason of course)

YMYMYM

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Sunday, October 09, 2005 11:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

Ah global won't have the issue with primary group since it used the NET* calls. However, it won't catch nesting that is disallowed in NT, those entries will be curiously absent because the NET calls don't know anything about it. If you are simply looking for any change on a group, fire a notification on the changing of the metadata or the USN or the whenChanged stamp.

What would I do? The answer is of course, it depends. :o)

It depends on what I perceive the risks are and the necessity for protecting things. It could be very little or it could be a lot with several cross checks. Generally, monitoring from multiple angles as well as trying to prevent the possibility of any change is the best solution in my opinion. Sort of like root kit detection, you won't know when looking at things one way, you have to look from different angles and check the shadows.

If I really wanted to be sure I would have a service running on every DC that made sure the group memberships were exactly what I wanted. These would be services that had change notifications set up for each monitored group so AD told me when the group changed versus me looking at it and seeing if something changed on some x interval. But just the same, that service would still look at some very regular very short interval just in case the change notification dorked up and I would do it using multiple interfaces. If I was REALLY being paranoid I would possibly have the service shut down the box if it detected a change being originated on it in case that one box has been somehow compromised. That service might also, for instance, look for certain known vectors and try to clean those up if detected as well. There are other things but the more you tell people about what you are doing to protect a system, the more you tell them on what they may need to do to compromise a system.

Is a tool like that something people 
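joe's "look from different angles" advice above can be turned into a small defensive check. The script below is an added example, not joe's tool or anything posted to the list: it computes a privileged group's effective membership both from the member attribute (nesting resolved) and from primaryGroupID, which member-only checks miss, and reports drift against an approved baseline. The directory snapshot, group names and DNs are constructed for the example, and the commented Get-AD* calls only indicate where live data would come from.

```powershell
# Added example (not from the list thread): detect drift in a privileged
# group's membership by looking at it from two angles, as joe suggests:
#   1. the group's "member" attribute, with nested groups resolved
#   2. users whose primaryGroupID points at the group; they are real
#      members but never appear in "member", so member-only checks miss them
# The snapshot below is constructed so the script runs offline. Live data
# would come from the ActiveDirectory module, e.g.
#   Get-ADGroup -Identity 'Domain Admins' -Properties member, primaryGroupToken
#   Get-ADUser  -Filter 'primaryGroupID -eq 512'
# Run it on a short schedule (and on each change notification, if you wire
# those up) so a missed notification is still caught by the next poll.

$DomainAdminsDn = 'CN=Domain Admins,CN=Users,DC=corp,DC=example'

# Constructed directory snapshot keyed by distinguishedName.
$Snapshot = @{
    'CN=Domain Admins,CN=Users,DC=corp,DC=example' = [pscustomobject]@{
        ObjectClass       = 'group'
        PrimaryGroupToken = 512
        Member            = @(
            'CN=Administrator,CN=Users,DC=corp,DC=example',
            'CN=Tier0 Ops,OU=Admin,DC=corp,DC=example'      # nested group
        )
    }
    'CN=Tier0 Ops,OU=Admin,DC=corp,DC=example' = [pscustomobject]@{
        ObjectClass       = 'group'
        PrimaryGroupToken = 1105
        Member            = @('CN=alice,OU=Admin,DC=corp,DC=example')
    }
    'CN=Administrator,CN=Users,DC=corp,DC=example' = [pscustomobject]@{
        ObjectClass = 'user'; PrimaryGroupID = 513
    }
    'CN=alice,OU=Admin,DC=corp,DC=example' = [pscustomobject]@{
        ObjectClass = 'user'; PrimaryGroupID = 513
    }
    # In no "member" list at all, but its primary group is Domain Admins (RID 512).
    'CN=svc-legacy,OU=Service,DC=corp,DC=example' = [pscustomobject]@{
        ObjectClass = 'user'; PrimaryGroupID = 512
    }
}

function Get-EffectiveMembers {
    # Returns the sorted DNs of every user that is effectively a member of
    # $GroupDn in $Dir, whether via (nested) "member" links or primaryGroupID.
    param([hashtable]$Dir, [string]$GroupDn)
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $users = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($GroupDn)
    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        if (-not $seen.Add($dn)) { continue }   # already expanded; also stops nesting loops
        $grp = $Dir[$dn]
        if ($null -eq $grp -or $grp.ObjectClass -ne 'group') { continue }
        # Angle 1: explicit membership, descending into nested groups
        foreach ($m in $grp.Member) {
            $obj = $Dir[$m]
            if ($null -eq $obj) { continue }    # dangling link, nothing to add
            if ($obj.ObjectClass -eq 'group') { $queue.Enqueue($m) } else { [void]$users.Add($m) }
        }
        # Angle 2: primary-group membership, matched on the group's RID
        foreach ($entry in $Dir.GetEnumerator()) {
            if ($entry.Value.ObjectClass -eq 'user' -and
                $entry.Value.PrimaryGroupID -eq $grp.PrimaryGroupToken) {
                [void]$users.Add($entry.Key)
            }
        }
    }
    return @($users | Sort-Object)
}

function Compare-PrivilegedGroup {
    # Compares effective membership against an approved baseline and reports
    # who was added and who went missing.
    param([hashtable]$Dir, [string]$GroupDn, [string[]]$Baseline)
    $current = Get-EffectiveMembers -Dir $Dir -GroupDn $GroupDn
    [pscustomobject]@{
        Group   = $GroupDn
        Current = $current
        Added   = @($current  | Where-Object { $_ -notin $Baseline })
        Removed = @($Baseline | Where-Object { $_ -notin $current })
    }
}

# Approved baseline: who is supposed to be in Domain Admins (constructed).
$Approved = @(
    'CN=Administrator,CN=Users,DC=corp,DC=example',
    'CN=alice,OU=Admin,DC=corp,DC=example'
)

$drift = Compare-PrivilegedGroup -Dir $Snapshot -GroupDn $DomainAdminsDn -Baseline $Approved
if ($drift.Added.Count -gt 0 -or $drift.Removed.Count -gt 0) {
    # A real monitor would write an event log entry or page someone here.
    Write-Warning ("Membership drift in {0}: added [{1}] removed [{2}]" -f
        $drift.Group, ($drift.Added -join '; '), ($drift.Removed -join '; '))
}
$drift
```

On the constructed snapshot the only drift reported is svc-legacy as an addition, which a check reading just the member attribute would never have shown.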

Re: [ActiveDir] Results of survey - Most common cause of Active Directory failures?

2005-10-10 Thread Phil Renouf
Start a blog? :)

Since that takes some time to get traffic, perhaps joe would be willing to post your survey on his blog? I imagine he gets some good traffic to his blog.

Phil
On 10/10/05, Gil Kirkpatrick [EMAIL PROTECTED] wrote:

We usually do a big State of the AD World survey at DEC, and certainly will again in Vegas (assuming there are some people left in the room who haven't already headed out to the casino. :)


I needed some answers sooner than later for a whitepaper I was working on. 

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Monday, October 10, 2005 1:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Results of survey - Most common cause of Active Directory failures?


Why not just ask the people at DEC - a captive audience of some of the most knowledgeable AD people anywhere. Or were you hoping for answers prior to then?



mc
This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.



Re: [ActiveDir] [Fwd: [mssmallbiz] sbs podcast #3]

2005-10-08 Thread Phil Renouf
I am sure it was just a slip during the summary of the podcast, but below Vlad mentions that Exchange support within Virtual Server came at SP1, that is actually SP2 as we've discussed here over the last couple of days.


Phil
On 10/8/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
Apologies for the OT...but this is a podcast done by SBS's Mothership Los Colinas [PSS/CSS escalation team for SBS]

Please note the discussion regarding imaging for disaster purposes and virtualization.

-------- Original Message --------
Subject: [mssmallbiz] sbs podcast #3
Date: Sat, 8 Oct 2005 10:40:38 -0400
From: Vlad Mazek [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]

SBS Podcast #3 http://blogs.technet.com/sbs/archive/2005/10/08/412193.aspx was uploaded earlier this morning and the best news is that they are getting some real audio equipment. So great news to some of you that have complained about the voice quality, apparently it's an 8k LiveMeeting session. They had over 250 downloads of the previous episode, over half thanks to Susan Bradley http://www.msmvps.com/bradley .

Here is a brief summary of the podcast:

Support for SBS in Vmware
What support? - as many of you already know, PSS does not support SBS issues you face with Vmware and will request that you replicate the issue inside Virtual Server or on a real system. One caveat was that you will face performance issues but a number of people still do it. They brought up a case in which a customer runs the Terminal Server inside of a Virtual Server running on top of SBS 2003, cautioning that they had a fairly powerful system.

They referenced the KB article regarding support policy "Support policy for Microsoft software running in non-Microsoft hardware virtualization software":
http://support.microsoft.com/default.aspx?scid=kb;en-us;897615

On whether you will actually see SBS supported in a virtual environment: because SBS components must be capable of running inside of a virtual machine there is no way to guarantee that the entire system will work unless all the components work. One example that was provided was Microsoft Exchange, part of SBS, which was not supported inside of a virtual machine until Service Pack 1.

Bare metal SBS Restore
People that have proper backups do not call PSS. They joked many times about how only one guy that called PSS actually had a disaster recovery scenario setup. Among best practices, SBS podcast team suggested the use of standard ntbackup in addition to frequent ASR (automated system recovery) backups.

SBS team cautioned against use of imaging solutions as most of them do not guarantee that you can restore a domain controller and most are not recommended on a server. Disaster recovery conversation was pretty valuable, discussing active directory backups and the need for the secondary domain controller.

Migrating Public Folders
Podcast folks discussed several ways to migrate the public folder content without forklifting the database. One of the more popular solutions was to copy all the public folder items into a mailbox and export it as pst, then merge it back on the new server. Another solution would be to export the entire contents to a csv, which does get most of the flat text content out. Finally, they discussed the option of accessing public folders with PFDavAdmin and MFCMAPI utilities.

Vlad note: If the PFDavAdmin and MFCMAPI terms are new to you please do not attempt to use these.

Entourage SP2
Microsoft Entourage 2004 SP2 brings the same look & feel and most options of Outlook to Entourage as a true Exchange Client. Sync speed has been improved and you're allowed to have multiple address books and calendars. Previously to SP2 opening someone else's calendar would merge the content of the two calendars together. Exciting. Other enhancements include the ability to browse the GAL and organizational structure, faster Public Folder browsing, calendar sharing, ability to set up sharing and delegation and grouping messages by thread/conversation.

As for better integration as a true Exchange client: If the domain password is about to expire you will now receive a notice inside Entourage. You cannot change the password there (go through OWA) but at least you'll know about it before you're locked out of the server.

Office 2003 SP2
Brief but funny discussion on Office 2003 SP2: Remember to reboot the system after you install SP2. Otherwise you will not be able to send any mail or access your outgoing items.

Issue of the Office 2003 SP2 deployment via WSUS was brought up, as it apparently failed for a number of people. Podcast folks promised to investigate.

DPM agent on SBS 2003
Podcast team discussed DPM and called it "VSS on steroids" which is a fairly accurate description. You can find more details on that here.
http://www.vladville.com/2005/09/data-protection-manager-2006-released.html

Pretty good podcast, even given the audio quality it was still fairly entertaining - go ahead and download it

Re: [ActiveDir] Server Roles

2005-10-07 Thread Phil Renouf
I've seen 500 and 1000 user sites with no DC. They were on the end of decent network links, but nothing outrageous. To determine if you really need a DC at a remote location I would sit down and look at the stability of your network link and its current utilization. Then spend some time thinking about how critical the site is and whether they can live with having no access to a DC for a few hours if the network link went down. I'd also look at the logon traffic vs replication traffic. If replication traffic would be higher than logon traffic then right there you have a very good argument for not putting a DC at that site.


Phil
On 10/7/05, Mylo [EMAIL PROTECTED] wrote: 
Mark,How many users to site are you talking about in the no local DCscenario. 10, 20..50 ?
CheersMylo[EMAIL PROTECTED] wrote:I've looked at using Virtual Server for small sites and it makes senseto me.The only drawback is that all your eggs are in one basket - lose 
the host and you lose everything.The same's true for patching asyou'll need downtime on all of the guest machines when the host isupdated.One nice advantage of using Virtual Server in this scenario is the 
ability to access the Virtual Server Administration Console andtherefore have complete remote control over the virtual hardware and theconsole.This is ideal for small sites with no local admin/technical 
staff.I have to agree with Joe about whether you actually need a DC or notthough.At a number of sites we've chosen not to deploy a local DC atall.In fact, we tend to tie the DC deployment decision into whether or 
not that site is going to have Exchange server locally.Regards,Mark.-Original Message-From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of joeSent: 07 October 2005 01:18To: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Server RolesMylo,I pretty much agree with Gil but I don't think most people or orgs havethe slightest idea how to evaluate their environments for risks. Plus 
too many people have the mindset that if they don't know of a way tohack something, no way exists. If this is the direction taken, bringsomeone else in to do it. Even if you do that it still may not work out 
well though because of assumptions that are made during the analysisthat don't end up being true in implementation. Oh yeah, of course welook at the logs  Of course we patch right away and watch the 
security bulletins The fewer vectors available to compromise tendsto mean the less chance of being compromised.I think max paranoa is the safer path.IIS on a DC makes me very queasy. Granted it is based on the history of 
IIS and it is all fixed now, but consider... How many exploits do youneed against your DCs before it is considered too many? Is a singlecompromise acceptable? I don't mind losing most one off servers, it 
hurts but I can survive. If someone walked through a hole on a DC or acert server your base security for the entire environment, all serversand clients, has been compromised and you can not easily have much faith 
in those pieces any longer. I can rebuild an IIS server in a couple ofhours, how fast can you rebuild from scratch your domain structure? YourCert structure?Exchange... Well I have all sorts of love for Exchange but right off, if 
Exchange is running on a GC, you have no fault tolerance or loadbalancing for directory work, that is the one and only GC that will everbe used. The Exchange provider should be complaining about that all 
alone. Failover to another GC in another site may suck, but at least itis possible.If someone insists that they can only have one server at a site, at thistime my recommendation is that it not be a DC. If you keep your GPOs in 
check this shouldn't be a serious issue unless you have a crappynetwork.DCs are a special case and should be treated specially, it isn't justsome extra service on a machine. Services I will run on a DC are things 
like WINS and DNS and quite honestly I don't much like DNS on DCseither. It bothers me to run a service on the machine that the DC iscompletely dependent on.With WINS, I always deployed LMHOSTS files on the DCs, that way if WINS 
failed, things still worked.joe-Original Message-From: [EMAIL PROTECTED][mailto: 
[EMAIL PROTECTED]] On Behalf Of Gil KirkpatrickSent: Thursday, October 06, 2005 7:07 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Server RolesAs you mentioned, this topic has been debated frequently on this list.Running other services on a DC raises the hackles on the back of my 
neck, and I expect that most on the list will have similar reactions.And you've listed most of the reasons why the proposed deployment wouldbe a bad idea. But truthfully, the right answer has to be based on a 
proper risk assessment for your client's environment. I think in thepast most people either a) never did a risk assessment, or b) didn'tunderstand the risks with branch office DCs running multiple services. 
Consequently, most AD professionals now default to its 

Re: [ActiveDir] AD Restore Problem

2005-10-06 Thread Phil Renouf
That article might not have been caught yet, support for DCs in Virtual Server is a relatively new thing, but it is supported.

http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en


That doesn't help SBS much though since Exchange is not yet supported in Virtual Server.

Phil
On 10/6/05, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
stupid question alert

Okay so unless you are insane SBS.. images of your DCs are ixnay. What does Sun, Linux, Mac or any other competing Server OS do in their world to ensure the Kingdom easily and quickly comes back up? yeah I know they don't have AD but they have to have some competing glue, right? What have they done if anything?

How to detect and recover from a USN rollback in Windows Server 2003:
http://support.microsoft.com/?kbid=875495

That KB is interesting as it clearly indicates that having a DC in a Virtual Server environment is not supported... yet we SBSers have gotten word that once Exchange 2003 sp2 supports Vserver all of the parts of the 'standard' box will be supported in a virtual environment.

Brett Shirley wrote:

If you have any replicas of those servers, when you restore those VMWare images, you will have corrupted your forest during restore.

-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no rights.

On Thu, 6 Oct 2005, Carroll Frank USGR wrote:

I am working my way down the VMWare path also for my ultimate DR ace in the hole. The environment is a TLD with 4 child domains. I am planning on running a single VMWare server that has virtual DCs for all 5 domains. I am going to peel off a dedicated site/vlan and put the physical VMWare server and all of the DC virt servers in that site. None of the virtual DCs are going to be GCs. The reason for the dedicated site is so I can keep people from using them for validation in production.

Once I have them running, I plan to use the VM scripting to gracefully shut them down once a day and then shoot the image file of the shutdown DC off to tape, which then goes off-site. After the backup completes I then restart the virtual servers.

This plays into the different hardware scenario since I can use VMWare to abstract the hardware.

Of course, this whole process is the backup to the normal system state backup of all my backbone DCs.

FWIW - Frank

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Coleman, Hunter
Sent: Wednesday, October 05, 2005 5:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Problem

You will still need to abandon the snapshot/image approach. Go to http://www.mail-archive.com/activedir@mail.activedir.org/ and search for "usn rollback". You can get the same information by searching support.microsoft.com, but without the colorful and enlightening commentary that the list provides.

Hunter

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



Re: [ActiveDir] AD Restore Problem

2005-10-06 Thread Phil Renouf
Actually, reading your article more closely it doesn't explicitly state DCs are supported in Virtual Server, but it sort of touches on it:

Because it is difficult to detect and recover from a USN rollback, we recommend that administrators install hotfix 875495 on all Windows Server 2003 domain controllers, especially those in virtualized hosting environments.


The caution that I see in the article is that you can potentially cause a USN rollback using features of Virtual environments (including VS and VMWare).

Phil

On 10/6/05, Phil Renouf [EMAIL PROTECTED] wrote:

That article might not have been caught yet; support for DCs in Virtual Server is a relatively new thing, but it is supported.

http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en

That doesn't help SBS much though since Exchange is not yet supported in Virtual Server.

Phil
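An added example, not part of the original thread: the three symptoms KB 875495 (linked above) describes for a DC that has detected its own USN rollback are NTDS General event 2095 in the Directory Service log, the registry value "DSA Not Writable" set to 4 under the NTDS Parameters key, and the Netlogon service paused so the DC stops advertising. The script below checks all three on a DC. It assumes Windows PowerShell 5.1 with rights to read the remote registry and event log; the computer name is a placeholder.

```powershell
# Added example: check a DC for the USN rollback condition described in KB 875495.
# Not from the original thread. Assumes Windows PowerShell 5.1 (Get-Service
# -ComputerName) and remote registry/event log access to the DC being checked.
param([string]$ComputerName = $env:COMPUTERNAME)

function Test-UsnRollback {
    param([string]$Computer)

    # Symptom 1: the DC quarantines itself by writing DSA Not Writable = 4.
    $ntdsKey = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $val = $reg.OpenSubKey($ntdsKey).GetValue('DSA Not Writable')   # $null when the value is absent
    $reg.Close()

    # Symptom 2: event 2095 (partner has already seen USNs this DC is about to reuse).
    $events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2095
    } -MaxEvents 5 -ErrorAction SilentlyContinue

    # Symptom 3: Netlogon is paused, so the DC no longer registers itself in DNS.
    $netlogon = Get-Service -ComputerName $Computer -Name Netlogon

    [pscustomobject]@{
        Computer       = $Computer
        DsaNotWritable = $val                 # 4 = rollback detected
        Event2095Count = @($events).Count
        NetlogonStatus = $netlogon.Status     # 'Paused' is the quarantine state
        UsnRollback    = ($val -eq 4) -or (@($events).Count -gt 0)
    }
}

$result = Test-UsnRollback -Computer $ComputerName
$result | Format-List

if ($result.UsnRollback) {
    Write-Warning 'USN rollback detected. Deleting the registry value does not repair the divergence.'
    Write-Warning 'KB 875495 recovery: isolate the DC, forcibly demote it, clean up its metadata and re-promote it (or restore from a supported system state backup).'
}
```

A clean result on the restored DC is not proof of health: the DC only sets these markers after it has replicated with a partner that already holds USNs higher than the restored image's. Run the check again after the first replication cycle, or compare `repadmin /showutdvec` output between the restored DC and its partners.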



Re: [ActiveDir] Modifying Domain Admins Administrators Group

2005-10-06 Thread Phil Renouf
Limit the number of domain admins, audit user and group management and use MOM to alert you to changes to the group membership of the Domain Admins group. You could likely script that alerting as well if you don't use MOM.


Phil
On 10/6/05, Devan Pala [EMAIL PROTECTED] wrote:
Hi,

We have about 7 domain administrators in a particular child domain. I just found out someone added the DBA Group to part of the Administrators group in this domain. Not necessary, not required nor is it a policy. Event logs have obviously been overwritten therefore I would like to know the simplest method to avoid this scenario from ever happening again.

What are my options?

Thank you so much.
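An added example, not part of the original thread, of the scripted alerting Phil mentions: it compares the current membership of the privileged groups against a saved, approved baseline and, when something differs, pulls the matching "member added/removed" security events from a DC so you learn who made the change. It assumes the ActiveDirectory module (RSAT), Windows Server 2008 or later DCs and the "Audit Security Group Management" subcategory enabled; the group list and baseline path are placeholders.

```powershell
# Added example: detect changes to privileged group membership against a baseline
# and pull the matching security events. Not from the original thread. Assumes the
# ActiveDirectory module, 2008+ DCs and Security Group Management auditing enabled.
Import-Module ActiveDirectory

$Groups   = 'Domain Admins', 'Administrators'      # add 'Enterprise Admins' in the forest root domain
$Baseline = 'C:\Audit\privileged-groups.baseline.xml'
$Dc       = (Get-ADDomainController -Discover).HostName

function Get-PrivilegedMembership {
    # Resolve membership recursively so a nested group (e.g. a DBA group dropped
    # into Administrators) shows up as the individual accounts it brings in.
    $result = @{}
    foreach ($g in $Groups) {
        $members = Get-ADGroupMember -Identity $g -Recursive |
                   Select-Object -ExpandProperty distinguishedName | Sort-Object
        $result[$g] = @($members)
    }
    return $result
}

$current = Get-PrivilegedMembership

if (-not (Test-Path $Baseline)) {
    # First run: record the approved state. Review the file by hand before trusting it.
    $current | Export-Clixml -Path $Baseline
    Write-Output "Baseline written to $Baseline"
    return
}

$approved = Import-Clixml -Path $Baseline
$changed  = $false

foreach ($g in $Groups) {
    $diff = Compare-Object -ReferenceObject @($approved[$g]) -DifferenceObject @($current[$g])
    foreach ($d in $diff) {
        $changed = $true
        $verb = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
        Write-Warning ("{0}: {1} {2}" -f $g, $verb, $d.InputObject)
    }
}

if ($changed) {
    # 4728/4729 = member added to/removed from a global group (Domain Admins);
    # 4732/4733 = the same for a local group (Administrators).
    # The event carries the actor; the membership diff alone cannot tell you that.
    $since = (Get-Date).AddHours(-24)
    Get-WinEvent -ComputerName $Dc -FilterHashtable @{
        LogName = 'Security'; Id = 4728, 4729, 4732, 4733; StartTime = $since
    } | ForEach-Object {
        # Property layout for these events: [0] MemberName, [2] TargetUserName (group), [6] SubjectUserName (actor)
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Actor   = $_.Properties[6].Value
            Group   = $_.Properties[2].Value
            Member  = $_.Properties[0].Value
        }
    } | Format-Table -AutoSize
}
```

Two caveats. The baseline comparison only catches a change that is still present when the script runs; an account added and removed between runs is visible only in the audit events, so run it frequently. And the events are useless if the security log wraps before you look, which is the situation in the question above: forward the DCs' security logs to a collector (or at minimum enlarge the log and set it not to overwrite) so the 4728/4732 records survive.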


Re: [ActiveDir] Multiple forests with a common DNS parent zone

2005-10-05 Thread Phil Renouf
It is? This is the first I have heard of being able to merge forests, the only way I am aware of is migrations. Anyone have more information on this if that is the case?

Phil
On 10/5/05, ActiveDirectory [EMAIL PROTECTED] wrote:
Also, if your Forests are all Native 2003 domains you might look into their consolidation features. Since none of your names overlap and the zones are the same you may have better luck. I don't know the details as I've never done it myself, but it is theoretically possible to merge them together.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 03, 2005 2:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Multiple forests with a common DNS parent zone

IF the NetBIOS names of the new root will NOT be the same as the old root, I can not make a technical case against your migration plans. It should work. But, if the NetBIOS names are going to be the same (maybe because your users are too attached to that name, and you don't want to introduce too much changes), then you can't do it the way you described it.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Mon 10/3/2005 2:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Multiple forests with a common DNS parent zone

I have encountered a situation where 4 forests exist today, all of which have a common DNS parent zone - let's call it xxx.com.

Forest 1 has root domain named xxx.com with multiple child domains
Forest 2 has root domain named ap.xxx.com with multiple child domains
Forest 3 has root domain named am.xxx.com with multiple child domains
Forest 4 has root domain named jp.xxx.com with no children

DNS resolution between the 4 forests works fine. Xxx.com is hosted on UNIX BIND servers with all child zones delegated to Windows DNS servers. All child zone DNS servers forward to the servers hosting xxx.com. Existing forests are w2k native and no trusts exist between these forests.

There is a proposal to build a new, fifth forest and to migrate all objects from the 4 forests above into this new forest. Forest 5 will have root domain named global.xxx.com and 4 children - representing the 4 forests above.

Does anyone have any concerns over the re-use of the same DNS name - xxx.com? I feel uncomfortable with this proposal but don't have any technical reasons to block it.

Any comments?

Thanks,
neil
___
Neil Ruston
Global Technology Infrastructure
Nomura International plc
Telephone: +44 (0) 20 7521 3481

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.


Re: [ActiveDir] Anti-virus protection in domain enviroment

2005-10-04 Thread Phil Renouf
Take a look at this article, it should give you the information you need to configure antivirus on your DCs:

http://support.microsoft.com/default.aspx/kb/822158

I don't have any experience running NOD32 on anything :)

As for clients, most environments I have been in use a product similar to McAfee's ePO to centrally manage all the AV agents on the desktop to make sure they are configured to the corporate standard and that they have up to date scan engines and DAT files.


Phil
On 10/4/05, Boris Demirov [EMAIL PROTECTED] wrote:
Hello everybody,

I got some questions about the anti-virus protection of a domain controller and the domain environment:

In my opinion the best AV program for the moment is NOD32 - I am using it successfully on many workstations, but I am not quite sure how it will act on a DC. What kind of protection do you use on your DCs and has somebody got a closer look on the NOD32 installed on a DC?

And something else to ask: what kind of AV protects your workstations in the domain, do you use a single copy of a normal AV or some enterprise edition? All advice on the topic of antivirus protection of the domain controller and the stations in the domain is welcome.


Re: [ActiveDir] Windows 2000 AD to 2003 - Almost Complete...

2005-10-04 Thread Phil Renouf
I haven't looked at your event errors, just quickly going to point out a good KB article on things to look out for when upgrading a domain from Win2k to Win2k3:

http://support.microsoft.com/default.aspx?scid=kb;[LN];555040

Many of the steps you've already followed.

Phil
On 10/4/05, Jennifer Fountain [EMAIL PROTECTED] wrote:
Hi all:

I am almost ready to add my first 2003 DC to the network but I wanted to run a couple things by the group to just check myself. So far, I have done the following:

1. Installed ADCE clients on my 9x Boxes and installed sp 6a on all nt4 boxes.
2. Ran the InetOrgPersonPrevent.ldf - I have exchange 2000 on my network.
3. Ran renameattribute.exe because I had/use SFU.
4. Ensured all DCs are sp4
5. Ran adprep /forestprep and /domainprep

After I ran the adprep, I noticed a couple errors on some of my dcs. Replication works fine so I wasn't sure if I should be concerned. (Only included two examples):

Event Type: Error
Event Source: NTDS General
Event Category: (9)
Event ID: 1153
Date: 10/3/2005
Time: 10:13:19 AM
User: Everyone
Computer: server
Description:
Class identifier 655567 (class name msWMI-UintRangeParam) has an invalid superclass 655563. Inheritance ignored.

Event Type: Error
Event Source: NTDS General
Event Category: (9)
Event ID: 1153
Date: 10/3/2005
Time: 10:13:19 AM
User: Everyone
Computer: server
Description:
Class identifier 655565 (class name msWMI-IntRangeParam) has an invalid superclass 655563. Inheritance ignored.

At this point, I should be ready but a little gunshy to install the first 2k3 DC. So, did I miss anything?

Kind Regards,
Jennifer Fountain
Systems Administrator/Security
RB Distribution
3400 E Walnut Street
Colmar, PA 18915

*The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer



Re: [ActiveDir] Access to ADUC from anywhere

2005-10-04 Thread Phil Renouf
It would be better to just do a RUNAS for a cmd prompt if you are going to be doing this at many desktops.

Phil
On 10/4/05, Kamlesh Parmar [EMAIL PROTECTED] wrote:
just my .02$...

/DOMAIN in command is literal, you don't have to replace with your domain name... it should be as it is /DOMAIN

I had once given this solution to Helpdesk guys and they were replacing /DOMAIN with actual domain name. Also, those guys should be logged in with their id and should have reset password right for users in question.

--
Kamlesh

On 10/5/05, joe [EMAIL PROTECTED] wrote:

Is password reset all they need? If so, they don't need the GUI.

NET USER USERID password /DOMAIN

If the machine isn't in the same domain as the userid, then you can use changepwd or cusrmgr or even a 3 line vbscript.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Figueroa, Johnny
Sent: Tuesday, October 04, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Access to ADUC from anywhere

I am looking to provide access to Active Directory Users and Computers MMC to some folks that move around a lot and may not have access to their computers. The goal is to allow them to reset passwords while out on the floor working with users.

I've tried a customized MMC but it looks like you need the Adminpak.MSI or at least parts of it:
http://support.microsoft.com/default.aspx?scid=kb;en-us;314978

Do I have any other options?

Thanks

Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services
Banner Health
Voice (602) 495-4195 Fax (602) 495-4406

WARNING: This message, and any attachments, are intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or employee/agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of the communication is strictly prohibited. If you receive this communication in error, please notify us immediately

--
~~~Fortune and Love befriend the bold~~~



Re: [ActiveDir] Cleanup of Active Directory...

2005-10-03 Thread Phil Renouf
I believe admod will export to a csv file, or you could also use dsquery/dsget to pipe out to a file you could load into Excel.

Phil
On 10/3/05, Frank Abagnale [EMAIL PROTECTED] wrote:

Hi all,

If you remember some of my previous posts, I've had issues with excessive numbers of Domain Admins and a poorly managed Active Directory network.

I have now managed to control the number of Domain Admins to a suitable manner for our environment and delegated the appropriate permissions for the Service Desk.

I now need to data 'cleanse' Active Directory due to the number of fields which contain incorrect data which has been manually entered by previous Service Desk users.

The fields which are showing incorrect data are the ones in the General and Organization tabs. Fields such as Description, Office, Title, Department etc are all showing the wrong data and are inconsistent. There are potentially 3500 users which may require account fields to be modified.

What I want to do is to clean this up. Is there a way in which I can export this data to an excel spreadsheet and then re-import without duplicating any accounts? Do I need to script this? (If so, does anyone have any scripts?)

Alternatively, is it worth employing someone to do it manually? Time consuming and probably not the most favoured option, though any ideas would be appreciated.

Oh, it's a Single W2k3 domain, 2003 FFL,

thanks...

frank
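An added example, not part of the original thread, of the export / correct in Excel / re-import cycle asked about above. The duplicate-account risk comes from matching rows back to accounts by a name field, which is exactly the data being corrected; keying every row on objectGUID instead makes the re-import an update of existing objects only, and a dry run with -WhatIf shows each planned change before anything is written. It assumes the ActiveDirectory module (RSAT); the OU, file paths and attribute list are placeholders. Set-ADUser -Replace/-Clear take LDAP attribute names, so the "Office" field is physicalDeliveryOfficeName here.

```powershell
# Added example: export user attributes for correction, then write them back
# keyed on objectGUID so a spreadsheet edit can never create a second account.
# Not from the original thread. Assumes the ActiveDirectory module; names are placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=corp,DC=example'
$ExportCsv  = 'C:\Cleanup\users-export.csv'
$ImportCsv  = 'C:\Cleanup\users-corrected.csv'
# LDAP names, because Set-ADUser -Replace/-Clear require them ("Office" = physicalDeliveryOfficeName)
$Attrs      = 'description', 'physicalDeliveryOfficeName', 'title', 'department', 'company'

function Export-UserAttributes {
    $props = @(@{ n = 'ObjectGUID'; e = { $_.ObjectGUID.Guid } }, 'SamAccountName', 'DistinguishedName') + $Attrs
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties $Attrs |
        Select-Object -Property $props |
        Export-Csv -Path $ExportCsv -NoTypeInformation -Encoding UTF8
}

function Import-UserAttributes {
    param([switch]$WhatIf)   # dry run: report every change, write nothing

    foreach ($row in Import-Csv -Path $ImportCsv) {
        # Look the account up by GUID only. objectGUID never changes and is never
        # reused, so a mistyped name in the sheet cannot resolve to the wrong user
        # or be mistaken for a new one.
        $user = Get-ADUser -Identity $row.ObjectGUID -Properties $Attrs -ErrorAction SilentlyContinue
        if (-not $user) {
            Write-Warning "No account with objectGUID $($row.ObjectGUID) ($($row.SamAccountName)); skipped"
            continue
        }

        $set   = @{}   # attributes whose value changed
        $clear = @()   # attributes the sheet emptied out
        foreach ($a in $Attrs) {
            $new = $row.$a
            $old = [string]$user.$a
            if ($new -eq $old) { continue }
            if ([string]::IsNullOrWhiteSpace($new)) { $clear += $a } else { $set[$a] = $new }
        }
        if ($set.Count -eq 0 -and $clear.Count -eq 0) { continue }

        $params = @{ Identity = $user.ObjectGUID; WhatIf = $WhatIf }
        if ($set.Count)   { $params.Replace = $set }
        if ($clear.Count) { $params.Clear   = $clear }
        Set-ADUser @params
    }
}

# Export-UserAttributes            # 1. hand the CSV to whoever is fixing the data
# Import-UserAttributes -WhatIf    # 2. review the planned changes
# Import-UserAttributes            # 3. apply
```

Run the import under an account delegated write access to just those attributes on that OU rather than as a Domain Admin; the script changes nothing but the listed attributes, and the delegation guarantees that even a bad spreadsheet cannot.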



Re: [ActiveDir] Domain Controller Security

2005-09-23 Thread Phil Renouf
Your TAM will not give you details on these attacks either. They may sit down with you and go over your concerns and try to help you work out the risk and some good mitigation steps, but they certainly will not give you any more information on the attacks than we have here.


I know that's not what you were trying to say ASB, just making sure that no one was expecting to get that information from their TAM.

Phil
On 9/23/05, ASB [EMAIL PROTECTED] wrote:

"And knowing it, I can always take extra precautions."

The "knowing it" consists of "don't do it, because you can't secure it".

There are no extra precautions to take. Certainly, you can increase your auditing, but you could do that now without knowing anything else.

"basically, 25% more prepared and secure against this type of attack is better than 0%."

The more people that know, the higher the potential of attack. And, as folks have pointed out, since there are no viable workarounds, it doesn't help anyone to have the number of potential attackers increased.

Call your TAM and see if he or she will provide enough details for you to feel comfortable.

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 9/23/05, Kamlesh Parmar [EMAIL PROTECTED] wrote:

I have to disagree a bit here...

Certainly, obscuring of information is not the way to feel secure. If I don't know how it is done, then how do I know that I will be able to detect it, and trace it. And knowing it, I can always take extra precautions. Which I think is better than not knowing it at all. Basically, 25% more prepared and secure against this type of attack is better than 0%, and certainly it helps calibrate how much paranoid I have to be. :-)

I would like to know how it is done, as our team is currently migrating some good number of domains to a single domain. And we are going to give local guys rights to logon to the DC for some system maintenance purposes, till the final single domain is cleaned up and we revert back to the core team for day-to-day maintenance.

So I am very much interested in knowing it.

On 9/23/05, joe [EMAIL PROTECTED] wrote:

The docs are wrong. Many of us have been hounding MS on this for years. They really started straightening out docs with K3. Some of the older 2K docs still suggest this security boundary at the domain. It really came to a head when Lucent put out a paper on this and it started getting quoted in the newsgroups and some of us just flamed the crap out of it.

No one here or anywhere should really publish how to exploit rights on a DC to take over a forest. The answer is pretty self-evident if someone understands the underpinnings and processes used in AD and since we can't fully protect against it, it is better left undocumented. If there was a guaranteed safe way to protect ourselves, then we could publish that workaround and some time later publish the issue.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

I thought that in AD domains are considered security boundaries. In the cert exams, namely the 70-219, they are considered as such. Also, how would a domain admin of a child domain elevate his privileges?

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

Even as a domain admin of a Child domain they will still be able to munge your forest or elevate their privileges. The security boundary in AD is at the forest, not the domain.

Phil

On 9/22/05, Gideon Ashcraft [EMAIL PROTECTED] wrote:

The only thing to do is to make him an admin of that site, or better yet make that site a child domain and make him a domain admin of that child domain. I know from experience that using a DC as anything but a DC is a freakin pain in the ass; my predecessor set a DC up as a print/file server and another as a SQL server (finally able to demote that one now, soon hopefully). But my citrix profiles are on the domain controller, and after months of trying to set delegation up properly in AD and setting up permissions in the appropriate folders on the DC, the only way I was able to get my Helpdesk admin set up to create accounts with my scripts so that I didn't have to do it was to make him a domain admin. My company is too damn cheap to get me another server to put the citrix profiles somewhere else. Oh yeah, and it's an app server for network install of office (can you feel my pain).

So, if there is only one server in the site and it's a DC, the only way to get him to do anything is to make him a domain admin (make it a child domain so he can't climb up the tree).

Gideon Ashcraft
Network Admin
Screen Actors Guild

Subject: RE: [ActiveDir] Domain Controller Security

Look through the archives.

The short answer

Re: [ActiveDir] OT: SAN Assessment

2005-09-22 Thread Phil Renouf
As someone else mentioned, when sizing a SAN for Exchange you are more concerned about performance than the size of the storage. That means that although you need to make sure you have enough disk space, more important is ensuring that the number of disks you get will meet the performance needs of your Exchange solution.


To get that performance number can be fairly involved and deals with getting performance data from your existing Exchange installation (if you have one), or doing some calculations based on assumptions if you don't have Exchange. Anyone who is experienced with sizing Exchange solutions on a SAN will have the knowledge to help you out with those assumptions. It will likely also involve doing validation of the performance you expect to get from the SAN once it is in place. This is important because you may find ways to improve performance even more by tweaking some configuration on the server or SAN, but more importantly you may find performance bottlenecks that you can fix prior to going to production.


Depending on the size of your Exchange environment and how complex it is that performance testing could go on for 4-6 weeks. Longer if it is an incredibly complex environment (Geo-clusters etc.)

Phil
On 9/22/05, Lawana Gibson [EMAIL PROTECTED] wrote:
Good mornin',

We have a SAN environment within our library. We're running a FC4500 with 1.2 TB of disk space. I have seven servers connected to the SAN and a PowerVault 136T Tape Library. We had Dell (we're a Dell shop) come in and assess our environment; we made the decision on how much disk space we needed, etc. So basically they took our specifications and produced a system (hardware, mgmt software, HBA). We had them install a turn key system so all we had to do was start moving data over to the disks (or LUNS). BUT you have to be very careful and make sure they are giving you the most current equipment; they are not selling you mgmt software that will not work with your server environment; basically make sure they know your network. Make sure your sales/technical accountant is aware of when your equipment comes in, who they sent to install the equipment, etc. Have them/make them document everything! I have horror stories related to our SAN installation, but once I finally complained loud enough (and we threatened not to pay them) they sent someone out to reconfigure our system.

We are now in the phase of upgrading our SAN environment... as a matter of fact I'm meeting with them next week. If I had one thing to warn you or suggest... make sure YOU are aware of what you're getting as far as software, HBAs and drivers, SAN management software, etc. Because if you don't know, you could be stuck with a monster on your hands.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Devan Pala
Sent: Wednesday, September 21, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SAN Assessment

Hi,

We're in the process of planning to migrate from Notes to Exchange and one of the dependencies of this migration is a SAN environment.

Has anyone utilized the services of any independent consulting bodies to carry out a SAN assessment? Essentially, helping in the process of determining requirements and laying out a path to successful deployment with considerations for high availability, scalability and future considerations.

Thanks,


Re: [ActiveDir] Domain Controller Security

2005-09-22 Thread Phil Renouf
I remember a conversation about creating OUs under the Domain Controllers OU and how MSFT didn't recommend it, or didn't support it or something. joe?

That aside, you can't give local logon to a DC; there are no local accounts on a DC, only domain accounts. That means that if he can log on to that DC he has enough rights to do some bad things (which has already been covered in this thread so I won't bother getting into it again).


As joe just said: don't do this.

Phil
On 9/22/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

You might consider a lower level OU under the Domain Controllers OU with a different GPO that grants him local logon to just that DC.

Thank You! And have a nice day!
**
Mark Lunsford
KAISER PERMANENTE
Security Operations
Remedy Group: NOPS SECURITY EDOS SYS
Direct Manager: Bud Furrow
Email: [EMAIL PROTECTED]
Outside Phone: 925-926-5898
Tie Line Phone: 8-473-5898
Cell: 925-200-4077
**

Gil Kirkpatrick [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
09/21/2005 05:03 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Domain Controller Security

Yes, untrusted admin + DC logon access = no more security.

If you're trying to lock him down, then you can't give him access to the DC. Can you give him a member server for the file shares and just delegate the password administration on the OU?

-g

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ASB
Sent: Wednesday, September 21, 2005 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

That sounds dangerous.

If you give him access to that server, particularly local logon access, you might as well just put him in the Enterprise Admin group and save both of you a few moments of work.

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 9/20/05, van Donk, Fred [EMAIL PROTECTED] wrote:
I have a contractor in a remote site. There is only 1 server in that site which is a DC.

He needs to administer that server.
-Create shares
-Make file/share permissions
-Change user passwords in the User OU for that site.

He is not allowed to log on to any other server in the domain.

When I make him a Server Operator he can logon to any server in the domain.

Any idea on how to lock him down to that one server and then how to lock him down on that one OU where he should only be allowed to change the passwords of the users.

Thanks!
Fred
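An added example, not part of the original thread, of the delegation Gil suggests in place of Server Operators or Domain Admins: grant exactly the "Reset Password" control access right on the site's user OU, plus write access to pwdLastSet so the contractor can tick "user must change password at next logon", both inherited by user objects under that OU only. The schema GUIDs are the well-known ones and are the same in every forest; the OU DN and group name are placeholders. It assumes the ActiveDirectory module (RSAT), which provides the AD: drive, run from a session that can write the OU's ACL.

```powershell
# Added example: delegate password reset on one OU instead of granting DC logon.
# Not from the original thread. Assumes the ActiveDirectory module (for the AD:
# drive) and rights to modify the OU's security descriptor; names are placeholders.
Import-Module ActiveDirectory

$OuDn  = 'OU=Users,OU=RemoteSite,DC=corp,DC=example'
$Group = 'CORP\RemoteSite-PasswordReset'

# Well-known schema GUIDs, identical in every AD forest
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # controlAccessRight "Reset Password"
$PwdLastSetAttr     = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attributeSchema pwdLastSet
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # classSchema user

function Grant-PasswordResetOnOu {
    param([string]$OuDn, [string]$Group)

    $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate([System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl -Path "AD:\$OuDn"
    $allow        = [System.Security.AccessControl.AccessControlType]::Allow
    $onChildUsers = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # .NET's spelling

    # ACE 1: the "Reset Password" extended right, inherited only by user objects below the OU.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $ResetPasswordRight, $onChildUsers, $UserClass)))

    # ACE 2: read/write pwdLastSet, needed to force a password change at next logon.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ([System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'),
        $allow, $PwdLastSetAttr, $onChildUsers, $UserClass)))

    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-PasswordResetDelegations {
    # Verification: who holds Reset Password on this OU, and over which object class.
    param([string]$OuDn)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.ObjectType -eq $ResetPasswordRight -and $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, InheritanceType, InheritedObjectType
}

Grant-PasswordResetOnOu -OuDn $OuDn -Group $Group
Get-PasswordResetDelegations -OuDn $OuDn
```

Test it as a member of the delegated group: Set-ADAccountPassword -Reset against a user in that OU succeeds and against a user elsewhere is denied, and the account has no logon right on any DC. Two properties of this design are worth knowing. Nothing here grants "Allow log on locally" anywhere, which is the right that makes the Server Operators approach unsafe. And accounts in protected groups (Domain Admins and the rest covered by AdminSDHolder) do not inherit OU ACLs, so even if such an account sits in that OU the contractor cannot reset its password. The file shares still need to move to a member server; no ACL on the directory changes what logon to the DC itself allows.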


Re: [ActiveDir] Domain Controller Security

2005-09-22 Thread Phil Renouf
Even as a domain admin of a Child domain they will still be able to munge your forest or elevate their privileges. The security boundary in AD is at the forest, not the domain.

Phil
On 9/22/05, Gideon Ashcraft [EMAIL PROTECTED] wrote:

The only thing to do is to make him an admin of that site, or better yet make that site a child domain and make him a domain admin of that child domain. I know from experience that using a DC as anything but a DC is a freakin pain in the ass, my predecessor set a DC up as a print/file server and another as a SQL server (finally able to demote that one now, soon hopefully). But my citrix profiles are on the domain controller, and after months of trying to set delegation up properly in AD and setting up permissions in the appropriate folders on the DC, the only way I was able to get my Helpdesk admin set up to create accounts with my scripts so that I didn't have to do it was to make him a domain admin. My company is too damn cheap to get me another server to put the citrix profiles somewhere else. Oh yeah, and its an app server for network install of office (can you feel my pain).


So, if there is only oneserver in the site and its a DC, the only way to get him to do anything is to make him a domain admin (make it a child domain so he can't climb up the tree)

Gideon Ashcraft
Network Admin
Screen Actors Guildct: RE: [ActiveDir] Domain Controller Security 
Look through the archives.

The short answer is... Just don't do it. You can't possibly secure this regardless of what anyone says. If someone says it can be made safe, stop asking them technical questions about Domain Controllers and Active Directory.


Either you trust the person or you don't. If you don't trust the person, then don't put the person in a position to show you the meaning of screwed.






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of van Donk, Fred
Sent: Tuesday, September 20, 2005 4:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Security

I have a contractor in a remote site. There is only 1 server in that site which is a DC.

He needs to administer that server. 
-Create shares
-Make file/share permissions
-Change user passwords in the User OU for that site.

He is not allowed to log on to any other server in the domain.

When I make him a Server Operator he can log on to any server in the domain.

Any idea on how to lock him down to that one server and then how to lock him down on that one OU where he should only be allowed to change the passwords of the users.


Thanks!
Fred
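The OU side of Fred's question (an account that may only reset passwords in one OU) can be scoped with a delegation, and what else that account is a member of can be checked rather than assumed. The following is an added example, not code from the thread or from any of its posters; the OU path, the EXAMPLE domain, the SiteHelpdesk group, the contractor1 account and the list of privileged groups are placeholders and assumptions to adapt.

```powershell
# Added example, not from the thread: delegate only "Reset Password" on one OU to a
# group, then check that the delegate is not nested into any built-in group whose
# rights span every server in the domain. All names below are placeholders.
Import-Module ActiveDirectory

$ou       = 'OU=Site Users,DC=example,DC=com'   # placeholder: the site's user OU
$delegate = 'EXAMPLE\SiteHelpdesk'              # placeholder: group the contractor is in
$account  = 'contractor1'                       # placeholder: contractor's sAMAccountName

# 1. Grant the Reset Password control-access right on user objects under the OU only
#    (/I:S = inherit to sub-objects of the named class), plus write access to
#    pwdLastSet so "user must change password at next logon" can be set.
dsacls $ou /I:S /G "${delegate}:CA;Reset Password;user"
dsacls $ou /I:S /G "${delegate}:RPWP;pwdLastSet;user"

# 2. Review what the OU's ACL now says about the delegate.
dsacls $ou | Select-String -SimpleMatch $delegate

# 3. Transitive group check. The LDAP_MATCHING_RULE_IN_CHAIN filter returns every
#    group the account belongs to through any depth of nesting, so a membership
#    hidden two groups deep still shows up. The group list is an assumption.
$privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                'Server Operators', 'Account Operators', 'Backup Operators', 'Print Operators')
$dn   = (Get-ADUser -Identity $account).DistinguishedName
$hits = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Where-Object { $privileged -contains $_.Name } |
        Select-Object -ExpandProperty Name
if ($hits) {
    Write-Warning "$account is (directly or by nesting) a member of: $($hits -join ', ')"
} else {
    Write-Output "$account holds no built-in privileged group membership."
}
```

Keeping the contractor out of Server Operators and limiting his interactive logon to the one server is a user-rights question (the logon rights in Group Policy, scoped to that machine), not something dsacls can express. None of it changes Phil's point: whoever administers a domain controller interactively effectively has the forest, so the delegation above limits what the account can do through the directory, not what a local administrator of a DC can do.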




Re: [ActiveDir] OT: SAN Assessment

2005-09-22 Thread Phil Renouf
Absolutely, it is important to work with your SAN vendor through the whole process to make sure that everything is configured properly on the SAN and that you've got everything you need since there is a lot more to a SAN than just some HBAs and some disk. They know their product better than anyone and it is important for them to be a part of the whole process. 


Just make sure that the people you are dealing with at your SAN vendor have specific knowledge about running Exchange on the SAN because as Al said, it does have some nuances. 

Phil
On 9/22/05, Al Mulnick [EMAIL PROTECTED] wrote:

LOL. I'm laughing because a company I used to get paid by thought that's how long it would take as well (I spec'd the project, and budgeted 7 weeks of lab for the environment and was being overly aggressive for that; another story.) How long was the actual? Don't know because of the politics surrounding the implementation; the engineering was influenced by outside entities that munged it all up and it's still not quite done. At one point I offered to host 4K user density Exchange clusters on iPaq devices clustered with a bluetooth piconet. Shame they didn't take me up on that ;)


I can say that a general principle for Exchange sizing is to focus on attaining the desired performance level first and the space second. Exchange is highly disk dependent for performance, especially as you scale up in db size and user density.


As for sizing, you also generally want to work with restoration times (restoration of data, service, etc.) and work backwards to derive the density that you need to achieve, and then play that back to the disk subsystem and layout. Exchange is spindle hungry for most SAN implementations, very similar to other two-phase commit database applications. There are some nuances to be aware of, but basically the same concept applies.


Lawana is absolutely correct in how to get the proper configuration and how important it is. Some SAN vendors I've dealt with include that evaluation and supported configuration service in the maintenance. Something to check on. I have ALWAYS gone back to the SAN vendor to get the thumbs up on the configuration prior to even testing. Saves a lot of time that way.


My 0.035 anyway. 

ajm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 11:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: SAN Assessment


As someone else mentioned, when sizing a SAN for Exchange you are more concerned about performance than the size of the storage. That means that although you need to make sure you have enough disk space, more important is ensuring that the number of disks you get will meet the performance needs of your Exchange solution. 


To get that performance number can be fairly involved and deals with getting performance data from your existing Exchange installation (if you have one), or doing some calculations based on assumptions if you don't have Exchange. Anyone who is experienced with sizing Exchange solutions on a SAN will have the knowledge to help you out with those assumptions. It will likely also involve doing validation of the performance you expect to get from the SAN once it is in place. This is important because you may find ways to improve performance even more by tweaking some configuration on the server or SAN, but more importantly you may find performance bottlenecks that you can fix prior to going to production.


Depending on the size of your Exchange environment and how complex it is that performance testing could go on for 4-6 weeks. Longer if it is an incredibly complex environment (Geo-clusters etc.)

Phil
On 9/22/05, Lawana Gibson [EMAIL PROTECTED] wrote:
Good mornin',

We have a SAN environment within our library. We're running a FC4500 with 1.2 TB of disk space. I have seven servers connected to the SAN and a PowerVault 136T Tape Library. We had Dell (we're a Dell shop) come in and assess our environment; we made the decision on how much disk space we needed, etc. So basically they took our specifications and produced a system (hardware, mgmt software, HBA). We had them install a turn key system so all we had to do was start moving data over to the disks (or LUNs). BUT you have to be very careful and make sure they are giving you the most current equipment; they are not selling you mgmt software that will not work with your server environment... basically make sure they know your network. Make sure your sales/technical accountant is aware of when your equipment comes in, who they sent to install the equipment, etc. Have them/make them document everything! I have horror stories related to our SAN installation, but once I finally complained loud enough (and we threatened not to pay them) they sent someone out to reconfigure our system. We are now in the phase of upgrading our SAN environment... as a matter of fact I'm meeting with them next week. If I had one thing to warn you or

Re: [ActiveDir] Domain Controller Security

2005-09-22 Thread Phil Renouf
When Windows 2000 first came out the domain was thought of as the security boundary and Microsoft even stated that in documentation, books and certifications. Through the course of using AD there were a few things that came to light as some talented and curious folks started noticing things, and that has led to the security boundary stance being revised. The original statement was a mistake and I believe Microsoft has recognized and admitted that. Any up-to-date documentation will reflect that notion of the forest being the security boundary.


I don't think anyone is going to get into how privilege escalation can be done, I know I certainly won't get into it other than to make people aware that it is possible.

Phil
On 9/22/05, DeStefano, Dan [EMAIL PROTECTED] wrote:


I thought that in AD domains are considered security boundaries. In the cert exams, namely the 70-219, they are considered as such. Also, how would a domain admin of a child domain elevate his privileges?



Dan





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security


Even as a domain admin of a Child domain they will still be able to munge your forest or elevate their privileges. The security boundary in AD is at the forest, not the domain.




Phil

On 9/22/05, Gideon Ashcraft [EMAIL PROTECTED] wrote:


The only thing to do is to make him an admin of that site, or better yet make that site a child domain and make him a domain admin of that child domain. I know from experience that using a DC as anything but a DC is a freakin pain in the ass, my predecessor set a DC up as a print/file server and another as a SQL server (finally able to demote that one now, soon hopefully). But my Citrix profiles are on the domain controller, and after months of trying to set delegation up properly in AD and setting up permissions in the appropriate folders on the DC, the only way I was able to get my Helpdesk admin set up to create accounts with my scripts so that I didn't have to do it was to make him a domain admin. My company is too damn cheap to get me another server to put the Citrix profiles somewhere else. Oh yeah, and it's an app server for network install of Office (can you feel my pain).




So, if there is only one server in the site and it's a DC, the only way to get him to do anything is to make him a domain admin (make it a child domain so he can't climb up the tree)




Gideon Ashcraft

Network Admin

Screen Actors Guild

Subject: RE: [ActiveDir] Domain Controller Security

Look through the archives.

The short answer is... Just don't do it. You can't possibly secure this regardless of what anyone says. If someone says it can be made safe, stop asking them technical questions about Domain Controllers and Active Directory. 


Either you trust the person or you don't. If you don't trust the person, then don't put the person in a position to show you the meaning of screwed. 






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of van Donk, Fred
Sent: Tuesday, September 20, 2005 4:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Security

I have a contractor in a remote site. There is only 1 server in that site which is a DC.




He needs to administer that server. 

-Create shares

-Make file/share permissions

-Change user passwords in the User OU for that site.



He is not allowed to log on to any other server in the domain.



When I make him a Server Operator he can log on to any server in the domain.



Any idea on how to lock him down to that one server and then how to lock him down on that one OU where he should only be allowed to change the passwords of the users.




Thanks!

Fred










NOTICE: The information contained in this transmission is privileged, confidential, and intended only for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or the taking of any action in reliance on the contents of this transmission is strictly prohibited. If you have received this transmission in error, please notify Eze Castle Integration, Inc. by e-mail and destroy the original message and all copies. Thank you.



Re: [ActiveDir] dns suffix search list

2005-09-22 Thread Phil Renouf
You can not modify the search suffix list via DHCP.

Phil
On 9/22/05, Dan Holme [EMAIL PROTECTED] wrote:


Marcus: What scope option is that? Funny… I thought it was there too and couldn't find the option…


Tom:

http://www.microsoft.com/technet/scriptcenter/scripts/network/client/modify/nwmovb21.mspx is the WMI script
also 
Group Policy allows configuring the DNS Suffix Search Order.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 8:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dns suffix search list

By lots of machines, are you referring to workstations? If so, are they in a scope that's managed by DHCP? You could manipulate the search suffix that way… 






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Thursday, September 22, 2005 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dns suffix search list


I'm only running win2k.

I'd like to make the script query a text file of client names, so I can just execute it from my desktop rather than a script.

How would I go about doing that?

Thanks


-Original Message-
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]]
Sent: Thu 9/22/2005 2:31 PM
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] dns suffix search list
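Phil's point is that DHCP cannot carry the suffix search list; Dan's reply gives the two routes that can, Group Policy and a WMI script. For Tom's case (a text file of client names, run from his desktop) the WMI route looks like the following. This is an added example, not the script Dan linked and not code from any poster; clients.txt, the suffix names and the assumption that the account running it is a local administrator on every client are placeholders.

```powershell
# Added example, not from the thread: set the DNS suffix search list on a batch of
# Windows clients named in a text file, using the Win32_NetworkAdapterConfiguration
# WMI method the thread points to. clients.txt and the suffix list are placeholders.
$suffixes = @('corp.example.com', 'example.com')     # desired search order, first tried first
$clients  = Get-Content -Path '.\clients.txt' | Where-Object { $_.Trim() -ne '' }

$results = foreach ($client in $clients) {
    try {
        # SetDNSSuffixSearchOrder is a static method of the class (the search list is
        # machine-wide), so it is invoked on the class object for the remote machine.
        $class = [wmiclass]"\\$client\root\cimv2:Win32_NetworkAdapterConfiguration"
        $rc = $class.SetDNSSuffixSearchOrder($suffixes).ReturnValue   # 0 = ok, 1 = reboot required

        # Read the list back from an IP-enabled adapter and compare it to what was sent,
        # so a client that silently kept a different list is reported rather than assumed fixed.
        $adapter = Get-WmiObject -ComputerName $client -Class Win32_NetworkAdapterConfiguration `
                                 -Filter 'IPEnabled = TRUE' | Select-Object -First 1
        $current = @($adapter.DNSDomainSuffixSearchOrder)
        [pscustomobject]@{
            Client      = $client
            ReturnValue = $rc
            Verified    = (($current -join ',') -eq ($suffixes -join ','))
            Error       = $null
        }
    } catch {
        [pscustomobject]@{ Client = $client; ReturnValue = $null; Verified = $false; Error = $_.Exception.Message }
    }
}
$results | Format-Table -AutoSize
```

The read-back is the part worth keeping even if the push is later moved to Group Policy: a client whose search list contains a suffix you do not control will resolve single-label names under someone else's domain, so a periodic pass that only reads DNSDomainSuffixSearchOrder and flags mismatches is a cheap check.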




Re: [ActiveDir] Firewall

2005-09-21 Thread Phil Renouf
You mean securing your network from the internet? Or is this just an internal security question?

Phil
On 9/21/05, Za Vue [EMAIL PROTECTED] wrote:
For small networks with 250 nodes or less, what/how are you all protecting your servers? Windows firewall, 3rd party vendor, or just standard Windows security?

-Z.V.


Re: [ActiveDir] Firewall

2005-09-21 Thread Phil Renouf
I don't like Pix's, hate how they are managed and I think the interface is bad.

I prefer Netscreen and Nokia (or a server running Checkpoint, but the Nokias are better for most instances). For a small company ISA Server might be an option as well, it is a lot better in the latest version than it was in the past. I still like little appliances like the Nokia though.


Phil
On 9/21/05, Brian Desmond [EMAIL PROTECTED] wrote:
This sort of application is something that a little Pix works well for - something like a 515E.
I've also seen a bunch of those Sonicwalls and Fireboxes as well in this market.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Za Vue
Sent: Wednesday, September 21, 2005 7:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Firewall

For small networks with 250 nodes or less, what/how are you all protecting your servers? Windows firewall, 3rd party vendor, or just standard Windows security?

-Z.V.


Re: [ActiveDir] The new acctinfo2.dll

2005-09-21 Thread Phil Renouf
I believe that acctinfo2.dll has been available for quite some time. If you have a TAM just ask them for the file and they should be able to get it to you.

Phil
On 9/21/05, TIROA YANN [EMAIL PROTECTED] wrote:
Hello folks ;o)

I heard that the new acctinfo2.dll has been released. Can someone confirm this for me and point me to a link to download it?

Thanks for help :)

Regards,
Yann TIROA
Centre de Ressources Informatique.
Campus Scientifique de la DOUA.
Bât. Gabriel Lippmann - 2 ème étage - salle 238.
43, Bd du 11 Novembre 1918.
69622 Villeurbanne Cedex.


Re: [ActiveDir] Firewall

2005-09-21 Thread Phil Renouf
Nokia and Pix are similarly priced at the low end.

Phil
On 9/21/05, Brian Desmond [EMAIL PROTECTED] wrote:


Yeah, a Nokia running Checkpoint is really expensive, and probably way out of budget for what the OP is looking for if I had to hazard a guess. I think Pix and Checkpoint and others all have their places. For a small business looking for an Internet firewall, I think a mid-end pix fits the bill pretty well. 



Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Wednesday, September 21, 2005 11:03 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Firewall



I don't like Pix's, hate how they are managed and I think the interface is bad.



I prefer Netscreen and Nokia (or a server running Checkpoint, but the Nokias are better for most instances). For a small company ISA Server might be an option as well, it is a lot better in the latest version than it was in the past. I still like little appliances like the Nokia though. 




Phil

On 9/21/05, Brian Desmond [EMAIL PROTECTED] wrote:
This sort of application is something that a little Pix works well for - something like a 515E.
I've also seen a bunch of those Sonicwalls and Fireboxes as well in this market.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Za Vue
Sent: Wednesday, September 21, 2005 7:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Firewall

For small networks with 250 nodes or less, what/how are you all protecting your servers? Windows firewall, 3rd party vendor, or just standard Windows security?

-Z.V.




Re: [ActiveDir] OT: SAN Assessment

2005-09-21 Thread Phil Renouf
That is good to hear, many SAN vendors will give you bad advice regarding Exchange on a SAN as they just assume Exchange is like any other SAN connected server when in fact that is not the case. Exchange really depends on the performance of the disk so making some bad decisions early on can end up costing you a lot of money down the road.


If the HP guys have good Exchange experience then that is cool, but they will still be vendor specific. I know that MCS does a lot of Exchange SAN sizing and MCS isn't vendor specific so they won't really care what storage vendor you go with. There are different quirks to each storage vendor's solutions that will impact your SAN design so getting someone who is knowledgeable on SAN and Exchange configuration is essential.

MCS isn't always cheap, but when it comes to a project like Exchange with a SAN backend I think it's worth it. Whoever you choose to go with, just make sure that they have Exchange expertise to go along with the SAN expertise.


Phil

Note: for some reason I feel the need to admit that I do work for MCS, so I suppose you can take this with a grain of sand, especially since I do Exchange ;)

On 9/21/05, Bernard, Aric [EMAIL PROTECTED] wrote:
And if you do have or are considering HP SAN equipment, call your HP representative and let them know you need help with capacity planning and configuration for your SAN for Exchange. Most of the folks at HP involved with this kind of activity follow Pierre's (an HP employee) methodology and best practices. In many cases they can provide assistance at little or no direct cost to you.

Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Coleman, Hunter
Sent: Wednesday, September 21, 2005 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SAN Assessment

If you have the time, pick up a copy of Pierre Bijaoui's Scaling Microsoft Exchange 2000. I don't think it's been updated for Exchange 2003, but most everything he covers in there carries forward. It's very good information on building storage infrastructure for Exchange, including SANs. It may not replace a consulting engagement, but it will give you enough background to understand (and question) any recommendations.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Devan Pala
Sent: Wednesday, September 21, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SAN Assessment

Well we don't have a preferred vendor. We're looking at all the obvious choices: HP, EMC, StorageTek (SUN) etc. Right now it's more important to just get an independent (non-vendor specific) assessment carried out.

Thanks,

Firefox - Rediscover the web

Original Message Follows
From: Bernard, Aric [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SAN Assessment
Date: Wed, 21 Sep 2005 14:25:57 -0400

Yep, lots of consulting firms do this sort of work. Who is the SAN vendor? Typically they will be happy to come out and help with this kind of activity as it usually means additional sales now or in the future.

Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Wednesday, September 21, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: SAN Assessment

I work for a consulting firm that does these sorts of things, so, yes I know people utilize consulting firms to do this stuff. :)

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Devan Pala
Sent: Wednesday, September 21, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: SAN Assessment

Hi,

We're in the process of planning to migrate from Notes to Exchange and one of the dependencies of this migration is a SAN environment. Has anyone utilized the services of any independent consulting bodies to carry out a SAN assessment? Essentially, helping in the process of determining requirements and laying out a path to successful deployment with considerations for high availability, scalability and future considerations.

Thanks,

Re: [ActiveDir] Firewall

2005-09-21 Thread Phil Renouf
The IP40 is their low end box, but the IP130 would fit many small/medium businesses as well.

http://www.nokia.com/nokia/0,0,76748,0.html

Also, I just took a look at Checkpoint's website and apparently they have a new version called Checkpoint Express that is focused on small businesses. This may be another option (Checkpoint on a server), but I don't know what the price is.


Phil
On 9/21/05, Brian Desmond [EMAIL PROTECTED] wrote:


I'm only familiar with their higher end stuff. I didn't know they even had a lowend appliance. What do they call them?



Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Wednesday, September 21, 2005 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Firewall




Nokia and Pix are similarly priced at the low end.



Phil

On 9/21/05, Brian Desmond [EMAIL PROTECTED] wrote:

Yeah, a Nokia running Checkpoint is really expensive, and probably way out of budget for what the OP is looking for if I had to hazard a guess. I think Pix and Checkpoint and others all have their places. For a small business looking for an Internet firewall, I think a mid-end pix fits the bill pretty well. 



Thanks,
 Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Wednesday, September 21, 2005 11:03 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Firewall



I don't like Pix's, hate how they are managed and I think the interface is bad.



I prefer Netscreen and Nokia (or a server running Checkpoint, but the Nokias are better for most instances). For a small company ISA Server might be an option as well, it is a lot better in the latest version than it was in the past. I still like little appliances like the Nokia though. 




Phil

On 9/21/05, Brian Desmond [EMAIL PROTECTED] wrote:
This sort of application is something that a little Pix works well for - something like a 515E.
I've also seen a bunch of those Sonicwalls and Fireboxes as well in this market.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Za Vue
Sent: Wednesday, September 21, 2005 7:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Firewall

For small networks with 250 nodes or less, what/how are you all protecting your servers? Windows firewall, 3rd party vendor, or just standard Windows security?

-Z.V.





Re: [ActiveDir] disabling users

2005-09-21 Thread Phil Renouf
You can absolutely get by without knowing any scripting or programming. Many (many) people do it and I would say that the majority of IT people don't know how to script at all.

That said, scripting just makes your life easier and is so helpful (and sometimes is the only choice) that it is very useful to know how to script in a couple of languages (because there is never any perfect language). Probably best in your situation to pick one language and focus on it, then once you've gotten that one down you can pick another one and check it out.


To take this another step further, is it required to know how to program? Absolutely not. It is good to know a bit about programming so you can talk with the programmer intelligently, but as an admin it's not required to know how to program. Obviously the more skills you have the better off you are, but don't stress about learning to program if you have other skills to worry about first.


Phil
On 9/21/05, Tom Kern [EMAIL PROTECTED] wrote:

You don't think one can get by in IT with just one lang?
Can't you do everything in Perl that you can do in _vbscript_ and then some?
I'm sure you can get by on Windows with just Perl.
I'm in a multi platform environment and frankly I just don't have the time to learn both _vbscript_ and Perl.
I would end up just knowing both a little and badly.
My brain can't keep jumping from one to the other and in scripting, if you don't use one lang for a while, you forget it.
In which case I'd just end up bugging you guys on this list again for examples.
I'd like to get to the point where I can do it myself and trying to learn both will never work for me.
I have a hard enough time keeping as much as I can about Windows and AD and Exchange and some Linux stuff in my head.
2 scripting langs will make my head explode. I'll never remember them at all.
I just need to learn one and devote myself to learning it well instead of being a scripting jack of all trades and master of none.

As to Perl books, then where can one learn COM on Perl?

Thanks a lot guys!

On 9/21/05, Brian Desmond [EMAIL PROTECTED] wrote:
Joe Richards might know some Win32 Perl resources. _vbscript_ isn't that hard, really. If you know the COM & ADSI stuff for Perl as far as methods, names, etc, it's just a different syntax for using it. _vbscript_ you have the advantage of the technet scriptcenter which has examples complete enough to copy and paste together and run.

I'm not a CS major either, I don't even have any formal training in this field. The only things I've been taught in a classroom are how to read, write, and do some math. Everything I know I learnt going to work every day and doing new things, asking questions here and there around this list and other places. I realized I needed to learn _vbscript_ and so I started tackling projects with _vbscript_s, and with a bit of work I got to be pretty good at it. I still need a copy of the platform sdk on my other monitor to remember methods, parameters, etc, but I know the syntax. That said, if I'm feeling lazy I still go and piece things together with scriptcenter snippets.

My point here is that it would probably be long term beneficial to you to at least be able to do simple things in _vbscript_ like read a file, run an external command, etc. As I said in my first message, if you post what you have, I'll try and edit it as an example for you.

Thanks,
Brian Desmond
mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]
c - 312.731.3132

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, September 21, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] disabling users

I only have time to learn one scripting lang. I figured Perl is the better way to go as I have to work with Linux and Solaris as well. Know of any good docs, books, sites on Perl and COM+ or ADSI? Something that will teach you both like the _vbscript_ resources do? I really think there is a market for Perl and AD/win32 out there that is untapped. O'Reilly has let most of their win32 Perl books become outdated and stop at Win NT, as has Dave Roth. I'm not a programmer and I don't have time to learn multiple scripting langs, so I always thought Perl would be the best way to go. I find it as approachable as _vbscript_ but unlike _vbscript_, I don't find many resources for using it on win32 systems. I'm afraid learning Perl and working with Windows might be an uphill battle. Are there resources for teaching you how to use Perl with CDO, WMI, ADSI, ADO, etc? I'm not a total newbie to Perl, I've used it on Linux but I've never really done much on Windows with ActiveState. And as I've said, I'm not a programmer and I didn't major in comp sci, so a lot of this stuff is not second nature to me and hasn't been pounded in for years. So jumping from lang to lang for me is not really an option.

Thanks

-Original Message-
From: Brian Desmond [mailto:[EMAIL PROTECTED]]
Sent: Wed 9/21/2005 2:46 PM
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE:

Re: [ActiveDir] General Access Machines

2005-09-19 Thread Phil Renouf
Totally agree with what Brian is saying.

Just wondering what your reasoning is for wanting to keep your domain isolated from the main IT group.

Phil
On 9/19/05, Brian Desmond [EMAIL PROTECTED] wrote:
Trusting the campus domain and having students logon with their main username & password seems like the best and most logical solution.

You could export all of the usernames from the campus domain, but you won't get the passwords. Giving people even more sets of credentials to remember is pretty counterproductive, so letting them use their campus account would make the most sense to me.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Za Vue
Sent: Monday, September 19, 2005 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] General Access Machines

My environment: Windows 2003 Active Directory

Those managing labs for colleges/universities: How do you all manage and secure your open access labs? Currently my lab PCs have a single sign-on domain account that logs on automatically to the PCs. GPO locks down the machines pretty tight. This does not prevent anyone from walking in and using the machines, which I am trying to prevent.

I could trust my domain with the main campus domain and have students log in using their college id/password. I like to maintain our independence from the main IT group as much as possible. Could I dump the LDAP database into my domain and have students log in as themselves? I have about 450-500 students.

-Z.V.


Re: [ActiveDir] demoting DC's

2005-09-12 Thread Phil Renouf
Further to this I always try to have my subnets defined in AD somewhere rather than leaving them undefined. This is so that the new alert you get on a DC when a client logs in that doesn't have a defined subnet will mean more to you if it isn't happening all the time.


Phil
On 9/12/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

Although the branch offices will not host DCs, you should leave the AD sites and subnets structure as is because DFS also uses sites and subnets to locate the nearest root servers and in your case the targets. The DC-less sites will then automatically be covered (by default enabled) by the DCs in the Regional Core Site. If you would not have any site aware services in a site (like DCs and/or DFS root or target servers, Exchange) you could then remove the site definition for the branches and assign the subnets from the branches to the Regional Core Site(s).


Cheers
Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Abagnale
Sent: Monday, September 12, 2005 12:20
To: Active
Subject: [ActiveDir] demoting DC's



I'd like to reduce the number of dual role DC's which act as File & Print/DFS Servers currently in operation in my environment. At the moment I have around 80.
We have a DFS target share on each of the 80 File & Print/DFS Servers.
We have a hub and spoke network design, whereby we have a Regional Core Site which has 12 branch sites attached to it. Each branch site has one DC which acts as a FP/DFS server.
At the moment, each branch site has its own Site & Subnet defined in AD so that the local user will be authenticated by its local branch site DC.
I would like to demote all 12 branch site DC's to member servers, so they are just plain File & Print/DFS Servers. I would like users to authenticate to the Regional Core Site FP servers (which are managed by core Infrastructure).

If I demote a branch site DC to a member server, should I leave the IP subnet undefined in AD, and allow the Workstation to automatically find its next closest DC, or should I add the IP Subnet manually to the Regional Core Site so this handles authentication?

I don't know much about DFS, but if I did the latter, would this affect my DFS structure? Are there any problems with putting multiple DFS Servers within the same AD Site?
What would you do?
thanks
Frank





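Phil's advice above (define every subnet so that a NO_CLIENT_SITE alert actually means something) and Frank's question about folding a branch subnet into the Regional Core Site, as an added example that is not part of the thread: a Python check that reads Netlogon's NO_CLIENT_SITE entries and reports which client addresses no defined AD subnet covers. The site/subnet table and the log lines are constructed; the log line layout follows the NO_CLIENT_SITE entries netlogon.log writes when a client's address matches no defined subnet.

```python
"""Check Netlogon NO_CLIENT_SITE entries against the AD subnet definitions.

Added example, not from the thread. SITE_SUBNETS and NETLOGON_LOG are
constructed to mirror the hub-and-spoke layout discussed (a Regional Core
Site plus branches); the log lines follow the NO_CLIENT_SITE line format
netlogon.log uses when a client's address matches no defined subnet.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed site -> subnet table, as AD Sites and Services would hold it.
SITE_SUBNETS = {
    "Regional-Core": ["10.1.0.0/16"],   # hub; DC-less branch ranges folded in
    "Branch-02": ["10.1.2.0/24"],       # branch that still has its own DC
    "Branch-03": ["10.1.3.0/24"],
}

# Constructed netlogon.log excerpt (the last line is not a site warning).
NETLOGON_LOG = """\
09/12 10:21:33 [MISC] CONTOSO: NO_CLIENT_SITE: WKS01 10.1.2.23
09/12 10:21:40 [MISC] CONTOSO: NO_CLIENT_SITE: WKS05 10.1.7.4
09/12 10:21:52 [MISC] CONTOSO: NO_CLIENT_SITE: WKS07 10.4.0.15
09/12 10:22:02 [MISC] CONTOSO: NO_CLIENT_SITE: WKS08 10.4.0.99
09/12 10:25:17 [MISC] CONTOSO: NO_CLIENT_SITE: LAPTOP3 192.168.50.8
09/12 10:25:17 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\bob from WKS01 Entered
"""

NO_SITE_RE = re.compile(r"NO_CLIENT_SITE:\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_no_client_site(log_text):
    """Return (hostname, IPv4Address) for every NO_CLIENT_SITE entry."""
    hits = []
    for line in log_text.splitlines():
        m = NO_SITE_RE.search(line)
        if m:
            hits.append((m.group(1), ipaddress.ip_address(m.group(2))))
    return hits


def site_for(ip, site_subnets):
    """Site owning the most specific defined subnet that contains ip, else None."""
    ip = ipaddress.ip_address(ip)
    best = None
    for site, subnets in site_subnets.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (site, net)
    return best[0] if best else None


def audit(log_text, site_subnets, summarise_prefix=24):
    """Split NO_CLIENT_SITE clients into those a defined subnet now covers
    (the entry predates the definition) and those still uncovered, the latter
    grouped by the /24 you would add in Sites and Services."""
    covered = {}
    uncovered = defaultdict(list)
    for host, ip in parse_no_client_site(log_text):
        site = site_for(ip, site_subnets)
        if site:
            covered[host] = site
        else:
            block = ipaddress.ip_network(f"{ip}/{summarise_prefix}", strict=False)
            uncovered[str(block)].append(host)
    return covered, dict(uncovered)


if __name__ == "__main__":
    cov, unc = audit(NETLOGON_LOG, SITE_SUBNETS)
    for host, site in cov.items():
        print(f"{host}: covered by site {site}, no action needed")
    for block, hosts in unc.items():
        print(f"{block}: no AD subnet defined; seen from {', '.join(hosts)}")
```

Once every block the audit lists has been defined (or deliberately assigned to the Regional Core Site, as Frank proposes), any new NO_CLIENT_SITE entry is a genuine surprise worth investigating rather than background noise.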



Re: [ActiveDir] ISA 2004 and Microsoft Cluster Server

2005-09-12 Thread Phil Renouf
The real question here is: Will Microsoft support ISA running under VCS? That is a question that only Microsoft can answer, so I would send that question to your TAM, or if you don't have a TAM call into PSS and open an Advisory case to get an answer to the question.


Phil
On 9/12/05, Aramide Adebanjo [EMAIL PROTECTED] wrote:
Hey guys,

Thanks for all these... now let me go a step further... what if a company wants to consolidate their applications, build redundancy, failover capabilities and implement clustering as well using Veritas clustering Solution... can ISA be treated as a microsoft application that can be clustered...?? And if yes.. what's the best way of doing it... apparently not too many companies have toed this line.. but what if it can be pulled off.. whatcha ya all think...??
thx

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, September 12, 2005 10:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ISA 2004 and Microsoft Cluster Server

Clustering and Load Balancing I wouldn't really call a tomato tomoto thing

Maybe not in the ordinary sense, Brian. But in the ISA 2004 Enterp realm, we should be able to do that. OR, if you prefer, we can say tomato and ketchup or something. NLB is the way to go in ISA 2004, and the way ISA uses NLB (in addition to the new Configuration Storage server concept), you do indeed have some resilience that is not usually available in the normal NLB deployments.

The only time I've seen ISA installed in another clustering configuration outside of NLB is when Rain Wall was used. Of course I haven't seen every ISA server installation, but I'd wager that NLB is generally considered the standard clustering solution for ISA 2004.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Mon 9/12/2005 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ISA 2004 and Microsoft Cluster Server

Clustering and Load Balancing I wouldn't really call a tomato tomoto thing. More an apples and oranges thing. Load Balancing is not a fault tolerant solution, whereas clustering if something breaks everything moves over to another node...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Medeiros, Jose
Sent: Monday, September 12, 2005 1:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ISA 2004 and Microsoft Cluster Server

Greetings Aramide,

I do not believe that Microsoft ISA server 2004 can be clustered per se using Microsoft Cluster service. I took the ISA server 2000 & 2004 class and the MOC stated that the ISA 2004 Enterprise edition is designed to be load balanced, which I believe would solve your issue (It's just a terminology thing. You say tomato, I say tomoto...) :-)

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/network_load_balancing_ee.mspx

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Aramide Adebanjo
Sent: Monday, September 12, 2005 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ISA 2004 and Microsoft Cluster Server

Hi guys,

A quick one... does anyone have any idea where I can get documentation on installing ISA 2004 Standard/Enterprise edition on a Microsoft Clustering Solution.

Kindest Regards


Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD SQL...

2005-09-09 Thread Phil Renouf
in this subnet, they setup the CSMs, and then the firewall people just have to add additional special rules (like connecting to SQL, for example).

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason B
Sent: Thursday, September 08, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

This has been a GREAT discussion and I have received a lot of useful info. I really appreciate the replies, suggestions, slams and help. I think I am going to revisit trying to have the sharepoint server moved to the LAN and see if I can't convince the powers that be to apportion an ISA license and hardware appropriate for running ISA to put on the DMZ. We already have a sharepoint server on the LAN... I am not too familiar with sharepoint, but I wonder if the existing sharepoint server can handle both the internal and external users... That's a question for another group, I guess.

Anyway, I gathered quite a bit from the posts and discussion, but what are the main specific and concrete points that I am going to want to bring up to dissuade them from having the sharepoint server on the DMZ? My expertise isn't in the hardware/networking aspect of configuration, but I know enough that I am not comfortable opening all the ports for AD auth from the DMZ to the LAN. Our network admin didn't think that it was a big deal to open the ports since it was only on the DMZ and he could control the traffic that was allowed to the DMZ.

----- Original Message -----
From: Al Mulnick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, September 07, 2005 5:04 PM
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Looks like we have plenty of ideas and opinions ;)

ISA is a great way to deal with this, but I believe the decision was made to put the SP machine in the DMZ regardless of the technical merit or viability. And whether or not it is a good idea. That said, ISA doesn't offer much if you put it AND this machine in a semi-trusted network (for whatever that means these days.)

Shame there's no leeway though. The downside to using IPSec is that as others have pointed out, it won't work on member server - DC for W2K servers (limitation of the OS) but will for 2K3 member servers but that still leaves you with a secure channel from the DMZ host to your internal network. That means you can't monitor the traffic from the DMZ to your internal network because it's encrypted (sounds like a broken record, I know.)

Too bad you can't sway the decision makers to do this differently. But hopefully you've received a lot of ideas to pick from.

Best of luck,
Al

From: [EMAIL PROTECTED] on behalf of Bernard, Aric
Sent: Wed 9/7/2005 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

I agree with Phil - I think using an ISA (or other reverse proxy solution) is the best way to go given your constraints.

Using a reverse proxy solution allows you the following:

1. Keep your Sharepoint server behind the firewall, yet make it accessible to external clients as if it was in the DMZ.
2. Restrict your [additional] holes through the firewall to only that needed by the reverse proxy solution to interact with the Sharepoint server (port 80).

BTW - this scenario is becoming extremely common. The next common addition you will see to this will likely be the use of ADFS to provide an identity trust bridge between the internal forest and a partner forest (or other identity system).

Regards,
Aric Bernard

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Wednesday, September 07, 2005 9:20 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

I would look at putting the Sharepoint server on the internal network and deploy an ISA server in the DMZ and use Web Publishing or Server Publishing to get your external clients access to the site. If you want to open access from the DMZ to your AD Forest your firewall will be swiss cheese from all the ports that need to be open.

If you absolutely HAVE to then I would prefer to look at using IPSec for communication between the Sharepoint box and your DC's. That leaves you only needing the IPSec port open and not the very large number of ports to support AD communication.

http://support.microsoft.com/kb/q179442/

Phil

On 9/7/05, Jason B [EMAIL PROTECTED] wrote:
Because this will be a sharepoint server for clients. Regardless

Re: [ActiveDir] OT: Exmerge 2003

2005-09-08 Thread Phil Renouf
Are you sure? Outlook 2003 does not have a 2GB limit on PST files and I thought that the latest version of ExMerge created PST's using the Outlook 2003 format.

Phil
On 9/8/05, Michael B. Smith [EMAIL PROTECTED] wrote:
It has the same 2 GB limit.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of DeStefano, Dan
Sent: Thursday, September 08, 2005 11:25 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: Exmerge 2003

I have to archive some mailboxes on an Exchange 2003 server and would like to use the Exchange 2003 Mailbox Merge Wizard. However, these mailboxes are over 2GB and I was wondering if exmerge 2003 has the same 2GB .pst file size limitation as Outlook 2000 and XP, or can it create .pst files larger than 2GB like Outlook 2003?

Thanks in advance,
Dan DeStefano


Re: [ActiveDir] OT: Exmerge 2003

2005-09-08 Thread Phil Renouf
http://support.microsoft.com/default.aspx?scid=kb;en-us;830336

The .pst file has a different format and folder size limit in Outlook 2003

It's my understanding that the latest version of ExMerge uses the new Unicode PST format.

Phil
On 9/8/05, Steve Shaff [EMAIL PROTECTED] wrote:
Dan,

No, there should not be an issue with creating the PST file. However, it still holds true that you risk corruption with PST files over a gig or so.

S

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of DeStefano, Dan
Sent: Thursday, September 08, 2005 8:25 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] OT: Exmerge 2003

I have to archive some mailboxes on an Exchange 2003 server and would like to use the Exchange 2003 Mailbox Merge Wizard. However, these mailboxes are over 2GB and I was wondering if exmerge 2003 has the same 2GB .pst file size limitation as Outlook 2000 and XP, or can it create .pst files larger than 2GB like Outlook 2003?

Thanks in advance,
Dan DeStefano


Re: [ActiveDir] OT: Exmerge 2003

2005-09-08 Thread Phil Renouf
I must have been using the wrong searches because with all the information on ExMerge I saw none of it showed the PST file type. That article does, thanks for clearing that up.

Phil
On 9/8/05, Michael B. Smith [EMAIL PROTECTED] wrote:


The ExMerge utility does not support Unicode PST files.

It's all over the knowledge base. Here is an example KB article for you that documents the restriction:



http://support.microsoft.com/default.aspx?scid=kb;en-us;823176

ExMerge uses a different code base than Outlook. The enhancement is much requested, but has not been executed.










Re: [ActiveDir] cloning DC's

2005-09-08 Thread Phil Renouf
A KB article might be a good idea actually. Definitely be good to be able to point to a definitive article on the subject when consultants bring this up as a possibility.

Phil
On 9/8/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
Funny how this topic comes up now and then... It may even be worth creating a KB article on this issue, or is that useless?

Windows 2000/2003 DCs should NEVER, NEVER, NEVER be imaged for backup/restore purposes! Imaging is NOT an AD aware backup/restore solution and thus not MS approved!

A W2K3 pre-SP1 hotfix, a W2K post-SP4 hotfix and W2K3 SP1 will stop DCs replicating by disabling replication when USN rollback is detected. As I know the detection is not guaranteed, but when it detects it does that to prevent further damage.

The same problem CAN occur when DCs are used in a virtual environment and snapshots are used, for example. Be very careful with this!

Read more at:
MS-KBQ875495_How to detect and recover from a USN rollback in Windows Server 2003
MS-KBQ885875_How to detect and recover from a USN rollback in Windows 2000 Server

If you don't pay attention to this mail or to mail from others about this and still want to do it... Well, be sure you get enough coffee, painkillers (for the headache you will get from it), dust off your ABBA collection ;-) and afterwards possibly search for a new job or be ready to get yelled at.

Cheers
Jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Wednesday, August 17, 2005 23:03
To: activedirectory
Subject: [ActiveDir] cloning DC's

I know I read this thread before but I can't seem to find it. We are creating a new forest root and the IBM consultants here created the first root DC and now they want to clone it using Disk Image and sysprep to create the other DC's in the root. I think I heard this is a bad idea. Am I right? I can't seem to find any article on this but I do remember this being spoken of on the list and I don't remember what the conclusion was.

thanks
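Jorge's warning about imaged DCs and USN rollback, as an added example that is not from the thread or from Microsoft: a small Python model of the up-to-dateness-vector check the hotfixes he mentions rely on, showing when a rollback is caught and the case he notes where detection is not guaranteed. DC names, attribute names and values are constructed, and the model keeps one change log per DC rather than real replication metadata.

```python
"""Model of the USN-rollback check that stops replication from an imaged DC.

Added example, not from the thread or from Microsoft. Each DC remembers, per
partner invocationID, the highest USN it already applied (the up-to-dateness
vector). A disk-image restore rolls the USN counter back but keeps the
invocationID; an AD-aware restore issues a new invocationID. Names, attributes
and values below are constructed.
"""
import uuid


class RollbackDetected(Exception):
    """A source DC presented a USN below the partner's recorded watermark."""


class DomainController:
    def __init__(self, name):
        self.name = name
        self.invocation_id = uuid.uuid4()
        self.usn = 0              # highestCommittedUSN
        self.changes = []         # (usn, attribute, value) originated here
        self.data = {}            # attribute -> value as this DC sees it
        self.watermark = {}       # partner invocationID -> highest USN applied
        self.replication_enabled = True

    def commit(self, attribute, value):
        """Originate a write: allocate the next USN and log the change."""
        self.usn += 1
        self.changes.append((self.usn, attribute, value))
        self.data[attribute] = value
        return self.usn

    def snapshot(self):
        """What a disk image captures: invocationID, USN, change log, data."""
        return (self.invocation_id, self.usn, list(self.changes), dict(self.data))

    def restore_from_image(self, snap):
        """Disk-image restore: USN goes backwards, invocationID is unchanged."""
        inv, usn, changes, data = snap
        self.invocation_id, self.usn = inv, usn
        self.changes, self.data = list(changes), dict(data)

    def restore_ad_aware(self, snap):
        """System-state restore: same rollback, but a fresh invocationID."""
        self.restore_from_image(snap)
        self.invocation_id = uuid.uuid4()

    def pull_from(self, src):
        """Replicate from src; returns how many changes were applied."""
        if not src.replication_enabled:
            raise RollbackDetected(f"{src.name} has replication disabled")
        seen = self.watermark.get(src.invocation_id, 0)
        if src.usn < seen:
            # The source claims fewer changes than we already applied from
            # this invocationID: its counter went backwards. The restored DC
            # is quarantined (NTDS event 2095 in the real implementation).
            src.replication_enabled = False
            raise RollbackDetected(
                f"{src.name} USN {src.usn} < {self.name} watermark {seen}")
        applied = 0
        for usn, attribute, value in src.changes:
            if usn > seen:            # only changes past the watermark
                self.data[attribute] = value
                applied += 1
        self.watermark[src.invocation_id] = src.usn
        return applied


def scenario(changes_after_restore, ad_aware=False):
    """Image DC1, keep writing, restore it, write again, replicate to DC2.

    Returns (detected, missing): whether DC2 caught the rollback, and which
    of DC1's originated attributes DC2 never received.
    """
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.commit("description", "v1")
    dc1.commit("telephoneNumber", "1000")
    dc2.pull_from(dc1)                         # DC2 watermark for DC1 = 2
    image = dc1.snapshot()                     # consultant images DC1 here
    dc1.commit("mail", "a@example.invalid")
    dc1.commit("title", "old-title")
    dc2.pull_from(dc1)                         # DC2 watermark for DC1 = 4
    if ad_aware:
        dc1.restore_ad_aware(image)
    else:
        dc1.restore_from_image(image)          # USN back to 2, same invocationID
    for i in range(changes_after_restore):
        dc1.commit(f"postRestore{i}", "x")     # re-uses USNs 3, 4, ... silently
    try:
        dc2.pull_from(dc1)
        detected = False
    except RollbackDetected:
        detected = True
    missing = sorted(a for _, a, _ in dc1.changes if a not in dc2.data)
    return detected, missing
```

scenario(1) is the caught case; scenario(3) is the one Jorge warns detection does not guarantee, where the restored DC has already re-used the USNs its partner knows about and two of its new changes never replicate; scenario(3, ad_aware=True) shows why a proper restore, with its new invocationID, has neither problem.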


Re: [ActiveDir] strange issue with(what else) Exchange(ot)

2005-09-07 Thread Phil Renouf
What version of Exchange are you working with? I think you mentioned that you have NetBIOS disabled, is that correct?

I can confirm that in fact Exchange 2000 requires connectivity to the Schema Master FSMO role holder to install via /disasterrecovery. I've been told that this is not the case in 2003, but I can't confirm that definitively. I've also seen some cases where you can have difficulty installing Exchange via /disasterrecovery if NetBIOS is disabled and once NetBIOS was enabled Exchange installed fine.


Phil
On 9/6/05, Tom Kern [EMAIL PROTECTED] wrote:

I emailed a while ago about this issue -
I'm recreating my domain in a test forest for migration testing.

In our real and test forest, we have no connectivity to the root domain and no EA or SA access (never will). We are primary DNS for both the root and child domain however.

I recreated our domain in a test lab.
Then I tried installing Exchange using the /disasterrecovery switch and it complained about not being able to contact the schema master and refused to go on.

I ran adsiedit.msc as local system on a child DC and put this child DC as the value for the fSMORoleHolder attrib and then Exchange installed, until 24hrs later it stopped working.
It claimed it couldn't contact a DC or GC.
When I tested the secure channel, I got access denied. It was behaving as if it wasn't a member of the domain. Disjoining and rejoining did nothing.

So an IBM consultant took over from there and while on the phone with MS, seized the FSMO roles via ntdsutil (but without EA or SA access?!!)
Anyway, that Exchange installed fine with the DR switch (however that was just less than 24hrs ago).
Installing a new Exchange server is impossible. I still get a "can't connect to schema master" error. Sometimes it's a "can't connect to root domain" error.

I'm currently talking to MS and so far they can't seem to figure it out.
Also they can't give me an answer as to why Exchange setup needs to connect to the root domain (in fact as far as they're concerned, it's the first time they heard of that).
I'm wondering why MS can't explain conclusively the behavior of their own products to me?

Anyway, I was wondering if anyone knew the answer out here or could explain these symptoms in any way?

Esp since I think my company needs to install a new Exchange server for archival and compliance purposes in our production environment before we migrate (as in asap, as we have been out of compliance and are about to be audited very soon).

Thought I'd ask here while waiting for MS to respond.
You guys seem to be a higher quality of support than most companies pay to get from MS.

thanks!!


Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD SQL...

2005-09-07 Thread Phil Renouf
I would look at putting the Sharepoint server on the internal network and deploy an ISA server in the DMZ and use Web Publishing or Server Publishing to get your external clients access to the site. If you want to open access from the DMZ to your AD Forest your firewall will be swiss cheese from all the ports that need to be open.


If you absolutely HAVE to then I would prefer to look at using IPSec for communication between the Sharepoint box and your DC's. That leaves you only needing the IPSec port open and not the very large number of ports to support AD communication.


http://support.microsoft.com/kb/q179442/
Phil
On 9/7/05, Jason B [EMAIL PROTECTED] wrote:
Because this will be a sharepoint server for clients. Regardless, that decision has already been made and I don't have any input into it.

Any info on the ports I'd need open?

----- Original Message -----
From: ASB [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B [EMAIL PROTECTED] wrote:
We are putting a MS sharepoint server in the DMZ and need to have it on the domain and communicating with a SQL server on the domain. Because of these needs, we only want to open the minimum number of ports to get functionality. We have LDAP (389) opened and SQL (1433) opened. What other ports will we need to open to be able to log in on the sharepoint server with a domain account? Currently, with only these two ports opened, a domain account can't log on to the sharepoint server in the DMZ.



Re: [ActiveDir] Where to begin...

2005-09-07 Thread Phil Renouf
I think it is important to understand what type of domain is running here. Is it an NT4 domain, or is it Windows 2000/2003? I am assuming it is an Active Directory domain, but with the use of the PDC/BDC terminology I want to make sure.


If it is Active Directory then in addition to the other good suggestions I would like to see what DNSLint says.

Phil
On 9/7/05, Peter Jessop [EMAIL PROTECTED] wrote:
Brian

I think that the problems you have may be DNS related and you need to check both the DNS servers themselves and the client configurations.

You mentioned that you had corrected issues with the pointer records. This should not be necessary as the clients should register these dynamically. You should check that this is being done properly. The domain controllers are themselves DNS clients and it is imperative that they register their services correctly.

The first rule of Windows administration is 'Look in the event log', both on the DCs and clients. Also run dcdiag. Tell us more about the set up, e.g. is DNS AD integrated, client configuration etc. Windows networks are very stable when set up properly. Unfortunately they are often not.

Good luck
Peter Jessop


Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD SQL...

2005-09-07 Thread Phil Renouf
Did I miss something in that article? I don't see where it says client & DC via IPSec is not supported; just that you can't encrypt Kerberos traffic.

Phil
On 9/7/05, Tony Murray [EMAIL PROTECTED] wrote:

 If you absolutely HAVE to then I would prefer to look at using IPSec for communication between the Sharepoint box and your DC's


IPSec would be good, but it isn't supported between member servers and DCs.


http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949

Tony



Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD SQL...

2005-09-07 Thread Phil Renouf
That was the way that I understood that paragraph as well.

And to give a little more information about Aric's point on not being able to monitor the traffic between the DMZ host and the DC's; that is why it is important to have an Intrusion Detection/Intrusion Prevention system in place. Even in a small shop this can save you a lot of headaches if properly maintained and will let you monitor for malicious traffic on the DMZ host and the DC's. It is a good way to mitigate many security admins' concerns about opening encrypted tunnels through the firewalls.


Phil
On 9/7/05, Bernard, Aric [EMAIL PROTECTED] wrote:


The quote relates to when you are using Kerberos as the method to setup the secure connection (ISAKMP). If you use certificates then IPSec can be used end-to-end between clients/member servers and DCs.


Aric





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Wednesday, September 07, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Hi Phil

Here's the text I was referring to:

Currently, we do not support using IPSec to encrypt network traffic from a domain member server to a domain controller when you apply the IPSec policies by using Group Policy or when you use the Kerberos authentication method. 

The goal with IPSec is to encrypt the traffic between the two sides and with the scenario described below you would need Kerberos authentication. Or have I missed something?


Tony




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005 11:02 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Did I miss something in that article? I don't see where it says client & DC via IPSec is not supported; just that you can't encrypt Kerberos traffic.




Phil

On 9/7/05, Tony Murray [EMAIL PROTECTED] wrote:

If you absolutely HAVE to then I would prefer to look at using IPSec for communication between the Sharepoint box and your DC's


IPSec would be good, but it isn't supported between member servers and DCs.


http://support.microsoft.com/default.aspx?scid=kb;en-us;Q254949

Tony




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, 8 September 2005 4:20 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...
 



I would look at putting the Sharepoint server on the internal network and deploy an ISA server in the DMZ and use Web Publishing or Server Publishing to get your external clients access to the site. If you want to open access from the DMZ to your AD Forest your firewall will be swiss cheese from all the ports that need to be open.




If you absolutely HAVE to then I would prefer to look at using IPSec for communication between the Sharepoint box and your DC's. That leaves you only needing the IPSec port open and not the very large number of ports to support AD communication. 




http://support.microsoft.com/kb/q179442/


Phil



On 9/7/05, Jason B [EMAIL PROTECTED] wrote:

Because this will be a sharepoint server for clients. Regardless, that decision has already been made and I don't have any input into it. Any info on the ports I'd need open?

- Original Message -
From: ASB [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, September 07, 2005 8:45 AM
Subject: Re: [ActiveDir] Which ports to open in the DMZ to communicate with AD & SQL...

Why did you decide to put it in the DMZ?

-ASB

On 9/7/05, Jason B [EMAIL PROTECTED] wrote:

We are putting a MS sharepoint server in the DMZ and need to have it on the domain and communicating with a SQL server on the domain. Because of these needs, we only want to open the minimum number of ports to get functionality. We have LDAP (389) opened and SQL (1433) opened. What other ports will we need to open to be able to log in on the sharepoint server with a domain account? Currently, with only these two ports opened, a domain account can't log on to the sharepoint server in the DMZ.










Re: [ActiveDir] Additional domain controller

2005-09-06 Thread Phil Renouf
You might want to look at moving the profiles to a non-DC to avoid this issue ;)

Also, make sure you wait for the dcpromo to finish replicating. That amount of time depends on the size of your AD Database, speed of your network etc.

Phil
On 9/6/05, Boris Demirov [EMAIL PROTECTED] wrote:
Thanks for the replies.

So far I managed to join in the domain an additional DC. Set it up as a Global Catalog, set the replication time to four times per hour and now I am waiting to see if the replication works (I will switch the old DC down to see if the users can log in without problems - I suppose there will be one little problem - I use for user profiles a path of that type - \\DC\profiles\Userprofile and after this DC is switched off the users will not be able to download their profiles).

Thanks again guys. I`ll send some results later.


Re: [ActiveDir] DNS resolution - prioritization

2005-09-06 Thread Phil Renouf
Just wondering what the actual issue is here though, when a client logs in they will get a DC within their local site, that shouldn't be dependent on the client's subnet mask, just whether their IP falls within the scope of a site defined in AD. If there is a DC in that site then they should be referred to that DC during logon processes.


The behaviour of ping is not going to be site aware, but logon traffic will be.

Phil
On 9/6/05, Kamlesh Parmar [EMAIL PROTECTED] wrote:
Thanks Roger for the reply,

Problem is not the site setting, you see... when I ping for my domain's DNS name... or access the netlogon folder on DC as \\example.com\netlogon

This DNS resolution will NOT consider site boundaries and give me appropriate IP of local DC. This DNS resolution will ask for client's subnet mask and if it finds any matching IP of DC which falls into this client network, it will provide that DC IP as first one. (making sure traffic remains inside LAN)

But, since client IP network is restrictive /21, the server which is there in the same physical LAN but in different subnet, will not be returned as first choice. I hope it clears it a bit.

On 9/6/05, Roger Seielstad [EMAIL PROTECTED] wrote:

I'd create smaller subnet records in AD (probably matching the /25 VLANs) and assign those to the sites which house the domain controller which you want them to use. You can keep the /21 subnet entry as a catch all as well, just in case.


Roger Seielstad
E-mail Geek



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Monday, September 05, 2005 3:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS resolution - prioritization

Dear All,

We have around 50 sites with 80 DCs, all in single domain.

Now issue is three sites, have very restrictive network configuration for subnets. (all having 500+ machines)

i.e. their subnet specification in AD is 10.*/21
but at the network level they have divided this subnet into VLANs with mask of /25, all inclusive in mask /21 defined for subnet at AD level.

Problem: when machine tries to find the nearest DC using domain DNS name, DNS server doesn't give IP of nearest DC first,
as server falls only into one of the /25 subnets. (subnet mask request in DNS server is enabled)
And as a result, machines go to other DCs for netlogon related activities/scripts. (generating unnecessary WAN traffic, slow login)

I am working with Network team to initiate the feasibility of so many VLANs, (long process)
and if its possible to merge some VLAN, then I will move the DC in that subnet.

Any solution other than hard coding nearest DC in host file of all these machines.

Regards,
Kamlesh
--
~~~Fortune and Love befriend the bold~~~
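As an added illustration (not code from any of the list posts), the Python below models the two lookups this thread contrasts: the site-aware DC locator, which does a longest-prefix match of the client IP against AD subnet objects, and plain DNS netmask ordering of the domain's A records, which only groups answers by a fixed prefix. All subnet, site and DC values are constructed, and the /24 grouping prefix used for netmask ordering is an assumption, not something the posts state.

```python
"""Site-aware DC locator vs. DNS netmask ordering (constructed model)."""
import ipaddress

# Constructed AD subnet-object -> site table (what Sites and Services holds).
AD_SUBNETS = {
    "10.1.0.0/21": "Branch-A",   # the restrictive /21 described in the thread
    "10.0.0.0/8": "HQ",          # catch-all so every client maps to some site
}

# Constructed site -> domain controller table.
SITE_DCS = {
    "Branch-A": ["10.1.4.10"],
    "HQ": ["10.0.0.10", "10.0.0.11"],
}

# Constructed A records registered under the domain name itself (example.com).
DOMAIN_A_RECORDS = ["10.0.0.10", "10.0.0.11", "10.1.4.10"]


def site_for_client(client_ip, subnets=AD_SUBNETS):
    """Longest-prefix match of the client IP against AD subnet objects.

    The most specific subnet object wins, which is why a /25 entry can sit
    beside a /21 catch-all and still steer its clients to the right site.
    Returns None when no subnet object covers the client.
    """
    ip = ipaddress.ip_address(client_ip)
    best_net, best_site = None, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def dcs_for_client(client_ip, subnets=AD_SUBNETS, site_dcs=SITE_DCS):
    """DCs the locator hands out: those registered in the client's site."""
    return list(site_dcs.get(site_for_client(client_ip, subnets), []))


def netmask_order(client_ip, answers, prefixlen=24):
    """Reorder A records the way DNS netmask ordering does.

    Assumption: the server groups by one fixed prefix (/24 here). Answers that
    share the client's prefix come first; the rest keep their original order.
    A DC in a neighbouring /25 of the same /21 therefore is NOT preferred.
    """
    client_net = ipaddress.ip_network(f"{client_ip}/{prefixlen}", strict=False)
    local = [a for a in answers if ipaddress.ip_address(a) in client_net]
    remote = [a for a in answers if ipaddress.ip_address(a) not in client_net]
    return local + remote


if __name__ == "__main__":
    client = "10.1.2.5"  # constructed client in VLAN 10.1.2.0/25, DC is in 10.1.4.0/25
    print("site:", site_for_client(client))
    print("locator DCs:", dcs_for_client(client))
    print("DNS order /24:", netmask_order(client, DOMAIN_A_RECORDS))
    print("DNS order /21:", netmask_order(client, DOMAIN_A_RECORDS, prefixlen=21))
```

Running it shows the locator returning the branch DC for the client while the /24-grouped DNS answer list leaves that DC last; only widening the grouping prefix to the /21, or resolving DC names through the site-aware path, puts it first.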


Re: [ActiveDir] Migrate Computers using ADMT

2005-09-06 Thread Phil Renouf
Short answer: Yes.
ADMT needs the PC's to be on the network when this happens so that it can launch a process on the workstation to translate profiles etc.

Phil
On 9/6/05, Salandra, Justin A. [EMAIL PROTECTED] wrote:
If I was to use the ADMT to migrate a workstation, would the wizard actually change the domain membership of the workstations if I used the ADMT v2 to migrate a workstation from child1.parent.com to parent.com?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]



Re: [ActiveDir] Migrate Computers using ADMT

2005-09-06 Thread Phil Renouf
Correct. Run some tests with ADMT to get used to how it all works (preferably in a test forest with test workstations).

Note though that the machines have to be on and that there will always be a few that don't work etc.; this is pretty much the same thing as deploying any type of agent like this, say SMS for example.
Phil

On 9/6/05, Salandra, Justin A. [EMAIL PROTECTED] wrote:


So technically I don't need to have a tech go to that computer and physically change domains?


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Tuesday, September 06, 2005 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Migrate Computers using ADMT


Short answer: Yes.

ADMT needs the PC's to be on the network when this happens so that it can launch a process on the workstation to translate profiles etc.




Phil

On 9/6/05, Salandra, Justin A. [EMAIL PROTECTED] wrote:

If I was to use the ADMT to migrate a workstation, would the wizard actually change the domain membership of the workstations if I used the ADMT v2 to migrate a workstation from child1.parent.com to parent.com?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]



Re: [ActiveDir] Moving forest root domains to child domains in another forest

2005-09-04 Thread Phil Renouf
Well, I wouldn't say ample hardware is required, but you will need to have some servers available to setup the new environment. A pretty typical approach is to use a few servers to setup an initial environment then as you free old servers up through the migration you rebuild them into the new environment to support additional resources. How many servers you need to start off with would depend on the size of your environment.


Setting up a whole new environment would be nice though :)

Phil
On 9/4/05, Brian Desmond [EMAIL PROTECTED] wrote:


You'd be well off to bite the bullet and buy the Quest stuff. It will be able to take care of most of this in a moderately painless (much opposed to not very painless writing scripts and such by hand). You'll need ample hardware to duplicate everything you have in the new setup.



Thanks,
Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Saturday, September 03, 2005 9:47 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving forest root domains to child domains in another forest




Your best bet is going to be to create two new child domains in one of the forests and migrate all the objects from the other two domains. This is a pretty common domain restructuring task so there is a lot of information out there about how to do these kinds of migrations. You can use ADMT to do the migrations (it is a free tool from Microsoft), or you could look into 3rd party migration tools from someone like Quest or NetIQ (the two most popular). 





That is just the domain piece, there are likely some Exchange points to make, but I'll let some of the Exchange folks here tackle that piece. The same should hold true though, setup some new Exchange servers within your new root forest's Exchange Org and migrate the mailboxes to those servers.




That is some pretty high level information there though, there is quite a lot to do with this type of initiative and a lot to keep track of. A good high level place to start is this MS Document:





http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/cead3dc3-4920-4b7a-b6fe-6111d44110b3.mspx 



Phil

On 9/3/05, Chaves, Jan Amcil L. [EMAIL PROTECTED] wrote:

Hi! I have a huge task to do. I have three separate Windows Server 2003 forests, each with a single domain (and Exchange 2003 servers to boot). I have to combine all three into a single forest and end up with just one root domain, with the other two as child domains of the first.

Is there any way (by hook or by crook) to do this? Pointers to third-party apps are very much appreciated.

Thanks,
Jan



Re: [ActiveDir] Moving forest root domains to child domains in another forest

2005-09-04 Thread Phil Renouf
You could build clusters in your city and ship them out to the remote location, or use something like HP's remote insight board to build the machines remotely.

Or if you're looking for the Airline reward miles you could make a trip around the world ;)

Phil
On 9/4/05, Chaves, Jan Amcil L. [EMAIL PROTECTED] wrote:

Commissioning new servers shouldn't be a problem. My worry is consolidating the Exchange environments during the domain migration. The largest of the three domains spans 3 cities, each with a clustered Exchange 2003 server, with each server cluster in a different Exchange administrative group.

I guess no 3rd party app can move an Exchange cluster across forests and organizations at the same time :) So I really have to literally take a trip around the globe, rebuilding servers and clusters as I go. This is going to be a long trip..
Jan

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sun Sep 04 15:41:29 2005
Subject: Re: [ActiveDir] Moving forest root domains to child domains in another forest

Well, I wouldn't say ample hardware is required, but you will need to have some servers available to setup the new environment. A pretty typical approach is to use a few servers to setup an initial environment then as you free old servers up through the migration you rebuild them into the new environment to support additional resources. How many servers you need to start off with would depend on the size of your environment.



Re: [ActiveDir] Moving forest root domains to child domains in another forest

2005-09-03 Thread Phil Renouf
Your best bet is going to be to create two new child domains in one of the forests and migrate all the objects from the other two domains. This is a pretty common domain restructuring task so there is a lot of information out there about how to do these kinds of migrations. You can use ADMT to do the migrations (it is a free tool from Microsoft), or you could look into 3rd party migration tools from someone like Quest or NetIQ (the two most popular). 


That is just the domain piece, there are likely some Exchange points to make, but I'll let some of the Exchange folks here tackle that piece. The same should hold true though, setup some new Exchange servers within your new root forest's Exchange Org and migrate the mailboxes to those servers.


That is some pretty high level information there though, there is quite a lot to do with this type of initiative and a lot to keep track of. A good high level place to start is this MS Document:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/cead3dc3-4920-4b7a-b6fe-6111d44110b3.mspx


Phil
On 9/3/05, Chaves, Jan Amcil L. [EMAIL PROTECTED] wrote:

Hi! I have a huge task to do. I have three separate Windows Server 2003 forests, each with a single domain (and Exchange 2003 servers to boot). I have to combine all three into a single forest and end up with just one root domain, with the other two as child domains of the first.

Is there any way (by hook or by crook) to do this? Pointers to third-party apps are very much appreciated.

Thanks,
Jan


Re: [ActiveDir] Active Directory Permissions

2005-09-02 Thread Phil Renouf
Yeah I see occasional blanks and dupes as well. None for a couple of days, but it happens. I've also started to get replies to messages I haven't seen yet, then a few hours later the original message shows up.

Phil
On 9/2/05, Rocky Habeeb [EMAIL PROTECTED] wrote:

Dean,

Every post from Brett Shirley is a dupe to me.

RH
_



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Thursday, September 01, 2005 9:28 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Active Directory Permissions

Is anyone else receiving blank posts, per the enclosed, or occasional dupes?
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith
Sent: Thursday, September 01, 2005 8:52 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory Permissions




Re: [ActiveDir] Active Directory Permissions

2005-09-02 Thread Phil Renouf
joe's the one who gets replies to messages he hasn't sent yet ;)

On 9/2/05, Fugleberg, David A [EMAIL PROTECTED] wrote:

Whoa... I first read that as "I've also started to get replies to messages I haven't sent yet"... I know the folks on this list are good, but not that good... :)

Dave


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Friday, September 02, 2005 7:35 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Active Directory Permissions

Yeah I see occasional blanks and dupes as well. None for a couple of days, but it happens. I've also started to get replies to messages I haven't seen yet, then a few hours later the original message shows up.


Phil




Re: [ActiveDir] Companies splitting - where to start with Active Directory, DNS, DHCP, etc.

2005-09-02 Thread Phil Renouf
Very good points here. With something like this the key to having a seamless split is to do a lot of planning and investigation, otherwise there will be some seemingly small thing that breaks that becomes a huge issue.


Phil
On 9/2/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

I'm facing a similar situation: single forest, single domain though. (Thank goodness!)

I think the place to start is really outside AD: who owns all these resources you're keeping in AD? What do they intend to do with them? When does the split happen? And how? Big bang or slow death?? Is email integrated into your forests? Sites going where? IP space?

It's a daunting task to get it all sorted out. If you have the overall company plan, knowing what to do with AD can be much easier.

AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
Cry 'Havoc!' and let slip the dogs of war
- Anthony, in Julius Caesar III i.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, September 01, 2005 8:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Companies splitting - where to start with Active Directory, DNS, DHCP, etc.

Depends. How good/how current is your cv? Like I said before, you really need to understand the environment to make these kinds of calls. Did you find out if they're two forests or one?

Joe mentioned to me that you could use ADFIND to do this. adfind -h dc -b -s base |grep root would give you the information you needed. A lot depends on knowing that information. Once you know that, I think Phil posted something about an inventory or some such. He's absolutely right and that's why I suggested following the OSI stack from the bottom up to figure out what you have and what your options are.

I'm dying to know about the forest or multiple forest answer :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Thursday, September 01, 2005 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Companies splitting - where to start with Active Directory, DNS, DHCP, etc.

On 8/31/05, joe [EMAIL PROTECTED] wrote:
Yes. Someone followed the MS book examples pretty explicitly. :o)

Can I simply break the AD trust and hope it does melt down? :)

Thanks,
...D

