Re: RE : Re: [ActiveDir] remove orphan DC from the domain
Just what it says... it first attempts to transfer the FSMO roles from the one to the other... and if it can't find the proper DC, it merely seizes the roles. It tries to negotiate politely with the role holder, and if there is none for it to argue with it says fine, I'm taking the roles. I'm not sure SP1 matters, does it?
http://support.microsoft.com/kb/255504

Yann wrote:

Really? That is very interesting... Could you develop this statement please? What is a XFER? When you say it does a seize, does that mean it chooses a DC nearby and performs the seizure *automatically*?

Thanks,
Yann

Paul Williams [EMAIL PROTECTED] wrote:

> If the DC that died had FSMO roles, you need to seize them (check which DC had FSMO roles with -- NETDOM QUERY FSMO)

This step is no longer necessary in K3 SP1. NTDSUTIL does it for you. If I remember correctly, it tries a XFER and then does a Seize (as that's the logic for the Seize anyway). I believe this was added in SP1.

--Paul

----- Original Message -----
From: Almeida Pinto, Jorge de
Sent: Friday, January 26, 2007 7:05 AM
Subject: RE: [ActiveDir] remove orphan DC from the domain

I forgot to mention:
* If the DC that died had FSMO roles, you need to seize them (check which DC had FSMO roles with -- NETDOM QUERY FSMO)
* DNS records are NOT removed by NTDSUTIL. Must be done manually, or wait if you have aging/scavenging enabled.

Also make sure the GC role and DNS role are hosted by other computers (other DCs).

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80

From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 01:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain

Thanks for your logic. I hope it will do so on the remaining DCs automatically.
Regards,
Senthil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, January 26, 2007 5:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove orphan DC from the domain

The AD metadata cleanup is nothing more than removal/deletion of objects that belong to a DC that is not live anymore. Just like other object deletions (user, group, etc.), the deletions will replicate to other DCs (assuming replication is working fine) that host the same partitions from which the objects were removed. Because of that you only need to target ONE live DC in the same domain when using NTDSUTIL. Imagine a domain with 1000 DCs. It would be a PITA to clean up the AD metadata of one of the DCs on the other 999 DCs... ;-))

From: [EMAIL PROTECTED] on behalf of senthil Kumar
Sent: Fri 2007-01-26 00:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove orphan DC from the domain

Hi,

We already had 3 DCs in our network. Suddenly one DC went down permanently. It won't come back. Right now we want to remove that orphan DC completely. I have seen the Microsoft article:

1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
2. At the command prompt, type ntdsutil, and then press ENTER.
3. Type metadata cleanup, and then press ENTER. Based on the options given, the administrator can perform the removal, but additional configuration parameters must be specified before the removal can occur.
4. Type connections and press ENTER. This menu is used to connect to the specific server where the changes occur.
If the currently logged on user does not have administrative permissions, different credentials can be supplied by specifying the credentials to use before making the connection. To do this, type set creds DomainName UserName Password, and then press ENTER. For a null password, type null for the password parameter.
5. Type connect to server servername, and then press ENTER. You should receive confirmation that the connection is successfully established. If an error occurs, verify that the domain controller being used in the
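Jorge's follow-up points (FSMO roles must be transferred or seized, DNS records are not touched by NTDSUTIL, and GC/DNS must be hosted elsewhere) are the things most often forgotten after a metadata cleanup. The script below is an added example, not from anyone in the thread; it assumes the Windows Server 2003 tools netdom, nslookup and nltest are on the path, and the DC name and domain are placeholder values.

```powershell
# Added example, not from the thread: checks to run after 'ntdsutil metadata cleanup' has
# removed a dead DC, covering the points Jorge raised (FSMO roles, stale DNS records, GC).
# Assumptions: run on a live DC or admin workstation with the Windows Server 2003 tools
# netdom, nslookup and nltest on the path; $DeadDc and $Domain are placeholder values.
param(
    [string]$DeadDc = 'DEADDC',        # placeholder: NetBIOS name of the DC that died
    [string]$Domain = 'domain.local'   # placeholder: DNS name of the domain
)

$problems = @()

# 1. FSMO roles. netdom query fsmo lists each role and its holder; if the dead DC still
#    shows up, the roles were not transferred or seized and must be seized on a live DC.
$fsmo = netdom query fsmo 2>&1 | Out-String
foreach ($line in ($fsmo -split "`r?`n")) {
    if ($line -match [regex]::Escape($DeadDc)) {
        $problems += "FSMO role still assigned to dead DC: $($line.Trim())"
    }
}

# 2. DNS. ntdsutil does not touch DNS, so the dead DC's locator (SRV) records stay until
#    scavenging removes them or they are deleted by hand. Query the records clients use to
#    find DCs, KDCs and global catalogs.
$srvRecords = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_gc._tcp.$Domain"
)
foreach ($record in $srvRecords) {
    $answer = nslookup -type=SRV $record 2>&1 | Out-String
    if ($answer -match [regex]::Escape($DeadDc)) {
        $problems += "Stale SRV record for $DeadDc under $record"
    }
}

# 3. GC availability. The DC locator must still return a global catalog for the domain,
#    and it must not be the dead DC.
$gc = nltest "/dsgetdc:$Domain" /GC 2>&1 | Out-String
if ($gc -notmatch 'The command completed successfully') {
    $problems += "DC locator found no global catalog for ${Domain}: $($gc.Trim())"
} elseif ($gc -match [regex]::Escape($DeadDc)) {
    $problems += "DC locator still returns $DeadDc as a global catalog"
}

if ($problems.Count -eq 0) {
    Write-Output "No leftovers of $DeadDc found in FSMO roles, DNS locator records or GC lookup."
} else {
    $problems | ForEach-Object { Write-Output "CHECK: $_" }
}
```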
Re: [ActiveDir] Disable CD ROM through GP
Why not set up a test network/machine in Virtual PC/VMware?

Haritwal, Dhiraj wrote:

Hi All,

I want to disable CD ROM on all client machines through GP. I found the KB http://support.microsoft.com/kb/555324 and created the attached test.adm file. Actually I don't have any testing machine where I can test this *adm* file. Can anybody tell me the complete process to enable it? Also tell me where it will reflect the changes: whether in the registry, or whether it will create that option in GP to disable/enable CD ROM.

Dhiraj Haritwal

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
[ActiveDir] WMI and Vista
If one wanted to build a WMI query that would capture Vista and any other workstation OS after Vista... how would one build that query?

I know that this will capture Vista:
Select * from Win32_OperatingSystem where Version = 6.0.6000

But will this catch any version of Vista after XP if, on the odd chance, they change the build number? I know that you can also add a ProductType=1 that captures the workstation only and not servers. But how can you build a WMI query string for Group Policy filtering that is smart enough to capture Vista OS and whatever comes out after Vista (and yes, they are already looking for ideas for the next version; see Steve Riley's blog with questions about firewalls in the next version if you don't believe me: http://blogs.technet.com/steriley/archive/2007/01/18/it-s-your-turn-what-improvements-would-you-like-in-windows-firewall-and-ipsec.aspx)

Also, can you do:
select * from Win32_OperatingSystem where Caption contains Vista
?
Re: [ActiveDir] WMI and Vista
But can you do a detection of Vista and Vista+next OS? It's a weird request, I know.

Alain Lissoir wrote:

Btw, if the goal is just to detect Vista (and not the SKU, as I replied below), then:
Select * from Win32_OperatingSystem where Version = 6.0
will make it. The Vista RTM build is 6.0.6000 regardless of the SKU (Vista flavor).

5.0  Windows 2000, all flavors (SKU)
5.1  XP 32-bit, all flavors (SKU)
5.2  XP 64-bit if client, Windows Server 2003 if server
6.0  Windows Vista, all flavors
6.0  Longhorn Server for now, but this may change... Still under development as you know.

HTH.
/Alain.

-----Original Message-----
From: Alain Lissoir [mailto:[EMAIL PROTECTED]
Sent: Sunday, January 21, 2007 11:46 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] WMI and Vista

Have you looked at the OperatingSystemSKU property? This is a property added in Vista to support the distinction between Vista Home, Ultimate, Business, etc...
http://msdn2.microsoft.com/en-gb/library/aa394239.aspx

OperatingSystemSKU
Data type: uint32
Stock Keeping Unit (SKU) number for the operating system.
Windows Server 2003, Windows XP, Windows 2000, and Windows NT 4.0: This property is not available.

Possible SKU values are:

Value  Meaning
0      Undefined
1      Ultimate Edition
2      Home Basic Edition
3      Home Basic Premium Edition
4      Enterprise Edition
5      Home Basic N Edition
6      Business Edition
7      Standard Server Edition
8      Datacenter Server Edition
9      Small Business Server Edition
10     Enterprise Server Edition
11     Starter Edition
12     Datacenter Server Core Edition
13     Standard Server Core Edition
14     Enterprise Server Core Edition
15     Enterprise Server IA64 Edition
16     Business N Edition
17     Web Server Edition
18     Cluster Server Edition
19     Home Server Edition
20     Storage Express Server Edition
21     Storage Standard Server Edition
22     Storage Workgroup Server Edition
23     Storage Enterprise Server Edition
24     Server For Small Business Edition
25     Small Business Server Premium Edition

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, January 21, 2007 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] WMI and Vista
Re: [ActiveDir] WMI and Vista
A very highly academic question to see if there's a way to even build such a filter :-)

Alain Lissoir wrote:

It is hard to guarantee what the version # of the next OS will be :) obviously, but I would do something like:
Select * from Win32_OperatingSystem where Version = 6.0

What's the reasoning or issue behind this specific weird question? :)
/Alain

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, January 21, 2007 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] WMI and Vista

But can you do a detection of Vista and Vista+next OS? It's a weird request, I know.
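The queries proposed in this thread all compare Win32_OperatingSystem.Version as text, which is why an exact build match only catches Vista RTM and why "Vista and whatever comes after" is awkward to express in WQL. The script below is an added example, not from any of the posters: it runs the candidate WQL filters against the local machine and then evaluates the "Vista or later workstation" test by parsing the version numerically. It assumes Windows PowerShell with the Get-WmiObject cmdlet; the filter names are made up for the output.

```powershell
# Added example, not from the thread. Compare candidate Group Policy WMI filters for
# "Vista and later workstations" against the local machine.
# Win32_OperatingSystem.Version is a string such as "6.0.6000"; ProductType 1 = workstation,
# 2 = domain controller, 3 = server.

$os = Get-WmiObject -Class Win32_OperatingSystem

# Candidate filters as WQL, the form a Group Policy WMI filter takes. String values are quoted.
$filters = @{
    # Exact build, as in the thread's first query: matches Vista RTM (6.0.6000) only.
    'exact build'       = 'SELECT * FROM Win32_OperatingSystem WHERE Version = "6.0.6000" AND ProductType = "1"'
    # Any 6.0.x build (Vista RTM and later service packs), but nothing with a higher version.
    'any 6.0 build'     = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0.%" AND ProductType = "1"'
    # Caption match, as Susan asked: WQL has no CONTAINS, LIKE with % wildcards does that job.
    'caption has Vista' = 'SELECT * FROM Win32_OperatingSystem WHERE Caption LIKE "%Vista%"'
}

foreach ($name in $filters.Keys) {
    # A Group Policy WMI filter "applies" when its query returns at least one instance.
    $hit = @(Get-WmiObject -Query $filters[$name]).Count -gt 0
    Write-Output ("{0,-18} : {1}" -f $name, $(if ($hit) { 'applies' } else { 'does not apply' }))
}

# "Vista or anything after it" is not safe as a text comparison on Version: as text,
# "10.0.19041" sorts before "6.0.6000". Parse the string and compare it numerically instead.
$version = [version]$os.Version
$vistaOrLaterWorkstation = ($version -ge [version]'6.0') -and ([int]$os.ProductType -eq 1)
Write-Output ("{0,-18} : {1}" -f 'numeric >= 6.0', $(if ($vistaOrLaterWorkstation) { 'applies' } else { 'does not apply' }))
```

A Group Policy WMI filter itself has to stay WQL, so the practical way to cover later releases in the filter is to list each accepted version prefix with a LIKE clause and OR them together, re-checking the list when a new release ships.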
Re: OT RE: [ActiveDir] Unsubing
Funny... because one of our SBS MVPs is our Mac expert and we are relying on him more and more as Macs are in our SBS networks. I think it's somewhat religious thinking to think that just because you are running a Mac you suddenly don't need to be AD aware. We certainly do in our "running kitchen sinks and Macintoshes in our network" networks. Try Parallels virtualization on those suckers for some really fun stuff. Our Mac guru also states that while there are times that he recommends the Mac server, there are more often times that it's a Windows server that's the best. Entourage works great on the Exchange back end. I think it's a bit myopic to be unsubscribing when you could parlay that Mac knowledge of AD goodness into something bigger and more job venues as we go more and more interop in business. (We may not be running Vista for a while... but we're not ripping out these XPs for a while.) But that's just my SBS view... so what do I know. :-)

Craig Cerino wrote:

Either way, Oliver is ours no matter how hard he fights :o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan (Temp)
Sent: Friday, January 19, 2007 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unsubing

No no no no no, Craig:
You can check out any time you want,
But you can *never* leave!

Steve Egan (temp)
Systems/Network Engineer

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Cerino
Sent: Friday, January 19, 2007 5:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unsubing

You are with us now - - - - you may never leave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oliver Marshall
Sent: Friday, January 19, 2007 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unsubing

Sorry to send this to the list, but I can't find the address to unsubscribe. Can anyone help me out?
As much as I love you all, my recent affair with Apple OS X has left me realising that our love is just a sham and that other delights await me.

Big up'.
Olly
www.g2support.com/backups

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man... I will hunt you down... http://blogs.technet.com/sbs
Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
http://support.microsoft.com/kb/221833/en-us
Up the debugging. Set it to 0x00030002. What does the log say?

Donavon Yelton wrote:

Well, I did as you and others suggested: install an Intel NIC card in the system. I purchased an NC360T Intel chipset card. So after a $300 NIC card was installed in the system, I boot it up, run gpupdate and bam, I get a 1054 userenv error (same one I was getting with the Broadcoms). Any further suggestions before I call Microsoft?

Donavon Yelton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, January 15, 2007 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

And if you like I'll ping you up with Les, Nick and others who... yes... brand spanking new server, brand spanking new machines, and they would not/could not do what they were supposed to do. Put in Intels and all was well. If you'd like to get a similar dent in your head, feel free. All I can say is, these days the minute we start having weird issues and there's a Broadcom on the box, we're not wasting the time on them anymore.

Donavon Yelton wrote:

I'm not about to give up on the Broadcom NICs as this is a brand new server that cost as much as a Honda Accord. I'm not sure I can believe that HP would put a defective card in such a machine. You'd think others would have the same issues in mass quantity if that were the case. I'm also using Broadcoms in other HP servers here (including the two DCs) and they have not had any issues. It is all too easy to chalk up a problem like this to network cards, but I don't think it explains why the GPO is applied successfully without issues within the first 15 minutes or so after a reboot. There are no other problems cropping up from these Broadcoms either.
Now for a question: how do I disable slow link detection for all terminal service users on this problem server, since that seems to have fixed the issue? I need to make the change in the registry on the problem server apparently, as making the switch in the GPO itself seems to not have any effect.

Donavon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, January 15, 2007 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

Dump the Broadcoms and get Intel.
http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-network-cards-are-evil.aspx
We've had no end of weirdness with those suckers. Even the latest drivers don't work.

Donavon Yelton wrote:

Yes, these are Broadcom NICs. I want to go back to the last question that was asked (if my network card drivers were up to date) and change my answer. I had run the HP update package for the NC series cards in the server and it showed as updated (even if I run it at the moment it tells me that the drivers are up to date) with version 2.8.22.0. The problem is that when I look at the actual driver version by going to the device manager and viewing properties it shows a version of 2.8.13.0. On that note, in looking back at HP's revision history for their driver for this card it has no mention of version 2.8.13.0, so is it possible that this is the driver that came with Windows? If so, how can I go about getting rid of that driver and installing this new driver from HP? Updating the driver and choosing the new driver explicitly doesn't work, and running HP's update package for the driver obviously fails to really update the driver. I can't say that this driver version is the root cause of the issue, but I do need the drivers updated to have a place to start from. Susan, is there a known issue with Broadcoms that could possibly affect the problem I'm having?
Thanks for the assistance!

Donavon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, January 15, 2007 1:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

These aren't Broadcom NICs, are they? (Broadcoms are evil)

Darren Mar-Elia wrote:

Does this server have the same NIC driver as other servers? Or, have you tried updating this server's NIC driver?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

This appears to be the only system on the network
[ActiveDir] OT: (only sort of as they will yet all you when the calendars are all messed up) Recorded webcast on Daylight savings patching
http://blogs.msdn.com/mthree/archive/2007/01/19/now-available-webcast-on-windows-2000-updates-for-daylight-saving-time.aspx
Re: [ActiveDir] OT: (only sort of as they will yet all you when the calendars are all messed up) Recorded webcast on Daylight savings patching
...that should read "yell at you", not "yet all you" (Mountain Dew wearing off...)

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

http://blogs.msdn.com/mthree/archive/2007/01/19/now-available-webcast-on-windows-2000-updates-for-daylight-saving-time.aspx
Re: [ActiveDir] [OT] E-Mail Template
Redearthsoftware PolicyPatrol. But (wince) Exchange 5.5? Man, I feel for ya...

Tony Murray wrote:

Hi Milton

In future, please use the [OT] prefix in the subject line for off-topic posts such as this.

Have a look at the Exchange 5.5 FAQ here for recommendations for adding disclaimers to email messages.
http://www.swinc.com/resources/exchange/faq_db.asp?status=questionsfaqID=1000faqname=Exchange%205.5sectionID=1006sectionName=Third%20Party%20Software%20and%20Add-Ons

Tony
www.activedir.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Milton Sancho
Sent: Friday, 19 January 2007 11:20 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] E-Mail Template

Hello,

How do I create an e-mail template using Exchange 5.5? The idea is that when any employee composes a new e-mail, the bottom of the message includes a company message that would be the same for all the employees. I know that at user level I can create a local signature, but I need that information at corporate level; there has to be a way to do it at server level config!

Thanks for comments about it
[ActiveDir] Test of daylight patch
So I patched the workstations, the server and the Exchange, and did a 'fake' appointment for everyone at 4/1/2007 at 1 a.m. My Windows Mobile 3 (sync to the server) phones synced to the server and said the appointment was 12 a.m.

http://support.microsoft.com/kb/923953
Oh boy, are we going to have fun...

How to configure daylight saving time for the United States and Canada in 2007 and in subsequent years on Windows Mobile-based devices
http://www.microsoft.com/windows/timezone/dst2007.mspx

Ladies and gentlemen, check those phones.
Re: [ActiveDir] OT: Who needs that much ram anyway?
(It was a joke.) I'm just surprised it needs a fix already.

Martin Tuip wrote:

I can think of quite a few situations. RAM is cheap as well compared to the early days.

Martin Tuip
Exchange MVP

----- Original Message -----
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, January 16, 2007 1:00 AM
Subject: [ActiveDir] OT: Who needs that much ram anyway?

The Microsoft Exchange Information Store service stops responding on a computer that is running Windows Server 2003 and Exchange Server 2007
http://support.microsoft.com/?kbid=928368
This problem occurs if Exchange Server 2007 is installed on a computer that has more than 4 gigabytes (GB) of RAM.
Re: [ActiveDir] OT: Who needs that much ram anyway?
(Oh, he goes for below the belt with the SBS remark) ;-) But yes, I'd argue it should be MU'd when Exchange is there.

Eric Fleischman wrote:

Exchange should not be in the business of patching kernels. It's just bad form. That said, it's not clear to me what the right answer is either. You want to get people the fix that need it, but you don't want to go out there and start swapping kernel components on a user. That's just not the right way for a piece of software to work. How would the SBS crowd feel if an app changed the kernel out from under them? You run a lot of apps on that box.

I think the options we have today are: readme + ExBPA + perhaps offering the patch via WU when we see Exchange installed. But the last point there is contentious, I know... it's merely an option to consider and give us feedback on. :)

I remember watching this issue being debugged when it was hit and it's worth proactively patching. Exchange put a lot of energy in to finding this one and getting root cause + a fix prior to RTM. Hard issue to hit, but not impossible either. Honestly, on this one, I think they served their customers well.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, January 16, 2007 8:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Who needs that much ram anyway?

Personally I was surprised that a Windows 2003 server and Exchange 2007 would need a patch to run more than 4 gigs because "This problem occurs because of a problem in the Windows kernel". Seems to me in the x64 era we're all going to be running more than 4 gigs, so they should bundle this up in the Exchange 2007 installer from the get-go rather than having everyone stumble across a KB article. I'm assuming it's discussed in the readme that no one reads?

Brian Desmond wrote:

The more you can get in memory, the better. 32GB is the threshold for Exchange before it stops making sense.
I've remoted into SQL servers with dozens of CPUs and dozens of gigs of RAM before...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, January 16, 2007 4:01 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Who needs that much ram anyway?

The Microsoft Exchange Information Store service stops responding on a computer that is running Windows Server 2003 and Exchange Server 2007
http://support.microsoft.com/?kbid=928368
This problem occurs if Exchange Server 2007 is installed on a computer that has more than 4 gigabytes (GB) of RAM.
[ActiveDir] OT: Exchange daylight savings patch
http://www.microsoft.com/downloads/details.aspx?familyid=c16aea4a-ed33-4cd9-a7c3-8b5df5471b7adisplaylang=entm

Update for Daylight Saving Time changes in 2007 for Exchange Server 2003 Service Pack 2 (SP2).

Ensure servers + Exchange + SharePoint are patched (now to go figure out how my phones will handle this).
Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
These aren't Broadcom NICs, are they? (Broadcoms are evil)

Darren Mar-Elia wrote:

Does this server have the same NIC driver as other servers? Or, have you tried updating this server's NIC driver?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

This appears to be the only system on the network having this issue. I connected to another Windows 2003 Standard member server and did a gpupdate and then looked at the event log, and it appears clean after the gpupdate command was run. Slow link detection has not been disabled on that machine (or any on my network for that matter, with the exception of this new problem server now). ICMP is not being blocked. Windows Firewall is turned off on all servers on the network (including the two DCs and this problem member server). To my knowledge there is nothing on the network limiting ICMP packet size. I certainly haven't done anything to limit it.

For an update on the current status of disabling slow link detection: it has been roughly 30 minutes or so and no event log error shows after running gpupdate on the member server. When doing a gpresult everything appears to process correctly. This problem server is a new terminal server, and when I log on as a TS user to this computer it still shows a 1054 error and the same 59 errors in the userenv log file. The only exception is when I log in as the network admin account through Remote Desktop (the account I made the registry edit for GroupPolicyMinTransferRate under).

Donavon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 15, 2007 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

Is this the only system that is having this problem?
Are you doing anything on your network to limit ICMP packet size? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Monday, January 15, 2007 9:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) In further testing today I did end up finding the location to add the GroupPolicyMinTransferRate DWORD value to the registry of the problem server. About 5 minutes ago I added that key with a value of 0 to HKLM and HKCU and when running a gpupdate I do not get the error and when looking at the userenv log I do not see the error 59 or any error that it cannot contact the DC. I do not want to say that this is it for sure but for the moment it does appear to be working. Now I suppose I should ask that since this was simply a troubleshooting step, what would I need to do in order to investigate a long-term solution to the problem? Thanks for all of the help! Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Monday, January 15, 2007 11:35 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) In addition to my last response I have noticed that when I reboot the problem server it will apparently apply the group policy without issues for 15 minutes or so and then will fail to do so from that point forward. When viewing the userenv log file after a reboot and after giving the gpupdate command, it shows no 59 errors and nothing shows up in the event log. Wait about 15 minutes or so and the event log shows the 1054 error and the userenv log shows the 59 error. 
Donavon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton Sent: Monday, January 15, 2007 10:44 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy) Hi Steve, When running nltest /dsgetdc:domainname on the problem member server I get the following (NOTE: I ran it twice, once for DOMAIN and again for DOMAIN.LOCAL which is the full name. I noticed that the flags for each are different): C:\Documents and Settings\supervisornltest /dsgetdc:domain DC: \\ATHENA Address: \\192.168.1.6 Dom Guid: 0c93e47c-f1a8-4e05-916c-d6e6670f2c96 Dom Name: DOMAIN Forest Name: domain.local Dc Site Name: Default-First-Site-Name Our Site Name: Default-First-Site-Name Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_FOREST CLOSE_S ITE The command completed successfully C:\Documents and Settings\supervisornltest /dsgetdc:domain.local DC: \\athena.domain.local Address: \\192.168.1.6 Dom Guid: 0c93e47c-f1a8-4e05-916c-d6e6670f2c96 Dom Name: domain.local Forest Name: domain.local Dc Site Name: Default-First-Site-Name Our Site Name: Default-First-Site-Name
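The three checks this thread walks through (the GroupPolicyMinTransferRate registry workaround, the nltest /dsgetdc lookup for the NetBIOS and DNS domain names, and Darren's question about ICMP packet size limits) gathered into one added PowerShell audit script; this is not code from any list member. It assumes Windows PowerShell on the member server, that the value lives under Software\Policies\Microsoft\Windows\System in both hives, and that a 2048-byte echo approximates the ICMP probe slow link detection sends.

```powershell
# Added example (not from the thread): audit the slow-link workaround and the
# DC locator result on a member server that logs event 1054 / userenv error 59.
param(
    [string]$NetbiosDomain = 'DOMAIN',        # names from the thread; change as needed
    [string]$DnsDomain     = 'domain.local'
)

# Assumption: this is the key the "Group Policy slow link detection" setting writes to.
$policyKey = 'Software\Policies\Microsoft\Windows\System'

# 1. Report GroupPolicyMinTransferRate in both hives.
#    0 = slow link detection disabled (the troubleshooting workaround);
#    absent = default behaviour (ICMP-based link speed test still runs).
foreach ($hive in 'HKLM', 'HKCU') {
    $path  = "${hive}:\$policyKey"
    $value = (Get-ItemProperty -Path $path -Name GroupPolicyMinTransferRate `
                -ErrorAction SilentlyContinue).GroupPolicyMinTransferRate
    if ($null -eq $value) {
        "$hive : GroupPolicyMinTransferRate not set (slow link detection at default)"
    } elseif ($value -eq 0) {
        "$hive : GroupPolicyMinTransferRate = 0 (slow link detection DISABLED; workaround in place)"
    } else {
        "$hive : GroupPolicyMinTransferRate = $value kbps"
    }
}

# 2. Run nltest /dsgetdc for a domain name and parse the fields the thread compares.
function Get-DcLocatorResult {
    param([string]$Domain)
    $raw    = & nltest.exe "/dsgetdc:$Domain" 2>&1
    $result = @{ Domain = $Domain; DC = $null; Address = $null; Guid = $null; Flags = @() }
    foreach ($line in $raw) {
        if     ($line -match '^\s*DC:\s*\\\\(\S+)')      { $result.DC      = $Matches[1] }
        elseif ($line -match '^\s*Address:\s*\\\\(\S+)') { $result.Address = $Matches[1] }
        elseif ($line -match '^\s*Dom Guid:\s*(\S+)')    { $result.Guid    = $Matches[1] }
        elseif ($line -match '^\s*Flags:\s*(.+)$')       { $result.Flags   = $Matches[1].Trim() -split '\s+' }
    }
    New-Object PSObject -Property $result
}

$byNetbios = Get-DcLocatorResult -Domain $NetbiosDomain
$byDns     = Get-DcLocatorResult -Domain $DnsDomain

# Flags worth confirming on the DC a Group Policy client located.
$required = 'WRITABLE', 'LDAP', 'KDC', 'DS'
foreach ($r in $byNetbios, $byDns) {
    "$($r.Domain): DC=$($r.DC) Address=$($r.Address) Flags=$($r.Flags -join ' ')"
    $missing = $required | Where-Object { $r.Flags -notcontains $_ }
    if ($missing) { "  WARNING: located DC lacks flags: $($missing -join ' ')" }
    if ($r.Flags -notcontains 'CLOSE_SITE') { "  NOTE: located DC is not in the client's site" }
}
if ($byNetbios.Guid -ne $byDns.Guid) {
    "WARNING: NetBIOS and DNS lookups resolved different domain GUIDs"
}

# 3. Large ICMP echo to the located DC. Slow link detection pings the DC, so a
#    device on the path dropping large ICMP makes a fast LAN look slow or dead.
if ($byDns.Address) {
    $ping = Test-Connection -ComputerName $byDns.Address -Count 3 -BufferSize 2048 `
                -ErrorAction SilentlyContinue
    if ($ping) { "2048-byte ICMP echo to $($byDns.Address): $(@($ping).Count) replies" }
    else       { "2048-byte ICMP echo to $($byDns.Address) FAILED (check ICMP size limits on the path)" }
}
```

Run it once as the machine account context (an elevated console) and once as an affected TS user, since the HKCU value differs per user.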
Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
Dump the broadcoms and get Intel.

http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-network-cards-are-evil.aspx

We've had no end of weirdness with those suckers. Even the latest drivers don't work.

Donavon Yelton wrote:

Yes, these are Broadcom NICs.

I want to go back to the last question that was asked (if my network card drivers were up to date) and change my answer. I had run the HP update package for the NC series cards in the server and it showed as updated (even if I run it at the moment it tells me that the drivers are up to date) with version 2.8.22.0. The problem is that when I look at the actual driver version by going to the device manager and viewing properties it shows a version of 2.8.13.0. On that note, in looking back at HP's revision history for their driver for this card it has no mention of version 2.8.13.0, so is it possible that this is the driver that came with Windows? If so, how can I go about getting rid of that driver and installing this new driver from HP? Updating the driver and choosing the new driver explicitly doesn't work, and running HP's update package for the driver obviously fails to really update the driver. I can't say that this driver version is the root cause of the issue, but I do need the drivers updated to have a place to start from.

Susan, is there a known issue with Broadcoms that could possibly affect the problem I'm having?

Thanks for the assistance!

Donavon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, January 15, 2007 1:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

These aren't broadcom nics are they? (Broadcoms are evil)

Darren Mar-Elia wrote:

Does this server have the same NIC driver as other servers? Or, have you tried updating this server's NIC driver?
Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
In the situations we've had you could have the latest drivers to the earliest ones..they made no difference whatsoever. The only fix we found was Intel nics.

Donavon Yelton wrote:

After some investigating I am apparently running the latest drivers for my NICs. The only updated files since 2.8.13.0 are for things like iSCSI, which I do not use. I wish driver numbers would correspond though. So now that I know I'm running the latest version I'm stumped. Disabling slow link detection fixes the userenv errors, but I still need the fix for that to carry over to my TS users on that server. And of course this doesn't fix the root cause which forces me to disable the slow link detection either.

Donavon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Monday, January 15, 2007 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

I'm not about to give up on the Broadcom NICs as this is a brand new server that cost as much as a Honda Accord. I'm not sure I can believe that HP would put a defective card in such a machine. You'd think others would have the same issues in mass quantity if that were the case. I'm also using Broadcoms in other HP servers here (including the two DCs) and they have not had any issues. It is all too easy to chalk up a problem like this to network cards, but I don't think it explains why the GPO is applied successfully without issues within the first 15 minutes or so after a reboot. There are no other problems cropping up from these Broadcoms either.

Now for a question: how do I disable slow link detection for all terminal service users on this problem server, since that seems to have fixed the issue? I need to make the change in the registry on the problem server apparently, as making the switch in the GPO itself seems to not have any effect.

Donavon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, January 15, 2007 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

Dump the broadcoms and get Intel.

http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-network-cards-are-evil.aspx

We've had no end of weirdness with those suckers. Even the latest drivers don't work.
Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
And if you like I'll ping you up with Les, Nick and others who ..yes ...brand spanking new server... brand spanking new machines and they would not/could not do what they were supposed to do. Put in Intels and all was well. If you'd like to get a similar dent in your head feel free. All I can say is, these days the minute we start having weird issues and there's a Broadcom on the box, we're not wasting the time on them anymore.

Donavon Yelton wrote:

I'm not about to give up on the Broadcom NICs as this is a brand new server that cost as much as a Honda Accord. I'm not sure I can believe that HP would put a defective card in such a machine. You'd think others would have the same issues in mass quantity if that were the case. I'm also using Broadcoms in other HP servers here (including the two DCs) and they have not had any issues. It is all too easy to chalk up a problem like this to network cards, but I don't think it explains why the GPO is applied successfully without issues within the first 15 minutes or so after a reboot. There are no other problems cropping up from these Broadcoms either.

Now for a question: how do I disable slow link detection for all terminal service users on this problem server, since that seems to have fixed the issue? I need to make the change in the registry on the problem server apparently, as making the switch in the GPO itself seems to not have any effect.

Donavon
Re: [ActiveDir] R2 Schema
(for those on the off chance interested in the SBS impact)

While SBS's "r2" release does not give you the functionality of the real R2 bits, to have DFSRv2 on member servers you have to bump the schema on the SBS DC. The only parts of the real "r2" that SBS 2003 R2 gets are FSRM and MMC 3.0.

http://blogs.technet.com/sbs/archive/2006/02/28/420825.aspx

More tech details there.

The printer management console doesn't need a schema update that I recall.. you just need the R2 install on that server. I don't remember (don't think) I did anything on my DC when I enabled the Printer Management console on the member server.

Vinnie Cardona wrote:

Excellent. Thank you.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Saturday, January 13, 2007 4:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema

the AD schema is (must be) extended with the R2 stuff when either:
* you want to install R2 on a DC
* you want to use R2 functionalities like DFS-R, PMC, UnixIDm, etc.

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel: +31-(0)40-29.57.777
Mobile: +31-(0)6-26.26.62.80
E-mail: see sender address

From: [EMAIL PROTECTED] on behalf of Vinnie Cardona
Sent: Sat 2007-01-13 06:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema

Thank you Jorge. I was just a bit puzzled by one of the lines in the doc on the CD which states that the schema is only extended if you are planning on installing W2K3r2 on a W2K3 DC. I am still in the process of reading up on W2K3r2 and DFS, and thanks to you and Hunter, who sent me the link to the DFS requirements, I now understand more on the requirements. Thank you all for your help. Really do appreciate it.

-vC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, January 12, 2007 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema

although the file servers are R2 because of the use of DFS-R (new replication mechanism), you MUST extend the AD schema so that the DFS-R information can be stored in AD

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto

From: [EMAIL PROTECTED] on behalf of Vinnie Cardona
Sent: Sat 2007-01-13 00:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] R2 Schema

Interesting. I have a similar situation. But in my case they want me to roll out R2 on 10 of my W2K3sp1 file and print servers to take advantage of DFS. After reading the installation docs from the CD it appears to me that I don't have to extend the schema because the servers I will be upgrading are not DCs...would like a reassurance that this is indeed the case with the community...

-many thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Isenhour, Joseph
Sent: Friday, January 12, 2007 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] R2 Schema

I have a customer that is really pushing to have the R2 schema loaded in our W2K3 SP1 environment. The plan is to take advantage of the new DFS extensions. We don't have any plans to upgrade to R2 in the foreseeable future, so we'd basically be running W2K3 with the R2 schema for several months or years. Does anyone see any potential issues with that?
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
Re: [ActiveDir] R2 Schema
Ours already automagically are.. so I probably didn't notice or need it

Brian Desmond wrote:

I thought you needed the schema updates for the extra attributes for pushing printers via GP.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, January 14, 2007 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] R2 Schema

(for those on the off chance interested in the SBS impact)

While SBS's "r2" release does not give you the functionality of the real R2 bits, to have DFSRv2 on member servers you have to bump the schema on the SBS DC. The only parts of the real "r2" that SBS 2003 R2 gets are FSRM and MMC 3.0.

http://blogs.technet.com/sbs/archive/2006/02/28/420825.aspx

More tech details there.

The printer management console doesn't need a schema update that I recall.. you just need the R2 install on that server. I don't remember (don't think) I did anything on my DC when I enabled the Printer Management console on the member server.
[ActiveDir] OT: DTS webcast (this link works)
http://blogs.technet.com/james/archive/2007/01/11/daylight-saving-partner-webcast.aspx

Further to my recent post about Daylight Saving updates to Microsoft products, partners are encouraged to join the webcast on this very subject. You can sign up for the webcast here:

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032324210

Again, you can find more information on the DST preparations here: http://www.microsoft.com/dst2007

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
Re: [ActiveDir] OT: Is anyone having trouble with Vista and ISA authentication?
Which ISA firewall client do you have? The new one that supports ISA?

Rich Milburn wrote:

I've been having an issue for some time where Vista (w2k3 domain member) will work fine for a while, then suddenly start asking for proxy authentication for browsing, and won't accept what I give it, even though other network access is fine, and I can even connect to \\proxysrv\mspclnt (so obviously the proxy server can authenticate me). Our ISA 2004 server requires user authentication for all outbound Internet requests. I end up with a 407 (proxy requires authentication) error after 3 tries with my correct credentials. I'm using Wireshark (Ethereal) to look at the traffic, and I have a support incident open with Microsoft, but I'm trying to see if anyone else is having this issue. I only found one or two people on the beta newsgroups who did, and others here are not seeing the issue. I see it repeatedly, across multiple clean installations. The only difference I know of is that they are running as domain admins and I am not, but why would that make a difference intermittently?

Thanks
Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I love the smell of red herrings in the morning" - anonymous
Re: [ActiveDir] OT: Is anyone having trouble with Vista and ISA authentication?
(and these days I can't assume) 64 or 32? 64 there's a needed hotfix for Vista 64 to work with ISA.

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

Which ISA firewall client do you have? The new one that supports ISA?

Rich Milburn wrote:

I've been having an issue for some time where Vista (w2k3 domain member) will work fine for a while, then suddenly start asking for proxy authentication for browsing – and won't accept what I give it, even though other network access is fine, and I can even connect to \\proxysrv\mspclnt (so obviously the proxy server can authenticate me). Our ISA 2004 server requires user authentication for all outbound Internet requests. I end up with a 407 (proxy requires authentication) error after 3 tries with my correct credentials.
Re: [ActiveDir] OT: Is anyone having trouble with Vista and ISA authentication?
KB917902 http://support.microsoft.com/kb/917902/en-us

on second thought ... that might/prob not applicable...we only need it as ISA is on our DC and Vista 64 doesn't play nice with that setup.

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

Which ISA firewall client do you have? The new one that supports ISA?

Rich Milburn wrote:

I've been having an issue for some time where Vista (w2k3 domain member) will work fine for a while, then suddenly start asking for proxy authentication for browsing – and won't accept what I give it, even though other network access is fine, and I can even connect to \\proxysrv\mspclnt (so obviously the proxy server can authenticate me). Our ISA 2004 server requires user authentication for all outbound Internet requests. I end up with a 407 (proxy requires authentication) error after 3 tries with my correct credentials. I'm using Wireshark (Ethereal) to look at the traffic, and I have a support incident open with Microsoft... but I'm trying to see if anyone else is having this issue. I only found one or two people on the beta newsgroups who did, and others here are not seeing the issue. I see it repeatedly, across multiple clean installations. The only difference I know of is that they are running as domain admins and I am not – but why would that make a difference intermittently?

Thanks
Rich
Re: [ActiveDir] client time sync
http://www.minasi.com/newsletters/nws0306.htm

Fixing Time Synchronization Problems

My XP desktop stopped synchronizing its time with the domain. The Event Log kept showing that the desktop hadn't time-synced with any of my DCs in weeks. That worried me because if my workstation's time drifted more than five minutes from the domain controllers' time then I'd not be able to log on. Once I was three minutes off, I figured it was time to figure out what had happened. I tried to re-synchronize from the command line:

w32tm /resync

And got "the computer did not resync because no time data was available." Oooh, that doesn't look good. But then I realized that I'd fixed my system's time server as an experiment rather than letting AD set it. Some free time sync programs do that also, so many of you may be in this position. I just cleared out HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters's NtpServer value entry, and then I restarted the Windows Time Service. Sadly, no dice ... still no sync. For some reason, if your domain doesn't find all of the Registry entries to be just right, then it won't sync with your system. You can, thankfully, fix it with this command:

w32tm /config /syncfromflags:DOMHIER /update

Type that from a command line, and then restart Windows Time Service and retry the w32tm /resync or, better,

w32tm /resync /rediscover

A command that cleans out and rebuilds a few other Registry entries. I had that problem with my XP box about a year ago; since then I've found these commands useful on a number of systems. When workstations get more than five minutes out of sync with the DC, then they stop authenticating but they're not very forthcoming about the reason -- so when authentication's a problem then first look at DNS, and if that doesn't help then look at time!
Rimmerman, Russ wrote:

I tried it, it says:
The computer did not resync because no time data was available

I followed http://support.microsoft.com/kb/929276 but it was already set right....

Try the command...

w32tm /resync /rediscover

See if that helps the client figure out where it should look for time.

~Ben

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Wednesday, January 10, 2007 2:12 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Client time sync

I have a machine (at least one I know of) that isn't syncing time with the domain controller it's logging into. I've restarted the win32time service on it to see if that would sync it and it doesn't. Any suggestions on where to start? The DC and the client are off by about 9 minutes.

~~ This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information of Cameron and its Operating Divisions. Any unauthorized use or disclosure is prohibited. If you are not the intended recipient, please contact the sender by reply email and delete and destroy all copies of the original message inclusive of any attachments. ~~
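To check whether a member's clock is still inside the five-minute window the newsletter mentions, and to apply its w32tm repair sequence only when the client is pinned to a manual server or has actually drifted, here is an added PowerShell example (not from the newsletter or anyone in the thread). It assumes an elevated prompt on a domain member with w32tm.exe, and takes the DC name from $env:LOGONSERVER.

```powershell
# Added example (not from the thread). Diagnose a domain member's time
# source and offset, then run the newsletter's repair sequence only when
# the client is pinned to a manual NTP server or drifted past the
# 5-minute window that Kerberos tolerates by default.
# Assumptions: elevated PowerShell on a domain member; w32tm.exe present;
# UDP/123 open to the DC named in $env:LOGONSERVER.

$W32TimeParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-W32TimeSource {
    # Type = NT5DS means "follow the domain hierarchy"; Type = NTP plus an
    # NtpServer value is the "pinned to a fixed server" state the newsletter
    # describes (third-party time sync utilities leave it behind too).
    $p = Get-ItemProperty -Path $W32TimeParams
    [pscustomobject]@{ Type = $p.Type; NtpServer = $p.NtpServer }
}

function Get-ClockOffsetSeconds {
    param([Parameter(Mandatory)][string]$Computer, [int]$Samples = 3)
    # /stripchart /dataonly prints one line per sample, e.g.
    #   "12:00:01, +00.0123456s"   (local clock minus $Computer's clock)
    $lines = & w32tm.exe /stripchart /computer:$Computer /samples:$Samples /dataonly 2>&1
    $last  = $lines | Where-Object { $_ -match ',\s*[+-][0-9.]+s' } | Select-Object -Last 1
    if (-not $last) {
        throw "No time data from $Computer (no answer on UDP/123, or the name did not resolve)"
    }
    if ("$last" -match ',\s*([+-][0-9.]+)s') { return [double]$Matches[1] }
    throw "Unexpected stripchart line: $last"
}

function Repair-DomainTimeSync {
    param(
        [string]$DomainController = $env:LOGONSERVER.TrimStart('\'),
        [int]$MaxSkewSeconds = 300   # Kerberos default clock skew tolerance (5 minutes)
    )
    $src    = Get-W32TimeSource
    $offset = Get-ClockOffsetSeconds -Computer $DomainController
    Write-Host ("Source type: {0}  NtpServer: '{1}'  offset vs {2}: {3:N3}s" -f `
        $src.Type, $src.NtpServer, $DomainController, $offset)

    $pinned  = $src.Type -ne 'NT5DS'
    $drifted = [math]::Abs($offset) -ge $MaxSkewSeconds
    if (-not ($pinned -or $drifted)) {
        Write-Host 'Time source and offset look healthy; nothing to do.'
        return
    }

    # The newsletter's fix: point the client back at the domain hierarchy
    # (this rewrites Type/NtpServer), restart the service, and rediscover a
    # DC instead of retrying the cached one.
    & w32tm.exe /config /syncfromflags:DOMHIER /update
    Restart-Service -Name w32time
    & w32tm.exe /resync /rediscover
    Write-Host ("New offset: {0:N3}s" -f (Get-ClockOffsetSeconds -Computer $DomainController))
}

Repair-DomainTimeSync
```

If the stripchart call itself gets no data, the problem is reachability of UDP/123 or name resolution to the DC, which is the "look at DNS first" case rather than a registry problem.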
[ActiveDir] OT: Time change support webcast
http://blogs.technet.com/beatrice/archive/2007/01/09/preparing-for-dst-changes-in-2007.aspx

In August of 2005 the United States Congress passed the Energy Policy Act, which changes the dates of both the start and end of daylight saving time (DST) from 2007. While the change in daylight saving time applies to U.S. and Canada, it may have an impact also on customers who interact or integrate with systems that are based in North America or rely on such date/time for calculations.

Windows Client, Windows Server, Windows Mobile, SharePoint Services, Exchange Server and Office Outlook are some of the Microsoft products which will be affected by the DST changes. Updates to these products are being developed and tested. Depending on the particular product or scenario, these updates will be released through Microsoft Customer Support Services (CSS), hotfixes incorporated in Knowledge Base articles, Windows Update, Microsoft Update, Windows Server Update Services (WSUS), and the Microsoft Download Center.

What you can do in the meanwhile to prepare your business for the change:

1. Check the Microsoft site: Preparing for daylight saving time changes in 2007
2. Participate in the Microsoft Support WebCast: Deploying Microsoft Windows 2000 updates for daylight saving time changes for worldwide use, which is specifically focused on Microsoft Windows 2000. It talks about the registry changes and the time zones that are being updated. This WebCast also tells how to confirm that the updates have been applied, and then provides information about testing and rollback procedure.
Re: [ActiveDir] WSUS 3.0 beta 2
There is a WSUS beta newsgroup specifically for such questions. .. and BTW it's just about to shut down as they are nearing RC and I'm assuming that as this is a beta you've installed this in a test network only?

Haritwal, Dhiraj wrote:

Hi,

Does anyone know about WSUS 3.0 beta 2? Actually I had installed it and am facing some problems. So can anybody help me?

Dhiraj Haritwal

This email is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this email is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message. - This mail is sent via Sony Asia Pacific Mail Gateway.
Re: [ActiveDir] Risks of exposure of machine account passwords
Assuming you have LC3 still around... now you have to use other tools. However, the cracking ease is dependent upon the lanman hash settings. If you have 98/NT, other alternative OSs and have to have lanman enabled, it's trivial if you are on the lan to crack the passwords using (and I forget the group that took LC3 and now have made it opensource) LC3's equivalent.

Ziots, Edward wrote:

Actually Machine password can be extracted from LC3 and higher, done it myself, and it seems that Windows Choice of Secure password with the DC's insist that hard to crack. You can also use Ophcrack with rainbow tables, and cachedump or pwdump3e to get the computer account hash and crack that bugger simply. I agree, it's gotta usually be an inside job to get it, and the computer account could prove less fruitful than a juicier user account with higher level access, but it's an interesting way to hack I suppose.

TY
Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:[EMAIL PROTECTED]
cell:401-639-3505

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, January 08, 2007 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Risks of exposure of machine account passwords

If an attacker gets access to a machine account password they can connect to AD as that computer which is usually just normal user access rights. In fact, if you set up an auth as the computer and tap an ADAM instance and look at the RootDSE it will show you the groups you are a member of that are right for that context. For example:

tokenGroups: TEST\TESTCMP$
tokenGroups: TEST\Domain Computers
tokenGroups: Everyone
tokenGroups: BUILTIN\Users
tokenGroups: NT AUTHORITY\NETWORK
tokenGroups: NT AUTHORITY\Authenticated Users
tokenGroups: NT AUTHORITY\This Organization

I don't think overall that computer accounts are any more risky than normal userids.

On the flip side, I think it is silly to leave enabled machine accounts lying around for computers that you are relatively sure will never reconnect. That is why I wrote oldcmp and make it available to everyone.

The key part is as Al mentioned, how did they get that password? I don't recall seeing anything that will extract that from a machine and even so, I expect it is much easier and useful to target user passwords than computer passwords - primarily admin type users.

A dirty trick I have used in the past to disprove how secure an environment was was to set up a web site on a workstation, enable basic auth only, write a little perl cgi script to write the creds sent to the website to a log file and throw up a website unavailable screen and then tell admins that I have a web site that doesn't seem to authenticate users properly could they try to logon to see if it is just my test IDs or a permission problem. I would say at least 50%-60% of the time the admins will go to the page and type in their creds. Alternately try to get an admin to log into a workstation I control.

In far too many cases I think you will find admins are users too... :)

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mr Oteece
Sent: Monday, January 08, 2007 1:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Risks of exposure of machine account passwords

What are the risks associated with the exposure of machine account passwords in Active Directory? Passwords are changed for machine accounts regularly, but they don't really expire and can get rather old. If an attacker has access to this password, what sort of access would he have to other systems on the network via Kerberos? i.e., would he be able to forge service tickets as other users and elevate his access elsewhere? The laxness of policy surrounding these accounts suggests that this is not a huge risk. Should we be more concerned with these old passwords?

Otis
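The housekeeping joe describes (not leaving enabled machine accounts around for computers that will never reconnect) is easy to check natively. The following is an added PowerShell example, not joe's oldcmp and not code from the thread: it lists enabled computer accounts whose pwdLastSet is older than a threshold, using System.DirectoryServices so no admin pack is needed. The 90-day default and the search base parameter are my assumptions.

```powershell
# Added example (not joe's oldcmp, not from the thread). Report enabled
# computer accounts whose machine password (pwdLastSet) has not changed in
# a given number of days, so stale accounts can be reviewed and disabled
# instead of being left around with a still-valid password.
# Assumptions: run as a domain user that can read computer objects; the
# 90-day default is a constructed threshold (machine passwords rotate every
# 30 days by default, so 90 days means three missed rotations).

function Get-LdapValue {
    param($Result, [string]$Name)
    # ResultPropertyCollection keys are lower-case; an attribute that is not
    # set comes back as an empty collection, so guard the index instead of [0].
    $v = $Result.Properties[$Name.ToLower()]
    if ($v -and $v.Count -gt 0) { return $v[0] } else { return $null }
}

function Get-StaleComputerAccounts {
    param([int]$Days = 90, [string]$SearchBase)
    # pwdLastSet is a FILETIME (100-ns ticks since 1601) and LDAP compares it
    # as an Integer8, so the cutoff is the same representation.
    $cutoff = (Get-Date).AddDays(-$Days).ToFileTimeUtc()

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchBase) { $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase" }
    # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND; bit 0x2 of
    # userAccountControl is ACCOUNTDISABLE, so the (!...) keeps enabled accounts.
    $searcher.Filter = "(&(objectCategory=computer)" +
                       "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
                       "(pwdLastSet<=$cutoff))"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('name', 'pwdLastSet', 'operatingSystem', 'distinguishedName'))

    foreach ($r in $searcher.FindAll()) {
        $pls = [int64](Get-LdapValue $r 'pwdLastSet')
        # pwdLastSet = 0 means the password was never set (or must be reset).
        $age = if ($pls -gt 0) {
            [int]((Get-Date) - [datetime]::FromFileTimeUtc($pls)).TotalDays
        } else { $null }
        [pscustomobject]@{
            Name              = [string](Get-LdapValue $r 'name')
            OperatingSystem   = [string](Get-LdapValue $r 'operatingSystem')
            PasswordAgeDays   = $age
            DistinguishedName = [string](Get-LdapValue $r 'distinguishedName')
        }
    }
}

# Example run: enabled computers that have not rotated their password in 90 days.
Get-StaleComputerAccounts -Days 90 |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table Name, OperatingSystem, PasswordAgeDays -AutoSize
```

Review the list before disabling anything: a machine that was powered off for a quarter will rotate its password on its own once it reconnects, while one that has been rebuilt under a new name never will.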
Re: [ActiveDir] AD Auditing and Change Control
Last I checked the public info on ACS is/has/will be in beta forever and won't be in a product until the System Center line of products hits the streets (they are still in beta). These days ACS isn't a solution for anyone other than the folks that got the beta bits eons ago.

I'm still getting my head around the Vista audit logs but liking what I see so far (lots more granular info).

Shawn Barker wrote:

AD Auditing and Change Control

Hi Matt,

Natively it's difficult to track all changes to AD. If you do this through the event log, then you need a mechanism to regularly harvest the event logs, such as Microsoft Audit Collection System (ACS). Otherwise, as you've noted, the logs will overwrite and you will lose historical information. Even with event collection in place, you're still at the mercy of what changes and what change information you can actually get from the event log. By increasing your audit policy you can ensure more change details are captured in the event log, but you're also producing a lot of additional information in the event logs that you might not need, and you may need to worry about server overhead, logs wrapping more often, etc. Ultimately you likely need to know not just that an object was modified but what specifically was changed, before/after values, etc., not all of which is easy to glean from event logs.

The two main 3rd party products that solve this challenge are NetPro ChangeAuditor and Quest InTrust for Active Directory.

Thanks,
Shawn

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mattingly, Garrett
Sent: Friday, January 05, 2007 11:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Auditing and Change Control

Hi All,

I was asked if there was a way to find out all changes performed in AD by a particular user account. The person was wondering if there is an AD attribute to query on to do this. Natively I believe that event log auditing is about the only way you can track this information natively which is almost useless because the security log overwrites after a day or so. As far as I know in AD you have a creation and modified date on objects in AD but there is no created by or modified by attribute that I am aware of. I thought maybe object owner might be an attribute but I did not see this listed in ADSIEdit. This is basically a "How can we find out what this guy is doing or did?" problem.

Questions:
Is this even possible with native tools?
Are there recommended 3rd party tools that could do this? I've heard of something called ECORA Auditor Pro, anybody use this?

Thanks,
Garrett
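The native route Shawn describes (harvest the Security log and filter by the acting account) looks like this on the newer audit logs Susan mentions. This is an added PowerShell example, not code from anyone in the thread: it assumes a Windows Server 2008 or later DC with the "Directory Service Changes" audit subcategory enabled and SACLs on the objects of interest; the event ID 5136 and its EventData field names are from my own knowledge of that event, and the user and DC names are placeholders.

```powershell
# Added example (not from the thread). Pull "directory service object
# modified" events (ID 5136) from a DC's Security log and keep those
# performed by one account, with object, attribute, value and operation.
# Assumptions: Windows Server 2008 or later DC; "Audit Directory Service
# Changes" enabled and SACLs set on the objects being watched; the event ID
# and EventData field names are from my knowledge of the event, not the
# thread; 'jsmith' and 'DC01' below are placeholders.

function Get-ADChangesByUser {
    param(
        [Parameter(Mandatory)][string]$User,              # sAMAccountName, e.g. 'jsmith'
        [string]$DomainController = $env:COMPUTERNAME,
        [int]$MaxEvents = 10000
    )
    $filter = @{ LogName = 'Security'; Id = 5136 }
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # EventData is easiest to read from the event XML: one <Data Name="..."> per field.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        if ($d['SubjectUserName'] -ne $User) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Object    = $d['ObjectDN']
            Class     = $d['ObjectClass']
            Attribute = $d['AttributeLDAPDisplayName']
            Value     = $d['AttributeValue']
            # OperationType is a resource string id: %%14674 = Value Added,
            # %%14675 = Value Deleted (verify against your DC's event text).
            Operation = $d['OperationType']
        }
    }
}

# Example run (placeholder names): what did 'jsmith' change on DC01 recently?
Get-ADChangesByUser -User 'jsmith' -DomainController 'DC01' |
    Sort-Object Time |
    Format-Table Time, Object, Attribute, Value, Operation -AutoSize
```

Each attribute change appears as a deleted-value event followed by an added-value event, which is the closest native answer to the before/after values Shawn mentions; anything older than the log's retention is gone, so this only helps if the log is harvested regularly.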
[ActiveDir] I thought we weren't supposed to be doing GP editing stuff on DCs in the first place?
Morphed folders appear in the SYSVOL Group Policy folder after you use Group Policy Object Editor to view a GPO on a Windows Server 2003-based domain controller: http://support.microsoft.com/?kbid=929266

"Perform GPO management tasks on a certain domain controller. For example, perform GPO management tasks on the primary domain controller (PDC) emulator only"

I thought we weren't supposed to be doing GP editing stuff on DCs in the first place?
Re: [ActiveDir] NTP Client Software
I'm assuming you have a mixed environment... granted I'm small...but I've not found the built in time sync to not sync once the DC has been properly pointed and the ports are open on the firewall properly. I've read somewhere (need to google this) that some of the military time servers that we used to sync with are no longer externally sync-able.

http://support.microsoft.com/kb/314054
http://support.microsoft.com/kb/816042/

Ken Cornetet wrote:

http://ntp.isc.org/bin/view/Main/ExternalTimeRelatedLinks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Smith
Sent: Wednesday, January 03, 2007 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTP Client Software

Hello

Wonder if anyone out there has any NTP client software recommendations? We need to keep some clients within 1-2 seconds of our stratum 1 timeserver and Windows Time simply does not cut it. Any suggestions would be much appreciated.

Dan
Re: [ActiveDir] OT: Exchange 2003 Copy Outgoing Messages
Inbound is a piece of cake. Outbound needs journaling http://support.microsoft.com/?id=281926 (not sure if 2007 makes this easier?)

Aaron Steele wrote:

Dan,

I did some quick searching and found a white-paper from MS on Outbound Journaling and how one might set that up. That might be your best course for further research.

http://www.microsoft.com/downloads/details.aspx?FamilyID=d357e733-0e22-477c-b884-0c38fbb51533&displaylang=en

/aaron

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan DeStefano
Sent: Wednesday, January 03, 2007 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Exchange 2003 Copy Outgoing Messages

Is there a way built into Exchange 2003 running on Server 2003 that a user can be copied on all messages sent by another user? We have a manager that wants to monitor all outgoing messages sent by certain users regardless of the recipient. Is this possible? Thank you in advance for any help.

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

If you have received this message in error please notify the sender, disregard any content and remove it from your possession.
Re: [ActiveDir] NTP Client Software
If you are time syncing with a Non Windows server you may have to do a 0x8 command as well (see below)

This problem may occur when your computer sends synchronization requests by using symmetric active mode. By default, Windows Server 2003 domain controllers are configured as time servers and use symmetric active mode to send synchronization requests. Some NTP servers that do not run Windows respond only to requests that use client mode. To resolve this problem, configure Windows Time to use client mode when it synchronizes with the time server. To do this, follow these steps:

1. Click Start, click Run, type cmd, and then press ENTER.
2. At the command prompt, type the following commands in the order that they are given. After you type each command, press ENTER.

w32tm /config /manualpeerlist:NTP_server_IP_Address,0x8 /syncfromflags:MANUAL
net stop w32time
net start w32time
w32tm /resync

For more info: Time synchronization may not succeed when you try to synchronize with a non-Windows NTP server in Windows Server 2003 http://support.microsoft.com/?id=875424

Brian Desmond wrote:

Pool.ntp.org is what you want to point to ideally.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Wednesday, January 03, 2007 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTP Client Software

I'm assuming you have a mixed environment... granted I'm small...but I've not found the built in time sync to not sync once the DC has been properly pointed and the ports are open on the firewall properly. I've read somewhere (need to google this) that some of the military time servers that we used to sync with are no longer externally sync-able.

http://support.microsoft.com/kb/314054
http://support.microsoft.com/kb/816042/

Ken Cornetet wrote:

http://ntp.isc.org/bin/view/Main/ExternalTimeRelatedLinks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dan Smith
Sent: Wednesday, January 03, 2007 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTP Client Software

Hello

Wonder if anyone out there has any NTP client software recommendations? We need to keep some clients within 1-2 seconds of our stratum 1 timeserver and Windows Time simply does not cut it. Any suggestions would be much appreciated.

Dan
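The KB steps above, wrapped so that the ",0x8" client-mode flag is applied to every non-Windows peer and the result is verified, as an added PowerShell example (not from the KB article or the thread). It assumes an elevated prompt on the Windows Server 2003 box being configured; the peer names are placeholders.

```powershell
# Added example (not from KB 875424 or the thread). Configure a Windows
# time server to poll non-Windows NTP servers in client mode (",0x8")
# instead of the default symmetric-active mode, using the KB's command
# sequence unchanged, then read back the registry and measure the offset.
# Assumptions: elevated prompt on the machine being configured; the peer
# names below are placeholders, not servers mentioned in the thread.

$W32TimeParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function New-ManualPeerList {
    param([Parameter(Mandatory)][string[]]$Peers, [string]$Flags = '0x8')
    # w32tm takes a space-separated list of "host,flags". The documented flag
    # bits are 0x1 UseSpecialPollInterval, 0x2 UseAsFallbackOnly,
    # 0x4 SymmetricActive and 0x8 Client; only 0x8 is needed for the KB's
    # problem, where the peer answers client-mode requests only.
    ($Peers | ForEach-Object { '{0},{1}' -f $_, $Flags }) -join ' '
}

function Set-ClientModeNtpPeers {
    param([Parameter(Mandatory)][string[]]$Peers)
    $list = New-ManualPeerList -Peers $Peers
    # KB 875424's sequence: configure, bounce the service, resync.
    & w32tm.exe /config /manualpeerlist:"$list" /syncfromflags:MANUAL
    & net.exe stop w32time
    & net.exe start w32time
    & w32tm.exe /resync
}

function Test-NtpPeerConfig {
    param([Parameter(Mandatory)][string[]]$Peers)
    # Read back Parameters\NtpServer and Type; every peer must carry ",0x8".
    $p          = Get-ItemProperty -Path $W32TimeParams
    $configured = @($p.NtpServer -split ' ')
    $missing    = @($Peers | Where-Object { $configured -notcontains "$_,0x8" })
    # Offset against the first peer; /stripchart talks to any NTP server.
    $first      = $Peers[0]
    $offsetLine = & w32tm.exe /stripchart /computer:$first /samples:1 /dataonly 2>&1 |
                  Select-Object -Last 1
    [pscustomobject]@{
        Type            = $p.Type          # expected 'NTP' after /syncfromflags:MANUAL
        NtpServer       = $p.NtpServer
        AllInClientMode = ($missing.Count -eq 0)
        OffsetLine      = "$offsetLine"
    }
}

# Placeholder peers (constructed): replace with your stratum 1 box or a
# pool.ntp.org name as Brian suggests.
$peers = @('ntp1.example.invalid', 'ntp2.example.invalid')
Set-ClientModeNtpPeers -Peers $peers
Test-NtpPeerConfig -Peers $peers | Format-List
```

If the stripchart line shows no data even after the flag is set, check that UDP/123 is open outbound on the firewall, which is the other failure Susan mentions.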
[ActiveDir] OT: Admin pack KB now out
Error message when you install the Windows Server 2003 management tools on a Windows Vista-based computer: "MMC could not create the snap-in": http://support.microsoft.com/default.aspx/kb/930056

http://blogs.technet.com/windowsserver/archive/2006/12/23/administering-windows-server-2003-from-windows-vista.aspx
Re: [ActiveDir] Vista GPO
(see Subject line as to why you cannot edit the policy on a DC)

Because for Vista you need to be on a Vista box for the Group policies in Vista to make sense. The firewall rules alone grab a virtual set up ..set up a DC and a Vista box and fire up the group policy settings for Vista's new firewall and then fasten your seatbelt as to how different they are from XP sp2.

The best practice for those that insanely edit on our DCs from those that have come from Enterprise is that they recommend that you edit the policy disabled because if you build/edit a policy on a live DC you can nail yourself big time if you mess them up. One shouldn't introduce live change in a domain without testing. Best practice is indeed to not be building a Group policy on a domain controller where they could go into effect and you haven't tested the impact.

Matt Hargraves wrote:

I'm not too terribly surprised, I think that there are GP-like items in Linux also. However, that still leaves my other question unanswered: What is the really compelling reason to not edit GPOs on a DC as opposed to a workstation, other than the fact that you really shouldn't bother logging into any server for something that you can do from your workstation? People point to 'best practices', but I don't know if there is any justification beyond the fact that you shouldn't bother hopping onto a DC just to edit a GPO that you could edit from your workstation. Does anyone have an answer to that?

On 12/19/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:

The Mac does have something akin to GP, though the name eludes me at the moment and it's not quite the same. And of course, folks like Centrify have created a GP client for the Mac that integrates into Windows GP as well.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, December 19, 2006 8:49 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Vista GPO

Also, since we're talking about GPOs, while I haven't managed a Mac in several years, I don't remember them offering this functionality, so I'm not even sure how that's relevant to this discussion.

On 12/19/06, Matt Hargraves [EMAIL PROTECTED] wrote:

While the only GPOs I've edited at the DC/server side have been the GPOs for my sister's SBS box, which I connect to from around 1400 miles away, I don't generally do it as a rule - too cumbersome and a waste of my time normally.

I guess the real question for me is "Why not?". It's just an MMC snap-in. Nothing huge in there that's going to trash the box. Nothing that is going to compromise security... If there is something in that MMC that I shouldn't be doing from a server/DC, then it's probably something I shouldn't be doing from my workstation too.

I guess the real question should be "Why, other than the fact that there's no reason to waste the steps to pull up the RDP client and login to a remote server, shouldn't I edit GPOs from the PDC Emulator?" The GPOs are going to be edited there anyway (or at least that's where your GPMC is going to connect to) and then distribute from there. I can only think of one reason and that's "Don't login to a DC unless you need to" but that goes for any box... or do you just run around your environment randomly logging in through RDP to all kinds of servers for no reason other than you have nothing better to do? There are very few things that you really need to do at any box, whether it's a DC, a file server, SQL or even Exchange box. Hell, you don't even need to login locally to reboot it unless you've defined that by GPO.

Like I said before, there is only 1 box that I do that for and that's because that box is 1400 miles away and I can't vpn into their network yet (hope to get that setup in the next year, when I visit sometime - *if* I visit sometime :( ). I don't really do it much, but I also can't think of a really good reason to actually avoid doing it either (example - I have to do a dcdiag on the PDC, then someone requests a GPO change - should I really disconnect from that box just to do the same thing from another?).

As for backward compatibility, many companies are still running NT boxes in their environments and have been for many years now, because they don't have much of a choice - the server apps aren't being produced any more and there isn't an upgrade path that would take less than 6 months of hard work, not to mention having to retrain potentially hundreds (if not more) of employees. I don't think that it should be necessary to include all of
Re: [ActiveDir] Vista GPO
Depends on what you define as compelling. I killed off Win2k way before XP sp2 was released.

Todd Hofert wrote:

If I remember correctly, there were no real compelling reasons to go to XP until after SP2 was released.

Todd

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rich Milburn
Sent: Tuesday, December 19, 2006 10:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Am I the only one who remembers the teeth-pulling necessary to get people to make the move to XP? Or to Win2K? Both of which were a fairly big leap. XP was seen as eye candy with very little benefit over Win2K (but with licensing and deployment and compatibility problems that could be avoided by staying on a perfectly good platform). I had to write up several papers on what was different and better in XP than in Win2K (not where I work now, just for the record...)

I think in 2 years we're going to see a similar situation. The more IT types dig into Vista, and see solutions to problems that either have no solution in XP, or require workarounds and make-do's (is that a word?), the more people will start to see the point in upgrading. I think the same goes for Longhorn.

So... this is just my opinion, but I think that one would be remiss in not digging into Vista now to see if there's more than just eye candy and extensive hardware requirements... So far, in my experience, I've been pretty surprised at the things that will run on Vista. Conversely, there are a few things we have that still do not work on XP. We use Win2K VMs for those handful of things.

---
Rich Milburn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, December 15, 2006 7:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Vista GPO

(as a bystander here .. I personally like the point/counterpoints.. just sometimes we need to realize that we lose ...what? About 60% of communication via email? And adjust accordingly okay? Can we hug and make up?)

Pogue's Posts - Technology - New York Times Blog: http://pogue.blogs.nytimes.com/2006/12/14/14pogue-email-2/

Granted I'm little... but are you guys really and truly rolling out Vista in other than Lab settings anyway? I'm getting hit over the head on a daily basis by vendors that are saying Wait. My two benchmarks of when I can say I'm somewhat business ready on Vista is when the ISA firewall client that supports Vista ships (it did earlier this week) and when Trend isn't offering up beta versions as the only ones that will run on Vista. Are you guys really and truly rolling these suckers out on production boxes? Don't geeks adapt anyway? (We may not read... but we adapt right?)

This is slightly incorrect...but the fact is SQL 2005 express officially needs sp2 to run on Vista
http://money.cnn.com/2006/12/14/magazines/business2/microsoft_vista.biz2/index.htm?cnn=yes

Wait Until after Tax Time? Note that Intuit's tax software divisions are recommending that their users wait until after tax season to make any move to Windows Vista. These notices are posted for both Lacerte Professional Tax Software and ProSeries Professional Tax Software.

Prudence Suggested for QuickBooks Users Too. Windows Vista holds much promise for significant improvements in security and functionality. However, Intuit suggests the decision to upgrade to Windows Vista be approached carefully, for two reasons:
* Potential reliability issues often associated with the initial release of operating systems.
* Intuit will not be able to support QuickBooks 2006 and earlier on Windows Vista.

Laura A. Robinson wrote:

Deji, I've had enough of you attributing statements to me that I have not made, and therefore I am finished with this conversation.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Did I actually say that clueless folks are writing you checks? Or are you projecting? That those who write you checks but don't/can't/won't do things the right way (according to you) are clueless, and you don't like
Re: [ActiveDir] Vista GPO
Well, it's about time, item no 1: Granular control of removable devices. http://www.sbslinks.com/vista.ppt As I showcased in that slide deck that I just did to a bunch of CPAs.. I can't do the 3d view thingy on my.. what now nearly two year old tablet. Uh huh. So what. When I do that view it makes me seasick anyway. And UAC isn't that annoying.

Rich Milburn wrote:
So did we, where I was at the time. Now I can't recall what the driving factors were, but it was pre-SP2. There were enough to convince some hard-core captains to do it, though, and that was a tough sell. With XP SP2, Vista is a tough sell to people who believe everything they read about Vista but haven't checked out for themselves. I thought it was just kinda cool looking but not compelling, till I started digging deep into it. That's when I saw a lot of "well it's about time they fixed that" issues, and various things that for me, would be selling points on their own merit. But alas, those around me who have not taken the time to find out for themselves, get hung up on the reviews saying it takes a Cray supercomputer to run it, all so you can get some eye candy that's overrated at best. I'm not going to go into it all right now, but depending on your environment, there are compelling reasons to get familiar with Vista. With SP1, I expect it to be widely deployable (and compelling to do so). And I would expect [1] SP1 in the mid-2007 Longhorn RTM time frame.

[1] I have no privileged knowledge about that, it's just a guess based on the fact that the Vista/Longhorn code is closely related, the two OS's are meant to go hand-in-hand, and W2K3 Server SP1 and XP SP2 were closely related. In a way, some of the Vista code which is shared with Longhorn is getting a longer beta run, and will likely be fixed in Longhorn and the fixes will apply to Vista - especially as relates to how the Vista client is used in conjunction with the server, including admin tasks. Again, that is a guess, not inside info. I could be way off.

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, December 19, 2006 12:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Vista GPO

Depends on what you define as compelling. I killed off Win2k way before XP sp2 was released.

Todd Hofert wrote:
If I remember correctly, there were no real compelling reasons to go to XP until after SP2 was released.
Todd

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, December 19, 2006 10:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Am I the only one who remembers the teeth-pulling necessary to get people to make the move to XP? Or to Win2K? Both of which were a fairly big leap. XP was seen as eye candy with very little benefit over Win2K (but with licensing and deployment and compatibility problems that could be avoided by staying on a perfectly good platform). I had to write up several papers on what was different and better in XP than in Win2K (not where I work now, just for the record...) I think in 2 years we're going to see a similar situation. The more IT types dig into Vista, and see solutions to problems that either have no solution in XP, or require workarounds and make-do's (is that a word?), the more people will start to see the point in upgrading. I think the same goes for Longhorn. So... this is just my opinion, but I think that one would be remiss in not digging into Vista now to see if there's more than just eye candy and extensive hardware requirements... So far, in my experience, I've been pretty surprised at the things that will run on Vista. Conversely, there are a few things we have that still do not work on XP. We use Win2K VMs for that handful of things.

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, December 15, 2006 7:32 PM
To: ActiveDir
[ActiveDir] OT:TechNet Magazine Active Directory Component Jigsaw Poster:
Download details: TechNet Magazine Active Directory Component Jigsaw Poster: http://www.microsoft.com/downloads/details.aspx?familyid=c236336d-ab43-44b1-ad6f-a2f668fb8c02displaylang=en

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
[ActiveDir] OT: Let's see how many wrong things are in this web site
http://utools.com/help/MovingSBS.asp

SBS is limited to 5-20 users
-- try 75 users or devices.

Because SBS does not allow a second domain controller, there is no supported way to back up Active Directory to protect against failure of the SBS computer.
--- Firstly, SBS supports additional domain controllers.. and has for years... As far as a supported way to back up AD... last I checked there's this new-fangled thing called System State backup... kinda a reliable way to back up AD last I heard... and in fact there's a SBS wizard that backs up the entire system.

UMove is the *only* utility that can recover Active Directory when running a standalone Small Business Server.
--- My guess is there are some guys on this list that would disagree with that statement.
Re: [ActiveDir] SMB Problems
SMB signing enabled? If it's not a newer one, they can't communicate over SMB with "require SMB signing" on. In August of this year there was a patch that came down that adjusted the default SMB signing behavior; it was in the optional section and on WSUS. Was that installed perhaps? http://msinfluentials.com/blogs/jesper/archive/2006/08/24/SMB-Message-Signing-Troubles_3F00_.aspx

Bob Anderson wrote:
Good Morning, I'm not sure I should be asking this here but here goes. We have a full Windows 2003 domain and almost all XP Professional workstations. I have a Ricoh Printer, Copier, Scanner on the network that we use to scan documents to each user's system. During the last month or so all but about 4 workstations have failed to allow scans to be created; the scanner does not give me any error messages. Each user is in the scanner address book with their Windows User ID and Password to access their own PC directory. Does anyone have a clue as to why some work and some do not? Thanks for any thoughts you may have.
Bob Anderson
IT Guy
Kent Sporting Goods
433 Park Ave. S
New London OH 44851
419-929-7021 x315
email: [EMAIL PROTECTED]
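As an added example (not from the thread), here is a PowerShell check for the signing settings Susan is asking about. It reads the LanmanWorkstation and LanmanServer registry values that the "Digitally sign communications" Group Policy settings write, and reports what happens to a scan-to-folder device that may or may not implement signing; the registry paths and value names are the documented ones, the defaults used when a value is absent and the device capability are assumptions you supply.

```powershell
# Added example, not part of the thread. Reads the effective SMB signing
# settings on a Windows host and explains the outcome for a peer (such as a
# scan-to-folder device) that may or may not implement signing.
# Registry locations and value names are the documented LanmanWorkstation /
# LanmanServer parameters behind the policies
# "Digitally sign communications (always)" and "(if client/server agrees)".

function Get-SmbSigningPolicy {
    param(
        # Overridable so the function can be pointed at an exported hive or a test key.
        [string]$WorkstationKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters',
        [string]$ServerKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    )

    # Returns $Default when the value is absent (assumed OS default; adjust for your build).
    function Read-Flag([string]$Key, [string]$Name, [bool]$Default) {
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $Default }
        return ([int]$item.$Name -ne 0)
    }

    [pscustomobject]@{
        # Client role: this host connecting out to someone else's share
        ClientEnable  = Read-Flag $WorkstationKey 'EnableSecuritySignature'  $true
        ClientRequire = Read-Flag $WorkstationKey 'RequireSecuritySignature' $false
        # Server role: this host offering a share, e.g. a user's scan folder
        ServerEnable  = Read-Flag $ServerKey 'EnableSecuritySignature'  $false
        ServerRequire = Read-Flag $ServerKey 'RequireSecuritySignature' $false
    }
}

function Test-SmbPeerOutcome {
    param(
        [Parameter(Mandatory)] $Policy,                         # output of Get-SmbSigningPolicy
        [Parameter(Mandatory)] [bool]$PeerCanSign,              # does the peer's firmware implement SMB signing?
        [ValidateSet('Server', 'Client')] [string]$LocalRole = 'Server'
    )
    # A scan-to-folder device is the SMB *client*; the workstation hosting the
    # share is the SMB *server*, so the LanmanServer values on the PC decide.
    $require = if ($LocalRole -eq 'Server') { $Policy.ServerRequire } else { $Policy.ClientRequire }
    $enable  = if ($LocalRole -eq 'Server') { $Policy.ServerEnable  } else { $Policy.ClientEnable  }

    if ($require -and -not $PeerCanSign) {
        return 'REFUSED: this host requires signing and the peer cannot sign'
    }
    if ($require -or ($enable -and $PeerCanSign)) {
        return 'OK: session will be signed'
    }
    return 'OK: session unsigned (signing not negotiated)'
}

# Usage on a workstation that receives scans; $false models older device firmware.
$policy = Get-SmbSigningPolicy
$policy
Test-SmbPeerOutcome -Policy $policy -PeerCanSign $false
```

Run it on one of the four workstations that still works and on one that fails; a differing ServerRequire value between the two is the quickest confirmation of Susan's theory.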
Re: [ActiveDir] Vista GPO
Yup. I think it finally WU'd down didn't it?

Brian Desmond wrote:
There was a hotfix for that - they lengthened some string or something in the adm file format if I remember right.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

You may recall, there was a similar case when XP came out too - if memory serves, you had to manage XP GPO settings from an XP box - if you opened them on Win2K, there were problems (I can't recall now exactly what those problems were... it would corrupt the policy? Lose the settings?) Anyway, so there are tons more settings (+ side) and you have to use Vista for now (- side, sorta). I wouldn't be too surprised if they fix that with the next server and XP SP... but I haven't actually heard that.

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, December 14, 2006 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Vista introduces a new Admin Template format called ADMX. These are found on Vista in C:\windows\policydefinitions and, unfortunately, cannot be consumed by earlier versions of Windows. That is, you must manage Vista GP from Vista.
Darren

-Original Message-
From: Za Vue [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 12/14/2006 1:18 PM
Subject: Re: [ActiveDir] Vista GPO

Sorry. Exactly what Ben wrote. Thanks..
-Z.V.

WATSON, BEN wrote:
Maybe he may be referring to the location of any possible new ADM files included with Vista.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, December 14, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3, unless you mean the LDIF files that are in sources\adprep on the Vista CD?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, December 14, 2006 9:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Vista GPO

Anyone know what and where the GPO plugin for Win2003 on the Vista DVD is called and located?
-Z.V.
Re: [ActiveDir] Vista GPO
Bad for whom? Down here where the bar is low for best practices in the first place, the VAR/VAP comes in and has to kick the owner off of his shiny new OEM Vista box and borrow it to set up the group policy firewall settings for it, or other settings that the managed services partner may want to do. When I'm doing group policy stuff... I'm up on that GPMC that is automagically installed on that SBS box and I'm in a group policy frame of mind. I could manage GPOs from my desktop but I just don't... I RDP into the server. What you guys should think of is burning in a VCD (virtual) Vista image that is pre-staged to be nothing but a Group Policy management tool? (stupid idea?)

Laura A. Robinson wrote:
So Microsoft should encourage their bad practices?
Laura

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Akomolafe, Deji
*Sent:* Friday, December 15, 2006 12:39 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Vista GPO

"People don't seem to have a problem with that concept when it comes to game consoles :)"
Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the ideal is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
*-5.75, -3.23*
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

*From:* Darren Mar-Elia
*Sent:* Fri 12/15/2006 9:18 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Vista GPO

I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :)
Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice then became to use only XP desktops for GP management. I think there's a tendency to think this is such a terrible thing, this backwards-incompatibility, and we might forget that Vista is not new with this, we had similar issues before. And who remembers the teeth-pulling to get people to move to Active Directory??

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
I love the smell of red herrings in the morning - anonymous

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, December 15, 2006 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

This is actually a little different because if you view a GPO that was created with Vista, using XP or 2003, none of the ADMX settings can actually be read at all, because they are a completely new format that GPEditor or GPMC on those older platforms don't understand. In fact, those XP or 2003 machines will happily copy up the ADMs into the Vista GPO like they used to do, and you're back to each GPO storing ADMs in SYSVOL.
Re: [ActiveDir] Vista GPO
And SBS's version of "fill in the blank" always lags behind the big guys (we let you bleed first so we don't have to :-) We're 64bit only or bust in the Longhorn era. That means for us to have a Longhorn GP'er... we're migratin' the kitchen sink to run on faster hardware (the water will run that much faster... just think of it)

Akomolafe, Deji wrote:
I'm sure that you are aware that LH is still many years away from significant adoption. We will see several intervening years between LH release and its reaching the mainstream. In the meantime, Vista would have become the de-facto desktop OS in place of XP (yes, I can dream). So, between now, then and when-ever, people will be needlessly handicapped in their ADM/ADMX decision making. I foresee a lot of gnashing of the teeth, more griping, beaucoup "evil M$" rants, and other heart-burn-inducing misunderstandings. Nobody said it would be non-trivial. If it were, people like me will not need people like you.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Darren Mar-Elia
Sent: Fri 12/15/2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Come on Deji... it's exactly the same, else why in the world do we upgrade perfectly good IT systems? :-) Folks can manage their GP from DCs when Longhorn ships. Until then, it's Vista. Also, it would be fairly trivial, if not time-consuming, to convert all those ADMXs in Vista back to ADMs. There is nothing technically preventing that. But, it is not trivial to back-port the other new Vista functionality, like published printers, wired policy, the new IPSec and Firewall stuff, back to older versions. You wouldn't need to back-port all of it... just enough to support GP editing, but still, it's a lot of work and MS, like most other software companies, probably needs to make the hard call about where to put dev and testing resources. I agree that it's not ideal, but I don't think having to manage GP from Vista for the intervening space of time until Longhorn ships is a terrible thing. It will probably take most orgs that much time to decide when to go to Vista anyway. And for the aggressive ones, Vista is not a bad choice for a management platform. I think the benefits of the central store and other improvements outweigh the medium term inconvenience. I am curious, however, what others think.
Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji
Sent: Friday, December 15, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

"People don't seem to have a problem with that concept when it comes to game consoles :)"
Bad analogy. Go stand in the corner, no wii for you :) When people start running their businesses on game consoles, then you can come back and compare. For now, it's just plain incomprehensible that you can't manage ADMX from anything but Vista. Yeah, ideally we would want to encourage clients to NOT manage things directly from servers, and to ensure that IF they are going to introduce Vista, the IT folks' machines should be doing the dog-fooding, but realistically, the "ideal" is always the exception in this field. Microsoft should know that. People will insist on managing GPO directly from the DCs, best practices be damned.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Darren Mar-Elia
Sent: Fri 12/15/2006 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

I hear you Rich. I had a long discussion with someone on the GP newsgroups who thought that the fact that XP and 2003 couldn't read Vista GP settings was an abomination and a scandal of the highest order and that MS should be beaten for their insolence (I'm paraphrasing :-)). But, yes, we should all be used to the fact that sometimes, you have to adopt the new stuff to get the new toys. People don't seem to have a problem with that concept when it comes to game consoles :)
Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rich Milburn
Sent: Friday, December 15, 2006 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO

Sorry, I understand it's different, what I meant was merely that we had some growing pains like this when XP first came out. Our practice
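As an added example (not the thread's own code), a PowerShell inventory of the two things Darren describes in this thread and the earlier one: whether the domain has an ADMX central store under SYSVOL, and which GPOs still carry classic .adm files in their Adm folder because they were last edited from an XP or 2003 GPMC. Assumes the default SYSVOL layout and Windows PowerShell 3.0 or later; $PoliciesRoot is a parameter so it can be pointed at a local copy of the Policies folder.

```powershell
# Added example, not from the thread. Inventories ADMX central store and
# per-GPO legacy ADM uploads in SYSVOL. Assumes the default SYSVOL layout:
#   \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions   (central store)
#   \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Adm\*.adm     (legacy templates)

function Get-GpoTemplateInventory {
    param(
        [string]$Domain       = $env:USERDNSDOMAIN,
        [string]$PoliciesRoot = "\\$Domain\SYSVOL\$Domain\Policies"
    )

    # Central store: Vista-era editors load ADMX from here instead of the local
    # C:\Windows\PolicyDefinitions whenever this folder exists.
    $central = Join-Path $PoliciesRoot 'PolicyDefinitions'
    $hasCentral = Test-Path $central
    $centralStore = [pscustomobject]@{
        Path      = $central
        Exists    = $hasCentral
        AdmxCount = if ($hasCentral) { @(Get-ChildItem $central -Filter *.admx -File).Count } else { 0 }
        Languages = if ($hasCentral) { @(Get-ChildItem $central -Directory | ForEach-Object { $_.Name }) } else { @() }
    }

    # GPO folders are named by GUID. An Adm subfolder with .adm files means an
    # XP/2003 editor pushed classic templates into this GPO (per-GPO ADM bloat).
    $gpos = Get-ChildItem $PoliciesRoot -Directory |
        Where-Object { $_.Name -like '{*}' } |
        ForEach-Object {
            $admDir = Join-Path $_.FullName 'Adm'
            $adms = if (Test-Path $admDir) { @(Get-ChildItem $admDir -Filter *.adm -File) } else { @() }
            $bytes = ($adms | Measure-Object -Property Length -Sum).Sum
            [pscustomobject]@{
                GpoGuid              = $_.Name
                LegacyAdmFiles       = $adms.Count
                LegacyAdmBytes       = if ($null -eq $bytes) { 0 } else { [int64]$bytes }
                TouchedByLegacyEditor = ($adms.Count -gt 0)
            }
        }

    [pscustomobject]@{
        CentralStore = $centralStore
        Gpos         = @($gpos)
    }
}

# Usage: summarise the domain, then list the GPOs that still carry ADM files.
$inv = Get-GpoTemplateInventory
$inv.CentralStore | Format-List
$inv.Gpos | Where-Object { $_.TouchedByLegacyEditor } | Format-Table -AutoSize
```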
Re: [ActiveDir] Vista GPO
(as a bystander here .. I personally like the point/counterpoints.. just sometimes we need to realize that we lose ...what? About 60% of communication via email? And adjust accordingly okay? Can we hug and make up?)
Pogue's Posts - Technology - New York Times Blog: http://pogue.blogs.nytimes.com/2006/12/14/14pogue-email-2/

Granted I'm little... but are you guys really and truly rolling out Vista in other than Lab settings anyway? I'm getting hit over the head on a daily basis by vendors who are saying Wait. My two benchmarks of when I can say I'm somewhat business ready on Vista are when the ISA firewall client that supports Vista ships (it did earlier this week) and when Trend isn't offering up beta versions as the only ones that will run on Vista. Are you guys really and truly rolling these suckers out on production boxes? Don't geeks adapt anyway? (We may not read... but we adapt right?)

This is slightly incorrect... but the fact is SQL 2005 Express officially needs SP2 to run on Vista: http://money.cnn.com/2006/12/14/magazines/business2/microsoft_vista.biz2/index.htm?cnn=yes

*Wait Until after Tax Time?* Note that Intuit's tax software divisions are recommending that their users wait until after tax season to make any move to Windows Vista. These notices are posted for both Lacerte Professional Tax Software http://recp.proadvisors.intuit.com/ctt?kn=18m=399604r=MzE0NTkxNTExOQS2b=0j=NzQzNjgzNDcS1mt=1 and ProSeries Professional Tax Software http://recp.proadvisors.intuit.com/ctt?kn=21m=399604r=MzE0NTkxNTExOQS2b=0j=NzQzNjgzNDcS1mt=1.

*Prudence Suggested for QuickBooks Users Too.* Windows Vista holds much promise for significant improvements in security and functionality. However, Intuit suggests the decision to upgrade to Windows Vista be approached carefully, for two reasons:
* Potential reliability issues often associated with the initial release of operating systems.
* Intuit will not be able to support QuickBooks 2006 and earlier on Windows Vista.

Laura A. Robinson wrote:
Deji, I've had enough of you attributing statements to me that I have not made, and therefore I am finished with this conversation.
Laura

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Akomolafe, Deji
*Sent:* Friday, December 15, 2006 4:44 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Vista GPO

Did I actually say that clueless folks are writing you checks? Or are you projecting? That those who write you checks but don't/can't/won't do things the right way (according to you) are clueless, and you don't like their checks?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
*-5.75, -3.23*
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

*From:* Laura A. Robinson
*Sent:* Fri 12/15/2006 12:50 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Vista GPO

BTW, I would disagree with your assessment of Microsoft's customer base. I work in Microsoft's largest district, with our largest customers, and I find them far from clueless. I also find very few clueless folks writing us checks that add up to those billions in the vault. Do I run into misinformed people? Absolutely. Clueless? Not really. Well, not among my customers, anyway. :-)
Laura

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Laura A. Robinson
*Sent:* Friday, December 15, 2006 2:26 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Vista GPO

And it's the clueful customers who (rightly) become angry when something in a product that exists purely for backward compatibility opens a security hole. Now, I'm not saying that all security holes are due to backward compatibility, and I'm not saying that every bit of code that comes out of Redmond is perfect. However, I have said for years that many of the things that people don't like about Microsoft's products are the result of backward compatibility, not bad coding or a lack of consideration on the part of Microsoft's programmers. As somebody else (Darren? Richard?) said, there is a point where a line has to be drawn in the
Re: [ActiveDir] SBS Dies Twice in Four Days
As a generalization, if the Microsoft O/S event logs are blank the issue tends to be hardware related (and those are the hardest ones to nail down at times)

Eric Fleischman wrote:
Can you give us some data? Like, when it dies, what do you see? Is death a blue screen? Or something else?

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Noah Eiger
*Sent:* Wednesday, December 13, 2006 10:39 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] SBS Dies Twice in Four Days

Hi – I have a client with a four-year old SBS 2000 SP4 install on a Dell PowerEdge 2500. In the last four days, the machine has simply died -- twice. I can find no obvious (or not so obvious) cause for this. There appears little that correlates directly with the crashes. The event logs are pretty clear of major errors (except below). The Open Manage software does not show any hardware problems. The drives are somewhat fragmented but not horribly. The few errors that show up include this: Shortly before Saturday’s crash, the FRS log recorded a 13568 JRNL_WRAP_ERROR. Since this is the only DC in this domain, I followed the steps provided to set the “Enabled Journal Wrap Automatic Restore” key to 1. This appeared to have cleared the error. This error has not recurred. Also, Exchange has logged some errors such as 2104 and 8197 which seem associated with access to the GC. When I followed the steps in MSKB 828764, I do not find any entries in the registry keys listed which are supposed to refer to the GC. Either way, I am not sure those would bring down a server – twice. Sorry if this is rambling a bit. I have been looking at this for several hours and don’t seem to be making any headway. Any thoughts welcome. The server is up now (after a hard reboot), but I’ve got to feel comfortable with leaving this server for a week – or my earlier post about laptop batteries will be meaningless ;-)
TIA
-- nme

--
No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.409 / Virus Database: 268.15.16/582 - Release Date: 12/11/2006
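An added check (not from the thread) for the journal wrap condition Noah describes: it counts recent FRS event 13568 entries on the DC and reports whether the automatic-restore switch is set. Assumes it runs on the DC itself under Windows PowerShell, and that the value name is the documented "Enable Journal Wrap Automatic Restore" under the NtFrs Parameters key (the post spells it slightly differently).

```powershell
# Added example, not from the thread. Run on the DC that logged the error.
function Test-FrsJournalWrap {
    param(
        [int]$LookbackDays = 7,
        [string]$NtFrsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
    )
    # Documented value name; assumption: unchanged on SBS 2000 SP4.
    $valueName = 'Enable Journal Wrap Automatic Restore'
    $since = (Get-Date).AddDays(-$LookbackDays)

    # Event 13568 is the JRNL_WRAP_ERROR Noah saw: FRS lost its place in the NTFS USN journal.
    $wraps = @(Get-EventLog -LogName 'File Replication Service' -InstanceId 13568 `
                            -After $since -ErrorAction SilentlyContinue)

    $item = Get-ItemProperty -Path $NtFrsKey -Name $valueName -ErrorAction SilentlyContinue
    $autoRestore = if ($null -eq $item) { 0 } else { [int]$item.$valueName }

    $advice = if ($wraps.Count -eq 0) {
        'No journal wrap in the window; look elsewhere (hardware, UPS software) for the outage.'
    } elseif ($autoRestore -eq 1) {
        'Journal wrap seen and automatic restore is on; confirm FRS logged a successful recovery and that 13568 stops recurring.'
    } else {
        'Journal wrap seen and automatic restore is off; FRS will not self-recover until the value is set to 1 (the steps Noah followed).'
    }

    [pscustomobject]@{
        JournalWrapEvents = $wraps.Count
        LastJournalWrap   = if ($wraps.Count) { ($wraps | Sort-Object TimeGenerated | Select-Object -Last 1).TimeGenerated } else { $null }
        AutoRestoreValue  = $autoRestore
        Advice            = $advice
    }
}

Test-FrsJournalWrap -LookbackDays 14 | Format-List
```

A journal wrap explains the FRS event but not a hard hang, which is why the thread moves on to the UPS software and the hardware vendor.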
Re: [ActiveDir] SBS Dies Twice in Four Days
[I don't mean really blank.. I just mean that they don't point to anything useful blank]

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
As a generalization, if the Microsoft O/S event logs are blank the issue tends to be hardware related (and those are the hardest ones to nail down at times)

Eric Fleischman wrote:
Can you give us some data? Like, when it dies, what do you see? Is death a blue screen? Or something else?

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Noah Eiger
*Sent:* Wednesday, December 13, 2006 10:39 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] SBS Dies Twice in Four Days

Hi – I have a client with a four-year old SBS 2000 SP4 install on a Dell PowerEdge 2500. In the last four days, the machine has simply died -- twice. I can find no obvious (or not so obvious) cause for this. There appears little that correlates directly with the crashes. The event logs are pretty clear of major errors (except below). The Open Manage software does not show any hardware problems. The drives are somewhat fragmented but not horribly. The few errors that show up include this: Shortly before Saturday’s crash, the FRS log recorded a 13568 JRNL_WRAP_ERROR. Since this is the only DC in this domain, I followed the steps provided to set the “Enabled Journal Wrap Automatic Restore” key to 1. This appeared to have cleared the error. This error has not recurred. Also, Exchange has logged some errors such as 2104 and 8197 which seem associated with access to the GC. When I followed the steps in MSKB 828764, I do not find any entries in the registry keys listed which are supposed to refer to the GC. Either way, I am not sure those would bring down a server – twice. Sorry if this is rambling a bit. I have been looking at this for several hours and don’t seem to be making any headway. Any thoughts welcome. The server is up now (after a hard reboot), but I’ve got to feel comfortable with leaving this server for a week – or my earlier post about laptop batteries will be meaningless ;-)
TIA
-- nme
Re: [ActiveDir] SBS Dies Twice in Four Days
For many/most they just use the built in (uh.. does 2k have built in?) UPS software in Windows rather than the Powerchute third party stuff. I just know that Powerchute had an expired Java cert in their program and brought servers to their knees a year or so ago making symptoms like DNS issues. So when it doubt pull it off. Noah Eiger wrote: Hi - Thanks for the links, Susan. Yes, those are the errors regarding Exchange / AD and the FRS errors seem to have gone away. The UPS is a good one to point to. The only thing that has changed is that we replaced the UPS. Ah ha, you might say. We had a UPS on this for years, but it did not run APC's PowerChute. That battery started beeping, and we installed the application. Then the UPS died. This is a new battery and new UPS. Do you know of any incompatibilities with APC's PowerChute? PowerChute does not show anything out of the ordinary around the time of the crashes. Finally, someone asked what was on the screen. I did not see it because I was not on site. The person who did the restart for me said the screen was blank. The screen is on a KVM. Regardless, I am calling Dell today. Thanks. -- nme -Original Message- From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [mailto:[EMAIL PROTECTED] Sent: Thursday, December 14, 2006 9:17 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] SBS Dies Twice in Four Days [I don't mean really blank.. I just mean that they don't point to anything useful blank] Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: As a generalization if the Microsoft O/S event logs are blank the issue tends to be hardware related (and those are the hardest ones to nail down at times) Eric Fleischman wrote: Can you give us some data? Like, when it dies, what do you see? Is death a blue screen? Or something else? 
*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Noah Eiger *Sent:* Wednesday, December 13, 2006 10:39 PM *To:* ActiveDir@mail.activedir.org *Subject:* [ActiveDir] SBS Dies Twice in Four Days Hi – I have a client with a four-year old SBS 2000 SP4 install on a Dell PowerEdge 2500. In the last four days, the machine has simply died -- twice. I can find no obvious (or not so obvious) cause for this. There appears little that correlates directly with the crashes. The event logs are pretty clear of major errors (except below). The Open Manage software does not show any hardware problems. The drives are somewhat fragmented but not horribly. The few errors that show up include this: Shortly before Saturday’s crash, the FRS log recorded a 13568 JRNL_WRAP_ERROR. Since this is the only DC in this domain, I followed the steps provided to set the “Enabled Journal Wrap Automatic Restore” key to 1. This appeared to have cleared the error. This error has not recurred. Also, Exchange has logged some errors such as 2104 and 8197 which seem associated with access to the GC. When I followed the steps in MSKB 828764, I do not find any entries in the registry keys listed which are supposed to refer to the GC. Either way, I am not sure those would bring down a server – twice. Sorry if this is rambling a bit. I have been looking at this for several hours and don’t seem to be making any headway. Any thoughts welcome. The server is up now (after a hard reboot), but I’ve got to feel comfortable with leaving this server for a week – or my earlier post about laptop batteries will be meaningless ;-) TIA -- nme
[ActiveDir] OT: Daylight savings time patches
WSUS Product Team Blog : DST Timezone KB929120 KB928338 updates explanation for WSUS admins: http://blogs.technet.com/wsus/archive/2006/12/13/dst-timezone-updates-why-do-i-have-2-when-i-synch-wsus-today.aspx (for the record I saw two updates as well) "While this update is being offered as optional now, once Outlook and Exchange tools are completed, so that all updates and tools can be run at the same time, we expect to change the classification of 928338 to high priority or critical. For more information please see: http://www.microsoft.com/windows/timezone/dst2007.mspx." (the answer to will this patch end up on high priority)
Re: [ActiveDir] OT: Daylight savings time patches
(okay that posted way too fast...what's wrong with the servers?) ;-)
Re: [ActiveDir] SBS Dies Twice in Four Days
Microsoft partners have a service called Server Down. If you are merely a registered Microsoft partner (which since you say clients and you are touching a SBS box.. you should be) you can log into your www.microsoft.com/partner profile (need passport) go to the support section, find the Business critical section and you have a number there and either a local number or toll free one to call. If this is a SBS 2000 sp4 box.. how old are those drives? Call Server Down when you get stuck.. the resource is there... use it IMHO. Now then... when did it die? What occurs in the event logs right before? Those JRNL wrap errors don't occur that often to SBS boxes. 2104 after a reboot is SBS tripping on Exchange and AD toes as it boots up. http://msmvps.com/blogs/bradley/archive/2004/01/22/1997.aspx http://msmvps.com/blogs/bradley/archive/2004/01/22/1998.aspx http://www.eventid.net/display.asp?eventid=8197&eventno=840&source=MSExchangeFBPublish&phase=1 8197? Like that?
Re: [ActiveDir] SBS Dies Twice in Four Days
Other ideas: UPS good?
Re: [ActiveDir] FRS and DNS problem
http://www.eventid.net/display.asp?eventid=13562&eventno=662&source=NtFrs&phase=1 Reviewed that? You've checked that it truly holds the FSMO roles? (ntdsutil) http://support.microsoft.com/kb/255504 http://support.microsoft.com/kb/234790 Craig A. Bumpstead wrote: Hi, I moved all FSMO roles from my old server to my new server. But now I seem to have a FRS issue. When I run netdiag /test:dns I get the following: Domain membership test . . . . . . : Failed [WARNING] The system volume has not been completely replicated to the local machine. This machine is not working properly as a DC. I also get Event ID: 13562 As a result I am unable to remove the old server via dcpromo, as it reports it cannot locate a domain controller. Any help would be great. Cheers, Craig
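The two checks Susan asks for (does the new server really hold the roles, and is FRS still failing to build SYSVOL there), as an added PowerShell example that is not from the thread or from any Microsoft tool. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later; on the 2003-era boxes in this thread, netdom query fsmo and the event viewer are the equivalents), the legacy FRS event log name, and that it runs on the new DC as a domain admin. The seven-day window is an assumption too.

```powershell
# Added example, not from the thread. Run on the NEW domain controller as a
# domain admin. Assumes the RSAT ActiveDirectory module and the legacy FRS
# event log name ("File Replication Service"); both are assumptions, not
# something the thread states.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$forest    = Get-ADForest
$localFqdn = "$env:COMPUTERNAME.$($domain.DNSRoot)"

# The five roles as the directory itself reports them (FQDN of the holder).
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $where = if ($r.Value -ieq $localFqdn) { 'THIS DC' } else { 'elsewhere' }
    '{0,-21} {1,-40} {2}' -f $r.Key, $r.Value, $where
}

# Cross-check with the tool the thread uses. If this output disagrees with
# the table above, the two DCs are not replicating and the "transfer" only
# happened on one of them.
netdom query fsmo

# 13562 / 13568 in the last week = FRS still cannot build SYSVOL here, which
# is exactly why netdiag says the machine "is not working properly as a DC".
$frs = Get-WinEvent -FilterHashtable @{
    LogName   = 'File Replication Service'
    Id        = 13562, 13568
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
if ($frs) {
    $frs | Select-Object TimeCreated, Id, Message | Format-List
} else {
    'No FRS 13562/13568 events in the last 7 days.'
}

# A DC that does not share SYSVOL will not advertise itself, so dcpromo on
# the old box "cannot locate a domain controller". Fix FRS before demoting.
if (-not (Test-Path "\\$localFqdn\SYSVOL")) {
    Write-Warning "SYSVOL is not shared on $localFqdn yet."
}
```

The point of running both the module query and netdom is that the module asks whichever DC it binds to, while netdom is what the thread used; if the two disagree, the role move has not replicated and seizing again on the new box (KB 255504) is the next step, not dcpromo on the old one.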
Re: [ActiveDir] OT: Quota Software
FSRM is even in SBS 2003 R2 ;-) Steve Linehan wrote: Windows Server 2003 R2 not only improved on the quota management built into the product, allowing granularity down to the user, but also added reporting and file screening. You can find more information on these new features at the following links: http://www.microsoft.com/technet/technetmag/issues/2006/05/GetControl/default.aspx http://download.microsoft.com/download/7/4/7/7472bf9b-3023-48b7-87be-d2cedc38f15a/WS03R2_Storage_Management.doc Thanks, -Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Miller Sent: Tuesday, December 12, 2006 1:33 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: Quota Software We use a 3rd party app SpaceGuard SRM from www.tools4ever.com on our file servers to implement directory level (rather than user level) disk quotas, monitor usage, send email to users when they get close or hit the quota, etc. I can monitor and manage quotas from a single client workstation and have set up automatic quotas for Home Directories. SpaceGuard works fine for our single site. We did not try the built in Windows quota at the time we switched to AD 4 years ago because the quota was by user. It may have gotten better in win2k3. Michael J. Miller Computing Services College of Veterinary Medicine, UIUC Mark Parris wrote: All, I have been tasked with implementing disk quotas for corporate users; some of the data is centralised and some is stored on regional file servers, but no user has data spread over more than one server or location. Whilst I understand the concepts I have never implemented quota software so can anyone recommend quota management software that works? The software must be configurable to a user or a group and not at the volume level. A nice to have would be storage billing. Any gotchas? Regards, Mark Parris Base IT Ltd Active Directory Consultancy Tel +44(0)7801 690596
Re: [ActiveDir] OT: Benefits of SBS2003 R2 over SBS2000
Over SBS 2000 or over SBS 2003? 'cause if you are asking about 2000 to 2003 ...besides security...besides community support... Remote Web Workplace and the daily email are two killer killer apps of SBS.. wizard to set up Outlook over HTTP automagically. How long do you need for me to convince you to kill off that SBS 2000 and get onto SBS 2003? (Excuse the attitude, please) US versus THEM: http://www.sbslinks.com/Us_v_them.htm Mind you this is SBS 2003 sp1 comparison to normal Windows Server but R2 adds a SBSized WSUS. Robert Rutherford wrote: Hi Guys, Has anyone got a decent list of the benefits of SBS2003 R2 over SBS2000? I can't find anything detailing the improvements/benefits. Thanks, Rob
Re: [ActiveDir] OT: Benefits of SBS2003 R2 over SBS2000
Small Business Server 2003 R2 Release - ITP WebBlog: http://blog.itprosusa.com/?p=23 A smidge more of the difference between SBS 2003 sp1 and SBS 2003 R2.
Re: [ActiveDir] OT: Vista Activation and KMS
Yes but does it have good screenshots... it's not a SBSized whitepaper unless it's got screenshots you know ;-) Honestly I don't see that many SBSers will be setting up a KMS infrastructure anyway... Microsoft may love it if we roll out 25 or more VLs.. but I doubt that and we'd be buying OEM Vistas anyway. (not to mention... we'd annoyingly ask to have a wizard to install this sucker anyway ;-) I'm assuming you mean this link? http://www.microsoft.com/downloads/details.aspx?FamilyID=9893f83e-c8a5-4475-b025-66c6b38b46e3&DisplayLang=en Laura A. Robinson wrote: You know, there's one thing I may have forgotten to mention- there's a good whitepaper on this. :-P Laura *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *MikeM *Sent:* Saturday, December 09, 2006 12:10 AM *To:* ActiveDir@mail.activedir.org *Subject:* Re: [ActiveDir] OT: Vista Activation and KMS So Laura, correct me if I'm wrong, but are you suggesting we read the white paper? Seriously, thank you for all of the input on this matter. -MM- On 12/8/06, *Laura A. Robinson* [EMAIL PROTECTED] wrote: 1. The entire conversation is ~450 BYTES of traffic. If you can't swing that over six months, you have bigger problems than activation. SSL-based VPN changes nothing. Connectivity is connectivity. Why do you assume that activation can't occur over an SSL-based VPN? 2. If you have no links at all, either look at a KMS host at the remote sites, or look at MAK activation. 3. Who said anything about you having to have two different images? Folks, please read the whitepapers and try this out before you reject it. The expression "tilting at windmills" comes to mind with some of these objections.
Laura *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* [EMAIL PROTECTED] *Sent:* Friday, December 08, 2006 11:41 AM *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] OT: Vista Activation and KMS If it's so well baked then how do you support multiple remote offices with slow VPN links, or none at all? How do you support field users without a VPN client, or using an SSL based VPN? Making us use two different images (one for each key type) isn't a solution since it doubles our support work and clients may move from one model to the other. There are plenty of situations where it just doesn't work well for IT in the real world. Thanks, Andrew Fidel *Laura A. Robinson [EMAIL PROTECTED]* Sent by: [EMAIL PROTECTED] 12/05/2006 04:43 PM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject RE: [ActiveDir] OT: Vista Activation and KMS The Windows Server 2003 KMS host will be out soon. In the meantime, Vista is perfectly acceptable to use and it's incredibly simple to decommission it as a KMS host when you implement a Win2K3 host. No TAM support needed. Again, I'd really encourage people to thoroughly read the documents I referenced before, because I'm seeing a lot of confusion on this list that indicates that people aren't really understanding how this works (not you in particular, Susan, just a general comment as I've been watching the VLA comments for a little while). Or if you're Neil, you can schedule a LiveMeeting and I'll explain it, because Neil's company is one of my district's customers.
;-) Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Tuesday, December 05, 2006 3:21 PM To: ActiveDir@mail.activedir.org
Re: [ActiveDir] OT: Vista Activation and KMS
Some questions: - * In order to help provide our services, we occasionally provide information to other companies that work on our behalf. These companies are required to keep this information confidential and are prohibited from using it for any other purpose. Question - We asked in the WGA forum what other info was provided and to whom this was provided but didn't get a good answer. In secured networks is this shared info more disclosed to the customer? http://forums.microsoft.com/Genuine/ShowPost.aspx?PostID=593225&SiteID=25 · *Secure zone:* In this scenario, the tool can activate computers using MAK proxy activation. This assumes that the clients in the secure zone do not have Internet access. The following two key issues need to be addressed: · The computers must be discoverable (through Active Directory® directory service or Workgroups). · The tool has to make a call to the WMI services on the computer to get status and install MAKs and CIDs. This requires the firewall to be configured to allow DCOM RPC traffic through it. For more details on this, see How to configure RPC dynamic port allocation to work with firewalls at the following URL: http://support.microsoft.com/?kbid=154596 Question - Is this the same sort of connection that is needed to allow for MBSA 2.0 to scan through firewalls? As at the present time with XP sp2 and MBSA I cannot get a consistent scan.. the remedy is in the MBSA FAQ http://www.microsoft.com/technet/security/tools/mbsa2/qa.mspx which states that I need to use KB 902400...which is a security patch. In order to install this with the proper flags (per my read) I have to uninstall 05-051 and then redeploy it with the needed flags. I don't remove security patches lightly... do you know if the same DCOM issue will affect MAK proxy as I've seen with MBSA 2.0 through XP sp2 firewalls?
*Step 1: Review system requirements* MBSA cannot scan a remote computer protected by a firewall unless the firewall is configured to open the ports that MBSA uses to communicate with the computer. The Windows Update Agent implements a remote scanning interface based on DCOM. The account being used to scan must possess local administrator rights. The computer must also be configured to meet the following conditions: • The Server service, Remote Registry service, and File and Print Sharing service must be running on the remote computer. • The required ports must be open on the firewall. • The Windows Update Agent must be installed and the Automatic Updates service must not be disabled. Remote computer scans are performed using TCP port 135, a dynamic or static DCOM port, and ports 139 and 445. Where a firewall or filtering router separates two networks, TCP ports 135, 139, and 445 and UDP ports 137 and 138 must be open in order for MBSA to connect and authenticate to the remote computer being scanned. You must allow these ports to be open on the remote firewall if a personal firewall is being used. *Note:* The use of DCOM for remote scanning through Windows Firewall on all versions of Windows XP may require a post-SP2 hotfix as described in Microsoft Knowledgebase article 895200, Availability of the Windows XP COM+ Hotfix Rollup Package 9. Customers may now obtain this fix by installing the COM+ update (KB 902400) using these procedures: 1. Download the update from http://www.microsoft.com/downloads/details.aspx?FamilyId=20F79CE7-D4DB-42D7-8E57-58656A3FB2F7 on the Microsoft Download Center. 2. Copy the update to the computer you are updating and open a command prompt on that computer. 3. Run the update using the command line options described in KB article 824994 (specifically, the /B:SP2QFE command line option). Doing this will install all of the Windows XP COM+ Hotfix Rollup Package 9 fixes, in addition to the fixes released in the security bulletin MS05-051.
Question - Also are there specific ISA rules/configurations that need to be addressed? --- Fyi for those - this caused some concern that they had taken away full boot VL images... you may need to request media if you want to do a true clean install image with a qualifying XP license around. They are still there.. you just have to request them: Volume License Product Use Rights require that you have a previous qualifying operating system license for each copy of Windows Vista you deploy. The default 32-bit Volume License media are upgrade-only and are not bootable[1]. You must first boot a previous version of Windows and then run the setup to install Windows Vista. Bootable media is also available on request through your Volume License portal. [1] 64-bit Volume License media are not restricted in this way,
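The port list from the MBSA FAQ quoted above, turned into something you can run before blaming the COM+ hotfix: an added PowerShell example, not from the thread, from MBSA or from any Microsoft KB. It probes the fixed TCP ports the DCOM-based scan needs on a target workstation and, optionally, writes the KB 154596 registry values that pin the RPC dynamic range on the scanned machine so a firewall can be opened for it. The hostname `ws-xp-01`, the 5000-5100 range, and the `Test-TcpPort` helper are all assumptions of this example.

```powershell
# Added example, not from the thread. $Target and the RPC port range are
# assumptions. Probes the fixed ports MBSA's DCOM-based remote scan needs
# (from the MBSA FAQ text quoted above) and, with -PinRpcRange, applies the
# KB 154596 registry values on the machine being scanned.
param(
    [string]$Target = 'ws-xp-01',   # assumed hostname of the workstation to scan
    [switch]$PinRpcRange            # run ON the scanned machine, then reboot it
)

function Test-TcpPort {
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# TCP 135 = RPC endpoint mapper (DCOM bootstrap); 139/445 = SMB, which the
# Remote Registry and Server service checks ride on. UDP 137/138 (NetBIOS
# name/datagram) cannot be verified with a TCP connect, so they are only noted.
foreach ($port in 135, 139, 445) {
    $state = if (Test-TcpPort -Computer $Target -Port $port) { 'open' } else { 'BLOCKED' }
    '{0}:{1,-4} {2}' -f $Target, $port, $state
}
'UDP 137/138 not probed; confirm in the firewall log if the scan still fails.'

# After the endpoint mapper, DCOM hands the scan off to a dynamic port.
# KB 154596 lets you confine that range so one firewall rule can cover it.
if ($PinRpcRange) {
    $rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $rpc)) { New-Item -Path $rpc -Force | Out-Null }
    Set-ItemProperty -Path $rpc -Name Ports                  -Type MultiString -Value @('5000-5100')
    Set-ItemProperty -Path $rpc -Name PortsInternetAvailable -Type String      -Value 'Y'
    Set-ItemProperty -Path $rpc -Name UseInternetPorts       -Type String      -Value 'Y'
    'RPC dynamic range pinned to 5000-5100; open TCP 5000-5100 plus 135/139/445 on the firewall and reboot.'
}
```

If 135 is open but the scan still dies after the endpoint-mapper handshake, the dynamic port is what the firewall is eating, which is the case the registry block addresses. On an XP SP2 box the built-in firewall's Remote Administration exception (`netsh firewall set service RemoteAdmin enable`) is the usual way to let that DCOM traffic in; the /B:SP2QFE hotfix flag Susan asks about is a separate COM+ problem, not a port problem.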
Re: [ActiveDir] OT: Vista Activation and KMS
BTW that first part was a bit blonde ('tis a Saturday and the dew hasn't kicked in)..what I meant was...there isn't any special flag that needs to be kicked on the Vista's like there is on XP sp2 to get that Dcom thing working?
[ActiveDir] OT: Silly me.. I thought it already had RTM'd
http://blogs.technet.com/brettjo/archive/2006/12/08/exchange-server-2007-rtm.aspx Good Morning all, just wanted to bring the following to your attention..!!! http://msexchangeteam.com/archive/2006/12/07/431782.aspx Okay so where's the Exchange 2007 listserves?
Re: [ActiveDir] What is Websence
Please be advised that your time to learn, update, get up to speed on something is not free so while the "fill in the blank" may not have licensing fees, nothing in life is for "free"... everything has some sort of cost value to it. For me to learn it means I'd be expending my time to get up to speed. So sayeth my Momand she knows all. Ramon Linan wrote: you can also do that with Squid, can have a farm or squid proxies running together, and it is Free :D From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Vinnie Cardona Sent: Friday, December 08, 2006 12:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] What is Websence Websense can also run on Linux. What I do like about it is that it can fail-open. Meaning that if your one Websense server is being rebooted or goes down users are still able to access the internet (User are not being filtered while the server is unavailable). -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ramon Linan Sent: Friday, December 08, 2006 7:02 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] What is Websence Or Squid and squidguard, open source and free, and very reliable...but of course requires Linux -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Derek Harris Sent: Thursday, December 07, 2006 7:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] What is Websence You can check their website: www.websense.com I evaluated the software version a couple of months ago and wasn't impressed -- stayed with SurfControl. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ravi Dogra Sent: Thursday, December 07, 2006 4:30 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] What is Websence Is it a box or software driven web filtering. Please provide some info on this. 
-- Thanks, RD
Re: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommedations?
for that). Also, we currently have 2 main offices in Spain (connected by DSL) and people working or tele-working in the US, Mexico, Colombia, Germany and the UK (2/3 people on each place at most): I believe that creating the infrastructure (reliability-wise) to serve all those locations inhouse would be a tad expensive and (I believe) not really warranted. Of course, I'd love to hear opinions either way... As for control freak, we have a VPS so we have root on the mail server; as a matter of fact the hardest point for the internal acceptance of a hosted solution would probably be lack of root access on the email server... I agree with you that to manage that many (ok, those who manage Multi-K domains, please stop laughing) users, AD is a must And, besides, we develop security software that runs on top of AD, so it'd be a bit odd if we didn't use our own SW ;) In any case, I really am starting to believe that the simpler thing will be to get the real thing, so the options seem to be: 1) Get an Exchange Server inhouse. But that means making sure that our DSL line doesn't go down, and having the bandwidth etc... 2) House a server on some co-lo. The comm. problems disappear, but we still have to babysit the thing... 3) Go for a hosted exchange provider. I've seen offers on the range of ~7€/mo/user; I believe that for a limited number of users (~30 ATM, possibly up to 40 in the foreseeable future) that makes more sense than doing it all ourselves... I'd really love to hear your thoughts on the matter, and also if you could comment/recommend any service providers you'd make my life considerably easier ;) In any case, thanks again for reading this far and bearing with my ramblings. 
Happy Christmas for all ;) Javier Jarava On 05/12/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote: Hosted SBS with Outlook 2003 Office Live http://office.microsoft.com/en-us/outlook/HA100809831033.aspx Not 2003 without a SBS box on the backend but 2007 uses Office Live to share calendars. 40 people and you don't have a server... wow... the control freak in me is freaking out. We put SBS servers in at 5 to 10 people and even less. Shared calendars pushes the sale of many a SBS box I don't know of non MS solutions. Javier Jarava wrote: Hi! Sorry if this question is a bit off-topic to the list, but I've seen some Exchange-related questions here, so I know there is Exchange expertise hanging around ;) and I didn't know where to ask; please feel free to point me to the proper forums (forii?) to ask in. I am looking for a way to implement shared calendars a la exchange (ie, they have to be visible and used from within Outlook 2003), but without actually using/hosting an Exchange Server ourselves. The idea is that people should be able to see/manage the calendar of the people they manage, so free/busy info is not enough. And the outlook requisite is a must (as my CEO put it yesterday: I live within Outlook; I don't want to meddle with web apps or the like) I know that it's a bit odd of a requisite, but we are a small co. (~ 40 employees) and the president feels that having to babysit a server in-house is a bit of a needless burden. At present we host our email / web presence / customer ticketing system in a pair of VPS from Verio, so if the proposed solution could run on top of FreeBSD it'd be a big plus ;) Of course (now going for the and ask about the KitchenSink part ;) if we could put it into place without having to tweak our email setup that'd be wonderful!!. We understand that we'd probably have to install some Outlook plugin, so that's OK... 
If there is no way to have the Shared Calendar feature as a stand-alone service/server, I guess the next step would be to ask those of you who know Exchange for an exchange clone that runs on FreeBSD / Unix. Or last but not least, I guess that there must be hosted Exchange providers out there that you can recommend. That'd mean re-doing our mail system, but I guess that we could live with it, if need be. Thanks a lot for those of you who have read this far. Best Regards Javier Jarava
Re: [ActiveDir] Delegate join computer to domain
In the default domain set up ... a domain user can set up 10 computers as was pointed out After I adjusted the security settings, I reduced the default number of computers an authenticated user can join to the domain down to zero. Why not just change the group to have that right again? As you know there's a specific group policy setting for that. What's the risk for this group to not have this right? (Threats and Countermeasures guide discusses the pros/cons) Wells, James Arthur wrote: Ben, There is a larger list of required ACE entries to JOIN a computer to the domain. They are: List Contents Read All Properties Delete Delete Subtree Read Perms All Extended Rights(gives you Allowed to Authenticate Change Pwd Receive As Reset Pwd Send As) Validated write to DNS host name Validated write to service principal name (Property permissions) Write Account Restrictions Read DNS Host Name Attributes Read Personal Information Read Public Information Good luck! (I'm assuming you're in W2K3 domain mode, because in mixed, Pre-Win2K Compatible Access grants extra permissions letting users join computers, even when dropping the workstation quota to 0). --James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Thursday, December 07, 2006 1:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Delegate join computer to domain Hello everyone, Our desktop support group are all a part of a security group called IT. I delegated the Create and Delete Computer ACEs to the security group over the OU that I want them to add computer accounts into when a machine is joined to the domain. After I adjusted the security settings, I reduced the default number of computers an authenticated user can join to the domain down to zero. 
It seems that the members of the IT security group can pre-create the computer accounts, but when they attempt to go through the join process, they are caught at the check that determines if they have surpassed the number of machines a user can join to the domain (which is now zero). What must I do so this security group is not subject to that check? Thanks, Ben -Original Message- From: Thompson, Elizabeth [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org ActiveDir@mail.activedir.org Cc: [EMAIL PROTECTED] [EMAIL PROTECTED] Sent: 12/7/06 11:31 AM Subject: RE: [ActiveDir] Please help me Check and see if it still has the dead server listed under its NTDS Settings in AD Sites and Services. Had this happen once to me. I manually deleted the NTDS reference and it was happy. Elizabeth Thompson Service and Support Technician/Exchange Admin Information Technology Services The Community College of Baltimore County From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, December 07, 2006 10:50 AM To: ActiveDir@mail.activedir.org Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED] Subject: [ActiveDir] Please help me I have a strange problem and can not find any solution I used DCpromo to demote a computer. It worked ok, the Domain controller was demoted. But when I use repadmin to show other DCs' replication, it shows replications from the domain controller that was demoted. I didn't find anything to explain how to solve that. Where can I find it, to remove it from replication. 
The machine is a network computer, but replication fails with message: SPO-COSTA\SPO-CENTRO5 -- (THIS IS THE DOMAIN CONTROLLER THAT IS NOT A DOMAIN CONTROLLER ANYMORE) DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2 DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS USNs: 13018091/OU, 13018091/PU Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c): A operação de agente do sistema de diretórios (DSA) não pode prosseguir devido a uma falha de pesquisa de DNS. 96 consecutive failure(s). Last success @ 2006-12-01 07:58:08. Adrião Ferreira Ramos Depto. de Operações e Infra-Estrutura - CII.14 [EMAIL PROTECTED] (11) 3388.8193 This message may contain confidential and/or privileged information. If you are not the addressee or the person authorized to receive this message, you may not use, copy or disclose the information it contains or take any action based on it. If you have received this message in error, please notify the sender immediately by replying to this e-mail and then delete it. Thank you for your cooperation.
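The repadmin output above is what a demoted DC's leftover replication metadata looks like: the partner is still listed, marked "DEL:" and "(deleted DSA)", and every attempt fails. The following is an added example, not code from the thread, that parses text of that shape and flags the partners that still need metadata cleanup; the sample text, site and server names and GUIDs are constructed placeholders modelled on the quoted output.

```python
"""Flag inbound replication partners whose NTDS Settings object is gone.

Added example for this thread, not code from the original posts. It parses
text in the shape of `repadmin /showrepl` output; the sample below is
constructed (placeholder site, server names and GUIDs) to mimic the output
quoted above, where a demoted DC still shows up as a "(deleted DSA)" partner.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: one healthy partner and one stale partner whose DSA
# object was deleted (the "DEL:" prefix and "(deleted DSA)" marker).
SAMPLE_SHOWREPL = """\
DSA Options: IS_GC
DSA object GUID: 11111111-1111-1111-1111-111111111111

==== INBOUND NEIGHBORS ======================================

DC=example,DC=com
    SITE-A\\DC2 via RPC
        DC object GUID: 22222222-2222-2222-2222-222222222222
        Last attempt @ 2006-12-07 07:56:32 was successful.

DC=example,DC=com
    SITE-A\\DC5
DEL:357e1f2d-0000-0000-0000-000000000000 (deleted DSA) via RPC
        DC object GUID: 33333333-3333-3333-3333-333333333333
        Address: 33333333-3333-3333-3333-333333333333._msdcs.example.com
        Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        96 consecutive failure(s).
        Last success @ 2006-12-01 07:58:08.
"""

PARTITION_RE = re.compile(r"^(?:DC|CN)=\S+")
NEIGHBOR_RE = re.compile(r"^\s+(?P<site>[^\\\s]+)\\(?P<server>\S+)")
DEL_RE = re.compile(r"DEL:(?P<guid>[0-9a-fA-F-]{36})")
FAIL_RE = re.compile(r"(?P<n>\d+) consecutive failure")
RESULT_RE = re.compile(r"failed, result (?P<code>\d+)")
SUCCESS_RE = re.compile(r"Last success @ (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")


@dataclass
class Neighbor:
    """One inbound replication partner for one naming context."""
    partition: str
    site: str
    server: str
    deleted_dsa: bool = False
    deleted_guid: Optional[str] = None
    consecutive_failures: int = 0
    last_result: Optional[int] = None
    last_success: Optional[str] = None


def parse_showrepl(text: str) -> List[Neighbor]:
    """Walk the INBOUND NEIGHBORS section and collect one Neighbor per partner."""
    neighbors: List[Neighbor] = []
    partition = ""
    current: Optional[Neighbor] = None
    for line in text.splitlines():
        if PARTITION_RE.match(line):
            partition = line.strip()
            current = None
            continue
        m = NEIGHBOR_RE.match(line)
        if m:
            current = Neighbor(partition, m["site"], m["server"])
            neighbors.append(current)
        if current is None:
            continue  # header lines before the first partner
        d = DEL_RE.search(line)
        if d:
            current.deleted_dsa = True
            current.deleted_guid = d["guid"].lower()
        if "(deleted DSA)" in line:
            current.deleted_dsa = True
        f = FAIL_RE.search(line)
        if f:
            current.consecutive_failures = int(f["n"])
        r = RESULT_RE.search(line)
        if r:
            current.last_result = int(r["code"])
        s = SUCCESS_RE.search(line)
        if s:
            current.last_success = s["ts"]
    return neighbors


def stale_partners(neighbors: List[Neighbor], min_failures: int = 1) -> List[Neighbor]:
    """Partners that need metadata cleanup: a deleted DSA, or repeated failures."""
    return [n for n in neighbors
            if n.deleted_dsa or n.consecutive_failures >= min_failures]


if __name__ == "__main__":
    for n in stale_partners(parse_showrepl(SAMPLE_SHOWREPL)):
        print(f"{n.partition}: {n.site}\\{n.server} deleted_dsa={n.deleted_dsa} "
              f"guid={n.deleted_guid} failures={n.consecutive_failures} "
              f"last_result={n.last_result} last_success={n.last_success}")
```

Run it against saved `repadmin /showrepl` output from each remaining DC; any partner it reports with `deleted_dsa=True` is the stale NTDS Settings reference the replies above say to remove.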
[ActiveDir] OT: But THANK YOU WSUS/Exchange
http://blogs.technet.com/wsus/archive/2006/12/06/intelligent-message-filter-for-exchange-server-2003-supersedence-release-model.aspx Starting today, the WSUS administrator will notice that the IMF Filters now supersede each other instead of direct expiration of every update. A review of the process over the last couple of months allowed us to identify that the expiration release model just wasn't working. The new model allows a better control of ensuring that an IMF update will always be available even if the release window for the new update is missed. The new release model will be as follows: 1. The new update (N) will supersede the previous update (N-1) when viewed by the WSUS administrator 2. N-3 updates and older will be expired. Scott Roberts (Exchange SE)
Re: [ActiveDir] _msdcs not propagated in AXFR
Put duct tape over the top and forget about them. Seriously...you mess with those (especially the OU stuff) and you will break some wizards in SBS. Kinda like the Kitchen Sink stuff you live with it or if you do mess with 'em, please do so not on a client's box and only on your own that only you will touch because if there's one thing that will make me take forks out and start stabbing folks is when you mess up a clients box. Truly... when a SBSer who knows the quirks about SBS comes into a network and sees stuff screwed around with, they will swingmigration/flatten it and get it back to a known state because it costs the client more in the long run when it's not default. Granted that default may not be what big server land considers default... but it is what it is. I'll ping you up with Paula aka Lanwench... the world wide Former Enterprisers who hate the quirks of SBS but deal with them anyway is starting new chapters daily. Michael B Allen wrote: Yeah, but you can just ignore it and it's not the default Users or Computers containers. Still, is there a safe way to remove those? Similarly there's a safe way to remove the Default-First-Site-Name stuff too? Mike On Mon, 04 Dec 2006 20:28:42 -0800 Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote: http://msmvps.com/blogs/bradley/archive/2005/07/27/59808.aspx http://www.sbslinks.com/images/wp5z50vd.gif Joe? Deji? Got some forks? Laura A. Robinson wrote: Please tell me that you're making that up. Otherwise I'll have to stab myself in the eye with a fork. My Business Words fail me. 
:-) Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Monday, December 04, 2006 9:13 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] _msdcs not propagated in AXFR We install the Kitchen Sink service too don't forget ;-) (wait until we start talking about the My Business OU...that's usually good for another freak out or two) Laura A. Robinson wrote: Small point- dcpromo creates those zones as mentioned in the original question *if* you have not configured DNS beforehand, *if* you tell dcpromo to go ahead and do it for you, and *if* you're building the forest root domain. If you have configured DNS beforehand, how the zones get created (as stub zones, as subdomains, etc.) will depend on that preconfiguration. If you're not building the forest root domain, the subdomain already exists and dcpromo is just populating it. I bring this up only because there are many companies that have existing DNS infrastructures and it's important to know that default is not equivalent to mandatory. It is not a requirement that the _msdcs zone be either a separate zone or a subdomain in an existing zone, whether it's a stub or a full zone, etc. Of course, since we're talking SBS, all of this goes out the window (no pun intended). SBS is its own freaky little animal. Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hans Halbmayr Sent: Monday, December 04, 2006 1:06 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] _msdcs not propagated in AXFR Usually dcpromo creates all these zones. Windows creates these zones in a forest partition. If you have a linux DNS server just create another slave zone of _msdcs.example.com. The gray one is only the delegation. 
Hans - Original Message From: Michael B Allen [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Cc: [EMAIL PROTECTED] Sent: Saturday, December 2, 2006 5:39:26 PM Subject: Re: [ActiveDir] _msdcs not propagated in AXFR Ok, so basically _msdcs is just a separate zone. Do Windows DNS setups usually do this? I'm using SBS. I have a bind DNS server running on a linux machine with a slave zone for example.com. The AXFR doesn't have those records (aside from the NS record). So what you're saying is that I need to setup another slave zone for the _msdcs subdomain? Mike On Sat, 2 Dec 2006 03:02:22 -0800 (PST) Hans Halbmayr [EMAIL PROTECTED] wrote: Hi Mike, the gray one is the delegation of the zone. The _msdcs is a subdomain of your forest root. Because it is needed all over the forest it is delegated. Regards Hans - Original Message From: Michael B Allen [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Cc: [EMAIL PROTECTED] Sent: Saturday, December 2, 2006 12:15:29 AM Subject: Re: [ActiveDir] _msdcs not propagated in AXFR I'm not sure I
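The point Hans and Laura make, that _msdcs is a delegated child zone so a transfer of the parent carries only the delegating NS record, is easy to model. The following is an added example, not code from the thread: it assigns each record to the most specific zone that contains it, works out what a secondary that slaves only example.com would receive, and lists the extra zones it must slave. The zone text, names and addresses are constructed placeholders, and glue records are not modelled.

```python
"""Why a parent-zone AXFR carries only the delegation NS for _msdcs.

Added example for this thread, not code from the original posts. It models
zone cuts the way a secondary sees them: a record lives in the most specific
zone that contains it, so a slave of example.com alone receives the NS
record that delegates _msdcs but none of the records inside the child zone.
The record text and names below are constructed placeholders; glue records
are not modelled.
"""
from typing import List, Optional, Set, Tuple

Record = Tuple[str, str, str]  # (owner, type, rdata), owner fully qualified

# Constructed view of what the DC's DNS server holds across both zones.
CONSTRUCTED_RECORDS = """\
example.com.                        NS   dc1.example.com.
dc1.example.com.                    A    192.0.2.10
_msdcs.example.com.                 NS   dc1.example.com.
_ldap._tcp.example.com.             SRV  0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com.   SRV  0 100 389 dc1.example.com.
gc._msdcs.example.com.              A    192.0.2.10
"""

# Zones the master serves: the forest root and the delegated _msdcs child.
MASTER_ZONES = ["example.com.", "_msdcs.example.com."]


def parse_records(text: str) -> List[Record]:
    """Parse 'owner TYPE rdata' lines (no TTL/class, as in the sample above)."""
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        records.append((parts[0].lower(), parts[1].upper(), " ".join(parts[2:])))
    return records


def owning_zone(name: str, zones: List[str]) -> Optional[str]:
    """The longest configured zone that contains `name` (None if no zone does)."""
    matches = [z for z in zones if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def parent_zone(zone: str, zones: List[str]) -> Optional[str]:
    """The configured zone that contains the zone apex's parent name, if any."""
    parent_name = zone.split(".", 1)[1]  # drop the leftmost label
    return owning_zone(parent_name, zones) if parent_name else None


def in_axfr(zone: str, record: Record, zones: List[str]) -> bool:
    """True if a transfer of `zone` includes `record`.

    Records below a zone cut belong to the child; the parent only sends the
    NS set at the cut (the delegation), which is what shows up as the grey
    folder in the DNS console.
    """
    owner, rtype, _ = record
    oz = owning_zone(owner, zones)
    if oz == zone:
        return True
    return rtype == "NS" and oz == owner and parent_zone(oz, zones) == zone


def missing_after_transfer(records: List[Record], master_zones: List[str],
                           slave_zones: List[str]) -> List[Record]:
    """Records a secondary never receives if it slaves only `slave_zones`."""
    return [r for r in records
            if not any(in_axfr(z, r, master_zones) for z in slave_zones)]


def zones_needed(records: List[Record], master_zones: List[str],
                 slave_zones: List[str]) -> Set[str]:
    """Extra zones the secondary must also slave to get every record."""
    missing = missing_after_transfer(records, master_zones, slave_zones)
    return {owning_zone(r[0], master_zones) for r in missing} - {None}


if __name__ == "__main__":
    recs = parse_records(CONSTRUCTED_RECORDS)
    for r in missing_after_transfer(recs, MASTER_ZONES, ["example.com."]):
        print("not in AXFR of example.com:", *r)
    print("also slave:", sorted(zones_needed(recs, MASTER_ZONES, ["example.com."])))
```

With only example.com slaved, the two records under _msdcs are reported missing and `_msdcs.example.com.` is the zone to add on the BIND side; with both zones slaved nothing is missing.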
Re: [ActiveDir] Maybe OT: Shared Calendars w/o using Exchange? Tips/Suggestions/Recommedations?
Hosted SBS with Outlook 2003 Office Live http://office.microsoft.com/en-us/outlook/HA100809831033.aspx Not 2003 without a SBS box on the backend but 2007 uses Office Live to share calendars. 40 people and you don't have a server... wow... the control freak in me is freaking out. We put SBS servers in at 5 to 10 people and even less. Shared calendars pushes the sale of many a SBS box I don't know of non MS solutions. Javier Jarava wrote: Hi! Sorry if this question is a bit off-topic to the list, but I've seen some Exchange-related questions here, so I know there is Exchange expertise hanging around ;) and I didn't know where to ask; please feel free to point me to the proper forums (forii?) to ask in. I am looking for a way to implement shared calendars a la exchange (ie, they have to be visible and used from within Outlook 2003), but without actually using/hosting an Exchange Server ourselves. The idea is that people should be able to see/manage the calendar of the people they manage, so free/busy info is not enough. And the outlook requisite is a must (as my CEO put it yesterday: I live within Outlook; I don't want to meddle with web apps or the like) I know that it's a bit odd of a requisite, but we are a small co. (~ 40 employees) and the president feels that having to babysit a server in-house is a bit of a needless burden. At present we host our email / web presence / customer ticketing system in a pair of VPS from Verio, so if the proposed solution could run on top of FreeBSD it'd be a big plus ;) Of course (now going for the and ask about the KitchenSink part ;) if we could put it into place without having to tweak our email setup that'd be wonderful!!. We understand that we'd probably have to install some Outlook plugin, so that's OK... If there is no way to have the Shared Calendar feature as a stand-alone service/server, I guess the next step would be to ask those of you who know Exchange for an exchange clone that runs on FreeBSD / Unix. 
Or last but not least, I guess that there must be hosted Exchange providers out there that you can recommend. That'd mean re-doing our mail system, but I guess that we could live with it, if need be. Thanks a lot for those of you who have read this far. Best Regards Javier Jarava
Re: [ActiveDir] OT: Vista Activation and KMS
I personally am not ready to stick a Vista box as a Licensing server. ISA still doesn't have a firewall client that works for one... and I've yet to find an a/v that doesn't BSOD my tablet pc or act strangely on another box I built. In fact I'm still using my Technet 'for testing purposes' ones as I'm not ready to play with my VL ones. Activation on the VL ones means I'm serious to roll...and quite frankly.. I'm not. I still want to see a more formal support story on Activations in general for folks that aren't TAM supported... YMMV and all that. Laura A. Robinson wrote: I am not at all talking about solutions that don't exist today. Go to a Vista machine and take a look at slmgr.vbs. Laura *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Tim Vander Kooi *Sent:* Tuesday, December 05, 2006 12:39 PM *To:* ActiveDir@mail.activedir.org *Subject:* RE: [ActiveDir] OT: Vista Activation and KMS While Laura and yourself make valid points, you are both talking about solutions that do not exist today. I’m just trying to help the OP with the problem he is having right now. Getting into the full licensing overhead of Vista, not to mention LH, could, and undoubtedly will, take weeks and/or months. For right now, at this very moment, using your VL key (and I will continue to refer to it as a VL key as long as the page on which I am reading it says “Volume License Product Keys” at the top of it) for Vista – KMS will allow you to activate your installation via the web just fine. This is not something I would do for an entire enterprise, but for your first few test machines on your production network I would do it. Again YMMV, Tim *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Harvey Kamangwitz *Sent:* Tuesday, December 05, 2006 10:28 AM *To:* ActiveDir@mail.activedir.org *Subject:* Re: [ActiveDir] OT: Vista Activation and KMS If you have any kind of a complex environment, you'll find volume activation to be very frustrating indeed: 1. 
The KMS service can't support more than one key, so if you have Longhorn VL clients in your environment you have to put up a second KMS infrastructure for them. 2. You can't (rather, shouldn't) use autodiscovery if you do have both LH and Vista. The KMS client can't distinguish between a KMS with LH and a KMS with Vista, and there's nothing in the client that says oh, I hit a KMS but it has the wrong key so try again immediately so ~50% of a client's activation attempts will fail. 3. Autodiscovery isn't practical if you have more than a few forests that don't trust the forest your KMS is in. All admins of the untrusted forests must manually register the _vlmcs record in their forest to find the KMS. ...the list goes on. (I haven't even mentioned the practical aspects of volume activation in a lab or firewalled environment.) It's not a fully-baked solution. Depending on your environment, it might be easier to scrap the whole autodiscovery, create a DNS CNAME with a couple of KMS behind it, stuff the FQDN in the KMS client's registry if you have a standard build, and fugeddaboutit :-). On 12/4/06, *Laura A. Robinson* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: KMS runs on Vista (now), will run on Longhorn when Longhorn is released, and will also run on Win2K3 as soon as we finish making the Win2K3 install. :-) Laura -Original Message- From: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Monday, December 04, 2006 1:12 PM To: ActiveDir@mail.activedir.org mailto:ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: Vista Activation and KMS Nope, I've done it web based. At the present time there are two kinds of keycodes up on MVLS.. one that wants a KMS, the other that will phone home to Redmond automatically. Have your MVLS folks request the other type of key is my understanding how this will work for now. 
The KMS type won't be out until Longhorn. KMS activations will have to phone home to your servers twice a year. Brian Cline wrote: I was testing out the RTM of Vista Enterprise last night and noticed I didn't have to enter a key at any point during the install. When Windows tried to activate, it told me there was a DNS error, so I suspected it looks for a local activation server by default. Sure enough, in the DNS cache was a lookup for a nonexistent _vlmcs._tcp.domain.com
Re: [ActiveDir] OT: Vista Activation and KMS
Nope, I've done it web based. At the present time there are two kinds of keycodes up on MVLS.. one that wants a KMS, the other that will phone home to Redmond automatically. Have your MVLS folks request the other type of key is my understanding how this will work for now. The KMS type won't be out until Longhorn. KMS activations will have to phone home to your servers twice a year. Brian Cline wrote: I was testing out the RTM of Vista Enterprise last night and noticed I didn't have to enter a key at any point during the install. When Windows tried to activate, it told me there was a DNS error, so I suspected it looks for a local activation server by default. Sure enough, in the DNS cache was a lookup for a nonexistent _vlmcs._tcp.domain.com. Upon further research, it appears Microsoft has not released KMS yet, and I couldn't find any option to activate directly with Microsoft. For the moment, is telephone activation the only option? Brian Cline, Applications Developer Department of Information Technology GP Trucking Company, Inc. 803.936.8595 Direct Line 800.922.1147 Toll-Free (x8595) 803.739.1176 Fax
Re: [ActiveDir] _msdcs not propagated in AXFR
(the red flag of SBS brings out you know who) SBS does the best when it is the DNSer... and when it is the DNSer... it does all that you need when it's installed. SBS does the necessary DNS zones when it's set up to be the main cheese of the network. how did you set up this box? Ask a SBSer what dcpromo is and we go dc-what?. Our install wizard does that for us... we don't ever use the command dcpromo ... unless we are migrating a SBS box into an existing network or Swing migratin' from one to another. Hans Halbmayr wrote: Usually dcpromo creates all these zones. Windows creates these zones in a forest partition. If you have a linux DNS server just create another slave zone of _msdcs.example.com. The gray one is only the delegation. Hans - Original Message From: Michael B Allen [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Cc: [EMAIL PROTECTED] Sent: Saturday, December 2, 2006 5:39:26 PM Subject: Re: [ActiveDir] _msdcs not propagated in AXFR Ok, so basically _msdcs is just a separate zone. Do Windows DNS setups usually do this? I'm using SBS. I have a bind DNS server running on a linux machine with a slave zone for example.com. The AXFR doesn't have those records (aside from the NS record). So what you're saying is that I need to setup another slave zone for the _msdcs subdomain? Mike On Sat, 2 Dec 2006 03:02:22 -0800 (PST) Hans Halbmayr [EMAIL PROTECTED] wrote: Hi Mike, the gray one is the delegation of the zone. The _msdcs is a subdomain of your forest root. Because it is needed all over the forest it is delegated. Regards Hans - Original Message From: Michael B Allen [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Cc: [EMAIL PROTECTED] Sent: Saturday, December 2, 2006 12:15:29 AM Subject: Re: [ActiveDir] _msdcs not propagated in AXFR I'm not sure I understand. In DNS admin I see two zones. One for _msdcs.example.com with all the usual _msdcs records and one for example.com which incidentally has an NS record for _msdcs.example.com. 
The little folder thingy for this _msdcs is grey which I guess signifies that it's some kind of link to the other zone? So I understand why the _msdcs records other than the one NS record are not transferring but I don't understand why the structure is split into two zones and if I can/should do something about it. Mike On Fri, 1 Dec 2006 11:27:14 -0800 Akomolafe, Deji [EMAIL PROTECTED] wrote: Seen this? http://support.microsoft.com/kb/817470 Sincerely, Microsoft MVP - Directory Services www.akomolafe.com - we know IT Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Michael B Allen Sent: Fri 12/1/2006 9:40 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] _msdcs not propagated in AXFR Does anyone know why the _msdcs records are not returned in an AXFR DNS query? This means that slave zones will not have those records and that software querying for a domain controller may not find one. Mike -- Michael B Allen PHP Active Directory SSO http://www.ioplex.com/
[ActiveDir] OT (sorta):Group Policy Log View
Download details: Group Policy Log View: http://www.microsoft.com/downloads/details.aspx?familyid=bcfb1955-ca1d-4f00-9cff-6f541bad4563&displaylang=en
Re: [ActiveDir] OT: Vista Activation and KMS
But the MVLS admin has to request the MAK keys... on mine the KMS were default and I had to request MAK (like Brian said) Tim Vander Kooi wrote: You need to go to Control Panel System then at the bottom select Change Product Key. This will allow you to enter your VL key which will result in Vista activating via the web. Definitely not well documented unfortunately. *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Brian Cline *Sent:* Monday, December 04, 2006 11:45 AM *To:* ActiveDir@mail.activedir.org *Subject:* [ActiveDir] OT: Vista Activation and KMS I was testing out the RTM of Vista Enterprise last night and noticed I didn't have to enter a key at any point during the install. When Windows tried to activate, it told me there was a DNS error, so I suspected it looks for a local activation server by default. Sure enough, in the DNS cache was a lookup for a nonexistent _vlmcs._tcp.domain.com. Upon further research, it appears Microsoft has not released KMS yet, and I couldn't find any option to activate directly with Microsoft. For the moment, is telephone activation the only option? Brian Cline, Applications Developer Department of Information Technology GP Trucking Company, Inc. 803.936.8595 Direct Line 800.922.1147 Toll-Free (x8595) 803.739.1176 Fax
Re: [ActiveDir] _msdcs not propagated in AXFR
We install the Kitchen Sink service too don't forget ;-) (wait until we start talking about the My Business OU...that's usually good for another freak out or two) Laura A. Robinson wrote: Small point- dcpromo creates those zones as mentioned in the original question *if* you have not configured DNS beforehand, *if* you tell dcpromo to go ahead and do it for you, and *if* you're building the forest root domain. If you have configured DNS beforehand, how the zones get created (as stub zones, as subdomains, etc.) will depend on that preconfiguration. If you're not building the forest root domain, the subdomain already exists and dcpromo is just populating it. I bring this up only because there are many companies that have existing DNS infrastructures and it's important to know that default is not equivalent to mandatory. It is not a requirement that the _msdcs zone be either a separate zone or a subdomain in an existing zone, whether it's a stub or a full zone, etc. Of course, since we're talking SBS, all of this goes out the window (no pun intended). SBS is its own freaky little animal. Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hans Halbmayr Sent: Monday, December 04, 2006 1:06 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] _msdcs not propagated in AXFR Usually dcpromo creates all these zones. Windows creates these zones in a forest partition. If you have a linux DNS server just create another slave zone of _msdcs.example.com. The gray one is only the delegation. Hans - Original Message From: Michael B Allen [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Cc: [EMAIL PROTECTED] Sent: Saturday, December 2, 2006 5:39:26 PM Subject: Re: [ActiveDir] _msdcs not propagated in AXFR Ok, so basically _msdcs is just a separate zone. Do Windows DNS setups usually do this? I'm using SBS. I have a bind DNS server running on a linux machine with a slave zone for example.com. 
The AXFR doesn't have those records (aside from the NS record). So what you're saying is that I need to set up another slave zone for the _msdcs subdomain?

Mike

On Sat, 2 Dec 2006 03:02:22 -0800 (PST) Hans Halbmayr [EMAIL PROTECTED] wrote:

Hi Mike, the gray one is the delegation of the zone. The _msdcs is a subdomain of your forest root. Because it is needed all over the forest it is delegated.

Regards
Hans

- Original Message
From: Michael B Allen [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Sent: Saturday, December 2, 2006 12:15:29 AM
Subject: Re: [ActiveDir] _msdcs not propagated in AXFR

I'm not sure I understand. In DNS admin I see two zones. One for _msdcs.example.com with all the usual _msdcs records and one for example.com which incidentally has an NS record for _msdcs.example.com. The little folder thingy for this _msdcs is grey which I guess signifies that it's some kind of link to the other zone? So I understand why the _msdcs records other than the one NS record are not transferring but I don't understand why the structure is split into two zones and if I can/should do something about it.

Mike

On Fri, 1 Dec 2006 11:27:14 -0800 Akomolafe, Deji [EMAIL PROTECTED] wrote:

Seen this? http://support.microsoft.com/kb/817470

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Michael B Allen
Sent: Fri 12/1/2006 9:40 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] _msdcs not propagated in AXFR

Does anyone know why the _msdcs records are not returned in an AXFR DNS query? This means that slave zones will not have those records and that software querying for a domain controller may not find one.

Mike

--
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
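A way to check the symptom Mike describes (a secondary that holds example.com but not the delegated _msdcs zone hands out the NS record and nothing else) is to ask each DNS server the same SRV questions the DC locator asks. The script below is an added example, not code from the thread or from any of the posters; the domain name and the server addresses are constructed placeholders, and it assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later) is available.

```powershell
# Added example (not from the thread): confirm that every DNS server a client
# might use can answer the DC locator SRV queries that live under _msdcs.
# The domain and server list are constructed placeholders.
param(
    [string]   $Domain  = 'example.com',
    [string[]] $Servers = @('192.0.2.10', '192.0.2.20')   # constructed: AD DNS server, BIND secondary
)

# What a DC locator client asks for. _msdcs is delegated from the parent zone,
# so a secondary that only holds example.com has the NS record for _msdcs
# but none of these SRV records.
$queries = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain"
)

function Test-DcLocatorRecords {
    param([string]$Server, [string[]]$Names)
    foreach ($name in $Names) {
        try {
            # -DnsOnly skips LLMNR/NetBIOS so only the named DNS server is tested
            $answers = Resolve-DnsName -Name $name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'SRV' }
            [pscustomobject]@{
                Server  = $Server
                Query   = $name
                Status  = if ($answers) { 'OK' } else { 'MISSING' }
                Targets = ($answers | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            }
        } catch {
            # NXDOMAIN, SERVFAIL or timeout: the zone is not present or not reachable here
            [pscustomobject]@{
                Server  = $Server
                Query   = $name
                Status  = "FAIL ($($_.Exception.Message))"
                Targets = ''
            }
        }
    }
}

$results = foreach ($s in $Servers) { Test-DcLocatorRecords -Server $s -Names $queries }
$results | Format-Table -AutoSize

# Non-zero exit if any server cannot hand out DC locator records, so this can
# run as a scheduled check after zone or delegation changes.
if ($results | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

Run it once against the AD-integrated server and once against the BIND secondary; the secondary should show OK for all three names only after the extra slave zone for _msdcs.example.com is in place, which is Hans's fix.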
Re: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC
http://www.myitforum.com/articles/8/view.asp?id=9048
http://www.myitforum.com/articles/8/view.asp?id=9284

Rod's been tracking that on myitforum and the Patch management listserve for a while now.

Guy Teverovsky wrote:

Hi all,

Recently I had a case where we experienced high CPU utilization after deploying SMS client to DCs. By now we have identified that the issue was caused by an extension of sms_def.mof file containing the definitions of information that should be collected from the agent. The interesting part is that I was able to reproduce the behavior without SMS agent. Just execute the following WMI query on your DC and see the CPU spike to 100% and stay there till you kill the wmiprvse.exe process:

*select * from Win32_Account where LocalAccount=True and SIDType=1*

Now you do not need to explain to me that this is damn stupid to run this type of query on a DC, yet I would expect the DC to be able to handle the query, but what I see is that the query never returns - it just hangs there choking up the CPU till you kill the WMI process. Almost the same behavior is observed when executing wmic useraccount from the command line, but in this case the query does return the results after a while (~2-3 minutes on ~2K user account AD).

The only thing related to the issue that I was able to find is the following KB: http://support.microsoft.com/kb/268715 (WMI Query Support for Win32_Group Is Not Optimized) where the following query

SELECT * FROM Win32_Group WHERE Domain=workgroup AND Name=smith

causes the identical behavior. But folks, we are talking W2K3 with SP1 and not W2K pre-SP2.

Any chance anyone has stumbled upon it? Is anyone aware of a hotfix?

Thanks,
Guy
Re: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC
I'd direct you to Rod and the gang at Myitforum as they are where the SMS gang hangs out and have the plug into the folks that can give you more info (IMHO)

Guy Teverovsky wrote:

Thanks Susan, but I think this case is different - we are talking about different WMI class and in my case the query hangs and never returns results. The ITMU issue is probably a result of intensive load on the CPU when performing the query you pointed to, but in my case if I let it run for hours it still never finishes. I am far from being well versed in WMI, but I'd suspect that here the problem is caused by WMI not using paging in the query or very inefficient processing when using both LocalAccount=True and SidType=1 keys.

Guy

From: [EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, December 01, 2006 5:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 100% CPU utilization when querying Win32_Account on DC

http://www.myitforum.com/articles/8/view.asp?id=9048
http://www.myitforum.com/articles/8/view.asp?id=9284

Rod's been tracking that on myitforum and the Patch management listserve for a while now.

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
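The practical takeaway from Guy's report is that an inventory job should recognise when it is running on a DC and not issue an unbounded Win32_Account enumeration there. The script below is an added example, not code from the thread or from SMS; it assumes Get-CimInstance (PowerShell 3 and later) and uses the Domain filter on Win32_UserAccount, which is the filter Microsoft's class documentation recommends so the provider does not walk the whole domain to decide what is local. The timeout value is a constructed bound.

```powershell
# Added example (not from the thread): collect local user accounts without the
# Win32_Account query that pegs a DC's CPU. A DC has no separate local SAM, so
# "local accounts" there means the whole domain; that case is detected and
# skipped, and the query elsewhere is given a hard time limit.
function Get-SafeLocalAccountInventory {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$TimeoutSec = 60            # constructed bound; WMI has none by default
    )

    # Only open a remote CIM session when the target is not this machine
    $cim = @{ ErrorAction = 'Stop' }
    if ($ComputerName -ne $env:COMPUTERNAME) { $cim.ComputerName = $ComputerName }

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem @cim
    if ($cs.DomainRole -ge 4) {
        return [pscustomobject]@{
            Computer = $ComputerName
            Skipped  = $true
            Reason   = 'Domain controller: enumerate users with AD tools, not Win32_Account'
            Accounts = @()
        }
    }

    # Win32_UserAccount instead of Win32_Account (which also covers groups and
    # system accounts), filtered on Domain = the machine name so only SAM users
    # are resolved. -OperationTimeoutSec stops the call from hanging forever.
    $users = Get-CimInstance -ClassName Win32_UserAccount `
                 -Filter "Domain='$ComputerName'" `
                 -OperationTimeoutSec $TimeoutSec @cim

    [pscustomobject]@{
        Computer = $ComputerName
        Skipped  = $false
        Reason   = ''
        # Enabled accounts that do not require a password are worth a second look
        Accounts = $users | Select-Object Name, SID, Disabled, PasswordRequired,
                       @{ n = 'Flag'; e = { if (-not $_.Disabled -and -not $_.PasswordRequired) { 'no password required' } else { '' } } }
    }
}

Get-SafeLocalAccountInventory | Format-List
```

On a member server this returns the SAM users in a second or two; on a DC it returns a Skipped record instead of the hung query Guy describes, which is the behaviour an MOF extension collecting "local accounts" should have had.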
Re: [ActiveDir] OT: Vista Stuck on Completing Upgrade
Never seen that on ones I've upgraded.

Harding, Devon wrote:

Anyone?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, November 29, 2006 7:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Vista Stuck on Completing Upgrade

I know it's not AD related but has anyone had any issues upgrading XP to Vista RTM and got stuck on 'Completing Upgrade (64%)...'? I've removed all AV/burning related software; it has been stuck at this position for over 12 hours now. When I force reboot, it rolls back to Windows XP. Any Ideas?

btw: is there another mailing list for these type of questions?

-Devon

This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.
Re: OT: RE: [ActiveDir] Split pagefile
Heck even us SBSers know how to do that :-)

E-Bitz - SBS MVP the Official Blog of the SBS Diva : Hey Peter! That was pretty easy!: http://msmvps.com/blogs/bradley/archive/2006/04/25/92594.aspx
E-Bitz - SBS MVP the Official Blog of the SBS Diva : Debugging 101: http://msmvps.com/blogs/bradley/archive/2006/06/22/102538.aspx
E-Bitz - SBS MVP the Official Blog of the SBS Diva : The debug presentation from TechEd: http://msmvps.com/blogs/bradley/archive/2006/06/29/103239.aspx

(call me wacko but I love crash dumps.. they are fun :-)

Laura A. Robinson wrote:

You know, you can actually do your own crashdump analysis. We even used to teach people how to do it back in the NT4 days. I loved that class. :-D

Laura

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Hoehn
Sent: Thursday, November 30, 2006 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Split pagefile

Hi,

Best practice used to be to put the pagefile on a different BUS than the OS. The idea is that you can read/write to both the OS and the PF at the same time. We always put the entire PF on a separate bus/drive in its own partition. That way you have the added speed of a bus apart from the OS bus and a contiguous PF. We never bothered with a C: swapfile because we could never afford to send the dump to M$ for decryption. :-}

Don

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Thursday, November 30, 2006 11:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Split pagefile

Hi,

I have an answer and a question about the same. Most of my servers have 2 partitions, one for the OS and the other for data, I always put the pagefile in the data partition, so yes, you can have the whole thing in a different partition or hard drive. Actually, Linux systems always create a swap partition just for that purpose, so I wonder if it would be more efficient to always create a partition just for the pagefile... Anyone know?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Thursday, November 30, 2006 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Split pagefile

Sorry for the reply to my own post, but this article: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Miscellaneous/EnhancePerformancebyMovingthePagefile.html says I can move the whole thing to a different partition. I'll leave a meg on the C drive just for the dumpfile, which we limit to 64K, in case the system crashes and I can actually figure out how to read the dumpfile. But, really, is it OK to leave absolutely NO pagefile on C:/? We normally leave at least 200Mb on the C: partition when we move the rest to a different drive.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Thursday, November 30, 2006 9:55 AM
To: Exchange Discussions
Subject: Split pagefile

Colleagues,

Is there a best practice for splitting the pagefile on Exchange 2003 across multiple drives? My C drive is up to nearly 9GB used out of 10GB, and I'd like to move off most of the 3GB pagefile to maybe the database drive. We have only 500 users on that system, so performance shouldn't be too much of an issue.

Thanks in advance, folks.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange
Re: [ActiveDir] OT - BES 4.1.2 server on a SBS 2003 box
I'll find you contacts with folks that have done this. In general it's wise to get off of the popconnector anyway. IMF has no ability to filter spam in a pop connector setup. Popconnector will also not route bcc'd email... so in general it's wise to move off of pop.

Bart Van den Wyngaert wrote:

Hi,

Anybody experience with BES (BlackBerry Enterprise Server) 4.1.2 on a SBS 2003 box? More particularly, I have the following case: client requested installation of BES by another company. E2K3 is configured to download mails from POP3 accounts and SMTP to relay to the ISP SMTP server. After a long ping-pong with the other company, they told that BES couldn't function in 2 ways due to the fact E2K3 is not configured to support it and they keep referring to SMTP. Now if I read the docs well from BlackBerry, I see that the BES server communicates with the BB device on port 3101 TCP both ways. So I'm a bit confused... Do I need to advise my customer to review his E2K3 configuration and instead of downloading their email from POP3 mailboxes, reconfigure it that MX record points to the server itself etc. OR are those consultants way off topic and just guessing and stuff?

Thanks in advance for all lights in this very OT matter,
Bart
Re: [ActiveDir] OT - BES 4.1.2 server on a SBS 2003 box
http://msmvps.com/blogs/kwsupport/archive/2005/02/18/36388.aspx

Let me ping you up with Kevin.

Bart Van den Wyngaert wrote:

Hi Susan,

Who else to answer SBS questions? *grin* Yeah I know it's wise to drop the pop connector setup, but besides that I don't like their technical explanation for troubleshooting their install of BES... I'm now troubleshooting it myself and already found out that they haven't configured TCP 3101 on their firewall... So now the guy is on the line with his ISP to have his firewall updated and I'm looking for the error message he has. And that's my case, I don't like people that tell strange technical things that seem kinda strange to me. In that case I want to know every little detail so I understand it and if correct, no objection to do so. Call me annoying ;-)

Thanks
Bart

On 11/28/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

I'll find you contacts with folks that have done this. In general it's wise to get off of the popconnector anyway. IMF has no ability to filter spam in a pop connector setup. Popconnector will also not route bcc'd email... so in general it's wise to move off of pop.
Re: [ActiveDir] OT: Quickbooks really and truly will run without Admin rights
I've been to their headquarters in the San Jose area and had meetings with some of their networking folks. Give them a chance. Seriously. They are dead serious about supporting non admin and Vista. Granted Vista is pushing that in a big way... but I've had enough meetings and calls to give them the benefit of the doubt this time. For me... this is the bellwether tipping event in "non admin" world. From now on I can say to folks "Well Intuit goes on record as supporting Non-admin... why can't you?" This is one of THE major vendors in my space and they've come out on record as no longer demanding admin rights. That's a huge move in my book. Don't discount the impact, nor the fact that they are now setting a good example for other vendors. Not to mention, I've personally tested this (and found the 'dat' bug myself). I can attest that it works.

P.S. If you ever have an incident with a clueless support tech... holler ... as I have ways to get feedback back to folks.

[EMAIL PROTECTED] wrote:

As per normal it's probably wrong. Intuit's developers AND support folks are clueless when it comes to permissions. Their answer when I escalated a case about Quickbooks 2006 Enterprise users needing Power User rights was that they really just needed Full Control over HKCR! (The audacity of calling a product Enterprise and requiring elevated privileges on terminal services didn't seem to make much impact with them) I told them to shove it and tracked down the two keys outside HKLM\Software\Intuit that they actually needed. From what I remember you could get around the licensing problem by copying the license files to each user's profile under the appropriate path, doesn't look like that would be true for this version though, so they have actually made negative progress in that regard.

Thanks,
Andrew Fidel

"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] " [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/23/2006 01:33 AM
Please respond to ActiveDir@mail.activedir.org
To ActiveDir@mail.activedir.org
cc
Subject [ActiveDir] OT: Quickbooks really and truly will run without Admin rights

http://www.quickbooks.com/Helpcenter/DoSearch.aspx?docType=DT_APPROVEDCONTENTq=QuickBooks+2007+will+not+run+if+the+Windows+user+is+a+Restricted+-+Standard+Userp=SG_QuickBooksPremier2007

KnowledgeBase Support
Title: QuickBooks 2007 will not run if the Windows user is a Restricted - Standard User
KB ID#: 1000152

Overview: The information below is in regards to QuickBooks 2007 not running with Windows users who have been granted with restricted - standard user permissions: When starting QuickBooks, it flashes and goes away. It sometimes shows the following error message and then goes away.

LicenseUtility.cpp (888) : MESSAGE: Fri Oct 06 12:18:51 LVL_FATAL_ERROR--QuickBooks has encountered a problem. Close all open applications and restart QuickBooks. If the problem persists, insert the QuickBooks CD into your computer and then reinstall the software. If you encounter the problem again, contact Technical Support.

QuickBooks runs normally if the Windows user is an administrator. The folder permissions may have been changed by the domain policy so that QuickBooks cannot access some of the required folders under C:\Documents and Settings\All Users.

Make sure that the following folders have Full Control for Everyone:
* C:\Documents and Settings\All Users\Application Data\Intuit\Entitlement Client\v3
* C:\Documents and Settings\All Users\Application Data\Intuit\Entitlement Client
* C:\Documents and Settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 7.0 (or C:\Documents and Settings\All Users\Application Data\Intuit\Quickbooks 2007)
* C:\Documents and Settings\All Users\Application Data\Common Files\Intuit
* C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks
* C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\Company Files
* C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\FAM06
* C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\Sample Company Files\QuickBooks Enterprise Solutions 7.0

Please follow the steps below to chang
Re: [ActiveDir] OT: Quickbooks really and truly will run without Admin rights
Patience. That's the next goal and will be rectified as well. (Intuit beta tester and yes, they are doing a special beta for that)

Michael B. Smith wrote:

Yeah, but don't try running it on vista.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, November 23, 2006 1:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Quickbooks really and truly will run without Admin rights

http://www.quickbooks.com/Helpcenter/DoSearch.aspx?docType=DT_APPROVEDCONTENTq=QuickBooks+2007+will+not+run+if+the+Windows+user+is+a+Restricted+-+Standard+Userp=SG_QuickBooksPremier2007

KnowledgeBase Support
Title: QuickBooks 2007 will not run if the Windows user is a Restricted - Standard User
KB ID#: 1000152

Overview: The information below is in regards to QuickBooks 2007 not running with Windows users who have been granted with restricted - standard user permissions: When starting QuickBooks, it flashes and goes away. It sometimes shows the following error message and then goes away.

LicenseUtility.cpp (888) : MESSAGE: Fri Oct 06 12:18:51 LVL_FATAL_ERROR--QuickBooks has encountered a problem. Close all open applications and restart QuickBooks. If the problem persists, insert the QuickBooks CD into your computer and then reinstall the software. If you encounter the problem again, contact Technical Support.

QuickBooks runs normally if the Windows user is an administrator. The folder permissions may have been changed by the domain policy so that QuickBooks cannot access some of the required folders under C:\Documents and Settings\All Users.

Make sure that the following folders have Full Control for Everyone:
* C:\Documents and Settings\All Users\Application Data\Intuit\Entitlement Client\v3
* C:\Documents and Settings\All Users\Application Data\Intuit\Entitlement Client
* C:\Documents and Settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 7.0 (or C:\Documents and Settings\All Users\Application Data\Intuit\Quickbooks 2007)
* C:\Documents and Settings\All Users\Application Data\Common Files\Intuit
* C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks
* C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\Company Files
* C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\FAM06
* C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\Sample Company Files\QuickBooks Enterprise Solutions 7.0

Please follow the steps below to change folder permissions:
1. Right-click on the Start button and select Explore.
2. Navigate to each first folder on the list above.
3. Right click on the folder and select Properties.
4. Click on the Security tab.
5. Select Everyone in Group or user names. Note: If Everyone is not listed in that window, click on Add, then type in Everyone in the Enter the object names to select and click OK. If the Multiple Names Found box pops up, select Everyone and click OK.
6. Add a checkmark to the Full Control checkbox and click OK.
7. Repeat steps 1-6 for each folder on the list above.
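The seven-step procedure in the KB above, done once per folder by hand, is the kind of thing that gets applied inconsistently across a fleet. The script below is an added example, not from the thread and not Intuit's; it applies the same grant to the same folder list and is idempotent, so it can be re-run after a domain policy resets the ACLs. Its defaults reproduce the KB's grant (Everyone, Full Control). The -Identity and -Rights parameters let you try a narrower grant such as BUILTIN\Users with Modify; whether QuickBooks is satisfied by that is not stated by the KB and is an assumption to verify in your own environment.

```powershell
# Added example (not from the thread or from Intuit): grant the folder
# permissions listed in the KB article in one pass. Defaults match the KB
# (Everyone / FullControl); a tighter identity and right set can be passed.
param(
    [string]$Identity = 'Everyone',
    [System.Security.AccessControl.FileSystemRights]$Rights = 'FullControl',
    [switch]$DryRun
)

$allUsers = 'C:\Documents and Settings\All Users'   # pre-Vista layout, as listed in the KB
$folders = @(
    "$allUsers\Application Data\Intuit\Entitlement Client\v3",
    "$allUsers\Application Data\Intuit\Entitlement Client",
    "$allUsers\Application Data\Intuit\QuickBooks Enterprise Solutions 7.0",
    "$allUsers\Application Data\Intuit\Quickbooks 2007",
    "$allUsers\Application Data\Common Files\Intuit",
    "$allUsers\Documents\Intuit\QuickBooks",
    "$allUsers\Documents\Intuit\QuickBooks\Company Files",
    "$allUsers\Documents\Intuit\QuickBooks\FAM06",
    "$allUsers\Documents\Intuit\QuickBooks\Sample Company Files\QuickBooks Enterprise Solutions 7.0"
)

function Grant-FolderAccess {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [switch]$DryRun
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        return [pscustomobject]@{ Path = $Path; Result = 'missing (product not installed or different edition)' }
    }
    $acl = Get-Acl -LiteralPath $Path

    # Skip folders that already carry an equivalent Allow entry, so re-runs change nothing
    $existing = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $Rights) -eq $Rights)
    }
    if ($existing) { return [pscustomobject]@{ Path = $Path; Result = 'already granted' } }
    if ($DryRun)   { return [pscustomobject]@{ Path = $Path; Result = "would grant $Rights to $Identity" } }

    # Allow rule inherited by subfolders and files, which is what the checkbox in the KB steps does
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    [pscustomobject]@{ Path = $Path; Result = "granted $Rights to $Identity" }
}

$folders | ForEach-Object { Grant-FolderAccess -Path $_ -Identity $Identity -Rights $Rights -DryRun:$DryRun } |
    Format-Table -AutoSize
```

Run it with -DryRun first to see which of the listed folders exist on the machine and which already have the entry; it must run elevated, since changing the ACL on All Users folders requires it.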
[ActiveDir] OT: Are governments insane? (WA time change in 11 days)
The AU's have passed a daylight savings change
http://www.news.com.au/perthnow/story/0,21598,20795690-5007222,00.html

Word is that MS will release a patch
http://blogs.technet.com/mkleef/archive/2006/11/22/wa-daylight-savings-update-its-approved.aspx

But here's another way to do this:
http://www.sbs-rocks.com/SBS-MVPs/Summer_Time_Problem.mht
Re: [ActiveDir] computer policy processing -retry behaviour
Man if it were me I'd try to get up to XP sp2. Vista is a bit bleeding edge and many of my LOB stuff isn't ready yet...but 2000... most of the zero day stuff works very nicely on that platform.

Graham Turner wrote:

Darren, thanks as ever 4 post reply. This confirms my thoughts / fears !!

vista, looks interesting - stuck with Windows 2000 for now

I guess we will need to stuff enough of the settings that we need to get the computers to some sort of functional state into local group policy. The big one for me is a user startup script - presumably we can put this into a local startup script that is functionally equiv to the group policy startup script

GT

ps did try to subscribe to gpoguy.com mail list last night but nothing back from the request - ??

Hey, since when is GP not related to AD? GP is the reason AD is so popular... Anyone shoots you down for it, they'll have to answer to the gpoguy :-)

In Win2K, XP, and 2003, if there is no connectivity to a DC when computer *foreground* processing occurs (this is the processing that occurs at computer startup) then GP processing simply fails. After that, you're correct to say that during the next scheduled background processing cycle, GP will refresh. This could be as long as 120 minutes (90 minutes plus up to 30 minute randomized value). Note that you can reduce this background interval to as low as every 7 seconds (not that you'd want to) via policy. However, it's important to note that some policy requires a foreground processing cycle (software installation or startup scripts in some cases come to mind) so if the DC is never available during boot, these policies will never process.

Now, Vista does something new. Vista has something called an NLA refresh (well that's what I call it). Vista uses an entirely different, and more dynamic mechanism for detecting the presence of a DC. What Vista says with respect to GP refresh is, if the last GP processing cycle failed, then as soon as I detect that the DC is back online, I will trigger a background policy refresh. So, it doesn't help with the foreground issues stated above, but does significantly reduce the refresh time of up to 120 minutes.

Hope that helps.

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information. Group Policy Management solutions at www.sdmsoftware.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Wednesday, November 22, 2006 4:46 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] computer policy processing -retry behaviour

This is a query re processing of computer group policies. I note that not strictly AD related so I hope not to get 'shot down' !

I wanted to get a view on the 'retry' behaviour of the Windows 2000 group policy engine, in a scenario of a user-initiated VPN, in which domain controller connectivity is not available until some time after user logon. This will impact the processing of computer policies that would normally be downloaded and processed prior to CTRL-ALT-DEL.

Presumably, the initial computer policy processing would fail and only refresh on the next scheduled interval ?? OR does the GP engine attempt more aggressively to download policies on the basis of an initial failure ?

If not it seems there are going to be major issues in endpoint config on the basis of any machine policies not being processed some way after user logon

Help on this gladly received.

GT
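Darren's explanation leaves the pre-Vista client with a gap: a failed foreground cycle at boot is only retried at the next background interval, up to 120 minutes later. The script below is an added example, not from the thread and not gpoguy's, of doing by hand what Darren describes Vista doing automatically: once the VPN is up, wait for a DC to become reachable and then trigger the computer policy refresh. It assumes it runs as SYSTEM (for instance from a scheduled task fired when the RAS connection comes up), that nltest.exe and gpupdate.exe are on the machine (XP/2003 with the support tools, or any later Windows), and the wait and poll values are constructed. It does not make a Windows 2000 engine retry, and it does not replace foreground processing: software installation and startup scripts still need a boot with the DC reachable, exactly as Darren says.

```powershell
# Added example (not from the thread): after a user-initiated VPN connects,
# wait for a domain controller to become reachable, then refresh computer
# policy instead of waiting out the 90 + up to 30 minute background cycle.
param(
    [string]$Domain     = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain,
    [int]   $MaxWaitSec = 300,    # constructed: time allowed for the tunnel to settle
    [int]   $PollSec    = 15      # constructed: how often to retry the DC locator
)

function Wait-DomainController {
    param([string]$Domain, [int]$MaxWaitSec, [int]$PollSec)
    $deadline = (Get-Date).AddSeconds($MaxWaitSec)
    do {
        # nltest exits 0 only when the DC locator finds a DC. /force makes it
        # ignore the negative result cached from before the VPN was up.
        $null = & nltest.exe "/dsgetdc:$Domain" /force 2>&1
        if ($LASTEXITCODE -eq 0) { return $true }
        Start-Sleep -Seconds $PollSec
    } while ((Get-Date) -lt $deadline)
    return $false
}

if (-not (Wait-DomainController -Domain $Domain -MaxWaitSec $MaxWaitSec -PollSec $PollSec)) {
    Write-Warning "No DC for $Domain reachable after $MaxWaitSec s; leaving it to the background refresh."
    exit 1
}

# Computer policy only (the user side is not the problem here); /force reapplies
# settings even when GPO version numbers are unchanged, which is what we want
# after a cycle that failed outright.
& gpupdate.exe /target:computer /force
exit $LASTEXITCODE
```

Hooking it to the RAS connect event rather than running it on a timer keeps it from polling the DC locator all day on machines that never connect; the exit code lets the task scheduler record whether the refresh actually ran.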
Re: [ActiveDir] OT: Are governments insane? (WA time change in 11 days)
That's for the future one for USA... not the one for Western Australia though.

Chong Ai Chung wrote: http://www.microsoft.com/windows/timezone/dst2007.mspx Download link for the update is provided in the following KB article but it's a broken link for now: http://support.microsoft.com/kb/928388/

On 11/22/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* [EMAIL PROTECTED] wrote: The AU's have passed a daylight savings change http://www.news.com.au/perthnow/story/0,21598,20795690-5007222,00.html Word is that MS will release a patch http://blogs.technet.com/mkleef/archive/2006/11/22/wa-daylight-savings-update-its-approved.aspx But here's another way to do this: http://www.sbs-rocks.com/SBS-MVPs/Summer_Time_Problem.mht

-- Letting your vendors set your risk analysis these days? http://www.threatcode.com If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
[ActiveDir] OT: Security checklists - [Fwd: IASE Postings (UNCLASSIFIED)]
Original Message Subject: IASE Postings (UNCLASSIFIED) Date: Wed, 22 Nov 2006 13:47:18 -0500 From: IASE [EMAIL PROTECTED] Classification: UNCLASSIFIED Caveats: NONE

DISA FSO has released the following updated Security Checklists, Security Readiness Review Scripts, and the Gold Disk Version 2.

Checklists: http://iase.disa.mil/stigs/checklist/index.html
- ACF2 Checklist, Version 5, Release 21, filename: ACF2-Checklist V5R21.doc, dated 11-24-06
- Active Directory Checklist, Version 1, Release 13, filename: AD_Checklist_V1R13_20061005.zip, dated: 10-05-06
- Application Security Checklist, Version 2, Release 19, filename: app-security-checklist-v2r19-24Nov06.doc, dated: 11-24-06
- Database Checklist, Version 7, Release 2-2, filename: DB_Checklist_V7R2-2_20061029.zip, dated: 10-29-06
- Desktop Application Checklist, Version 2, Release 16, filename: Desktop_App_Checklist_v2r16.zip, dated: 11-24-06
- DSN Checklist, Version 2, Release 3-3, filename: DSN-Checklist-V2R3-3-20061124.pdf, dated: 11-24-06
- RACF Checklist, Version 5, Release 21, filename: RACF-Checklist-V5R21.doc, dated: 11-24-06
- TSS Checklist, Version 5, Release 21, filename: TSS-Checklist_V5R21.doc, dated: 11-24-06
- Unisys Checklist, Version 7, Release 2, filename: Unisys-Checklist-V7R2-20061124.pdf, dated: 11-24-06
- UNIX Checklist, Version 5, Release 1, filename: UNIX-Checklist-V5R1-20065.zip, dated: 11-15-06
- W2K3 Checklist, Version 5, Release 1.7, filename: Checklist_W2K3_V5R1.7_112406.zip, dated: 11-24-06
- WIN2K Checklist, Version 5, Release 1.7, filename: Checklist_WIN2K_V5R1.7_112406.zip, dated: 11-24-06
- WINXP Checklist, Version 5, Release 1.7, filename: Checklist_WINXP_V5R1.7_11204.zip, dated: 11-24-06

SRR Scripts: http://iase.disa.mil/stigs/SRR/index.html
- Oracle Unix Listener Password Check, filename: FindLsnr.sh, dated: 10-30-06
- Oracle Unix Scripts, Version 7, Release 2-2, filenames: OracleUnix_Script_V7R2-2_20061102.tar, OracleUnix_Script_V7R2-2_20061102.tar.gz, OracleUnix_Script_V7R2-2_20061102.zip, dated: 11-02-06
- Oracle Windows Script, Version 7, Release 2-2, filename: OracleWindows_Script_V7R2-2_20061102.zip, dated: 11-02-06
- OS390 Scripts, Version 5, Release 21, filename: OS390.V5R21.zip, dated: 11-08-06
- UNIX Scripts, Version 5, Release 1, filenames: UNIX 51-15November06.tar.bz2, UNIX 51-15November06.tar.Z, UNIX 51-15November06.tar.zip, UNIX 51-15November06.tar.gz, dated: 11-15-06
- Websrr Unix Scripts, Version 5, Release 1, filename: websrr-unix-v5r1-20061115.tar.zip, dated: 11-15-06

GOLD Disk Version 2: http://iase.disa.mil/stigs/SRR/index.html
- Gold Disk Version 2 Scan Disk GDV2_CD1_Engine_11-24-2006.iso

SRR-Lite CD: http://iase.disa.mil/stigs/stig/index.html , http://iase.disa.mil/stigs/checklist/index.html , http://iase.disa.mil/stigs/SRR/index.html
- SRR Lite - Sept06.zip
- SRR_Lite_CD_READ-ME_v1-1.pdf

STIG TIM Meeting Schedule: http://iase.disa.mil/stigs/stig/index.html
- Technical Interchange Meeting Schedule, filename: FY07 STIG TIM Schedule.xls

PKI Checklists and Procedures: https://powhatan.iiie.disa.mil/techguid/cds/index.html
- C2G Security Checklist, Version 4, Release 2, filename: C2G_checklist_11-15-2006.pdf, dated: 11-15-06
- C2G Procedures, Version 4, Release 2, filename: C2G_Procedures_11-15-2006.pdf, dated: 11-15-06
- DII Security Checklist, Version 3, Release 3, filename: DII_Checklist_11-15-2006.pdf, dated: 11-15-06
- DII Guard Procedures, Version 3, Release 4, filename: DII_Guard_Procedures-11-15-2006.pdf, dated: 11-15-06
- OWL Security Checklist, Version 1, Release 4, filename: OWL_Checklist_11-15-2006.pdf, dated: 11-15-06
- OWL Procedures, Version 1, Release 5, filename: OWL Procedures_11-15-2006.pdf, dated: 11-15-06
- RM Security Checklist, Version 2, Release 2, filename: RM_Checklist_11-15-2006.pdf, dated: 11-15-06
- RM Procedures, Version 2, Release 3, filename: RM_Procedures_11-15-2006.pdf, dated: 11-15-06
- TDX Security Checklist, Version 2, Release 2, filename: TDX_Checklist_11-15-2006.pdf, dated: 11-15-06
- TDX Procedures, Version 2, Release 4, filename: TDX_Procedures_11-15-2006.pdf, dated: 11-15-06
- TGS Security Checklist, Version 2, Release 2, filename: TGS_Checklist_11-15-2006.pdf, dated: 11-15-06
- TGS Procedures, Version 2, Release 3, filename: TGS_Procedures_11-15-2006.pdf, dated: 11-15-06

PKI STIG and Checklist: https://powhatan.iiie.disa.mil/techguid
- DRSN STIG, Version 1, Release 2, filename: DRSN STIG V1R2 2006 1115.pdf, dated: 11-15-06
- DRSN Checklist, Version 1, Release 2, filename: DRSN CHK LST V1R2 2006
Re: [ActiveDir] Windows 2000 Admin Password
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2005-36,GGLG:en&q=reset+administrator+password Start with Google. Law 3 of computer security... if you have physical access... it's YOURS to own.

Haritwal, Dhiraj wrote: I forgot the password of one of my Windows 2000 servers. Is there any way to reset/remove the administrator password? Dhiraj Haritwal
[ActiveDir] OT: Quickbooks really and truly will run without Admin rights
http://www.quickbooks.com/Helpcenter/DoSearch.aspx?docType=DT_APPROVEDCONTENT&q=QuickBooks+2007+will+not+run+if+the+Windows+user+is+a+Restricted+-+Standard+User&p=SG_QuickBooksPremier2007

KnowledgeBase Support Title: QuickBooks 2007 will not run if the Windows user is a Restricted - Standard User KB ID#: 1000152

Overview: The information below is in regards to QuickBooks 2007 not running with Windows users who have been granted restricted - standard user permissions: When starting QuickBooks, it flashes and goes away. It sometimes shows the following error message and then goes away.

LicenseUtility.cpp (888) : MESSAGE: Fri Oct 06 12:18:51 LVL_FATAL_ERROR--QuickBooks has encountered a problem. Close all open applications and restart QuickBooks. If the problem persists, insert the QuickBooks CD into your computer and then reinstall the software. If you encounter the problem again, contact Technical Support.

QuickBooks runs normally if the Windows user is an administrator. The folder permissions may have been changed by the domain policy so that QuickBooks cannot access some of the required folders under C:\Documents and Settings\All Users.
Make sure that the following folders have Full Control for Everyone:
* C:\Documents and Settings\All Users\Application Data\Intuit\Entitlement Client\v3
* C:\Documents and Settings\All Users\Application Data\Intuit\Entitlement Client
* C:\Documents and Settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 7.0 (or C:\Documents and Settings\All Users\Application Data\Intuit\Quickbooks 2007)
* C:\Documents and Settings\All Users\Application Data\Common Files\Intuit
* C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks
* C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\Company Files
* C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\FAM06
* C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\Sample Company Files\QuickBooks Enterprise Solutions 7.0

Please follow the steps below to change folder permissions:
1. Right-click on the Start button and select Explore.
2. Navigate to the first folder on the list above.
3. Right click on the folder and select Properties.
4. Click on the Security tab.
5. Select Everyone in Group or user names. Note: If Everyone is not listed in that window, click on Add, then type in Everyone in the Enter the object names to select and click OK. If the Multiple Names Found box pops up, select Everyone and click OK.
6. Add a checkmark to the Full Control checkbox and click OK.
7. Repeat steps 1-6 for each folder on the list above.
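A caveat on the KB's fix: "Full Control for Everyone" on the shared folders under All Users lets any account on the machine, including a compromised service or a guest, rewrite the entitlement data and company files, and also change the ACL itself. Modify for BUILTIN\Users gives a standard user the same read, write, create and delete rights without the permission-change and take-ownership bits. The script below is an added example, not part of the Intuit article or of the list post: it audits the folders the KB names, reports which identities hold Full Control, and with -Fix replaces the explicit Everyone ACE with Modify for Users. The paths are the Windows XP/2003 profile locations quoted in the KB; that Modify is sufficient for QuickBooks 2007 is an assumption to verify on a test workstation, since Intuit only documents Full Control.

```powershell
# Added example, not from the Intuit KB or the ActiveDir list.
# Run in an elevated PowerShell on the QuickBooks workstation.
# Audit only by default; -Fix rewrites the ACL of every listed folder.
param([switch]$Fix)

# Folder list copied from the KB (Windows XP / Server 2003 profile layout).
# ASSUMPTION: change $Root if the All Users profile lives elsewhere.
$Root = 'C:\Documents and Settings\All Users'
$KbFolders = @(
    'Application Data\Intuit\Entitlement Client\v3',
    'Application Data\Intuit\Entitlement Client',
    'Application Data\Intuit\QuickBooks Enterprise Solutions 7.0',
    'Application Data\Intuit\Quickbooks 2007',
    'Application Data\Common Files\Intuit',
    'Documents\Intuit\QuickBooks',
    'Documents\Intuit\QuickBooks\Company Files',
    'Documents\Intuit\QuickBooks\FAM06',
    'Documents\Intuit\QuickBooks\Sample Company Files\QuickBooks Enterprise Solutions 7.0'
) | ForEach-Object { Join-Path $Root $_ }

$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$Everyone    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'      # well-known SID: Everyone
$Users       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545' # well-known SID: BUILTIN\Users

# Returns the identities holding an Allow ACE that carries every FullControl bit on $Path.
# SIDs rather than names are compared elsewhere so the check survives localized group names.
function Get-FullControlHolders([string]$Path) {
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.FileSystemRights) -band ([int]$FullControl)) -eq ([int]$FullControl)) {
            $tag = if ($ace.IsInherited) { ' (inherited)' } else { '' }
            $ace.IdentityReference.Value + $tag
        }
    }
}

# Removes every explicit Everyone ACE on $Path and grants BUILTIN\Users Modify,
# inherited by subfolders and files. Inherited Everyone ACEs come from the parent
# folder and have to be fixed there; PurgeAccessRules does not touch them.
function Set-NarrowerAcl([string]$Path) {
    $acl = Get-Acl -Path $Path
    $acl.PurgeAccessRules($Everyone)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Users, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($folder in $KbFolders) {
    if (-not (Test-Path -Path $folder -PathType Container)) {
        Write-Host "missing : $folder"
        continue
    }
    $holders = @(Get-FullControlHolders $folder)
    Write-Host ("{0}`n    Full Control: {1}" -f $folder, ($holders -join '; '))
    if ($Fix) {
        Set-NarrowerAcl $folder
        Write-Host '    rewritten: explicit Everyone ACEs removed, BUILTIN\Users granted Modify'
    }
}
```

Run it once without -Fix to see the current holders (CREATOR OWNER and SYSTEM will show up with inherited Full Control, which is expected), apply -Fix, then start QuickBooks as a standard user; if it still fails, compare a Process Monitor trace against the folder list before widening anything back to Everyone.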
Re: [ActiveDir] Enterprise Domain Controllers group missing...
View Advanced Features. Look in Foreign Security Principals, as I recall?

[EMAIL PROTECTED] wrote:
- We recently upgraded the schema in one forest from Windows 2000 to Windows 2003.
- We now receive the following error when trying to access group policies: "The Enterprise Domain Controllers group does not have read access to this GPO. The Enterprise Domain Controllers group must have read access on all GPO's in the domain in order for Group Policy Modelling to function properly. To learn more about this issue and how you can correct it, click Help."
- I can confirm we do not have an Enterprise Domain Controllers group in any of the domains.
- I have found the following article http://technet2.microsoft.com/WindowsServer/en/library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx?mfr=true which shows how to fix the GPO issue using GrantPermissionOnAllGPOs.wsf... but this assumes we actually have the group Enterprise Domain Controllers available. From further reading I see this group has a specific SID of S-1-5-9 so I can not simply create a new group.
- Does anyone have any idea how the group Enterprise Domain Controllers can be recreated with the correct SID of S-1-5-9 so that we can run the script GrantPermissionOnAllGPOs.wsf to fix the group policy problem?

Thanks in advance, Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Phone: +64 4 4748028 (wellington) Mobile: +64 21 1713290 Fax: +64 4 4748894 Address: Level 4, 47 Boulcott Street, Wellington CBD E-mail: [EMAIL PROTECTED] Web: http://www.dia.govt.nz/

-- Letting your vendors set your risk analysis these days? http://www.threatcode.com If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
Re: [ActiveDir] Enterprise Domain Controllers group missing...
Now granted my picture is worth a thousand words may not be accurate since I also have the Kitchen sink service running... fwiw that's what mine looks like... http://www.sbslinks.com/aduc.htm

[EMAIL PROTECTED] wrote: Then correct it so people can learn rather than simply point out that it's wrong, which really gets no one anywhere... Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Phone: +64 4 4748028 (wellington) Mobile: +64 21 1713290 Fax: +64 4 4748894 Address: Level 4, 47 Boulcott Street, Wellington CBD E-mail: [EMAIL PROTECTED] Web: http://www.dia.govt.nz/

From: Akomolafe, Deji [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] Date: 22/11/2006 07:12 p.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

"It's not viewable/searchable under ADUC even with advanced features turned on" That is an incorrect statement. Sincerely, Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] Sent: Tue 11/21/2006 9:35 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Hi there, I finally found out where this group was... it is available from Windows 2000 AD forwards and is found at CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,CN=Configuration,DC=x,DC=x,DC=x. It's not viewable/searchable under ADUC even with advanced features turned on but you can use it to apply security on an AD object. Cheers everyone for your assistance...
;-) Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Phone: +64 4 4748028 (wellington) Mobile: +64 21 1713290 Fax: +64 4 4748894 Address: Level 4, 47 Boulcott Street, Wellington CBD E-mail: [EMAIL PROTECTED] Web: http://www.dia.govt.nz/

From: Steve Linehan [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] Date: 22/11/2006 03:33 p.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Enterprise Domain Controllers group missing...

Sorry, read and responded to this too fast. You should have an Enterprise Domain Controllers group; however it becomes a member of the Windows Authorization Access group after the PDC upgrade. You will be missing some of the other Groups and Security Principals listed in that section until the PDC is upgraded. Thanks, -Steve
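The point Matt landed on, in checkable form: Enterprise Domain Controllers is not a group object you can create or delete, it is a well-known security principal whose SID S-1-5-9 is fixed, and the GPMC warning is about the GPO ACLs, not about a missing group. The script below is an added example, not part of the thread. It resolves the entry under CN=WellKnown Security Principals in the Configuration partition, confirms its objectSid is S-1-5-9, and then lists every groupPolicyContainer in the domain whose AD ACL has no Allow ACE granting that SID Read. It uses only ADSI from PowerShell on a domain member, so it needs no RSAT, and it modifies nothing; the SYSVOL folder ACL of each GPO is the other half of what GPMC looks at and is not checked here. Fixing the ACLs is what GrantPermissionOnAllGPOs.wsf from the article Matt linked is for.

```powershell
# Added example, not from the thread. Read-only: nothing in the directory is modified.
$EdcSid      = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-9'
$GenericRead = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

# Reads one attribute of RootDSE (e.g. configurationNamingContext, defaultNamingContext).
function Get-NamingContext([string]$Attribute) {
    $rootDse = [ADSI]'LDAP://RootDSE'
    [string]$rootDse.Properties[$Attribute].Value
}

# Resolves the well-known principal in the Configuration NC and returns its SID object.
function Get-EnterpriseDcSid {
    $cfg   = Get-NamingContext 'configurationNamingContext'
    $entry = [ADSI]"LDAP://CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,$cfg"
    $raw   = $entry.Properties['objectSid'].Value          # byte[] exactly as stored in the directory
    New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
}

# True when at least one Allow ACE on the object grants every GenericRead bit to S-1-5-9.
# Rules are requested with SecurityIdentifier identities so the comparison is by SID, not name.
function Test-EdcRead([System.DirectoryServices.DirectoryEntry]$Entry) {
    $rules = $Entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $rule.IdentityReference -eq $EdcSid -and
            (([int]$rule.ActiveDirectoryRights) -band ([int]$GenericRead)) -eq ([int]$GenericRead)) {
            return $true
        }
    }
    return $false
}

# Display name and DN of every GPO container in this domain that fails Test-EdcRead.
function Get-GposWithoutEdcRead {
    $dom      = Get-NamingContext 'defaultNamingContext'
    $policies = [ADSI]"LDAP://CN=Policies,CN=System,$dom"
    foreach ($gpo in $policies.Children) {
        if ($gpo.SchemaClassName -ne 'groupPolicyContainer') { continue }
        if (-not (Test-EdcRead $gpo)) {
            '{0}  {1}' -f $gpo.Properties['displayName'].Value, $gpo.Properties['distinguishedName'].Value
        }
    }
}

$sid = Get-EnterpriseDcSid
if ($sid.Value -ne 'S-1-5-9') { throw "Unexpected SID on the Enterprise Domain Controllers entry: $($sid.Value)" }
$name = $sid.Translate([System.Security.Principal.NTAccount]).Value
Write-Host "Enterprise Domain Controllers resolves to $($sid.Value) ($name)"

$missing = @(Get-GposWithoutEdcRead)
if ($missing.Count -eq 0) {
    Write-Host 'Every GPO container in this domain grants S-1-5-9 Read.'
} else {
    Write-Host 'GPO containers without Read for S-1-5-9:'
    $missing | ForEach-Object { Write-Host "  $_" }
}
```

The SID-to-name translation at the top is the quick proof that nothing needs "recreating": the local LSA resolves S-1-5-9 to NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS on any domain member without consulting a group object. Run the script in each domain of the forest, since the Policies container is per domain.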
Re: [ActiveDir] [OT] Vista Admin Tools Pack
http://windowsconnected.com/blogs/nick/archive/2006/07/11/3235.aspx Try installing it like that

WATSON, BEN wrote: With the release of Vista to MSDN as well as the Microsoft Licensing site for download, I would assume that an Administration Tools Pack should be quickly on the way soon for Vista. Anyone have any information on when a Vista compatible Adminpak will be available? I would've run Vista Beta 2 full time on my work desktop to test it out, but with the inability to install the adminpak that severely limited Vista's usefulness to me. Thanks, ~Ben
Re: [ActiveDir] [OT] Vista Admin Tools Pack
The only thing I've heard is that it won't be out until beta 3 of Longhorn (or something like that) http://www.microsoft.com/technet/community/chats/trans/windowsnet/06_0801_tn_wslong.mspx

*MaximOu_MSFT (Expert):* *Q:* that it suffers, that it is not of the subject but I have a problem with the installation of the administrative tools of AD on Vista Windows, any aid appreciated much. *A:* The plans for Longhorn Server adminpak are still being finalized. Presently, there is no LH Server adminpak that can be installed on Windows Vista, although there are some discussions about how to make it possible. You might get a more detailed and up-to-date response on the Longhorn Server Management web forum: http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=575&SiteID=17

WATSON, BEN wrote: Yeah, I found that page when beta 2 came out. While it did allow the tools to install, several critical snap-ins wouldn't function such as ADUC.

-Original Message- From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 11/18/06 6:25 PM Subject: Re: [ActiveDir] [OT] Vista Admin Tools Pack

http://windowsconnected.com/blogs/nick/archive/2006/07/11/3235.aspx Try installing it like that

WATSON, BEN wrote: With the release of Vista to MSDN as well as the Microsoft Licensing site for download, I would assume that an Administration Tools Pack should be quickly on the way soon for Vista. Anyone have any information on when a Vista compatible Adminpak will be available? I would've run Vista Beta 2 full time on my work desktop to test it out, but with the inability to install the adminpak that severely limited Vista's usefulness to me. Thanks, ~Ben
Re: [ActiveDir] [OT] Vista Admin Tools Pack
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=437266&SiteID=17&PageID=1 Try the RTM... it appears to work (98% complete on my Vista download so I can't confirm yet)

WATSON, BEN wrote: Yeah, I found that page when beta 2 came out. While it did allow the tools to install, several critical snap-ins wouldn't function such as ADUC.

-Original Message- From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: 11/18/06 6:25 PM Subject: Re: [ActiveDir] [OT] Vista Admin Tools Pack

http://windowsconnected.com/blogs/nick/archive/2006/07/11/3235.aspx Try installing it like that

WATSON, BEN wrote: With the release of Vista to MSDN as well as the Microsoft Licensing site for download, I would assume that an Administration Tools Pack should be quickly on the way soon for Vista. Anyone have any information on when a Vista compatible Adminpak will be available? I would've run Vista Beta 2 full time on my work desktop to test it out, but with the inability to install the adminpak that severely limited Vista's usefulness to me. Thanks, ~Ben
Re: [ActiveDir] OT: M$
... it must be everyone weirding out waiting for their Vista downloads on MSDN... at least I'm hoping that's the reason... otherwise... can we go back to when Deji was insulting the wrong Laura? At least near my dinnertime?

Laura A. Robinson wrote: I am so grossed out now.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris Sent: Friday, November 17, 2006 9:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: M$ Mm... Yummy!

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Friday, November 17, 2006 3:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: M$ May I have that fork when you're finished?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter Sent: Friday, November 17, 2006 3:12 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: M$ Great, thanks joe. Now I have to go stab my eyes out with a fork. It's worse than Princess Jorge in the lederhosen at Oktoberfest.

On 11/17/06, joe [EMAIL PROTECTED] wrote: I wear boots with lifts. Shirts with padding. And carry hershey's kisses in my cheeks like a squirrel.

-- Letting your vendors set your risk analysis these days? http://www.threatcode.com If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
Re: [ActiveDir] OT: M$
(oops) ;-) and :-) of course

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: ... it must be everyone weirding out waiting for their Vista downloads on MSDN... at least I'm hoping that's the reason... otherwise... can we go back to when Deji was insulting the wrong Laura? At least near my dinnertime?

Laura A. Robinson wrote: I am so grossed out now.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris Sent: Friday, November 17, 2006 9:01 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: M$ Mm... Yummy!

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Friday, November 17, 2006 3:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: M$ May I have that fork when you're finished?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter Sent: Friday, November 17, 2006 3:12 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: M$ Great, thanks joe. Now I have to go stab my eyes out with a fork. It's worse than Princess Jorge in the lederhosen at Oktoberfest.

On 11/17/06, joe [EMAIL PROTECTED] wrote: I wear boots with lifts. Shirts with padding. And carry hershey's kisses in my cheeks like a squirrel.

-- Letting your vendors set your risk analysis these days? http://www.threatcode.com If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
[ActiveDir] OT: The lite ISA appliance (now I get what you were talking about)
http://msmvps.com/blogs/bradley/archive/2006/11/17/the-real-truth-about-the-fresno-version.aspx Omygosh... that just made my night... -- Letting your vendors set your risk analysis these days? http://www.threatcode.com If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
Re: [ActiveDir] OT: Sonicwall vs ISA (was M$)
http://msinfluentials.com/blogs/jesper/archive/2006/09/28/New-Article_3A00_-SBS-At-Home.aspx Install it at home -- monitor and control your kid's Internet access :-) It is a compromise... but the advantages still outweigh the risks IMHO

Rich Milburn wrote: Hehe MSSBS = MSKSE Microsoft Windows, Kitchen Sink Edition One day I'm actually going to load it up and see why SBS rocks, cause without doing that, I tend to think what your tagline really means is SBS [takes] rocks [to run all that stuff on one box and tell someone to connect to it] :op I hear it's a good product though... certainly less hardware-intensive than a server farm... --- Rich Milburn MCSE, Microsoft MVP - Directory Services Sr Network Analyst, Field Platform Development Applebee's International, Inc. 4551 W. 107th St Overland Park, KS 66207 913-967-2819 -- I love the smell of red herrings in the morning - anonymous

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Wednesday, November 15, 2006 12:07 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: Sonicwall vs ISA (was M$)

(here we go again) ;-) Remember though in SBSland ISA is on the DC and we can't move it off legally without a separate license. Therefore making the SonicWall versus ISA with a slight nuance that it doesn't normally have. ISA = it's windows .. it can't be secure... oh look it's Patch tuesday ... you are patching it again! (yadda yadda) Sonicwall = it's hardware, therefore it must be better.. I mean just because the password is still the default and you haven't changed it from the default ;-) ...and there goes the arguments This also goes hand in hand with one nic versus two arguments so they are somewhat intertwined.

Haritwal, Dhiraj wrote: I think there should be no comparison between SonicWall & ISA. Because Sonicwall is having only a few options but ISA is having n number of options. Sonicwall is a Common Firewall but ISA is more than that. Thanks & Regards, Dhiraj Haritwal System Administrator Sony India Pvt. Ltd. A-31, Mohan Co-operative Industrial Estate, Mathura Road, New Delhi - 110 044 Tel. No. : 011-66006276 Fax No. : 011-26959141, 26959143 Cell No. : 9873585408

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Wednesday, November 15, 2006 9:36 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Sonicwall vs ISA (was M$)

Which part of it do you not understand? Sincerely, Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Albert Duro Sent: Tue 11/14/2006 7:09 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: Sonicwall vs ISA (was M$)

Sonicwall vs. ISA? That's a new one on me. I'm not a SBSer, but I do have a Sonicwall. Would you care to expand? thank you

- Original Message - From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Monday, November 13, 2006 5:17 PM Subject: Re: [ActiveDir] OT: M$

(I would just like to go on record as saying that I thought Brett's post was funny) In the MVP survey this year the final question was give three words that best describe Microsoft? Boy howdy was that the hardest part of the survey to fill out. Three words to describe the company? Youch. Think about that one for a moment will ya? Ask me to say three words about the people of Microsoft and I'd have that survey done in a nanosecond. Ask me three words about the Company ...this financial entity that files 10Ks and like what do you want me to say?
Microsoft (or M$ or MF$T whatever you'd like to call it) is a company registered with the SEC to do business. It is a software company. It is an entity. It has a Tax ID number. It has to make sucky decisions due to Judges and Lawyers and Patents and EU attorneys and stupid EOLA lawsuits and . The Employees of Microsoft (no abbreviations)... as was best put by a Security
Re: [ActiveDir] Restrict VPN Access By Computer Name
http://home.comcast.net/~clearviewtc/ This is about wireless setup ... but it might help with some of the basic concepts of setup *Configuring Secure Wireless Network Access with Microsoft® Windows® Small Business Server 2003* These documents provide prescriptive guidance to implement secure wireless network access using digital certificate-based authentication to a Windows Small Business Server 2003, and encryption keys which are dynamically-generated for each wireless computer. More formally, this is called 802.1x authentication using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and WPA encryption.

Dan DeStefano wrote: Cool, I will test that out, thanks. I am not too familiar with using or configuring EAP – would this solution require installing a CA on the network? Furthermore, would these certificates be assigned to the machine, not the user? No, I understand the difference between IAS and ISA. I just mentioned ISA because you said that it might be a good idea to use it. For most of our clients, a $1500 firewall solution is overkill. We are pretty much standardized on the Netgear FVL328, which costs under $300, provides 100 VPN tunnels for branch offices and is compact enough to fit in most of our clients’ wiring closets (the term “closet” being the operative word as most of our clients do not have or need a server room). I would prefer a firewall appliance to one installed on a server and most ISA appliances are on the expensive side and are designed for rack-mounting. I can’t remember where, but I vaguely remember reading that Microsoft would be offering a light version of ISA2006 that can be used as an embedded solution for small business networks such as those that I manage. It will compete with Netgear, Linksys, Firebox, etc.. Maybe I am mistaken, but I will try to find out. I will take your advice and wait for LH server instead of messing with WS2k3 quarantine. I appreciate the recommendation.

Dan DeStefano Info-lution Corporation [EMAIL PROTECTED] http://www.info-lution.com Office: 727 546-9143 FAX: 727 541-5888

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Tuesday, November 14, 2006 12:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name

You are right, Calling-Station-Identifier (in some cases) maps to the telephone number. In 802.1x scenarios, though, it's usually the MAC, but I have also seen it map to the client's IP address. I attribute this to some vendors not reading the RFC or just opting to do it their way. In our situation, MS maps it to MAC. I re-read your original message and I have another thought. Since these are computers under your control, why not issue them certificates and use EAP as your authentication filter? Hope we are not mixing acronyms here, re: IAS vs. ISA. IAS is the RADIUS server. Free with the OS. ISA is the proxy/caching/firewall solution. $1,500.00 for Standard edition, comes in a black box version, too. For what it does, ISA is one of the cheapest solutions of its type in the market. I am not aware of the light version you mentioned. If you think NAP is complex, try your hands on 2K3 qtine. Also, you can combine all the NAP roles on one server, you do not have to separate them. The only strict requirement is that it be installed on a LH server. Sincerely, Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Dan DeStefano Sent: Tue 11/14/2006 5:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name Thank you for your response.
I thought the Calling-Station-Id was used for phone numbers (that is what the description says anyway). But you are saying that MAC addresses can be used here as well? Other than the above, what would the advantages of deploying IAS be? This is a small network with 100 or so users and only a handful of them have VPN access (right now being controlled in the user account properties). For this reason I am not sure I can also justify the costs of implementing ISA especially with a current firewall solution in place. Plus, we have no ISA experts in our organization or anyone who has even administered ISA before. Maybe this will change with the new ISA 2006, but most ISA solutions right now are enterprise-class and on the expensive side (for most small businesses). I heard that ISA 2006 is supposed to have a “light” version of some sort, but that being
Re: [ActiveDir] Restrict VPN Access By Computer Name
Expensive ISA appliances... let's qualify that.

Akomolafe, Deji wrote:

Yes, you will need a CA for EAP. Ideally, you'd do a machine cert, because machines are what you want to filter. Are you providing hosted services to your clients, or what? Yes, there are ISA appliances. There have been since 2004.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

*From:* Dan DeStefano
*Sent:* Wed 11/15/2006 5:09 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Restrict VPN Access By Computer Name

Cool, I will test that out, thanks. I am not too familiar with using or configuring EAP – would this solution require installing a CA on the network? Furthermore, would these certificates be assigned to the machine, not the user?

No, I understand the difference between IAS and ISA. I just mentioned ISA because you said that it might be a good idea to use it. For most of our clients, a $1500 firewall solution is overkill. We are pretty much standardized on the Netgear FVL328, which costs under $300, provides 100 VPN tunnels for branch offices and is compact enough to fit in most of our clients' wiring closets (the term "closet" being the operative word, as most of our clients do not have or need a server room). I would prefer a firewall appliance to one installed on a server, and most ISA appliances are on the expensive side and are designed for rack-mounting. I can't remember where, but I vaguely remember reading that Microsoft would be offering a light version of ISA 2006 that can be used as an embedded solution for small business networks such as those that I manage. It will compete with Netgear, Linksys, Firebox, etc. Maybe I am mistaken, but I will try to find out.

I will take your advice and wait for LH server instead of messing with WS2k3 quarantine. I appreciate the recommendation.

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of* Akomolafe, Deji
*Sent:* Tuesday, November 14, 2006 12:32 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Restrict VPN Access By Computer Name

You are right, Calling-Station-Identifier (in some cases) maps to the telephone number. In an 802.1x scenario, though, it's usually the MAC, but I have also seen it map to the client's IP address. I attribute this to some vendors not reading the RFC or just opting to do it their way. In our situation, MS maps it to MAC.

I re-read your original message and I have another thought. Since these are computers under your control, why not issue them certificates and use EAP as your authentication filter?

Hope we are not mixing acronyms here, re: IAS vs. ISA. IAS is the RADIUS server. Free with the OS. ISA is the proxy/caching/firewall solution. $1,500.00 for Standard edition, comes in a black box version, too. For what it does, ISA is one of the cheapest solutions of its type in the market. I am not aware of the light version you mentioned.

If you think NAP is complex, try your hands on 2K3 qtine. Also, you can combine all the NAP roles on one server, you do not have to separate them. The only strict requirement is that it be installed on a LH server.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

*From:* Dan DeStefano
*Sent:* Tue 11/14/2006 5:28 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* RE: [ActiveDir] Restrict VPN Access By Computer Name

Thank you for your response. I thought the Calling-Station-Id was used for phone numbers (that is what the description says anyway). But you are saying that MAC addresses can be used here as well? Other than the above, what would the advantages of deploying IAS be? This is a small network with 100 or so users and only a handful of them have VPN access (right now being controlled in the user account properties). For this reason I am not sure I can also justify the costs of implementing ISA, especially with a current firewall solution in place. Plus, we have no ISA experts in our organization or anyone who has even administered ISA before. Maybe this will change
Re: [ActiveDir] OT: Sonicwall vs ISA (was M$)
Sonicwall has been very SMB friendly, which is why they have been a vendor at SMBnation many times. For the uber business class firewalls... single NIC Sonicwall is what many VARs/VAPs have standardized on.

Albert Duro wrote:

I understand in general terms the debate between only a firewall vs. only ISA. What intrigued me was why Sonicwall was singled out, and why this argument raged in particular in the SBS world, which is scale-wise in my neighborhood.

- Original Message -
*From:* Akomolafe, Deji mailto:[EMAIL PROTECTED]
*To:* ActiveDir@mail.activedir.org mailto:ActiveDir@mail.activedir.org
*Sent:* Tuesday, November 14, 2006 8:05 PM
*Subject:* RE: [ActiveDir] OT: Sonicwall vs ISA (was M$)

Which part of it do you not understand?

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com http://www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

*From:* Albert Duro
*Sent:* Tue 11/14/2006 7:09 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] OT: Sonicwall vs ISA (was M$)

Sonicwall vs. ISA? That's a new one on me. I'm not a SBSer, but I do have a Sonicwall. Would you care to expand? Thank you.

- Original Message -
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, November 13, 2006 5:17 PM
Subject: Re: [ActiveDir] OT: M$

(I would just like to go on record as saying that I thought Brett's post was funny)

In the MVP survey this year the final question was "give three words that best describe Microsoft?" Boy howdy was that the hardest part of the survey to fill out. Three words to describe the company? Youch. Think about that one for a moment, will ya? Ask me to say three words about the people of Microsoft and I'd have that survey done in a nanosecond.

Ask me three words about the Company... this financial entity that files 10Ks and... like, what do you want me to say? Microsoft (or M$ or MF$T, whatever you'd like to call it) is a company registered with the SEC to do business. It is a software company. It is an entity. It has a Tax ID number. It has to make sucky decisions due to Judges and Lawyers and Patents and EU attorneys and stupid EOLA lawsuits and...

The Employees of Microsoft (no abbreviations)... as was best put by a Security MVP, he went looking for the employees of Microsoft that eat babies... you know... the ones he's heard about in those Department of Justice/Slashdot postings and all that... well, he can't find them. Every one of them he (and I) have ever met are sincere, hardworking, trustworthy people. In fact that's one of the wonderful things about the blogs... they do a total 'end run' around WagEd/PR stuff and show the people for the people. Even when Brett didn't blog we knew about him via his blog. Just honest people talking to people. And that's when Microsoft truly rocks.

I also know that in the newsgroups, when I have someone who challenges my views, I find that what ends up happening is not that I'll change them, but I'll solidify my views. To those that use M$ knowing full well that it annoys you (the generic you, not you, you), if their goal is to annoy, they won't change.

The following items are bound to start arguments/flames etc. in my home base community (most of these are specific to SBS, so my apologies):

1. One NIC versus two
2. Antivirus choice (with the exception of Norton Yellow Box consumer, which is nearly universally hated by all in IT)
3. Sonicwall versus ISA server
4. .local/.lan versus .com
5. The lack of inclusion of DFSv2 in SBS 2003 R2

So I guess if you are doing a list of Arguments/Flamewars in this community, I guess I will say:

1. The use or non-use of M$ :-)

Sometimes you just have to let it roll off your back. :-)

How about a lighter, less argumentative topic change: So how about those USA elections, 'eh? What's your thoughts about Stem Cell Research?

Laura A. Robinson wrote:

Disclaimer #1: "You" in the below refers to a generic you, not a specific person.
Disclaimer #2: My opinions are in no way intended to represent those of my employer. They're my own, and they were my opinions
Re: [ActiveDir] Is it 2000 or 2003?
Were these clean installs or in-place?

Bart Van den Wyngaert wrote:

Well, I also have a strange thing... It concerns 2 SBS 2003 systems. Some months ago I raised both domain and forest functional level on those boxes. By reading this thread I decided to have a look... Both tools report the correct OS actually on both boxes. The only thing I wonder about a bit is that they both report with the gpresult tool that the domain type is Windows 2000. If I look using the GUI, they both report the functional level of domain and forest being at 2003. Don't really get it, actually. Is this related? Normal, or did I miss something when I raised the functional levels?

Thanks,
Bart

On 11/10/06, Noah Eiger [EMAIL PROTECTED] wrote:

Good question. DFL = 2003 and FFL = 2003. So it must just be some lingering text string. Does anyone think there is more to it? Thanks. -- nme

-Original Message-
From: Clingaman, Bruce [mailto:[EMAIL PROTECTED]
Sent: Friday, November 10, 2006 9:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Is it 2000 or 2003?

What does it say under: AD Users & Computers | [right click domain name] | Raise Domain Functional Level... ?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, November 10, 2006 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Is it 2000 or 2003?

Hi - Several months ago, I upgraded a small, multi-site domain from W2k to W2k3. Or so I thought. The various markings in the schema indicate that the upgrade was successful. But when I run, for example, gpresult, it reports a Windows 2000 domain. Is this just some flag or string that did not get set properly, or is there really a problem with the upgrade? Thanks. -- nme

P.S. I also just noticed that when I run netdiag on a new W2k3EN DC, it says "System info: Windows 2000 Server (Build 3790)".

--
No virus found in this outgoing message. Checked by AVG Free Edition.
Version: 7.1.409 / Virus Database: 268.13.32/523 - Release Date: 11/7/2006

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

--
Letting your vendors set your risk analysis these days? http://www.threatcode.com
If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
Re: [ActiveDir] Restrict VPN Access By Computer Name
I hear ya. I'll have to check with Amy... but I'm not sure you can restrict by computer name in ISA, and limiting by IP address won't work when you are on the road in a hotel room. Due to my data issues (SSN numbers and whatnot) I never want to have a laptop pulling data off the LAN, so I have Terminal Servers and all my laptops are basically dumb terminals.

Also SBS can't run ISA 2006, so if you are looking for a solution for SBS, stick with ISA 2004 or Sonicwall.

Yup, laptops are the bane of most admins' existence. You signed up for the [EMAIL PROTECTED] listserve?

Dan DeStefano wrote:

Thank you for your input. I hear you about SBS, but for small businesses it is really a great deal. We are a managed solution provider and most of our clients are in the SBS range of 5-50 users, for which SBS cannot be beat. I love the RWW and try to use it as much as possible on SBS networks. However, there are still some laptops that require offline data access and intermittent connectivity to the network to update offline files, OST files, etc., for which the RWW alone is not enough. Also, I should have mentioned that the network of which I am speaking belongs to our largest client, who does not use SBS. The reason I mentioned SBS is that I would like to leverage whatever solution comes out of this to our SBS clients.

We also have a policy that machines from which users connect must have the latest AV and AS software, but users are normally admins on these machines (usually personal PCs/laptops). So, no matter what you do to the PC to make it secure, ultimately the user has control over it and its security is always in question. Ideally, I would like any user that requires VPN access to the network to be using a corporate asset, such as a laptop, to which we are the only people with admin privileges. However, management requires certain users that are not issued company notebooks to have VPN access. I am just trying to balance requirements from management with proper security.

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Tuesday, November 14, 2006 1:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Restrict VPN Access By Computer Name

(Say SBS and it's like waving a red flag in front of me)

For SBS networks we don't use VPN; in fact the only time I use VPN is for patching, otherwise we use RWW (Remote Web Workplace), which does not introduce the risks that VPN does. RWW is web-based remote access and can typically be more secure (and thus not introduce the risks) from home PCs. And if you want two-factor auth for RWW, Dana Epp is introducing RWW-Guard. But honestly I have a policy in my office that if they want remote access, they are to have up to date a/v, antispyware, and I have the right to inspect their systems. (Logmein.com is great for this)

Akomolafe, Deji wrote:

Call-Station-Identifier is a much more stable and reliable filter - it is the Client's MAC address. "Client Friendly Name" is optional and may not be sent in many VPN negotiations. The identifier will very likely be sent (I don't want to say ALWAYS since I don't have any relevant doc that says that, but I am yet to see a negotiation that does not include the identifier). Unfortunately, in order to use the identifier as a filter, you will have to create a policy for each device. I don't see how you can wildcard it. So, depending on how many clients you are talking here, well...

Yes, if I were you, I'd bring in RADIUS. Better, I'd bring in something like ISA 2006. With ISA, you should be able to create a Computer Set that includes the names or IPs of the Clients in question, and you can use that to filter your inbound VPN connection requests. I don't have such a configuration, but it makes sense in my head.

Also, if you haven't started messing with that 2K3 quarantine thingamabob yet, thank your stars. You don't want to. Not now that NAP in Longhorn is so close at hand. I'd recommend that you encourage your techs to concentrate on learning NAP instead. I just took a quick look around in NAP, and I can see where what you are trying to do here can be easily accomplished.

Hope I haven't thoroughly confused you yet.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Dan DeStefano
Sent: Mon 11/13/2006 9:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restrict VPN Access By Computer Name
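The Calling-Station-Id filter Deji describes in the thread above, worked through as an added example; this is not code from the list, from IAS or from any vendor. It is a small RFC 2865 Access-Request decoder that pulls attribute 31, normalises the three shapes the thread says vendors send (a MAC in any separator style, an IPv4 address, or a phone number), applies a per-device allow-list exactly as he notes it must be done (one entry per device, no wildcard), and answers with an Access-Accept or Access-Reject whose Response Authenticator is computed the way the RFC requires, plus the NAS-side check of that authenticator. The shared secret, the MAC allow-list and the packets are all constructed for the demo; a real NAS would also carry a Message-Authenticator (attribute 80), which is left out here. The design point it makes is the one the original question already hints at: the station id is whatever the client or NAS reports, so this gates on a spoofable string rather than on a key, which is why the machine-certificate EAP-TLS route suggested in the same thread is the stronger control.

```python
"""RADIUS Calling-Station-Id allow-list, as an added example (not code from
the list thread or from IAS/NPS).  Shared secret, allow-list and packets are
constructed for the demo.  Message-Authenticator (attr 80) is deliberately
omitted to keep the packet builder short."""
import hashlib
import hmac
import os
import re
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31

SECRET = b"demo-shared-secret"                                 # constructed
ALLOWED_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}     # constructed corporate laptops

# The three shapes of Calling-Station-Id the thread mentions vendors sending.
_MAC_FORMS = (
    re.compile(r"^([0-9a-f]{2}[-:]){5}[0-9a-f]{2}$"),  # 00-1a-2b-3c-4d-5e / 00:1a:...
    re.compile(r"^([0-9a-f]{4}\.){2}[0-9a-f]{4}$"),     # 001a.2b3c.4d5e (Cisco style)
    re.compile(r"^[0-9a-f]{12}$"),                      # bare hex; a 12-digit phone number also matches
)
_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def normalise_station_id(value):
    """Return (kind, canonical) where kind is 'mac', 'ip' or 'other' (phone number etc.)."""
    v = value.strip().lower()
    if any(p.match(v) for p in _MAC_FORMS):
        hexonly = re.sub(r"[-:.]", "", v)
        return "mac", ":".join(hexonly[i:i + 2] for i in range(0, 12, 2))
    m = _IPV4.match(v)
    if m and all(int(o) <= 255 for o in m.groups()):
        return "ip", v
    return "other", value.strip()


def _encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes the two header bytes) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_request(ident, attrs):
    """Client/NAS side: Access-Request with a random 16-byte Request Authenticator."""
    body = _encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16) + body


def parse_packet(packet):
    """Decode header and TLV attributes; reject anything whose lengths do not add up
    instead of silently misreading it.  Returns (code, id, authenticator, {type: [values]})."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, packet[4:20], attrs


def build_response(code, ident, request_authenticator, attrs=()):
    """Server side.  RFC 2865: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + SECRET).digest()
    return header + resp_auth + body


def decide(packet):
    """Policy: accept only when exactly one Calling-Station-Id is present, it parses
    as a MAC, and that MAC is on the allow-list.  Anything else fails closed.
    Returns (code, reason, response_packet)."""
    code, ident, req_auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    ids = attrs.get(ATTR_CALLING_STATION_ID, [])
    if len(ids) != 1:
        return ACCESS_REJECT, "Calling-Station-Id absent or duplicated", build_response(ACCESS_REJECT, ident, req_auth)
    kind, value = normalise_station_id(ids[0].decode("ascii", "replace"))
    if kind == "mac" and value in ALLOWED_MACS:
        return ACCESS_ACCEPT, "mac %s allowed" % value, build_response(ACCESS_ACCEPT, ident, req_auth)
    return ACCESS_REJECT, "%s %r not allowed" % (kind, value), build_response(ACCESS_REJECT, ident, req_auth)


def verify_response(response, request_authenticator):
    """NAS side: recompute the Response Authenticator before trusting the verdict."""
    if len(response) < 20:
        return False
    want = hashlib.md5(response[:4] + request_authenticator + response[20:] + SECRET).digest()
    return hmac.compare_digest(response[4:20], want)


if __name__ == "__main__":
    for station in (b"00-1A-2B-3C-4D-5E", b"001a.2b3c.4d60", b"192.168.1.20", b"7275469143"):
        req = build_request(7, [(ATTR_USER_NAME, b"alice"), (ATTR_CALLING_STATION_ID, station)])
        code, reason, resp = decide(req)
        print(station.decode(), "->", {2: "Accept", 3: "Reject"}[code], reason,
              "| response auth ok:", verify_response(resp, req[4:20]))
```

The bare 12-hex-digit form is accepted because some NAS vendors send it that way, but it cannot be told apart from a 12-digit phone number; if the NAS in front of the policy is known to send dashes or colons, drop that third pattern. The allow-list is keyed on the canonical colon form so that the per-device entries do not depend on which separator the NAS happens to use.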
Re: [ActiveDir] Restrict VPN Access By Computer Name
I can ping you up with Amy Babinchak... she's the best ISA/small business guru (and ISA MVP) around, if you want to ask more about ISA?

Dan DeStefano wrote:

Thank you for your response. I thought the Calling-Station-Id was used for phone numbers (that is what the description says anyway). But you are saying that MAC addresses can be used here as well? Other than the above, what would the advantages of deploying IAS be? This is a small network with 100 or so users and only a handful of them have VPN access (right now being controlled in the user account properties). For this reason I am not sure I can also justify the costs of implementing ISA, especially with a current firewall solution in place. Plus, we have no ISA experts in our organization or anyone who has even administered ISA before. Maybe this will change with the new ISA 2006, but most ISA solutions right now are enterprise-class and on the expensive side (for most small businesses). I heard that ISA 2006 is supposed to have a light version of some sort, but that being said, I am not sure if it would be as fully-featured and support what you are suggesting (though I know little of it other than the fact that it exists).

Thanks for the advice about ws2k3 quarantine, I guess we won't waste our time with it. I have read about Longhorn NAP and it looks great. But it also looks a bit complex, requiring a bit more infrastructure than most small businesses need or can afford.

Have you ever tried restricting VPN access by MAC address?

Dan DeStefano
Info-lution Corporation
[EMAIL PROTECTED]
http://www.info-lution.com
Office: 727 546-9143
FAX: 727 541-5888

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Akomolafe, Deji
Sent: Tuesday, November 14, 2006 1:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restrict VPN Access By Computer Name

Call-Station-Identifier is a much more stable and reliable filter - it is the Client's MAC address. "Client Friendly Name" is optional and may not be sent in many VPN negotiations. The identifier will very likely be sent (I don't want to say ALWAYS since I don't have any relevant doc that says that, but I am yet to see a negotiation that does not include the identifier). Unfortunately, in order to use the identifier as a filter, you will have to create a policy for each device. I don't see how you can wildcard it. So, depending on how many clients you are talking here, well...

Yes, if I were you, I'd bring in RADIUS. Better, I'd bring in something like ISA 2006. With ISA, you should be able to create a Computer Set that includes the names or IPs of the Clients in question, and you can use that to filter your inbound VPN connection requests. I don't have such a configuration, but it makes sense in my head.

Also, if you haven't started messing with that 2K3 quarantine thingamabob yet, thank your stars. You don't want to. Not now that NAP in Longhorn is so close at hand. I'd recommend that you encourage your techs to concentrate on learning NAP instead. I just took a quick look around in NAP, and I can see where what you are trying to do here can be easily accomplished.

Hope I haven't thoroughly confused you yet.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Dan DeStefano
Sent: Mon 11/13/2006 9:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Restrict VPN Access By Computer Name

I was wondering if there is a way to restrict client VPN connections via computer name. The reason for this is that we only want clients connecting from approved devices for which they do not have administrative privileges. In other words, we do not want people VPNing into our network from their possibly virus- and spyware-infested home PCs.

I know that a clever user could rename his/her home PC, but this is probably not too likely, and that type of user is probably likely to be conscious of updated antivirus/spyware software. I saw a setting in Remote Access Policies called Client Friendly Name (IAS). Is this the setting I am looking for? If so, do I have to set up an IAS server? If not, is there another way I can accomplish my goal?

I know that WS2k3 R2 has a quarantine feature, but I am not familiar with it, though it looks like a bit of a PITA to set up and I am looking for a quick way to fix this problem. We will probably eventually use the new quarantine feature after our techs have had a chance to learn and test it a bit. I think another problem with this feature is for small business networks that have just a single SBS server. Any help would be