[ActiveDir] OT: HARDWARE question. FILE SERVER VS ATTACHED STORAGE SOLUTION

2007-01-19 Thread Ramon Linan
Hi,

I have 2 questions.

We need more storage space but we don't know if we should go with an
attached storage solution (NAS, SAN, etc.) or just get a big file
server. Can anyone tell me the benefits and disadvantages of each one, or
point me to a URL with this info?

Also, my hardware knowledge is very obsolete; how can I get up to speed
in terms of hardware?


Thanks all

Rezuma
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx


RE: [ActiveDir] DNS problem. Periodically have to clear the cache

2007-01-18 Thread Ramon Linan
Hi,
Sorry it took me a little bit to answer your questions.
 
OS version: Windows Server 2003, Standard Edition, SP1...
Hardware: Intel Xeon CPU 3 GHz, 3.75 GB of RAM
DNS version (filever): W32i APP ENU 5.2.3790.1830 shp 442,880 03-24-2005 dns.exe
 
TCP/IP:
internal DNS servers
internal1: private fixed IP address 10.10.
internal2: private fixed IP address 10.10
external DNS servers
external1: public IP address 65 (SOA)
external2: public IP address 65...
I just remembered that we have 2 more external DNS servers that are
hosted in another office (one of our NASA contracts)
nasaoffice1: public IP
nasaoffice2: public IP
 
Thanks for your answer.
 
Rezuma



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, January 16, 2007 8:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the
cache


That's what I was getting at, too. Sorry to sound selfish and ask him to
take it off-list :)
 
He hasn't sent anything yet, though. If he does, I'll send him your way.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: Steve Linehan
Sent: Tue 1/16/2007 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the
cache



I am also interested in the answers to these questions especially OS
version and SP level.  We had a few issues with caching around in RTM
and a few others around SP1.  It is a long story but has to do with how
the cache entries are organized in memory.  The net effect was that
certain lookups would cause the cache to have bad data that would cause
the behavior you mention.  If you could provide the version of DNS.EXE,
full build number using something like filever.exe, that would also be
helpful.  The last issue I was aware of that exhibited these behaviors
is documented here: http://support.microsoft.com/kb/903720/en-us .  So I
would be interested if you were experiencing the issue with a build
beyond that one.

 

Thanks,

 

-Steve

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, January 16, 2007 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the
cache

 

How are these servers configured in TCP/IP? Who is forwarding to whom?
And what is the SP level? If you want to take this off-list, you can do
so by directly emailing me.

 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

 



From: Ramon Linan
Sent: Tue 1/16/2007 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS problem. Periodically have to clear the
cache

Hi,

 

I have 4 DNS servers, they are all AD integrated.

 

2 of them are supposed to be for internal use only, and the other 2 for
the internet domain we have; unluckily they were never configured to be
split DNS.

 

Anyway, every now and then I have to clear the cache for the internal
ones because they stop resolving certain addresses.

 

Sometimes I also have to update server data files for the DNS server to
resolve certain names.

 

 

Any help on how to troubleshoot this?

 

Thanks

 

Rezuma



RE: [ActiveDir] DNS problem. Periodically have to clear the cache

2007-01-16 Thread Ramon Linan
Hi,
 
I have 4 DNS servers, they are all AD integrated.
 
2 of them are supposed to be for internal use only, and the other 2 for
the internet domain we have; unluckily they were never configured to be
split DNS.
 
Anyway, every now and then I have to clear the cache for the internal
ones because they stop resolving certain addresses.
 
Sometimes I also have to update server data files for the DNS server to
resolve certain names.
 
 
Any help on how to troubleshoot this?
 
Thanks
 
Rezuma


RE: [ActiveDir] list logon user for the services in serveral server

2007-01-09 Thread Ramon Linan
Hi,
 
An SA just left the company and I suspect he installed several
applications on several servers using his account, therefore I can't
change his password or disable his account. Is there an easy way of finding
which services are running under his account without having to go to each
different server?
 
Thanks
 
Rezuma


RE: [ActiveDir] list logon user for the services in serveral server

2007-01-09 Thread Ramon Linan
Thanks, I see a few cmd files there; can you give me a link on how to
use them, and what do they do?



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, January 09, 2007 2:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list logon user for the services in serveral
server


for services use a script created by Dean Wells...
 
get it here: http://www.jadonex.com/downloads/dec/DECscripts.zip
 
PS joe/Dean: define coming soon ;-)
 
for scheduled tasks create a script using schtasks (w2k3)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Ramon Linan
Sent: Tue 2007-01-09 17:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list logon user for the services in serveral
server


Hi,
 
An SA just left the company and I suspect he installed several
applications on several servers using his account, therefore I can't
change his password or disable his account. Is there an easy way of finding
which services are running under his account without having to go to each
different server?
 
Thanks
 
Rezuma
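The question above (which services on which servers still run as the departed admin's account, and the scheduled-task follow-up) is the kind of thing that is worth a repeatable inventory rather than a one-off. The script below is an added example for this archive; it is not from the thread and not Dean Wells' DECscripts. It assumes the server names and the account CONTOSO\jdoe are placeholders, that you are an administrator on each server, and that WMI (RPC) and remote schtasks queries are not blocked by a firewall.

```powershell
# Added example, not from the thread or the DECscripts package: list every service and
# scheduled task across a set of servers that runs under one account.
# Assumptions: $Servers and $Account are hypothetical placeholders; you are an administrator
# on each server; WMI (RPC) and remote schtasks access are reachable.
param(
    [string[]]$Servers = @('SRV01', 'SRV02', 'SRV03'),   # hypothetical server names
    [string]$Account   = 'CONTOSO\jdoe'                  # hypothetical departed admin
)

# A service's StartName is stored as typed at install time: DOMAIN\user, user@domain or user,
# so match on the bare account name in any of those shapes.
$sam     = [regex]::Escape(($Account -split '\\')[-1])
$pattern = "(^|\\)$sam(@|$)"

$findings = foreach ($server in $Servers) {
    try {
        Get-WmiObject -Class Win32_Service -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.StartName -match $pattern } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Server = $server; Kind = 'Service'; Name = $_.Name
                    RunsAs = $_.StartName; State = $_.State; Next = $_.StartMode
                }
            }
    } catch {
        Write-Warning "$server (WMI): $($_.Exception.Message)"
    }

    # schtasks /V exposes the "Run As User" column for every task
    $csv = & schtasks.exe /Query /S $server /V /FO CSV 2>$null
    if ($LASTEXITCODE -eq 0) {
        $csv | ConvertFrom-Csv |
            Where-Object { $_.'Run As User' -match $pattern } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Server = $server; Kind = 'Task'; Name = $_.TaskName
                    RunsAs = $_.'Run As User'; State = $_.Status; Next = $_.'Next Run Time'
                }
            }
    } else {
        Write-Warning "$server (schtasks): query failed"
    }
}

$findings | Sort-Object Server, Kind, Name |
    Format-Table Server, Kind, Name, RunsAs, State, Next -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\account-dependencies.csv
```

The inventory only covers services and Task Scheduler jobs; IIS application pool identities, COM+ applications and credentials an application stored in its own config files will not show up here, and failed logons (event 529 on 2003, 4625 later) for the account after the change are the way to find those. The practical point is that the departed admin still knows the password, so the goal is to move each dependency onto a dedicated service account and then reset and disable the personal one, not to leave it in place.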


RE: [ActiveDir] Strange DNS problem. How to troubleshoot

2006-12-13 Thread Ramon Linan
Hi,
 
Thanks for your reply, I was in panic mode yesterday and sent this email
before doing more in-depth troubleshooting myself. It turns out that the
problem was in the NASA DNS server: they were delegating the subdomain
to another DNS server, but they had the delegation wrongly configured :(
 
Thanks anyway.
 
My DNS servers are AD integrated. I thought a file was written and that you could
actually modify the DNS conf by editing those files, like in Linux; I
was wrong I guess. Is there a way to force that file to be written?
 
Thanks



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, December 13, 2006 9:00 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange DNS problem. How to troubleshoot


For starters, what version of Windows Server are you using?  Is it fully
patched? 
What's in the event logs (system, application, and dns event logs)
before/during/after the dns server goes wonky [1]? 

Is this AD-Integrated DNS?  If so, no dns files are going to be written
out. If so, they'll be in the directory specified in the properties of
the server. 

What is your DNS topology? Is this server authoritative for nasa.gov? Is
it a forwarder? stub zone? ??

I'm sure there's more, but that's a great place to start. 



[1] Is that the correct use of the term?  If not, please correct me so I
don't make that gaffe again. 


On 12/12/06, Ramon Linan  [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]  wrote: 

Hi,
 
I am having a problem with the DNS.
 
I have a few users that connect to computers at NASA.
 
Every now and then our DNS server here stops resolving certain
machines in the domains machine.subdomain.nasa.gov
 
I have run nslookups asking for those machines against different DNS
servers; my DNS doesn't resolve them but other DNS servers are resolving fine. I have
also used the online tool dnsstuff.com and that one resolves too.
 
Last time I solved the problem by restarting the DNS server service
on the servers; another time I cleared the cache and updated the server
data files and that was enough.
 
Any tips on how I should start troubleshooting this?
 
Also, a separate question, I saw once that windows DNS server
keep all the conf in  a file, like Linux/UNIX, where is that file
located?
 
 
Thanks in advance
 
Rezuma




RE: [ActiveDir] What is Websence

2006-12-13 Thread Ramon Linan
lol, that's ok with me, you are the best :D



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, December 08, 2006 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] What is Websence


Me got a CEICW wizard that deploys my ISA...fast food/burger joint okay
with you?

:-)

Ramon Linan wrote: 

Right, any new application has that cost the first time: ISA,
Squid, Websense, that is assumed.
 
But, if you ever want to meet me and invite me to dinner I would
much prefer that you spend the cash that it will cost to deploy ISA or
Websense rather than the cost of implementing Squid.
 
 
Still, you made a good point there. Squid is only free if you
know how to implement it :)
 
Rezuma



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, December 08, 2006 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] What is Websence


Please be advised that your time to learn, update, get up to
speed on something is not free so while the fill in the blank may not
have licensing fees, nothing in life is for free... everything has
some sort of cost value to it.  For me to learn it means I'd be
expending my time to get up to speed.  

So sayeth my Mom, and she knows all.

Ramon Linan wrote: 

You can also do that with Squid; you can have a farm of
Squid proxies running together, and it is free :D



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Friday, December 08, 2006 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What is Websence



Websense can also run on Linux.  

What I do like about it is that it can fail open,
meaning that if your one Websense server is being rebooted or goes down,
users are still able to access the internet (users are not being filtered
while the server is unavailable).



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Friday, December 08, 2006 7:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What is Websence



Or Squid and squidguard, open source and free, and very
reliable...but

of course requires Linux



-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED] On Behalf Of
Derek Harris

Sent: Thursday, December 07, 2006 7:57 PM

To: ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] What is Websence



You can check their website: www.websense.com



I evaluated the software version a couple of months ago
and wasn't

impressed -- stayed with SurfControl.



-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED] On Behalf Of
Ravi Dogra

Sent: Thursday, December 07, 2006 4:30 PM

To: ActiveDir@mail.activedir.org

Subject: [ActiveDir] What is Websence



Is it a box or software-driven web filtering? Please
provide some info on this.



--

Thanks,

RD


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog...
man ... I will hunt you down...
http://blogs.technet.com/sbs

[ActiveDir] Strange DNS problem. How to troubleshoot

2006-12-12 Thread Ramon Linan
Hi,
 
I am having a problem with the DNS.
 
I have a few users that connect to computers at NASA.
 
Every now and then our DNS server here stops resolving certain machines
in the domains machine.subdomain.nasa.gov
 
I have run nslookups asking for those machines against different DNS servers;
my DNS doesn't resolve them but other DNS servers are resolving fine. I have also used
the online tool dnsstuff.com and that one resolves too.
 
Last time I solved the problem by restarting the DNS server service on the
servers; another time I cleared the cache and updated the server data
files and that was enough.
 
Any tips on how I should start troubleshooting this?
 
Also, a separate question, I saw once that windows DNS server keep all
the conf in  a file, like Linux/UNIX, where is that file located?
 
 
Thanks in advance
 
Rezuma
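Both DNS threads above ("Strange DNS problem" and "Periodically have to clear the cache") come down to the same manual check: run nslookup for the failing name against each of your own servers and against an outside reference, and see which one disagrees. The script below is an added example for this archive, not part of either thread. It automates that comparison and, on the DNS server itself, collects the OS service-pack level, dns.exe file version and server configuration that the replies asked for. The server list and host names are placeholders (the 10.10.x addresses are invented, 203.0.113.53 is a documentation address standing in for any outside resolver); it assumes nslookup.exe is present and that dnscmd.exe is available (Support Tools on 2003, built in from 2008).

```powershell
# Added example, not from the thread: query each name against every DNS server in a list,
# report where the servers disagree or fail, and collect the build/config data asked for.
# Assumptions: placeholder names and a constructed server list; run from any Windows host
# that can reach the servers on port 53; the diagnostics section only applies on the DNS server.
param(
    [string[]]$Names   = @('host1.subdomain.nasa.gov', 'www.example.com'),    # placeholders
    [string[]]$Servers = @('10.10.0.1', '10.10.0.2', '203.0.113.53')          # constructed: internal1, internal2, outside reference
)

function Resolve-Via {
    param([string]$Name, [string]$Server)
    # nslookup prints the responding server first; the answer follows "Name:", errors start with "***"
    $out    = & nslookup.exe -type=A $Name $Server 2>&1 | Out-String
    $answer = ($out -split 'Name:', 2)[1]
    $ips    = @()
    if ($answer) {
        $ips = [regex]::Matches($answer, '\b(?:\d{1,3}\.){3}\d{1,3}\b') |
            ForEach-Object { $_.Value } | Sort-Object -Unique
    }
    New-Object PSObject -Property @{
        Name      = $Name
        Server    = $Server
        Addresses = ($ips -join ',')
        Error     = [regex]::Match($out, '\*\*\*.*').Value.Trim()
    }
}

$results = foreach ($n in $Names) { foreach ($s in $Servers) { Resolve-Via -Name $n -Server $s } }
$results | Sort-Object Name, Server | Format-Table Name, Server, Addresses, Error -AutoSize

# A name is suspect when the servers do not all return the same answer set
foreach ($g in ($results | Group-Object Name)) {
    $distinct = @($g.Group | Select-Object -ExpandProperty Addresses | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        $detail = ($g.Group | ForEach-Object { "$($_.Server)=[$($_.Addresses)]" }) -join ' '
        Write-Warning ("{0}: servers disagree -> {1}" -f $g.Name, $detail)
    }
}

# The version / SP / configuration data the replies asked for, collected on the DNS server itself
$os = Get-WmiObject Win32_OperatingSystem
"{0} {1} (build {2})" -f $os.Caption, $os.CSDVersion, $os.BuildNumber
$dnsExe = Join-Path $env:SystemRoot 'System32\dns.exe'
if (Test-Path $dnsExe) { 'dns.exe ' + (Get-Item $dnsExe).VersionInfo.FileVersion }
if (Get-Command dnscmd.exe -ErrorAction SilentlyContinue) { & dnscmd.exe /info }
```

Run it on a schedule and keep the output: when a name "stops resolving" you then have a record of which server returned what, and of whether the outside reference still answered, before the cache is cleared. Clearing the cache (dnscmd /clearcache) destroys the evidence, so capture first and clear second; and as the delegation problem in this thread shows, a disagreement between your servers and the outside reference can also be the other side's misconfiguration rather than a local caching bug.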


RE: [ActiveDir] What is Websence

2006-12-08 Thread Ramon Linan
Or Squid and squidguard, open source and free, and very reliable...but
of course requires Linux

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Thursday, December 07, 2006 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What is Websence

You can check their website: www.websense.com

I evaluated the software version a couple of months ago and wasn't
impressed -- stayed with SurfControl.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Thursday, December 07, 2006 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What is Websence

Is it a box or software-driven web filtering? Please provide some info
on this.

--
Thanks,
RD


RE: [ActiveDir] OT:What is Websence

2006-12-08 Thread Ramon Linan
 
You don't know? I thought you knew it all, this is a sad day.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, December 08, 2006 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What is Websence

I don't know but I bet it deserves [OT] in the subject. :o) 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra
Sent: Thursday, December 07, 2006 6:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] What is Websence

Is it a box or software-driven web filtering? Please provide some info
on this.

--
Thanks,
RD


RE: [ActiveDir] What is Websence

2006-12-08 Thread Ramon Linan
You can also do that with Squid; you can have a farm of Squid proxies
running together, and it is free :D



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Friday, December 08, 2006 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What is Websence



Websense can also run on Linux.  

What I do like about it is that it can fail open, meaning that if your
one Websense server is being rebooted or goes down, users are still able
to access the internet (users are not being filtered while the server is
unavailable).

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Friday, December 08, 2006 7:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] What is Websence

 

Or Squid and squidguard, open source and free, and very reliable...but

of course requires Linux

 

-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris

Sent: Thursday, December 07, 2006 7:57 PM

To: ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] What is Websence

 

You can check their website: www.websense.com

 

I evaluated the software version a couple of months ago and wasn't

impressed -- stayed with SurfControl.

 

-Original Message-

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED] On Behalf Of Ravi Dogra

Sent: Thursday, December 07, 2006 4:30 PM

To: ActiveDir@mail.activedir.org

Subject: [ActiveDir] What is Websence

 

Is it a box or software-driven web filtering? Please provide some info
on this.

 

--

Thanks,

RD




[ActiveDir] http://www.microsoft.com/technet/security/advisory/929433.mspx

2006-12-07 Thread Ramon Linan
I don't know if someone already posted this, but just in case.

http://www.microsoft.com/technet/security/advisory/929433.mspx

Rezuma


[ActiveDir] security

2006-12-01 Thread Ramon Linan
Hi,

What is the meaning of this event? Does it mean that MSGINA was trying
to log in to the machine where the event was found?

I was connected to an XP Pro box using Remote Desktop and all of a sudden it
kicked me out saying someone else had connected to it. How do I find out
who it was?

Thanks

A trusted logon process has registered with the Local Security
Authority. This logon process will be trusted to submit logon requests. 
 
 Logon Process Name:Winlogon\MSGina

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Rezuma
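For what it is worth to later readers: on XP and 2003, Security event 515 ("A trusted logon process has registered with the Local Security Authority", Logon Process Name Winlogon\MSGina; 4611 on Vista and later) is Winlogon's GINA registering itself with LSA when Winlogon initializes. It is informational and does not record who connected. The session takeover itself is recorded elsewhere, and the script below, an added example that is not part of this thread, pulls those records. It assumes the machine name is a placeholder, that you are an administrator on it with the Remote Registry service running, and that the "Audit logon events" policy is enabled for success, without which event 528 is never written.

```powershell
# Added example, not from the thread: find out who took over an XP/2003 machine's session.
# Assumptions: $Computer is a hypothetical name; you are an administrator on it; Remote
# Registry is running; "Audit logon events" (success) is enabled, or 528 is never logged.
param(
    [string]$Computer = 'XPBOX01',
    [datetime]$Since  = (Get-Date).AddHours(-4)
)

# Who holds the console and RDP sessions right now
& qwinsta.exe /server:$Computer

# Pre-Vista Security log IDs: 528 = successful logon (Logon Type 10 = RemoteInteractive, i.e. RDP),
# 682 = session reconnected to a winstation, 683 = session disconnected.
# Vista and later use 4624 / 4778 / 4779 with the same fields under different names.
$ids = 528, 682, 683

$events = Get-EventLog -ComputerName $Computer -LogName Security -After $Since -ErrorAction Stop |
    Where-Object { $ids -contains $_.EventID } |
    ForEach-Object {
        $m    = $_.Message
        $user = [regex]::Match($m, 'User Name:\s+(\S+)').Groups[1].Value
        $dom  = [regex]::Match($m, 'Domain:\s+(\S+)').Groups[1].Value
        $type = [regex]::Match($m, 'Logon Type:\s+(\d+)').Groups[1].Value
        $from = [regex]::Match($m, '(?:Source Network Address|Client Address):\s+(\S+)').Groups[1].Value
        New-Object PSObject -Property @{
            Time = $_.TimeGenerated; EventID = $_.EventID
            User = "$dom\$user"; LogonType = $type; From = $from
        }
    } |
    Where-Object { $_.EventID -ne 528 -or $_.LogonType -eq '10' }   # keep RDP logons plus (re)connects

$events | Sort-Object Time | Format-Table Time, EventID, User, LogonType, From -AutoSize
```

XP Professional allows a single interactive session, so a second Remote Desktop logon by anyone with the right to connect displaces whoever is there; the 528/Logon Type 10 entry with the later timestamp, and its Source Network Address, is the person and the machine that did it. If only Domain Admins should be able to do that, the membership of the local Remote Desktop Users group on that box is the thing to review.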


RE: [ActiveDir] Split pagefile

2006-11-30 Thread Ramon Linan
Hi, 

I have an answer and a question about the same.

Most of my servers have 2 partitions, one for the OS and the other for
data. I always put the pagefile in the data partition, so yes, you can
have the whole thing in a different partition or hard drive.

Actually, Linux systems always create a swap partition just for that
purpose, so I wonder if it would be more efficient to always create a
partition just for the pagefile... Anyone know?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Thursday, November 30, 2006 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Split pagefile

Sorry for the reply to my own post, but this article:

http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips
/Miscellaneous/EnhancePerformancebyMovingthePagefile.html

says I can move the whole thing to a different partition. I'll leave a
meg on the C drive just for the dumpfile, which we limit to 64K, in case
the system crashes and I can actually figure out how to read the
dumpfile.

But, really, is it OK to leave absolutely NO pagefile on C:/? We
normally leave at least 200Mb on the C: partition when we move the rest
to a different drive.


--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876



  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On 
  Behalf Of Larry Wahlers
  Sent: Thursday, November 30, 2006 9:55 AM
  To: Exchange Discussions
  Subject: Split pagefile
  
  Colleagues,
  
  Is there a best practice for splitting the pagefile on Exchange 2003
  across multiple drives? My C drive is up to nearly 9GB used 
  out of 10GB,
  and I'd like to move off most of the 3GB pagefile to maybe 
  the database
  drive. We have only 500 users on that system, so 
 performance shouldn't
  be too much of an issue.
  
  Thanks in advance, folks.
  
  -- 
  Larry Wahlers
  Concordia Technologies
  The Lutheran Church - Missouri Synod
  mailto:[EMAIL PROTECTED]
  direct office line: (314) 996-1876
  


RE: RE: [ActiveDir] Split pagefile

2006-11-30 Thread Ramon Linan
That is pretty cool, where do I learn about this? Do you know of a good
URL that tells you how to do your own crashdump analysis?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 3:21 PM
To: ActiveDir@mail.activedir.org
Subject: OT: RE: [ActiveDir] Split pagefile

You know, you can actually do your own crashdump analysis. We even used
to teach people how to do it back in the NT4 days. I loved that class.
:-D 

Laura

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Don Hoehn
 Sent: Thursday, November 30, 2006 2:15 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Split pagefile
 
 Hi,
   Best practice used to be to put the pagefile on a different bus
 than the OS. The idea is that you can read/write to both the OS and the PF
 at the same time. We always put the entire PF on a separate bus/drive
 in its own partition. That way you have the added speed of a bus
 apart from the OS bus and a contiguous PF. We never bothered with a
 C: swapfile because we could never afford to send the dump to M$ for
 decryption. :-}
 
 Don
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
 Sent: Thursday, November 30, 2006 11:07 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Split pagefile
 
 Hi,
 
 I have an answer and a question about the same.
 
 Most of my servers have 2 partitions, one for the OS and the other for
 data. I always put the pagefile in the data partition, so yes, you can
 have the whole thing in a different partition or hard drive.
 
 Actually, Linux systems always create a swap partition just for that
 purpose, so I wonder if it would be more efficient to always create a
 partition just for the pagefile... Anyone know?
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
 Sent: Thursday, November 30, 2006 12:09 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Split pagefile
 
 Sorry for the reply to my own post, but this article:
 
 http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003
 /AdminTips
 /Miscellaneous/EnhancePerformancebyMovingthePagefile.html
 
 says I can move the whole thing to a different partition. 
 I'll leave a meg on the C drive just for the dumpfile, which we limit 
 to 64K, in case the system crashes and I can actually figure out how 
 to read the dumpfile.
 
 But, really, is it OK to leave absolutely NO pagefile on C:/? 
 We normally leave at least 200Mb on the C: partition when we move the 
 rest to a different drive.
 
 
 --
 Larry Wahlers
 Concordia Technologies
 The Lutheran Church - Missouri Synod
 mailto:[EMAIL PROTECTED]
 direct office line: (314) 996-1876
 
 
 
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On
 Behalf Of
   Larry Wahlers
   Sent: Thursday, November 30, 2006 9:55 AM
   To: Exchange Discussions
   Subject: Split pagefile
   
   Colleagues,
   
   Is there a best practice for splitting the pagefile on
 Exchange 2003
   across multiple drives? My C drive is up to nearly 9GB
 used out of
   10GB, and I'd like to move off most of the 3GB pagefile
 to maybe the
   database drive. We have only 500 users on that system, so
  performance shouldn't
   be too much of an issue.
   
   Thanks in advance, folks.
   
   --
   Larry Wahlers
   Concordia Technologies
   The Lutheran Church - Missouri Synod 
   mailto:[EMAIL PROTECTED]
   direct office line: (314) 996-1876
   
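The two questions in this thread (can the whole pagefile leave C:, and is a dedicated pagefile partition worthwhile) have a crash-dump angle that is easy to lose: on 2003 and earlier the kernel writes a crash dump through the pagefile on the boot volume, so "no pagefile on C:" means "no dump". The check below is an added example for this archive, not from the thread; it reads the configured dump type and compares it with the pagefile actually present on the boot volume. It assumes it is run elevated on the server itself, and the thresholds are the documented ones for XP/2003 (complete dump: RAM + 1 MB on the boot volume; small dump: at least 2 MB), with the kernel-dump figure only a rule of thumb.

```powershell
# Added example, not from the thread: check that the pagefile layout still supports the
# configured crash dump. Assumptions: run elevated on the server itself; thresholds are the
# XP/2003 documented values (complete = RAM + 1 MB, small = 2 MB); kernel = rule of thumb.
$dumpName = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'; 3 = 'Small memory dump (64 KB)' }
$cc    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$type  = [int]$cc.CrashDumpEnabled
$ramMB = [math]::Ceiling((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$boot  = $env:SystemDrive

"Crash dump : $type ($($dumpName[$type])), file $($cc.DumpFile)"
"RAM        : $ramMB MB, boot volume $boot"

# Win32_PageFileSetting is the configured size (absent or 0/0 = system managed);
# Win32_PageFileUsage is the file that actually exists right now
$settings = @(Get-WmiObject Win32_PageFileSetting)
$usage    = @(Get-WmiObject Win32_PageFileUsage)
$settings | Format-Table Name, InitialSize, MaximumSize -AutoSize
$usage    | Format-Table Name, AllocatedBaseSize, CurrentUsage, PeakUsage -AutoSize

$bootPf   = $usage | Where-Object { $_.Name -like "$boot*" } | Select-Object -First 1
$required = switch ($type) { 1 { $ramMB + 1 } 2 { [math]::Ceiling($ramMB / 3) } 3 { 2 } default { 0 } }

if ($type -ne 0 -and -not $bootPf) {
    Write-Warning "No pagefile on $boot: a $($dumpName[$type]) cannot be written on this OS without one."
} elseif ($bootPf -and $bootPf.AllocatedBaseSize -lt $required) {
    Write-Warning ("Pagefile on {0} is {1} MB; {2} needs about {3} MB." -f
        $boot, $bootPf.AllocatedBaseSize, $dumpName[$type], $required)
} else {
    "Pagefile placement is consistent with the dump setting."
}
```

The split Larry describes (a small pagefile on C: sized for the dump type, the rest on another spindle) is what this check validates; a 1 MB file on C: is below the 2 MB floor for even a small dump. On Windows Server 2008 / Vista SP1 and later the DedicatedDumpFile value under CrashControl lets the boot volume go without a pagefile entirely. For reading the dump yourself, as Laura mentions, the tool is WinDbg from the Debugging Tools for Windows with the Microsoft symbol server configured; `!analyze -v` gives the faulting module and stack for most crashes.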

RE: [ActiveDir] Domain and Subdomain. Duplicating accounts

2006-11-17 Thread Ramon Linan
Thanks for the answer Laura,

They are running a Unix application that queries LDAP to find the
user :O!! Unluckily this application does not allow specifying the
LDAP source; they have tried using the GC but that did not work, and they also
tried using ADAM but were also having trouble with that... I will ask him
to describe the problems he was having in both cases and maybe you can
give me a hand :D

Thanks

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 16, 2006 8:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain and Subdomain. Duplicating accounts

Besides significantly increasing the likelihood of people logging onto
the wrong domain and generating support calls along the lines of
where's my stuff?

Not really. AD accommodates the same name in multiple domains, as long
as the UPNs are different (which they are, or account creation would
have failed).

Why doesn't the other SA just let people use their regular accounts?

Laura 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
 Sent: Thursday, November 16, 2006 4:48 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Domain and Subdomain. Duplicating accounts
 
 Hi,
 
 The company I work for has 2 offices in 2 different states.
 
 The main office is domain.com and the other office is a subdomain 
 (sub.domain.com).
 
 Our users sometimes go to the other office (sub.domain.com) to work 
 for a week or so. I just found out that the other SA has been creating 
 accounts for my users in the subdomain.
 
 So now I have the same user in the domain and subdomain; besides being a 
 stupid way of doing things, is there any technical issue this could 
 create?
 
 
 Thanks
 
 Rezuma


RE: [ActiveDir] Domain and Subdomain. Duplicating accounts

2006-11-17 Thread Ramon Linan
I agree with you, it would be enough with one domain and 2 sites, but I
just started working here, and it was setup that way, plus, the other
office is a company we bought and I think there was some politics
involved in doing it that way... I may change that though, if I can.
 
Love politics
 
Rezuma



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, November 17, 2006 12:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain and Subdomain. Duplicating accounts


What Laura said, plus - why do you have two domains for this scenario. I
know nothing about your environment, but my instinct says that you don't
need them.
 
Thanks,
Brian



From: [EMAIL PROTECTED] on behalf of Laura A. Robinson
Sent: Thu 11/16/2006 7:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain and Subdomain. Duplicating accounts



Besides significantly increasing the likelihood of people logging onto
the
wrong domain and generating support calls along the lines of where's my
stuff?

Not really. AD accommodates the same name in multiple domains, as long
as
the UPNs are different (which they are, or account creation would have
failed).

Why doesn't the other SA just let people use their regular accounts?

Laura

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
 Sent: Thursday, November 16, 2006 4:48 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Domain and Subdomain. Duplicating accounts

 Hi,

 The company I work for has 2 offices in 2 different states.

 The main office is domain.com and the other office is a subdomain
 (sub.domain.com).

 Our users sometimes go to the other office (sub.domain.com)
 to work for a week or so. I just found out that the other SA has
 been creating accounts for my users in the subdomain.

 So now I have the same user in the domain and subdomain; besides
 being a stupid way of doing things, is there any technical
 issue this could create?


 Thanks

 Rezuma



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/




RE: [ActiveDir] AD Audit/Compliance Tool

2006-11-14 Thread Ramon Linan



Joe has a long list of tools that I am using to do exactly that:
http://www.joeware.net/win/free/all.htm

That's one option.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Merry, Joel (US - Philadelphia)
Sent: Tuesday, November 14, 2006 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Audit/Compliance Tool


Hi All ... I'm looking for a tool that will query all of the domains in a
single forest and show me expired accounts, accounts with passwords older
than xx days, duplicate accounts (accounts with the same samaccountname in
different domains), accounts with primary SMTP address of something other
than @domain.com, @domain1.com, @domain2.com, etc.

I'm scripting most of it now, but it's a pain. Any suggestions?

Thanks,
Joel





[ActiveDir] AD SECURITY. Run As command used - to impersonate Administrators

2006-11-13 Thread Ramon Linan





Hi,

So I decided to try out GFI event monitor. I am loving it so far, but I am not a
security expert so I am easy to impress.
Anyway, I got a bunch of emails like the one below. Have you guys seen something
similar in your logs? Is this someone trying to hack, or a service trying to run
something?

Thanks


Subject: 11/12/2006 12:28:38 PM "Run As" command used - to
impersonate Administrators - outside work hours - Critical - servername
- 552
Logon attempt using explicit credentials:
Logged on user:
User Name: administrator
Domain: domain
Logon ID: (0x2,0x9D018B17)
Logon GUID: {ec9c7758-8375-8064-3e03-8e860a568322}
User whose credentials were used:
Target User Name: administrator
Target Domain: domain.com
Target Logon GUID: {13d439ef-0597-c23e-aa24-8ca92f9e7730}
Target Server Name: server.domain.com
Target Server Info: cifs/server.domain.com
Caller Process ID: 1620
Source Network Address: -
Source Port: -
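A triage routine for the event quoted in this message, added here as an example (not part of the thread and not GFI code): it parses the field lines of a Windows Server 2003 event 552 and ranks the reasons it deserves a look, which for the copy above come down to a privileged account re-authenticating to a CIFS share on a Sunday. The work-hours window, the privileged-account list and the sample event text are constructed assumptions.

```python
"""Triage of Windows Server 2003 security event 552 ("Logon attempt using
explicit credentials"), the event GFI mailed out in the message above.
Added example, not part of the original thread and not GFI code; the field
names are those of the event text, the work-hours window and the sample
event are constructed."""
import re
from datetime import datetime

# Constructed copy of the event body quoted in the message (same fields).
SAMPLE_EVENT = """\
Logon attempt using explicit credentials:
Logged on user:
User Name: administrator
Domain: domain
Logon ID: (0x2,0x9D018B17)
Logon GUID: {ec9c7758-8375-8064-3e03-8e860a568322}
User whose credentials were used:
Target User Name: administrator
Target Domain: domain.com
Target Logon GUID: {13d439ef-0597-c23e-aa24-8ca92f9e7730}
Target Server Name: server.domain.com
Target Server Info: cifs/server.domain.com
Caller Process ID: 1620
Source Network Address: -
Source Port: -
"""

WORK_HOURS = range(8, 18)       # assumption: 08:00-17:59 local time
WORK_DAYS = range(0, 5)         # assumption: Monday-Friday
PRIVILEGED = {"administrator"}  # assumption: accounts that get extra scrutiny


def parse_event_552(body):
    """Turn the 'Field: value' lines of a 552 body into a dict.
    Section headers with no value ('Logged on user:') are skipped."""
    fields = {}
    for line in body.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+):\s*(.*)$", line)
        if m and m.group(2):
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def triage_552(body, when):
    """Classify one 552 event.  `when` is the timestamp as written in the
    GFI subject line, e.g. '11/12/2006 12:28:38 PM'.  Returns the parsed
    fields, a list of findings and a verdict: 'investigate' (one account used
    another's credentials, or a remote caller), 'review' (privileged account
    or off-hours), 'routine' otherwise."""
    f = parse_event_552(body)
    ts = datetime.strptime(when, "%m/%d/%Y %I:%M:%S %p")
    user = f.get("User Name", "").lower()
    target = f.get("Target User Name", "").lower()
    source = f.get("Source Network Address", "-")
    findings = []
    if user and target and user != target:
        findings.append(f"credentials of '{target}' used from session of '{user}'")
    if source != "-":
        findings.append(f"caller came from network address {source}")
    if target in PRIVILEGED:
        findings.append(f"target account '{target}' is privileged")
    if ts.weekday() not in WORK_DAYS or ts.hour not in WORK_HOURS:
        findings.append("outside work hours")
    if user == target and f.get("Target Server Info", "").startswith("cifs/"):
        # Same account re-authenticating to a file share on a named server is
        # the usual shape of a mapped drive, scheduled task or service logon;
        # the caller PID on that server tells which one.
        findings.append("same account re-authenticating to a CIFS share "
                        f"(caller PID {f.get('Caller Process ID', '?')})")
    if any(x.startswith(("credentials of", "caller came")) for x in findings):
        verdict = "investigate"
    elif any(x.startswith("target account") or x == "outside work hours"
             for x in findings):
        verdict = "review"
    else:
        verdict = "routine"
    return {"fields": f, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = triage_552(SAMPLE_EVENT, "11/12/2006 12:28:38 PM")
    print(result["verdict"])
    for line in result["findings"]:
        print(" -", line)
```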


RE: [ActiveDir] how to access blocked site.

2006-11-13 Thread Ramon Linan
LOL, Susan, does he really work in your office? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, November 13, 2006 9:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] how to access blocked site.

As an admin here

You do know I could fire your assets if you do this at my office?

You are introducing risks that as an employee, you don't have the right
to do at a firm.  There's a reason us annoying admins block this stuff.

Introduce risks at home please, and not on my watch, okay?

Ajay Kumar wrote:

 Hi all,

 It could be a wrong question but I want to know
 about how to access the restricted or blocked sites, which are access
 denied from the office.

 I know some tools work like K-PROXY, but it works on some internet
 sites.

 So please suggest me how to access blocked sites,
 which can work well.

 Thanks & Regards,
 Ajay pardeshi
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


[ActiveDir] event log monitoring.

2006-11-09 Thread Ramon Linan



Hi,

I want to implement a system that will send me an email whenever there is an
error in any of the event logs on my servers.

I could do this with a script or similar, but I don't have the time to do it
that way, and many other reasons.

I was wondering if any of you has used GFI EventsManager; my main concern is to
know if monitoring the events will put too much work on the servers that I am
monitoring. I don't want to crash my server because I am monitoring it.

Any suggestion?

Thanks

Rezuma


RE: [ActiveDir] event log monitoring.

2006-11-09 Thread Ramon Linan



MOM is cool... and expensive. Anyway, do you know if this kind of monitoring
software will kill the machines they are monitoring?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Strongosky
Sent: Thursday, November 09, 2006 1:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] event log monitoring.


MOM (Microsoft Operations Manager) is pretty good at this.







RE: [ActiveDir] Exchange --NDR--

2006-11-08 Thread Ramon Linan



Did you guys ever resolve this problem?

www.dnsstuff.com: there you can check if your IP is in a DNS BL or similar; it
queries a bunch of lists.

Were you able to send email telnetting into the other server?

telnet servername 25
helo yourdomain
mail from:youremailaddress
rcpt to:valid email address in that domain
data

test
.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Wednesday, November 08, 2006 2:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange --NDR--


You should be able to see my 
email from the response.



Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon


From: Technical Support
Sent: Tue 11/7/2006 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange --NDR--


Please let me know how I can contact you, Deji.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Akomolafe, Deji
Sent: Monday, November 06, 2006 10:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange --NDR--



4.4.7 is "usually" the other server's problem. If you want, I can privately
help you verify this, if you send me the domain/ip of the other server in a
private (off-list) message.





Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon





From: Technical Support
Sent: Mon 11/6/2006 8:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange --NDR--

Hi,

I am sending mail to @XYZ.COM and here is the error I am getting. When I do
Email ID Verification and MX Record lookup it works fine for xyz.com. Also I am
not facing this problem with any other mail id. I am able to send mails to other
clients/vendors.

Here is the NDR I am getting.
---
Your message did not reach some or all of the intended recipients.

Subject: Updated: Undelivered
Sent: 11/6/2006 6:58 PM

The following recipient(s) could not be reached:

[EMAIL PROTECTED] on 11/6/2006 9:08 PM
Could not deliver the message in the time limit specified. Please retry or
contact your administrator.
MyFrontEnd.Domain.local #4.4.7

[EMAIL PROTECTED] on 11/6/2006 9:08 PM
Could not deliver the message in the time limit specified. Please retry or
contact your administrator.
MyFrontEnd.Domain.local #4.4.7

[EMAIL PROTECTED] on 11/6/2006 9:08 PM
Could not deliver the message in the time limit specified. Please retry or
contact your administrator.
MyFrontEnd.Domain.local #4.4.7
---

Please suggest what the possible reason is for the same. Do I need to change
something from my end (a new connector) or get something changed at the remote
(Client) end?

Thanks!!!
Ravi Dogra


[ActiveDir] lastlogontimestamp

2006-11-07 Thread Ramon Linan



Hi,

Some of my users only access our network via IMAP or webmail to check their
email.
When they do that, are they modifying the lastLogonTimeStamp? The functional
level is Windows 2003.

Thanks


RE: [ActiveDir] Exchange --NDR--

2006-11-06 Thread Ramon Linan



The first thing you should do to troubleshoot is telnet directly into the
other server and see what happens.




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, November 06, 2006 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange --NDR--
Ravi; When you say your MX record looks "fine", what and how are you
specifically checking the MX record? Is this an established MX record? Any
other history might be helpful as well. I have seen this before but need more
information before going forward.

Brent Eads
Employee Technology Solutions, Inc.

  
  
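A scripted form of the manual "telnet servername 25" check that both replies above suggest (the 2006-11-08 step list and the 2006-11-06 "telnet directly into the other server"), added here as an example that is not part of the thread: it speaks the HELO / MAIL FROM / RCPT TO steps, records every reply code, and stops before DATA so no test message is delivered, which is enough to tell an accepted recipient from a 4xx deferral (the family the 4.4.7 NDR belongs to) or a 5xx rejection. The in-process fake mail server, its host name and the addresses are constructed so the probe can run offline.

```python
"""Scripted form of the manual 'telnet servername 25' check from the thread:
speak the HELO / MAIL FROM / RCPT TO steps to a mail server and report the
reply code for each, stopping before DATA so no test message is delivered.
Added example, not from the original thread; the fake in-process SMTP server,
host names and addresses are constructed so the probe can run offline."""
import socket
import threading


def smtp_probe(host, mail_from, rcpt_to, helo="yourdomain", port=25, timeout=20):
    """Return a list of (command, reply_code, reply_text) for the dialog.
    A connect failure is recorded as ('<connect>', 0, reason); the dialog
    stops at the first 4xx/5xx reply and then always says QUIT."""
    steps = []
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as err:
        return [("<connect>", 0, f"connect failed: {err}")]
    with sock:
        rfile = sock.makefile("rb")

        def reply():
            # A reply may span lines: 'NNN-' continues it, 'NNN ' ends it.
            lines = []
            while True:
                raw = rfile.readline()
                if not raw:
                    raise ConnectionError("server closed the connection")
                lines.append(raw.decode("ascii", "replace").rstrip("\r\n"))
                if len(raw) < 4 or raw[3:4] != b"-":
                    code = int(lines[-1][:3]) if lines[-1][:3].isdigit() else 0
                    return code, "\n".join(lines)

        def send(cmd):
            sock.sendall(cmd.encode("ascii") + b"\r\n")
            code, text = reply()
            steps.append((cmd, code, text))
            return code

        code, text = reply()                     # the 220 greeting banner
        steps.append(("<connect>", code, text))
        if code == 220:
            for cmd in (f"HELO {helo}", f"MAIL FROM:<{mail_from}>",
                        f"RCPT TO:<{rcpt_to}>"):
                if send(cmd) >= 400:
                    break
        send("QUIT")
    return steps


def probe_summary(steps):
    """One word for the ticket: 'unreachable', 'no-greeting' (no 220 banner),
    'accepted' (RCPT TO got 2xx), 'deferred' (a 4xx) or 'rejected' (a 5xx)."""
    codes = {cmd.split(" ")[0]: code for cmd, code, _ in steps}
    if codes.get("<connect>", 0) == 0:
        return "unreachable"
    if codes["<connect>"] != 220:
        return "no-greeting"
    if 200 <= codes.get("RCPT", 0) < 300:
        return "accepted"
    worst = max(code for cmd, code, _ in steps if cmd != "QUIT")
    return "deferred" if 400 <= worst < 500 else "rejected"


def fake_smtp_server(accept_domain):
    """Constructed stand-in for the remote MX, serving one connection on a
    random localhost port; it accepts RCPT TO only for `accept_domain`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as f:
            conn.sendall(b"220 mx.example.test ESMTP constructed\r\n")
            while True:
                raw = f.readline()
                if not raw:
                    break
                cmd = raw.decode("ascii", "replace").strip()
                verb = cmd.split(":")[0].split(" ")[0].upper()
                if verb == "HELO":
                    conn.sendall(b"250 mx.example.test\r\n")
                elif verb == "MAIL":
                    conn.sendall(b"250 2.1.0 Sender OK\r\n")
                elif verb == "RCPT" and cmd.lower().endswith(f"@{accept_domain}>"):
                    conn.sendall(b"250 2.1.5 Recipient OK\r\n")
                elif verb == "RCPT":
                    conn.sendall(b"550 5.1.1 User unknown\r\n")
                else:                            # QUIT, or anything unexpected
                    conn.sendall(b"221 Bye\r\n")
                    break
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return "127.0.0.1", srv.getsockname()[1]


if __name__ == "__main__":
    host, port = fake_smtp_server("xyz.com")   # swap in the real MX host and port 25
    for cmd, code, text in smtp_probe(host, "me@mydomain.test", "someone@xyz.com", port=port):
        print(f"{cmd:<32} -> {code} {text}")
```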



[ActiveDir] Problem driving me crazy

2006-10-31 Thread Ramon Linan



Hi,

I have a user who got married (changed her last name) so I had to change her
login username, email, etc.

Since I did that, she has not been able to log on to a server (DC) using Remote
Desktop Connection. I checked and she has the right permissions to use Terminal
Services, etc.

What is the best way to troubleshoot this?

I am getting this log in the event log:


Logon Failure:
Reason: The user has not been granted the requested logon type at this machine
User Name: username
Domain: domain name
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: servername
For more information, see Help and Support Center at 


Thanks 
all


RE: [ActiveDir] Problem driving me crazy

2006-10-31 Thread Ramon Linan



You were right, that was the problem...

Thanks so much


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, October 31, 2006 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem driving me crazy


Check the Group Policies assigned to the terminal server. Under Computer
Configuration > Windows Settings > Security Settings > Local Policies > User
Rights Assignments, look for "Allow Logon through Terminal Services". This
user was probably added here.

If you add a username to any of the Windows Settings policies in a GPO, and the
username changes, then you have to go back and change it manually. It is not
automatically updated like most of the rest of AD. I would recommend using
security groups instead of users here for this reason. The group name is less
likely to change.

Kevin







RE: [ActiveDir] list lastlogontime for every user script

2006-10-27 Thread Ramon Linan



Thanks Matt for the script that you sent and thanks Joe for your tool.

I used Joe's tool (no sexual connotation here) because it was easy and fast.

I have just one question: I am getting some users with
lastlogontimestamp /00/00-00:00:00; most of them (or all of them) are system
users, like the systemmailbox. I bet this is because they never log in to the
system.

This is the command that I used: oldcmp -report -age 90 -users -llts

Is there a way of excluding disabled users from the results?

Thanks


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 27, 2006 12:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

It isn't, it is randomly calculated every time logonTime is 
updated. 


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 26, 2006 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script


How is this 9-14 day value tracked for each user object, by the way?



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of joe
Sent: Thursday, October 26, 2006 5:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] list lastlogontime for every user script

oldcmp

Keep in mind that by default, lastLogonTimeStamp is not updated every day; it
will be updated about every 9-14 days (14 days with a random swing of minus 0-5
days).

You can output to csv or html, whatever is more convenient for you.

Alternately, if you just want to query the value directly, you can use adfind to
generate the output.

However, oldcmp tends to be easier for most folks.

joe


--
O'Reilly 
Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm









[ActiveDir] list lastlogontime for every user script

2006-10-26 Thread Ramon Linan



Hi,

I am trying to do a script or something that will list lastlogontime for all
users so I can receive an email when someone has not used the account for more
than 30 days.

I have seen a couple of examples of half-built scripts that don't work; I get
lost when they start dealing with converting the number to a date...

Does anyone have a script that will do something similar? Does Joeware have
something similar?

Thanks

Ramon
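The two pieces that the question above asks for and that joe's reply in the thread above spells out, worked through as an added example (not part of the thread, and not joeware's oldcmp or adfind): converting the raw lastLogonTimeStamp number to a date, and writing a 30-day stale-account report that allows for the attribute only being refreshed when it is about 14 days old and that skips disabled accounts, as asked in the 2006-10-27 follow-up. The user records and the "today" value are constructed stand-ins for what an LDAP query would return.

```python
"""lastLogonTimeStamp handling for a stale-account report.  Added example,
not part of the thread and not joeware code.  The attribute is a Windows
FILETIME (100-nanosecond ticks since 1601-01-01 UTC) and, as joe explains,
is only rewritten at a logon when the stored value is older than about
9-14 days.  The user records and NOW are constructed."""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116444736000000000   # FILETIME of 1970-01-01T00:00:00Z
UAC_ACCOUNTDISABLE = 0x0002                # userAccountControl bit: disabled
LLTS_MAX_LAG = timedelta(days=14)          # worst-case staleness of the stored value


def filetime_to_datetime(value):
    """Convert a lastLogonTimeStamp value (int or the decimal string LDAP
    tools print) to an aware UTC datetime; 0 or '0' (never logged on) -> None."""
    ticks = int(value)
    if ticks <= 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here to build sample records."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def stale_accounts(users, now, max_age_days=30):
    """Return (sAMAccountName, days_since_stored_logon) for enabled accounts
    not used for more than `max_age_days`; days is None for never-logged-on.
    The real last logon lies between the stored value and stored + 14 days,
    so the cut-off is pushed back by LLTS_MAX_LAG: only accounts whose stored
    value is older than max_age_days + 14 are certainly unused that long."""
    cutoff = now - timedelta(days=max_age_days) - LLTS_MAX_LAG
    report = []
    for u in users:
        if int(u.get("userAccountControl", 0)) & UAC_ACCOUNTDISABLE:
            continue                                   # disabled: not interesting
        last = filetime_to_datetime(u.get("lastLogonTimeStamp", 0))
        if last is None:
            report.append((u["sAMAccountName"], None))
        elif last < cutoff:
            report.append((u["sAMAccountName"], (now - last).days))
    return report


NOW = datetime(2006, 10, 27, 12, 0, tzinfo=timezone.utc)   # constructed "today"
SAMPLE_USERS = [   # constructed; attribute names as an LDAP query returns them
    {"sAMAccountName": "rlinan", "userAccountControl": 512,
     "lastLogonTimeStamp": datetime_to_filetime(NOW - timedelta(days=3))},
    # used 20 days ago, but the stored value is 33 days old: must NOT be listed
    {"sAMAccountName": "jsmith", "userAccountControl": 512,
     "lastLogonTimeStamp": datetime_to_filetime(NOW - timedelta(days=33))},
    {"sAMAccountName": "contractor1", "userAccountControl": 512,
     "lastLogonTimeStamp": datetime_to_filetime(NOW - timedelta(days=90))},
    {"sAMAccountName": "olduser", "userAccountControl": 514,       # disabled
     "lastLogonTimeStamp": datetime_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "SystemMailbox", "userAccountControl": 512,
     "lastLogonTimeStamp": "0"},                                   # never logged on
]

if __name__ == "__main__":
    for name, days in stale_accounts(SAMPLE_USERS, NOW):
        print(f"{name:<16} {'never' if days is None else f'{days} days'}")
```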


RE: [ActiveDir] OT: TechED 2007

2006-10-20 Thread Ramon Linan
I did not follow the whole discussion, but... is the TechEd in Orlando or
where in Florida? I would not mind my company paying for me to go to
Disney :) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Molkentin,
Steve
Sent: Friday, October 20, 2006 7:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: TechED 2007


Absolutely - somebody send me to Floreda (Oh Homer, you so crazy...)

themolk.



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
 Sent: Friday, 20 October 2006 8:37 PM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] OT: TechED 2007

 Hey, I'm not adverse to the odd conference in Florida (being
 from Australia)

 *grin*

 - Original Message -
 From: Missy Koslosky [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org
 Sent: Friday, October 20, 2006 9:36 AM
 Subject: RE: [ActiveDir] OT: TechED 2007

  retch

  I'm SOOO sick of conferences in Florida.

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
  Sent: Thursday, October 19, 2006 4:29 AM
  To: ActiveDir.org
  Subject: [ActiveDir] OT: TechED 2007

  It's Florida !

  Regards,

  Mark Parris

  Base IT Ltd
  Active Directory Consultancy
  Tel +44(0)7801 690596




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


[ActiveDir] sharepoint access log

2006-10-19 Thread Ramon Linan



Hi,

What is the best or easiest way to find out if a user logged into the SharePoint
server (wss2)?
We have a SharePoint Services server that is accessible from outside the company.
We use AD mode for the users.

thanks


RE: [ActiveDir] sharepoint access log

2006-10-19 Thread Ramon Linan



you are right, thanks


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Steele
Sent: Thursday, October 19, 2006 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] sharepoint access log


Likely HTTP access logs. Should show the auth'd users, where they auth'd from
and when.

/aaron





[ActiveDir] DNS PROBLEM. EVENT 4013 AND 4515 AFTER POWER PROBLEM.

2006-10-19 Thread Ramon Linan
HI,
It has happened twice already.

We had a power problem (and for I don't know what reason yet) the
symentrac UPS did not pick up.
All the servers went down.

We have 4 DNS servers, 2 for outside to handle the domain (it is AD
integrated) and 2 for the internal network; they are not split.

When we brought the servers back up the clients could not use the DNS servers,
and the DNS servers were showing the error events 4013 and 4515 (posted
below).

Also, it took me forever to log in to the server.
When trying to access the DNS console it was saying it could not contact
the AD.

The 4 DNS servers are DCs but we also have 2 more DCs, one with Exchange.

The external DNS servers have an external IP (of course) and the 2 DCs that are
DNS also have external IPs (yeah, I know I should not have DCs on the internet).

After a few minutes (15-20 long minutes hearing users - losers) everything
started working fine on its own.


Any idea of what's going on?

Rezuma


===


4013
The DNS server was unable to open the Active Directory.  This DNS server
is configured to use directory service information and can not operate
without access to the directory.  The DNS server will wait for the
directory to start.  If the DNS server is started but the appropriate
event has not been logged, then the DNS server is still waiting for the
directory to start. 

4515
The zone gst.com was previously loaded from the directory partition
DomainDnsZones.gst.com but another copy of the zone has been found in
directory partition ForestDnsZones.gst.com. The DNS Server will ignore
this new copy of the zone. Please resolve this conflict as soon as
possible. 
 
If an administrator has moved this zone from one directory partition to
another this may be a harmless transient condition. In this case, no
action is necessary. The deletion of the original copy of the zone
should soon replicate to this server. 
 
If there are two copies of this zone in two different directory
partitions but this is not a transient caused by a zone move operation
then one of these copies should be deleted as soon as possible to
resolve this conflict. 
 
To change the replication scope of an application directory partition
containing DNS zones and for more details on storing DNS zones in the
application directory partitions, please see Help and Support.

For more information, see Help and Support Center at 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] orgfinder

2006-10-18 Thread Ramon Linan



Hi,

I was working on a webpart for SharePoint to allow users to keep their info in
AD up to date; I just found out that there is already a free one.

www.orgfinder.com

They have an asp application and a webpart.

The application is working fine but the webpart is not working.
The app pool identity for the asp application is a user that I have created; as
I said, this is working great.
But SharePoint is using a different app pool with the Network Service identity
and of course does not have rights to update AD info.

What would be the best way to fix this? Changing the identity in the SharePoint
app pool requires several steps because it will break the connection to the
content and configuration DB.

Is there another way? Does anyone know if it is possible to use another app
pool for just one webpart... I doubt it but I thought it would be worth asking.


Thanks


RE: [ActiveDir] DHCP Problem

2006-10-16 Thread Ramon Linan
Your question is very confusing.

When you go to the DHCP administrator console, you need to add a DHCP
server; do you see that computer in the list when you try to add it?

Was that server a DC? If so, which roles did it have?

Rezuma

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bob Anderson
Sent: Monday, October 16, 2006 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DHCP Problem

Good Morning,
I have a bad DHCP problem.

I have replaced our Primary Domain Computer and I think I have messed
DHCP up badly. The new Domain Controller has been given the same IP
address as the old one, and when I go into the DHCP console the old server
name shows up for the DHCP computer.


This was an emergency switch as the old DC has died.

Thanks in advance for all your help.

Bob Anderson
IT Guy
Kent Sporting Goods
433 Park Ave. S
New London OH 44851
419-929-7021 x315
email: [EMAIL PROTECTED]
 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] DHCP Problem

2006-10-16 Thread Ramon Linan
At this point you probably have had enough help to figure out your
problem with DHCP... anyway, if the server died and you were not able
to demote it, you will probably want to check which roles that server was
holding:

netdom query /domain:domain fsmo

Schema owner
Domain role owner
PDC role
RID pool manager
Infrastructure owner

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bob Anderson
Sent: Monday, October 16, 2006 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DHCP Problem

Rezuma,
The old server was our DC and GC and DHCP and DNS. It has died.
On the new server I am trying to rebuild DHCP but when I add the IP
address of the server it shows up with the name of the old server and
will not let me do anything with it. I think I need to wipe all traces
of DHCP off the domain and start over. 


Bob
IT Guy
 

 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] OT: WSS and AD. WebPart user information

2006-10-11 Thread Ramon Linan
Frustrating! :) It sounds very hard to do for a .NET newbie like me. I
have worked with Zope and Plone before and everything is much easier...
Unluckily, we can't use Plone or other CMSs I am more familiar with, and I
need to create this tool, webpart or whatever so the users can update
their contact info.

I have done a few scripts in asp to display information from AD even to
change information in AD, my problem is how to do that inside
SharePoint, unless I can create an external page to do this and have a
link in the SharePoint site...

Anyway, thanks for the info, I will get your book to see if figure
things out.

Thanks 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Tuesday, October 10, 2006 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: WSS and AD. WebPart user information

Ryan and I wrote a whole book that is essentially all about how you
might write such a thing (www.directoryprogramming.net), but we don't
have any pre-baked web parts in the samples.  All the code is lower
level than that.

We also have such a thing that we use internally (actually a server
control, not a full web part) that uses Ajax and a popup query form to
implement an AD picker.  Unfortunately, I can't share it outside the
company.

The key to something like this is deciding how you want the security
model to work.  You can basically either use the trusted subsystem
design (use a service account to query AD) or use the delegated model
(flow the authenticated user's security context through to AD).  Since
SharePoint uses impersonation by default, the delegated model is what
you'll get unless you change something to implement the trusted
subsystem model.

Delegation is hard to get working, as it requires implementing Kerberos
delegation, one of the black arts of Windows AD configuration stuff. 
SharePoint tends to fight delegation as well, as versions before SP2
actually disable Kerberos authentication in the IIS metabase when it is
installed.  You have to undo that or get protocol transition working.
It can be icky.  :)

Joe K.

- Original Message -
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Tuesday, October 10, 2006 2:30 PM
Subject: [ActiveDir] OT: WSS and AD. WebPart user information


Hi everyone,

Does anyone know of a web part for Windows SharePoint Services 2 or 3
to grab information from AD users?

I want to create a web part that will allow the user to update their
contact information and update AD at the same time.


Thanks

Rezuma 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] OT: LDAP and AD? Learn more from Gil Kirkpatrick - plus three bonus tracks!

2006-10-10 Thread Ramon Linan
Has anyone gone to one of these conferences in the past? There is one in
DC that I may go to, is it worth it?

Thanks 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, October 05, 2006 3:06 PM
To: ActiveDir.org
Subject: [ActiveDir] OT: LDAP and AD? Learn more from Gil Kirkpatrick -
plus three bonus tracks!

 http://list.windowsitpro.com/t?ctl=3B222:40CB7 

Calling all Linux Gurus; UNIX Ninjas; Windows Masters and rubber chicken
lovers


Just got this in my SPAM inbox.
Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] OT: WSS and AD. WebPart user information

2006-10-10 Thread Ramon Linan



Hi everyone,

Does anyone know of a web part for Windows SharePoint Services 2 or 3 to grab
information from AD users?

I want to create a web part that will allow the user to update their contact
information and update AD at the same time.


Thanks

Rezuma


RE: [ActiveDir] OT: ExMerge works for some, not others

2006-10-05 Thread Ramon Linan



Can you post the error?

Make sure those users are not hidden in the GAL, if you 
hide them it will not work.

Rezuma


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, October 04, 2006 8:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: ExMerge works for some, not others


Hello:

Sorry for the OT. ExMerge is giving me heartburn.

I have a small Exchange install where all the tools (and everything else) is
on the DC. (Yes, if they had thought about it earlier, it would be SBS -- but
it is not.)

I am trying to run ExMerge to pull out PST files. The user running ExMerge is
Domain Admin, Enterprise Admin, and Domain User. I believe all of those groups
are denied Send As and Receive As. At least, Receive As is required to run
ExMerge. Yet, despite that, I am able to run ExMerge against about half of the
users. The other half cough up permission errors in the log.

One additional factor: all of the problem users were disabled within AD. I
re-enabled the accounts for this purpose.

Any thoughts about what is going on here? Why some work and some don't?

Thanks.

- nme



RE: [ActiveDir] what is the meaning of OT in front of the subject

2006-10-05 Thread Ramon Linan
Some of the subjects have that OT preceding the subject, what's that?

Thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Not receiving email from this list

2006-10-05 Thread Ramon Linan
I was not receiving them until I realized that it was our sonicwall
antispam...I have had no problem since then.

Rezuma 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Thursday, October 05, 2006 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Not receiving email from this list

I'm not getting emails from this list at my work email, starting last
Thursday. Has anyone else experienced the same thing?

Alex

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] OT: wikis

2006-10-05 Thread Ramon Linan
Right, and remember there is not absolute truth!! :) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Greg Nims
Sent: Thursday, October 05, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: wikis


 It's funny how we quote wikis as definitive sources of information, 
 when they can be edited by anyone and everyone :)

 Who vets the edits and how much does that person know about the 
 subject matter??

Anyone can edit, which is why they are generally correct.  When 100,000
people view a record, and 2 people want to change it to be incorrect,
999,998 will want to correct it.

I wouldn't use a wiki as a great historical or technical source.  But
for encyclopedia entries, which give a good summation of a subject, they
are great.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] OT: wikis

2006-10-05 Thread Ramon Linan
OT
As I said before there is not universal truth , that is only truth if
you are using decimal system ;)

999,998 + 2 = 9b

;-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, October 05, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: wikis

999,998 + 2 = 1,000,000, not 100,000. ;-) 

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Greg Nims
 Sent: Thursday, October 05, 2006 11:49 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] OT: wikis
 
 
  It's funny how we quote wikis as definitive sources of information, 
  when they can be edited by anyone and everyone :)
 
  Who vets the edits and how much does that person know about the 
  subject matter??
 
 Anyone can edit, which is why they are generally correct.  
 When 100,000 people view a record, and 2 people want to change it to 
 be incorrect,
 999,998 will want to correct it.
 
 I wouldn't use a wiki as a great historical or technical source.  But 
 for encyclopedia entries, which give a good summation of a subject, 
 they are great.
 
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

2006-10-04 Thread Ramon Linan



Pretty cool Joe!, thanks for the info


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 03, 2006 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

Yes. You have to mark each attribute you want in the GC to 
be part of the PAS. Basically set the attribute isMemberOfPartialAttributeSet to 
TRUE. 

Ex:

G:\admod -schema -rb cn=uid isMemberOfPartialAttributeSet::TRUE

AdMod V01.07.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006

DN Count: 1
Using server: r2dc2.test.loc:389
Directory: Windows Server 2003
Base DN: cn=uid,CN=Schema,CN=Configuration,DC=test,DC=loc

Modifying specified objects...
   DN: cn=uid,CN=Schema,CN=Configuration,DC=test,DC=loc...

The command completed successfully

To find out which attributes are involved, run 
this

adfind -sc s:*posix* -af objectcategory=classschema 
maycontain

the output should be something like


G:\adfind -sc s:*posix* -af objectcategory=classschema maycontain

AdFind V01.32.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006

Using server: r2dc2.test.loc:389
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=test,DC=loc

dn:CN=PosixAccount,CN=Schema,CN=Configuration,DC=test,DC=loc
mayContain: description
mayContain: gecos
mayContain: loginShell
mayContain: unixUserPassword
mayContain: userPassword
mayContain: homeDirectory
mayContain: unixHomeDirectory
mayContain: gidNumber
mayContain: uidNumber
mayContain: cn
mayContain: uid

dn:CN=PosixGroup,CN=Schema,CN=Configuration,DC=test,DC=loc
mayContain: memberUid
mayContain: gidNumber
mayContain: description
mayContain: unixUserPassword
mayContain: userPassword
mayContain: cn

2 Objects returned




--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, October 03, 2006 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

I don't think I am making myself clear.

I already have those classes in the schema, I just want to 
add the properties that those classes have to the global catalog so they 
replicate throughout the forest, I don't need to install those classes in the 
AD, I already did that. 

Do I have to add attribute by attribute to the 
GC?

Thanks


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, October 03, 2006 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC


Hi Rezuma,

I suspect you might run into the same issue I had when I did the R2 forestprep
with SFU 3.5 (although you have the earlier SFU 3.0). If so, see the fixup
from Steve Linehan posted to this newsgroup on 8/7/06 (and my comment from
8/12/06).

Mike Thommes





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 03, 2006 11:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

You get the R2 CD and 
do the forestprep, it will install the entire R2 schema which includes all of 
those Unix interop classes and attributes. You do not really want to do this 
manually or it could be troublesome later.

 
joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, October 03, 2006 11:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

We are using Windows 2003 servers. But what I need is to add those 2 classes
that already exist in the AD schema to the global catalog so they replicate
through the GCs in the forest. How do I add 2 whole classes with their
attributes? Changing the "replicate this attribute in the global catalog"
option attribute by attribute?

Thanks

Rezuma




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 03, 2006 11:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

Modifying the schema except for indexing or adding PAS attributes in a forest
with Windows 2000 domain controllers is really a non-event when done properly
with proper OIDs and names. Indexing can work your DCs a little as the new
indexes have to be created but it depends on the attribs being indexed and
what type of index is being created on how much that will hit your DC. Usually
I would say it is minimal impact. With Windows 2000 GCs, you get to enjoy a
full PAS refresh which generates a considerable amount of replication. Simply,
if you are running Windows 2000 DCs, why in the world are you doing so, upgrade
already, 2003 has been around for 3 years already and has a ton of AD
enhancements. In a small network like yours, I wouldn't expect even a small burp
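
Joe's answer above amounts to a procedure: list each class's mayContain attributes with adfind, then flip isMemberOfPartialAttributeSet to TRUE one attribute at a time with admod. The script below is an added example (not from the thread and not a joeware tool) that automates the paperwork between those two steps: it parses adfind-style output into a per-class attribute list, merges the classes, drops attributes assumed to be in the PAS already, and writes out one admod line per remaining attribute in the exact form quoted in the thread. It assumes the adfind output has one mayContain value per line and, as in Joe's cn=uid example, that each attribute's schema RDN equals its lDAPDisplayName; where the CN differs the generated line needs the real RDN. The sample output and the skip list are constructed. The two password-type attributes in the lists are flagged for review, since marking them for the PAS copies whatever they hold to every GC in the forest.

```python
"""Turn adfind 'mayContain' output into a reviewable list of admod commands.

Added example for the ActiveDir thread on putting the POSIX auxiliary
classes into the global catalog; not a joeware tool.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample modelled on the adfind output quoted in the thread,
# with one mayContain value per line.
SAMPLE_ADFIND_OUTPUT = """\
AdFind V01.32.00cpp Joe Richards October 2006

Using server: r2dc2.test.loc:389
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=test,DC=loc

dn:CN=PosixAccount,CN=Schema,CN=Configuration,DC=test,DC=loc
mayContain: description
mayContain: gecos
mayContain: loginShell
mayContain: unixUserPassword
mayContain: userPassword
mayContain: homeDirectory
mayContain: unixHomeDirectory
mayContain: gidNumber
mayContain: uidNumber
mayContain: cn
mayContain: uid

dn:CN=PosixGroup,CN=Schema,CN=Configuration,DC=test,DC=loc
mayContain: memberUid
mayContain: gidNumber
mayContain: description
mayContain: unixUserPassword
mayContain: userPassword
mayContain: cn

2 Objects returned
"""

# Assumption: these hold credential material and deserve a look before they
# are replicated to every GC; the admod line for them is marked for review.
SENSITIVE_ATTRIBUTES = {"unixUserPassword", "userPassword"}
# Constructed skip list: attributes assumed to be in the default PAS already.
ALREADY_IN_PAS = {"cn", "description"}

DN_RE = re.compile(r"^dn:\s*(CN=[^,]+),", re.IGNORECASE)
MAY_RE = re.compile(r"^mayContain:\s*(\S+)", re.IGNORECASE)


def parse_may_contain(text: str) -> Dict[str, List[str]]:
    """Return {class RDN: [attribute names in output order]} from adfind output."""
    classes: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        dn = DN_RE.match(line)
        if dn:
            current = dn.group(1)
            classes[current] = []
            continue
        attr = MAY_RE.match(line)
        if attr and current is not None:
            classes[current].append(attr.group(1))
    return classes


def attributes_to_add(classes: Dict[str, List[str]],
                      already_in_pas: Iterable[str] = ALREADY_IN_PAS) -> List[str]:
    """Merge all classes, drop attributes already in the PAS, sort case-insensitively."""
    wanted = {a for attrs in classes.values() for a in attrs}
    return sorted(wanted - set(already_in_pas), key=str.lower)


def admod_commands(attrs: Iterable[str],
                   sensitive: Iterable[str] = SENSITIVE_ATTRIBUTES) -> List[str]:
    """One admod line per attribute, in the form quoted in the thread.

    The -rb value assumes the schema object's CN equals the attribute's
    lDAPDisplayName (true for cn=uid in the thread; not guaranteed elsewhere).
    """
    flagged = set(sensitive)
    cmds = []
    for a in attrs:
        cmd = f"admod -schema -rb cn={a} isMemberOfPartialAttributeSet::TRUE"
        if a in flagged:
            cmd += "   REM review before running: credential-bearing attribute"
        cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    parsed = parse_may_contain(SAMPLE_ADFIND_OUTPUT)
    for line in admod_commands(attributes_to_add(parsed)):
        print(line)
```

The output is meant to be read, not piped straight into a shell: check the RDN of each attribute, decide about the flagged ones, and then run the lines one by one as Joe did for cn=uid.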

RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

2006-10-03 Thread Ramon Linan



thanks for the info, how do I go about adding them to the 
GC? and, being a small network, do you see any dramatic effect to doing that? in 
terms of replication I mean.

Thanks



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 02, 2006 11:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

SFU30 is pretty old. What you really should do is apply the Windows Server
2003 R2 Schema which has the aux classes:

posixAccount
posixGroup

 
joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Monday, October 02, 2006 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 200 users network. Adding 2 classes to the GC

Hi,

I have a Unix application that uses LDAP queries.

The developer is telling me that 2 classes should be available in the GC (they
need to query the whole forest for some information).

The classes are msSFU30PosixAccount and msSFU30PosixGroup. How do I add a whole
class to the GC? I know how to add an attribute, do I have to go attribute by
attribute?

We only have 200 users and not many AD objects, is there a reason why I should
not add those 2 classes, in terms of replication I mean and for a small network
like this.


Thanks

Rezuma


[ActiveDir] Move all OU and USERS from one forest to another forest

2006-10-03 Thread Ramon Linan
Hi,

I am trying to build a testing environment.

I have the production forest and the testing forest, not connected at
all.

Is there an easy way of creating all the same OUs and users from one
forest in the other? Each forest only has one domain; also, I am only
interested in moving some of the attributes, i.e. there is no MS Exchange
in the testing environment so I don't care about Exchange attributes.

I was going to build a script that will read from the production LDAP and
create the objects in the other one, but if there is already something like
that, a tool or script, I would prefer to use it to save time.

Can I use ADAM for this?

Rezuma
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

2006-10-03 Thread Ramon Linan



We are using Windows 2003 servers. But what I need is to add those 2 classes
that already exist in the AD schema to the global catalog so they replicate
through the GCs in the forest. How do I add 2 whole classes with their
attributes? Changing the "replicate this attribute in the global catalog"
option attribute by attribute?

Thanks

Rezuma


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 03, 2006 11:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

Modifying the schema except for indexing or adding PAS attributes in a forest
with Windows 2000 domain controllers is really a non-event when done properly
with proper OIDs and names. Indexing can work your DCs a little as the new
indexes have to be created but it depends on the attribs being indexed and what
type of index is being created on how much that will hit your DC. Usually I
would say it is minimal impact. With Windows 2000 GCs, you get to enjoy a full
PAS refresh which generates a considerable amount of replication. Simply, if
you are running Windows 2000 DCs, why in the world are you doing so, upgrade
already, 2003 has been around for 3 years already and has a ton of AD
enhancements. In a small network like yours, I wouldn't expect even a small
burp even in the worst case unless you have few users and a ton (tens or
hundreds of thousands) of other types of objects. You would mention that though
I expect.

 
joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, October 03, 2006 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

thanks for the info, how do I go about adding them to the 
GC? and, being a small network, do you see any dramatic effect to doing that? in 
terms of replication I mean.

Thanks



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 02, 2006 11:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

SFU30 is pretty old. What you really should do is apply the Windows Server
2003 R2 Schema which has the aux classes:

posixAccount
posixGroup

 
joe



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Monday, October 02, 2006 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 200 users network. Adding 2 classes to the GC

Hi,

I have a Unix application that uses LDAP queries.

The developer is telling me that 2 classes should be available in the GC (they
need to query the whole forest for some information).

The classes are msSFU30PosixAccount and msSFU30PosixGroup. How do I add a whole
class to the GC? I know how to add an attribute, do I have to go attribute by
attribute?

We only have 200 users and not many AD objects, is there a reason why I should
not add those 2 classes, in terms of replication I mean and for a small network
like this.


Thanks

Rezuma


RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

2006-10-03 Thread Ramon Linan



I don't think I am making myself clear.

I already have those classes in the schema, I just want to 
add the properties that those classes have to the global catalog so they 
replicate throughout the forest, I don't need to install those classes in the 
AD, I already did that. 

Do I have to add attribute by attribute to the 
GC?

Thanks


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, October 03, 2006 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC


Hi Rezuma,

I suspect you might run into the same issue I had when I did the R2 forestprep
with SFU 3.5 (although you have the earlier SFU 3.0). If so, see the fixup
from Steve Linehan posted to this newsgroup on 8/7/06 (and my comment from
8/12/06).

Mike Thommes





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 03, 2006 11:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

You get the R2 CD and 
do the forestprep, it will install the entire R2 schema which includes all of 
those Unix interop classes and attributes. You do not really want to do this 
manually or it could be troublesome later.

 
joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, October 03, 2006 11:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

We are using Windows 2003 servers. But what I need is to add those 2 classes
that already exist in the AD schema to the global catalog so they replicate
through the GCs in the forest. How do I add 2 whole classes with their
attributes? Changing the "replicate this attribute in the global catalog"
option attribute by attribute?

Thanks

Rezuma




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, October 03, 2006 11:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

Modifying the schema except for indexing or adding PAS attributes in a forest
with Windows 2000 domain controllers is really a non-event when done properly
with proper OIDs and names. Indexing can work your DCs a little as the new
indexes have to be created but it depends on the attribs being indexed and what
type of index is being created on how much that will hit your DC. Usually I
would say it is minimal impact. With Windows 2000 GCs, you get to enjoy a full
PAS refresh which generates a considerable amount of replication. Simply, if
you are running Windows 2000 DCs, why in the world are you doing so, upgrade
already, 2003 has been around for 3 years already and has a ton of AD
enhancements. In a small network like yours, I wouldn't expect even a small
burp even in the worst case unless you have few users and a ton (tens or
hundreds of thousands) of other types of objects. You would mention that though
I expect.

 
joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, October 03, 2006 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

Thanks for the info, how do I go about adding them to the GC? And, being a
small network, do you see any dramatic effect to doing that? In terms of
replication I mean.

Thanks





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 02, 2006 11:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC

SFU30 is pretty old. What you really should do is apply the Windows Server
2003 R2 Schema which has the aux classes:

posixAccount
posixGroup


 
joe




--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Monday, October 02, 2006 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 200 users network. Adding 2 classes to the GC

Hi,

I have a Unix application that uses LDAP queries.

The developer is telling me that 2 classes should be available in the GC (they
need to query the whole forest for some information).

The classes are msSFU30PosixAccount and msSFU30PosixGroup. How do I add a whole
class to the GC? I know how to add an attribute, do I have to go attribute by
attribute?

We only have 200 users and not many AD objects, is there a reason why I should
not add those 2 classes, in terms of replication I mean and for a small network
like this.





Thanks



Rezuma


[ActiveDir] 200 users network. Adding 2 classes to the GC

2006-10-02 Thread Ramon Linan



Hi,

I have a Unix application that uses LDAP queries.

The developer is telling me that 2 classes should be available in the GC (they
need to query the whole forest for some information).

The classes are msSFU30PosixAccount and msSFU30PosixGroup. How do I add a whole
class to the GC? I know how to add an attribute, do I have to go attribute by
attribute?

We only have 200 users and not many AD objects, is there a reason why I should
not add those 2 classes, in terms of replication I mean and for a small network
like this.


Thanks

Rezuma


RE: [ActiveDir] Test 123

2006-09-28 Thread Ramon Linan
That's because the people like to sleep during the night :)

Just Joking 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, September 28, 2006 2:53 AM
To: ActiveDir.org
Subject: [ActiveDir] Test 123

Just checking to see if the list is working as nothing landed overnight.


Mark Parris

Base IT Ltd
Active Directory Consultancy
Tel +44(0)7801 690596
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir]SUBDOMAIN AND LDAP

2006-09-25 Thread Ramon Linan
You guys are amazing, in terms of AD knowledge, way out of my league.
Anyway, I was the one asking about this application, and I have more
questions.

First I must say that I am waiting to hear from the vendor about
whether the app modifies the schema or not. I got 2 emails from them,
one saying yes and the other saying no, it does not change it!!! :( I am
panicking already.

Here goes my question:
We have 2 offices, and only 4 people in the HQ are going to be using this
app, so if the app changes the schema of AD it would be better to use
ADAM, is this right? Especially because I don't know how good the
application is going to be about cleaning AD if we don't use it anymore.

The first vendor tech who replied to me said that the application
changes the schema, and he was saying that it has already changed the
schema in the subdomain, where all the current users for this application
are. Is that possible? If I have domain.com and child.domain.com, can I
change the schema of AD for a subdomain and not for the main domain?? I
thought it was only one LDAP for the whole forest; this does not make
sense considering the schema owner is the same for both child and main
domain. Can I say to the vendor how wrong he is, or are there exceptions
to that situation?

Is there a tool I can use that will compare the out-of-the-box schema
for Windows 2003 + Exchange with the current schema? Or do I have to use
adsiedit and try to figure out what is part of the app?

I am still waiting to receive an answer about the way these dudes
authenticate: simple bind, secure bind, Kerberos, or whatever.

Thanks all

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, September 24, 2006 4:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]SUBDOMAIN AND LDAP

In my own mind I've wrestled a lot with whether or not I like auth via
LDAP. I've come to the conclusion that it's ok, and that we should build
mechanisms to facilitate it. Things like tokenGroups on RootDSE speak to
this, but we should do more.

LDAP is easy. Anyone can write an LDAP-based application. On the flip
side, Kerb is hard (a-la ADFS). Windows-level integration (LogonUser()
like APIs) is likely what I like best, but there are problems, such as
lack of x-platform story and the need to be within trust's reach. ADFS
is a pretty good answer, but it's new, and people aren't yet comfy with
the APIs (assuming they are easy to use, like LDAP) as well as lack of a
consistent, reliable infrastructure you find everywhere. LDAP is the
de facto choice considering these complications.

So, you can like LDAP or not, but it's here to stay and people are using
it. :) And I'm not sure this is a bad thing.

On some specific points

 Far too many times that I have looked at LDAP traces I see passwords 
 and IDs just flowing across the wire like there was no tomorrow.

To be fair, you need to be clear as to where you are seeing this. For
example, two servers talking to one another in the clear might be
acceptable depending upon your security model. SSL does not raise the
bar out of the gate like people seem to want to believe. You need to
look at a threat model to really know.
In fact, I'd assert that most people who turn on SSL do so straight out
of the gate and take the perf hit w/o ever having looked at a threat
model! This is sad to me, it means they didn't threat model generally
(and consequently don't know where the real gaps are) but also are
paying a perf penalty w/o really knowing if it is required.

 Is your thought that those protocols are headed in the direction to be

 more universal and used even when Web access isn't even
involved?

I don't know what Joe was thinking, but I'm certainly willing to assert
this. As these technologies become easier to use and empower more
scenarios, it is reasonable to assume that people may use them
internally as well as externally. As this happens, it is rolled out even
within an organization. I can name a few major organizations off hand
which are using these as a unifying infrastructure among disparate
systems within their enterprise. It is likely going to happen more and
more, and I think it's already happening quite a bit today.

That said, this is not to say you will see 100% coverage... I don't
know. If we make ADFS a Kerberos-like piece of the infrastructure
(automagically installed and configured out of the box), that becomes a
more realistic perspective to consider.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, September 24, 2006 8:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]SUBDOMAIN AND LDAP

Yeah I understand, lots of vendors use LDAP for auth, but it doesn't
make it good/right. Just like lots of vendors requiring admin access or
always passing NULL for LPSECURITY_ATTRIBUTES when working with
securable objects. 

ADAM is another story, if you need to use ADAM principals you 

RE: [ActiveDir]SUBDOMAIN AND LDAP

2006-09-25 Thread Ramon Linan
I see, thanks for the info, especially about not being able to delete
classes or properties; this actually makes using ADAM even more useful,
since there are apps that we will no longer use in a few years. Cool stuff,
all this.
Good point, I just checked, and only the administrator user is part of
the schema group; they don't have the administrator user or password so
probably they aren't changing the schema at all.

Thanks for the info again.

Rezuma
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Monday, September 25, 2006 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP

Ramon Linan wrote:
 You guys are amazing, in terms of AD knowledge, way out of my league.
 Anyway, I was the one asking about this application, and I have more
 questions.
 
 First I must say that I am waiting to hear from the vendor about
 whether the app modifies the schema or not. I got 2 emails from them,
 one saying yes and the other saying no, it does not change it!!! :( I
 am panicking already.
 
 Here goes my question:
 We have 2 offices, and only 4 people in the HQ are going to be using this
 app, so if the app changes the schema of AD it would be better to use
 ADAM, is this right? Especially because I don't know how good the
 application is going to be about cleaning AD if we don't use it anymore.

If we are talking about cleaning as in cleaning the schema, this can't
be done - you can't remove classes or attributes from the schema, you can
only defunct them in Windows 2003.

 
 The first vendor tech who replied to me said that the application
 changes the schema, and he was saying that it has already changed the
 schema in the subdomain, where all the current users for this
 application are. Is that possible? If I have domain.com and
 child.domain.com, can I change the schema of AD for a subdomain and not
 for the main domain?? I thought it was only one LDAP for the whole
 forest? This does not make sense considering the schema owner is the
 same for both child and main domain. Can I say to the vendor how wrong
 he is, or are there exceptions to that situation?

You should really consider using their application, as obviously they
don't have basic AD knowledge or they are missing some concepts. The schema
is common for all domains in the forest, so if you alter the schema
on the schema master, all domains in the forest will get these changes.
BTW, to alter the schema you have to have really high privileges, so:
1. Somebody let them do something with schema admin privileges, or
2. They don't know what they are talking about.

You should ask them:
1. If their application is extending the AD schema.
2. If the answer to 1 is yes: do they have their own registered OID
numbers, and are they unique?
3. They should present you these changes as LDIFs, and you should test them
in the lab.

 
 Is there a tool I can use that will compare the out-of-the-box schema
 for Windows 2003 + Exchange with the current schema? Or do I have to use
 adsiedit and try to figure out what is part of the app?

Schema Analyzer, which comes with ADAM SP1, can do this:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9688F8B9-1034-4EF6-A3E5-2A2A57B5C8E4&displaylang=en

 I am still waiting to receive an answer about the way these dudes
 authenticate, simple bind, secure bind, Kerberos, or whatever.


--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir]SUBDOMAIN AND LDAP

2006-09-25 Thread Ramon Linan
It looks like the guys that are building the app are using LDAP to find
the username and Kerberos to create the token, does that make sense?

Also, it looks like this application adds 2 classes to the AD. I wonder
when it is worth using ADAM; should it be used for any custom app that
expands the schema, or only depending on how big the changes to the
schema are?

Any recommendation?


Thanks

Rezuma

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Monday, September 25, 2006 10:20 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]SUBDOMAIN AND LDAP

Ramon Linan wrote:
 You guys are amazing, in terms of AD knowledge, way out of my league.
 Anyway, I was the one asking about this application, and I have more
 questions.
 
 First I must say that I am waiting to hear from the vendor about
 whether the app modifies the schema or not. I got 2 emails from them,
 one saying yes and the other saying no, it does not change it!!! :( I
 am panicking already.
 
 Here goes my question:
 We have 2 offices, and only 4 people in the HQ are going to be using this
 app, so if the app changes the schema of AD it would be better to use
 ADAM, is this right? Especially because I don't know how good the
 application is going to be about cleaning AD if we don't use it anymore.

If we are talking about cleaning as in cleaning the schema, this can't
be done - you can't remove classes or attributes from the schema, you can
only defunct them in Windows 2003.

 
 The first vendor tech who replied to me said that the application
 changes the schema, and he was saying that it has already changed the
 schema in the subdomain, where all the current users for this
 application are. Is that possible? If I have domain.com and
 child.domain.com, can I change the schema of AD for a subdomain and not
 for the main domain?? I thought it was only one LDAP for the whole
 forest? This does not make sense considering the schema owner is the
 same for both child and main domain. Can I say to the vendor how wrong
 he is, or are there exceptions to that situation?

You should really consider using their application, as obviously they
don't have basic AD knowledge or they are missing some concepts. The schema
is common for all domains in the forest, so if you alter the schema
on the schema master, all domains in the forest will get these changes.
BTW, to alter the schema you have to have really high privileges, so:
1. Somebody let them do something with schema admin privileges, or
2. They don't know what they are talking about.

You should ask them:
1. If their application is extending the AD schema.
2. If the answer to 1 is yes: do they have their own registered OID
numbers, and are they unique?
3. They should present you these changes as LDIFs, and you should test them
in the lab.

 
 Is there a tool I can use that will compare the out-of-the-box schema
 for Windows 2003 + Exchange with the current schema? Or do I have to use
 adsiedit and try to figure out what is part of the app?

Schema Analyzer, which comes with ADAM SP1, can do this:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9688F8B9-1034-4EF6-A3E5-2A2A57B5C8E4&displaylang=en

 I am still waiting to receive an answer about the way these dudes
 authenticate, simple bind, secure bind, Kerberos, or whatever.


--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
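Tomasz's advice in the thread above (get the extension as LDIF, make sure the vendor uses its own registered OIDs and that they are unique, and test in a lab first) can be turned into a pre-flight check. The script below is an added example, not code from the list or from any vendor: it reads a schema-extension LDIF, verifies every new attributeSchema/classSchema object carries an OID under the vendor's own arc, flags OID reuse and lDAPDisplayName collisions with names already in the forest, and notes modifications of existing classes for lab replay. The vendor arc 1.3.6.1.4.1.99999, the acme-* names, the baseline name set and the LDIF text are all constructed placeholders.

```python
"""Vet a vendor's AD schema-extension LDIF before it reaches the schema master.

Added example (not from the ActiveDir list). The vendor arc (1.3.6.1.4.1.99999
is a placeholder), the baseline name set and the LDIF text are constructed.
"""
import re

VENDOR_ARC = "1.3.6.1.4.1.99999."          # assumed: the vendor's registered OID arc
OID_RE = re.compile(r"^\d+(\.\d+)+$")

# Constructed stand-in for the lDAPDisplayNames already present in the forest
# schema. In practice, dump them from CN=Schema,CN=Configuration,... first.
BASELINE_NAMES = {"top", "user", "group", "mail", "department", "description"}

# Constructed vendor LDIF: a clean attribute, a clean class, an entry that reuses
# a Microsoft OID and an existing name, and a modify of the built-in user class.
SAMPLE_LDIF = """\
dn: CN=acme-Licence,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: acme-Licence
attributeID: 1.3.6.1.4.1.99999.1.1
attributeSyntax: 2.5.5.12
isSingleValued: TRUE

dn: CN=acme-LicensedUser,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
lDAPDisplayName: acme-LicensedUser
governsID: 1.3.6.1.4.1.99999.1.2
objectClassCategory: 3
subClassOf: top

dn: CN=department,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: department
attributeID: 1.2.840.113556.1.2.141
attributeSyntax: 2.5.5.12

dn: CN=user,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: acme-Licence
-
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of records, each attribute -> list of values.
    Folds continuation lines (leading space) and skips comments and the '-'
    change separator; base64 ('::') values are not needed for schema LDIF here."""
    records, current, pending = [], {}, None
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last record
        if raw.startswith(" ") and pending is not None:
            pending[1] += raw[1:]
            continue
        if pending is not None:
            current.setdefault(pending[0], []).append(pending[1])
            pending = None
        if raw.strip() == "":
            if current:
                records.append(current)
                current = {}
            continue
        if raw.startswith("#") or raw == "-":
            continue
        key, _, value = raw.partition(":")
        pending = [key.strip(), value.strip()]
    return records


def vet_schema_ldif(ldif_text, vendor_arc, baseline_names):
    """Return (severity, dn, message) findings; any 'error' means do not apply."""
    findings, seen_oids = [], {}
    baseline = {n.lower() for n in baseline_names}
    for rec in parse_ldif(ldif_text):
        dn = rec.get("dn", ["?"])[0]
        if rec.get("changetype", ["add"])[0].lower() != "add":
            # Touching an existing (here built-in) class is legal, but it is the
            # part you most want replayed in the lab before production.
            findings.append(("info", dn, "modifies an existing schema object"))
            continue
        classes = {c.lower() for c in rec.get("objectClass", [])}
        if "attributeschema" in classes:
            oid_attr = "attributeID"
        elif "classschema" in classes:
            oid_attr = "governsID"
        else:
            continue
        oid = rec.get(oid_attr, [""])[0]
        name = rec.get("lDAPDisplayName", [""])[0]
        if not OID_RE.match(oid):
            findings.append(("error", dn, "missing or malformed %s %r" % (oid_attr, oid)))
        else:
            if not oid.startswith(vendor_arc):
                findings.append(("error", dn, "OID %s is outside the vendor arc %s" % (oid, vendor_arc)))
            if oid in seen_oids:
                findings.append(("error", dn, "OID %s already used by %s" % (oid, seen_oids[oid])))
            seen_oids.setdefault(oid, dn)
        if name.lower() in baseline:
            findings.append(("error", dn, "lDAPDisplayName %r already exists in the schema" % name))
    return findings


if __name__ == "__main__":
    for severity, dn, msg in vet_schema_ldif(SAMPLE_LDIF, VENDOR_ARC, BASELINE_NAMES):
        print("%-5s %s: %s" % (severity, dn, msg))
```

On the sample, the two clean acme-* entries pass, the "department" entry is rejected twice (Microsoft OID arc, name collision) and the modify of the user class is reported for lab testing. Schema changes are forest-wide and cannot be removed, only defuncted, so a failed check here is the cheapest point at which to say no.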


[ActiveDir] Schema analyzer

2006-09-25 Thread Ramon Linan

Hi,


I need to compare our current AD schema to the one that comes out of the
box when you install Windows 2003 + MS Exchange.

I have been told that Schema Analyzer, which comes with ADAM SP1, can
do this... Has anyone done this before? I can figure out how to do it;
can anyone lead me to a doc where I can learn how to do it?

Thanks

Rezuma
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir]SUBDOMAIN AND LDAP

2006-09-22 Thread Ramon Linan
Hi,

I have an application that uses LDAP to authenticate (authenticates
against AD).

In my AD I have a domain and a subdomain or child domain.

I assume that both domain and subdomain use the same LDAP, right?

Also, if the application is using a user from the subdomain to query the
LDAP, what kind of access will that user have to have to authenticate
users at the main domain level?

Basically, the application is authenticating the users from the
subdomain fine but can't find the users from the main domain...


Thanks for any advice.


Rezuma


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Search Mailbox

2006-09-21 Thread Ramon Linan



I don't really understand your question...

You can connect to mailboxes in Exchange programmatically,
is this an answer?

Rezuma


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Thursday, September 21, 2006 9:02 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Search Mailbox


Is there any way to search for messages within a mailbox without using
Outlook in Exchange 2000; like using System Administrator?

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888
If you have received this message in error please notify the sender,
disregard any content and remove it from your possession.



RE: [ActiveDir] I'm Baaaaaaack!

2006-09-21 Thread Ramon Linan



:) all this is very random


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Thursday, September 21, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] I'm Baaack!


Yikes! Is it Halloween yet?



Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


From: Rick Kingslan
Sent: Thu 9/21/2006 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] I'm Baaack!
Be afraid... Be very afraid!  :-)



Rick


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] AD Reporting Tool?

2006-09-20 Thread Ramon Linan
Check Hyena.
All users, that's really easy to do; you can even use AD Users and
Computers, and you can also do the disabled ones with AD Users and
Computers.
You can do the memberOf with Hyena; there is a 30-day free trial of Hyena
and it is fully functional.


http://www.systemtools.com/hyena/ad_main.htm


Of course, you can also build your own scripts.

Rezuma  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Wednesday, September 20, 2006 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Reporting Tool?

Our auditors, for the first time, now suddenly want a report of all our
users in AD, what groups they are in, and if the account is disabled or
not. Is there a tool that I can get up to speed on quickly (today if
possible), run it against our AD, and get this report for them?

Thanks in advance, folks.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-19 Thread Ramon Linan



HI,

I have a SharePoint site for a client; it is driving me crazy because the sales
people are telling me that the users for this site can't have their password
expiring. The client is a government agency, so I don't want to be
responsible for any information being stolen.

How big of a security risk is not having passwords expiring? It seems to me
like security 101, but the sales guy is saying that banks don't ask you to
change your password every X days, good point.


Something I was thinking is having SharePoint authenticate with their
LDAP server, is this possible to do? Can anybody point to a URL on how to do
this?

thanks

Rezuma


RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-19 Thread Ramon Linan



ooops, forget about SharePoint using the client's LDAP,
they will never let us access their users database, duh!

So, now I need to fight with the project managers and
give them reasons why their passwords should change... my first question is still
valid.

How big of a security risk is not having passwords expiring?
And if it is important, how is it that banks don't ask clients to change
passwords?

Thanks

Rezuma


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, September 19, 2006 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

HI,

I have a SharePoint site for a client; it is driving me crazy because the sales
people are telling me that the users for this site can't have their password
expiring. The client is a government agency, so I don't want to be
responsible for any information being stolen.

How big of a security risk is not having passwords expiring? It seems to me
like security 101, but the sales guy is saying that banks don't ask you to
change your password every X days, good point.


Something I was thinking is having SharePoint authenticate with their
LDAP server, is this possible to do? Can anybody point to a URL on how to do
this?

thanks

Rezuma


RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-19 Thread Ramon Linan
Let's put it this way, the sales department makes money, the IT department
spends it :( :( :(

That's their point of view anyway... and I still don't have a good answer
to why Citibank doesn't force you to change your password, and they offer
web-based ...?


Thanks for your email

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, September 19, 2006 12:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

I have been involved in externally facing Microsoft sponsored
extranet/Sharepoint sites.

The password gets changed.

We have a GUI web portal and we are forced to change the password. 

Sales people set your security policy these days?

Ramon Linan wrote:
 HI,
  
 I have a SharePoint site for a client; it is driving me crazy because
 the sales people are telling me that the users for this site can't
 have their password expiring. The client is a government agency, so I
 don't want to be responsible for any information being stolen.
  
 How big of a security risk is not having passwords expiring? It seems
 to me like security 101, but the sales guy is saying that banks don't
 ask you to change your password every X days, good point.
  
  
 Something I was thinking is having SharePoint authenticate with
 their LDAP server, is this possible to do? Can anybody point to a URL
 on how to do this?
  
 thanks
  
 Rezuma

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-19 Thread Ramon Linan



Hi,

In the bank application case, I am not talking about the
bank users having to change the password, I was meaning the bank clients having
to change their PIN to access the online system... you did not require
your online clients to change their PIN every X days???



Thanks


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Kline
Sent: Tuesday, September 19, 2006 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

I've worked for several banks and have never, ever
not seen required password changes. In fact the
reverse problem often occurs. Bank systems do not use the same
authentication model (mainframe, domain, application specific) and require
password changes on different cycles. Personnel often have the proverbial
post-it pad in their desk drawer with written account names and
passwords.

I'm not a SharePoint expert and so will leave others
to comment, but I'd be very surprised if a non-domain LDAP can be used
(guess that could be construed as a comment, but it's really
just reasoned speculation).




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, September 19, 2006 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

HI,

I have a SharePoint site for a client; it is driving me crazy because the sales
people are telling me that the users for this site can't have their password
expiring. The client is a government agency, so I don't want to be
responsible for any information being stolen.

How big of a security risk is not having passwords expiring? It seems to me
like security 101, but the sales guy is saying that banks don't ask you to
change your password every X days, good point.


Something I was thinking is having SharePoint authenticate with their
LDAP server, is this possible to do? Can anybody point to a URL on how to do
this?

thanks

Rezuma


RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

2006-09-19 Thread Ramon Linan
All these comments are great; does anyone have a URL or document with a
list of reasons for having passwords expire, or explaining why it is
not a good thing to have non-expiring passwords?

Thanks 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Kline
Sent: Tuesday, September 19, 2006 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

Interesting point. It doesn't mean a darn thing, but it would be
interesting to see the sales folk squirm if they were asked to sign a
disclaimer document stating that they'd be responsible for password-
related security breaches. What a shame it wouldn't be enforceable!



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, September 19, 2006 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SHAREPOINT AND EXTERNAL LDAP

I have been told (BTW) by the patch management tool folks that still
support customers that buy NT patches -- that their main customers that
buy NT patches from Microsoft are banks and financial institutions.

Consider as well that when I walk into Bank of America they are running
DOS-based apps.

I wouldn't use banks as a shining example of security policy... when
BofA has

1. allowed Slammer to nail their ATM networks
2. lost backup tapes, causing identity theft

as two such shining examples of security policy in action.

Who's going to be on the firing line when something happens? Bank of
America? Or your buns?

If it's your buns, are you comfortable with not changing passwords?

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
 I have been involved in externally facing Microsoft sponsored 
 extranet/Sharepoint sites.

 The password gets changed.

 We have a GUI web portal and we are forced to change the password.
 Sales people set your security policy these days?

 Ramon Linan wrote:
 HI,
 
 I have a SharePoint site for a client; it is driving me crazy because
 the sales people are telling me that the users for this site can't
 have their password expiring. The client is a government agency, so I
 don't want to be responsible for any information being stolen.
 
 How big of a security risk is not having passwords expiring? It seems
 to me like security 101, but the sales guy is saying that banks don't
 ask you to change your password every X days, good point.
 
 
 Something I was thinking is having SharePoint authenticate with
 their LDAP server, is this possible to do? Can anybody point to a URL
 on how to do this?
 
 thanks
 
 Rezuma


--
Letting your vendors set your risk analysis these days? 
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
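Two threads above ask for the same thing from different angles: the AD Reporting Tool thread wants every user, its group memberships and whether the account is disabled; the SHAREPOINT AND EXTERNAL LDAP thread is really about which accounts have been exempted from password expiry. Both come out of the same attributes (userAccountControl, memberOf, pwdLastSet), and the script below is an added example, not code from the list, Hyena or any poster, showing how to decode them into an auditor's report. It uses constructed entries in place of a real LDAP search for (objectCategory=person); the names, DNs and FILETIME values are made up, the userAccountControl bit values are the documented ones.

```python
"""Audit report from AD user entries: groups, disabled flag, password-never-expires.

Added example (not from the ActiveDir list). Real data would come from an
LDAP search returning sAMAccountName, userAccountControl, memberOf and
pwdLastSet; the entries below are constructed for the demo.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# userAccountControl bits (documented values).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWD = 0x10000

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
    0 means the password was never set or must be changed at next logon."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, in integer arithmetic so it is exact."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def cn_of(dn):
    """'CN=Domain Admins,CN=Users,DC=x' -> 'Domain Admins'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def audit_users(entries, now, max_age_days=90):
    """One report row per user: groups, disabled, never-expires, password age.
    max_age_days is the policy you want to hold non-expiring accounts to."""
    rows = []
    for e in entries:
        uac = int(e["userAccountControl"])
        last_set = filetime_to_datetime(int(e.get("pwdLastSet", 0)))
        age = (now - last_set).days if last_set else None
        rows.append({
            "user": e["sAMAccountName"],
            "groups": ";".join(sorted(cn_of(g) for g in e.get("memberOf", []))),
            "disabled": bool(uac & ACCOUNTDISABLE),
            "pwd_never_expires": bool(uac & DONT_EXPIRE_PASSWD),
            "pwd_not_required": bool(uac & PASSWD_NOTREQD),
            "pwd_age_days": age,
            "stale_password": age is not None and age > max_age_days,
        })
    return rows


def to_csv(rows):
    """Render the rows as CSV text, the form auditors usually want."""
    fields = ["user", "groups", "disabled", "pwd_never_expires",
              "pwd_not_required", "pwd_age_days", "stale_password"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample: four accounts as an LDAP search might return them.
NOW = datetime(2006, 9, 20, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 512,
     "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"],
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10))},
    {"sAMAccountName": "bob", "userAccountControl": 512 | ACCOUNTDISABLE,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=example,DC=com",
                  "CN=Finance,OU=Groups,DC=example,DC=com"],
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=30))},
    {"sAMAccountName": "svc_sharepoint", "userAccountControl": 512 | DONT_EXPIRE_PASSWD,
     "memberOf": [],
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "contractor", "userAccountControl": 512 | PASSWD_NOTREQD,
     "memberOf": ["CN=Consultants,OU=Groups,DC=example,DC=com"],
     "pwdLastSet": 0},
]

if __name__ == "__main__":
    print(to_csv(audit_users(SAMPLE_ENTRIES, NOW)))
```

The flag that matters for the SharePoint argument is DONT_EXPIRE_PASSWD: an account carrying it is outside the domain's maximum password age, so the report pairs it with the actual password age (svc_sharepoint above: 400 days) rather than just listing the bit. PASSWD_NOTREQD is worth a column for the same reason, since it lets an empty password through the policy.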




RE: [ActiveDir] Ad Reporting Tools

2006-09-18 Thread Ramon Linan



I would say that you could use Hyena; it is pretty good with
reports and not too expensive.
But of course it would be way cooler if you create your
own tools by scripting, ADSI or CDO.

good luck

Ramon


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Monday, September 18, 2006 6:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ad Reporting Tools

Folks,

I am struggling with a fairly simple request. We would like a simple
report that lists how many PCs there are in each OU into an Excel
spreadsheet. Well, I have managed to do this with CSVDE and the summary
report in Excel. Is there a better (low cost) solution?


Dave Wade

E-Services
0161 474 5456

**This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. As a public body, the Council may be required to disclose this
email, or any response to it, under the Freedom of Information Act 2000,
unless the information in it is covered by one of the exemptions in the
Act. If you receive this email in error please notify Stockport e-Services
via [EMAIL PROTECTED] and then permanently remove it from your system.
Thank you. http://www.stockport.gov.uk**


RE: [ActiveDir] ADSI programming

2006-09-15 Thread Ramon Linan
Hi,

I want to start programming against AD.

I have experience programming with Python, PHP and VBA.

Any suggestion on which language is more convenient to program ADSI
with?

I was going to use Python because it can be used on Windows, Mac or
Linux/Unix.


Thanks

Rezuma
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Sharepoint in the DMZ

2006-09-14 Thread Ramon Linan
No problem at all, he is actually living in MD.

Let me know if you would like his contact info.

Rezuma


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Group, Russ
Sent: Thursday, September 14, 2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sharepoint in the DMZ

Thank you

Is he in NY?

Thanks
Russ


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Wednesday, September 13, 2006 9:14 AM
To: ActiveDir@mail.activedir.org
Subject: FW: [ActiveDir] Sharepoint in the DMZ


Hi Russ,

I have a friend with a lot of experience as a SharePoint
administrator in different environments; this is what he
suggested.


BTW, although he is currently working in the same
company as me, he is looking to move to another company, in case you need
someone.

Rezuma


They should only open port 443 from the internet and use SSL if it will be used
with AD users. If it's dual purpose for Outlook Web Access, it still only needs
443. You can hide the purpose of this port from port scanners by using a load
balancer or port redirection.

When connecting servers in the DMZ to servers on the inside, the best way is to
create an IPSec tunnel from the web server to the inside (database or Exchange) server
using the MS built-in networking and run the tunnel over a non-standard port
such as 5066. That will minimize how many ports are open from the DMZ to inside
and will also take care of forgetting to open a port or two when more traffic
needs to pass, such as NetBIOS or AD type traffic. Because it's a non-standard
port, it makes it harder to find and identify for specific exploit types such as
SQL injection on port 1433 against SQL Server.

I don't have an opinion on using a child domain; it will work fine, but if security is
the reason, I'd build a separate domain and use a trust maybe.


What do you think?

Dan


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Group, Russ
Sent: Tuesday, September 12, 2006 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sharepoint in the DMZ

Hi all
I have a consultant that wants to put SharePoint into our DMZ. Here is what
he is proposing to do:

  Create a child domain and put the SharePoint computer account in the child domain
  Put the SharePoint server in our DMZ.
  Open up the same ports for SharePoint that we would open for Outlook Web Access
  Also open port 1433 for SQL
Since I don't know much about
SharePoint, I was hoping someone would be able to let me know if this has been done
in the past and if it's safe.
Thank you
Russ



FW: [ActiveDir] Sharepoint in the DMZ

2006-09-13 Thread Ramon Linan
Hi Russ,

I have a friend with a lot of experience as a SharePoint
administrator in different environments; this is what he
suggested.


BTW, although he is currently working in the same
company as me, he is looking to move to another company, in case you need
someone.

Rezuma


They should only open port 443 from the internet and use SSL if it will be used
with AD users. If it's dual purpose for Outlook Web Access, it still only needs
443. You can hide the purpose of this port from port scanners by using a load
balancer or port redirection.

When connecting servers in the DMZ to servers on the inside, the best way is to
create an IPSec tunnel from the web server to the inside (database or Exchange) server
using the MS built-in networking and run the tunnel over a non-standard port
such as 5066. That will minimize how many ports are open from the DMZ to inside
and will also take care of forgetting to open a port or two when more traffic
needs to pass, such as NetBIOS or AD type traffic. Because it's a non-standard
port, it makes it harder to find and identify for specific exploit types such as
SQL injection on port 1433 against SQL Server.

I don't have an opinion on using a child domain; it will work fine, but if security is
the reason, I'd build a separate domain and use a trust maybe.


What do you think?

Dan


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Group, Russ
Sent: Tuesday, September 12, 2006 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sharepoint in the DMZ

Hi all
I have a consultant that wants to put SharePoint into our DMZ. Here is what
he is proposing to do:

  Create a child domain and put the SharePoint computer account in the child domain
  Put the SharePoint server in our DMZ.
  Open up the same ports for SharePoint that we would open for Outlook Web Access
  Also open port 1433 for SQL
Since I don't know much about
SharePoint, I was hoping someone would be able to let me know if this has been done
in the past and if it's safe.
Thank you
Russ


[ActiveDir] aexp.asp Changing user password via web

2006-09-07 Thread Ramon Linan
Hi,

When you deploy MS Exchange it also installs a bunch of ASP scripts in
IIS.
For instance MS iisadmpwd/aexp.asp, which allows users to change their
password via browser!!

I was wondering how secure it is to have these scripts accessible from
the internet?

Any suggestion?

Rezuma
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] more DNS questions

2006-09-06 Thread Ramon Linan
Hi,

I have 2 internal DNS servers and 2 external DNS servers.
We are delegating the subdomain sub.domain.com to another server in the
same building that is managed by the Unix guys. We have also given them
16 IP addresses in the range x.y.z.65-80.

One of their SAs is asking me to update the reverse RRs for several
records in this way:

x.y.z.67 CNAME 67.z.y.x.rev.sub.domain.com


But when I go to our DNS server all I find for the reverse zone is
something like

z.y.x.in-addr.arpa, so when I try to create a CNAME record there I get
something like 67.z.y.x.in-addr.arpa instead of
67.z.y.x.rev.sub.domain.com

How can I get what this dude is asking me to do??? Do I need to create a
reverse zone for that subdomain?
Thanks
Rezuma
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
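The request in the post above ("x.y.z.67 CNAME 67.z.y.x.rev.sub.domain.com") is the classless in-addr.arpa delegation pattern from RFC 2317: the parent z.y.x.in-addr.arpa zone keeps one CNAME per delegated address, each pointing at a name under a zone the delegate controls, and the delegate's server holds the actual PTR records. The script below is an added example, not from the list or from the poster: it generates the CNAMEs for a host range and then walks a small resolver table to show the CNAME-to-PTR chain and the loop guard a resolver needs. 192.0.2.0/24 is an assumed documentation prefix standing in for x.y.z, and the PTR targets are constructed.

```python
"""Classless reverse delegation (RFC 2317) for the rev.sub.domain.com request.

Added example, not from the list. 192.0.2.0/24 stands in for the x.y.z prefix
of the post; the delegate zone contents are constructed.
"""
import ipaddress


def reverse_name(ip):
    """192.0.2.67 -> '67.2.0.192.in-addr.arpa.'"""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def delegated_name(ip, target_suffix):
    """192.0.2.67, 'rev.sub.domain.com' -> '67.2.0.192.rev.sub.domain.com.'"""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + target_suffix.strip(".") + "."


def cname_records(network, first, last, target_suffix):
    """CNAMEs for the parent in-addr.arpa zone, one per address whose last
    octet lies in [first, last]. Works for ranges that are not CIDR-aligned
    (65-80 is not a /28), which is why RFC 2317 uses per-address CNAMEs."""
    recs = []
    for addr in ipaddress.ip_network(network):
        if first <= int(addr) & 0xFF <= last:
            recs.append((reverse_name(addr), "CNAME", delegated_name(addr, target_suffix)))
    return recs


def zone_lines(records):
    """Render records as master-file lines for the parent reverse zone."""
    return ["%s IN %s %s" % r for r in records]


def build_table(*record_sets):
    """Flatten (owner, type, rdata) tuples into a name -> (type, rdata) table."""
    table = {}
    for records in record_sets:
        for owner, rtype, rdata in records:
            table[owner.lower()] = (rtype, rdata)
    return table


def resolve_ptr(name, table, max_hops=8):
    """Follow CNAMEs from name until a PTR is found. Returns None when the
    chain is broken, the delegate has no PTR yet, or max_hops is exceeded
    (loop guard against two CNAMEs pointing at each other)."""
    current = name.lower()
    for _ in range(max_hops):
        rr = table.get(current)
        if rr is None:
            return None
        rtype, rdata = rr
        if rtype == "PTR":
            return rdata
        if rtype != "CNAME":
            return None
        current = rdata.lower()
    return None


# Constructed: what the Unix team's server holds for two of the addresses.
DELEGATE_ZONE = [
    ("67.2.0.192.rev.sub.domain.com.", "PTR", "host67.sub.domain.com."),
    ("68.2.0.192.rev.sub.domain.com.", "PTR", "host68.sub.domain.com."),
]

if __name__ == "__main__":
    parent = cname_records("192.0.2.0/24", 65, 80, "rev.sub.domain.com")
    print("\n".join(zone_lines(parent)))
    table = build_table(parent, DELEGATE_ZONE)
    for ip in ("192.0.2.67", "192.0.2.66"):
        print(ip, "->", resolve_ptr(reverse_name(ip), table))
```

Because the CNAME targets live under sub.domain.com, which is already delegated to the Unix team's server, the parent reverse zone needs only the CNAMEs; no new reverse zone on the Windows side and no NS delegation inside in-addr.arpa. An address the delegate has not yet given a PTR (192.0.2.66 above) resolves to nothing rather than to a wrong name.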


[ActiveDir] Distribution list Maintenance. Policy dilemma

2006-09-05 Thread Ramon Linan
Hi,

I have department managers asking me to
create DLs in Exchange of people who don't work in the company.

There is no technical problem to do that,
but I am finding out that the previous guy was doing that via contacts in AD. The
problem is that in this business, a consultant will work one day for you and
next to your competitor.

My question is, what is the common
practice in terms of DLs? Does anyone know a good way of maintaining them? Most of
the time, I don't get notified when we no longer work with a consultant.

How do you guys deal with DL maintenance? Any
suggestion?

RE: [ActiveDir] Distribution list Maintenance. Policy dilemma

2006-09-05 Thread Ramon Linan
That's an idea, although I am not
very concerned about getting the request for adding a new account/contact to a DL.

My concern is to maintain the DL; in most
of the cases the DL would have contacts, not AD users, and you can't put
an expiration on contacts.

So, how do I force/remind the managers to
notify me whenever a contact should no longer be in the DL?



Rezuma


From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, September 05, 2006 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Distribution list Maintenance. Policy dilemma


You've got to use an automated system (web based usually) where an
employee requests the contractor account/contact and puts an expiration on it.


Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132


From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Tuesday, September 05, 2006 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Distribution list Maintenance. Policy dilemma


Hi,

I have department managers asking me to
create DLs in Exchange of people who don't work in the company.

There is no technical problem to do that,
but I am finding out that the previous guy was doing that via contacts in AD.
The problem is that in this business, a consultant will work one day for you
and next to your competitor.

My question is, what is the common
practice in terms of DLs? Does anyone know a good way of maintaining them? Most of
the time, I don't get notified when we no longer work with a consultant.

How do you guys deal with DL maintenance?
Any suggestion?


[ActiveDir] DNS DOCUMENTATION

2006-09-01 Thread Ramon Linan
HI,

I have one of my clients that has AD
integrated DNS.

The internet domain is the same as the
AD domain (domain.com).

They have ns1 and ns2 to handle the
internet domain, meaning MX, www, A, etc. records for domain.com; those are the
external DNS servers.

And they also have several internal DNS
servers for AD.

The thing is I am able to query ns1 and
ns2 from outside the office and find out everything for the domain, global
catalogs, DCs, etc.

Is this the correct way to do it?

Anybody know a good white paper or
similar that deals with AD integrated DNS, internal and external DNS, etc?


Thanks

Rezuma
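The situation in the post above (same name for the Internet domain and the AD domain, with ns1/ns2 answering for _msdcs, global catalogs and DCs from outside) is what split-brain DNS exists to avoid: the external servers should carry only the public records, and everything AD registers stays on the internal servers. The script below is an added example, not from the list or from any poster, showing how to derive the publishable view from a dump of the internal zone and to report what was withheld and why. The zone records, host names and addresses are constructed; ns1/ns2 and domain.com are the names used in the post.

```python
"""Derive the external view of a split-brain DNS zone from the internal one.

Added example, not from the list. Zone records, names and addresses are
constructed; RFC 1918 ranges are used as the test for "internal address".
"""
import ipaddress

# Subtrees AD registers under the domain: locator SRV/A records and the
# DNS application partitions. None of it belongs on ns1/ns2.
AD_SUBTREES = {"_msdcs", "_sites", "_tcp", "_udp", "domaindnszones", "forestdnszones"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed internal zone dump: (owner relative to the apex, type, rdata).
INTERNAL_ZONE = [
    ("@", "SOA", "dc1.domain.com. hostmaster.domain.com. 2006090101 3600 600 86400 3600"),
    ("@", "NS", "dc1.domain.com."),
    ("@", "MX", "10 mail.domain.com."),
    ("www", "A", "203.0.113.10"),
    ("mail", "A", "203.0.113.25"),
    ("dc1", "A", "10.10.1.5"),
    ("gc._msdcs", "A", "10.10.1.5"),
    ("_ldap._tcp.dc._msdcs", "SRV", "0 100 389 dc1.domain.com."),
    ("_kerberos._tcp", "SRV", "0 100 88 dc1.domain.com."),
    ("_ldap._tcp.Default-First-Site-Name._sites", "SRV", "0 100 389 dc1.domain.com."),
    ("DomainDnsZones", "A", "10.10.1.5"),
    ("intranet", "CNAME", "dc1.domain.com."),
]


def relative_owner(fqdn, apex):
    """'dc1.domain.com.' -> 'dc1'; 'domain.com.' -> '@'; foreign names unchanged."""
    name = fqdn.rstrip(".").lower()
    apex = apex.rstrip(".").lower()
    if name == apex:
        return "@"
    if name.endswith("." + apex):
        return name[: -len(apex) - 1]
    return name


def is_rfc1918(rdata):
    addr = ipaddress.ip_address(rdata)
    return any(addr in net for net in RFC1918)


def first_pass_reason(record):
    """Why a record must stay on the internal servers, or None if it may leave."""
    owner, rtype, rdata = record
    if any(label in AD_SUBTREES for label in owner.lower().split(".")):
        return "AD locator/application-partition subtree"
    if rtype == "SRV":
        return "SRV records are not published externally"
    if rtype in ("SOA", "NS"):
        return "external servers carry their own SOA/NS"
    if rtype == "A" and is_rfc1918(rdata):
        return "private address"
    return None


def external_view(zone, apex, external_ns):
    """Return (kept, dropped). kept is the publishable record list with apex NS
    records rewritten to external_ns; dropped pairs each record with a reason."""
    kept, dropped, dropped_owners = [], [], set()
    for rec in zone:
        reason = first_pass_reason(rec)
        if reason:
            dropped.append((rec, reason))
            dropped_owners.add(rec[0].lower())
        else:
            kept.append(rec)
    # Second pass: a CNAME or MX pointing at a withheld name would dangle and
    # still leak the internal host name, so it goes too.
    final = []
    for rec in kept:
        owner, rtype, rdata = rec
        if rtype in ("CNAME", "MX"):
            target = relative_owner(rdata.split()[-1], apex)
            if target in dropped_owners:
                dropped.append((rec, "target %r is internal-only" % target))
                continue
        final.append(rec)
    final = [("@", "NS", ns) for ns in external_ns] + final
    return final, dropped


if __name__ == "__main__":
    kept, dropped = external_view(INTERNAL_ZONE, "domain.com",
                                  ["ns1.domain.com.", "ns2.domain.com."])
    print("publish on ns1/ns2:")
    for rec in kept:
        print("  %-45s %-5s %s" % rec)
    print("keep internal:")
    for rec, why in dropped:
        print("  %-45s %-5s %s  (%s)" % (rec + (why,)))
```

Run against the sample, only the MX and the two public A records survive alongside the rewritten NS set; the DC host record, the gc._msdcs and DomainDnsZones entries, all three SRV records and the intranet CNAME (because its target was withheld) are reported with their reasons. The same filter, pointed at a real zone export, gives a checklist of what an outside query of ns1/ns2 should no longer return.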

[ActiveDir] deleting subdomain

2006-08-30 Thread Ramon Linan
Hi,

We had a DC that was taken out of AD without being demoted. That DC was
also the only domain controller for that child domain, child.domain.com.

I want to remove that domain entirely from the AD, any ideas on the steps
I should follow?

I don't have access to that DC, so I can't do a clean removal.

Thanks

Rezuma
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] nslookup. AD beginner question

2006-08-29 Thread Ramon Linan

I did the nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com and I got

_ldap._tcp.dc._msdcs.domain.com SRV service location:
 priority = 0
 weight = 100
 port = 389
 svr hostname = sami.domain.com

I can't find that machine anywhere, not in the AD or DNS server!!!


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, August 29, 2006 10:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginner question

I think the key to this question is a very simple troubleshooting step. Go
into DNS and look at the (same as parent folder) records. Delete the ones
that aren't currently DNS servers. If you are using AD integrated DNS,
then this should be any domain controllers that you want clients to get
DNS from. Give it a day or two and see if the bad ones come back. If they
don't then you can assume this was an obsolete entry. If they do then you
can start looking for why.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Tuesday, August 29, 2006 4:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] nslookup. AD beginner question

If you do NSLOOKUP DOMAIN-NAME.COM then you will get a list of all the DNS
servers for that domain. For example, if you are using AD-Integrated DNS,
you will get a list of any DCs that are also DNS servers. Basically, that
command returns the (Same as parent) records for the domain.

If you want to pull all DCs in the domain, you need to run something like
this:

nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com

If you run the above command and get computer accounts back, see kb825675
as referenced by Steve. I wasn't aware that that bug also registered A
records for the domain name, but it might...

If you're new to NSLOOKUP, consider what information you want. There's a
bunch of different types of DNS record that might be of interest (A,
CNAME, PTR, SRV, MX). When troubleshooting AD, the main ones to look for
are A and SRV (there's also an instance where you need to check the CNAME
record too). Remember that simply pinging a DC doesn't mean that the
necessary SRV records are in place. I personally always advise people to
use a combination of NSLOOKUP and NLTEST to troubleshoot DNS and the
locator process. Use NSLOOKUP to see if the records that you expect are
there, and NLTEST to make the DsGetDC and DsGetSite calls.

--Paul

- Original Message -
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Monday, August 28, 2006 7:14 PM
Subject: [ActiveDir] nslookup. AD beginner question

Hi Everyone,

When I do a nslookup domain.com, being domain.com my AD domain, what should
I see? A list of the DNS servers in my domain? A list of the DCs?

The fact is that I am doing nslookup and I am getting domain controllers
but also a user's computer.

Thanks


RE: [ActiveDir] nslookup. AD beginner question

2006-08-28 Thread Ramon Linan

Thanks, but after reading all that I still was not able to find out what
kind of information you get when you do a lookup of domain.com, being
domain.com your AD domain, and why I am getting a user's computer.

Thanks


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Monday, August 28, 2006 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginner question

http://www.cni.org/pub/inetroom/nslookup.html

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup.mspx?mfr=true

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup__subcommands.mspx?mfr=true

Sincerely, 

_

 (, / |
/)
/) /) 
 /---| (/_ __ ___// _
// _ 
) / |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/
/) 

(/ 
Microsoft MVP - Directory Services
www.akomolafe.com- we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon


RE: [ActiveDir] nslookup. AD beginner question

2006-08-28 Thread Ramon Linan

What I actually did was nslookup domain.com... I just found out that one
of the computers is a Linux server that is managing a child domain,
child.domain.com... that is the reason it is showing up there.

Anyway, I am also getting an IP address for a Windows server machine that
is not a DC, don't know why.

Rezuma


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Monday, August 28, 2006 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginner question

You mean, you did the following:

nslookup <Enter>
set q=a <Enter>
domain.com <Enter>

and the IP you got is for a user's desktop?

If so, one reason could be because someone created an A record in DNS for
domain.com and mapped it to the desktop's IP. Maybe because the desktop is
running a web service and hosting the domain.com web site.

Is this what you meant? If so, you will need to go and delete the record.
You will then need to tell your users that they will not be able to get to
the domain.com website any longer because that is your AD domain name. You
could create another A record named (for example) WWW under the domain.com
zone and give it the desktop's IP and tell your users that they should now
use http://www.domain.com/ to get to that website instead of domain.com.

This is a fairly common misconfiguration. And it's a big problem for your
clients and DCs.


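Both findings in this thread can be caught by auditing the zone offline: Ramon's DC SRV record pointing at sami.domain.com, a host with no A record anywhere, and Deji's stray apex A record that maps the bare domain.com to a desktop. The Python below is an added example, not code from the thread: it parses a constructed zone dump in BIND-style "owner type rdata" lines (the names and addresses in SAMPLE_ZONE are invented; a real dnscmd /zoneexport file also carries TTL and class fields that this minimal parser does not handle) and reports apex A records that belong to no DC together with DC SRV targets that have no A record left.

```python
"""Offline audit of an AD-integrated DNS zone for the two symptoms in this
thread: apex A records ("same as parent folder") whose IP belongs to no
domain controller, and _ldap._tcp.dc._msdcs SRV targets that have no A
record left in the zone.  Added example; the zone below is constructed."""
from collections import defaultdict

ORIGIN = "domain.com."  # zone apex, absolute form (constructed example)

# Constructed sample zone dump in "owner type rdata" form, NOT real data.
SAMPLE_ZONE = """
@                     A    10.0.0.1
@                     A    10.0.0.2
@                     A    10.0.0.50     ; stray: bare domain name -> a desktop
dc1                   A    10.0.0.1
dc2                   A    10.0.0.2
pc-desk               A    10.0.0.50
_ldap._tcp.dc._msdcs  SRV  0 100 389 dc1.domain.com.
_ldap._tcp.dc._msdcs  SRV  0 100 389 dc2.domain.com.
_ldap._tcp.dc._msdcs  SRV  0 100 389 sami.domain.com.   ; target has no A record
"""


def fqdn(name, origin):
    """Turn a zone-relative owner name into an absolute lower-case FQDN."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin=ORIGIN):
    """Parse 'owner type rdata...' lines into (owner, type, rdata) tuples.

    Comments (';') and blank lines are skipped.  TTL/class columns are not
    handled; strip them first if your export has them.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, rtype, *rdata = line.split()
        records.append((fqdn(owner, origin), rtype.upper(), rdata))
    return records


def audit_zone(records, origin=ORIGIN):
    """Return {'stray_apex': [...], 'orphan_srv': [...]}.

    stray_apex: apex A-record IPs that no DC (a _ldap._tcp.dc._msdcs SRV
                target) owns, with the other hostnames that do use the IP
    orphan_srv: DC SRV targets that have no A record anywhere in the zone
    """
    a_by_name = defaultdict(set)
    for owner, rtype, rdata in records:
        if rtype == "A":
            a_by_name[owner].add(rdata[0])

    srv_owner = f"_ldap._tcp.dc._msdcs.{origin}"
    dc_targets = {
        fqdn(rdata[3], origin)  # SRV rdata: priority weight port target
        for owner, rtype, rdata in records
        if rtype == "SRV" and owner == srv_owner
    }

    dc_ips = set()
    orphan_srv = []
    for target in sorted(dc_targets):
        if target in a_by_name:
            dc_ips |= a_by_name[target]
        else:
            orphan_srv.append(target)

    # Reverse map so the admin sees which host a stray apex IP belongs to.
    hosts_by_ip = defaultdict(set)
    for owner, ips in a_by_name.items():
        if owner != origin:
            for ip in ips:
                hosts_by_ip[ip].add(owner)

    stray_apex = [
        {"ip": ip, "hosts": sorted(hosts_by_ip.get(ip, ()))}
        for ip in sorted(a_by_name.get(origin, ()))
        if ip not in dc_ips
    ]
    return {"stray_apex": stray_apex, "orphan_srv": orphan_srv}


if __name__ == "__main__":
    report = audit_zone(parse_zone(SAMPLE_ZONE))
    for entry in report["stray_apex"]:
        print(f"apex A {entry['ip']} is not a DC; used by {entry['hosts']}")
    for target in report["orphan_srv"]:
        print(f"DC SRV record points at {target}, which has no A record")
```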

[ActiveDir] disable 200 users

2006-08-25 Thread Ramon Linan

Hi,

I have been given a list of 200 users to disable and move to another OU.

The users are not currently in the same OU but in many different OUs.

I am trying to use the txt file that contains the list of users to be
disabled.

How can I do this?

I was trying to use the query tool that comes with AD Users and Computers
to select the users but got nowhere with

|((objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))((objectCategory=person)(!objectSid=*))((objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14(objectCategory=user)(cn=user1)))

|((objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))((objectCategory=person)(!objectSid=*))((objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14(objectCategory=user)(cn=user2)))

etc.

Thanks

Rezuma


RE: [ActiveDir] Exchange question

2006-08-24 Thread Ramon Linan

It has 2 network cards.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Wednesday, August 23, 2006 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

Glad to hear that. Why is one SMTP server configured with 2 IP addresses?

Alex


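Al's first step in this thread (can you reach TCP 25 on the other Exchange server, from both sides?) and Ramon's eventual root cause (the target only accepted connections from certain IPs, and the source server had two) are both covered by a connectivity check that also records which local address the OS actually used. The Python below is an added example, not code from the thread: check_smtp and start_fake_smtp are my names, the fake listener and its banner are constructed so the example runs offline, and the source_ip parameter lets you repeat the test from each NIC of a multi-homed server.

```python
"""SMTP reachability check for the troubleshooting steps in this thread.

Before anything else, confirm TCP 25 is reachable between the two servers
(both directions).  On a multi-homed source the far side's allow-list sees
whichever local address the OS picked, so the check reports that address
as well as the greeting, and uses a timeout so a hung server shows up as
"slow" rather than freezing the session.  Added example; the fake server,
its hostname and banner are constructed, not taken from the thread.
"""
import socket
import threading


def check_smtp(host, port=25, timeout=5.0, source_ip=None):
    """Connect to host:port, read the SMTP greeting and report the outcome.

    source_ip, if given, pins the local address used for the connection so
    each interface of a multi-homed server can be tested separately.
    Returns a dict with keys host, port, reachable, local_ip, banner, error.
    """
    result = {"host": host, "port": port, "reachable": False,
              "local_ip": None, "banner": None, "error": None}
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        if source_ip:
            sock.bind((source_ip, 0))
        sock.connect((host, port))
        # The address the OS actually chose: this is what an IP allow-list
        # on the target evaluates, not "the server's address" in general.
        result["local_ip"] = sock.getsockname()[0]
        greeting = sock.recv(512).decode("ascii", errors="replace").strip()
        result["banner"] = greeting
        # A healthy SMTP server greets with a 220 reply (RFC 5321).
        result["reachable"] = greeting.startswith("220")
        if not result["reachable"]:
            result["error"] = "no 220 greeting (filtered by source IP, or wrong service?)"
    except socket.timeout:
        result["error"] = f"timed out after {timeout}s (slow or black-holed)"
    except OSError as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        sock.close()
    return result


def start_fake_smtp(banner=b"220 mail.example.test ESMTP (constructed)\r\n",
                    allowed_sources=None):
    """Constructed stand-in for the target SMTP server, for offline runs.

    Listens on 127.0.0.1 at an ephemeral port and serves one connection.
    With allowed_sources set, a peer whose IP is not in the set is closed
    without a greeting, mimicking the allow-list Ramon ran into.
    Returns (host, port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, peer = srv.accept()
        with conn:
            if allowed_sources is None or peer[0] in allowed_sources:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    host, port = start_fake_smtp()
    print(check_smtp(host, port, timeout=2.0))
    host, port = start_fake_smtp(allowed_sources={"10.9.9.9"})
    print(check_smtp(host, port, timeout=2.0))
```

Run it against both Exchange servers from each other, and from each local address of a multi-homed server, so the result shows not just "reachable" but from which IP.
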
RE: [ActiveDir] Exchange question

2006-08-23 Thread Ramon Linan

Thanks for your help.

I have found out more about my problem.

It looks like the target Exchange SMTP server is acting up; I can telnet
sometimes and sometimes I can't. Also sometimes I am able to telnet but it
is really slow and sometimes it even freezes on me.

I am still troubleshooting.

Thanks


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, August 23, 2006 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange question

The implications are further down the troubleshooting stack IMHO.

If you cannot telnet to TCP 25 from the source Exchange server to the
target Exchange server, then you have a problem with connectivity. You
must be able to do this. Both directions. Until you can successfully do
this, then there is nothing more you can hope to accomplish. You can check
DNS as well, but you can also find out if basic connectivity is
functioning using the IP addresses. If it's not, and it sounds like it's
not, then you'll need to address that first.

Al


RE: [ActiveDir] Exchange question

2006-08-23 Thread Ramon Linan

I have done the telnet. I think I found the problem: the target SMTP
server was configured to only accept connections from certain IP
addresses; the source SMTP server has 2 IP addresses, only one was in the
list... it seems to be working fine now.

Thanks all


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kitchens Arthur E
Sent: Wednesday, August 23, 2006 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

Have you looked at this to see if there's any utility for you?

http://support.microsoft.com/kb/323350/


[ActiveDir] Exchange question

2006-08-22 Thread Ramon Linan

Hi,

I have 2 email servers in 2 different locations.

All of a sudden emails are not coming from one server to the other. I
found out that the SMTP queue folder was on a hard drive that was running
out of space.

Do you guys know what is the minimum amount of HD space needed for SMTP to
work?

Also, if the hard drive gets full, will that stop the queue from
delivering the emails?

Thanks

Rezuma

RE: [ActiveDir] Exchange question

2006-08-22 Thread Ramon Linan

Thanks very much, I think my second question was very easy :) but wanted
to confirm it.

The problem now is that we have 500 mg in the hard drive but the SMTP
queue is still not delivering the emails from one server to the other.

We have 2 email servers, one holds domain1.com and the other holds
domain2.com. domain1.com can send and receive fine but domain2 can't send
to domain2; the emails are stuck in the queue with that domain. How do I
troubleshoot that?

Thanks


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Tuesday, August 22, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

minimum amount of HD space needed for the smtp to work?

It depends mostly on how busy the server is.

Also, if the hard drive gets full will that stop the queue from
delivering the emails?

Of course.


RE: [ActiveDir] Exchange question

2006-08-22 Thread Ramon Linan

Thanks, I will start there... my biggest problem is that I am new in this
job and I still don't know how they have the Exchange servers configured.
Something that I am seeing in the event log is the error

Event id 3017

A non-delivery report with a status code of 5.3.5 was generated for
recipient rfc822;[EMAIL PROTECTED] (Message-ID [EMAIL PROTECTED]).

Causes: A looping condition was detected. (The server is configured to
route mail back to itself). If you have multiple SMTP Virtual Servers
configured on your Exchange server, make sure they are defined by a unique
incoming port and that the outgoing SMTP port configuration is valid to
avoid looping between local virtual servers.

Solution: Check the configuration of the virtual server's connectors for
loops and ensure each virtual server is defined by a unique incoming port.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Thanks


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, August 22, 2006 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange question

Have you seen this already?

http://support.microsoft.com/kb/821910/


RE: [ActiveDir] Exchange question

2006-08-22 Thread Ramon Linan

Thank everyone for the response... I am going nuts here, everything is a
mess.

For some reason I can't telnet into the domain1 email server from domain2;
not only that, domain1 has 2 SMTP servers, one on port 6000 and the other
on port 25. Also I sent an email to my personal account from domain2 and I
got something like this in the header:

Mail from :[EMAIL PROTECTED]
Received: from servername.domain3.com ([ip address] helo=domain3.com

So the domain in the user's email address does not match the email
server's domain... I am wondering what are the implications of that.

Thanks


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brandon Pierce
Sent: Tuesday, August 22, 2006 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

Obviously if the server is running out of space make sure you remediate
that first. Second, I would recommend if ServerA cannot send to ServerB,
but the reverse is NOT true, then I would suggest trying basic SMTP
commands to ServerA from ServerB. Check the following:

1) Is the server responding to SMTP commands?
2) Can the server accept and deliver the mail item to the intended
recipient?
3) Are the SMTP queues clear in ESM?
4) Is DNS responding correctly (A, PTR, SRV records present?)?

Gut feeling... DNS.

That's my first shot!

Brandon

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, August 22, 2006
2:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange
question



Have you seen this already? 





http://support.microsoft.com/kb/821910/







On 8/22/06, Ramon Linan [EMAIL PROTECTED] wrote:








Thanks very much, I think my second question was very easy J but wanted to confirm
it. 



The problem now is that we have 500 mg in the hard drive but
the smtp queue is still not delivering the emails from one server to the other.




We have 2 emails servers, one holds domain1.com and the other hold domain2.com. domain1.com can send and receive
fine but domain2 cant send to domain2, the emails are stuck in the queue with
that domain, how do I troubleshoot that?



Thanks











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji
Sent: Tuesday, August 22, 2006 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange question

> minimum amount of HD space needed for the smtp to work?

It depends mostly on how busy the server is.

> Also, if the hard drive gets full will that stop the queue from delivering the emails?

Of course.

Sincerely,

Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: Ramon Linan
Sent: Tue 8/22/2006 11:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange question

Hi,

I have 2 email servers in 2 different locations.

All of a sudden emails are not coming from one server to the other. I found out that the SMTP queue folder was on a hard drive that was running out of space.

Do you guys know what is the minimum amount of HD space needed for the SMTP to work?

Also, if the hard drive gets full will that stop the queue from delivering the emails?

Thanks

Rezuma


RE: [ActiveDir] machine GP load

2006-08-10 Thread Ramon Linan

I tried it out, I was hitting the enter key forever thanks to:

WScript.Echo oChild.Get("distinguishedName") & vbTab & c

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, August 10, 2006 8:59 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] machine GP load

I just whipped up this VBScript to get you started. I don't have time to provide a more detailed breakdown as that involves a little extra thought, but this should point you in the right direction...

Save, for example, as c:\count.vbs and run, from CMD, like so:

cscript c:\count.vbs > count.xls

Dim oRootDse, oBase

Set oRootDse = GetObject("LDAP://RootDSE")
Set oBase = GetObject("LDAP://" & oRootDse.Get("defaultNamingContext"))
countObjects oBase.ADsPath, 0

' ***
' countObjects(ADsPath, count)
'
' Recursive function to count the number of children
' in a container.
'
' ***
Private Function countObjects(oParent, iCount)
    Dim oChild, cChildren, aSchema, sSchema, c
    Dim i : i = 0

    Set cChildren = GetObject(oParent)

    For Each oChild In cChildren
        ' the last element of the schema path is the object class name
        aSchema = Split(oChild.Schema, "/")
        sSchema = aSchema(UBound(aSchema, 1))

        i = i + 1
        ' recurse first so c holds this child's own child count
        c = countObjects(oChild.ADsPath, i)

        ' leaf classes are skipped; everything else is printed with its count
        If Not (sSchema = "inetOrgPerson" Or _
                sSchema = "user" Or _
                sSchema = "computer" Or _
                sSchema = "group") Then

            WScript.Echo oChild.Get("distinguishedName") & vbTab & c
        End If
    Next

    countObjects = i
End Function

--Paul
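The rollup Jerry asked for (each container listed with a count of everything beneath it), as an added example that is not Paul's script or anything else from the thread. It works offline on a list of DNs, which you would feed it from the script's output or a directory export; the sample DNs are constructed.

```python
from collections import Counter


def split_dn(dn):
    """Split a DN into RDNs, keeping backslash-escaped commas intact."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        escaped = ch == "\\" and not escaped
    parts.append("".join(cur).strip())
    return parts


def container_rollup(dns):
    """Return {container_dn: (direct_children, all_descendants)}.
    Each object counts once for its parent and once for every ancestor,
    so a container's total includes the containers nested inside it."""
    direct, total = Counter(), Counter()
    for dn in dns:
        rdns = split_dn(dn)
        ancestors = [",".join(rdns[i:]) for i in range(1, len(rdns))]
        if ancestors:
            direct[ancestors[0]] += 1
        for container in ancestors:
            total[container] += 1
    return {c: (direct[c], total[c]) for c in total}


# Constructed sample, not real directory data; in practice these DNs come
# from the script's output or an export such as csvde -f.
SAMPLE_DNS = [
    "OU=Staff,DC=corp,DC=example",
    "OU=Sales,OU=Staff,DC=corp,DC=example",
    "OU=HR,OU=Staff,DC=corp,DC=example",
    "CN=alice,OU=Sales,OU=Staff,DC=corp,DC=example",
    "CN=bob,OU=Sales,OU=Staff,DC=corp,DC=example",
    "CN=Smith\\, John,OU=HR,OU=Staff,DC=corp,DC=example",
    "CN=srv01,CN=Computers,DC=corp,DC=example",
]

if __name__ == "__main__":
    for container, (n_direct, n_total) in sorted(container_rollup(SAMPLE_DNS).items()):
        print("%s\t%d direct\t%d total" % (container, n_direct, n_total))
```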

- Original Message -
From: Jerry Welch
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 10, 2006 12:49 AM
Subject: RE: [ActiveDir] machine GP load

Does anyone have, or know of, a utility program that will provide a breakout of object counts in AD in each container, with a rollup so that each container shows all of the containers below it?

Joe?

Thanks,

Jerry

Jerry Welch
CPS Systems
US/Canada: 888-666-0277
International: +1 703 827 0919 (-5 GMT)
IP Phone (Skype): Jerry_Welch ( www.skype.net )


RE: [ActiveDir] machine GP load

2006-08-10 Thread Ramon Linan

Lol, you are right, did not see that :) learn the hard way

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, August 10, 2006 10:40 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] machine GP load

Ha ha. That's why my post says to run using CSCRIPT.

--Paul

- Original Message -
From: Ramon Linan
To: ActiveDir@mail.activedir.org
Sent: Thursday, August 10, 2006 2:31 PM
Subject: RE: [ActiveDir] machine GP load

I tried it out, I was hitting the enter key forever thanks to:

WScript.Echo oChild.Get("distinguishedName") & vbTab & c
[ActiveDir] DC and CG in the DMZ of the network

2006-08-08 Thread Ramon Linan

Hi,

I just started working for a company. I am finding out that they have 3 DCs in the DMZ (firewall is Cisco PIX). 2 of them are NS servers that handle our external records for the domain (MX records, A record, www record, etc.). The other one is unluckily an Exchange 2003 (not a good thing to put a DC on Exchange); this one is also a GC, the only one in the DMZ.
From my 9 years of experience this is the first time I see a DC in the DMZ or on public IPs. If someone is able to hack into Exchange or DNS I guess they will have access to the AD too. How much should I worry about this? Is this a huge security hole? Is this something common although I haven't seen it before?

Thanks in advance

Rezuma